Dell Configuration Guide for the S3048–ON System 9.9(0.0) September 2015 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 About this Guide
This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. S3048–ON stacking is supported with Dell Networking OS version 9.7(0.1) and beyond. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals
The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CLI modes (remaining entries of the mode list): uBoot, ROUTER OSPFV3, ROUTER RIP, SPANNING TREE, TRACE-LIST, VLT DOMAIN, VRRP, UPLINK STATE GROUP
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.
Table 1.
Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Entering and Editing Commands
Notes for entering commands.
• The CLI is not case-sensitive.
• You can enter partial CLI keywords.
  ○ Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands.
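The unique-prefix rule above, written out as an added example (not Dell code): KEYWORDS is a constructed subset of command keywords, and the rule that a fully typed keyword is accepted even when it prefixes a longer one (ip versus ipv6) is this example's assumption; the page only states the unique-prefix rule.

```python
"""Unique-prefix keyword resolution as the guide describes it for the CLI."""
from typing import List, Sequence

# Constructed sample of command keywords, including the "cl" pair the guide
# uses to explain ambiguity. Not a complete Dell command set (assumption).
KEYWORDS: List[str] = [
    "class-map", "clock", "configure", "copy", "show", "shutdown", "ip", "ipv6",
]


class AmbiguousKeyword(ValueError):
    """The typed prefix matches more than one keyword."""


class UnknownKeyword(KeyError):
    """The typed prefix matches no keyword."""


def candidates(typed: str, keywords: Sequence[str] = KEYWORDS) -> List[str]:
    """Every keyword the prefix could mean (what TAB or ? would offer)."""
    t = typed.lower()
    return sorted(k for k in keywords if k.lower().startswith(t))


def expand_keyword(typed: str, keywords: Sequence[str] = KEYWORDS) -> str:
    """Return the single keyword that `typed` abbreviates.

    Matching is case-insensitive because the CLI is not case-sensitive.
    A complete keyword wins outright (assumption, see lead-in); otherwise
    the prefix must identify exactly one keyword, as with clo -> clock.
    """
    t = typed.lower()
    if not t:
        raise UnknownKeyword("empty keyword")
    for k in keywords:
        if k.lower() == t:
            return k
    matches = candidates(t, keywords)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownKeyword(typed)
    raise AmbiguousKeyword(f"{typed!r} is ambiguous: {', '.join(matches)}")


def expand_command(line: str, keywords: Sequence[str] = KEYWORDS) -> str:
    """Expand the leading keyword of a command line; arguments stay as typed."""
    parts = line.split()
    if not parts:
        return line
    return " ".join([expand_keyword(parts[0], keywords), *parts[1:]])


if __name__ == "__main__":
    for typed in ("clo", "cl", "CLAS", "ip"):
        try:
            print(f"{typed:5} -> {expand_keyword(typed)}")
        except AmbiguousKeyword as exc:
            print(f"{typed:5} -> {exc}")
```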
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering, and it IS case sensitive unless you use the ignore-case suboption. Starting with Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive.
The display command displays additional configuration information. The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only. The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and the system then loads the Dell Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the S4810 console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
Executing Local CLI Scripts Using an SSH Connection
You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname
or
cat < CLIscript.file > | ssh admin@hostname
The script is run and the actions contained in the script are performed. Following are the points to remember when you are trying to establish an SSH session to the device to run commands or script files:
• There is an upper limit of 10 concurrent sessions in SSH.
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1. Enter INTERFACE mode for the Management port.
   CONFIGURATION mode
   interface ManagementEthernet slot/port
2. Assign an IP address to the interface.
   INTERFACE mode
   ip address ip-address/mask
   • ip-address: an address in dotted-decimal format (A.B.C.D).
   • mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
To configure an enable password, use the following command.
• Create a password to access EXEC Privilege mode.
  CONFIGURATION mode
  enable [password | secret] [level level] [encryption-type] password
  ○ level: the privilege level; 15 by default, and not required.
  ○ encryption-type: specifies how you are inputting the password; 0 by default, and not required.
    ▪ 0 is for inputting the password in clear text.
    ▪ 7 is for inputting a password that is already encrypted using a DES hash.
Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands. This feature allows an NFS mounted device to be recognized as a file system.
Example of Copying to NFS Mount
Dell#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://ashu/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://ashu/capture.txt.pcap nfsmount:///ashutosh/snoop.pcap
!
24 bytes successfully copied
Dell#
Dell#copy tftp://10.16.127.
• View the running-configuration.
  EXEC Privilege mode
  show running-config
• View the startup-configuration.
  EXEC Privilege mode
  show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Table 6. Standard and Compressed Configurations
Compressed format (interface headers only; the column contents did not survive extraction): int vlan 2, int vlan 3, int vlan 4, int vlan 5, int vlan 100, int vlan 1000, int te 1/1, int te 1/2, int te 1/3, int te 1/4, int te 1/10, int te 1/34, each followed by its no ip address, tagged te 1/1, ip address, shut or no shut lines.
Standard format (fragment):
tagged te 1/1
no ip address
shutdown
!
interface Vlan 4
tagged te 1/1
no ip address
shutdown
!
interface Vlan 5
tagged te 1/1
no ip address
shutdown
!
interface Vlan 100
no ip address
no shutdown
!
interface Vlan 1000
ip address 1.1.1.1/16
no shutdown
Uncompressed config size – 52 lines
write memory compressed
The write memory compressed CLI writes the operating configuration to the startup-config file in the compressed mode.
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
Dell#show file-systems
Size(b) Free(b) Feature Type Flags
520962048 213778432 dosFs2.0 USERFLASH
127772672 21936128 dosFs2.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Dell#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.
Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
Using HTTP for File Transfers
Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
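The same check the verify md5 and verify sha256 commands perform, as an added example (not Dell code) you can run against a downloaded image before copying it to flash: the expected digest is validated for shape before hashing, the comparison is constant-time, and the file is streamed in chunks. SAMPLE_IMAGE is a constructed stand-in for the image file; the digest to compare against comes from the release notes, not from the file itself.

```python
"""Verify a software image against an operator-supplied MD5 or SHA-256 digest."""
import hashlib
import hmac
import io
from typing import BinaryIO, Tuple

ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
CHUNK = 1 << 20  # hash 1 MiB at a time so a large .bin never sits in memory whole

# Constructed stand-in for flash://image.bin (the real image is not on the page).
SAMPLE_IMAGE = b"FTOS-IMAGE-PLACEHOLDER\x00" * 64


def _new_hash(algo: str):
    try:
        return ALGORITHMS[algo.lower()]()
    except KeyError:
        raise ValueError(f"unsupported algorithm: {algo}") from None


def digest_stream(stream: BinaryIO, algo: str) -> str:
    """Stream a file-like object through the selected hash function."""
    h = _new_hash(algo)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def digest_hex(data: bytes, algo: str) -> str:
    """Hex digest of an in-memory byte string (convenience over digest_stream)."""
    return digest_stream(io.BytesIO(data), algo)


def verify_image(data: bytes, algo: str, expected_hex: str) -> Tuple[bool, str]:
    """Return (verified, computed_hex).

    The expected value must be a well-formed hex digest of the right length
    before anything is hashed, so a truncated or mistyped value is reported
    as a failure instead of being silently accepted.
    """
    digest_len = _new_hash(algo).digest_size * 2
    expected = expected_hex.strip().lower()
    if len(expected) != digest_len or any(c not in "0123456789abcdef" for c in expected):
        return False, ""
    computed = digest_hex(data, algo)
    return hmac.compare_digest(computed, expected), computed


def report(name: str, algo: str, ok: bool) -> str:
    """Status line in the style of the CLI output ('MD5 hash VERIFIED for ...')."""
    return f"{algo.upper()} hash {'VERIFIED' if ok else 'FAILED'} for {name}"


if __name__ == "__main__":
    good = digest_hex(SAMPLE_IMAGE, "sha256")
    print(report("image.bin", "sha256", verify_image(SAMPLE_IMAGE, "sha256", good)[0]))
    print(report("image.bin", "sha256", verify_image(SAMPLE_IMAGE, "sha256", "0" * 64)[0]))
```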
4 Management
This chapter describes the different protocols or services used to manage the Dell Networking system.
Removing a Command from EXEC Mode
To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  CONFIGURATION mode
  privilege {configure |interface | line | route-map | router} level level {command ||...
vlan VLAN keyword
Dell(conf)# interface group vlan 1 - 2 , gigabitethernet 1/1
Dell(conf-if-group-vl-1-2,gi-1/1)# no shutdown
Dell(conf-if-group-vl-1-2,gi-1/1)# end
Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information.
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
Dell# clear logging auditlog
Configuring Logging Format
To display syslog messages in an RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Figure 2.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported:
• RFC 5424, The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009 (obsoletes RFC 3164)
• RFC 5426, Transmission of Syslog Messages over UDP
Display Login Statistics
To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
Dell#show login statistics
------------------------------------------------------------------
User: admin
Last login time: Mon Feb 16 04:40:00 2015
Last login location: Line vty0 ( 10.14.1.
Restrictions for Limiting the Number of Concurrent Sessions
These restrictions apply for limiting the number of concurrent sessions:
• Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
• Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.
3 vty 1 10.14.1.97
4 vty 2 10.14.1.97
5 vty 3 10.14.1.97
Kill existing session? [line number/Enter to cancel]:
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
○ Add a line on a 5.7 SunOS UNIX system.
  local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.
Changing System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
○ syslog (for syslog messages)
○ user (for user programs)
○ uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config logging command in EXEC mode.
Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.
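An added example (not Dell code) tying together the logging version {0 | 1} formats, the facility keyword (local7, user) and the logging trap severity cutoff described in the passages above: it parses a message in either RFC 3164 or RFC 5424 framing, decodes PRI into facility and severity, extracts the %FACILITY-N-MNEMONIC tag, flags a PRI severity that disagrees with the digit in the tag, and applies a trap-level filter. The sample lines are constructed; only the %IFMGR message bodies come from the guide, and the PRI values and header layout are this example's assumptions (structured data is assumed to be a single element or "-").

```python
"""Parse Dell-style syslog lines in RFC 3164 and RFC 5424 framing and apply a trap level."""
import re
from dataclasses import dataclass
from typing import List, Optional

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
# Dell level keywords; list index == numeric syslog severity (0 = most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# version timestamp host app-name procid msgid structured-data msg
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[[^\]]*\]) ?(.*)$", re.S)
# "Mmm dd hh:mm:ss host msg" with a space-padded day
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")

# Constructed samples (assumed framing); %IFMGR bodies are the guide's examples.
SAMPLE_LINES = [
    "<189>Dec  8 10:57:08 Dell %IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8",
    "<14>1 2015-12-08T10:57:12Z Dell ifmgr - - - %IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8",
    "<191>Dec  8 10:57:13 Dell %SYS-7-DEBUG: constructed debug-level message",
]


@dataclass
class SyslogEntry:
    version: int                     # 0 = RFC 3164 framing, 1 = RFC 5424
    facility: str
    severity: int                    # taken from PRI
    host: str
    message: str
    mnemonic: Optional[str] = None   # e.g. IFMGR-5-CSTATE_UP
    severity_mismatch: bool = False  # PRI severity differs from the digit in the tag


def parse(line: str) -> SyslogEntry:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>")
    pri, rest = int(m.group(1)), m.group(2)
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), pri & 7
    m5 = RFC5424_RE.match(rest) if rest.startswith("1 ") else None
    m3 = None if m5 else RFC3164_RE.match(rest)
    if m5:
        version, host, msg = 1, m5.group(2), m5.group(7)
    elif m3:
        version, host, msg = 0, m3.group(2), m3.group(3)
    else:
        raise ValueError("header is neither RFC 3164 nor RFC 5424")
    entry = SyslogEntry(version, facility, severity, host, msg)
    mn = MNEMONIC_RE.search(msg)
    if mn:
        entry.mnemonic = f"{mn.group(1)}-{mn.group(2)}-{mn.group(3)}"
        entry.severity_mismatch = int(mn.group(2)) != severity
    return entry


def passes_level(entry: SyslogEntry, trap_level: str) -> bool:
    """'logging trap <level>' semantics: keep messages at that severity or more severe."""
    return entry.severity <= LEVELS.index(trap_level)


def filter_lines(lines: List[str], trap_level: str) -> List[SyslogEntry]:
    return [e for e in (parse(ln) for ln in lines) if passes_level(e, trap_level)]


if __name__ == "__main__":
    for e in filter_lines(SAMPLE_LINES, "informational"):
        flag = " (severity mismatch)" if e.severity_mismatch else ""
        print(f"v{e.version} {e.facility}.{LEVELS[e.severity]} {e.host} {e.mnemonic}{flag}")
```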
To view the configuration, use the show running-config logging command in EXEC privilege mode. To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
File Transfer Services
With Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
○ password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
• Enter the following keywords and slot/port or number information:
  ○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
NOTE: If you have already configured a generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply a generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line.
   CONFIGURATION mode
   login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
   LINE mode
   password
In the following example, VTY lines 0-2 use a single authentication method, line.
telnet [ip-address]
If you do not enter an IP address, Dell Networking OS enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
5 802.1ag
Ethernet operations, administration, and maintenance (OAM) is a set of tools used to install, monitor, troubleshoot, and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
• Service layer OAM — IEEE 802.1ag connectivity fault management (CFM)
• Link layer OAM — IEEE 802.
Maintenance Domains
Connectivity fault management (CFM) divides a network into hierarchical maintenance domains, as shown in the following illustration. A CFM maintenance domain is a management space on a network that a single management entity owns and operates. The network administrator assigns a unique maintenance level (from 0 to 7) to each domain to define the hierarchical relationship between domains.
Maintenance End Points
A maintenance end point (MEP) is a logical entity that marks the end point of a domain. There are two types of MEPs defined in 802.1ag for an 802.1 bridge:
• Up-MEP — monitors the forwarding path internal to a bridge on the customer or provider edge. On Dell Networking systems, the internal forwarding path is effectively the switch fabric and forwarding engine.
• Down-MEP — monitors the forwarding path external to the bridge.
Enable Ethernet CFM
To enable the Ethernet CFM, use the following commands:
1. Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned.
   CONFIGURATION mode
   ethernet cfm
2. Disable Ethernet CFM without stopping the CFM process.
   ETHERNET CFM mode
   disable
Creating a Maintenance Domain
Connectivity fault management (CFM) divides a network into hierarchical maintenance domains, as shown in Maintenance Domains.
1. Create a maintenance domain.
These roles define the relationships between all devices so that each device can monitor the layers under its responsibility.
Creating a Maintenance End Point
A maintenance endpoint (MEP) is a logical entity that marks the endpoint of a domain. There are two types of MEPs defined in 802.1ag for an 802.1 bridge:
• Up-MEP — monitors the forwarding path internal to a bridge on the customer or provider edge.
Displaying the MP Databases
CFM maintains two MP databases:
• MEP Database (MEP-DB): Every MEP must maintain a database of all other MEPs in the MA that have announced their presence via CCM.
• MIP Database (MIP-DB): Every MIP must maintain a database of all other MIPs in the MA that have announced their presence via CCM.
To display the MEP and MIP databases, use the following commands.
• Display the MEP Database.
Table 7. Continuity Check Message Processing

Frames at             | Frames from                    | UP-MEP Action | Down-MEP Action | MIP Action
----------------------|--------------------------------|---------------|-----------------|--------------------------
Less than my level    | Bridge-relay side or Wire side | Drop          | Drop            | Drop
My level              | Bridge-relay side              | Consume       | Drop            | Add to MIP-DB and forward
My level              | Wire side                      | Drop          | Consume         | Add to MIP-DB and forward
Greater than my level | Bridge-relay side or Wire side | Forward       | Forward         | Forward

All the remote MEPs in the maintenance domain are defined on each MEP.
Sending Loopback Messages and Responses Loopback message and response (LBM, LBR), also called Layer 2 Ping, is an administrative echo transmitted by MEPs to verify reachability to another MEP or MIP within the maintenance domain. LBM and LBR are unicast frames.
   ETHERNET CFM mode
   traceroute cache hold-time minutes
   The default is 100 minutes. The range is from 10 to 65535 minutes.
• Set the size of the Link Trace Cache.
   ETHERNET CFM mode
   traceroute cache size entries
   The default is 100. The range is from 1 to 4095 entries.
• Display the Link Trace Cache.
   EXEC Privilege mode
   show ethernet cfm traceroute-cache
• Delete all Link Trace Cache entries.
snmp-server enable traps ecfm

Dell#show ethernet cfm maintenance-points local mep
--------------------------------------------------------------------
MPID  Domain Name  MA Name  Level  VLAN  Type  Dir   Port     CCM-Status  MAC
--------------------------------------------------------------------
100   cfm0         test0    7      10    MEP   DOWN  Gi 4/10  Enabled     00:01:e8:59:23:45

Dell(conf-if-gi-1/6)#do show ethernet cfm domain
Domain Name: My_Name
MD Index: 1
Level: 0
Total Service: 1
Services
MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
1
LBR Pkts            0
LTR Pkts            0
Bad CFM Pkts        0
CFM Pkts Discarded  0
CFM Pkts forwarded  102417

TX Statistics
=============
Total CFM Pkts  10303
CCM Pkts        0
LBM Pkts        0
LTM Pkts        3
LBR Pkts        0
LTR Pkts        0
6 802.1X

802.1X is an IEEE Standard for port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). 802.1X employs Extensible Authentication Protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell Networking switch.
Figure 8. EAP Frames Encapsulated in Ethernet and RADIUS

The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
Figure 10. EAP Over RADIUS

RADIUS Attributes for 802.1X Support

Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31  Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41  NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61  NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X

Enable 802.1X globally.

Figure 11. 802.1X Enabled

1. Enable 802.1X globally.
   CONFIGURATION mode
   dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
   INTERFACE mode
   interface [range]
3. Enable 802.1X on the supplicant interface only.
   INTERFACE mode
   dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
 dot1x authentication
 no shutdown
!
Dell#

To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default.

Dell#show dot1x interface GigabitEthernet 2/1/ 802.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period. NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
The bold line shows the new port-control state.

Dell(conf-if-Gi-1/1)#dot1x port-control force-authorized
Dell(conf-if-Gi-1/1)#show dot1x interface GigabitEthernet 1/1 802.
Auth Type:       SINGLE_HOST
Auth PAE State:  Initialize
Backend State:   Initialize
Auth PAE State:  Initialize
Backend State:   Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
Configuring Dynamic VLAN Assignment with Port Authentication

Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3.
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
Dell(conf-if-gi-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-gi-2/1)#show config
!
interface GigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-gi-2/1)#

View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command from EXEC Privilege mode.

Example of Viewing Configured Authentication 802.
7 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This chapter describes the access control list (ACL) virtual local area network (VLAN) group and content addressable memory (CAM) enhancements.
Guidelines for Configuring ACL VLAN Groups

Keep the following points in mind when you configure ACL VLAN groups:
• The interfaces where you apply the ACL VLAN group function as restricted interfaces.
• The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering.
• You can add only one ACL to an interface at a time.
• When you attach an ACL VLAN group to the same interface, validation is performed to determine whether the ACL is applied directly to an interface.
show acl-vlan-group {group name | detail}

Dell#show acl-vlan-group detail
Group Name    : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members  : 100,200,300

Group Name    : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members  : 2-10,99

Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
Dell#

Configuring FP Blocks for VLAN Parameters

To allocate the number of FP blocks for the various VLAN processes on the system,
========|========|=================|=============|=============|==============
   1    |   0    | IN-L2 ACL       |     1008    |      320    |      688
        |        | IN-L2 FIB       |    32768    |     1132    |    31636
        |        | IN-L3 ACL       |    12288    |        2    |    12286
        |        | IN-L3 FIB       |   262141    |       14    |   262127
        |        | IN-L3-SysFlow   |     2878    |       45    |     2833
        |        | IN-L3-TrcList   |     1024    |        0    |     1024
        |        | IN-L3-McastFib  |     9215    |        0    |     9215
        |        | IN-L3-Qos       |     8192    |        0    |     8192
        |        | IN-L3-PBR       |     1024    |        0    |     1024
        |        | IN-V6 ACL       |        0    |        0    |        0
        |        | IN-V6 FIB       |        0    |        0    |        0
        |        | IN-V6-SysFlow   |        0    |        0    |        0
        |        | IN-V6-McastFib  |        0    |        0    |        0
Allocating FP Blocks for VLAN Processes

The VLAN content-aware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups. Of the two dynamic groups, you can allocate zero, one, or two FP blocks to iSCSI Counters, Open Flow, and ACL Optimization. You can configure only two of these features at a time.
8 Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists, and route-maps. For MAC ACLs, refer to Layer 2.
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions. When creating an access list, the sequence of the filters is important.
Implementing ACLs on Dell Networking OS

You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software. The number of entries allowed per ACL is hardware-dependent. If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule that is inserted, prepended, or appended requires a hardware shift in the flow table.
Dell(conf)#interface gigabitethernet 10/1
Dell(conf-if-gi-10/1)#service-policy input pmap

Important Points to Remember
• For route-maps with more than one match clause:
  ○ If two or more match clauses within the same route-map sequence use the same match command (with different values), matching a packet against these clauses is a logical OR operation.
route-map zakho, permit, sequence 20
  Match clauses:
    interface GigabitEthernet 1/1
  Set clauses:
    tag 35
    level stub-area
Dell#

To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000. In this scenario, Dell Networking OS scans all the instances of the route-map for any permit statement. If there is a match anywhere, the route is permitted. However, other instances of the route-map deny it.
   match metric metric-value
• Match BGP routes based on the ORIGIN attribute.
   CONFIG-ROUTE-MAP mode
   match origin {egp | igp | incomplete}
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated.
   CONFIG-ROUTE-MAP mode
   match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
• Match routes with a specific tag.
   CONFIG-ROUTE-MAP mode
   match tag tag-value
To create route map instances, use these commands.
There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.

Configure a Route Map for Route Redistribution

Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Example of Using the continue Clause in a Route Map

!
route-map test permit 10
 match commu comm-list1
 set community 1:1 1:2 1:3
 set as-path prepend 1 2 3 4 5
 continue 30
!

IP Fragment Handling

Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer 3 protocols (permit/deny ip/tcp/udp/icmp).
• If a packet's FO = 0, the next ACL line is processed.
In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.

Example of Permitting All Packets from a Specified Host

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
Dell#

The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order.
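As an added example (not Dell Networking OS code), the following Python model shows how the two behaviours described above interact when an extended ACL is evaluated: filters are kept in seq order regardless of entry order, and the fragments keyword matches only non-initial fragments (FO != 0) while a port filter can only be checked on FO = 0 packets. All class and function names, and the packet summaries, are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary (an assumption for this example)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp" or "other"
    frag_offset: int = 0         # FO: 0 for unfragmented packets and first fragments
    dport: Optional[int] = None  # only present when frag_offset == 0 (L4 header visible)


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR, "host a.b.c.d" or "any"
    dst: str
    eq_port: Optional[int] = None
    fragments: bool = False      # the 'fragments' keyword: non-initial fragments only


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.fragments:
        # 'fragments' matches only when FO != 0; a packet with FO = 0 falls
        # through to the next ACL line.
        return pkt.frag_offset != 0
    if rule.eq_port is not None:
        # Non-initial fragments carry no TCP/UDP header, so a port filter
        # cannot match them; only FO = 0 packets are checked against the port.
        return pkt.frag_offset == 0 and pkt.dport == rule.eq_port
    return True


class ExtendedAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        # Filters are kept in seq order regardless of the order they were entered.
        self.rules = sorted(self.rules + [rule], key=lambda r: r.seq)

    def show_config(self) -> List[str]:
        lines = [f"ip access-list extended {self.name}"]
        for r in self.rules:
            text = f" seq {r.seq} {r.action} {r.proto} {r.src} {r.dst}"
            if r.eq_port is not None:
                text += f" eq {r.eq_port}"
            if r.fragments:
                text += " fragments"
            lines.append(text)
        return lines

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq of the matching filter); implicit deny if none match."""
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action, r.seq
        return "deny", None


def build_abc_acl() -> ExtendedAcl:
    """The ACL 'ABC' from the fragment example above, modelled with these classes."""
    acl = ExtendedAcl("ABC")
    acl.add(Rule(10, "permit", "tcp", "host 10.1.1.1", "any", eq_port=24))
    acl.add(Rule(20, "deny", "ip", "any", "any", fragments=True))
    return acl


def seq_order_demo() -> List[int]:
    """Enter filter 25 before filter 15 and return the order show config lists them in."""
    acl = ExtendedAcl("demo")
    acl.add(Rule(25, "deny", "ip", "10.5.0.0/16", "any"))
    acl.add(Rule(15, "deny", "ip", "10.3.0.0/16", "any"))
    return [r.seq for r in acl.rules]


if __name__ == "__main__":
    acl = build_abc_acl()
    print("\n".join(acl.show_config()))
    # FO = 0 TCP packet to port 24 from the host: permitted by seq 10
    print(acl.evaluate(Packet("10.1.1.1", "10.2.2.2", "tcp", 0, 24)))
    # Non-initial fragment from the same host: seq 10 sees no port, seq 20 denies it
    print(acl.evaluate(Packet("10.1.1.1", "10.2.2.2", "tcp", frag_offset=185)))
```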
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813

To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
The example below shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order.

Dell(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
Dell(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
Dell(config-ext-nacl)#show confi
!
ip access-list extended dilling
 seq 5 permit tcp 12.1.0.0 0.0.255.255 any
 seq 15 deny ip host 112.45.0.
If a rule is simply appended, existing counters are not affected.

Table 9. L2 and L3 Filtering on Switched Packets

L2 ACL Behavior | L3 ACL Behavior | Decision on Targeted Traffic
----------------|-----------------|-----------------------------
Deny            | Deny            | L3 ACL denies.
Deny            | Permit          | L3 ACL permits.
Permit          | Deny            | L3 ACL denies.
Permit          | Permit          | L3 ACL permits.

NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
interface GigabitEthernet 1/1
 ip address 10.2.1.100 255.255.255.0
 ip access-group nimule in
 no shutdown
Dell(conf-if)#

To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.

Counting ACL Hits

You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter.
2. Apply the ACL as an inbound or outbound ACL on an interface.
3.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list. NOTE: VRF based ACL configurations are not supported on the egress traffic. Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command.
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count

FTOS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of the VRRP virtual MAC address.

IP Prefix Lists

IP prefix lists control routing policy.
seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
• le max-prefix-length: the maximum prefix length to match (from 0 to 32).
If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list.
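As an added example (not Dell Networking OS code), this Python model evaluates a prefix list with the ge/le semantics described above (exact length when neither is given, ge alone extends the upper bound to 32) and includes a check for the rule that the permit-all filter must be last; the list names, class names and sample routes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "10.0.0.0/8"
    ge: Optional[int] = None  # minimum prefix length to match
    le: Optional[int] = None  # maximum prefix length to match


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    net = ipaddress.ip_network(entry.prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if not rt.subnet_of(net):
        return False
    # Without ge/le the length must match exactly; ge alone extends the upper
    # bound to the address length (32 for IPv4); le alone keeps the lower bound.
    low = net.prefixlen if entry.ge is None else entry.ge
    if entry.le is not None:
        high = entry.le
    elif entry.ge is not None:
        high = net.max_prefixlen
    else:
        high = net.prefixlen
    return low <= rt.prefixlen <= high


class PrefixList:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[PrefixEntry] = []

    def add(self, entry: PrefixEntry) -> None:
        # Entries are evaluated in seq order, whatever order they were entered in.
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First matching entry wins; a route matching no entry is implicitly denied."""
        for e in self.entries:
            if entry_matches(e, route):
                return e.action, e.seq
        return "deny", None

    def permit_all_is_last(self) -> bool:
        """Check the rule above: a 'permit 0.0.0.0/0 le 32' filter must be the last one."""
        catch_all = [e for e in self.entries
                     if e.action == "permit" and e.prefix == "0.0.0.0/0"
                     and e.ge is None and e.le == 32]
        return bool(catch_all) and catch_all[-1] is self.entries[-1]


def build_example_list() -> PrefixList:
    """Constructed list: deny /24-or-longer routes inside 10.0.0.0/8, forward all else."""
    pl = PrefixList("no-long-tens")                          # name is an assumption
    pl.add(PrefixEntry(10, "permit", "0.0.0.0/0", le=32))   # entered first, sorted last
    pl.add(PrefixEntry(5, "deny", "10.0.0.0/8", ge=24))
    return pl


def build_shadowed_list() -> PrefixList:
    """Constructed misconfiguration: permit-all placed first shadows the deny."""
    pl = PrefixList("shadowed")
    pl.add(PrefixEntry(5, "permit", "0.0.0.0/0", le=32))
    pl.add(PrefixEntry(10, "deny", "10.0.0.0/8", ge=24))
    return pl


if __name__ == "__main__":
    for pl in (build_example_list(), build_shadowed_list()):
        print(pl.name, "permit-all last:", pl.permit_all_is_last())
        for route in ("10.1.2.0/24", "10.1.0.0/16", "192.168.1.0/24"):
            print("  ", route, "->", pl.evaluate(route))
```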
Viewing Prefix Lists

To view all configured prefix lists, use the following commands.
• Show detailed information about configured prefix lists.
   EXEC Privilege mode
   show ip prefix-list detail [prefix-name]
• Show a table of summarized information about configured prefix lists.
   EXEC Privilege mode
   show ip prefix-list summary [prefix-name]
The following example shows the show ip prefix-list detail command.
router rip
 distribute-list prefix juba out
 network 10.0.0.0
Dell(conf-router_rip)#router ospf 34

Applying a Filter to a Prefix List (OSPF)

To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
   CONFIGURATION mode
   router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
Table 10. ACL Resequencing (continued)

Rules                             Resequencing
seq 20 permit any host 1.1.1.4

Resequencing an ACL or Prefix List

Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
Dell# show running-config acl
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.1
 seq 4 permit ip any host 1.1.1.1
 remark 6 this remark has no corresponding rule
 remark 8 this remark corresponds to permit ip any host 1.1.1.2
 seq 8 permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.3
 seq 12 permit ip any host 1.1.1.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these parameters are saved as Unknown in the log message. If you also enable the logging of the count of packets in the ACL entry, and if logging is deactivated in a specific interval because the threshold has been exceeded, the count of packets that exceeded the logging threshold value during that interval is recorded when the subsequent log record (in the next interval) is generated for that ACL entry.
Flow-Based Monitoring Support for ACLs

Flow-based monitoring is supported on the platform. Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for Layer 2 and Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists. This mechanism copies incoming packets that match the ACL rules applied on the ingress port and forwards (mirrors) them to another port.
Example Output of the show Command

(conf-mon-sess-11)#show config
!
monitor session 11
 flow-based enable
 source GigabitEthernet 1/1 destination GigabitEthernet 1/1 direction both

The show ip | mac | ipv6 accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches the rules of the specific ACL.
Dell(conf)#do show ip accounting access-list testflow
!
Extended Ingress IP access list testflow on GigabitEthernet 1/1
Total cam count 4
 seq 5 permit icmp any any monitor count bytes (0 packets 0 bytes)
 seq 10 permit ip 102.1.1.
9 Bidirectional Forwarding Detection (BFD)

BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format

Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.

Figure 13. BFD in IPv4 Packet Format

Field            Description
Diagnostic Code  The reason that the last session failed.
State            The current local session state. Refer to BFD Sessions.
Flag             A bit that indicates packet function.
Field                    Description
Your Discriminator       A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval  The minimum rate at which the local system would like to send control packets to the remote system.
State  Description
Up     Both systems are exchanging control packets. The session is declared down if:
       • A control packet is not received within the detection time.
       • Sufficient echo packets are lost.
       • Demand mode is active and a control packet is not received in response to a poll packet.

BFD Three-Way Handshake

A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 15.
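As an added example (not Dell Networking OS code), the following Python model walks two BFD endpoints through the three-way handshake and the state changes described above: a Down session that receives a Down notification moves to Init, Init moves to Up, an Up session that stops receiving control packets within the detection time is declared Down, and an Admin Down packet forces Down. The class names, the 100 ms/multiplier 3 defaults and the detection-time rule (remote multiplier times the slower of the two intervals) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DOWN, INIT, UP, ADMIN_DOWN = "Down", "Init", "Up", "AdminDown"


@dataclass
class ControlPacket:
    """The control-packet fields this model needs; the rest are omitted."""
    state: str
    desired_min_tx_ms: int
    detect_mult: int


class BfdSession:
    def __init__(self, name: str, tx_ms: int = 100, rx_ms: int = 100, mult: int = 3):
        self.name = name
        self.state = DOWN
        self.tx_ms, self.rx_ms, self.mult = tx_ms, rx_ms, mult
        self.last_rx_ms = 0
        self.detection_time_ms: Optional[int] = None  # unknown until a packet arrives

    def packet(self) -> ControlPacket:
        """The status notification this system sends to its neighbor."""
        return ControlPacket(self.state, self.tx_ms, self.mult)

    def receive(self, pkt: ControlPacket, now_ms: int) -> str:
        """Apply the remote status notification; returns the new local state."""
        self.last_rx_ms = now_ms
        # Detection time (assumption): remote multiplier x the slower of the intervals.
        self.detection_time_ms = pkt.detect_mult * max(self.rx_ms, pkt.desired_min_tx_ms)
        if pkt.state == ADMIN_DOWN:
            self.state = DOWN       # a final Admin Down packet tears the session down
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT   # the neighbor sees us but has not yet seen our reply
            elif pkt.state == INIT:
                self.state = UP     # the neighbor has seen us: handshake complete here
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif self.state == UP:
            if pkt.state == DOWN:
                self.state = DOWN   # the neighbor declared the session down
        return self.state

    def tick(self, now_ms: int) -> str:
        """Declare the session down if no control packet arrived within detection time."""
        if (self.state in (INIT, UP) and self.detection_time_ms is not None
                and now_ms - self.last_rx_ms > self.detection_time_ms):
            self.state = DOWN
        return self.state


def three_way_handshake(a: BfdSession, b: BfdSession, now_ms: int = 0) -> Tuple[str, str]:
    """Exchange the three packets that bring both ends from Down to Up."""
    b.receive(a.packet(), now_ms)                 # a sends Down  -> b becomes Init
    a.receive(b.packet(), now_ms + a.tx_ms)       # b sends Init  -> a becomes Up
    b.receive(a.packet(), now_ms + 2 * a.tx_ms)   # a sends Up    -> b becomes Up
    return a.state, b.state


def failure_after_silence(a: BfdSession, b: BfdSession, start_ms: int) -> Tuple[str, str]:
    """b goes silent: a times out, and a's Down notification drives b Down as well."""
    silent_until = start_ms + a.detection_time_ms + 1
    a.tick(silent_until)                          # detection time expired on a
    b.receive(a.packet(), silent_until)           # b (Up) receives Down -> Down
    return a.state, b.state


if __name__ == "__main__":
    r1, r2 = BfdSession("R1"), BfdSession("R2")
    print("after handshake:", three_way_handshake(r1, r2))      # ('Up', 'Up')
    print("after silence:", failure_after_silence(r1, r2, 200))  # ('Down', 'Down')
```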
Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
   CONFIGURATION mode
   interface
2. Assign an IP address to the interface if one is not already assigned.
   INTERFACE mode
   ip address ip-address
3. Identify the neighbor that the interface participates with in the BFD session.
   INTERFACE mode
   bfd neighbor ip-address
To verify that the session is established, use the show bfd neighbors command. The bold line shows the BFD session.
Example of Viewing Session Parameters

R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
3. Configure an IP route to connect BFD on the static routes using the ip route bfd command.

Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes

Establishing Sessions for Static Routes

Sessions are established for all neighbors that are the next hop of a static route.

Figure 17. Establishing Sessions for Static Routes

To establish a BFD session, use the following command.
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.

Disabling BFD for Static Routes

If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 18. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
I - ISIS
O - OSPF
R - Static Route (RTM)

LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     O
* 2.2.3.1  2.2.3.2     Gi 2/2     Up     100     100     3     O

Changing OSPFv3 Session Parameters

Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role.
Establishing Sessions with OSPFv3 Neighbors

You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
• Establish sessions with all OSPFv3 neighbors.
   ROUTER-OSPFv3 mode
   bfd all-neighbors
• Establish sessions with OSPFv3 neighbors on a single interface.
Related Configuration Tasks
• Changing IS-IS Session Parameters
• Disabling BFD for IS-IS

Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once, or sessions can be established for all neighbors out of a specific interface.

Figure 19. Establishing Sessions with IS-IS Neighbors

To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
O - OSPF
R - Static Route (RTM)

LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 20.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group-name} no shutdown
5. Configure parameters for a BFD session established with all neighbors discovered by BGP.
   OR
   Establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
Displaying BFD for BGP Information

You can display related information for BFD for BGP. To display information about BFD for BGP sessions on a router, use the following commands and refer to the following examples.
• Verify a BFD for BGP configuration.
   EXEC Privilege mode
   show running-config bgp
• Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed.
Configured parameters:
 TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
 TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
 TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
 Number of packets received from neighbor: 4762
 Number of packets sent to neighbor: 4490
 Number of state changes: 2
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 5
Session Discriminato
 Registration    : 1
 De-registration : 0
 Init            : 0
 Up              : 1
 Down            : 0
 Admin Down      : 2

The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections.

R2# show ip bgp summary
BGP router identifier 10.0.0.
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
 Member of peer-group pg1 for session parameters
 BGP version 4, remote router ID 12.0.0.4
 BGP state ESTABLISHED, in this state for 00:05:33
 ...
 Neighbor is using BGP neighbor mode BFD configuration
 Peer active in peer-group outbound optimization
 ...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
 Member of peer-group pg1 for session parameters
 BGP version 4, remote router ID 12.0.0.
Establishing Sessions with All VRRP Neighbors

BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.

Figure 21. Establishing Sessions with All VRRP Neighbors

To establish sessions with all VRRP neighbors, use the following command.
• Establish sessions with all VRRP neighbors.
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.5.1  2.2.5.2     Gi 4/25    Down   1000    1000    3     V

To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.

Dell(conf-if-gi-4/25)#do show vrrp
------------------
GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
VRF:0 default
State: Backup, Priority: 1, Master: 2.2.5.
Configuring Protocol Liveness

Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state. To enable protocol liveness, use the following command.
• Enable Protocol Liveness.
The output for the debug bfd event command is the same as the log messages that appear on the console by default.
10 Border Gateway Protocol IPv4 (BGPv4)

This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 22. Internal BGP

BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 23. BGP Routers in Full Mesh

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State     Description
Connect   In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active    The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent  After successful OpenSent transition, the router sends an Open message and waits for one in return.
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B. 3.
Figure 25. BGP Best Path Selection

Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command, or aggregate-address command.
   a. Routes originated via a network or redistribute command are preferred over routes originated with the aggregate-address command.
4.
   a. If the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
   b. If the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path).
Figure 26. BGP Local Preference

Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 27. Multi-Exit Discriminators

NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites the IGP MED.

Origin

The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
path becomes unavailable, the BGP speaker withdraws its path from its local RIB and recalculates a new best path. This situation requires both IGP and BGP convergence and can be a lengthy process. BGP add-path also helps switchover to the next new best path when the current best path is unavailable.

Advertise IGP Cost as MED for Redistributed Routes

When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes.
Traditional Format    DOT Format
65536                 1.0
100000                1.34464
4294967295            65535.65535

When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.

AS4 Number Representation

Dell Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
Figure 28. Before and After AS Number Migration with Local-AS Enabled

When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
Important Points to Remember
• Because eBGP packets are not controlled by the ACL, packets from BGP neighbors cannot be blocked using the deny ip command.
• The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASNs in each segment starting from 0.
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)

The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• synchronization (the default is no synchronization)

BGP Configuration

To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor. By default, BGP is disabled.
an EBGP neighbor is usually the IP address of the interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, then it determines which peers outside the AS are reachable.

NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter.

1. Assign an AS number and enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
   • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.
1 BGP path attribute entrie(s) using 72 bytes of memory 1 BGP AS-PATH entrie(s) using 47 bytes of memory 5 neighbor(s) using 23520 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 10.10.21.1 10.10.32.3 100.10.92.9 192.168.10.1 192.168.12.
Last reset never Local host: 10.114.8.39, Local port: 1037 Foreign host: 10.114.8.60, Foreign port: 179 BGP neighbor is 10.1.1.1, remote AS 65535, internal link Administratively shut down BGP version 4, remote router ID 10.0.0.
Only one form of AS number representation is supported at a time. You cannot combine the types of representations within an AS. To configure AS4 number representations, use the following commands.
• Enable ASPLAIN AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asplain
  NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
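The three notations above (asplain, asdot, asdot+) and the traditional/DOT conversion table differ only in how the two 16-bit halves of a 4-byte AS number are written. The following is an added example, not Dell Networking OS code: it converts between the notations and parses any of them back, rejecting dotted halves that do not fit in 16 bits; the sample pairs come from the guide, the function names are ours.

```python
# Added example (not Dell Networking OS code): convert a 4-byte AS number
# between the asplain, asdot and asdot+ notations the guide describes, and
# parse any of them back. The ranges and the sample pairs (65536 = 1.0,
# 100000 = 1.34464, 4294967295 = 65535.65535) are the guide's; the function
# names are ours.

AS_MAX = 4294967295   # largest 4-byte AS number (2^32 - 1)
TWO_BYTE_MAX = 65535  # largest AS number that fits in 2 bytes


def _check_range(asn: int) -> None:
    """Reject anything outside 0..4294967295; AS numbers are unsigned 32-bit."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")


def to_asplain(asn: int) -> str:
    """asplain: the plain decimal value, the default notation in the guide."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """asdot+: always high.low, so 65535 becomes 0.65535 and 65536 becomes 1.0."""
    _check_range(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """asdot: 2-byte values stay plain; only values above 65535 use high.low."""
    _check_range(asn)
    if asn <= TWO_BYTE_MAX:
        return str(asn)
    return to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Parse an AS number written in any of the three notations.

    'X.Y' means X * 65536 + Y, and each half must itself fit in 16 bits, so
    strings such as '1.70000' or '65536.0' are rejected rather than silently
    folded into some other AS number.
    """
    text = text.strip()
    if "." in text:
        high, low = text.split(".", 1)
        if not (high.isdigit() and low.isdigit()):
            raise ValueError(f"malformed dotted AS number: {text!r}")
        hi, lo = int(high), int(low)
        if hi > TWO_BYTE_MAX or lo > TWO_BYTE_MAX:
            raise ValueError(f"dotted AS number part exceeds 65535: {text!r}")
        return (hi << 16) | lo
    if not text.isdigit():
        raise ValueError(f"malformed AS number: {text!r}")
    asn = int(text)
    _check_range(asn)
    return asn


if __name__ == "__main__":
    for asn in (65535, 65536, 100000, 4294967295):
        print(f"{to_asplain(asn):>10}  asdot={to_asdot(asn):<12} asdot+={to_asdot_plus(asn)}")
```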
A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes.

NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter.

1. Create a peer group by assigning a name to it.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name peer-group
2.
When you create a peer group, it is disabled (shutdown). The following example shows the creation of a peer group (zanzibar) (in bold).
Dell(conf-router_bgp)#neighbor zanzibar peer-group
Dell(conf-router_bgp)#show conf
!
router bgp 45
 bgp fast-external-fallover
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.1 shutdown
 neighbor 10.14.8.60 remote-as 18505
 neighbor 10.14.8.
10.68.181.1 10.68.182.1 10.68.183.1 10.68.184.1 10.68.185.1
Dell>

Configuring BGP Fast Fall-Over

By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails.
Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.200, Local port: 65519 Foreign host: 100.100.100.100, Foreign port: 179 Dell# To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configure Peer Groups.

Maintaining Existing AS Numbers During an AS Migration

The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration.
○ Number: 1 through 10.
○ Format: IP Address: A.B.C.D.
You must configure peer groups (refer to Configure Peer Groups) before assigning it to an AS. The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allow-as in 9). To disable this feature, use the no neighbor allow-as in number command in CONFIGURATION ROUTER BGP mode.
R2(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.
• Set the maximum restart time for all peers.
  CONFIG-ROUTER-BGP mode
  bgp graceful-restart [restart-time time-in-seconds]
  The default is 120 seconds.
• Set the maximum time to retain the restarting peer’s stale paths.
  CONFIG-ROUTER-BGP mode
  bgp graceful-restart [stale-path-time time-in-seconds]
  The default is 360 seconds.
• The local router supports graceful restart as a receiver only.
{deny | permit} filter parameter
This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters.
3. Return to CONFIGURATION mode.
   AS-PATH ACL mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression: Definition
* (asterisk): Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus): Matches 1 or more sequences of the immediately previous character or pattern.
? (question): Matches 0 or 1 sequence of the immediately previous character or pattern.
Redistributing Routes

In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
• Include directly connected or user-configured (static) routes in BGP.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community. In the RFC, the other communities are defined as follows:
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within the CONFED-SUB-AS.
• All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
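The well-known communities decide, per outbound peer type, whether a route leaves the local AS or confederation at all. The following is an added example, not Dell Networking OS code: it applies the RFC 1997 rules quoted above (plus NO_EXPORT, 0xFFFFFF01, from the same RFC) to a constructed set of IBGP, CONFED-EBGP and EBGP peers and parses the ASN:NN community syntax the community-list commands use.

```python
# Added example (not Dell Networking OS code): decide which peers may receive a
# route from its well-known COMMUNITY values. NO_EXPORT_SUBCONFED (0xFFFFFF03)
# and NO_ADVERTISE (0xFFFFFF02) are quoted in the guide; NO_EXPORT (0xFFFFFF01)
# is the third RFC 1997 well-known value. Peer kinds follow the guide's
# IBGP / CONFED-EBGP / EBGP terms; the peer names below are constructed.

NO_EXPORT = 0xFFFFFF01            # RFC 1997: keep inside the confederation / AS
NO_ADVERTISE = 0xFFFFFF02         # RFC 1997: do not advertise to any peer
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # RFC 1997: do not send to any external peer

IBGP = "ibgp"                # peer in the same (sub-)AS
CONFED_EBGP = "confed-ebgp"  # peer in another member AS of the same confederation
EBGP = "ebgp"                # peer outside the confederation
PEER_KINDS = {IBGP, CONFED_EBGP, EBGP}


def parse_community(text: str) -> int:
    """Accept 'ASN:NN' (the guide's community-list syntax) or a plain 32-bit
    decimal value and return the numeric community."""
    if ":" in text:
        asn, nn = text.split(":", 1)
        asn_i, nn_i = int(asn), int(nn)
        if not (0 <= asn_i <= 0xFFFF and 0 <= nn_i <= 0xFFFF):
            raise ValueError(f"community halves must fit in 16 bits: {text!r}")
        return (asn_i << 16) | nn_i
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community out of range: {text!r}")
    return value


def may_advertise(communities, peer_kind: str) -> bool:
    """Apply the RFC 1997 well-known communities to one outbound peer.

    Checks run from most to least restrictive: NO_ADVERTISE blocks every
    peer, NO_EXPORT_SUBCONFED blocks everything that is not IBGP, NO_EXPORT
    blocks only peers outside the confederation boundary. A route carrying
    none of them is in the INTERNET community and may go anywhere.
    """
    if peer_kind not in PEER_KINDS:
        raise ValueError(f"unknown peer kind: {peer_kind!r}")
    comms = set(communities)
    if NO_ADVERTISE in comms:
        return False
    if NO_EXPORT_SUBCONFED in comms and peer_kind != IBGP:
        return False
    if NO_EXPORT in comms and peer_kind == EBGP:
        return False
    return True


def outbound_peers(communities, peers: dict) -> list:
    """Return the sorted names of peers (name -> kind) that receive the route."""
    return sorted(name for name, kind in peers.items()
                  if may_advertise(communities, kind))


# Constructed peer set for the demonstration.
SAMPLE_PEERS = {
    "rr-core": IBGP,
    "member-as-border": CONFED_EBGP,
    "transit-upstream": EBGP,
}

if __name__ == "__main__":
    cases = [("internet", []), ("no-export", [NO_EXPORT]),
             ("no-export-subconfed", [NO_EXPORT_SUBCONFED]),
             ("no-advertise", [NO_ADVERTISE])]
    for label, comms in cases:
        print(f"{label:20s} -> {outbound_peers(comms, SAMPLE_PEERS)}")
```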
CONFIG-COMMUNITY-LIST mode
{permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE}
Filter routes based on the type of extended communities they carry using one of the following keywords:
• rt: route target.
• soo: route origin or site-of-origin.
Matching extended communities against a regular expression is also supported. Match against a regular expression using the following keyword.
• regexp: regular expression.
To view which BGP routes meet an IP community or IP extended community list’s criteria, use the show ip bgp {community-list | extcommunity-list} command in EXEC Privilege mode.

Manipulating the COMMUNITY Attribute

In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, Dell Networking OS does not send the COMMUNITY attribute.
* i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.0/30 *>i 6.1.0.0/16 *>i 6.2.0.0/22 *>i 6.3.0.0/18 *>i 6.4.0.0/16 *>i 6.5.0.0/19 *>i 6.8.0.0/20 *>i 6.9.0.0/20 *>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.0/21 *>i 6.151.0.0/16 --More-- 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.0.16 195.171.
set local-preference value
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
To allow more than one path, use the following command. The show ip bgp network command includes multipath information for that network.
• Enable multiple parallel paths.
  CONFIG-ROUTER-BGP mode
  maximum-paths {ebgp | ibgp} number

Filtering BGP Routes

Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs, or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises.
• out: apply the prefix list to outbound routes.
As a reminder, the following are rules concerning prefix lists:
• If the prefix list contains no filters, all routes are permitted.
• If a route matches none of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes.)
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Filter routes based on the criteria in the configured route map.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
   Configure the following parameters:
   • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
   • as-path-name: enter the name of a configured AS-PATH ACL.
   • in: apply the AS-PATH ACL map to inbound routes.
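The prefix-list rules (empty list permits all, no match is an implicit deny) and the ordered deny/permit entries of an AS-PATH ACL combine into one inbound policy. The following is an added example, not Dell Networking OS code, that evaluates both against constructed routes: prefix entries match exact prefixes only and AS-PATH patterns are Python regular expressions matched against the path as displayed (both assumptions; the guide does not cover ge/le or the exact regex dialect), and an AS-PATH ACL with no entries is treated as an implicit deny (also an assumption).

```python
# Added example (not Dell Networking OS code): evaluate an inbound BGP policy
# built from an IP prefix list and an AS-PATH ACL with the rules the guide
# states: an empty prefix list permits everything, a prefix that matches no
# entry is implicitly denied, and AS-PATH ACL entries are deny/permit regular
# expressions evaluated in order. Prefix entries here match exact prefixes only
# (assumption; the guide does not discuss ge/le), patterns are Python regexes
# (assumption), and an AS-PATH ACL with no entries is an implicit deny
# (assumption). The sample routes and policies are constructed.
import ipaddress
import re


def prefix_list_permits(prefix_list, prefix: str) -> bool:
    """prefix_list: ordered (action, 'a.b.c.d/len') tuples; first match wins."""
    if not prefix_list:
        return True  # guide: a prefix list with no filters permits all routes
    net = ipaddress.ip_network(prefix, strict=True)
    for action, entry in prefix_list:
        if ipaddress.ip_network(entry, strict=True) == net:
            return action == "permit"
    return False  # guide: no match is an implicit deny


def as_path_acl_permits(acl, as_path: str) -> bool:
    """acl: ordered (action, regex) tuples matched against the AS path as it
    is displayed ('701 3549 19421'); first match wins, no match is a deny."""
    for action, pattern in acl:
        if re.search(pattern, as_path):
            return action == "permit"
    return False


def apply_inbound_policy(routes, prefix_list, as_path_acl):
    """Return (accepted, rejected) for routes given as (prefix, as_path).

    A route must pass both filters; the list that dropped it is recorded so
    an operator can see why a prefix is missing from the table.
    """
    accepted, rejected = [], []
    for prefix, as_path in routes:
        if not prefix_list_permits(prefix_list, prefix):
            rejected.append((prefix, "prefix-list"))
        elif not as_path_acl_permits(as_path_acl, as_path):
            rejected.append((prefix, "as-path acl"))
        else:
            accepted.append(prefix)
    return accepted, rejected


# Constructed sample policy: only two prefixes are wanted, and any path that
# carries reserved AS 65535 anywhere is refused. The deny pattern anchors the
# ASN on start-or-space and end-or-space so that 655350 does not match.
SAMPLE_PREFIX_LIST = [("permit", "10.10.21.0/24"), ("permit", "10.10.32.0/24")]
SAMPLE_AS_PATH_ACL = [("deny", r"(^|\s)65535($|\s)"), ("permit", r".*")]
SAMPLE_ROUTES = [
    ("10.10.21.0/24", "701 3549 19421"),
    ("10.10.32.0/24", "209 65535 22291"),
    ("192.168.10.0/24", "701 17302"),
    ("100.10.92.0/24", "209 3356 2529"),
]

if __name__ == "__main__":
    ok, dropped = apply_inbound_policy(SAMPLE_ROUTES, SAMPLE_PREFIX_LIST,
                                       SAMPLE_AS_PATH_ACL)
    print("accepted:", ok)
    print("rejected:", dropped)
```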
In the show ip bgp command, aggregates contain an ‘a’ in the first column (shown in bold) and routes suppressed by the aggregate contain an ‘s’ in the first column.
Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
*> 7.0.0.0/29
*> 7.0.0.0/30
*>a 9.0.0.0/8
*> 9.2.0.
• dampened path — a path that is no longer advertised
• penalized path — a path that is assigned a penalty
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands.
• Enable route dampening.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements; entering bgp dampening 2 ? shows the re-advertise value, bgp dampening 2 2000 ? shows the suppress value, and bgp dampening 2 2000 3000 ? shows the time to suppress a route. Default values are also shown.
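The four bgp dampening parameters above (decay time, re-advertise value, suppress value, maximum suppress time) drive a penalty that grows with each flap and halves every half-life. The following is an added example, not Dell Networking OS code, that simulates that penalty: the 15-minute default half-life is the guide's; the 1000-point penalty per flap and the 750 / 2000 / 60-minute defaults for reuse, suppress and max-suppress are the usual implementation values and are assumptions here, not values from the guide.

```python
# Added example (not Dell Networking OS code): simulate the route flap
# dampening penalty that the bgp dampening command configures. The penalty
# decays exponentially, halving every half-life (the guide's default is 15
# minutes). The 1000-point penalty per flap and the reuse, suppress and
# max-suppress defaults of 750, 2000 and 60 minutes are common implementation
# values and are assumptions here, not values taken from the guide.
import math


class RouteDampener:
    """Tracks one prefix's penalty; all times are minutes of simulated time."""

    def __init__(self, half_life=15, reuse=750, suppress=2000,
                 max_suppress=60, flap_penalty=1000):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # Cap the penalty so a route is never suppressed longer than
        # max_suppress minutes: decaying from the cap down to 'reuse' takes
        # exactly max_suppress minutes.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        elapsed = now - self.last_update
        if elapsed < 0:
            raise ValueError("time cannot move backwards")
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now

    def flap(self, now) -> bool:
        """Record a withdraw/re-announce at 'now'; return whether suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now) -> bool:
        """Decay to 'now' and release the route once the penalty drops below reuse."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return self.suppressed

    def minutes_until_reuse(self, now) -> float:
        """Time until the penalty decays below the reuse threshold."""
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    d = RouteDampener()
    for t in (0, 0, 0):  # three flaps in quick succession
        suppressed = d.flap(t)
        print(f"flap at t={t}: penalty={d.penalty:.0f} suppressed={suppressed}")
    print(f"minutes until reuse: {d.minutes_until_reuse(0):.1f}")
    print(f"still suppressed at t=29: {d.is_suppressed(29)}, at t=31: {d.is_suppressed(31)}")
```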
○ keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
○ holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Route Map Continue

The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
BGP Regular Expression Optimization

Dell Networking OS optimizes processing time when using regular expressions by caching and re-using regular expression evaluation results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against AS paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2 BGP neighbor is 1.1.1.2, remote AS 2, external link BGP version 4, remote router ID 2.4.0.
To change the maximum buffer size, use the capture bgp-pdu max-buffer-size command. To view the captured PDUs, use the show capture bgp-pdu neighbor command. Dell#show capture bgp-pdu neighbor 20.20.20.2 Incoming packet capture enabled for BGP neighbor 20.20.20.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.

Figure 29. Sample Configurations

Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R1(conf-router_bgp)#neighbor 192.168.128.3 no shut R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.
R3(conf-if-gi-3/11)#show config ! interface GigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int gi 3/21 R3(conf-if-gi-3/21)#ip address 10.0.2.3/24 R3(conf-if-gi-3/21)#no shutdown R3(conf-if-gi-3/21)#show config ! interface GigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-gi-3/21)# R3(conf-if-gi-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff fffffff
192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 Example of Enabling Peer Groups (Router 3) R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown R3(conf-router_bgp)# neighbor 192.168.128.
122 keepalives, 0 route refresh requests Sent 140 messages, 0 in queue
11 Content Addressable Memory (CAM)

CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
Table 13. Default Cam Allocation Settings (continued)
CAM Allocation    Setting
fedgovacl         0

NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 512 entries.
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number]
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0.
3. Execute write memory and verify that the new settings are written to the CAM on the next boot.
   EXEC Privilege mode
   show cam-acl
4. Reload the system.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 Dell(conf)# NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 0
ipv4pbr     : 0
vrfv4Acl    : 0
Openflow    : 0
fedgovacl   : 0
Dell#

View CAM Usage

View the amount of CAM space available, used, and remaining in each ACL partition using the show cam-usage command from EXEC Privilege mode.
QoS CAM Region Limitation

To store QoS service policies, the default CAM profile allocates a partition within the IPv4Flow region. If the QoS CAM space is exceeded, a message similar to the following displays.
12 Control Plane Policing (CoPP)

Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 31. CoPP Implemented Versus CoPP Not Implemented

Topics:
• Configure Control Plane Policing

Configure Control Plane Policing

The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols

This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
The following example shows creating the QoS input policy.
• Queues 8 to 15 process packets destined to the Route Processor CPU.
• Queues 16 to 23 process packets destined to the line-card CPU.
3. Enter Control Plane mode.
   CONFIGURATION mode
   control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
   CONTROL-PLANE mode
   service-policy rate-limit-cpu-queues input-policy-map
The following example shows creating the QoS policy.
Currently, there are 4 queues for data and 4 for control in both front-end and back-plane ports. In stacked systems, the control streams that reach standby or slave units are tunneled through the backplane ports across stack-units to reach the CPU of the master unit. In this case, the packets that reach the slave unit’s CMIC via queues 0 – 7 take the same queues 0 – 7 on the back-plane ports while traversing across units, and finally on the master CMIC they are queued on the same queues 0 – 7.
• NDP packets in the VLT peer routing enabled case
  ○ Each VLT node has a route entry for the link-local address of both itself and the peer VLT node. The peer VLT link-local entry has the ICL link as its egress port, and the actual link-local address entry is set to CopyToCpu. However, NDP packets destined to the peer VLT node must be taken to the CPU and tunneled to the peer VLT node.
• NDP packets in the VLT peer routing disabled case
  ○ NDP packets intended for the peer VLT chassis are taken to the CPU and tunneled to the peer.
for OSPFv3. The control plane management support for IPv6 ICMPv6 packets is enhanced so that more CPU queues per port are available, and other CoPP improvements have been implemented. To configure control-plane policing, perform the following:
1. Create an IPv6 ACL for control-plane traffic policing for ospfv3.
   CONFIGURATION mode
   Dell(conf)#ipv6 access-list ospfv3 cpu-qos
   Dell(conf-ipv6-acl-cpuqos)#permit ospf
2. Create a QoS input policy for the router and assign the policing.
TCP (BGP)      any/179   179/any   _   Q6      CP   100
UDP (DHCP)     67/68     68/67     _   Q6/Q5   CP   _
UDP (DHCP-R)   67        67        _   Q6      CP   _
TCP (FTP)      any       21        _   Q6      CP   _
ICMP           any       any       _   Q6      CP   _
IGMP           any       any       _   Q7      CP   _
TCP (MSDP)     any/639   639/any   _   Q6      CP   _
UDP (NTP)      any       123       _   Q6      CP   _
OSPF           any       any       _   Q7      CP   _
PIM            any       any       _   Q7      CP   _
UDP (RIP)      any       520       _   Q7      CP   _
TCP (SSH)      any       22        _   Q6      CP   _
TCP (TELNET)   any       23        _   Q6      CP   _
VRRP           any       any       _   Q7      CP   _
Dell#
To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
13 Dynamic Host Configuration Protocol (DHCP)

DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option: Number and Description
Router: Option 3. Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server: Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name: Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer. 3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values. 4.
• This platform supports 4000 DHCP Snooping entries.
• All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection.
NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
show config

After an IP address is leased to a client, only that client may release the address. Dell Networking OS performs an IP + MAC source address validation to ensure that no client can release another client’s address. This validation is a default behavior and is separate from IP+MAC source address validation.
Using DNS for Address Resolution

A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
   DHCP
   domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
EXEC Privilege mode
debug ip dhcp server [events | packets]

Using DHCP Clear Commands

To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
  EXEC Privilege mode
  clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
  EXEC Privilege mode
Figure 34. Configuring a Relay Agent

To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gigabitethernet 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch. A switch cannot operate with BMP and as a DHCP client simultaneously. To disable BMP in EXEC mode, use the stop bmp command. After BMP stops, the switch acts as a DHCP client.
interface type slot/port
2. Acquire the IP address for an Ethernet interface from a DHCP network server.
   INTERFACE mode
   ip address dhcp
   Dynamically assigned IP addresses can be released without removing the DHCP client operation on the interface on a switch configured as a DHCP client.
3. Manually acquire a new IP address from the DHCP server by releasing a dynamically acquired IP address while retaining the DHCP client configuration on the interface.
DHCP Client Operation with Other Features

The DHCP client operates with other Dell Networking OS features, as the following describes.

Stacking

The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It periodically synchronizes the lease file with the standby unit. When a stack failover occurs, the new master requires the same DHCP server-assigned IP address on DHCP client interfaces.
Configure Secure DHCP

DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
• Option 82
• DHCP Snooping
• Dynamic ARP Inspection
• Source Address Validation

Option 82

RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment.
Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size.
• Delete all of the entries in the binding table.
  EXEC Privilege mode
  clear ip dhcp snooping binding

Clearing the DHCP IPv6 Binding Table

To clear the DHCP IPv6 binding table, use the following command.
• Delete all of the entries in the binding table.
  EXEC Privilege mode
  clear ipv6 dhcp snooping binding
Dell# clear ipv6 dhcp snooping?
binding   Clear the snooping binding database

Displaying the Contents of the Binding Table

To display the contents of the binding table, use the following command.
33::22       11:22:11:22:11:23   120331   S   Vl 200   Gi 1/1
333:22::22   11:22:11:22:11:24   120331   D   Vl 300   Gi 1/2

Debugging the IPv6 DHCP

To debug the IPv6 DHCP, use the following command.
• Display debug information for IPv6 DHCP.
  EXEC Privilege mode
  debug ipv6 dhcp

IPv6 DHCP Snooping MAC-Address Verification

Configure the switch to verify the source MAC address in the DHCP packet against the MAC address stored in the snooping binding table.
• Enable IPv6 DHCP snooping.
Broadcast: An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address, resulting in all clients broadcasting all internet-bound packets.
MAC flooding: An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which traffic from the gateway is broadcast.
Bypassing the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. To bypass the ARP inspection, use the following command. • Specify an interface as trusted so that ARPs are not validated against the binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
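The two checks described above, Dynamic ARP Inspection against the snooping binding table (with trusted-port bypass) and DHCP MAC source address validation on snooped VLANs, as an added example in Python. This is illustrative code, not Dell Networking OS code: the binding-table layout, the port names and the ARP and DHCP packet bytes are all constructed for the example.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: IP, MAC, VLAN and the port it was learned on."""
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingState:
    """Binding table plus the per-switch sets that drive DAI and SAV (constructed)."""

    def __init__(self):
        self.bindings = {}          # (vlan, ip) -> Binding
        self.snooped_vlans = set()  # SAV is applied only on these VLANs
        self.trusted_ports = set()  # ARPs from these ports bypass validation

    def add_binding(self, b):
        self.bindings[(b.vlan, b.ip)] = b


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


# --- constructed sample packets (not captured traffic) ---
def build_arp_reply(sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP reply body after the Ethernet header (RFC 826 layout)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def build_dhcp_discover(chaddr):
    """Minimal BOOTP/DHCP header (RFC 2131) up to and including the CHADDR field."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)  # op htype hlen hops xid secs flags
    fixed += bytes(16)                                              # ciaddr yiaddr siaddr giaddr
    return fixed + mac_bytes(chaddr) + bytes(10)                    # 16-byte chaddr field


def inspect_arp(state, vlan, port, arp):
    """DAI: validate sender MAC/IP against the binding table unless the
    ingress port is trusted. Returns (allowed, reason)."""
    if port in state.trusted_ports:
        return True, "trusted port: ARP not validated"
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "not an Ethernet/IPv4 ARP packet"
    sha, spa = mac_str(arp[8:14]), ip_str(arp[14:18])
    b = state.bindings.get((vlan, spa))
    if b is None:
        return False, f"no binding for {spa} on VLAN {vlan}"
    if b.mac != sha:
        return False, f"sender MAC {sha} does not match binding {b.mac} for {spa}"
    return True, "sender matches binding"


def validate_sav(state, vlan, src_mac, dhcp):
    """DHCP MAC SAV: on snooped VLANs the frame's source MAC must equal CHADDR."""
    if vlan not in state.snooped_vlans:
        return True, "VLAN not snooped: SAV not applied"
    hlen = dhcp[2]
    chaddr = mac_str(dhcp[28:28 + hlen])
    if chaddr != src_mac:
        return False, f"source MAC {src_mac} differs from CHADDR {chaddr}"
    return True, "source MAC matches CHADDR"


def demo():
    """Constructed scenario: one client binding on VLAN 100, uplink Gi 1/24 trusted."""
    st = SnoopingState()
    st.snooped_vlans.add(100)
    st.trusted_ports.add("Gi 1/24")
    client = "00:11:22:33:44:55"
    st.add_binding(Binding("10.0.0.5", client, 100, "Gi 1/1"))
    gw = "00:aa:bb:cc:dd:ee"
    good = build_arp_reply(client, "10.0.0.5", gw, "10.0.0.1")
    spoof = build_arp_reply("de:ad:be:ef:00:01", "10.0.0.5", gw, "10.0.0.1")
    return {
        "arp_valid": inspect_arp(st, 100, "Gi 1/1", good)[0],
        "arp_spoof": inspect_arp(st, 100, "Gi 1/2", spoof)[0],
        "arp_trusted": inspect_arp(st, 100, "Gi 1/24", spoof)[0],
        "sav_match": validate_sav(st, 100, client, build_dhcp_discover(client))[0],
        "sav_mismatch": validate_sav(st, 100, client, build_dhcp_discover("66:77:88:99:aa:bb"))[0],
        "sav_unsnooped": validate_sav(st, 200, client, build_dhcp_discover("66:77:88:99:aa:bb"))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The spoofed reply is dropped on an untrusted access port but passes unchecked on the trusted uplink, which is why trusted ports should be limited to links toward the DHCP server and gateway; the SAV mismatch on the snooped VLAN is exactly what the discard counter in the output above accumulates.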
14 Equal Cost Multi-Path (ECMP)
This chapter describes configuring ECMP.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Dell Networking OS provides a command line interface (CLI)-based solution for modifying the hash seed to ensure that on each configured system, the ECMP selection is same. When configured, the same seed is set for ECMP, LAG, and NH, and is used for incoming traffic only. NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed.
• Configure the maximum number of paths per ECMP group.
CONFIGURATION mode.
ip ecmp-group maximum-paths {2-64}
• Enable ECMP group path management.
CONFIGURATION mode.
ip ecmp-group path-fallback
Dell(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take effect
Dell(conf)#
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface.
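The point of the seed discussion above (a common seed makes every system select the same ECMP member for a given flow, while the maximum-paths setting bounds the members considered) as an added example in Python. This is not Dell Networking OS code: the hash function is a SHA-256 stand-in for the hardware hash, the next-hop names and the sample flows are constructed, and the "first N sorted next hops" rule for maximum-paths is an assumption made for the example.

```python
import hashlib
import random
import struct


def flow_bytes(src, dst, proto, sport, dport):
    """Pack the 5-tuple that identifies a flow."""
    return src.encode() + dst.encode() + struct.pack("!BHH", proto, sport, dport)


def select_path(flow, next_hops, seed, max_paths=64):
    """Choose one next hop for a flow.
    Stand-in hash: SHA-256 over seed||5-tuple. The hardware hash differs; what
    matters is that the choice is a deterministic function of seed and flow.
    max_paths mirrors 'ip ecmp-group maximum-paths': only the first N (sorted)
    next hops are candidates (assumption for this example)."""
    usable = sorted(next_hops)[:max_paths]
    digest = hashlib.sha256(struct.pack("!I", seed) + flow).digest()
    return usable[int.from_bytes(digest[:4], "big") % len(usable)]


def constructed_flows(n=200):
    """Reproducible sample of TCP/443 flows (constructed, not captured)."""
    rng = random.Random(7)
    flows = []
    for _ in range(n):
        src = f"10.1.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        dst = f"192.0.2.{rng.randrange(1, 255)}"
        flows.append(flow_bytes(src, dst, 6, rng.randrange(1024, 65535), 443))
    return flows


def compare_systems(seed_a, seed_b, next_hops=("Gi 1/1", "Gi 1/2", "Gi 1/3"), max_paths=3):
    """Fraction of flows for which two systems (seed_a, seed_b) pick the same next hop."""
    flows = constructed_flows()
    same = sum(select_path(f, next_hops, seed_a, max_paths)
               == select_path(f, next_hops, seed_b, max_paths) for f in flows)
    return same / len(flows)


def demo():
    four = ("Gi 1/1", "Gi 1/2", "Gi 1/3", "Gi 1/4")
    return {
        "same_seed": compare_systems(0x1234, 0x1234),       # identical selection everywhere
        "different_seed": compare_systems(0x1234, 0x5678),  # selections diverge
        # maximum-paths 2 limits the group to two candidates out of four
        "paths_used": len({select_path(f, four, 1, max_paths=2) for f in constructed_flows()}),
    }


if __name__ == "__main__":
    print(demo())
```

With the same seed two systems agree on every flow, which is the flow-affinity property the CLI seed exists to guarantee; with different seeds the same flow can take different members on each hop.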
interface gigabitethernet 1/3
link-bundle-monitor enable
Dell(conf-ecmp-group-5)#
15 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
○ If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
○ If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command.
Current Type               : S4810 - 52-port GE/TE/FG (SE)
Master priority            : 0
Hardware Rev               : 3.0
Num Ports                  : 64
Up Time                    : 7 hr, 3 min
Dell Networking OS Version : 4810-8-3-7-1061
Jumbo Capable              : yes
POE Capable                : no
FIPS Mode                  : enabled
Burned In MAC              : 00:01:e8:8a:ff:0c
No Of MACs                 : 3
...
The following example shows the show system command on the Z9500.
Dell#show system
System MAC   : 74:86:7a:ff:71:8c
Reload-Type  : normal-reload [Next boot : normal-reload]
-- CP --
Status       : active
Next Boot    : online
Hardware Rev : 1.
Auto Reboot                : disabled
Last Restart               : powered-on
Burned In MAC              : 74:86:7a:ff:71:8c
No Of MACs                 : 3
-- Linecard 1 --
Unit Type                  : Linecard
Status                     : online
Next Boot                  : online
Required Type              : Z9500LC12 - 12-port TE/FG (ZC)
Hardware Rev               : 1.0
Num Ports                  : 48
Up Time                    : 2 min, 8 sec
Dell Networking OS Version : 1-0(0-4072)
Jumbo Capable              : yes
Boot Flash                 : 3.2.1.0
Boot Selector              : 3.2.0.
[Fan status table residue: Unit 0, fans 1 through 4 absent; Speed in RPM column]
Current BootSelector-Boot: Backup BIOS
Disabling FIPS Mode
When you disable FIPS mode, the following changes occur:
• The SSH server disables.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode disables.
• The SSH server re-enables.
• The Telnet server re-enables (if it is present in the configuration).
16 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 35. Example of Multiple Rings Connected by Single Switch
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
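The ring status mechanism described under Ring Status and Ring Checking (the Master node sends a ring health frame each interval, resets its fail-period timer when the frame returns on its secondary port, and declares a ring failure when the timer expires or a failure notification arrives) as an added discrete-time simulation in Python. It is not Dell Networking OS code. The link names, the 500 ms hello and 1500 ms fail-period values are constructed, and the rule that the Master blocks its secondary port for member VLANs while the ring is intact and unblocks it on failure is an assumption made for the example, not something the guide states here.

```python
class FrrpRing:
    """Master-node view of one ring (constructed simulation)."""

    def __init__(self, links, hello_ms=500, fail_ms=1500):
        self.links = set(links)       # physical links that form the ring
        self.down = set()             # links currently failed
        self.hello_ms = hello_ms      # RHF transmit interval
        self.fail_ms = fail_ms        # fail-period timer
        self.state = "up"
        self.secondary_blocked = True  # assumption: blocked while ring is intact
        self.last_rhf_ms = 0          # last time an RHF returned on the secondary port
        self.events = []              # (time_ms, "up" | "down")

    def ring_intact(self):
        return not self.down

    def _fail(self, now_ms):
        if self.state == "up":
            self.state, self.secondary_blocked = "down", False
            self.events.append((now_ms, "down"))

    def failure_notification(self, now_ms):
        """A transit node reports a link down: react without waiting for the timer."""
        self._fail(now_ms)

    def tick(self, now_ms):
        """Master transmits an RHF on its primary port at each hello interval."""
        if self.ring_intact():
            self.last_rhf_ms = now_ms            # RHF seen on secondary: reset timer
            if self.state != "up":
                self.state, self.secondary_blocked = "up", True
                self.events.append((now_ms, "up"))
        elif now_ms - self.last_rhf_ms >= self.fail_ms:
            self._fail(now_ms)                   # fail-period timer expired


def simulate(fail_at_ms, repair_at_ms, notify, duration_ms=4000, hello_ms=500, fail_ms=1500):
    """Break link B-C at fail_at_ms, repair it at repair_at_ms, return the event list."""
    ring = FrrpRing(["A-B", "B-C", "C-A"], hello_ms, fail_ms)
    for t in range(0, duration_ms + 1, hello_ms):
        broken = fail_at_ms is not None and fail_at_ms <= t and (repair_at_ms is None or t < repair_at_ms)
        if broken:
            if "B-C" not in ring.down:
                ring.down.add("B-C")
                if notify:
                    ring.failure_notification(t)
            # without a notification the master only finds out from missing RHFs
        else:
            ring.down.discard("B-C")
        ring.tick(t)
    return ring.events


if __name__ == "__main__":
    print("timer only     :", simulate(1000, 2500, notify=False))
    print("with notification:", simulate(1000, 2500, notify=True))
```

With the ring check alone the Master notices the failure only when three hello intervals have passed without an RHF (down at 2000 ms for a failure at 1000 ms); the failure notification path reports it at once, which is why the guide describes the two mechanisms as complementary.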
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept: Explanation
Ring ID: Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN: Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
• Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
• Creating the FRRP Group
• Configuring the Control VLAN
○ Configure Primary and Secondary ports
• Configuring and Adding the Member VLANs
○ Configure Primary and Secondary ports
Other FRRP related commands are:
• Clearing the FRRP Counters
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring.
Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-PortSlot/Port.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
CONFIG-FRRP mode.
interface primary interface slot/port secondary int slot/port control-vlan vlan id
Interface:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• Slot/Port: Slot and Port ID for the interface. Range is entered Slot/Port-PortSlot/Port.
VLAN ID: Identification number of the Control VLAN.
4. Configure a Transit node.
CONFIG-FRRP mode.
mode transit
5. Identify the Member VLANs for this FRRP group.
CONFIG-FRRP mode.
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
6. Enable this FRRP group on this switch.
CONFIG-FRRP mode.
no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
EXEC or EXEC Privilege mode.
show frrp ring-id
• Ring ID: the range is from 1 to 255.
Show the state of all FRRP groups.
EXEC or EXEC Privilege mode.
show frrp summary
Ring ID: the range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
no shutdown
!
interface GigabitEthernet 2/31
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged GigabitEthernet 2/14,31
no shutdown
!
interface Vlan 201
no ip address
tagged GigabitEthernet 2/14,31
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
member-vlan 201
mode transit
no disable
Example of R3 TRANSIT
interface GigabitEthernet 3/14
no ip address
switchport
no shutdown
!
interface GigabitEthernet 3/21
no i
17 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 36. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
no shutdown
Dell(conf-if-gi-1/21)#
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell Networking OS default is 200ms.
18 High Availability (HA) High availability (HA) is supported on Dell Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell Networking OS release. Table 18. Boot Code Requirements Component Boot Code S3048–ON 1 2.0.
Peer Stack-unit: not present
-- Stack-unit Redundancy Configuration --
Primary Stack-unit:      mgmt-id 0
Auto Data Sync:          Full
Failover Type:           Hot Failover
Auto reboot Stack-unit:  Enabled
Auto failover limit:     3 times in 60 minutes
-- Stack-unit Failover Record --
Failover Count:          0
Last failover timestamp: None
Last failover Reason:    None
Last failover type:      None
-- Last Data Block Sync Record: --
redundancy auto-failover-limit
• Re-Enable the auto-failover-limit with its default parameters.
CONFIGURATION mode
redundancy auto-failover-limit (no parameters)
Disabling Auto-Reboot
To disable auto-reboot, use the following command.
• Prevent a failed stack unit from rebooting after a failover.
CONFIGURATION mode
redundancy disable-auto-reboot
Manually Synchronizing Management and Standby Units
To manually synchronize Management and Standby units at any time, use the following command.
• Link aggregation control protocol.
• Spanning tree protocol. Refer to Configuring Spanning Trees as Hitless.
Graceful Restart
Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
• Application core dump is the contents of the memory allocated to a failed application at the time of an exception.
• Kernel: the kernel is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory in use by the kernel at the time of an exception.
System Log
Event messages provide system administrators diagnostics and auditing information.
19 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 37. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts so the request is recorded. Figure 40.
Figure 41. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled interfaces.
EXEC Privilege mode
show ip igmp interface
Dell#show ip igmp interface
GigabitEthernet 3/10
  Inbound IGMP access group is not set
  Internet address is 165.87.34.5/24
  IGMP is up on the interface
  IGMP query interval is 60 seconds
  IGMP querier timeout is 0 seconds
  IGMP max query response time is 10 seconds
  IGMP last member query response interval is 1000 ms
  IGMP immediate-leave is disabled
  IGMP activity: 2 joins
  IGMP querying router is 165.87.34.
Adjusting Timers The following sections describe viewing and adjusting timers. To view the current value of all IGMP timers, use the following command. • View the current value of all IGMP timers. EXEC Privilege mode show ip igmp interface For more information, refer to the example shown in Viewing IGMP Enabled Interfaces. Adjusting Query and Response Timers The querier periodically sends a general query to discover which multicast groups are active. A group must have at least one host to be active.
In the following example, virtual local area network (VLAN) 400 is configured with an access list to permit only IGMP reports for group 239.0.0.1. Though Receiver 2 sends a membership report for groups 239.0.0.1 and 239.0.0.2, a multicast routing table entry is created only for group 239.0.0.1. VLAN 300 has no access list limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table. Figure 42.
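The scenario above (an IGMP access list on VLAN 400 that permits reports only for 239.0.0.1, no list on VLAN 300, and the resulting routing-table entries) as an added example in Python. This is not Dell Networking OS code: it builds and checksums IGMPv2 Membership Report packets itself, the receiver ports are constructed, and the "routing table" is a plain per-VLAN set standing in for the multicast routing table.

```python
import struct
from collections import defaultdict

IGMP_V2_REPORT = 0x16  # IGMPv2 Membership Report message type (RFC 2236)


def inet_checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_v2_report(group):
    """Constructed IGMPv2 Membership Report for one group (8 bytes)."""
    body = struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0, bytes(int(x) for x in group.split(".")))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def is_valid_igmp(pkt):
    """A correct IGMP packet checksums to zero when the checksum field is included."""
    return len(pkt) >= 8 and inet_checksum(pkt) == 0


def parse_igmp(pkt):
    """Return (type, group) or raise on a corrupted packet."""
    if not is_valid_igmp(pkt):
        raise ValueError("bad IGMP length or checksum")
    msg_type = pkt[0]
    return msg_type, ".".join(str(b) for b in pkt[4:8])


class IgmpRouter:
    """Per-VLAN IGMP access groups and the groups for which entries were created."""

    def __init__(self):
        self.access_group = {}              # vlan -> set of permitted groups
        self.mroute = defaultdict(set)      # vlan -> groups with a routing entry

    def set_access_group(self, vlan, permitted):
        self.access_group[vlan] = set(permitted)

    def receive(self, vlan, port, pkt):
        """Apply the VLAN's access list to a report; return True if an entry was created."""
        msg_type, group = parse_igmp(pkt)
        if msg_type != IGMP_V2_REPORT:
            return False                    # only v2 reports handled in this example
        if vlan in self.access_group and group not in self.access_group[vlan]:
            return False                    # report denied by the access list
        self.mroute[vlan].add(group)
        return True


def demo():
    """Receiver 2 on VLAN 400 (filtered), Receiver 1 on VLAN 300 (unfiltered)."""
    r = IgmpRouter()
    r.set_access_group(400, ["239.0.0.1"])
    for group in ("239.0.0.1", "239.0.0.2"):
        r.receive(400, "Gi 1/2", build_v2_report(group))   # Receiver 2
        r.receive(300, "Gi 1/1", build_v2_report(group))   # Receiver 1
    return {vlan: sorted(groups) for vlan, groups in r.mroute.items()}


if __name__ == "__main__":
    print(demo())
```

Only 239.0.0.1 gets an entry for VLAN 400 while VLAN 300 gets both, matching the text; the checksum check also shows the natural first filter a switch applies before it looks at group membership at all.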
Table 19. Preventing a Host from Joining a Group — Description (continued)
Location: Description
2/1:
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11:
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31:
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.1/24
• no shutdown
3/1:
• Interface GigabitEthernet 3/1
• ip pim sparse-mode
• ip address 10.11.5.
show ip igmp interface View the enable status of this feature using the command from EXEC Privilege mode, as shown in the example in Selecting an IGMP Version. IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
INTERFACE VLAN mode
ip igmp fast-leave
• View the configuration.
INTERFACE VLAN mode
show config
Dell(conf-if-vl-100)#show config
!
interface Vlan 100
no ip address
ip igmp snooping fast-leave
shutdown
Dell(conf-if-vl-100)#
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
Table 20.
• Applications can be configured or unconfigured as management applications using the application or no application command.
• All configured applications are considered as management applications and the rest of them as non-management applications.
• All the management routes (connected, static and default) are duplicated and added to the management EIS routing table.
• Any new management route added is installed to both the EIS routing table and default routing table.
• If route lookup in the EIS routing table succeeds, the application-specific packet count is incremented. This counter is viewed using the show management application pkt-cntr command. This counter is cleared using the clear management application pkt-cntr command.
• If the route lookup in the EIS routing table fails or if the management port is down, then packets are dropped.
Mapping of Management Applications and Traffic Type
The following table summarizes the behavior of applications for various types of traffic when the management egress interface selection feature is enabled.
Table 21. Mapping of Management Applications and Traffic Type
Traffic type / Application type: Switch initiated traffic | Switch-destined traffic | Transit Traffic
EIS Management Application: Management is the preferred egress port selected based on route lookup in EIS table.
EIS Behavior for ICMP: ICMP packets do not have TCP/UDP ports. To do an EIS route lookup for ICMP-based applications (ping and traceroute) using the source ip option, the management port IP address should be specified as the source IP address. If management port is down or route lookup fails, packets are dropped. Default Behavior: Route lookup is done in the default routing table and appropriate egress port is selected. Table 22.
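The EIS egress selection rules listed above (management applications look up the EIS table and are counted or dropped; everything else uses the default table; ping and traceroute use the EIS table only when the management port IP is given as the source) as an added example in Python. It is not Dell Networking OS code: the route tables, port names, the management IP and the application names are constructed, and the counter dictionary stands in for what show management application pkt-cntr displays.

```python
import ipaddress
from collections import Counter


def longest_prefix(table, dst):
    """Return the egress port of the most specific route covering dst, or None."""
    best = None
    for net, port in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return best[1] if best else None


class EisSelector:
    """Egress interface selection for switch-initiated traffic (constructed model)."""

    def __init__(self, eis_routes, default_routes, mgmt_ip, mgmt_port_up=True):
        self.eis = [(ipaddress.ip_network(p), port) for p, port in eis_routes]
        self.default = [(ipaddress.ip_network(p), port) for p, port in default_routes]
        self.mgmt_ip = mgmt_ip
        self.mgmt_port_up = mgmt_port_up
        self.mgmt_apps = set()          # configured with 'application <name>'
        self.pkt_cntr = Counter()       # per-application EIS hit counter

    def application(self, name):
        self.mgmt_apps.add(name)

    def no_application(self, name):
        self.mgmt_apps.discard(name)

    def egress(self, app, dst, source_ip=None):
        """Return (egress port or 'drop', reason) for one packet of application app."""
        dst = ipaddress.ip_address(dst)
        icmp_app = app in ("ping", "traceroute")
        # ICMP has no TCP/UDP port, so it is steered to EIS only via the source-ip option
        use_eis = app in self.mgmt_apps or (icmp_app and source_ip == self.mgmt_ip)
        if use_eis:
            port = longest_prefix(self.eis, dst)
            if port is None:
                return "drop", "no route in EIS table"
            if not self.mgmt_port_up:
                return "drop", "management port down"
            self.pkt_cntr[app] += 1
            return port, "EIS table lookup"
        port = longest_prefix(self.default, dst)
        return (port, "default table lookup") if port else ("drop", "no route")


def demo():
    sel = EisSelector(
        eis_routes=[("10.1.0.0/16", "Ma 0/0")],                       # management routes only
        default_routes=[("10.1.0.0/16", "Ma 0/0"), ("0.0.0.0/0", "Gi 1/1")],
        mgmt_ip="10.16.1.10",
    )
    sel.application("snmp")
    out = {
        "snmp_mgmt": sel.egress("snmp", "10.1.1.5")[0],
        "snmp_no_eis_route": sel.egress("snmp", "192.0.2.9")[0],
        "http_default": sel.egress("http", "192.0.2.9")[0],
        "ping_source_mgmt": sel.egress("ping", "192.0.2.9", source_ip="10.16.1.10")[0],
        "ping_default": sel.egress("ping", "192.0.2.9")[0],
        "snmp_count": sel.pkt_cntr["snmp"],
    }
    sel.mgmt_port_up = False
    out["snmp_port_down"] = sel.egress("snmp", "10.1.1.5")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry worth keeping in mind when enabling EIS: a management application is dropped rather than falling back to the default table, so a destination reachable only through a data port silently stops working for SNMP, SCP and similar applications once they are declared management applications.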
Table 23.
20 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). • The system supports 1 Gigabit Ethernet and 10 Gigabit Ethernet interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell optics are set to error-disabled state by default.
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Dynamic Counters
Interface Types
The following table describes different interface types.
Table 24.
Last clearing of "show interface" counters 00:09:54
Queueing strategy: fifo
Input Statistics:
     0 packets, 0 bytes
     0 Vlans
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     3 packets, 192 bytes, 0 underruns
     3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface.
INTERFACE mode
show config
Dell(conf-if-gi-1/5)#show config
!
interface GigabitEthernet 1/5
no ip address
portmode hybrid
switchport
rate-interval 8
mac learning-limit 10 no-station-move
no shutdown
2. Reset an interface to its factory default state.
Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 1-Gigabit Ethernet, 10-Gigabit Ethernet, 25-Gigabit Ethernet, 40-Gigabit Ethernet, 50-Gigabit Ethernet, and 100-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels.
switchport
Dell(conf-if)#show config
!
interface Port-channel 1
no ip address
switchport
no shutdown
Dell(conf-if)#
Configuring Layer 2 (Interface) Mode
To configure an interface in Layer 2 mode, use the following commands.
• Enable the interface.
INTERFACE mode
no shutdown
• Place the interface in Layer 2 (switching) mode.
INTERFACE mode
switchport
To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
INTERFACE mode
no shutdown
• Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. You can only configure one primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface.
NOTE: If you configure SNMP as the management application for EIS and you add a default management route, when you perform an SNMP walk and check the debugging logs for the source and destination IPs, the SNMP agent uses the destination address of incoming SNMP packets as the source address for outgoing SNMP responses for security. Management Interfaces The system supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system.
Output 21 packets, 3300 bytes, 20 multicast
Output 0 errors, 0 invalid protocol
Time since last interface status change: 00:06:03
If there are two RPMs on the system, configure each Management interface with a different IP address. Unless you configure the management route command, you can only access the Management interface from the local LAN. To access the Management interface from another LAN, configure the management route command to point to the Management interface.
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is 10.11.131.254 to network 0.0.0.0
Destination          Gateway                        Dist/Metric   Last Change
-----------          -------                        -----------   -----------
*S 0.0.0.1/0         via 10.11.131.254, Gi 1/1      1/0           1d2h
C  10.11.130.0/23    Direct, Gi 0/48                0/0           1d2h
Dell#
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs.
EXEC mode
show interface loopback number
• Delete a Loopback interface.
CONFIGURATION mode
no interface loopback number
Many of the commands supported on physical interfaces are also supported on a Loopback interface.
Null Interfaces
The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
• Enter INTERFACE mode of the Null interface.
As soon as you configure a port channel, Dell Networking OS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across line card resets and chassis reloads.
Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. NOTE: Port channels can contain a mix of Ethernet interfaces, but Dell Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 10/100/1000 Mbps Interfaces in Port Channels). You can add any physical interface to a port channel if the interface configuration is minimal.
     69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     2456590833 packets output, 203958235255 bytes, 0 underruns
     Output 1640 Multicasts, 56612 Broadcasts, 2456532581 Unicasts
     2456590654 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate info (interval 5 minutes):
     Input 00.01Mbits/sec, 2 packets/sec
     Output 81.
Dell(conf-if-po-3)#sho conf
!
interface Port-channel 3
no ip address
channel-member GigabitEthernet 1/8
shutdown
Dell(conf-if-po-3)#
Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
• Enter the number of links in a LAG that must be in “oper up” status.
2. Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface.
INTERFACE mode
Dell(conf-if)#switchport
3. Verify the manually configured VLAN membership (show interfaces switchport interface command).
Dell Networking OS allows you to modify the hashing algorithms used for flows and for fragments. The load-balance and hash-algorithm commands are available for modifying the distribution algorithms. Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP.
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Exclude Duplicate Entries The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Define the Interface Range
The following example shows how to define an interface-range macro named “test” to select Ten Gigabit Ethernet interfaces 5/1 through 5/4.
Example of the define interface-range Command for Macros
Dell(config)# define interface-range test gigabitethernet 5/1 - 5/4
Choosing an Interface-Range Macro
To use an interface-range macro, use the following command.
• Selects the interfaces range to be configured using the values saved in a named interface-range macro.
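The interface-range behaviour described above (a range is accepted if at least one interface in it exists, non-existing interfaces are excluded from bulk configuration, and duplicate entries are omitted) as an added example in Python. This is not Dell Networking OS code: the range syntax accepted here is a simplified form of the CLI's, and the inventory of existing interfaces is constructed.

```python
import re

# 'gigabitethernet 5/1 - 5/4', 'gigabitethernet 5/3' or 'tengigabitethernet 1/1-3'
_ITEM = re.compile(
    r"\s*(?P<type>[a-z]+)\s+(?P<s1>\d+)/(?P<p1>\d+)"
    r"(?:\s*-\s*(?:(?P<s2>\d+)/)?(?P<p2>\d+))?\s*$", re.I)


def expand_range(spec, existing):
    """Expand a comma-separated interface range into the distinct interfaces
    that exist, preserving first-seen order. Returns (selected, excluded)."""
    selected, excluded = [], []
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad interface spec: {item.strip()!r}")
        itype = m["type"].lower()
        s1, p1 = int(m["s1"]), int(m["p1"])
        s2 = int(m["s2"]) if m["s2"] else s1
        p2 = int(m["p2"]) if m["p2"] else p1
        if s2 != s1 or p2 < p1:
            raise ValueError(f"range must stay within one slot and ascend: {item.strip()!r}")
        for port in range(p1, p2 + 1):
            name = f"{itype} {s1}/{port}"
            if name not in existing:
                excluded.append(name)          # bulk configuration skips absent interfaces
            elif name not in selected:
                selected.append(name)          # duplicate entries are omitted
    return selected, excluded


def create_range(spec, existing):
    """Model the rule that a range is only created if at least one member exists."""
    selected, excluded = expand_range(spec, existing)
    if not selected:
        raise ValueError("no valid interface in range")
    return selected, excluded


def demo():
    # constructed inventory: slot 5 has ports 1 to 3 only
    inventory = {f"gigabitethernet 5/{p}" for p in (1, 2, 3)}
    return create_range("gigabitethernet 5/1 - 5/4, gigabitethernet 5/3", inventory)


if __name__ == "__main__":
    print(demo())
```

The duplicate 5/3 appears once in the prompt's selection and the absent 5/4 is listed as excluded, which is what the two behaviours above amount to when the macro from the example is applied to a partly populated slot.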
[Monitor screen residue: packet-size and error-statistics counters (Over 1023B packets, Input underruns, Input giants, Input throttles, Input CRC, Input IP checksum, Input overrun, Output underruns, Output throttles) all showing 0 and 0 pps]
m - Change mode                 c - Clear screen
l - Page up                     a - Page down
T - Increase refresh interval   t - Decrease refresh interval
q - Quit
Dell#
Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers.
• The quad port must be in a default configuration before you can split it into 4x10G ports.
• The 40G port is lost in the configuration when the port is split; be sure that the port is also removed from other L2/L3 feature configurations.
The system must be reloaded after issuing the CLI for the change to take effect.
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA).
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
For these configurations, the following examples show the command output that the show interfaces tengigabitethernet transceiver, show interfaces tengigabitethernet, and show inventory media commands display:
NOTE: In the following show interfaces tengigabitethernet commands, ports 1, 2, and 3 are inactive and no physical SFP or SFP+ connection actually exists on these ports.
To view a dampening summary for the entire system, use the show interfaces dampening summary command from EXEC Privilege mode.
Dell# show interfaces dampening summary
20 interfaces are configured with dampening.
3 interfaces are currently suppressed.
Following interfaces are currently suppressed:
Gi 1/2
Gi 3/1
Gi 4/2
Dell#
Clearing Dampening Counters
To clear dampening counters and accumulated penalties, use the following command.
• Clear dampening counters.
• ecmp-group
View all LAG link bundles being monitored.
show running-config ecmp-group
Using Ethernet Pause Frames for Flow Control
Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
○ negotiate: enable pause-negotiation with the egress port of the peer device. If the negotiate command is not used, pause-negotiation is disabled. 40 gigabit Ethernet interfaces do not support pause-negotiation.
○ threshold: when you configure tx on, you can set the threshold values for:
▪ Number of flow-control packet pointers: the range is from 1 to 2047 (default = 75).
▪ Flow-control buffer threshold in KB: the range is from 1 to 2013 (default = 49KB).
NOTE: When you use a copper SFP2 module with catalog number GP-SFP2-1T in the S25P model, you can manually set its speed with the speed command. When the speed is set to 10Mbps or 100Mbps, you can use the duplex command. The local interface and the directly connected remote interface must have the same setting, and auto-negotiation is the easiest way to accomplish that, as long as the remote interface is capable of auto-negotiation.
Gi 1/8   Down   Auto   Auto
Gi 1/9   Down   Auto   Auto
Gi 1/10  Down   Auto   Auto
Gi 1/11  Down   Auto   Auto
Gi 1/12  Down   Auto   Auto
[output omitted]
------
In the previous example, several ports display “Auto” in the Speed field. In the following example, the speed of port 1/1 is set to 100Mb and then its auto-negotiation is disabled.
View Advanced Interface Information The following options have been implemented for the show [ip | running-config] interfaces commands for (only) stackunit interfaces. When you use the configured keyword, only interfaces that have non-default configurations are displayed. Dummy stack-unit interfaces (created with the stack-unit command) are treated like any other physical interface.
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h44m
Queueing strategy: fifo
0 packets input, 0 bytes
Input 0 IP Packets, 0 Vlans 0 MPLS
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 byte
• L2 ACL
• L2 FIB
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones. Without an interface specified, the command clears all interface counters.
21 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with the Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
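The following is an added example, not code from the Dell guide or from Dell Networking OS, that evaluates the eight match entries shown above against a management flow so you can confirm which traffic the crypto policy would actually protect. It assumes that a port value of 0 in a match entry means "any port" (the entries above pair a fixed port in one direction with 0 in the other, which is consistent with that reading); the entry format, helper names and sample flows are otherwise constructed for the example.

```python
# Added example (not from the Dell guide): evaluate crypto policy match entries
# against a management flow. Assumption: port 0 in an entry means "any port".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class MatchEntry:
    seq: int
    protocol: str
    src: str        # source prefix, e.g. "a::1/128"
    src_port: int   # 0 = any (assumption)
    dst: str        # destination prefix
    dst_port: int   # 0 = any (assumption)


def parse_match_line(line: str) -> MatchEntry:
    """Parse one 'match <seq> <proto> <src> /<len> <sport> <dst> /<len> <dport>' line."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "match":
        raise ValueError(f"unrecognised match line: {line!r}")
    return MatchEntry(int(tok[1]), tok[2].lower(), tok[3] + tok[4], int(tok[5]),
                      tok[6] + tok[7], int(tok[8]))


def parse_policy(text: str) -> List[MatchEntry]:
    """Parse a block of match lines, ignoring blank lines."""
    return [parse_match_line(line) for line in text.strip().splitlines() if line.strip()]


def entry_matches(entry: MatchEntry, protocol: str, src: str, sport: int,
                  dst: str, dport: int) -> bool:
    """True when the flow falls inside the entry's prefixes, protocol and ports."""
    s, d = ip_address(src), ip_address(dst)
    src_net = ip_network(entry.src, strict=False)
    dst_net = ip_network(entry.dst, strict=False)
    if s.version != src_net.version or d.version != dst_net.version:
        return False   # an IPv4 flow cannot match an IPv6 entry and vice versa
    return (entry.protocol == protocol.lower()
            and s in src_net and d in dst_net
            and entry.src_port in (0, sport)
            and entry.dst_port in (0, dport))


def select_entry(policy: List[MatchEntry], protocol: str, src: str, sport: int,
                 dst: str, dport: int) -> Optional[MatchEntry]:
    """First entry in sequence order that matches the flow; None means the flow is not covered."""
    for entry in sorted(policy, key=lambda e: e.seq):
        if entry_matches(entry, protocol, src, sport, dst, dport):
            return entry
    return None


# The policy as printed in the guide above.
POLICY_TEXT = """
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""
POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # Constructed flows: Telnet to a::2 is covered, SSH between the IPv4 hosts is not.
    print(select_entry(POLICY, "tcp", "a::1", 40000, "a::2", 23))
    print(select_entry(POLICY, "tcp", "1.1.1.1", 40000, "1.1.1.2", 22))
```

Walking the flows through select_entry shows the property worth checking before you apply the policy: the entries cover Telnet (23) and FTP control (21) in both directions between the two address pairs and nothing else, so any other management protocol between those hosts travels outside IPSec.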
22 IPv4 Routing The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
IP Addresses
Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address. At its most basic level, an IP address is 32 bits composed of network and host portions and represented in dotted decimal format.
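As an added example (not from the Dell guide), the following code shows the mask arithmetic behind the A.B.C.D/len form the guide requires: it separates an address into network and host portions and then carves one network into subnets of different masks, which is what VLSM means in practice. Function names and the sample networks are constructed for the example.

```python
# Added example (not from the Dell guide): mask arithmetic behind "ip address A.B.C.D/len"
# and a VLSM allocator that carves one network into subnets of different masks.
from typing import Dict, List, Tuple


def parse_ipv4(text: str) -> int:
    """Convert dotted-decimal A.B.C.D to a 32-bit integer, rejecting malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {text!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix_len: int) -> int:
    """Build the 32-bit mask for a /len prefix (the slash form the guide requires)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split_address(cidr: str) -> Dict[str, object]:
    """Separate A.B.C.D/len into its network and host portions."""
    addr_text, _, len_text = cidr.partition("/")
    addr = parse_ipv4(addr_text)
    mask = prefix_mask(int(len_text))
    network = addr & mask
    host_bits = ~mask & 0xFFFFFFFF
    return {
        "network": format_ipv4(network),
        "mask": format_ipv4(mask),
        "host": addr & host_bits,                    # host portion as an integer
        "broadcast": format_ipv4(network | host_bits),
        "usable_hosts": max((host_bits + 1) - 2, 0),  # minus network and broadcast
    }


def vlsm_allocate(cidr: str, host_counts: List[int]) -> List[Tuple[str, int]]:
    """Give each host-count demand the smallest subnet that fits, largest demand first.

    Returns (subnet/len, requested_hosts) pairs and raises ValueError when the
    parent network cannot hold every demand.
    """
    parent = split_address(cidr)
    cursor = parse_ipv4(str(parent["network"]))
    last = parse_ipv4(str(parent["broadcast"]))
    allocations: List[Tuple[str, int]] = []
    for hosts in sorted(host_counts, reverse=True):
        bits = 2                                   # /30 is the smallest subnet with usable hosts
        while (1 << bits) - 2 < hosts:
            bits += 1
        size = 1 << bits
        if cursor % size:                          # a subnet must start on its own boundary
            cursor += size - cursor % size
        if cursor + size - 1 > last:
            raise ValueError(f"{cidr} cannot hold a subnet for {hosts} hosts")
        allocations.append((f"{format_ipv4(cursor)}/{32 - bits}", hosts))
        cursor += size
    return allocations


if __name__ == "__main__":
    print(split_address("172.31.5.17/24"))          # constructed sample address
    print(vlsm_allocate("192.168.1.0/24", [20, 100, 50]))
```

Allocating the largest demand first keeps every subnet aligned to its own block size, which is why the allocator sorts before it walks the parent network.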
• ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
• secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S 11.1.1.0/24 Direct, Lo 0
Direct, Nu 0 0/0 00:02:30
--More--
Dell Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface (for example, if interface GigabitEthernet 1/1 is on the 172.31.5.0 subnet, Dell Networking OS installs the static route). Dell Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
Using the Configured Source IP Address in ICMP Messages ICMP error or unreachable messages are now sent with the configured IP address of the source interface instead of the front-end port IP address as the source IP address. Enable the generation of ICMP unreachable messages through the ip unreachable command in Interface mode. When a ping or traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static route, it is discarded.
ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
CONFIGURATION mode
ip domain-name name
• Enter up to 63 characters to configure names to complete unqualified host names.
CONFIGURATION mode
ip domain-list name
Configure this command up to six times to specify a list of possible domain names. Dell Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted.
Configuring DNS with Traceroute
To configure your switch to perform DNS with traceroute, use the following commands.
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
○ no-refresh (OPTIONAL): enter the keyword no-refresh to delete the ARP entry from CAM. To specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address.
○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a port channel interface, enter the keywords port-channel then a number.
Figure 44. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
Configuring ARP Retries
You can configure the number of ARP retries. The default backoff interval remains at 20 seconds. On the device, the time between ARP resends is configurable. This timer is an exponential backoff timer.
Enabling ICMP Unreachable Messages
By default, ICMP unreachable messages are disabled. When enabled, ICMP unreachable messages are created and sent out all interfaces. To disable and re-enable ICMP unreachable messages, use the following commands.
• Disable ICMP unreachable messages.
INTERFACE mode
no ip unreachable
• Set Dell Networking OS to create and send ICMP unreachable messages on the interface.
-------------------------------------------------
Gi 1/1 1000
Configuring a Broadcast Address
To configure a broadcast address, use the following command.
• Configure a broadcast address on an interface.
ip udp-broadcast-address
Dell(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255
Dell(conf-if-vl-100)#show config
!
interface Vlan 100
 ip address 1.1.0.1/24
 ip udp-broadcast-address 1.1.255.
2. If you enabled UDP helper, the system changes the destination IP address to the configured broadcast address 1.1.255.255 and forwards the packet to VLAN 100.
3. Packet 2 is also forwarded to the ingress interface with an unchanged destination address because it does not have a broadcast address configured.
Figure 45.
Figure 47. UDP Helper with Configured Broadcast Addresses
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
• If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
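The following is an added example, not from the Dell guide, that models the UDP helper forwarding decision described in the two cases above: a limited-broadcast packet is copied to every Layer 3 interface and a subnet-broadcast packet only to the interfaces whose subnet it names, and on an interface with ip udp-broadcast-address configured the destination is rewritten to that address while other interfaces receive it unchanged. VLAN 100 uses the addresses shown in the guide; the other interfaces, the class and function names are constructed assumptions.

```python
# Added example (not from the Dell guide): UDP helper forwarding decision per interface.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class L3Interface:
    name: str
    address: str                        # as set with "ip address", e.g. "1.1.0.1/24"
    udp_broadcast: Optional[str] = None  # as set with "ip udp-broadcast-address", or None

    @property
    def subnet_broadcast(self) -> IPv4Address:
        """Directed broadcast address of the interface's own subnet."""
        return IPv4Interface(self.address).network.broadcast_address


def udp_helper_forward(dst: str, interfaces: List[L3Interface]) -> List[Tuple[str, str]]:
    """Return (interface, destination written on the forwarded copy) for a UDP broadcast.

    Limited broadcast goes to every Layer 3 interface; a subnet broadcast goes only to
    the interfaces whose subnet it names; anything else is not helper traffic.
    An interface with a configured udp-broadcast-address gets that address as the
    new destination, any other interface gets the original destination unchanged.
    """
    dst_addr = IPv4Address(dst)
    if dst_addr == LIMITED_BROADCAST:
        targets = list(interfaces)
    else:
        targets = [i for i in interfaces if i.subnet_broadcast == dst_addr]
    return [(i.name, i.udp_broadcast or str(dst_addr)) for i in targets]


# Constructed topology: VLAN 100 matches the guide's configuration, the rest is assumed.
INTERFACES = [
    L3Interface("Vlan 100", "1.1.0.1/24", udp_broadcast="1.1.255.255"),
    L3Interface("Vlan 200", "1.1.1.1/24"),
    L3Interface("GigabitEthernet 1/1", "10.0.0.1/24"),
]

if __name__ == "__main__":
    for dst in ("255.255.255.255", "1.1.0.255", "10.0.0.255", "10.0.0.5"):
        print(dst, "->", udp_helper_forward(dst, INTERFACES))
```

Running the four constructed destinations shows the behaviour to check before enabling the helper on a segment: only VLAN 100 rewrites the destination, every other interface forwards the broadcast as received, and a unicast destination is never touched.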
23 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful autoconfiguration.
NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered as shown in the following illustration.
Figure 48. IPv6 Header Fields
Version (4 bits)
The Version field always contains the number 6, referring to the packet’s IP version.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are set by the packet source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value | Description
41 | IPv6
43 | Routing header
44 | Fragmentation header
50 | Encrypted Security
51 | Authentication header
59 | No Next Header
60 | Destination options header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing.
This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero).
• Options (size varies)
This field can contain one or more options. The first byte of the field identifies the option type and directs the router how to handle the option.
00 Skip and continue processing.
01 Discard the packet.
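The following is an added example, not from the Dell guide, that parses the fixed 40-byte IPv6 header and a Hop-by-Hop Options header exactly as the preceding fields describe them: the Hdr Ext Len in 8-byte units excluding the first 8 bytes, the option type byte whose two highest-order bits select skip or discard, and the Hop Limit that a forwarding router decrements. The Next Header names come from the guide's table plus the standard values 0, 6, 17 and 58; the packet builder, the option-set treated as recognised (Pad1, PadN, Router Alert) and all sample packets are constructed for the example, and every length is bounds-checked so a malformed header raises instead of reading past the buffer.

```python
# Added example (not from the Dell guide): parse the IPv6 header and a Hop-by-Hop
# Options header, applying the option-type action bits and the Hop Limit rule.
import struct
from typing import Dict, List, Optional, Tuple

# Next Header values from the guide's table plus 0 (Hop-by-Hop), 6 (TCP), 17 (UDP), 58 (ICMPv6).
NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop options", 6: "TCP", 17: "UDP", 41: "IPv6", 43: "Routing header",
    44: "Fragmentation header", 50: "Encrypted Security", 51: "Authentication header",
    58: "ICMPv6", 59: "No Next Header", 60: "Destination options header",
}
# The two highest-order bits of an option type say what to do with an unrecognised option.
OPTION_ACTIONS = {0b00: "skip", 0b01: "discard", 0b10: "discard+icmp", 0b11: "discard+icmp-unicast-only"}
RECOGNISED_OPTIONS = {0, 1, 5}   # Pad1, PadN, Router Alert (assumed set for this example)


def parse_ipv6_header(packet: bytes) -> Dict[str, object]:
    """Decode the fixed 40-byte header; reject wrong versions and short payloads."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError(f"not IPv6 (version {first_word >> 28})")
    if len(packet) < 40 + payload_len:
        raise ValueError("payload shorter than Payload Length field")
    return {"version": 6, "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF, "payload_length": payload_len,
            "next_header": next_hdr, "hop_limit": hop_limit,
            "src": packet[8:24], "dst": packet[24:40]}


def parse_hop_by_hop(ext: bytes) -> Tuple[int, List[Dict[str, object]], int]:
    """Return (next header, options, header length in bytes), bounds-checked throughout."""
    if len(ext) < 8:
        raise ValueError("truncated Hop-by-Hop header")
    next_hdr, ext_len = ext[0], ext[1]
    total = (ext_len + 1) * 8              # Hdr Ext Len excludes the first 8 bytes
    if len(ext) < total:
        raise ValueError("Hop-by-Hop header longer than remaining payload")
    options, pos = [], 2
    while pos < total:
        opt_type = ext[pos]
        if opt_type == 0:                  # Pad1 is a single byte with no length field
            options.append({"type": 0, "action": "skip", "data": b""})
            pos += 1
            continue
        if pos + 2 > total or pos + 2 + ext[pos + 1] > total:
            raise ValueError(f"option type {opt_type} overruns Hop-by-Hop header")
        opt_len = ext[pos + 1]
        options.append({"type": opt_type, "action": OPTION_ACTIONS[opt_type >> 6],
                        "data": ext[pos + 2:pos + 2 + opt_len]})
        pos += 2 + opt_len
    return next_hdr, options, total


def decide(packet: bytes) -> Dict[str, object]:
    """What a forwarding router does with the packet: forward, or discard and why."""
    hdr = parse_ipv6_header(packet)
    verdict: Dict[str, object] = {"action": "forward", "upper_protocol": hdr["next_header"], "options": []}
    if hdr["hop_limit"] <= 1:              # decrementing the Hop Limit would reach zero
        verdict["action"] = "discard: hop limit exhausted"
        return verdict
    if hdr["next_header"] == 0:
        nxt, options, _ = parse_hop_by_hop(packet[40:40 + hdr["payload_length"]])
        verdict["upper_protocol"], verdict["options"] = nxt, options
        for opt in options:
            if opt["type"] not in RECOGNISED_OPTIONS and opt["action"] != "skip":
                verdict["action"] = f"discard: unknown option type {opt['type']} ({opt['action']})"
                break
    verdict["upper_protocol_name"] = NEXT_HEADER_NAMES.get(verdict["upper_protocol"], "unassigned/other")
    return verdict


def build_hop_by_hop(upper: int, options: bytes) -> bytes:
    """Constructed Hop-by-Hop header, padded to a multiple of 8 bytes with Pad1/PadN."""
    body = bytes([upper, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += b"\x00"
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([upper, len(body) // 8 - 1]) + body[2:]


def build_packet(hop_limit: int, hbh: Optional[bytes], upper: int = 17) -> bytes:
    """Constructed packet from 2001:db8::1 to 2001:db8::2 with 8 bytes of dummy payload."""
    payload = (hbh or b"") + b"\x00" * 8
    first_word = (6 << 28) | (0x10 << 20) | 0xABCDE   # traffic class 0x10, flow label 0xabcde
    header = struct.pack("!IHBB", first_word, len(payload), 0 if hbh else upper, hop_limit)
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return header + src + dst + payload


if __name__ == "__main__":
    print(decide(build_packet(64, build_hop_by_hop(17, bytes([5, 2, 0, 0]))))["action"])
    print(decide(build_packet(64, build_hop_by_hop(6, bytes([0x40, 0]))))["action"])
```

The two unknown-option cases are the ones to keep in mind when reading the table above: type 0x3F has action bits 00 and is skipped, while type 0x40 differs only in the top bits (01) and causes the packet to be discarded.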
In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet.
Implementing IPv6 with Dell Networking OS
Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature.
Table 27.
Table 27. Dell Networking OS versions and supported platforms with IPv6 support (continued)
Feature and Functionality | Dell Networking OS Release Introduction (S3048–ON) | Documentation and Chapter Location
ISIS for IPv6 support for distribute lists and administrative distance | 9.7.(0.1) |
OSPF for IPv6 (OSPFv3) | 9.7.(0.1) |
Equal Cost Multipath for IPv6 | 9.7.(0.1) |
Intermediate System to Intermediate System | | IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
Path MTU Discovery Path MTU, in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
Figure 50. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server address is 1000::1 with lifetime of 1 seconds
ND dns-server address is 3000::1 with lifetime of 1 seconds
ND dns-server address is 200
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings.
• Allocate space for IPv6 ACLs. Enter the CAM profile name then the allocated amount.
CONFIGURATION mode
cam-acl { ipv6acl }
When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. The ipv6acl range must be a factor of 2.
• Show the current CAM settings.
Enter the keyword interface then the type of interface and slot/port information:
○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For a port channel interface, enter the keywords port-channel then a number.
rpf
Dell#
RPF table
Displaying IPv6 Interface Information
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
EXEC mode
show ipv6 interface interface {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
○ For a brief summary of IPv6 status and configuration, enter the keyword brief.
○ To display a brief summary of all IPv6 routes, enter summary.
○ To display information about Border Gateway Protocol (BGP) routes, enter bgp.
○ To display information about ISO IS-IS routes, enter isis.
○ To display information about Open Shortest Path First (OSPF) routes, enter ospf.
○ To display information about Routing Information Protocol (RIP) routes, enter rip.
○ To display information about static IPv6 routes, enter static.
○ For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.
Dell#show run int gigabitethernet 2/2
!
interface GigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
Dell#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
EXEC mode
clear ipv6 route {* | ipv6 address prefix-length}
○ *: all routes.
POLICY LIST CONFIGURATION mode
match ra {ipv6-access-list name | ipv6-prefix-list name | mac-access-list name}
8. Enable verification of the advertised other configuration parameter.
POLICY LIST CONFIGURATION mode
other-config-flag {on | off}
9. Enable verification of the advertised default router preference value. The preference value must be less than or equal to the specified limit.
POLICY LIST CONFIGURATION mode
router-preference maximum {high | low | medium}
10. Set the router lifetime.
2. Apply the IPv6 RA guard to a specific interface.
INTERFACE mode
ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vlan 2, vlan 3.....]]
3. Display the configurations applied on all the RA guard policies or a specific RA guard policy.
EXEC Privilege mode
show ipv6 nd ra-guard policy policy-name
The policy name string can be up to 140 characters.
24 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a routing protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 51. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Accepts external IPv6 information and advertises this information in the PDUs.
The following table lists the default IS-IS values.
Table 28.
To configure IS-IS globally, use the following commands.
1. Create an IS-IS routing process.
CONFIGURATION mode
router isis [tag]
tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
ROUTER ISIS mode
net network-entity-title
Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing.
3. Enter the interface configuration mode.
47.0004.004d.0001
Interfaces supported by IS-IS:
Vlan 2
GigabitEthernet 4/22
Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4. Implement a wide metric-style globally.
ROUTER ISIS AF IPV6 mode
isis ipv6 metric metric-value [level-1 | level-2 | level-1-2]
To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
lsp-gen-interval [level-1 | level-2] seconds
○ seconds: the range is from 0 to 120. The default is 5 seconds. The default level is Level 1.
• Set the LSP size.
ROUTER ISIS mode
lsp-mtu size
○ size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
ROUTER ISIS mode
lsp-refresh-interval seconds
○ seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
Table 29. Metric Styles (continued)
Metric Style | Characteristics | Cost Range Supported on IS-IS Interfaces
narrow transition | Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs. | 0 to 63
wide transition | Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs. | 0 to 16777215
To change the IS-IS metric style of the IS-IS process, use the following command.
• Set the metric style for the IS-IS process.
For more information about this command, refer to Configuring the IS-IS Metric Style. The following table describes the correct value range for the isis metric command.
Metric Style | Correct Value Range
wide | 0 to 16777215
narrow | 0 to 63
wide transition | 0 to 16777215
narrow transition | 0 to 63
transition | 0 to 63
To view the interface’s current metric, use the show config command in INTERFACE mode or the show isis interface command in EXEC Privilege mode.
Dell#
Controlling Routing Updates
To control the source of IS-IS route information, use the following command.
• Disable a specific interface from sending or receiving IS-IS routing information.
ROUTER ISIS mode
passive-interface interface
○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown. • Apply a configured prefix list to all incoming IPv6 IS-IS routes.
redistribute ospf process-id [level-1 | level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
○ process-id: the range is from 1 to 65535.
○ level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
○ metric value: the range is from 0 to 16777215. The default is 0.
○ match external: the value is 1 or 2.
FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs.
• Set the authentication password for a routing domain.
ROUTER ISIS mode
domain-password [encryption-type | hmac-md5] password
FTOS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs.
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View information about IS-IS local update packets.
EXEC Privilege mode
debug isis local-updates [interface]
To view specific information, enter the following optional parameter:
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View IS-IS SNP packets, including CSNPs and PSNPs.
Metric Style | Correct Value Range for the isis metric Command
wide transition | 0 to 16777215
narrow transition | 0 to 63
transition | 0 to 63
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Table 30. Metric Value When the Metric Style Changes (continued)
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
wide transition | wide | original value
wide transition | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition | narrow transition | default value (10) if the original value is greater than 63. A message is sent to the console.
Table 32.
Figure 52. IPv6 IS-IS Sample Topology
The following is a sample configuration for enabling IPv6 IS-IS.
IS-IS Sample Configuration — Congruent Topology
Dell(conf-if-gi-3/17)#show config
!
interface GigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
Dell(conf-if-gi-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition
Dell(conf-if-gi-3/17)#show config
!
interface GigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-gi-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes
Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
• Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
• Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
Creating a LAG
To create a dynamic port channel (LAG), use the following commands. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
• Create a dynamic port channel (LAG).
CONFIGURATION mode
switchport
Dell(conf)#interface port-channel 32
Dell(conf-if-po-32)#no shutdown
Dell(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
To configure LACP long timeout, use the following command.
• Set the LACP timeout value to 30 seconds.
CONFIG-INT-PO mode
lacp long-timeout
Dell(conf)# interface port-channel 32
Dell(conf-if-po-32)#no shutdown
Dell(conf-if-po-32)#switchport
Dell(conf-if-po-32)#lacp long-timeout
Dell(conf-if-po-32)#end
Dell# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e800.a12b
Partner System ID: Priority 32768, Address 0001.e801.
Figure 53. Shared LAG State Tracking
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
Figure 54. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
• 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
• 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 55. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 CRC, 0 overrun, 0 discarded
Output Statistics
136 packets, 16718 bytes, 0 underruns
0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
136 Multicasts, 0 Broadcasts, 0 Unicasts
0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.
Figure 57.
Figure 58.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-gi-3/21-lacp)#no shut
Bravo(conf-if-gi-3/21)#end
!
interface GigabitEthernet 3/21
 no ip address
!
port-channel-
Figure 59.
Figure 60.
Figure 61. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
26 Layer 2
This chapter describes the Layer 2 features supported on the device.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
• Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
INTERFACE mode
mac learning-limit address_limit
Three options are available with the mac learning-limit command:
○ dynamic
○ no-station-move
○ station-move
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
To display a list of all interfaces with a MAC learning limit, use the following command.
• Display a list of all interfaces with a MAC learning limit.
EXEC Privilege mode
show mac learning-limit
Dell Networking OS Behavior: The systems do not generate a station-move violation log entry for physical interfaces or port-channels when you configure mac learning-limit or when you configure mac learning-limit station-move-violation log.
Recovering from Learning Limit and Station Move Violations
After a learning-limit or station-move violation shuts down an interface, you must manually reset it. To reset the learning limit, use the following commands.
NOTE: Alternatively, you can reset the interface by shutting it down using the shutdown command and then re-enabling it using the no shutdown command.
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation.
Figure 63. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 64. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the above illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
and Gi 1/2
Dell(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration.
Figure 65.
EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again.
Interface  Mode    Interval (second)  State
Gi 1/1     Normal  3                  Bi-directional
Gi 1/2     Normal  3                  Admin Shutdown
Gi 1/3     Normal  3                  Admin Shutdown
Gi 1/4     Normal  3                  Admin Shutdown

Dell#show run fefd
!
fefd-global mode normal
fefd-global interval 3

Enabling FEFD on an Interface

To enable, change, or disable FEFD on an interface, use the following commands.

• Enable FEFD on a per interface basis.
  INTERFACE mode
  fefd
• Change the FEFD mode.
  INTERFACE mode
  fefd [mode {aggressive | normal}]
• Disable FEFD protocol on one interface.
EXEC Privilege mode
debug fefd packets

Dell#debug fefd events
Dell#config
Dell(conf)#int gi 1/1
Dell(conf-if-gi-1/1)#shutdown
2w1d22h: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Gi 1/1
Dell(conf-if-gi-1/1)#2w1d22h : FEFD state on Gi 1/1 changed from ANY to Unknown
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 1/1
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 4/1
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interfac
27 Link Layer Discovery Protocol (LLDP)

This chapter describes how to configure and use the link layer discovery protocol (LLDP).

Topics:
• 802.
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
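As an added example (not Dell Networking OS code), the following Python 3.8+ parser walks an LLDPDU built from the TLV layout described above: it enforces the mandatory Chassis ID, Port ID, TTL and End framing, decodes a port description, an IEEE 802.1 Port VLAN ID and an IEEE 802.3 Maximum Frame Size TLV, and rejects a frame whose TLV length runs past the buffer. The sample LLDPDU bytes are constructed; the 802.3 (00-12-0F) and TIA (00-12-BB) OUIs are standard values that do not appear on this page.

```python
"""Minimal LLDPDU parser (added example; not Dell Networking OS code).

An LLDPDU is a sequence of TLVs.  Each TLV starts with a 16-bit header
(7-bit type, 9-bit length) followed by `length` bytes of value.  Chassis ID,
Port ID and TTL must come first, in that order, and the End TLV (type 0,
length 0) closes the LLDPDU.  Type 127 is an organizationally specific TLV:
a 3-byte OUI, a 1-byte subtype, then the payload.
"""
import struct

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, ORG_SPECIFIC = 0, 1, 2, 3, 4, 127
OUI_8021 = b"\x00\x80\xc2"   # IEEE 802.1 (the OUI quoted on this page)
OUI_8023 = b"\x00\x12\x0f"   # IEEE 802.3 (standard value, assumed here)
OUI_TIA = b"\x00\x12\xbb"    # TIA-1057 LLDP-MED (standard value, assumed here)


class LLDPError(ValueError):
    """Malformed or non-conformant LLDPDU."""


def _u16(value, what):
    """Unpack a 2-byte big-endian field, rejecting any other length."""
    if len(value) != 2:
        raise LLDPError("%s must be exactly 2 bytes" % what)
    return struct.unpack("!H", value)[0]


def split_tlvs(data):
    """Return [(type, value), ...]; every length is checked against the buffer."""
    tlvs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise LLDPError("truncated TLV header at offset %d" % off)
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise LLDPError("TLV type %d runs %d bytes past the end of the frame"
                            % (tlv_type, off + length - len(data)))
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
        if tlv_type == END:
            if length != 0 or off != len(data):
                raise LLDPError("End TLV must be empty and last")
            return tlvs
    raise LLDPError("missing End of LLDPDU TLV")


def decode_tlv(tlv_type, value):
    """Decode the TLV types this example understands; others stay as hex."""
    if tlv_type in (CHASSIS_ID, PORT_ID):
        if not value:
            raise LLDPError("empty Chassis ID / Port ID TLV")
        subtype, ident = value[0], value[1:]
        # Chassis subtype 4 and port subtype 3 carry a MAC; others are text-like.
        as_mac = (tlv_type == CHASSIS_ID and subtype == 4) or \
                 (tlv_type == PORT_ID and subtype == 3)
        name = "chassis_id" if tlv_type == CHASSIS_ID else "port_id"
        return name, ident.hex(":") if as_mac else ident.decode("ascii", "replace")
    if tlv_type == TTL:
        return "ttl", _u16(value, "TTL")
    if tlv_type == PORT_DESC:
        return "port_description", value.decode("ascii", "replace")
    if tlv_type == ORG_SPECIFIC:
        if len(value) < 4:
            raise LLDPError("organizationally specific TLV shorter than OUI + subtype")
        oui, subtype, payload = value[:3], value[3], value[4:]
        if oui == OUI_8021 and subtype == 1:       # Port VLAN ID
            return "port_vlan_id", _u16(payload, "Port VLAN ID")
        if oui == OUI_8023 and subtype == 4:       # Maximum Frame Size
            return "max_frame_size", _u16(payload, "Maximum Frame Size")
        return "org_%s_%d" % (oui.hex(), subtype), payload.hex()
    return "tlv_%d" % tlv_type, value.hex()


def parse_lldpdu(data):
    """Parse an LLDPDU into a dict, enforcing the mandatory TLV order."""
    tlvs = split_tlvs(data)
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must open the LLDPDU")
    out = {}
    for tlv_type, value in tlvs:
        if tlv_type == END:
            break
        key, decoded = decode_tlv(tlv_type, value)
        out.setdefault(key, decoded)       # first occurrence wins
    return out


# Constructed sample LLDPDU, not captured from a real device.
SAMPLE_LLDPDU = bytes.fromhex(
    "0207" "04" "0001e806aabb"             # Chassis ID, subtype 4 (MAC)
    "0408" "05" + b"Gi 1/31".hex() +       # Port ID, subtype 5 (interface name)
    "0602" "0078"                          # TTL = 120 s
    "0806" + b"uplink".hex() +             # Port description
    "fe06" "0080c2" "01" "0064"            # 802.1 Port VLAN ID = 100
    "fe06" "00120f" "04" "05ee"            # 802.3 Maximum Frame Size = 1518
    "0000"                                 # End of LLDPDU
)

if __name__ == "__main__":
    for key, val in parse_lldpdu(SAMPLE_LLDPDU).items():
        print("%-16s %s" % (key, val))
```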
IEEE Organizationally Specific TLVs

Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.

Table 35. Optional TLV Types
Type  TLV               Description
4     Port description  A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Table 35. Optional TLV Types (continued)
Type  TLV                 Description
127   Maximum Frame Size  Indicates the maximum frame size capability of the MAC and PHY.
Table 36. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued)
Type  SubType  TLV                            Description
Inventory Management TLVs: Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. Dell Networking OS does not currently support these TLVs.
127   5        Inventory — Hardware Revision  Indicates the hardware revision of the LLDP-MED device.
127   6        Inventory — Firmware Revision  Indicates the firmware revision of the LLDP-MED device.
Table 37. Dell Networking OS LLDP-MED Capabilities (continued)
Bit Position  TLV       Dell Networking OS Support
6–15          reserved  No

Table 38. LLDP-MED Device Types
Value  Device Type
0      Type Not Defined
1      Endpoint Class 1
2      Endpoint Class 2
3      Endpoint Class 3
4      Network Connectivity
5–255  Reserved

LLDP-MED Network Policies TLV

A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Table 39. Network Policy Applications (continued)
Type   Application      Description
7      Streaming Video  Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video.
8      Video Signaling  Specify this application type only if video control packets use a separate network policy than video data.
9–255  Reserved         —
• Debugging LLDP

Important Points to Remember

• LLDP is enabled by default.
• Dell Networking systems support up to eight neighbors per interface.
• Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000.
• INTERFACE level configurations override all CONFIGURATION level configurations.
• LLDP is not hitless.
   CONFIGURATION or INTERFACE mode
   protocol lldp
2. Enable LLDP.
   PROTOCOL LLDP mode
   no disable

Disabling and Undoing LLDP

To disable or undo LLDP, use the following command.
• Disable LLDP globally or for an interface.
  disable
To undo an LLDP configuration, precede the relevant command with the keyword no.

Enabling LLDP on Management Ports

LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
   PROTOCOL LLDP mode
   advertise {dcbx-appln-tlv | dcbx-tlv | dot3-tlv | interface-port-desc | management-tlv | med}
   Include the keyword for each TLV you want to advertise.
   • For management TLVs: system-capabilities, system-description.
   • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id vlan-name.
   • For 802.3 TLVs: max-frame-size.
 no disable
Dell(conf-lldp)#
Dell(conf-lldp)#exit
Dell(conf)#interface gigabitethernet 1/31
Dell(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
Dell(conf-if-gi-1/31)#protocol lldp
Dell(conf-if-gi-1/31-lldp)#show config
!
 protocol lldp
Dell(conf-if-gi-1/31-lldp)#

Viewing Information Advertised by Adjacent LLDP Agents

To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
Dell Application Software Version: 9.4.0.0.
 no mode
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx    Rx only
tx    Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disabl
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#

Debugging LLDP

You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
• View a readable version of the TLVs.
  debug lldp brief
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
  debug lldp detail
Table 40. LLDP Configuration MIB Objects
MIB Object Category  LLDP Variable  LLDP MIB Object              Description
LLDP Configuration   adminStatus    lldpPortConfigAdminStatus    Whether you enable the local LLDP agent for transmit, receive, or both.
                     msgTxHold      lldpMessageTxHoldMultiplier  Multiplier value.
                     msgTxInterval  lldpMessageTxInterval        Transmit Interval value.
                     rxInfoTTL      lldpRxInfoTTL                Time to live for received TLVs.
                     txInfoTTL      lldpTxInfoTTL                Time to live for transmitted TLVs.
Table 42. LLDP 802.1 Organizationally specific TLV MIB Objects (continued)
TLV Type  TLV Name  TLV Variable  System  LLDP MIB Object
                                  Remote  lldpXdot1RemVlanName
28 Microsoft Network Load Balancing

Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
• When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
• The ip vlan-flooding command applies globally across the system and for all VLANs.
   This setting causes the multicast MAC address to be mapped to the cluster IP address for the NLB mode of operation of the switch.
2. Associate specific MAC or hardware addresses to VLANs.
29 Multicast Source Discovery Protocol (MSDP)

Multicast source discovery protocol (MSDP) is supported on Dell Networking OS.

Protocol Overview

MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Implementation Information

The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol

Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 79. Configuring MSDP

Enable MSDP

Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source

R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.

R3#show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache

To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa

Accept Source-Active Messages that Fail the RPF Check

A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 83. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages

To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.

Dell(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr  RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66  200.0.1.50  10.0.50.2    Rpf-Fail

Limiting the Source-Active Messages from a Peer

To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
   ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl

As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
R3(conf)#do show ip msdp sa-cache
R3(conf)#

To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.

Logging Changes in Peership States

To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes

Terminating a Peership

MSDP uses TCP as its transport protocol.
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 0.0.0.0(0) Connect Source: Lo 0
  State: Inactive Up/Down Time: 00:00:04
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 0/0
  SAs learned from this peer: 0
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none

Debugging MSDP

To debug MSDP, use the following command.
Figure 84. MSDP with Anycast RP

Configuring Anycast RP

To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
   network

Reducing Source-Active Message Flooding

RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP.

ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 1/1
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.
30 Multiple Spanning Tree Protocol (MSTP)

Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

MSTP — specified in IEEE 802.
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations

The Dell Networking OS supports four variations of spanning tree, as shown in the following table.

Table 44. Spanning Tree Variations
Dell Networking Term                 IEEE Specification
Spanning Tree Protocol (STP)         802.1d
Rapid Spanning Tree Protocol (RSTP)  802.
Enable Multiple Spanning Tree Globally

MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.

Dell(conf-mstp)#name my-mstp-region
Dell(conf-mstp)#exit
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
  1   100
  2   200-300

To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0

Interoperate with Non-Dell Bridges

Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name is null.
• Revision is a 2-byte number. The default revision number is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
   PROTOCOL MSTP mode
   forward-delay seconds
   The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
   PROTOCOL MSTP mode
   hello-time seconds
   NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
   The range is from 1 to 10. The default is 2 seconds.
3. Change the max-age parameter.
   PROTOCOL MSTP mode
   max-age seconds
   The range is from 6 to 40. The default is 20 seconds.
4.
Table 45. Default Values for Port Costs by Interface (continued)
Port Cost                                         Default Value
Port Channel with 100 Mb/s Ethernet interfaces    180000
Port Channel with 1-Gigabit Ethernet interfaces   18000
Port Channel with 10-Gigabit Ethernet interfaces  1800

To change the port cost or priority of an interface, use the following commands.
1. Change the port cost of an interface.
   INTERFACE mode
   spanning-tree msti number cost cost
   The range is from 0 to 200000.
To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
(Step 2)
interface GigabitEthernet 1/21
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration

This example us
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown

Router 3 Running-Configuration

This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
(Step 2)
interface 1/0/31
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
interface 1/0/32
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
(Step 3)
interface vlan 100
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 200
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 300
tagged 1/0/31
tagged 1/0/32
exit

Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
The following example shows the show run spanning-tree mstp command.

Dell#show run spanning-tree mstp
!
protocol spanning-tree mstp
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300

The following example shows viewing the debug log of a successful MSTP configuration.

Dell#debug spanning-tree mstp bpdu
MSTP debug bpdu is ON
Dell#
4w0d4h : MSTP: Sending BPDU on Gi 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e
CIST Root Bridge Id: 32768:0001.e806.
31 Multicast Features

Dell Networking OS supports the following multicast protocols:

NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6.

NOTE: Multicast routing is supported across default and non-default VRFs.
Multicast Policies

The Dell Networking OS supports multicast features for IPv4.

IPv4 Multicast Policies

The following sections describe IPv4 multicast policies.
   ip igmp access-group access-list-name

Dell Networking OS Behavior: Do not enter the ip igmp access-group command before creating the access-list. If you do, after entering your first deny rule, Dell Networking OS clears the multicast routing table and re-learns all groups, even those not covered by the rules in the access-list, because there is an implicit deny all rule at the end of all access-lists. Therefore, configuring an IGMP join request filter in this order might result in data loss.
Table 46. Preventing a Host from Joining a Group — Description (continued)
Location  Description
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface GigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.1/24
          • no shutdown
2/1       • Interface GigabitEthernet 2/1
          • ip pim sparse-mode
          • ip address 10.11.1.1/24
          • no shutdown
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.
   INTERFACE mode
   ip pim neighbor-filter

Preventing a Source from Registering with the RP

To prevent the PIM source DR from sending register packets to RP for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it.
• Prevent a source from transmitting to a particular group.
Table 47. Preventing a Source from Transmitting to a Group — Description
Location  Description
1/21      • Interface GigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface GigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.1/24
          • no shutdown
2/1       • Interface GigabitEthernet 2/1
          • ip pim sparse-mode
          • ip address 10.11.1.1/24
          • no shutdown
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.
Preventing a PIM Router from Processing a Join

To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.

NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
32 Object Tracking

IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.

NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 89. Object Tracking Example

When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
Dell(conf-track-100)#description San Jose data center
Dell(conf-track-100)#end
Dell#show track 100
Track 100
  Interface GigabitEthernet 7/1 line-protocol
  Description: San Jose data center

Tracking a Layer 3 Interface

You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
Track 101
  Interface GigabitEthernet 7/2 ip routing
  Description: NYC metro

The following is an example of configuring object tracking for an IPv6 interface:

Dell(conf)#track 103 interface gigabitethernet 7/11 ipv6 routing
Dell(conf-track-103)#description Austin access point
Dell(conf-track-103)#end
Dell#show track 103
Track 103
  Interface GigabitEthernet 7/11 ipv6 routing
  Description: Austin access point

Track an IPv4/IPv6 Route

You can create an object that tracks the reachability or metric of an IPv4 or IP
Tracking Route Reachability

Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1. Configure object tracking on the reachability of an IPv4 or IPv6 route.
   CONFIGURATION mode
   track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
   Valid object IDs are from 1 to 65535.
Tracking a Metric Threshold

Use the following commands to configure object tracking on the metric threshold of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1. (Optional) Reconfigure the default resolution value used by the specified protocol to scale the metric for IPv4 or IPv6 routes.
   CONFIGURATION mode
   track resolution {ip route | ipv6 route} {isis resolution-value | ospf resolution-value}
   The range of resolution values is:
   • ISIS routes - 1 to 1000.
The following example configures object tracking on the metric threshold of an IPv6 route:

Dell(conf)#track 8 ipv6 route 2::/64 metric threshold
Dell(conf-track-8)#threshold metric up 30
Dell(conf-track-8)#threshold metric down 40

Displaying Tracked Objects

To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
  ISIS   1
  OSPF   1
IPv6 Route Resolution
  ISIS   1

Example of the show track vrf Command

Dell#show track vrf red
Track 5
  IP route 192.168.0.0/24 reachability, Vrf: red
  Reachability is Up (CONNECTED)
  3 changes, last change 00:02:39
  First-hop interface is GigabitEthernet 1/4

Example of Viewing Object Tracking Configuration

Dell#show running-config track
track 1 ip route 23.0.0.
33 Open Shortest Path First (OSPFv2 and OSPFv3)

Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS).

NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 90. Autonomous System Areas

Area Types

The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a nonbackbone area and function as if they were direct links.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR)

A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)

Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
  (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR).
• Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Figure 92. Priority and Cost Examples

OSPF with Dell Networking OS

The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within those 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell Networking OS supports only one OSPFv3 process per VRF.
to interrupt the forwarding of data packets. This behavior is supported because the forwarding tables previously computed by an active RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports/VLANs, and so on, can continue uninterrupted while the control plane OSPF process comes back to full functionality and rebuilds its routing tables.
Processing SNMP and Sending SNMP Traps

Only the process in the default VRF can process the SNMP requests and send SNMP traps.

NOTE: An SNMP get request corresponding to the OspfNbrOption field in the OspfNbrTable returns a value of 66.

OSPF ACK Packing

The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases.
NOTE: By default, OSPF is disabled.

Configuration Task List for OSPFv2 (OSPF for IPv4)

You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
2. Enable the interface.
   CONFIG-INTERFACE mode
   no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
   CONFIGURATION mode
   router ospf process-id [vrf {vrf name}]
   • vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
   The range is from 0 to 65535. The OSPF process ID is the identifying number assigned to the OSPF process.
When configuring the network command, configure a network address and mask that is a superset of the IP subnet configured on the Layer-3 interface for OSPFv2 to use. You can assign the area in the following step by a number or with an IP interface address.
• Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area.
  CONFIG-ROUTER-OSPF-id mode
  network ip-address mask area area-id
  The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 13.1.1.1 (Designated Router)
Dell>

Loopback interfaces also help the OSPF process. OSPF picks the highest interface address as the router-id and a Loopback interface address has a higher precedence than other interface addresses.

Example of Viewing OSPF Status on a Loopback Interface

Dell#show ip ospf 1 int
GigabitEthernet 1/23 is up, line protocol is up
  Internet Address 10.168.0.1/24, Area 0.0.0.1
  Process ID 1, Router ID 10.168.253.
3.3.3.3 Dell# 1 0 0 0 0 1 To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode. Enabling Passive Interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces.
Setting the convergence parameter (from 1 to 4) indicates the actual convergence level. Each convergence setting adjusts the LSA parameters to zero, but the fast-convergence parameter setting allows for even finer tuning of the convergence speed. The higher the number, the faster the convergence. To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level.
The dead interval must be four times the hello interval. • The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmissions. CONFIG-INTERFACE mode ip ospf hello-interval seconds ○ seconds: the range is from 1 to 65535 (the default is 10 seconds). • The hello interval must be the same on all routers in the OSPF network; neighbors whose hello or dead intervals differ never form an adjacency. Use the MD5 algorithm to produce a message digest of each packet and the key, which is sent in place of the key itself.
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:06 Neighbor Count is 0, Adjacent neighbor count is 0 Dell# Enabling OSPFv2 Authentication To enable or change various OSPF authentication parameters, use the following commands. • Set a clear text authentication scheme on the interface. CONFIG-INTERFACE mode ip ospf authentication-key key Configure a key that is a text string no longer than eight characters. The key travels in clear text in every OSPF packet sent on that interface, so anyone who can capture the traffic can read it; prefer MD5 authentication wherever the neighbors support it.
CONFIG-ROUTER-OSPF-id mode graceful-restart role [helper-only | restart-only] Dell Networking OS supports the following options: • Helper-only: the OSPFv2 router supports graceful-restart only as a helper router. • Restart-only: the OSPFv2 router supports graceful-restart only during unplanned restarts. By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. NOTE: Do not redistribute iBGP routes into OSPF unless a route-map is applied to the OSPF redistribution. To redistribute routes, use the following command. • Specify which routes are redistributed into the OSPF process.
• View the summary information for the OSPF database. EXEC Privilege mode show ip ospf database • View the configuration of OSPF neighbors connected to the local router. EXEC Privilege mode show ip ospf neighbor • View the LSAs currently in the queue. EXEC Privilege mode show ip ospf timers rate-limit • View debug messages.
Figure 93. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface GigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.
network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface GigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface GigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes. • Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost ○ interface-cost:The range is from 1 to 65535. Default cost is based on the bandwidth. • Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
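The reference-bandwidth rule above has a well-known trap: with the default reference bandwidth, every link at or above that speed computes to the same minimum cost, so OSPF treats a 1 Gb/s and a 10 Gb/s path as equal. The following is an added example, not code from the Dell guide; it applies the cost formula stated in the text (reference bandwidth / interface speed, clamped to 1..65535, overridden by an explicit interface-cost) and reports which speeds collapse to one cost. The 100 Mb/s default reference bandwidth and the upper bound used in the search are assumptions; verify the platform values with `auto-cost reference-bandwidth`.

```python
"""Reference-bandwidth OSPF cost calculator (added example, not Dell code).

Models the rule in the text: cost = reference bandwidth / interface speed,
with an explicit `ipv6 ospf interface-cost` overriding it, and results kept
inside the configurable range 1..65535.  The default reference bandwidth of
100 Mb/s is an assumption taken from the OSPF default; verify the value your
platform uses with `auto-cost reference-bandwidth`.
"""

COST_MIN, COST_MAX = 1, 65535
DEFAULT_REFERENCE_MBPS = 100  # assumption: standard OSPF default


def ospf_cost(speed_mbps, reference_mbps=DEFAULT_REFERENCE_MBPS, explicit=None):
    """Cost of one interface.

    explicit -- an `interface-cost` value; it overrides the bandwidth-derived
    cost and must lie within 1..65535.
    """
    if explicit is not None:
        if not COST_MIN <= explicit <= COST_MAX:
            raise ValueError(f"interface-cost {explicit} outside {COST_MIN}..{COST_MAX}")
        return explicit
    if speed_mbps <= 0:
        raise ValueError("interface speed must be positive")
    # Integer division: any link faster than the reference bandwidth
    # computes to 0 and is clamped up to the minimum cost of 1.
    cost = reference_mbps // speed_mbps
    return max(COST_MIN, min(COST_MAX, cost))


def cost_table(speeds_mbps, reference_mbps=DEFAULT_REFERENCE_MBPS):
    """Map each interface speed to the cost OSPF would assign it."""
    return {s: ospf_cost(s, reference_mbps) for s in speeds_mbps}


def collapsed_speeds(speeds_mbps, reference_mbps=DEFAULT_REFERENCE_MBPS):
    """Groups of different speeds that end up with the same cost.

    Inside such a group OSPF sees equal-cost paths, so a 1 Gb/s and a
    10 Gb/s link share traffic as if they were identical.
    """
    by_cost = {}
    for s in speeds_mbps:
        by_cost.setdefault(ospf_cost(s, reference_mbps), []).append(s)
    return [sorted(group) for group in by_cost.values() if len(group) > 1]


def smallest_distinct_reference(speeds_mbps, limit_mbps=4294967):
    """Smallest reference bandwidth (Mb/s) giving every speed its own cost.

    Tries multiples of the fastest link; returns None if none works below
    limit_mbps (the upper bound is an assumption, not a platform value).
    """
    top = max(speeds_mbps)
    ref = top
    while ref <= limit_mbps:
        if not collapsed_speeds(speeds_mbps, ref):
            return ref
        ref += top
    return None


if __name__ == "__main__":
    links = [100, 1000, 10000, 40000]
    print("default reference:", cost_table(links))
    print("collapsed:", collapsed_speeds(links))
    ref = smallest_distinct_reference(links)
    print(f"reference {ref} Mb/s:", cost_table(links, ref))
```

Run it with the link speeds present in your area; if `collapsed_speeds` returns anything, raise the reference bandwidth on every router in the domain, since a mismatched reference bandwidth produces inconsistent costs across the topology.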
• The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} ○ number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode no ipv6 router ospf process-id • Reset the OSPFv3 process.
Configuring Passive-Interface To suppress an interface's participation in OSPFv3, use the following command. This command stops the router from sending updates on that interface. • Specify whether some or all of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {interface slot/port} Interface: identifies the specific interface that is passive. ○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
Enabling OSPFv3 Graceful Restart Follow the procedure in this section to configure graceful restart for OSPFv3. By default, the OSPFv3 graceful restart (restarting) role is disabled; the router functions only in the helper role, assisting neighboring routers in their graceful restarts when it receives a Grace LSA.
The following example shows the show run ospf command. Dell#show run ospf ! router ospf 1 router-id 200.1.1.1 log-adjacency-changes graceful-restart grace-period 180 network 20.1.1.0/24 area 0 network 30.1.1.0/24 area 0 ! ipv6 router ospf 1 log-adjacency-changes graceful-restart grace-period 180 The following example shows the show ipv6 ospf database database-summary command. Dell#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two modes: transport and tunnel. • Transport mode — protects only the data portion (payload) of each packet and leaves the original IP header untouched. • Tunnel mode — encapsulates the whole original packet, header and payload, inside a new IP header, so the original header is protected as well. On the receiving side, an IPsec-compliant device decrypts each packet. The OSPFv3 security policies in this chapter use transport mode, as the "in use settings : {Transport, }" field of the show crypto ipsec output later in this chapter shows.
security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
○ ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. ○ esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported. DES and 3DES are obsolete ciphers and NULL provides no confidentiality at all, so use AES-CBC wherever the routing traffic must actually be kept private. ○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
Configuring IPsec Encryption for an OSPFv3 Area To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
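The two constraints just stated, a unique SPI per policy on the router and a restricted cipher list, are easy to get wrong when interface and area policies are maintained separately. The following is an added example, not code from the Dell guide or the command reference: it validates a set of interface- and area-level OSPFv3 policies against the rules in the text (SPI range 256..4294967295, SPI uniqueness, ESP algorithms 3DES/DES/AES-CBC/NULL with only AES-128 and AES-192 for AES-CBC) and flags the weak choices. Keys given as hex strings whose length fixes the cipher key size, and the shape of the rendered CLI line, are assumptions to verify against the command reference. The sample policies are constructed; the first mirrors the SPI 600 / esp-des entry visible in the show crypto ipsec output in this chapter, which also reports "replay detection support : N", so that policy is flagged.

```python
"""OSPFv3 IPsec policy checker (added example, not Dell code).

Checks interface- and area-level policies against the rules in the text:
the SPI must lie in 256..4294967295 and be unique to one policy on the
router; ESP accepts 3DES, DES, AES-CBC or NULL, and for AES-CBC only
AES-128 and AES-192 are supported.  Assumptions: keys are hex strings
whose length fixes the cipher key size, and the rendered CLI line shape
follows the command names in the text.  Verify both against the command
reference before use.
"""
import re

SPI_MIN, SPI_MAX = 256, 4294967295

# Accepted key lengths in hex digits (assumption: key bits / 4).
ESP_KEY_HEX_LEN = {"des": {16}, "3des": {48}, "aes-cbc": {32, 48}, "null": {0}}

WEAK_ESP = {
    "des": "56-bit DES is obsolete",
    "3des": "3DES is deprecated (64-bit block, sweet32)",
    "null": "NULL gives no confidentiality; use `authentication ipsec` instead",
}


def check_policy(policy, seen_spis):
    """Return the problems found in one policy; record its SPI in seen_spis."""
    problems = []
    spi = policy["spi"]
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"spi {spi} outside {SPI_MIN}..{SPI_MAX}")
    if spi in seen_spis:
        problems.append(f"spi {spi} already used by another policy on this router")
    seen_spis.add(spi)

    alg = policy["esp"].lower()
    if alg not in ESP_KEY_HEX_LEN:
        problems.append(f"unsupported ESP algorithm {policy['esp']}")
        return problems
    key = policy.get("key", "")
    if not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("key is not hexadecimal")
    elif len(key) not in ESP_KEY_HEX_LEN[alg]:
        if alg == "aes-cbc" and len(key) == 64:
            problems.append("AES-256 key given; only AES-128 and AES-192 are supported")
        else:
            problems.append(f"key length {len(key)} hex digits is invalid for {alg}")
    if alg in WEAK_ESP:
        problems.append(f"weak cipher: {WEAK_ESP[alg]}; prefer aes-cbc")
    return problems


def check_router(policies):
    """Validate every policy on one router; map scope -> list of problems."""
    seen = set()
    return {p["scope"]: check_policy(p, seen) for p in policies}


def cli_line(policy):
    """Render a policy as a CLI line (assumed shape; check the command reference)."""
    kind, ident = policy["scope"].split(" ", 1)
    prefix = "ipv6 ospf" if kind == "interface" else f"area {ident}"
    return (f"{prefix} encryption ipsec spi {policy['spi']} esp {policy['esp']} "
            f"{policy['key']} {policy['auth']} {policy['auth_key']}")


# Constructed sample: the interface policy mirrors the SPI 600 / esp-des
# entry shown in the show output in this chapter; the rest is invented.
SAMPLE_POLICIES = [
    {"scope": "interface GigabitEthernet 1/2", "spi": 600, "esp": "des",
     "key": "0123456789abcdef", "auth": "sha1", "auth_key": "a" * 40},
    {"scope": "area 0.0.0.1", "spi": 600, "esp": "aes-cbc",
     "key": "0" * 32, "auth": "sha1", "auth_key": "b" * 40},
    {"scope": "interface GigabitEthernet 1/3", "spi": 100, "esp": "aes-cbc",
     "key": "f" * 64, "auth": "sha1", "auth_key": "c" * 40},
]

if __name__ == "__main__":
    for scope, problems in check_router(SAMPLE_POLICIES).items():
        print(scope, "->", problems or "ok")
    for p in SAMPLE_POLICIES:
        print(cli_line(p))
```

Run `check_router` over the policies for every router on a link before pushing them: the SPI and key must match on all neighbors, but the SPI must not be reused by a second policy on the same router.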
○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold). The following example shows the show crypto ipsec policy command.
Interface: GigabitEthernet 1/2
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
outbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3
EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port} ○ For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
34 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Topics: • Overview • Implementing Policy-based Routing with Dell Networking OS • Configuration Task List for Policy-based Routing • Sample Configuration Overview When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is used to look up an entry in a routing table.
• Source port • Destination port • TCP Flags After a redirect-list is applied to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. The traffic is forwarded based on the following: • Next-hop addresses are verified. • If the specified next hop is reachable, the traffic is forwarded to the specified next-hop. • If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
Ineffective PBR Exception due to Low Sequence Number. ip redirect-list rcl0 seq 5 redirect 2.2.2.2 ip any any seq 10 permit ip host 3.3.3.3 any To ensure that the permit statement (the PBR exception) is effective, give it a lower sequence number than the redirect, as shown below: ip redirect-list rcl0 seq 10 permit ip host 3.3.3.3 any seq 15 redirect 2.2.2.2 ip any any Create a Redirect List To create a redirect list, use the following commands. Create a redirect list by entering the list name.
• IP address of the next-hop router in the forwarding route • IP protocol number • Source address with mask information • Destination address with mask information Example: Creating a Rule Dell(conf-redirect-list)#redirect ? A.B.C.D Forwarding router's address Dell(conf-redirect-list)#redirect 3.3.3.3 ? <0-255> An IP protocol number icmp Internet Control Message Protocol ip Any Internet Protocol tcp Transmission Control Protocol udp User Datagram Protocol Dell(conf-redirect-list)#redirect 3.3.3.3 ip ? A.
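The sequence-number rule shown with the ineffective and effective rcl0 lists above is the usual way a PBR exception silently fails: the permit is reached only if no lower-numbered redirect already matched the packet. The following is an added example, not code from the Dell guide; it parses the two redirect-lists from the text, evaluates a packet against them in sequence order with the reachability fallback the text describes, and lints a list for permit rules that an earlier redirect fully covers. Next-hop reachability is modelled as a set of reachable addresses (an assumption), and only the `any`, `host A.B.C.D` and A.B.C.D/M address forms are parsed.

```python
"""Sequence-ordered evaluation of a PBR redirect-list (added example, not Dell code).

Rules are consulted in ascending sequence order and the first match decides
the packet, which is why a `permit` exception only works when its sequence
number is lower than the `redirect` that would otherwise catch the traffic.
Next-hop reachability is modelled as a set of reachable addresses
(assumption); per the text, an unreachable next hop falls back to the normal
routing table.  Only the `any`, `host A.B.C.D` and A.B.C.D/M address forms
are parsed.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _address(tok, i):
    """Parse one source/destination specifier starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def parse_rule(line):
    """Parse 'seq 5 redirect 2.2.2.2 ip any any' or 'seq 10 permit ip host 3.3.3.3 any'."""
    tok = line.split()
    seq, action, i = int(tok[1]), tok[2], 3
    nexthop = None
    if action == "redirect":
        nexthop, i = tok[i], i + 1
    proto, i = tok[i], i + 1
    src, i = _address(tok, i)
    dst, i = _address(tok, i)
    return {"seq": seq, "action": action, "nexthop": nexthop,
            "proto": proto, "src": src, "dst": dst}


def parse_list(text):
    """Parse the 'seq ...' lines of a redirect-list and order them by sequence."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip().startswith("seq")]
    return sorted(rules, key=lambda r: r["seq"])


def forward(rules, src, dst, proto="ip", reachable=frozenset()):
    """Decide one packet: ('redirect', next_hop) or ('routing-table', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if s in r["src"] and d in r["dst"]:
            if r["action"] == "permit":
                return ("routing-table", None)      # PBR exception
            if r["nexthop"] in reachable:
                return ("redirect", r["nexthop"])
            return ("routing-table", None)          # next hop down: fall back
    return ("routing-table", None)                  # no match: normal routing


def shadowed_permits(rules):
    """Sequence numbers of permit rules that an earlier redirect fully covers."""
    shadowed = []
    for i, r in enumerate(rules):
        if r["action"] != "permit":
            continue
        for earlier in rules[:i]:
            if (earlier["action"] == "redirect"
                    and earlier["proto"] in ("ip", r["proto"])
                    and r["src"].subnet_of(earlier["src"])
                    and r["dst"].subnet_of(earlier["dst"])):
                shadowed.append(r["seq"])
                break
    return shadowed


# Both lists are the ones shown in the text.
INEFFECTIVE = """ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any
"""
EFFECTIVE = """ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
"""

if __name__ == "__main__":
    up = {"2.2.2.2"}
    for name, text in (("ineffective", INEFFECTIVE), ("effective", EFFECTIVE)):
        rules = parse_list(text)
        print(name, "host 3.3.3.3 ->", forward(rules, "3.3.3.3", "10.0.0.1", reachable=up),
              "shadowed permits:", shadowed_permits(rules))
```

`shadowed_permits` is the check to run before applying a redirect-list to an interface: any sequence number it returns is an exception that will never fire, so traffic you meant to exclude is being steered to the next hop.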
Apply a Redirect-list to an Interface using a Redirect-group IP redirect lists are supported on physical interfaces as well as virtual local area network (VLAN) and port-channel interfaces. NOTE: When you apply a redirect-list on a port-channel, when traffic is redirected to the next hop and the destination port-channel is shut down, the traffic is dropped. However, the traffic redirected to the destination port-channel is sometimes switched.
[up], Next-hop reachable (via Vl 20) [up], Next-hop reachable (via Po 5) [up], Next-hop reachable (via Po 7) [up], Next-hop reachable (via Gi 2/18) [up], Next-hop reachable (via Gi 2/19) , Track 200 , Track 200 , Track 200 , Track 200 , Track 200 Use the show ip redirect-list (without the list name) to display all the redirect-lists configured on the device. Dell#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.
35 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP. Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1.
• Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2. Enable PIM-Sparse mode. INTERFACE mode ip pim sparse-mode To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode. Dell#show ip pim interface Address Interface Ver/ Mode 165.87.34.5 Gi 1/10 v2/S 10.1.1.2 Vl 10 v2/S 20.1.1.5 Vl 20 v2/S 165.87.31.
Configuring S,G Expiry Timers By default, S, G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G] entries) or configure an expiry time for a particular entry. If you configure both, the ACL supersedes the global configuration for the specified entries. When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes.
Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group. If you do not use the override option with the following command, the RPs advertised in the BSR updates take precedence over any statically configured RPs.
36 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode. R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Member Ports: Te 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2 R1(conf)#do show ip igmp ssm-map IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Member Ports: Te 1/1 R1(conf)#do show ip igmp ssm-map 239.0.0.
37 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress traffic, egress traffic, or both on specified ports. The mirrored traffic can be sent to a port to which a network analyzer or sniffer is connected to inspect or troubleshoot the traffic.
The maximum number of source ports that can be supported in a session is 128. The maximum number of destination ports that can be supported is 4 per port pipe. In the following examples, ports 1/13, 1/14, 1/15, and 1/16 all belong to the same port-pipe. They are pointing to four different destinations (1/1, 1/2, 1/3, and 1/37). Now it is not possible for another source port from the same port-pipe (for example, 1/17) to point to another new destination (for example, 1/4).
Figure 94. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
0 0 Gi 1/1 Po 10 Gi 1/2 Gi 1/2 rx rx Port Port N/A N/A Dell(conf)#monitor session 1 Dell(conf-mon-sess-1)#source vl 40 dest ten 1/3 dir rx Dell(conf-mon-sess-1)#flow-based enable Dell(conf-mon-sess-1)#exit Dell(conf)#do show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------0 Gi 1/1 Gi 1/2 rx Port N/A 0 Po 10 Gi 1/2 rx Port N/A 1 Vl 40 Gi 1/3 rx Flow N/A N/A N/A Dest IP -------N/A N/A N/A NOTE: Source as VLAN is achieved via Flow based mirroring.
show run monitor session Dell#show run monitor session ! monitor multicast-queue 7 Dell# Enabling Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You can specify traffic using standard or extended access-lists. 1. Enable flow-based monitoring for a monitoring session.
Remote Port Mirroring While local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router, remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• You can configure the same source port to be used in multiple source sessions. • You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session. • A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. • A destination port cannot be used in any spanning tree instance.
Table 48. Configuration Steps for RPM (continued) 2 monitor session type rpm The session ID needs to be unique and not already defined in the box; specifying type as 'rpm' defines an RPM session. 3 source Interface | Range Specify the port or list of ports that need to be monitored. 4 direction Specify rx, tx or both to monitor ingress, egress or both ingress and egress packets on the specified port.
Dell(conf-mon-sess-3)# Dell(conf-mon-sess-3)#exit Dell(conf)#end Dell# Dell#show monitor session SessID Source Destination ------ ---------------1 Gi 1/5 remote-vlan 10 2 Vl 100 remote-vlan 20 3 Po 10 remote-vlan 30 Dell# Dir --rx rx both Mode ---Port Flow Port Source IP --------N/A N/A N/A Dest IP -------N/A N/A N/A Configuring the sample Source Remote Port Mirroring Dell(conf)#inte gi 1/1 Dell(conf-if-gi-1/1)#switchport Dell(conf-if-gi-1/1)#no shutdown Dell(conf-if-gi-1/1)#exit Dell(conf)#interface g
1. Enable control plane egress acl using the following command: mac control-plane egress-acl 2. Create an extended MAC access list and add a deny rule for frames destined to 01:80:c2:xx:xx:xx (the block reserved for link-local control protocols such as STP and LLDP) using the following commands: mac access-list extended mac2 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count 3. Apply the ACL on that RPM VLAN. In this example the RPM VLAN is 10.
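The deny rule above keeps the switch's own control-plane frames (STP, LLDP and the rest of the 01:80:c2 block) from being flooded into the RPM VLAN, where they would reach the analyzer and every intermediate switch. The following is an added example, not code from the Dell guide; it implements the address/mask match for that rule and evaluates constructed frames against the list. It assumes wildcard semantics for the mask (a set bit means "do not care"), Dell-style first-match evaluation with an implicit deny at the end of the list, and adds a trailing `permit any any` so that the list does not drop everything else; confirm all three against the MAC ACL section of the command reference.

```python
"""Wildcard MAC matching for the RPM control-plane egress ACL (added example, not Dell code).

The ACL line in the text, `seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff`,
pairs a destination address with a mask.  This code assumes wildcard
semantics (a set mask bit means "do not care"), under which the rule covers
every 01:80:c2:xx:xx:xx destination, the block reserved for link-local
control protocols such as STP and LLDP.  The trailing `permit any any` and
the implicit deny at the end of the list are assumptions about Dell ACL
behaviour; confirm both against the MAC ACL section of the command reference.
"""

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    """Accept aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def mac_matches(mac, addr, wildcard):
    """True when mac equals addr on every bit the wildcard does not mask out."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(mac) & care) == (mac_to_int(addr) & care)


def _mac_spec(tok, i):
    """Parse 'any' or 'ADDR [WILDCARD]' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    addr, wildcard = tok[i], "00:00:00:00:00:00"
    if i + 1 < len(tok) and ":" in tok[i + 1]:
        wildcard = tok[i + 1]
        i += 1
    return (addr, wildcard), i + 1


def parse_mac_acl(text):
    """Parse 'seq N permit|deny SRC DST [count]' lines into sequence order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "seq":
            continue
        seq, action = int(tok[1]), tok[2]
        src, i = _mac_spec(tok, 3)
        dst, i = _mac_spec(tok, i)
        rules.append({"seq": seq, "action": action, "src": src, "dst": dst})
    return sorted(rules, key=lambda r: r["seq"])


def acl_verdict(rules, src_mac, dst_mac, implicit="deny"):
    """First matching rule wins; return (action, seq) or (implicit, None)."""
    for r in rules:
        src_ok = r["src"] is None or mac_matches(src_mac, *r["src"])
        dst_ok = r["dst"] is None or mac_matches(dst_mac, *r["dst"])
        if src_ok and dst_ok:
            return r["action"], r["seq"]
    return implicit, None


# Constructed list: the deny line is the one from the text; the permit is added.
RPM_ACL = """mac access-list extended mac2
 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count
 seq 10 permit any any
"""

# Constructed frames: a switch source MAC towards STP, LLDP and OSPF-multicast destinations.
FRAMES = {
    "STP BPDU": ("00:01:e8:8b:1a:2c", "01:80:c2:00:00:00"),
    "LLDP": ("00:01:e8:8b:1a:2c", "01:80:c2:00:00:0e"),
    "OSPF AllSPFRouters": ("00:01:e8:8b:1a:2c", "01:00:5e:00:00:05"),
}

if __name__ == "__main__":
    rules = parse_mac_acl(RPM_ACL)
    for name, (src, dst) in FRAMES.items():
        print(f"{name:20} -> {acl_verdict(rules, src, dst)}")
```

Feed the destination addresses you expect on the RPM VLAN through `acl_verdict` before applying the list; if the verdict for mirrored data traffic is the implicit deny, the list is missing its permit.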
Changes to Default Behavior • Rate-limiting is no longer done for ERSPAN traffic. • The same port can be configured as both source and destination in an ERSPAN session. • TTL and ToS values can be configured in the IP header of ERSPAN traffic. Configuration steps for ERPM To configure an ERPM session: Table 49. Configuration steps for ERPM Step Command Purpose 1 configure terminal Enter global configuration mode.
no ip address tagged GigabitEthernet 1/1-3 mac access-group flow in <<<<<<<<<<<<<< Only ingress packets are supported for mirroring shutdown Dell# ERPM Behavior on a typical Dell Networking OS The Dell Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 97.
○ Some tools support options to edit the capture file. We can make use of such features (for example: editcap ) and chop the ERPM header part and save it to a new trace file. This new file (i.e. the original mirrored packet) can be converted back into stream and fed to any egress interface. 2. Using Python script ○ Either have a Linux server's ethernet port ip as the ERPM destination ip or connect the ingress interface of the server to the ERPM MirrorToPort.
38 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include: • Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. • Host port — in the context of a private VLAN, is a port in a secondary VLAN: ○ The port must first be assigned that role in INTERFACE mode. ○ A port assigned the host role cannot be added to a regular VLAN.
NOTE: The outputs of the show arp and show vlan commands provide PVLAN data. For more information, refer to the Dell Networking OS Command Line Reference Guide. Configuration Task List The following sections contain the procedures that configure a private VLAN. • Creating PVLAN Ports • Creating a Primary VLAN • Creating a Community VLAN • Creating an Isolated VLAN Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN. 1.
Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which comprise community VLANs and isolated VLANs. 1. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3.
INTERFACE VLAN mode private-vlan mode community 4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 98. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. • For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
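Beyond show vlan, the question a reviewer of a PVLAN design actually wants answered is which pairs of ports can exchange frames. The following is an added example, not code from the Dell guide; it encodes the port-type rules stated in this chapter (promiscuous ports reach every port, community ports reach their own community plus the promiscuous ports, isolated ports reach only the promiscuous ports) and reports the reachability of every port pair. The ports are constructed from the Z9500 example above (Te 1/1 and Te 1/23 promiscuous in primary VLAN 4000, Te 1/24 and Te 1/47 isolated in VLAN 4003); the community VLANs 4001 and 4002 and their host ports are assumed additions, and the PVLAN trunk port is left out because the text describes it only as a transit path between switches.

```python
"""Layer 2 reachability inside a private VLAN (added example, not Dell code).

Encodes the port-type rules stated in the text: promiscuous ports in the
primary VLAN reach every port, community ports reach the other ports of
their own community VLAN plus the promiscuous ports, and isolated ports
reach only the promiscuous ports.  The topology is constructed from the
Z9500 example in the text (Te 1/1 and Te 1/23 promiscuous in primary VLAN
4000, Te 1/24 and Te 1/47 isolated in VLAN 4003); the community VLANs 4001
and 4002 and their host ports are assumed additions.
"""
from itertools import combinations


class PvlanPort:
    def __init__(self, name, role, primary, secondary=None):
        if role not in ("promiscuous", "community", "isolated"):
            raise ValueError(f"unknown PVLAN role {role}")
        if role != "promiscuous" and secondary is None:
            raise ValueError(f"{name}: host port needs a secondary VLAN")
        self.name, self.role = name, role
        self.primary, self.secondary = primary, secondary


def can_talk(a, b):
    """True if a frame from port a may be delivered to port b at Layer 2."""
    if a.primary != b.primary:
        return False                          # different private VLANs
    if "promiscuous" in (a.role, b.role):
        return True                           # promiscuous reaches everyone
    if a.role == b.role == "community":
        return a.secondary == b.secondary     # same community VLAN only
    return False                              # isolated pairs, isolated-community, cross-community


def reachability(ports):
    """Map every unordered port pair to whether it can communicate."""
    return {(a.name, b.name): can_talk(a, b) for a, b in combinations(ports, 2)}


def peers(port, ports):
    """Names of the ports that port can exchange frames with."""
    return sorted(p.name for p in ports if p is not port and can_talk(port, p))


def exposure_report(ports):
    """Per host port, how many other host ports it can reach.

    Anything above zero for an isolated port means the isolation rule is
    broken; for a community port it is the size of that community minus one.
    """
    hosts = [p for p in ports if p.role != "promiscuous"]
    return {p.name: sum(1 for q in hosts if q is not p and can_talk(p, q)) for p in hosts}


PORTS = [
    PvlanPort("Te 1/1", "promiscuous", 4000),
    PvlanPort("Te 1/23", "promiscuous", 4000),
    PvlanPort("Te 1/24", "isolated", 4000, 4003),
    PvlanPort("Te 1/47", "isolated", 4000, 4003),
    PvlanPort("Te 1/2", "community", 4000, 4001),   # assumed
    PvlanPort("Te 1/3", "community", 4000, 4001),   # assumed
    PvlanPort("Te 1/4", "community", 4000, 4002),   # assumed
]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:8} {p.role:12} peers: {peers(p, PORTS)}")
    print(exposure_report(PORTS))
```

The model only reflects the Layer 2 rules; a router or firewall behind a promiscuous port can still forward traffic between two isolated hosts at Layer 3, which is why the show arp output mentioned above is worth checking alongside show vlan.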
NUM * 1 100 P 200 I 201 Status Inactive Inactive Inactive Inactive Description Q Ports primary VLAN in PVLAN T Gi 1/19-20 isolated VLAN in VLAN 200 T Gi 1/21 The following example shows viewing a private VLAN configuration.
39 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 99. Per-VLAN Spanning Tree The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 50. Spanning Tree Variations Dell Networking OS Supports
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multiple Spanning Tree Protocol (MSTP) | 802.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Figure 100. Load Balancing with PVST+ The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign it a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
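Because the election is decided purely by the lowest (priority, MAC) pair a bridge advertises, any switch that sends a lower value, by configuration or by accident, takes over the tree for that VLAN. The following is an added example, not code from the Dell guide; it applies the election rule just stated per VLAN and reports the VLANs where the elected root is not the intended bridge, which is the situation root guard and BPDU guard on edge ports are meant to prevent. The bridges follow the R1/R2/R3 sample configurations later in this chapter (priority 4096 on VLANs 200 and 300 for R2 and R3; R1 on VLAN 100 is inferred), R1's MAC is taken from the show output in this chapter and the other addresses are invented; the 4096-step priority range is an assumption to verify against the command reference.

```python
"""PVST+ root election per VLAN (added example, not Dell code).

Applies the rule in the text: the bridge with the lowest bridge priority
becomes root, and the lowest MAC address breaks a tie between equal
priorities.  Priorities are checked as multiples of 4096 in 0..61440, an
assumption about the configurable range; verify it against the command
reference.  The bridges follow the R1/R2/R3 sample configuration in this
chapter (priority 4096 on VLAN 100, 200 and 300 respectively); R1's MAC is
taken from the show output, the other addresses are invented.
"""

DEFAULT_PRIORITY = 32768


def check_priority(priority):
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError(f"bridge priority {priority} must be a multiple of 4096 in 0..61440")
    return priority


class Bridge:
    def __init__(self, name, mac, priorities=None):
        self.name = name
        self.mac = int(mac.replace(":", "").replace(".", ""), 16)
        # per-VLAN priorities; VLANs not listed use the default
        self.priorities = {v: check_priority(p) for v, p in (priorities or {}).items()}

    def priority(self, vlan):
        return self.priorities.get(vlan, DEFAULT_PRIORITY)


def elect_root(bridges, vlan):
    """The bridge that wins the root election for vlan."""
    return min(bridges, key=lambda b: (b.priority(vlan), b.mac))


def roots(bridges, vlans):
    """Map each VLAN to the name of its root bridge."""
    return {v: elect_root(bridges, v).name for v in vlans}


def unexpected_roots(bridges, expected):
    """VLANs whose elected root is not the bridge you intended.

    A bridge that shows up advertising a lower priority, or the same priority
    with a lower MAC, takes the tree over silently; that is what root guard
    and BPDU guard on edge ports exist to prevent.
    """
    return {v: r for v, r in roots(bridges, expected).items() if r != expected[v]}


R1 = Bridge("R1", "0001.e80d.b6d6", {100: 4096})
R2 = Bridge("R2", "0001.e80d.b7a0", {200: 4096})   # MAC invented
R3 = Bridge("R3", "0001.e80d.b8c4", {300: 4096})   # MAC invented
EXPECTED = {100: "R1", 200: "R2", 300: "R3"}

if __name__ == "__main__":
    print(roots([R1, R2, R3], [100, 200, 300]))
    rogue = Bridge("rogue", "0000.0000.0001", {100: 0, 200: 0, 300: 0})
    print(unexpected_roots([R1, R2, R3, rogue], EXPECTED))
```

A bridge left at the default priority never displaces a configured root, however low its MAC; one configured with priority 0 displaces all three, which is the case to compare against the show spanning-tree pvst output when the root is not where you expect.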
The port is not in the Edge port mode Port 385 (GigabitEthernet 1/32) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.385 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.385 , designated path cost 0 Modifying Global PVST+ Parameters The root bridge sets the values for forward-delay and hello-time, and overwrites the values set on other PVST+ bridges.
Table 51. Default Values for Port Cost (continued)
Port Cost | Default Value
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000
Port Channel with 10-Gigabit Ethernet interfaces | 1800
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs.
○ Perform a shutdown command on the interface. ○ Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). ○ Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). ○ Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
We are the root of Vlan 5 Configured hello time 2, max age 20, forward delay 15 PVST+ Sample Configurations The following examples provide the running configurations for the topology shown in the previous illustration.
no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface GigabitEthernet 3/12 no ip address switchport no shutdown ! interface GigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! protocol spanning-tree pvst no disable vlan 300 bridge-priori
40 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 52.
Table 52. Dell Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued) Feature Direction Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 102.
• Applying Layer 2 Match Criteria on a Layer 3 Interface • Applying DSCP and VLAN Match Criteria on a Service Queue • Classifying Incoming Packets Using ECN and Color-Marking • Guidelines for Configuring ECN for Classifying and Color-Marking Packets • Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class • Sample configuration to mark non-ecn packets as “yellow” with single traffic class Implementation Information The Dell Networking QoS implementation complies with IEEE 802
Dell(conf-if-gi-1/1)#dot1p-priority 1 Dell(conf-if-gi-1/1)#end Honoring dot1p Priorities on Ingress Traffic By default, Dell Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
Traffic Monitor 4: normal NA peak NA Out of profile yellow 0 red 0 Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Dell Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 103. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match {ip | ipv6 | ip-any} After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4. Link the class-map to a queue. POLICY MAP mode service-queue Dell(conf)#ip access-list standard acl1 Dell(config-std-nacl)#permit 20.0.0.
Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue. POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, Dell Networking OS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
seq 10 deny ip any any Dell# show cam layer3-qos interface gigabitethernet 2/4 Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking ----------------------------------------------------------------------20416 1 18 IP 0x0 0 0 23.64.0.5/32 0.0.0.0/0 20 2 20417 1 18 IP 0x0 0 0 0.0.0.0/0 0.0.0.0/0 0 20418 1 0 IP 0x0 0 0 23.64.0.2/32 0.0.0.0/0 10 1 20419 1 0 IP 0x0 0 0 0.0.0.0/0 0.0.0.0/0 0 20420 1 0 IP 0x0 0 0 23.64.0.3/32 0.0.0.0/0 12 1 20421 1 0 IP 0x0 0 0 0.0.0.0/0 0.0.0.
Configuring Policy-Based Rate Policing

To configure policy-based rate policing, use the following command.
• Configure rate police ingress traffic.
QOS-POLICY-IN mode
rate-police

Setting a dot1p Value for Egress Packets

To set a dot1p value for egress packets, use the following command.
• Set a dscp or dot1p value for egress packets.
QOS-POLICY-IN mode
set mac-dot1p

Creating an Output QoS Policy

To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
NOTE: In Dell Networking OS we support 8 data queues in S4048, S6000, Z9500 and 4 data queues in S3048, S4810, S4820T and S5000. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Networking recommends evaluating your bandwidth requirements for all other queues as well.
Table 55.
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p

Mapping dot1p Values to Service Queues

All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
Applying an Output QoS Policy to a Queue

To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
INTERFACE mode
service-queue

Specifying an Aggregate QoS Policy

To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
POLICY-MAP-OUT mode
policy-aggregate

Applying an Output Policy Map to an Interface

To apply an output policy map to an interface, use the following command.
dscp {yellow | red} {list-dscp-values}

3. Apply the map profile to the interface.
CONFIG-INTERFACE mode
qos dscp-color-policy color-map-name

Example: Create a DSCP Color Map

The following example creates a DSCP color map profile and a color-awareness policy, and applies the policy to interface te 1/11.
Display summary information about a color policy for a specific interface.
Weighted Random Early Detection

Weighted random early detection (WRED) is a congestion avoidance mechanism that drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others.
WRED mode
threshold

Applying a WRED Profile to Traffic

After you create a WRED profile, you must specify to which traffic Dell Networking OS should apply the profile. Dell Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence.
EXEC Privilege mode
show qos statistics egress-queue

Dell#show qos statistics egress-queue
Interface Gi 1/1
Queue#  Q# Type  TxPkts  TxBytes  DroppedPkts  DroppedBytes
------------------------------------------------------------------------------
0       UCAST    0       0        0            0
1       UCAST    0       0        0            0
2       UCAST    0       0        0            0
3       UCAST    0       0        0            0
4       UCAST    0       0        0            0
5       UCAST    0       0        0            0
6       UCAST    0       0        0            0
7       UCAST    0       0        0            0
8       UCAST    204     13056    0            0
9       MCAST    0       0        0            0
10      MCAST    0       0        0            0
11      MCAST    0       0        0            0
12      MCAST    0       0        0            0
13      MCAST    0       0        0            0
14      MCAST    0       0        0            0
15      MCAST    0       0        0            0
16
NOTE: The show cam-usage command provides much of the same information as the test cam-usage command, but whether a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume; the test cam-usage command is useful because it provides this measurement. • Verify that there are enough available CAM entries.
• When WRED is configured on the global service-pool (regardless of whether ECN on the global service-pool is configured), and one or more queues are enabled with both WRED and ECN, ECN marking takes effect. The packets are ECN marked up to the shared-buffer limits as determined by the shared-ratio for that global service-pool.
WRED/ECN configurations for the queues that belong to backplane ports are common to all the backplane ports and cannot be specified separately for an individual backplane port.
4. Create a global buffer pool that is a shared buffer pool accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed.
Classifying Incoming Packets Using ECN and Color Marking

Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking packets instead of having WRED drop them when the threshold value is exceeded. If you configure ECN for WRED, devices use ECN to mark packets and reduce the rate at which packets are sent in a congested, heavily loaded network.
• Classification based on ECN only
• Classification based on ECN and DSCP concurrently

You can now use the set-color yellow keyword with the match ip access-group command, in the ‘match ip’ sequence of the class-map configuration, to mark the color of the traffic as ‘yellow’. By default, all packets are considered ‘green’ (without the rate-policer and trust-diffserv configuration); hence support is provided for marking packets as ‘yellow’ only.
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-g
a service queue using the service-queue command. In this way, the system applies the match criteria in a class map according to queue priority (queue numbers closer to 0 have a lower priority).

To configure IP VLAN and DSCP match criteria in a Layer 3 class map, and apply the class and policy maps to a service queue:
1. Create a match-any or a match-all Layer 3 class map, depending on whether you want the packets to meet all or any of the match criteria.
As a part of this feature, the 2-bit ECN field of the IPv4 packet is also available as one of the match qualifiers. In this way the entire 8-bit ToS field of the IPv4 header is used to classify traffic. Dell Networking OS Release 9.3(0.0) supports the following QoS actions in ingress policy-based QoS:
1. Rate Policing
2. Queuing
3. Marking
For L3 routed packets, DSCP marking is the only marking action supported in the software.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets

Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers:
• Currently Dell Networking OS supports matching only the following TCP flags:
  ○ ACK
  ○ FIN
  ○ SYN
  ○ PSH
  ○ RST
  ○ URG
  In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Approach without explicit ECN match qualifiers for ECN packets:
!
ip access-list standard dscp_50
 seq 5 permit any dscp 50
!
ip access-list standard dscp_40
 seq 5 permit any dscp 40
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
!
class-map match-any class_dscp_50
 match ip access-group dscp_
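The two configurations in this section (explicit ecn 1/2/3 qualifiers, and the shorter form that relies on the non-ECN entry being evaluated first) are meant to classify and color the same traffic identically. The following added example, not Dell Networking OS code, decodes the 8-bit ToS byte into DSCP and ECN (and the three DSCP LSBs the WRED section calls DP), models both ACL/class-map sets as data, and evaluates a packet the way a match-any class-map does: entries in configured order, first permit wins, set-color applied from the matching entry, green otherwise. The dscp_50_ecn list is an assumption filled in by symmetry with dscp_40_ecn, since that part of the example is cut off above.

```python
"""Decode the IPv4 ToS byte and evaluate the ECN/DSCP class-maps above.

Added example, not Dell Networking OS code. The ACL and class-map tables are
transcribed from this section's configuration examples; dscp_50_ecn is an
assumption filled in by symmetry with dscp_40_ecn.
"""


def decode_tos(tos):
    """Split the 8-bit ToS byte into DSCP (6 bits) and ECN (2 bits), and split
    DSCP into its three MSBs (class selector) and three LSBs (the DP bits that
    the WRED section says derive the drop precedence)."""
    dscp = (tos >> 2) & 0x3F
    ecn = tos & 0x03
    return {"dscp": dscp, "ecn": ecn, "class": dscp >> 3, "dp": dscp & 0x7}


def tos_byte(dscp, ecn):
    return (dscp << 2) | ecn


# ACL entries as (dscp, ecn); ecn=None means "any ECN value" (no ecn qualifier).
ACLS_EXPLICIT_ECN = {
    "dscp_40_ecn": [(40, 1), (40, 2), (40, 3)],
    "dscp_40_non_ecn": [(40, 0)],
    "dscp_50_ecn": [(50, 1), (50, 2), (50, 3)],   # assumed by symmetry
    "dscp_50_non_ecn": [(50, 0)],
}
# Approach without explicit ECN qualifiers for the ECN-capable traffic.
ACLS_IMPLICIT_ECN = {
    "dscp_40": [(40, None)],
    "dscp_40_non_ecn": [(40, 0)],
    "dscp_50": [(50, None)],
    "dscp_50_non_ecn": [(50, 0)],
}

# class-map match-any entries in configured order: (acl name, set-color or None).
CLASS_MAPS_EXPLICIT = {
    "class_dscp_40": [("dscp_40_non_ecn", "yellow"), ("dscp_40_ecn", None)],
    "class_dscp_50": [("dscp_50_non_ecn", "yellow"), ("dscp_50_ecn", None)],
}
CLASS_MAPS_IMPLICIT = {
    "class_dscp_40": [("dscp_40_non_ecn", "yellow"), ("dscp_40", None)],
    "class_dscp_50": [("dscp_50_non_ecn", "yellow"), ("dscp_50", None)],
}


def acl_permits(entries, dscp, ecn):
    return any(d == dscp and (e is None or e == ecn) for d, e in entries)


def classify(tos, class_maps=CLASS_MAPS_EXPLICIT, acls=ACLS_EXPLICIT_ECN):
    """Return (class-map name, color). Class-maps are checked in the order they
    are linked to queues; a packet matching no class-map keeps the default
    color, green."""
    fields = decode_tos(tos)
    for name, matches in class_maps.items():
        for acl_name, color in matches:
            if acl_permits(acls[acl_name], fields["dscp"], fields["ecn"]):
                return name, color or "green"
    return None, "green"


def same_result_both_ways(dscp, ecn):
    """True when the explicit-ECN and implicit-ECN configurations agree."""
    tos = tos_byte(dscp, ecn)
    return classify(tos) == classify(tos, CLASS_MAPS_IMPLICIT, ACLS_IMPLICIT_ECN)
```

The order of the two match entries is what makes the short form work: because dscp_40_non_ecn is listed first and sets yellow, the catch-all dscp_40 entry below it only ever sees ECN-capable packets, so swapping the two lines would silently stop the color marking.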
41 Routing Information Protocol (RIP)

The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Table 60. RIP Defaults (continued)

Feature                Default
                       • Transmit RIPv1
RIP timers             • update timer = 30 seconds
                       • invalid timer = 180 seconds
                       • holddown timer = 180 seconds
                       • flush timer = 240 seconds
Auto summarization     Enabled
ECMP paths supported   16

Configuration Information

By default, RIP is disabled in Dell Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
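The timer defaults in the table govern how long a learned route survives without being refreshed. The following added example, not Dell Networking OS code, models a RIP route table: a learned route costs one hop more than the neighbor advertised, metric 16 is unreachable, a route not refreshed within the invalid timer is marked unreachable and held, and it is flushed once the flush timer expires. The neighbors, advertisements and clock values are constructed; the output lines mimic the show ip rip database format shown in this chapter.

```python
"""Distance-vector route learning and aging with the RIP defaults from Table 60.

Added example, not Dell Networking OS code. Timers are the table's defaults
(update 30 s, invalid 180 s, holddown 180 s, flush 240 s); neighbors,
advertisements and clock values are constructed.
"""

INFINITY = 16                         # RIP metric meaning "unreachable"
UPDATE_S, INVALID_S, HOLDDOWN_S, FLUSH_S = 30, 180, 180, 240


class RipTable:
    def __init__(self):
        self.routes = {}              # prefix -> {"metric", "next_hop", "updated"}

    def receive(self, neighbor, advertised, now):
        """Process one update ({prefix: metric}) from neighbor at time now.
        Each learned route costs one hop more than the neighbor advertises."""
        for prefix, adv_metric in advertised.items():
            metric = min(adv_metric + 1, INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < INFINITY:          # never install an unreachable route
                    self.routes[prefix] = {"metric": metric, "next_hop": neighbor, "updated": now}
            elif cur["next_hop"] == neighbor:
                # Same source refreshes the route, even with a worse metric.
                cur["metric"], cur["updated"] = metric, now
            elif metric < cur["metric"]:
                self.routes[prefix] = {"metric": metric, "next_hop": neighbor, "updated": now}

    def age(self, now):
        """Apply the invalid and flush timers; return the prefixes flushed.
        With the defaults, holddown equals the invalid timer, so a route sits
        at metric 16 from 180 s until it is flushed at 240 s."""
        flushed = []
        for prefix, r in list(self.routes.items()):
            elapsed = now - r["updated"]
            if elapsed >= FLUSH_S:
                flushed.append(prefix)
                del self.routes[prefix]
            elif elapsed >= INVALID_S:
                r["metric"] = INFINITY
        return flushed

    def state(self, prefix, now):
        """'valid', 'holddown' (unreachable, awaiting flush) or 'absent'."""
        self.age(now)
        r = self.routes.get(prefix)
        if r is None:
            return "absent"
        return "holddown" if r["metric"] == INFINITY else "valid"

    def database_lines(self, distance=120):
        """Render routes the way show ip rip database lists them."""
        return ["%s [%d/%d] via %s" % (p, distance, r["metric"], r["next_hop"])
                for p, r in sorted(self.routes.items())]
```

A neighbor that advertises a prefix at metric 15 is therefore never installed (15 + 1 = 16), and a route whose next hop stops sending updates lingers, advertised as unreachable, for a further 60 s after it expires; both are worth remembering when a route "disappears" later than expected during troubleshooting.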
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.

Dell(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
Dell(conf-router_rip)#

When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.

Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49
160.160.0.0/16 auto-summary
2.0.0.
• You can use this command multiple times to exchange RIP information with as many RIP networks as you want.
• Disable a specific interface from sending or receiving RIP routing information.
ROUTER RIP mode
passive-interface interface

Assigning a Prefix List to RIP Routes

Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes.
Setting the Send and Receive Version

To change the RIP version globally or on an interface in Dell Networking OS, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode. To set an interface to send or receive only one version or the other, use the ip rip send version or the ip rip receive version commands in INTERFACE mode. You can set one RIP version globally on the system using system.
Default redistribution metric is 1
Default version control: receive version 2, send version 2
  Interface              Recv  Send
  GigabitEthernet 1/1    2 1   2
Routing for Networks:
  10.0.0.0
Routing Information Sources:
  Gateway   Distance   Last Update
Distance: (default is 120)
Dell#

Generating a Default Route

Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified.
○ weight: the range is from 1 to 255. The default is 120.
○ ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x).
○ access-list-name: the name of a configured IP ACL.
• Apply an additional number to the incoming or outgoing route metrics.
RIP Configuration on Core2

The following example shows how to configure RIPv2 on a host named Core2.

Core2(conf-if-gi-2/3)#
Core2(conf-if-gi-2/3)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
Core2#
R  192.168.1.0/24  via 10.11.20.1, Gi 2/3  120/1  00:05:22
R  192.168.2.0/24  via 10.11.20.1, Gi 2/3  120/1  00:05:22
Core2#

The following example shows the show ip protocols command to show the RIP configuration activity on Core 2.
[120/1] via 10.11.20.2, 00:00:13, GigabitEthernet
10.300.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet
10.11.20.0/24 directly connected, GigabitEthernet
10.11.30.0/24 directly connected, GigabitEthernet
10.0.0.0/8 auto-summary
192.168.1.0/24 directly connected, GigabitEthernet
192.168.1.0/24 auto-summary
192.168.2.0/24 directly connected, GigabitEthernet
192.168.2.
RIP Configuration Summary

The following example shows viewing the RIP configuration on Core 2.
!
interface GigabitEthernet 2/1
 ip address 10.11.10.1/24
 no shutdown
!
interface GigabitEthernet 2/3
 ip address 10.11.20.2/24
 no shutdown
!
interface GigabitEthernet 2/4
 ip address 10.200.10.1/24
 no shutdown
!
interface GigabitEthernet 2/5
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0

The following example shows viewing the RIP configuration on Core 3.
42 Remote Monitoring (RMON)

RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
CONFIGURATION mode
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
○ number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
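The rmon alarm command above samples a MIB variable either as a delta between polls or as an absolute value and raises a rising or falling event when a threshold is crossed. The following added example, not Dell Networking OS code, implements that evaluation so the hysteresis is visible: after a rising event fires, no further rising event fires until the falling threshold has been crossed, and vice versa (a simplification of the RFC 2819 alarm semantics, which also define a startup-alarm option not modelled here). The ifOutErrors counter readings are constructed.

```python
"""RMON-style alarm evaluation with delta/absolute sampling and hysteresis.

Added example, not Dell Networking OS code. It models the rising/falling
threshold behaviour of the rmon alarm command; the counter readings below
are constructed.
"""


class RmonAlarm:
    def __init__(self, number, sample_type, rising, falling,
                 rising_event=None, falling_event=None):
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        self.number = number
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev_raw = None          # previous raw reading (delta mode)
        self.last_crossed = None      # "rising" or "falling": the last event side

    def sample(self, raw_value):
        """Feed one polled value; return the event number triggered, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:             # a delta needs two readings
                self.prev_raw = raw_value
                return None
            value, self.prev_raw = raw_value - self.prev_raw, raw_value
        else:
            value = raw_value
        # Hysteresis: re-arm the rising event only after a falling crossing.
        if value >= self.rising and self.last_crossed != "rising":
            self.last_crossed = "rising"
            return self.rising_event
        if value <= self.falling and self.last_crossed != "falling":
            self.last_crossed = "falling"
            return self.falling_event
        return None


def run_alarm(alarm, readings):
    """Return the event (or None) produced by each reading, in order."""
    return [alarm.sample(v) for v in readings]


# Constructed ifOutErrors readings, one per alarm interval.
IF_OUT_ERRORS = [0, 5, 20, 22, 23, 60, 100]
```

With a delta alarm (rising 10, falling 2, rising event 1), the readings above produce the rising event at the 0→20 step, nothing for the next two small deltas (the 22→23 step of 1 re-arms the alarm), the event again at 23→60, and nothing at 60→100 because the alarm has not been re-armed; without hysteresis every large delta would generate a log entry or trap.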
43 Rapid Spanning Tree Protocol (RSTP)

The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Fast Hellos for Link State Detection
• Flush MAC Addresses after a Topology Change

Important Points to Remember
• RSTP is disabled by default.
• Dell Networking OS supports only one Rapid Spanning Tree (RST) instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
 no shutdown
Dell(conf-if-gi-1/1)#

Enabling Rapid Spanning Tree Protocol Globally

Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.

Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Gi 3/4   Altr   128.684   128   20000   BLK   20000   P2P   No
R3#

Adding and Removing Interfaces

To add and remove interfaces, use the following commands. To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the no spanning-tree 0 command, re-enable it using the spanning-tree 0 command.
• Remove an interface from the Rapid Spanning Tree topology.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
PROTOCOL SPANNING TREE RSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Influencing RSTP Root Selection

RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command.
• Assign a number as the bridge priority or designate it as the primary or secondary root.
PROTOCOL SPANNING TREE RSTP mode
bridge-priority priority-value
○ priority-value: The range is from 0 to 65535.
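Root selection compares bridge identifiers: the lower priority wins, and equal priorities are broken by the lower MAC address, which is why leaving every switch at the default 32768 lets the oldest hardware become root. The following added example, not Dell Networking OS code, runs that election over a constructed set of bridges, parses the Root Identifier line from the show spanning-tree rstp output above, and computes the priority a given bridge would need to win. The bridge names and all MAC addresses except the one from the sample output are constructed.

```python
"""Root bridge election by bridge identifier (priority, then MAC address).

Added example, not Dell Networking OS code. Bridge names and MAC addresses
are constructed, except the MAC taken from the show spanning-tree rstp
output in this section.
"""
import re


def bridge_key(priority, mac):
    """Sort key for a bridge identifier: lower (priority, MAC) wins.
    mac is in Dell dotted-hex form, e.g. 0001.e801.cbb4."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """bridges: dict name -> (priority, mac). Returns the winning bridge name."""
    return min(bridges, key=lambda name: bridge_key(*bridges[name]))


def priority_needed(bridges, name):
    """Highest priority value the named bridge can set and still win the
    election against the current root; None if it already wins."""
    root = elect_root(bridges)
    if root == name:
        return None
    root_priority, root_mac = bridges[root]
    _, mac = bridges[name]
    # With an equal priority the lower MAC wins, so a higher MAC needs one less.
    return root_priority if bridge_key(0, mac) < bridge_key(0, root_mac) else root_priority - 1


_ROOT_LINE = re.compile(r"Root Identifier has priority (\d+), Address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def parse_root_identifier(line):
    """Extract (priority, mac) from the Root Identifier line of show spanning-tree rstp."""
    m = _ROOT_LINE.search(line)
    if not m:
        raise ValueError("no Root Identifier found in: %r" % line)
    return int(m.group(1)), m.group(2)


# Constructed topology: three bridges at the default priority.
BRIDGES = {
    "Dell": (32768, "0001.e801.cbb4"),   # MAC from the sample output above
    "R2":   (32768, "0001.e801.cbb0"),   # constructed
    "R3":   (32768, "0001.e801.cbc0"),   # constructed
}
```

Because R2's MAC is numerically lowest, it wins at the default priority; the Dell bridge needs any priority below 32768 to take over, and setting it to 4096 makes the election deterministic rather than dependent on which switch happens to carry the lowest MAC.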
In the following example, the bold line indicates that the interface is in EdgePort mode.
Dell(conf-if-gi-2/1)#show config
!
interface GigabitEthernet 2/1
 no ip address
 switchport
 spanning-tree rstp edge-port
 shutdown
Dell(conf-if-gi-2/1)#

Configuring Fast Hellos for Link State Detection

Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
44 Software-Defined Networking (SDN)

Dell Networking operating software supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
45 Security

This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
○ exec: sends accounting information when a user has logged in to EXEC mode.
○ command level: sends accounting of commands executed at the specified privilege level.
○ suppress: do not generate accounting records for a specific type of user.
○ default | name: enter the name of a list of accounting methods.
○ start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end.
• Step through all active sessions and print all the accounting records for the actively accounted functions.
Possible methods are:
• enable: use the password you defined using the enable secret or enable password command in CONFIGURATION mode.
• line: use the password you defined using the password command in LINE mode.
• local: use the username/password database defined in the local configuration.
• none: no authentication.
• radius: use the RADIUS servers configured with the radius-server host command.
• tacacs+: use the TACACS+ servers configured with the tacacs-server host command.
2. Enter LINE mode.
To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands. The following example shows enabling local authentication for console and remote authentication for the VTY lines.
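The methods listed above are tried in the order they appear in the method list, which is what makes "local authentication on the console, remote authentication on the VTY lines" work and also what decides what happens when a RADIUS or TACACS+ server is unreachable. The following added example, not Dell Networking OS code, evaluates a method list against constructed backends. It assumes the usual method-list semantics (a method that cannot be reached is skipped, the first explicit accept or reject ends the search, and all methods unreachable means no login unless the list ends in none); that rule is an assumption about method lists in general, not a statement taken from this guide.

```python
"""Authentication method-list evaluation with fall-through on unreachable methods.

Added example, not Dell Networking OS code. The ordering rule (skip a method
that cannot be reached, stop at the first explicit accept or reject) is an
assumption about method lists in general. The backends are constructed.
"""

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


def authenticate(method_list, responders, username, password):
    """method_list: e.g. ["radius", "local"]. responders maps a method name to
    a callable (username, password) -> ACCEPT | REJECT | UNREACHABLE.
    Returns (result, deciding method); ("reject", None) if every method was
    unreachable, unless the list contains "none", which accepts unconditionally."""
    for method in method_list:
        if method == "none":
            return ACCEPT, "none"
        outcome = responders[method](username, password)
        if outcome in (ACCEPT, REJECT):
            return outcome, method
        # UNREACHABLE: fall through to the next configured method
    return REJECT, None


# Constructed backends.
LOCAL_USERS = {"admin": "s3cret"}           # constructed local username database


def radius_down(username, password):
    return UNREACHABLE                         # server timed out


def radius_reject_all(username, password):
    return REJECT                              # server reachable, credentials bad


def local_db(username, password):
    return ACCEPT if LOCAL_USERS.get(username) == password else REJECT


def line_outcomes(username, password, radius=radius_down):
    """Console authenticates locally; VTY lines use RADIUS with local fallback."""
    return {
        "console": authenticate(["local"], {"local": local_db}, username, password),
        "vty": authenticate(["radius", "local"], {"radius": radius, "local": local_db},
                            username, password),
    }
```

Two properties are worth checking in a real configuration with this model in mind: an explicit reject from the first reachable server is final (a valid local password does not rescue a user RADIUS has rejected), and a method list ending in none turns a server outage into unauthenticated access, so none belongs only on lines where that is the intended behavior.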
Privilege Levels Overview

Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell Networking OS.
Configuring the Enable Password Command

To configure Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
3. Configure level and commands for a mode or reset a command’s level.
CONFIGURATION mode
privilege mode {level level command | reset command}
Configure the following required and optional parameters:
• mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router)
• level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
• command: a Dell Networking OS CLI keyword (up to five keywords allowed).
snmp-server
Dell(conf)#
Modify SNMP parameters

Specifying LINE Mode Password and Privilege

You can specify password authentication for all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user. To specify a password for the terminal line, use the following commands.
• Configure a custom privilege level for the terminal lines.
RADIUS Authentication

Dell Networking OS supports RADIUS for user authentication (text password) at login; RADIUS can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can limit the attributes of services available to a user. When you enable authorization, the network access server uses configuration information from the user profile to issue the user's session.
Configuration Task List for RADIUS

To authenticate users using RADIUS, you must specify at least one RADIUS server with which the system can communicate, and configure RADIUS as one of your authentication methods. The following list includes the configuration tasks for RADIUS.
• Enter the host name or IP address of the RADIUS server host.
CONFIGURATION mode
radius-server host {hostname | ip-address} [auth-port port-number] [retransmit retries] [timeout seconds] [key [encryption-type] key]
Configure the optional communication parameters for the specific host:
○ auth-port port-number: the range is from 0 to 65535. Enter a UDP port number. The default is 1812.
○ retransmit retries: the range is from 0 to 100. The default is 3.
○ timeout seconds: the range is from 0 to 1000.
Monitoring RADIUS

To view information on RADIUS transactions, use the following command.
• View RADIUS transactions to troubleshoot problems.
EXEC Privilege mode
debug radius

TACACS+

Dell Networking OS supports a terminal access controller access control system (TACACS+) client, including support for login authentication.

Configuration Task List for TACACS+

The following list includes the configuration tasks for TACACS+ functions.
Second bold line: User authenticated using the secondary method.
Specifying a TACACS+ Server Host

To specify a TACACS+ server host and configure its communication parameters, use the following command.
• Enter the host name or IP address of the TACACS+ server host.
CONFIGURATION mode
tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key]
Configure the optional communication parameters for the specific host:
○ port port-number: the range is from 0 to 65535. Enter a TCP port number. The default is 49.
NOTE: The Windows-based WinSCP client software is not supported for secure copying between a PC and a Dell Networking OS-based system. Unix-based SCP client software is supported.
To use the SSH client, use the following command.
• Open an SSH connection and specify the hostname, username, port number, encryption cipher, HMAC algorithm, and version of the SSH client.
Other SSH-related commands include:
• crypto key generate: generate keys for the SSH server.
• debug ip ssh: enables collecting SSH debug information.
• ip scp topdir: identify a location for files used in secure copy transfer.
• ip ssh authentication-retries: configure the maximum number of attempts that should be used to authenticate a user.
• ip ssh connection-rate-limit: configure the maximum number of incoming SSH connections per minute.
Configuring the SSH Server Key Exchange Algorithm

To configure the key exchange algorithm for the SSH server, use the ip ssh server kex key-exchange-algorithm command in CONFIGURATION mode.
key-exchange-algorithm: Enter a space-delimited list of key exchange algorithms that will be used by the SSH server.
The following ciphers are available.
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

Example of Configuring a Cipher List

The following example shows you how to configure a cipher list.
Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr

Secure Shell Authentication

Secure Shell (SSH) is enabled by default using the SSH Password Authentication method.
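The default cipher list above enables every available cipher, so the server accepts whichever one the client proposes first. The following added example, not Dell Networking OS code, is a configuration-audit helper: it parses an ip ssh server cipher line, reports entries that are not in the available set, flags the CBC-mode entries (including 3des-cbc) against a local policy, and emits the reduced command. Treating CBC-mode ciphers as legacy is this example's policy assumption; adjust the LEGACY set to your own standard.

```python
"""Audit an ip ssh server cipher list against a local cipher policy.

Added example, not Dell Networking OS code. AVAILABLE and DEFAULT_LIST are
the values printed in this section; which entries count as legacy is a
policy assumption for this example.
"""

AVAILABLE = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
             "aes128-ctr", "aes192-ctr", "aes256-ctr"]
DEFAULT_LIST = "3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
LEGACY = {c for c in AVAILABLE if c.endswith("-cbc")}   # policy assumption

COMMAND_PREFIX = ["ip", "ssh", "server", "cipher"]


def parse_cipher_command(line):
    """Return the cipher names from an 'ip ssh server cipher ...' line."""
    tokens = line.split()
    if tokens[:4] != COMMAND_PREFIX:
        raise ValueError("not an ip ssh server cipher command: %r" % line)
    return tokens[4:]


def audit(ciphers):
    """Classify each configured cipher as legacy, unknown, or kept."""
    return {
        "legacy": [c for c in ciphers if c in LEGACY],
        "unknown": [c for c in ciphers if c not in AVAILABLE],
        "kept": [c for c in ciphers if c in AVAILABLE and c not in LEGACY],
    }


def hardened_command(ciphers):
    """Rebuild the command with only the ciphers the policy allows, preserving order."""
    kept = audit(ciphers)["kept"]
    if not kept:
        raise ValueError("no acceptable cipher would remain; server would be unreachable")
    return " ".join(COMMAND_PREFIX + kept)


def audit_running_config(config_text):
    """Scan running-config text; return the audit of the cipher line, or the
    audit of the default list when no cipher command is present."""
    for line in config_text.splitlines():
        if line.strip().split()[:4] == COMMAND_PREFIX:
            return audit(parse_cipher_command(line.strip()))
    return audit(DEFAULT_LIST.split(","))
```

Note that hardened_command refuses to emit an empty list rather than lock every client out, and that a configuration with no cipher line at all is audited against the printed default rather than reported as clean.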
5. Install the user’s public key for RSA authentication in SSH.
CONFIGURATION mode
ip ssh rsa-authentication my-authorized-keys flash://public_key

admin@Unix_client#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
The following example shows creating rhosts.
admin@Unix_client# ls
id_rsa  id_rsa.pub  rhosts  shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin

Using Client-Based SSH Authentication

To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled.
VTY Line and Access-Class Configuration

Various methods are available to restrict VTY access in Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote.

Table 63. VTY Access

Authentication Method   VTY access-class support?   Username access-class support?   Remote authorization support?
Line                    YES                         NO                               NO
Local                   NO                          YES                              NO
TACACS+                 YES                         NO                               YES (with Dell Networking OS version 5.2.1.0 and later)
RADIUS                  YES                         NO                               YES (with Dell Networking OS version 6.1.1.
and you have configured an access class for the VTY line, Dell Networking OS immediately applies it. If the access-class is set to deny all or deny for the incoming subnet, Dell Networking OS closes the connection without displaying the login prompt. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the authentication mechanism.
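The point of a VTY access-class is that the source address is checked before any credentials are exchanged: a denied source never sees the login prompt, so it cannot probe the authentication backend at all. The following added example, not Dell Networking OS code, evaluates an ordered permit/deny list against connecting addresses and reports what the client would see, using an ACL that expresses the intent described above (deny 10.0.0.0/8). It assumes an unmatched source falls to an implicit deny at the end of the list; the connection attempts are constructed.

```python
"""Evaluate a VTY access-class against connecting source addresses.

Added example, not Dell Networking OS code. Assumes an implicit deny for a
source that matches no entry; the ACL and connection attempts are constructed.
"""
import ipaddress


def evaluate_access_class(acl, source_ip):
    """acl: ordered list of (action, network); first match wins."""
    src = ipaddress.ip_address(source_ip)
    for action, network in acl:
        net = ipaddress.ip_network(network)
        if src.version == net.version and src in net:
            return action
    return "deny"                       # implicit deny at end of list (assumption)


def vty_connection(acl, source_ip):
    """What the client sees when it opens a connection to the VTY line."""
    if evaluate_access_class(acl, source_ip) == "permit":
        return "login prompt"
    return "connection closed (no login prompt)"


def summarize_attempts(acl, attempts):
    """Count attempts by outcome and list the denied sources, e.g. for a
    report of who is reaching the management plane from where."""
    prompted, closed = 0, []
    for src in attempts:
        if vty_connection(acl, src) == "login prompt":
            prompted += 1
        else:
            closed.append(src)
    return {"prompted": prompted, "closed": closed}


# Constructed access-class: deny the 10.0.0.0/8 subnet, permit everything else.
DENY_10 = [("deny", "10.0.0.0/8"), ("permit", "0.0.0.0/0")]

# Constructed connection attempts.
ATTEMPTS = ["10.5.6.7", "192.0.2.10", "10.255.0.1", "198.51.100.4"]
```

The third assertion below shows the edge case that catches people out: an access-class consisting only of deny entries closes every connection, including the administrator's, because nothing matches before the implicit deny.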
• Displaying Information About Roles Logged into the Switch
• Display Role Permissions Assigned to a Command

Overview of RBAC

With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function. Each user can be assigned only a single role.
For consistency, the best practice is to define the same authorization method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authorization method list to apply to all the LINES (console port, VTY). If you do not, the following error is displayed when you attempt to enable role-based only AAA authorization. % Error: Exec authorization must be applied to more than one line to be useful, e.g. console and vty lines.
Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles. Otherwise you would have to create a user role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles.
When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access. For information about how to create new roles, see also Creating a New User Role. The following output displays the modes available for the role command.
The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
This section contains the following AAA Authentication and Authorization for Roles configuration tasks:
• Configuring AAA Authentication for Roles
• Configuring AAA Authorization for Roles
• Configuring TACACS+ and RADIUS VSA Attributes for RBAC

Configure AAA Authentication for Roles

Authentication services verify the user ID and password combination. Users with defined roles and users with privileges are authenticated with the same mechanism.
NOTE: Note that the methods were not applied to the console so the default methods (if configured) are applied there.
The following section shows you how to create an AV pair to allow a user to log in from a network access server and have access to commands based on the user’s role. The format to create an AV pair for a user role is Force10-avpair="shell:role=user-role", where user-role is a user-defined or system-defined role. In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair="shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role.
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell

Display Information About User Roles

This section describes how to display information about user roles.
Displaying Information About Users Logged into the Switch

To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and roles for all users are also displayed. If the role is not defined, the system displays "unassigned".
46 Service Provider Bridging

Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging

VLAN Stacking

VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Figure 107. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
• Configuring Dell Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks

Creating Access and Trunk Ports

To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
M Te 3/13
Dell#

Configuring the Protocol Type Value for the Outer VLAN Tag

The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell Networking OS displays the S-Tag TPID only if it is a non-default value.
NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Gi 1/1 T Gi 1/1 M Gi 1/1
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 108.
Figure 109.
Figure 110. Single and Double-Tag TPID Mismatch
The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series.
Table 64. Behaviors for Mismatched TPID
Network Position, Incoming Packet TPID, System TPID, Match Type, Pre-Version 8.2.1.0, Version 8.2.1.
Ingress Access Point untagged single-tag (0x8100) Core untagged
Table 64. Behaviors for Mismatched TPID (continued)
Network Position, Incoming Packet TPID, System TPID, Match Type, Pre-Version 8.2.1.0, Version 8.2.1.
Egress Access Point untagged 0xUVYZ double-tag first-byte switch to VLAN match switch to default VLAN 0xQRST double-tag mismatch switch to default VLAN switch to default VLAN 0xUVWX — switch to default VLAN switch to default VLAN double-tag match switch to VLAN switch to VLAN double-tag 0xUVWX 0xUVWX
Precedence    Description
Red           Lowest-priority packets that are always dropped (regardless of congestion status).
• Honor the incoming DEI value by mapping it to a Dell Networking OS drop precedence.
INTERFACE mode
dei honor {0 | 1} {green | red | yellow}
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Figure 111. Statically and Dynamically Assigned dot1p for VLAN Stacking
When configuring Dynamic Mode CoS, you have two options:
• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
!
interface GigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown
Mapping C-Tag to S-Tag dot1p Values
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
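Putting the dot1p mapping and dei honor commands of this section together, the following Python (an added example, not code from the guide) pushes an S-Tag onto a C-tagged frame the way a VLAN-Stack access port would: the S-Tag TPID defaults to 0x9100 as stated above, the S-Tag dot1p comes from a c-tag-dot1p range mapping, and the DEI bit is colored through a dei honor table. The sample frame, its MAC addresses, and the rule that an unmapped C-Tag dot1p is copied unchanged are assumptions.

```python
import struct

TPID_8021Q = 0x8100          # C-Tag TPID
S_TAG_TPID_DEFAULT = 0x9100  # default vlan-stack protocol-type in this guide


def parse_c_tagged(frame: bytes):
    """Split a single-tagged frame into (dst, src, pcp, dei, vid, rest)."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry a C-Tag")
    dst, src, tpid, tci = struct.unpack("!6s6sHH", frame[:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q single-tagged")
    return dst, src, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, frame[16:]


def build_dot1p_map(mapping: dict) -> dict:
    """Expand 'c-tag-dot1p 0-3 sp-tag-dot1p 7' style ranges into {c_pcp: s_pcp}."""
    table = {}
    for c_range, s_pcp in mapping.items():
        lo, _, hi = str(c_range).partition("-")
        for pcp in range(int(lo), int(hi or lo) + 1):
            if not 0 <= pcp <= 7 or not 0 <= s_pcp <= 7:
                raise ValueError("dot1p values must be 0-7")
            table[pcp] = s_pcp
    return table


def drop_precedence(dei: int, dei_honor: dict) -> str:
    """'dei honor {0|1} {green|red|yellow}': unmapped DEI values are green."""
    return dei_honor.get(dei, "green")


def push_s_tag(frame, s_vid, dot1p_map, dei_honor,
               s_tpid=S_TAG_TPID_DEFAULT, queue_on="s-tag"):
    """Return (double-tagged frame, marking info) for one C-tagged frame."""
    dst, src, c_pcp, dei, c_vid, rest = parse_c_tagged(frame)
    if not 1 <= s_vid <= 4094:
        raise ValueError("S-Tag VID out of range")
    # Assumption: a C-Tag dot1p with no mapping entry is copied unchanged.
    s_pcp = dot1p_map.get(c_pcp, c_pcp)
    s_tci = (s_pcp << 13) | (dei << 12) | s_vid
    c_tci = (c_pcp << 13) | (dei << 12) | c_vid
    out = (dst + src + struct.pack("!HH", s_tpid, s_tci)
           + struct.pack("!HH", TPID_8021Q, c_tci) + rest)
    info = {
        "s_dot1p": s_pcp,
        "c_dot1p": c_pcp,
        # option 1 queues on the original C-Tag dot1p, option 2 on the S-Tag dot1p
        "queue_dot1p": s_pcp if queue_on == "s-tag" else c_pcp,
        "color": drop_precedence(dei, dei_honor),
    }
    return out, info


# Constructed sample: C-Tag with dot1p 2, DEI 1, VID 100, documentation MACs.
SAMPLE_FRAME = (bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302")
                + struct.pack("!HH", TPID_8021Q, (2 << 13) | (1 << 12) | 100)
                + b"\x08\x00" + bytes(30))
SAMPLE_MAP = build_dot1p_map({"0-3": 7})      # c-tag-dot1p 0-3 sp-tag-dot1p 7
SAMPLE_DEI_HONOR = {1: "yellow"}              # dei honor 1 yellow

if __name__ == "__main__":
    out, info = push_s_tag(SAMPLE_FRAME, 200, SAMPLE_MAP, SAMPLE_DEI_HONOR)
    print(out[:20].hex(), info)
```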
Figure 112. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 113. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following commands.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2.
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
• Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
The same is true for GARP VLAN registration protocol (GVRP). 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
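As an added example (not code from the guide), the following Python models the two behaviours described above at a provider-edge port: STP BPDUs addressed to the Bridge Group Address are rewritten to a user-configured tunnel MAC on ingress and restored on egress, customer GVRP frames to 01-80-C2-00-00-21 pass through as data, and provider GVRP frames to 01-80-C2-00-00-0D are consumed by the provider bridge. The tunnel MAC 02:00:00:00:00:01 and the sample frames are constructed placeholders; Dell's default tunnel address is not given on this page.

```python
BRIDGE_GROUP_ADDRESS = "01:80:c2:00:00:00"   # STP/RSTP/MSTP BPDUs
PROVIDER_GVRP_ADDRESS = "01:80:c2:00:00:0d"  # 802.1ad Provider Bridge GVRP Address
CUSTOMER_GVRP_ADDRESS = "01:80:c2:00:00:21"  # 802.1Q GVRP Address
RESERVED_PREFIX = bytes.fromhex("0180c20000")  # 01:80:C2:00:00:00 - 0F block


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def tunnel_mac_allowed(mac: str) -> bool:
    """A user-configured tunnel address must not be a reserved bridge address."""
    tm = mac_bytes(mac)
    return not (tm[:5] == RESERVED_PREFIX and tm[5] <= 0x0F)


class ProviderEdge:
    """Minimal model of a VLAN-Stack access port with optional L2PT for STP."""

    def __init__(self, tunnel_mac: str, protocol_tunnel_stp: bool = True):
        if not tunnel_mac_allowed(tunnel_mac):
            raise ValueError("tunnel MAC must be a non-reserved address")
        self.tunnel_mac = mac_bytes(tunnel_mac)
        self.stp_tunnel = protocol_tunnel_stp

    def ingress(self, frame: bytes):
        """Customer-facing direction: returns (action, frame or None)."""
        dst = mac_str(frame[:6])
        if dst == BRIDGE_GROUP_ADDRESS:
            if not self.stp_tunnel:
                return "consume", None      # without L2PT the PE processes the BPDU itself
            return "tunnel", self.tunnel_mac + frame[6:]   # rewrite destination MAC
        if dst == CUSTOMER_GVRP_ADDRESS:
            return "forward", frame         # provider bridges treat it as a data frame
        if dst == PROVIDER_GVRP_ADDRESS:
            return "consume", None          # provider bridge's own GVRP
        return "forward", frame

    def egress(self, frame: bytes):
        """Provider-to-customer direction: restore the Bridge Group Address."""
        if frame[:6] == self.tunnel_mac:
            return "restore", mac_bytes(BRIDGE_GROUP_ADDRESS) + frame[6:]
        return "forward", frame


# Constructed sample: 802.3 frame, LLC DSAP/SSAP 0x42, zeroed BPDU body.
SAMPLE_BPDU = (mac_bytes(BRIDGE_GROUP_ADDRESS) + mac_bytes("00:00:5e:00:53:01")
               + bytes([0, 38, 0x42, 0x42, 0x03]) + bytes(35))
SAMPLE_TUNNEL_MAC = "02:00:00:00:00:01"   # constructed, locally administered

if __name__ == "__main__":
    pe = ProviderEdge(SAMPLE_TUNNEL_MAC)
    action, tunneled = pe.ingress(SAMPLE_BPDU)
    print(action, mac_str(tunneled[:6]), pe.egress(tunneled)[0])
```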
47 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Important Points to Remember
• The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• By default, sFlow collection is supported only on data ports.
If you did not enable any extended information, the show output displays the following (shown in bold).
Dell#show sflow
sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Enabling and Disabling sFlow on an Interface
By default, sFlow is disabled on all interfaces.
Configured sampling rate :16384
Actual sampling rate :16384
Counter polling interval :20
Extended max header size :256
Samples rcvd from h/w :0
Example of the show running-config sflow Command
Dell#show running-config sflow
!
sflow collector 100.1.1.12 agent-addr 100.1.1.
show sflow interface interface-name
The following example shows the show sflow interface command.
Dell#show sflow interface gigabitethernet 1/1
Gi 1/1
sFlow type :Ingress
Configured sampling rate :16384
Actual sampling rate :16384
Counter polling interval :20
Extended max header size :128
Samples rcvd from h/w :0
The following example shows the show running-config interface command.
• Change the global default counter polling interval.
CONFIGURATION mode or INTERFACE mode
sflow polling-interval interval value
○ interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds.
Back-Off Mechanism
If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions.
48 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• SNMP traps for the spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) state changes are based on BRIDGE MIB (RFC 1483) for STP and IEEE 802.1 draft ruzin-mstp-mib-02 for MSTP.
SNMPv3 Compliance With FIPS
SNMPv3 is compliant with the Federal Information Processing Standard (FIPS) cryptography standard. The Advanced Encryption Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm is in compliance with RFC 3826.
Configuring SNMP version 3 requires configuring SNMP users in one of three methods. Refer to Setting Up User-Based Security (SNMPv3).
!
snmp-server community mycommunity ro
Setting Up User-Based Security (SNMPv3)
When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/write operations. Users are typically associated with an SNMP group with permissions provided, such as an OID view.
• noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration.
Reading Managed Object Values
You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
Dell Networking supports RFC 4001, Textual Conventions for Internet Network Addresses, which defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command.
There are several UNIX SNMP commands that read data.
• Read the value of a single managed object.
• (From a Dell Networking system) Identify the system manager along with this person's contact information (for example, an email address or phone number).
CONFIGURATION mode
snmp-server contact text
You may use up to 55 characters. The default is None.
• (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
CONFIGURATION mode
snmp-server location text
You may use up to 55 characters. The default is None.
3. Specify the interfaces out of which Dell Networking OS sends SNMP traps.
CONFIGURATION mode
snmp-server trap-source
The following example lists the RFC-defined SNMP traps and the command used to enable each. The coldStart and warmStart traps are enabled using a single command.
snmp authentication    SNMP_AUTH_FAIL: SNMP Authentication failed. Request with invalid community string.
snmp coldstart         SNMP_COLD_START: Agent Initialized - SNMP COLD_START.
snmp linkdown
snmp linkup
envmon fan    FAN_TRAY_BAD: Major alarm: fantray %d is missing or down
              FAN_TRAY_OK: Major alarm cleared: fan tray %d present
              FAN_BAD: Minor alarm: some fans in fan tray %d are down
              FAN_OK: Minor alarm cleared: all fans in fan tray %d are good
vlt           Enable VLT traps.
vrrp          Enable VRRP state change traps.
xstp          %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
The SNMP trap is sent only when a syslog connection fails and the time-interval between the last syslog notification and current time is greater than or equal to 5 minutes. This restriction also applies to the console message. NOTE: If a syslog server failure event is generated before the SNMP agent service starts, the SNMP trap is not sent.
Table 69. MIB Objects for Copying Configuration Files via SNMP
MIB Object, OID, Object Values, Description
copySrcFileType (OID .1.3.6.1.4.1.6027.3.5.1.1.1.1.2): Specifies the type of file to copy from. The range is: 1 = Dell Networking OS file, 2 = running-config, 3 = startup-config.
copySrcFileLocation (OID .1.3.6.1.4.1.6027.3.5.1.1.1.1.3): 1 = flash, 2 = slot0, 3 = tftp. If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash.
Table 69. MIB Objects for Copying Configuration Files via SNMP (continued)
copyUserPassword (OID .1.3.6.1.4.1.6027.3.5.1.1.1.1.10): Password for the FTP, TFTP, or SCP server. If you specify copyUserName, you must also specify copyUserPassword.
Copying a Configuration File
To copy a configuration file, use the following commands.
NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object.
The following example shows copying configuration files using MIB object names.
> snmpset -v 2c -r 0 -t 60 -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.101 i 2 copyDestFileType.101 i 3
FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileType.
Copying the Startup-Config Files to the Server via TFTP
To copy the startup-config to the server via TFTP from the UNIX machine, use the following command.
NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory.
• Copy the startup-config to the server via TFTP from the UNIX machine.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
Table 70. Additional MIB Objects for Copying Configuration Files via SNMP (continued)
7 = unknown
copyEntryRowStatus (OID .1.3.6.1.4.1.6027.3.5.1.1.1.1.15): Row status. Specifies the state of the copy operation. Uses CreateAndGo when you are performing the copy. The state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
Viewing the Available Flash Memory Size
• To view the available flash memory using SNMP, use the following command.
snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.9.1.6.1
enterprises.6027.3.10.1.2.9.1.5.1 = Gauge32: 24
The output above displays that 24% of the flash memory is used.
MIB Support to Display the Software Core Files Generated by the System
Dell Networking provides MIB objects to display the software core files generated by the system.
enterprises.6027.3.10.1.2.10.1.4.1.2 = 1
enterprises.6027.3.10.1.2.10.1.4.1.3 = 1
enterprises.6027.3.10.1.2.10.1.4.2.1 = 0
enterprises.6027.3.10.1.2.10.1.5.1.1 = "flashmntr"
enterprises.6027.3.10.1.2.10.1.5.1.2 = "l2mgr"
enterprises.6027.3.10.1.2.10.1.5.1.3 = "vrrp" Hex: 76 72 72 70
enterprises.6027.3.10.1.2.10.1.5.2.1 = "sysd" Hex: 73 79 73 64
The output above displays the software core files generated by the system.
To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series.
The following example shows viewing VLAN ports using SNMP with no ports assigned.
> snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
Example of Adding an Untagged Port to a VLAN using SNMP
In the following example, Port 0/2 is added as an untagged member of VLAN 10.
>snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
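To check what the PortList value in an snmpset like the one above actually does before sending it, here is an added Python helper (not from the guide) that encodes and decodes the dot1qStaticEgressPorts bit string (octet k covers ports 8k+1 to 8k+8 with the most significant bit first, so "40 00 ..." is port 2) and reports which ports a write would add or remove relative to the current value. The second column OID in the command, .1.3.6.1.2.1.17.7.1.4.3.1.4, is the untagged-ports column of the same table in Q-BRIDGE-MIB; that name is not stated on this page.

```python
import re

# Column OIDs of the static VLAN table used in the guide's snmpset
EGRESS_PORTS_OID = ".1.3.6.1.2.1.17.7.1.4.3.1.2"    # dot1qStaticEgressPorts (on this page)
UNTAGGED_PORTS_OID = ".1.3.6.1.2.1.17.7.1.4.3.1.4"  # untagged-ports column (Q-BRIDGE-MIB)


def encode_portlist(ports, n_octets: int) -> bytes:
    """Build a PortList: octet k covers ports 8k+1..8k+8, MSB is the lowest port."""
    buf = bytearray(n_octets)
    for port in ports:
        if not 1 <= port <= n_octets * 8:
            raise ValueError(f"port {port} does not fit in {n_octets} octets")
        octet, bit = divmod(port - 1, 8)
        buf[octet] |= 0x80 >> bit
    return bytes(buf)


def decode_portlist(data: bytes) -> list:
    """Return the port numbers whose bits are set, lowest first."""
    return [i * 8 + bit + 1
            for i, octet in enumerate(data)
            for bit in range(8) if octet & (0x80 >> bit)]


def to_hex_string(data: bytes) -> str:
    """Format as the quoted 'x' argument net-snmp expects."""
    return " ".join(f"{b:02x}" for b in data)


def from_hex_string(text: str) -> bytes:
    return bytes.fromhex(re.sub(r"\s+", "", text))


def membership_change(current_hex: str, desired_ports, n_octets=None):
    """(added, removed) ports a write of desired_ports would cause."""
    current = from_hex_string(current_hex)
    n_octets = n_octets or len(current)
    desired = set(decode_portlist(encode_portlist(desired_ports, n_octets)))
    now = set(decode_portlist(current))
    return sorted(desired - now), sorted(now - desired)


def snmpset_vlan_ports(host, community, vlan_ifindex, ports, n_octets, untagged=True):
    """Assemble the snmpset command line shown in the guide for one VLAN."""
    value = f'"{to_hex_string(encode_portlist(ports, n_octets))}"'
    args = [f"{EGRESS_PORTS_OID}.{vlan_ifindex}", "x", value]
    if untagged:
        args += [f"{UNTAGGED_PORTS_OID}.{vlan_ifindex}", "x", value]
    return " ".join(["snmpset", "-v2c", "-c", community, host] + args)


if __name__ == "__main__":
    # Constructed: the guide's instance index, port 0/2 as port number 2
    print(snmpset_vlan_ports("10.11.131.185", "mycommunity", 1107787786, [2], 8))
    print(membership_change("40 00 00 00", [2, 5, 12]))
```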
Enabling and Disabling a Port using SNMP
To enable and disable a port using SNMP, use the following commands.
1. Create an SNMP community on the Dell system.
CONFIGURATION mode
snmp-server community
2. From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
EXEC Privilege mode
show interface
Or, from the management system, use the snmpwalk command to identify the interface index.
3.
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.4.3.1
SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.172 = Hex-STRING: 00 01 E8 06 95 AC
Example of Fetching MAC Addresses Learned on a Non-default VLAN Using SNMP
In the following example, GigabitEthernet 1/21 is moved to VLAN 1000, a non-default VLAN. To fetch the MAC addresses learned on non-default VLANs, use the object dot1qTpFdbTable. The instance number is the VLAN number concatenated with the decimal conversion of the MAC address.
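The instance-number rule described above can be checked with this added Python (not code from the guide): it builds the FDB instance OID for a VLAN and MAC, and parses snmpwalk lines from either bridge FDB table back into VLAN, MAC and port, verifying that the index and the returned Hex-STRING agree. The dot1qTpFdbTable column OID (1.3.6.1.2.1.17.7.1.2.2.1.2, dot1qTpFdbPort) comes from Q-BRIDGE-MIB rather than from this page, and the dot1q sample line is constructed.

```python
import re

# dot1dTpFdbAddress column of dot1dTpFdbTable, as walked in the guide for the default VLAN
DOT1D_TP_FDB_ADDRESS = "1.3.6.1.2.1.17.4.3.1.1"
# dot1qTpFdbPort column of dot1qTpFdbTable (Q-BRIDGE-MIB), indexed by VLAN then MAC octets
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"


def mac_to_subids(mac: str) -> list:
    """'00:01:E8:06:95:AC' or '0001.e806.95ac' -> [0, 1, 232, 6, 149, 172]."""
    parts = re.split(r"[:\-.]", mac.strip().lower())
    if len(parts) == 3:                       # Dell-style dotted quads
        parts = [p[i:i + 2] for p in parts for i in (0, 2)]
    if len(parts) != 6:
        raise ValueError("bad MAC address")
    return [int(p, 16) for p in parts]


def subids_to_mac(subids) -> str:
    return ":".join(f"{n:02X}" for n in subids)


def dot1d_fdb_instance(mac: str) -> str:
    """Default-VLAN table: instance is just the six decimal MAC octets."""
    return ".".join([DOT1D_TP_FDB_ADDRESS] + [str(n) for n in mac_to_subids(mac)])


def dot1q_fdb_instance(vlan: int, mac: str) -> str:
    """Non-default VLAN: VLAN number concatenated with the decimal MAC octets."""
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return ".".join([DOT1Q_TP_FDB_PORT, str(vlan)] + [str(n) for n in mac_to_subids(mac)])


LINE_RE = re.compile(
    r"^\S*?(?:mib-2|1\.3\.6\.1\.2\.1)\.17\.(?P<rest>[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<value>.*)$")


def parse_fdb_line(line: str):
    """Parse one snmpwalk output line from either FDB table; None if not an FDB row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group("rest").split(".")]
    if nums[:4] == [4, 3, 1, 1] and len(nums) == 10:         # dot1dTpFdbAddress
        mac = subids_to_mac(nums[4:])
        returned = m.group("value").replace(" ", "").upper()
        return {"table": "dot1d", "vlan": None, "mac": mac,
                "consistent": returned == mac.replace(":", "")}
    if nums[:6] == [7, 1, 2, 2, 1, 2] and len(nums) == 13:   # dot1qTpFdbPort
        return {"table": "dot1q", "vlan": nums[6],
                "mac": subids_to_mac(nums[7:]), "port": int(m.group("value"))}
    return None


# The guide's own walk line, plus a constructed dot1q line for VLAN 1000
SAMPLE_LINES = [
    "SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.172 = Hex-STRING: 00 01 E8 06 95 AC",
    "SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 23",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_fdb_line(line))
    print(dot1q_fdb_instance(1000, "00:01:E8:06:95:AC"))
```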
To display the interface number, use the following command.
• Display the interface index number.
EXEC Privilege mode
show interface
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 74. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object, OID, Description, MIB
chSysSwInPartitionAImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1  << Status active, 2 – status inactive
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
Example of Viewing Changed Interface State for Monitored Ports
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.
10.11.226.121 (port: 9140) is not reachable"
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2
The following is the sample audit log message that other syslog servers that are reachable receive:
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable
The following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.30
SNMPv2-MIB::snmpTrapOID.
49 Stacking
Using the Dell Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. (The S3048–ON uses front end user ports for stacking.) The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria.
• Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 1. By removing the stack-unit priority using the no stack-unit priority command, you can set the priority back to the default value of zero.
In the first example, a standalone is added to a stack. The standalone and the master unit have the same priority, but the standalone has a lower MAC address, so the standalone reboots. In the second example, a standalone is added to a stack. The standalone has a higher priority than the stack, so the stack (excluding the new unit) reloads.
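The two election criteria above, together with the MAC-address tie-break described later in this chapter, as an added Python model (not code from the guide): it ranks units by (priority, MAC) to pick master and standby, and reports which side reloads when a standalone joins a running stack. The unit data is constructed; the range check accepts a priority of 0 because the show output later in this chapter reports a master priority of 0 for an unconfigured unit.

```python
from dataclasses import dataclass

PRIORITY_MAX = 14      # configurable range in this guide is 1-14; 0 is the unconfigured value
MAX_UNITS = 6          # unit IDs 1-6


@dataclass(frozen=True)
class StackUnit:
    unit_id: int
    priority: int      # higher value wins
    mac: str           # burned-in MAC; highest MAC wins a priority tie


def mac_value(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def election_key(unit: StackUnit):
    """Sort key: priority first, then MAC address, both higher-wins."""
    if not 0 <= unit.priority <= PRIORITY_MAX:
        raise ValueError(f"unit {unit.unit_id}: priority must be 0-{PRIORITY_MAX}")
    if not 1 <= unit.unit_id <= MAX_UNITS:
        raise ValueError(f"unit id {unit.unit_id} out of range 1-{MAX_UNITS}")
    return (unit.priority, mac_value(unit.mac))


def elect(units):
    """Return (master, standby); standby is None for a single-unit stack."""
    ranked = sorted(units, key=election_key, reverse=True)
    if not ranked:
        raise ValueError("no units")
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


def join_outcome(stack, standalone: StackUnit) -> str:
    """Which side reloads when a standalone is cabled into a running stack."""
    master, _ = elect(stack)
    if election_key(standalone) > election_key(master):
        return "stack reloads"        # newcomer out-ranks the master: existing units reload
    return "standalone reboots"       # stack keeps its master: the newcomer reboots


# Constructed units using a Dell-style OUI seen elsewhere in this guide
SAMPLE_STACK = [StackUnit(1, 1, "00:01:e8:8b:00:10"), StackUnit(2, 1, "00:01:e8:8b:00:20")]

if __name__ == "__main__":
    master, standby = elect(SAMPLE_STACK)
    print("master", master.unit_id, "standby", standby.unit_id)
    print(join_outcome(SAMPLE_STACK, StackUnit(3, 1, "00:01:e8:8b:00:05")))
    print(join_outcome(SAMPLE_STACK, StackUnit(3, 5, "00:01:e8:8b:00:05")))
```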
5    Member    not present
6    Member    not present
---------------STANDALONE AFTER CONNECTION-------------------------
Standalone#%STKUNIT0-M:CP%POLLMGR-2-ALT_STACK_UNIT_STATE:Alternate Stack-unit is present
00:20:20: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 1 present
00:20:22: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
Going for reboot.
Figure 114. Supported Stacking Topologies
High Availability on Stacks
Stacks have master and standby management units analogous to Dell Networking route processor modules (RPM). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and Dell Networking OS elects a new standby unit.
-- Last Data Block Sync Record: --
------------------------------------------------
stack-unit Config: no block sync done
Start-up Config: no block sync done
Runtime Event Log: no block sync done
Running Config: no block sync done
ACL Mgr: no block sync done
LACP: no block sync done
STP: no block sync done
SPAN: no block sync done
Dell#
Management Access on Stacks
You can access the stack via the console port or VTY line.
• Stack Group    Port
  0              49
  1              50
  2              51
  3              52
• Stacking on the device is accomplished through 10G SFP+ front-end user ports on the chassis.
• All stack units must have the same version of Dell Networking OS.
Stacking Installation Tasks
The following are the stacking installation tasks.
• Create a Stack
• Add Units to an Existing Stack
• Split a Stack
Create a Stack
Stacking is enabled on the device using the front end ports. No configuration is allowed on front end ports used for stacking.
• when the firmware synchronization is complete.
NOTE: You must enter the stack-unit stack-unit stack-group stack-group command when adding units to a stack to ensure the units are assigned to the correct groups.
NOTE: Any scripts used to streamline the stacking configuration process must be updated to reflect the Command Mode change from EXEC to CONFIGURATION to allow the scripts to work correctly.
Begin with the first port on the management unit. Next, configure both ports on each subsequent unit. Finally, return to the management unit and configure the last port (refer to the following example).
6. Connect the units using stacking cables.
NOTE: The device does not require special stacking cables. The cables used to connect the data ports are sufficient.
7. Reload the stack one unit at a time.
-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed
----------------------------------------
1     1    up          up    7200
1     2    up          up    7200
1     3    up          up    7200
2     1    up          up    7200
2     2    up          up    7200
2     3    up          up    7200
3     1    up          up    7200
3     2    up          up    7200
3     3    up          up    7200
4     1    up          up    7200
4     2    up          up    7200
4     3    up          up    7200
The following example shows how to configure two new switches for stacking using 10G ports.
Dell-1(conf)#stack-unit 1 stack-group 1
Setting ports Te 1/50 as stack group will make their interface configs obsolete after a reload.
CONFIGURATION mode
stack-unit stack-unit-number priority priority-number
4. Assign a stack group to each unit.
CONFIGURATION mode
stack-unit stack-unit-number stack-group stack-group-number
5. Connect the new unit to the stack using stacking cables.
The following example shows adding a stack unit with a conflicting stack number (before).
• stack-unit 1: defines the default ID unit-number in the initial configuration of a switch.
• stack-group group-number: configures a port for stacking.
6. Save the stacking configuration on the ports.
EXEC Privilege mode
write memory
7. Reload the switch.
EXEC Privilege mode
reload
Dell Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
8.
• Resetting a Unit on a Stack
• Recover from Stack Link Flaps
Assigning Unit Numbers to Units in a Stack
Each unit in the stack has a stack number that is either assigned by you or by Dell Networking OS. Units are numbered from 1 to 6. Stack numbers are stored in NVRAM and are preserved upon reload.
• Assign a stack-number to a unit.
EXEC Privilege mode
stack-unit renumber
Renumbering the stack manager triggers the whole stack to reload, as shown in the message below.
Unit Type : Management Unit
Status : online
Next Boot : online
Required Type : S3048-ON - 52-port GE/TE (SG-ON)
Current Type : S3048-ON - 52-port GE/TE (SG-ON)
Master priority : 0
Hardware Rev : 0.0
Num Ports : 52
Up Time : 18 min, 28 sec
Dell Networking OS Version : 9.8(0.
(Gb/s)  Status  Status  Group
-----------------------------------------------------------------
1/56  3/56  40  up  up
1/60  3/60  40  up  up
3/48        40  up  down
3/52        40  up  down
3/56  0/56  40  up  up
3/60  0/60  40  up  up
Influencing Management Unit Selection on a Stack
Stack priority is the system variable that Dell Networking OS uses to determine which units in the stack are the master and standby management units. If multiple units tie for highest priority, the unit with the highest MAC address prevails.
• Reload a member unit, from the unit itself.
EXEC Privilege mode
reset-self
• Reset a stack-unit when the unit is in a problem state.
EXEC Privilege mode
reset stack-unit {hard}
Verify a Stack Configuration
The light of the LED status indicator on the front panel of the stack identifies the unit's role in the stack.
• Off indicates the unit is a stack member. The master LED is in OFF state for the standby unit.
• Solid green indicates the unit is the stack master (management unit).
Auto Reboot : enabled
Burned In MAC : 00:12:13:34:12:40
No Of MACs : 3
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
---------------------------------------------------------------------------
3     1    up      AC    up         8032
3     2    absent        absent     0
-- Fan Status --
Unit  Bay  TrayStatus  Fan1  Speed
-----------------------------------------------------------------------------------
3     1    up          up    18000
3     2    up          up    18000
3     3    down
Speed in RPM
Dell#
The following example shows three switches stacked together in a daisy cha
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit  UnitType    Status       ReqTyp    CurTyp    Version     Ports
-----------------------------------------------------------------------------------
1     Standby     online       S3048-ON  S3048-ON  9.8(0.0P2)  52
2     Management  online       S3048-ON  S3048-ON  9.8(0.0P2)  52
3     Member      online       S3048-ON  S3048-ON  9.8(0.0P2)  52
4     Member      not present
5     Member      not present
6     Member      not present
The following example shows removing a stack member (after).
Example of Console Messages About Flapping Link
---------------------MANAGMENT UNIT-----------------------------
Error: Stack Port 50 has flapped 5 times within 10 seconds.Shutting down this st
ack port now.
Error: Please check the stack cable/module and power-cycle the stack.
10:55:20: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 50 has flapped 5 times w
ithin 10 seconds.Shutting down this stack port now.
50 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
Dell Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
51 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell Networking OS.
• Modifying Interface STP Parameters
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Important Points to Remember
• STP is disabled by default.
• The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
INTERFACE mode
no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
To enable STP globally, use the following commands.
1. Enter PROTOCOL SPANNING TREE mode.
CONFIGURATION mode
protocol spanning-tree 0
2. Enable STP.
PROTOCOL SPANNING TREE mode
no disable
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Gi 1/4   8.514   8   4   FWD   0   32768   0001.e80d.2462   8.514
Dell#
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 118. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
• is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
• drops the BPDU after it reaches the RP and generates a console message.
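The BPDU guard behaviour above, as an added Python model (not code from the guide): a port object with portfast and bpdu-guard flags, a BPDU check on the Bridge Group Address plus the LLC 0x42 SAP used by STP, and a receive path that err-disables an edgeport on the first BPDU it sees and blocks all traffic after that while an ordinary STP port hands the BPDU to the protocol. Port names, flag names and the sample frames are constructed.

```python
import struct
from dataclasses import dataclass, field

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180c2000000")   # 01:80:C2:00:00:00
LLC_BPDU_SAP = 0x42                                    # DSAP/SSAP used by STP BPDUs


def is_bpdu(frame: bytes) -> bool:
    """802.3 frame to the Bridge Group Address whose LLC header carries SAP 0x42."""
    if len(frame) < 17 or frame[:6] != BRIDGE_GROUP_ADDRESS:
        return False
    length = struct.unpack("!H", frame[12:14])[0]       # 802.3 length, not an EtherType
    return length <= 1500 and frame[14] == LLC_BPDU_SAP and frame[15] == LLC_BPDU_SAP


@dataclass
class Port:
    name: str
    portfast: bool = False       # edgeport: an end station is expected, no BPDUs
    bpdu_guard: bool = False
    state: str = "forwarding"
    log: list = field(default_factory=list)


def receive(port: Port, frame: bytes) -> str:
    """Outcome for one frame: 'forwarded', 'to-stp', 'dropped' or 'err-disabled'."""
    if port.state == "err-disabled":
        return "dropped"              # guard has fired: all traffic on the port is blocked
    if not is_bpdu(frame):
        return "forwarded"
    if port.portfast and port.bpdu_guard:
        # the BPDU reached the RP on an edgeport: shut the port and say why
        port.state = "err-disabled"
        port.log.append(f"{port.name}: BPDU received on edgeport with BPDU guard, port disabled")
        return "err-disabled"
    return "to-stp"                   # a normal STP port hands the BPDU to spanning tree


# Constructed sample frames: a minimal STP BPDU and an ordinary IPv4 data frame
SAMPLE_BPDU = (BRIDGE_GROUP_ADDRESS + bytes.fromhex("00005e005301")
               + struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + bytes(35))
SAMPLE_DATA = (bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301")
               + b"\x08\x00" + bytes(46))

if __name__ == "__main__":
    edge = Port("Gi 1/5", portfast=True, bpdu_guard=True)
    for frame in (SAMPLE_DATA, SAMPLE_BPDU, SAMPLE_DATA):
        print(receive(edge, frame), edge.state)
    print(edge.log)
```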
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 119. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in global configuration mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
• Enable SNMP traps for spanning tree state changes.
snmp-server enable traps stp
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 120. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
○ If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
• When used in a PVST+ network, STP loop guard is performed per-port or per-port-channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable loop guard on an STP-enabled port or port-channel interface, use the following command.
52 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device.
Figure 121.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist.
2. Move to the SupportAssist Configuration mode, if the EULA has been accepted. To manually configure SupportAssist, use the following configuration commands.
CONFIGURATION mode
support-assist
Dell(conf)#support-assist
Dell(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
SUPPORTASSIST mode
contact-company name {company-name}[company-next-name] ...
[no] activity {full-transfer}
Dell(conf-supportassist)#activity full-transfer
Dell(conf-supportassist-act-full-transfer)#
2. Copy an action-manifest file for an activity to the system.
SUPPORTASSIST ACTIVITY mode
action-manifest get tftp | ftp | flash
Dell(conf-supportassist-act-full-transfer)#action-manifest get tftp://10.0.0.1/test file
Dell(conf-supportassist-act-full-transfer)#
The custom action-manifest file is a JSON file.
Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company. SupportAssist Company configurations are optional for the SupportAssist service. To configure SupportAssist company, use the following commands. 1. Configure the contact information for the company. SUPPORTASSIST mode [no] contact-company name {company-name}[company-next-name] ...
[no] phone primary phone [alternate phone] Dell(conf-supportassist-pers-john_doe)#phone primary +919999999999 Dell(conf-supportassist-pers-john_doe)# 4. Configure the preferred method for contacting the person. SUPPORTASSIST PERSON mode preferred-method {email | no-contact | phone} Dell(conf-supportassist-pers-john_doe)#preferred-method email Dell(conf-supportassist-pers-john_doe)# 5. Configure the time frame for contacting the person.
1. Display information on SupportAssist feature status including any activities, status of communication, last time communication sent, and so on. EXEC Privilege mode show support-assist status Dell#show support-assist status SupportAssist Service: Installed EULA: Accepted Server: default Enabled: Yes URL: https://stor.g3.ph.dell.com Server: chennai Enabled: Yes URL: http://10.16.148.
entitlement to receive related repair services from Dell. You further agree to allow Dell to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners.
53 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. System times and dates can be set manually and maintained through NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. R6_E300(conf)#do show ntp status Clock is synchronized, stratum 2, reference is 192.168.1.1 frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279 reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009) clock offset is 997.529984 msec, root delay is 0.00098 sec root dispersion is 10.04271 sec, peer dispersion is 10032.
○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication). Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources.
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's hierarchy. The following example shows configuring an NTP server. R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.
• Receive Timestamp — the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero. • Transmit Timestamp — the departure time on the server of the current NTP message from the sender. • Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode.
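The hex fields in the show ntp status and debug output above (reference time, rtdel, rtdsp, refid, precision) are NTP wire formats from RFC 5905. The following is an added Python example, not code from the Dell guide, that decodes those fields from the guide's own sample values, parses a status block like the one shown, and flags a reference server outside an assumed allow-list or an offset or dispersion above assumed thresholds.

```python
"""Decode the NTP fields that `show ntp status` and `debug ntp` print.

Added example for this guide, not Dell code.  The hex values are the ones
the guide's sample output shows; the formats are NTP's wire formats (RFC 5905):
  64-bit timestamp  "SSSSSSSS.FFFFFFFF": seconds since 1900-01-01 UTC . 2^-32 s units
  32-bit short      "SSSSFFFF":          seconds . 2^-16 s units (rtdel / rtdsp)
  refid             4 bytes:              the server's IPv4 address when stratum > 1
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed from the guide's sample `show ntp status` output (abridged).
SAMPLE_SHOW_NTP_STATUS = (
    "Clock is synchronized, stratum 2, reference is 192.168.1.1\n"
    "frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279\n"
    "reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009)\n"
    "clock offset is 997.529984 msec, root delay is 0.00098 sec\n"
    "root dispersion is 10.04271 sec\n"
)


def ntp_timestamp_to_datetime(field: str) -> datetime:
    """'CD63BCC2.0CBBD000' -> 2009-03-12 16:54:26.049740 UTC (integer math, no float rounding)."""
    sec_hex, frac_hex = field.split(".")
    seconds = int(sec_hex, 16)
    micros = (int(frac_hex, 16) * 1_000_000) >> 32  # fraction is in 2^-32 s units
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def format_like_switch(dt: datetime) -> str:
    """Render as the CLI does: '16:54:26.049 UTC Thu Mar 12 2009' (milliseconds truncated)."""
    return f"{dt:%H:%M:%S}.{dt.microsecond // 1000:03d} UTC {dt:%a %b} {dt.day} {dt.year}"


def ntp_short_to_ms(field: str) -> float:
    """'0219' -> about 8.19397 ms: 16.16 fixed-point seconds, printed in ms for rtdel/rtdsp."""
    return int(field, 16) / 2**16 * 1000.0


def refid_to_ipv4(field: str) -> str:
    """'C0A80101' -> '192.168.1.1'; meaningful for stratum > 1 (stratum 1 refids are ASCII codes)."""
    value = int(field, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def precision_exponent(raw: int) -> int:
    """'precision is 4294967279' is a signed exponent printed as unsigned: 2^32-17 -> -17 (2^-17 s)."""
    return raw - 2**32 if raw >= 2**31 else raw


def parse_show_ntp_status(text: str) -> dict:
    """Pull the fields a monitoring job needs out of `show ntp status` output."""
    head = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+)", text)
    reft = re.search(r"reference time is ([0-9A-F]{8}\.[0-9A-F]{8})", text)
    off = re.search(r"clock offset is (-?[\d.]+) msec", text)
    disp = re.search(r"root dispersion is ([\d.]+) sec", text)
    prec = re.search(r"precision is (\d+)", text)
    if not (head and reft and off and disp and prec):
        raise ValueError("unrecognised show ntp status output")
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)),
        "reference": head.group(3),
        "reference_time": ntp_timestamp_to_datetime(reft.group(1)),
        "offset_ms": float(off.group(1)),
        "root_dispersion_s": float(disp.group(1)),
        "precision_exp": precision_exponent(int(prec.group(1))),
    }


def audit_ntp_status(status: dict, trusted_servers: set,
                     max_offset_ms: float = 128.0, max_dispersion_s: float = 1.0) -> list:
    """Findings a defender cares about.  Thresholds are assumptions for this example:
    128 ms is NTP's step threshold; 1 s of root dispersion means the time is not trustworthy."""
    findings = []
    if not status["synchronized"]:
        findings.append("clock is not synchronized")
    if status["reference"] not in trusted_servers:
        findings.append(f"reference {status['reference']} is not a configured trusted source")
    if abs(status["offset_ms"]) > max_offset_ms:
        findings.append(f"clock offset {status['offset_ms']} ms exceeds {max_offset_ms} ms")
    if status["root_dispersion_s"] > max_dispersion_s:
        findings.append(f"root dispersion {status['root_dispersion_s']} s exceeds {max_dispersion_s} s")
    return findings


if __name__ == "__main__":
    status = parse_show_ntp_status(SAMPLE_SHOW_NTP_STATUS)
    print(format_like_switch(status["reference_time"]))      # 16:54:26.049 UTC Thu Mar 12 2009
    print(ntp_short_to_ms("0219"), ntp_short_to_ms("AF928"))  # rtdel and rtdsp from the debug line
    print(refid_to_ipv4("C0A80101"))                          # 192.168.1.1
    for finding in audit_ntp_status(status, {"192.168.1.1"}):  # allow-list is an assumption
        print("FINDING:", finding)
```

Run against the guide's own sample, the audit reports the 997 ms offset and the 10 s root dispersion, which is exactly the state a practitioner should not accept from a device whose logs and certificates depend on correct time.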
• Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset ○ timezone-name: enter the name of the timezone. Do not use spaces. ○ offset: enter one of the following: ▪ a number from 1 to 23 as the number of hours in addition to UTC for the timezone. ▪ a minus sign (-) then a number from 1 to 23 as the number of hours.
To set a recurring daylight saving time, use the following command. • Set the clock to the appropriate timezone and adjust to daylight saving time every year. CONFIGURATION mode clock summer-time time-zone recurring start-week start-day start-month start-time end-week end-day end-month end-time [offset] ○ time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output.
pacific Sun Nov 1 2009"
54 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.1/24 Dell(conf-if-tu-3)#ipv6 address 3::1/64 Dell(conf-if-tu-3)#no shutdown Dell(conf-if-tu-3)#show config ! interface Tunnel 3 ip address 3.1.1.
Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#ip unnumbered gigabitethernet 1/1 Dell(conf-if-tu-1)#ipv6 unnumbered gigabitethernet 1/1 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any Dell(conf-if-tu-1)#no shutdown Dell(conf-if-tu-1)#show config ! interface Tunnel 1 ip unnumbered GigabitEthernet 1/1 ipv6 unnumbered GigabitEthernet 1/1 tunnel source 40.1.1.
55 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 123. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 124. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; otherwise it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces. ○ If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down. To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
description text The maximum length is 80 alphanumeric characters. 6. (Optional) Disable upstream-link tracking without deleting the uplink-state group. UPLINK-STATE-GROUP mode no enable By default, upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command. Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state.
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 3/51 02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 3/52 Displaying Uplink Failure Detection To display information on the UFD feature, use any of the following commands. • Display status information on a specified uplink-state group or all groups. EXEC mode show uplink-state-group [group-id] [detail] ○ group-id: The values are from 1 to 16.
Uplink State Group : 7 Upstream Interfaces : Downstream Interfaces : Status: Enabled, Up Uplink State Group : 16 Status: Disabled, Up Upstream Interfaces : Gi 1/4(Dwn) Po 8(Dwn) Downstream Interfaces : Gi 1/10(Dwn) The following example shows viewing the interface status with UFD information.
Sample Configuration: Uplink Failure Detection The following example shows a sample configuration of UFD on a switch/router in which you configure as follows. • Configure uplink-state group 3. • Add downstream links Gigabitethernet 1/1, 1/2, 1/5, 1/9, 1/11, and 1/12. • Configure two downstream links to be disabled if an upstream link fails. • Add upstream links Gigabitethernet 1/3 and 1/4. • Add a text description for the group. • Verify the configuration with various show commands.
56 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
57 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell Networking OS removes the interface from the Default VLAN. • A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN. Configuration Task List This section contains the following VLAN configuration tasks.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2. Enable an interface to include the IEEE 802.1Q tag header.
INTERFACE mode untagged interface This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
○ secondary — This is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags).
58 VLT Proxy Gateway The Virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, refer to Dell Networking OS Command Line Reference Guide.
Figure 126. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the newer VLT domain. • After a station move, if the host sends a TTL 1 packet destined to its gateway; for example, a previous VLT node, the packet can be dropped.
• Any proxy gateway configuration or LLDP configuration is not working. • LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port physical link connection is down). Figure 127. Sample Configuration for a VLT Proxy Gateway • The above figure shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2.
Sample Configuration LLDP Method Dell(conf-vlt-domain)#proxy-gateway ll Dell(conf-vlt-domain-pxy-gw-lldp)#peer-domain-link port-channel 1 exclude-vlan 10 Sample Configuration Static Method Dell(conf-vlt-domain)#proxy-gateway static Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address exclude-vlan 10 • Packet duplication may happen with “Exclude-VLAN” configuration – Assume you used the exclude-vlan option (called VLAN 10) in C and D and in C1 and D1; If packets for VLAN 10 with C’s
59 Virtual Link Trunking (VLT) Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR).
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP). Figure 128. Example of VLT Deployment VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
Figure 129. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• If you reboot both VLT peers in BMP mode and the VLT LAGs are static, the DHCP server reply to the DHCP discover offer may not be forwarded by the ToR to the correct node. To avoid this scenario, configure the VLT LAGs to the ToR and the ToR port channel to the VLT peers with LACP. If supported by the ToR, enable the lacp-ungroup feature on the ToR using the lacp ungroup member-independent port-channel command.
○ ARP tables are synchronized between the VLT peer nodes. ○ VLT peer switches operate as separate chassis with independent control and data planes for devices attached on non-VLT ports. ○ One chassis in the VLT domain is assigned a primary role; the other chassis takes the secondary role. The primary and secondary roles are required for scenarios when connectivity between the chassis is lost. VLT assigns the primary chassis role according to the lowest MAC address. You can configure the primary role.
○ In order that the chassis backup link does not share the same physical path as the interconnect trunk, Dell Networking recommends using the management ports on the chassis and traversing an out-of-band management network. The backup link can use user ports, but not the same ports the interconnect trunk uses. ○ The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.
○ VRRP elects the router with the highest priority as the master in the VRRP group. To ensure VRRP operation in a VLT domain, configure VRRP group priority on each VLT peer so that a peer is either the master or backup for all VRRP groups configured on its interfaces. For more information, refer to Setting VRRP Group (Virtual Router) Priority. ○ To verify that a VLT peer is consistently configured for either the master or backup role in all VRRP groups, use the show vrrp command on each peer.
• Even with this configuration, if the node has non-VLT ports using RSTP that you did not configure as edge ports and are connected to other Layer 2 switches, spanning tree topology changes are still detected after VLT node recovery. To avoid this scenario, ensure that you configure any non-VLT ports as edge ports or disable RSTP. VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
If you enable IGMP snooping, IGMP queries are also sent out on the VLT ports at this time, allowing any receivers to respond to the queries and update the multicast table on the new node. This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled.
not apply to server-side L2 VLT ports because they do not connect to any PIM routers. These VLT ports can be members of multiple PIM-enabled L3 VLANs for compatibility with IGMP. To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers.
VLT DOMAIN mode peer-routing 3. Configure the peer-routing timeout. VLT DOMAIN mode peer-routing-timeout value value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout). VLT Multicast Routing VLT Multicast Routing provides resiliency to multicast routed traffic during the multicast routing protocol convergence period after a VLT link or VLT peer fails using the least intrusive method (PIM) and does not alter current protocol behavior.
Non-VLT ARP Sync ARP entries (including ND entries) learned on other ports are synced with the VLT peer to support station move scenarios. NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1) Dell_VLTpeer1(conf)#protocol spanning-tree rstp Dell_VLTpeer1(conf-rstp)#no disable Dell_VLTpeer1(conf-rstp)#bridge-priority 4096 Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 Configuring VLT To configure VLT, use the following procedure.
4. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect. Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain, use the following steps. 1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000.
{ip address ipv4-address/ mask | ipv6 address ipv6-address/ mask} This is the IP address to be configured on the VLT peer with the back-up destination command. 3. Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 4. Configure a VLT backup link using the IPv4 or IPv6 address of the VLT peer’s management interface. MANAGEMENT INTERFACE mode back-up destination {ip address ipv4-address/ mask | ipv6 address ipv6-address/ mask} 5. Repeat Steps 1 to 4 on the VLT peer switch.
Configure a different unit ID (0 or 1) on each peer switch. Unit IDs are used for internal system operations. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands.
The range is from 1 to 128. 3. Enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down. VLT DOMAIN CONFIGURATION mode peer-down-vlan vlan interface number The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example.
Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. 8. Configure enhanced VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain. 9.
5. Configure the backup link between the VLT peer units (shown in the following example). 6. Configure the peer 2 management ip/ interface ip for which connectivity is present in VLT peer 1. EXEC Privilege mode show running-config vlt 7. Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 1. EXEC mode or EXEC Privilege mode show interfaces interface 8.
Dell-4#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.43 Dell-4# Dell-4#show running-config interface managementethernet 1/1 ip address 10.11.206.58/16 no shutdown Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit. In the following example, port Gi 1/4 in VLT peer 1 is connected to Gi 1/8 of TOR and port Gi 1/18 in VLT peer 2 is connected to Gi 1/30 of TOR. 1.
s60-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L2 Status up Uptime 03:33:48 Ports Gi 1/8 (Up) Gi 1/30 (Up) Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 1) Dell_VLTpeer1(conf)#protocol spanning-tree pvst Dell_VLTpeer1(conf-pvst)#no disable Dell_VLTpeer1(conf-pvst)#vlan 1000 bridge-priority 0 Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree pvst Dell_VLTpeer2(conf-pvst)#no disable Dell_VLTpeer2(conf-pvst)#vlan 1000 bridge-priority 4096 Configure both ends of the VLT interconnect trunk with identical PVST+ configurations.
Figure 131. eVLT Configuration Example eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1. Domain_1_Peer1#configure Domain_1_Peer1(conf)#interface port-channel 1 Domain_1_Peer1(conf-if-po-1)# channel-member GigabitEthernet 1/8-1/9 Domain_1_Peer1(conf)#vlt domain 1000 Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1 Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer2(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 2. Domain_1_Peer2(conf)#interface range gigabitethernet 1/28 - 1/29 Domain_1_Peer2(conf-if-range-gi-1/28-29)# port-channel-protocol LACP Domain_1_Peer2(conf-if-range-gi-1/28-29)# port-channel 100 mode active Domain_1_Peer2(conf-if-range-gi-1/28-29)# no shutdown In Domain 2, configure the VLT domain and VLTi on Peer 3.
PIM-Sparse Mode Configuration Example The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT. Examples of Configuring PIM-Sparse Mode The following example shows how to enable PIM multicast routing on the VLT node globally.
show vlt role • Display the current configuration of all VLT domains or a specified group on the switch. EXEC mode show running-config vlt • Display statistics on VLT operation. EXEC mode show vlt statistics • Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices. EXEC mode show spanning-tree rstp • Display the current status of a port or port-channel interface used in the VLT domain.
Peer-Routing-Timeout timer : 0 seconds Multicast peer-routing timeout : 150 seconds Dell# The following example shows the show vlt detail command.
HeartBeat Messages Sent: 994 HeartBeat Messages Received: 978 ICL Hello's Sent: 89 ICL Hello's Received: 89 The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown Dell_VLTpeer1(conf-if-ma-1/1)#exit Configure the VLT interconnect (VLTi). Dell_VLTpeer1(conf)#interface port-channel 100 Dell_VLTpeer1(conf-if-po-100)#no ip address Dell_VLTpeer1(conf-if-po-100)#channel-member tenGigE 1/49,50 Dell_VLTpeer1(conf-if-po-100)#no shutdown Dell_VLTpeer1(conf-if-po-100)#exit Configure the port channel to an attached device.
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Table 78. Troubleshooting VLT (continued) Description Behavior at Peer Up Behavior During Run Time Action to Take System MAC mismatch A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units. Unit ID mismatch The VLT peer does not boot up. The VLTi is forced to a down state. The VLT peer does not boot up.
LAGs, you can associate the same port channel or LAG bundle that is a part of a VLT to a PVLAN by using the interface interface and switchport mode private-vlan commands. When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, the PVLAN packets are forwarded only if the PVLAN settings of both the VLT nodes are identical. You can configure the VLTi in trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both the peers.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
Table 79.
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2. Remove an IP address from the interface. INTERFACE PORT-CHANNEL mode no ip address 3. Add one or more port interfaces to the port channel.
5. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 6. Enable the VLAN. INTERFACE VLAN mode no shutdown 7. To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both the VLT peer nodes. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 8. Map secondary VLANs to the selected primary VLAN.
ICL link or peer is down, and the ARP request for a private VLAN IP address reaches the wrong peer, then the wrong peer responds to the ARP request with the peer MAC address. The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever an IP address is added or deleted, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state.
INTERFACE PORT-CHANNEL mode vlan-stack {access | trunk} 2. Configure VLAN as VLAN-stack compatible on both the peers. INTERFACE VLAN mode vlan-stack compatible 3. Add the VLT LAG as a member to the VLAN-stack on both the peers. INTERFACE VLAN mode member port-channel port-channel ID 4. Verify the VLAN-stack configurations.
no shutdown Dell# Configure VLAN as VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN Dell(conf)#interface vlan 50 Dell(conf-if-vl-50)#vlan-stack compatible Dell(conf-if-vl-50-stack)#member port-channel 10 Dell(conf-if-vl-50-stack)#member port-channel 20 Dell#show running-config interface vlan 50 ! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN Dell#show vlan id 50 Codes: * - D
no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)#vlt-peer-lag port-channel 20 Dell(conf-if-po-20)#vlan-stack trunk Dell(conf-if-po-20)#no shutdown Dell#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shutdown Dell# Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN Dell(conf)#interface vlan 50 Dell(conf-if-vl-50)#vlan-stack
• Synchronizing the neighbor entries learned on VLT VLAN interfaces between VLT primary and secondary node. • Synchronizing the IP address of VLT VLAN interfaces between the VLT primary node and secondary node. • Performing routing on behalf of peer VLT nodes for a configured time period when a peer VLT node goes down. When you configure Layer 3 VLT peer routing by using the peer-routing command in VLT DOMAIN mode, it applies for both IPv4 and IPv6 traffic in VLT domains.
• NA messages are almost always sent in response to an NS message from a node. In this case the solicited NA has the destination address field set to the unicast MAC address of the initial NS sender. These solicited NAs need to be tunneled when they reach the wrong peer. Consider a sample scenario in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B.
Figure 133. Sample Configuration of IPv6 Peer Routing in a VLT Domain
Neighbor Solicitation from VLT Hosts
Consider a case in which an NS for the VLT node1 IP reaches VLT node1 on the VLT interface, and an NS for the VLT node1 IP reaches VLT node2 instead because of LAG-level hashing in the ToR. When VLT node1 receives the NS from the VLT VLAN interface, it unicasts an NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces including the ICL. When VLT node1 receives the NS on the ICL, it floods the NA packet on the VLAN.
Traffic Destined to VLT Nodes
Hosts can send traffic to one of the VLT nodes using either its global IP address or its link-local address (LLA). When a host communicates with a VLT node using the LLA and the traffic reaches the wrong peer because of LAG-level hashing in the ToR, the wrong peer should route the packet to the correct VLT node even though the destination IP is a link-local address. Consider a case in which traffic destined for VLT node1 reaches VLT node1 on the VLT interface, and traffic destined for VLT node1 reaches VLT node2 instead because of LAG-level hashing in the ToR.
60 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 134. VRF Network Example
VRF Configuration Notes
Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM.
VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Table 80. Software Features Supported on VRF
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Configuration rollback for commands introduced or modified | Yes | No
LLDP protocol on the port | Yes | No
802.
Table 80. Software Features Supported on VRF (continued)
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Basic | Yes | No
OSPFv3 | Yes | Yes
IS-IS | Yes | Yes
BGP | Yes | Yes
ACL | Yes | No
Multicast | Yes | No
NDP | Yes | Yes
RAD | Yes | Yes
Ingress/Egress Storm-Control (per interface/global) | Yes | No
DHCP | DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
VRF Configuration
The VRF configuration tasks are:
1.
Assigning an Interface to a VRF
You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
Table 83.
Assign an OSPF process to a VRF instance. Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Table 86. Assigning an OSPF Process to a VRF Instance
Task | Command Syntax | Command Mode
Enable the OSPFv2 process globally for a VRF instance. Enter the VRF keyword and instance name to tie the OSPF instance to the VRF.
Configuring Management VRF
You can assign a management interface to a management VRF.
Table 88. Configuring Management VRF
Task | Command Syntax | Command Mode
Create a management VRF. | ip vrf management | CONFIGURATION
Assign a management port to a management VRF.
Table 90. Configuring a Static Entry in the IPv6 Neighbor Discovery
Task | Command Syntax | Command Mode
Configure a static neighbor. | ipv6 neighbor vrf management 1::1 gigabitethernet 1/1 xx:xx:xx:xx:xx:xx | CONFIGURATION
Sample VRF Configuration
The following configuration illustrates a typical VRF set-up.
Figure 135.
Figure 136. Setup VRF Interfaces
The following example relates to the configuration shown in Figure 1 and Figure 2.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface GigabitEthernet 3/1
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/3
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
 ip address 3.0.0.2/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
  Destination        Gateway
  -----------        -------
C 2.0.0.0/24         Direct, Vl 192
C 20.0.0.0/24        Direct, Gi 1/2
O 21.0.0.0/24        via 2.0.0.
C 11.0.0.
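The two rules stated earlier for assigning interfaces to VRFs (ip vrf forwarding must be entered before ip address, and overlapping subnets are only permitted on interfaces in different VRFs) are easy to violate when a configuration is edited by hand. The following added audit script is not Dell code; it parses a running-config in the style of the Router 1 example above (a constructed sample with deliberate mistakes) and reports each violation, plus interfaces that reference a VRF never created with ip vrf.

```python
"""Audit a Dell Networking OS style VRF configuration for ordering and
subnet-overlap rules. Added example, not Dell code; sample config is constructed."""
import itertools
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the Router 1 configuration, with three
# deliberate mistakes: Gi 1/4 sets its address before its VRF binding,
# Vlan 300 overlaps Gi 1/1 inside the same VRF, and Vlan 400 references a
# VRF that was never created with 'ip vrf'. Gi 1/2 reuses Gi 1/1's subnet in
# a different VRF, which the guide allows.
SAMPLE_CONFIG = """\
ip vrf blue 1
!
ip vrf orange 2
!
interface GigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/4
 ip address 40.0.0.1/24
 ip vrf forwarding blue
 no shutdown
!
interface Vlan 300
 ip vrf forwarding blue
 ip address 10.0.0.129/25
 no shutdown
!
interface Vlan 400
 ip vrf forwarding green
 ip address 50.0.0.1/24
 no shutdown
!
"""


@dataclass
class Iface:
    name: str
    vrf: str = "default"          # no 'ip vrf forwarding' means the default VRF
    network: Optional[ipaddress.IPv4Network] = None
    address_before_vrf: bool = False


VRF_DEF_RE = re.compile(r"^ip vrf (?!forwarding\b)(\S+)")
VRF_FWD_RE = re.compile(r"^ip vrf forwarding (\S+)")
ADDR_RE = re.compile(r"^ip address (\S+)(?: (\S+))?$")


def parse_config(text: str) -> Tuple[Set[str], List[Iface]]:
    """Return the set of defined VRF names and the parsed interface stanzas."""
    vrfs: Set[str] = set()
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                       # stanza terminator
            cur = None
            continue
        if line.startswith("interface "):
            cur = Iface(name=line[len("interface "):])
            ifaces.append(cur)
            continue
        if cur is None:                       # global configuration line
            m = VRF_DEF_RE.match(line)
            if m:
                vrfs.add(m.group(1))
            continue
        m = VRF_FWD_RE.match(line)
        if m:
            cur.vrf = m.group(1)
            # The OS requires the VRF binding before any address; record the bad order.
            if cur.network is not None:
                cur.address_before_vrf = True
            continue
        m = ADDR_RE.match(line)
        if m:
            addr, mask = m.groups()
            spec = f"{addr}/{mask}" if mask else addr   # 'a.b.c.d/len' or 'a.b.c.d mask'
            cur.network = ipaddress.ip_interface(spec).network
    return vrfs, ifaces


def audit(text: str) -> List[str]:
    """Return one human-readable finding per rule violation."""
    vrfs, ifaces = parse_config(text)
    findings: List[str] = []
    for i in ifaces:
        if i.address_before_vrf:
            findings.append(f"{i.name}: ip address entered before ip vrf forwarding {i.vrf}")
        if i.vrf != "default" and i.vrf not in vrfs:
            findings.append(f"{i.name}: references undefined VRF {i.vrf}")
    addressed = [i for i in ifaces if i.network is not None]
    for a, b in itertools.combinations(addressed, 2):
        # The same subnet is legal across VRFs (separate RTMs); inside one VRF it is a conflict.
        if a.vrf == b.vrf and a.network.overlaps(b.network):
            findings.append(f"{a.name} and {b.name}: overlapping {a.network} and {b.network} in VRF {a.vrf}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```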
You can also leak global routes to make them available to VRFs. Because the global RTM usually contains a large pool of routes, when the destination VRF imports global routes they are duplicated into the VRF's RTM. As a result, it is mandatory to use route-maps to filter leaked routes while sharing global routes with VRFs.
Configuring Route Leaking without Filtering Criteria
You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF.
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
ip route-import 1:1
8. Configure the export target in VRF-blue.
ip route-export 3:3
9. Configure VRF-green.
ip vrf vrf-green
interface-type slot/port
ip vrf forwarding VRF-green
ip address ip-address mask
A non-default VRF named VRF-green is created and the interface is assigned to it.
10.
Show the routing tables of the VRFs (after the route-export and route-import tags are configured).
Dell# show ip route vrf VRF-Red
O  11.1.1.1/32     via 111.1.1.1                110/0   00:00:10
C  111.1.1.0/24    Direct, Gi 1/11              0/0     22:39:59
O  44.4.4.4/32     via VRF-shared:144.4.4.4     0/0     00:32:36
C  144.4.4.0/24    Direct, VRF-shared:Gi 1/4    0/0     00:32:36
Dell# show ip route vrf VRF-Blue
O  22.2.2.2/32     via 122.2.2.2                110/0   00:00:11
C  122.2.2.0/24    Direct, Gi 1/12              0/0     22:39:61
O  44.4.4.4/32     via vrf-shared:144.4.4.
For leaking these routes from VRF-red to VRF-blue, you can use the ip route-export route-map command on VRF-red (source VRF, that is exporting the routes); you must also specify a match criteria for these routes using the match source-protocol command. When you leak these routes into VRF-blue, only the routes (OSPF and BGP) that satisfy the matching criteria defined in route-map export_ospfbgp_protocol are exposed to VRF-blue.
!this action accepts only OSPF routes from VRF-red even though both OSPF as well as BGP routes are shared
The show VRF commands display the following output:
Dell# show ip route vrf VRF-Blue
C  122.2.2.0/24    Direct, Gi 1/22              0/0     22:39:61
O  22.2.2.2/32     via 122.2.2.2                110/0   00:00:11
O  44.4.4.4/32     via vrf-red:144.4.4.4        0/0     00:32:36   << only OSPF and BGP leaked from VRF-red
Important Points to Remember
• Only Active routes are eligible for leaking.
61 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 137. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and do not depend on interior gateway protocol (IGP) convergence or routing-table updates.
VRRP Implementation
Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 91. Recommended VRRP Advertise Intervals
Total VRRP Groups | Recommended Advertise Interval | Groups/Interface
Less than 250 | 1 second | 12
Between 250 and 450 | 2–3 seconds | 24
Between 450 and 600 | 3–4 seconds | 36
Between 600 and 800 | 4 seconds | 48
Between 800 and 1000 | 5 seconds | 84
Between 1000 and 1200 | 7 seconds | 100
Between 1200 and 1500 | 8 seconds | 120
VRRP Configuration
By default, VRRP is not configured.
The following example shows how to verify the VRRP configuration.
Dell(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.
For more information, refer to VRRP Implementation. To activate a VRRP group on an interface (so that the VRRP group starts transmitting VRRP packets), configure at least one virtual IP address in the VRRP group. The virtual IP address is the IP address of the virtual router and does not require an IP address mask. You can configure up to 12 virtual IP addresses on a single VRRP group (VRID).
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
GigabitEthernet 1/2, VRID: 111, Version: 2 Net: 10.10.2.1
State: Master, Priority: 100, Master: 10.10.2.
Configuring VRRP Authentication
Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, Dell Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.
NOTE: You must configure all virtual routers in the VRRP group the same way: either enable authentication with the same password on every one of them, or authentication is disabled.
NOTE: Authentication for VRRPv3 is not supported.
The following example shows how to verify that preempt is disabled using the show conf command.
Dell(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.
Track an Interface or Object
You can set Dell Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group's priority decreases by a default value of 10 (also known as cost). If the tracked interface's state goes up, the VRRP group's priority increases by 10.
The following example shows how to verify tracking using the show conf command.
Dell(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 track GigabitEthernet 1/2
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
The following example shows how to verify the tracking status.
Setting VRRP Initialization Delay
Once configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to come up before the VRRP Master is selected. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 138. VRRP for IPv4 Topology
Examples of Configuring VRRP for IPv4 and IPv6
The following example shows how to configure VRRP for IPv4 on Router 2.
R2(conf)#interface gigabitethernet 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#interface tengigabitethernet 3/21
R3(conf-if-gi-3/21)#ip address 10.1.1.2/24
R3(conf-if-gi-3/21)#vrrp-group 99
R3(conf-if-gi-3/21-vrid-99)#virtual 10.1.1.
Figure 139. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows how to configure VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
interface GigabitEthernet 1/1
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-gi-1/1)#end
R2#show vrrp
------------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Vir
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance so that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
S1(conf-if-gi-1/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-gi-1/2)#no shutdown
!
S1(conf)#interface GigabitEthernet 1/3
S1(conf-if-gi-1/3)#ip vrf forwarding VRF-3
S1(conf-if-gi-1/3)#ip address 20.1.1.5/24
S1(conf-if-gi-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-gi-1/3-vrid-105)#priority 255
S1(conf-if-gi-1/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100
Authentication: (none)
VRRP in VRF: Switch-2 VLAN Configuration
Switch-2
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 1/1
S2(conf-if-gi-1/1)#no ip address
S2(conf-if-gi-1/1)#switchport
S2(conf-if-gi-1/1)#no shutdown
!
S2(conf-if-gi-1/1)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)
VRRP for IPv6 Configuration
This section shows a VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of the two routers has a higher IP or IPv6 address.
Router 2
R2(conf)#interface gigabitethernet 1/1
R2(conf-if-gi-1/1)#no ip address
R2(conf-if-gi-1/1)#ipv6 address 1::1/64
R2(conf-if-gi-1/1)#vrrp-group 10
NOTE: You must configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
Dell#show vrrp gigabitethernet 1/1
GigabitEthernet 1/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 10
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
Virtual Router Redundancy Protocol (VRRP) 831
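The show vrrp displays in this chapter carry the facts an operator should check on every group: the virtual MAC is derived from the VRID (00:00:5e:00:01:VRID for IPv4, 00:00:5e:00:02:VRID for IPv6, as the displays above show), a group holds at most 12 virtual addresses, VRRPv2 groups should use authentication (VRRPv3 does not support it), a non-zero "Bad pkts rcvd" count deserves attention, and Table 91 gives the advertise interval to use for a given total number of groups. The following added script is not Dell code; it parses a constructed show vrrp sample modelled on the displays above and reports those checks.

```python
"""Audit 'show vrrp' output against the checks described in this chapter.
Added example, not Dell code; the sample output below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the show vrrp displays in this chapter.
# Group 99 has a virtual MAC that does not match its VRID and has seen bad
# packets; group 111 is VRRPv2 without authentication; group 10 is VRRPv3.
SAMPLE_SHOW_VRRP = """\
------------------
GigabitEthernet 1/1, VRID: 111, Version: 2 Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
------------------
GigabitEthernet 1/2, IPv4 VRID: 99, Version: 2, Net: 10.1.1.1
VRF: 0 default-vrf
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 7, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:64
Virtual IP address: 10.1.1.3
Authentication: simple
------------------
GigabitEthernet 1/3, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: fe80::10 1::10
Authentication: (none)
"""

# Matches both header styles seen in the guide ("VRID:" with or without a family label).
HEADER_RE = re.compile(
    r"^(?P<iface>[^,]+), (?:(?P<family>IPv4|IPv6) )?VRID: (?P<vrid>\d+), Version: (?P<ver>\d+)")

# Table 91: upper bound of each 'Total VRRP Groups' band and its recommended interval.
ADVERT_BANDS = [(250, "1 second"), (450, "2-3 seconds"), (600, "3-4 seconds"),
                (800, "4 seconds"), (1000, "5 seconds"), (1200, "7 seconds"),
                (1500, "8 seconds")]
MAX_VIPS_PER_GROUP = 12


def expected_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC the group must advertise: 00:00:5e:00:01:<VRID> (IPv4) or 00:00:5e:00:02:<VRID> (IPv6)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5e:00:{2 if ipv6 else 1:02x}:{vrid:02x}"


def recommended_advert_interval(total_groups: int) -> Optional[str]:
    """Advertise interval recommended by Table 91; None beyond the table's last band."""
    for limit, interval in ADVERT_BANDS:
        if total_groups < limit:
            return interval
    return None


def parse_show_vrrp(text: str) -> List[Dict]:
    """Split show vrrp output into one dict per VRRP group."""
    groups: List[Dict] = []
    g: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            g = {"iface": m["iface"], "family": m["family"] or "IPv4",
                 "vrid": int(m["vrid"]), "version": int(m["ver"]),
                 "bad_pkts": 0, "vmac": "", "vips": [], "auth": ""}
            groups.append(g)
            continue
        if g is None:
            continue
        m = re.search(r"Bad pkts rcvd: (\d+)", line)
        if m:
            g["bad_pkts"] = int(m.group(1))
        m = re.match(r"Virtual MAC address: (\S+)", line)
        if m:
            g["vmac"] = m.group(1).lower()
        m = re.match(r"Virtual IP address: (.*)", line)
        if m:
            g["vips"] = m.group(1).split()
        m = re.match(r"Authentication: (.*)", line)
        if m:
            g["auth"] = m.group(1).strip()
    return groups


def audit_vrrp(text: str) -> List[str]:
    """One finding per problem; VRRPv3 groups are not flagged for missing authentication."""
    findings: List[str] = []
    for g in parse_show_vrrp(text):
        tag = f"{g['iface']} VRID {g['vrid']}"
        want = expected_virtual_mac(g["vrid"], g["family"] == "IPv6")
        if g["vmac"] and g["vmac"] != want:
            findings.append(f"{tag}: virtual MAC {g['vmac']} does not match VRID (expected {want})")
        if g["version"] == 2 and g["auth"] == "(none)":
            findings.append(f"{tag}: VRRPv2 group without authentication")
        if g["bad_pkts"] > 0:
            findings.append(f"{tag}: {g['bad_pkts']} bad VRRP packets received")
        if len(g["vips"]) > MAX_VIPS_PER_GROUP:
            findings.append(f"{tag}: {len(g['vips'])} virtual addresses exceeds the limit of {MAX_VIPS_PER_GROUP}")
    return findings
```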
62 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the device.
Topics:
• Offline Diagnostics
• Trace Logs
• Auto Save on Crash or Rollover
• Last Restart Reason
• Hardware Watchdog Timer
• Using the Show Hardware Commands
• Enabling Environmental Monitoring
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
NOTE: The system reboots when the offline diagnostics complete. This is an automatic process. The following warning message appears when you run the offline stack-unit command:
Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with OfflineDiags [confirm yes/no]:y
After the system goes offline, you must reload or run the online stack-unit stack-unit-number command to return to normal operation.
2. Confirm the offline status.
Hardware Watchdog Timer
The hardware watchdog command automatically reboots a Dell Networking OS switch/router with a single RPM that is unresponsive. This is a last-resort mechanism intended to prevent a manual power cycle.
Using the Show Hardware Commands
The show hardware command tree consists of commands used with the system. These commands display information from a hardware sub-component and from hardware-based feature tables.
EXEC Privilege mode
show hardware stack-unit {0-11} unit {0-1} execute-shell-cmd {command}
• View the Multicast IPMC replication table from the bShell.
EXEC Privilege mode
show hardware stack-unit {0-11} unit {0-1} ipmc-replication
• View the internal statistics for each port-pipe (unit) on a per-port basis.
EXEC Privilege mode
show hardware stack-unit {0-11} unit {0-1} port-stats [detail]
• View the stack-unit internal registers for each port-pipe.
Minor Off 55 Unit3 Minor 60 Major Off 75 Major 80 Shutdown 85
Troubleshoot an Over-temperature Condition
To troubleshoot an over-temperature condition, use the following information.
1. Use the show environment commands to monitor the temperature levels.
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly.
3. After the software has determined that the temperature levels are within normal limits, you can re-power the card safely.
Table 93. SNMP Traps and OIDs (continued)
OID String | OID Name | Description
.1.3.6.1.4.1.6027.3.16.1.1.6 | fpStatsPerCOSTable | View the forwarding plane statistics containing the packet buffer statistics per COS per port.
Troubleshooting Packet Loss
The show hardware stack-unit command is intended primarily to troubleshoot packet loss. To troubleshoot packet loss, use the following commands.
Port bitmap zero Drops
Rx VLAN Drops
--- Ingress MAC counters ---
Ingress FCSDrops
Ingress MTUExceeds
--- MMU Drops ---
Ingress MMU Drops
HOL DROPS(TOTAL)
HOL DROPS on COS0
HOL DROPS on COS1
HOL DROPS on COS2
HOL DROPS on COS3
HOL DROPS on COS4
HOL DROPS on COS5
HOL DROPS on COS6
HOL DROPS on COS7
HOL DROPS on COS8
HOL DROPS on COS9
HOL DROPS on COS10
HOL DROPS on COS11
HOL DROPS on COS12
HOL DROPS on COS13
HOL DROPS on COS14
HOL DROPS on COS15
HOL DROPS on COS16
HOL DROPS on COS17
TxPurge CellErr
Aged Drops
--- Egress MAC counters ---
Egress FCS Drops
--- Egress FORWARD PROCESSOR ---
IPv4 L3UC Aged & Drops
TTL Threshold Drops
INVALID VLAN CNTR Drops
L2MC Drops
PKT Drops of ANY Conditions
Hg MacUnderflow                 : 0
TX Err PKT Counter              : 0
--- Error counters ---
Internal Mac Transmit Errors    : 0
Unknown Opcodes                 : 0
Internal Mac Receive Errors     : 0
Dell#show hardware stack-unit 1 drops
UNIT No: 1
Total Ingress Drops : 6804353
Total IngMac Drops  : 0
Total Mmu Drops     : 124904297
Total EgMac Drops   : 0
Total Egress Drops  : 0
Dell#show hardware stack-unit 1 drops unit 0
UserPort  PortNumber  Egress Drops
1    1    0    0
2    2    0    0
3    3    0    0
4    4    0    0
5    5    0    0
6    6    0    0
7    7    0    0
8    8    0    0
9    9    0    0
10   10   0    0
11   11   0    0
12   12   0    0
13
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good VLAN Frame Counter
RX - 1519 to 2047 Byte Frame Counter
RX - 2048 to 4095 Byte Frame Counter
RX - 4096 to 9216 Byte Frame Counter
RX - Good Packet Counter
RX - Packet/frame Counter
RX - Unicast Packet Counter
RX - Multicast Packet Counter
RX - Broadcast Frame Counter
RX - Byte Counter
RX - Control frame counter
RX - PAUSE frame counter
RX - Oversized frame counter
RX - Jabber frame counter
RX - VLAN tag frame counter
RX - Double VLAN tag frame counter
RX - RUNT frame counter
RX - Fragment counter
RX - VLAN tagged packets
TX - 64 Byte Frame Counter
TX - 64 to 127 Byte Frame Counter
TX - 128 to 255 Byte Frame Counter
TX - 256 to 511 Byte Frame Counter
TX - 512 to 1023 Byte Frame Counter
TX - 1024 to 1518 Byte Frame Counter
TX - 1519 to 1522 Byte Good VLAN Frame Counter
TX - 1519 to 2047 Byte Frame Counter
TX - 2048 to 4095 Byte Frame Counter
TX - 4096 to 9216 Byte Frame Counter
TX - Good Packet Counter
TX - Packet
RX - RUNT Frame Counter                 0
RX - Fragment Counter                   0
RX - VLAN Tagged Packets                0
RX - Ingress Dropped Packet             0
RX - MTU Check Error Frame Counter      0
RX - PFC Frame Priority 0               0
RX - PFC Frame Priority 1               0
RX - PFC Frame Priority 2               0
RX - PFC Frame Priority 3               0
RX - PFC Frame Priority 4               0
RX - PFC Frame Priority 5               0
RX - PFC Frame Priority 6               0
RX - PFC Frame Priority 7               0
RX - Debug Counter 0                    0
RX - Debug Counter 1                    0
RX - Debug Counter 2                    0
Enabling Application Core Dumps
Applicatio
13 -rw- 156 Aug 31 2009 16:14:56 +00:00 f10StkUnit0.acl.acore.mini.
63 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click "Browse and search IETF documents," enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.
General Internet Protocols
The following table lists the Dell Networking OS support per platform for general internet protocols.
Table 94. General Internet Protocols
RFC# | Full Name | Z-Series | S-Series
768 | User Datagram Protocol | 7.6.
Table 95. General IPv4 Protocols (continued)
RFC# | Full Name | Z-Series | S-Series
826 | An Ethernet Address Resolution Protocol | 7.6.1
1027 | Using ARP to Implement Transparent Subnet Gateways | 7.6.1
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.1
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks | 7.6.1
1191 | Path MTU Discovery | 7.6.1
1305 | Network Time Protocol (Version 3) Specification, Implementation and Analysis | 7.6.
Table 95. General IPv4 Protocols (continued)
RFC# | Full Name | Z-Series | S-Series
3069 | VLAN Aggregation for Efficient IP Address Allocation | 7.8.1
3128 | Protection Against a Variant of the Tiny Fragment Attack | 7.6.1
General IPv6 Protocols
The following table lists the Dell Networking OS support per platform for general IPv6 protocols.
Table 96. General IPv6 Protocols
RFC# | Full Name | Z-Series
1886 | DNS Extensions to support IP version 6 | 7.8.
Table 96. General IPv6 Protocols (continued)
RFC# | Full Name | Z-Series | S-Series
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1
4443 | Internet Control Message Protocol (ICMPv6) for the IPv6 Specification | 7.8.1
4861 | Neighbor Discovery for IPv6 | 8.3.12.0
4862 | IPv6 Stateless Address Autoconfiguration | 8.3.12.0
5175 | | 8.3.12.
Table 97. Border Gateway Protocol (BGP) (continued)
RFC# | Full Name | S-Series/Z-Series
draft-ietf-idr-restart-06 | Graceful Restart Mechanism for BGP | 7.8.1
Open Shortest Path First (OSPF)
The following table lists the Dell Networking OS support per platform for the OSPF protocol.
Table 98. Open Shortest Path First (OSPF)
RFC# | Full Name | S-Series/Z-Series
1587 | The OSPF Not-So-Stubby Area (NSSA) Option | 7.6.1
2154 | OSPF with Digital Signatures | 7.6.1
2328 | OSPF Version 2 | 7.6.
Routing Information Protocol (RIP)
The following table lists the Dell Networking OS support per platform for the RIP protocol.
Table 100. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series
1058 | Routing Information Protocol | 7.8.1
2453 | RIP Version | 7.8.1
4191 | Default Router Preferences and More-Specific Routes | 8.3.12.0
Multicast
The following table lists the Dell Networking OS support per platform for Multicast protocols.
Table 101.
Table 102. Network Management (continued)
RFC# | Full Name | S4810
1212 | Concise MIB Definitions | 7.6.1
1215 | A Convention for Defining Traps for use with the SNMP | 7.6.1
1493 | Definitions of Managed Objects for Bridges [except for the dot1dTpLearnedEntryDiscards object] | 7.6.1
1724 | RIP Version 2 MIB Extension |
1850 | OSPF Version 2 Management Information Base | 7.6.1
1901 | Introduction to Community-based SNMPv2 | 7.6.1
2011 | SNMPv2 Management Information Base for the Internet Protocol using SMIv2 | 7.6.
Table 102. Network Management (continued)
RFC# | Full Name | S4810 | S4820T | Z-Series
 | Internet-standard Network Management Framework | 9.5.(0.0) | 9.5.(0.0)
2578 | Structure of Management Information Version 2 (SMIv2) | 7.6.1
2579 | Textual Conventions for SMIv2 | 7.6.1
2580 | Conformance Statements for SMIv2 | 7.6.1
2618 | RADIUS Authentication Client MIB, except the following four counters: | 7.6.
Table 102. Network Management (continued)
RFC# | Full Name | S4810 | S4820T | Z-Series
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1
3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines | 7.6.1
3815 | Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP) |
4001 | Textual Conventions for Internet Network Addresses | 8.3.12
4292 | IP Forwarding Table MIB | 9.5.(0.
Table 102. Network Management (continued)
RFC# | Full Name | S4810 | S4820T | Z-Series
 | ... information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 9.2.(0.0) | 9.2.(0.0)
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1
ruzin-mstp-mib-02 (Traps) | Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol | 7.6.1
sFlow.org | sFlow Version 5 | 7.7.1
sFlow.org | sFlow Version 5 MIB | 7.7.
Table 102. Network Management (continued)
RFC# | Full Name | S4810 | S4820T
FORCE10-TC-MIB | Force10 Textual Convention | 7.6.1
FORCE10-TRAP-ALARM-MIB | Force10 Trap Alarm MIB | 7.6.1
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.