Dell EMC Configuration Guide for the S3048–ON System 9.14.2.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents 1 About this Guide...........................................................................................................................................34 Audience............................................................................................................................................................................34 Conventions.....................................................................................................................................................
Upgrading Dell EMC Networking OS............................................................................................................................ 60 Verify Software Images Before Installation...................................................................................................................60 Using HTTP for File Transfers.........................................................................................................................................61 4 Management...........
Setting Timeout for EXEC Privilege Mode................................................................................................................... 86 Using Telnet to get to Another Network Device..........................................................................................................86 Lock CONFIGURATION Mode....................................................................................................................................... 87 Viewing the Configuration Lock Status.
Configuring Set Conditions..................................................................................................................................... 120 Configure a Route Map for Route Redistribution..................................................................................................121 Configure a Route Map for Route Tagging............................................................................................................ 121 Continue Clause.................................
Configure BFD for IPv6 Static Routes...................................................................................................................155 Configure BFD for OSPF.........................................................................................................................................158 Configure BFD for OSPFv3..................................................................................................................................... 161 Configure BFD for IS-IS.........
Changing BGP keepalive and hold timers.............................................................................................................234 Setting the extended timer.................................................................................................................................... 235 Enabling or disabling BGP neighbors.....................................................................................................................236 Route Map Continue........................
Debugging the DHCP Server................................................................................................................................. 275 Using DHCP Clear Commands...............................................................................................................................275 Configure the System to be a Relay Agent................................................................................................................
15 Force10 Resilient Ring Protocol (FRRP)................................................................................................... 303 Protocol Overview......................................................................................................................................................... 303 Ring Status...............................................................................................................................................................
System Health Monitoring...................................................................................................................................... 323 Failure and Event Logging.......................................................................................................................................324 Hot-Lock Behavior.........................................................................................................................................................
Enabling Energy Efficient Ethernet..............................................................................................................................352 View EEE Information................................................................................................................................................... 352 Clear EEE Counters.......................................................................................................................................................
Link Dampening.............................................................................................................................................................. 378 Important Points to Remember..............................................................................................................................379 Configuration Example of Link Dampening...........................................................................................................379 Enabling Link Dampening....
ARP Learning via Gratuitous ARP............................................................................................................................... 406 Enabling ARP Learning via Gratuitous ARP................................................................................................................406 ARP Learning via ARP Request................................................................................................................................... 406 Configuring ARP Retries......
Showing the Running-Configuration for an Interface.......................................................................................... 431 Clearing IPv6 Routes................................................................................................................................................431 Disabling ND Entry Timeout.................................................................................................................................... 431 Configuring IPv6 RA Guard...........
LACP Basic Configuration Example............................................................................................................................ 464 Configure a LAG on ALPHA................................................................................................................................... 464 25 Layer 2.....................................................................................................................................................
Storing and Viewing Unrecognized LLDP TLVs......................................................................................................... 498 Reserved Unrecognized LLDP TLVs..................................................................................................................... 498 Organizational Specific Unrecognized LLDP TLVs.............................................................................................. 498 Viewing Unrecognized LLDP TLVs................................
MSDP with Anycast RP................................................................................................................................................530 Configuring Anycast RP................................................................................................................................................ 531 Reducing Source-Active Message Flooding.........................................................................................................
MSTP Sample Configurations......................................................................................................................................554 Router 1 Running-ConfigurationRouter 2 Running-ConfigurationRouter 3 RunningConfigurationSFTOS Example Running-Configuration.......................................................................................554 Debugging and Verifying MSTP Configurations..........................................................................................
OSPFv3 NSSA.................................................................................................................................................................611 NSSA Options............................................................................................................................................................611 Configuration Task List for OSPFv3 (OSPF for IPv6)...............................................................................................
Implementation Information..........................................................................................................................................646 Important Points to Remember............................................................................................................................. 646 Configure PIM-SSM......................................................................................................................................................
Disabling PVST+.............................................................................................................................................................682 Influencing PVST+ Root Selection...............................................................................................................................682 Modifying Global PVST+ Parameters..........................................................................................................................
41 Routing Information Protocol (RIP).......................................................................................................... 724 Protocol Overview......................................................................................................................................................... 724 RIPv1..........................................................................................................................................................................724 RIPv2.....
Configuration Task List for Privilege Levels.......................................................................................................... 763 RADIUS............................................................................................................................................................................767 RADIUS Authentication...........................................................................................................................................
46 Service Provider Bridging........................................................................................................................ 820 VLAN Stacking...............................................................................................................................................................820 Important Points to Remember.............................................................................................................................. 821 Configure VLAN Stacking.
SNMPv3 Compliance With FIPS................................................................................................................................. 846 Configuration Task List for SNMP............................................................................................................................... 847 Related Configuration Tasks...................................................................................................................................
Global MIB objects for port security......................................................................................................................874 MIB support for interface level port security........................................................................................................874 MIB objects for configuring MAC addresses........................................................................................................875 MIB objects for configuring MAC addresses...........
Remove Units or Front End Ports from a Stack........................................................................................................906 Removing a Unit from a Stack...............................................................................................................................906 Removing Front End Port Stacking.......................................................................................................................907 Troubleshoot a Stack..........................
Configure the Network Time Protocol..................................................................................................................936 Enabling NTP............................................................................................................................................................937 Configuring NTP Broadcasts..................................................................................................................................
Enabling Null VLAN as the Default VLAN.................................................................................................................. 965 58 Virtual Link Trunking (VLT)...................................................................................................................... 966 Overview........................................................................................................................................................................ 966 VLT Terminology......
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........................... 1018 Configuring a VLT VLAN or LAG in a PVLAN...........................................................................................................1020 Creating a VLT LAG or a VLT VLAN.................................................................................................................... 1020 Associating the VLT LAG or VLT VLAN in a PVLAN..................................................
Sample VRF Configuration..........................................................................................................................................1053 Route Leaking VRFs.................................................................................................................................................... 1058 Dynamic Route Leaking...............................................................................................................................................
General IPv4 Protocols............................................................................................................................................1112 General IPv6 Protocols............................................................................................................................................1113 Border Gateway Protocol (BGP)...........................................................................................................................
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. S3048–ON stacking is supported with Dell EMC Networking OS version 9.7(0.1) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell EMC Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
uBoot PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP Navigating CLI Modes The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode Prompt Access Command Interface Group DellEMC(conf-if-group)# interface(INTERFACE modes) Interface Range DellEMC(conf-if-range)# interface (INTERFACE modes) Loopback Interface DellEMC(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface DellEMC(conf-if-ma-1/1)# interface (INTERFACE modes) Null Interface DellEMC(conf-if-nu-0)# interface (INTERFACE modes) Port-channel Interface DellEMC(conf-if-po-1)# interface (INTERFACE modes) Tunnel Interface DellEM
CLI Command Mode Prompt Access Command SPANNING TREE DellEMC(config-span)# protocol spanning-tree 0 TRACE-LIST DellEMC(conf-trace-acl)# ip trace-list CLASS-MAP DellEMC(config-class-map)# class-map CONTROL-PLANE DellEMC(conf-control-cpuqos)# control-plane-cpuqos DHCP DellEMC(config-dhcp)# ip dhcp server DHCP POOL DellEMC(config-dhcp-pool-name)# pool (DHCP Mode) ECMP DellEMC(conf-ecmp-group-ecmpgroup-id)# ecmp-group EIS DellEMC(conf-mgmt-eis)# management egress-interfaceselection FRR
The do Command You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree. Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command: • To list the keywords available in the current mode, enter ? at the prompt or after a keyword. • Enter ? after a command prompt to list all of the available keywords.
Short-Cut Key Combination Action CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key. CNTL-P Recalls commands, beginning with the last command. CNTL-R Re-enters the previous command. CNTL-U Deletes the line. CNTL-W Deletes the previous word. CNTL-X Deletes the line. CNTL-Z Ends continuous scrolling of command outputs. Esc B Moves the cursor back one word. Esc F Moves the cursor forward one word.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command. Example of the except Keyword DellEMC#show system brief | except 1 Stack MAC Reload-Type : 4c:76:25:e5:49:40 : normal-reload [Next boot : normal-reload] The find keyword displays the output of the show command beginning from the first occurrence of specified text.
• On the system that telnets into the switch, this message appears: % Warning: The following users are currently configuring the system: User "" on line console0 • On the system that is connected over the console, this message appears: % Warning: User "" on line vty0 "10.11.130.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and system then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port. Serial Console The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis. Figure 1. RJ-45 Console Port Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1 Install an RJ-45 copper cable into the console port.
Table 2.
• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed. • If you issue an interactive command in the SSH session, the behavior may not really be interactive.
interface ManagementEthernet slot/port 2 Assign an IP address to the interface. INTERFACE mode ip address ip-address/mask 3 • ip-address: an address in dotted-decimal format (A.B.C.D). • mask: a subnet mask in /prefix-length format (/ xx). Enable the interface. INTERFACE mode no shutdown Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely.
◦ 8 — input the password that is already encrypted using sha256–based encryption method. – password: Enter the password string for the user. – dynamic-salt: Generates an additional random input to password encryption process whenever the password is configured. – privilege level: Assign a privilege levels to the user. The range is from 0 to 15. – role role-name: Assign a role name for the user.
Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference. • To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points. To mount an NFS file system, perform the following steps: Table 4.
15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap ! 24 bytes successfully copied DellEMC# DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ? flash: Copy to local file system ([flash://]filepath) nfsmount: Copy to nfs mount file system (nfsmount:///filepath) running-config remote host: Destination file name [test.
Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system. Viewing Files You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands. • View a list of files on the internal flash.
! Version 9.4(0.0) ! Last configuration change at Tue Mar 11 21:33:56 2014 by admin ! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default !
Uncompressed Compressed ! ! interface TenGigabitEthernet 1/4 interface group Vlan 2 , Vlan 100 no ip address no ip address shutdown no shutdown ! ! interface TenGigabitEthernet 1/10 interface group Vlan 3 – 5 no ip address tagged te 1/1 shutdown no ip address ! shutdown interface TenGigabitEthernet 1/34 ! ip address 2.1.1.1/16 interface Vlan 1000 shutdown ip address 1.1.1.
Uncompressed Compressed interface Vlan 100 no ip address no shutdown ! interface Vlan 1000 ip address 1.1.1.1/16 no shutdown Uncompressed config size – 52 lines write memory compressed The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode. In stacking scenario, it will also take care of syncing it to all the standby and member units.
• Change the default directory. EXEC Privilege mode cd directory Enabling Software Features on Devices Using a Command Option The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.0), you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface.
Example of the show command-history Command Example 1: Default configuration service timestamps log datetime or service timestamps log datetime localtime DellEMC(conf)#service timestamps log datetime DellEMC#show command-history - Repeated 1 time. [May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console [May 17 15:41:40]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
DellEMC(conf)#no service timestamps log DellEMC# show command-history - Repeated 1 time. [1d0h26m]: CMD-(CLI):[configure]by default from console - Repeated 1 time. [May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console [May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times. [May 17 15:53:22]: CMD-(CLI):[show logging]by default from console - Repeated 1 time. [May 17 15:53:36]: CMD-(CLI):[write memory]by default from console - Repeated 5 times.
• hash-value: (Optional). Specify the relevant hash published on iSupport.
DellEMC(conf)#ip http vrf {management | } 62 Getting Started
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Creating a Custom Privilege Level Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by: • restricting access to an EXEC mode command • moving commands from EXEC Privilege to EXEC mode • restricting access A user can access all commands at his privilege level and below.
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4 • • moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0 allows access to CONFIGURATION mode with the banner command • allows access to INTERFACE tengigabitethernet and LINE modes are allowed with no commands • Remove a command from the list of available commands in EXEC mode.
exit Exit from configuration mode interface Select an interface to configure line Configure a terminal line DellEMC(conf)#interface ? fastethernet Fast Ethernet interface gigabitethernet Gigabit Ethernet interface loopback Loopback interface managementethernet Management Ethernet interface null Null interface port-channel Port-channel interface range Configure interface range sonet SONET interface tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface DellEMC(conf)#interface tengigabitethernet
• the internal buffer • console and terminal lines • any configured syslog servers To disable logging, use the following commands. • Disable all logging except on the console. CONFIGURATION mode no logging on • Disable logging to the logging buffer. CONFIGURATION mode no logging buffer • Disable logging to terminal lines. CONFIGURATION mode no logging monitor • Disable console logging.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following: • Establishment of secure traffic flows, such as SSH. • Violations on secure flows or certificate issues. • Adding and deleting of users.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Figure 2.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. DellEMC(conf)# logging localhost tcp port DellEMC(conf)#logging 127.0.0.1 tcp 5140 Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Example of Configuring Login Activity Tracking The following example enables login activity tracking. The system stores the login activity details for the last 30 days. DellEMC(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
Last login time: 13:18:42 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2 Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Configuring Concurrent Session Limit To configure concurrent session limit, follow this procedure: • Limit the number of concurrent sessions for each user. CONFIGURATION mode login concurrent-session limit number-of-sessions Example of Configuring Concurrent Session Limit The following example limits the permitted number of concurrent login sessions to 4.
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to login. $ telnet 10.11.178.17 Trying 10.11.178.17... Connected to 10.11.178.17. Escape character is '^]'. Login: admin Password: Maximum concurrent sessions for the user reached. Current sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.97 4 vty 2 10.14.1.97 5 vty 3 10.14.1.
• no logging buffer Disable logging to terminal lines. CONFIGURATION mode • no logging monitor Disable console logging. CONFIGURATION mode no logging console Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
• Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode • logging trap level Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode • logging history level Specify the size of the logging buffer. CONFIGURATION mode logging buffered size • NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports) %TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 5 is up %CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports) %TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 12 is up %IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8 %IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
service timestamps debug datetime msec ! logging trap debugging logging facility user logging source-interface Loopback 0 logging 10.10.10.4 DellEMC# Synchronizing Log Messages You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1 Enter LINE mode.
To view the configuration, use the show running-config logging command in EXEC privilege mode. To disable time stamping on syslog messages, use the no service timestamps [log | debug] command. Example 1: Default configuration service timestamps log datetime or service timestamps log datetime localtime DellEMC(conf)#service timestamps log datetime DellEMC#show clock 15:42:42.
Buffer logging: level debugging, 6 Messages Logged, Size (40960 bytes) Trap logging: level informational Last logging buffer cleared: May 17 15:46:36 May 17 10:17:46 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console May 17 10:17:40 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config flash by default May 17 10:17:37 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state May 17 10:17:34 %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin May 17 10:17:32 %STKUNIT1-M:CP %IFMGR-5-OSTATE_D
[May [May [May [May [May 17 17 17 17 17 15:54:54]: 15:55:00]: 15:55:12]: 15:55:22]: 15:55:27]: CMD-(CLI):[end]by default from console CMD-(CLI):[show logging]by default from console CMD-(CLI):[show clock]by default from console CMD-(CLI):[show running-config]by default from console CMD-(CLI):[show command-history]by default from console DellEMC# show logging Syslog logging: enabled Console logging: disabled Monitor logging: level debugging Buffer logging: level debugging, 3 Messages Logged, Size (40960
ftp-server username nairobi password 0 zanzibar DellEMC# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands. • Specify the directory for users using FTP to reach the system. CONFIGURATION mode ftp-server topdir dir • The default is the internal flash directory. Specify a user name for all FTP users and configure either a plain text or encrypted password.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server. Terminal Lines You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs). The virtual terminal lines (VTYs) connect you through Telnet to the system.
seq 15 permit ip any any ! ipv6 access-list testv6deny seq 10 deny ipv6 3001::/64 any seq 15 permit ipv6 any any ! DellEMC(conf)# DellEMC(conf)#line vty 0 0 DellEMC(config-line-vty)#access-class testv6deny ipv6 DellEMC(config-line-vty)#access-class testvpermit ipv4 DellEMC(config-line-vty)#show c line vty 0 exec-timeout 0 0 access-class testpermit ipv4 access-class testv6deny ipv6 ! Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authen
login authentication myvtymethodlist line vty 1 password myvtypassword login authentication myvtymethodlist line vty 2 password myvtypassword login authentication myvtymethodlist DellEMC(config-line-vty)# Setting Timeout for EXEC Privilege Mode EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set timeout, use the following commands. • Set the number of minutes and seconds.
Login: admin Password: DellEMC>exit DellEMC#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin DellEMC# Lock CONFIGURATION Mode Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
LPC Bus Quality Degradation LPC Bus Quality Analyzer (LBQA) runs on the system that make use of the LPC bus. It constantly monitors the LPC bus and alerts or warns the user using following methods when it detects signal degradation: 1 The system displays a high priority syslog message. The text of this syslog is CPU Clock signal has degraded below acceptable threshold on stack-unit with service tag . Please contact Technical Support.
EXEC Privilege mode reload onie [install | uninstall | rescue] Use the install parameter to reload the system and enter the Install mode to install a networking OS. Use the uninstall parameter to reload the system and enter the Uninstall mode to uninstall a networking OS. Use the rescue parameter to reload the system and enter the Rescue mode to access the file system.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
• Configuring Dynamic VLAN Assignment with Port Authentication • Guest and Authentication-Fail VLANs Port-Authentication Process The authentication process begins when the authenticator senses that a link status has changed from down to up: 1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame. 2 The supplicant responds with its identity in an EAP Response Identity frame.
Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Configuring dot1x Profile You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters. Thedot1x profile {profile-name} command sets the dot1x profile mode and you can enter profile-related commands, such as the mac command. To configure a dot1x profile, use the following commands. • Configure a dot1x profile.
dot1x static-mab profile profile-name Eenter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters. Example of Static MAB and MAB Profile for an Interface DellEMC(conf-if-Te-2/1)#dot1x static-mab profile sample DellEMC(conf-if-Te 2/1))#show config ! interface TenGigabitEthernet 21 switchport dot1x static-mab profile sample no shutdown DellEMC(conf-if-Te 2/1))#show dot1x interface TenGigabitEthernet 2/1 802.
no shutdown DellEMC#show dot1x interface tengigabitethernet 2/1 802.
Enabling 802.1X Enable 802.1X globally. Figure 7. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Examples of Verifying that 802.1X is Enabled Globally and on an Interface Verify that 802.
In the following example, the bold lines show that 802.1X is enabled. DellEMC#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface GigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! DellEMC# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. DellEMC#show dot1x interface GigabitEthernet 2/1/ 802.
• Configure the maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2. The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits for 10 times.
Forcibly Authorizing or Unauthorizing a Port The 802.1X ports can be placed into any of the three states: • ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is same as disabling 802.1X on the port. • ForceUnauthorized — an unauthorized state.
dot1x reauthentication [interval] seconds The range is from 1 to 31536000. • The default is 3600. Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode dot1x reauth-max number The range is from 1 to 10. The default is 2. Example of Re-Authenticating a Port and Verifying the Configuration The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
The default is 30. Example of Viewing Configured Server Timeouts The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts. DellEMC(conf-if-Gi-1/1)#dot1x port-control force-authorized DellEMC(conf-if-Gi-1/1)#do show dot1x interface GigabitEthernet 1/1 802.
Figure 8. Dynamic VLAN Assignment 1 Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2 Make the interface a switchport so that it can be assigned to a VLAN. 3 Create the VLAN to which the interface will be assigned. 4 Connect the supplicant to the port configured for 802.1X.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users. • • If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN. If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
no shutdown DellEMC(conf-if-gi-2/1)# Example of Viewing Configured Authentication View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode. 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL VLAN group is deleted and it does not contain VLAN members. • The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. • The description of the ACL group is added or removed. Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The interfaces where you apply the ACL VLAN group function as restricted interfaces.
description description 3 Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4 Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
EXEC Privilege mode DellEMC#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|============|============|============= 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 Codes: * - cam usage is above 90%. Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub- partitions) using the show cam-usage command in EXEC Privilege mode.
2 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 3 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL Codes: * - cam usage is above 90%.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default. You must also allocate the slices for CAM optimization. To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Topics: • IP Access Control Lists (ACLs) • Important Points to Remember • IP Fragment Handling • Configure a Standard IP ACL • Configure an Extended IP ACL • Configure Layer 2 and Layer 3 ACLs • Assign an IP ACL to an Interface • Applying an IP ACL • Configure Ingress ACLs • Configure Egress ACLs • IP Prefix Lists • ACL Remarks • ACL Resequencing • Route Maps • Logging of ACL Processes • Flow-Based Monitoring IP Access Control Lists (ACLs) In Dell EMC Networking switch/router
CAM Usage The following section describes CAM allocation and CAM optimization. • User Configurable CAM Allocation • CAM Optimization User Configurable CAM Allocation Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected.
DellEMC(config-std-nacl)#exit DellEMC(conf)#class-map match-all cmap1 DellEMC(conf-class-map)#match ip access-group acl1 DellEMC(conf-class-map)#exit DellEMC(conf)#class-map match-all cmap2 DellEMC(conf-class-map)#match ip access-group acl2 DellEMC(conf-class-map)#exit DellEMC(conf)#policy-map-input pmap DellEMC(conf-policy-map-in)#service-queue 7 class-map cmap1 DellEMC(conf-policy-map-in)#service-queue 4 class-map cmap2 DellEMC(conf-policy-map-in)#exit DellEMC(conf)#interface gigabitethernet 10/1 DellEMC(
Configured Route Map Examples The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode.
Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, Dell EMC Networking OS does a match between all of those match commands.
• Match routes whose next hop is a specific interface. CONFIG-ROUTE-MAP mode match interface interface The parameters are: – For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a port channel interface, enter the keywords port-channel then a number.
To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command. Configuring Set Conditions To configure a set condition, use the following commands. • Add an AS-PATH number to the beginning of the AS-PATH. CONFIG-ROUTE-MAP mode set as-path prepend as-number [...
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map “test” module 10, module 30 is processed.
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32 DellEMC(conf-ext-nacl) Layer 4 ACL Rules Examples The following examples show the ACL commands for Layer 4 packet filtering. Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked. • If a packet's FO > 0, the packet is permitted. • If a packet's FO = 0, the next ACL entry is processed.
A standard IP ACL uses the source IP address as its match criterion. 1 Enter IP ACCESS LIST mode by naming a standard IP access list. CONFIGURATION mode ip access-list standard access-listname 2 Configure a drop or forward filter. CONFIG-STD-NACL mode seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments] NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
ip access-list standard access-list-name 2 Configure a drop or forward IP ACL filter. CONFIG-STD-NACL mode {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator [portnumber ] [count [byte]] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured. Dell EMC Networking OS assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
• L2 egress access list If a rule is simply appended, existing counters are not affected. Table 7. L2 and L3 Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny L3 ACL denies. Deny Permit L3 ACL permits. Permit Deny L3 ACL denies. Permit Permit L3 ACL permits. NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show runningconfig command in EXEC mode. Example of Viewing ACLs Applied to an Interface DellEMC(conf-if)#show conf ! interface GigabitEthernet 1/1 ip address 10.2.1.100 255.255.255.0 ip access-group nimule in no shutdown DellEMC(conf-if)# To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information In Dell EMC Networking OS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists.
ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.0/8 le 16 seq 20 permit 0.0.0.0/0 le 32 DellEMC(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Examples of the show ip prefix-list Command The following example shows the show ip prefix-list detail command. DellEMC>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.
network 10.0.0.0 DellEMC(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode. CONFIGURATION mode • router ospf Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
ip access-list {extended | standard} access-list-name ipv6 access-list {extended | standard} access-list-name 2 Define the ACL rule. CONFIG-EXT-NACL mode or CONFIG-STD-NACL seq sequence-number {permit | deny} options 3 Write a remark. CONFIG-EXT-NACL mode or CONFIG-STD-NACL remark [remark-number] remark-text The remark number is optional.
ACL Resequencing ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing whenever there is no opportunity. For example, the following table contains some rules that are numbered in increments of 1.
ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 DellEMC# end DellEMC# resequence access-list ipv4 test 2 2 DellEMC# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed. The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies. Logging of ACL Processes This functionality is supported on the platform.
Guidelines for Configuring ACL Logging This functionality is supported on the platform. Keep the following points in mind when you configure logging of ACL activities: • During initialization, the ACL logging application tags the ACL rule indices for which a match condition exists as being in-use, which ensures that the same rule indices are not reused by ACL logging again.
IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces. CONFIG-STD-NACL mode seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [interval minutes]] Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. You cannot apply the same ACL to an interface or a monitoring session context simultaneously. The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions).
flow-based enable 2 Define access-list rules that include the keyword monitor. Dell Networking OS only considers port monitoring traffic that matches rules with the keyword monitor. CONFIGURATION mode ip access-list For more information, see Access Control Lists (ACLs). 3 Apply the ACL to the monitored port.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 9. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: Dell EMC Networking OS supports Asynchronous mode only. A session can have four states: Administratively Down, Down, Init, and Up. State Description Administratively Down The local system does not participate in a particular session.
Figure 10.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
Configure BFD This section contains the following procedures. • Configure BFD for Static Routes • Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Viewing Physical Port Session Parameters BFD sessions are configured with default intervals and a default role (active). Dell EMC Networking recommends maintaining the default values. To view session parameters, use the show bfd neighbors detail command. Example of Viewing Session Parameters R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.
If the remote system state changes due to the local state administration being down, this message displays: R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.1 on interface Gi 2/1 (diag: 7) Configure BFD for Static Routes BFD offers systems a link state detection mechanism for static routes.
R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.2 Gi 4/24 Up 200 200 4 R To view detailed session information, use the show bfd neighbors detail command. Establishing Sessions for Static Routes for Nondefault VRF You can also create nondefault VRFs and establish sessions for all neighbors that are the next hop of a static route.
Ad Dn B C I O O3 R M V VT - Admin Down BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients * 13.1.1.1 13.1.1.2 Gi 1/2 Up 200 200 3 2 R * 23.1.1.1 23.1.1.2 Vl 300 Up 200 200 3 2 R * 33.1.1.1 33.1.1.2 Vl 301 Up 200 200 3 2 R Establishing Static Route Sessions on Specific Neighbors You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list.
• If other destination prefixes in the prefix-list are pointing to the same neighbor, then the no permit or the deny option on a particular destination prefix neither creates a BFD session on a neighbor nor removes the static routes from the unicast database. • BFD sessions created using any one IP prefix list are active at any given point in time. If a new prefix list is assigned, then BFD sessions corresponding to the older (existing) prefix list are replaced with the newer ones.
Establishing Sessions for IPv6 Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. To establish a BFD session, use the following command. • Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
The following example shows that sessions are created for static routes for the default VRF.
Configure BFD for OSPF When you use BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change has occurred. Configuring BFD for OSPF is a two-step process: 1 Enable BFD globally. 2 Establish sessions with OSPF neighbors.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Enable BFD globally.
INTERFACE mode ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Gi 2/1 Up 100 100 3 O 2.2.3.
• Disable BFD sessions with all OSPF neighbors on an interface. INTERFACE mode ip ospf bfd all-neighbors disable Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1 Enable BFD globally. 2 Establish sessions with OSPFv3 neighbors.
* fe80::2a0:c9ff:fe00:2 DellEMC# fe80::3617:98ff:fe34:12 Vl 2 Up 200 200 3 O3 Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs To configure BFD in a nondefault VRF, use the following procedure: • Enable BFD globally. CONFIGURATION mode • bfd enable Establish sessions with all OSPFv3 neighbors in a specific VRF. ROUTER-OSPFv3 mode • bfd all-neighbors Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
* 13.1.1.1 511 O 13.1.1.2 Vl 103 Up 150 150 3 * fe80::2a0:c9ff:fe00:2 511 O3 fe80::3617:98ff:fe34:12 Vl 100 Up 150 150 3 * fe80::2a0:c9ff:fe00:2 511 O3 fe80::3617:98ff:fe34:12 Vl 101 Up 150 150 3 * fe80::2a0:c9ff:fe00:2 511 O3 fe80::3617:98ff:fe34:12 Vl 102 Up 150 150 3 * fe80::2a0:c9ff:fe00:2 511 O3 DellEMC# fe80::3617:98ff:fe34:12 Vl 103 Up 150 150 3 Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1 Enable BFD globally. 2 Establish sessions for all or particular IS-IS neighbors.
• Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode bfd all-neighbors • Establish sessions with IS-IS neighbors on a single interface. INTERFACE mode isis bfd all-neighbors Example of Verifying Sessions with IS-IS Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled.
ROUTER-ISIS mode no bfd all-neighbors • Disable BFD sessions with IS-IS neighbors on a single interface. INTERFACE mose isis bfd all-neighbors disable Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on physical, port-channel, and VLAN interfaces. BFD for BGP does not support the BGP multihop feature.
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (COPP) framework to avoid BFD packets drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
8 Activate the neighbor in IPv6 address family. CONFIG-ROUTERBGPv6_ADDRESSFAMILY mode neighbor ipv6-address activate 9 Configure parameters for a BFD session established with all neighbors discovered by BGP. Or establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters. CONFIG-ROUTERBGP mode bfd all-neighbors DellEMC(conf)#router bgp 1 DellEMC(conf-router_bgp)#neighbor 10.1.1.2 remote-as 2 DellEMC(conf-router_bgp)#neighbor 10.1.1.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode neighbor {ipv6-address | peer-group name} remote-as as-number 7 Enable the BGP neighbor. CONFIG-ROUTERBGP_ADDRESSFAMILY mode neighbor { ipv6-address | peer-group-name} no shutdown 8 Specify the address family as IPv6. CONFIG-ROUTERBGP_ADDRESSFAMILY mode address-family ipv6 unicast vrf vrf-name NOTE: Before performing this step, create the required VRF. 9 Activate the neighbor in IPv6 address family.
• Disable a BFD for BGP session with a specified neighbor. ROUTER BGP mode • neighbor {ip-address | ipv6–address |peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor. ROUTER BGP mode no neighbor {ip-address | ipv6–address | peer-group-name} bfd disable Displaying BFD for BGP Information You can display related information for BFD for BGP.
LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.2 2.2.2.2 3.3.3.2 Interface Gi 6/1 Gi 6/2 Gi 6/3 State Up Up Up Rx-int 200 200 200 Tx-int 200 200 200 Mult 3 3 3 Clients B B B The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets). R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.
The bold line shows the message displayed when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 200 Min_rx 200 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.
BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.4 BGP neighbor is 2.2.2.4, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP peer-group mode BFD configuration Peer active in peer-group outbound optimization ...
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
The bold line shows that VRRP BFD sessions are enabled. DellEMC(conf-if-gi-4/25)#vrrp bfd all-neighbors DellEMC(conf-if-gi-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr * 2.2.5.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.5.2 Gi 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.
To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. • Disable all VRRP sessions on an interface. INTERFACE mode no vrrp bfd all-neighbors • Disable all VRRP sessions in a VRRP group. VRRP mode bfd disable • Disable a particular VRRP session on an interface.
9 Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select different path by altering some of the BGP attributes.
connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, so thus the term Transit AS. The devices within an AS (AS1 or AS2, as seen in the following illustration) exchange routing information using Internal BGP (IBGP), whereas the devices in different AS communicate using External BGP (EBGP). IBGP provides routers inside the AS with the knowledge to reach routers external to the AS.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. AS4 Number Representation Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): .. Some examples are shown in the following table. • • All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show commands outputs. AS Numbers larger than 65535 is represented using ASDOT notation as ..
router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
• Next Hop NOTE: There are no hard coded limits on the number of attributes that are supported in the BGP. Taking into account other constraints such as the Packet Size, maximum number of attributes are supported in BGP. Communities BGP communities are sets of routes with one or more common attributes. Communities are a way to assign common attributes to multiple routes at the same time. NOTE: Duplicate communities are not rejected.
Best Path Selection Details 1 Prefer the path with the largest WEIGHT attribute. 2 Prefer the path with the largest LOCAL_PREF attribute. 3 Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a 4 Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
Weight The weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred. The route with the highest weight is installed in the IP routing table. Local Preference Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
Network *> 7.0.0.0/29 *> 7.0.0.0/30 *> 9.2.0.0/16 Next Hop 10.114.8.33 10.114.8.33 10.114.8.33 Metric 0 0 10 LocPrf 0 0 0 Weight 18508 18508 18508 Path ? ? 701 i AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a EBGP neighbor. NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example.
MBGP allows information about the topology of the IP multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast routers. It allows a multicast routing topology different from the unicast routing topology. MBGP uses either an IPv4 address configured on the interface (which is used to establish the IPv6 session) or a stable IPv4 address that is available in the box as the next-hop address.
Example of BGP configuration command levels Following is an example configuration, which explains the neighbor configuration for all the address families. Also, the configuration shows how to create address families (IPv4 and IPv6) and activate the neighbors in the address family. DellEMC(conf)#router bgp 10 DellEMC(conf-router_bgp)#neighbor 20.20.20.1 remote-as 200 DellEMC(conf-router_bgp)#neighbor 20.20.20.
Implement BGP with Dell EMC Networking OS The following sections describe how to implement BGP on Dell EMC Networking OS. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID in Best-Path Calculation You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath routerid ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. AS Number Migration With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
3 Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B. BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.
• Multiple BPG process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer. • Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP query response. • The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used. • Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero. • 4-byte ASN is supported.
Restrictions Dell EMC Networking OS supports only one BGP routing configuration and autonomous system (AS), but supports multiple address family configuration. Enabling BGP By default, BGP is disabled on the system. Dell EMC Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor.
Example configuration steps to enable BGP NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp * command in EXEC Privilege mode. To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode. The example shows that the summary with a 2-byte AS number using the show ip bgp summary command.
Last read 00:00:00, Last write 00:00:07 Hold time is 90, keepalive interval is 30 seconds Received 18 messages, 0 in queue 7 opens, 6 notifications, 0 updates 5 keepalives, 0 route refresh requests Sent 26 messages, 0 in queue 7 opens, 0 notifications, 0 updates 19 keepalives, 0 route refresh requests Route refresh request: received 0, sent messages 0 Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds For address family: IPv4 Unicast BGP local RIB : R
Changing a BGP router ID BGP uses the configured router ID to identify the devices in the network. By default, the router ID is the highest IP address of the Loopback interface. If no Loopback interfaces are configured, the highest IP address of a physical interface on the router is used as the BGP router ID. To change the default BGP router ID, use the following command. • Change the BGP router ID of a BGP router ROUTER BGP mode bgp router-id ip-address ip-address- IP address in dotted decimal format.
• Enable ASPLAIN AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asplain • NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display. Enable ASDOT AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot • Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command output.
Configuring a BGP peer To configure a BGP neighbor or peer, you must provide the IP address and the AS number of each neighbor since BGP does not discover the neighbor or peer. Neighbors that are present with the same AS communicate using IBGP while the neighbors that are present in different AS communicate using EBGP. To allow the neighbor to establish a BGP session, you have to enable the neighbor by providing neighbor no shutdown command. To configure BGP between two peers, use the following commands.
Example-Configuring BGP routing between peers The following example show how BGP is configured between two peers. Figure 23. BGP topology with two AS To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. Example-Configuring BGP routing between peers Example of enabling BGP in Router A Following is an example to enable BGP configuration in the router A.
Following is the sample output for show ip bgp summary command for Router B. RouterB#show ip bgp summary BGP router identifier 172.17.1.99, local 45000 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 1 neighbor(s) using 40960 bytes of memory Neighbor 192.168.1.2 AS 40000 MsgRcvd 10 MsgSent 20 TblVer 0 InQ 0 OutQ Up/Down State/Pfx 0 00:06:11 0 BGP peer group To configure multiple BGP neighbors at one time, create and populate a BGP peer group.
3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown By default, all peer groups are disabled. 4 Create a BGP neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address} remote-as as-number 5 Enable the neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address} no shutdown NOTE: You can use neighbor shutdown command to disable a BGP neighbor or a peer group. 6 Add an enabled neighbor to the peer group.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode. When you create a peer group, it is disabled (shutdown). The following example shows the creation of a peer group (zanzibar) (in bold). To enable a peer group, use the neighbor peer-group-name no shutdown command.
Figure 24. BGP peer group example configurations Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/32 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int gi 1/21 R1(conf-if-gi-1/21)#ip address 10.0.1.21/24 R1(conf-if-gi-1/21)#no shutdown R1(conf-if-gi-1/21)#show config ! interface GigabitEthernet 1/21 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100 R1(conf-router_bgp)#neighbor 10.0.3.33 no shut R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 10.0.3.33 no shutdown neighbor 10.0.3.
R3(conf-if-gi-3/21)#no shutdown R3(conf-if-gi-3/21)#show config ! interface GigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-gi-3/21)# R3(conf-if-gi-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99 R3(conf-router_bgp)#neighbor 10.0.3.31 no shut R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99 R3(conf-router_bgp)#neighbor 10.0.2.2 no shut R3(conf-router_bgp)#show config ! router bgp 100 neighbor 10.0.3.
R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.3 no shut R2(conf-router_bgp)#show conf ! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.1 remote-as 99 neighbor 192.168.128.1 peer-group CCC neighbor 192.
Route-refresh and Soft-reconfiguration BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the time it takes to re-establish the session. BGP soft-reconfiguration allows for policies to be applied to a session without clearing the BGP Session.
DellEMC(conf-router_bgp)# neighbor 10.108.1.1 soft-reconfiguration inbound DellEMC(conf-router_bgp)# exit Route-refresh This section explains how the soft-reconfiguration and route-refresh works. Soft-reconfiguration has to be configured explicitly for a neighbor unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session.
In the below example, under the IPv6 address family configuration, only the IPv6 neighbor is enabled using neighbor ipv6–address activate command. If you execute, clear ip bgp neighbor-ipv4–address soft in command, only the IPv4 route-refresh update is sent. If you execute clear ip bgp neighbor-ipv6–address soft incommand, both the IPv4 and IPv6 route-refresh updates are sent.
reducing the convergence time. You can configure BGP to configure and advertise aggregated routes. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. To aggregate routes, use the following command. AS_SET includes AS_PATH and community information from the routes included in the aggregated route. • Assign the IP address and mask of the prefix to be aggregated.
Suppressing BGP aggregate routes The routes that are suppressed are not advertised to any of the BGP neighbors. You can suppress the aggregate routes using the suppress-map or summary-only options in the aggregate-address configuration. To suppress the advertisement of the aggregate routes using BGP, use the following commands. • Create an aggregate entry and suppress the advertisement of specific routes to all neighbors.
Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists. A regular expression is a special character used to define a pattern that is then compared with an input string. For an AS-path access list, as shown in the previous commands, if the AS path matches the regular expression in the access list, the route matches the access list. The following lists the regular expressions accepted in Dell EMC Networking OS.
DellEMC(config-as-path)#ex DellEMC(conf)#router bgp 99 DellEMC(conf-router_bgp)#neighbor AAA filter-list Eagle in DellEMC(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA filter-list Eaglein neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 filter-list 1 in neighbor 10.155.15.
ip prefix-list prefix-name 2 Create multiple prefix list filters with a deny or permit action. CONFIG-PREFIX LIST mode seq sequence-number {deny | permit} {any | ip-prefix [ge | le] } • ge: minimum prefix length to be matched. • le: maximum prefix length to me matched. For information about configuring prefix lists, refer to Access Control Lists (ACLs). 3 Return to CONFIGURATION mode. CONFIG-PREFIX LIST mode exit 4 Enter ROUTER BGP mode.
Filtering BGP Routes Using Route Maps To filter routes using a route map, use these commands. 1 Create a route map and assign it a name. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Create multiple route map filters with a match or set action. CONFIG-ROUTE-MAP mode {match | set} For information about configuring route maps, see Access Control Lists (ACLs). 3 Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4 Enter ROUTER BGP mode.
Filtering on an AS-Path Attribute You can use the BGP attribute, AS_PATH, to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an AS, the ASN is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing. By identifying certain ASN in the AS_PATH, you can permit or deny routes based on the number in its AS_PATH. AS-PATH ACLs use regular expressions to search AS_PATH values.
20 0 20 0 20 0 20 0 20 0 20 0 20 0 20 0 20 0 20 0 --More-- 64801 64801 64801 64801 64801 64801 64801 64801 64801 64801 i i i i i i i i i i Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. To view which BGP routes meet an IP community or IP extended community list’s criteria, use the show ip bgp {community-list | extcommunity-list} command in EXEC Privilege mode. Configuring BGP Fast Fall-Over By default, a BGP session is governed by the hold time.
CISCO_ROUTE_REFRESH(128) fall-over enabled Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 20.20.20.2, Local port: 65519 Foreign host: 10.10.10.
CONFIG-ROUTER-BGP mode neighbor peer-group-name peer-group passive limit Enter the limit keyword to restrict the number of sessions accepted. 2 Assign a subnet to the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name subnet subnet-number mask The peer group responds to OPEN messages sent on this subnet. 3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4 Create and specify a remote peer for BGP neighbor.
• Enable graceful restart for the BGP node. CONFIG-ROUTER-BGP mode bgp graceful-restart • Set maximum restart time, in seconds, to restart and bring-up all the peers. CONFIG-ROUTER-BGP mode bgp graceful-restart [restart-time time-in-seconds] • The default is 120 seconds. Set maximum time, in seconds, to retain the restarting peer’s stale paths. CONFIG-ROUTER-BGP mode bgp graceful-restart [stale-path-time time-in-seconds] • The default is 360 seconds.
– metric value: The value is from 0 to 16777215. The default is 0. – route-map map-name: Specify the name of a configured route map to be consulted before adding the ISIS route. • Include specific OSPF routes into BGP. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – ospf: Indicates that you are redistributing OSPF routes in BGP.
Example configuration for enabling additional paths DellEMC# configure terminal DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500 DellEMC(conf-router_bgp)# bgp add-path both 2 DellEMC(conf-router_bgp)# address-family ipv4 multicast DellEMC(conf-router_bgp_af)# neighbor 10.10.10.1 activate DellEMC(conf-router_bgp_af)# neighbor 10.10.10.
deny 701:20 deny 702:20 deny 703:20 deny 704:20 deny 705:20 deny 14551:20 deny 701:112 deny 702:112 deny 703:112 deny 704:112 deny 705:112 deny 14551:112 deny 701:667 deny 702:667 deny 703:667 deny 704:666 deny 705:666 deny 14551:666 DellEMC# Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1 Create a extended community list and enter the EXTCOMMUNITY-LIST mode.
deny 703:667 deny 704:666 deny 705:666 deny 14551:666 DellEMC# Configure BGP attributes Following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE. Changing MED Attributes By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1 Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a set filter to delete all COMMUNITY numbers in the IP community list.
*>i 6.1.0.0/16 *>i 6.2.0.0/22 *>i 6.3.0.0/18 *>i 6.4.0.0/16 *>i 6.5.0.0/19 *>i 6.8.0.0/20 *>i 6.9.0.0/20 *>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.0/21 *>i 6.151.0.0/16 --More-- 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 205.171.0.16 205.171.0.16 205.171.0.
router bgp as-number 5 Apply the route-map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} route-map map-name {in | out} Example configuration for manipulating the LOCAL_PREFERENCE attribute DellEMC# configure terminal DellEMC(conf)# route-map route1 permit 10 DellEMC(conf-route-map)# set local-preference 140 DellEMC(conf-route-map)# exit DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# neighbor 10.10.10.
• Sets weight for the route. CONFIG-ROUTE-MAP mode set weight weight weight: the range is from 0 to 65535. NOTE: The weight assigned using the set weight command under route map configuration override the weight assigned using the neighbor weight command. Example configuration for changing the WEIGHT attribute DellEMC# configure terminal DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500 DellEMC(conf-router_bgp)# neighbor 10.10.10.
Route Reflectors Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchal RRs maintaining forwarding plane RRs could create routing loops. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
bgp cluster-id ip-address | number – ip-address: IP address as the route reflector cluster ID. – number: A route reflector cluster ID as a number from 1 to 4294967295. • You can have multiple clusters in an AS. When a BGP cluster contains only one route reflector, the cluster ID is the route reflector’s router ID. For redundancy, a BGP cluster may contain two or more route reflectors.
Enter the following optional parameters to configure route dampening parameters: – half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value.
The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
• – holdtime: Time interval, in seconds, between the last keepalive message and declaring the BGP peer is dead. The range is from 3 to 65536. The default is 180 seconds. Configure timer values for all neighbors. CONFIG-ROUTER-BGP mode timers bgp keepalive holdtime – keepalive: Time interval, in seconds, between keepalive messages sent to the neighbor routers. The range is from 1 to 65535. The default is 60 seconds.
Enabling or disabling BGP neighbors You can enable or disable all the configured BGP neighbors using the shutdown all command in ROUTER BGP mode. To disable all the configured BGP neighbors: 1 Enter the router bgp mode using the following command: CONFIGURATION Mode router bgp as-number 2 In ROUTER BGP mode, enter the following command: ROUTER BGP Mode shutdown all You can use the no shutdown all command in the ROUTER BGP mode to re-enable all the BGP interface.
When you use the shutdown all command in global configuration mode, this command takes precedence over the shutdown address-family-ipv4-unicast, shutdown address-family-ipv4-multicast, and shutdown address-familyipv6-unicast commands. Irrespective of whether the BGP neighbors are disabled earlier, the shutdown all command brings down all the configured BGP neighbors. When you issue the no shutdown all command, all the BGP neighbor neighbors are enabled.
confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands. • Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). • Specifies which confederation sub-AS are peers.
Example of configuring both IPv4 and IPv6 VRF address families The following are the sample steps performed to configure a VRF, and VRF address families for IPv4 (unicast and multicast) and IPv6. DellEMC(conf)# ip vrf vrf1 DellEMC(conf-vrf)# exit DellEMC(conf)# router bgp 100 DellEMC(conf-router_bgp)# address-family ipv4 vrf vrf1 DellEMC(conf-router_bgp_af)# neighbor 50.0.0.2 remote-as 200 DellEMC(conf-router_bgp_af)# neighbor 50.0.0.
– peer-group-name: 16 characters. – AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format). – No Prepend: specifies that local AS values are not prepended to announcements from the neighbor. Format: IPv4 Address: A.B.C.D and IPv6 address: X:X:X:X::X. You must Configure Peer Groups before assigning it to an AS. This feature is not supported on passive peer groups.
To disable this feature, use the no neighbor allow-as in number command in CONFIGURATION ROUTER BGP mode. R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.
Configuring IPv6 MBGP between peers To configure IPv6 MBGP, use the following commands. Following are the steps to configure IPv6 MBGP between two peers. The neighbors that are configured using neighbor remote-as command exchange only the IPv4 unicast address prefixes. In order to exchange IPv6 address prefixes, you have to activate the neighbors using neighbor activate command inside the address-family configuration.
Example-Configuring IPv4 and IPv6 neighbors The following example configurations show how to enable BGP and set up some peer under IPv4 and IPv6 address families. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
30.30.30.1 2001::2 20 200 0 40 0 45 0 0 0 0 0 00:00:00 0 0 00:03:14 0 The same output will be displayed when using show ip bgp ipv4 unicast summary command. Following is the sample output of show ip bgp ipv4 multicast summary command. R1# show ip bgp ipv4 multicast summary BGP router identifier 1.1.1.1, local AS number 10 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 1 neighbor(s) using 24576 bytes of memory Neighbor 20.20.20.
Following is the output of show ip bgp ipv6 unicast summary command for the above configuration example. R2#show ip bgp ipv6 unicast summary BGP router identifier 2.2.2.2, local AS number 200 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 2 neighbor(s) using 24576 bytes of memory Neighbor 20.20.20.
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.2 activate DellECM(conf-router_bgpv6_af)# exit Configuring the auto-local-address for a neighbor will dynamically pick the local BGP interface IPv6 address (2001::1/64) as a the next hop for all the updates over IPv4 neighbor configured under IPv6 address family. If the auto-local-address is not configured, the IPv4 mapped IPv6 address (10.1.1.1) as a next hop. Following is the show running-config command output for the above configuration.
BGP Regular Expression Optimization Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in RP1 processor. BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affect BGP routing convergence.
To disable a specific debug command, use the keyword no then the debug command. For example, to disable debugging of BGP updates, use no debug ip bgp updates command. To disable all BGP debugging, use the no debug ip bgp command. To disable all debugging, use the undebug all command. Storing Last and Bad PDUs Dell EMC Networking OS stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis.
PDU Counters Dell EMC Networking OS supports additional counters for various types of PDUs sent and received from neighbors. These are seen in the output of the show ip bgp neighbor command.
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation CAM Allocation for Ingress To allocate the space for regions such has L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports upto 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 1024 entries.
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0. 3 Execute write memory and verify that the new settings are written to the CAM on the next boot. EXEC Privilege mode show cam-acl 4 Reload the system. EXEC Privilege mode reload Test CAM Usage To determine whether sufficient CAM space is available to enable a service-policy, use the test-cam-usage command.
VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 DellEMC(conf)# Example of Viewing CAM-ACL Settings NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 DellEMC# View CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode The following output shows CAM blocks usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space: Example of the show cam-usage Command Conf
NOTE: If you delete a FP in a CAM region that is assigned with threshold, a syslog warning appears even during the silence period. The system triggers syslog during the following events: • Re-configure the CAM threshold • Add or delete an ACL rule Example of Syslog message on CAM usage Following table shows few possible scenarios during which the syslog message appear on re-configuring the CAM usage threshold value.
If you exceed the QoS CAM space, follow these steps. 1 Verify that you have configured a CAM profile that allocates 24 K entries to the IPv4 system flow region. 2 Allocate more entries in the IPv4Flow region to QoS. Dell EMC Networking OS supports the ability to view the actual CAM usage before applying a service-policy. The test cam-usage service-policy command provides this test framework. For more information, refer to Pre-Calculating Available QoS CAM Space.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
CONTROL-PLANE mode service-policy rate-limit-protocols Examples of Configuring CoPP for Different Protocols The following example shows creating the IP/IPv6/MAC extended ACL.
DellEMC(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#exit The following example shows creating the control plane service policy.
The following example shows creating the control plane service policy. DellEMC#conf DellEMC(conf)#control-plane DellEMC(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy CoPP for OSPFv3 Packets You can create an IPv6 ACL for control-plane traffic policing for OSPFv3, in addition to the CoPP support for VRRP, BGP, and ICMP. You can use the ipv6 access-list name cpu-qos permit ospfv3 command to allow CoPP traffic for OSPFv3.
As part of enhancements, CPU queues are increased from 8 to 12 on CPU port. However, the front-end port and the backplane ports support only 8 queues. As a result, when packets are transmitted to the local CPU, the CPU uses Q0-Q11 queues. The control packets that are tunneled to the master unit are isolated from the data queues and the control queues in the backplane links. Control traffic must be sent over the control queues Q4-Q7 on higig links.
• NDP Packets in VLT peer routing enable – VLT peer routing enable cases each VLT node will have route entry for link local address of both self and peer VLT node. Peer VLT link local entry will have egress port as ICL link. And Actual link local address will have entry to CopyToCpu. But NDP packets destined to peer VLT node needs to be taken to CPU and tunneled to the peer VLT node..
unicast packets. This CLI knob to turn off the catch-all route is of use in networks where the user does not want to generate Destination Unreachable messages and have the CPU queue’s bandwidth available for higher priority control-plane traffic. Configuring CoPP for OSPFv3 You can create an IPv6 ACL for control-plane traffic policing for OSPFv3, in addition to the CoPP support for VRRPv3, BGPv6, and ICMPv6.
Viewing Queue Rates Example of Viewing Queue Rates DellEMC#show cpu-queue rate cp Service-Queue Rate (PPS) -------------- ----------Q0 1300 Q1 300 Q2 300 Q3 300 Q4 2000 Q5 400 Q6 400 Q7 1100 DellEMC# Example of Viewing Queue Mapping To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
DellEMC# Control Plane Policing (CoPP) 267
12 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Figure 29. DHCP packet Format The following table lists common DHCP options. Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Rebinding Time Option 59 Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond. Vendor Class Identifer Option 60 L2 DHCP Snooping Option 82 Identifies a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server.
Figure 30. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell EMC Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell EMC Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibilities Description keeping track of which addresses have been allocated and which are still available. Configuration Parameter Storage and Management DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate. Lease Management DHCP servers use leases to allocate addresses to clients for a limited time.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need.
Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP host—address address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
Figure 31. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gigabitethernet 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
To manually configure a static IP address on an interface, use the ip address command. A prompt displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a DHCP server-assigned IP address is removed. To enable acquiring a dynamic IP address from a DHCP server on an interface configured with a static IP address, use the ip address dhcp command. A prompt displays to confirm the IP address reconfiguration.
server are in the same or different subnets. The management default route is deleted if the management IP address is released like other DHCP client management routes. • ip route for 0.0.0.0 takes precedence if it is present or added later. • Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
• An entry in the DHCP snooping table is not added for a DHCP client interface. DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server. Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group.
route-map map2 permit 20 match source-protocol connected Route Leaking for Complete Routing Table ! ip vrf VRF_1 ip route-import 1:1 ip route-export 2:2 ! ip vrf VRF_2 ip route-import 2:2 ip route-export 1:1 Route Leaking for Selective Routes ! ip vrf VRF_1 ip route-import 1:1 map1 ip route-export 2:2 map2 ! ip vrf VRF_2 ip route-import 2:2 ip route-export 1:1 ! ! route-map map1 permit 10 match ip address ip1 ! route-map map2 permit 20 match ip address ip2 ! ip prefix-list ip1 seq 5 permit 20.0.0.
Configuring DHCP relay source interface The following section explains how to configure global and interface level DHCP relay source IPv4 or IPv6 configuration to forward all the DHCP packets from the DHCP client to DHCP server through the configured source interface. This feature is applicable only for L3 interface with relay configuration and L3 DHCP snooping enabled VLANs.
{ip | ipv6} dhcp relay source-interface interface Example configuration of interface level DHCP relay source IPv4 or IPv6 interface Following are the steps to configure interface specific source IPv4 or IPv6 configuration for DHCP relay. The below example shows when the DHCP relay uses the interface specific configuration and global source interface configuration depending on the configuration. 1 Configuring L3 interface with IPv4 or IPv6 address.
Configure the System for User Port Stacking (Option 230) Set the stacking-option variable to provide stack-port detail on the DHCP server when you set the DHCP offer. A stack can be formed when the units are connected. Option 230 is the option for user port stacking. Use it to create up to eight stack groups. Define the configuration parameters on the DHCP server for each chassis based on the chassis MAC address.
• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks. • associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent. • assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
INTERFACE mode INTERFACE PORT EXTENDER mode ip dhcp snooping trust 3 Enable DHCP snooping on a VLAN. CONFIGURATION mode ip dhcp snooping vlan name Enabling IPv6 DHCP Snooping To enable IPv6 DHCP snooping, use the following commands. 1 Enable IPv6 DHCP snooping globally. CONFIGURATION mode ipv6 dhcp snooping 2 Specify ports connected to IPv6 DHCP servers as trusted. INTERFACE mode ipv6 dhcp snooping trust 3 Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
• Delete all of the entries in the binding table. EXEC Privilege mode clear ip dhcp snooping binding Clearing the DHCP IPv6 Binding Table To clear the DHCP IPv6 binding table, use the following command. • Delete all of the entries in the binding table. EXEC Privilege mode clear ipv6 dhcp snooping binding DellEMC# clear ipv6 dhcp snooping? binding Clear the snooping binding database Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command.
IP Address MAC Address Expires(Sec) Type VLAN Interface ========================================================================= 10.1.1.254 00:00:a0:00:00:02 162 D Vl 200 Gi 1/4 10.1.1.
11:11::22 33::22 333:22::22 11:22:11:22:11:22 11:22:11:22:11:23 11:22:11:22:11:24 120331 120331 120331 S S D Vl 100 Vl 200 Vl 300 Gi 1/1 Gi 1/1 Gi 1/2 Debugging the IPv6 DHCP To debug the IPv6 DHCP, use the following command. • Display debug information for IPV6 DHCP. EXEC Privilege mode debug ipv6 dhcp IPv6 DHCP Snooping MAC-Address Verification Configure to enable verify source mac-address in the DHCP packet against the mac address stored in the snooping binding table.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-to-MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS) attacks, among others. A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender protocol field are strategically chosen by the attacker.
Configuring dynamic ARP inspection-limit To configure dynamic ARP inspection rate limit on a port, perform the following task. 1 Enter into global configuration mode. EXEC Privilege mode configure terminal 2 Select the interface to be configured. CONFIGURATION mode interface interface-name 3 Configure ARP packet inspection rate limiting. INTERFACE CONFIGURATION mode arp inspection-limit {rate pps [interval seconds]} The rate packet per second (pps) range is from 1 to 2048. The default is 15.
Source Address Validation Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV). Table 18. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell EMC Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
Viewing the Number of SAV Dropped Packets The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
13 Equal Cost Multi-Path (ECMP) This chapter describes configuring ECMP. This chapter describes configuring ECMP. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
Interface Gi 1/1 Gi 1/1 Line Protocol Up Up Utilization[In Percent] 36 52 Managing ECMP Group Paths To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command. NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
• Modify the threshold for monitoring ECMP group bundles. CONFIGURATION mode link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. • The default is 60%. Display details for an ECMP group bundle. EXEC mode show link-bundle-distribution ecmp-group ecmp-group-id The range is from 1 to 64. Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network.
14 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Examples of the show fips status and show system Commands The following example shows the show fips status command. DellEMC#show fips status FIPS Mode : Enabled for the system using the show system command. The following example shows the show system command. Disabling FIPS Mode When you disable FIPS mode, the following changes occur: • The SSH server disables. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
15 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
• One Master node per ring — all other nodes are Transit. • Each node has two member interfaces — primary and secondary. • There is no limit to the number of nodes on a ring. • Master node ring port states — blocking, pre-forwarding, forwarding, and disabled. • Transit node ring port states — blocking, pre-forwarding, forwarding, and disabled. • STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation.
Concept Explanation • Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval. • Topology Change RHF (TCRHF) — These frames contains ring status, keepalive, and the control and member VLAN hash. The TCRHF is processed at each node of the ring.
Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
CONFIG-FRRP mode. no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
show frrp summary Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • • • • • • Each Control Ring must use a unique VLAN ID. Only two interfaces on a switch can be Members of the same control VLAN. There can be only one Master node for any FRRP group. You can configure FRRP on Layer 2 interfaces only. Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
no shutdown ! interface Vlan 101 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface GigabitEthernet 3/14 no ip address switchport no shutdown ! interface GigabitEthernet 3/21 no ip address switchport no shutdown ! interface Vlan 101 no ip address ta
Figure 33. FRRP Ring Connecting VLT Devices You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per VLAN or VLAN group basis enabling the configuration to spawn across different set of VLANs.
In the FRRP ring R2, the primary interface for VLT Node1 (transit node) is the VLTi. P1 is the secondary interface, which is an orphan port that is participating in the FRRP ring topology. V1 is the control VLAN through which the RFHs are exchanged indicating the health of the nodes and the FRRP ring itself. In addition to the control VLAN, multiple member VLANS are configured (for example, M11 through Mn) that carry the data traffic across the FRRP rings.
16 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
• RPM Redundancy Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 35.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP DellEMC(conf)#protocol gvrp DellEMC(config-gvrp)#no disable DellEMC(config-gvrp)#show config ! protocol gvrp no disable DellEMC(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
• RPM Synchronization GARP VLAN Registration Protocol (GVRP) 319
17 High Availability (HA) High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release. Table 19. Boot Code Requirements Component Boot Code S3048–ON 1 2.0.
Example of the show redundancy Command DellEMC#show redundancy -- Stack-unit Status ------------------------------------------------Mgmt ID: 0 Stack-unit ID: 0 Stack-unit Redundancy Role: Primary Stack-unit State: Active Stack-unit SW Version: 9.6(0.
Example of the redundancy force-failover stack-unit Command Dell#redundancy force-failover stack-unit System configuration has been modified. Save? [yes/no]: yes Proceed with Stack-unit hot failover [confirm yes/no]:yes Dell# Specifying an Auto-Failover Limit When a non-recoverable fatal error is detected, an automatic failover occurs. However, Dell EMC Networking OS is configured to auto-failover only three times within any 60 minute period and you cannot change that.
deliver a hitless OSPF-LACP result. However, to achieve a hitless end result, if the hitless behavior involves multiple protocols, all protocols must be hitless. For example, if OSPF is hitless but bidirectional forwarding detection (BFD) is not, OSPF operates hitlessly and BFD flaps upon an RPM failover. The following protocols are hitless: • Link aggregation control protocol. • Spanning tree protocol. Refer to Configuring Spanning Trees as Hitless.
Failure and Event Logging Dell EMC Networking systems provide multiple options for logging failures and events. Trace Log Developers interlace messages with software code to track the execution of a program. These messages are called trace messages and are primarily used for debugging and to provide lower-level information then event messages, which system administrators primarily use.
18 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
leaves a multicast group by sending an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast receivers and processes survey responses to populate the multicast routing table. IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 36.
3 Any remaining hosts respond to the query according to the delay timer mechanism (refer to Adjusting Query and Response Timers). If no hosts respond (because there are none remaining in the group), the querier waits a specified period and sends another query. If it still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2.
Figure 38. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 39. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 40. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled IPv4 interfaces. EXEC Privilege mode • show ip igmp interface View IGMP-enabled IPv6 interfaces. EXEC Privilege mode show ipv6 mld interface Example of the show ip igmp interface Command DellEMC#show ip igmp interface GigabitEthernet 3/10 Inbound IGMP access group is not set Internet address is 165.87.34.
Internet address is 1.1.1.1/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 125 seconds IGMP max query response time is 10 seconds IGMP last member query response interval is 1000 ms IGMP immediate-leave is disabled IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves IGMP querying router is 1.1.1.1 (this system) IGMP version is 3 Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command.
When the querier receives a leave message from a host, it sends a group-specific query to the subnet. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI). The switch waits one LMQI after the second query before removing the group from the state table. • Adjust the period between queries.
Figure 41. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 20. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
• View the configuration. CONFIGURATION mode show running-config • Disable snooping on a VLAN.
no ip igmp snooping flood Specifying a Port as Connected to a Multicast Router To statically specify or view a port in a VLAN, use the following commands. • Statically specify a port in a VLAN as connected to a multicast router. INTERFACE VLAN mode ip igmp snooping mrouter • View the ports that are connected to multicast routers. EXEC Privilege mode. show ip igmp snooping mrouter Configuring the Switch as Querier To configure the switch as a querier, use the following command.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Table 21.
When the feature is enabled using the management egress-interface-selection command, the following events are performed: • The CLI prompt changes to the EIS mode. • In this mode, you can run the application and no application commands • Applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered as management applications and the rest of them as non-management applications.
Handling of Switch-Initiated Traffic When the control processor (CP) initiates a control packet, the following processing occurs: • TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function.
• If route lookup in the EIS routing table fails or if the management port is down, then packets are dropped. The management application drop counter is incremented. • Whenever IP address is assigned to the management port, it is stored in a global variable in the IP stack, which is used for comparison with the source IP address of the packet. • Rest of the response traffic is handled as per existing behavior by doing route lookup in the default routing table.
Traffic type / Application type Switch initiated traffic Switch-destined traffic only. No change in the existing behavior.
Table 23.
Table 24.
• Designate an interface as a multicast router interface.
19 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 1 Gigabit Ethernet and 10 Gigabit Ethernet interfaces.
• VLAN Interfaces • Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for Flow Control • Configure the MTU Size on an Interface • Port-Pipes • Auto-Negotiation on Ethernet Interfaces • View Advanced Interface Information • Configuring the Traffic S
NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell EMC Networking OS returns to the command prompt. NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. Examples of the show Commands The following example shows the configuration and status information for one interface.
interface GigabitEthernet no ip address shutdown ! interface GigabitEthernet no ip address shutdown ! interface GigabitEthernet no ip address shutdown ! interface GigabitEthernet no ip address shutdown 2/6 2/7 2/8 2/9 Resetting an Interface to its Factory Default State You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1 View the configurations applied on an interface.
interface interface 2 • For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. Enable the interface. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
show interfaces eee statistics show interfaces interface-type slot/port eee statistics show interfaces interface-type slot/port-range eee statistics • List the hardware counters on a specified interface or a specified stack unit. EXEC mode EXEC PRIVILEGE mode show hardware counters interface-type slot/port show hardware stack-unit stack-unit-number unit unit-number counters Examples of the show Commands The following example shows the status information for all the interfaces.
S3048–ON Dell#show interfaces gigabitethernet 1/1 eee statistics Port EEE LPI TxLPIEventCount TxLPIDuration Gi 1/1 Yes Yes 0 0 The following example shows the hardware counters on a specified interface.
TX - 1519 to 1522 Byte Good VLAN Frame Counter TX - 1519 to 2047 Byte Frame Counter TX - 2048 to 4095 Byte Frame Counter TX - 4096 to 9216 Byte Frame Counter TX - Good Packet Counter TX - Packet/Frame Counter TX - Unicast Frame Counter TX - Multicast Frame Counter TX - Broadcast Frame Counter TX - Byte Counter TX - Control Frame Counter TX - Pause Control Frame Counter TX - Oversized Frame Counter TX - Jabber Counter TX - VLAN Tag Frame Counter TX - Double VLAN Tag Frame Counter TX - RUNT Frame Counter TX -
RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - 356 Control Frame Counter Pause Control Frame Counter Oversized Frame Counter Jabber Frame Counter VLAN Tag Frame Counter Double VLAN Tag Frame Counter RUNT Frame Counter Fragment Counter VLAN Tagged Packets Ingress Dropped Packet MTU Check Error Frame Counter PFC Frame Priority 0 PFC Frame Priority
TX TX TX TX TX TX TX - Debug Counter 7 Debug Counter 8 Debug Counter 9 Debug Counter 10 Debug Counter 11 EEE LPI Event Counter EEE LPI Duration Counter 0 0 0 0 0 0 0 <
• Overview of Layer Modes • Configuring Layer 2 (Data Link) Mode • Configuring Layer 2 (Interface) Mode • Management Interfaces • Auto-Negotiation on Ethernet Interfaces • Adjusting the Keepalive Timer • Clearing Interface Counters Overview of Layer Modes On all systems running Dell EMC Networking OS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode. Table 26.
Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode no shutdown • Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode. Configuring Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode.
• Enable the interface. INTERFACE mode no shutdown • Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. Example of the show ip interface Command You can only configure one primary IP address per interface.
Following is the sample syslog displayed when the timer for Err-disable recovery is started: May 8 17:18:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/18 from error disabled state caused by bpdu-guard. Following is the sample syslog displayed when the recovery action is complete: May 8 17:21:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_COMPLETE: Error Disable Recovery timer expired for interface Gi 2/18.
Important Points to Remember • Deleting a management route removes the route from both the EIS routing table and the default routing table. • If the management port is down or route lookup fails in the management EIS routing table, the outgoing interface is selected based on route lookup from the default routing table. • If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence.
ip address ip-address mask – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x). Viewing Two Global IPv6 Addresses Important Points to Remember — virtual-ip You can configure two global IPv6 addresses on the system in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example. If you try to configure a third IPv6 address, an error message displays.
• After the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM’s management interface. • Primary and secondary management interface IP and virtual IP must be in the same subnet. To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface.
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. Dell EMC Networking OS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used.
Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface.
The port channel ID ranges from 1 to 128. As soon as you configure a port channel, Dell EMC Networking OS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads.
Creating a Port Channel You can create up to 128 port channels with up to 16 port members per group on the platform. To configure a port channel, use the following commands. 1 Create a port channel. CONFIGURATION mode interface port-channel id-number 2 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown After you enable the port channel, you can place it in Layer 2 or Layer 3 mode.
Examples of the show interfaces port-channel Commands To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell EMC Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1 Remove the interface from the first port channel.
Example of Configuring the Minimum Oper Up Links in a Port Channel DellEMC#config t DellEMC(conf)#int po 1 DellEMC(conf-if-po-1)#minimum-links 5 DellEMC(conf-if-po-1)# Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
EXEC mode DellEMC(conf)# interface gigabitethernet 1/1 DellEMC(conf-if-gi-1/1)#switchport DellEMC(conf-if-gi-1/1)# vlan tagged 2-5,100,4010 DellEMC#show interfaces switchport gi 1/1 Codes: U x G i - Untagged, T - Tagged Dot1x untagged, X - Dot1x tagged GVRP tagged, M - Trunk, H - VSN tagged Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged Name: GigabitEthernet 1/1 802.
Dell EMC Networking OS allows you to modify the hashing algorithms used for flows and for fragments. The load-balance and hashalgorithm commands are available for modifying the distribution algorithms. Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP.
• xor2 — Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor2 • xor4 —Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor4 • xor8 — Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor8 • xor16 — uses 16 bit XOR. Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.
Create a Single-Range The following is an example of a single range. Example of the interface range Command (Single Range) DellEMC(config)# interface range gigabitethernet 1/1 - 1/23 DellEMC(config-if-range-gi-1/1-1/23)# no shutdown DellEMC(config-if-range-gi-1/1-1/23)# Create a Multiple-Range The following is an example of multiple range.
Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range. Example of Adding VLAN and Port-Channel Interface Ranges DellEMC(config-if-range-gi-1/1-1/2)# interface range Vlan 2 – 100 , Port 1 – 25 DellEMC(config-if-range-gi-1/1-1/2-vl-2-100-po-1-25)# no shutdown Defining Interface Range Macros You can define an interface-range macro to automatically select a range of interfaces for configuration.
– For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. Example of the monitor interface Command The information displays in a continuous run, refreshing every 2 seconds by default. To manage the output, use the following keys.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic. To test and display TDR results, use the following commands. 1 To test for cable faults on the TenGigabitEthernet cable. EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message. 2 Displays TDR test results.
• half-life— The accumulated penalty decays exponentially based on the half-life period. The accumulated penalty decreases half after each half-life period. The range of half-life is from 1 to 30 seconds. The default is 5 seconds. • reuse-threshold— After exponential decay, the penalty reaches the default or configured reuse threshold. The interface is unsuppressed and the state changes to “up”. The range of reuse threshold is from 1 to 20000. The default is 750.
Figure 42. Interface State Change Consider an interface periodically flaps as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the penalty is added to 1024. And, the accumulated penalty will exponentially decay based on the set half-life, which is set as 10 seconds in the above example.
accumulated. When the accumulated penalty exceeds the configured suppress threshold (2400), the interface state is set to Error-Disabled state. After the flap (flap 3), the interface flap stops. Then, the accumulated penalty decays exponentially and when it reaches below the set reuse threshold (300), the interface is unsuppressed and the interface state changes to “up” state. Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening.
Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command. • show interfaces dampening • show interfaces dampening summary • show interfaces interface slot/port Configure MTU Size on an Interface In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell EMC Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
INTERFACE mode flowcontrol {rx [off | on] tx [off | on] [negotiate] } – rx on: enter the keywords rx on to process the received flow control frames on this port. – rx off: enter the keywords rx off to ignore the received flow control frames on this port. – tx on: enter the keywords tx on to send control frames from this port to the connected device when a higher rate of traffic is received.
Port-Pipes A port pipe is a Dell EMC Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set. In the command-line interface, a port pipe is entered as port-set port-pipe-number. Auto-Negotiation on Ethernet Interfaces By default, auto-negotiation of speed and full duplex mode is enabled on 10/100/1000 Base-T Ethernet interfaces.
INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 7 Verify configuration changes. INTERFACE mode show config Example of the show interfaces status Command to View Link Status NOTE: The show interfaces status command displays link status, but not administrative status. For both link and administrative status, use the show ip interface command.
mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information DellEMC(conf-if-gi-1/1-autoneg)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode DellEMC(conf-if-gi-1/1-autoneg)# For details about the speed, , and negotiation auto commands, refer to the Interfaces chapter of the Dell EMC Networking OS Command Reference Guide.
802.1QTagged: True Vlan membership: Vlan 2 Name: GigabitEthernet 3/3 802.1QTagged: True Vlan membership: Vlan 2 Name: GigabitEthernet 3/4 802.1QTagged: True Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG.
MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d23h45m Queueing strategy: fifo 0 packets input, 0 bytes Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Mult
0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 3106 packets, 226755 bytes, 0 underruns 133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 406 Multicasts, 0 Broadcasts, 2700 Unicasts 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 150 seconds): Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
• • • • IP ACL IP FIB L2 ACL L2 FIB Clearing Interface Counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters any SNMP program captures. To clear the counters, use the following the command. • Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
Example of the show interfaces Command DellEMC# show interfaces gigabitethernet 1/1 GigabitEthernet 1/1 is up, line protocol is down Hardware is DellEMCEth, address is 00:01:e8:41:77:95 Current address is 00:01:e8:41:77:95 Pluggable media present, SFP type is 1000BASE-SX Wavelength is 850nm Interface index is 100974648 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00
• LACP traffic redirects • Common VLT control frames 2 Packets are dropped due to user defined ACLs. 3 Multicast traffic with the TTL value 1. 4 Multicast traffic is not part of any group or special group that has to be processed by the CPU. 5 In addition to the above protocols, the filter processor rule also drops Yellow and Red packets if QoS is configured on the system.
20 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
transform-set myXform-set session-key inbound esp 256 auth encrypt session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0 3 Apply the crypto policy to management traffic.
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
• Configurations Using UDP Helper • UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks.
2 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enable the interface.
– permanent: keep the static route in the routing table (if you use the interface option) even if you disable the interface with the route. (optional) – tag tag-value: the range is from 1 to 4294967295. (optional) Example of the show ip route static Command To view the configured routes, use the show ip route static command. DellEMC#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.
To view the description for the IPv4 or IPv6 static routes, use the show running-config static command. Following is the sample show running-config static output: DellEMC#show running-config static ! ipv6 route 1::/32 GigabitEthernet 2/3 11::1 name Stack-2 ipv6 route 2::/32 GigabitEthernet 2/48 11::1 name Stack-2 ip route 2.2.2.0/24 GigabitEthernet 2/47 name Stack-2 ipv6 route 1001:1001::/64 GigabitEthernet 1/42 2001:2001::1 name ipv6_link_going_to_europe_centre ip route 19.1.1.0/24 19.1.1.
then the sending device lowers the packet size accordingly and resends the packet. Otherwise, the iterative method is followed until the packet can traverse without being fragmented. To use the PMTD in the physical interface, you must allocate and activate the fedgov CAM ACL space using the cam-acl command. The fedgov CAM ACL space is defined as a value (0-8) and you can select the required value to define the space.
for a specific service (such as SSH or BGP) with a SYN ACK, the router waits for a period of time for the ACK packet to be sent from the requesting host that will establish the TCP connection. You can set this duration or interval for which the TCP connection waits to be established to a significantly high value to prevent the device from moving into an out-of-service condition or becoming unresponsive during a SYN flood attack that occurs on the device. You can set the wait time to be 10 seconds or lower.
Enabling Dynamic Resolution of Host Names By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands. • Enable dynamic resolution of host names. CONFIGURATION mode ip domain-lookup • Specify up to six name servers. CONFIGURATION mode ip name-server ip-address [ip-address2 ... ip-address6] The order you entered the servers determines the order of their use. Example of the show hosts Command To view current bindings, use the show hosts command.
Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands. • Enable dynamic resolution of host names. CONFIGURATION mode ip domain-lookup • Specify up to six name servers. CONFIGURATION mode ip name-server ip-address [ip-address2 ... ip-address6] • The order you entered the servers determines the order of their use.
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell EMC Networking OS Command Line Reference Guide.
Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information. EXEC privilege clear arp-cache [interface | ip ip-address] [no-refresh] – ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM.
Figure 43. ARP Learning via ARP Request Beginning with Dell EMC Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 44. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet.
Figure 45. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
Important Points to Remember • The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface. • The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper. • You may specify a maximum of 16 UDP ports.
2 If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If you do not configure an IP broadcast address (using the ip udp-broadcast-address command) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
2017-08-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6 2017-08-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2 2017-08-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90 Packet 0.0.0.0:68 -> 255.255.255.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits) • Payload Length (16 bits) • Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers do not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem Code 2 message to the packet’s Source IP Address identifying the unknown option type. 11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet.
Feature and Functionality Dell EMC Networking OS Release Introduction Documentation and Chapter Location S3048–ON IS-IS for IPv6 support for redistribution 9.7.(0.1) Intermediate System to Intermediate System IPv6 IS-IS in the Dell EMC Networking OS Command Line Reference Guide. ISIS for IPv6 support for distribute lists and administrative distance 9.7.(0.1) OSPF for IPv6 (OSPFv3) 9.7.(0.1) Equal Cost Multipath for IPv6 9.7.(0.
• Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node. These messages include Destination Unreachable, Packet Too Big, Time Exceeded and Parameter Problem messages. • Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages.
NOTE: To avoid problems with network discovery, Dell EMC Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes.
lifetime to use the RDNSS address does not expire. A value of 0 indicates to the host that the RDNSS address should not be used. You must specify a lifetime using the lifetime or infinite parameter. The DNS server address does not allow the following: • link local addresses • loopback addresses • prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1.
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol. • Adjusting Your CAM-Profile • Assigning an IPv6 Address to an Interface • Assigning a Static IPv6 Route • Configuring Telnet with IPv6 • SNMP over IPv6 • Showing IPv6 Information • Clearing IPv6 Routes Adjusting Your CAM-Profile Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled in Dell EMC Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully. To assign an IPv6 address to an interface, use the ipv6 address command.
– For a Null interface, enter the keyword null then the Null interface number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Configuring Telnet with IPv6 The Telnet client and server in Dell EMC Networking OS supports IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router. NOTE: Telnet to link local addresses is supported on the system.
ospf pim prefix-list route rpf DellEMC# OSPF information PIM V6 information List IPv6 prefix lists IPv6 routing information RPF table Displaying an IPv6 Interface Information To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface.
• Show IPv6 routing information for the specified route type. EXEC mode show ipv6 route [vrf vrf-name] type The following keywords are available: – To display information about a network, enter ipv6 address (X:X:X:X::X). – To display information about a host, enter hostname. – To display information about all IPv6 routes (including non-active routes), enter all. – To display information about all connected IPv6 routes, enter connected.
S 8888:9999:5555:6666:1111:2222::/96 [1/0] via 2222:2222:3333:3333::1, Gi 9/1, 00:03:16 9999:9999:9999:9999::/64 [1/0] via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16 S Showing the Running-Configuration for an Interface To view the configuration for any interface, use the following command. • Show the currently running configuration for the specified interface.
• To reenable the ND timer, use the no form of the command: INTERFACE no ipv6 nd disable-reachable-timer The following example shows how to disable the ND timer. DellEMC(conf-if-fo-1/1/1)#ipv6 nd disable-reachable-timer Configuring IPv6 RA Guard The IPv6 Router Advertisement (RA) guard allows you to block or reject the unwanted router advertisement guard messages that arrive at the network device platform.
POLICY LIST CONFIGURATION mode router-preference maximum {high | low | medium} 10 Set the router lifetime. POLICY LIST CONFIGURATION mode router—lifetime value The router lifetime range is from 0 to 9,000 seconds. 11 Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12 Set the maximum transmission unit (MTU) value. POLICY LIST CONFIGURATION mode mtu value 13 Set the advertised reachability time.
interface interface-type slot/port 2 Apply the IPv6 RA guard to a specific interface. INTERFACE mode ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vland 2, vlan 3.....]] 3 Display the configurations applied on all the RA guard policies or a specific RA guard policy. EXEC Privilege mode show ipv6 nd ra-guard policy policy-name The policy name string can be up to 140 characters.
23 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 52.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, portchannel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS. • Enabling IS-IS • Configure Multi-Topology IS-IS (MT IS-IS) • Configuring IS-IS Graceful Restart • Changing LSP Attributes • Configuring the IS-IS Metric Style • Configuring IS-IS Cost • Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled.
4 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enter an IPv4 Address. INTERFACE mode ip address ip-address mask Assign an IP address and mask to the interface.
Accept wide metrics: DellEMC# none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215. Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings. • Enable graceful restart on ISIS processes.
– adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value so if user has configured this option. – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds. Examples of the show isis graceful-restart detail Command NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP.
LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 DellEMC# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: DellEMC# level-1-2 level-1-2 none none Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell EMC Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
• Apply a configured prefix list to all incoming IPv6 IS-IS routes. ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name in [interface] Enter the type of interface and the interface information: – For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
ROUTER ISIS mode redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id the range is from 1 to 65535. – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric value the range is from 0 to 16777215. The default is 0. – match external the range is from 1 or 2.
Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in the level to communicate with each other, configure them with the same password. To configure a simple text password, use the following commands.
eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000E 0x53BF eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 31. Metric Value When the Metric Style Changes Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value wide narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value commands and is used if you change back to transition metric style. Moving to transition and then to another metric style produces different results. Table 32.
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value wide transition narrow truncated value wide transition narrow transition truncated value wide transition transition truncated value Sample Configurations The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
IS-IS Sample Configuration — Congruent Topology IS-IS Sample Configuration — Multi-topology IS-IS Sample Configuration — Multi-topology Transition The following is a sample configuration for enabling IPv6 IS-IS. DellEMC(conf-if-gi-3/17)#show config ! interface GigabitEthernet 3/17 ip address 24.3.1.1/24 ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown DellEMC(conf-if-gi-3/17)# DellEMC(conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.
24 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG).
DellEMC(conf)#interface Gigabitethernet 4/15 DellEMC(conf-if-gi-4/15)#no shutdown DellEMC(conf-if-gi-4/15)#port-channel-protocol lacp DellEMC(conf-if-gi-4/15-lacp)#port-channel 32 mode active ...
• Debug LACP, including configuration and events. EXEC mode [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]] Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
Example of LAGs in the Same Failover Group DellEMC#config DellEMC(conf)#port-channel failover-group DellEMC(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 To view the failover group configuration, use the show running-configuration po-failover-group command. DellEMC#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group.
Important Points about Shared LAG State Tracking The following is more information about shared LAG state tracking. • • • • • This feature is available for static and dynamic LAGs. Only a LAG can be a member of a failover group. You can configure shared LAG state tracking on one side of a link or on both sides. If a LAG that is part of a failover group is deleted, the failover group is deleted. If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
Port is part of Port-channel 10 Hardware is DellEMCEth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts,
Figure 57.
Figure 58.
Figure 59.
Summary of the LAG Configuration on Bravo Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(con
Figure 60.
Figure 61.
Figure 62. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
25 Layer 2 This chapter describes the Layer 2 features supported on the device. Manage the MAC Address Table You can perform the following management tasks in the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in Dell EMC Networking OS version 8.3.1.0 is different from versions 8.2.1.
converted to sticky MACs on that interface. To remove all sticky MAC addresses from the running config file, disable sticky MAC and use the write config command. When you enable sticky mac on an interface, dynamically-learned MAC addresses do not age, even if you enabled mac-learninglimit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and you disabled sticky MAC, any dynamically-learned MAC addresses ages.
learn-limit-violation shutdown Setting Station Move Violation Actions no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move.
Disabling MAC Address Learning on the System You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs. To disable source MAC address learning from LACP and LLDP BPDUs, follow this procedure: • Disable source MAC address learning from LACP BPDUs. CONFIGURATION mode mac-address-table disable-learning lacp • Disable source MAC address learning from LLDP BPDUs. CONFIGURATION mode mac-address-table disable-learning lldp • Disable source MAC address learning from LACP and LLDP BPDUs.
Figure 63. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
following illustration). The redundant pairs feature allows you to create redundant links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link. NOTE: For more information about STP, refer to Spanning Tree Protocol (STP). Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
1 L2 up 00:08:33 Gi 1/1 (Up) 2 L2 up 00:00:02 Gi 2/1 (Up) DellEMC#configure DellEMC(conf)#interface port-channel 1 DellEMC(conf-if-po-1)#switchport backup interface port-channel 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2 DellEMC(conf-if-po-1)# DellEMC# DellEMC#show
In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces. CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
fefd [mode {aggressive | normal}] • Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1 2w1d22h : FEFD state on Gi 4/1 changed from Bi-directional to Unknown DellEMC#debug fefd packets DellEMC#2w1d22h : FEFD packet sent via interface Gi 1/1 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Gi 1/1) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Gi 4/1) Sender hold time -- 3 (second) 2w1d22h : FEFD packet received on interface Gi 4/1 Sender state -- Bi-directional Sender
26 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 35. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of a LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 69. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell EMC Networking system to advertise any or all of these TLVs. Table 36. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell EMC Networking OS does not currently support this TLV.
Type TLV Description in the Dell EMC Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDPMED implementation. 127 Power via MDI Dell EMC Networking supports the LLDPMED protocol, which recommends that Power via MDI TLV be not implemented, and therefore Dell EMC Networking implements Extended Power via MDI TLV only.
Table 37. TIA-1057 (LLDP-MED) Organizationally Specific TLVs Type SubType TLV Description 127 1 LLDP-MED Capabilities Indicates: • • • whether the transmitting device supports LLDP-MED what LLDP-MED TLVs it supports LLDP device class 127 2 Network Policy Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • • The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table). The possible values of the LLDP-MED device type are shown in the following.
• VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell EMC Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
• LLDP is not hitless. LLDP Compatibility • Spanning tree and force10 ring protocol “blocked” ports allow LLDPDUs. • 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated. CONFIGURATION versus INTERFACE Configurations All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode. • Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface. disable To undo an LLDP configuration, precede the relevant command with the keyword no. Enabling LLDP on Management Ports LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp 2 Enter LLDP management-interface mode.
To advertise TLVs, use the following commands. 1 Enter LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2 Advertise one or more TLVs. PROTOCOL LLDP mode advertise {dcbx-appln-tlv | dcbx-tlv | dot3-tlv | interface-port-desc | management-tlv | med } Include the keyword for each TLV you want to advertise. • For management TLVs: system-capabilities, system-description. • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id vlan-name. • For 802.3 TLVs: max-frame-size.
Storing and Viewing Unrecognized LLDP TLVs Dell EMC Networking OS provides support to store unrecognized (reserved and organizational specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP. When the incoming TLV from LLDP neighbors is not recognized, the TLV is categorized as unrecognized TLV.
Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
The length of the LLDP neighbors (Remote host) name is truncated if it is above 15 characters.
The neighbors are given below: ----------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 00:00:00:00:00:01 Remote Port Subtype: Interface name (5) Remote Port ID: TenGigabitEthernEt 1/40 Local Port ID: GigabitEthernet 1/1 Locally assigned remote Neighbor Index: 1 Remote TTL: 120 Information valid for next 44 seconds Time since last information change of this neighbor: 00:01:16 UnknownTLVList: ( 9, 4) ( 10, 4) ( 11, 4) ( 12, 4) ( 13, 4
Locally assigned remote Neighbor Index: 2 Remote TTL: 300 Information valid for next 201 seconds Time since last information change of this neighbor: 00:01:39 UnknownTLVList: OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, --------------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 4c:76:25:f4:ab:03 Remote Por
Configuring LLDP Notification Interval This implementation has been introduced to adhere to the IEEE 802.1AB standard. This implementation allows a user to configure the LLDP notification interval between 5 (default) and 3600 seconds. NOTE: Before implementation of this feature, notification messages were not throttled. After implementation, the system throttles the lldp notification messages by 5 seconds (default) or as configured by the user.
Example of Configuring a Single Mode R1(conf)#protocol lldp R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-
R1(conf-lldp)#no multiplier R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Debugging LLDP You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands. • • View a readable version of the TLVs.
Dec Dec Dec Dec Dec Dec Dec Dec Dec Dec Dec Dec 4 4 4 4 4 4 4 4 4 4 4 4 22:38:27 22:38:27 22:38:27 22:38:28 22:38:28 22:38:29 22:38:29 22:38:29 22:38:29 22:38:29 22:38:29 22:38:29 : : : : : : : : : : : : 01 80 c2 00 00 0e 00 a0 c9 00 00 03 81 00 00 88 cc 02 07 04 00 a0 c9 00 00 01 04 02 05 54 02 01 2c fe 05 aa bb cc 04 61 fa 01 40 00 00 00 00 00 00 00 00 00 00 c6 0f ba 27 TLV: Chassis ID, Len: 7, Subtype: Mac address TLV: Port ID, Len: 2, Subtype: Interface name TLV: TTL, Len: 2, Value: 300 TLV: UNKNOWN
MIB Object Category LLDP Variable LLDP MIB Object Description statsFramesOutTotal lldpStatsTxPortFramesTotal Total number of LLDP frames transmitted through the port. statsTLVsDiscardedTotal lldpStatsRxPortTLVsDiscardedTotal Total number of TLVs received then discarded. statsTLVsUnrecognizedTotal lldpStatsRxPortTLVsUnrecognizedTot Total number of all TLVs the local al agent does not recognize. Table 42.
TLV Type TLV Name TLV Variable interface number OID System LLDP MIB Object Remote lldpRemManAddrIfSubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOID Table 43. LLDP 802.
TLV Sub-Type 2 TLV Name Network Policy TLV Variable Application Type Unknown Policy Flag Tagged Flag VLAN ID L2 Priority DSCP Value 3 Location Identifier Location Data Format Location ID Data 4 Extended Power via MDI Power Device Type Power Source System LLDP-MED MIB Object Remote lldpXMedRemDeviceClass Local lldpXMedLocMediaPolicyAp pType Remote lldpXMedRemMediaPolicyA ppType Local lldpXMedLocMediaPolicyUn known Remote lldpXMedLocMediaPolicyUn known Local lldpXMedLocMediaPol
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object lldpXMedRemXPoEPDPow erSource Power Priority Local lldpXMedLocXPoEPDPowe rPriority lldpXMedLocXPoEPSEPort PDPriority Remote lldpXMedRemXPoEPSEPo werPriority lldpXMedRemXPoEPDPow erPriority Power Value Local lldpXMedLocXPoEPSEPort PowerAv lldpXMedLocXPoEPDPowe rReq Remote lldpXMedRemXPoEPSEPo werAv lldpXMedRemXPoEPDPow erReq 510 Link Layer Discovery Protocol (LLDP)
27 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION MODE: mac-address-table static multicast vlan output-range , Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: • The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
CONFIGURATION mode ip vlan-flooding There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
28 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 76.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained. Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process.
Figure 77.
Figure 78.
Figure 79.
Figure 80. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Examples of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell EMC Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 81.
Figure 82.
Figure 83. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr 229.0.50.2 229.0.50.3 229.0.50.4 SourceAddr 24.0.50.2 24.0.50.3 24.0.50.4 RPAddr 200.0.0.50 200.0.0.50 200.0.0.50 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.2 DellEMC#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 Expire 73 73 73 UpTime 00:13:49 00:13:49 00:13:49 LearnedFrom 10.0.50.
R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires. [Router 1] R1(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none [Router 1] R1(conf)#do show ip msdp peer Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:03 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
03:17:10 : MSDP-0: Peer 192.168.0.3, 03:17:27 : MSDP-0: Peer 192.168.0.3, Input (S,G) filter: none Output (S,G) filter: none rcvd Keepalive msg sent Source Active msg MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 84. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.
The following example shows an R3 configuration for MSDP with Anycast RP. ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 1/1 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.
29 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | * * | | * Source Address [1] * | | * * | | +-+ | | * * | | * Source Address [2] * | | * * | | +. -+ . . . . . . +-+ | | * * | | * Source Address [N] * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
| | * Multicast Address * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | * * | | * Source Address [1] * | | * * | | +-+ | | * * | | * Source Address [2] * | | * * | | +-+ . . . . . . . . . +-+ | | * * | | * Source Address [N] * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Auxiliary Data . . .
ipv6 mld query-interval Reducing Host Response Burstiness General Queries contain a Query Response Interval value, which is the amount of time the host has to respond to a general query. Hosts set a timer to a random number less than the Query Response Interval upon receiving a general query, and send a report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness.
ipv6 mld explicit-tracking Reducing Leave Latency Leave Latency is the amount of time after the last host leaves the MLD group that the router stops forwarding traffic for that group. Latency is introduced because the router attempts several times to determine if there are any remaining members before stopping traffic for the group. The Querier sends a Multicast-Address-Specific Query upon receiving a Done message to ascertain whether there are any remain receivers for a group.
waste of bandwidth. MLD Snooping enables switches to use information in MLD packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. NOTE: If PIM and MLD snooping is enabled in FHR, then either enable mrouter towards LHR or disable snooping towards LHR. Enable MLD Snooping MLD is automatically enabled when you enable IPv6 PIM, but MLD snooping must be explicitly enabled.
ipv6 mld snooping mrouter 2 View the ports that are connected to multicast routers. EXEC Privilege mode show ipv6 mld snooping mrouter Enable Snooping Explicit Tracking The switch can be a querier, and therefore also has an option of updating the group table through explicit-tracking. Whether the switch is the querier or not, if snooping is enabled, the switch tracks all the MLD joins. It has a separate explicit tracking table which contains group, source, interface, VLAN, and reporter details.
30 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Adding and Removing Interfaces • Creating Multiple Spanning Tree Instances • Influencing MSTP Root Selection • Interoperate with Non-Dell Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Setting STP path cost as constant • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell EMC Networking OS
Related Configuration Tasks The following are the related configuration tasks for MSTP.
• spanning-tree 0 To remove an interface from the MSTP topology, use the no spanning-tree 0 command. Creating Multiple Spanning Tree Instances To create multiple spanning tree instances, use the following command. A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP, create multiple MSTIs and map VLANs to them. • Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI.
Port path cost 20000, Port priority 128, Port Identifier 128.384 Designated root has priority 32768, address 0001.e806.953e Designated bridge has priority 32768, address 0001.e809.c24a Designated port id is 128.
Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. PROTOCOL MSTP mode name name • Change the region revision number. PROTOCOL MSTP mode revision number Example of the name Command To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
NOTE: With large configurations (especially those configurations with more ports) Dell EMC Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3 Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4 Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40. The default is 20.
Port Cost Default Value 25-Gigabit Ethernet interfaces 800 40-Gigabit Ethernet interfaces 500 50-Gigabit Ethernet interfaces 400 100-Gigabit Ethernet interfaces 200 Port Channel with 100 Mb/s Ethernet interfaces 100000 Port Channel with 1-Gigabit Ethernet interfaces 10000 Port Channel with 10-Gigabit Ethernet interfaces 1000 Port Channel with 25-Gigabit Ethernet interfaces 400 Port Channel with 50-Gigabit Ethernet interfaces 200 Port Channel with 100-Gigabit Ethernet interfaces 100 To
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
MSTP Sample Configurations The running-configurations support the topology shown in the following illustration. The configurations are from Dell EMC Networking OS systems. Figure 86. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology.
no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology. 3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
exit (Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log of a successful MSTP configuration. DellEMC#debug spanning-tree mstp bpdu MSTP debug bpdu is ON DellEMC# 4w0d4h : MSTP: Sending BPDU on Gi 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.
31 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol Ethernet Address OSPF 01:00:5e:00:00:05 01:00:5e:00:00:06 RIP 01:00:5e:00:00:09 NTP 01:00:5e:00:01:01 VRRP 01:00:5e:00:00:12 PIM-SM 01:00:5e:00:00:0d • The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. • Multicast is not supported on secondary IP addresses. • If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
NOTE: The Dell EMC Networking OS waits at least 30 seconds between stopping and starting IGMP join processing. You may experience this delay when manipulating the limit after it is reached. When the multicast route limit is reached, the following displays: 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark. 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.
Figure 87. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 47. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in PIM. INTERFACE mode ip pim neighbor-filter Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to route processor (RP) for the specified multicast source and group, use the following command.
Figure 88. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 48. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell EMC Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Important Points to Remember • Destination address of the mtrace query message can be either a unicast or a multicast address. NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver. • When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
– Forwarding code — error code as present in the response blocks – Source Network/Mask — source mask Example of the mtrace Command to View the Network Path The following is an example of tracing a multicast route. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort. Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported: Table 50.
Scenario Output -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort.
Scenario Output 103.103.103.0/24 -3 2.2.2.1 PIM 103.103.103.0/24 -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario Output -3 10.10.10.1 PIM No route default ----------------------------------------------------------------- If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated. R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
Scenario Output -3 2.2.2.1 PIM 99.99.0.0/16 -4 * * * * ----------------------------------------------------------------- If there is no response for mtrace even after switching to expanded hop search, the command displays an error message. R1>mtrace 99.99.99.99 1.1.1.1 Type Ctrl-C to abort. While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Scenario Output scenario, a corresponding error message is displayed. ---------------------------------------------------------------|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask| ---------------------------------------------------------------0 4.4.4.5 --> Destination -1 4.4.4.4 PIM 6.6.6.0/24 -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM Wrong interface 6.6.6.0/24 ----------------------------------------------------------------R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
32 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 89. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
To configure object tracking on the status of a Layer 2 interface, use the following commands. 1 Configure object tracking on the line-protocol state of a Layer 2 interface. CONFIGURATION mode track object-id interface interface line-protocol Valid object IDs are from 1 to 500. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0.
For an IPv6 interface, a routing object only tracks the UP/DOWN status of the specified IPv6 interface (the track interface ipv6routing command). • The status of an IPv6 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IPv6 address. • The Layer 3 status of an IPv6 interface goes DOWN when its Layer 2 status goes down (for a Layer 3 VLAN, all VLAN ports must be down) or the IPv6 address is removed from the routing table.
Interface GigabitEthernet 7/11 ipv6 routing Description: Austin access point Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/ IPv6 route.
Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1 Configure object tracking on the reachability of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 500.
The following example configures object tracking on the reachability of an IPv6 route: DellEMC(conf)#track 105 ipv6 route 1234::/64 reachability DellEMC(conf-track-105)#delay down 5 DellEMC(conf-track-105)#description Headquarters DellEMC(conf-track-105)#end DellEMC#show track 105 Track 105 IPv6 route 1234::/64 reachability Description: Headquarters Reachability is Down (route not in route table) 2 changes, last change 00:03:03 Configuring track reachability refresh interval If there is no entry in ARP tab
2 • OSPF routes - 1 to 1592. The efault is 1. Configure object tracking on the metric of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name] Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128.
The following example configures object tracking on the metric threshold of an IPv6 route: DellEMC(conf)#track 8 ipv6 route 2::/64 metric threshold DellEMC(conf-track-8)#threshold metric up 30 DellEMC(conf-track-8)#threshold metric down 40 Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command DellEMC#show track vrf red Track 5 IP route 192.168.0.0/24 reachability, Vrf: red Reachability is Up (CONNECTED) 3 changes, last change 00:02:39 First-hop interface is GigabitEthernet 1/4 Example of Viewing Object Tracking Configuration DellEMC#show running-config track track 1 ip route 23.0.0.
33 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 90. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 91. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
Figure 92. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 16,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
Graceful Restart When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. Dell EMC Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Examples of Setting and Viewing a Dead Interval In the following example, the dead interval is set at 4x the hello interval (shown in bold). DellEMC(conf)#int gigabitethernet 2/2 DellEMC(conf-if-gi-2/2)#ip ospf hello-interval 20 DellEMC(conf-if-gi-2/2)#ip ospf dead-interval 80 DellEMC(conf-if-gi-2/2)# In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2 1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing. 2 Enable OSPF globally. Assign network area and neighbors. 3 Add interfaces or configure other attributes. 4 Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
• Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area. CONFIG-ROUTER-OSPF-id mode network ip-address mask area area-id The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M. Enable OSPFv2 on Interfaces Enable and configure OSPFv2 on each interface (configure for Layer 3 protocol), and not shutdown. You can also assign OSPFv2 to a Loopback interface as a virtual interface.
Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2 Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:05 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 13.1.1.1 (Designated Router) DellEMC> Loopback interfaces also help the OSPF process.
area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area. Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode. DellEMC#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 13:39:46 Neighbor Count is 0, Adjacent neighbor count is 0 GigabitEthernet 2/1 is up, line protocol is down Internet Address 10.1.3.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.3.100 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
DellEMC#(conf)#ex DellEMC##show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.2 Supports only single TOS (TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Convergence Level 0 Min LSA origination 5 secs, Min LSA arrival 1 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 DellEMC# Changing OSPFv2 Parameters on Interfaces In Dell EMC Networking OS, you can modify the OSPF settings on the interfaces.
• – number: the range is from 0 to 255 (the default is 1). Change the retransmission interval between LSAs. CONFIG-INTERFACE mode ip ospf retransmit-interval seconds – seconds: the range is from 1 to 65535 (the default is 5 seconds). • The retransmit interval must be the same on all routers in the OSPF network. Change the wait period between link state update packets sent out the interface.
ip ospf auth-change-wait-time seconds This setting is the amount of time OSPF has available to change its interface authentication type. When you configure the auth-change-wait-time, OSPF sends out only the old authentication scheme until the wait timer expires. After the wait timer expires, OSPF sends only the new authentication scheme.
• Helper-only: the OSPFv2 router supports graceful-restart only as a helper router. • Restart-only: the OSPFv2 router supports graceful-restart only during unplanned restarts. By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role. To disable OSPFv2 graceful-restart after you have enabled it, use the no graceful-restart grace-period command in CONFIGROUTEROSPF- id mode.
CONFIG-ROUTEROSPF-id mode distribute-list prefix-list-name in [interface] • Assign a configured prefix list to outgoing OSPF routes. CONFIG-ROUTEROSPF-id distribute-list prefix-list-name out [connected | isis | rip | static] Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process.
• Have the OSPF routes been included in the routing table (not just the OSPF database)? Some useful troubleshooting commands are: • show interfaces • show protocols • debug IP OSPF events and/or packets • show neighbors • show routes To help troubleshoot OSPFv2, use the following commands. • View the summary of all OSPF process IDs enables on the router. EXEC Privilege mode show running-config ospf • View the summary information of the IP routes.
router-id 10.10.10.10 DellEMC# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes. Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology.
network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface GigabitEthernet 3/1 ip address 10.1.13.3/24 no shutdown ! interface GigabitEthernet 3/2 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface GigabitEthernet 2/1 ip address 10.2.21.
Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch. The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes. • Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost • – interface-cost:The range is from 1 to 65535. Default cost is based on the bandwidth. Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
– process-id: the process ID number assigned. – area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address. The format is A.B.C.D.
no ipv6 router ospf process-id vrf {vrf-name} • Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf [vrf vrf-name] process Configuring Stub Areas To configure IPv6 stub areas, use the following command. • Configure the area as a stub area. CONF-IPV6-ROUTER-OSPF mode area area-id stub [no-summary] – no-summary: use these keywords to prevent transmission in to the area of summary ASBR LSAs. – Area ID: a number or IP address assigned when creating the area.
redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [routemap map-name] [tag tag-value] Configure the following required and optional parameters: – bgp | connected | static: enter one of the keywords to redistribute those routes. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. – route-map map-name: enter a name of a configured route map.
• The valid values are from 40 to 1800 seconds. Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor. INTERFACE mode ipv6 ospf graceful-restart helper-reject • Specify the operating mode and type of events that trigger a graceful restart. CONF-IPV6-ROUTER-OSPF mode graceful-restart mode [planned-only | unplanned-only] – Planned-only: the OSPFv3 router supports graceful restart only for planned restarts.
The following example shows the show ipv6 ospf database database-summary command. DellEMC#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
With IPsec-based authentication, Crypto images are used to include the IPsec secure socket application programming interface (API) required for use with OSPFv3. To ensure integrity, data origin authentication, detection and rejection of replays, and confidentiality of the packet, RFC 4302 and RFC 4303 propose using two security protocols — authentication header (AH) and encapsulating security payload (ESP).
NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link. • Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface.
– spi number: is the SPI value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: message digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). – key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted). • • – key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information.
show crypto ipsec policy Displaying OSPFv3 IPsec Security Policies To display the configuration of IPsec authentication and encryption policies, use the following commands. • Display the AH and ESP parameters configured in IPsec security policies, including the SPI number, key, and algorithms used. EXEC Privilege mode show crypto ipsec policy [name name] • – name: displays configuration details about a specified policy.
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5 Inbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a Outbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a Transform set : esp-128-aes esp-sha1-hmac The following example shows the show crypto ipsec sa ipv6 command.
• Did you configure the interfaces for Layer 3 correctly? • Is the router in the correct area type? • Did you include the routes in the OSPF database? • Did you include the OSPF routes in the routing table (not just the OSPF database)? Some useful troubleshooting commands are: • show ipv6 interfaces • show ipv6 protocols • debug ipv6 ospf events and/or packets • show ipv6 neighbors • show ipv6 routes Viewing Summary Information To get general route, configuration, links status, and debug i
MIB Support for OSPFv3 SNMPv3 context name support implements MIB views on multiple OSPV3 instances. Table 52. MIB Objects for OSPFv3 MIB Object OID Description ospfv3GeneralGroup 1.3.6.1.2.1.191.1.1 Contains a 32-bit unsigned integer uniquely identifying the router in the autonomous system. ospfv3AreaEntry 1.3.6.1.2.1.191.1.2.1 Contains information describing the parameter configuration and cumulative statistics of the router’s attached areas. ospfv3AsLsdbEntry 1.3.6.1.2.1.191.1.3.
34 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• • Destination port TCP Flags After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following: • • • • Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop. If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Because the order of rules is important, ensure that you configure any necessary sequence numbers. Never apply the permit statement because the redirect list covers all source and destination IP addresses. ip redirect-list rcl0 seq 5 redirect 2.2.2.2 ip any any seq 10 permit ip host 3.3.3.
• FORMAT: slot/port • ip-protocol-number or protocol-type is the type of protocol to be redirected • FORMAT: 0-255 for IP protocol number, or enter protocol type • source ip-address or any or host ip-address is the Source’s IP address • FORMAT: A.B.C.D/NN, or ANY or HOST IP address • destination ip-address or any or host ip-address is the Destination’s IP address • FORMAT: A.B.C.D/NN, or ANY or HOST IP address To delete a rule, use the no redirect command.
! ip redirect-list test seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 any seq 15 redirect 10.1.1.3 ip 20.1.1.0/25 any seq 20 redirect 10.1.1.3 ip 20.1.1.0/24 any DellEMC(conf-redirect-list)# NOTE: Starting with the Dell EMC Networking OS version 9.4(0.0), the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on an router.
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell EMC Networking OS has the capability to support multiple groups on an interface for backup purposes. Show Redirect List Configuration To view the configuration redirect list configuration, use the following commands. 1 View the redirect list configuration and the associated interfaces.
NOTE: If you apply the redirect-list to an interface, the output of the show ip redirect-list redirect-listname command displays reachability status for the specified next-hop.
Create the Redirect-List GOLD Assign Redirect-List GOLD to Interface 2/11 View Redirect-List GOLD Creating a PBR list using Explicit Track Objects for Redirect IPs Create Track Objects to track the Redirect IPs: DellEMC#configure terminal DellEMC(conf)#track 3 ip host 42.1.1.2 reachability DellEMC(conf-track-3)#probe icmp DellEMC(conf-track-3)#track 4 ip host 43.1.1.
reachable (via Vl 20) seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [up], Next-hop reachable (via Vl 20) Applied interfaces: Te 2/28 DellEMC# Creating a PBR list using Explicit Track Objects for Tunnel Interfaces Creating steps for Tunnel Interfaces: DellEMC#configure terminal DellEMC(conf)#interface tunnel 1 DellEMC(conf-if-tu-1)#tunnel destination 40.1.1.2 DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
DellEMC(conf-if-te-2/28)#exit DellEMC(conf)#end Verify the Applied Redirect Rules: DellEMC#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32) seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32) seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.
35 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1 After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
CONFIGURATION mode {ip | ipv6} multicast-routing [vrf vrf-name] Related Configuration Tasks The following are related PIM-SM configuration tasks. • Configuring S,G Expiry Timers • Configuring a Static Rendezvous Point • Configuring a Designated Router • Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1 Enable IPv4 or IPv6 multicast routing on the system.
To display PIM neighbors for each interface, use the show {ip | ipv6} pim neighbor [detail] command EXEC Privilege mode. Following is an example of show ip pim neighbor command output: DellEMC#show Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.
GigabitEthernet 1/11 GigabitEthernet 1/12 GigabitEthernet 1/13 Configuring S,G Expiry Timers You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes. To configure a global expiry time, use the following command. Enable global expiry timer for S, G entries.
no shutdown DellEMC#show running-configuration pim ! ipv6 pim rp-address 2111:dddd:0eee::22/64 group-address 2111:dddd:0eee::22/128 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
router with the greatest priority value is the DR. If the priority value is the same for two routers, then the router with the greatest IPv4 or IPv6 address is the DR. By default, the DR priority value is 192, so the IP address determines the DR. • Assign a DR priority value. INTERFACE mode {ip | ipv6} pim dr-priority priority-value • Change the interval at which a router sends hello messages. INTERFACE mode {ip | ipv6} pim query-interval seconds • Display the current value of these parameter.
Mode Count Intvl Prio Gi 1/3 v2/S 1 30 1 Address : fe80::201:e8ff:fe02:140f DR : this router Gi 1/11 v2/S 0 30 1 Address : fe80::201:e8ff:fe02:1417 DR : this router Dell# Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
To enable BSR election for IPv4 or IPv6, perform the following steps: 1 Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate: CONFIGURATION ip pim bsr-candidate ipv6 pim bsr-candidate 2 Enter the following IPv4 or IPv6 command to make a PIM router a RP candidate: CONFIGURATION ip pim rp-candidate ipv6 pim rp-candidate 3 Display IPv4 or IPv6 Bootstrap Router information.
36 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
2 Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2 Enter the ip pim ssm-range command and specify the ACL you created.
Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.
Some routers within the domain are configured to be C-RPs. Other routers are configured to be Bootstrap Router candidates (C-BSRs); one router is elected the BSR for the domain and the BSR is responsible for forwarding BSM containing RP-set information to other routers. The RP election process is as follows: 1 C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
Example: DellEMC#show ipv6 pim bsr-router PIMv2 Bootstrap information BSR address: 200::1 (?) BSR Priority: 0, Hash mask length: 126 Expires: 00:01:43 This system is a candidate BSR Candidate BSR address: 100::1, priority: 0, hash mask length: 126 Next Cand_RP_advertisement in 00:00:25 RP: 100::1(Lo 0) DellEMC# Enabling RP to Server Specific Multicast Groups When you configure an RP candidate, its advertisement is sent to the entire multicast address range and the group-to-RP mapping is advertised for the
37 Port Monitoring Port monitoring (also referred to as mirroring ) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
• Single MD can be monitored on max. of 4 MG ports. Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
DellEMC(conf-mon-sess-300)# DellEMC(conf-mon-sess-300)#do show monitor session SessID Source Destination Dir Mode TTL Drop Rate Gre-Protocol FcMonitor ------ ------------------ --------- -------------- -----0 Te 1/50 Te 1/51 rx Port A No N/A N/A yes 1 Gi 1/45 Gi 1/46 tx Port A No N/A N/A yes 2 NONE NONE N/A N/A A No N/A N/A No 300 Gi 1/17 Gi 1/4 tx Port A No N/A N/A No DellEMC(conf-mon-sess-300)# Source IP Dest IP DSCP --------- -------- ---- N/A N/A N/A N/ N/A N/A N/A N/ N/A N/A N/A N/ N
Dell EMC Networking OS Behavior: The platform continues to mirror outgoing traffic even after an MD participating in spanning tree protocol (STP) transitions from the forwarding to blocking. Configuring Port Monitoring To configure port monitoring, use the following commands. 1 Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
A A A 0 1 N/A Po 10 N/A Vl 40 N/A No Gi 1/2 No Gi 1/3 No rx Port 0.0.0.0 0.0.0.0 0 0 No N/ rx Flow 0.0.0.0 0.0.0.0 0 0 No N/ NOTE: Source as VLAN is achieved via Flow based mirroring. Please refer section Enabling Flow-Based Monitoring. In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1.
show run monitor session DellEMC#show run monitor session ! monitor multicast-queue 7 DellEMC# Enabling Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists. NOTE: Flow-based monitoring is supported for known unicast egress traffic.
DellEMC(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 ip address 10.11.1.254/24 ip access-group testflow in shutdown DellEMC(conf-if-gi-1/1)#exit DellEMC(conf)#do show ip accounting access-list testflow ! Extended Ingress IP access list testflow on GigabitEthernet 1/1 Total cam count 4 seq 5 permit icmp any any 53 monitor 53 count bytes (0 packets 0 bytes) seq 10 permit ip 102.1.1.
Figure 96. Remote Port Mirroring Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The L3 interface configuration should be blocked for RPM VLAN. • The member port of the reserved VLAN should have MTU and IPMTU value as MAX+4 (to hold the VLAN tag parameter). • To associate with source session, the reserved VLAN can have at max of only 4 member ports. • To associate with destination session, the reserved VLAN can have multiple member ports.
• A destination port cannot be used in any spanning tree instance. • The reserved VLAN used to transport mirrored traffic must be a L2 VLAN. L3 VLANs are not supported. • On a source switch on which you configure source ports for remote port mirroring, you can add only one port to the dedicated RPM VLAN which is used to transport mirrored traffic. You can configure multiple ports for the dedicated RPM VLAN on intermediate and destination switches.
Configuring a RSPAN VLAN for RPM Following are the steps for configuring a RSPAN VLAN for RPM. You must repeat the below mentioned steps on source, intermediate, and destination switches. 1 Enter global configuration mode. EXEC mode configure terminal 2 Create a VLAN to transport mirrored traffic in RPM. CONFIGURATION mode interface vlan vlan-id 3 Configure the RSPAN VLAN to be used to transport mirrored traffic in RPM.
Configuring a destination session Following are the steps for configuring a destination session on a switch. You can configure the below steps on other destination switches to configure additional destination ports for this RPM session. 1 Configure the destination session for RPM. CONFIGURATION mode monitor session session-id 2 Associate the Layer 2 VLAN used to transport monitored traffic with this destination session.
• 8 is gigabitethernet 1/8 Configuring Remote Port Mirroring on a source switch The below configuration example shows that the source is a source port and the destination is the reserved VLAN (for example, remotevlan 10).
DellEMC(conf-mon-sess-2)#flow-based enable DellEMC(conf-mon-sess-2)#exit DellEMC(conf)#mac access-list standard mac_acl DellEMC(config-std-macl)#permit 00:00:00:00:11:22 count monitor DellEMC(config-std-macl)#exit DellEMC(conf)#interface vlan 100 DellEMC(conf-if-vl-100)#mac access-group mac_acl1 in DellEMC(conf-if-vl-100)#exit DellEMC(conf)# Configuring Remote Port Mirroring on an intermediate switch Following is a sample configuration of RPM on an intermediate switch.
Configuring Remote Port Mirroring on an intermediate switch Following is a sample configuration of RPM on an intermediate switch. DellEMC(conf)#interface vlan 30 DellEMC(conf-if-vl-20)#mode remote-port-mirroring DellEMC(conf-if-vl-20)#tagged gigabitethernet 1/4 DellEMC(conf-if-vl-20)#tagged gigabitethernet 1/5 DellEMC(conf-if-vl-20)#exit Configuring Remote Port Mirroring on a Destination switch Following is a sample configuration of RPM on a destination switch.
To configure an ERPM session: Table 53. Configuration steps for ERPM Step Command Purpose 1 configure terminal Enter global configuration mode. 2 monitor session type erpm Specify a session ID and ERPM as the type of monitoring session, and enter the Monitoring-Session configuration mode. The session number needs to be unique and not already defined. 3 source { interface | range } direction {rx | tx | both} Specify the source port or range of ports.
tagged GigabitEthernet 1/1-3 mac access-group flow in <<<<<<<<<<<<<< Only ingress packets are supported for mirroring shutdown ERPM Behavior on a typical Dell EMC Networking OS The Dell EMC Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 98.
– The Header that gets attached to the packet is 38 bytes long. In case of a packet with L3 VLAN, it would be 42 bytes long. The original payload /original mirrored data starts from the 39th byte in a given ERPM packet. The first 38/42 bytes of the header needs to be ignored/ chopped off. – Some tools support options to edit the capture file. We can make use of such features (for example: editcap ) and chop the ERPM header part and save it to a new trace file. This new file (i.e.
VLT Non-fail over Scenario Consider a scenario where port monitoring is configured to mirror traffic on a VLT device's port or LAG to a destination port on some other device (TOR) on the network. When there is no fail over to the VLT peer, the VLTi link (ICL LAG) also receives the mirrored traffic as the VLTi link is added as an implicit member of the RPM vlan. As a result, the mirrored traffic also reaches the peer VLT device effecting VLTi link's bandwidth usage.
Scenario RPM Restriction Recommended Solution Mirroring using Intermediate VLT device — No restrictions apply In this scenario, the VLT device acts as the intermediate device in remote mirroring. The TOR switch contains the source-RPM configurations that enable mirroring of the VLT lag (of the TOR switch) to any orphan port in the VLT device. The packet analyzer is connected through the VLT device, but not directly to the VLT device. None.
38 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode show vlan private-vlan mapping • Set the PVLAN mode of the selected port. INTERFACE switchport mode private-vlan {host | promiscuous | trunk} NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs. NOTE: The outputs of the show arp and show vlan commands provide PVLAN data.
The following example shows the switchport mode private-vlan command on a port and on a port channel.
6 (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN.
3 Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4 Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 99. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
In parallel, on S4810: • Te 1/3 is a promiscuous port and Te 1/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Te 1/4-6 are host ports. Te 1/4 and Te 1/5 are assigned to the community VLAN 4001, while Te 1/6 is assigned to the isolated VLAN 4003. The result is that: • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
The following example shows using the show vlan private-vlan mapping command. S50-1#show vlan private-vlan mapping Private Vlan: Primary : 4000 Isolated : 4003 Community : 4001 NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows viewing the VLAN status.
39 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Table 55. Spanning Tree Variations Dell EMC Networking OS Supports Dell EMC Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.
protocol spanning-tree pvst 2 Enable PVST+. PROTOCOL PVST mode no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode disable • Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 101. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32 Port 375 (GigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
Figure 102. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id Example of Viewing the Extend System ID in a PVST+ Configuration DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address tagged GigabitEthernet 1/22,32 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 1/22,32 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface GigabitEthernet 2/12 no ip address switchport no shutdown ! interface GigabitEthernet 2/32 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged GigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthe
protocol spanning-tree pvst no disable vlan 300 bridge-priority 4096 Per-VLAN Spanning Tree Plus (PVST+) 689
40 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 57.
Feature Direction Create Policy Maps Ingress + Egress Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 103.
• Policy-Based QoS Configurations • DSCP Color Maps • Enabling QoS Rate Adjustment • Enabling Strict-Priority Queueing • Weighted Random Early Detection • Pre-Calculating Available QoS CAM Space • Configuring Weights and ECN for WRED • Configuring WRED and ECN Attributes • Guidelines for Configuring ECN for Classifying and Color-Marking Packets • Applying Layer 2 Match Criteria on a Layer 3 Interface • Applying DSCP and VLAN Match Criteria on a Service Queue • Classifying Incoming Pac
Table 58. dot1p-priority Values and Queue Numbers dot1p Queue Number 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 • Change the priority of incoming traffic on the interface.
When priority-tagged frames ingress an untagged port or hybrid port, the frames are classified to the default VLAN of the port and to a queue according to their dot1p priority if you configure service-class dynamic dotp or trust dot1p. When priority-tagged frames ingress a tagged port, the frames are dropped because, for a tagged port, the default VLAN is 0. Dell EMC Networking OS Behavior: Hybrid ports can receive untagged, tagged, and priority tagged frames.
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. • Apply rate shaping to outgoing traffic on a port. INTERFACE mode rate shape • Apply rate shaping to a queue.
Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them. Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
DellEMC(conf-policy-map-in)#service-queue 1 class-map cmap2 DellEMC(conf-policy-map-in)#exit DellEMC(conf)#interface gigabitethernet 1/1 DellEMC(conf-if-gi-1/1)#service-policy input pmap Examples of Creating a Layer 3 IPv6 Class Map The following example matches the IPv6 traffic with a DSCP value of 40: DellEMC(conf)# class-map match-all test DellEMC(conf-class-map)# match ipv6 dscp 40 The following example matches the IPv4 and IPv6 traffic with a precedence value of 3: DellEMC(conf)# class-map match-any te
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the keyword order. Dell EMC Networking OS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended. • Specify the order in which you want to apply ACL rules using the keyword order. order The order can range from 0 to 254. By default, all ACL rules have an order of 255.
The following example shows correct traffic classifications. DellEMC#show cam layer3-qos interface gigabitethernet 2/4 Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking ------------------------------------------------------------------------20416 1 18 IP 0x0 0 0 23.64.0.5/32 0.0.0.0/0 20 2 20417 1 0 IP 0x0 0 0 23.64.0.2/32 0.0.0.0/0 10 1 20418 1 0 IP 0x0 0 0 23.64.0.3/32 0.0.0.0/0 12 1 20419 1 10 0 0x0 0 0 0.0.0.0/0 0.0.0.0/0 14 1 24511 1 0 0 0x0 0 0 0.0.0.0/0 0.0.0.
Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. • Set a dscp or dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1 Create an output QoS policy.
Queue Default Bandwidth Percentage for 4– Queue System Default Bandwidth Percentage for 8– Queue System 5 - 10% 6 - 25% 7 - 50% NOTE: The system supports 4 data queues. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell EMC Networking recommends evaluating your bandwidth requirements for all other queues as well.
Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. • Apply an input QoS policy to an input policy map.
Table 61. Default dot1p to Queue Mapping dot1p Queue ID 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. • Enable the trust dot1p feature. POLICY-MAP-IN mode trust dot1p Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0.
• You cannot apply an input Layer 2 QoS policy on an interface you also configure with vlan-stack access. • If you apply a service policy that contains an ACL to more than one interface, Dell EMC Networking OS uses ACL optimization to conserve CAM space. The ACL optimization behavior detects when an ACL exists in the CAM rather than writing it to the CAM multiple times. • Apply an input policy map to an interface.
DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration. This sections consists of the following topics: • Creating a DSCP Color Map • Displaying Color Maps • Display Color Map Configuration Creating a DSCP Color Map You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence , and set the DSCP values to 9,10,11,13,15,16 DellEMC(conf)# qos dscp-color-map bat-enclave-map DellEMC(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16 DellEMC(conf-dscp-color-map)# exit Assign the color map, bat-enclave-map to the interface.
Display detailed information about a color policy for a specific interface DellEMC# show qos dscp-color-policy detail gigabitethernet 1/10 Interface GigabitEthernet 1/10 Dscp-color-map mapONE yellow 4,7 red 20,30 Enabling QoS Rate Adjustment By default while rate limiting, policing, and shaping, Dell EMC Networking OS does not include the Preamble, SFD, or the IFG fields.
Weighted Random Early Detection Weighted random early detection (WRED) is a congestion avoidance mechanism that drops packets to prevent buffering resources from being consumed. The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others.
Creating WRED Profiles To create WRED profiles, use the following commands. 1 Create a WRED profile. CONFIGURATION mode wred-profile 2 Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile. Dell EMC Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. • Display the number of packets Dell EMC Networking OS the WRED profile drops.
The test cam-usage command allows you to verify that there are enough available CAM entries before applying a policy-map to an interface so that you avoid exceeding the QoS CAM space and partial configurations. This command measures the size of the specified policy-map and compares it to the available CAM space in a partition for a specified port-pipe.
Using ECN, the packets are marked for transmission at a later time after the network recovers from the heavy traffic state to an optimal load. In this manner, enhanced performance and throughput are achieved. Also, the devices can respond to congestion before a queue overflows and packets are dropped, enabling improved queue management. When a packet reaches the device with ECN enabled for WRED, the average queue size is computed. To measure the average queue size, a weight factor is used.
Queue Configuration Service-Pool Configuration WRED Threshold Expected Functionality Relationship Q threshold = Q-T, Service pool threshold = SP-T 1 0 0 X X Queue based WRED, 1 X Q-T < SP-T No ECN marking SP-T < Q-T SP based WRED, No ECN marking 1 1 0 X X Queue-based ECN marking above queue threshold. 1 X Q-T < SP-T ECN marking to shared buffer limits of the service-pool and then packets are tail dropped. SP-T < Q-T Same as above but ECN marking starts above SP-T.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers: • Currently Dell EMC Networking OS supports matching only the following TCP flags: – ACK – FIN – SYN – PSH – RST – URG In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
Until Release 9.3(0.0), ACL supports classification based on the below TCP flags: • ACK • FIN • SYN • PSH • RST • URG You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
seq 5 permit any dscp 50 ! ip access-list standard dscp_40 seq 5 permit any dscp 40 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 ! policy-map-input pmap_dscp_40_50 servi
To apply a Layer 2 policy on a Layer 3 interface: 1 Configure an interface with an IP address or a VLAN sub-interface CONFIGURATION mode DellEMC(conf)# interface fo 1/49/1 INTERFACE mode DellEMC(conf-if-fo-1/49/1)# ip address 90.1.1.1/16 2 Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria. CONFIGURATION mode DellEMC(conf)# policy-map-input l2p layer2 3 Apply the Layer 2 policy on a Layer 3 interface.
6 Create an input policy map. CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7 Create a service queue to associate the class map and QoS policy map. POLICY-MAP mode Dell(conf-policy-map-in)#service-queue 0 class-map pp_classmap qos-policy pp_qospolicy Classifying Incoming Packets Using ECN and ColorMarking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
(standard and Extended) are enhanced to add this qualifier. This new keyword ‘ecn’ is present for all L3 ACL types (TCP/UDP/IP/ICMP) at the level where the ‘DSCP’ qualifier is positioned in the current ACL commands. Dell EMC Networking OS supports the capability to contain DSCP and ECN classifiers simultaneously for the same ACL entry.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers: • Currently Dell EMC Networking OS supports matching only the following TCP flags: – ACK – FIN – SYN – PSH – RST – URG In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Sample configuration to mark non-ecn packets as “yellow” with single traffic class Consider the use case where the packet with DSCP value “40” need to be enqueued in queue#2 and packets with DSCP value as 50 need to be enqueued in queue#3. And all the packets with ecn value as ‘0’ must be marked as ‘yellow’. The above requirement can be achieved using either of the two approaches. The above requirement can be achieved using either of the two approaches.
! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Quality of Service (QoS) 723
41 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Implementation Information Dell EMC Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell EMC Networking OS. Table 64.
Enabling RIP Globally By default, RIP is not enabled in Dell EMC Networking OS. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process on Dell EMC Networking OS. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. • Include directly connected or user-configured (static) routes in RIP.
INTERFACE mode ip rip send version [1] [2] Examples of the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface () participating in the RIP process is also set to send and receive RIPv2 (shown in bold).
Generating a Default Route Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. In Dell EMC Networking OS, default routes received in RIP updates from other routes are advertised if you configure the default-information originate command.
– weight: the range is from 1 to 255. The default is 120. – ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x). • – access-list-name: the name of a configured IP ACL. Apply an additional number to the incoming or outgoing route metrics.
Figure 106. RIP Topology Example RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/3)# Core2(conf-if-gi-2/3)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
The following example shows the show ip route command to show the RIP setup on Core 2.
Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config ! router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.0 version 2 Core3(conf-router_rip)# Core 3 RIP Output The examples in this section show the core 2 RIP output. • To display Core 3 RIP database, use the show ip rip database command. • To display Core 3 RIP setup, use the show ip route command.
The following example shows the show ip protocols command to show the RIP configuration activity on Core 3.
! interface GigabitEthernet 3/2 ip address 10.11.20.1/24 no shutdown ! interface GigabitEthernet 3/4 ip address 192.168.1.1/24 no shutdown ! interface GigabitEthernet 3/5 ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
42 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table. – log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or logand-trap. Default is no log.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
43 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanningtree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.
• Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell EMC Networking recommends limiting the range to five ports and 40 VLANs.
no shutdown DellEMC(conf-if-gi-1/1)# Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports.
Figure 107. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. DellEMC#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (GigabitEthernet 2/4) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 66.
Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The default is 32768. Entries must be multiples of 4096. Example of the bridge-priority Command A console message appears when a new root bridge has been assigned.
interface GigabitEthernet 2/1 no ip address switchport spanning-tree rstp edge-port shutdown DellEMC(conf-if-gi-2/1)# Configuring Fast Hellos for Link State Detection Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos.
44 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
45 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function.
System accounting can use only the default method list. Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NAS receives the accounting request from the supplicant and sends the RADIUS request packet to the accounting server after successful authentication. The RADIUS Accounting request contains a RADIUS Acct-Status-Type as Start or Stop to update the supplicant session to the accounting server. NOTE: In RADIUS accounting, fallback behavior among RADIUS and TACACS servers is not supported as the RADIUS accounting feature is not available in Dell EMC Networking OS version earlier than 9.14.1.5.
Tmp-String-9 = "ai:" Acct-Unique-Session-Id = "2d6c5beef615d18fa21bbde29411f6d5" Timestamp = 1557508935 MAB START record: Fri May 10 23:30:21 2019 User-Name = "001122334455" Called-Station-Id = "00-11-33-44-77-88" Calling-Station-Id = "00-11-22-33-44-55" NAS-IP-Address = 10.16.133.
RADIUS Attribute code RADIUS Attribute Description 40 Acct-Status-Type START 44 Acct-Session-Id CLI Session-Id - To match start and stop session requests. 61 NAS-Port-Type ASYNC - for console session. Accounting Attributes VIRTUAL - for telnet/SSH session. Table 68. RADIUS Accounting Stop Record Attributes for CLI user RADIUS Attribute code RADIUS Attribute Description 4 NAS-IP-Address IPv4 address of the NAS. 95 NAS-IPv6–Address IPv6 address of the NAS.
RADIUS Attribute code RADIUS Attribute Description 95 NAS-IPv6–Address IPv6 address of the NAS. Session Identification Attributes 1 User-Name User name/ Supplicant MAC Address (for MAB). 5 NAS-Port Port on which session is terminated. 6 Service-Type Framed (2) for EAP /Call check (10) for MAB. 8 Framed-IP-Address IPv4 address of supplicant. 168 Framed-IPV6-Address IPv6 address of supplicant. 30 Called-Station-Id Switch MAC Address. 31 Calling-Station-Id Supplicant MAC Address.
RADIUS Attribute code RADIUS Attribute Description 61 NAS-Port-Type Ethernet NOTE: During the administrative initiated reload and system failover events, the accounting Stop records for the 802.1x authorized supplicants are not sent to RADIUS server. Table 72. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records dot1x event Accounting type Attributes Dot1x user authentication success Start Start record attributes for dot1x supplicant.
AAA Authentication Dell EMC Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
2 • enable: use the password you defined using the enable secret, enable password, or enable sha256-password command in CONFIGURATION mode. In general, the enable secret command overrules the enable password command. If you configure the enable sha256-password command, it overrules both the enable secret and enable password commands. • line: use the password you defined using the password command in LINE mode. • local: use the username/password database defined in the local configuration.
3 Establish a host address and password. CONFIGURATION mode tacacs-server host x.x.x.x key some-password Examples of the enable commands for RADIUS To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server. DellEMC(config)# aaa authentication enable default radius tacacs Radius and TACACS server has to be properly setup for this. DellEMC(config)# radius-server host x.x.x.
Example: DellEMC(config)#aaa authentication login vty_auth_list radius Force all logged-in users to re-authenticate (y/n)? 3 You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.. CONFIGURATION mode radius-server host IP Address Example: DellEMC(config)#radius-server host 192.100.0.12 Force all logged-in users to re-authenticate (y/n)? DellEMC(config)#no radius-server host 192.100.0.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell EMC Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell EMC Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell EMC Networking OS.
username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level][secret] Configure the optional and required parameters: – name: Enter a text string up to 63 characters long. – access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level The range is from 0 to 15.
CONFIGURATION mode username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password Secret] Configure the optional and required parameters: 2 • name: Enter a text string up to 63 characters(maximum) long. • access-class access-list-name: Restrict access by access-class.. • privilege level: The range is from 0 to 15. • nopassword: No password is required for the user to log in. • encryption-type: Enter 0 for plain text or 7 for encrypted text.
DellEMC(conf)#privilege config level 8 snmp-server DellEMC(conf)#end DellEMC#show running-config Current Configuration ... ! hostname Force10 ! enable password level 8 notjohn enable password Force10 ! username admin password 0 admin username john password 0 john privilege 8 ! The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed.
Configure the following optional and required parameters: – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a text string up to 32 characters long. To view the password configured for a terminal, use the show config command in LINE mode. Enabling and Disabling Privilege Levels To enable and disable privilege levels, use the following commands. • Set a user’s security level.
• ACL Configuration Information • Auto-Command • Privilege Levels After gaining authorization for the first time, you may configure these attributes. NOTE: RADIUS authentication/authorization is done for every login. There is no difference between first-time login and subsequent logins. Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout.
Configuration Task List for RADIUS To authenticate users using RADIUS, you must specify at least one RADIUS server so that the system can communicate with and configure RADIUS as one of your authentication methods. The following list includes the configuration tasks for RADIUS.
login authentication {method-list-name | default} • This procedure is mandatory if you are not using default lists. To use the method list. CONFIGURATION mode authorization exec methodlist Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command.
CONFIGURATION mode radius-server key [encryption-type] key – encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text. • – key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key. Configure the number of times Dell EMC Networking OS retransmits RADIUS requests. CONFIGURATION mode radius-server retransmit retries • – retries: the range is from 0 to 100. Default is 3 retries.
CONFIGURATION mode aaa radius auth-method mschapv2 3 Establish a host address and password. CONFIGURATION mode radius-server host H key K 4 Log in to switch using console or telnet or ssh with a valid user role. When 1-factor authentication is used, the authentication succeeds enabling you to access the switch. When two-factor authentication is used, the system prompts you to enter a one-time password as a second step of authentication.
Allocate CAM for RADIUS-assigned DACL Allocate the CAM region to use the RADIUS-assigned DACL. Reload the switch for the CAM allocation to take effect. To allocate a CAM region for RADIUS-assigned DACL, use the cam-acl command. Enter the radius-v4acl allocation as a factor of 2 (2,4,6,8). The maximum number of FP blocks allocated for RADIUS-assigned DACLs is 8.
NOTE: The system displays error when both the filter-ID and RADIUS Filter Rule attributes are sent in the same RADIUS AccessAccept frame. RADIUS NAS-Filter-Rule attribute The switch or NAS saves the RADIUS-assigned DACL rules under a filter name derived from the supplicant MAC addresses. The NAS dynamically generates a filter for the rules downloaded through the RADIUS NAS-Filter-Rule attribute. The names of the downloaded filter rules have a prefix __Rad followed by the supplicant MAC addresses.
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 ! Extended Ingress IP access list __Rad1_64883d1000 on GigabitEthernet 1/1(Radius-ACL) Total cam count 4 seq 5 permit ip host 100.0.0.1 host 150.0.0.100 count (0 packets) seq 10 deny ip host 100.0.0.1 host 100.0.0.2 count (0 packets) seq 15 permit ip host 100.0.0.10 host 150.0.0.100 count (0 packets) seq 20 deny ip host 100.0.0.10 host 100.0.0.
Untagged VLAN id: ACL Name: Auth PAE State: Backend State: None __Rad_3_632426100 Authenticated Idle Filter-Id attribute The NAS dynamically applies the ACLs that are created using a OS9 CLI to a supplicant after authentication. Dell EMC Networking OS allows to apply the same filter for user ACL and RADIUS ACL on different interfaces. NOTE: It is not recommended to configure the same filter both as a user ACL and RADIUS ACL on an interface.
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3 seq 47 permit ip 100.0.0.0/28 200.0.0.0/23 seq 52 permit ip 100.0.0.0/16 any seq 57 permit icmp host 1.1.1.1 200.0.0.0/23 seq 62 permit icmp any 200.0.0.0/27 seq 67 permit icmp host 1.1.1.1 any seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 ! Extended Ingress IP access list test1 on GigabitEthernet 2/1(Radius-ACL)Supplicant MAC-38:8f: 17:91:00:00 Total cam count 3 seq 5 permit ip host 10.10.10.10 host 20.20.20.
Attributes In Disconnect messsage requests and CoA-Request packets, certain attributes are used to uniquely identify the NAS as well as user sessions on the NAS. The combination of NAS and session identification attributes included in a CoA-request or a disconnect-message request must match at least one session in order for a request to be successful; otherwise, a disconnect-Nak or CoA-Nak is sent.
Attribute code Attribute Description • v=6027 (Force10);Vendor-Type=1(Force10-av-pair) Length = value Table 77. DM Attributes Attribute code Attribute Description 1 User-Name(Mandatory) Name of the user associated with one or more sessions. Mandatory attributes The following tables describe the mandatory attributes for various message types: Table 78.
Table 80. CoA EAP/MAB Bounce Port Radius Attribute code Radius Attribute Description Mandatory NAS Identification Attributes 4 NAS-IP-Address IPv4 address of the NAS. No 95 NAS-IPv6–Address IPv6 address of the NAS. No Port on which session is terminated Yes t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=bounce-host-port” Yes Description Mandatory Session Identification Attributes 5 NAS-Port Authorization Attributes 26 Vendor-Specific Table 81.
Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. It may be included within CoA-Nak and Disconnect-Nak packets. The following table describes various error causes for the CoA and DM requests: Table 83.
NOTE: The Invalid Attribute Value Error-Cause is applicable to following scenarios: – if the CoA request contains incorrect Vendor-Specific attribute value. – if the CoA request contains incorrect NAS-port or calling-station-id values. • rejects the CoA-Request containing NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; Error-Cause value is “NAS Identification Mismatch” (403).
Disconnect Message Processing This section lists various actions that the NAS performs during DM processing. The following activities are performed by NAS: • responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is “Session Context Not Found” (503). • responds with DM-Nak for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
client-key encryption-type key Dell(conf-dynamic-auth#)client-key 7 password Disconnecting administrative users logged in through RADIUS Dell EMC Networking OS enables you to configure disconnect messages (DMs) to disconnect RADIUS administrative users who are logged in through an AAA interface. Before disconnecting an administrative user using the disconnect messages, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions connected to this authentication port are affected. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)coa-bounce-port NAS takes the following actions whenever port-bounce is triggered: • validates the CoA request and the session identification attributes. • sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attributes.
• sends-ACK if user is configured with forced-authorization. Terminating the 802.1x user session Dell EMC Networking OS provides RADIUS extension commands that terminate the 802.1x user session. When this request is initiated, the NAS disconnects the 802.1x user session without disabling the physical port that authenticated the current session. Before terminating the 802.1x user session, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS administratively shuts down the 802.1x enabled port that is hosting the session. You can re-enable this port only through a nonRADIUS mechanism or through bounce-port request. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)coa-disable-port NAS takes the following actions: • validates the CoA request and the session identification attributes. • sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attribute.
NAS considers the new replay protection window value from next window period. The range is from 1 to 10 minutes. The default is 5 minutes. Dell(conf-dynamic-auth#)replay-prot-window 10 Rate-limiting RADIUS packets NAS enables you to allow or reject RADIUS dynamic authorization packets based on the rate-limiting value that you specify. NAS lets you to configure number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute.
To select TACACS+ as the login authentication method, use the following commands. 1 Configure a TACACS+ server host. CONFIGURATION mode tacacs-server host {ip-address | host} Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts. 2 Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACAS+ authentication method.
authentication success on vty0 ( 10.11.9.209 ) %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.209) DellEMC(conf)#username angeline password angeline DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209) %RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 ) Monitoring TACACS+ To view information on TACACS+ transactions, use the following command.
– key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key configured on the TACACS+ server host. This parameter must be the last parameter you configure. If you do not configure these optional parameters, the default global values are applied. Example of Connecting with a TACACS+ Server Host To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times.
To use the SSH client, use the following command. • Open an SSH connection and specify the hostname, username, port number,encryption cipher,HMAC algorithm and version of the SSH client. EXEC Privilege mode ssh {hostname} [-l username | -p port-number | -v 2}| -c encryption cipher | -m HMAC algorithm • • hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). SSH V2 is enabled by default on all the modes.
copy scp: flash: Example of Using SCP to Copy from an SSH Server on Another Switch The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch. Other SSH related command include: • crypto key generate : generate keys for the SSH server. • debug ip ssh : enables collecting SSH debug information. • ip scp topdir : identify a location for files used in secure copy transfer.
• rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 to megabytes. The default is 1024 megabytes. Examples The following example configures the time-based rekey threshold for an SSH session to 30 minutes. DellEMC(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes.
• hmac-sha2-256 The default HMAC algorithms are the following: • hmac-sha2-256 • hmac-sha1 • hmac-sha1-96 • hmac-md5 • hmac-md5-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256,hmac-sha1,hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode. cipher-list-: Enter a space-delimited list of ciphers the SSH server will support. The following ciphers are available. • 3des-cbc • aes128-cbc • aes192-cbc • aes256-cbc • aes128-ctr • aes192-ctr • aes256-ctr The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Configuring DNS in the SSH Server Dell EMC Networking provides support to enable the DNS in SSH server configuration for host-based authentication. You can specify whether the SSH Server should look up the remote host name and check whether the resolved host name for the remote IP address maps to the same IP address. By default, the DNS in the SSH server configuration is disabled. To enable the DNS in the SSH server configuration, use the following command. • Enable the DNS in the SSH server configuration.
RSA Vty Authentication : disabled. Encryption HMAC Remote IP Using RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2. 1 On the SSH client (Unix machine), generate an RSA key, as shown in the following example. 2 Copy the public key id_rsa.pub to the Dell EMC Networking system. 3 Disable password authentication if enabled.
no ip ssh password-authentication or no ip ssh rsa-authentication 6 Enable host-based authentication. CONFIGURATION mode ip ssh hostbased-authentication enable 7 Bind shosts and rhosts to host-based authentication. CONFIGURATION mode ip ssh pub-key-file flash://filename or ip ssh rhostsfile flash://filename Examples of Creating shosts and rhosts The following example shows creating shosts. admin@Unix_client# cd /etc/ssh admin@Unix_client# ls moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.
Troubleshooting SSH To troubleshoot SSH, use the following information. You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:%Error: No username set for this term. Enable host-based authentication on the server (Dell EMC Networking system) and the client (Unix machine). The following message appears if you attempt to log in via SSH and host-based is disabled on the client.
1 Create a username. 2 Enter a password. 3 Assign an access class. 4 Enter a privilege level. You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis. can assign different access classes to different users by username. Until users attempt to log in, does not know if they will be assigned a VTY line.
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model. Essentially, a constrained model puts some limitations around each role’s permissions to allow you to partition of tasks. However, some inheritance is possible. Default command permissions are based on CLI mode (such as configure, interface, router), any specific command settings, and the permissions allowed by the privilege and role commands.
If you do not, the following error displays when you attempt to enable role-based only AAA authorization: % Error: Exec authorization must be applied to more than one line to be useful, e.g. console and vty lines. Could use default authorization method list as alternative. 5 Verify the configuration is applied to the console or VTY line.
User Roles This section describes how to create a new user role and configure command permissions and contains the following topics. • Creating a New User Role • Modifying Command Permissions for Roles • Adding and Deleting Users from a Role Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles.
netoperator netadmin secadmin sysadmin myrole secadmin Exec Exec Exec Exec Config Config Config Config Interface Router IP Route-map Protocol MAC Line Interface Line Router IP Route-map Protocol MAC. Line Modifying Command Permissions for Roles You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode.
The following example allows the security administrator (secadmin) to only access 10-Gigabit Ethernett interfaces and then shows that the secadmin, highlighted in bold, can now access Interface mode. However, the secadmin can only access 10-Gigabit Ethernet interfaces.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. DellEMC(conf)# username john password 0 password role secadmin The following example deletes a user role.
commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization. Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
line vty 6 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 7 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 8 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 9 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin ! ucraaa ucraaa ucraaa ucraaa Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege lev
Role Accounting This section describes how to configure role accounting and how to display active sessions for roles. This sections consists of the following topics: • Configuring AAA Accounting for Roles • Applying an Accounting Method to a Role • Displaying Active Accounting Sessions for Roles Configuring AAA Accounting for Roles To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
• Displaying Information About Roles Logged into the Switch • Displaying Active Accounting Sessions for Roles Displaying User Roles To display user roles using the show userrole command in EXEC Privilege mode, use the show userroles and show users commands in EXEC privilege mode.
Two Factor Authentication (2FA) Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2. To perform 2FA, follow these steps: • When the Network access server (NAS) prompts for the username and password, provide the inputs. • If the credentials are valid: – RADIUS server sends a request to the SMS–OTP daemon to generate an OTP for the user.
Hostbased Authentication : disabled. RSA Authentication : disabled. Challenge Response Auth : enabled. Vty Encryption HMAC 2 aes128-cbc hmac-md5 4 aes128-cbc hmac-md5 * 5 aes128-cbc hmac-md5 DellEMC# Remote IP 10.16.127.141 10.16.127.141 10.16.127.141 SMS-OTP Mechanism A short message service one time password (SMS-OTP) is a free RADIUS module to implement two factor authentication. There are multiple 2FA mechanisms that can be deployed with the RADIUS.
ICMPv4 message types Timestamp reply (14) Information request (15) Information reply (16) Address mask request (17) Address mask reply (18) NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8). Table 86.
Dell EMC Networking OS Security Hardening The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced verify whether the OS image and the startup configuration file are altered before loading.
After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every reload. DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E Image Verification for Subsequent OS Upgrades After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the new OS image file.
CONFIGURATION mode verified startup-config 2 Generate the hash checksum for your startup configuration file. EXEC Privilege generate hash {md5 | sha1 | sha256} {flash://filename | startup-config} 3 Verify the hash checksum of the current startup configuration on the local file system. EXEC Privilege verified boot hash startup—config hash-value NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system.
Locking Access to GRUB Interface You can configure the Dell EMC Networking OS to lock the GRUB interface using a password. If you configure a GRUB password, the system prompts for the password when you try to access the GRUB interface. CAUTION: After configuring the boot access password, save it to a secure location. If you forget it, you will not be able to access the options in the startup menu. If you forget both the boot access password and the enable password, the system may become inaccessible.
46 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 108. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3 Enabling VLAN-Stacking for a VLAN. Related Configuration Tasks • Configuring the Protocol Type Value for the Outer VLAN Tag • Configuring Dell EMC Networking OS Options for Trunk Ports • Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stackingenabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID 0x8100. 2 Add the port to a 802.1Q VLAN as tagged or untagged. INTERFACE VLAN mode [tagged | untagged] Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs In the following example, GigabitEthernet 1/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
DellEMC#debug member port gigabitethernet 2/4 vlan id : 603 (MT), 100(T), 101(NU) DellEMC# VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Figure 109.
Figure 110.
Figure 111. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series. Table 87. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Honoring the Incoming DEI Value To honor the incoming DEI value, you must explicitly map the DEI bit to an Dell EMC Networking OS drop precedence. Precedence can have one of three colors. Precedence Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort. Red Lowest-priority packets that are always dropped (regardless of congestion status).
Gi 2/9 Gi 2/10 Yellow Yellow 0 0 Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value. Figure 112.
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Dell EMC Networking OS Behavior: In Dell EMC Networking OS versions prior to 8.2.1.0, the MAC address that Dell EMC Networking systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell EMC Networking-unique MAC address, 01-01-e8-00-00-00.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2 Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3 Tunnel BPDUs the VLAN.
4 Set a maximum rate at which the RPM processes BPDUs for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
47 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
hardware sampling rate is backed-off from 512 to 1024. Note that port 1 maintains its sampling rate of 16384; port 1 is unaffected because it maintains its configured sampling rate of 16384.: • If the interface states are up and the sampling rate is not configured on the port, the default sampling rate is calculated based on the line speed. • If the interface states are shut down, the sampling rate is set using the global sampling rate.
Examples of Verifying Extended sFlow The bold line shows that extended sFlow settings are enabled on all three types. DellEMC#show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global default extended maximum header size: 128 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
• To reset the maximum header size of a packet, use the following command [no] sflow max-header-size extended • View the maximum header size of a packet.
EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on Gi 1/16 and Gi 1/17 DellEMC#show sflow sFlow services are enabled Global default sampling rate: 32768 Global default counter polling interval: 20 1 collectors configured Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
Displaying Show sFlow on a Stack-unit To view sFlow statistics on a specified Stack-unit, use the following command. • Display sFlow configuration information and statistics on the specified interface.
Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared. This is as per sFlow version 5 draft.
Global default sampling rate: 32768 Global default counter polling interval: 20 Global extended information enabled: none 0 collectors configured 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • To export extended-gateway data, BGP must learn the IP destination address. • If the IP destination address is not learned via BGP the Dell EMC Networking system does not export extended-gateway data.
48 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Troubleshooting SNMP Operation • Transceiver Monitoring • Configuring SNMP context name Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
To enable security for SNMP packets transferred between the server and the client, you can use the snmp-server user username group groupname 3 auth authentication-type auth-password priv aes128 priv-password command to specify that AES-CFB 128 encryption algorithm needs to be used.
Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications. If you experience a timeout with these values, increase the timeout value to greater than 3 seconds, and increase the retry value to greater than 2 seconds on your SNMP server. • User ACLs override group ACLs. Set up SNMP As previously stated, Dell EMC Networking OS supports SNMP version 1 and version 2 that are community-based security models.
• auth — password privileges. Select this option to set up a user with password authentication. • priv — password and privacy privileges. Select this option to set up a user with password and privacy privileges. To set up user-based security (SNMPv3), use the following commands. • Configure the user with view privileges only (no password or privacy privileges).
Enable SNMPv3 traps You must configure notify option for the SNMPv3 traps to work. • Configure an SNMPv3 traps. CONFIGURATION mode snmp-server group group-name {oid-tree} priv read name write name notify name Enter the keyword notify then a name (a string of up to 20 characters long) as the notify view name. • Configure an SNMPv3 view for notify.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. • To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}syntax value Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.
The default is None. Subscribing to Managed Object Value Updates using SNMP By default, the Dell EMC Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. Dell EMC Networking OS supports the following three sets of traps: • • • RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighbborLoss.
• Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options. NOTE: You must configure notify option for the SNMPv3 traps to work.
32768:00d0.038a.2c01. %SPANMGR-5-MSTP_TOPOLOGY_CHANGE: Topology change BridgeAddr: 0001.e801.fc35 Mstp Instance Id 0 port Gi 1/8 transitioned from forwarding to discarding state.
CONFIGURATION MODE snmp-server enable traps snmp syslog-reachable Table 91. List of Syslog Server MIBS that have read access MIB Object OID Object Values Description dF10SysLogTraps 1.3.6.1.4.1.6027.3.30.1.1 1 = reachable2 = unreachable Specifies whether the syslog server is reachable or unreachable. The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38 SNMPv2-MIB::snmpTrapOID.
MIB Object OID Object Values Description copySrcFileLocation and copySrcFileName. copySrcFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 1 = flash 2 = slot0 3 = tftp Specifies the location of source file. • 4 = ftp If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. 5 = scp 6 = usbflash copySrcFileName copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 .1.3.6.1.4.1.6027.3.5.1.1.1.1.
MIB Object OID Object Values Description also specify copyUserPassword. copyUserPassword .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 Password for the server. Password for the FTP, TFTP, or SCP server. Copying a Configuration File To copy a configuration file, use the following commands. NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command or in the snmpset tool path.
• Copy the running-config to the startup-config from the UNIX machine. snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3 Examples of Copying Configuration Files The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object. The following example shows copying configuration files using MIB object names. > snmpset -v 2c -r 0 -t 60 -c private -m .
• precede the values for copyUsername and copyUserPassword by the keyword s. Example of Copying Configuration Files via FTP From a UNIX Machine > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass FTOS-COPY-CONFIG-MIB::copySrcFileType.110 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileName.
Additional MIB Objects to View Copy Statistics Dell EMC Networking provides more MIB objects to view copy statistics, as shown in the following table. Table 93. Additional MIB Objects for Copying Configuration Files via SNMP MIB Object OID Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.1.11 1= running Specifies the state of the copy operation. 2 = successful 3 = failed copyTimeStarted .1.3.6.1.4.1.6027.3.5.1.1.1.1.
• the server OS is UNIX • you are using SNMP version 2c • the community name is public • the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command. The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object. The following command shows how to get a MIB object value using the object name.
MIB Support for Power Monitoring Dell EMC Networking provides MIB objects to display the information for Power Monitoring. The OIDs specific to Power Monitoring are appended to the DellITaMIbs. There are three separate DellITaMIbs available to display the current input power, average input power and average input-power start time. These statistics can also be obtained by using the CLI command:show environment. The following table lists the related MIB objects, OID and description for the same: Table 95.
MIB Support to Display the Software Core Files Generated by the System Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 97. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.10.1.2.
enterprises.6027.3.10.1.2.10.1.5.1.3 = "vrrp" Hex: 76 72 72 70 enterprises.6027.3.10.1.2.10.1.5.2.1 = "sysd" Hex: 73 79 73 64 The output above displays that the software core files generated by the system. SNMP Support for WRED Green/Yellow/Red Drop Counters Dell EMC Networking provides MIB objects to display the information for WRED Green (Green Drops)/Yellow (Yellow Drops)/Red (Out of Profile Drops) Drop Counters.
MIB Support to Display the Available Partitions on Flash Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects: Table 99. MIB Objects to Display the Available Partitions on Flash MIB Object OID Description dellNetFlashPartitionNumber 1.3.6.1.4.1.6027.3.26.1.4.8.1.1 Index for the table.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.5 .1.3.6.1.4.1.6027.3.
snmpwalk -c public -v 2c 10.16.151.191 1.3.6.1.4.1.6027.3.9 SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.1 = Counter64: 79 SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.2 = Counter64: 1 SNMPv2-SMI::enterprises.6027.3.9.1.3.0 = Gauge32: 18 SNMPv2-SMI::enterprises.6027.3.9.1.4.0 = Gauge32: 1 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.0.24.0.0.0.0 = INTEGER: 2098693 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = INTEGER: 2098693 SNMPv2-SMI::enterprises.6027.3.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = Hex-STRING: 00 00 DA FE 04 0B SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = Hex-STRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.100.100.100.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = Hex-STRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.100.100.100.0.24.1.4.30.1.1.1.1.4.30.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.
MIB Support for LAG Dell EMC Networking provides a method to retrieve the configured LACP information (Actor and Partner). Actor (local interface) is to designate the parameters and flags pertaining to the sending node, while the term Partner (remote interface) is to designate the sending node’s view of its peer parameters and flags. LACP provides a standardized means for exchanging information, with partner systems, to form a link aggregation group (LAG).
MIB Object OID Description microseconds, that may be imposed by the frame collector between receiving a frame from an Aggregator Parser, and either delivering the frame to its MAC Client or discarding the frame. dot3adAggPortListTable 1.2.840.10006.300.43.1.1.2 Contains a list of all the ports associated with each Aggregator. Each LACP channel in a device occupies an entry in the table. dot3adAggPortListEntry 1.2.840.10006.300.43.1.1.2.
MIB Object OID Description lldpRemUnknownTLVType 1.0.8802.1.1.2.1.4.3.1.1 Contains value extracted from the type field of the TLV. lldpRemUnknownTLVInfo 1.0.8802.1.1.2.1.4.3.1.2 Contains value extracted from the value field of the TLV. Viewing the Details of Reserved Unrecognized LLDP TLVs • To view the information of reserved unrecognized LLDP TLVs using SNMP, use the following commands. snmpwalk -v2c -c mycommunity 10.16.150.83 1.0.8802.1.1.2.1.4 iso.0.8802.1.1.2.1.4.1.1.6.0.2113029.
MIB Object OID Description lldpRemOrgDefInfoSubtype 1.0.8802.1.1.2.1.4.4.1.2 Contains integer value used to identify the subtype of the organizationally defined information received from the remote system. lldpRemOrgDefInfoIndex 1.0.8802.1.1.2.1.4.4.1.3 Contains the object represents an arbitrary local integer value used by this neighbor to identify a particular unrecognized organizationally defined information instance. lldpRemOrgDefInfo 1.0.8802.1.1.2.1.4.4.1.
Global MIB objects for port security This section describes about the scalar MIB objects of the global MIB dellNetPortSecGlobalObjects. The following table shows the scalar global MIB objects for port security. Table 107. Global MIB Objects for Port Security MIB Object OID Access or Permission Description dellNetGlobalPortSecurityMode 1.3.6.1.4.1.6027.3.31.1.1.1 read-write Enables or disables port security feature globally on the device. dellNetGlobalTotalSecureAddress 1.3.6.1.4.1.6027.3.31.1.1.
MIB Object OID Access or Permission Description dellNetPortSecIfStationMoveEn able 1.3.6.1.4.1.6027.3.31.1.2.1.1.5 read-write Enable or disable station movement on the dynamically secured MAC addresses learnt on the interface. dellNetPortSecIfSecureMacViola 1.3.6.1.4.1.6027.3.31.1.2.1.1.6 tionAction read-write Determines the action to be taken when MAC limit violation occurs in the system. dellNetPortSecIfStmvViolationA ction 1.3.6.1.4.1.6027.3.31.1.2.1.1.
NOTE: MAC addresses cannot be retrieved using dellNetPortSecSecureStaticMacAddrTable and dellNetPortSecSecureMacAddrTable. These tables are valid only if port security feature is enabled globally in the system. Table 109. MIB Objects for configuring MAC addresses MIB Object OID dellNetPortSecIfSecureStaticMa 1.3.6.1.4.1.6027.3.31.1.2.2.1.4 cRowStatus Access or Permission Description read-write Allows adding or deleting entries to or from the table dellNetPortSecSecureStaticMac AddrTable.
To retrieve the dellNetSecureMacAddrType on a MAC address (00:00:00:00:11:11) learnt or configured on a VLAN 10, use the following command. snmpwalk -v 2c -c public 10.16.129.24 1.3.6.1.4.1.6027.3.31.1.3.1.1.4.6.0.0.0.0.17.17.10 SNMPv2-SMI::enterprises.6027.3.31.1.3.1.1.4.6.0.0.0.0.17.17.10 = INTEGER: 1 Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs.
LineSpeed auto ARP type: ARPA, ARP Timeout 04:00:00 To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series. The following example shows viewing VLAN ports using SNMP with no ports assigned. > snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
• • To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object. To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects. NOTE: Whether adding a tagged or untagged port, specify values for both dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts. Example of Adding an Untagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as an untagged member of VLAN 10.
1.3.6.1.4.1.6027.3.18.1.4 To set time to wait set 1.3.6.1.4.1.6027.3.18.1.2 and 1.3.6.1.4.1.6027.3.18.1.5 respectively To set time to wait till bgp session are up set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6 Enabling and Disabling a Port using SNMP To enable and disable a port using SNMP, use the following commands. 1 Create an SNMP community on the Dell system.
Each object comprises an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent. For example, the decimal equivalent of E8 is 232, and so the instance number for MAC address 00:01:e8:06:95:ac is.0.1.232.6.149.172. The value of dot1dTpFdbPort is the port number of the port off which the system learns the MAC address.
MIB Objects for Viewing the System Image on Flash Partitions To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 112. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 List the version string of the system image in Flash Partition A.
• timers bgp 30 90 • neighbor 30.1.1.1 remote-as 200 • neighbor 30.1.1.1 no shutdown • exit-address-family To map the context to a VRF instance for SNMPv3, follow these steps: 1 2 Create a community and map a VRF to it. Create a context and map the context and community, to a community map.
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.4.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.5.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.1.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.2.0.1.30.1.1.2.1.30.1.1.
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state Po 1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32 SNMPv2-MIB::snmpTrapOID.0 = IF-MIB::linkUp IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2-SMI::enterprises. 6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Gi 1/1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500934) 23:36:49.
"REACHABLE: Syslog server 10.11.226.121 (port: 9140) is reachable"SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2 Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.
Field (OID) Description SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.3 Optics Present SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 Optics Type SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5 Vendor Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6 Part Number SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 Serial Number SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8 Transmit Power Lane1 SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9 Transmit Power Lane2 SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
49 Stacking Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
• Switch insertion • Switch removal If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby. Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. • Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
After the former master switch recovers, despite having a higher priority or MAC address, it does not recover its master role but instead takes the next available role. To view failover details, use the show redundancy command. MAC Addressing on Stacks The stack has three MAC addresses: the chassis MAC, interface MAC, and null interface MAC. All interfaces in the stack use the interface MAC address of the management unit, and the chassis MAC for the stack is the master’s chassis MAC.
Going for reboot.
Figure 115. Supported Stacking Topologies High Availability on Stacks Stacks have master and standby management units analogous to Dell EMC Networking route processor modules (RPM). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and Dell EMC Networking OS elects a new standby unit.
Failover Count: Last failover timestamp: Last failover Reason: Last failover type: 0 None None None -- Last Data Block Sync Record: ------------------------------------------------stack-unit Config: no block sync done Start-up Config: no block sync done Runtime Event Log: no block sync done Running Config: no block sync done ACL Mgr: no block sync done LACP: no block sync done STP: no block sync done SPAN: no block sync done DellEMC# Management Access on Stacks You can access the stack via the console po
• You cannot stack one system with other system types. • You cannot enable stacking and virtual link trunking (VLT) simultaneously on the device. To convert a stacked unit to VLT, see Reconfiguring Stacked Switches as VLT. • Each 10G data port is configured as stacking port in predefined groups called stack-group. • When using the 40G ports, you can configure a single port as a stack port; each 40G port is a stack-group. • The S3048–ON has one port assigned to each stack group.
Figure 116. Stack-Group Assignments You can connect the units while they are powered down or up. Stacking ports are bi-directional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell EMC Networking OS version. Syslog messages are generated by the management unit: • • the syslog includes the unit number, previous version, and version being downloaded.
3 Reload the switch. EXEC Privilege mode reload Dell EMC Networking OS automatically assigns a number to the new unit and adds it as member switch in the stack. The new unit synchronizes its running and startup configurations with the stack. 4 After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes. To view the port assignments, use the show system stack-unit command.
Example of a Syslog In the above example, stack unit 1 is the master management unit, stack unit 2 is the standby unit. The cables are connected to each unit.
2 2 3 3 3 4 4 4 2 3 1 2 3 1 2 3 up up up up up up up up up up up up up up up up 7200 7200 7200 7200 7200 7200 7200 7200 The following example shows how to configure two new switches for stacking using 10G ports. Dell-1(conf)#stack-unit 1 stack-group 1 Setting ports Te 1/50 as stack group will make their interface configs obsolete after a reload. [confirm yes/no]:yes Dell-2(conf)#stack-unit 2 stack-group 0 Setting ports Te 2/49 as stack group will make their interface configs obsolete after a reload.
3 (OPTIONAL) On the new unit, assign a management priority based on whether you want the new unit to be the stack manager. CONFIGURATION mode stack-unit stack-unit-number priority priority-number 4 Assign a stack group to each unit. CONFIGURATION mode stack-unitstack-unit-number stack-group stack-group-number 5 Connect the new unit to the stack using stacking cables.
5 • Password: ***** • DellEMC> enable • DellEMC# configure Configure the ports on the added switch for stacking. CONFIGURATION mode stack-unit 1 stack-group group-number 6 • stack-unit 1: defines the default ID unit-number in the initial configuration of a switch. • stack-group group-number: configures a port for stacking. Save the stacking configuration on the ports. EXEC Privilege mode write memory 7 Reload the switch.
For a parent stack that is split into two child stacks, A and B, each with multiple units: • If one of the new stacks receives the master and the standby management units, it is unaffected by the split. • If one of the new stacks receives only the master unit, that unit remains the stack manager, and Dell EMC Networking OS elects a new standby management unit.
Displaying Information about a Stack To display information about the stack, use the following command. • Display for stack-identity, status, and hardware information on every unit in a stack. EXEC Privilege mode • show system Display most of the information in show system, but in a more convenient tabular form. EXEC Privilege mode • show system brief Display the same information in show system, but only for the specified unit.
Speed in RPM DellEMC# The following is an example of the show system brief command to view the stack summary information. DellEMC#show system brief Stack MAC Reload-Type : 00:12:13:34:12:40 : normal-reload [Next boot : normal-reload] -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports -----------------------------------------------------------------------------------1 Member not present S3048-ON 2 Member not present 3 Management online S3048-ON S3048-ON 9.8(0.
• Influence the selection of the stack management units. CONFIGURATION mode stack-unit unit-number priority priority-value The unit with the numerically highest priority is elected the master management unit, and the unit with the second highest priority is the standby unit. The range is from 1 to 14. The default is 0. Managing Redundancy on a Stack Use the following commands to manage the redundancy on a stack. • Reset the current management unit and make the standby unit the new master unit.
Verify a Stack Configuration The light of the LED status indicator on the front panel of the stack identifies the unit’s role in the stack. • Off indicates the unit is a stack member. • The master LED is in OFF state for the standby unit. • Solid green indicates the unit is the stack master (management unit). Displaying the Status of Stacking Ports To display the status of the stacking ports, including the topology, use the following command. • Display the stacking ports.
-- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------3 1 up AC up 8032 3 2 absent absent 0 -- Fan Status -Unit Bay TrayStatus Fan1 Speed -----------------------------------------------------------------------------------3 1 up up 18000 3 2 up up 18000 3 3 down Speed in RPM DellEMC# The following example shows three switches stacked together in a daisy chain topology.
Stack MAC Reload-Type : 00:21:22:23:24:25 : normal-reload [Next boot : normal-reload] -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports -----------------------------------------------------------------------------------1 Standby online S3048-ON S3048-ON 9.8(0.0P2) 52 2 Management online S3048-ON S3048-ON 9.8(0.0P2) 52 3 Member online S3048-ON S3048-ON 9.8(0.0P2) 52 4 Member not present 5 Member not present 6 Member not present The following example shows removing a stack member (after).
Recover from Stack Link Flaps Stack link integrity monitoring enables units to monitor their own stack ports and disable any stack port that flaps five times within 10 seconds. Dell EMC Networking OS displays console messages for the local and remote members of a flapping link, and on the primary (master) and standby management units as KERN-2-INT messages if the flapping port belongs to either of these units. In the following example, a stack-port on the master flaps.
-- Power Supplies -Unit Bay Status Type FanStatus -----------------------------------0 0 down DC down 0 1 up DC up 1 0 absent absent 1 1 up AC up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------0 0 up up 9360 up 9360 0 1 up up 9600 up 9360 1 0 up up 6720 up 6720 1 1 up up 6960 up 6720 Speed in RPM stack-1# Stacking 909
50 Storm Control Storm control allows you to control unknown-unicast, muticast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, muticast, and broadcast control for Layer 2 and Layer 3 traffic. Dell EMC Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode storm-control broadcast packets_per_second in • Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only. INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives the PFC/LLFC packets more than the configured rate.
51 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 117. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. DellEMC(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 no ip address switchport no shutdown DellEMC(conf-if-gi-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
no disable Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
• Enable PortFast on an interface. INTERFACE mode spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] Example of Verifying PortFast is Enabled on an Interface To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC Privilege mode or the show config command from INTERFACE mode. Dell EMC Networking recommends using the show config command.
Figure 119. Enabling BPDU Guard Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the RP and generates a console message.
DellEMC(conf-if-gi-1/7)#do show ip interface brief gigabitEthernet 1/7 Interface IP-Address OK Method Status Protocol GigabitEthernet 1/7 unassigned YES Manual up up Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. Figure 120. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
spanning-tree {0 | mstp | rstp | pvst} rootguard – 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
lower left), Switch C does not receive BPDUs from Switch B. When the max-age timer expires, the STP port on Switch C becomes unblocked and transitions to Forwarding state. A loop is created as both Switch A and Switch C transmit traffic to Switch B. As shown in the following illustration (STP topology 2, upper right), a loop can also be created if the forwarding port on Switch B becomes busy and does not forward BPDUs within the configured forward-delay time.
Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
Example of Viewing STP Guard Configuration DellEMC#show spanning-tree 0 guard Interface Name Instance Sts Guard type --------- -------- --------- ---------Gi 1/1 0 INCON(Root) Rootguard Gi 1/2 0 LIS Loopguard Gi 1/3 0 EDS (Shut) Bpduguard 926 Spanning Tree Protocol (STP)
52 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 122.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer | core-transfer} start now DellEMC#support-assist activity full-transfer start now DellEMC#support-assist activity core-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity.
action-manifest remove DellEMC(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json DellEMC(conf-supportassist-act-event-transfer)# 6 Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1 Configure the contact name for an individual.
[no] server server-name DellEMC(conf-supportassist)#server default DellEMC(conf-supportassist-serv-default)# 2 Configure a proxy for reaching the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] proxy-ip-address {ipv4-address | ipv6-address}port port-number [ username userid password [encryption-type] password ] DellEMC(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.
show running-config support-assist DellEMC# show running-config support-assist ! support-assist enable all ! activity event-transfer enable action-manifest install default ! activity core-transfer enable ! contact-company name Dell street-address F lane , Sector 30 address city Brussels state HeadState country Belgium postalcode S328J3 ! contact-person first Fred last Nash email-address primary des@sed.com alternate sed@dol.
53 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell EMC Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell EMC Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell EMC Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell EMC Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell EMC Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
To configure NTP authentication, use the following commands. 1 Enable NTP authentication. CONFIGURATION mode ntp authenticate 2 Set an authentication key. CONFIGURATION mode ntp authentication-key number {md5 | sha1} key Configure the following parameters: 3 • number: the range is from 1 to 65534. This number must be the same as the number in the ntp trusted-key command. • key: enter a text string. This text string is encrypted. Define a trusted key.
ntp server 10.16.127.144 Dell EMC (conf)# Dell EMC#show ntp associations remote vrf-Id ref clock st when poll reach delay offset disp ==================================================================================== LOCAL(0) 0 .LOCL. 7 7 16 7 0.000 0.000 0.002 10.16.127.86 0 10.16.127.26 5 3 16 7 0.498 361.760 0.184 10.16.127.144 0 10.16.127.26 5 1 16 7 0.492 359.171 0.219 10.16.127.44 0 10.16.127.26 5 5 16 7 0.498 355.501 0.
Configuring a Custom-defined Period for NTP time Synchronization You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure. • Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
• Set the system software clock to the current time and date. EXEC Privilege mode clock set time month day year – time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. – month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – day: enter the number of the day. The range is from 1 to 31.
clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset] – time-zone: enter the three-letter name for the time zone. This name displays in the show clock output. – start-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – start-day: enter the number of the day. The range is from 1 to 31.
◦ week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time. ◦ first: Enter the keyword first to start daylight saving time in the first week of the month. ◦ last: Enter the keyword last to start daylight saving time in the last week of the month. – end-month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – end-day: Enter the number of the day.
54 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): DellEMC(conf)#interface tunnel 3 DellEMC(conf-if-tu-3)#tunnel source 5::5 DellEMC(conf-if-tu-3)#tunnel destination 8::9 DellEMC(conf-if-tu-3)#tunnel mode ipv6 DellEMC(conf-if-tu-3)#ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands. DellEMC(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown DellEMC(conf)#interface tunnel 1 DellEMC(conf-if-tu-1)#ip unnumbered gigabitethernet 1/1 DellEMC(conf-if-tu-1)#ipv6 unnumbered gigabitethernet 1/1 DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
! interface Tunnel 1 ip address 1.1.1.1/24 ipv6 address 1abd::1/64 tunnel source anylocal tunnel allow-remote 40.1.1.
55 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 124. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 125. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• • • If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up. UPLINK-STATE-GROUP mode downstream auto-recover The default is auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5 (Optional) Enter a text description of the uplink-state group.
3/50 02:36:43: 3/51 02:36:43: 02:36:43: 02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/49 %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/50 %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/51 02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Gi 1/7 02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: G
– group-id: The values are from 1 to 16. Examples of Viewing UFD Information (S50) The following example shows viewing the uplink state group status.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 00:01:23 The following example shows viewing the UFD configuration.
DellEMC# 00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console DellEMC# show running-config uplink-state-group ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream GigabitEthernet 1/1-2,5,9,11-12 upstream GigabitEthernet 1/3-4 DellEMC# show uplink-state-group 3 Uplink State Group: 3 Status: Enabled, Up DellEMC# show uplink-state-group detail (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 3 Status: Enabled
56 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
57 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode. CONFIGURATION mode interface vlan vlan-id To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T Ports Po1(So 0/0-1) Gi 1/1 Po1(So 0/0-1) Gi 1/2 DellEMC#config DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#tagged po 1 DellEMC(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T Ports Po1(So 0/0-1) Gi 1/1 Po1(So 0/0-1) Gi 1/2 Po1(So
Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 Status Active Active 3 Active Q U T T T T Ports Gi 1/2 Po1(So 0/0-1) Gi 1/3 Po1(So 0/0-1) Gi 1/1 4 Inactive DellEMC#conf DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#untagged gigabitethernet 1/2 DellEMC(conf-if-vlan)#show config ! interface Vlan 4 no ip address untagged GigabitEthernet 1/2 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 Status Q Inactive Active T T Active T T Active U Ports Po
Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports. Physical and port-channel interfaces may be hybrid ports. Native VLAN is useful in deployments where a Layer 2 port can receive both tagged and untagged traffic on the same physical port. The classic example is connecting a voice-over-IP (VOIP) phone and a PC to the same port of the switch.
58 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
Figure 128. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 129. Example of VLT Deployment VLT offers the following benefits: • Allows a single device to use a LAG across two upstream devices. • Eliminates STP-blocked ports. • Provides a loop-free topology. • Uses all available uplink bandwidth. • Provides fast convergence if either the link or a device fails. • Optimized forwarding with virtual router redundancy protocol (VRRP). • Provides link-level resiliency. • Assures high availability. • Active-Active load sharing with VRRP.
VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
Layer-2 Traffic in VLT Domains In a VLT domain, the MAC address of any host connected to the VLT peers is synchronized between the VLT nodes. In the following example, VLAN 10 is spanned across three VLT domains. Figure 130. Layer-2 Traffic in VLT Domains If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2.
30 30 30 30 30 30 a0:00:a1:00:00:07 a0:00:a1:00:00:08 a0:00:a1:00:00:09 a0:00:a1:00:00:0a a0:00:a1:00:00:0b a0:00:a1:00:00:0c Dynamic Dynamic Dynamic Dynamic Dynamic Dynamic (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active Po 11 Active VLT-10-PEER-2#show vlt statistics mac VLT MAC Statistics -------------------L2 Info Pkts sent:0, L2 Mac-sync Pkts Sent:7 L2 Info Pkts Rcvd:0, L2 Mac-sync Pkts Rcvd:9 L2 Reg Request sent:0 L2 Reg Request rcvd:0 L2 Reg Response sent:0 L2
Figure 131. VLT on Core Switches The aggregation layer is mostly in the L2/L3 switching/routing layer. For better resiliency in the aggregation, Dell EMC Networking recommends running the internal gateway protocol (IGP) on the VLTi VLAN to synchronize the L3 routing table across the two nodes on a VLT system. Enhanced VLT Enhanced VLT (eVLT)) refers to the ability to connect two VLT domains.
Figure 132. Enhanced VLT Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • • • • • • • • • • • You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur. VLT port channel interfaces must be switch ports. If you include RSTP on the system, configure it before VLT.
• BMP uses untagged dynamic host configuration protocol (DHCP) packets to communicate with the DHCP server. • o disable this feature on VLT and port channels, use no lacp ungroup member-independent {vlt | port-channel} command under the configuration mode. • When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
– A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. – A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. – Each VLT domain has a unique MAC address that you create or VLT creates automatically. – ARP tables are synchronized between the VLT peer nodes.
– If the size of the MTU for VLTi members is less than 1496 bytes, MAC addresses may not synchronize between VLT peers. Dell EMC Networking does not recommend using an MTU size lower than the default of 1554 bytes for VLTi members. • VLT backup link – In the backup link between peer switches, heartbeat messages are exchanged between the two chassis for health checks. The default time interval between heartbeat messages over the backup link is 1 second. You can configure this interval.
• Software features supported on VLT physical ports – In a VLT domain, the following software features are supported on VLT physical ports: 802.1p, LLDP, flow control, IPv6 dynamic routing, port monitoring, DHCP snooping, and jumbo frames. • Software features not supported with VLT – In a VLT domain, the following software features are not supported on VLT ports: 802.1x, GVRP, and BFD.
RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
VLT IPv6 The following features have been enhanced to support IPv6: • VLT Sync — Entries learned on the VLT interface are synced on both VLT peers. • Non-VLT Sync — Entries learned on non-VLT interfaces are synced on both VLT peers. • Tunneling — Control information is associated with tunnel traffic so that the appropriate VLT peer can mirror the ingress port as the VLT interface rather than pointing to the VLT peer’s VLTi link.
Figure 133. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Figure 134. Packets without peer routing enabled If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing. Figure 135. Packets with peer routing enabled Benefits of Peer Routing • • Avoids sub-optimal routing • Reduces latency by avoiding another hop in the traffic path.
• You can reduce the number of VLTi port channel members based on your specific design. With peer routing, you need not configure VRRP for the participating VLANs. As both VLT nodes act as a gateway for its peer, irrespective of the gateway IP address, the traffic flows upstream without any latency. There is no limitation for the number of VLANS. VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer.
The advantages of syncing the multicast routes between VLT peers are: • VLT resiliency — After a VLT link or peer failure, if the traffic hashes to the VLT peer, the traffic continues to be routed using multicast until the PIM protocol detects the failure and adjusts the multicast distribution tree. • Optimal routing — The VLT peer that receives the incoming traffic can directly route traffic to all downstream routers connected on VLT ports.
NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 1 (primary) Dell_VLTpeer1(conf)#protocol spanning-tree rstp Dell_VLTpeer1(conf-rstp)#no disable Dell_VLTpeer1(conf-rstp)#bridge-priority 4096 Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 2 (secondary) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 8192 NOTE: When you remove the VLT configuration, RSTP is recommended as a backup solution to avoid
CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2 Remove any IP address from the interface if already present. INTERFACE PORT-CHANNEL mode no ip address 3 Add one or more port interfaces to the port channel.
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3 Configure the port channel to be used as the VLT interconnect between VLT peers in the domain. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 4 Enable peer routing. VLT DOMAIN CONFIGURATION mode peer-routing If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
4 Configure a VLT backup link using the IPv4 or IPv6 address of the VLT peer’s management interface. MANAGEMENT INTERFACE mode back-up destination {ip address ipv4-address/ mask | ipv6 address ipv6-address/ mask} 5 Repeat Steps 1 to 4 on the VLT peer switch. To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration.
Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 4 (Optional) When you create a VLT domain on a switch, Dell EMC Networking OS automatically assigns a unique unit ID (0 or 1) to each peer switch. VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} To explicitly configure the default values on each peer switch, use the unit-id command.
8 On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel. For an example of how to verify the port-channel configuration, refer to VLT Sample Configuration. To configure the VLAN where a VLT peer forwards received packets over the VLTi from an adjacent VLT peer that is down, use the peerdown-vlan parameter. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi.
VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 5 Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. VLT DOMAIN CONFIGURATION mode back-up destination ip-address [interval seconds] You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
12 Add links to the eVLT port. Configure a range of interfaces to bulk configure. CONFIGURATION mode interface range {port-channel id} 13 Enable LACP on the LAN port. INTERFACE mode port-channel-protocol lacp 14 Configure the LACP port channel mode. INTERFACE mode port-channel number mode [active] 15 Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16 Enable peer routing.
7 Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 1. EXEC mode or EXEC Privilege mode show interfaces interface 8 Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9 Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit.
Dell-2# show interfaces managementethernet 1/1 Internet address is 10.11.206.43/16 Dell-4#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.43 Dell-4# Dell-4#show running-config interface managementethernet 1/1 ip address 10.11.206.58/16 no shutdown Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit.
! interface Port-channel 100 no ip address switchport no shutdown s60-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L2 Status up Uptime 03:33:48 Ports Gi 1/8 (Up) Gi 1/30 (Up) Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Sample PVST+ Configuration The following examples show the PVST+ configuration that you must perform on each peer switch to prevent forwarding loops.
Figure 136. Peer Routing Configuration Example Dell-1 Switch Configuration In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge. DellEMC#1#show run | find protocol protocol spanning-tree pvst no disable vlan 1,20,800,900 bridge-priority 0 The following output shows the existing VLANs.
The following is the configuration in interfaces: DellEMC#1#sh run int ma0/0 interface ManagementEthernet 0/0 description Used_for_VLT_Keepalive ip address 10.10.10.1/24 no shutdown (The management interfaces are part of a default VRF and are isolated from the switch’s data plane.) In Dell-1, te 0/0 and te 0/1 are used for VLTi.
Port channel 2 connects the access switch A1. DellEMC#1#sh run int po2 interface Port-channel 2 description port-channel_to_access_switch_A1 no ip address portmode hybrid switchport vlt-peer-lag port-channel 2 no shutdown Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized. DellEMC#1#sh run int vlan 20 interface Vlan 20 description OSPF PEERING VLAN ip address 192.168.20.
----------------Destination: Peer HeartBeat status: Destination VRF: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.10.10.2 Up default 1 3 34998 4 5 Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
Verify if peer routing has populated the CAM table with the correct information using the show cam mac command.
no ip address no shutdown The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that configuration on the VLTi links does not contain the switchport command. Dell-2#sh run int po10 interface Port-channel 10 description VLTi Port-Channel no ip address channel-member TenGigabitEthernet 0/0-1 no shutdown Te 0/4 connects to the access switch A1.
tagged Port-channel 2 no shutdown The following output shows Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 as the VLTi link. The peer-routing command enables peer routing between VLT peers in VLT domain 1. The IP address configured with the backupdestination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 as the secondary VLT peer.
network 192.168.8.0/24 area 0 network 192.168.9.0/24 area 0 network 172.16.1.0/24 area 0 network 192.168.20.0/29 area 0 passive-interface default no passive-interface vlan 20 While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output displays that Dell-1 forms neighborship with Dell-2 and R1.
! interface Loopback4 ip address 4.4.4.2 255.255.255.0 R1#show run int port-channel 1 interface Port-channel1 switchport ip address 192.168.20.3 255.255.255.248 R1#show run | find router router ospf 1 router-id 172.15.1.1 passive-interface default no passive-interface Port-channel1 network 2.2.2.0 0.0.0.255 area 0 network 3.3.3.0 0.0.0.255 area 0 network 4.4.4.0 0.0.0.255 area 0 (The above subnets correspond to loopback interfaces lo2, lo3 and lo4.
This default route is configured for testing purposes, as described in the next section. The access switch (A1) is used to generate ICMP test PINGs to a loopback interface on CR1. This default route points to DellEMC#2’s VLAN 800 SVI interface. It’s in place to ensure that routed test traffic has DellEMC#2’s MAC address as the destination address in the Ethernet frame’s header When A1 sends a packet to R1, the VLT peers act as the default gateway for each other.
Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer1(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 1. Domain_1_Peer1(conf)#interface range gigabitethernet 1/16 - 1/17 Domain_1_Peer1(conf-if-range-gi-1/16-17)# port-channel-protocol LACP Domain_1_Peer1(conf-if-range-gi-1/16-17)# port-channel 100 mode active Domain_1_Peer1(conf-if-range-gi-1/16-17)# no shutdown Next, configure the VLT domain and VLTi on Peer 2.
Domain_1_Peer4#no shutdown Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.12 Domain_2_Peer4(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer4(conf-vlt-domain)# peer-routing Domain_2_Peer4(conf-vlt-domain)# unit-id 1 Configure eVLT on Peer 4.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches. • Display information on backup link operation. EXEC mode • show vlt backup-link Display general status information about VLT domains currently configured on the switch.
HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 3 34998 1026 1025 Dell_VLTpeer2# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.20 Up 1 3 34998 1030 1014 The following example shows the show vlt brief command.
VLT Role ---------VLT Role: System MAC address: System Role Priority: Local System MAC address: Local System Role Priority: Secondary 00:01:e8:8a:df:bc 32768 00:01:e8:8a:df:e6 32768 The following example shows the show running-config vlt command. Dell_VLTpeer1# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.18 Dell_VLTpeer2# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.
Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e88a.dff8 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e88a.dff8 We are the root Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------- -------- ---- ------- -------- - ------- ------------Po 1 128.2 128 200000 DIS 0 0 0001.e88a.dff8 128.2 Po 3 128.4 128 200000 DIS 0 0 0001.e88a.dff8 128.4 Po 4 128.
NUM Status Description Q Ports 10 Active U Po110(Te 1/51) T Po100(Te 1/49,50) Configuring Virtual Link Trunking (VLT Peer 2) Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi). Dell_VLTpeer2(conf)#vlt domain 999 Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23 Dell_VLTpeer2(conf-vlt-domain)#exit Configure the backup link.
Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information. NOTE: For information on VLT Failure mode timing and its impact, contact your Dell EMC Networking representative. Table 117. Troubleshooting VLT Description Behavior at Peer Up Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description Behavior at Peer Up Behavior During Run Time Action to Take information, refer to the Release Notes for this release. VLT LAG ID is not configured on one VLT peer A syslog error message is generated. The peer with the VLT configured remains active. A syslog error message is generated. The peer with the VLT configured remains active. Verify the VLT LAG ID is configured correctly on both VLT peers. VLT LAG ID mismatch The VLT port channel is brought down.
Keep the following points in mind when you configure VLT nodes in a PVLAN: • Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode. • You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both the peers. If you configure a VLT LAG as a trunk port, you can associate that LAG to be a member of a normal VLAN or a PVLAN.
PVLAN Operations When One VLT Peer is Down When a VLT port moves to the Admin or Operationally Down state on only one of the VLT nodes, the VLT Lag is still considered to be up. All the PVLAN MAC entries that correspond to the operationally down VLT LAG are maintained as synchronized entries in the device. These MAC entries are removed when the peer VLT LAG also becomes inactive or a change in PVLAN configuration occurs.
Table 118.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 ICL VLAN Membership Mac Synchronization Peer1 Peer2 - Primary VLAN Y - Primary VLAN X No No Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN).
7 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 8 (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
• Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for the other router in a VLT domain. The local host forwards the traffic to the proxy ARP-enabled device, which in turn transmits the packets to the destination. By default, proxy ARP is enabled.
When a VLT node detects peer up, it does not perform proxy ARP for the peer IP addresses. IP address synchronization occurs again between the VLT peers. Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peerroutingcommand in VLT DOMAIN node, a notification is sent to the VLT peer to disable the proxy ARP.
INTERFACE PORT-CHANNEL mode vlan-stack {access | trunk} 2 Configure VLAN as VLAN-stack compatible on both the peers. INTERFACE VLAN mode vlan-stack compatible 3 Add the VLT LAG as a member to the VLAN-stack on both the peers. INTERFACE VLAN mode member port-channel port—channel ID 4 Verify the VLAN-stack configurations.
DellEMC#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shutdown DellEMC# Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN DellEMC(conf)#interface vlan 50 DellEMC(conf-if-vl-50)#vlan-stack compatible DellEMC(conf-if-vl-50-stack)#member port-channel 10 DellEMC(conf-if-vl-50-stack)#member port-channel 20 DellEMC#show running-config interface vlan 50 ! interface Vlan 50 vlan-sta
DellEMC(conf-if-po-10)#no shutdown DellEMC#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown DellEMC# DellEMC(conf)#interface port-channel 20 DellEMC(conf-if-po-20)#switchport DellEMC(conf-if-po-20)#vlt-peer-lag port-channel 20 DellEMC(conf-if-po-20)#vlan-stack trunk DellEMC(conf-if-po-20)#no shutdown DellEMC#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switc
Configure BFD in VLT Domain Dell EMC Networking OS supports Bidirectional Forwarding Detection (BFD) to detect communication failures on an interface that is a part of a VLT link aggregation group (LAG). In VLT domain, BFD provides high availability path when there are communication failures in any one of the VLT LAG links. The VLT nodes and top of rack (ToR) use the VLT LAG links to carry the BFD packets.
4 Configure a VLAN. TOR(conf)#interface vlan 100 TOR(conf-if-vl-100)#ip address 100.1.1.3/24 TOR(conf-if-vl-100)#tagged port-channel 10 TOR(conf-if-vl-100)#arp timeout 1 TOR(conf-if-vl-100)#no shutdown TOR(conf-if-vl-100)#exit 5 Enable BFD over OSPF. TOR(conf)# router ospf 1 TOR(conf-router_ospf)# network 100.1.1.0/24 area 0 TOR(conf-router_ospf)# bfd all-neighbors VLT Primary 1 Enable BFD globally. VLT_Primary(conf)# bfd enable 2 Configure port channel which is used as VLTi link.
VLT_Secondary(conf-if-po-100)# channel-member gigabitethernet 1/1, 1/2 VLT_Secondary(conf-if-po-100)# no shutdown 3 4 Enable VLT and configure a VLT domain. VLT_Secondary(conf)# vlt domain VLT_Secondary(conf-vlt-domain)# VLT_Secondary(conf-vlt-domain)# VLT_Secondary(conf-vlt-domain)# 100 peer-link port-channel 100 back-up destination 10.16.206.80 peer-routing Configure a VLT peer LAG.
ICL Link Status: HeartBeat Status: VLT Peer Status: Version: Local System MAC address: Remote System MAC address: Remote system version: Delay-Restore timer: Delay-Restore Abort Threshold: Peer-Routing : Peer-Routing-Timeout timer: Multicast peer-routing timeout: Up Up Up 6(9) 00:e6:e2:f5:5c:15 f4:8e:38:6a:97:3f 6(9) 90 seconds 60 seconds Enabled 0 seconds 150 seconds IPv6 Peer Routing in VLT Domains Overview VLT enables the physical links between two devices that are called VLT nodes or peers, and within
ND entries synchronization scenarios: • When you enable and configure VLT on both VLT node1 and node2, any dynamically learned ND entry in VLT node1 be synchronizes instantaneously to VLT node2 and vice-versa. The link-local address also synchronizes if learned on the VLT VLAN interface. • During failure cases, when a VLT node goes down and comes back up all the ND entries learned via VLT interface must synchronize to the peer VLT node.
Figure 138. Sample Configuration of IPv6 Peer Routing in a VLT Domain Sample Configuration of IPv6 Peer Routing in a VLT Domain Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Figure 139. Sample Configuration of IPv6 Peer Routing in a VLT Domain Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
Non-VLT host to Non-VLT host traffic flow When VLT node receives traffic from non-VLT host intended to the non-VLT host, it does neighbor entry lookup and routes traffic over ICL interface. If traffic reaches wrong VLT peer, it routes the traffic over ICL. Router Solicitation When VLT node receives router Solicitation on VLT interface/non-VLT interface it consumes the packets and will send RA back on the received interface. VLT node will drop the RS message if it is received over ICL interface.
59 VLT Proxy Gateway The virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 140. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the VLT LAG to a legacy LAG when it is part of proxy-gateway. • You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell EMC Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links. • The virtual router redundancy (VRRP) protocol and IPv6 routing is not supported. • Private VLANs (PVLANs) are not supported.
• You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces. • The interface is typically a VLT port-channel that connects to a remote VLT domain. • The new proxy gateway TLV is carried on the physical links under the port channel only. • You must have at least one link connection to each unit of the VLT domain. Following are the prerequisites for Proxy Gateway LLDP configuration: • You must globally enable LLDP.
LLDP VLT Proxy Gateway in a Square VLT Topology Figure 141. Sample Configuration for a VLT Proxy Gateway • The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing.
• Any L3 packet, when it gets an L3 hit and is routed, it has a time to live (TTL) decrement as expected. • You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 142. VLT Proxy Gateway Sample Topology VLT Domain Configuration Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using a VLT LAG P0 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section. Dell-1 VLT Configuration vlt domain 120 peer-link port-channel 120 back-up destination 10.1.1.
switchport no spanning-tree vlt-peer-lag port-channel 50 no shutdown Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used. VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2. interface Vlan 100 description OSPF Peering VLAN to Dell-2 ip address 10.10.100.1/30 ip ospf network point-to-point no shutdown VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
The following output shows that Dell-1 forms OSPF neighborship with Dell-2. Dell-2#sh ip ospf nei Neighbor ID Pri State Dead Time Address Interface Area 4.4.4.4 1 FULL/ - 00:00:33 10.10.100.1 Vl 100 0 Dell-3 VLT Configuration vlt domain 110 peer-link port-channel 110 back-up destination 10.1.1.
The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3. Dell-3#sh ip ospf nei ! Neighbor ID Pri State Dead Time Address Interface Area 4.4.4.4 1 FULL/ - 00:00:33 10.10.101.1 Vl 101 0 1.1.1.1 1 FULL/ - 00:00:34 10.10.102.2 Vl 102 0 Dell-4 VLT Configuration vlt domain 110 peer-link port-channel 110 back-up destination 10.1.1.
60 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 143. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
If the next-hop IP in a static route VRF statement is VRRP IP of another VRF, this static route does not get installed on the VRRP master. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the nondefault VRF. Table 119.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF OSPFv3 Yes Yes IS-IS Yes Yes BGP Yes Yes ACL Yes No Multicast No No NDP Yes Yes RAD Yes Yes DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
show ip vrf [vrf-name] Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. See the Open Shortest Path First (OSPFv2) chapter for complete OSPF configuration information. Assign an OSPF process to a VRF instance . Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Task Command Syntax Command Mode 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0 Virtual MAC address: 00:00:5e:00:01:0a Virtual IP address: 10.1.1.100 Authentication: (none) Configuring Management VRF You can assign a management interface to a management VRF. NOTE: The loopback interface cannot be added into the management VRF. 1 Create a management VRF.
Configuring a Static Route • Configure a static route that points to a management interface. CONFIGURATION management route ip-address mask managementethernet ormanagement route ipv6-address prefixlength managementethernet You can also have the management route to point to a front-end port in case of the management VRF. For example: management route 2::/64 gigabitethernet 1/1 . • Configure a static entry in the IPv6 neighbor discovery.
Figure 145. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface GigabitEthernet 3/1 no ip address switchport no shutdown ! interface GigabitEthernet 1/1 ip vrf forwarding blue ip address 10.0.0.1/24 no shutdown ! interface GigabitEthernet 1/2 ip vrf forwarding orange ip address 20.0.0.
ip vrf forwarding green ip address 30.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.1/24 tagged GigabitEthernet 3/1 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged GigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.1/24 tagged GigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.1 network 1.0.0.0/24 area 0 network 10.0.0.
ip address 2.0.0.2/24 tagged GigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.2/24 tagged GigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.2 network 11.0.0.0/24 area 0 network 1.0.0.0/24 area 0 passive-interface GigabitEthernet 2/1 ! router ospf 2 vrf orange router-id 2.0.0.2 network 21.0.0.0/24 area 0 network 2.0.0.0/24 area 0 passive-interface GigabitEthernet 2/2 ! ip route vrf green30.0.0.0/24 3.0.0.
DellEMC#show ip route vrf orange Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set C C O Destination ----------2.0.0.0/24 20.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway ----------------C 1.0.0.0/24 Direct, Vl 128 O 10.0.0.0/24 via 1.0.0.1, Vl 128 C 11.0.0.
The following example illustrates how route leaking between two VRFs can be performed: interface GigabitEthernet 1/9 ip vrf forwarding VRF1 ip address 120.0.0.1/24 interface GigabitEthernet 1/10 ip vrf forwarding VRF2 ip address 140.0.0.1/24 ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2 ip route vrf VRF2 40.0.0.0/16 120.0.0.
ip vrf vrf-shared interface interface-type slot/port ip vrf forwarding vrf-shared ip address ip—address mask A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF. 2 Configure the export target in the source VRF:. ip route-export 1:1 3 Configure VRF-red. ip vrf vrf-red interface-type slot/port ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
The show run output for the above configuration is as follows: ip vrf ip ip ! ip vrf ip ip ! ip vrf ! ip vrf ip ip ip VRF-Red route-export route-import 2:2 1:1 VRF-Blue route-export route-import 3:3 1:1 VRF-Green VRF-shared route-export route-import route-import 1:1 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) DellEMC# show ip route vrf VRF-Red O 11.1.1.1/32 via 111.1.1.1 110/0 C 111.1.1.
DellEMC# show ip route vrf VRF-Shared O 11.1.1.1/32 via VRF-Red:111.1.1.1 110/0 C 111.1.1.0/24 Direct, VRF-Red:Gi 1/11 0/0 O 22.2.2.2/32 via VRF-Blue:122.2.2.2 110/0 C 122.2.2.0/24 Direct, VRF-Blue:Gi 1/22 0/0 O 44.4.4.4/32 via 144.4.4.4 110/0 00:00:11 C 144.4.4.
interface-type slot/port ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF. 2 Define a route-map export_ospfbgp_protocol. DellEMC(config)route-map export_ospfbgp_protocol permit 10 3 Define the matching criteria for the exported routes.
The show VRF commands displays the following output: DellEMC# show ip route vrf VRF-Blue C 122.2.2.0/24 Direct, Gi 1/22 0/0 O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11 O 44.4.4.4/32 22:39:61 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red Important Points to Remember • Only Active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active. In this scenario, the OSPF route takes precedence over BGP.
61 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 146. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. NOTE: In a VLT environment, VRRP configuration acts as active-active and if route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node. Table 121.
The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group. INTERFACE mode no vrrp-group vrid Examples of Configuring and Verifying VRRP The following examples how to configure VRRP. DellEMC(conf)#interface gigabitethernet 1/1 DellEMC(conf-if-gi-1/1)#vrrp-group 111 DellEMC(conf-if-gi-1/1-vrid-111)# The following examples how to verify the VRRP configuration.
Example: Migrating an IPv4 VRRP Group from VRRPv2 to VRRPv3 NOTE: Carefully following this procedure, otherwise you might introduce dual master switches issues. To migrate an IPv4 VRRP Group from VRRPv2 to VRRPv3: 1 Set the backup switches to VRRP version to both. Dell_backup_switch1(conf-if-gi-1/1-vrid-100)#version both Dell_backup_switch2(conf-if-gi-1/2-vrid-100)#version both 2 Set the master switch to VRRP protocol version 3.
Examples of the Configuring and Verifying a Virtual IP Address The following example shows how to configure a virtual IP address. DellEMC(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1 DellEMC(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2 DellEMC(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.3 The following example shows how to verify a virtual IP address configuration. NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
• Configure the priority for the VRRP group. INTERFACE -VRID mode priority priority The range is from 1 to 255. The default is 100. Examples of the priority Command DellEMC(conf-if-gi-1/2)#vrrp-group 111 DellEMC(conf-if-gi-1/2-vrid-111)#priority 125 To verify the VRRP group priority, use the show vrrp command. Dellshow vrrp -----------------GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 VRF: 0 default State: Master, Priority: 255, Master: 10.10.10.
Examples of the authentication-type Command The bold section shows the encryption type (encrypted) and the password. DellEMC(conf-if-gi-1/1-vrid-111)#authentication-type ? DellEMC(conf-if-gi-1/1-vrid-111)#authentication-type simple 7 force10 The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.
Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
Track an Interface or Object You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
• (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface. EXEC mode or EXEC Privilege mode show running-config interface interface Examples of Configuring and Viewing the track Command The following example shows how to configure tracking using the track command. DellEMC(conf-if-gi-1/1)#vrrp-group 111 DellEMC(conf-if-gi-1/1-vrid-111)#track gigabitethernet 1/2 The following example shows how to verify tracking using the show conf command.
The following example shows verifying the VRRP configuration on an interface. DellEMC#show running-config interface gigabitethernet 1/8 interface GigabitEthernet 1/8 no ip address ipv6 address 2007::30/64 vrrp-ipv6-group 1 track 2 priority-cost 20 track 3 priority-cost 30 virtual-address 2007::1 virtual-address fe80::1 no shutdown Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface gigabitethernet 2/31 R2(conf-if-gi-2/31)#ip address 10.1.1.1/24 R2(conf-if-gi-2/31)#vrrp-group 99 R2(conf-if-gi-2/31-vrid-99)#priority 200 R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-gi-2/31-vrid-99)#no shut R2(conf-if-gi-2/31)#show conf ! interface GigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
Figure 148. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-gi-1/1-vrid-10)#virtual-address fe80::10 R2(conf-if-gi-1/1-vrid-10)#virtual-address 1::10 R2(conf-if-gi-1/1-vrid-10)#no shutdown R2(conf-if-gi-1/1)#show config interface GigabitEthernet 1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-gi-1/1)#end R2#show vrrp -----------------GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface GigabitEthernet 1/1 S1(conf-if-gi-1/1)#ip vrf forwarding VRF-1 S1(conf-if-gi-1/1)#ip address 10.10.1.5/24 S1(conf-if-gi-1/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177. S1(conf-if-gi-1/1-vrid-101)#priority 100 S1(conf-if-gi-1/1-vrid-101)#virtual-address 10.10.1.2 S1(conf-if-gi-1/1)#no shutdown ! S1(conf)#interface GigabitEthernet 1/2 S1(conf-if-gi-1/2)#ip vrf forwarding VRF-2 S1(conf-if-gi-1/2)#ip address 10.10.1.
! S2(conf)#interface GigabitEthernet 1/3 S2(conf-if-gi-1/3)#ip vrf forwarding VRF-3 S2(conf-if-gi-1/3)#ip address 20.1.1.6/24 S2(conf-if-gi-1/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S2(conf-if-gi-1/3-vrid-105)#priority 100 S2(conf-if-gi-1/3-vrid-105)#virtual-address 20.1.1.
DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) DellEMC#show vrrp vrf vrf2 port-channel 1 -----------------Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
S2(conf-if-vl-300)#no shutdown DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) Vlan 400, IPv4 VRID: 10, Version: 2, Net: 20.1.1.
Figure 150. VRRP for IPv6 Topology NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 DellEMC#show vrrp gigabitethernet 2/8 GigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed VRF: 0 default State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80:
Proxy Gateway with VRRP VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between date centers and when VMs are migrated between the two DCs. Starting from Dell EMC Networking OS 9.14.0.0, VRRP provides a much simpler method to solve the traffic trombone problem. This is achieved by configuring same VRRP group IDs to the extended L3 VLANs and VRRP stays active-active across all four VLT nodes even though they are in two different VLT domains.
• The core routers C1 and D1 in local VLT Domain along with C2 and D2 in the remote VLT Domain are part of a Layer 3 cloud. • The core routers C1, D1, C2, D2 are in a VRRP group with the same vrrp-group ID. When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway. The following examples show sample configurations of the core routers.
back-up destination 10.16.140.5 system-mac mac-address 00:00:aa:00:00:00 unit-id 1 peer-routing interface port-channel 128 channel member ten 1/1/1 channel member ten 1/1/2 no shutdown int ten 1/5/1 port-channel-protocol lacp port-channel 10 mode active no shut int ten 1/4/1 port-channel-protocol lacp port-channel 20 mode active no shut interface port-channel 10 vlt-peer-lag po 10 switchport no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.
no shut int ten 1/4/1 port-channel-protocol lacp port-channel 20 mode active no shut interface port-channel 10 vlt-peer-lag po 10 switchport no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.3/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
no shutdown int vlan 100 ip address 100.1.1.4/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
62 Debugging and Diagnostics This chapter describes debugging and diagnostics for the device. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
EXEC Privilege mode show system brief 3 Start diagnostics on the unit. diag stack-unit stack-unit-number When the tests are complete, the system displays the following message and automatically reboots the unit. DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt Diags completed...
Hardware Watchdog Timer The hardware watchdog command automatically reboots an Dell EMC Networking OS switch/router with a single RPM that is unresponsive. This is a last resort mechanism intended to prevent a manual power cycle. Using the Show Hardware Commands The show hardware command tree consists of commands used with the system. These commands display information from a hardware sub-component and from hardware-based feature tables.
EXEC Privilege mode • show hardware stack-unit {1–6} stack-port {portnumber} View the counters in the field processors of the stack unit. EXEC Privilege mode • show hardware stack-unit {1–6} unit {0-1} counters View the details of the FP Devices and Hi gig ports on the stack-unit. EXEC Privilege mode • show hardware stack-unit {1–6} unit {0-1} details Execute a specified bShell command from the CLI without going into the bShell.
QSFP QSFP QSFP QSFP QSFP 52 52 52 52 52 BR max BR min Vendor SN Datecode CheckCodeExt = = = = = 0 0 QC050955 120205 0x2b QSFP 52 Diagnostic Information =================================== QSFP 52 Rx Power measurement type =================================== QSFP 52 Temp High Alarm threshold QSFP 52 Voltage High Alarm threshold QSFP 52 Bias High Alarm threshold QSFP 52 RX Power High Alarm threshold QSFP 52 Temp Low Alarm threshold QSFP 52 Voltage Low Alarm threshold QSFP 52 Bias Low Alarm threshold QSFP
---------------------------------------------------------------Minor Off Minor Major Off Major Shutdown Unit3 55 60 75 80 85 Troubleshoot an Over-temperature Condition To troubleshoot an over-temperature condition, use the following information. 1 Use the show environment commands to monitor the temperature levels. 2 Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly.
OID String OID Name Description NOTE: These OIDs only generate if you enable the enable opticinfo-update-interval is enabled command. Hardware MIB Buffer Statistics .1.3.6.1.4.1.6027.3.27.1.4 dellNetFpPacketBufferTable View the modular packet buffers details per stack unit and the mode of allocation. .1.3.6.1.4.1.6027.3.27.1.5 dellNetFpStatsPerPortTable View the forwarding plane statistics containing the packet buffer usage per port per stack unit. .1.3.6.1.4.1.6027.3.27.1.
Example of the show hardware stack-unit Command to View Drop Counters Statistics Example of show hardware drops interface interface DellEMC#show hardware drops interface gigabitethernet 2/1 Drops in Interface Gi 2/1: --- Ingress Drops --Ingress Drops IBP CBP Full Drops PortSTPnotFwd Drops IPv4 L3 Discards Policy Discards Packets dropped by FP (L2+L3) Drops Port bitmap zero Drops Rx VLAN Drops --- Ingress MAC counters--Ingress FCSDrops Ingress MTUExceeds --- MMU Drops --Ingress MMU Drops HOL DROPS(TOTAL) HOL
Egress Drops 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 0 10 0 11 0 12 0 13 0 14 0 15 0 16 0 17 0 18 0 19 0 20 0 21 0 22 0 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0 31 0 32 0 33 0 34 0 1102 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 8 0 0 0 9 0 0 0 10 0 0 0 11 0 0 0 12 0 0 0 13 0 0 0 14 0 0 0 15 0 0 0 16 0 0 0 17 2144854 0 124904297 18 0 0 0 19 0 0 0 20 0 0 0 21 0 0 0 22 0 0 0 23 0 0 0 24 0 0 0 25 0 0 0 2
35 0 51 0 0 0 52 0 0 0 61 0 0 0 62 0 0 0 63 0 0 0 64 0 0 0 65 0 0 0 66 0 0 0 67 0 0 0 68 0 0 0 69 0 0 0 70 0 0 0 71 0 0 0 72 0 0 0 53 0 0 0 57 4659499 0 0 0 0 0 0 0 50 0 0 0 0 0 0 0 49 0 0 0 0 0 0 0 48 0 0 0 0 0 0 0 47 0 0 0 0 0 0 0 46 0 0 0 0 0 0 0 45 0 0 0 0 0 0 0 44 0 0 0 0 0 0 0 43 0 0 0 0 0 0 0 42 0 0 0 0 0 0 0 41 0 0 0 0 0 0 0 40 0 0 0 0 0 0 0 3
Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs. The command output in the following example has been augmented, providing detailed RX/ TX packet statistics on a per-queue basis.
1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Frame Counter 2048 to 4095 Byte Frame Counter 4096 to 9216 Byte Frame Counter Good Packet Counter Packet/frame Counter Unicast Packet Cou
RX - VLAN Tag Frame Counter RX - Double VLAN Tag Frame Counter RX - RUNT Frame Counter RX - Fragment Counter RX - VLAN Tagged Packets RX - Ingress Dropped Packet RX - MTU Check Error Frame Counter RX - PFC Frame Priority 0 RX - PFC Frame Priority 1 RX - PFC Frame Priority 2 RX - PFC Frame Priority 3 RX - PFC Frame Priority 4 RX - PFC Frame Priority 5 RX - PFC Frame Priority 6 RX - PFC Frame Priority 7 RX - Debug Counter 0 RX - Debug Counter 1 RX - Debug Counter 2
Example of a Mini Core Text File VALID MAGIC -----------------PANIC STRING ----------------panic string is : ---------------STACK TRACE START--------------0035d60c : 00274f8c : 0024e2b0 : 0024dee8 : 0024d9c4 : 002522b0 : 0026a8d0 : 0026a00c : ----------------STACK TRACE END-----------------------------------FREE MEMORY--------------uvmexp.
63 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 12,000 bytes RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 124.
R F C # Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 24 Definition of 7.7.1 74 the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 PPP over 15 SONET/SDH 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 A Two Rate 9 Three Color 8 Marker 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.
General IPv4 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv4 protocols. Table 125. General IPv4 Protocols RF C# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 791 Internet Protocol 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 826 An Ethernet Address Resolution 7.6.1 Protocol 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
General IPv6 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv6 protocols. Table 126. General IPv6 Protocols RFC # Full Name S-Series 1886 DNS Extensions to support IP 7.8.1 version 6 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 1981 Path MTU Discovery for IP (Part version 6 ial) 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Border Gateway Protocol (BGP) The following table lists the Dell EMC Networking OS support per platform for BGP protocols. Table 127. Border Gateway Protocol (BGP) RFC# Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1997 BGP ComAmtturnibituitees 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2439 BGP Route Flap Damping 7.8.
Open Shortest Path First (OSPF) The following table lists the Dell EMC Networking OS support per platform for OSPF protocol. Table 128. Open Shortest Path First (OSPF) RFC # Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1587 The OSPF Not-SoStubby Area (NSSA) Option 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2154 OSPF with Digital Signatures 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2370 The OSPF Opaque LSA Option 7.6.1 9.8(0.
RFC# Full Name S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 3784 Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5120 MT-ISIS: Multi Topology (MT) 9.8(0.0P2) Routing in Intermediate System to Intermediate Systems (ISISs) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5306 Restart Signaling for IS-IS 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Multicast The following table lists the Dell EMC Networking OS support per platform for Multicast protocol. Table 131. Multicast RFC# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1112 Host Extensions for IP Multicasting 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2236 Internet Group Management Protocol, Version 2 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 3376 Internet Group Management Protocol, Version 3 7.8.1 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) dot1dTpLearnedEntryDiscards object] 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management Information Base 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 1901 Introduction to Community-based SNMPv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.1 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Internet-standard Network Management Framework 2578 Structure of Management Information Version 2 (SMIv2) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2579 Textual Conventions for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2580 Conformance Statements for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Network Management Protocol (SNMP) 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3434 Remote Monitoring MIB 7.6.1 Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3580 IEEE 802.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.2(0.0) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) isisISAdjIPAddrTable isisISAdjProtSuppTable draftietfnetmod interfac escfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. IEEE 802.1A B Management Information Base 7.7.1 module for LLDP configuration, statistics, local system data and remote systems data components. 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 E-Series Enterprise 10Chassis MIB CHASS IS-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 File Copy MIB (supporting 7.7.1 10SNMP SET operation) COPYCONFI G-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON FORCE Force10 Textual Convention 10-TCMIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 Trap Alarm MIB 10TRAPALARM -MIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) ONENT -MIB MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.
64 X.509v3 supports X.509v3 standards. Topics: • Introduction to X.509v3 certificates • X.509v3 support in • Information about installing CA certificates • Information about Creating Certificate Signing Requests (CSR) • Information about installing trusted certificates • Transport layer security (TLS) • Online Certificate Status Protocol (OSCP) • Verifying certificates • Event logging Introduction to X.509v3 certificates X.
1 An entity or organization that wants a digital certificate requests one through a CSR. 2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN). 3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check to see if the other’s certificate is revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is included in the presented certificate, the Intermediate CA inserts the info upon signing it, or it may be statically configured on the host. Information about installing CA certificates Dell EMC Networking OS enables you to download and install X.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields. Information about installing trusted certificates Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog.
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. However, the maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable with a default of 1 hour.
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http:// [1100::203]:6514. Configuring OCSP behavior You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step: In CONFIGURATION mode, enter the following command: crypto x509 ocsp {[nonce] [sign-request]} Both the none and sign-request parameters are optional.
Verifying Server certificates Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates. NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application.
