Dell EMC SmartFabric OS10 User Guide Release 10.5.2 12 2020 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this guide
This guide is intended for system administrators who are responsible for configuring and maintaining networks. It covers the following details:
● Installation and setup of Dell EMC SmartFabric OS10.
● Description, configuration information, limitations and restrictions, and examples of features that SmartFabric OS10 supports.
● Reference information and examples on configuring protocols.
2 Change history
The following table provides an overview of the changes to this guide from a previous OS10 release to the 10.5.2.2 release. For more information about the new features, see the respective sections.
Table 2. New in 10.5.2.2
Revision | Date | Feature | Description
A02 | 2020-12-16 | Dynamic discovery of nonintegrated devices | SmartFabric Services (SFS) can discover end-host devices (unknown servers) dynamically based on standard LLDP PDUs without custom TLVs sent out through the connected ports.
Table 3. New in 10.5.2.1 (continued) Revision Date Feature Description list, or any extended attribute from the extended community list. CLI enhancements ● The show techsupport command now displays transceiver information. ● The transceiver and interface parameters are now optional for the show interface phyeth command. ● Based on the BGP asnotation present in the configuration, the OSPFv2/v3 and BGP show configuration commands now display asnotation based output.
Table 3. New in 10.5.2.1 (continued) Revision Date Feature Description interface-ID (option 18) and remote-ID (option 37). Configuring BGP templates Ability to configure the BGP templates to support the following attributes in IPv4 and IPv6 address family level: next-hop-self, soft reconfiguration inbound, maximum-prefix, and addpath. Initiate SSH session with another switch Support to enable or disable the ssh command that lets you establish a connection between two switches. Table 4. New in 10.5.
Table 4. New in 10.5.2.0 (continued) Revision Date Feature Description ● Configuration of local user authentication by smart card with password ● Configuration of local user authentication by smart card without a password ● Security profile settings used by X.
3 Getting Started with Dell EMC SmartFabric OS10
Dell EMC SmartFabric OS10 is a network operating system (NOS) supporting multiple architectures and environments. The SmartFabric OS10 solution allows multi-layered disaggregation of network functionality. SmartFabric OS10 bundles industry-standard management, monitoring, and Layer 2 and Layer 3 networking stacks over CLI, SNMP, and REST interfaces. Users can choose their own third-party networking, monitoring, management, and orchestration applications.
Starting from Release 10.5.1.0, SmartFabric OS10 comes with a single partition. Both the active and standby software images are stored in this partition. OS10 installation and upgrade procedures continue to work as usual. However, after you install a 10.5.1.0 (or later) image, if you want to downgrade to a 10.5.0.0 (or earlier) image, you must back up the configuration and license files. See Downgrade to Release 10.5.0.0 or earlier releases for more information.
Log in
Connect a terminal emulator to the console serial port on the switch using a serial cable. Serial port settings are 115200 baud rate, 8 data bits, and no parity.
To log in to an OS10 switch, power up and wait for the system to perform a power-on self-test (POST). Enter admin for both the default user name and user password. Change the default admin password after the first OS10 login. The system saves the new password for future logins.
Architecture: x86_64
Up Time: 1 day 00:54:13
Install firmware upgrade
You may need to upgrade the firmware components on an OS10 switch without upgrading the OS10 image. To upgrade firmware components in a separate operation:
1. Download the OS10 firmware file from a server using the image download server-filepath/firmware-filename command in EXEC mode; for example:
OS10# image download http://10.11.8.184/tftpboot/users/regr//neteng/okelani/files/new/onie-firmware-x86_64-dellemc_s5200_c3538-r0.3.40.5.1-9.
Upgrade OS10 manually from the CLI
To upgrade an OS10 image, first download and unpack the new OS10 binary image as described in Download OS10 image for upgrade. Then copy the binary image file to a local server and follow the steps in Install OS10 upgrade.
NOTE:
● To upgrade a Dell EMC ONIE switch to OS10 from OS9 or another network operating system (NOS), follow the procedure in Baremetal switch with only ONIE installed.
1. (Optional) Back up the current running configuration to the startup configuration in EXEC mode.
OS10# copy running-configuration startup-configuration
2. Back up the startup configuration in EXEC mode.
OS10# copy config://startup.xml config://
3. Download the new software image from the Dell Support Site, extract the bin files from the tar file, and save the file in EXEC mode.
● System is presently running a release earlier than 10.5.1.0 and you are installing 10.5.2.0 or later
Reload the new software image in EXEC mode.
OS10# reload
● System is presently running 10.5.1.0 or later release and you are installing 10.5.2.0 or later now
a. Change the next boot image to the standby image in EXEC mode.
OS10# boot system standby
Check whether the next boot has changed to the standby image in EXEC mode.
OS10# show boot detail
b. Reload the new software image in EXEC mode.
In this example topology:
● VLT-Peer1 and VLT-Peer2 are leaf nodes that are connected to the spine switch through port channel 10.
● Host1 is connected to both the VLT peer nodes through port channel 20.
● Host2 uses switch-independent NIC teaming.
● Switch1 is connected to the VLT peer nodes through port channel 30.
Summary of Upgrade Steps
1. Download the new OS10 image.
2. Install the image on VLT-Peer1 and VLT-Peer2 nodes.
3. Upgrade the secondary VLT node.
1. Download the new software image on both the VLT peer nodes from the Dell Support Site. Extract the bin files from the tar file, and save the file in EXEC mode. Download the extracted bin file to the OS10 switch using the image download command.
4. Use the show image status command to view the installation status.
12. Wait for VLT-Peer2 to come up. VLT adjacency will be established. VLT-Peer2 becomes the secondary node. Wait until VLT-Peer2 starts to forward traffic after the delay-restore timer expires.
Upgrade on VLT peer nodes is now complete. Both the nodes actively forward traffic. After upgrade, VLT-Peer1 is the primary node and VLT-Peer2 is the secondary node.
VLT upgrade with minimal loss for upgrades from 10.5.0.x or previous release to 10.5.1.
OS10(configure-router-bgpv4-af)# network
OS10(configure-router-bgpv4-af)#
Check OS10 license
To check the status of the pre-installed OS10 license, use the show license status command. A factory-installed OS10 image runs with a perpetual license. If you pre-order a Dell EMC switch with OS10, you do not need to install a license. If you download OS10 on a trial basis, OS10 comes with a 120-day trial license. Purchase and install a perpetual license after the trial period expires.
Upgrade commands
boot system
Sets the boot image to use for the next reboot.
Syntax
boot system {active | standby}
Parameters
● active — Reset the running image as the next boot image.
● standby — Set the standby image as the next boot image.
Default
Active
Command Mode
EXEC
Usage Information
Use this command to configure the location of the OS10 image used to reload the software at boot time. Use the show boot command to view the configured next boot image.
Supported Releases
10.2.0E or later
image download
Downloads a new software image or firmware file to the local file system.
Syntax
image download file-url
Parameters
file-url—Enter the URL of the image file:
● ftp://userid:passwd@hostip/filepath—Enter the path to copy from the remote FTP server.
● http://hostip/filepath—Enter the path to copy from the remote HTTP server.
● scp://userid:passwd@hostip/filepath—Enter the path to copy from the remote SCP file system.
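An added example (not from the Dell guide): a Python audit that scans recorded OS10 commands for the URL forms used by the image download, image install, copy and license install commands in this guide, flags cleartext transports (ftp, http, tftp) and passwords embedded in the command line, and masks each password before the line is reported. The sample history, addresses and credentials are constructed; only the command names and URL schemes come from this page.

```python
"""Audit recorded OS10 commands for credential exposure in file-transfer URLs."""
import re
from dataclasses import dataclass

# URL schemes this guide lists for image download, image install, copy and
# license install. The grouping is a general property of each protocol.
CLEARTEXT = {"ftp", "http", "tftp"}         # contents and credentials sent unencrypted
ENCRYPTED = {"scp", "sftp"}                 # carried over SSH
LOCAL = {"config", "home", "image", "usb"}  # no network transfer

COMMANDS = ("image download", "image install", "license install", "copy")

# scheme://[userid[:passwd]@]rest
URL_RE = re.compile(
    r"\b(?P<scheme>[a-z]+)://"
    r"(?:(?P<user>[^\s:/@]+)(?::(?P<password>[^\s/@]*))?@)?"
    r"(?P<rest>\S*)"
)
PROMPT_RE = re.compile(r"^\S*[#>]\s+")      # e.g. "OS10# " or "OS10(config)# "


@dataclass
class Finding:
    line_no: int
    scheme: str
    issues: list
    redacted: str  # full command with every URL password masked


def redact(text):
    """Mask the password of every URL in a command line."""
    def mask(m):
        if m["password"] is None:
            return m.group(0)
        return f'{m["scheme"]}://{m["user"]}:<redacted>@{m["rest"]}'
    return URL_RE.sub(mask, text)


def audit(history):
    """Return one Finding per risky remote URL in a block of CLI history."""
    findings = []
    for line_no, raw in enumerate(history.splitlines(), start=1):
        text = PROMPT_RE.sub("", raw.strip())
        if not any(text.startswith(c + " ") for c in COMMANDS):
            continue
        for m in URL_RE.finditer(text):
            scheme = m["scheme"]
            if scheme in LOCAL:
                continue
            issues = []
            if m["password"] is not None:
                # The password is visible in history, logs and saved runbooks.
                issues.append("password-in-command")
            if scheme in CLEARTEXT:
                issues.append("cleartext-transport")
            elif scheme not in ENCRYPTED:
                issues.append("unknown-scheme")
            if issues:
                findings.append(Finding(line_no, scheme, issues, redact(text)))
    return findings


# Constructed sample history; hosts, paths and credentials are placeholders.
SAMPLE_HISTORY = """\
OS10# image download http://192.0.2.10/images/os10-installer.bin
OS10# copy running-configuration scp://backup:S3cret!@192.0.2.20/cfg/leaf1.txt
OS10# copy config://startup.xml ftp://backup:S3cret!@192.0.2.20/cfg/startup.xml
OS10# image install image://os10-installer.bin
OS10# show boot detail
OS10# copy running-configuration startup-configuration
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {', '.join(f.issues)}: {f.redacted}")
```
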
○ image://filename—Enter the path to use to install the image from a local file system.
○ usb://filepath—Enter the path to use to install the image from the USB file system.
Default
All
Command Mode
EXEC
Usage Information
Use the show image status command to view the installation progress.
Example
OS10# image install ftp://10.206.28.174:/PKGS_OS10-Enterprise-10.4.0E.55installer-x86_64.bin
Supported Releases
10.2.0E or later
reload onie
Uninstalls existing operating system and reloads to ONIE.
Example
OS10# show boot
Current system image information:
===================================
Type       Boot Type    Active        Standby       Next-Boo
------------------------------------------------------------------------------------
Node-id 1  Flash Boot   [A] 10.5.0.4  [B] 10.5.1.0  [B] stand
Example (Detail)
OS10# show boot detail
Current system image information detail:
==========================================
Type: Node-id 1
Boot Type: Flash Boot
Active Partition: A
Active SW Version: 10.5.0.
Supported Releases
10.5.0 or later
show image status
Displays image transfer and installation information.
Syntax
show image status
Parameters
None
Default
Not configured
Command Mode
EXEC
Usage Information
On older versions of OS10, the image install command may appear frozen and does not display the current image status. Duplicate the SSH or Telnet session and re-enter the show image status command to view the current status.
Supported Releases
10.2.0E or later
Baremetal switch with only ONIE installed
If your Dell EMC ONIE-enabled switch does not have a default OS installed, you can download an OS10 software image from the Dell Digital Locker and install it using ONIE. Also, install OS10 on a Dell EMC ONIE device when:
● You convert a switch from OS9 or any third-party OS.
● You receive a replacement device from Dell EMC return material authorization (RMA).
Download OS10 image
If you purchase the OS10 Enterprise Edition image with an after point-of-sale order, your OS10 purchase allows you to download software images posted within the first 90 days of ownership. After the order is complete, you receive an email notification with a software entitlement ID, order number, and link to the DDL. To extend the software-entitled download period, you must have a Dell EMC ProSupport or ProSupport Plus contract on your hardware.
● Connect the Management port to the network to download an image over a network.
To locate the Console port and the Management port, see the platform-specific Installation Guide at www.dell.com/support.
Install OS10
For an ONIE-enabled switch, go to the ONIE boot menu. An ONIE-enabled switch boots up with pre-loaded diagnostics (DIAGs) and ONIE software.
2. Boot up the switch in ONIE: Install mode to install an OS10 image.
Starting: discover... done.
ONIE:/ # Info: eth0: Checking link... up.
Info: Trying DHCPv4 on interface: eth0
ONIE: Using DHCPv4 addr: eth0: 10.10.10.17 / 255.0.0.0
Info: eth1: Checking link... down.
ONIE: eth1: link down. Skipping configuration.
ONIE: Failed to configure eth1 interface
ONIE: Starting ONIE Service Discovery
Info: Fetching tftp://10.10.10.2/onie-installer-x86_64-dellemc_s4148fe_c2338 ...
Info: Fetching tftp://10.10.10.
For example, enter
ONIE:/ # onie-nos-install ftp://a.b.c.d/PKGS_OS10-Enterprise-x.x.xx.bin
Where a.b.c.d represents the location to download the image file from, and x.x.xx represents the version number of the software to install.
The OS10 installer image creates several partitions. After installation completes, the switch automatically reboots and loads the OS10 active image. The other image becomes the standby image.
-* Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved. *-* *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*This product is protected by U.S. and international copyright and intellectual property laws. Dell EMC and the Dell EMC logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Table 5. Install license using VRF (continued)
File transfer method | Default VRF | Management VRF¹ | Non-default VRF
SFTP | Yes | Yes | No
TFTP | Yes | Yes | No
USB | Yes | Yes | Yes
¹ Before you configure the management VRF for use in OS10 license installation, remove all IP addresses on the management interface.
Install license — SCP
OS10# license install scp://user:userpwd@10.1.1.10/0A900Q2-NOSEnterprise-License.xml
License installation success.
Verify license installation
OS10# show license status
System Information
---------------------------------------------------------
Vendor Name : DELL EMC
Product Name : S4148F-ON
Hardware Version : X01
Platform Name : x86_64-dell_s4100_c2338-r0
PPID : TW09H9MN282987130026
Service Tag : 9531XC2
Product Base :
Product Serial Number:
Product Part Number :
License Details
----------------
Software : OS10-Enterprise
Version : 10.5.1.
3. Back up the current running configuration to an external storage.
OS10# copy running-configuration ftp://userid:passwd@hostip/filepath/10.5.2.0-runningconfiguration.txt
4. Back up the startup configuration (startup.xml) to an external storage.
OS10# write memory
OS10# copy config://startup.xml ftp://userid:passwd@hostip/filepath/10.5.2.0startup.xml
5. Download the OS10 binary image for Release 10.5.0.
Architecture: x86_64
Up Time: 1 day 00:54:13
11. If the saved configuration from Release 10.5.0.0 (or the earlier release to which you are downgrading) is available, apply the saved configuration and license files, and reload the switch.
OS10# copy ftp://userid:passwd@hostip/filepath/10.5.0.0-startup.xml config://startup.xml
OS10# license install scp://user:passwd@hostip/0A900Q2-NOSEnterprise-License.xml
OS10# reload
NOTE: While reloading, if the CLI prompts to save, select no for the save option.
1. Upgrade the ONIE to the latest version on the switch that is being downgraded.
2. Upgrade the Firmware to the latest version on the switch that is being downgraded.
3. Back up the current running configuration to an external storage.
OS10# copy running-configuration ftp://userid:passwd@hostip/filepath/10.5.2.0-runningconfiguration.txt
4. Back up the startup configuration (startup.xml) to an external storage.
OS10# write memory
OS10# copy config://startup.xml ftp://userid:passwd@hostip/filepath/10.5.2.
Architecture: x86_64
Up Time: 1 day 00:54:13
11. If the saved configuration from Release 10.5.1.0 (or the later release to which you are downgrading) is available, apply the saved configuration and license files, and reload the switch.
OS10# copy ftp://userid:passwd@hostip/filepath/10.5.1.0-startup.xml config://startup.xml
OS10# license install scp://user:passwd@hostip/0A900Q2-NOSEnterprise-License.xml
OS10# reload
NOTE: While reloading, if the CLI prompts to save, select no for the save option.
Switch deployment options
After you log in to OS10, configure the switch:
● Manually by using the command-line interface.
● Automatically using zero-touch deployment (ZTD).
● Automatically using customized scripts with Ansible.
Manual CLI configuration
Use the OS10 command-line interface to enter commands to monitor and configure an OS10 switch. Set up your switch by performing basic and advanced CLI tasks — CLI basics and Advanced CLI tasks.
● Location LED
Remote access
After you install or upgrade OS10 and log in, you can set up remote access to the OS10 command-line interface and the Linux shell. Connect to the switch using the serial port. Serial port settings are 115200 baud, 8 data bits, and no parity.
Configure remote access
1. Configure the Management IP address.
2. Configure Management route.
3. Configure user name and password.
Configure Management IP address
To remotely access OS10, assign an IP address to the management port.
● ipv6-address/prefix-length — Enter an IPv6 address in x:x:x:x::x format with the prefix length in /x format. The prefix range is /0 to /128.
● forwarding-router-address — Enter the next-hop IPv4/IPv6 address of a forwarding router that serves as a management gateway to connect to a different subnet.
● managementethernet — Send traffic on the Management port for the configured IPv4/IPv6 subnet.
4 CLI Basics
The OS10 CLI is the software interface you use to access a device running the software — from the console or through a network connection. The CLI is an OS10-specific command shell that runs on top of a Linux-based OS kernel. By leveraging industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to monitor and configure devices running OS10.
you commit them to activate the configuration. The start transaction command applies only to the current session. Changing the configuration mode of the current session to the Transaction-Based Configuration mode does not affect the configuration mode of other CLI sessions. ● After you explicitly enter the commit command to save changes to the candidate configuration, the session switches back to the default behavior of automatically saving the configuration changes to the running configuration.
Check device status
Use show commands to check the status of a device and monitor activities. Refer to the Related Videos section for more information.
● Enter show ? from EXEC mode to view a list of commands to monitor a device; for example:
OS10# show ?
acl-table-usage alarms alias bfd boot candidate-configuration class-map clock ...
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Related Videos
Check Device Status
Command help
To view a list of valid commands in any CLI mode, enter ?; for example:
OS10# ?
alarm alias batch boot clear clock commit configure copy crypto ...
Candidate configuration
When you use OS10 configuration commands in Transaction-based configuration mode, changes do not take effect immediately and are stored in the candidate configuration. The configuration changes become active only after you commit the changes using the commit command. Changes in the candidate configuration are validated and applied to the running configuration. The candidate configuration allows you to avoid introducing errors during an OS10 configuration session.
To display only interface-related configurations in the candidate configuration, use the show candidate-configuration compressed and show running-configuration compressed commands. These views display only the configuration commands for VLAN and physical interfaces.
OS10# show candidate-configuration compressed
interface breakout 1/1/1 map 40g-1x
interface breakout 1/1/2 map 40g-1x
interface breakout 1/1/3 map 40g-1x
interface breakout 1/1/4 map 40g-1x
...
Prevent configuration changes
You can prevent configuration changes that are made on the switch in sessions other than the current CLI session using the lock command. To prevent and allow configuration changes in other sessions, use the lock and unlock commands in EXEC mode. When you enter the lock command, users in other active CLI sessions cannot make configuration changes.
OS10(conf-range-po-3)# switchport trunk allowed vlan 2-5
OS10(conf-range-po-3)# exit
OS10(config)# no interface range vlan 2-4
OS10(conf-range-po-3)# % Error: Range configuration conflict - the last command was not applied. Please commit (or discard) the rest of the configuration changes and retry.
If you see the error message in bold, commit the entire configuration and then delete a subset of VLANs.
Copy running configuration to local directory or remote server
OS10# copy running-configuration {config://filepath | home://filepath | ftp://userid:passwd@hostip/filepath | scp://userid:passwd@hostip/filepath | sftp://userid:passwd@hostip/filepath | tftp://hostip/filepath}
OS10# copy running-configuration scp://root:calvin@10.11.63.120/tmp/qaz.
Restore startup file from server
OS10# copy scp://admin:admin@hostip/backup-9-28.xml config://startup.xml
OS10# reload
System configuration has been modified. Save? [yes/no]:no
Reload system image
Reboot the system manually using the reload command in EXEC mode. You are prompted to confirm the operation.
OS10# reload
System configuration has been modified.
Common OS10 commands
boot
Configures the OS10 image to use the next time the system boots up.
Syntax boot system [active | standby]
Parameters
● active — Reset the running image as the next boot image.
● standby — Set the standby image as the next boot image.
Default Not configured
Command Mode EXEC
Usage Information Use this command to configure the OS10 image that is reloaded at boot time. Use the show boot command to verify the next boot image. The boot system command applies immediately.
Example
OS10# configure terminal
OS10(config)#
Supported Releases 10.2.0E or later
copy
Copies the current running configuration to the startup configuration and transfers files between an OS10 switch and a remote device.
Directory contents for folder: coredump
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------
2017-02-15T19:05:41Z   12402278      core.netconfd-pro.2017-02-15_19-05-09.gz
OS10# copy coredump://core.netconfd-pro.2017-02-15_19-05-09.gz scp://os10user:os10passwd@10.11.222.1/home/os10/core.netconfd-pro.2017-02-15_19-05-09.gz
Example: Copy startup configuration
OS10# dir config
Directory contents for Date (modified) --------------------2017-02-15T20:38:12Z startup.
● supportbundle://filepath — (Optional) Delete from the support-bundle directory.
● usb://filepath — (Optional) Delete from the USB file system.
Default Not configured
Command Mode EXEC
Usage Information Use this command to remove a regular file, software image, or startup configuration. Removing the startup configuration restores the system to the factory default. You must reboot the switch using the reload command for the operation to take effect.
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
OS10# dir severity-profile
Date (modified)        Size (bytes)  Name
---------------------  ------------  -------------
2019-03-27T15:24:06Z   46741         default.xml
2019-04-01T11:22:33Z   456           mySevProf.xml
Supported Releases 10.2.0E or later
discard
Discards changes made to the candidate configuration file.
end
Returns to EXEC mode from any other command mode.
Syntax end
Parameters None
Default Not configured
Command Mode All
Usage Information Use the end command to return to EXEC mode to verify currently configured settings with show commands.
Example
OS10(config)# end
OS10#
Supported Releases 10.2.0E or later
exit
Returns to the next higher command mode.
license Installs a license file from a local or remote location.
Parameters
● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx).
● ipv6-address/prefix-length — Enter an IPv6 address in x:x:x:x::x format with the prefix length in /xxx format. The prefix range is /0 to /128.
● forwarding-router-address — Enter the next-hop IPv4/IPv6 address of a forwarding router (gateway) for network traffic from the Management port.
● debug — Disable debugging.
● support-assist-activity — SupportAssist-related activity.
● terminal — Reset terminal settings.
Default Not configured
Command Mode EXEC
Usage Information Use this command in EXEC mode to disable or remove a configuration. Use the no ? in CONFIGURATION mode to view available commands.
Example
OS10# no alias goint
Supported Releases 10.2.0E or later
ping
Tests network connectivity to an IPv4 device.
○ do prevents fragmentation, including local.
○ want performs PMTU discovery and fragments large packets locally.
○ dont does not set the Don’t Fragment (DF) flag.
● -p pattern — (Optional) Enter a maximum of 16 pad bytes to fill out the packet you send to diagnose data-related problems in the network; for example, -p ff fills the sent packet with all 1’s.
● -Q tos — (Optional) Enter a maximum of 1500 bytes in decimal or hex datagrams to set quality of service (QoS)-related bits.
ping6
Tests network connectivity to an IPv6 device.
Syntax ping6 [vrf {management | vrf-name}] [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface] [-l preload] [-m mark] [-M pmtudisc_option] [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] [-W timeout] destination
Parameters
● vrf management — (Optional) Pings an IPv6 address in the management VRF instance.
● -w deadline — (Optional) Enter the time-out value in seconds before the ping exits regardless of how many packets are sent or received.
● -W timeout — (Optional) Enter the time to wait for a response in seconds. This setting affects the time-out only if there is no response, otherwise ping waits for two round-trip times (RTTs).
● hop1 ... (Optional) Enter the IPv6 addresses of the pre-specified hops for the ping packet to take.
show boot
Displays detailed information about the boot image.
Syntax show boot [detail]
Parameters None
Default Not configured
Command Mode EXEC
Usage Information The Next-Boot field displays the image that the next reload uses.
● compressed — (Optional) Current operating configuration in compressed format.
● control-plane — (Optional) Current operating control-plane configuration.
● dot1x — (Optional) Current operating dot1x configuration.
● evpn — (Optional) Current operating EVPN configuration.
● extcommunity-list — (Optional) Current operating extcommunity-list configuration.
● interface — (Optional) Current operating interface configuration.
! Last configuration change at Apr 11 10:36:43 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
logging monitor disable
ip route 0.0.0.0/0 10.11.58.
show environment Displays information about environmental system components, such as temperature, fan, and voltage.
Supported Releases 10.2.0E or later
show ip management-route
Displays the IPv4 routes used to access the Management port.
Syntax show ip management-route [all | connected | dynamic | static summary]
Parameters
● all — (Optional) Display the IPv4 routes that the Management port uses.
● connected — (Optional) Display only routes directly connected to the Management port.
● dynamic — (Optional) Display active management routes that are learned by a routing protocol.
show license status
Displays license status information.
Syntax show license status
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use the show license status command to verify the current license for running OS10, its duration, and the service tag assigned to the switch.
● compressed — (Optional) Current operating configuration in compressed format.
● control-plane — (Optional) Current operating control-plane configuration.
● crypto — (Optional) Current operating cryptographic configuration.
● dot1x — (Optional) Current operating dot1x configuration.
● evpn — (Optional) Current operating EVPN configuration.
● extcommunity-list — (Optional) Current operating extcommunity-list configuration.
Example Example (compressed)
OS10# show running-configuration
! Version 10.2.9999E
! Last configuration change at Apr 11 01:25:02 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
logging monitor disable
ip route 0.0.0.0/0 10.11.58.
show startup-configuration
Displays the contents of the startup configuration file.
Syntax show startup-configuration [compressed]
Parameters compressed — (Optional) View a compressed version of the startup configuration file.
Default Not configured
Command Mode EXEC
Usage Information None
Example Example (compressed)
OS10# show startup-configuration
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.0E or later
show system
Displays system information.
Syntax show system [brief | node-id]
Parameters
● brief — View an abbreviated list of the system information.
● node-id — View the node ID number.
Interface   Breakout capable  Breakout state
-----------------------------------------------------
Eth 1/1/5   No                BREAKOUT_1x1
Eth 1/1/6   No                BREAKOUT_1x1
Eth 1/1/7   No                BREAKOUT_1x1
Eth 1/1/8   No                BREAKOUT_1x1
Eth 1/1/9   No                BREAKOUT_1x1
Eth 1/1/10  No                BREAKOUT_1x1
Eth 1/1/11  No                BREAKOUT_1x1
Eth 1/1/12  No                BREAKOUT_1x1
Eth 1/1/13  No                BREAKOUT_1x1
Eth 1/1/14  No                BREAKOUT_1x1
Eth 1/1/15  No                BREAKOUT_1x1
Eth 1/1/16  No                BREAKOUT_1x1
Eth 1/1/17  No                BREAKOUT_1x1
Eth 1/1/18  No                BREAKOUT_1x1
Eth 1/1/19  No                BREAKOUT_1x1
Eth 1/1/20  No                BREA
Example
OS10# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved.
OS Version: 10.5.2.2
Build Version: 10.5.2.2.215
Build Time: 2020-12-11T21:35:41+0000
System Type: S5248F-ON
Architecture: x86_64
Up Time: 1 day 00:54:13
Supported Releases 10.2.0E or later
start
Activates Transaction-Based Configuration mode for the active session.
Syntax start transaction
Parameters transaction - Enables the transaction-based configuration.
system-cli disable
Disables the system command.
Syntax system-cli disable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command enables OS10 system command.
Example
OS10# configure terminal
OS10(config)# system-cli disable
Supported Releases 10.4.3.0 or later
system-user linuxadmin disable
Disables the linuxadmin account.
terminal
Sets the number of lines to display on the terminal and enables logging.
Syntax terminal {length lines | monitor}
Parameters
● length lines — Enter the number of lines to display on the terminal from 0 to 512; default 24.
● monitor — Enables logging on the terminal.
Default 24 terminal lines
Command Mode EXEC
Usage Information Enter zero (0) for the terminal to display without pausing.
Example
OS10# terminal monitor
Supported Releases 10.2.
○ host — (Required) Enter the name or IP address of the destination device.
○ packet_len — (Optional) Enter the total size of the probing packet. The default is 60 bytes for IPv4 and 80 for IPv6.
Default Not configured
Command Mode EXEC
Usage Information None
Example Example (IPv6) Supported Releases
OS10# traceroute www.dell.com
traceroute to www.dell.com (23.73.112.54), 30 hops max, 60 byte packets
1 10.11.97.254 (10.11.97.254) 4.298 ms 4.417 ms 4.398 ms
2 10.11.3.254 (10.11.3.254) 2.121 ms 2.
● role role — Enter a user role:
○ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
○ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys.
Supported Releases 10.2.
5 Advanced CLI tasks
Command alias
Provides information to create shortcuts for commonly used commands, see Command alias.
Batch mode
Provides information to run a batch file to execute multiple commands, see Batch mode.
Linux shell commands
Provides information to run commands from the Linux shell, see Linux shell commands.
OS9 commands
Provides information to enter configuration commands using an OS9 command syntax, see Using OS9 commands.
View alias output for goint
OS10(config)# goint 1/1/1
OS10(conf-if-eth1/1/1)#
View alias information
OS10# show alias
Name      Type
----      ----
govlt     Config
goint     Config
shconfig  Local
showint   Local
shver     Local
Number of config aliases : 2
Number of local aliases : 3
View alias information brief. Displays the first 10 characters of the alias value.
OS10# show alias brief
Name      Type    Value
----      ----    -----
govlt     Config  "vlt-domain..."
goint     Config  "interface ..."
shconfig  Local   "show runni...
showint   Local
shver     Local
● (Optional) You can enter the default values to use for the parameters defined as $n in ALIAS mode.
default n input-value
● (Optional) Enter a description for the multi-line alias in ALIAS mode.
description string
● Use the no form of the command to delete an alias in CONFIGURATION mode.
no alias alias-name
You can modify an existing multi-line alias by entering the corresponding ALIAS mode.
Number of config aliases : 1
Number of local aliases : 0
View alias information brief. Displays the first 10 characters of each line of each alias.
OS10# show alias brief
Name   Type    Value
----   ----    -----
mTest  Config  line 1 "interface ..."
               line 2 "no shutdow..."
               line 3 "show confi..."
               default 1 "ethernet"
               default 2 "1/1/1"
Number of config aliases : 1
Number of local aliases : 0
View alias detail. Displays the entire alias value.
Eth 1/1/3 up 40G A 1 Eth 1/1/4 up 40G A 1 Eth 1/1/5 up 40G A 1 Eth 1/1/6 up 40G A 1 Eth 1/1/7 up 40G A 1 Eth 1/1/8 up 40G A 1 Eth 1/1/9 up 40G A 1 Eth 1/1/10 up 40G A 1 Eth 1/1/11 up 40G A 1 Eth 1/1/12 up 40G A 1 Eth 1/1/13 up 40G A 1 Eth 1/1/14 up 40G A 1 Eth 1/1/15 up 40G A 1 Eth 1/1/16 up 40G A 1 Eth 1/1/17 up 40G A 1 Eth 1/1/18 up 40G A 1 Eth 1/1/19 up 40G A 1 Eth 1/1/20 up 40G A 1 Eth 1/1/21 up 40G A 1 Eth 1/1/22 up 40G A 1 Eth 1/1/23 up 40G A 1 Eth 1/1/24 up 40G A 1 Eth 1/1/25 up 40G A 1 Eth 1/1/26 up
default (alias)
Configures default values for input parameters in a multi-line alias.
Syntax default n value
Parameters
● n — Enter the number of the argument, from 1 to 9.
● value — Enter the value for the input parameter.
Default Not configured
Command Mode ALIAS
Usage Information To use special characters in the input parameter value, enclose the string in double quotation marks ("). The no version of this command removes the default value.
Usage Information The no version of this command removes the line number and the corresponding command from the multi-line alias.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 1 "interface $1 $2"
OS10(config-alias-mTest)# line 2 "no shutdown"
OS10(config-alias-mTest)# line 3 "show configuration"
Supported Releases 10.4.0E(R1) or later
show alias
Displays configured alias commands available in both Persistent and Non-Persistent modes.
                  default 2 "1/1/1"
shconfig  Local   "show running-configuration"
showint   Local   "show interface $*"
shver     Local   "show version"
Number of config aliases : 3
Number of local aliases : 3
Supported Releases 10.3.0E or later
Batch mode
To execute a sequence of multiple commands, create and run a batch file. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory.
● /home/filepath — Enter the username and the filepath as follows: batch /home/username/filename.
● config://filepath — Enter the filepath.
Default Not configured
Command Mode EXEC
Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode. OS10 automatically commits all commands in a batch file; you do not have to enter the commit command.
!
router bgp 100
!
neighbor 100.1.1.1 remote-as 104
no shutdown
admin@OS10:/opt/dell/os10/bin$
User admin logged out at session 16
● Use the ifconfig -a command to display the interface configuration. The Linux kernel port numbers that correspond to front-panel port, port-channel, and VLAN interfaces are displayed. Port-channel interfaces are in boportchannelnumber format. VLAN interfaces are in brvlan-id format. In this example, e101-001-0 identifies port 1/1/1.
Architecture: x86_64
Up Time: 1 day 00:54:13
Using OS9 commands
To enter configuration commands using an OS9 command syntax, use the feature config-os9-style command in CONFIGURATION mode and log out of the session. If you do not log out of the OS10 session, configuration changes made with OS9 command syntaxes do not take effect. After you log in again, you can enter OS9 commands, but only in the new session.
6 Dell EMC SmartFabric OS10 zero-touch deployment
Zero-touch deployment (ZTD) allows OS10 users to automate switch deployment:
● Upgrade an existing OS10 image.
● Execute a CLI batch file to configure the switch.
● Execute a post-ZTD script to perform additional functions.
ZTD is enabled by default when you boot up a switch with a factory-installed OS10 for the first time or when you perform an ONIE: OS Install from the ONIE boot menu.
3. If you specify an OS10 CLI batch file with configuration commands for CLI_CONFIG_FILE, ZTD executes the commands in the PRE-CONFIG and POST-CONFIG sections. After executing the PRE-CONFIG commands, the switch reloads with the new OS10 image and then executes the POST-CONFIG commands. For more information, see ZTD CLI batch file.
4. If you specify a post-ZTD script file for POST_SCRIPT_FILE, ZTD executes the script. For more information, see Post-ZTD script.
ZTD generates log messages about its current status.
[os10:notify], %Dell EMC (OS10) %ZTD-IN-PROGRESS: Zero Touch Deployment applying post configurations.
ZTD also generates failure messages.
[os10:notify], %Dell EMC (OS10) %ZTD-FAILED: Zero Touch Deployment failed to download the image.
Troubleshoot configuration locked
When ZTD is enabled, the CLI configuration is locked. If you enter a CLI command, the error message configuration is locked displays.
For the IMG_FILE, CLI_CONFIG_FILE, and POST_SCRIPT_FILE files, you can specify HTTP, SCP, SFTP, or TFTP URLs.
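The copy syntax and the ZTD file variables both take transfer URLs, some of which carry a password inline (userid:passwd@hostip) or name an unencrypted transport. The Python audit below is an added example, not Dell code: it scans a provisioning script or command log for both conditions and redacts passwords before reporting. The shell-style VAR="url" assignment form, the sample lines, and every function name are assumptions made for illustration.

```python
"""Audit OS10 copy commands and ZTD file variables for risky transfer URLs."""
import re
from urllib.parse import urlsplit

# Variable names come from the page; the VAR="url" assignment form is assumed.
ZTD_VARS = ("IMG_FILE", "CLI_CONFIG_FILE", "POST_SCRIPT_FILE")
# HTTP, FTP and TFTP move data (and any credentials) without encryption.
CLEARTEXT = {"http", "ftp", "tftp"}
# TFTP has no authentication at all, so the switch cannot tell who served the file.
UNAUTHENTICATED = {"tftp"}

URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.IGNORECASE)
ZTD_RE = re.compile(r"^\s*(%s)\s*=" % "|".join(ZTD_VARS))
COPY_RE = re.compile(r"^\s*(?:\S+#\s*)?copy\s")  # optional "OS10# " prompt


def audit_url(url):
    """Return the list of findings for one transfer URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme in CLEARTEXT:
        findings.append("cleartext-transport")
    if scheme in UNAUTHENTICATED:
        findings.append("unauthenticated-transport")
    if parts.password is not None:
        # The password is stored wherever this line is stored.
        findings.append("embedded-password")
    return findings


def redact(url):
    """Replace an inline password with **** so the report is safe to log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc=f"{parts.username}:****@{host}").geturl()


def audit_text(text):
    """Scan ZTD variable assignments and copy commands; return findings.

    Each entry is (line number, context, redacted URL, findings), where
    context is the ZTD variable name or "copy".
    """
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ztd = ZTD_RE.match(line)
        if ztd:
            context = ztd.group(1)
        elif COPY_RE.match(line):
            context = "copy"
        else:
            continue
        for url in URL_RE.findall(line):
            findings = audit_url(url)
            if findings:
                report.append((lineno, context, redact(url), findings))
    return report


# Constructed sample: documentation-range addresses and placeholder passwords.
SAMPLE = '''\
IMG_FILE="http://192.0.2.10/images/os10.bin"
CLI_CONFIG_FILE="sftp://ztd:ExamplePw1@192.0.2.10/ztd/cli_config"
POST_SCRIPT_FILE="tftp://192.0.2.10/ztd/post.py"
OS10# copy running-configuration scp://backup:ExamplePw2@192.0.2.20/tmp/run.xml
OS10# copy running-configuration config://backup.xml
'''

if __name__ == "__main__":
    for lineno, context, url, findings in audit_text(SAMPLE):
        print(f"line {lineno} [{context}] {url}: {', '.join(findings)}")
```

Local targets such as config:// produce no finding, so the last sample line is not reported.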
snmp-server community public ro
snmp-server contact NOC@dell.com
snmp-server location delltechworld
!
clock timezone GMT 0 0
!
hostname LEAF-1
!
ip domain-list networks.dell.com
ip name-server 8.8.8.8 1.1.1.1
!
ntp server 132.163.96.5 key 1 prefer
ntp server 129.6.15.32
!
!
logging server 10.22.0.99
Post-ZTD script
As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch.
Default None
Command Mode EXEC
Usage Information None
Examples
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : completed
Protocol State : idle
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZT
ztd start
Starts the ZTD process.
Syntax ztd start
Parameters None
Default Not configured
Command Mode EXEC
Security and Access Sysadmin and secadmin
Usage Information When you enter this command, if there are any configuration changes, the system prompts you for a confirmation to delete the startup configuration. If you have made configuration changes after the ZTD process stops, the system reloads. This command is similar to the reload ztd command.
7 Dell EMC SmartFabric OS10 provisioning
OS10 supports automated switch provisioning — configuration and monitoring — using:
● RESTCONF API — REST-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches with JavaScript Object Notation (JSON)-structured messages. You can use any programming language to create and send JSON messages; see RESTCONF API.
Ansible inventory file
The inventory file contains the list of hosts on which you want to run commands. Ansible can run tasks on multiple hosts at the same time. Ansible playbooks use /etc/ansible/hosts as the default inventory file. To specify a different inventory file, use the -i filepath command as an option when you run an Ansible playbook.
Ansible playbook file
Using playbooks, Ansible can configure multiple devices. Playbooks are human-readable scripts that are expressed in YAML format.
After you install Ansible, verify the version by entering:
$ ansible --version
2. Download and install Dell EMC Networking Ansible roles from the Ansible Galaxy web page; for example:
$ ansible-galaxy install dell-networking.dellos-users
$ ansible-galaxy install dell-networking.dellos-logging
$ ansible-galaxy install dell-networking.dellos-ntp
3. Create a directory to store inventory and playbook files; for example:
$ mkdir AnsibleOS10
4. Navigate to the directory and create an inventory file.
    state: present
dellos_users:
  - username: u1
    password: Test@1347
    role: sysadmin
    privilege: 0
    state: present
dellos_ntp:
  server:
    - ip: 3.3.3.3
The dellos_cfg_generate parameter creates a local copy of the configuration commands applied to the remote switch on the Ansible controller node, and saves the commands in the directory defined in the build_dir path.
8. Create a playbook file.
$ vim playbook.yaml
- hosts: OS10switch-1 OS10switch-2
  connection: network_cli
  roles:
    - dell-networking.
8 SmartFabric Services
SmartFabric Services (SFS) is an application suite that provides network fabric automation and API-based programmability. A network fabric consists of physical resources, such as servers and switches, and logical resources, such as networks, templates, and uplinks. SFS, which is an OS10 feature, has different personalities that can be used in multiple architectures and environments.
SFS, used in a leaf and spine network, creates a fully integrated solution between the fabric and a hyperconverged domain infrastructure such as VxRail.
SmartFabric Services for PowerEdge MX
SFS is a capability of Dell EMC Networking OS10 Enterprise Edition running on Ethernet switches (IOMs) that are designed for the PowerEdge MX 7000 platform. In the SFS mode, the IOMs operate as a simple Layer 2 input output aggregation device, which enables complete interoperability with network equipment vendors.
In the MX platform, SFS provides:
● A single pane of glass to monitor and manage the lifecycle operations on the IOMs.
● APIs to manage VLT fabric, data uplinks, storage uplinks, and server templates for the entire fabric.
In a Dell EMC PowerEdge MX7000 infrastructure, the MX9116n fabric engine and MX5108n Ethernet switch support SFS.
SmartFabric Services for leaf and spine
SFS discovers the OS10 switches and builds an L2 or L3 network fabric using industry-standard L2 and L3 protocols.
The Out-of-band (OOB) management network is an isolated network for remote management of servers, switches, and storage devices using the respective management ports. An S3048-ON installed in each rack provides 1GE connectivity to the management network. The OOB management ports on each spine and leaf switch are connected to the S3048-ON switches. For the S3048-ON management switches, all ports are in L2 and in the default VLAN.
NOTE: You are not allowed to use these VLANs for general use.
● Cluster control VLAN 4000 — SFS automatically configures VLAN 4000 on all the switches in a fabric, and uses the network for all internal fabric operations. When SFS detects an ISL, it assigns the ISL to the tagged member of this VLAN. This VLAN is PVST enabled, with the root bridge forced onto one of the spine switches.
● IP-peer VLAN 4001 to 4079 — SFS automatically configures the leaf and spine network using eBGP as the routing protocol.
● Multirack Layer 3 VLAN networks
General purpose networks
General purpose networks are L2 VLAN networks in VxRail and L2 VXLAN networks in L3 fabric. For L3 fabric, SmartFabric Services automatically creates a virtual network corresponding to a network. This virtual network has a one-to-one mapping with the network, which means that for each VLAN there exists a virtual network whose VNI is the same as the VLAN ID.
VXLAN networks
A VXLAN network extends L2 connectivity over an underlay L3 connected network.
Layer 3 uplinks can be configured on a leaf or a spine node.
Using Layer 3 VLAN network
A Layer 3 VLAN network contains a list of IP addresses and a gateway IP address. Optionally, DHCP relay addresses can also be specified. A Layer 3 VLAN network can be configured over a leaf or a spine node and can be attached to an uplink. Each VLTi uplink interface contains an IP address that is allocated from the list of IP addresses that are configured on the Layer 3 VLAN network.
NOTE: Configuration of an Ethernet – No STP uplink with members from only one switch in the SmartFabric is not supported. It is required to have member ports from both switches in the SmartFabric.
Dynamic onboarding for integrated devices
SFS discovers and onboards the following vendor end-host devices based on specific custom originator TLVs in LLDP PDUs sent out through the connected ports.
Static onboarding for nonintegrated devices
SmartFabric Services supports onboarding a server on assigned ports instead of using the LLDP-based discovery mechanism. SFS extends the server profile and server interface profile so that you can provide the onboarded interface.
● All existing bonding modes are supported on a statically onboarded server.
● Wherever possible, STP is enabled on these ports. Since VXLAN does not support STP on access ports, this is not applicable for L3 Fabric. RPVST+ is enabled on Layer 3 VLAN networks.
To enable the SmartFabric Services in a switch from the OS10 CLI, use the smartfabric l3fabric enable command. For more information, see smartfabric l3fabric enable. After you enable the SFS on the switches and set a role, the system prompts for confirmation to reload and boots in the SFS mode. To apply the changes, confirm by typing Yes and the switch reloads in the SFS mode.
Launch SmartFabric Services GUI
You access the SFS GUI using the latest version of the browsers, such as:
● Google Chrome
● Mozilla Firefox
● Microsoft Edge
Launch the SFS GUI from the SmartFabric master switch to complete the SFS initial setup. You can access the SFS GUI in HTTPS using the IP address of the master switch that is deployed in the leaf-spine topology.
Update Default Fabric, Switch Names, and Descriptions wizard
SFS assigns unique names for the network fabric, racks, and switches automatically. However, these names are not convenient to understand. Using this wizard, you can change the names and descriptions of the network fabric, racks, and switches. To do so:
1. Launch the Update Default Fabric, Switch Names and Descriptions wizard.
2. Change the name and description of the network fabric, and click NEXT.
Configure Layer 3 VLAN uplink
For L3 VLAN underlay connectivity, create a L3 VLAN uplink and associate a network and routing policy with the uplink. To do so:
1. Launch the Create Uplink for External Network Connectivity wizard.
2. Select the Uplink Connectivity as Layer 3.
3. Select the Network type as L3 VLAN.
4. Create a L3 VLAN uplink by providing the name and description, and click NEXT.
NOTE: L3 uplinks can be created on leaf and spine switches.
5.
This wizard allows you to breakout Ethernet ports. To do so:
1. Launch the Breakout Switch Ports wizard.
2. Select the rack from the list.
3. Select the leaf switch in the rack.
4. Select a port-group or a physical Ethernet port of the leaf switch to breakout.
5. Select the appropriate breakout option from the list, and click OK.
NOTE: Breakout autoconfiguration is supported in spine.
Auto-breakout in Spine
By default, auto-breakout is enabled only on the spine in SmartFabric mode.
● ADD VIRTUAL NETWORK — A template to create a VXLAN network. From the SFS GUI Server Profiles tab, you can view the list of all server profiles configured in the SFS. The page displays the details of server profiles such as bonding technology, discovery of the server, and onboarding status. You can also delete a server profile from this tab. Select a server profile from the list, and click DELETE. From the SFS GUI Network Profiles tab, you can view the list of all networks configured in the SFS.
Configuring FEC using OME-M
You can configure FEC on interfaces from OME-M when the switch is in Fabric mode. OME-M sends the FEC value that is to be configured for the interface and this value is configured for the interface. This configuration is not retained across breakout modes. Configuration of FEC from OME-M for IOM in full-switch mode is not supported. The FEC configuration from OME-M is supported for 25, 50, and 100G speeds and for uplink ports only in SmartFabric mode.
● SmartFabric personality
● SmartFabric status, nodes, and network profiles
● SmartFabric uplinks
smartfabric l3fabric enable
Enables the SmartFabric Services on the switches and creates a network fabric in a Clos-based spine-and-leaf architecture.
Usage Information Use this command to configure or update the VLTi information after SFS is enabled on the node. The system reloads and then comes back up with the configured VLTi ports. Before executing this command, the node should already be in Layer3 fabric mode. If not, the Layer3 fabric personality should be enabled. If you use any of the existing ports for the VLTi, those ports should also be specified as part of the VLTi configuration using the smartfabric commands.
PREFERRED-MASTER : true
----------------------------------------------------------
Supported Releases 10.5.0.1 or later
show smartfabric cluster member
Displays cluster member information such as the service tag, IP address, status, role, and type of each switch or IOM, and the chassis model and service tag of the chassis to which the switch belongs.
Syntax show smartfabric cluster member
Parameters None
Default None
Command Mode EXEC
Usage Information Content display varies depending on the switch role.
Command Mode EXEC
Usage Information Use this command to view a detailed list of fabrics configured. This command is supported in both Full Switch and SmartFabric modes. Supported on the MX9116n and MX5108n switches starting in release 10.5.0.1. Also available on SFS-supported OS10 switches starting in release 10.5.0.3. For supported platforms, see SmartFabric Services for leaf and spine.
Example (IOM) Example (VxRail) Supported Releases
MX9116N-A1# show smartfabric networks
Name            Type             QosPriority  NetworkId                             Vlan
---------------------------------------------------
v5              GENERAL_PURPOSE  BRONZE       8f018a8c-c355-4d81-9bee-85cfedcf8d2a  5
network100-105  GENERAL_PURPOSE  BRONZE       deb0886c-4a9b-47f2-8220-55afcb1f1756  100 - 105
fcor            STORAGE_FCOE     PLATINUM     d1de8f16-ebd0-4b1a-9689-a802d23b2b26  777
VLAN 1          GENERAL_PURPOSE  SILVER       4bb446a3-702c-4a0f-abdd-07dd0c14775a  1
v1              GENERAL_PURPOSE  BRONZE       9f2bed94-9148-46d8-9d
AZY1234 FABRIC S5232F-ON ONLINE
Supported Releases 10.5.0.1 or later
show smartfabric personality
Displays the personality of the node.
Syntax show smartfabric personality
Parameters None
Default None
Command Mode EXEC
Usage Information The output varies depending on the role of the switch. This command is supported in both Full Switch and SmartFabric modes. Supported on the MX9116n and MX5108n switches starting in release 10.5.0.1.
show smartfabric uplinks Displays all uplink information such as name, description, ID, media type, native VLAN, configured interfaces, and network profile associated with the uplink. Syntax show smartfabric uplinks Parameters None Default None Command Mode EXEC Usage Information Use the command to view all configured uplink information. This command is supported both in Full Switch and SmartFabric modes. Supported on the MX9116n and MX5108n switches starting in release 10.5.0.1.
Native Vlan : 0 Untagged-network : Networks : Network770 Configured-Interfaces : CAC00N2:ethernet1/1/22:3 ------------------------------------------------------------------------------------------------------------------Name : L2VxLANUplink Description : Uplink On L2VxLAN Network771 ID : L2VxLANUplink-771 Media Type : ETHERNET Native Vlan : 0 Untagged-network : Network771 Networks : Configured-Interfaces : CAC00N2:ethernet1/1/22:4 -----------------------------------------------------------------------------
Usage Information Example Supported Releases Use this command to view the discovered server information when used. This command is supported in both Full Switch and SmartFabric modes.
Example Supported Releases MX9116N-B1# show smartfabric configured-server ---------------------------------------------------------Service-Tag : 00FWX20 Server-Model : PowerEdge MX740c Chassis-Slot : 1 Chassis-Model : POWEREDGE MX7000 Chassis-Service-Tag : SKY002L Is-Discovered : TRUE Is-Onboarded : TRUE Is-Configured : TRUE ********************************************************** Bonding Technology : LACP BondMembers: Nic-Id : Switch-Interface ---------------------------------------------------------NI
Is-Discovered : TRUE Is-Onboarded : FALSE Is-Configured : TRUE NicBonded : FALSE Native-vlan : 0 Networks : c56d6202-0ec1-4fcd-b119-6abc761a1268 ---------------------------------------------------------Port-Id : NIC.Mezzanine.1A-1-1 Onboard-Interface : Fabric-id : Is-Discovered : FALSE Is-Onboarded : FALSE Is-Configured : TRUE NicBonded : FALSE Native-vlan : 0 Networks : c56d6202-0ec1-4fcd-b119-6abc761a1268 Supported Releases 10.5.1.
9 SmartFabric Director SmartFabric Director manages the switches in a data center with or without any virtual infrastructure. SmartFabric Director provides a single view of operating, managing, and troubleshooting of physical and virtual networks. SmartFabric Director features ● ● ● ● ● ● ● Define, build, and maintain a Layer 2 or Layer 3 leaf-spine data center fabric (underlay).
Set security profile to gNMI agent Before establishing a connection to the gNMI client in SmartFabric director, set a valid application-specific security profile for the gNMI agent. Also, configure an FQDN or an IP address for entry to the SmartFabric director server; assign client and CA certificates. A user role in SmartFabric director with Super Admin privileges can be used to access the agent. The security profile that is assigned to the gNMI agent must be pre-configured on the switch.
Table 7. Openconfig device Sensor group name YANG container oc-device ● openconfig-platform/components/component ● openconfig-network-instance/network-instances/network-instance Table 8. Openconfig system Sensor group name YANG container oc-system ● openconfig-system/system ● openconfig-platform/components/component Table 9. Openconfig environment Sensor group name YANG container oc-environment openconfig-platform/components/component Table 10.
Table 17. Openconfig STP Sensor group name YANG container oc-stp openconfig-spanning-tree/stp Table 18. Vendor UFD Sensor group name YANG container oc-vendor-ufd ufd/uplink-state-group-stats/ufd-groups Table 19. Vendor VXLAN Sensor group name YANG container oc-vendorvxlan vxlan/vxlan-state/remote-endpoint/stats Table 20. Openconfig VLAN Sensor group name YANG container oc-vlan openconfig-interfaces/interfaces/interface Table 21.
Table 23. activate API API Name Description activate Activates the newly installed OS10 image. Activation is a two stage process. In the first stage, the boot partition is set to standby for subsequent boot cycles. In the second stage, a system reload is issued to boot the newly installed OS10 image from the standby partition. The activate-image operation requires a system reload. As a result, the current services are affected. Table 24.
Example Supported releases OS10(config)# switch-operating-mode Full-Switch 10.4.3.0 or later gnmi-security-profile Set the security profile for the gNMI agent. Syntax gnmi-security-profile profile-name Parameters profile-name — Enter the name of the security profile to be associated with the gNMI agent. Default Not configured Command mode CONFIGURATION Usage information Before establishing a connection to the gNMI agent, set a valid application-specific security profile for the gNMI agent.
Examples
OS10# show sfd status
Controller IP        Port        Status
----------------------------------------------------------------------------
10.14.8.102          8443        active
OS10#
Supported releases 10.5.0.
10 System management System banners Provides information to configure system login and message of the day (MOTD) text banners, see System banners. User session management Provides information to manage the active user sessions, see User session management. Telnet server Provides information to set up Telnet TCP/IP connections on the switch, see Telnet server. To set up secure, encrypted Secure Shell (SSH) connections to the switch, see SSH server.
DellEMC S4148U-ON login Enter your username and password % To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command. Message of the day banner Configure a message of the day (MOTD) banner that displays after you log in. Enter any single delimiter character to start and end the MOTD banner.
Usage Information Example Supported Releases ● To enter a multiline banner text, use the interactive mode. Enter the command with the delimiter character and press Enter. Then enter each line and press Enter. Complete the banner configuration by entering a line that contains only the delimiter character. ● To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command.
Clear user session OS10# kill-session 3 View active user sessions OS10# show sessions Current session's operation mode: Non-transaction Session-ID User In-rpcs In-bad-rpcs Out-rpc-err Out-notify Login-time Lock -----------------------------------------------------------------------------------------3 snmp_user 114 0 0 0 2017-07-10T23:58:39Z 4 snmp_user 57 0 0 0 2017-07-10T23:58:40Z 6 admin 17 0 0 4 2017-07-12T03:55:18Z *7 admin 10 0 0 0 2017-07-12T04:42:55Z OS10# The asterisk (*) in the Session-ID column in
show sessions Displays the active management sessions. Syntax show sessions Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view information about the active user management sessions.
Telnet commands ip telnet server enable Enables Telnet TCP/IP connections to an OS10 switch. Syntax ip telnet server enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the Telnet server is disabled. When you enable the Telnet server, use the IP address configured on the management or any front-panel port to connect to an OS10 switch. After you reload the switch, the Telnet server configuration is maintained.
OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages. SNMP versions provide different levels of security, such as user authentication and message encryption. NOTE: OS10 does not support SNMP SET operations. Configuration notes All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: ● SNMP server is supported in non-default (data) VRFs.
Table 26. Standards MIBs (continued) Module Standard LLDP-EXT-DOT3-MIB IEEE 802.1AB LLDP-MIB IEEE 802.1AB OSPF-MIB RFC 4750 OSPFV3-MIB RFC 5643 Q-BRIDGE-MIB IEEE 802.1Q RFC1213-MIB RFC 1213 SFLOW-MIB RFC 3176 SNMP-FRAMEWORK-MIB RFC 3411 SNMP-MPD-MIB RFC 3412 SNMP-NOTIFICATION-MIB RFC 3413 SNMP-TARGET-MIB RFC 3413 SNMP-USER-BASED-SM-MIB RFC 3414 SNMP-VIEW-BASED-ACM-MIB RFC 3415 SNMPv2-MIB RFC 3418 TCP-MIB RFC 4022 UDP-MIB RFC 4113 Table 27.
SNMP engine ID An engine ID identifies the SNMP entity that serves as the local agent on the switch. The engine ID is an octet colon-separated number; for example, 00:00:17:8B:02:00:00:01. When you configure an SNMPv3 user, you can specify that a localized authentication and/or privacy key be generated. The localized password keys are generated using the engine ID of the switch. A localized key is more complex and provides greater privacy protection.
NOTE: Create a remote engine ID with the snmp-server engineID command before you configure a remote user with the snmp-server user command. If you change the configured engine ID for a remote device, you must reconfigure the authentication and privacy passwords for all remote users associated with the remote engine ID.
To configure a view of the MIB tree on the SNMP agent, use the snmp-server view command. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. To display the configured SNMP groups, use the show snmp group command.
OS10(config)# snmp-server user n3user ngroup remote 172.31.1.
snmp-server host {ipv4–address | ipv6–address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp] Configure SNMP v1 or v2C traps OS10(config)# snmp-server host 10.11.73.
Parameters None Defaults None Command Mode EXEC Usage Information To configure an SNMP community, use the snmp-server community command.
Example
OS10# show snmp community
Community : public
Access : read-only
Community : dellOS10
Access : read-write
ACL : dellacl
Supported Releases 10.4.2.0 or later
show snmp engineID Displays the SNMP engine ID on the switch or on remote devices that access the SNMP agent on the switch.
groupname : v3group
version : 3
security level : priv
notifyview : alltraps
readview : readview
writeview : writeview
Supported Releases 10.4.2.0 or later
show snmp user Displays the users configured to access the SNMP agent on the switch, including the SNMP group and security model. Syntax show snmp user Parameters None Defaults None Command Mode EXEC Usage Information To configure an SNMP user, use the snmp-server user command.
Parameters ● community name — Set the community name string to act as a password for SNMPv1 and SNMPv2c access. A maximum of 20 alphanumeric characters. ● ro — Set read-only access for the SNMP community. ● rw — Set read-write access for the SNMP community. ● acl acl-name — Enter an existing IPv4 ACL name to limit SNMP access in the SNMP community. Defaults An SNMP community has read-only access.
Table 28. Notification types and options Notification type Notification option entity — Enable entity change traps. None envmon — Enable SNMP environmental monitor traps. ○ fan — Enable fan traps. ○ power-supply — Enable power-supply traps. ○ temperature — Enable temperature traps. lldp — Enable LLDP state change traps. ○ rem-tables-change — Enable the lldpRemTablesChange trap. snmp — Enable SNMP traps. ○ authentication — Enable authentication traps.
Usage Information The local engine ID generates the localized keys for the authentication and privilege passwords. These passwords authenticate SNMP users and encrypt SNMP messages. If you reconfigure the local Engine ID, the localized keys also change. The existing values are no longer valid, and a warning message displays. As a result, you must reconfigure SNMP users with new localized password keys.
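The dependence of localized keys on the engine ID, shown as an added example (not Dell EMC code): it implements the password-to-key and key-localization algorithm of RFC 3414, the standard this guide lists for SNMP-USER-BASED-SM-MIB. That OS10 derives its localized keys exactly this way is an assumption, and the function names and sample password are constructed for illustration.

```python
"""SNMPv3 USM key localization per RFC 3414 Appendix A.2 (added example)."""
import hashlib
import hmac

EXPANDED_LEN = 1048576  # RFC 3414: hash 1 MiB of the cyclically repeated password


def parse_engine_id(text: str) -> bytes:
    """Convert colon-separated octets (for example 00:00:17:8B:02:00:00:01) to bytes."""
    octets = text.strip().split(":")
    if not all(len(octet) == 2 for octet in octets):
        raise ValueError("engine ID must be colon-separated two-digit hex octets")
    return bytes(int(octet, 16) for octet in octets)


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive the engine-independent key Ku from a password."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    digest = hashlib.new(hash_name)
    digest.update(password * reps)   # whole repetitions of the password
    digest.update(password[:rem])    # partial repetition up to exactly 1 MiB
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_text: str, hash_name: str = "sha1") -> bytes:
    """Password and engine ID in, localized key out."""
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, parse_engine_id(engine_id_text), hash_name)


def keys_survive_engine_id_change(password: str, old_id: str, new_id: str,
                                  hash_name: str = "sha1") -> bool:
    """True only if the localized key is identical under both engine IDs."""
    return hmac.compare_digest(localized_key(password, old_id, hash_name),
                               localized_key(password, new_id, hash_name))


if __name__ == "__main__":
    pw = "maplesyrup"                                 # sample password from RFC 3414
    rfc_id = "00:00:00:00:00:00:00:00:00:00:00:02"    # engine ID from RFC 3414 A.3
    guide_id = "00:00:17:8B:02:00:00:01"              # engine ID format example from this guide
    print("key under RFC engine ID  :", localized_key(pw, rfc_id).hex())
    print("key under guide engine ID:", localized_key(pw, guide_id).hex())
    print("same key after change?   :", keys_survive_engine_id_change(pw, rfc_id, guide_id))
```

Because the engine ID is hashed into the key, a key localized for one engine ID cannot authenticate or decrypt under another, which is why users must be reconfigured after an engine ID change.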
The no version of the command deletes an SNMP group. Example Supported Releases OS10(config)# snmp-server group os10admin p3 priv read readonlyview 10.4.2.0 or later snmp-server host Configures a host to receive SNMP notifications.
Example — Send SNMP traps to host
OS10(config)# snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp
Example — Send SNMP informs to host
OS10(config)# snmp-server host 1.1.1.1 informs version 2c public envmon snmp
Example — Send SNMP notifications to host
OS10(config)# snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
Supported Releases 10.2.0E or later
snmp-server location Configures the location of the SNMP server.
● priv — (SNMPv3 only) Configure encryption for SNMPv3 messages sent to the user: ○ aes — Encrypt messages using AES 128-bit algorithm. ○ des — Encrypt messages using DES 56-bit algorithm. ○ priv-password — Enter a text string used to generate the privacy key used in encrypted messages. A maximum of 32 alphanumeric characters. For an encrypted password, enter the encrypted string instead of plain text. ● localized — (SNMPv3 only) Generate an SNMPv3 authentication and/or privacy key in localized key format.
● excluded — (Optional) Exclude the MIB family from the view. Defaults Not configured Command Mode CONFIGURATION Usage Information The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts. Enter included or excluded to include or exclude the remaining part of the MIB sub-tree contents in the view. The no version of the command removes an SNMPv3 view. Example Supported Releases OS10(config)# snmp-server view readview 1.3.6.5 excluded 10.4.2.
Example: Configure SNMP This example shows how to configure SNMP on the switch, including SNMP engine ID, views, groups, and users. OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# Local default snmp-server contact "Contact Support" snmp-server engineID remote 192.168.1.
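A configuration check built on the SNMP command forms in this section, as an added example (not part of the Dell EMC guide or OS10): it scans running-configuration text for community strings without an ACL, SNMPv1/v2c or unencrypted SNMPv3 notification hosts, and users whose privacy algorithm is DES. The sample configuration is constructed, and the keyword order on the snmp-server user lines (security model, then auth, then priv) is an assumption where this section does not show the full syntax.

```python
"""Audit OS10 snmp-server configuration lines for weak settings (added example)."""
from typing import List, Tuple

WELL_KNOWN_COMMUNITIES = {"public", "private"}

MESSAGES = {
    "COMMUNITY_WELL_KNOWN": "community string is a widely known default",
    "COMMUNITY_NO_ACL": "no ACL limits which managers may use this community",
    "HOST_V1V2C": "SNMPv1/v2c notifications carry the community string unencrypted",
    "HOST_V3_NO_PRIV": "SNMPv3 notifications are sent without encryption (no priv)",
    "USER_NO_PRIV": "SNMPv3 user has no privacy (encryption) configured",
    "USER_PRIV_DES": "SNMPv3 user encrypts with 56-bit DES; AES 128-bit is available",
}

# Constructed sample; passwords are placeholders, user-line keyword order is assumed.
SAMPLE_CONFIG = "\n".join([
    "! constructed sample running-configuration",
    "snmp-server community public ro",
    "snmp-server community dellOS10 rw acl dellacl",
    "snmp-server host 1.1.1.1 informs version 2c public envmon snmp",
    "snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp",
    "snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp",
    "snmp-server user user01 v3group 3 auth sha AUTH-PLACEHOLDER priv des PRIV-PLACEHOLDER",
    "snmp-server user user02 v3group 3 auth sha AUTH-PLACEHOLDER priv aes PRIV-PLACEHOLDER",
])


def token_after(tokens: List[str], keyword: str, offset: int = 1) -> str:
    """Return the token `offset` places after `keyword`, or "" if absent."""
    if keyword not in tokens:
        return ""
    index = tokens.index(keyword) + offset
    return tokens[index] if index < len(tokens) else ""


def audit_snmp(config: str) -> List[Tuple[int, str]]:
    """Return (line number, finding code) pairs for weak snmp-server settings."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind, args = tokens[1], tokens[2:]
        if kind == "community":
            if args[0].lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((lineno, "COMMUNITY_WELL_KNOWN"))
            if "acl" not in args[1:]:
                findings.append((lineno, "COMMUNITY_NO_ACL"))
        elif kind == "host":
            rest = args[1:]                      # skip the host address
            version = token_after(rest, "version")
            level = token_after(rest, "version", 2)
            if version in ("1", "2c"):
                findings.append((lineno, "HOST_V1V2C"))
            elif version == "3" and level in ("noauth", "auth"):
                findings.append((lineno, "HOST_V3_NO_PRIV"))
        elif kind == "user":
            options = args[2:]                   # skip user name and group name
            if "priv" not in options:
                findings.append((lineno, "USER_NO_PRIV"))
            elif token_after(options, "priv") == "des":
                findings.append((lineno, "USER_PRIV_DES"))
    return findings


if __name__ == "__main__":
    for lineno, code in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {MESSAGES[code]}")
```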
● Before you downgrade, disable the DST configuration or update the setting using the clock timezone command to specify only the local time zone. ● After the downgrade is complete, ignore the CLI error and reconfigure the setting using the clock timezone command to specify only the local time zone. Configure system time and date ● Enter the time and date in EXEC mode.
Table 29.
Parameters time Enter time in the format hour:minute:second, where hour is 1 to 24; minute is 1 to 60; second is 1 to 60. For example, enter 5:15 PM as 17:15:00. year-month-day Enter year-month-day in the format YYYY-MM-DD, where YYYY is a four-digit year, such as 2016; MM is a month from 1 to 12; DD is a day from 1 to 31. Default Not configured Command Mode EXEC Usage Information Use this command to reset the system time if the system clock is out of sync with the NTP time.
Example Supported Releases OS10# show clock 2017-01-25T11:00:31.68-08:00 10.2.1E or later show clock timezone Displays the time zone that is configured in the system. Syntax show clock timezone Parameters None Default Etc/UTC Command Mode EXEC Usage Information None Example Supported Releases OS10# show clock timezone Brazil/West (-04, -0400) 10.5.0 or later Network Time Protocol Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
NOTE: OS10 supports both NTP server and client roles. Enable NTP NTP is disabled by default. To enable NTP, configure an NTP server where the system synchronizes. To configure multiple servers, enter the command multiple times. Multiple servers may impact CPU resources. ● Enter the IP address of the NTP server where the system synchronizes in CONFIGURATION mode.
10.16.150.185 10.16.151.123 16 1024 0 0.00000 0.000000 3.99217 OS10# show ntp associations remote local st poll reach delay offset disp ======================================================================= 10.16.150.185 10.16.151.123 16 1024 0 0.00000 0.000000 3.99217 Broadcasts Receive broadcasts of time information and set all the interfaces within the system to receive NTP information through broadcast. NTP is enabled on all active interfaces by default.
Authentication NTP authentication and the corresponding trusted key provide a reliable exchange of NTP packets with trusted time sources. NTP authentication begins with creating the first NTP packet after the key configuration. NTP authentication uses the message digest 5 (MD5), SHA-1, and SHA2-256 algorithms. The key is embedded in the synchronization packet that is sent to an NTP time source. 1. Enable NTP authentication in CONFIGURATION mode. ntp authenticate 2.
Sample NTP configuration The following example shows an NTP master (11.0.0.2), server (10.0.0.1), and client (10.0.0.2) connected through a nondefault VRF instance (VRF Red). OS10 acts as an NTP server to synchronize its clock with the NTP master available in the nondefault VRF instance red and provides time to NTP clients in the VRF. To create this sample NTP configuration: 1. Configure the NTP server: a. Create a nondefault VRF instance and assign an interface to the VRF.
a. Create a nondefault VRF instance and assign an interface to the VRF. OS10(config)# ip vrf red OS10(conf-vrf)# exit OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip vrf forwarding red OS10(conf-if-eth1/1/1)# ip address 10.0.0.2/24 OS10(conf-if-eth1/1/1)# exit OS10(config)# b. Configure the NTP server IP address on the NTP client. OS10(config)# ntp server 10.0.0.1 OS10(config)# do show running-configuration ntp ntp server 10.0.0.1 OS10(config)# c.
OS10# show ntp status vrf red associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync, system peer: 10.0.0.1:123 system peer mode: client leap indicator: 00 stratum: 11 log2 precision: -24 root delay: 0.991 root dispersion: 1015.099 reference ID: 10.0.0.1 reference time: dbc7b087.5d47aaa6 Sat, Nov 5 2016 1:12:39.364 system jitter: 0.000000 clock jitter: 0.462 clock wander: 0.003 broadcast delay: -50.000 symm. auth. delay: 0.000 OS10# 5. Verify that the NTP server (10.0.0.
Supported Releases 10.2.0E or later ntp authentication-key Configures the authentication key for trusted time sources. Syntax ntp authentication-key number {md5 | sha1 | sha2-256} {0 | 9} key Parameters ● ● ● ● ● ● ● Default 0 Command Mode CONFIGURATION Usage Information The authentication number must be the same as the number parameter configured in the ntp trusted-key command. Use the ntp authenticate command to enable NTP authentication.
Usage Information Use this command to configure OS10 to not listen to a particular server and prevent the interface from receiving NTP packets. The no version of this command reenables NTP on an interface. Example Supported Releases OS10(conf-if-eth1/1/7)# ntp disable 10.2.0E or later ntp enable vrf Enables NTP for the management or nondefault VRF instance. Syntax ntp enable vrf {management | vrf-name} Parameters ● management—Enter the keyword to enable NTP for the management VRF instance.
Default Not configured Command Mode CONFIGURATION Usage Information You can configure multiple time-serving hosts. From these time-serving hosts, the system chooses one NTP host to synchronize with. To determine which server to select, use the show ntp associations command. Dell Technologies recommends limiting the number of hosts you configure, as many polls to the NTP hosts can impact network performance. Example Supported Releases OS10(config)# ntp server eureka.com 10.2.
show ntp associations Displays the NTP master and peers. Syntax show ntp associations [vrf {management | vrf-name}] Parameters ● management—Enter the keyword to display NTP information corresponding to the management VRF instance. ● vrf-name—Enter the keyword then the name of the VRF to display NTP information corresponding to that nondefault VRF instance.
Command Mode EXEC Usage Information None Example (Status) OS10# show ntp status system peer: 0.0.0.0 system peer mode: unspec leap indicator: 11 stratum: 16 precision: -22 root distance: 0.00000 s root dispersion: 1.28647 s reference ID: [73.78.73.84] reference time: 00000000.00000000 Mon, Jan 1 1900 0:00:00.000 system flags: monitor ntp kernel stats jitter: 0.000000 s stability: 0.000 ppm broadcastdelay: 0.000000 s authdelay: 0.
PTP is more accurate than NTP because it uses hardware timestamping. PTP also accounts for device latency while synchronizing time. NTP synchronizes clocks with millisecond accuracy; PTP achieves submicrosecond accuracy. OS10 supports PTP on all platforms that support hardware time stamping. PTP-enabled devices consist of the following clock types: Ordinary clock A device with a single physical port is called an ordinary clock. This device could take on a master or slave clock role.
Message types ● Event messages: Timed messages with an accurate timestamp that is generated at both the transmit time and receive time. ○ Sync—Master sends a Sync message to distribute the time of the day. ○ Delay_Req—Slave sends a Delay_Req message to the master for end-to-end delay measurement, the request-response delay mechanism. ○ Pdelay_Req—Link node A sends a Pdelay_Req message to measure peer-to-peer delay. ○ Pdelay_Resp—Link node B sends a Pdelay_Resp message to measure peer-to-peer delay.
The following is the sequence of PTP messages during time synchronization:
1. Master sends a Sync message and makes note of the time t1 when the message was sent.
2. Slave receives the Sync message and makes note of the time t2 when the message was sent.
3. Master embeds the timestamp t1 in the Sync message.
4. Slave sends a Delay_request message to the master and makes note of the time t3 when the message was sent.
● Priority1—Has the highest preference in the list of attributes used for master clock device selection. ● Priority2—Has the fifth preference in the list of attributes used for master clock device selection. ● LocalPriority—(Applicable only for the G.8275.1 profile) Determines the master clock device when two clocks are similar to each other.
● You can configure PTP on the port-channel interface and the port-channel member interfaces. ○ Port-channel interface: If the link aggregation is between two peer nodes, configure PTP on the port-channel interface. The forward and reverse paths must be symmetrical for PTP. In this case, the links of the port channel need not be the same for both forward and reverse paths. NOTE: Dell EMC recommends that you configure PTP on port-channel member interfaces.
Configure the PTP clock type on the switch and optionally specify a profile for the clock. OS10 supports the following clock types: boundary and end-to-end transparent. OS10 supports the system default profile and ITU G.8275.1 profile. The profile defines the set of parameters, allowed values of parameters, and default value of parameters.
While measuring the time delay between the master and slave nodes, PTP takes into account the communication delay. This delay is measured using a delay request message from the slave and a delay response message from the master. To configure PTP delay mechanism: OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end Configure the PTP transport Supported PTP transport methods include Layer2 (ethernet), IPv4 (unicast and multicast), and IPv6 (unicast and multicast).
You can configure the time interval in units of log 2 seconds between two successive announce messages. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp announce interval 1 Configure the PTP synchronization message interval You can configure the time interval in units of log 2 seconds between two successive synchronization messages.
Offset From Master(ns) : 6
Number of Ports : 2
View the PTP local parent and grandmaster clock
OS10# show ptp parent
Parent Clock Idenitity : 00:16:00:ff:fe:00:02:00
Parent Port Number : 1
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
View time scale information
OS10# show ptp time-properties
Current UTC Offset Valid : False
Current UTC Offset : 0
Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Interface : Ethernet1/1/23 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up m
2. Enable PTP on interface 1 with L2 multicast transport mode. PTP role is dynamic by default. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp transport layer2 OS10(conf-if-eth1/1/1)# ptp enable 3. Enable PTP on interface 2 with L2 multicast transport mode. PTP role is dynamic by default.
PTP role is dynamic by default. For multicast transport mode, when you enable PTP, the system sends a join message. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp transport ipv4 multicast OS10(conf-if-eth1/1/1)# ptp enable 4. Enable PTP on interface 2 with IPv4 multicast transport mode. PTP role is dynamic by default. For IPv4, multicast is the default transport mode.
For both L2 and L3 interfaces, the configured source IP address is used as the source IP address for unicast transport from the master device to the slave device. OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/1)# ip address 30.30.30.1/24 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
Example: Configure boundary clock with IPv4 unicast transport method and L3 VLAN Ensure that the interface connected to the grandmaster clock is configured as a slave device with a list of master clock IP addresses. Configure the other interface as a master clock with a list of slave device IP addresses. Both the interfaces are only reachable through the L3 VLAN. In this example:
● Interface 1 that is part of VLAN 100 is connected to the grandmaster clock.
● The unicast IP traffic flows through PTP-enabled interface, interface 2. The system applies hardware time stamps on PTP packets. OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# ip address 20.20.20.1/24 OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# switchport access vlan 200 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
Table 32. Example PTP topology—Switch connections, port numbers, and IP addresses From To Port number IP address CR1 GM Eth1/1/28:1 Nondefault VLAN 1 IP as source AG1 Eth1/1/1:1 (VLT PO11) AG1 Eth1/1/3:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
Table 32. Example PTP topology—Switch connections, port numbers, and IP addresses (continued) From AG1 AG2 TR1 AG3 AG4 TR2 To Port number IP address AG1 Eth1/1/3:1 (VLT PO11) AG1 Eth1/1/8:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
CR1 switch
1. Configure IP address for the VLAN and loopback interfaces.
CR1(config)# interface vlan1
CR1(conf-if-vl-1)# ip address 200.1.1.5/24
CR1(conf-if-vl-1)# exit
CR1(config)# interface loopback1
CR1(conf-if-lo-1)# ip address 10.0.0.5/32
CR1(conf-if-lo-1)# ipv6 address 10:0:0::5/128
2. Configure PTP globally.
CR1(config)# ptp clock boundary
CR1(config)# ptp local-priority 127
CR1(config)# ptp source ipv4 10.0.0.5
CR1(config)# ptp source ipv6 10:0:0::6
CR1(config)# ptp system-time enable
3.
CR2(config)# ptp source ipv6 10:0:0::6 CR2(config)# ptp system-time enable 3. Configure PTP on the interfaces.
AG1(conf-if-eth1/1/5:3)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/7:4 AG1(conf-if-eth1/1/7:4)# ptp enable AG1(conf-if-eth1/1/7:4)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/9:1 AG1(conf-if-eth1/1/9:1)# ptp enable AG1(conf-if-eth1/1/9:1)# ptp vlan 3002 AG1(conf-if-eth1/1/9:1)# ptp transport ipv6 unicast master AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200a AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200b AG1(conf-ethernet1/1/9
AG2(conf-if-lo-1)# ip address 10.0.0.2/32
AG2(conf-if-lo-1)# ipv6 address 10:0:0::2/128
2. Configure PTP globally.
AG2(config)# ptp clock boundary
AG2(config)# ptp source ipv4 10.0.0.2
AG2(config)# ptp source ipv6 10:0:0::2
AG2(config)# ptp system-time enable
3. Configure PTP on the interfaces.
AG2(config)# interface ethernet 1/1/17:4 AG2(conf-if-eth1/1/17:4)# ptp enable AG2(conf-if-eth1/1/17:4)# ptp transport ipv6 multicast AG2(config)# interface ethernet 1/1/19:3 AG2(conf-if-eth1/1/19:3)# ptp enable AG2(conf-if-eth1/1/19:3)# ptp transport ipv4 multicast TR1 switch 1. Configure IP address for the VLAN and loopback interfaces.
AG3 switch
1. Configure IP address for the loopback interface.
AG3(config)# interface loopback1
AG3(conf-if-lo-1)# ip address 10.0.0.3/32
AG3(conf-if-lo-1)# ipv6 address 10:0:0::3/128
2. Configure PTP globally.
AG3(config)# ptp clock boundary
AG3(config)# ptp source ipv4 10.0.0.3
AG3(config)# ptp source ipv6 10:0:0::3
AG3(config)# ptp system-time enable
3. Configure PTP on the interfaces.
2. Configure PTP globally.
TR2(config)# ptp clock boundary
TR2(config)# ptp source ipv4 10.0.0.11
TR2(config)# ptp source ipv6 10:0:0::b
TR2(config)# ptp system-time enable
3. Configure PTP on the interfaces.
Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information Debug log messages are stored in the following file: /var/log/ptp.log. The debug ptp system command logs all information about internal data structures and is useful for debugging issues. Example Supported Releases OS10# debug ptp servo level 2 10.5.1.0 or later master Configures master clocks for the PTP slave devices.
Example Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp announce interval 1 OS10(conf-if-eth1/1/1)# ptp announce timeout 5 10.5.1.0 or later ptp clock Configures the PTP clock type on the switch and specifies the profile for the clock. Syntax ptp clock {boundary [hybrid] | end-to-end-transparent} [profile {g8275.1 | system-default}] Parameters ● ● ● ● ● Defaults System default profile, when PTP clock is configured.
Usage Information Example Supported Releases This configuration is only applicable for the boundary clock. The no form of this command removes the configuration. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end 10.5.1.0 or later ptp delay-req-min-interval Configures the minimum interval between delay request messages.
ptp enable Enables PTP on a physical or port channel interface. Syntax ptp enable Parameters None Defaults Disabled Command Mode INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The PTP protocol operates only on interfaces with a network address. Ensure that you have configured the PTP transport method for the interface using the ptp transport command. You can enable PTP on either the port channel interface or the port channel member interfaces, but not both.
Security and Access Netadmin and sysadmin Usage Information The clock with the lowest priority1 value becomes the master clock. The lower the value of this attribute, the higher is the priority. The no form of this command removes the configuration. Example Supported Releases OS10(config)# ptp priority1 125 10.5.1.0 or later ptp priority2 Configures the priority2 attribute for advertising PTP clock.
ptp source Configures the source IP address for the PTP multicast packets. Syntax ptp source {ipv4 ipv4-address | ipv6 ipv6-address} Parameters ● ipv4-address—Source IPv4 address for the PTP multicast packets ● ipv6-address—Source IPv6 address for the PTP multicast packets Defaults None Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Supports both IPv4 and IPv6 addresses.
Command Mode CONFIGURATION
Security and Access Netadmin and sysadmin
Usage Information When you enable this configuration, PTP sets the system time on the switch only if the servo clock is phase locked. You cannot enable the PTP system time if the system is configured as an NTP client. However, you can enable the PTP system time if the system is configured as an NTP server. The no form of this command removes the configuration.
Example OS10(config)# ptp system-time enable
Supported Releases 10.5.1.
○ If you enable the unicast slave mode, it leads to a sub mode where you can configure the master IP addresses. ○ If the unicast transport mode configuration conflicts with role configuration, the system returns an error. ● For multicast transport, you must configure an IP address in INTERFACE mode or a source IP address (in GLOBAL CONFIGURATION mode) to represent the interface. ● You can configure Layer2 transport method when the interface is in L2 or L3 mode.
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Clock Mode : One-step
Clock Quality
Class : 248
Accuracy : <=100ns
Offset Log Scaled Variance : 0
Domain : 0
Priority1 : 128
Priority2 : 128
Profile : System-default
Steps Removed : 1
Mean Path Delay(ns) : 72
Offset From Master(ns) : -14
Number of Ports : 2
----------------------------------------------------------------------------
Interface State Port Identity
----------------------------------------------------------------------------
Ethernet1/1/22 Slave
Security and Access Netadmin and sysadmin Usage Information None Example Boundary clock Example - End-to-end transparent clock Supported Releases
OS10# show ptp clock
PTP Clock : Boundary
Clock Identity : 68:4f:64:ff:ff:01:db:ec
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Clock Mode : One-step
Clock Quality
Class : 248
Accuracy : <=100ns
Offset Log Scaled Variance : 0
Domain :
Priority1 :
Priority2 :
Profile :
Steps Removed :
Mean Path Delay(ns) :
Offset From Master(ns) :
Number of Ports :
Total Management messages Received Total Signaling messages Sent Total Signaling messages Received Summary: Tx messages Rx messages Lost messages Interface : ethernet1/1/23 Port No : 2 Total Announce messages Sent Total Announce messages Received Total Sync messages Sent Total Sync messages Received Total Follow Up messages Sent Total Follow Up messages Received Total Delay Request messages Sent Total Delay Request messages Received Total Delay Response messages Sent Total Delay Response messages Received T
show ptp interface Displays PTP information about the interface. Syntax show ptp interface [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information. ● port-channel port-channel-id—Enter the port channel interface number. Defaults None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information For boundary clocks, this command indicates if the port is enabled or disabled.
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
Supported Releases 10.5.1.0 or later
show ptp peer
Displays the count of PTP messages received from a peer at an interface or transmitted to a peer from an interface.
Delay response messages received : 0
Management messages transmitted : 0
Management messages received : 0
Signaling messages transmitted : 0
Signaling messages received : 0
Supported Releases 10.5.1.0 or later
show ptp servo
Displays PTP servo information such as servo state and lock status.
slave Configures the IP address of PTP slave devices for the master clock. Syntax slave ip-address Parameters ip-address—IP address of the slave clock device Defaults No default IP address; unicast negotiation disabled Command Mode INTERFACE CONFIGURATION - MASTER submode Security and Access Netadmin and sysadmin Usage Information You can configure the IP addresses of multiple slaves. The format of the slave IP address depends on the configured unicast mode.
Synchronous Ethernet (SyncE) Frequency and time synchronization over a network is a key requirement for network service providers. Frequency synchronization over Ethernet interfaces can be achieved in two ways: ● Synchronous Ethernet (SyncE)—SyncE achieves frequency synchronization by recovering clock frequency from the physical layer of Ethernet. SyncE supports the frequency transfer from hop-to-hop. ● Precision Time Protocol (PTP)—PTP achieves frequency synchronization based on the timing event messages.
QL-enabled mode
In the QL-enabled mode, the switch considers the following factors when selecting a clock source on the SyncE-enabled interfaces:
● Clock quality level (QL)
● Clock availability or signal fail through QL-FAILED
● Priority
● External commands (SyncE force switch or manual switch)
In this mode, the switch always selects the clock source with the best QL value.
Standby clock source states Under normal circumstances, all network elements are synced to the active clock source. If the active clock source becomes faulty, a reference source from the available standby clock sources is selected based on the selection algorithm. The standby clock sources work in any of the following states: ● Available—The clock source is operationally up. ● Failed—The clock source is in signal fail state or the SyncE-enabled interfaces do not receive any clock signal.
Example - SyncE QL-enabled mode with ESMC and SSM SyncE is configured in the QL-enabled mode and ESMC is enabled on Switch A and Switch B. In this example, Switch A is synchronized to the best input clock source, SRC2 because it has higher QL. This QL value is transmitted from Ethernet interface 1/1/3 to Switch B, which also gets synchronized to the trail of clock source, SRC2. Switch A configuration 1. Enable SyncE on the switch. SwitchA: configure terminal SwitchA(config)# sync-e enable 2.
Switch B configuration 1. Enable SyncE on the switch. SwitchB: configure terminal SwitchB(config)# sync-e enable 2. Set the SyncE mode to QL-enabled. SwitchB(config)# sync-e mode ql-enabled 3. Configure the synchronization network. The default value is 1, and it is a synchronization network that is designed for Europe. SwitchB(config)# sync-e ssm-network-option 1 4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
2. Set the SyncE mode to QL-disabled. SwitchA(config)# sync-e mode ql-disabled 3. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
Local Clock Identity : 8c:04:ba:ff:fe:b0:a5:40
SSM Network Option : Option 1
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 s
SyncE Interfaces
------------------------------------------------------------
Interface Priority QL Signal State Status State
------------------------------------------------------------
Eth1/1/1 128 Up Available Primary
------------------------------------------------------------
Example - PTP and SyncE enabled on different Ethernet ports
In this example, SyncE and PTP are enabled o
7. Verify the SyncE configuration.
4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node. SwitchB(config)# interface ethernet 1/1/1 SwitchB(conf-if-eth1/1/2)# sync-e enable 5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes. SwitchB(config)# interface ethernet 1/1/1 SwitchB(conf-if-eth1/1/1)# sync-e esmc rx-only 6. Configure PTP boundary clock on the switch.
9. Verify the PTP state and lock status.
switchA# show ptp servo
Servo State : Locked
Lock Status : Phase-locked
Example - PTP and SyncE enabled on same Ethernet ports
In this example, SyncE and PTP are enabled on Switch A and Switch B. PTP boundary clock is enabled on the switches. On Switch A, Ethernet interface 1/1/1 is a PTP-enabled port that is connected to the clock source, SRC-2 (PTP grandmaster). Ethernet interface 1/1/3 is a PTP master port to the neighboring boundary clock, Switch B.
SwitchA(conf-if-eth1/1/2)# ptp transport layer2 SwitchA(conf-if-eth1/1/2)# ptp role slave 7. Verify the SyncE configuration.
3. Configure the SSM network option (default is option-1 for Europe).
SwitchB(config)# sync-e ssm-network-option 1
4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
SwitchB(config)# interface ethernet 1/1/1
SwitchB(conf-if-eth1/1/2)# sync-e enable
5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes.
Number of slave ports :1 Number of master ports :0 9. Verify the PTP state and lock status. switchA# show ptp servo Servo State : Locked Lock Status : Phase-locked SyncE commands clear sync-e counters Resets the statistics of the ESMC packets received at or transmitted from an interface. Syntax clear sync-e counters [ethernet node/slot/port] Parameters ethernet node/slot/port—(Optional) Enter a physical Ethernet interface.
Parameters None Default None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information This command clears the active manual or force switched clock reference. Clearing the force-switch reinitiates the clock selection process. Example Supported Releases OS10# clear sync-e switch 10.5.2.1 or later clear sync-e wait-restore-time Clears the wait-to-restore state of a specific interface or all interfaces.
show debug sync-e
Shows the debug options enabled for Sync-E.
Syntax show debug sync-e
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show debug sync-e
sync-e debug settings:
debug sync-e all
Supported Releases 10.5.2.1 or later
show sync-e
Displays the SyncE information and synchronization status.
Eth1/1/3 128 QL-EEC1 Up Available
Eth1/1/4 128 QL-EEC1 Up Available
----------------------------------------------------------------------
Example - QL-disabled mode
Supported Releases
OS10# show sync-e
QL Mode : QL-Disabled
Lock Status : Locked
QL Out :
Selection Process State : State 2A (QL-disabled and no active switch request)
Primary Reference Interface : Ethernet1/1/2
Secondary Reference Interface : Ethernet1/1/1
Selected Reference Clock Identity :
Local Clock Identity : d8:9e:f3:ff:fe:ab:47:20
SSM N
show sync-e esmc
Displays the ESMC information of all interfaces.
Syntax show sync-e esmc
Parameters None
Default None
Command Mode EXEC
Usage Information This command prints the output of the interfaces only if ESMC and SyncE are enabled on the interfaces and SyncE is enabled globally.
ESMC Capability :
QL :
QL Received :
QL Transmitted :
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 secs
Interface : Ethernet1/1/2
SyncE : Enabled
State : Available
Status : Primary
Signal State : Up
Priority : 128
ESMC Capability :
QL :
QL Received :
QL Transmitted :
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 secs
Supported Releases 10.5.2.1 or later
sync-e enable
Enables Synchronous Ethernet (SyncE) globally on a switch or on a physical interface.
Default Disabled
Command Mode INTERFACE CONFIGURATION
Security and Access Netadmin and sysadmin
Usage Information Enable SyncE on the interfaces for ESMC to work on them. When ESMC capability is disabled, the interface does not receive or transmit QL. In that case, you can configure the QL of the interface using the sync-e quality-level command. The no form of this command removes the configuration.
Security and Access Netadmin and sysadmin Usage Information Ensure that SyncE is enabled on the interface before running this command. If you disable SyncE on a locked out interface, the lock out status of the interface is reset. If you disable SyncE globally on the switch, the lock out status of the locked out interfaces is reset. Example Supported Releases OS10# sync-e lockout ethernet 1/1/1 10.5.2.
sync-e quality-level
Configures quality level on an interface.
Syntax [no] sync-e quality-level value
Parameters value—Enter quality level value. The supported values vary depending on the synchronization network that is selected using the sync-e ssm-network-option command.
● Supported quality-levels in option 1 SSM network: QL-ePRTC, QL-PRTC, QL-ePRC, QL-PRC, QL-SSU-A, QL-SSU-B, QL-eEEC, QL-EEC1 and QL-DNU.
Parameters ethernet node/slot/port—Enter a physical Ethernet interface.
Default None
Command Mode EXEC
Security and Access Netadmin and sysadmin
Usage Information This command configures a switch to use the clock source that is enabled and not locked out.
Example OS10# sync-e switch force ethernet 1/1/1
Supported Releases 10.5.2.1 or later
sync-e switch manual
Configures the switch to select the clock source on the interface manually.
Supported Releases 10.5.2.1 or later Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations, also known as hosts, based on configuration policies network administrators determine. DHCP server Network device offering configuration parameters to the client. DHCP client Network device requesting configuration parameters from the server.
2. Run the show ip interface brief command to verify if an IP address is assigned to ethernet 1/1/2 port. OS10# show ip interface brief Interface Name IP-Address OK Method Status Protocol ==================================================================================== ===== Ethernet 1/1/1 unassigned YES unset up up Ethernet 1/1/2 40.1.1.1/24 YES manual up up … 3. Re-enable the DHCP server because it failed to start initially.
DHCP Option Description
Domain name server 6 — Domain name servers (DNS) that are available to the client
Domain name 15 — Domain name that clients use to resolve hostnames via DNS
IP address lease time 51 — Amount of time that the client uses an assigned IP address
DHCP message type 53:
● 1 — DHCPDISCOVER
● 2 — DHCPOFFER
● 3 — DHCPREQUEST
● 4 — DHCPDECLINE
● 5 — DHCPACK
● 6 — DHCPNACK
● 7 — DHCPRELEASE
● 8 — DHCPINFORM
Parameter request list 55 — A list of parameters that a DHCP client requires
Automatic address allocation Automatic address allocation is an address assignment method that the DHCP server uses to lease an IP address to a client from a pool of available addresses. You cannot configure an empty DHCP pool under a DHCP pool configuration. For a successful commit, you must have either a network statement or host/hardware-address (manual binding) configuration. An IP address pool is a range of addresses that the DHCP server assigns. Both IPv4 and IPv6 DHCP pool configuration is supported.
1. Enable DHCP server-assigned dynamic addresses on an interface in CONFIGURATION mode. ip dhcp server 2. Create an IP address pool and provide a name in DHCP mode. pool name 3. Enter the default gateway(s) for the clients on the subnet in order of preference in DHCP mode. default-router address Change default gateway name OS10(config)# ip dhcp server OS10(conf-dhcp)# pool Dell OS10(conf-dhcp-Dell)# default-router 20.1.1.
2. Create an IP address pool and enter the pool name in DHCP mode.
pool name
3. Enter the NetBIOS WINS name servers in the order of preference that they are available to DHCP clients in DHCP mode.
netbios-name-server ip-address
4. Enter the keyword Hybrid as the NetBIOS node type in DHCP mode.
netbios-node-type type
Configure NetBIOS WINS address resolution
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)# netbios-name-server 192.168.10.
OS10(conf-dhcp-Dell)#
! interface ethernet1/1/2 no shutdown no switchport ip address 100.1.1.1/24 flowcontrol receive off OS10# show running-configuration ip dhcp ! ip dhcp server no disable ! pool host1 host 100.1.1.34 hardware-address 00:0c:29:ee:4c:f4 ! pool hostnetwork lease infinite network 100.1.1.0/24 ! pool host2 host 20.1.1.34 hardware-address 00:0c:29:aa:22:f4 View DHCP Information Use the show ip dhcp binding command to view the DHCP binding table entries.
In OS10, the MLD snooping and the Unknown Multicast Flood Control feature are enabled by default. Hence, all the unknown multicast packets are dropped. In this case, the DHCPv6 solicit message is considered an unknown multicast packet and is dropped. For the DHCPv6 solicit messages to reach the DHCP server: 1. On the intermediate switch (L2 switch), you must do one of the following: ● Disable multicast snooping flood-restrict globally.
This option secures all DHCP traffic that goes through a DHCP relay agent, and ensures that communication between the DHCP relay agent and the DHCP server is not compromised. The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the DHCP server. The DHCP server includes Option 82 back in its response to the relay agent. The relay agent uses this information to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN.
Option-82 is enabled by default. If you disable Option-82 globally or on a specific interface, Option-82 sub-options such as 1, 2, 5, 11, 151, and 152 are also disabled. If you enable global DHCP snooping after disabling Option-82 globally, an error message displays. Similarly, if you disable Option-82 globally after enabling global DHCP snooping, an error message displays. If you enable DHCP snooping at the interface level, you cannot disable the VLAN interface level Option-82.
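The following Python sketch is an added example, not Dell or OS10 code. It decodes a DHCP options field, reads the option 53 message type from the table earlier in this chapter, and unpacks Option 82 into the sub-options 1, 2, 5, 11 and 151 that the relay inserts and the server echoes back. The sub-option names for 1, 2 and 152 follow RFC 3046 and RFC 6607, and the circuit-id and remote-id strings, addresses and helper names are constructed for the illustration.

```python
import ipaddress

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255

# Option 53 values from the page's table (6 is DHCPNAK in RFC 2132,
# printed as DHCPNACK on the page).
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
                 7: "DHCPRELEASE", 8: "DHCPINFORM"}

# Option 82 sub-options listed on the page; names for 1, 2 and 152 are
# taken from RFC 3046 / RFC 6607 (assumption, not from the page).
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id", 5: "link-selection",
                   11: "server-id-override", 151: "vss", 152: "vss-control"}


def parse_tlvs(data, pad=None, end=None):
    """Walk code/length/value triples; reject lengths that overrun the buffer."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == pad:          # single-byte pad option (top level only)
            i += 1
            continue
        if code == end:          # end option terminates the field
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} overruns buffer")
        out.append((code, value))
        i += 2 + length
    return out


def decode_suboption(code, value):
    if code in (5, 11):                      # both carry one IPv4 address
        if len(value) != 4:
            raise ValueError(f"sub-option {code}: expected 4 bytes")
        return str(ipaddress.IPv4Address(value))
    if code == 151:                          # first byte is the VSS type
        if not value:
            raise ValueError("sub-option 151: empty")
        vss_type, info = value[0], value[1:]
        if vss_type == 0:                    # type 0: ASCII VPN identifier
            return {"type": 0, "vpn": info.decode("ascii")}
        if vss_type == 1 and len(info) == 7: # type 1: 7-byte VPN ID
            return {"type": 1, "vpn_id": info.hex()}
        return {"type": vss_type, "raw": info.hex()}
    if code in (1, 2):                       # constructed samples are ASCII
        return value.decode("ascii", "replace")
    return value.hex()


def message_type(options_field):
    for code, value in parse_tlvs(options_field, OPT_PAD, OPT_END):
        if code == OPT_MSG_TYPE and len(value) == 1:
            return MESSAGE_TYPES.get(value[0], f"unknown-{value[0]}")
    return None


def parse_option82(options_field):
    """Return {sub-option name: decoded value}, or None if Option 82 is absent."""
    for code, value in parse_tlvs(options_field, OPT_PAD, OPT_END):
        if code == OPT_RELAY_INFO:
            return {SUBOPTION_NAMES.get(c, f"unknown-{c}"): decode_suboption(c, v)
                    for c, v in parse_tlvs(value)}
    return None


def build_option82(subopts):
    body = b"".join(bytes([c, len(v)]) + v for c, v in subopts)
    if len(body) > 255:
        raise ValueError("Option 82 body exceeds 255 bytes")
    return bytes([OPT_RELAY_INFO, len(body)]) + body


def reply_egress(options_field, circuits):
    """Pick the client-facing interface from the circuit-id the server echoed."""
    info = parse_option82(options_field)
    return circuits.get(info.get("circuit-id")) if info else None


# Constructed sample: what a relay might add to a DHCPREQUEST, and the ACK
# in which the server echoes the same Option 82 back.
CIRCUITS = {"vlan100-eth1/1/1": "ethernet1/1/1"}
OPTION82 = build_option82([
    (1, b"vlan100-eth1/1/1"),
    (2, b"sw1"),
    (5, ipaddress.IPv4Address("10.1.1.0").packed),
    (11, ipaddress.IPv4Address("10.1.1.1").packed),
    (151, b"\x00" + b"Yellow"),
])
RELAYED = bytes([OPT_MSG_TYPE, 1, 3]) + OPTION82 + bytes([OPT_END])
REPLY = bytes([OPT_MSG_TYPE, 1, 5]) + OPTION82 + bytes([OPT_END])

if __name__ == "__main__":
    print(message_type(REPLY), parse_option82(REPLY))
    print("forward reply out:", reply_egress(REPLY, CIRCUITS))
```

A reply whose Option 82 is missing or carries an unknown circuit-id yields `None` from `reply_egress`, which is the case an operator would want logged rather than flooded.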
If the client-connected interface is unnumbered, the server may not be able to reach the relay agent. This feature manually configures the interface for the relay agent to use as the source IP address for messages relayed to the DHCP server, which is used by the server to send the reply. This configuration allows the network administrator to specify a stable IP address (such as a Loopback interface). The specified interface IP address is used to fill the giaddr by the DHCP relay agent.
Loopback 0 is used as the relay source-interface for the default VRF clients. The server-override option is enabled on the default VRF. Configure the DHCP relay agent globally to insert the server ID override suboption (suboption-11) and link selection suboption (suboption-5) into the relay agent information option of the DHCP packet. The DHCP client sends a broadcast DHCP request on the network.
Use Case 2: Configuration of source-interface CLI, link selection, and server-override and VSS suboptions In this example, the DHCP client is connected to eth 1/1/1 on the default VRF and eth 1/1/3 is connected to VRF hello. Loopback 0 is used as the relay source-interface for the default VRF clients. The server-override option is enabled globally.
interface loopback1 ip vrf forwarding hello no shutdown ip address 5.1.1.1/32 interface loopback0 no shutdown ip address 3.1.1.1/32 ! interface Ethernet 1/1/1 no shutdown ip address 1.1.1.1/24 ip helper-address 20.1.1.2 ! interface Ethernet 1/1/2 no shutdown ip address 20.1.1.1/24 ! interface Ethernet 1/1/3 no shutdown ip vrf forwarding hello ip address 1.1.1.1/24 ip helper-address 30.1.1.
Use Case 3: DHCP Relay on VTEPs with DHCP Option-82 sub-options 5,11,151
The following example uses a Clos leaf-spine VXLAN with BGP EVPN topology to show how to set up DHCP relay on tenant VRFs with Option-82 sub-options 5,11,151 on the VTEPs.
● Option 5 = Link selection sub-option
● Option 11 = Server ID Override Sub-option
● Option 151 = Virtual Subnet Selection
Leaf1 configuration: 1.
Configure the source interface (giaddr) to be used for DHCP relayed packets in each VRF. An IP address belonging to the loopback interface in the underlay is used here because the server is reachable in the underlay network in the default VRF. The response from the DHCP server arrives at this IP address in the underlay default VRF.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# ip address 172.16.1.
OS10(config)# interface virtual-network 20001
OS10(conf-if-vn-20001)# ip vrf forwarding Green
OS10(conf-if-vn-20001)# ip address 10.2.0.2/24
OS10(conf-if-vn-20001)# ip virtual-router address 10.2.0.254
OS10(conf-if-vn-20001)#
4. Configure DHCP server address and VSS info. Virtual-network 10001 uses type 0 VSS format (ASCII VPN identifier) and Virtual-network 20001 uses type 1 VSS format (VPN ID). The DHCP server should be configured with these identifiers in the network pools.
5. Configure route leaking and leak the DHCP Server route to the VRFs Yellow, Green and Red. OS10(config)# ip prefix-list PrefixList_DHCPServer permit 10.20.0.
4. Configure DHCP server address and VSS info. Virtual-networks 10001 and 30001 use type 0 VSS format (ASCII VPN identifier). The DHCP server should be configured with these identifiers in the network pools.
OS10(config)# interface virtual-network 10001
OS10(conf-if-vn-10001)# ip dhcp-relay vss-info type 0 Yellow
OS10(conf-if-vn-10001)# exit
OS10(config)# interface virtual-network 30001
OS10(conf-if-vn-30001)# ip dhcp-relay vss-info type 0 Red
OS10(conf-if-vn-30001)# exit
OS10(config)#
5.
DHCPv6 Remote-ID Option (option 37) The DHCPv6 remote-ID option (option 37) is used to specify the remote host identification in the RELAY-FORWARD packet to the DHCPv6 server. This option is similar to the DHCPv4 relay option 82 sub option 2 remote-id. The remote-ID field contains vendor specific enterprise-number and DHCPv6 relay agent DUID by default. The system uses 674 as the enterprise-number. The DHCPv6 server uses this option to select parameters based on the DHCPv6 relay agent.
: - e.g.: RED:vlan200-ethernet1/1/2 Both Host name and VRF Name as prefix : - : - e.g.
Parameter assignment based on Remote-ID option In this scenario, there are two DHCPv6 relay agents that are connected to the VLT peers. The hosts that are connected to the two DHCPv6 relay agents belong to different VLANs that are part of different VRFs. The link address subnet in the DHCPv6 RELAY-FORWARD message from either of the DHCPv6 relay agents can be the same.
ip address 10.1.1.1/24 ip helper-address 20.1.1.2 Ip vrf forwarding red ! interface Ethernet 1/1/2 no shutdown ip address 20.1.1.1 ! ip vrf red ! DHCPv6 Relay Agent 2: Global config: ipv6 dhcp-relay remote-id ipv6 dhcp-relay prefix remote-id hostname vrfname ipv6 dhcp-relay hostname DELL Interface configuration: OS10#show running-configuration interface Ethernet 1/1/1 no shutdown channel-group 10 mode active ! interface port channel 10 no shutdown vlt portchannel 10 ip address 10.1.1.
In this scenario, the remote-id value: DELL-red:90b11cf4a65d is added in the packet and sent out of the DHCPv6 relay agent. You can configure the DHCP server to allocate an IP address from a range of IP addresses based on the remote-id value received from the DHCPv6 packet. The prefix value is configured to take hostname and vrfname: DELL(DHCPv6 hostname), red(client interface's vrfname). By default, the DHCPv6 relay agent type 3 DUID (system mac - 90b11cf4a65d) is used as the remote-ID description.
DHCP snooping with DHCP relay
In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch forwards the client DHCP messages to the trusted DHCP server. The switch processes DHCP packets from the DHCP server before forwarding them to DHCP clients. Because the rogue server is connected to the switch on the eth 1/1/3 interface, which is untrusted, the switch drops DHCP packets from that interface.
DHCP snooping in a VLT environment OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment: ● Enable DHCP snooping on both VLT peers. ● Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
Enable and configure DHCP snooping globally 1. Enable DHCP snooping globally in CONFIGURATION mode. ip dhcp snooping 2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode. ip dhcp snooping trust Add static DHCP snooping entry in the binding table ● Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.
● Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode.
no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/port/sub-port | port-channel port-channel-id]
Example for removing static DHCP snooping entry in the binding table
OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.
DHCP server
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.
DHCP snooping switch as a relay agent This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP server OS10# configure terminal OS10(config)# ip dhcp server OS10(config-dhcp)# no disable OS10(config-dhcp)# pool dell_1 OS10(config-dhcp-dell_1)# network 10.1.1.0/24 OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250 OS10(config-dhcp-dell_1)# exit OS10(config-dhcp)# pool dell_2 OS10(config-dhcp-dell_2)# network 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address.
● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address. OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54 3.
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number. OS10# show ip dhcp snooping binding Number of entries : 1 Codes : S - Static D - Dynamic IPv4 Address MAC Address Expires(Sec) Type Interface VLAN ======================================================================================= 10.1.1.
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.1/24 OS10(conf-if-vl-200)# exit ● Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip helper-address 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN and assign an IP address to it which acts as the gateway for the VMs. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown OS10(conf-if-vl-100)# ip address OS10(conf-if-vl-100)# ip address 10.1.1.2/24 OS10(conf-if-vl-100)# exit ● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet 1/1/1,1/1/6
OS10(conf-if-eth1/1/1,1/1/6)# no shutdown
OS10(conf-if-eth1/1/1,1/1/6)# channel-group 20
(Optional) Peer routing configuration
● Configure peer routing.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# peer-routing
DHCP server
VLAN configuration
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# ip address 10.2.1.
DAI violation logging You can configure the system to log DAI validation failures corresponding to ARP packets. DAI violations are logged at the console if it is enabled. DAI violation logging is disabled by default. If you configure an interface as trusted, the switch interprets ARP packets that ingress the interface from hosts as legitimate packets. By default, all interfaces are in DAI untrusted state. For DAI to work, enable the DHCP snooping feature on the switch. DAI is disabled by default.
Address Hardware Address Interface VLAN -------------------------------------------------------------------10.2.1.1 00:40:50:00:00:00 port-channel100 vlan3001 10.1.1.13 00:2a:10:01:00:00 port-channel100 vlan3001 10.1.1.62 00:2a:10:01:00:01 port-channel100 vlan3001 View DAI statistics You can view valid and invalid ARP requests that the switch has received and replies that the switch has sent.
Source IP and MAC address validation
This feature filters IP traffic, based on both source IP and source MAC addresses and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:
● Source MAC address
● Source IP address
● The VLAN to which the client is connected
● The interface (physical or port channel) to which the client is connected
If there is a match, the switch forwards the packet.
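The Python model below is an added example, not OS10 code. It ties together the three checks this chapter describes: DHCP server messages are dropped on untrusted ports, a binding is learned only from a DHCPACK that arrives on a trusted port, and that binding table then gates both source IP and MAC address validation and DAI. The class, the method names, the MAC addresses and the leased IP address are constructed; the interface and VLAN numbers follow the relay topology described earlier.

```python
from dataclasses import dataclass

# Server-originated message types (names as in the page's option 53 list).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    static: bool = False


class SnoopingSwitch:
    """Toy model of the checks described on this page."""

    def __init__(self, dhcp_trusted, arp_trusted=()):
        self.dhcp_trusted = set(dhcp_trusted)  # ports facing real DHCP servers
        self.arp_trusted = set(arp_trusted)    # DAI-trusted ports (none by default)
        self.pending = {}                      # client MAC -> (vlan, port) of its request
        self.bindings = {}                     # client MAC -> Binding

    def add_static(self, mac, ip, vlan, interface):
        """Static entry, as with 'ip dhcp snooping binding mac ...'."""
        self.bindings[mac] = Binding(mac, ip, vlan, interface, static=True)

    def dhcp(self, ingress, vlan, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message and update state."""
        if msg_type in SERVER_MESSAGES:
            if ingress not in self.dhcp_trusted:
                return "drop"                  # server traffic from an untrusted port
            if msg_type == "DHCPACK" and client_mac in self.pending:
                c_vlan, c_port = self.pending.pop(client_mac)
                self.bindings[client_mac] = Binding(client_mac, yiaddr, c_vlan, c_port)
            return "forward"
        if msg_type == "DHCPREQUEST":
            # Remember where the client sits; the ACK may return on another VLAN.
            self.pending[client_mac] = (vlan, ingress)
        return "forward"

    def _bound(self, ingress, vlan, mac, ip):
        b = self.bindings.get(mac)
        return b is not None and (b.ip, b.vlan, b.interface) == (ip, vlan, ingress)

    def source_ok(self, ingress, vlan, src_mac, src_ip):
        """Source validation: MAC, IP, VLAN and interface must all match."""
        return self._bound(ingress, vlan, src_mac, src_ip)

    def arp_ok(self, ingress, vlan, sender_mac, sender_ip):
        """DAI: accept on a trusted port, otherwise require a matching binding."""
        return ingress in self.arp_trusted or self._bound(ingress, vlan, sender_mac, sender_ip)


CLIENT = "00:00:5e:00:53:01"   # constructed MAC
PRINTER = "00:00:5e:00:53:02"  # constructed MAC for a static entry


def run_scenario():
    """Client on eth1/1/1 (VLAN 100), server via eth1/1/2, rogue on eth1/1/3."""
    sw = SnoopingSwitch(dhcp_trusted={"ethernet1/1/2"})
    sw.add_static(PRINTER, "10.1.1.200", 100, "ethernet1/1/5")
    log = [
        sw.dhcp("ethernet1/1/1", 100, "DHCPREQUEST", CLIENT),
        sw.dhcp("ethernet1/1/3", 100, "DHCPACK", CLIENT, "10.9.9.9"),  # rogue
        sw.dhcp("ethernet1/1/2", 200, "DHCPACK", CLIENT, "10.1.1.2"),  # trusted
    ]
    return sw, log


if __name__ == "__main__":
    sw, log = run_scenario()
    print(log, sw.bindings[CLIENT])
    print("spoofed source accepted:", sw.source_ok("ethernet1/1/1", 100, CLIENT, "10.1.1.1"))
```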
2. Add names to complete unqualified hostnames in CONFIGURATION mode. ip domain-list name You can configure a domain name and list corresponding to a non-default VRF instance. 1. Enter a domain name corresponding to a non-default VRF instance in the CONFIGURATION mode. ip domain-name vrf vrf-name server-name 2. Add names to complete unqualified hostnames corresponding to a non-default VRF instance.
Command Mode INTERFACE Usage Information The DHCP server is supported only on L3 interfaces. After you configure an IP helper address, the address forwards UDP broadcasts to the DHCP server. You can configure multiple helper addresses on an interface by repeating the same command for each DHCP server address. The no version of this command returns the value to the default. The client-facing and server-facing interfaces must be in the same VRF.
Table 34. Option-82 status
Global Level    Interface Level    Option-82 status
Enable          Enable             Adds Option-82 information to the packet.
Enable          Disable            Does not add Option-82 information to the packet.
Disable         Enable             Does not add Option-82 information to the packet.
Disable         Disable            Does not add Option-82 information to the packet.
Example OS10(config)# ip dhcp-relay information-option
Supported Releases 10.5.2.
Command Mode        INTERFACE CONFIGURATION
Usage Information   The VRF values for subnet selection are sent to the DHCP server in the option 151 field only if ip dhcp-relay vss-enable is enabled at the Global level. The value of the VRF name must match a VRF configured on the DHCP server for a DHCP pool. Because it is not the name of a VRF configured on the local switch, no validation is performed.
NOTE: Link-selection is functionally enabled only if Option-82 is enabled globally and at the interface level. This command is restricted to the netadmin and sysadmin role users.
Example             OS10(conf)# ip dhcp-relay link-selection
Supported Releases  10.5.2 or later

ip dhcp-relay source-interface
Configures the source interface to be used by the DHCP relay agent to decide the Gateway IP address used for forwarding a DHCP packet received on the VRF.
ip dhcp-relay server-override
Enables server identifier override (suboption-11) globally on the relay agent.
Syntax              ip dhcp-relay server-override
Parameters          None.
Defaults            Disabled on the relay agent.
Command Mode        CONFIGURATION
Usage Information   Enabling the server identifier option on the relay agent allows the DHCP relay agent to act as the proxy DHCP server such that the renew requests from the clients come to the relay agent rather than the DHCP server directly.
Example
OS10(conf-if-eth1/1/1)# ip dhcp-relay source-interface
  ethernet          Ethernet interface type
  loopback          Loopback interface type
  port-channel      Port-channel interface type
  vlan              VLAN interface type
  virtual-network   Virtual network type
OS10(conf-if-eth1/1/1)# ip dhcp-relay source-interface loopback 1
Supported Releases  10.5.2 or later

ip dhcp-relay server-override
Enables server identifier override (suboption-11) globally on the relay agent.
Syntax              ip dhcp-relay server-override
Parameters          None.
Supported Releases  10.5.2 or later

ipv6 dhcp-relay interface-id
Enables or disables the DHCPv6 interface-id option.
Syntax              ipv6 dhcp-relay interface-id
Parameters          None
Defaults            Disabled
Command Mode        CONFIGURATION
Usage Information   After enabling the interface-id option, the interface name is used for interface description.
Example
NOTE: This command is restricted to the sysadmin and netadmin user roles.
string      Uses user-defined string for prefix (Max: 96 chars, Except ':')
OS10(config)# ipv6 dhcp-relay prefix interface-id hostname?
vrfname     Use interface vrfname
OS10(config)# ipv6 dhcp-relay prefix interface-id vrfname?
hostname    User-defined string for hostname
Supported Releases  10.5.2.1 or later

ipv6 dhcp-relay remote-id
Enables or disables DHCPv6 remote-id option and customized description configurations.
Defaults            None.
Command Mode        CONFIGURATION
Usage Information   You must globally configure prefix as an optional parameter. You can configure hostname, VRF Name, or a customized string as prefix. Colon ( : ) is not allowed in the customized string prefix configuration. If you try to configure the prefix value with colon ( : ), the following error appears:
OS10(config)# % Error: Colon ( : ) is not supported
If the hostname is configured as a prefix, then the system hostname is used by default.
ipv6 dhcp-relay interface-id
Configures customized string value for the interface-id option.
Syntax              ipv6 dhcp-relay interface-id description user-defined-string
Parameters          None
Defaults            None.
Command Mode        INTERFACE CONFIGURATION
Usage Information   You can optionally configure any customized value for the interface-id option. By default, interface name is sent as the interface-id value. It can be configured on all types of interfaces.
Usage Information This command displays the Global level status of Option-82 as well as the Interface level Option-82 status. The show ip dhcp-relay interface command displays the relay information corresponding to the requested interface enabled with the helper address. If you enable the Option-82 configuration, the Option-82 status appears as Enabled(Default). If you disable the Option-82 configuration, the Option-82 status appears as Disabled.
show ipv6 dhcp-relay Displays the DHCPv6 relay information on the client interfaces. Syntax show ipv6 dhcp-relay interface {{ethernet node/slot/port | port-channel idnumber} | vlan vlan-id [{ethernet node/slot/port | port-channel id-number}] | virtual-network vnid} Parameters ● ● ● ● Defaults None.
Interface                 : ethernet 1/1/1
Interface-id[option-18]   : Enabled (OS10-red:vlan10-ethernet1/1/1)
Remote-id[option-37]      : Enabled
Enterprise-number         : 674
Remote-id value           : OS10:force10

OS10(conf)#ipv6 dhcp-relay hostname DELL
OS10(conf)#ipv6 dhcp-relay prefix interface-id hostname vrfname
interface ethernet1/1/1
 no shutdown
 no switchport
 switchport mode trunk
 switchport trunk allowed vlan 10
 ipv6 dhcp-relay interface-id description chennai
vlan 10
 ip address 1::2/64
 ip helper address 2::2
 ip vrf forwarding red
* 1 2 Present Not Present Interface Relay Configuration Mismatch --------------------------------------------------------------------VLAN: 10 VLT Unit ID Server-Override VSS Source-Interface --------------------------------------------------------------------------------* 1 enabled type-0(Red) 2 disabled type-0(Blue) VNI: 20 VLT Unit ID Server-Override VSS Source-Interface --------------------------------------------------------------------------------* 1 type-0(Red) Present 2 type-1(ABC:1234) Not Present
--------------------------------------------------------
VLAN: 10
VLT Unit ID    description
--------------------------------------------------------
* 1            default
  2            custom(santaclara)
VNI: 20
VLT Unit ID    description
--------------------------------------------------------
* 1            custom(force10)
  2            default
VLT-PORTCHANNEL: 100
VLT Unit ID    description
--------------------------------------------------------
* 1            custom(force10)
  2            custom(santaclara)
Supported Releases  10.5.
VLT VLAN mismatch: No mismatch
Example (mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID    Peer-routing
-----------------------------------
* 1            Enabled
  2            Disabled
VLAN mismatch: No mismatch
VLT VLAN mismatch:
VLT ID : 1
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2
VLT ID : 2
VLT Unit ID    Mismatch VLAN List
-----------------------------------
* 1            1
  2            2
Example (mismatch peer routing)
Example (mismatch VLAN)
OS10# show vlt 1 mismatch peer-routing
Peer-routing mi
available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) 1 * 2 10,104 - OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans ---------------------------------------------------------------------------1 101 * 2 100 OS10# show vlt all mismatch virtual-network Virtual Network: 102 VLT Unit ID Configured Virtual Network Mode -----------------------------------------------------------------
* 2            10.16.128.20
Virtual-network: 20
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.26
* 2            10.16.128.30
Example (Anycast IP addresses not configured on one of the virtual networks on both peers)
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.25
* 2            ABSENT
Virtual-network: 20
VLT Unit ID    Anycast-IP
-------------------------------------
  1            ABSENT
* 2            10.16.128.
---------------------------------------------------------------------------* 1 64::100, 64.6.7.88 2 100::100, 100.101.102.100 VLAN: 3000 VLT Unit ID Anycast-IPs ---------------------------------------------------------------------------* 1 100.101.102.100 2 Not configured VLAN: 4000 VLT Unit ID Anycast-IPs ---------------------------------------------------------------------------* 1 Not configured 2 Example (mismatch dhcprelay) 8.7.6.
● address2...address8 — (Optional) Enter up to eight IP addresses, in order of preference.
Default             Not configured
Command Mode        DHCP-POOL
Usage Information   Configure up to eight IP addresses, in order of preference. Use the no version of this command to remove the configuration.
Example             OS10(conf-dhcp-pool2)# default-router 20.1.1.100
Supported Releases  10.2.0E or later

disable
Disables the DHCP server.
Default             Not configured
Command Mode        DHCP-POOL
Usage Information   None
Example             OS10(conf-dhcp-Dell)# dns-server 192.168.1.1
Supported Releases  10.2.0E or later

hardware-address
Configures the client's hardware address for manual configurations.
Syntax              hardware-address nn:nn:nn:nn:nn:nn
Parameters          nn:nn:nn:nn:nn:nn — Enter the 48-bit hardware address.
Usage Information Use the ip dhcp server command to enter the DHCP mode required to enable DHCP server-assigned dynamic addresses on an interface. Example Supported Releases OS10(config)# ip dhcp server OS10(conf-dhcp)# 10.2.0E or later lease Configures a lease time for the IP addresses in a pool. Syntax lease {infinite | days [hours] [minutes]} Parameters ● ● ● ● Default 24 hours Command Mode DHCP-POOL Usage Information The no version of this command removes the lease configuration.
Parameters          type — Enter the NetBIOS node type:
● Broadcast — Enter b-node.
● Hybrid — Enter h-node.
● Mixed — Enter m-node.
● Peer-to-peer — Enter p-node.
Default             Hybrid
Command Mode        DHCP-POOL
Usage Information   The no version of this command resets the value to the default.
Example             OS10(conf-dhcp-Dell)# netbios-node-type h-node
Supported Releases  10.2.0E or later

network
Configures a range of IPv4 or IPv6 addresses in the address pool.
range
Configures a range of IP addresses.
Syntax              range {ip-address1 [ip-address2]}
Parameters
● ip-address1 — First IP address of the IP address range.
● ip-address2 — Last IP address of the IP address range.
Default             Not configured
Command Mode        DHCP-POOL
Usage Information   Use the range command to configure a range of IP addresses that the OS10 switch, acting as the DHCP server, can assign to DHCP clients.
Usage Information   Dell EMC Networking recommends enabling DAI before enabling DHCP snooping.
Example             OS10(conf-if-vl-230)# arp inspection
Supported Releases  10.5.0 or later

arp inspection-trust
Configures a port as trusted so that ARP frames are not validated against the DAI database.
Example (Global)    OS10# clear ip dhcp snooping binding
Supported Release   10.5.0 or later

clear ip dhcp snooping binding
Clears the dynamic entries in the DHCP snooping binding table.
Syntax              clear ip dhcp snooping binding [mac mac-address] [vlan vlan-id] [interface {ethernet slot/port/sub-port | port-channel port-channel-id}]
Parameters
● mac mac-address—Enter the MAC address of the host to which the server is leasing the IP address.
● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093.
Supported Releases  10.5.0 or later

ip dhcp snooping (interface)
Enables DHCP snooping on a VLAN.
Syntax              ip dhcp snooping
Parameters          None
Defaults            Enabled if enabled globally
Command Mode        INTERFACE VLAN
Usage Information   When you enable this feature, the switch begins to monitor all transactions between DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table.
ip dhcp snooping trust
Configures an interface as trusted in a DHCP snooping enabled VLAN.
Syntax              ip dhcp snooping trust
Parameters          None
Defaults            Untrusted
Command Mode        INTERFACE
Usage Information   This command configures a physical or port channel interface as trusted. By default all physical and port channel interfaces in the DHCP snooping enabled VLAN are untrusted. You can configure a DHCP server-facing physical or port channel interface as trusted.
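Because trusted ports are exempt from DHCP snooping and DAI validation, it is worth checking that only the intended server-facing ports carry ip dhcp snooping trust or arp inspection-trust. The following added example (not Dell EMC code) audits a constructed running-configuration excerpt against an operator-supplied list of expected trusted interfaces; it assumes the configuration lists each command under its interface stanza as typed, with sub-commands indented.

```python
"""Audit which interfaces are marked trusted for DHCP snooping / DAI.
Added example; not OS10 code."""
import re

# The two trust commands documented in this command reference.
TRUST_COMMANDS = ("ip dhcp snooping trust", "arp inspection-trust")

# Constructed excerpt in the style of `show running-configuration`.
SAMPLE_CONFIG = """\
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 100
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 100
 ip dhcp snooping trust
!
interface port-channel100
 no shutdown
 switchport mode trunk
 ip dhcp snooping trust
 arp inspection-trust
!
interface vlan100
 no shutdown
 arp inspection
!
"""


def normalize_name(name: str) -> str:
    """'Ethernet 1/1/2' and 'ethernet1/1/2' compare equal."""
    return "".join(name.split()).lower()


def parse_interfaces(config: str) -> dict:
    """Map interface name -> list of commands found in its stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None  # separator ends the stanza
            continue
        if raw[0] not in " \t":  # top-level command
            m = re.match(r"interface\s+(\S.*)$", raw.strip())
            current = normalize_name(m.group(1)) if m else None
            if current:
                interfaces.setdefault(current, [])
        elif current:
            interfaces[current].append(" ".join(raw.split()))
    return interfaces


def audit_trust(config: str, expected_trusted) -> list:
    """Return (interface, finding) tuples, sorted by interface name.

    expected_trusted is the operator's own list of server-facing ports
    (an input to this audit, not something the switch provides).
    """
    expected = {normalize_name(n) for n in expected_trusted}
    interfaces = parse_interfaces(config)
    findings = []
    for name in sorted(interfaces):
        present = [c for c in TRUST_COMMANDS if c in interfaces[name]]
        if present and name not in expected:
            findings.append((name, "unexpected trust: " + ", ".join(present)))
        elif name in expected and not present:
            findings.append((name, "expected trusted but no trust command"))
    for name in sorted(expected - set(interfaces)):
        findings.append((name, "expected interface not in configuration"))
    return findings


if __name__ == "__main__":
    for finding in audit_trust(SAMPLE_CONFIG, ["port-channel 100"]):
        print(finding)
```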
------------------------------------------------------------------------
55.2.1.1       00:40:50:00:00:00    port-channel100   vlan3001
200.1.1.134    00:2a:10:01:00:00    port-channel100   vlan3001
200.1.1.62     00:2a:10:01:00:01    port-channel100   vlan3001
Supported Releases  10.5.0 or later

show ip arp inspection statistics
Displays valid and invalid ARP requests and reply statistics.
Syntax              show ip arp inspection statistics [vlan vlan-id]
Parameters
● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093.
Command Mode        EXEC
Usage Information   The dynamically learned entries are displayed as D and statically configured entries are displayed as S.
Example
OS10# show ip dhcp snooping binding
Codes : S - Static D – Dynamic
IPv4 Address   MAC Address         Expires(Sec)   Type   Interface         VLAN
=========================================================================
10.1.1.22      11:22:11:22:11:22   120331         S      ethernet1/1/4     100
10.1.1.44      11:22:11:22:11:23   120331         S      port-channel100   200
10.1.1.
Usage Information   This domain appends to incomplete DNS requests. The no version of this command returns the value to the default.
Example             OS10(config)# ip domain-name vrf jay dell.com
Supported Releases  10.2.0E or later

ip host
Configures mapping between the hostname server and the IP address.
Syntax              ip host [vrf vrf-name] [host-name] address
Parameters
● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the name server to IP address mapping for that VRF.
show hosts Displays the host table and DNS configuration. Syntax show hosts [vrf vrf-name] Parameters vrf vrf-name — Enter vrf then the name of the VRF to display DNS host information corresponding to that VRF. Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show hosts Default Domain Name : dell.com Domain List : abc.com Name Servers : 1.1.1.
Or docker pull nginx:latest NOTE: Docker downloads the latest image if you do not specify the image file name.
● Display details of a volume: docker volume inspect volume-name
● List all the volumes in the system: docker volume ls
● Remove a volume: docker volume rm volume-name
Docker Management
● List all running Docker containers: docker ps
● List all running and stopped Docker containers: docker ps -a
● Remove a Docker container: docker rm container-name
● Remove a Docker image: docker rmi image-name
● Remove unused Docker images: docker image prune
● Remove unused Docker volumes: docker volume prune
● Remove all
Cut-through switching mode CT switching offers low-latency performance for SCSI traffic. Use CT switching in packet-switching systems. The switch forwards packets or frames to its destination immediately after the destination address is processed without waiting to receive the entire data. The egress scheduler block in the NPU pipeline schedules the packet to transmit out after the first cells of packet arrive.
Restrictions and limitations When the port is operating in CT mode, you can observe the following restrictions, depending on the configuration or timing of the incoming packet, PFC message, or port speed configurations. ● Layer 2/Layer 1/Layer 0, and queue level maximum shaper configurations are not considered.
Low Latency Modes CLI commands show switching-mode Displays the current configured switching-mode.
11 Interfaces You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes. Table 38.
Unified port groups In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group. To activate Ethernet interfaces, configure a port group to operate in Ethernet mode and specify the port speed. To activate Fibre Channel interfaces, see Fibre Channel interfaces. S4148U-ON On the S4148U-ON switch, the available Ethernet and Fibre Channel interfaces in a port group depend on the currently configured port profile.
interface ethernet1/1/41:1 no shutdown Z9264F-ON port-group profiles On the Z9264F-ON switch, the port-group profiles determine the available front-panel Ethernet ports and supported breakout interfaces. QSFP28 ports operate only in Ethernet mode. Use the port-group profile to configure breakout interfaces and specify the port speed. NOTE: The configuration steps to enable Ethernet interfaces on a Z9264F-ON port group are different than that of the S4100-ON series.
● 10g-4x — Split a port into four 10GE interfaces. 4. Return to CONFIGURATION mode. exit 5. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
Table 39.
Table 40.
Table 41.
port-group1/1/6 port-group1/1/7 port-group1/1/8 port-group1/1/9 port-group1/1/10 port-group1/1/11 port-group1/1/12 port-group1/1/13 port-group1/1/14 port-group1/1/15 port-group1/1/16 port-group1/1/17 port-group1/1/18 port-group1/1/19 port-group1/1/20 port-group1/1/21 port-group1/1/22 port-group1/1/23 port-group1/1/24 port-group1/1/25 port-group1/1/26 port-group1/1/27 port-group1/1/28 port-group1/1/29 port-group1/1/30 port-group1/1/31 port-group1/1/32 Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth
Table 42.
Table 42. Port groups and breakout modes on the S5296F-ON switch (continued)
Port Group         Ports   Supported breakout modes
Port-group1/1/30   102     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
Port-group1/1/31   103     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
Port-group1/1/32   104     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
To configure breakout modes:
1. Configure a port group in CONFIGURATION mode. Enter 1/1 for node/slot and the port group number.
   port-group node/slot/port-group
2.
L2 mode configuration Each physical Ethernet interface uses a unique MAC address. Port-channels and VLANs use a single MAC address. By default, all the interfaces operate in L2 mode. From L2 mode you can configure switching and L2 protocols, such as VLANs and Spanning-Tree Protocol (STP) on an interface. Enable L2 switching on a port interface in Access or Trunk mode. By default, an interface is configured in Access mode.
OS10(conf-if-eth1/1/9)# ip address 10.10.1.92/24
OS10(conf-if-eth1/1/9)# no shutdown

View L3 configuration error
OS10(config)# interface ethernet 1/1/14
OS10(conf-if-eth1/1/14)# ip address 10.1.1.2/24
% Error: Interface ethernet1/1/14, IP address cannot exist with L2 modes.

Fibre Channel interfaces
OS10 unified port groups support FC interfaces. A unified port group operates in Fibre Channel or Ethernet mode.
6. Apply vfabric configuration on the interface. For more information about vfabric configuration, see Virtual fabric. vfabric fabric-ID 7. Enable the FC interface in INTERFACE mode.
NOTE: The supported wavelength range is from 1528.38 nm to 1568.77 nm.
OS10(conf-if-eth1/1/14)# wavelength 1530.00
2. View the optical transmission values that you configured using the following command:
   show interface phy-eth [interface] [transceiver]
OS10# show interface phy-eth 1/1/14 transceiver | grep "Tunable wavelength"
SFP1/1/14 Tunable wavelength= 1530.000nm
NOTE: To specify the wavelength value, you must enter exactly six digits - four before and two after the decimal point.
When using VLANs in a routing protocol, you must configure the no shutdown command to enable the VLAN for routing traffic. In VLANs, the shutdown command prevents L3 traffic from passing through the interface. L2 traffic is unaffected by this command. ● Configure an IP address in A.B.C.D/x format on the interface in INTERFACE mode. The secondary IP address is the interface’s backup IP address.
1. Configure the L2 VLAN scale profile in CONFIGURATION mode.
   scale-profile vlan
2. (Optional) Enable L3 routing on a VLAN in INTERFACE VLAN mode.
   mode L3
After you configure the VLAN scale profile and enable L3 routing on the respective VLANs, save the configuration and reload the switch for the scale profile settings to take effect. To reload the switch, use the reload command.
Input 0 packets, 0 bytes, 0 multicast Received 0 errors, 0 discarded Output 0 packets, 0 bytes, 0 multicast Output 0 errors, Output 0 invalid protocol Time since last interface status change : 00:00:11 Port-channel interfaces Port-channels are not configured by default. Link aggregation (LA) is a method of grouping multiple physical interfaces into a single logical interface — a link aggregation group (LAG) or port-channel.
● Port-channels support 802.3ad LACP. LACP identifies similarly configured links and dynamically groups ports into a logical channel. LACP activates the maximum number of compatible ports that the switch supports in a port-channel. ● If you globally disable a spanning-tree operation, L2 interfaces that are LACP-enabled port-channel members may flap due to packet loops.
○ secondary-ip-address — Specify a secondary IP address in dotted-decimal A.B.C.D format, which acts as the interface’s backup IP address.

Assign Port Channel IP Address
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# ip address 1.1.1.1/24
OS10(conf-if-po-1)#

Remove or disable port-channel
You can delete or disable a port-channel.
1. Delete a port-channel in CONFIGURATION mode.
   no interface port-channel channel-number
2.
Change hash algorithm The load-balancing command selects the hash criteria applied to traffic load balancing on port-channels. If you do not obtain even traffic distribution, use the hash-algorithm command to select the hash scheme for LAG. Rotate or shift the L2-bit LAG hash until you achieve the desired traffic distribution. ● Change the default (0) to another algorithm and apply it to LAG hashing in CONFIGURATION mode.
Configure range of port channels OS10(config)# interface range port-channel 1-25 OS10(conf-range-po-1-25)# Switch-port profiles A port profile determines the enabled front-panel ports and supported breakout modes on Ethernet and unified ports. Change the port profile on a switch to customize uplink and unified port operation, and the availability of front-panel data ports.
S4148-ON Series port profiles
On the S4148-ON Series of switches, port profiles determine the available front-panel Ethernet ports and supported breakout interfaces on uplink ports. In the port profile illustration, blue boxes indicate the supported ports and breakout interfaces. Blank spaces indicate ports and speeds that are not available.
● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ or QSFP28 port.
● 25GE is a 4x25G breakout of a QSFP28 port.
S4148U-ON Ethernet modes—QSFP+ ports 27-28 and SFP+ ports 31-54:
● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ port.
● 40GE mode is a QSFP+ port.
For example, all S4148U-ON profiles activate support for 10G speed on unified ports 1-24 and Ethernet ports 31-54, but only profile-1 and profile-2 activate QSFP+ ports 27-28 in 40GE mode with 4x10G breakouts.
● Z9332F-ON platform: OS10 supports 25G auto negotiation with third-party 25G NIC devices that comply with the IEEE 802.3by and 25G Ethernet Consortium standards. When you use a third-party NIC device that does not support the 25G Ethernet Consortium standard, to bring up the port: ○ If you have enabled SmartAN technology on the server, disable auto negotiation on the OS10 switch port. ○ Otherwise, disable auto negotiation on both the OS10 switch port and the third-party link partner.
Mode of IPv4 Address Assignment: not set Interface IPv6 oper status: Disabled MTU 1532 bytes, IP MTU 1500 bytes LineSpeed 100G, Auto-Negotiation on Configure breakout mode Using a supported breakout cable, you can split a 40GE QSFP+ or 100GE QSFP28 Ethernet port into separate breakout interfaces. All breakout interfaces have the same speed. You can set a QSFP28 port to operate in 40GE mode with a QSFP+ transceiver.
RJ-45 ports and ports that are members of a port group do not support breakout auto-configuration. Breakout autoconfiguration is disabled by default.
2. Return to CONFIGURATION mode. exit 3. Reset an interface to its default configuration in CONFIGURATION mode. Enter multiple interfaces in a comma-separated string or a port range using the default interface range command. default interface {ethernet | fibrechannel} node/slot/port[:subport] 4. Enter INTERFACE mode and verify the factory-default configuration.
Forward error correction Forward error correction (FEC) enhances data reliability.
Time since last interface status change: 00:00:13 --more-- Energy-efficient Ethernet Energy-efficient Ethernet (EEE) reduces power consumption of physical layer devices (PHYs) during idle periods. EEE allows Dell EMC Networking devices to conform to green computing standards. An Ethernet link consumes power when a link is idle. EEE allows Ethernet links to use Regular Power mode only during data transmission. EEE is enabled on devices that support LOW POWER IDLE (LPI) mode.
Clear counters for specific interface
OS10# clear counters interface 1/1/48 eee
Clear eee counters on ethernet1/1/48 [confirm yes/no]:yes

View EEE status/statistics
You can view the EEE status or statistics for a specified interface, or all interfaces, using the show commands.
EEE commands

clear counters interface eee
Clears all EEE counters.
Syntax              clear counters interface eee
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# clear counters interface eee
Clear all eee counters [confirm yes/no]:yes
Supported Releases  10.3.0E or later

clear counters interface ethernet eee
Clears EEE counters on a specified Ethernet interface.
Example (Disable EEE)
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no eee
Supported Releases  10.3.0E or later

show interface eee
Displays the EEE status for all interfaces.
Syntax              show interface eee
Parameters          None
Default             Not configured
Command Mode        EXEC
Example
OS10# show interface eee
Port         EEE   Status   Speed   Duplex
---------------------------------------------
Eth 1/1/1    off   up       1000M
...
show interface ethernet eee
Displays the EEE status for a specified interface.
Syntax              show interface ethernet node/slot/port[:subport] eee
Parameters          node/slot/port[:subport]—Enter the interface information.
Default             Not configured
Command Mode        EXEC
Example
OS10# show interface ethernet 1/1/48 eee
Port         EEE   Status   Speed   Duplex
---------------------------------------------
Eth 1/1/48   on    up       1000M
Supported Releases  10.3.
View interface information OS10# show interface Ethernet 1/1/1 is up, line protocol is down Hardware is Eth, address is 00:0c:29:66:6b:90 Current address is 00:0c:29:66:6b:90 Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4 Wavelength is 64 Receive power reading is 0.
Time since last interface status change: 02:46:35
--more--

View specific interface information
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# show configuration
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown

View candidate configuration
OS10(conf-if-eth1/1/1)# show configuration candidate
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown

View running configuration
OS10# show running-configuration
Current Configuration ...
Ethernet 1/1/23 Ethernet 1/1/24 Ethernet 1/1/25 Ethernet 1/1/26 Ethernet 1/1/27 Ethernet 1/1/28 Ethernet 1/1/29 Ethernet 1/1/30 Ethernet 1/1/31 Ethernet 1/1/32 Management 1/1/1 Vlan 1 Vlan 10 Vlan 20 Vlan 30 unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned 10.16.153.
● Warning threshold—The platform specification defines this value. If you have configured to allow high-power optics, an optic with power rating below this threshold is enabled. ● Alarm threshold—The platform specification defines this value. A high-power optic with power rating above this threshold is disabled. OS10 checks for the following: ● If you have enabled high-power optics on a port, OS10 checks the alarm threshold value.
● INTERFACE RANGE ETHERNET CONFIGURATION submode Usage Information By default, this command is enabled on all the physical interfaces. Use the no version of this command to disable high-power optics on the interface or interfaces. If you disable high-power optics, this configuration is displayed in the show running-configuration command output. This command is applicable only for the Z9332F-ON platform.
Digital optical monitoring The digital optical monitoring (DOM) feature monitors the digital optical media for temperature, voltage, bias, transmission power (Tx), and reception power (Rx). This feature also generates event logs, alarms, and traps for any fluctuations, when configured thresholds are reached.
1. Enable DOM.
   OS10(config)# dom enable
2. Enable DOM traps.
   OS10(config)# snmp-server enable traps dom
You can run the show alarms command in EXEC mode to view any alarms that are generated.

View DOM alarms
OS10# show alarms
Index   Severity   Name                  Raise-time                Source
-----   --------   -------------------   -----------------------   ------
0       major      EQM_MEDIA_TEMP_HIGH   Tue 06-04-2019 12:32:07   Node.1-Unit.
If you have not configured the MTU value for an interface, a default value of 1532 bytes is set automatically. Any packet exceeding this value is dropped. To build an MTU with higher value, configure the default MTU of the system to the required value. You can use the following commands for MTU configuration:
● default mtu - configure a custom MTU value to all the interfaces that do not have a user configured MTU.
Configure polling interval for Ethernet interface counters OS10 caches the interface counters every 15 s. The interface statistics include the number of packets that are sent or received through an interface. You can change this polling interval for Ethernet interface counters from 1 s to 15 s.
● An Ethernet interface is enabled using the no shutdown command; a Fibre Channel interface is disabled using the shutdown command. ● An Ethernet interface is assigned to the default VLAN. The default interface command removes all software settings and all L3, VLAN, and port-channel configurations on a physical interface. You must manually remove configured links to the interface from other software features; for example, if you configure an Ethernet interface as a discovery interface in a VLT domain.
!
interface ethernet1/1/3
 no shutdown
 no switchport
 ip address 192.28.43.1/31
 ipv6 address 2000:28:43::28:43:1/127
!
interface ethernet1/1/4
 no shutdown
 no switchport
 ip address 192.41.43.1/31
 ipv6 address 2000:41:43::41:43:1/127
OS10(conf-range-eth1/1/1-1/1/4)# exit
OS10(config)# default interface range ethernet 1/1/1,1/1/2-1/1/4
Proceed to cleanup interface range config? [confirm yes/no]:yes
Mar 5 22:21:12 OS10 dn_l3_core_services[590]: Node.1-Unit.
Parameters          vlan-id — Enter the default VLAN ID number, from 1 to 4093.
Default             VLAN1
Command Mode        CONFIGURATION
Usage Information   By default, VLAN1 serves as the default VLAN for switching untagged L2 traffic on OS10 ports in Trunk or Access mode. If you use VLAN1 for network-specific data traffic, reconfigure the VLAN ID of the default VLAN. The command reconfigures the access VLAN ID, the default VLAN, of all ports in Switchport Access mode.
Supported Releases 10.2.0E or later duplex Configures Duplex mode on the Management port. Syntax duplex {full | half | auto} Parameters ● full — Set the physical interface to transmit in both directions. ● half — Set the physical interface to transmit in only one direction. ● auto — Set the port to auto-negotiate speed with a connected device. Defaults Not configured Command Mode CONFIGURATION Usage Information You can only use this command on the Management port.
Usage Information The no version of this command disables the DOM traps. Example OS10# configure terminal OS10(config)# snmp-server enable traps dom temperature OS10# configure terminal OS10(config)# no snmp-server enable traps dom temperature Supported Releases 10.4.3.0 or later feature auto-breakout Enables front-panel Ethernet ports to automatically detect SFP media and autoconfigure breakout interfaces.
interface breakout Splits a front-panel Ethernet port into multiple breakout interfaces. Syntax interface breakout node/slot/port map {100g-1x | 50g-2x |40g-1x | 25g-4x | 10g-4x | 25g-4x} Parameters ● ● ● ● ● ● Default Not configured Command Mode CONFIGURATION Usage Information ● Each breakout interface operates at the configured speed; for example, 10G, 25G, or 50G. ● The no interface breakout node/slot/port command resets a port to its default speed: 40G or 100G.
Command Mode CONFIGURATION Usage Information The no version of this command deletes the Loopback interface.
Example
OS10(config)# interface loopback 100
OS10(conf-if-lo-100)#
Supported Releases 10.2.0E or later
interface mgmt Configures the Management port. Syntax interface mgmt node/slot/port Parameters node/slot/port — Enter the physical port interface information for the Management interface. Default Enabled Command Mode CONFIGURATION Usage Information You cannot delete a Management port.
Command Mode CONFIGURATION Usage Information The no version of this command deletes the interface.
Example
OS10(config)# interface port-channel 10
OS10(conf-if-po-10)#
Supported Releases 10.2.0E or later
interface range Configures a range of Ethernet, port-channel, or VLAN interfaces for bulk configuration. Syntax interface range {ethernet node/slot/port[:subport]-node/slot/port[:subport],[...]} | {port-channel IDnumber-IDnumber,[ ...]} | vlan vlanID-vlanID,[...
NOTE: In SmartFabric Services mode, creation of VLAN is disabled.
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)#
Supported Releases 10.2.0E or later
link-bundle-utilization Configures link-bundle utilization. Syntax link-bundle-utilization trigger-threshold value Parameters value — Enter the percentage of port-channel bandwidth that triggers traffic monitoring on port-channel members, from 0 to 100.
Default S4148U-ON: Depends on the port profile activated. Command Mode PORT-GROUP Usage Information ● The mode {FC | Eth} command configures a port group to operate at line rate and guarantees no traffic loss. ● To configure oversubscription on a FC interface, use the speed command. ● To configure breakout interfaces on an Ethernet port, use the interface breakout command. ● To view the currently active ports and subports, use the show interfaces status command.
○ All members of a VLAN must have the same MTU value. ○ Tagged members must have a link MTU 4 bytes higher than untagged members to account for the packet tag. ○ Ensure that the MTU of VLAN members is greater than or equal to the VLAN MTU. OS10 selects the lowest MTU value configured on the VLAN or VLAN members to be the VLAN MTU. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
 no shutdown
 switchport access vlan 1
 negotiation on
 flowcontrol receive on
OS10(conf-if-eth1/1/50)# no negotiation
OS10(conf-if-eth1/1/50)# show configuration
!
interface ethernet1/1/50
 no shutdown
 switchport access vlan 1
 flowcontrol receive on
OS10(conf-if-eth1/1/50)# do show interface ethernet 1/1/50
Ethernet 1/1/50 is up, line protocol is up
Hardware is Eth, address is e4:f0:04:3e:2d:86
Current address is e4:f0:04:3e:2d:86
Pluggable media present, QSFP28 type is QSFP28 100GBASE-CR4-2.
port-group Configures a group of front-panel unified ports, or a double-density QSFP28 (QSFP28-DD) or single-density QSFP28 port group. Syntax port-group node/slot/port-group Parameters ● node/slot — Enter 1/1 for node/slot when you configure a port group. ● port-group — Enter the port-group number, from 1 to 16. The available port-group range depends on the switch.
scale-profile vlan Configures the L2 VLAN scale profile on a switch. Syntax scale-profile vlan Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use the VLAN scale profile when you scale the number of VLANs so that the switch consumes less memory. Enable the scale profile before you configure VLANs on the switch. The scale profile globally applies L2 mode on all VLANs you create and disables L3 transmission. The no version of the command disables L2 VLAN scaling.
Queuing strategy: fifo
Input statistics:
0 packets, 0 octets
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output statistics:
0 packets, 0 octets
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded,
show interface phy-eth Displays the optical details for an interface. Syntax show interface phy-eth [interface] [transceiver] Parameters ● interface—(Optional) Specify the interface corresponding to which you want to view the optical details. ● transceiver—(Optional) Displays the transceiver details. Defaults None Command Mode EXEC Usage Information Starting from Release 10.5.2.1, the interface and transceiver parameters are optional.
show link-bundle-utilization Displays information about the link-bundle utilization. Syntax show link-bundle-utilization Parameters None Default Not configured Command Mode EXEC Usage Information None
Example
OS10# show link-bundle-utilization
Link-bundle trigger threshold - 60
Supported Releases 10.2.0E or later
show port-channel summary Displays port-channel summary information.
1/1/19(P) 23 port-channel23 (D) Eth STATIC Supported Releases 10.2.0E or later show port-group Displays the current port-group configuration on a switch. Syntax show port-group Parameters None Default None Command Mode EXEC Usage Information To view the ports that belong to each port-group, use the show port-group command. To configure a port-group, use the port-group command.
Command Mode EXEC Usage Information A switch-port profile determines the available front-panel ports and breakout modes on Ethernet and unified ports. To display the current port profile, use the show switch-port-profile command. To reset the switch to the default port profile, use the no switch-port-profile node/slot command.
show vlan Displays the current VLAN configuration. Syntax show vlan [vlan-id] Parameters vlan-id — (Optional) Enter a VLAN ID, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information None
Example
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs
Q: A - Access (Untagged), T - Tagged
NUM Status Description Q Ports
1 down
Supported Releases 10.2.0E or later
shutdown Disables an interface.
Command Mode INTERFACE Usage Information ● To configure oversubscription for bursty storage traffic on a FC interface, use the speed command. Oversubscription allows a port to operate faster, but may result in traffic loss. For example, QSFP28 port groups in 4x8GFC mode support 16GFC oversubscription on member interfaces. QSFP28 breakout interfaces in 4x16GFC mode support 32GFC oversubscription. ● The no version of this command resets the port speed to the default value auto.
switch-port-profile Configures a port profile on the switch. The port profile determines the available front-panel ports and breakout modes. Syntax switch-port-profile node/unit profile Parameters ● node/unit — Enter switch information. For a standalone switch, enter 1/1. ● profile — Enter the name of a platform-specific profile.
QSFP28 unified ports 25 and 29 operate in Ethernet 100GE mode by default, and support 40GE with QSFP+ transceivers and 4x10G breakouts. QSFP28 ports 25 and 29 support 1x32GFC, 2x16GFC, and 4x8GFC in FC mode. ■ QSFP28 unified ports 26 and 30 operate in Ethernet 40GE mode by default and support 4x10G breakouts. QSFP28 ports 26 and 30 support 1x32GFC, 2x16GFC, and 4x8GFC in FC mode. ■ QSFP+ Ethernet ports operate at 40GE by default and support 4x10G breakouts. ■ SFP+ Ethernet ports operate at 10GE.
Usage Information Example Supported Releases This command enables L2 switching for untagged traffic and assigns a port interface to default VLAN1. Use this command to change the assignment of the access VLAN that carries untagged traffic. You must create the VLAN before you can assign an access interface to it. The no version of this command resets access VLAN membership on a L2 access or trunk port to VLAN 1.
Example
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 1000
OS10(conf-if-eth1/1/2)# no switchport trunk allowed vlan 1000
Supported Releases 10.2.0E or later
wavelength Configures wavelength for tunable 10-GB SFP+ optical transceiver. Syntax wavelength wavelength-value Parameters wavelength-value — Enter a value to set a wavelength for the SFP+ optics. The range is from 1528.38 to 1568.77. Defaults None.
Parameters None Defaults None Command Mode EXEC Usage Information The interface-level MTU may be different from the system-level MTU.
Example
OS10# show default mtu
Default MTU 9216 bytes
Supported Releases 10.5.1.
12 Fibre Channel
OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG). In the FSB mode, you cannot use the FC ports.
E_Port
Expansion port (E_Port) in a switch is used to connect two Fibre Channel switches to form a multiswitch SAN fabric. The default port mode in a multiswitch setup is F.
Configuration notes Dell EMC PowerSwitch S4148U-ON: The total errors count in the show interface fibrechannel command output displays incorrect values during FC port flaps, IOM reboot, or port conversion from ETH to FC, followed by bringing up of the FC port. Fibre Channel over Ethernet Fibre Channel over Ethernet (FCoE) encapsulates Fibre channel frames over Ethernet networks. FCoE Initialization protocol (FIP) establishes Fibre channel connectivity with Ethernet ports.
5. Configure the maximum number of ENode sessions to be allowed using the fcoe max-sessions-per-enodemac maxsession-number command in CONFIGURATION mode, from 1 to 64. NOTE: OS10 switches do not support multi-hop FIP snooping bridge (multi-hop FSB) capability; links to other FIP snooping bridges on a FIP snooping-enabled device (bridge-to-bridge links) are not supported.
-------------------------- ---- -------54:7f:ee:37:34:40 port-channel5 100 0e:fc:00 -------------- -------------4000 2 OS10# show fcoe enode Enode MAC Enode Interface VLAN FCFs Sessions ----------------- ---------------- ---- ---- -------d4:ae:52:1b:e3:cd ethernet1/1/54 100 1 5 Terminology ENode End Node or FCoE node FC Fibre Channel FC ID A 3-byte address used by FC to identify the end points FC Map A 3-byte prefix configured per VLAN, used to frame FCoE MAC address FCF Fibre Channel Forwarder
OS10(conf-vfabric-100)# vlan 1023
OS10(conf-vfabric-100)# fcoe fcmap 0xEFC64
OS10(conf-vfabric-100)# zoneset activate set
OS10(conf-vfabric-100)# zone default-zone permit
OS10(conf-vfabric-100)# exit
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# vfabric 100
View vfabric configuration
OS10(conf-vfabric-100)# show configuration
!
vfabric 100
 name 100
 vlan 1023
 fcoe fcmap 0xEFC64
 zoneset activate set
 zone default-zone permit
OS10# show vfabric
Fabric Name 100
Fabric Type FPORT
Fabric Id 100
3. Add FCoE parameters with the fcoe {fcmap fc-map | fcf-priority fcf-priority-value | fka-advperiod adv-period | vlan-priority vlan-priority-value | keep-alive} command.
4. (Optional) Add a name to the vfabric using the name vfabric-name command.
5. Apply the vfabric to interfaces using the vfabric fabric-ID command in INTERFACE mode.
3. Create a zone using the fc zone zone-name command in CONFIGURATION mode. The switch enters Zone CONFIGURATION mode.
4. Add members to the zone with the member {alias-name alias-name | wwn wwn-ID | fc-id fc-id} command in Zone CONFIGURATION mode.
5. Create a zoneset using the fc zoneset zoneset-name command in CONFIGURATION mode. The switch enters Zoneset CONFIGURATION mode.
6. Add the existing zones to the zoneset with the member zone-name command in Zoneset CONFIGURATION mode.
7.
ZoneName ZoneMember ================================================ hba2 *20:01:00:0e:1e:e8:e4:99 20:35:78:2b:cb:6f:65:57 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:1f hba1 *10:00:00:90:fa:b8:22:19 *21:00:00:24:ff:7b:f5:c8 OS10# show fc zoneset set ZoneSetName ZoneName ZoneMember ========================================================== set hba1 21:00:00:24:ff:7b:f5:c8 10:00:00:90:fa:b8:22:19 21:00:00:24:ff:7f:ce:ee 21:00:00:24:ff:7f:ce:ef hba2 20:01:00:0e:1e:e8:e4:99 50:00:d3
response change to the unstable state. The sessions keep flapping until the request and response converge in the same port. To avoid this, pin one of the ports in the port-channel. To support FCoE on multi-level VLT networks, use port pinning in FCoE LAGs. Port pinning is a static configuration that restricts the FIP and FCoE traffic to one port of the port-channel overriding hardware LAG hashing.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)#interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(config)# policy-map type network-qos PFC
OS10(config-pmap-network-qos)# class fcoematch
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Create uplink and downlink port-channels, and configure the FCF facing port.
Version : 2.0 Local System MAC address : 50:9a:4c:d3:cf:70 Primary priority : 32768 VLT MAC address : 50:9a:4c:d3:cf:70 IP address : fda5:74c8:b79e:1::2 Delay-Restore timer : 90 seconds Peer-Routing : Disabled Peer-Routing-Timeout timer : 0 seconds VLTi Link Status port-channel1000 : up VLT Peer Unit ID System MAC Address Status IP Address Version ---------------------------------------------------------------------------------1 50:9a:4c:d3:e2:f0 up fda5:74c8:b79e:1::1 2.
2. Create the FC zones.
OS10(config)# fc zone zoneA
OS10(config-fc-zone-zoneA)# member wwn 10:00:00:90:fa:b8:22:19 <>
OS10(config-fc-zone-zoneA)# member wwn 21:00:00:24:ff:7b:f5:c8 <>
3. Create the FC zoneset.
OS10(config)# fc zoneset zonesetA
OS10(conf-fc-zoneset-zonesetA)# member zoneA
4. Create the vfabric VLAN.
OS10(config)# interface vlan 1001
5. Create vfabric and activate the FC zoneset.
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# channel-group 10 mode active
OS10(conf-if-eth1/1/10)# no switchport
OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/10)# priority-flow-control mode on
View configuration
Name server entries:
OS10# show fc ns switch brief
Total number of devices = 2
Intf# Domain port-channel10(Eth 1/1/9) 1 20:00:f4:e9:d4:a4:7d:c3 fibrechannel1/1/26 1 21:00:00:24:ff:7c:ae:0e FC-ID 01:00:00 Enode-WWPN 20:01:f4:e9:d4:a4:7d:c
OS10(conf-if-po-10)# switchport trunk allowed vlan 1001,10
OS10(conf-if-po-10)# fip-snooping port-mode fcf
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 1
OS10(conf-if-po-20)# switchport trunk allowed vlan 1001,10
6. Apply the PFC configuration on downlink and uplink interfaces. In addition, include the interfaces to the port-channel and configure one of the interfaces as pinned-port.
Pinned port status:
OS10# show fcoe pinned-port
Interface pinned-port FCoE Status
----------------- ---------------- -----------------
Po 10 Eth 1/1/1 Up
Po 20 Eth 1/1/3 Up
Sample FC Switch configuration on non-VLT network
1. Enable the F_PORT mode.
OS10(config)# feature fc domain-id 1
2. Create the FC zones.
OS10(conf-if-eth1/1/9)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/9)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/10
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# channel-group 10 mode active
OS10(conf-if-eth1/1/10)# no switchport
OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/10)# priority-flow-control mode on
View configuration
Name server entries:
OS10# show fc ns switch brief
Total number of devices = 2
In
rebuilding the fabric. When the principal ISL fails and if no other path exists between the two affected switches, then the build fabric (BF) operation is triggered. If the backup link (nonprincipal ISL) is available, then the link failure recovery is triggered. Whenever the principal switch election is retriggered nondisruptively, the switches check if the previously assigned domain IDs match the newly elected principal switch. The switches remember the previously assigned domain IDs.
Restrictions and limitations
This section lists the restrictions and limitations of the multiswitch fabric feature.
● The multiswitch feature does not support Virtual E-ports (VE), BB_credit configuration, autoport mode, static FC route, zone merging, ESC exchange between switches, and switch port initialization.
● Only one vfabric is supported per switch in the multiswitch mode.
● Interoperability with other vendors, such as non-OS10 switches, is not supported.
Switch-1 configuration
1. Enable the multiswitch feature globally.
OS10(config)# feature fc multi-switch
2. Create a vFabric VLAN.
OS10(config)# interface vlan 1001
3. Create vFabric.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)#
NOTE: The recommended configuration is to configure the same VLAN and fcmap values on all the switches. vFabric ID is of local significance, and hence the vFabric can have different values on different switches.
4. Create a port group.
9. Create and activate a zone set.
OS10(config)# fc zoneset zoneset1
OS10(conf-fc-zoneset-zoneset1)# member zoneA
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# zoneset activate zoneset1
10. You can deactivate vFabric by removing either the VLAN or fcmap configuration.
OS10(conf-vfabric-1)# no vlan 100
Warning: All traffic on this fabric will be lost. Continue? [yes/no]:yes
Switch-2 configuration
1. Enable the multiswitch feature globally.
OS10(config)# feature fc multi-switch
2. Create a vFabric VLAN.
Verify multiswitch fabric (E Port) configuration
Verify the multiswitch configuration using the following show commands:
● To verify the current configured switch mode, run the show fc switch command.
OS10# show fc switch
Switch Mode : Disabled
Switch WWN :
● To display the multiswitch mode after configuring the multiswitch feature, run the show fc switch command.
Switch Name 10:00:14:18:77:20:73:cf Domain Id 101 Switch Port FC1/1/1 FC-Id 65:00:01 Port Name 20:01:f4:e9:d4:f9:fc:44 Node Name 20:00:f4:e9:d4:f9:fc:43 Class of Service 8 Symbolic Port Name XXX Symbolic Node Name XXX Port Type N_Port Registered with NameServer Yes Registered for SCN No FC4-Types:FC4-Features fcp(0x08):0x2 ● To display the summary of the local switch name server entries, run the show fc ns switch brief command.
● To verify the fabric name server registration on switch-2, run the show fc ns fabric command.
========================================== Members fibrechannel1/1/1 fibrechannel1/1/2 ● To verify the vFabric in switch-2, principal switch, run the show vfabric command.
5 Error packets 0 Number of Reject packets received : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Error packets 0 Number of Request packets transmitted : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Error packets 0 Number of Accept packets transmitted : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA ACC 5 RDI ACC 5 Error packets 0 Number of Reject packets transmitted : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Error packets 0 ● To display the link state database information of switch-1
● To view the established shortest routes between the server and the target ports in switch-2, run the show fc fspf route command.
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
--------------------------------------------------------------
1 0x65(101) 125 fc1/1/2
● To view the FSPF neighbor information in switch-1, use the show fc fspf neighbor command.
Supported Releases 10.5.1.0 or later clear fc flow-control-statistics Clears all flow-control counters for all domains. Syntax clear fc flow-control-statistics Parameters None Default None Command Mode EXEC Usage Information If multiswitch mode is disabled, this command returns silently.
Example
OS10#clear fc fspf statistics interface fc 1/1/1
Supported Releases 10.5.1.0 or later
clear fc ns switch statistics Clears the Name Server statistics on all interfaces. Syntax clear fc ns switch statistics [interface type node/slot/port[:subport]| vfabric vfabric-id|vfabric vfabric-id domain [domain-id]] Parameters ● node/slot/port[:subport]—Enter the Interface type details. ● vfabric-ID—Enter the vfabric ID. ● domain-id—Enter the vfabric domain ID.
e_d_tov Configures the E_D_TOV FC timer value for every vfabric. Syntax e_d_tov timeout-val Parameters timeout-val—Valid values are from 1000 to 10000. Defaults 2000 ms Command Mode Vfabric CONFIGURATION Usage Information ● The configurations are supported only in the multiswitch mode. ● If you do not receive an expected response within the expected time, then consider the condition as an error condition.
feature fc Enables the multiswitch feature. Syntax feature fc [domain-id domain-id-val | npg | fip-snooping [with-cvl] | multi-switch] Parameters ● with-cvl—To enable CVL. ● domain-id—Enter the domain ID of the E_Port. ● domain-id-val—Valid values are from 1 to 239. Defaults Disabled Command Mode GLOBAL CONFIGURATION Usage Information ● ● ● ● Example Supported Releases Use the multiswitch option to support the multiswitch fabric mode. Delete multiswitch configurations when disabling a feature.
Usage Information
● The configurations are supported only in the multiswitch mode.
● This command specifies the maximum interval. You must first receive a hello message on the selected interface before the neighbor is considered lost and removed from the database.
● The no form of this command resets the command to default value, 80 s.
Example
OS10(config-if-fc-1/1/1)#fspf dead-interval 90
Supported Releases 10.5.1.
fspf retransmit-interval Configures the FSPF retransmit interval value for every interface. Syntax fspf retransmit-interval timeout-val Parameters timeout-val—Valid values are from 1 to 65535. Defaults 5s Command Mode Fibre Channel INTERFACE Usage Information ● The configurations are supported only in multiswitch mode. ● This command specifies the retransmit time interval for unacknowledged link state updates. ● The no version of this command resets to the default value.
● This timer is used to mark the error conditions during domain ID allocation, SW-RSCN, and NS QUERY. Match this value with the other end, during port initialization. This type of configuration is not permitted when vfabric is active. ● If the configured R_A_TOV value is not the same on both the sides of the port, then the port is isolated. Ensure to configure the same R_A_TOV value on both the sides. ● You can change the R_A_TOV value only when vfabric is in inactive state.
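The multiswitch guidance in this chapter (same VLAN and fcmap on every switch, one vfabric per switch, and matching R_A_TOV and E_D_TOV on both sides of a link to avoid port isolation) can be checked offline before an E_Port link is brought up. The Python below is an added example, not Dell code: the two configurations are constructed samples, and the r_a_tov keyword and the appearance of both timers in the saved configuration are assumptions.

```python
"""Consistency check for two OS10 switches joined into a multiswitch FC fabric."""

# Constructed sample configurations, modelled on the vfabric "show configuration"
# output in this guide. Assumption: e_d_tov and r_a_tov appear in the saved
# configuration in the same form as the commands are typed.
SWITCH1_CFG = """\
feature fc multi-switch
!
vfabric 1
 vlan 1001
 fcoe fcmap 0xEFC00
 e_d_tov 2000
 r_a_tov 10000
 zoneset activate zoneset1
"""

SWITCH2_CFG = """\
feature fc multi-switch
!
vfabric 2
 vlan 1001
 fcoe fcmap 0xEFC01
 r_a_tov 12000
 zoneset activate zoneset1
!
vfabric 3
 vlan 1002
 fcoe fcmap 0xEFC02
"""

E_D_TOV_DEFAULT_MS = 2000  # default given in the e_d_tov command reference


def parse_vfabrics(config_text):
    """Return (multiswitch_enabled, {vfabric_id: settings}) from config text."""
    multiswitch, vfabrics, current = False, {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words == ["!"]:
            current = None                      # stanza separator
        elif not raw[0].isspace():              # top-level statement
            current = None
            if words == ["feature", "fc", "multi-switch"]:
                multiswitch = True
            elif len(words) == 2 and words[0] == "vfabric" and words[1].isdigit():
                current = vfabrics.setdefault(int(words[1]), {})
        elif current is not None:               # indented line inside a vfabric
            if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
                current["vlan"] = int(words[1])
            elif len(words) == 3 and words[:2] == ["fcoe", "fcmap"]:
                current["fcmap"] = int(words[2], 16)
            elif (len(words) == 2 and words[0] in ("e_d_tov", "r_a_tov")
                  and words[1].isdigit()):
                current[words[0]] = int(words[1])
    return multiswitch, vfabrics


def compare_fabric(name_a, cfg_a, name_b, cfg_b):
    """Return [(check, detail)] for two switches that share an E_Port link."""
    findings, fabric = [], {}
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        multiswitch, vfabrics = parse_vfabrics(cfg)
        if multiswitch and len(vfabrics) > 1:
            findings.append(("vfabric-count",
                             f"{name}: {len(vfabrics)} vfabrics, "
                             "multiswitch mode supports one"))
        # The vFabric ID is locally significant, so compare settings, not IDs.
        fabric[name] = vfabrics[min(vfabrics)] if vfabrics else {}
    a, b = fabric[name_a], fabric[name_b]

    def differ(check, val_a, val_b, fmt=str):
        """Record a finding when the two sides disagree."""
        if val_a != val_b:
            shown = ["unset" if v is None else fmt(v) for v in (val_a, val_b)]
            findings.append((check, f"{name_a}={shown[0]} {name_b}={shown[1]}"))

    differ("vlan", a.get("vlan"), b.get("vlan"))
    differ("fcmap", a.get("fcmap"), b.get("fcmap"), fmt=hex)
    differ("e_d_tov", a.get("e_d_tov", E_D_TOV_DEFAULT_MS),
           b.get("e_d_tov", E_D_TOV_DEFAULT_MS))
    # No R_A_TOV default is assumed: a side without the line is reported as
    # "unset" so the operator confirms it against the explicit value.
    differ("r_a_tov", a.get("r_a_tov"), b.get("r_a_tov"))
    return findings


if __name__ == "__main__":
    for check, detail in compare_fabric("switch-1", SWITCH1_CFG,
                                        "switch-2", SWITCH2_CFG):
        print(f"{check}: {detail}")
```
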
○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ Example BB Credit Isolation R_A_TOV Mismatch E_D_TOV Mismatch Flow Control Not Supported Class of Services Not Supported Port Mode mismatch Isolation Invalid Switch Name Isolation Not Capable Principal Switch Domain ID Overlap Isolation due to ELP Failure Isolation due to Loop Back Connection Isolation due to EFP Max Retransmission Exceeded Isolation due to BF Max Retransmission Exceeded Isolation due to RCF Max Retransmission Exceeded Isolation due to DIA Max Retransmission
ACC 2 DIA ACC 5 RDI ACC 5 Number of Reject packets transmitted : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Supported Releases 10.5.1.0 or later show fc flow-control-statistics Displays flow-control counters for a specific domain or all domains. Syntax show fc flow-control-statistics [domain domain-id | vfabric vfabric-id] Parameters ● domain-id—Enter the domain ID of the E_Port, from 1 to 239. ● vfabric-id—Enter the vfabric ID.
Usage Information Example Supported Releases Use this command to display the FSPF link state database information of a switch. The database information includes the entire LSR information of the fabric that is constructed based on the LSRs received from other switches.
Usage Information Use this command to display the FSPF route information, and the route to reach every other switch in the fabric.
Example
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
---------------------------------------------------------------
100 0x66(102) 125 fc1/1/2
Supported Releases 10.5.1.0 or later
show fc ns fabric Shows all the Name Server entries in the FC fabric shared among the fabric switches.
Supported Releases 10.5.1.0 or later show fc ns switch statistics Shows the Name Server statistics for an interface. Syntax show fc ns switch statistics [interface type node/slot/port[:subport]| vfabric vfabric-id|vfabric vfabric-id domain [domain-id]] Parameters ● node/slot/port[:subport]—Enter interface information. ● vfabric-id—Enter the vfabric ID. ● domain-id—Enter the vfabric domain ID.
show fc switch Shows the multiswitch mode. Syntax show fc switch Parameters None Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the current configured switch mode.
Example
OS10# show fc switch
Supported Releases 10.5.1.0 or later
show interface fibre channel Shows the fibre channel interface port type, BB_Credit, and other port configurations.
show vfabric Shows the fc timer, E_D_TOV, R_A_TOV, principal switch priority, and domain ID values in the show vfabric command. Syntax show vfabric value Parameters value—Valid values are from 1 to 255. Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the fc timers, E_D_TOV and R_A_TOV, principal switch priority and domain ID values.
Example
OS10#show vfabric fspf
FSPF routing for vfabric 10
SPF hold time is 0 msec
MinLsArrival = 1000 msec , MinLsInterval = 5000 msec
Local Domain is 0x64 (100)
Number of LSRs = 3, Total Checksum = 0x0001288b
Refresh time = 1800 sec
Max age = 3600 sec
Statistic counters :
Number of SPF computations = 3
Number of checksum errors = 0
Number of transmitted packets : LSU 10 LSA 10 Hello 25 Retransmitted LSU 10
Number of received packets: LSU 10 LSA 10 Hello 25 Error packets 5
Supported Releases 10.5.1.
Configure multi-hop FSB
The following example shows a simple multi-hop FSB setup. CNA-2 and CNA-3 shown in this topology are for illustrative purposes only. The following example does not include CNA-2 and CNA-3 configurations. Ensure that the access and core FSB switches are running in FSB mode.
To configure multi-hop FSB:
1. Configure the L2 switch.
a. Disable flow control on the interfaces connected to CNA-4 and FSB1.
L2switch(config-pmap-network-qos)# class c3
L2switch(config-pmap-c-nqos)# pause
L2switch(config-pmap-c-nqos)# pfc-cos 3
L2switch(config)# policy-map type queuing ets_policy
L2switch(config-pmap-queuing)# class q0
L2switch(config-pmap-c-que)# bandwidth percent 30
L2switch(config-pmap-c-que)# class q3
L2switch(config-pmap-c-que)# bandwidth percent 70
f. Create a qos-map.
e. Create class-maps.
FSB1(config)# class-map type network-qos c3
FSB1(config-cmap-nqos)# match qos-group 3
FSB1(config)# class-map type queuing q0
FSB1(config-cmap-queuing)# match queue 0
FSB1(config-cmap-queuing)# exit
FSB1(config)# class-map type queuing q3
FSB1(config-cmap-queuing)# match queue 3
FSB1(config-cmap-queuing)# exit
f. Create policy-maps.
j. Configure FIP snooping port mode on the L2 DCBX switch connected interface and FSB2 connected interface. The default port mode is ENode. Hence, CNA1-connected interface does not require additional configuration.
On the L2 DCBX switch-connected interface:
FSB1(config)# interface ethernet 1/1/5
FSB1(conf-if-eth1/1/5)# fip-snooping port-mode enode-transit
On the FSB-connected interfaces:
FSB1(config)# interface ethernet 1/1/2
FSB1(conf-if-eth1/1/2)# fip-snooping port-mode fcf
3.
h. Apply the QoS configurations on FSB1 and FCF connected interfaces.
FCF(conf-vfabric-2)# fcoe fcmap 0xEFC00
FCF(conf-vfabric-2)# zoneset activate zonesetA
g. Enable DCBX.
FCF(config)# dcbx enable
h. Create class maps and policy maps.
FCOE VLAN List (Operational) : 777 FCFs : 1 Enodes : 2 Sessions : 2 ● To verify the discovered ENodes, use the show fcoe enode command. FSB1# show fcoe enode Enode MAC Enode Interface VLAN FCFs Sessions ----------------------------------------------------------------32:03:cf:45:00:00 Eth 1/1/31 777 1 1 f4:e9:d4:f9:fc:40 Eth 1/1/5 777 1 1 ● To verify the discovered FCFs, use the show fcoe fcf command. FSB1# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Sample Multi-hop FSB configuration
The following is a sample multi-hop FSB topology. In this topology:
● FSB1 and FSB2—access FSBs.
● FSB3 and FSB4—core FSBs.
● VLT is configured between FSB1 and FSB2, and requires port-pinning for VLT port channels configured between access FSBs and core FSBs.
Table 45. High-level configurations on FSB1, FSB3, and FCF1
Columns: FSB1/FSB2, FSB3/FSB4, FCF1/FCF2
FSB1/FSB2: Configure the uplink interface as pinned-port. 12. Configure FIP snooping port mode on the uplink interface.
FSB3/FSB4: the downlink interface as pinned-port. 12. Configure FIP snooping port mode on the uplink interface and the port channel.
FSB1 configuration
1. Enable FIP snooping.
FSB1(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB1(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links.
FSB2 configuration
1. Enable FIP snooping.
FSB2(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB2(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
FSB2(config)#interface vlan1001
FSB2(conf-if-vl-1001)# fip-snooping enable
FSB2(conf-if-vl-1001)# no shutdown
FSB2(config)#interface vlan1002
FSB2(conf-if-vl-1002)# fip-snooping enable
FSB2(conf-if-vl-1002)# no shutdown
4. Create class-maps.
8. Configure VLTi interface member links.
FSB3 configuration
1. Enable FIP snooping.
FSB3(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB3(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
FSB3(config)#interface vlan1001
FSB3(conf-if-vl-1001)# fip-snooping enable
FSB3(conf-if-vl-1001)# no shutdown
FSB3(config)#interface vlan1002
FSB3(conf-if-vl-1002)# fip-snooping enable
FSB3(conf-if-vl-1002)# no shutdown
4. Create class-maps.
8. Configure VLTi interface member links.
12. Configure FIP snooping port mode on the port channel and the interface connected to FCF1.
FSB3(config)# interface port-channel 10
FSB3(conf-if-po-10)# fip-snooping port-mode enode-transit
FSB3(config)# interface ethernet 1/1/45
FSB3(conf-if-eth1/1/45)# fip-snooping port-mode fcf
FSB4 configuration
1. Enable FIP snooping.
FSB4(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB4(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links.
FSB4(config)# interface ethernet1/1/34
FSB4(conf-if-eth1/1/34)# no shutdown
FSB4(conf-if-eth1/1/34)# no switchport
FSB4(conf-if-eth1/1/34)# channel-group 10
FSB4(config)# interface ethernet1/1/37
FSB4(conf-if-eth1/1/37)# no shutdown
FSB4(conf-if-eth1/1/37)# no switchport
FSB4(conf-if-eth1/1/37)# channel-group 10
9. Configure VLT domain.
FSB4(config)# vlt-domain 3
FSB4(conf-vlt-2)# discovery-interface ethernet1/1/40
FSB4(conf-vlt-2)# vlt-mac 1a:2b:3c:2a:1b:1c
10.
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(config)# vfabric 1
FCF1(conf-vfabric-1)# vlan 1001
FCF1(conf-vfabric-1)# fcoe fcmap 0xEFC00
FCF1(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
FCF1(config)# dcbx enable
7. Create class-maps.
11. Apply vfabric on the interfaces connected to FSB3 and the target.
FCF1(config)# interface ethernet 1/1/45
FCF1(conf-if-eth1/1/45)# switchport access vlan 1
FCF1(conf-if-eth1/1/45)# vfabric 1
FCF1(config)# interface fibrechannel 1/1/3
FCF1(conf-if-fc1/1/3)# description target_connected_port
FCF1(conf-if-fc1/1/3)# no shutdown
FCF1(conf-if-fc1/1/3)# vfabric 1
FCF2 configuration
1. Enable Fiber Channel F-Port mode globally.
FCF2(config)# feature fc domain-id 3
2. Create zones.
FCF2(config-pmap-c-que)# class q3 FCF2(config-pmap-c-que)# bandwidth percent 70 9. Create a qos-map. FCF2(config)# qos-map traffic-class tc-q-map1 FCF2(config-qos-map)# queue 3 qos-group 3 FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7 10. Apply QoS configurations on the interface connected to FSB4.
MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
14:18:77:20:80:ce 1 Eth 1/1/42 F FSB4# show fcoe system Mode CVL Status FCOE VLAN List (Operational) FCFs Enodes Sessions : : : : : : 1002 0e:fc:00 8000 FSB Enabled 1001,1002 1 1 1 FCF1 FCF1# show fcoe sessions Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN ----------------------------------------------------------------------------------------------------------------------------------------------f4:e9:d4:f9:fc:42 Eth 1/1/45 14:18:77:20:86:ce ~ 1001 0e:fc:00:
● While you configure or unconfigure the FC-Gateway uplink, the uplink interface flaps. Because UFD is enabled by default for NPG (FCGateway uplink) in SmartFabric mode, UFD brings down the server-facing ports that are deployed with the same FCoE VLAN as the FCGateway uplink.
● Fibre Channel port flaps are observed on the IOM side if the IOM is operationally up and is connected to a storage device without the FCDirectAttach uplink (vfabric) configured on this port.
5. Enable DCBX globally.
   OS10(config)# dcbx enable
6. Create a class map and policy map.
   OS10(config)# class-map type network-qos cmap1
   OS10(config-cmap-nqos)# match qos-group 3
   OS10(config)# policy-map type network-qos pmap1
   OS10(config-pmap-network-qos)# class cmap1
   OS10(config-pmap-c-nqos)# pause
   OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 1.
   OS10(config)# interface ethernet 1/1/50
   OS10(conf-if-eth1/1/50)# no flowcontrol receive
8.
   OS10(config-pmap-c-nqos)# pause
   OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 2.
   OS10(config)# interface ethernet 1/1/1
   OS10(conf-if-eth1/1/1)# no flowcontrol receive
8. Enable PFC mode on the interface that connects to CNA 2.
   OS10(config)# interface ethernet 1/1/1
   OS10(conf-if-eth1/1/1)# priority-flow-control mode on
9. Apply the service policy on the interface that connects to CNA 2.
The logical FCF now handles the FIP functionality in the VLAN configured for the fabric. With this implementation, all control frames originating from the logical FCF use a system-generated MAC address instead of the port's MAC address. This system-generated MAC address is the same for all the fabrics configured in the gateway switch, because the end device identifies every FCF uniquely by its VLAN-MAC address pair and the VLAN used is unique for every fabric.
Switch WWN : 10:00:14:18:77:20:73:cf
OS10#

VLAN creation
OS10(config)# interface vlan 100

vFabric Creation
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 100
OS10(conf-vfabric-100)# name NPG_Fabric
OS10(conf-vfabric-100)# fcoe fcmap 0efc01
OS10(conf-vfabric-100)# exit

Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 100
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit

A
Apply Service policy and Enable PFC mode on the interface that connects to FCoE End points (CNA)
OS10(conf-range-eth1/1/54,1/1/55)# service-policy input type network-qos pmap1
OS10(conf-range-eth1/1/54,1/1/55)# priority-flow-control mode on

Apply vFabric configuration on the interface that connects to FCoE End points (CNA)
OS10(conf-range-eth1/1/54,1/1/55)# vfabric 100
OS10(conf-range-eth1/1/54,1/1/55)# no shut
OS10(conf-range-eth1/1/54,1/1/55)# exit

Apply fcoe delay FCF advertisement configuration globally (
Use case 2 - NPG fabric is connected to multiple upstream switches belonging to the same SAN fabric

In this topology, the NPG device is connected to multiple FCF switches, and all of those FCF switches are part of the same SAN fabric. The configuration on the NPG device remains the same as in Use case 1. The configuration on the upstream devices also remains the same, and it must be applied on both switches in the SAN fabric.
Usage Information The no version of this command deletes the FC zone. To delete an FC zone, first remove it from the FC zoneset.
Example
   OS10(config)# fc zone hba1
   OS10(config-fc-zone-hba1)# member wwn 10:00:00:90:fa:b8:22:19
   OS10(config-fc-zone-hba1)# member wwn 21:00:00:24:ff:7b:f5:c8
Supported Releases 10.3.1E or later

fc zoneset
Creates an FC zoneset and adds the existing FC zones to the zoneset.
Syntax fc zoneset zoneset-name
Parameters zoneset-name — Enter a name for the FC zoneset.
Defaults Not configured
Command Mode Alias CONFIGURATION
Usage Information The no version of this command removes the member from the FC alias.
Example
   OS10(config)# fc alias test
   OS10(config-fc-alias-test)# member wwn 21:00:00:24:ff:7b:f5:c9
   OS10(config-fc-alias-test)# member wwn 20:25:78:2b:cb:6f:65:57
Supported Releases 10.3.1E or later

member (zone)
Adds members to existing zones. Identify a member by an FC alias, a world wide name (WWN), or an FC ID.
show fc alias
Displays the details of an FC alias and its members.
Syntax show fc alias [alias-name]
Parameters alias-name — (Optional) Enter the FC alias name.
Default Not configured
Command Mode EXEC
Usage Information
Example
   OS10# show fc alias
   Alias Name    Alias Member
   ==============================================
   test          21:00:00:24:ff:7b:f5:c9
                 20:25:78:2b:cb:6f:65:57
   OS10#
Supported Releases 10.3.1E or later

show fc interface-area-id mapping
Displays the FC ID to interface mapping details.
Example
   OS10# show fc ns switch
   Total number of devices = 1
   Switch Name 10:00:14:18:77:13:38:28
   Domain Id 4
   Switch Port port-channel10(Eth 1/1/9)
   FC-Id 04:00:00
   Port Name 50:00:d3:10:00:ec:f9:05
   Node Name 50:00:d3:10:00:ec:f9:00
   Class of Service 8
   Symbolic Port Name Compellent Port QLGC FC 8Gbps; Slot=06 Port=01 in Controller: SN 60665 of Storage Center: DEVTEST 60665
   Symbolic Node Name Compellent Storage Center: DEVTEST 60665
   Port Type N_PORT
   Registered with NameServer Yes
   Registered for SCN No
Example (
Supported Releases 10.3.1E or later show fc zoneset Displays the FC zonesets, the zones in the zoneset, and the zone members. Syntax show fc zoneset [active | zoneset-name] Parameters zoneset-name — Enter the FC zoneset name.
================================================================== set hba1 21:00:00:24:ff:7b:f5:c8 10:00:00:90:fa:b8:22:19 21:00:00:24:ff:7f:ce:ee 21:00:00:24:ff:7f:ce:ef hba2 Supported Releases 20:01:00:0e:1e:e8:e4:99 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1f 20:35:78:2b:cb:6f:65:57 10.3.1E or later zone default-zone permit Enables access between all logged-in FC nodes of the vfabric in the absence of an active zoneset configuration.
fc port-mode F Configures port mode on Fibre Channel interfaces. Syntax fc port-mode F Parameters None Defaults N_Port Command Mode Fibre Channel INTERFACE Usage Information Configure the port mode when the port is in Shut mode and when NPG mode is enabled. The no version of this command returns the port mode to default. Example Supported Releases OS10(config)# interface fibrechannel 1/1/1 OS10(conf-if-fc1/1/1)# fc port-mode F 10.4.1.0 or later feature fc npg Enables the NPG mode globally.
ENode WWNN :20:00:d4:ae:52:1a:ee:54 FCoE MAC :0e:fc:00:01:04:02 FC-ID :01:04:02 Login Method :FLOGI Time since discovered(in Secs) :6253 Status :LOGGED_IN Example (brief) Supported Releases Total NPG Devices = 1 ENode-Interface ENode-WWPN FCoE-Vlan Fabric-Intf Vfabric-Id Log ---------------------------------------------------------------------------------Po 10(Eth 1/1/9) 20:01:d4:ae:52:1a:ee:54 1001 Fc 1/1/25 10 FLO LOGGED_IN 10.4.
Fc 1/1/1 Fc 1/1/2 01:00:01 01:00:02 8 8 8 16 3 1 3 9 6 10 6 15 OS10#show npg uplink-interfaces VFabric Id : 100 Uplink Speed Intf FC Id BB Credit (Gbps) FLOGI FDISC Total Redistributed ----------------------------------------------------------------------------Fc 1/1/1 01:00:01 8 8 3 3 6 6 Fc 1/1/2 01:00:02 8 16 1 9 10 15 VFabric Id : 200 Uplink Speed Intf FC Id BB Credit (Gbps) FLOGI FDISC Total Redistributed -------------------------------------------------------------------------------Fc 1/1/11 0
F_Port and NPG commands The following commands are supported on both F_Port and NPG modes: clear fc statistics Clears FC statistics for specified vfabric or fibre channel interface. Syntax clear fc statistics [vfabric vfabric-ID | interface fibrechannel] Parameters ● vfabric-ID — Enter the vfabric ID. ● fibrechannel — Enter the fibre channel interface name.
fcoe delay fcf-adv Delay the Multicast Discovery Advertisement from FCFs to be sent to Enodes. Syntax fcoe delay fcf-adv timeout Parameters timeout - Timeout range specified in seconds. Range is 1 to 30 seconds. Default Not configured Command Mode Global config Usage Information Time to wait after the first FCF in the vFabric connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
Table 46. Fields and Descriptions
Fields        Description
Uplink Intf   The name of the FC uplink interface
FLOGI         Number of Fabric Login Sessions in the FC uplink interface
FDISC         Number of Fabric Discovery Sessions in the FC uplink interface
Load          Total number of sessions (FLOGI and FDISC) in the FC uplink interface
Speed         Link speed of the FC uplink interface
Excess Load   Excess load is the absolute (Current load on the link - ((Minimum load per 8G speed in c state) * port-speed/8G)).
Example
21:01:d4:ae:52:1a:ee:54 22:01:d4:ae:52:1a:ee:54 23:01:d4:ae:52:1a:ee:54 Fc 1/1/2 Fc 1/1/2 Fc 1/1/2 Fc 1/1/1 Fc 1/1/1 Fc 1/1/1 2 2 2 OS10#re-balance npg sessions vfabric 100 Fabric Id 100 State before Re-balancing Uplink FLOGI FDISC Load Speed Excess Intf (Gbps) Load ----------------------------------------------------------------Fc 1/1/1 1 9 10 8 7 Fc 1/1/2 3 3 6 16 0 ----------------------------------------------------------------4 12 16 24 7 ------------------------------------------------------------
1. FC Port Down
2. No Response For FLOGI
3. Duplicate FC ID
4. FLOGI Rejected
Duplicate FC IDs—Number of duplicate address (FC ID) assignments that happened on the interface.
FC ID—FC-ID allocated to the initial FLOGI request from the NPG switch on the interface.
BB Credit—Transmit Buffer to Buffer Credit.
Speed—Link speed of the FC uplink interface.
FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
FDISC—Number of Fabric Discovery Sessions in the FC uplink interface.
Uplink Duplicate Intf Upstream Fabric-Name Error Reason FC-Id(s) ----------------------------------------------------------------Fc 1/1/13 20:01:d4:ae:52:1a:ee:53 NONE 1 Fc 1/1/14 20:01:d4:ae:52:7d:aa:54 NONE 0 OS10#show npg uplink-interfaces vfabric 200 fcf-info VFabric Id : 200 FAD Timeout Left : 10 second(s) FCF Availability Status : No Uplink Duplicate Intf Upstream Fabric-Name Error Reason FC-Id(s) ----------------------------------------------------------------Fc 1/1/11 10:01:d4:ae:52:1a:ee:50 FLOGI_R
Fc 1/1/9 Fc 1/1/10 Eth 1/1/54 Eth 1/1/55 1 1 1 1 1 1 1 9 2 2 2 10 VFabric Id : 200 Node Intf FLOGI FDISC Re-distributed --------------------------------------------------Fc 1/1/7 1 1 2 VFabric Id : 300 Node Intf FLOGI FDISC Re-distributed --------------------------------------------------Eth 1/1/51 1 9 10 Supported Releases 10.5.2.0 or later show fc statistics Displays the FC statistics.
Parameters None Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show fc switch Switch Mode : FPORT Switch WWN : 10:00:14:18:77:20:8d:cf 10.3.1E or later show running-config vfabric Displays the running configuration for the vfabric.
Switch Config Parameters ========================================== Domain ID 4 ========================================== Switch Zoning Parameters ========================================== Default Zone Mode: Deny Active ZoneSet: zoneset5 ========================================= Members fibrechannel1/1/25 port-channel10(Eth 1/1/9) Supported Releases 10.3.1E or later vfabric Configures a vfabric. Syntax vfabric fabric-ID Parameters fabric-ID — Enter the fabric ID, from 1 to 255.
vlan Associates an existing VLAN ID to the vfabric to carry traffic. Syntax vlan vlan-ID Parameters vlan-ID — Enter an existing VLAN ID. Defaults Not configured Command Mode Vfabric CONFIGURATION Usage Information Create the VLAN ID before associating it to the vfabric. Do not use spanned VLAN as vfabric VLAN. The no version of this command removes the VLAN ID from the vfabric.
fip-snooping enable Enables FIP snooping on a specified VLAN. Syntax fip-snooping enable Parameters None Defaults Disabled Command Mode VLAN INTERFACE Usage Information Enable FIP snooping on a VLAN only after enabling the FIP snooping feature globally using the feature fip-snooping command. OS10 supports FIP snooping on a maximum of 12 VLANs. The no version of this command disables FIP snooping on the VLAN.
You cannot disable FIP snooping when the port mode is set to a non-default value (enode-transit, fcf, or fcf-transit). To change the port mode from one value to another, use the fip-snooping port-mode command directly. You do not have to use the no form of the command first. The no version of this command resets the port mode to ENode.
Example
   OS10(config)# interface ethernet 1/1/32
   OS10(conf-if-eth1/1/32)# fip-snooping port-mode fcf
Supported Releases 10.4.0E(R1) or later10.4.3.
Supported Releases 10.4.0E(R1) or later fcoe delay fcf-adv Delay the Multicast Discovery Advertisement from FCFs to be sent to Enodes. Syntax fcoe delay fcf-adv timeout Parameters timeout - Timeout range specified in seconds. Range is 1 to 30 seconds. Default Not configured Command Mode Global config Usage Information Time to wait after the first FCF in the vFabric connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
Example Supported Releases OS10(config)# fcoe max-sessions-per-enodemac 64 10.4.0E(R1) or later fcoe priority-bits Configures the priority bits for FCoE application TLVs. Syntax fcoe priority-bits priority-value Parameter priority-value — Enter PFC priority value advertised in FCoE application TLV. You can enter one of the following values: 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, or 0x80.
Command Mode EXEC Usage Information Triggers the load-balancing mechanism to redistribute the sessions across the FC uplinks. The dry-run option displays the current state of the system, sessions that would be cleared, and the system state after the load balancing is done without actually doing it. You can use the brief option (both in dry run and actual run) to view only the session redistribution information.
16 Session Re-distribution(s) ----------------------------------------------------------------------Node WWPN From Uplink Intf To Uplink Intf No.
show fcoe fcf Displays details of the FCFs connected to the switch. Syntax show fcoe fcf [fcf-mac-address] Parameters fcf-mac-address — (Optional) Enter the MAC address of the FCF. This option displays details of the specified FCF. Default Not configured Command Mode EXEC Usage Information In NPG mode, displays all the logical FCF(s) associated with various fabrics available in the gateway switch.
Po 10 Eth 1/1/1 Up Po 20 Eth 1/1/3 Up Po 30 Eth 1/1/7 Down Supported Releases 10.4.2.0 or later show fcoe sessions Displays the details of the established FCoE sessions. Syntax show fcoe sessions [interface vlan vlan-id] Parameters vlan-id — (Optional) Enter the VLAN ID. This option displays the sessions established on the specified VLAN.
Number of Unicast Discovery Advertisement :2
Number of FLOGI Accepts :2
Number of FLOGI Rejects :0
Number of FDISC Accepts :16
Number of FDISC Rejects :0
Number of FLOGO Accepts :0
Number of FLOGO Rejects :0
Number of CVL :0
Number of FCF Discovery Timeouts :0
Number of VN Port Session Timeouts :0
Number of Session failures due to Hardware Config :0
Supported Releases 10.4.0E(R1) or later

show fcoe system
Displays system information related to the FCoE.
show npg node-interface Display details in a Node-facing interface. Syntax show npg node-interfaces [vfabric vfabric-id] Parameters None Default Not configured Command Mode EXEC Usage Information Displays the statistics of node facing interfaces in all available or specified vFabrics. This command is supported in NPG mode. The following table lists the fields and descriptions displayed in the output: Table 48.
show npg uplink-interface Display information in a FC upstream interface. Syntax show npg uplink-interfaces [vfabric vfabric-id [fcf-info] | [fcf-info]] Parameters ● fcf-info - FCF Availability Status, fabric name of the FC upstream switch connected, error reason, FCF advertisement delay timeout left and duplicate FC id assignment counter.
Fc 1/1/11 Fc 1/1/12 01:00:0B 01:00:0C 8 8 8 16 3 1 3 0 6 1 10 1 VFabric Id : 300 Uplink Speed Intf FC Id BB Credit (Gbps) FLOGI FDISC Total Redistributed --------------------------------------------------------------------------------Fc 1/1/13 01:00:03 8 8 3 3 6 0 Fc 1/1/14 01:00:04 8 16 1 6 7 5 OS10#show npg uplink-interfaces fcf-info VFabric Id : 200 FAD Timeout Left : 10 second(s) FCF Availability Status : No Uplink Duplicate Intf Upstream Fabric-Name Error Reason FC-Id(s) -----------------------
● port—Enables debug messages that relate to the interface. ● tx—Enables debug messages that are involved during packet transmission (Tx). ● pse—Enables debug messages that are generated during the Principal Switch Election (PSE) phase of the Multi-switch mode. ● ns—Enables debug messages that are generated during the name server registration and management process. ● fspf—Enables debug messages that are generated during the Fabric Shortest Path First (FSPF) process of Multi-switch mode.
Usage Information Examples Displays the list of debug types that are enabled globally and at the specific interface level. OS10# show debug fc FC global debug settings: debug fc acl debug fc pse debug fc rx-disc FC interface specific debug settings: debug fc rx-sw-rscn interface fibrechannel1/1/1 Supported Releases 10.5.2.
13 Layer 2 802.1X Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands. Link Aggregation Control Protocol (LACP) Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
The authentication process contains three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated with the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
EAP over RADIUS

802.1X uses RADIUS to transfer EAP packets between the authenticator and the authentication server. EAP messages are encapsulated in RADIUS packets as an attribute in type, length, value (TLV) format; the type value for EAP messages is 79.

Configure 802.1X

You can configure and enable 802.1X on a port in a single process. OS10 supports 802.1X with EAP-MD5, EAP-TLS, and EAP-TTLS. All platforms support RADIUS as the authentication server.
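The EAP over RADIUS encapsulation described above, as an added example that is not OS10 code: an EAP packet longer than one attribute is split across consecutive type 79 attributes, and the receiver checks the Message-Authenticator attribute (type 80, HMAC-MD5 per RFC 3579) before reassembling it. The shared secret, identifiers and the 600-byte EAP-TLS response are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79             # attribute type given on this page
MESSAGE_AUTHENTICATOR = 80   # RFC 3579: required whenever EAP-Message is present
MAX_VALUE = 253              # the one-byte length also counts the 2-byte header


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= MAX_VALUE:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(blob):
    """Return [(type, value, value_offset)], rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, blob[i + 2:i + length], i + 2))
        i += length
    return attrs


def build_access_request(secret, ident, request_auth, eap_packet):
    """Wrap an EAP packet the way an authenticator relays it to the server."""
    attrs = b"".join(
        encode_attr(EAP_MESSAGE, eap_packet[i:i + MAX_VALUE])
        for i in range(0, len(eap_packet), MAX_VALUE)
    )
    mac_at = 20 + len(attrs) + 2      # where the 16-byte HMAC value will sit
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(
        struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
        + request_auth + attrs
    )
    # HMAC-MD5 over the whole packet with the Message-Authenticator zeroed.
    packet[mac_at:mac_at + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def extract_eap(secret, packet):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attrs(packet[20:])
    macs = [(v, off + 20) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        raise ValueError("EAP-Message without a valid Message-Authenticator")
    received, mac_at = macs[0]
    zeroed = bytearray(packet)
    zeroed[mac_at:mac_at + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("Message-Authenticator mismatch")
    # Concatenate the type 79 fragments in order and check the EAP length field.
    eap = b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    return eap


# Constructed sample: a 600-byte EAP-Response (code 2) of type 13 (EAP-TLS).
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 600, 13) + bytes(595)
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_PACKET = build_access_request(SAMPLE_SECRET, 1, bytes(range(16)), SAMPLE_EAP)

if __name__ == "__main__":
    print([t for t, _, _ in parse_attrs(SAMPLE_PACKET[20:])])
    print(extract_eap(SAMPLE_SECRET, SAMPLE_PACKET) == SAMPLE_EAP)
```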
Enable 802.1X

1. Enable 802.1X globally in CONFIGURATION mode.
   dot1x system-auth-control
2. Enter an interface or a range of interfaces in CONFIGURATION mode.
   interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
   dot1x port-control auto

Configure and verify 802.
Identity retransmissions

If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond: the supplicant may be booting when the request arrived, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant. 1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
  dot1x port-control {auto | force-authorized | force-unauthorized}

Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period: 120 seconds
Quiet Period: 120 seconds
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 5
Host Mode: MULTI_HOST
Auth PAE State: Initialize
Backend State: Initialize

View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
View interface running configuration OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
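Because force-authorized is the default port-control state, a port only enforces 802.1X when both the global command and dot1x port-control auto are present. The following added example, which is not part of OS10, audits a saved running configuration for ports that are up but not gated; the sample configuration is constructed and assumes interface stanzas are delimited by "!" lines, and the exempt parameter is a hypothetical way to skip uplinks.

```python
import re

DEFAULT_PORT_CONTROL = "force-authorized"   # default stated on this page

# Constructed sample in the stanza layout of `show running-configuration`.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface ethernet1/1/7
 no shutdown
 dot1x port-control auto
!
interface ethernet1/1/8
 no shutdown
!
interface ethernet1/1/9
 shutdown
!
interface ethernet1/1/10
 no shutdown
 dot1x port-control force-authorized
!
interface ethernet1/1/11
 no shutdown
 dot1x port-control force-unauthorized
!
"""


def parse_config(text):
    """Split a running configuration into global lines and interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                 # "!" closes the current stanza
            continue
        match = re.fullmatch(r"interface\s+(.+)", line)
        if match:
            current = match.group(1).replace(" ", "")
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_dot1x(text, exempt=()):
    """Return (scope, finding) pairs for ports that 802.1X does not gate."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "dot1x system-auth-control" not in global_lines:
        findings.append(("global", "802.1X is not enabled globally"))
    for name, lines in interfaces.items():
        if not name.startswith("ethernet") or name in exempt:
            continue
        if "shutdown" in lines:
            continue                       # administratively down, nothing to gate
        mode, explicit = DEFAULT_PORT_CONTROL, False
        for line in lines:
            match = re.fullmatch(r"dot1x port-control (\S+)", line)
            if match:
                mode, explicit = match.group(1), True
        if mode == "force-authorized":
            origin = "configured" if explicit else "default"
            findings.append(
                (name, f"port-control force-authorized ({origin}): "
                       "port is authorized without authentication")
            )
    return findings


if __name__ == "__main__":
    for scope, finding in audit_dot1x(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```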
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
   OS10(conf-range-eth1/1/7-1/1/8)# dot1x host-mode multi-host
Supported Releases 10.2.0E or later

dot1x max-req
Changes the maximum number of requests that the device sends to a supplicant before restarting 802.1X authentication.
Syntax dot1x max-req retry-count
Parameters max-req retry-count — Enter the retry count for the request sent to the supplicant before restarting 802.
Default Disabled
Command Mode INTERFACE
Usage Information The no version of this command disables the periodic reauthentication of 802.1X supplicants.
Example
   OS10(conf-range-eth1/1/7-1/1/8)# dot1x re-authentication
Supported Releases 10.2.0E or later

dot1x timeout quiet-period
Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
Default 30 seconds Command Mode INTERFACE Usage Information The no version of this command resets the value to the default. Example Supported Releases OS10(conf-range-eth1/1/7-1/1/8)# dot1x server-timeout 60 10.2.0E or later dot1x timeout supp-timeout Sets the number of seconds that the device waits for the supplicant to respond to an EAP request frame before the device retransmits the frame.
Default Not configured
Command Mode EXEC
Usage Information None
Example
   OS10# show dot1x
   PAE Capability: Authenticator only
   Protocol Version: 2
   System Auth Control: Enable
   Auth Server: Radius
Supported Releases 10.2.0E or later

show dot1x interface
Displays 802.1X configuration information.
Syntax show dot1x interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
RADIUS server commands

radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter an authentication key in plain text.
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. RADIUS over TLS authentication requires that X.
radius-server timeout Configures the timeout used to resend RADIUS authentication requests. Syntax radius-server timeout seconds Parameters seconds — Enter the time in seconds for retransmission, from 1 to 100. Default An OS10 switch stops sending RADIUS authentication requests after five seconds. Command Mode CONFIGURATION Usage Information Use this command to globally configure the timeout value used on RADIUS servers. The no version of this command resets the value to the default.
FEFD helps detect far-end failure when the following problems occur:
● Only one side receives packets although the physical layer (L1) of the link is up on both sides.
● Transceivers are not connected to the correct ports.

FEFD states

FEFD comprises the following four states:
● Idle—FEFD is disabled.
● Unknown—Shown when FEFD is enabled and changes to bi-directional after successful handshake with the peer. Also shown if the peer goes down in normal mode.
Table 49. FEFD state changes Local event (User intervention ) Configured FEFD mode Local state Local admin (Show display) State (Result) (Result) Local line protocol Remote state Status (Show display) (Result) Remote admin state Remote line protocol status (Result) Shutdown(us Normal er configuration) Admin Shutdown Down Down Line protocol is down. Up Down Shutdown(us Aggressive er configuration) Admin Shutdown Down Down Line protocol is down.
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode. OS10(Config)# fefd-global mode aggressive 2. (Optional) Configure the FEFD interval using the fefd-global interval command in CONFIGURATION mode and enter the interval in seconds. The range is from 3 to 255 seconds. OS10(Config)# fefd-global interval 20 3. (Optional) Disable FEFD on a specific interface if required using the fefd disable command in INTERFACE mode.
eth1/1/4 eth1/1/5 eth1/1/6 eth1/1/7 NA NA NA NA NA NA NA NA Idle Idle Idle Idle (Not (Not (Not (Not running) running) running) running) The following is a sample output of FEFD information for an interface: rt-maa-s4248FBL-3# show fefd ethernet 1/1/1 FEFD is globally 'ON', interval is 15 seconds, mode is Normal. INTERFACE MODE INTERVAL STATE ============================================================ eth1/1/1 NA NA Idle (Not running) FEFD Commands debug fefd Enables debugging of FEFD.
To unconfigure FEFD on an interface, use either the no fefd command or the no fefd mode command. To return to the default FEFD interval, use the no fefd interval command. Example OS10(conf-if-eth1/1/9)# fefd OS10(conf-if-eth1/1/9)# fefd mode aggressive OS10(conf-if-eth1/1/9)# fefd mode interval 10 Supported Releases 10.4.3.0 or later fefd-global Configures FEFD globally.
Usage Information Example If you do not enter the interface name, this command resets the error-disabled state of all interfaces because FEFD is set to Aggressive mode. OS10# fefd reset OS10# fefd reset ethernet 1/1/2 Supported Releases 10.4.3.0 or later show fefd Displays FEFD information globally or for a specific interface. Syntax show fefd [interface] Parameters ● (Optional) interface—Enter the interface information.
Link Aggregation Control Protocol Group Ethernet interfaces to form a single link layer interface called a LAG or port channel. Aggregating multiple links between physical interfaces creates a single logical LAG, which balances traffic across the member links within an aggregated Ethernet bundle and increases the uplink bandwidth. If one member link fails, the LAG continues to carry traffic over the remaining links. For information about LAG load balancing and hashing, see Load balancing.
Configure LACP
OS10(config)# lacp system-priority 65535
OS10(config)# interface range ethernet 1/1/7-1/1/8
OS10(conf-range-eth1/1/7-1/1/8)# lacp port-priority 4096
OS10(conf-range-eth1/1/7-1/1/8)# lacp rate fast

Verify LACP configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration
...
!
interface ethernet1/1/7
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
interface ethernet1/1/8
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
...
Configure LACP timeout OS10(conf-if-eth1/1/29)# lacp rate fast View port status OS10# show lacp port-channel Port-channel 41 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address e4:f0:04:fe:9f:e1 Partner System ID: Priority 4096, Address de:11:de:11:de:11 Actor Admin Key 41, Oper Key 41, Partner Oper Key 41 Fallback: Not configured, Fallback port preemption: Configured, Fallback timeout: 15 seconds Fallback Port Elected: LACP LAG ID 41 is an aggregatable link A - Active LACP, B - Passive LA
OS10(conf-if-eth1/1/29)# no switchport
OS10(conf-if-eth1/1/29)# channel-group 1 mode active
OS10(conf-if-eth1/1/29)# interface ethernet 1/1/30
OS10(conf-if-eth1/1/30)# no switchport
OS10(conf-if-eth1/1/30)# channel-group 1 mode active
OS10(conf-if-eth1/1/30)# interface ethernet 1/1/31
OS10(conf-if-eth1/1/31)# no switchport
OS10(conf-if-eth1/1/31)# channel-group 1 mode active

Alpha verify LAG port configuration
OS10# show lacp port-channel
Port-channel 41 admin up, oper up, mode lacp
Actor System ID: Prior
227562 64-byte pkts, 9344941 over 64-byte pkts, 1772495308 over 127-byte pkts 3544631784 over 255-byte pkts, 7088975548 over 511-byte pkts, 5.
42975359 64-byte pkts, 148695530 over 64-byte pkts, 36673423689 over 127-byte pkts 73342977260 over 255-byte pkts, 146685062757 over 511-byte pkts, 1.
You can set the timer using the lacp fallback timeout timer-value command. The LACP fallback feature adds a member port to LACP port channel if it does not receive LACP PDUs from the peer for a particular period. The server uses the fallback port to finalize the PXE-boot process. When the server starts with the operating system, the process completes the LACP handshake and the fallback port reunites the other members. The member port becomes active and sends packets to the PXE server.
LACP fallback in non-VLT network

In a non-VLT network, LACP fallback enables rebooting of a ToR or server that is connected to the switch through normal LACP. The other end of the switch is connected to a DHCP/PXE server, as shown in the following figure:

In the above scenario, LACP fallback works as follows:
1. The ToR/server boots.
2. The switch detects the link that is up and checks fallback enabled status. If fallback is enabled, the device waits for the timeout period for any LACP BPDUs.
In the above scenario, LACP fallback works as follows: 1. The ToR/server boots 2. One of the VLT peers takes care of controlling the LACP fallback mode. All events are sent to the controlling VLT peer for deciding the port that should be brought up and then the decision is passed on to peer device. 3. The controlling VLT peer can decide to bring up one of the ports in either the local port channel or in the peer VLT port channel. 4.
Usage Information Example Supported Releases When you delete the last physical interface from a port channel, the port channel remains. Configure these attributes on an individual member port. If you configure a member port with an incompatible attribute, OS10 suspends that port in the port channel. The member ports in a port channel must have the same setting for link speed capability and duplex capability. The no version of this command removes the interface from the port channel.
lacp fallback preemption Enables or disables LACP fallback port preemption. Syntax lacp fallback preemption {enable | disable} Parameters ● enable—Enables preemption on the port channel. ● disable—Disables preemption on the port channel. Default Enabled Command Mode Port-channel INTERFACE Usage Information When you enable preemption, the fallback port election preempts the already elected fallback port and elects a new fallback port.
Parameters max-bundle-number — Enter the maximum bundle size (1 to 32).
Default 32
Command Mode INTERFACE
Usage Information The no version of this command resets the maximum bundle size to the default value.
Example
   OS10(conf-if-po-10)# lacp max-bundle 10
Supported Releases 10.2.0E or later

lacp port-priority
Sets the priority for the physical interfaces for LACP.
Syntax lacp port-priority priority
Parameters priority — Enter the priority for the physical interfaces (0 to 65535).
Default 32768
Command Mode CONFIGURATION
Usage Information Each device that runs LACP has an LACP system priority value. LACP uses the system priority with the MAC address to form the system ID and also during negotiation with other systems. The system ID is unique for each device. The no version of this command resets the system priority to the default value.
Example OS10(config)# lacp system-priority 32768
Supported Releases 10.2.
Example OS10# show lacp interface ethernet 1/1/129 Invalid Port id, Max.
Partner Oper Key: 1 Partner Oper State:aggregation synchronization collecting distributing defaulted expired Supported Releases 10.2.0E or later show lacp port channel Displays information about LACP port channels. Syntax show lacp port-channel [interface port-channel channel-number] Parameters ● interface port channel — (Optional) Enter the interface port-channel. ● channel-number — (Optional) Enter the port channel number for the LACP neighbor (1 to 128).
Supported Releases 10.2.0E or later
Link Layer Discovery Protocol
Dell EMC SmartFabric OS10 supports:
● Link Layer Discovery Protocol (LLDP)
● Link Layer Discovery Protocol — Media Endpoint Discovery (LLDP-MED)
LLDP is a one-way protocol that enables network devices on a local area network (LAN) to advertise their capabilities to adjacent LAN devices and to discover the capabilities of those devices. LLDP devices advertise their capabilities in the form of LLDP data units (LLDPDUs).
Mandatory TLVs
OS10 supports the three mandatory TLVs. These mandatory TLVs are at the beginning of the LLDPDU in the following order:
● Chassis ID TLV
● Port ID TLV
● Time-to-live TLV
Table 50. Mandatory TLVs
Mandatory TLVs   Type   Description
Chassis ID       1      Identifies the chassis.
Port ID          2      Identifies a port through which the LAN device transmits LLDPDUs.
Time-to-live     3      Number of seconds that the received information in this LLDPDU is valid.
End of LLDPDU    0      Marks the end of an LLDPDU.
Table 51. Basic TLVs (continued)
TLV                  Type   Description
Management address   8      Network address of the management interface.
Organizationally specific TLVs
Table 52. 802.1x organizationally specific TLVs (Type – 127, OUI – 00-80-C2)
TLV                Subtype   Description
Link aggregation   7         ● Indicates whether the link associated with the port on which the LLDPDU is transmitted is aggregated. ● Provides the aggregated port identifier.
Port VLAN ID       1         Untagged VLAN to which a port belongs.
Custom TLVs
iDRAC organizationally specific TLVs
Table 56. iDRAC organizationally specific TLVs; Subtypes used in iDRAC custom TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV          Subtype   Description
Originator   1         Indicates the iDRAC string that is used as the originator. This string enables external switches to identify iDRAC LLDPDUs.
Port type    2         Following are the applicable port types: 1. iDRAC port (dedicated) 2. NIC port 3.
Table 57. Isilon-related TLVs (Type – 127, OUI – 0xF8-0xB1-0x56) (continued)
TLV          Subtype   Description
                       address for the specific fabric instance. The RA prefix is different for each fabric.
Fabric ID    3         Indicates the ID of the fabric the LLDPDU is originating from.
Isilon-related TLVs – Subtypes used in LLDP custom TLVs that are transacted by the OS10 switches
Originator   1         Indicates the OS10 string that is used as the originator. The string enables the OS10 switches to identify LLDPDUs.
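The TLV layout in the tables above can be checked against a captured frame. The following Python is an added example, not Dell code: it splits an LLDPDU into TLVs using the IEEE 802.1AB header (7-bit type, 9-bit length), verifies the mandatory TLV order, and lists the optional TLVs that identify the device to its neighbors. The sample frame, the IDENTIFYING audit list, and all function names are constructed for this example.

```python
import ipaddress
import struct

# Types 0-3, 8 and 127 appear in the tables of this guide; 4-7 are the
# remaining basic TLVs defined by IEEE 802.1AB.
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time-to-live",
             4: "Port description", 5: "System name", 6: "System description",
             7: "System capabilities", 8: "Management address",
             127: "Organizationally specific"}
# OUIs named in the organizationally specific TLV tables.
OUI_NAMES = {"00-80-C2": "802.1", "F8-B1-56": "iDRAC/Isilon custom"}
# Optional TLVs that describe the device itself. This audit list is an
# assumption of the example, not a Dell classification.
IDENTIFYING = {5, 6, 8}


def make_tlv(tlv_type, value):
    """Build one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, stopping at End of LLDPDU."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"truncated TLV header at offset {off}")
        (header,) = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, "
                             f"only {len(value)} present")
        tlvs.append((tlv_type, value))
        off += 2 + length
        if tlv_type == 0:
            break
    return tlvs


def check_mandatory(tlvs):
    """Return problems with the mandatory TLV layout (empty list if none)."""
    problems = []
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        problems.append("first three TLVs are not Chassis ID, Port ID, Time-to-live")
    if not tlvs or tlvs[-1][0] != 0:
        problems.append("missing End of LLDPDU")
    return problems


def describe(tlv_type, value):
    """Render one TLV as text, decoding the fields this example understands."""
    name = TLV_NAMES.get(tlv_type, f"type {tlv_type}")
    if tlv_type == 3 and len(value) == 2:
        return f"{name}: {struct.unpack('!H', value)[0]} s"
    if tlv_type in (4, 5, 6):
        return f"{name}: {value.decode('utf-8', 'replace')}"
    if tlv_type == 8 and len(value) >= 2:
        addr = value[2:1 + value[0]]          # string length includes the subtype byte
        if value[1] == 1 and len(addr) == 4:  # address subtype 1 = IPv4
            return f"{name}: {ipaddress.IPv4Address(addr)}"
    if tlv_type == 127 and len(value) >= 4:
        oui = "-".join(f"{b:02X}" for b in value[:3])
        text = f"{name}: OUI {oui} ({OUI_NAMES.get(oui, 'unknown')}), subtype {value[3]}"
        if oui == "00-80-C2" and value[3] == 1 and len(value) == 6:
            text += f", port VLAN ID {struct.unpack('!H', value[4:])[0]}"
        return text
    return name


def audit(data):
    """Return (layout problems, descriptions of identifying TLVs advertised)."""
    tlvs = parse_lldpdu(data)
    return check_mandatory(tlvs), [describe(t, v) for t, v in tlvs if t in IDENTIFYING]


# Constructed LLDPDU. The MAC and port name reuse values from this guide's
# show lldp example; the management address is a documentation address.
SAMPLE = b"".join([
    make_tlv(1, b"\x04" + bytes.fromhex("3417ebf205c4")),  # subtype 4 = MAC address
    make_tlv(2, b"\x05" + b"ethernet1/1/1"),               # subtype 5 = interface name
    make_tlv(3, struct.pack("!H", 120)),
    make_tlv(5, b"OS10"),
    make_tlv(8, b"\x05\x01" + ipaddress.IPv4Address("192.0.2.10").packed
             + b"\x02" + struct.pack("!I", 1) + b"\x00"),
    make_tlv(127, bytes.fromhex("0080c201") + struct.pack("!H", 50)),
    make_tlv(127, bytes.fromhex("f8b15601") + b"constructed"),
    make_tlv(0, b""),
])

if __name__ == "__main__":
    for tlv_type, value in parse_lldpdu(SAMPLE):
        print(describe(tlv_type, value))
    print(audit(SAMPLE))
```

Disabling a TLV with no lldp tlv-select on the interface should remove the corresponding entry from the audit result for frames captured on that port.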
Enable LLDP globally in CONFIGURATION mode. OS10(config)# lldp enable ● To enable LLDP on an interface: When you enable LLDP globally, it is enabled on all interfaces. You can enable or disable LLDP on individual interfaces to both transmit and receive LLDP information. Also, you can configure an interface to only transmit or receive LLDP information. Enable LLDP in INTERFACE mode.
For example, if the LLDP timer transmit interval is set to 30 seconds and the holdtime-multiplier is set to 4, the TTL is 120 seconds (30 x 4). The default TTL is 120 seconds. You can adjust the TTL value by changing the multiplier value of the holdtime.
1. Adjust the TTL value in CONFIGURATION mode.
lldp holdtime-multiplier
2. Return to the default multiplier value in CONFIGURATION mode.
4. Specify a name for VLAN 1 in INTERFACE VLAN mode.
vlan-name vlan1
Transmit the VLAN names of a specific set of VLANs
When you configure the interface to send the names of specific VLANs using the lldp vlan-name-tlv allowed vlan command, the interface can transmit a maximum of eight VLAN names. If you specify 10 VLANs and the default VLAN has a name, the interface transmits LLDPDUs with VLAN names of the default VLAN and the first seven VLANs configured with a name.
The interface transmits the name of the default VLAN even if the default VLAN ID is not explicitly configured. The interface transmits the first eight VLAN names and excludes the names of VLAN 9 and VLAN 10. The following output shows that the interface transmits the names of VLANs 1 to 8:
OS10# show lldp interface ethernet 1/1/1 local-device
Device ID: 34:17:eb:f2:05:c4
Port ID: ethernet1/1/1
System Name: OS10
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise.
5 vlan5
6 vlan6
7 vlan7
8 vlan8
9 vlan9
Maximum size of LLDP PDU: 1500
Current LLDP PDU Size: 386
LLDP PDU Truncated(Too many TLV's): false
LLDP MED Capabilities:
Supported: LLDP-MED Capabilities, Network Policy, Inventory Management
Current: LLDP-MED Capabilities, Network Policy
LLDP MED Device Type: Network connectivity
Disable and reenable LLDP TLVs
By default, the interfaces advertise all LLDP TLVs except VLAN name TLV.
● Disable LLDP TLVs in INTERFACE mode.
Enable LLDP TLVs
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# lldp tlv-select basic-tlv system-name system-description
OS10(conf-if-ma-1/1/1)# lldp tlv-select dot1tlv port-vlan-id
Advertise management address TLVs in a VLT domain
The management address TLV advertises the IP address of the management interface to adjacent LAN devices. The system advertises this information in the management address TLV of all the physical ports.
R1(conf-if-eth1/1/7)# lldp tlv-select basic-tlv system-name
R1(conf-if-eth1/1/7)# lldp tlv-select dot3tlv macphy-config
R1(conf-if-eth1/1/7)# lldp tlv-select dot3tlv max-framesize
R1(conf-if-eth1/1/7)# lldp tlv-select dot1tlv link-aggregation
R1(conf-if-eth1/1/7)# lldp tlv-select dot1tlv port-vlan-id
R1(conf-if-eth1/1/7)# lldp management-addr-tlv ipv4 virtual-ip
Sample configuration on R2:
Enable the list of LLDP TLVs that need to be advertised from R2.
Total Med Frames Out : 0
Total Med Frames In : 0
Total Med Frames Discarded : 0
Total Med TLVS Discarded : 0
Total Med Capability TLVS Discarded: 0
Total Med Policy TLVS Discarded : 0
Total Med Inventory TLVS Discarded : 0
View LLDP neighbor advertisements
● View brief information about the LLDP neighbors learned by the OS10 switch.
LLDP-MED Capabilities, Network Policy, Location Identification, Extended Power via MDI - PSE, Extended Power via MDI - PD, Inventory Management
Current: LLDP-MED Capabilities, Network Policy, Location Identification, Extended Power via MDI - PD, Inventory Management
Device Class: Endpoint Class 3
Network Policy:
Application: voice, Tag: Tagged, Vlan: 50, L2 Priority: 6, DSCP Value: 46
Inventory Management:
H/W Revision : 12.1.1
F/W Revision : 10.1.9750B
S/W Revision : 10.1.
Table 58. LLDP-MED organizationally specific TLVs (Type – 127) (continued) TLV Subtype Description ● Coordinate-based LCI ● Civic address LCI ● Emergency call services ELIN Extended power-via-MDI 4 ● Power requirements ● Priority ● Power status NOTE: Only Rx function is supported for location identification and extended power via MDI TLVs. LLDP-MED capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and network-connectivity device support.
● VLAN tagged or untagged status ● L2 priority ● DSCP value You can configure a LLDP-MED network policy to generate an individual network policy TLV for each application type. For more information, see Define network policies. NOTE: Signaling is a series of control packets that are exchanged between an endpoint device and a network-connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets where a connection is made.
● To disable LLDP-MED on an interface, use the lldp med disable command in INTERFACE mode.
OS10(conf-if-eth1/1/1)# lldp med disable
Enable LLDP-MED
When LLDP-MED is disabled, you can reenable LLDP-MED on an interface.
● To enable LLDP-MED on an interface, use the lldp med enable command in INTERFACE mode.
OS10(conf-if-eth1/1/1)# lldp med enable
NOTE: If you enable LLDP MED on an interface, the system transmits MED TLVs only when it receives a TLV from a peer.
Rapid availability is crucial for applications such as emergency call service location (E911).
● Configure the fast start repeat count, which is the number of packets that are sent during activation, in CONFIGURATION mode, from 1 to 10, default 3.
lldp med fast-start-repeat-count number
Configure fast start repeat count
OS10(config)# lldp med fast-start-repeat-count 5
LLDP commands
clear lldp counters
Clears LLDP and LLDP-MED transmit, receive, and discard statistics from all physical interfaces.
Command Mode CONFIGURATION
Usage Information This command enables LLDP globally for all Ethernet PHY interfaces, except on those interfaces where you manually disable LLDP. The no version of this command disables LLDP globally irrespective of whether you manually disable LLDP on an interface.
Example OS10(config)# lldp enable
Supported Releases 10.3.1E or later
lldp holdtime-multiplier
Configures the multiplier value for the hold time.
Command Mode INTERFACE
Usage Information LLDP-MED communicates the types of TLVs that the endpoint device and network-connectivity device support. Use the no lldp med or lldp med disable command to disable LLDP-MED on a specific interface.
Example OS10(conf-if-eth1/1/1)# lldp med disable
Supported Releases 10.2.0E or later
lldp med network-policy
Manually defines an LLDP-MED network policy.
Default Not configured
Command Mode INTERFACE
Usage Information Attach only one network policy per interface.
Example OS10(conf-if-eth1/1/5)# lldp med network-policy add 1
Supported Release 10.2.0E or later
lldp med tlv-select
Configures the LLDP-MED TLV type to transmit or receive.
Syntax lldp med tlv-select {network-policy | inventory}
Parameters
● network-policy — Enable or disable the port description TLV.
● inventory — Enable or disable the system TLV.
lldp receive
Enables or disables the LLDP packet reception on a specific interface.
Syntax lldp receive
Parameters None
Default Not configured
Command Mode INTERFACE
Usage Information Enable LLDP globally on the system before using the lldp receive command. The no version of this command disables the reception of LLDP packets.
Example OS10(conf-if-eth1/1/3)# lldp receive
Supported Releases 10.2.0E or later
lldp reinit
Configures the delay time in seconds for LLDP to initialize on any interface.
lldp tlv-select basic-tlv
Enables or disables TLV attributes to transmit and receive LLDP packets.
Syntax lldp tlv-select basic-tlv {port-description | system-name | system-description | system-capabilities | management-address [ipv4 | ipv6]}
Parameters ● ● ● ● ● ● ●
Default Enabled
Command Mode INTERFACE
Usage Information The no form of the command disables TLV attribute transmission and reception in LLDP packets.
● link-aggregation — Enable the link aggregation TLV. ● vlan-name — Configure dot1 TLVs to send and receive the names of VLANs in LLDP frames. Default Enabled. vlan-name is disabled. Command Mode INTERFACE Usage Information The link-aggregation parameter advertises link aggregation as a dot1 TLV in the LLDPDUs. The vlan-name parameter advertises the names of VLANs in LLDP frames. The no version of this command disables TLV transmissions.
lldp vlan-name-tlv allowed vlan Specifies a single or multiple VLANs' names to transmit in LLDPDUs. Syntax lldp vlan-name-tlv allowed vlan vlan-id Parameters vlan-id—Specify a single VLAN or multiple VLANs. Default Disabled Command Mode INTERFACE Usage Information This command specifies VLANs' names to transmit in LLDPDUs along with the configured default VLAN. If you do not use this command, the interface sends the name of the default VLAN if a name is configured.
System Name: 0075
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise.
Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.
System Description: OS10 Enterprise.
OS Version: 10.4.9999EX.
show lldp med Displays the LLDP MED information for all the interfaces. Syntax show lldp med Parameters None Default Not configured Command Mode EXEC Usage Information Use the show lldp interface command to view MED information for a specific interface.
Usage Information Example Example (Detail) This command status information includes local port ID, remote hostname, remote port ID, remote VLAN names, and remote node ID.
Example
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 120
Reinit-time in seconds: 6
Transmit interval in seconds: 30
Supported Releases 10.2.0E or later
show lldp tlv-select interface
Displays the TLVs enabled for an interface.
Syntax show lldp tlv-select interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport] — Enter the Ethernet interface information, from 1 to 253.
Example (Interface)
OS10# show lldp traffic interface ethernet 1/1/2
LLDP Traffic Statistics:
Total Frames Out : 45
Total Entries Aged : 1
Total Frames In : 33
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0
LLDP MED Traffic Statistics:
Total Med Frames Out :
Total Med Frames In :
Total Med Frames Discarded :
Total Med TLVS Discarded :
Total Med Capability TLVS Discarded:
Total Med Policy TLVS Discarded :
Total Med Inventory TLVS Discarded
● Enter an aging time (in seconds) in CONFIGURATION mode, from 0 to 1000000, default 1800. mac address-table aging-time seconds NOTE: On the Dell EMC PowerSwitch S4200-ON series, the default MAC aging time is set as 550 seconds. This is the maximum value that can be configured.
View MAC Address Table Entries
OS10# show mac address-table
VlanId  Mac Address        Type     Interface
1       00:00:15:c6:ca:49  dynamic  ethernet1/1/21
1       00:00:20:2a:25:55  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:ce  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:c6  dynamic  ethernet1/1/21
10      34:17:eb:02:8c:33  static   ethernet1/1/1
View MAC Address Table Count
OS10# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count : 4
Static Address (User-defined) Count : 1
Total MAC Addresses in Use: 5
Clear MAC A
Usage Information Use the all parameter to remove all dynamic entries from the address table.
Example OS10# clear mac address-table dynamic all
Example (VLAN) OS10# clear mac address-table dynamic vlan 20
Supported Releases 10.2.0E or later
mac address-table aging-time
Configures the aging time for entries in the L2 address table.
Syntax mac address-table aging-time seconds
Parameters seconds — Enter the aging time for MAC table entries in seconds, from 0 to 1000000.
show mac address-table Displays information about the MAC address table. Syntax show mac address-table [address mac-address | aging-time | [count [vlan vlan-id] | dynamic | interface {ethernet node/slot/port[:subport] | portchannel number}]| static [address mac-address] | vlan vlan-id Parameters ● ● ● ● ● address mac-address — (Optional) Displays MAC address table information. aging-time — (Optional) Displays MAC address table aging-time information.
Supported Releases 10.2.0E or later
Spanning-tree protocol
This section describes how spanning-tree features work and the different variants of STP.
Introduction to STP
The spanning-tree protocol is a Layer 2 network protocol that prevents loops in a network topology. Spanning-tree is useful when more than one network path exists and devices in the network are either competing for or sharing these paths.
Use the spanning-tree disable command to disable STP.
Backward compatibility and interoperability
Spanning tree modes are backward compatible and interoperable with the STP version. The OS10 interoperability feature is designed to support the convergence when the peer switch is running PVST+. When an OS10 switch running Rapid PVST+ is connected to a Cisco switch running PVST+, convergence occurs only on VLAN 1.
2. Enable STP BPDU guard in INTERFACE mode. spanning-tree bpduguard enable BPDU guard violation causes the system to perform the following actions in the port channel: ● The interface and all member ports are disabled in the hardware. ● When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the hardware.
Interface                                     Designated
Name           PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
--------------------------------------------------------------------------
ethernet1/1/7  128.56  128   500   FWD  500   32769 90b1.1cf4.a625  128.
Example configuration
OS10(config)# errdisable detect cause bpduguard
OS10(config)# errdisable recovery interval 45
OS10(config)# errdisable recovery cause bpduguard
View detect and recovery details
OS10# show errdisable detect
Error-Disable Cause     Detect Status
-----------------------------------------------
bpduguard               Enabled
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval: 300 seconds
Error-Disable Reason    Recovery Status
---------------------------------------------------
bpduguard               Enabled
For RSTP, the threshold is set to a higher value (65,535) because RSTP does not require this optimization. Even when this feature is enabled, the global flush is invoked only after the flush count reaches 65,535. MSTP MSTP allows (VLAN-list, port) based flush until the number of calls sent is equal to the MAC flush threshold value that you have configured. When the number of calls exceeds the configured threshold, MSTP ignores further (VLAN-list, port) based flush and starts the MAC flush timer.
your individual devices. Use the show spanning-tree mst command to view the MST configuration, or use the show running-configuration command to view the overall MST configuration. MST flags for communication received from the same region The MST routers are located in the same region. If the debug logs indicate that packets are coming from a Different Region, one of the key parameters does not match. MST region name The configured name and revisions must be identical among all devices.
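Because the region name and revision must be identical on every bridge (and, per the MST standard, so must the VLAN-to-instance mapping), a "Different Region" mismatch can be located by comparing show spanning-tree mst configuration output from two switches. The Python below is an added example, not Dell code: it assumes the output lists one MSTI per line, and the second switch's output and all function names are constructed.

```python
import re


def expand_vlans(spec):
    """Turn a VID list such as '1,31-4093' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def to_ranges(vlans):
    """Collapse a set of VLAN IDs back into the compact '2-10,15' form."""
    spans = []
    for vlan in sorted(vlans):
        if spans and vlan == spans[-1][1] + 1:
            spans[-1][1] = vlan
        else:
            spans.append([vlan, vlan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


def parse_mst_config(text):
    """Extract region name, revision and the VLAN-to-MSTI map from the output."""
    name = re.search(r"^Region Name:\s*(.*?)\s*$", text, re.M)
    revision = re.search(r"^Revision:\s*(\d+)\s*$", text, re.M)
    if not name or not revision:
        raise ValueError("Region Name or Revision line not found")
    vlan_to_msti = {}
    for msti, spec in re.findall(r"^[ \t]*(\d+)[ \t]+(\d[\d,-]*)[ \t]*$", text, re.M):
        for vlan in expand_vlans(spec):
            if vlan in vlan_to_msti:
                raise ValueError(f"VLAN {vlan} is listed under two instances")
            vlan_to_msti[vlan] = int(msti)
    return {"name": name.group(1), "revision": int(revision.group(1)),
            "map": vlan_to_msti}


def compare_regions(a, b):
    """List every parameter that would place the two switches in different regions."""
    diffs = []
    if a["name"] != b["name"]:            # comparison is case-sensitive
        diffs.append(f"region name: {a['name']!r} vs {b['name']!r}")
    if a["revision"] != b["revision"]:
        diffs.append(f"revision: {a['revision']} vs {b['revision']}")
    moved = {}
    for vlan in a["map"].keys() | b["map"].keys():
        pair = (a["map"].get(vlan), b["map"].get(vlan))
        if pair[0] != pair[1]:
            moved.setdefault(pair, set()).add(vlan)
    for (left, right), vlans in sorted(moved.items(), key=lambda kv: min(kv[1])):
        diffs.append(f"VLAN {to_ranges(vlans)}: MSTI {left} vs MSTI {right}")
    return diffs


# First sample: the values shown in this guide's MST example.
SWITCH_A = """\
Region Name: Dell
Revision: 100
MSTI   VID
0      1,31-4093
1      2-10
2      11-20
3      21-30
"""
# Second sample: constructed, with a case difference and a shifted VLAN range.
SWITCH_B = """\
Region Name: dell
Revision: 100
MSTI   VID
0      1,26-4093
1      2-10
2      11-20
3      21-25
"""

if __name__ == "__main__":
    for line in compare_regions(parse_mst_config(SWITCH_A), parse_mst_config(SWITCH_B)):
        print(line)
```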
Root-Guard: Enable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                     Designated
Name           PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
--------------------------------------------------------------------------
ethernet1/1/7  128.56  128   500   FWD  500   32769 90b1.1cf4.a625  128.56
Common STP commands
This section explains the common commands in STP. STP variant specific commands are explained in the individual sections under RSTP, MSTP, and Rapid-PVST.
Supported Releases 10.5.0 or later errdisable detect cause bpduguard Configures the port to be shut down or moves the port to blocked state on detecting a BPDU guard violation. Syntax errdisable detect cause bpduguard Parameters None Default Enabled Command Mode CONFIGURATION Usage Information This command applies only to STP-enabled ports. The command takes effect only when the BPDU guard is configured on a port.
Parameters interval-value—Enter the time interval in seconds. The range is from 30 to 65535. Default 300 seconds Command Mode CONFIGURATION Usage Information This command applies only to STP-enabled ports. The command takes effect only when the BPDU guard is configured on a port. The recovery timer value is applicable only for shutdown case. For blocking case, the default value of 300 seconds is used. The recovery timer starts whenever there is a BPDU guard violation.
spanning-tree bpduguard Enables or disables the BPDU guard on an interface. Syntax spanning-tree bpduguard {enable | disable} Parameters ● enable — Enables the BPDU guard filter on an interface. ● disable — Disables the BPDU guard filter on an interface. Default Disabled Command Mode INTERFACE Usage Information BPDU guard prevents a port from receiving BPDUs. If the port receives a BPDU, it is placed in the ErrorDisabled state.
Supported Releases 10.2.0E or later
spanning-tree link-type
Sets the spanning-tree link-type for faster convergence.
Syntax spanning-tree link-type {auto | point-to-point | shared}
Parameters
● auto — Enter the keyword to set the link-type based on the duplex setting of the interface.
● point-to-point—Specifies that the interface is a point-to-point or full-duplex link.
● shared—Specifies that the interface is a half-duplex medium.
Parameters
● rstp — Sets STP mode to RSTP.
Default Rapid-PVST
Command Mode CONFIGURATION
Usage Information All STP instances stop in the previous STP mode and restart in the new mode. You can also change to RSTP/MST mode.
Example OS10(config)# spanning-tree mode rstp
Supported Releases 10.2.0E or later
spanning-tree port
Sets the port type as the EdgePort.
bpduguard             Enabled
MLL violation         Enabled
MAC-move-violation    Enabled
                                                          Recovery Time Left
Interface        Errdisable Cause                         (seconds)
--------------------------------------------------------------------------
ethernet1/1/1:1  bpduguard                                30
ethernet1/1/1:2  bpduguard                                1
ethernet1/1/10   bpduguard/mac-learning-limit/mac-move    10
port-channel100  Mac-learning-limit                       50
port-channel128  mac-move                                 49
Supported Releases 10.4.2.
Each VLAN is assigned an incremental default bridge priority. For example, if VLAN 1 is assigned a bridge priority value of 32769, then VLAN 2 (if created) is assigned a bridge priority value of 32770; similarly, VLAN 10 (if created) is assigned a bridge priority value of 32778, and so on. All three instances have the same forwarding topology. NOTE: Z9332F-ON supports a total of 64 instances, of which 3 VLANs are used for internal purposes.
Load balance and root selection By default, all VLANs use the same forwarding topology — R2 is elected as the root and all 10G Ethernet ports have the same cost. Bridge priority can be modified for each VLAN to enable different forwarding topologies. To achieve Rapid-PVST load balancing, assign a different priority on each bridge. Enable Rapid-PVST By default, Rapid-PVST is enabled and creates an instance during VLAN creation.
ethernet1/1/27  128.216  128  500  BLK  0  32769 3417.ec37.1400  128.56
ethernet1/1/28  128.224  128  500  BLK  0  32769 3417.ec37.1400  128.64
Interface
Name           Role  PortID  Prio  Cost  Sts  Cost  Link-type  Edge
--------------------------------------------------------------------
ethernet1/1/5  Altr  128.40  128   500   BLK  500   AUTO       No
ethernet1/1/6  Altr  128.48  128   500   BLK  500   AUTO       No
ethernet1/1/7  Desg  128.56  128   500   FWD  500   AUTO       No
ethernet1/1/8  Altr  128.64  128   500   BLK  500   AUTO       No
ethernet1/1/9  Altr  128.
ethernet1/1/5  Desg  128.276  128  500  FWD  0  AUTO  No
ethernet1/1/6  Desg  128.280  128  500  FWD  0  AUTO  No
View brief configuration
OS10# show spanning-tree brief
Spanning tree enabled protocol rapid-pvst with force-version rstp
VLAN 1
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 4097, Address 90b1.1cf4.a523
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4097, Address 90b1.1cf4.
spanning-tree vlan vlan-id root primary command ensures that the switch has the lowest bridge priority value by setting the predefined value of 24,576. If an alternate root bridge is required, use the spanning-tree vlan vlan-id root secondary command. The command sets the priority for the switch to the predefined value of 28,672. If the primary root bridge fails, the command ensures that the alternate switch becomes the root bridge.
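To confirm that root primary and root secondary produced the intended topology, and to notice when a different bridge has taken over as root, the Root ID lines of show spanning-tree output can be compared against the root expected for each VLAN. This Python check is an added example, not part of OS10: the sample output, MAC addresses, and function names are constructed, and it assumes the displayed priority is the configured priority plus the VLAN ID, as in the 32769 and 32770 values given in this guide.

```python
import re

MAC = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
# One match per spanning-tree instance. \s+ and DOTALL let the pattern work on
# line-wrapped or flattened captures of the command output.
INSTANCE = re.compile(
    rf"VLAN\s+(?P<vlan>\d+)\b.*?"
    rf"Root ID\s+Priority\s+(?P<rprio>\d+),\s*Address\s+(?P<rmac>{MAC}).*?"
    rf"Bridge ID\s+Priority\s+(?P<bprio>\d+),\s*Address\s+(?P<bmac>{MAC})",
    re.DOTALL | re.IGNORECASE)

# Predefined values named in this guide, plus the 32768 default base.
ROLE = {24576: "root primary", 28672: "root secondary", 32768: "default"}


def base_priority(displayed, vlan):
    """Strip the VLAN ID that Rapid-PVST adds to the configured priority."""
    base = displayed - vlan
    if not 0 <= base <= 61440 or base % 4096:
        raise ValueError(f"priority {displayed} is not 4096*n + VLAN {vlan}")
    return base


def parse_instances(text):
    """Return one dict per VLAN instance found in the command output."""
    found = []
    for m in INSTANCE.finditer(text):
        vlan = int(m["vlan"])
        root_base = base_priority(int(m["rprio"]), vlan)
        found.append({
            "vlan": vlan,
            "root_mac": m["rmac"].lower(),
            "root_priority": root_base,
            "root_role": ROLE.get(root_base, "custom"),
            "local_is_root": m["rmac"].lower() == m["bmac"].lower(),
            "bridge_priority": base_priority(int(m["bprio"]), vlan),
        })
    return found


def check_roots(text, expected_roots):
    """Compare each VLAN's root bridge with the MAC address the design expects."""
    findings = []
    for inst in parse_instances(text):
        want = expected_roots.get(inst["vlan"])
        if want is None:
            findings.append((inst["vlan"], "no expected root recorded"))
        elif inst["root_mac"] != want.lower():
            findings.append((inst["vlan"],
                             f"root is {inst['root_mac']} (priority "
                             f"{inst['root_priority']}), expected {want.lower()}"))
    return findings


# Constructed output in the layout of show spanning-tree brief. The second
# root address is from the documentation MAC range.
SAMPLE = """\
Spanning tree enabled protocol rapid-pvst with force-version rstp
VLAN 1
Executing IEEE compatible Spanning Tree Protocol
Root ID    Priority 24577, Address 90b1.1cf4.a523
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID    Priority 32769, Address 90b1.1cf4.9b8a
VLAN 10
Executing IEEE compatible Spanning Tree Protocol
Root ID    Priority 4106, Address 0000.5e00.5301
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID    Priority 32778, Address 90b1.1cf4.9b8a
"""

if __name__ == "__main__":
    expected = {1: "90b1.1cf4.a523", 10: "90b1.1cf4.a523"}
    for vlan, message in check_roots(SAMPLE, expected):
        print(f"VLAN {vlan}: {message}")
```

A finding on a VLAN where root guard or BPDU guard is expected to be active is worth checking against the show errdisable recovery output for the affected ports.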
View Rapid-PVST global parameters
OS10# show spanning-tree active
Spanning tree enabled protocol rapid-pvst with force-version rstp
VLAN 1
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32769, Address 90b1.1cf4.a523
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32769, Address 90b1.1cf4.
Usage Information The media speed of a LAN interface determines the STP port path cost default value.
Example OS10(conf-if-eth1/1/4)# spanning-tree vlan 10 cost 1000
Supported Releases 10.2.0E or later
spanning-tree vlan disable
Disables spanning tree on a specified VLAN.
Syntax spanning-tree vlan vlan-id disable
Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Example OS10(config)# spanning-tree rpvst force-version stp
Supported Releases 10.2.0E or later
spanning-tree vlan hello-time
Sets the time interval between generation and transmission of Rapid-PVST BPDUs.
Syntax spanning-tree vlan vlan-id hello-time seconds
Parameters
● vlan-id — Enter the VLAN ID number, from 1 to 4093.
● seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 10 max-age 10
Supported Releases 10.2.0E or later
spanning-tree vlan priority
Sets the priority value for Rapid-PVST.
Syntax spanning-tree vlan vlan-id priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 1 root primary
Supported Releases 10.2.0E or later
spanning-tree rapid-pvst default behavior
Allows Rapid PVST+ switching between the current OS10 behavior and behavior expected by vendors other than OS9 or OS10.
Example (RapidPVST mode)
OS10# show spanning-tree compatibility-mode
Interface Name   Instance   Compatibility-mode
------------------------------------------------
ethernet1/1/1    VLAN 1     RSTP
ethernet1/1/1    VLAN 2     RSTP
ethernet1/1/1    VLAN 3     RSTP
ethernet1/1/1    VLAN 4     RSTP
ethernet1/1/1    VLAN 5     RSTP
ethernet1/1/2    VLAN 1     STP
ethernet1/1/2    VLAN 2     STP
ethernet1/1/2    VLAN 3     STP
ethernet1/1/2    VLAN 4     STP
ethernet1/1/2    VLAN 5     STP
OS10# show spanning-tree compatibility-mode port-channel 1
Interface Name   Instance   Compatibility
Usage Information Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
Example OS10(config)# spanning-tree rapid-pvst force-version stp
Supported Releases 10.2.0E or later
Rapid Spanning-Tree Protocol
Rapid Spanning-Tree Protocol (RSTP) is similar to STP, but provides faster convergence and interoperability with devices configured with STP and MSTP. RSTP is disabled by default. All enabled interfaces in L2 mode automatically add to the RSTP topology.
View all ports participating in RSTP
OS10# show spanning-tree
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 90b1.1cf4.
Interface
Name             Role  PortID   Prio  Cost       Sts  Cost  Link-type  Edge
------------------------------------------------------------------------
ethernet1/1/1    Disb  128.260  128   200000000  BLK  0     AUTO       No
ethernet1/1/2    Disb  128.264  128   200000000  BLK  0     AUTO       No
ethernet1/1/3    Disb  128.268  128   200000000  BLK  0     AUTO       No
ethernet1/1/4    Disb  128.272  128   200000000  BLK  0     AUTO       No
ethernet1/1/5:1  Disb  128.
ethernet1/1/2  248.128  128  500  BLK  0  32768 90b1.1cf4.9b8a  128.248
ethernet1/1/3  252.128  128  500  FWD  0  32768 90b1.1cf4.9b8a  128.252
ethernet1/1/4  256.128  128  500  BLK  0  32768 90b1.1cf4.9b8a  128.
Interface
Name           Role  PortID   Prio  Cost  Sts  Cost  Link-type  Edge
---------------------------------------------------------
ethernet1/1/1  Altr  128.244  128   500   BLK  0     AUTO       No
ethernet1/1/2  Altr  128.248  128   500   BLK  0     AUTO       No
ethernet1/1/3  Root  128.252  128   500   FWD  0     AUTO       No
ethernet1/1/4  Altr  128.256  128   500   BLK  0     AUTO       No
View bridge priority and root bridge assignment
OS10# show spanning-tree active
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 36864, Address 90b1.1cf4.
ethernet1/1/3  252.128  128  500  FWD  0  32768 90b1.1cf4.9b8a  128.252
ethernet1/1/4  256.128  128  500  BLK  0  32768 90b1.1cf4.9b8a  128.256
Interface
Name           Role  PortID   Prio  Cost  Sts  Cost  Link-type  Edge
------------------------------------------------------------
ethernet1/1/1  Altr  128.244  128   500   BLK  0     AUTO       No
ethernet1/1/2  Altr  128.248  128   500   BLK  0     AUTO       No
ethernet1/1/3  Root  128.252  128   500   FWD  0     AUTO       No
ethernet1/1/4  Altr  128.256  128   500   BLK  0     AUTO       No
Supported Releases 10.2.
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree rstp forward-time 16
Supported Releases 10.2.0E or later
spanning-tree rstp hello-time
Sets the time interval between generation and transmission of RSTP BPDUs.
Syntax spanning-tree rstp hello-time seconds
Parameters seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree rstp max-age 10
Supported Releases 10.2.0E or later
spanning-tree rstp priority
Sets the priority value for RSTP.
Syntax spanning-tree rstp priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
1. Enable MST, if the current running spanning-tree protocol (STP) version is not MST. 2. (Optional) Map the VLAN to different instances in such a way that the traffic is load balanced well and the link utilization is efficient. 3. Ensure the same region name is configured in all the bridges running MST. 4. (Optional) Configure the revision number. The revision number is the same on all the bridges.
OS10(conf-mst)# revision 100
OS10(conf-mst)# instance 1 vlan 2-10
OS10(conf-mst)# instance 2 vlan 11-20
OS10(conf-mst)# instance 3 vlan 21-30
View VLAN instance mapping
OS10# show spanning-tree mst configuration
Region Name: Dell
Revision: 100
MSTI   VID
0      1,31-4093
1      2-10
2      11-20
3      21-30
View port forwarding/discarding state
os10# show spanning-tree msti 0 brief
Spanning tree enabled protocol msti with force-version mst
MSTI 0 VLANs mapped 1-3999,4091-4093
Executing IEEE compatible Spanning Tree Protocol
ethernet1/1/13  128.104  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.104
ethernet1/1/14  128.112  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.112
ethernet1/1/15  128.120  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.120
ethernet1/1/16  128.128  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.128
ethernet1/1/17  128.136  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.136
ethernet1/1/18  128.144  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.144
ethernet1/1/19  128.152  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.
ethernet1/1/9 AUTO No ethernet1/1/10 AUTO No ethernet1/1/11 AUTO No ethernet1/1/12 AUTO No ethernet1/1/13 AUTO No ethernet1/1/14 AUTO No ethernet1/1/15 AUTO No ethernet1/1/16 AUTO No ethernet1/1/17 AUTO No ethernet1/1/18 AUTO No ethernet1/1/19 AUTO No ethernet1/1/20 AUTO No ethernet1/1/21 AUTO No ethernet1/1/22 AUTO No ethernet1/1/23 AUTO No ethernet1/1/24 AUTO No ethernet1/1/25 AUTO No ethernet1/1/26 AUTO No ethernet1/1/27 AUTO No ethernet1/1/28 AUTO No ethernet1/1/29 AUTO No ethernet1/1/30 AUTO No etherne
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15, max hops 20
Bridge ID Priority 32768, Address 90b1.1cf4.a523
Configured hello time 2, max age 20, forward delay 15, max hops 20
CIST regional root ID Priority 32768, Address 90b1.1cf4.
Max-hops The maximum number of hops a BPDU travels before a receiving device discards it.
NOTE: Dell EMC recommends that only experienced network administrators change MST parameters. Poorly planned modification of MST parameters can negatively affect network performance.
1. Change the forward-time parameter in CONFIGURATION mode, from 4 to 30, default 15.
spanning-tree mst forward-time seconds
2. Change the hello-time parameter in CONFIGURATION mode, from 1 to 10, default 2.
● Port-channel with 1-Gigabit Ethernet interfaces — 18000
● Port-channel with 10-Gigabit Ethernet interfaces — 1800

1. Change the port cost of an interface in INTERFACE mode, from 1 to 200000000.
spanning-tree msti number cost 1
2. Change the port priority of an interface in INTERFACE mode, from 0 to 240 in increments of 16, default 128.
Usage Information
By default, the MST protocol assigns the system MAC address as the region name. Two MST devices within the same region must share the same region name, including matching case.
Example
OS10(conf-mst)# name my-mst-region
Supported Releases
10.2.0E or later

revision
Configures a revision number for the MSTP configuration.
Syntax
revision number
Parameters
number — Enter a revision number for the MSTP configuration, from 0 to 65535.
spanning-tree msti
Configures the MSTI, cost, and priority values for an interface.
Syntax
spanning-tree msti instance {cost cost | priority value}
Parameters
● msti instance — Enter the MST instance number, from 0 to 63. For the Z9332F-ON platform, enter an MST instance value from 0 to 61.
● cost cost — (Optional) Enter a port cost value, from 1 to 200000000.
Default
Enabled
Command Mode
CONFIGURATION
Usage Information
The no version of this command enables spanning tree on the specified MST instance.
Example
OS10(config)# spanning-tree mst 10 disable
Supported Releases
10.4.0E(R1) or later

spanning-tree mst force-version
Configures a forced version of STP to transmit BPDUs.
Syntax
spanning-tree mst force-version {stp | rstp}
Parameters
● stp — Forces the version for the BPDUs transmitted by MST to STP.
Default
2 seconds
Command Mode
CONFIGURATION
Usage Information
Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports. The no version of this command resets the value to the default.
Example
OS10(config)# spanning-tree mst hello-time 5
Supported Releases
10.2.0E or later

spanning-tree mst mac-flush-threshold
Configures the mac-flush threshold value for a specific instance.
spanning-tree mst max-hops
Configures the maximum hop count for a BPDU to travel before it is discarded.
Syntax
spanning-tree mst max-hops number
Parameters
number — Enter a maximum hop value, from 6 to 40.
Default
20
Command Mode
CONFIGURATION
Usage Information
A device receiving BPDUs waits until the max-hops value expires before discarding it. When a device receives the BPDUs, it decrements the received value of the remaining hops and uses the resulting value as remaining-hops in the BPDUs.
○ ethernet node/slot/port[:subport] — Enter the Ethernet port information, from 1 to 48.
○ port-channel — Enter the port-channel interface information, from 1 to 128.
Default
Not configured
Command Mode
EXEC
Usage Information
View the MST instance information for a specific MST instance number in detail or brief, or view physical Ethernet ports or port-channel information.
Example (virtual-interface)
Command History
agg-6146 # show spanning-tree msti 0 virtual-interface
VFP(VirtualFabricPort) of MSTI 0 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 250, Received: 240
Interface Designated
Name PortID Prio Cost Sts Cost Bridge ID PortID
---------------------------------------------------
Create or remove VLANs

You can create VLANs and add physical interfaces or port-channel LAG interfaces to the VLAN as tagged or untagged members. You can add an Ethernet interface as a trunk port or as an access port, but it cannot be added as both simultaneously.
Internet address is 10.1.1.
Configure port in Access mode

OS10(config)# interface ethernet 1/1/9
OS10(config-if-eth1/1/9)# switchport mode access
OS10(config-if-eth1/1/9)# switchport access vlan 604

Show running configuration

OS10# show running-configuration
...
!
interface ethernet1/1/5
...
switchport access vlan 604
no shutdown
!
interface vlan1
no shutdown
...

Trunk mode

A trunk port can be a member of multiple VLANs set up on an interface. A trunk port transmits traffic for all VLANs.
Do not assign an IP address to the default VLAN (VLAN 1).
NOTE: However, the zero-touch deployment (ZTD) application requires this functionality. While ZTD is in progress, the system assigns an IP address to the default VLAN to establish connectivity. After ZTD is complete, the system removes the IP address that is assigned to the default VLAN.

You can place VLANs and other logical interfaces in L3 mode to receive and send routed traffic.
1. Create a VLAN in CONFIGURATION mode, from 1 to 4093.
LineSpeed 0
ARP type: ARPA, ARP Timeout: 60
Last clearing of "show interface" counters: 15:47:04
Queuing strategy: fifo
Input statistics:
0 packets, 0 octets
Output statistics:
0 packets, 0 octets
Time since last interface status change: 15:47:04

View VLAN configuration

You can view configuration information related to VLANs using show commands.
● View the VLAN status and configuration information in EXEC mode.
show vlan
● View the VLAN interface configuration in EXEC mode.
Internet address is 10.1.15.
CM which matches the same . For example, when vlanid 100 with a traffic class of type 4 the classmap created will be:
classmap type qos match vlan 100 CM100
A single policymap is created to hold all the VLAN classmaps, and it is applied at the system qos level, which applies it to all the interfaces.
policymap type qos PM_VLAN
class CM100
set qos-group 4
Any addition, deletion, or modification to the VLAN or the traffic class happens within the same policymap.
The following figure shows the anycast IP-based gateway configuration for a VLAN: The ip virtual-router address and ipv6 virtual-router address commands assign the specified address as the virtual IPv4 or IPv6 address for the VLAN interface, respectively. Before assigning the anycast IP address to a VLAN interface, configure a virtual MAC address to the switch using the ip virtual-router mac-address command. All virtual addresses on all VLAN interfaces resolve to the configured virtual MAC address.
● Ensure that the anycast IPv4 or IPv6 address is different from the primary IPv4 or IPv6 address, respectively. For IPv6, you can configure more than one primary IP address. Even when more than one primary IPv6 address or subnet is configured, you can configure only one IPv6 address as the gateway IP address.
● To ping an IPv6 host present in a remote VLAN, use the ping -I command and specify the interface IP address. The -I option is not required when you ping an IPv6 local host in a VLAN.
Example - Anycast IP Gateway for VLANs in VLT topology

This section provides a sample anycast IP gateway configuration for VLANs in a VLT topology.

AG1 configuration
1. Configure a global anycast MAC address.
AG1# configure terminal
AG1(config)# ip virtual-router mac-address 00:00:5e:00:01:01
2. Configure a VLAN Interface with the anycast virtual address.
AG1(config)# interface vlan 3001
AG1(conf-if-vl-3001)# no shutdown
AG1(conf-if-vl-3001)# ip address 10.1.1.
AG1(conf-if-vl-3001)# ipv6 virtual-router address 10:1:1::5
AG1(conf-if-vl-3001)# exit
3. Configure the VLT domain.
AG1(config)# vlt-domain 1
AG1(conf-vlt-1)# backup destination 172.16.1.4 interval 3
AG1(conf-vlt-1)# delay-restore 300
AG1(conf-vlt-1)# discovery-interface ethernet1/1/25:1-1/1/25:4
AG1(conf-vlt-1)# peer-routing
AG1(conf-vlt-1)# primary-priority 1
AG1(conf-vlt-1)# vlt-mac de:11:de:11:de:11
AG1(conf-vlt-1)# multicast peer-routing timeout 450
AG1(conf-vlt-1)# exit
4.
ethernet1/1/25:2  AG2  ethernet1/1/25:2  50:9a:4c:d4:d0:f0
ethernet1/1/25:3  AG2  ethernet1/1/25:3  50:9a:4c:d4:d0:f0
ethernet1/1/25:4  AG2  ethernet1/1/25:4  50:9a:4c:d4:d0:f0
ethernet1/1/17:1  TR1  ethernet1/1/39    e4:f0:04:fe:9f:e1
ethernet1/1/17:2  TR1  ethernet1/1/40    e4:f0:04:fe:9f:e1
ethernet1/1/17:3  TR1  ethernet1/1/41    e4:f0:04:fe:9f:e1
ethernet1/1/17:4  TR1  ethernet1/1/42
ethernet1/1/19:1  TR1  ethernet1/1/43
ethernet1/1/19:2  TR1  ethernet1/1/44
ethernet1/1/19:3  TR1  ethernet1/1/45
ethernet1/1/19:4  TR1  ethernet1/1/46
4. Configure a port channel interface towards AG3, AG4, TR1, CR1, and CR2.
7. View VLAN members.
AG2# show vlan 3001
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
@ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated
Q: A - Access (Untagged), T - Tagged
NUM Status Description Q Ports
3001 Active T Eth1/1/9:1-1/1/9:2
T Po1,41-48,1000
8. View port channel members.
AG3(config)# interface port-channel 53
AG3(conf-if-po-53)# vlt-port-channel 53
AG3(config)# interface port-channel 54
AG3(conf-if-po-54)# vlt-port-channel 54
AG3(config)# interface port-channel 55
AG3(conf-if-po-55)# vlt-port-channel 55
AG3(config)# interface port-channel 56
AG3(conf-if-po-56)# vlt-port-channel 56
AG3(config)# interface port-channel 57
AG3(conf-if-po-57)# vlt-port-channel 57
AG3(config)# interface port-channel 58
AG3(conf-if-po-58)# vlt-port-channel 58
5.
51 52 53 54 55 56 57 58 L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID up up up up up up up up 01:41:40 01:41:39 01:41:39 01:41:38 01:41:37 01:41:36 01:41:36 01:41:35 Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth 1/1/24:3 1/1/24:4 1/1/26:1 1/1/26:2 1/1/26:3 1/1/26:4 1/1/17:1 1/1/17:2 1/1/17:3 1/1/17:4 1/1/19:1 1/1/19:2 1/1/19:3 1/1/19:4 (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) AG4 configuration 1.
5. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG1
AG1# show ip arp 10.1.1.10
Codes: pv - private vlan where the mac is originally learnt
Address Hardware address Interface Egress Interface
----------------------------------------------------------------
10.1.1.10 00:41:30:01:00:00 vlan3001 port-channel41
AG1# show mac address-table address 00:41:30:01:00:00
Codes: pv - private vlan where the mac is originally learnt
VlanId Mac Address Type Interface
3001 00:41:30:01:00:00 dynamic port-channel41
AG1#

AG2
AG2# show ip arp 10.1.1.
Usage Information
● To use special characters as a part of the description string, enclose the string in double quotes.
● To use a comma as a part of the description string, add a double backslash before the comma.
Example
OS10(config)# interface vlan 3
OS10(conf-if-vl-3)# description vlan3
Supported Releases
10.2.0E or later

interface vlan
Creates a VLAN interface.
Syntax
interface vlan vlan-id
Parameters
vlan-id — Enter the VLAN ID number, from 1 to 4093.
ip virtual-router mac-address
Configures the MAC address of an anycast L3 gateway for VLAN routing.
Syntax
ip virtual-router mac-address mac-address
Parameters
mac-address mac-address—Enter the MAC address of the anycast L3 gateway.
Default
Not configured
Command mode
CONFIGURATION
Usage information
Configure the same MAC address on all VLT switches. As the configured MAC address is automatically used for all VLANs, configure it in Global Configuration mode.
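The requirement that VLT peers carry identical anycast settings can be checked offline before a change window. The following Python sketch is an added example, not Dell EMC code: it compares two peers' configuration text for the anycast MAC, the vlt-mac, per-VLAN PVLAN mode and per-VLAN virtual-router addresses. The two sample configurations are constructed in the style of this guide's AG1/AG2 examples, and the function names are assumptions.

```python
import re

PROMPT = re.compile(r"^\S*#\s*")  # strips "AG1(config)# " style prompts

# Constructed input; PEER2 deliberately differs from PEER1 in three places.
PEER1 = """\
AG1(config)# ip virtual-router mac-address 00:00:5e:00:01:01
AG1(config)# vlt-domain 1
AG1(conf-vlt-1)# vlt-mac de:11:de:11:de:11
AG1(conf-vlt-1)# exit
AG1(config)# interface vlan 10
AG1(conf-if-vl-10)# private-vlan mode isolated
AG1(conf-if-vl-10)# exit
AG1(config)# interface vlan 3001
AG1(conf-if-vl-3001)# ipv6 virtual-router address 10:1:1::5
AG1(conf-if-vl-3001)# exit
"""

PEER2 = """\
AG2(config)# ip virtual-router mac-address 00:00:5E:00:01:02
AG2(config)# vlt-domain 1
AG2(conf-vlt-1)# vlt-mac DE:11:DE:11:DE:11
AG2(conf-vlt-1)# exit
AG2(config)# interface vlan 10
AG2(conf-if-vl-10)# private-vlan mode community
AG2(conf-if-vl-10)# exit
AG2(config)# interface vlan 3001
AG2(conf-if-vl-3001)# no shutdown
AG2(conf-if-vl-3001)# exit
"""


def parse_peer(text):
    """Collect the settings that should be identical on both VLT peers."""
    facts = {"anycast_mac": None, "vlt_mac": None,
             "pvlan_mode": {}, "virtual_addr": {}}
    vlan = None  # VLAN interface context currently entered, if any
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("interface"):
            m = re.fullmatch(r"interface\s+vlan\s*(\d+)", line)
            vlan = int(m.group(1)) if m else None
        elif line == "exit":
            vlan = None
        elif (m := re.fullmatch(r"ip virtual-router mac-address (\S+)", line)):
            facts["anycast_mac"] = m.group(1).lower()
        elif (m := re.fullmatch(r"vlt-mac (\S+)", line)):
            facts["vlt_mac"] = m.group(1).lower()
        elif vlan is not None and (m := re.fullmatch(
                r"private-vlan mode (primary|isolated|community)", line)):
            facts["pvlan_mode"][vlan] = m.group(1)
        elif vlan is not None and (m := re.fullmatch(
                r"(ip|ipv6) virtual-router address (\S+)", line)):
            facts["virtual_addr"][(vlan, m.group(1))] = m.group(2).lower()
    return facts


def compare_peers(a, b):
    """Return (setting, scope, value_on_a, value_on_b) for every difference."""
    findings = []
    for key in ("anycast_mac", "vlt_mac"):
        if a[key] != b[key]:
            findings.append((key, None, a[key], b[key]))
    for key in ("pvlan_mode", "virtual_addr"):
        for item in sorted(set(a[key]) | set(b[key])):
            va, vb = a[key].get(item), b[key].get(item)
            if va != vb:  # includes "configured on one peer only"
                findings.append((key, item, va, vb))
    return findings


if __name__ == "__main__":
    for finding in compare_peers(parse_peer(PEER1), parse_peer(PEER2)):
        print(finding)
```

MAC addresses and IPv6 addresses are lower-cased before comparison, so a difference in letter case alone is not reported.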
Example
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
@ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated
Q: A - Access (Untagged), T - Tagged
NUM Status Description Q Ports
* 1 Active A Eth1/1/15
A Po100
2101 Active T Eth1/1/1,1/1/3
T Po100
2102 Active T Eth1/1/1,1/1/3
Supported Releases
10.2.0E or later

show vlt mismatch
Displays the anycast IP configuration mismatch between VLT peers.
Example PVLAN uses:
● Guest access management—The network administrator in a hotel uses an isolated VLAN for providing guest users access to the Internet. Using isolated VLANs restricts direct access between the guest users.
● Service provider networks—Using PVLAN, a service provider can provide L2 security for customers and use IP addresses more efficiently. For example, the service provider can have a separate community VLAN per customer.
○ You can associate the PVLAN trunk port to both primary and secondary VLANs. This port carries traffic from both the primary and secondary VLANs.
○ To configure a PVLAN trunk port, associate a regular tagged port that is not a promiscuous or secondary port to a VLAN within a PVLAN domain. There are no specific CLI commands to configure a port as a PVLAN trunk port.
NOTE: OS10 supports MAC address movement within a PVLAN domain.
● You can configure a regular VLAN as a PVLAN only when it does not have any member ports associated with it. Remove the member ports from a VLAN before you configure it as a PVLAN.
● To convert a PVLAN to a regular VLAN, you must remove the PVLAN mode. Ensure that you remove the member ports from the PVLAN and the primary and secondary VLAN mapping before you remove the PVLAN mode.
● You can configure an L2 switch port as a PVLAN port using the private-vlan mode {promiscuous | secondary-port} command.
a. Create a VLAN.
OS10(config)# interface vlan 30
b. Configure the PVLAN mode as a community VLAN.
OS10(conf-if-vl-30)# private-vlan mode community
c. Configure a secondary port.
OS10(config)# interface ethernet 1/1/3
OS10(conf-if-eth1/1/3)# switchport mode trunk
OS10(conf-if-eth1/1/3)# private-vlan mode secondary-port
d. Associate the secondary port to the community VLAN.
OS10(conf-if-eth1/1/3)# switchport trunk allowed vlan 30
4. Associate the list of secondary VLANs to the primary VLAN.
NOTE:
● For a regular switch port in Trunk mode, you must tag all VLANs of the PVLAN domain.
● If you enable local proxy ARP in the primary VLAN, both the host and the primary VLAN (as the local proxy) send an ARP reply.

1. Enter Configuration mode.
OS10# configure terminal
2. Enter Interface Configuration mode.
OS10(config)# interface ethernet 1/1/4
3. Configure the Switchport mode as trunk for the port to carry traffic for more than a single VLAN.
OS10(conf-if-eth1/1/4)# switchport mode trunk
4.
5. Associate the port to be a trunk member of a PVLAN secondary VLAN. In this example, vlan 20 is an isolated secondary VLAN.
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 20
6. Associate the port to be a trunk member of a regular VLAN (non-PVLAN).
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 100
7. Configure the PVLAN port as member of untagged VLAN. Here VLAN 101 is a regular VLAN.
6. Associate the port to be a trunk member of regular VLAN.
1. Enter Configuration mode.
OS10# configure terminal
2. Enter Interface Configuration mode.
OS10(config)# interface ethernet 1/1/5
3. Remove the port from the PVLANs.
OS10(conf-if-eth1/1/5)# no switchport access vlan
OS10(conf-if-eth1/1/5)# no switchport trunk allowed vlan 10
OS10(conf-if-eth1/1/5)# show configuration
!
interface ethernet1/1/5
no shutdown
private-vlan mode promiscuous
switchport mode trunk
4. Reset PVLAN Port mode.
no shutdown
private-vlan mode secondary-port
OS10(conf-if-vl-20)#

View PVLAN information

View PVLAN mapping information

OS10# show vlan private-vlan mapping
Private Vlan:
Primary : 10
Isolated : 20
Community : 30
OS10# show vlan private-vlan
Primary Secondary Type      Active Ports
------- --------- --------- ------ --------------------------------------------
10                Primary   Yes    Eth1/1/1,1/1/5
        20        Isolated  Yes    Eth1/1/2
        30        Community Yes    Eth1/1/3
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote P
To view PVLAN ARP entries that are resolved or configured through a secondary VLAN, use the show ip arp command.
OS10# show ip arp
Codes: pv – private vlan where the mac is originally learnt
Address Hardware address Interface Egress Interface
-----------------------------------------------------------------------------
11.1.1.2 90:b1:1c:f4:a6:ee ethernet1/1/25:1 ethernet1/1/25:1
41.1.1.2 4c:d9:8f:fa:2b:59 vlan100 port-channel100 pv 20
12.1.1.
1 Secondary-port
* 2
vlt-port-channel ID : 30
VLT Unit ID Configured port-mode
----------------------------------------------------------------------------
1 Secondary-port
* 2
● To view VLAN mode configuration mismatch:
OS10# show vlt 1 mismatch private-vlan vlan-mode
Private VLAN mode mismatch:
VLAN: 10
VLT Unit ID Configured PVLAN mode
----------------------------------------------------------------------------
1 Isolated
* 2 Community

Interaction with other features

Port security
OS10 supports the followin
L2 communication is not permitted between hosts connected to ports in an isolated VLAN and hosts connected to ports in any of the secondary VLANs. Also, hosts connected to ports in a community VLAN cannot communicate with hosts connected to ports in another community or isolated VLAN. However, these hosts can communicate with each other over L3 through the primary VLAN. To configure an L3 VLAN interface, enable the local proxy ARP feature. For more information, see Configure Layer 3 VLAN interface.
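The L2 isolation rules above can be evaluated mechanically against a switch's PVLAN mapping. The following Python sketch is an added example, not Dell EMC code: it parses text in the layout of the show vlan private-vlan mapping output shown in this guide and reports which observed VLAN-to-VLAN L2 flows the rules forbid. The sample mapping is constructed from the AG1 example values, the function names are assumptions, and promiscuous ports are modeled with standard PVLAN behavior (they reach every secondary VLAN of their own primary VLAN).

```python
import re

# Constructed sample in the layout of "show vlan private-vlan mapping",
# using the VLAN numbers of the AG1 example in this guide.
SAMPLE_MAPPING = """\
Private Vlan:
Primary : 100
Isolated : 13
Community : 11-12
Private Vlan:
Primary : 200
Isolated : 22
Community : 21
"""


def expand(spec):
    """Expand a VLAN list such as '11-12,15' into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mapping(text):
    """Return {vlan_id: (role, primary_vlan)} for every VLAN in the output."""
    roles = {}
    primary = None  # primary VLAN of the domain currently being read
    for line in text.splitlines():
        m = re.match(r"\s*(Primary|Isolated|Community)\s*:\s*([\d,\- ]*)$", line)
        if not m:
            continue  # "Private Vlan:" headers and prompts are skipped
        kind = m.group(1).lower()
        for vlan in expand(m.group(2)):
            if kind == "primary":
                primary = vlan
            roles[vlan] = (kind, primary)
    return roles


def l2_allowed(roles, vlan_a, vlan_b):
    """Decide whether two endpoints may exchange frames at L2.

    Each endpoint is named by the VLAN of its port: a secondary VLAN for a
    secondary port, the primary VLAN for a promiscuous port (assumption).
    """
    if vlan_a not in roles or vlan_b not in roles:
        return vlan_a == vlan_b          # regular VLAN: ordinary bridging
    role_a, prim_a = roles[vlan_a]
    role_b, prim_b = roles[vlan_b]
    if prim_a != prim_b:
        return False                     # different PVLAN domains
    if "primary" in (role_a, role_b):
        return True                      # promiscuous side reaches all secondaries
    # Same community VLAN is allowed; isolated ports never reach each other.
    return role_a == "community" and vlan_a == vlan_b


def audit_flows(roles, flows):
    """Return the (src_vlan, dst_vlan) pairs that the PVLAN rules forbid."""
    return [(a, b) for a, b in flows if not l2_allowed(roles, a, b)]


if __name__ == "__main__":
    roles = parse_mapping(SAMPLE_MAPPING)
    # Constructed list of observed L2 flows to audit.
    observed = [(11, 11), (11, 12), (13, 13), (13, 100), (21, 11)]
    print(audit_flows(roles, observed))
```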
PVLAN commands

ip local-proxy-arp
Enables the local proxy Address Resolution Protocol (ARP) on an interface.
Syntax
ip local-proxy-arp
Parameters
None
Default
Not applicable
Command Mode
VLAN INTERFACE CONFIGURATION
Usage Information
● The router responds to ARP requests for addresses that are on the same subnetwork of that interface.
● This command is applicable only for the primary VLAN.
● Ensure that you configure an IPv4 address on the primary VLAN before you enable local proxy ARP.
● isolated—Configures the VLAN as an isolated VLAN.
● primary—Configures the VLAN as a primary VLAN.
Default
Regular VLAN
Command Mode
VLAN INTERFACE CONFIGURATION
Usage Information
● Configures a PVLAN as a community, isolated, or primary VLAN. You must not add VLAN members before you configure PVLAN mode.
Example—To configure an interface as PVLAN promiscuous port.
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# private-vlan mode promiscuous
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# private-vlan mode promiscuous

Example—To configure an interface as a secondary port.
OS10(conf-if-po-20)# private-vlan mode secondary-port
OS10(conf-if-po-20)# no private-vlan mode

Example—To configure a secondary port as a trunk port.
Parameters
vlan-id—(Optional) Enter a VLAN ID, from 1 to 4093.
Command Mode
EXEC
Usage Information
This command displays information about primary and secondary VLANs.
show vlan private-vlan isolated
Displays the isolated VLANs and their members (secondary-port) in the device.
Syntax
show vlan private-vlan isolated
Parameters
None
Command Mode
EXEC
Usage Information
Use this command to verify information about the isolated VLANs and the associated primary VLAN.
Parameters
interface-name—Enter the interface information in node/slot/port[:subport] format.
Command Mode
EXEC
Usage Information
Use this command to verify information about the PVLAN-specific details of an interface. This command displays the VLAN ID associated with the interface.
Example: PVLAN deployment with L2-L3 boundary at the spine layer

The following use case illustrates a deployment scenario in which the end devices that belong to different tenants are segregated using secondary VLANs. Here, the private VLAN domain spans two data centers using an ISL trunk port. In this example:
● The configured trunk port carries the traffic for both the primary and secondary VLANs.
AG1 Leaf Switch
1. Configure the VLTi member links between AG1 and AG2.
AG1(config)# interface ethernet1/1/11
AG1(conf-if-eth1/1/11)# no shutdown
AG1(conf-if-eth1/1/11)# no switchport
AG1(conf-if-eth1/1/11)# exit
AG1(config)# interface ethernet1/1/12
AG1(conf-if-eth1/1/12)# no shutdown
AG1(conf-if-eth1/1/12)# no switchport
AG1(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG1(config)# vlt-domain 255
AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-101)# vlt-port-channel 1022
AG1(conf-if-po-101)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG1(config)# interface vlan 100
AG1(conf-if-vl-100)# private-vlan mode primary
AG1(conf-if-vl-100)# exit
AG1(config)# interface vlan 200
AG1(conf-if-vl-200)# private-vlan mode primary
AG1(conf-if-vl-200)# exit
5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown
AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG1(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
AG2(conf-if-eth1/1/12)# no switchport
AG2(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG2(config)# vlt-domain 255
AG2(conf-vlt-255)# backup destination 100.104.80.14
AG2(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG2(conf-vlt-255)# peer-routing
AG2(conf-vlt-255)# primary-priority 65535
AG2(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG2(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG2(conf-if-eth1/1/10)# no switchport
AG2(conf-if-eth1/1/10)# channel-group 101 mode active
AG2(conf-if-eth1/1/10)# exit
AG2(config)# interface port-channel 101
AG2(conf-if-po-101)# vlt-port-channel 1022
AG2(conf-if-po-101)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG2(config)# interface vlan 100
AG2(conf-if-vl-100)# private-vlan mode primary
AG2(conf-if-vl-100)# exit
AG2(config)# interface vlan 200
AG2(conf-if-vl-200)# private-vlan mode primary
AG2(conf-if-vl-200)# exit
5.
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface ethernet1/1/2
AG2(conf-if-eth1/1/2)# no shutdown
AG2(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
AG3(config)# interface ethernet1/1/12
AG3(conf-if-eth1/1/12)# no shutdown
AG3(conf-if-eth1/1/12)# no switchport
AG3(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG3(config)# vlt-domain 255
AG3(conf-vlt-255)# backup destination 100.104.80.15
AG3(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG3(conf-vlt-255)# peer-routing
AG3(conf-vlt-255)# primary-priority 1
AG3(conf-vlt-255)# vlt-mac 00:00:00:00:00:02
AG3(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG3(config)# interface vlan 13
AG3(conf-if-vl-13)# private-vlan mode isolated
AG3(conf-if-vl-13)# exit
AG3(config)# interface vlan 21
AG3(conf-if-vl-21)# private-vlan mode community
AG3(conf-if-vl-21)# exit
AG3(config)# interface vlan 22
AG3(conf-if-vl-22)# private-vlan mode isolated
AG3(conf-if-vl-22)# exit
6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-eth1/1/11)# no switchport
AG4(conf-if-eth1/1/11)# exit
AG4(config)# interface ethernet1/1/12
AG4(conf-if-eth1/1/12)# no shutdown
AG4(conf-if-eth1/1/12)# no switchport
AG4(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG4(config)# vlt-domain 255
AG4(conf-vlt-255)# backup destination 100.104.80.
AG4(conf-if-vl-12)# private-vlan mode community
AG4(conf-if-vl-12)# exit
AG4(config)# interface vlan 13
AG4(conf-if-vl-13)# private-vlan mode isolated
AG4(conf-if-vl-13)# exit
AG4(config)# interface vlan 21
AG4(conf-if-vl-21)# private-vlan mode community
AG4(conf-if-vl-21)# exit
AG4(config)# interface vlan 22
AG4(conf-if-vl-22)# private-vlan mode isolated
AG4(conf-if-vl-22)# exit
6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200
AG4(conf-if-po-128)# exit

Spine Switch
1. Create the primary VLANs extended from AG1 and AG2.
SPINE(config)# interface vlan 100
SPINE(conf-if-vl-100)# ip address 172.1.1.1/16
SPINE(conf-if-vl-100)# exit
SPINE(config)# interface vlan 200
SPINE(conf-if-vl-200)# ip address 172.2.1.1/16
SPINE(conf-if-vl-200)# exit
2. Associate the VLT port channels to the primary VLANs extended from AG1 and AG2.
To verify private VLAN configurations, use the show vlan private-vlan mapping command.
AG1# show vlan private-vlan mapping
Private Vlan:
Primary : 100
Isolated : 13
Community : 11-12
Private Vlan:
Primary : 200
Isolated : 22
Community : 21
AG1#

To verify the MAC address table entries for the primary VLAN, use the show mac address-table command.

On primary VLAN
The output of this show command displays:
● The MAC addresses that are learned on the primary VLAN.
AG1 Leaf Switch
1. Configure the VLTi member links between AG1 and AG2.
AG1(config)# interface ethernet1/1/11
AG1(conf-if-eth1/1/11)# no shutdown
AG1(conf-if-eth1/1/11)# no switchport
AG1(conf-if-eth1/1/11)# exit
AG1(config)# interface ethernet1/1/12
AG1(conf-if-eth1/1/12)# no shutdown
AG1(conf-if-eth1/1/12)# no switchport
AG1(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG1(config)# vlt-domain 255
AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-3)# vlt-port-channel 1022
AG1(conf-if-po-3)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG1(config)# interface vlan 100
AG1(conf-if-vl-100)# private-vlan mode primary
AG1(conf-if-vl-100)# exit
AG1(config)# interface vlan 200
AG1(conf-if-vl-200)# private-vlan mode primary
AG1(conf-if-vl-200)# exit
5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown
AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG1(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
AG2 Leaf Switch
1. Configure the VLTi member links between AG1 and AG2.
AG2(config)# interface ethernet1/1/11
AG2(conf-if-eth1/1/11)# no shutdown
AG2(conf-if-eth1/1/11)# no switchport
AG2(conf-if-eth1/1/11)# exit
AG2(config)# interface ethernet1/1/12
AG2(conf-if-eth1/1/12)# no shutdown
AG2(conf-if-eth1/1/12)# no switchport
AG2(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG2(config)# vlt-domain 255
AG2(conf-vlt-255)# backup destination 100.104.80.
AG2(config)# interface ethernet1/1/22
AG2(conf-if-eth1/1/22)# no shutdown
AG2(conf-if-eth1/1/22)# no switchport
AG2(conf-if-eth1/1/22)# channel-group 128 mode active
AG2(conf-if-eth1/1/22)# exit
AG2(config)# interface port-channel 128
AG2(conf-if-po-128)# vlt-port-channel 1024
AG2(conf-if-po-128)# exit
AG2(config)# interface ethernet1/1/10
AG2(conf-if-eth1/1/10)# no shutdown
AG2(conf-if-eth1/1/10)# no switchport
AG2(conf-if-eth1/1/10)# channel-group 101 mode active
AG2(conf-if-eth1/1/10)# exit
AG2(config)# inte
AG2(config)# interface port-channel3
AG2(conf-if-po-3)# no shutdown
AG2(conf-if-po-3)# private-vlan mode secondary-port
AG2(conf-if-po-3)# exit
AG2(config)# interface port-channel4
AG2(conf-if-po-4)# no shutdown
AG2(conf-if-po-4)# private-vlan mode secondary-port
AG2(conf-if-po-4)# exit
AG2(config)# interface ethernet1/1/1
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface AG2(conf-if-eth1/1/2)# AG2(conf-if-eth1/1/2
AG2(conf-if-vl-200)# ip virtual-router address 172.2.0.254
AG2(conf-if-vl-200)# exit

AG3 Leaf Switch
1. Configure the VLTi member links between AG1 and AG2.
AG3(config)# interface ethernet1/1/11
AG3(conf-if-eth1/1/11)# no shutdown
AG3(conf-if-eth1/1/11)# no switchport
AG3(conf-if-eth1/1/11)# exit
AG3(config)# interface ethernet1/1/12
AG3(conf-if-eth1/1/12)# no shutdown
AG3(conf-if-eth1/1/12)# no switchport
AG3(conf-if-eth1/1/12)# exit
2. Configure the VLT domain.
AG3(config)# interface vlan 200
AG3(conf-if-vl-200)# private-vlan mode primary
AG3(conf-if-vl-200)# exit
5. Configure the secondary VLANs and the respective PVLAN modes.
9. Associate the ISL to the primary and the secondary VLANs as a normal trunk port.
AG3(config)# interface port-channel128
AG3(conf-if-po-128)# switchport mode trunk
AG3(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200
AG3(conf-if-po-128)# exit
10. Configure anycast MAC address.
AG3(config)# ip virtual-router mac-address 00:00:00:44:44:44
11. Configure IP address and anycast IP address on the primary VLANs.
AG3(config)# interface vlan 100
AG3(conf-if-vl-100)# ip address 172.1.1.
AG4(conf-if-eth1/1/21)# no shutdown
AG4(conf-if-eth1/1/21)# no switchport
AG4(conf-if-eth1/1/21)# channel-group 128 mode active
AG4(conf-if-eth1/1/21)# exit
AG4(config)# interface ethernet1/1/24
AG4(conf-if-eth1/1/24)# no shutdown
AG4(conf-if-eth1/1/24)# no switchport
AG4(conf-if-eth1/1/24)# channel-group 128 mode active
AG4(conf-if-eth1/1/24)# exit
AG4(config)# interface port-channel128
AG4(conf-if-po-128)# vlt-port-channel 1024
AG4(conf-if-po-128)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG4(config)# interface ethernet1/1/2
AG4(conf-if-eth1/1/2)# no shutdown
AG4(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG4(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
SPINE(config)# interface ethernet1/1/11
SPINE(conf-if-eth1/1/11)# no shutdown
SPINE(conf-if-eth1/1/11)# no switchport
SPINE(conf-if-eth1/1/11)# channel-group 101 mode active
SPINE(conf-if-eth1/1/11)# exit
3. (Optional) To enable connectivity between end devices that belong to different secondary VLANs (community or isolated or both) of a PVLAN domain, enable ip local-proxy-arp on the VLAN in the spine switch.
SPINE(config)# interface vlan100
SPINE(conf-if-vl-100)# ip address 172.1.1.
Configure local monitoring session
1. Verify that the intended monitoring port has no configuration other than no shutdown and no switchport.
show running-configuration
2. Create a monitoring session in CONFIGURATION mode.
monitor session session-id [local]
3. Enter the source and direction of the monitored traffic in MONITOR-SESSION mode.
source interface interface-type {both | rx | tx}
4. Enter the destination of traffic in MONITOR-SESSION mode.
Session and VLAN requirements

RPM requires the following:
● Source session, such as monitored ports on different source devices.
● Reserved tagged VLAN for transporting monitored traffic configured on source, intermediate, and destination devices.
● Destination session, where destination ports connect to analyzers on destination devices.

Configure any network device with source and destination ports.
Restrictions
● When you use a source VLAN, enable flow-based monitoring using the flow-based enable command.
● In a source VLAN, only received (rx) traffic is monitored.
● If the port channel or VLAN has a member port configured as a destination port in a remote port monitoring session, you cannot configure a source port channel or source VLAN in a source session.
OS10(conf-if-po-1)# switchport mode trunk
OS10(conf-if-po-1)# switchport trunk allowed vlan 1000
OS10(conf-if-po-1)# exit
OS10(config)# monitor session 10 type rpm-source
OS10(conf-mon-rpm-source-10)# source interface ethernet 1/1/1 rx
OS10(conf-mon-rpm-source-10)# destination remote-vlan 1000
OS10(conf-mon-rpm-source-10)# no shut

Switch2 - intermediate switch configuration
OS10(config)# interface vlan 1000
OS10(conf-if-vl-1000)# description "used for remote span"
OS10(conf-if-vl-1000)# exit
OS10(config)# i
● ERPM does not support Equal Cost Multi Path (ECMP).
● You can use third-party devices only as tunnel-transit devices.
● OS10 does not support monitoring VLAN subinterfaces and CPU-generated packets.

Configure encapsulated remote port monitoring

Encapsulated remote port monitoring requires valid source and destination IP addresses. Ensure that the source IP address is local and the destination IP address is remote.
Flow-based monitoring

Flow-based monitoring conserves bandwidth by inspecting only specified traffic instead of all interface traffic. Using flow-based monitoring, you can monitor only traffic received by the source port that matches criteria in ingress access-lists (ACLs). IPv4 ACLs, IPv6 ACLs, and MAC ACLs support flow-based monitoring.
1. Enable flow-based monitoring for a monitoring session in MONITOR-SESSION mode.
flow-based enable
2. Return to CONFIGURATION mode.
exit
3.
RPM on VLT scenarios

Consider a simple VLT setup where two VLT devices are connected using VLTi and a top-of-rack switch is connected to both the VLT peers using VLT LAGs in a ring topology. In this setup, the following table describes the possible scenarios when you use RPM to mirror traffic.
NOTE: Ports that connect to the VLT domain, but are not part of the VLT-LAG, are called orphan ports.
Table 62.
Table 62. RPM on VLT scenarios (continued) Scenario Recommendation destination interface ethernet 1/1/10 flow-based enable source interface ethernet1/1/1 no shut ! Mirror a VLAN with a VLTi LAG as the member to the VLT LAG on the same VLT device. The packet analyzer connects to the ToR switch. — Mirror a VLT LAG of the ToR, or any port in the ToR to any orphan port in the VLT device. Configure VLT nodes as intermediate devices. The packet analyzer connects to the ToR switch.
Example OS10(conf-mon-local-1)# description remote OS10(conf-mon-rpm-source-5)# description "RPM Sesssion" OS10(conf-mon-erpm-source-10)# description "ERPM Session" Supported Releases 10.2.0E or later destination Sets the destination where monitored traffic is sent to. The monitoring session can be local, RPM, or ERPM. Syntax destination {interface interface-type | remote-vlan vlan-id} Parameters interface-type—Enter the interface type for a local monitoring session.
ip Configures the IP time-to-live (TTL) value and the differentiated services code point (DSCP) value for the ERPM traffic. Syntax ip {ttl ttl-number | dscp dscp-number} Parameters ● ttl-number—Enter the TTL value, from 1 to 255. ● dscp-number—Enter the DSCP value, from 0 to 63. Default ● TTL: 255 ● DSCP: 0 Command Mode MONITOR-SESSION (ERPM) Usage Information The no version of this command removes the configured TTL and DSCP values.
Default All Command Mode EXEC Usage Information In the State field, true indicates that the port is enabled. In the Reason field, Is UP indicates that hardware resour Example (specific session) Example (all sessions) Supported Releases OS10# show monitor session 1 S.Id Source Destination Dir Mode Source IP Dest IP DSCP TTL Gre-Pr ---------------------------------------------------------------------------------1 ethernet1/1/1 remote-ip both port 11.11.11.1 11.11.11.
○ port-channel id-number—Enter the port-channel interface number as the monitored source, from 1 to 128. ○ vlan vlan-id—Enter the VLAN identifier as the monitored source, from 1 to 4093. ● both—Monitor both receiving and transmitting packets. This option is not supported on VLAN interfaces. ● rx—Monitor only received packets. ● tx—Monitor only transmitted packets. This option is not supported on VLAN interfaces.
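The source-VLAN restrictions and the ERPM ip ranges described in this chapter can be checked mechanically against a saved configuration. The following is an added example, not code from the guide or from Dell: the sample configuration is constructed, and the one-space indentation of sub-commands and the `type erpm-source` keyword (inferred from the conf-mon-erpm-source prompt) are assumptions.

```python
import re

# Constructed sample, not taken from a real switch. The "type erpm-source"
# keyword is inferred from the conf-mon-erpm-source prompt shown in this guide.
SAMPLE_MONITOR_CONFIG = """\
monitor session 10 type rpm-source
 source interface ethernet 1/1/1 rx
 destination remote-vlan 1000
 no shut
!
monitor session 11 type rpm-source
 source interface vlan 20 both
 destination remote-vlan 1000
 no shut
!
monitor session 12 type erpm-source
 source interface vlan 30 rx
 flow-based enable
 ip ttl 300
 ip dscp 10
 no shut
!
"""

SESSION_RE = re.compile(r"monitor session (\d+)(?: type (\S+))?")
SOURCE_RE = re.compile(
    r"source interface (ethernet|port-channel|vlan)\s*(\S+)(?: (both|rx|tx))?")
IP_RE = re.compile(r"ip (ttl|dscp) (\d+)")
IP_LIMITS = {"ttl": (1, 255), "dscp": (0, 63)}  # ranges from the ip command reference


def parse_monitor_sessions(config):
    """Return {session_id: {"type", "sources", "flow_based", "ip"}}."""
    sessions, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = SESSION_RE.fullmatch(line)
        if header:
            current = {"type": header.group(2), "sources": [],
                       "flow_based": False, "ip": {}}
            sessions[int(header.group(1))] = current
        elif line == "!":
            current = None  # "!" closes the session block
        elif current is not None:
            source, ip_opt = SOURCE_RE.fullmatch(line), IP_RE.fullmatch(line)
            if source:
                current["sources"].append(source.groups())
            elif ip_opt:
                current["ip"][ip_opt.group(1)] = int(ip_opt.group(2))
            elif line == "flow-based enable":
                current["flow_based"] = True
    return sessions


def audit_monitor_sessions(config):
    """Return (session_id, message) for each documented restriction that is violated."""
    findings = []
    for sid, session in sorted(parse_monitor_sessions(config).items()):
        for kind, ident, direction in session["sources"]:
            if kind != "vlan":
                continue
            # A source VLAN needs flow-based monitoring enabled in the session.
            if not session["flow_based"]:
                findings.append((sid, f"source vlan {ident} requires flow-based enable"))
            # both and tx are not supported on VLAN interfaces.
            if direction in ("both", "tx"):
                findings.append(
                    (sid, f"source vlan {ident} set to {direction}; "
                          "only rx traffic is monitored on a VLAN"))
        for option, value in sorted(session["ip"].items()):
            low, high = IP_LIMITS[option]
            if not low <= value <= high:
                findings.append((sid, f"ip {option} {value} is outside {low}-{high}"))
    return findings


if __name__ == "__main__":
    for session_id, message in audit_monitor_sessions(SAMPLE_MONITOR_CONFIG):
        print(f"session {session_id}: {message}")
```

Because a monitoring session copies traffic to another port, VLAN, or IP address, the same parse also gives an inventory of every configured session to reconcile against approved captures.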
14 Layer 3
Bidirectional forwarding detection (BFD) Provides rapid failure detection in links with adjacent routers (see BFD commands).
Border Gateway Protocol (BGP) Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands).
Equal Cost Multi-Path (ECMP) Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Commands).
1. Enter the ip vrf management command in CONFIGURATION mode. Use Non-Transaction-Based Configuration mode only. Do not use Transaction-Based mode. 2. Add the management interface using the interface management command in VRF CONFIGURATION mode. Configure management VRF OS10(config)# ip vrf management OS10(conf-vrf)# interface management You can enable various services in both the management and default VRF instances. The services that are supported in the management and default VRF instances are: Table 63.
The following example shows removing the IP address, configuring the management VRF, and then adding the IP address: OS10(conf-if-ma-1/1/1)# do show version Dell EMC Networking OS10 Enterprise Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved. OS Version: 10.5.2.0 Build Version: 10.5.2.0.
When you create a new non-default VRF instance, OS10 does not assign any interface to it. You can assign the new VRF instance to any of the existing physical or logical interfaces, provided they are not already assigned to another non-default VRF. NOTE: When you create a new logical interface, OS10 assigns it automatically to the default VRF instance. In addition, OS10 initially assigns all physical Layer 3 interfaces to the default VRF instance.
ip address 10.1.1.1/24 4. Assign an IPv6 address to the interface. INTERFACE CONFIGURATION ipv6 address 1::1/64 You can also auto configure an IPv6 address using the ipv6 address autoconfig command. Assign an interface back to the default VRF instance Table 64. Configurations to be deleted CONFIGURATION MODE COMMAND IP address—In interface configuration mode, undo the IP address configuration.
Deleting a non-default VRF instance Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first deleted or disabled. The following procedure describes how to delete a non-default VRF instance: After deleting all dependencies, you can delete the non-default VRF instances that you have created.
Figure 4. Setup VRF Interfaces Router 1 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 128,192,256 flowcontrol receive off ! interface ethernet1/1/2 no shutdown no switchport ip vrf forwarding blue ip address 20.0.0.
no switchport ip vrf forwarding orange ip address 30.0.0.1/24 ! interface ethernet1/1/4 no shutdown no switchport ip vrf forwarding green ip address 40.0.0.1/24 ! interface vlan128 mode L3 no shutdown ip vrf forwarding blue ip address 1.0.0.1/24 ! interface vlan192 mode L3 no shutdown ip vrf forwarding orange ip address 2.0.0.1/24 ! ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.1/24 ! ip route vrf green 31.0.0.0/24 3.0.0.
ip vrf forwarding orange ip address 2.0.0.2/24 ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.2/24 ! ip route vrf green 30.0.0.0/24 3.0.0.
Router 2 show command output OS10# show ip vrf VRF-Name blue Interfaces Eth1/1/5 Vlan128 default Mgmt1/1/1 Vlan1,24-25,200 green Eth1/1/7 Vlan256 orange Eth1/1/6 Vlan192 OS10# show ip route vrf blue Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of las
Static route leaking Route leaking enables routes that are configured in a default or non-default VRF instance to be made available to another VRF instance. You can leak routes from a source VRF instance to a destination VRF instance. The routes need to be leaked in both source and destination VRFs to achieve end-to-end traffic flow. If there are any connected routes in the same subnet as statically leaked routes, then the connected routes take precedence.
--------------------------------------------------------------------------------------------------C 120.0.0.0/24 via 120.0.0.1 ethernet1/1/1 0/0 00:00:57 S 140.0.0.
Figure 5. Route leaking between VRFs with asymmetric IRB routing For VXLAN-related configurations, see Configure VXLAN. To configure route leaking between VRFs with asymmetric IRB routing: VTEP1 1. Configure the IP helper address, specifying the DHCP server IP address in the client-connected virtual networks with the client-connected VRF name. For an IPv6 DHCP helper address, specify the server VRF in the helper-address command. VTEP1(config)# interface virtual-network 10 VTEP1(conf-if-vn-10)# ip helper-address 20.
VTEP2 1. Configure the IP helper address, specifying the DHCP server IP address in the client-connected virtual networks with the client-connected VRF name. For an IPv6 DHCP helper address, specify the server VRF in the helper-address command. VTEP2(config)# interface virtual-network 10 VTEP2(conf-if-vn-10)# ip helper-address 20.1.1.100 vrf GREEN 2. Configure loopback interfaces. Assign the loopback interfaces as source interfaces for the VRF.
Table 65. Unsupported export and import route map attributes (continued) Route map option Attribute Protocol set community BGP set comm-list BGP set tag OSPF set extcommunity BGP set extcomm-list BGP set local-preference BGP set origin BGP set metric-type BGP set weight BGP set route-type local BGP Table 66.
● If a route is present in the local VRF and the same route is leaked from another VRF with the same administrative distance, OS10 prefers the local route. ● When OS10 compares routes that are received from different sources, the software prefers routes with the lowest administrative distance. If the administrative distance is the same, the software prefers the route with lowest metric value. If the metric is also the same, the software prefers the local route, if available.
Leak all IPv6 routes from one VRF to another VRF Use the following procedure to export (leak) all IPv6 routes from all routing protocols from one VRF instance to another VRF instance: 1. Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name 2. Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode. ipv6 route-export route-target 3. Enter the VRF instance to which you want to leak routes in CONFIGURATION mode. ip vrf destination-vrf-name 4.
● Enter the VRF instance to which you want to leak routes in CONFIGURATION mode. ip vrf destination-vrf-name ● Import routes from another VRF instance in VRF-CONFIGURATION mode using the same route target. ip route-import route-target route-map route-map-name Or ipv6 route-import route-target route-map route-map-name Use any of the supported match or set attributes as required. ● Export routes from the second VRF instance to the first VRF instance in VRF-CONFIGURATION mode using a different route target.
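Route targets decide which VRFs can reach each other, so a saved configuration can be audited for leaks that weaken VRF separation or that cannot carry return traffic. The following is an added example, not code from the guide or from Dell: the sample configuration is constructed, and it assumes sub-commands are indented under `ip vrf` and that IPv4 (`ip`) and IPv6 (`ipv6`) route targets are matched separately.

```python
import re

# Constructed sample, not taken from a real switch.
SAMPLE_VRF_CONFIG = """\
ip vrf vrf1
 ip route-export 1:1 route-map export_static
 ip route-import 2:2
!
ip vrf vrf2
 ip route-import 1:1
 ip route-export 2:2 route-map export_static
 ip route-import 3:3
!
ip vrf vrf3
 ip route-export 3:3
 ip route-import 9:9
!
interface ethernet1/1/2
 ip vrf forwarding vrf1
!
"""

VRF_RE = re.compile(r"ip vrf (\S+)")
LEAK_RE = re.compile(r"(ip|ipv6) route-(export|import) (\S+)(?: route-map (\S+))?")


def parse_leak_statements(config):
    """Return a list of (vrf, family, direction, route_target, route_map)."""
    statements, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        top = VRF_RE.fullmatch(raw)  # unindented "ip vrf NAME" only
        if top:
            current = top.group(1)
        elif line == "!" or (line and not raw.startswith(" ")):
            current = None  # any other top-level line ends the VRF block
        elif current:
            match = LEAK_RE.fullmatch(line)
            if match:
                statements.append((current, *match.groups()))
    return statements


def leak_edges(statements):
    """Pair each export with every import of the same family and route target.

    Each edge is (source_vrf, dest_vrf, family, route_target, export_map, import_map).
    """
    exports = [s for s in statements if s[2] == "export"]
    imports = [s for s in statements if s[2] == "import"]
    return [(e[0], i[0], e[1], e[3], e[4], i[4])
            for e in exports for i in imports
            if e[1] == i[1] and e[3] == i[3] and e[0] != i[0]]


def audit_vrf_leaks(config):
    """Return sorted (kind, detail) findings for the leak configuration."""
    statements = parse_leak_statements(config)
    edges = leak_edges(statements)
    directions = {(src, dst, fam) for src, dst, fam, *_ in edges}
    findings = []
    for src, dst, fam, target, export_map, import_map in edges:
        label = f"{fam} {src}->{dst} rt {target}"
        # No route map on either side: every exported route is accepted.
        if export_map is None and import_map is None:
            findings.append(("unfiltered", label))
        # Routes must be leaked in both VRFs for end-to-end traffic flow.
        if (dst, src, fam) not in directions:
            findings.append(("one-way", label))
    exported = {(s[1], s[3]) for s in statements if s[2] == "export"}
    for vrf, fam, direction, target, _ in statements:
        # An import with no exporter does nothing until some VRF exports the target.
        if direction == "import" and (fam, target) not in exported:
            findings.append(("no-exporter", f"{fam} {vrf} imports rt {target}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit_vrf_leaks(SAMPLE_VRF_CONFIG):
        print(f"{kind}: {detail}")
```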
In the following example, a route map exports only the static routes from vrf1 and is received by vrf2.
In the following example, a route map exports only the iBGP routes from vrf1 and is received by vrf2.
Redistribute leaked routes from one VRF to another VRF Use the following procedure to export (leak) and redistribute specific IPv4 routes from one VRF instance to another VRF instance: ● Create a route map. route-map route-map-name Use any of the supported match or set attributes as required. ● Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name ● Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode.
○ Redistribute leaked EVPN routes in BGP-AF-CONFIGURATION mode. redistribute l2vpn evpn [route-map rmap-name] ○ Use the following command to redistribute leaked routes across routing protocols as available: redistribute {connected | bgp | ospf | static | l2vpn evpn} Use any of the supported match or set attributes as required.
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_iBGP OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ip vrf vrf2 OS10(conf-vrf)# ipv6 route-import 1:1 OS10(conf-vrf)# ipv6 route-export 2:2 route-map export_iBGP OS10(config)# router bgp 65000 OS10(config-router-bgp-65000)# vrf vrf2 OS10(config-router-bgp-65000-vrf)# address-family ipv6 unicast OS10(configure-router-bgpv6-vrf-af)# redistribute imported-bgp-routes vrf vrf1 Example - Redistribute leaked
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_EVPN OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ipv6 route-import 1:1 OS10(config)# ipv6 route-export 2:2 route-map export_EVPN OS10(config)# router bgp 100 OS10(config-router-bgp-100)# address-family ipv6 unicast OS10(configure-router-bgpv6-af)# redistribute l2vpn evpn Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology The following VXLAN with BGP EVPN example uses a C
The following explains how the network is configured: ● All VTEPs perform symmetric IRB routing. In this example, all spine nodes are in one autonomous system and each VTEP in the leaf network belongs to a different autonomous system. Spine switch 1 is in AS 101. Spine switch 2 is in AS 101. For leaf nodes, VLT domain 1 is in AS 201; VLT domain 2 is in AS 202. VLT domain 2 is a border leaf VTEP.
● On VTEPs 1 and 2, two VRFs are present – VRF-Yellow and VRF-Green. VN10001 is part of VRF-Yellow and VN20001 is part of VRF-Green. ● On VTEPs 3 and 4, three VRFs are present – VRF-Yellow, VRF-Green and VRF-Red. VN10001 is part of VRF-Yellow and VN30001 is part of VRF-Red. VRF-Green does not have local VNs. ● On all VTEPs, symmetric IRB is configured in EVPN mode using a unique, dedicated VXLAN VNI, and Auto RD/RT values for each tenant VRF.
3. Configure EVPN with IP-VRFs.
OS10(config-evpn)# vrf Green OS10(config-evpn-vrf-Green)# advertise ipv4 bgp OS10(config-evpn-vrf-Green)# exit b. If the border-leaf does not get a default route from an external router: Configure a static null default route in each VRF and advertise it using advertise ipv4 static command for each VRF in the EVPN. OS10(config)# ip route vrf Yellow 0.0.0.0/0 interface null 0 OS10(config)# ip route vrf Green 0.0.0.
OS10(config-route-map)# match ip address prefix-list PrefixList_Deny_YellowVrfRoutes OS10(config-route-map)# OS10(config-route-map)# router bgp 202 OS10(config-router-bgp-202)# address-family ipv4 unicast OS10(configure-router-bgpv4-af)# redistribute l2vpn evpn OS10(configure-router-bgpv4-af)# redistribute connected OS10(configure-router-bgpv4-af)# exit OS10(config-router-bgp-202)# neighbor 192.168.2.
4. Configure a border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to an external network, and also to networks that are not within the local VRF, reaches the border-leaf router using this default route. a. If the border-leaf is already getting a default route from an external router for each VRF: Advertise the BGP route using the advertise ipv4 bgp command for each VRF in the EVPN.
OS10(config)# ip vrf Red OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# exit 7. (Optional) For advertising leaked routes from the Yellow VRF only to an external router in the default VRF and not to an underlay network, use route-maps on spine facing eBGP neighbors and also on the iBGP neighbor between the VLT peers. OS10(config)# ip prefix-list PrefixList_Deny_YellowVrfRoutes deny 10.1.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is Direct to network 0.0.0.0 Destination Gateway Dist/ Metric Last Change --------------------------------------------------------------------------------------------------------*S 0.0.0.0/0 Direct null0 0/0 00:39:24 C 10.1.0.0/24 via 10.1.0.
B EX 172.16.1.1/32 20/0 00:22:58 B EX 172.16.1.2/32 20/0 00:22:58 B EX 172.16.1.3/32 20/0 00:22:58 B EX 172.16.1.4/32 20/0 00:22:58 B EX 172.16.1.201/32 20/0 00:22:58 B EX 172.16.1.202/32 20/0 00:22:58 B EX 192.168.0.1/32 20/0 00:22:58 B EX 192.168.0.2/32 20/0 00:22:58 B EX 192.168.2.0/31 20/0 00:14:11 B EX 192.168.2.2/31 20/0 00:14:11 B EX 192.168.2.4/31 20/0 00:13:49 B EX 192.168.2.6/31 20/0 00:13:49 B EX 192.168.2.240/31 20/0 00:14:11 via 10.10.0.1 via 10.10.0.2 via 10.10.0.1 via 10.10.0.2 via 10.10.0.
ip domain-list vrf Configures a domain list for the management VRF instance or any non-default VRF instance that you create. Syntax ip domain-list vrf {management | vrf-name} domain-names Parameters ● management—Enter the keyword management to configure a domain list for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a domain list for that non-default VRF instance. ● domain-names—Enter the list of domain names.
Usage Information Enter the ip vrf vrf-name command only in non-transaction-based configuration mode. Do not use transaction-based mode. You can create up to a maximum of 128 non-default VRF instances. The no ip vrf vrf-name command removes the non-default VRF instance that you specify. Example OS10(config)# ip vrf vrf-test OS10(conf-vrf-test)# Supported Releases 10.4.1.0 or later ip ftp vrf Configures an FTP client for the management or non-default VRF instance.
ip http vrf Configures an HTTP client for the management or non-default VRF instance. Syntax ip http vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an HTTP client for the management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an HTTP client for that non-default VRF instance.
To filter IPv4 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ip route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ip route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ip route-export Exports an IPv4 static route from one VRF instance to another.
To filter IPv6 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ipv6 route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ipv6 route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ipv6 route-export Exports an IPv6 static route from a VRF instance to another VRF instance.
Example OS10(config)# ip scp vrf management OS10(config)# ip scp vrf vrf-blue Supported Releases 10.4.0E(R1) or later ip sftp vrf Configures an SFTP client for the management or non-default VRF instance. Syntax ip sftp vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an SFTP client for a management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Usage Information Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration. Example OS10(config)# ip vrf management OS10(conf-vrf)# Supported Releases 10.4.0E(R1) or later match source-protocol Matches the source routing protocol in a route map.
redistribute imported-bgp-routes Redistributes leaked eBGP and iBGP routes from a VRF domain into the BGP session of another VRF domain. Syntax redistribute imported-bgp-routes vrf vrf-name [route-map route-map-name] Parameters ● vrf vrf-name—Enter the VRF instance from which to import routes. ● route-map route-map-name—Enter the route map name to filter the leaked BGP routes.
Usage Information Redistribute leaked routes from all imported VRFs to another VRF with additional filtering using a route map. There is no option to redistribute specific leaked OSPF routes of a VRF.
show hosts vrf Displays the host table in the management or non-default VRF instance. Syntax show hosts vrf {management | vrf-name} Parameters ● management—Enter the keyword management to display the host table in the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to display the host table in that VRF instance. Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show hosts vrf management Default Domain Name : dell.
update-source-ip Configures a source IP interface for any leaked route in a VRF instance. Syntax update-source-ip interface interface-id To undo this configuration, use the no update-source-ip command. Parameters ● interface interface-id — Enter the loopback interface identifier. The range is from 0 to 16383. Default Not configured Command Mode VRF CONFIGURATION Example OS10(conf-vrf)# update-source-ip loopback 1 Supported Releases 10.4.2E or later.
A BFD session can have four states: Administratively Down, Down, Init, and Up. The default BFD session state is Down. ● Administratively Down — The local BFD router does not participate in the session. ● Down — The remote BFD router is not sending control packets or does not send them within the detection time for the session. ● Init — The local BFD router is communicating to the remote router in the session. ● Up — Both BFD routers are sending control packets.
state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged. BFD configuration Before you configure BFD for a routing protocol, first enable BFD globally on both routers in the link. BFD is disabled by default. ● OS10 does not support Demand mode, authentication, and Echo function. ● OS10 does not support BFD on multi-hop and virtual links. ● OS10 supports protocol liveness only for routing protocols.
● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 50 to 1000. The default is 200. Dell EMC recommends using more than 100 milliseconds. ● multiplier number — Enter the number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. The default is 3. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time.
When you configure a BFD session with a BGP neighbor, you can: ● Establish a BFD session with a specified BGP neighbor using the neighbor ip-address and bfd commands. ● Establish BFD sessions with all neighbors discovered by BGP using the bfd all-neighbors command. For example: Router 1 OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 2.2.4.
Configure BFD for BGP OS10 supports BFD sessions with IPv4 or IPv6 BGP neighbors using the default VRF. When you configure BFD for BGP, you can enable BFD sessions with all BGP neighbors discovered by BGP or with a specified neighbor. 1. Configure BFD session parameters and enable BFD globally on all interfaces in CONFIGURATION mode as described in Configure BFD globally. bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} bfd enable 2.
OS10(config-router-bgp-4)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active BFD for BGP single-neighbor configuration OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 150.150.1.
Last read 00:24:31 seconds Hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Fall-over disabled Neighbor is using Global level BFD Configuration Received 784 messages 1 opens, 0 notifications, 0 updates 783 keepalives, 0 route refresh requests Sent 780 messages 2 opens, 0 notifications, 0 updates 778 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Ca
CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospf ospf-instance CONFIGURATION Mode 3. Establish sessions with all OSPFv2 neighbors. bfd all-neighbors ROUTER-OSPF Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5. Establish BFD sessions with OSPFv2 neighbors corresponding to a single OSPF interface.
ip vrf forwarding red ip address 30.1.1.1/24 ip ospf 200 area 0.0.0.0 ! router ospf 200 vrf red bfd all-neighbors log-adjacency-changes router-id 2.3.3.1 ! In this example OSPF is enabled in non-default VRF red. BFD is enabled globally at the router OSPF level and all the interfaces associated with this VRF OSPF instance inherit the global BFD configuration. However, this global BFD configuration does not apply to interfaces in which the interface level BFD configuration is already present.
1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Establishing BFD sessions with OSPFv3 neighbors To establish BFD sessions with OSPFv3 neighbors: 1. Enable BFD globally bfd enable CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospfv3 ospfv3-instance CONFIGURATION 3. Establish sessions with all OSPFv3 neighbors. bfd all-neighbors ROUTER-OSPFv3 Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5.
Changing OSPFv3 session parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbors sessions.
3. Configure BFD for static route using the ip route bfd command. Establishing BFD Sessions for IPv4 Static Routes Sessions are established for all neighbors that are the next hop of a static route. To establish a BFD session, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route.
Establishing BFD Sessions for IPv6 Static Routes To establish a BFD session for IPv6 static routes, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route. ipv6 route bfd [interval interval min_rx min_rx multiplier value role {active | passive}] CONFIGURATION Mode Enter the time interval for sending and receiving BFD control packets from 50 to 1000.
The following example enables BFD for specific static routes on a nondefault VRF: OS10(config)#ip route vrf LAN2 10.2.2.0/24 10.1.1.
OS10(config-router-neighbor)# bfd OS10(config-router-neighbor)# no shutdown OS10(config)# router bgp 300 OS10(config-router-bgp-300)# template ebgppg OS10(config-router-template)# bfd OS10(config-router-template)# exit OS10(config-router-bgp-300)# neighbor 3.1.1.1 OS10(config-router-neighbor)# inherit template ebgppg OS10(config-router-neighbor)# no shutdown Supported releases 10.4.1.
Parameters None Default Not configured Command Mode ROUTER-NEIGHBOR Usage Information Use the neighbor ip-address command in ROUTER-BGP mode to specify a neighbor. Use the bfd disable command to disable BFD sessions with the neighbor. Example OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 10.1.1.1 OS10(config-router-neighbor)# bfd disable Supported releases 10.4.1.0 or later bfd enable Enables BFD on all interfaces on the switch.
command. The no version of this command deletes the configured global settings and returns to the default values. If you enable BFD on a specific static route, use the bfd interval command to configure the BFD parameters for that specific static route. Example OS10(config)# bfd interval 250 min_rx 300 multiplier 4 role passive Supported releases 10.4.1.0 or later ip ospf bfd all-neighbors Enables and configures the default BFD parameters for all OSPFv2 neighbors in this interface.
● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 100 to 1000. Dell EMC recommends using more than 100 milliseconds. ● multiplier number — Enter the maximum number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time.
Supported releases 10.4.2E or later ipv6 route bfd Enables or disables BFD on IPv6 static routes. Syntax ipv6 route [vrf vrf-name] bfd [interval millisec min_rx min_rx multiplier role {active | passive}] Parameters ● vrf vrf-name — Enter the keyword VRF and then the name of the VRF to configure static route in that VRF. ● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 50 to 1000.
Example OS10# show bfd neighbors * - Active session role ---------------------------------------------------------------------------------LocalAddr RemoteAddr Interface State RxInt TxInt Mult VR ---------------------------------------------------------------------------------* 100.100.1.1 100.100.1.2 ethernet1/1/26:1 up 200 200 3 re * 100.100.3.1 100.100.3.2 ethernet1/1/26:3 up 200 200 3 de * 200.1.1.2 200.1.1.1 vlan102 up 200 200 3 bl * 200.1.5.2 200.1.5.1 vlan105 up 200 200 3 de * 200.1.11.2 200.1.11.
Autonomous systems BGP autonomous systems are a collection of nodes under a single administration with shared network routing policies. Each AS has a number, which an Internet authority assigns—you do not assign the BGP number. The Internet Assigned Numbers Authority (IANA) identifies each network with a unique AS number (ASN). AS numbers 64512 through 65534 are reserved for private purposes. AS numbers 0 and 65535 cannot be used in a live environment.
● When you redistribute OSPFv3 routes to BGP, including External Type-2 routes, the multi-exit discriminator (MED) attribute is set to the OSPF route metric plus one instead of the OSPF route metric value. ● When you configure the bgp bestpath router-id ignore command, for non-best paths, the show ip bgp output displays Inactive reason: Router ID. ● Do not configure the IP address of the router as a BGP neighbor. This action causes the address to be accepted as an invalid neighbor address.
FE80::/16 ● ::0002-::FFFF- all prefixes Route reflectors Route reflectors (RRs) reorganize the IBGP core into a hierarchy and allow route advertisement rules. Route reflection divides IBGP peers into two groups — client peers and nonclient peers. ● If a route is received from a nonclient peer, it reflects the route to all client peers ● If a route is received from a client peer, it reflects the route to all nonclient and client peers An RR and its client peers form a route reflection cluster.
Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are called BGP attributes which influence route selection for designing robust networks. There are no hard coded limits on the number of supported BGP attributes.
8. If you enable the bgp bestpath router-id ignore command and: ● If the Router-ID is the same for multiple paths because the routes were received from the same route—skip this step. ● If the Router-ID is not the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed. 9. Prefer the external path originated from the BGP router with the lowest router ID.
One AS assigns the MED a value. Other ASs use that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session. AS 200 sets the MED for its Link 1 exit point to 100 and the MED for its Link 2 exit point to 50. This sets up a path preference through Link 2. The MEDs advertise to AS 100 routers so they know which is the preferred path. MEDs are nontransitive attributes.
Best path selection Best path selection selects the best route out of all paths available for each destination, and records each selected route in the IP routing table for traffic forwarding. Only valid routes are considered for best path selection. BGP compares all paths, in the order in which they arrive, and selects the best paths. Paths for active routes are grouped in ascending order according to their neighboring external AS number.
Advertise cost As the default process for redistributed routes, OS10 supports IGP cost as MED. Both autosummarization and synchronization are disabled by default. BGPv4 and BGPv6 support ● Deterministic MED, default ● A path with a missing MED is treated as worst path and assigned an 0xffffffff MED value. ● Delayed configuration at system boot—OS10 reads the entire configuration file BEFORE sending messages to start BGP peer sessions.
Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B — Router B has Router C as its client. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration. Local-AS allows Router B to appear as if it still belongs to Router B’s old network, AS 200, to communicate with Router C.
Enable BGP Before enabling BGP, assign a BGP router ID to the switch using the following command: ● In the ROUTER BGP mode, enter the router-id ip-address command, where ip-address is the IP address corresponding to a configured L3 interface (physical, loopback, or LAG). BGP is disabled by default. The system supports one AS number — you must assign an AS number to your device. To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
5.1.1.2 4294967295 0 0 0 0 0 00:00:00 Active
For the router ID, the system selects the first configured IP address or a random number. To view the status of BGP neighbors, use the show ip bgp neighbors command. For BGP neighbor configuration information, use the show running-configuration bgp command. The example shows two neighbors — one is an external BGP neighbor and the other is an internal BGP neighbor.
4. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte. remote-as as-number 5. Enable the BGP neighbor in ROUTER-NEIGHBOR mode. no shutdown 6. (Optional) Add a description text for the neighbor in ROUTER-NEIGHBOR mode. description text To reset the configuration when you change the configuration of a BGP neighbor, use the clear ip bgp * command. To view the BGP status, use the show ip bgp summary command.
4. Enable BGP on the device. router bgp as-number 5. Enter an unnumbered neighbor in ROUTER-BGP mode. neighbor interface interface-type interface interface-type — (Optional) Enter one of the following interface types: ● ethernet node/slot/port[:subport] — Display Ethernet interface information. ● port-channel id-number — Display port channel interface IDs, from 1 to 128. ● vlan vlan-id — Display the VLAN interface number, from 1 to 4093. 6. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
4_OCTET_AS(65) Extended Next Hop Encoding (5) Capabilities advertised to neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) Extended Next Hop Encoding (5) Prefixes accepted 0, Prefixes advertised 0 Connections established 1; dropped 0 Last reset never Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45
Configure an auto-unnumbered neighbor To configure an auto-unnumbered neighbor: 1. Configure minimum and maximum RA intervals in CONFIGURATION mode. ipv6 nd min-ra-interval interval ipv6 nd max-ra-interval interval 2. Configure physical or port-channel interfaces as Layer 3 interfaces in INTERFACE mode. interface range ethernet 1/1/1-1/1/4 no shutdown no switchport 3. Enable RAs on the interfaces in INTERFACE mode. ipv6 nd send-ra 4.
Router A configuration 1. Configure recommended RA timers globally for fast convergence in CONFIGURATION mode. OS10-A(config)# ipv6 nd min-ra-interval 3 OS10-A(config)# ipv6 nd max-ra-interval 4 2. Make the required interfaces in CONFIGURATION mode and convert them to Layer 3 routing interfaces. OS10-A(config)# interface range ethernet 1/1/1-1/1/4 OS10-A(conf-range-eth1/1/1-1/1/4)# no shutdown OS10-A(conf-range-eth1/1/1-1/1/4)# no switchport 3.
3. Enable RA transmission on all the interfaces in the range in INTERFACE mode. OS10-B(conf-range-eth1/1/1-1/1/8)# ipv6 nd send-ra 4. Configure the interfaces as BGP auto-unnumbered interfaces in INTERFACE mode. OS10-B(conf-range-eth1/1/1-1/1/4)# ipv6 bgp unnumbered ebgp-template OS10-B(conf-range-eth1/1/5-1/1/8)# ipv6 bgp unnumbered ibgp-template 5. Create BGP instance in CONFIGURATION mode. OS10-B(config)# router bgp 100 6. Create a template and assign necessary parameters in ROUTER-BGP mode.
7. Configure the BGP auto-unnumbered neighbor in ROUTER-BGP mode. OS10-C(config-router-bgp-100)# neighbor unnumbered-auto OS10-C(config-router-neighbor)# no shutdown 8. Configure the peer group template that the neighbors use to inherit peer-group configuration in ROUTER-NEIGHBOR mode. This template is applied only to the auto-unnumbered interfaces configured with the ipv6 bgp unnumbered command. OS10-C(config-router-neighbor)# inherit ibgp-template int-bgp 9.
2. Use one of the following commands to enter the respective ADDRESS-FAMILY mode from ROUTER-BGP mode: IPv4: address-family ipv4 unicast IPv6: address-family ipv6 unicast 3. Change the administrative distance for BGP from the respective ADDRESS-FAMILY mode.
7. (Optional) Add a remote neighbor, and enter the AS number in ROUTER-TEMPLATE mode. remote-as as-number ● To add an EBGP neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command. ● To add an IBGP neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. NOTE: When you configure an unnumbered interface, do not configure the remote AS number. 8.
100.5.1.1 100.6.1.1 OS10# show ip bgp peer-group bg1 Peer-group bg1, remote AS 0 BGP version 4 Minimum time between advertisement runs is 30 seconds For address family: Unicast BGP neighbor is bg1, peer-group external Update packing has 4_OCTET_AS support enabled Number of peers in this group 2 Peer-group members: 40.1.1.2 ethernet 1/1/1 OS10# show ip bgp peer-group leaf_v4 summary BGP router identifier 100.0.0.8 local AS number 64601 Neighbor AS MsgRcvd MsgSent Up/Down 100.5.1.1 64802 376 325 04:28:25 100.
1. Enable BGP, and assign the AS number to the local BGP speaker in CONFIGURATION mode, from 1 to 65535 for 2 bytes, 1 to 4294967295 | 0.1 to 65535.65535 for 4 bytes, or 0.1 to 65535.65535, in dotted format. router bgp as-number 2. Enter CONFIG-ROUTER-VRF mode to create a peer template for the nondefault VRF instance that you create. vrf vrf-name 3. Create a peer template by assigning a neighborhood name to it in CONFIG-ROUTER-VRF mode. template template-name 4.
Neighbor fall-over The BGP neighbor fall-over feature reduces the convergence time while maintaining stability. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. When remote or peer local addresses become unreachable, BGP brings the session down with the peer. For example, if no active route exists in the routing table for peer IPv6 destinations/local address, BGP brings the session down. By default, the hold time governs a BGP session.
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Allow local AS number 0 times in AS-PATH attribute
Local host: 3.1.1.3, Local port: 58633
Foreign host: 3.1.1.1, Foreign port: 179
Verify neighbor fall-over on peer-group
OS10# show running-configuration
!
router bgp 102
!
address-family ipv4 unicast
aggregate-address 6.1.0.0/16
!
neighbor 40.1.1.
Peer 1 in ROUTER-TEMPLATE mode OS10# configure terminal OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# no switchport OS10(conf-if-eth1/1/5)# ip address 11.1.1.1/24 OS10(conf-if-eth1/1/5)# router bgp 10 OS10(config-router-bgp-10)# template pass OS10(config-router-template)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d OS10(config-router-template)# exit OS10(config-router-bgp-10)# neighbor 11.1.1.
remote-as 20 no shutdown OS10(config-router-neighbor)# do show running-configuration bgp ! router bgp 20 neighbor 11.1.1.2 password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d remote-as 20 no shutdown Fast external fallover Fast external fallover terminates EBGP sessions of any directly adjacent peer if the link used to reach the peer goes down. BGP does not wait for the hold-down timer to expire. Fast external fallover is enabled by default.
!
address-family ipv6 unicast
activate
OS10(config-router-bgp-300)#
OS10(conf-if-eth1/1/1)# do clear ip bgp *
OS10# show ip bgp summary
BGP router identifier 11.11.11.11 local AS number 300
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
-----------------------------------------------------------------
3.1.1.1 100 7 4 00:00:08 3
3::1 100 9 5 00:00:08 4
OS10#
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# shutdown
OS10(conf-if-eth1/1/1)# do show ip bgp summary
BGP router identifier 11.11.11.
OS10(conf-router-template)# remote-as 100 OS10(conf-router-template)# listen 32.1.0.0/8 limit 10 Local AS During BGP network migration, you can maintain existing AS numbers. To disable this after the migration, reconfigure your routers with the new information. Network migration is not supported on passive peer templates. You must configure peer templates before assigning them to an AS.
AS number limit Sets the number of times an AS number occurs in an AS path. The allow-as parameter permits a BGP speaker to allow the AS number for a configured number of times in the updates received from the peer. The AS-PATH loop is detected if the local AS number is present more than the number of times in the command. 1. Enter the neighbor IP address to use the AS path in ROUTER-BGP mode. neighbor ip address 2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>I 55::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:1::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:2::/64 172:16:1::2 0 0 0 100 200 300 400 i
Redistribute routes Add routes from other routing instances or protocols to the BGP process. You can include OSPF, static, or directly connected routes in the BGP process with the redistribute command.
Redistribute active and inactive IPv4 OSPF routes into BGP OS10# configure terminal OS10(config)# route-map redis-inactive-routes OS10(config-route-map)# match inactive-path-additive OS10(config-route-map)# exit OS10(config)# router bgp 100 OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(configure-router-bgpv4-af)# redistribute ospf 10 route-map redis-inactive-routes Redistribute active and inactive IPv6 L2 VPN EVPN routes into BGP OS10# configure terminal OS10(config)# route-map redis-inacti
● confed—Selects the best path MED comparison of paths learned from BGP confederations. ● missing-as-best—Treats a path missing an MED as the most preferred one. ● missing-as-worst—Treats a path missing an MED as the least preferred one. Modify MED attributes OS10(config)# router bgp 100 OS10(conf-router-bgp-100)# always-compare-med OS10(conf-router-bgp-100)# bestpath med confed Local preference attribute You can change the value of the LOCAL_PREFERENCE attributes for all routes the router receives.
View route-map OS10(conf-route-map)# do show route-map route-map bgproutemap, permit, sequence 1 Match clauses: Set clauses: local-preference 500 metric 400 origin incomplete Weight attribute You can influence the BGP routing based on the weight value. Routes with a higher weight value have preference when multiple routes to the same destination exist. 1. Assign a weight to the neighbor connection in ROUTER-BGP mode. neighbor {ip-address} 2.
Route-map filters Filtering routes allows you to implement BGP policies. Use route-maps to control which routes the BGP neighbor or peer group accepts and advertises. 1. Enter the neighbor IP address to filter routes in ROUTER-BGP mode. neighbor ipv4-address 2. Enter Address Family mode in ROUTER-NEIGHBOR mode. address-family {[ipv4 | ipv6] [unicast]} 3. Create a route-map and assign filtering criteria in ROUTER-BGP-NEIGHBOR-AF mode, then return to CONFIG-ROUTER-BGP mode.
4. Assign a peer group template as part of the route-reflector cluster in ROUTER-BGP mode. template template-name 5. Configure the template as the route-reflector client in ROUTER-TEMPLATE mode. route-reflector-client When you enable a route reflector, the system automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in ROUTER-BGP mode.
Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, Dell EMC recommends BGP confederations only for IBGP peering involving many IBGP peering sessions per router. When you configure BGP confederations, you break the AS into smaller sub-ASs. To devices outside your network, the confederations appear as one AS.
History entry Entry that stores information about a downed route. Dampened path Path that is no longer advertised. Penalized path Path that is assigned a penalty. 1. Enable route dampening in ROUTER-BGP mode. dampening [half-life | reuse | max-suppress-time] ● half-life — Number of minutes after which the penalty decreases (1 to 45, default 15). After the router assigns a penalty of 1024 to a route, the penalty decreases by half after the half-life period expires.
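The decay rule above, worked through as an added example (not Dell EMC code). The 1024 penalty and the 15-minute default half-life come from the text; the suppress and reuse thresholds and the flap timestamps are assumed values chosen for illustration.

```python
import math

FLAP_PENALTY = 1024        # guide: penalty the router assigns to a route
DEFAULT_HALF_LIFE = 15     # guide: default half-life in minutes (range 1 to 45)
ASSUMED_SUPPRESS = 2000    # assumption for illustration, not taken from the guide
ASSUMED_REUSE = 750        # assumption for illustration, not taken from the guide


def decay(penalty, minutes, half_life=DEFAULT_HALF_LIFE):
    """Penalty remaining after `minutes` without a flap (halves per half-life)."""
    if not 1 <= half_life <= 45:
        raise ValueError("half-life must be 1 to 45 minutes")
    if minutes < 0:
        raise ValueError("minutes must be non-negative")
    return penalty * 0.5 ** (minutes / half_life)


def minutes_until_reuse(penalty, reuse=ASSUMED_REUSE, half_life=DEFAULT_HALF_LIFE):
    """Minutes of stability needed before the penalty decays to `reuse`."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def replay(flap_minutes, half_life=DEFAULT_HALF_LIFE,
           suppress=ASSUMED_SUPPRESS, reuse=ASSUMED_REUSE):
    """Replay flap timestamps (in minutes) and report the state after each flap."""
    penalty, last, dampened = 0.0, None, False
    events = []
    for t in sorted(flap_minutes):
        if last is not None:
            penalty = decay(penalty, t - last, half_life)
            if dampened and penalty < reuse:
                dampened = False   # the route was usable again before this flap
        penalty += FLAP_PENALTY
        if penalty > suppress:
            dampened = True        # dampened path: no longer advertised
        events.append({"minute": t, "penalty": round(penalty, 1),
                       "dampened": dampened})
        last = t
    return events


if __name__ == "__main__":
    # Constructed timeline: three flaps in four minutes, one more an hour in.
    for event in replay([0, 2, 4, 60]):
        print(event)
    print("minutes to reuse after third flap:",
          round(minutes_until_reuse(2808.8), 1))
```

A shorter half-life forgives a flapping peer sooner; a longer one keeps an unstable prefix suppressed for longer after the same number of flaps.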
Timers To adjust the routing timers for all neighbors, configure the timer values using the timers command. If both the peers negotiate with different keepalive and hold time values, the final hold time value is the lowest value received. The new keepalive value is one-third of the accepted hold time value. ● Configure timer values for all neighbors in ROUTER-NEIGHBOR mode.
4. Clear all information or only specific details in EXEC mode. clear ip bgp {neighbor-address | * | interface interface-type} [soft in] ● * — Clears all peers. ● neighbor-address— Clears the neighbor with this IP address. ● interface interface-type— Clears an unnumbered neighbor. Soft-reconfiguration of IPv4 neighbor OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-bgp-neighbor-af)# soft-reconfiguration inbound OS10(conf-router-bgp-neighbor-af)# end OS10# clear ip bgp 10.2.1.
OS10(config-router-bgp-100-vrf)# address-family ipv4 unicast OS10(configure-router-bgpv4-vrf-af)# bgp redistribute-internal OS10(config)# router ospf 20 vrf dell OS10(config-router-ospf-20)# redistribute bgp 100 View BGP routes information Use the following commands to view all BGP routes that match any of the community filters for a default or nondefault VRF instance. ● View BGP routes that match a standard community number.
Example - BGP in a VLT topology The following spine-leaf VLT topology runs BGP for Layer 3 communication. Spine 1 configuration 1. Configure a VLAN interface on which the BGP session has to be formed with VLT peers. Spine1(config)# interface vlan101 Spine1(conf-if-vl-101)# ip address 10.0.1.1/29 Spine1(conf-if-vl-101)# mtu 9216 Spine1(conf-if-vl-101)# exit 2. Configure port channel interfaces between Spine and VLT peers. Add it as part of the created VLAN.
3. Configure eBGP neighbor with VLT peer1 and VLT peer2. Spine1(config)# router bgp 65101 Spine1(config-router-bgp-65101)# router-id 10.1.1.1 Spine1(config-router-bgp-65101)# neighbor 10.0.1.2 Spine1(config-router-neighbor)# remote-as 65201 Spine1(config-router-neighbor)# no shutdown Spine1(config-router-neighbor)# exit Spine1(config-router-bgp-65101)# neighbor 10.0.1.
Leaf1(config)# interface ethernet1/1/6 Leaf1(conf-if-eth1/1/6)# channel-group 3 mode active Leaf1(conf-if-eth1/1/6)# exit 5. Configure the eBGP neighbor with Spine 1 and iBGP neighbor with ToR 1 and ToR 2. Leaf1(config)# router bgp 65201 Leaf1(config-router-bgp-65201)# router-id 10.2.1.1 Leaf1(config-router-bgp-65201)# neighbor 10.0.1.1 Leaf1(config-router-neighbor)# remote-as 65101 Leaf1(config-router-neighbor)# no shutdown Leaf1(config-router-neighbor)# exit Leaf1(config-router-bgp-65201)# neighbor 10.0.
4. Configure VLT port-channels with ToR 1 and ToR 2.
3. Configure the host facing VLAN and add host connected interfaces to it. ToR1(config)# interface vlan2001 ToR1(conf-if-vl-2001)# ip address 172.16.1.1/24 ToR1(conf-if-vl-2001)# mtu 9216 ToR1(conf-if-vl-2001)# exit ToR1(config)# interface ethernet1/1/3 ToR1(conf-if-eth1/1/3)# mtu 9216 ToR1(conf-if-eth1/1/3)# switchport mode trunk ToR1(conf-if-eth1/1/3)# switchport trunk allowed vlan 2001 ToR1(conf-if-eth1/1/3)# exit 4. Configure the iBGP neighbor with VLT peers and advertise the host subnet.
ToR2(config-router-neighbor)# no shutdown ToR2(config-router-neighbor)# exit ToR2(config-router-bgp-65201)# neighbor 10.0.2.2 ToR2(config-router-neighbor)# remote-as 65201 ToR2(config-router-neighbor)# no shutdown ToR2(config-router-neighbor)# exit Example - Three-tier CLOS topology with eBGP This section provides a sample three-tier topology with external BGP. Spine 1 configuration 1. Configure an IP address on leaf-facing interfaces.
Spine1(config)# interface ethernet1/1/4
Spine1(conf-if-eth1/1/4)# description Spine1-Leaf4
Spine1(conf-if-eth1/1/4)# no switchport
Spine1(conf-if-eth1/1/4)# mtu 9216
Spine1(conf-if-eth1/1/4)# ip address 10.1.2.2/31
Spine1(conf-if-eth1/1/4)# exit
2. Configure BGP neighbors. This example uses passive peering which simplifies neighbor configuration.
Spine1(config)# router bgp 65101
Spine1(config-router-bgp-65101)# router-id 10.0.0.
Leaf1(conf-if-eth1/1/2)# description Leaf1-Spine2
Leaf1(conf-if-eth1/1/2)# no switchport
Leaf1(conf-if-eth1/1/2)# mtu 9216
Leaf1(conf-if-eth1/1/2)# ip address 10.2.1.1/31
Leaf1(conf-if-eth1/1/2)# exit
2. Configure an IP address on ToR facing interfaces.
Leaf1(config)# interface ethernet1/1/3
Leaf1(conf-if-eth1/1/1)# description Leaf1-ToR1
Leaf1(conf-if-eth1/1/1)# no switchport
Leaf1(conf-if-eth1/1/1)# mtu 9216
Leaf1(conf-if-eth1/1/1)# ip address 10.3.1.0/31
Leaf1(conf-if-eth1/1/1)# exit
3.
Leaf2(config-router-neighbor)# no shutdown Leaf2(config-router-neighbor)# exit Leaf 3 configuration 1. Configure an IP address on spine-facing interfaces.
3. Configure BGP neighbors. Leaf4(config)# router bgp 65202 Leaf4(config-router-bgp-65202)# router-id 10.0.1.4 Leaf4(config-router-bgp-65202)# neighbor 10.1.2.2 Leaf4(config-router-neighbor)# remote-as 65101 Leaf4(config-router-neighbor)# no shutdown Leaf4(config-router-neighbor)# exit Leaf4(config-router-bgp-65202)# neighbor 10.2.2.2 Leaf4(config-router-neighbor)# remote-as 65101 Leaf4(config-router-neighbor)# no shutdown Leaf4(config-router-neighbor)# exit Leaf4(config-router-bgp-65202)# neighbor 10.6.1.
ToR2(conf-if-eth1/1/1)# exit
ToR2(config)# interface ethernet1/1/2
ToR2(conf-if-eth1/1/2)# description ToR2-Leaf4
ToR2(conf-if-eth1/1/2)# no switchport
ToR2(conf-if-eth1/1/2)# mtu 9216
ToR2(conf-if-eth1/1/2)# ip address 10.6.1.1/31
ToR2(conf-if-eth1/1/2)# exit
2. Configure a VLAN interface and a VLAN member for end devices.
ToR2(config)# interface vlan 2001
ToR2(conf-if-vl-2001)# ip address 172.16.2.
3. Configure add-path capability in IPv4 AFI, with add-path on both directions with count as 4. OS10(config-router-template)# address-family ipv4 unicast OS10(config-router-bgp-template-af)# add-path both 4 4. Configure soft-reconfiguration inbound for IPv6 AFI. OS10(config-router-template)# address-family ipv6 unicast OS10(config-router-bgp-template-af)# soft-reconfiguration inbound 5. Configure next-hop-self for IPv6 AFI.
NOTE: Only the system administrator (sysadmin) role is allowed to manage this configuration. NOTE: The add-path configuration is not supported on the unnumbered peers when applied through the template.
Example (Receive) OS10(conf-router-bgpv6-af)# add-path receive Supported Releases 10.2.0E or later address-family Enters Global Address Family Configuration mode for the IP address family. Syntax address-family {[ipv4 | ipv6] unicast} Parameters ● ipv4 unicast — Enter an IPv4 unicast address family. ● ipv6 unicast — Enter an IPv6 unicast address family.
Command Mode ROUTER-NEIGHBOR Usage Information The time interval applies to all the peer group members of the template in ROUTER-TEMPLATE mode. The no version of this command disables the advertisement-start time interval. Example OS10(conf-router-neighbor)# advertisement-start 30 Supported Releases 10.3.0E or later aggregate-address Summarizes a range of prefixes to minimize the number of entries in the routing table.
Example (IPv6) OS10(conf-router-template)# address-family ipv6 unicast OS10(conf-router-bgp-template-af)# allowas-in 5 Example (l2vpn) OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# allowas-in 3 Supported Releases 10.3.0E or later always-compare-med Compares MULTI_EXIT_DISC (MED) attributes in the paths that are received from different neighbors.
router bgp 100 as-notation asdot Example - asdot+ format OS10(conf-router-bgp-100)# as-notation asdot+ OS10(conf-router-bgp-100)# show configuration ! router bgp 0.100 as-notation asdot+ Example - asplain format OS10(conf-router-bgp-100)# as-notation asplain OS10(conf-router-bgp-100)# show configuration ! router bgp 100 Supported Releases 10.1.0E or later bestpath as-path Configures the AS path selection criteria for best path computation.
NOTE: To configure these settings for a nondefault VRF instance, you must first enter the ROUTERCONFIG-VRF sub mode using the following commands: 1. Enter the ROUTER BGP mode using the router bgp as-number command. 2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command. Example OS10(conf-router-bgp-2)# bestpath med confed Supported Releases 10.3.0E or later bestpath router-id Ignores comparing router-id information for external paths during best-path selection.
Command Mode ROUTER-BGP-AF Usage Information To reduce the instability of the BGP process, set up route flap dampening parameters. After setting up the dampening parameters, clear information about route dampening and return the suppressed routes to the Active state. You can also view statistics on route flapping or change the path selection from Default Deterministic mode to Non-Deterministic mode. The no version of this command resets the value to the default.
● soft — (Optional) Enter to configure and activate policies without resetting the BGP TCP session — BGP soft reconfiguration. ● in — (Optional) Enter to activate only ingress (inbound) policies. Default Not configured Command Mode EXEC Usage Information None. Example OS10# clear ip bgp 1.1.15.4 The following is an example to clear BGP information learned through an unnumbered neighbor: OS10# clear ip bgp interface ethernet 1/1/1 Supported Releases 10.3.
Supported Releases 10.3.0E or later clear ip bgp flap-statistics Clears all or specific IPv4 or IPv6 flap counts of prefixes. Syntax clear ip bgp [vrf vrf-name] [ipv4–address | ipv6–address] flap-statistics [ipv4–prefix | ipv6–prefix] Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to clear flap statistics information. ● ipv4–address — (Optional) Enter an IPv4 address to clear the flap counts of the prefixes learned from the given peer.
confederation Configures an identifier for a BGP confederation. Syntax confederation {identifier as-num | peers as-number} Parameters ● identifier as-num —Enter an AS number, from 0 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes, or 0.1 to 65535.65535 for dotted format. ● peers as-number—Enter an AS number for peers in the BGP confederation, from 1 to 4294967295.
cluster-id Assigns a cluster ID to a BGP cluster with multiple route reflectors. Syntax cluster-id {number | ip-address} Parameters ● number—Enter a route reflector cluster ID as a 32-bit number, from 1 to 4294967295. ● ip-address—Enter an IP address as the route-reflector cluster ID. Default Router ID Command Mode ROUTER-BGP Usage Information If a cluster contains only one route reflector, the cluster ID is the route reflector’s router ID.
Usage Information Example Supported Releases ● To use special characters as a part of the description string, enclose the string in double quotes. ● To use comma as a part of the description string add double back slash before the comma. ● The no version of this command removes the description. OS10# configure terminal OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 8.8.8.
Example OS10(conf-router-bgp-10)# template lunar OS10(conf-router-bgp-template)# address-family ipv6 unicast OS10(conf-router-template-af)# default-originate route-map rmap-bgp Supported Releases 10.4.1.0 or later distance bgp Sets the administrative distance for BGP routes. Syntax distance bgp external-distance internal-distance local-distance Parameters ● external-distance—Enter a number to assign to routes learned from a neighbor external to the AS, from 1 to 255.
distribute-list Distributes BGP information through an established prefix list. Syntax distribute-list prefix-list-name {in | out} Parameters ● prefix-list-name—Enter the name of established prefix list. ● in—Enter to distribute inbound traffic. ● out—Enter to distribute outbound traffic. Defaults None Command Modes ROUTER-BGP-NEIGHBOR-AF ROUTER-TEMPLATE-AF Usage Information Example The no version of this command removes the route-map.
Example OS10(conf-router-neighbor)# ebgp-multihop 2 Supported Releases 10.3.0E or later enforce-first-as Enforces the first AS in the AS path of the route received from an EBGP peer to be the same as the configured remote AS. Syntax enforce-first-as Parameters None Default Enabled Command Mode ROUTER-BGP Usage Information To verify statistics of routes rejected, use the show ip bgp neighbors command. If routes are rejected, the session is reset.
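The two inbound AS_PATH checks this guide describes, enforce-first-as here and the allowas-in loop limit under "AS number limit", as an added example (not OS10 source code). Function names, result labels and the sample updates are constructed for illustration; the model covers only these two checks.

```python
from collections import Counter


def check_as_path(as_path, local_as, remote_as, allowas_in=0,
                  enforce_first_as=True):
    """Return (accepted, reason) for one received AS_PATH (list of AS numbers).

    allowas_in is the number of times the local AS may appear in the path;
    the default 0 means any occurrence is treated as a loop.
    """
    is_ebgp = remote_as != local_as
    if enforce_first_as and is_ebgp:
        # The first AS must be the configured remote AS of the EBGP peer.
        if not as_path or as_path[0] != remote_as:
            return False, "first-as-mismatch"
    if as_path.count(local_as) > allowas_in:
        return False, "own-as-in-path"
    return True, "accepted"


def process_updates(updates, local_as, remote_as, **policy):
    """Apply the checks to (prefix, as_path) pairs received from one peer."""
    stats = Counter()
    accepted = []
    for prefix, as_path in updates:
        ok, reason = check_as_path(as_path, local_as, remote_as, **policy)
        stats[reason] += 1
        if ok:
            accepted.append(prefix)
    return accepted, stats


# Constructed updates from an EBGP peer in AS 100, received by a router in AS 300.
SAMPLE_UPDATES = [
    ("10.10.0.0/16", [100, 200]),            # clean path
    ("55::/64", [100, 200, 300, 400]),       # local AS appears once
    ("10.20.0.0/16", [200, 100]),            # first AS is not the peer's AS
    ("10.30.0.0/16", [100, 300, 200, 300]),  # local AS appears twice
]

if __name__ == "__main__":
    for limit in (0, 1):
        accepted, stats = process_updates(SAMPLE_UPDATES, local_as=300,
                                          remote_as=100, allowas_in=limit)
        print(f"allowas-in {limit}: accepted={accepted} stats={dict(stats)}")
```

Raising the allowas-in count widens what the loop check accepts, so keep it at the smallest value the topology needs.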
fast-external-fallover Resets BGP sessions immediately when a link to a directly connected external peer fails. Syntax fast-external-fallover Parameters None Default Not configured Command Mode ROUTER-BGP Usage Information Fast external fall-over terminates the EBGP session immediately after the IP unreachability or link failure is detected. This only applies after you manually reset all existing BGP sessions. For the configuration to take effect, use the clear ip bgp command.
Parameters ● ebgp-template—Enter an external BGP template to establish a BGP neighborship through this interface. ● ibgp-template—Enter an internal BGP template to establish a BGP neighborship through this interface. ● template-name—Enter the name of the template. Default Not configured Command Mode ROUTER-NEIGHBOR Usage Information This command is available only if you use the neighbor unnumbered-auto command.
Parameters ● ebgp-template—Indicates to inherit an eBGP template for this auto-unnumbered interface using the inherit ebgp-template command. If there is no configuration under unnumbered-auto neighbor, the system does not inherit any templates from this neighbor. ● ibgp-template—Indicates to inherit an iBGP template for this auto-unnumbered interface using the inherit ibgp-template command.
● replace-as—(Optional) Enter so that globally configured AS values are not prepended to the AS_PATH attribute. Default Disabled Command Mode ROUTER-NEIGHBOR or ROUTER-TEMPLATE Usage Information Facilitates the BGP network migration operation and allows you to maintain existing AS numbers. The no version of this command resets the value to the default.
Parameters ● ebgp—Enable multipath support for external BGP routes. ● ibgp—Enable multipath support for internal BGP routes. ● number—Enter the number of parallel paths, from 1 to 64. Default 64 paths Command Mode ROUTER-BGP Usage Information Dell EMC recommends not using multipath and add path simultaneously in a route reflector. To recompute the best path, use the clear ip bgp * command.
neighbor Creates a remote IP or unnumbered peer and enters Neighbor Configuration mode. Syntax neighbor {ip-address | interface interface-type | unnumbered-auto} Parameters ● ip-address—Enter the IPv4 or IPv6 address of the neighbor. ● interface interface-type—Enter the interface that connects to an unnumbered neighbor. ● unnumbered-auto—Configure one or more BGP auto unnumbered neighbors.
network Configures a network as local to this AS and adds it to the BGP routing table. Syntax network ip-address/prefix [route-map map-name] Parameters ● ip-address/prefix—Enter the IPv4 or IPv6 address and the prefix number to the network. ● route-map map-name—(Optional) Enter the name of an established route-map. Defaults None Command Modes ROUTER-AF Usage Information The no version of this command removes the network.
Usage Information Paths compare in the order they arrive. OS10 uses this method to choose different best paths from a set of paths, depending on the order they are received from the neighbors. MED may or may not be compared between adjacent paths. When you change the path selection from deterministic to nondeterministic, the path selection for the existing paths remains deterministic until you use the clear ip bgp command to clear the existing paths.
Usage Information You can enter the password either as plain text or in encrypted format. The password that is provided in ROUTER-NEIGHBOR mode takes preference over the password in ROUTER-TEMPLATE mode. The no version of this command disables authentication. Example OS10(conf-router-neighbor)# password abcdell OS10(conf-router-neighbor)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d Supported Releases 10.3.
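An added example (not part of the Dell EMC guide) that applies the precedence rule above to a saved BGP configuration and lists neighbors left with no session password. The sample configuration is constructed, its layout and the inherit template line are assumptions about how the running configuration is rendered, and <encrypted-string> is a placeholder.

```python
# Constructed sample in the style of "show running-configuration bgp".
SAMPLE_CONFIG = """\
!
router bgp 10
 !
 template pass
  password 9 <encrypted-string>
 !
 template nopass
  remote-as 20
 !
 neighbor 11.1.1.2
  inherit template pass
  remote-as 20
  no shutdown
 !
 neighbor 11.1.2.2
  password 9 <encrypted-string>
  inherit template pass
  no shutdown
 !
 neighbor 11.1.3.2
  inherit template nopass
  no shutdown
 !
 neighbor 11.1.4.2
  remote-as 30
  no shutdown
"""


def parse_bgp_config(text):
    """Collect, per template and per neighbor, whether a password is set."""
    templates, neighbors, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "template" and len(words) == 2:
            current = templates.setdefault(
                words[1], {"password": False, "inherit": None})
        elif words[0] == "neighbor" and len(words) >= 2:
            current = neighbors.setdefault(
                " ".join(words[1:]), {"password": False, "inherit": None})
        elif words[0] in ("router", "vrf"):
            current = None                      # left the previous block
        elif current is not None:
            if words[0] == "password":
                current["password"] = True
            elif words[:2] == ["inherit", "template"] and len(words) == 3:
                current["inherit"] = words[2]
    return templates, neighbors


def effective_auth(templates, neighbors):
    """Map each neighbor to the source of its password, or 'none'."""
    result = {}
    for name, entry in neighbors.items():
        template = templates.get(entry["inherit"]) if entry["inherit"] else None
        if entry["password"]:
            result[name] = "neighbor"           # neighbor setting wins
        elif template and template["password"]:
            result[name] = "template:" + entry["inherit"]
        else:
            result[name] = "none"
    return result


def unauthenticated(text):
    """Neighbors with no password from either source."""
    auth = effective_auth(*parse_bgp_config(text))
    return sorted(name for name, source in auth.items() if source == "none")


if __name__ == "__main__":
    print(effective_auth(*parse_bgp_config(SAMPLE_CONFIG)))
    print("no password:", unauthenticated(SAMPLE_CONFIG))
```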
remote-as Adds a remote AS to the specified BGP neighbor or peer group. Syntax remote-as as-number Parameters as-number — Specify AS number ranging from 1 to 65535 for 2 byte or 1 to 4294967295 for 4 byte. Defaults None Command Modes CONFIG-ROUTER-NEIGHBOR CONFIG-ROUTER-TEMPLATE Usage Information The no version of this command deletes the remote AS. Example OS10(config)# router bgp 300 OS10(config-router-bgp-300)# template ebgppg OS10(config-router-template)# remote-as 100 Supported Releases 10.4.
Example OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-bgp-neighbor-af)# route-map bgproutemap in OS10(conf-router-template)# address-family ipv4 unicast OS10(conf-router-bgp-template-af)# route-map bgproutemap in Supported Releases 10.4.1.0 or later route-reflector-client Configures a neighbor as a member of a route-reflector cluster.
Command Mode ROUTER-BGP Usage Information Change the router ID of a BGP router to reset peer-sessions. The no version of this command resets the value to the default. By default, OS10 sets a loopback IP address as the router ID. If there is no loopback address, the software chooses the highest IP address that is configured to a physical interface. NOTE: To configure these settings for a nondefault VRF instance, you must first enter the ROUTERCONFIG-VRF sub mode using the following commands: 1.
Example (IPv6) OS10(conf-router-bgp-102)# neighbor 32::1 OS10(conf-router-neighbor)# address-family ipv6 unicast OS10(conf-router-bgp-neighbor-af)# no sender-side-loop-detection Supported Releases 10.3.0E or later show ip bgp Displays information that BGP neighbors exchange. Syntax show ip bgp [vrf vrf-name] ip-address/mask Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view route information corresponding to that VRF.
*>r 31.1.1.0/24 0.0.0.0 0 100 32768 ?
*> 41.1.1.0/24 ethernet 1/1/1 0 100 32768 ?
When you filter routes by IP addresses, if the system does not find a match, it displays the following error message:
OS10# show ip bgp 40.40.40.0/24
%Error: Prefix does not exist.
Supported Releases 10.3.0E or later show ip bgp community Displays the BGP routes that match a standard community number.
Parameters ● vrf vrf-name—(Optional) Enter the name of the VRF to view routes that are related to a specific community list corresponding to that VRF. ● ipv4 unicast—Displays information that is related to IPv4 unicast routes. ● ipv6 unicast—Displays information that is related to IPv6 unicast routes. ● community-list community-list-name—Enter the name of a configured IP community list (maximum 140 characters).
Supported Releases 10.3.0E or later show ip bgp extcommunity-list Displays BGP routes that match any of the extended community attributes from an extended community list. Syntax show ip bgp [vrf vrf-name] [{ipv4 | ipv6} unicast] [extcommunity-list extcommunity-list-name] Parameters ● vrf vrf-name—Enter the name of the VRF to view information about all routes with extended community attributes corresponding to that VRF. ● ipv4 unicast—Displays information that is related to IPv4 unicast routes.
Status codes: s suppressed, S stale, d dampened, h history, * valid, > best Origin codes: i - IGP, e - EGP, ? - incomplete Network From Flaps Duration Reuse Path *> 3.1.2.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i *> 3.1.3.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i *> 3.1.4.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i *> 3.1.5.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i *> 3.1.6.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i Total number of prefixes: 5 Supported Releases 10.3.
suppressed, S stale, d dampened, h history, * valid, > best Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 31.1.1.0/24 fe80::3617:ebff:fefd:dc5e 0 100 0 10 OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 received-routes BGP local router ID is 40.1.1.2 Status codes: D denied Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 41.1.1.
● neighbors — Displays IPv6 neighbor information. ● ip-address — Displays information about a specific neighbor. ● interface interface-type — Displays BGP information that is learned through an unnumbered neighbor. ● summary — Displays IPv6 unicast summary information. ● advertised-routes — Displays the routes that are advertised to a neighbor. ● dampened-paths — Displays the suppressed routes that are received from a neighbor.
Summary information for unnumbered neighbors: OS10# show ip bgp ipv6 unicast summary BGP router identifier 89.101.17.125 local AS number 100 Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx ethernet1/1/1 200 19 19 00:15:34 0 OS10# show ip bgp ipv6 unicast BGP local RIB : Routes to be Added , Replaced , Withdrawn BGP local router ID is 14.233.209.
● Sent messages — Displays the number of BGP messages sent, the number of notifications or error messages, and the number of messages waiting in a queue for processing. ● Description — Displays the descriptive name that is configured for the BGP neighbor. This field is displayed only when the description is configured. ● Local host — Displays the peering address of the local router and the TCP port number. ● Foreign host — Displays the peering address of the neighbor and the TCP port number.
For address family: IPv6 Unicast Max prefix set to 20 with threshold 10 warning only Next hop set to self Soft-reconfiguration inbound configured Allow local AS number 0 times in AS-PATH attribute Local host: 1.1.1.1, Local port: 49872 Foreign host: 1.1.1.2, Foreign port: 179 OS10#show ip bgp neighbors interface ethernet 1/1/1 BGP neighbor is fe80::250:56ff:fe80:7f39 via ethernet1/1/1, remote AS 100, local AS 200 external link BGP version 4, remote router ID 2.2.2.
Route map for outgoing advertisements is filter_ipv6_intf_out Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 Local host: fe80::250:56ff:fe80:8d56, Local port: 39054 Foreign host: fe80::250:56ff:fe80:7f39, Foreign port: 179 Example advertisedroutes Example received-routes Example deniedroutes OS10# show ip bgp ipv6 unicast neighbors 192:168:1::2 advertised-routes BGP local router ID is 100.1.1.
Total number of prefixes: 3 OS10# Example routes Example unnumbered neighbors OS10# show ip bgp ipv6 unicast neighbors 172:16:1::2 routes BGP local router ID is 100.1.1.
unnumbered neighbors Example received-routes from unnumbered neighbors Example routes from unnumbered neighbors Example deniedroutes from unnumbered neighbors Example Global AS Status codes: s suppressed, S stale, d dampened, h history, * valid, > best Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 41.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 0 10 OS10# show ip bgp neighbors interface ethernet 1/1/1 received-routes BGP local router ID is 40.1.1.
● Administratively shut — Displays the status of the peer group if you do not enable the peer group. If you enable the peer group, this line does not display. ● BGP version — Displays the BGP version supported. ● Description — Displays the descriptive name that is configured for the BGP peer template. This field is displayed only when the description is configured. ● For address family — Displays IPv4 unicast as the address family. ● BGP neighbor — Displays the name of the BGP neighbor.
ethernet 1/1/1
OS10# show ip bgp peer-group bg1 summary
BGP router identifier 14.233.209.106 local AS number 10
Neighbor        AS   MsgRcvd  MsgSent  Up/Down   State/Pfx
40.1.1.2        20   15       19       00:00:32  0
ethernet 1/1/1  20   15       19       00:00:32  0
Supported Releases 10.2.0E or later
show ip bgp summary
Displays the status of all BGP connections.
show ip route Displays information about IPv4 BGP routing table entries. Syntax show ip route [vrf vrf-name] bgp Parameters ● vrf vrf-name — Enter vrf and then the name of the VRF to view information that is exchanged between BGP neighbors corresponding to that VRF Default Not configured Command Mode EXEC Usage Information This command displays information about IPv4 BGP routing table entries.
Example OS10# show ipv6 route OS10# show ipv6 route bgp Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last C ---------------------------------------------------------------------------------B IN 1::/
NOTE: Before applying the soft-reconfiguration, you must clear all the BGP configurations at the VRF level. You must also clear the BGP configurations at template level using the clear ip bgp template command.
Example OS10(conf-router-bgp)# timers 30 90
Supported Releases 10.3.0E or later
update-source
Enables using Loopback interfaces for TCP connections to stabilize BGP sessions.
Syntax update-source loopback interface-id
Parameters loopback interface-id — Specify a Loopback interface ID, from 0 to 16383.
Usage Information The path with the highest weight value is preferred in the best-path selection process. The no version of this command resets the value to the default.
Example OS10(conf-router-bgp-neighbor)# weight 4096
Supported Releases 10.3.0E or later
Equal cost multi-path
ECMP is a routing technique where next-hop packet forwarding to a single destination occurs over multiple best paths. When you enable ECMP, OS10 uses a hash algorithm to determine the next-hop.
IPV4 Load Balancing : Enabled
IPV6 Load Balancing : Enabled
MAC Load Balancing : Enabled
TCP-UDP Load Balancing : Enabled
Ingress Port Load Balancing : Enabled
IPV4 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
IPV6 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
MAC FIELDS : source-mac destination-mac ethertype vlan-id
TCP-UDP FIELDS: l4-destination-port l4-source-port
Configuration notes
Dell EMC PowerSwitch S4200–ON Series: The l
Examples Normal traffic flow without resilient hashing Traffic flow with resilient hashing enabled When you enable resilient hashing for ECMP groups, the flow-map table is created with 64 paths (the OS10 default maximum number of ECMP paths) and traffic is equally distributed. In the following example, traffic 1 maps to next hop 'A'; traffic 2 maps to next hop 'C'; and traffic 3 maps to next hop 'B.
Member link is added
However, when a new member link is added, resilient hashing completes minimal remapping for better load balancing, as shown:
Important notes
● Resilient hashing on port channels applies only for unicast traffic.
● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command.
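The remapping behavior described above, as an added Python model that is not OS10's hashing implementation. It also covers the member-link failure case, which goes beyond the add case shown here. The CRC32 flow hash, the bucket hand-over policy, the FlowMap class, and the sample flows are assumptions made for illustration.

```python
import zlib
from collections import Counter

BUCKETS = 64  # flow-map table size from the page (default maximum ECMP paths)


def bucket_of(flow: str) -> int:
    """Hash a flow key to a flow-map bucket (CRC32 is a stand-in hash)."""
    return zlib.crc32(flow.encode()) % BUCKETS


class FlowMap:
    """Hypothetical flow-map table: each bucket points at one next hop."""

    def __init__(self, members):
        self.members = list(members)
        self.table = [self.members[i % len(self.members)] for i in range(BUCKETS)]

    def next_hop(self, flow: str) -> str:
        return self.table[bucket_of(flow)]

    def remove(self, member: str) -> None:
        """Member fails: rewrite only the buckets that pointed at it."""
        self.members.remove(member)
        load = Counter(owner for owner in self.table if owner != member)
        for i, owner in enumerate(self.table):
            if owner == member:
                target = min(self.members, key=lambda m: (load[m], m))
                self.table[i] = target
                load[target] += 1

    def add(self, member: str) -> None:
        """Member added: hand over one fair share of buckets, nothing more."""
        load = Counter(self.table)
        self.members.append(member)
        for _ in range(BUCKETS // len(self.members)):
            donor = max(load, key=lambda m: (load[m], m))
            self.table[self.table.index(donor)] = member
            load[donor] -= 1


def modulo_next_hop(members, flow: str) -> str:
    """Plain hash-mod-N selection, shown for comparison."""
    return members[zlib.crc32(flow.encode()) % len(members)]


def moved(before: dict, after: dict) -> int:
    """Count the flows whose next hop changed between two snapshots."""
    return sum(1 for flow in before if before[flow] != after[flow])


def sample_flows(count: int = 1000):
    """Constructed flow keys (documentation addresses), not captured traffic."""
    return [f"10.0.{i // 250}.{i % 250}:{1024 + i}->192.0.2.10:443/tcp"
            for i in range(count)]


if __name__ == "__main__":
    flows = sample_flows()
    fm = FlowMap(["A", "B", "C", "D"])
    before = {f: fm.next_hop(f) for f in flows}
    fm.remove("B")
    after = {f: fm.next_hop(f) for f in flows}
    mod_before = {f: modulo_next_hop(["A", "B", "C", "D"], f) for f in flows}
    mod_after = {f: modulo_next_hop(["A", "C", "D"], f) for f in flows}
    print("flows moved with flow-map table:", moved(before, after))
    print("flows moved with hash mod N    :", moved(mod_before, mod_after))
```

Flows that were not on the failed member keep their next hop in the flow-map model, while hash-mod-N selection moves flows on every member.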
Maximum ECMP groups and paths
The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch. To view the maximum number of ECMP groups and paths, use the show ip ecmp-group details command.
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
The default value for the maximum number of ECMP paths per group is 64.
● lag—Enables the LAG hash configuration for Layer 2 (L2) only.
● seed—Changes the hash algorithm seed value to get a better hash value.
● seed-value—Enter a hash algorithm seed value, from 0 to 4294967295.
● crc—Enables the cyclic redundancy check (CRC) polynomial for hash computation.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the configuration.
Example OS10(config)# link-bundle-utilization trigger-threshold 80
Supported Releases 10.2.0E or later
load-balancing
Distributes or load balances incoming traffic using the default parameters in the hash algorithm.
Example (IP Selection) OS10(config)# load-balancing ip-selection destination-ip source-ip
Supported Releases 10.2.0E or later
show enhanced-hashing resilient-hashing
Displays the status of the enhanced-hashing command.
Syntax show enhanced-hashing resilient-hashing {lag | ecmp}
Parameters lag | ecmp—Enter the keyword to view enhanced-hashing for a port channel or ECMP group.
Command Mode EXEC
Usage Information None
Example
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
Supported Releases 10.4.3.0 or later
show load-balance
Displays the global traffic load-balance configuration.
1. Enter the interface type information to assign an IP address in CONFIGURATION mode. interface interface ● ethernet—Physical interface ● port-channel—Port-channel ID number ● vlan—VLAN ID number ● loopback—Loopback interface ID ● mgmt—Management interface 2. Enable the interface in INTERFACE mode. no shutdown 3. Remove the interface from the default VLAN in INTERFACE mode. no switchport 4. Configure a primary IP address and mask on the interface in INTERFACE mode.
Configure static routing
You can configure a manual or static route for open shortest path first (OSPF).
● Configure a static route in CONFIGURATION mode.
ip route ip-prefix/mask {next-hop | interface interface [route-preference]}
○ ip-prefix—IPv4 address in dotted decimal in A.B.C.D format.
○ mask—Mask in slash prefix-length format (/X).
○ next-hop—Next-hop IP address in dotted decimal in A.B.C.D format.
These entries do not age, and you can only remove them manually. To remove a static ARP entry, use the no arp ipaddress command. Configure static ARP entries OS10(config)# interface ethernet 1/1/6 OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32 View ARP entries OS10# show ip arp interface ethernet 1/1/6 Address Hardware address Interface Egress Interface -------------------------------------------------------------10.1.1.
● A.B.C.D/mask —Specify the IP route to remove from the IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected only for the specified route in the switch.
Default Not configured
Command Mode EXEC
Usage Information This command does not remove the static routes from the routing table.
Example OS10# clear ipv6 route 10.1.1.0/24
Supported Releases 10.3.0E or later
ip address
Configure the IP address to an interface.
Default Not configured
Command Mode INTERFACE
Usage Information Do not use Class D (multicast) or Class E (reserved) IP addresses. Zero MAC addresses (00:00:00:00:00:00) are invalid. The no version of this command disables the IP ARP configuration.
Example OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
Supported Releases 10.2.0E or later
ip arp gratuitous
Enables an interface to receive or send gratuitous ARP requests and updates.
Parameters ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure a static route corresponding to that VRF. Use this VRF option after the ip route keyword to configure a static route on that specific VRF. ● dest-ip-prefix — Enter the destination IP prefix in dotted decimal A.B.C.D format. ● mask — Enter the mask in slash prefix-length /x format. ● next-hop — Enter the next-hop IP address in dotted decimal A.B.C.D format.
1.1.1.5 1.1.1.6 Example (IP Address) 00:00:00:00:00:05 00:00:00:00:00:06 vlan100 vlan100 port-channel1000 port-channel1000 pv 10 OS10# show ip arp 192.168.2.2 Address Hardware address Interface Egress Interface -------------------------------------------------------------------192.168.2.
Example OS10# show ip route Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change -----------------------------------------------------------------C 10.1.1.0/24 via 10.1.1.1 vlan100 0/0 01:16:56 B EX 10.1.2.0/24 via 10.1.2.
Enable or disable IPv6 By default: ● IPv6 forwarding is enabled on physical Ethernet interfaces, VLANs, and port groups. IPv6 forwarding is disabled only when you enable IPv6 address autoconfiguration on an interface and set it in host mode using the ipv6 address autoconfig command. ● IPv6 forwarding is permanently disabled on the management Ethernet interface so that it remains in Host mode and does not operate as a router regardless of the ipv6 address autoconfig setting.
In the following example, all the addresses are valid and equivalent:
● 2001:0db8:0000:0000:0000:0000:1428:57ab
● 2001:0db8:0000:0000:0000::1428:57ab
● 2001:0db8:0:0:0:0:1428:57ab
● 2001:0db8:0:0::1428:57ab
● 2001:0db8::1428:57ab
● 2001:db8::1428:57ab
Write IPv6 networks using CIDR notation. An IPv6 network or subnet is a contiguous group of IPv6 addresses whose size must be a power of two. The initial bits of addresses, which are identical for all hosts in the network, are the network's prefix.
Configure link-local address
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address FE80::1/64 link-local
Stateless autoconfiguration
When an interface comes up, OS10 uses stateless autoconfiguration to generate a unique link-local IPv6 address with a FE80::/64 prefix and an interface ID generated from the MAC address. To use stateless autoconfiguration to assign a globally unique address using a prefix received in router advertisements, use the ipv6 address autoconfig command.
● ipv6 nd hop-limit hops — (Optional) Sets the hop limit advertised in RA messages and included in IPv6 data packets sent by the router, from 0 to 255; default 64. 0 indicates that no hop limit is specified by the router. ● ipv6 nd managed-config-flag — (Optional) Sent in RA messages to tell hosts to use stateful address autoconfiguration, such as DHCPv6, to obtain IPv6 addresses.
Duplicate address discovery To determine if an IPv6 unicast address is unique before assigning it to an interface, an OS10 switch sends a neighbor solicitation message. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the address does not configure on the interface. DAD is enabled by default. By default, IPv6 is not disabled when a duplicate address is detected. Only the duplicate address is not applied. Other IPv6 addresses are still active on the interface.
IPv6 destination unreachable By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, a packet drops and no error message is sent. You can enable the capability to send an IPv6 destination unreachable error message to the source without dropping the packet.
This feature is applicable only for an environment where all messages between IPv6 end devices traverse through an RA guard-enabled Layer 2 (L2) switch. This feature is not supported if the end devices communicate directly without an RA guard-capable L2 device.
Limitations
● RA guard validation is not applicable for IPv6-tunneled RA packets.
● This feature is supported only in the ingress direction and not supported at egress.
6. The system permits or denies the RA guard packets based on the results of the validation. Specify the prefix, access, or MAC list against which the RA guard packet is validated.
OS10(conf-ra_guard_policy_list)# match ra ipv6-prefix-list example_prefix_list
OS10(conf-ra_guard_policy_list)# exit
OS10(conf-ra_guard_policy_list)# match ra ipv6-access-list example-access-list
OS10(conf-ra_guard_policy_list)# exit
OS10(conf-ra_guard_policy_list)# match ra mac-access-list example-maclist
7.
Parameters
● ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
● port-channel channel-id—Enter the port-channel ID, from 1 to 128.
Default None
Command Mode EXEC
Usage Information This command clears the RA packet statistics from all the interfaces that have RA guard policy configured.
Example OS10# clear ipv6 nd ra-guard statistics interface port-channel 10
Supported Releases 10.5.2.0 or later
device-role
Configures the attached device as a host or a router.
● If you choose the all option: ○ The system applies the RA guard policy to all the VLANs that are associated with this interface. ○ The system applies the RA guard policy to any new VLANs that you associate with this interface in the future. ● When you apply the RA guard policy to a primary VLAN, the primary VLAN works as a regular VLAN. The RA packets received on the promiscuous ports flood to all the member ports of the primary and secondary VLANs.
RAGUARD: Denied RA Packet on Vlan : vlan100 Port : ethernet1/1/10:3
Example OS10(config)# ipv6 nd ra-guard logging enable
Supported Releases 10.5.2.0 or later
ipv6 nd ra-guard policy
Configures RA guard policy.
Syntax ipv6 nd ra-guard policy policy-name
Parameters policy-name—Enter the policy name. A maximum of 140 characters.
Default None
Command Mode CONFIGURATION
Usage Information This command takes you to the RA guard policy list configuration submode.
Examples
OS10(conf-ra_guard_policy_list)# managed-config-flag on
OS10(conf-ra_guard_policy_list)# managed-config-flag off
Supported Releases 10.5.2.0 or later
match ra
Verifies the source IPv6 address, prefix address, and the source MAC address of the inspected messages.
Syntax match ra {ipv6-access-list | ipv6-prefix-list | mac-access-list} name
Parameters
● ipv6-access-list name—Enter ipv6-access-list and the name of the access list.
reachable-time
Verifies the configured reachability time in the received RA packets.
Syntax reachable-time value
Parameters value—Enter the advertised reachability time in milliseconds, from 0 to 3600000.
Default None
Command Mode RA GUARD POLICY LIST CONFIGURATION
Usage Information The no form of this command resets the advertised reachability time.
Example OS10(conf-ra_guard_policy_list)# reachable-time 100
Supported Releases 10.5.2.
Parameters
● high—Enter high to set the DRP value as high.
● low—Enter low to set the DRP value as low.
● medium—Enter medium to set the DRP value as medium.
Default None
Command Mode RA GUARD POLICY LIST CONFIGURATION
Usage Information Verifies that the advertised DRP value is lower than or equal to the specified limit. If you do not configure this command, the system bypasses this verification. The no form of this command removes the configuration.
device-role router
hop-limit maximum 1
match ra ipv6-access-list access
other-config-flag on
router-preference maximum medium
Interfaces : ethernet1/1/2
Supported Releases 10.5.2.0 or later
show ipv6 nd ra-guard statistics
Displays the statistics of all RA guard-enabled interfaces or a specific interface.
Syntax show ipv6 nd ra-guard statistics [interface interface-name]
Parameters interface-name—Enter the physical or port-channel interface name.
show vlt mismatch
Displays the RA guard configuration mismatch between VLT peers.
Syntax show vlt domain-id mismatch [ra-guard]
Parameters domain-id—Enter the VLT domain ID.
Command Mode EXEC
Usage Information None
Example
OS10# show vlt 100 mismatch ra-guard
RA Guard Mismatch:
Global RA Guard Configuration Mismatch: No
Interface Vlan Reason
---------------------------------------------------------------------
port-channel100 Device Role
Supported Releases 10.5.2.
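The RA guard policy checks described in the command reference above (device-role, hop-limit, managed-config-flag, other-config-flag, router-preference), modeled as an added Python example that is not Dell's implementation. It assumes that a host-role port denies every RA, that hop-limit maximum and the flag commands compare against the advertised values, and that any check left unconfigured is bypassed as the page states for router-preference; the class and function names are hypothetical and the RA bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMPV6_ROUTER_ADVERT = 134
# RFC 4191 Default Router Preference (2 bits); reserved 0b10 is read as medium.
PRF_DECODE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PRF_ENCODE = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvert:
    hop_limit: int
    managed: bool
    other: bool
    preference: str


@dataclass
class RaGuardPolicy:
    """Hypothetical container; field names mirror the policy submode commands."""
    device_role: str = "host"
    hop_limit_maximum: Optional[int] = None
    managed_config_flag: Optional[bool] = None
    other_config_flag: Optional[bool] = None
    router_preference_maximum: Optional[str] = None


def parse_ra(icmp: bytes) -> RouterAdvert:
    """Decode the fixed 16-byte RA header defined in RFC 4861."""
    if len(icmp) < 16:
        raise ValueError("truncated Router Advertisement")
    typ, code, _csum, hop, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if typ != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return RouterAdvert(hop, bool(flags & 0x80), bool(flags & 0x40),
                        PRF_DECODE[(flags >> 3) & 0b11])


def validate(policy: RaGuardPolicy, icmp: bytes) -> List[str]:
    """Return the reasons to deny the RA; an empty list means permit."""
    if policy.device_role == "host":
        # Assumption: a host-role port is never allowed to originate RAs.
        return ["device-role host"]
    try:
        ra = parse_ra(icmp)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    # Assumption: an unconfigured check (None) is bypassed.
    if policy.hop_limit_maximum is not None and ra.hop_limit > policy.hop_limit_maximum:
        reasons.append(f"hop-limit {ra.hop_limit} > maximum {policy.hop_limit_maximum}")
    if policy.managed_config_flag is not None and ra.managed != policy.managed_config_flag:
        reasons.append("managed-config-flag mismatch")
    if policy.other_config_flag is not None and ra.other != policy.other_config_flag:
        reasons.append("other-config-flag mismatch")
    limit = policy.router_preference_maximum
    if limit is not None and PRF_RANK[ra.preference] > PRF_RANK[limit]:
        reasons.append(f"router-preference {ra.preference} > maximum {limit}")
    return reasons


def build_ra(hop_limit: int, managed: bool, other: bool, preference: str) -> bytes:
    """Construct a sample RA header (checksum left at zero, no options)."""
    flags = ((0x80 if managed else 0) | (0x40 if other else 0)
             | (PRF_ENCODE[preference] << 3))
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0,
                       hop_limit, flags, 1800, 0, 0)


if __name__ == "__main__":
    # Policy values taken from the show output on this page.
    policy = RaGuardPolicy("router", hop_limit_maximum=1,
                           other_config_flag=True,
                           router_preference_maximum="medium")
    samples = {  # constructed RAs
        "expected router": build_ra(1, False, True, "medium"),
        "unexpected RA": build_ra(64, True, False, "high"),
    }
    for label, packet in samples.items():
        print(label, "->", validate(policy, packet) or "permit")
```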
clear ipv6 route Clears routes from the IPv6 routing table. Syntax clear ipv6 route [vrf vrf-name] {* | A::B/mask} Parameters ● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to clear the IPv6 routes corresponding to that VRF. ● *— Clears all routes and refreshes the IPv6 routing table. Traffic flow for all the routes in the switch is affected. ● A::B/mask — Removes the IPv6 route and refreshes the IPv6 routing table. Traffic flow in the switch is affected only for the specified route.
Usage Information Example Supported Releases ● This command sets an interface in Host mode to perform IPv6 stateless auto-configuration by discovering prefixes on local links, and adding an EUI-64 based interface identifier to generate each IPv6 address. The command disables IPv6 forwarding. Addresses are configured depending on the prefixes received in RA messages.
ipv6 address eui-64 Configures a global IPv6 address on an interface by entering only the network prefix and length. Syntax ipv6 address ipv6-prefix/prefix-length eui-64 Parameters ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format. Defaults None Command Mode INTERFACE Usage Information Use this command to manually configure an IPv6 address in addition to the link-local address generated with stateless autoconfiguration. Specify only the network prefix and length.
Example: Disable hop-by-hop option processing
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# no ipv6 hop-by-hop
Supported Releases 10.4.0E(R1) or later
ipv6 nd dad
Disables or re-enables IPv6 duplicate address discovery (DAD).
Syntax ipv6 nd dad {disable | enable | disable-ipv6-on-dad-failure}
Parameters
● disable — Disable duplicate address discovery on the interface.
● enable — Re-enable IPv6 duplicate address discovery if you have disabled it.
ipv6 nd managed-config-flag
Sends RA messages that tell hosts to use stateful address autoconfiguration, such as DHCPv6, to obtain IPv6 addresses.
Syntax ipv6 nd managed-config-flag
Parameters None
Defaults Not configured
Command Mode INTERFACE
Usage Information The no version of this command disables the managed-config-flag option in RA messages.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd managed-config-flag
Supported Releases 10.4.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd mtu 2500
Supported Releases 10.4.0E(R1) or later
ipv6 nd other-config-flag
Sends RA messages that tell hosts to use stateful autoconfiguration to obtain nonaddress-related information.
Syntax ipv6 nd other-config-flag
Parameters None
Defaults Not configured
Command Mode INTERFACE
Usage Information The no version of this command disables the other-config-flag option in RA messages.
Usage Information ● By default, all prefixes configured in IPv6 addresses on an interface advertise. To advertise all default parameters in the subnet prefixes on an interface, enter the default keyword. ● If you configure a prefix with valid or preferred lifetime values, the ipv6 nd prefix default no autoconfig command does not apply the default prefix values. ● On-link determination is used to forward IPv6 packets to a destination IPv6 address.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd reachable-time 1000
Supported Releases 10.4.0E(R1) or later
ipv6 nd retrans-timer
Sets the time between retransmitting neighbor solicitation messages.
Syntax ipv6 nd retrans-timer seconds
Parameters
● retrans-timer seconds — Enter the retransmission time interval in milliseconds, from 100 to 4292967295.
● next-hop — Enter the next-hop IPv6 address in x:x:x:x::x format. ● interface interface-type — Enter the interface type then the slot/port or number information. The interface types supported are: Ethernet, port-channel, VLAN, and Null. ● route-preference — (Optional) Enter a route-preference range, from 1 to 255. ● bfd — (Optional) Enable BFD on a specific static route. Default Not configured Command Mode CONFIGURATION Usage Information When the interface fails, the system withdraws the route.
● ipv6-address — Enter the IPv6 address of the neighbor in the x:x:x:x::x format. The :: notation specifies successive hexadecimal fields of zero. ● interface interface — Enter interface then the interface type and slot/port or number information: ○ For a 10-Gigabit Ethernet interface, enter TenGigabitEthernet then the slot/port/subport[/subport] information. ○ For a 40-Gigabit Ethernet interface, enter fortyGigE then the slot/port information.
Example (Connected) Example (Summary) Supported Releases OS10# show ipv6 route connected Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change -----------------------------------------------------------------C 2001:db86::/32 via 2001:db8
Open shortest path first OSPF routing is a link-state routing protocol that allows sending link-state advertisements (LSAs) to all other routers within the same autonomous system (AS) area. OSPF LSAs include information about attached interfaces, metrics used, and other attributes. OSPF routers accumulate link-state information, and use the shortest path first (SPF) algorithm to calculate the shortest path to each node. Autonomous system areas OSPF operates in a hierarchy.
Configure all routers within an assigned stub area as stubby and do not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the stubby area routers may not generate external LSAs. A virtual link cannot traverse stubby areas. Networks and neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The Up or Down state of those links is important.
Internal router The internal router (IR) has adjacencies with ONLY routers in the same area—shown as Routers E, F, I, K, and M in the example. Designated and backup designated routers OSPF elects a designated router (DR) and a backup designated router (BDR). The DR generates LSAs for the entire multiaccess network. Designated routers allow a reduction in network traffic and in the size of the topological database.
Type 11—Grace LSA (OSPFv3) Link-local opaque LSA for OSPFv3 only is sent during a graceful restart by an OSPFv3 router. The LSA header is common to LSA types. Its size is 20 bytes. One of the fields of the LSA header is the link-state ID. Each router link is defined as one of four types—type 1, 2, 3, or 4. The LSA includes a link ID field that identifies the object this link connects to, by the network number and mask. Depending on the type, the link ID has different meanings.
1. Configure an OSPF instance from CONFIGURATION mode, from 1 to 65535. router {ospf | ospfv3} instance-number 2. Set OSPF throttling timers in OSPF INSTANCE mode. timers spf [start-time [hold-time [max-wait]]] ● start-time — Configure the initial delay before performing an SPF calculation after a topology change, from 1 to 600000 milliseconds; default 1000.
NOTE: With the redistribute static command in the running configuration, if a static route is configured which is also learned through OSPF, the static route is installed in the routing table even if the static route preference is higher than OSPF. ● Enter the routes that redistribute into the OSPFv2 process in ROUTER-OSPF mode. redistribute {bgp as-number| connected | static} [route-map map-name] ○ bgp | connected | static—Enter a keyword to redistribute those routes.
OS10(config)# router ospfv3 20 OS10(config-router-ospfv3-20)# redistribute static route-map redis-inactive-routes OSPFv2 OSPFv2 supports IPv4 address families. OSPFv2 routers initially exchange hello messages to set up adjacencies with neighbor routers. The hello process establishes adjacencies between routers of the AS. It is not required that every router within the AS areas establish adjacencies.
Enable OSPFv2 in a non-default VRF instance To enable OSPFv2 in a non-default VRF instance: 1. Create a non-default VRF instance in which you want to enable OSPFv2: ip vrf vrf-name 2. Enable OSPF and configure an OSPF instance in VRF CONFIGURATION mode. router ospf instance-number vrf vrf-name 3. Enter the interface information to configure the interface for OSPF in INTERFACE mode. interface ethernet node/slot/port[:subport] 4. Enable the interface in INTERFACE mode. no shutdown 5.
Assign router identifier For managing and troubleshooting purposes, you can assign a router ID for the OSPFv2 process. Use the router’s IP address as the router ID. ● Assign the router ID for the OSPFv2 process in ROUTER-OSPF mode router-id ip-address Assign router ID OS10(config)# router ospf 10 OS10(conf-router-ospf-10)# router-id 10.10.1.5 View OSPFv2 status OS10# show ip ospf 10 Routing Process ospf 10 with ID 10.10.1.
SPF algorithm executed 1 times Area ranges are OS10# show running-configuration ospf ! router ospf 10 area 10.10.5.1 stub Passive interfaces A passive interface does not send or receive routing information. Configuring an interface as a passive interface suppresses both receiving and sending routing updates. Although the passive interface does not send or receive routing updates, the network on that interface is included in OSPF updates sent through other interfaces. 1.
Configure fast convergence OS10(config)# router ospf 65535 OS10(conf-router-ospf-65535)# fast-converge 1 View fast convergence OS10(conf-router-ospf-65535)# do show ip ospf Routing Process ospf 65535 with ID 99.99.99.
6. Change the retransmission interval time, in seconds, between LSAs in INTERFACE mode, from 1 to 3600. The default retransmission interval time is 5. The retransmit interval must be the same on all routers in the OSPF network. ip ospf retransmit-interval seconds 7. Change the wait period between link state update packets sent out the interface in INTERFACE mode, from 1 to 3600. The default wait period is 1. The transmit delay must be the same on all routers in the OSPF network.
View summary address OS10(config-router-ospf-100)# show configuration ! router ospf 100 summary-address 10.0.0.0/8 not-advertise Graceful restart When a networking device restarts, the adjacent neighbors and peers detect the condition. During a graceful restart, the restarting device and neighbors continue to forward the packets without interrupting network performance. The neighbors that help in the restart process are called helper routers.
ip ospf 100 area 0.0.0.0
ip ospf message-digest-key 2 md5 sample12345
Troubleshoot OSPFv2
You can troubleshoot OSPFv2 operations, and check questions for typical issues that interrupt a process.
OSPFv2 commands area default-cost Sets the metric for the summary default route generated by the ABR and sends it to the stub area. Syntax area area-id default-cost cost Parameters ● area-id — Enter the OSPF area in dotted decimal A.B.C.D format or enter a number, from 0 to 65535. ● cost — Enter a cost for the stub area’s advertised external route metric, from 0 to 65535. Default Cost is 1 Command Mode ROUTER-OSPF Usage Information The cost is also referred as reference-bandwidth or bandwidth.
Usage Information The no version of this command disables the route summarizations.
Example OS10(conf-router-ospf-10)# area 0 range 10.1.1.4/8 no-advertise
Supported Releases 10.2.0E or later
area stub
Defines an area as the OSPF stub area.
Syntax area area-id stub [no-summary]
Parameters
● area-id—Set the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-summary—(Optional) Prevents an ABR from sending summary LSAs into the stub area.
Command Mode EXEC
Usage Information This command clears all entries in the OSPF routing table.
Example OS10# clear ip ospf 3 vrf vrf-test process
Supported Releases 10.2.0E or later
clear ip ospf statistics
Clears OSPF traffic statistics.
Syntax clear ip ospf [instance-number] [vrf vrf-name] statistics
Parameters
● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535.
Usage Information The no version of this command disables the distribution of default route.
Example
OS10(config)# router ospf 10
OS10(config-router-ospf-10)# default-information originate always
Supported Releases 10.3.0E or later
default-metric
Assigns a metric value to redistributed routes for the OSPF process.
Syntax default-metric number
Parameters number — Enter a default-metric value, from 1 to 16777214.
Usage Information The no version of this command disables Helper mode.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# graceful-restart role helper-only
Supported Releases 10.3.0E or later
ip ospf area
Attaches an interface to an OSPF area.
Syntax ip ospf process-id area area-id
Parameters
● process-id — Set an OSPF process ID for a specific OSPF process, from 1 to 65535.
● area area-id — Enter the OSPF area ID in dotted decimal A.B.C.
Usage Information If not configured, interface cost is based on the auto-cost command. This command configures OSPF over multiple vendors to ensure that all routers use the same cost. If you manually configure the cost, the calculated cost based on the reference bandwidth does not apply to the interface. The no version of this command removes the IP OSPF cost configuration.
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-1)# ip ospf cost 10
Supported Releases 10.2.
Defaults Not configured
Command Mode INTERFACE
Usage Information All neighboring routers in the same network must use the same key value to exchange OSPF information. The no version of this command deletes the authentication key.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 sample12345
Supported Releases 10.3.
ip ospf passive
Configures an interface as a passive interface and suppresses both receiving and sending routing updates to the passive interface.
Syntax ip ospf passive
Parameters None
Default Not configured
Command Mode INTERFACE
Usage Information You must configure the interface before setting the interface to Passive mode. The no version of this command disables the passive interface configuration.
ip ospf transmit-delay Sets the estimated time required to send a link state update packet on the interface. Syntax ip ospf transmit-delay seconds Parameters seconds — Set the time in seconds required to send a link-state update, from 1 to 3600. Default 1 second Command Mode INTERFACE Usage Information When you set the ip ospf transmit-delay value, take into account the transmission and propagation delays for the interface. The no version of this command resets the value to the default.
maximum-paths
Enables forwarding of packets over multiple paths.
Syntax maximum-paths number
Parameters number — Enter the number of paths for OSPF, from 1 to 128.
Default 64
Command Mode ROUTER-OSPF
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# maximum-paths 1
Supported Releases 10.2.
Usage Information Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPF router process. Changing the router ID brings down the existing OSPF adjacency. The new router ID becomes effective immediately. The no version of this command disables the router ID configuration.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# router-id 10.10.1.5
Supported Releases 10.2.
Supported Releases 10.2.0E or later show ip ospf asbr Displays all the ASBR visible to OSPF. Syntax show ip ospf [process-id] [vrf vrf-name] asbr Parameters ● process-id—(Optional) Displays information based on the process ID. ● vrf vrf-name — (Optional) Displays the ASBR router visible to the OSPF process configured in the specified VRF. Default Not configured Command Mode EXEC Usage Information You can isolate problems with external routes.
112.2.1.1 112.2.1.1 1282 0x8000000b 0x0485 3
112.112.112.1 112.112.112.1 1305 0x80000250 0xbab2 1
112.112.112.2 112.112.112.2 1305 0x80000250 0xbeaa 1
Network (Area 0.0.0.0)
Link ID ADV Router Age Seq# Checksum
110.1.1.2 112.2.1.1 1287 0x80000008 0xd2b1
111.1.1.1 111.2.1.1 1458 0x80000008 0x1b8f
111.2.1.1 111.2.1.1 1458 0x80000008 0x198f
112.1.1.1 112.2.1.1 1372 0x80000008 0x287c
112.2.1.1 112.2.1.1 1372 0x80000008 0x267c
Summary Network (Area 0.0.0.0)
Supported Releases 10.2.
show ip ospf database external Displays information about the AS external Type 5 LSAs. Syntax show ip ospf [process-id] [vrf vrf-name] database external Parameters ● process-id—(Optional) Displays AS external Type 5 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays AS external (Type 5) LSA information for a specified OSPF Process ID corresponding to a VRF.
Usage Information ● ● ● ● ● ● ● ● ● ● ● Example LS Age—Displays the LS age. Options—Displays optional capabilities. LS Type—Displays the LS type. Link State ID—Identifies the router ID. Advertising Router—Identifies the advertising router’s ID. LS Seq Number—Identifies the LS sequence number. This identifies old or duplicate LSAs. Checksum—Displays the Fletcher checksum of an LSA’s complete contents. Length—Displays the LSA length in bytes.
Example
OS10# show ip ospf database nssa external
OSPF Router with ID (2.2.2.2) (Process ID 100)
NSSA External (Area 0.0.0.1)
LS age: 98
Options: (No TOS-Capability, No DC, No Type 7/5 translation)
LS type: NSSA External
Link State ID: 0.0.0.0
Advertising Router: 1.1.1.1
LS Seq Number: 0x80000001
Checksum: 0x430C
Length: 36
Network Mask: /0
Metric Type: 1
TOS: 0
Metric: 16777215
Forward Address: 0.0.0.
LS Seq Number: 0x80000001
Checksum: 0xA303
Length: 36
Network Mask: /24
Metric Type: 2
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
Supported Releases 10.2.0E or later
show ip ospf database opaque-area
Displays information about the opaque-area Type 10 LSA.
Syntax show ip ospf [process-id] [vrf vrf-name] database opaque-area
Parameters
● process-id — (Optional) Displays the opaque-area Type 10 information for an OSPF process ID.
show ip ospf database opaque-as
Displays information about the opaque-as Type 11 LSAs.
Syntax show ip ospf [process-id] opaque-as
Parameters process-id — (Optional) Displays opaque-as Type 11 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
Default Not configured
Command Mode EXEC
Usage Information ● ● ● ● ● ● ● ● ● ● Example LS Age — Displays the LS age.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Opaque Type — Identifies the Opaque type field, the first 8 bits of the LS ID.
● Opaque ID — Identifies the Opaque type-specific ID, the remaining 24 bits of the LS ID.
Example
OS10# show ip ospf 100 database opaque-link
OSPF Router with ID (1.1.1.
LS Seq Number: 0x8000000d
Checksum: 0x9bf2
Length: 60
AS Boundary Router
Number of Links: 3
Link connected to: a Transit Network
(Link ID) Designated Router address: 110.1.1.2
(Link Data) Router Interface address: 110.1.1.1
Number of TOS metric: 0
TOS 0 Metric: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 111.1.1.1
(Link Data) Router Interface address: 111.1.1.
Checksum: 0x4a67 Length: 28 Network Mask: /24 TOS: 0 Metric: 0 Supported Releases 10.2.0E or later show ip ospf interface Displays the configured OSPF interfaces. You must enable OSPF to display output. Syntax show ip ospf interface [process-id] [vrf vrf-name] interface or show ip ospf [process-id] [vrf vrf-name] interface [interface] Parameters ● process-id — (Optional) Displays information for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
111.1.1.0 1 0.0.0.0 vlan3051 0.0.0.0 intra-area
111.2.1.0 1 0.0.0.0 vlan3053 0.0.0.0 intra-area
Supported Releases 10.2.0E or later
show ip ospf statistics
Displays OSPF traffic statistics.
Syntax show ip ospf [instance-number] [vrf vrf-name] statistics [interface interface]
Parameters
● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535.
show ip ospf topology Displays routers that directly connect to OSPF areas. Syntax show ip ospf [process-id] [vrf vrf-name] topology Parameters ● process-id — (Optional) Displays OSPF process information. If you do not enter a process ID, this applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the routers in the directly connected OSPF areas in the configured VRF.
Command Mode ROUTER-OSPF
Usage Information Setting the LSA arrival time between receiving the LSA repeatedly ensures that the system gets enough time to accept the LSA. The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# timers lsa arrival 2000
Supported Releases 10.2.0E or later
timers spf
Enables shortest path first (SPF) throttling to delay an SPF calculation when a topology change occurs.
timers throttle lsa all Configures the LSA transmit intervals. Syntax timers lsa all [start-interval | hold-interval | max-interval] Parameters ● start-interval — Sets the minimum interval between initial sending and re-sending the same LSA in milliseconds, from 0 to 600,000. ● hold-interval — Sets the next interval to send the same LSA in milliseconds. This is the time between sending the same LSA after the start-interval is attempted, from 1 to 600,000.
Enable OSPFv3
OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ipv6 ospfv3 300 area 0.0.0.0
Enable OSPFv3 in a non-default VRF instance
1. Create the non-default VRF instance in which you want to enable OSPFv3:
ip vrf vrf-name
CONFIGURATION Mode
2.
Assign Router ID You can assign a router ID for the OSPFv3 process. Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPFv3 router process. Changing the router ID brings down the existing OSPFv3 adjacency. The new router ID becomes effective immediately. ● Assign the router ID for the OSPFv3 process in ROUTER-OSPFv3 mode.
ADV Router Age Seq# Fragment ID Link count Bits
-------------------------------------------------------------------
199.205.134.103 32 0x80000002 0 1
202.254.156.15 33 0x80000002 0 1 B
Net Link States (Area 0.0.0.2)
ADV Router Age Seq# Link ID Rtr count
----------------------------------------------------------
202.254.156.15 38 0x80000001 12 2
Inter Area Prefix Link States (Area 0.0.0.2)
ADV Router Age Seq# Prefix
-----------------------------------------------------------------
202.254.156.
Interface OSPFv3 Parameters To avoid routing errors, interface parameter values must be consistent across all interfaces. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. 1. Enter the interface to change the OSPFv3 parameters in CONFIGURATION mode. interface interface-name 2. Change the cost associated with OSPFv3 traffic on the interface in INTERFACE mode, from 1 to 65535.
Default route You can generate an external default route and distribute the default information to the OSPFv3 routing domain. ● Generate the default route, using the default-information originate [always] command in ROUTER-OSPFv3 mode.
○ key — Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command.
● Enable IPsec authentication for OSPFv3 packets in an area in Router-OSPFv3 mode.
area area-id authentication ipsec spi number {MD5 | SHA1} key
○ area area-id — Enter an area ID as a number or IPv6 prefix.
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
○ md5 — Enable message digest 5 (MD5) authentication.
○ sha1 — Enable secure hash algorithm 1 (SHA1) authentication.
○ key — Enter the text string used in the authentication type.
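The SPI range and key-length rules above can be checked mechanically before a configuration is pushed. The following Python sketch is an added example, not Dell EMC code: it scans configuration text for the two authentication command forms described here and reports out-of-range or reused SPI values, keys that are not hex or have the wrong length for the algorithm, and `null` authentication. The `audit` function, the constructed sample configuration and the repeated-block key heuristic are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Rules taken from the guide text: hex digits required per algorithm, SPI range.
KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 256, 4294967295

# Strips a leading CLI prompt such as "OS10(conf-if-eth1/1/6)# ".
PROMPT_RE = re.compile(r"^\s*\S*#\s+")
# Matches both documented forms (the "no ..." delete forms do not match):
#   ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key}
#   area area-id authentication ipsec spi number {MD5 | SHA1} key
AUTH_RE = re.compile(
    r"^(?:ipv6\s+ospf|area\s+(?P<area>\S+))\s+authentication\s+"
    r"(?:(?P<null>null)|ipsec\s+spi\s+(?P<spi>\d+)\s+"
    r"(?P<alg>md5|sha1)\s+(?P<key>\S+))$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int   # 1-based line in the audited text
    scope: str     # "area <id>" or the enclosing interface/router line
    issue: str     # short machine-readable code
    detail: str    # human-readable explanation


def audit(config_text):
    """Return a list of Finding objects for OSPFv3 authentication lines."""
    findings = []
    seen_spi = {}          # SPI value -> first line that used it
    scope = "global"
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT_RE.sub("", raw).strip()
        if line.lower().startswith(("interface ", "router ospfv3")):
            scope = line
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        where = f"area {m['area']}" if m["area"] else scope

        def report(issue, detail):
            findings.append(Finding(n, where, issue, detail))

        if m["null"]:
            report("null-auth", "no IPsec authentication on this interface")
            continue
        spi, alg, key = int(m["spi"]), m["alg"].lower(), m["key"]
        if not SPI_MIN <= spi <= SPI_MAX:
            report("spi-range", f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if spi in seen_spi:
            report("spi-reused", f"SPI {spi} first used on line {seen_spi[spi]}")
        else:
            seen_spi[spi] = n
        want = KEY_HEX_DIGITS[alg]
        if not re.fullmatch(r"[0-9a-fA-F]+", key):
            report("key-not-hex", "key contains non-hex characters")
        elif len(key) != want:
            report("key-length", f"{alg} needs {want} hex digits, got {len(key)}")
        elif re.fullmatch(r"(.+?)\1+", key):
            # Heuristic added for this example, not an OS10 rule: a key built
            # from one repeated block (like documentation samples) is guessable.
            report("key-repeating", "key is a repeated block of digits")
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
router ospfv3 100
 area 1 authentication ipsec spi 400 md5 12345678123456781234567812345678
 area 2 authentication ipsec spi 401 sha1 9f2c4e7a1b3d5f60718293a4b5c6d7e8f9012345
interface ethernet 1/1/6
 ipv6 ospf authentication ipsec spi 400 sha1 0a1b2c3d4e5f60718293a4b5c6d7e8f9
interface ethernet 1/1/5
 ipv6 ospf authentication null
interface vlan 10
 ipv6 ospf authentication ipsec spi 100 md5 6b1e90c4d27fa8350e4c19b7a2d6f83c
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no} [{f.scope}] {f.issue}: {f.detail}")
```

The same function accepts lines copied from a terminal session, because a leading `OS10(...)#` prompt is stripped before matching.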
Troubleshoot OSPFv3 You can troubleshoot OSPFv3 operations and check questions for typical issues that interrupt a process.
hex digits. For SHA1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.
Example OS10(config-router-ospfv3-100)# area 1 authentication ipsec spi 400 md5 12345678123456781234567812345678
Supported Releases 10.4.0E(R1) or later
area encryption
Configures encryption for an OSPFv3 area.
Syntax area area-id encryption ipsec spi number esp encryption-type key authentication-type key
Parameters
● area area-id — Enter an area ID as a number or IPv6 prefix.
Usage Information The no version of this command deletes a stub area.
Example
OS10(config)# router ospfv3 10
OS10(conf-router-ospfv3-10)# area 10.10.1.5 stub
Supported Releases 10.3.0E or later
auto-cost reference-bandwidth
Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value.
Default Not configured
Command Mode EXEC
Usage Information This command clears the OSPFv3 traffic statistics in a specified instance or in all the configured OSPFv3 instances, and resets them to zero.
Example OS10# clear ipv6 ospf 100 statistics
Supported Releases 10.4.0E(R1) or later
debug ip ospfv3
Enables Open Shortest Path First version 3 (OSPFv3) debugging and displays messages related to processing of OSPFv3.
Command Mode INTERFACE Usage Information The no version of this command removes an interface from an OSPFv3 area. Example OS10(config)# interface vlan 10 OS10(conf-if-vl-10)# ipv6 ospf 10 area 1 Supported Releases 10.3.0E or later ipv6 ospf authentication Configures OSPFv3 authentication on an IPv6 interface. Syntax ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key} Parameters ● ● ● ● ● Default IPv6 OSPF authentication is not configured on an interface.
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)# ipv6 ospf cost 10
Supported Releases 10.3.0E or later
ipv6 ospf dead-interval
Sets the time interval since the last hello-packet was received from a router. After the interval elapses, the neighboring routers declare the router dead.
Syntax ipv6 ospf dead-interval seconds
Parameters seconds — Enter the dead interval value in seconds, from 1 to 65535.
Example
OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# ipv6 ospf encryption null
Supported Releases 10.4.0E(R1) or later
ipv6 ospf hello-interval
Sets the time interval between hello packets sent on an interface.
Parameters
● point-to-point — Sets the interface as part of a point-to-point network.
● broadcast — Sets the interface as part of a broadcast network.
Default Broadcast
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ipv6 ospf network broadcast
Supported Releases 10.3.
log-adjacency-changes
Enables logging of syslog messages about changes in the OSPFv3 adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPFv3
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# log-adjacency-changes
Supported Releases 10.3.0E or later
maximum-paths
Enables forwarding of packets over multiple paths.
Example (Connected)
OS10(config-router-ospfv3-100)# redistribute connected route-map dell2
Example (AS number notation in asdot+ format)
OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# redistribute bgp 0.100
Supported Releases 10.3.0E or later
router-id
Configures a fixed router ID for the OSPFv3 process.
Syntax router-id ip-address
Parameters ip-address — Enter the IP address of the router as the router ID.
Default None Command Mode EXEC Usage Information None Example Supported Releases OS10# show ipv6 ospf Routing Process ospfv3 200 with ID 1.1.1.1 It is an Area Border Router Min LSA origination 5000 msec, Min LSA arrival 1000 Min LSA hold time 0 msec, Max LSA wait time 0 msec Number of area in this router is 2, normal 2 stub 0 Area (0.0.0.0) Number of interface in this area is 1 SPF algorithm executed 42 times Area (0.0.0.
Net Link States (Area 0.0.0.0)
ADV Router Age Seq# Link ID Rtr count
----------------------------------------------------------
2.2.2.2 1045 0x80000001 5 2
Inter Area Router States (Area 0.0.0.0)
ADV Router Age Seq# Link ID Dest RtrID
---------------------------------------------------------------
1.1.1.1 1605 0x80000027 1 3.3.3.3
Link (Type-8) Link States (Area 0.0.0.0)
ADV Router Age Seq# Link ID Interface
--------------------------------------------------------------------
1.1.1.
Default Not configured
Command Mode EXEC
Usage Information
● Neighbor ID—Displays the neighbor router ID.
● Pri—Displays the priority assigned neighbor.
● State—Displays the OSPF state of the neighbor.
● Dead Time—Displays the expected time until the system declares the neighbor dead.
● Interface ID—Displays the neighbor interface ID.
● Interface—Displays the interface type, node/slot/port or number information.
Example
Supported Releases
Supported Releases 10.4.0E(R1) or later timers spf (OSPFv3) Enables shortest path first (SPF) throttling to delay an SPF calculation when a topology change occurs. Syntax timers spf [start-time [hold-time [max-wait]]] Parameters ● start-time — Sets the initial SPF delay in milliseconds, from 1 to 600000; default 1000. ● hold-time — Sets the additional hold time between two SPF calculations in milliseconds, from 1 to 600000; default 10000.
how you configure the new priority for the tracked state. When the tracked state comes up, VRRP restores the original priority for the virtual router group. Figure 6. Object tracking Interface tracking You can create an object that tracks the line-protocol state of an L2 interface, and monitors its operational up or down status. You can configure up to 500 objects. Each object is assigned a unique ID. When the link-level status goes down, the tracked resource status is also considered Down.
2. (Optional) Enter interface object tracking on the line-protocol state of an L2 interface in OBJECT TRACKING mode.
interface interface line-protocol
3. (Optional) Configure the time delay used before communicating a change to the status of a tracked interface in OBJECT TRACKING mode, from 0 to 80 seconds; default 0.
delay [up seconds] [down seconds]
4. (Optional) View the tracked object information in EXEC mode.
show track object-id
5. (Optional) View all interface object information in EXEC mode.
OS10 (conf-track-2)# do show track 2 IP Host 1.1.1.
View interface object tracking information
OS10# show track interface
TrackID Resource Parameter Status LastChange
---------------------------------------------------------------------------------
1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1
OS10# show track ip
TrackID Resource Parameter Status LastChange
---------------------------------------------------------------------------------
2 ipv4-reachablity 1.1.1.
● mgmt — Enter the Management interface.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(conf-track-100)# interface ethernet line-protocol
Supported Releases 10.3.0E or later
ip reachability
Configures an object to track a specific next-hop host's reachability.
Syntax ip host-ip-address reachability
Parameters host-ip-address — Enter the IPv4 host address.
Defaults 0 seconds Command Mode CONFIGURATION Usage Information Set the interval to 0 to disable the refresh. Example Supported Releases OS10(conf-track-100)# reachability-refresh 600 10.3.0E or later show track Displays tracked object information. Syntax show track [brief] [object-id] [interface] [ip | ipv6] Parameters ● ● ● ● ● Defaults None Command Mode CONFIGURATION Usage Information None Example (Brief) Supported Releases brief — (Optional) Displays brief tracked object information.
Policy-based routing PBR provides a mechanism to redirect IPv4 and IPv6 data packets based on the policies defined to override the switch’s forwarding decisions based on the routing table. Policy-based route-maps A route-map is an ordered set of rules that controls the redistribution of IP routes into a protocol domain. When you enable PBR on an interface, all IPv4 or IPv6 data packets process based on the policies that you define in the route-maps.
Apply match and set parameters to IPv6 route-map
OS10(conf-route-map)# route-map map1
OS10(conf-route-map)# match ipv6 address acl8
OS10(conf-route-map)# set ipv6 next-hop 20::20
Assign route-map to interface
You can assign a route-map to an interface for IPv4 or IPv6 policy-based routing.
● Assign the IPv4 or IPv6 policy-based route-map to an interface in INTERFACE mode.
Policy-based routing per VRF Configure PBR per VRF instance for both IPv4 and IPv6 traffic flows. Policy-based routing (PBR) enables packets with certain match criteria, such as packets from specific source and destination addresses, to be re-directed to a different next-hop. You can also use PBR to re-direct packets arriving on a VRF instance to a next-hop that is reachable through a different VRF instance.
SW1 VLAN configuration
● Create a VLAN and assign an IP address to it which acts as the gateway for the hosts in the VM.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.1/24
OS10(conf-if-vl-100)# exit
● Create another VLAN, and assign an IP address to it.
OS10# configure terminal
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.
3. Specify the management IP address of the VLT peer as a backup link.
OS10(conf-vlt-1)# backup destination 10.10.10.2
4. Configure VLT port channels.
OS10(conf-if-vl-200)# ip address 10.2.1.3/24
OS10(conf-if-vl-200)# exit
VLT configuration
1. Create a VLT domain, and configure VLTi.
OS10(config)# interface range ethernet 1/1/4-1/1/5
OS10(conf-range-eth1/1/4-1/1/5)# no switchport
OS10(conf-range-eth1/1/4-1/1/5)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5
2. Configure a VLT MAC address.
OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54
3. Specify the management IP address of the VLT peer as a backup link.
Using the following PBR configuration, you can re-direct traffic ingressing to VRF RED to a destination that is reachable through the next-hop IP address 2.2.2.2 in VRF BLUE:
1. Create a route-map.
OS10(config)# route-map test
2. Enter the IP address to match the specified access list.
OS10(config-route-map)# match ip 4.4.4.4 acl1
3. Set the next-hop address to 2.2.2.2, which is reachable through VRF BLUE.
OS10(config-route-map)#
OS10(config-route-map)# set ip vrf BLUE next-hop 2.2.2.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)#
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)# exit
3. Configure the route-map.
route-map route-map-name
OS10(config-route-map)#
OS10(config-route-map)# match ip address acl1
4. Set the track ID configured in step 1 to the route-map.
set ip vrf vrf-name next-hop next-hop-address track-id track-id-number
OS10(config-route-map)# set ip vrf red next-hop 1.1.1.1 track-id 200
5.
seq 30 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 21
seq 40 permit icmp 10.99.0.0/16 10.0.0.0/8
● Create a route-map to block specific traffic from PBR processing.
route-map TEST-RM deny 5
 match ip address TEST-ACL-DENY
● Create a route-map to permit traffic for PBR processing.
route-map TEST-RM permit 10
 match ip address TEST-ACL
 set ip next-hop 10.0.40.235
● Apply the policy to the previously created interface.
PBR commands
clear route-map pbr-statistics
Clears all PBR counters.
Syntax clear route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example OS10# clear route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
match address
Matches the access-list to the route-map.
Syntax match {ip | ipv6} address [name]
Parameters name—Enter the name of an access-list.
route-map pbr-statistics
Enables counters for PBR statistics.
Syntax route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
set next-hop
Sets an IPv4 or IPv6 next-hop address for policy-based routing.
Command Mode ROUTE-MAP Usage Information You must configure next-hop IP address tracking and PBR next-hop with the same VRF instance. For next-hop reachability in the same VRF instance, you must configure both PBR per VRF and object tracking. Missing either the next-hop IP address tracking or PBR next-hop configuration in a VRF instance results in an erroneous configuration. However, the system does not display an error message indicating problems in the configuration.
VRRP: ● Provides a virtual default routing platform ● Provides load balancing ● Supports multiple logical IP subnets on a single LAN segment ● Enables simple traffic routing without the single point of failure of a static default route ● Avoids issues with dynamic routing and discovery protocols ● Takes over a failed default router: ○ Within a few seconds ○ With a minimum of VRRP traffic ○ Without any interaction from hosts NOTE: ● The default behavior of VRRP is active-active.
The example shows a typical network configuration using VRRP. Instead of configuring the hosts on network 10.10.10.0 with the IP address of either Router A or Router B as the default router, the default router of all hosts is set to the IP address of the virtual router. When any host on the LAN segment requests Internet access, it sends packets to the IP address of the virtual router.
interface ethernet 1/1/5
ip address 10.10.10.1/24
!
vrrp-group 254
no shutdown
...
Group version
Configure a VRRP version for the system. Define either VRRPv2 — vrrp version 2 or VRRPv3 — vrrp version 3.
● Configure the VRRP version for IPv4 in INTERFACE mode.
vrrp version
Configure VRRP version 3
OS10(config)# vrrp version 3
1. Set the switch with the lowest priority to vrrp version 2.
2. Set the switch with the highest priority to vrrp version 3.
3. Set all switches from vrrp version 2 to vrrp version 3.
1. Configure a VRRP group in INTERFACE mode, from 1 to 255.
vrrp-group vrrp-id
2. Configure virtual IP addresses for this VRRP ID in INTERFACE-VRRP mode. A maximum of 10 IP addresses.
virtual-address ip-address1 [...ip-address10]
Configure virtual IP address
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# vrrp-group 10
OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.
Configure virtual IP address in a VRF
You can configure a VRRP group in a non-default VRF instance and assign a virtual address to this group. To configure VRRP under a specific VRF:
1. Create the non-default VRF in which you want to configure VRRP.
ip vrf vrf-name
CONFIGURATION Mode
2. In the VRF Configuration mode, enter the desired interface.
interface interface-id
VRF CONFIGURATION Mode
3. Remove the interface from L2 switching mode.
no switchport
INTERFACE CONFIGURATION Mode
4.
Set VRRP group priority
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# vrrp-group 254
OS10(conf-eth1/1/5-vrid-254)# priority 200
Verify VRRP group priority
OS10(conf-eth1/1/5-vrid-254)# do show vrrp 254
Interface : ethernet1/1/5 IPv4 VRID : 254 Primary IP Address : 10.1.1.1 State : master-state Virtual MAC Address : 00:00:5e:00:01:01 Version : version-3 Priority : 200 Preempt : Hold-time : Authentication : no-authentication Virtual IP address : 10.1.1.
You must configure all virtual routers in the VRRP group with the same settings. Configure all routers with preempt enabled or configure all with preempt disabled. 1. Create a virtual router for the interface with the VRRP identifier in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Prevent any backup router with a higher priority from becoming the Master router in INTERFACE-VRRP mode.
Change advertisement interval
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# vrrp-group 1
OS10(conf-eth1/1/1-vrid-1)# advertise-interval centisecs 200
View running configuration
OS10(conf-eth1/1/1-vrid-1)# do show running-configuration
! Version 10.1.9999P.2281
! Last configuration change at Jul 26 12:22:33 2016
!
aaa authentication system:local
!
interface ethernet1/1/1
ip address 10.1.1.
Configure interface tracking
OS10(config)# track 10
OS10(conf-track-10)# interface ethernet 1/1/7 line-protocol
View running configuration
OS10(conf-track-10)# do show running-configuration
! Version 10.1.9999P.2281
! Last configuration change at Jul 27 03:24:01 2016
!
aaa authentication system:local
!
interface ethernet1/1/1
ip address 10.1.1.1/16
no switchport
no shutdown
!
vrrp-group 1
priority 200
virtual-address 10.1.1.
Default 1 second or 100 centisecs
Command Mode INTERFACE-VRRP
Usage Information Dell EMC recommends keeping the default setting for this command. If you change the time interval between VRRP advertisements on one router, change it on all routers. The no version of this command sets the VRRP advertisements timer interval back to its default value, 1 second or 100 centisecs.
Example OS10(conf-eth1/1/6-vrid-250)# advertise-interval 120 centisecs 100
Supported Releases 10.2.
Default 100
Command Mode INTERFACE-VRRP
Usage Information To guarantee that a VRRP group becomes master, configure the priority of the VRRP group to 254, which is the highest priority. OS10 does not support priority 255. The no version of this command resets the value to the default of 100.
Example OS10(conf-eth1/1/5-vrid-254)# priority 200
Supported Releases 10.2.0E or later
show vrrp
Displays VRRP group information.
● priority cost value — (Optional) Enter a cost value to subtract from the priority value, from 1 to 254. Default 10 Command Mode INTERFACE-VRRP Usage Information If you disable the interface, the cost value subtracts from the priority value and forces a new master election. This election process is applicable when the priority value is lower than the priority value in the backup virtual router. You can associate only one track object with a VRRP group.
Example OS10(conf-eth1/1/5-vrid-254)# virtual-address 10.1.1.15
Supported Releases 10.2.0E or later
vrrp delay reload
Sets the delay time for VRRP initialization after a system reboot.
Syntax vrrp delay reload seconds
Parameters seconds — Enter the number of seconds for the VRRP reload time, from 0 to 900.
Default 0
Command Mode CONFIGURATION
Usage Information VRRP delay reload time of zero seconds indicates no delays. This command configuration applies to all the VRRP configured interfaces.
Usage Information   The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets. The no version of this command removes the vrrp-ipv6-group configuration.
Example             OS10(conf-if-eth1/1/7)# vrrp-ipv6-group 250
Supported Releases  10.2.0E or later

vrrp version
Sets the VRRP version for the IPv4 group.

Syntax              vrrp version {2 | 3}
Parameters          ● 2 — Set to VRRP version 2.
15 Multicast

Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
OS10 does not support the following:
● Fast leave support with a prefix list
● IGMPv2 SSM mapping
● Static multicast group configuration
● Simple Network Management Protocol (SNMP) MIB for Internet Group Management Protocol (IGMP) or Protocol Independent Multicast (PIM)

NOTE: Layer 3 (L3) PIM and IGMP multicast is not supported on the S3048-ON switch. IGMP and Multicast Listener Discovery (MLD) snooping is supported on all switches.
The following describes a scenario where a multicast frame is flooded on all ports of all switches. The switches and hosts in the network need not receive these frames because they are not the intended destinations. With multicast flood control, multicast frames, whose destination is not known, are forwarded only to the designated mrouter port. OS10 learns of the mrouter interface dynamically based on the interface where an IGMP membership query is received.
Enable multicast flood control

Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control:
1. Configure IGMP snooping. To know how to configure IGMP snooping, see the IGMP snooping section.
2. Configure MLD snooping. To know how to configure MLD snooping, see the MLD Snooping section.
3. Enable the multicast flood control feature.
For multicast flood restrict to be effective on a VLAN, IGMP snooping and MLD snooping must be enabled at both global and VLAN levels. To disable multicast snooping flood control, use the no multicast snooping flood-restrict command.

Example             OS10(config)# multicast snooping flood-restrict
Supported Releases  10.4.3.0 or later

Internet Group Management Protocol

Internet Group Management Protocol (IGMP) is a communications protocol that establishes multicast group memberships using IPv4 networks.
Supported IGMP versions

IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2 obsoletes version 1. OS10 supports the following IGMP versions:
● Router—IGMP versions 2 and 3. The default is version 3.
● Host—IGMP versions 1, 2, and 3.

In IGMP version 2, the host expresses interest in a particular group membership (*, G).
IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a leave message. Immediate leave does not send group-specific or group-and-source queries before deleting the entry.

To configure IGMP immediate leave:

OS10# configure terminal
OS10# interface vlan14
OS10(conf-if-vl-14)# ip igmp immediate-leave

Select an IGMP version

OS10 enables IGMP version 3 by default.
To view IGMP groups:

OS10# show ip igmp groups
Total Number of Groups: 100
IGMP Connected Group Membership
Group Address    Interface    Mode
225.1.1.1        vlan121      IGMPv2-Compat
225.1.1.2        vlan121      IGMPv2-Compat
225.1.1.3        vlan121      IGMPv2-Compat
225.1.1.4        vlan121      IGMPv2-Compat
225.1.1.5        vlan121      IGMPv2-Compat
225.1.1.6        vlan121      IGMPv2-Compat
225.1.1.7        vlan121      IGMPv2-Compat
225.1.1.8        vlan121      IGMPv2-Compat
225.1.1.9        vlan121      IGMPv2-Compat
225.1.1.10       vlan121      IGMPv2-Compat
225.1.1.11       vlan121      IGMPv2-Compat
225.1.1.
● IGMP snooping dynamically detects the mrouter interface based on IGMP queries that it receives. If more than one multicast router is connected to the snooping switch, one of them sends IGMP queries, and the interface connected to that router is dynamically learned as an mrouter port. You must configure the interfaces connected to the other multicast routers as static mrouter ports.
● (Optional) Configure the IGMP version using the ip igmp version version-number command in VLAN INTERFACE mode.
IGMP snooping querier is disabled on this interface
Multicast flood-restrict is enabled on this interface

show ip igmp snooping mrouter
Interface    Router Ports
Vlan 100     ethernet 1/1/32

IGMP commands

clear ip igmp groups
Clears entries from the group cache table.

Syntax              clear ip igmp [vrf vrf-name] groups
Parameters          vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Default             None
Command Mode        EXEC
Usage Information   None
Example             OS10# clear ip igmp groups
Supported Releases  10.4.3.
Parameters          milliseconds—Enter the amount of time in milliseconds to configure the time interval between group-specific query messages. The range is from 100 to 65535.
Default             1000 milliseconds
Command Mode        INTERFACE
Usage Information   None
Example             OS10# configure terminal
                    OS10# interface vlan11
                    OS10(conf-if-vl-11)# ip igmp last-member-query-interval 200
Supported Releases  10.4.3.0 or later

ip igmp query-interval
Changes the frequency of IGMP general queries sent by the querier.
ip igmp snooping enable
Enables IGMP snooping globally.

Syntax              ip igmp snooping enable
Parameters          None
Default             Enabled
Command Mode        CONFIGURATION
Usage Information   The no version of this command disables IGMP snooping.
Example             OS10(config)# ip igmp snooping enable
Supported Releases  10.4.0E(R1) or later

ip igmp snooping
Enables IGMP snooping on the specified VLAN interface.

Syntax              ip igmp snooping
Parameters          None
Default             Depends on the global configuration.
ip igmp snooping last-member-query-interval
Configures the time interval between group-specific IGMP query messages.

Syntax              ip igmp snooping last-member-query-interval query-interval-time
Parameters          query-interval-time—Enter the query time interval in milliseconds, from 100 to 65535.
Default             1000 milliseconds
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command resets the last member query interval time to the default value.
ip igmp snooping query-interval
Configures the time interval for sending IGMP general queries.

Syntax              ip igmp snooping query-interval query-interval-time
Parameters          query-interval-time—Enter the interval time in seconds, from 2 to 18000.
Default             60 seconds
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command resets the query interval to the default value.
Example             OS10(config)# interface vlan 100
                    OS10(conf-if-vl-100)# ip igmp snooping query-interval 120
Supported Releases  10.
show ip igmp groups
Displays the IGMP groups.

Syntax              show ip igmp [vrf vrf-name] groups [group-address [detail] | detail | interface-name [group-address [detail]]]
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● group-address—Enter the group address in dotted decimal format to view specific group information.
                    ● interface-name—Enter the interface name.
Example             OS10# show ip igmp interface
                    Vlan103 is up, line protocol is up
                    Internet address is 2.1.1.2
                    IGMP is enabled on interface
                    IGMP version is 3
                    IGMP query interval is 60 seconds
                    IGMP querier timeout is 130 seconds
                    IGMP last member query response interval is 1000 ms
                    IGMP max response time is 10 seconds
                    IGMP immediate-leave is disabled on this interface
                    IGMP joins count: 0
                    IGMP querying router is 2.1.1.1
                    Vlan121 is up, line protocol is up
                    Internet address is 121.1.1.
00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.4    vlan3031    IGMPv2-Compat    00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.5    vlan3031    IGMPv2-Compat    00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.6    vlan3031    IGMPv2-Compat    00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.7    vlan3031    IGMPv2-Compat    00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.
00:01:44
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1

Example (with detail) Example (with VLAN)

OS10# show ip igmp snooping groups detail
Interface vlan10
Group 234.1.1.1
Source List
-
Member Port       Mode       Uptime
ethernet1/1/36    Exclude    00:01:33
ethernet1/1/38    Exclude    00:01:33
15.1.1.1
Member Port       Mode       Uptime
ethernet1/1/36    Exclude    00:01:33
21.1.1.
Supported Releases  10.4.0E(R1) or later

show ip igmp snooping groups detail
Displays the IGMP source information along with detailed member port information.

Syntax              show ip igmp snooping groups [vlan vlan-id [ip-address]]
                    show ip igmp snooping groups [vlan vlan-id] [group ip-address] detail
Parameters          ● vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093.
                    ● ip-address—(Optional) Enter the IP address of the multicast group.
Source List
101.41.0.21
Member Port       Mode       Uptime         Expires
port-channel51    Include    1d:20:26:07    00:01:41
--more--

Example (with VLAN and multicast IP address) Example (with PVLAN) Supported Releases

OS10# show ip igmp snooping groups vlan 3041 232.11.0.0 detail
Interface vlan3041
Group 232.11.0.0
Source List
101.41.0.
Example             OS10# show ip igmp snooping interface
                    Vlan3031 is up, line protocol is up
                    IGMP version is 3
                    IGMP snooping is enabled on interface
                    IGMP snooping query interval is 60 seconds
                    IGMP snooping querier timeout is 130 seconds
                    IGMP snooping last member query response interval is 1000 ms
                    IGMP Snooping max response time is 10 seconds
                    IGMP snooping fast-leave is disabled on this interface
                    IGMP snooping querier is enabled on this interface
                    Vlan3032 is up, line protocol is up
                    IGMP version is 3
                    IGMP snooping is e
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface
Multicast snooping flood-restrict is enabled on this interface

Example (with PVLAN) Supported Releases

OS10# show ip igmp snooping interface vlan 100
Vlan100 is up, line protocol is up
Isolated VLAN: 200
Community VLANs: 300, 350-355
IGMP version is 3
IGMP snooping is enabled on interface
IGMP snooping query interval is 60 seconds
IGMP snooping querier timeout is 130 seconds
IGMP snooping last member
Example (with VLAN) OS10# show ip igmp snooping mrouter vlan 3031
                    Interface    Router Ports
                    vlan3031     port-channel31
Supported Releases  10.4.0E(R1) or later

show ip igmp snooping summary
Displays the number of IGMP-enabled snooping instances.
● (Optional) The fast leave option allows the MLD snooping switch to remove an interface from the multicast group immediately on receiving the leave message. Enable fast leave with the ipv6 mld snooping fast-leave command in VLAN INTERFACE mode.
● (Optional) Configure the time interval for sending MLD general queries with the ipv6 mld snooping query-interval query-interval-time command in VLAN INTERFACE mode.
MLD snooping max response time is 10 seconds
MLD snooping fast-leave is disabled on this interface
MLD snooping querier is disabled on this interface

OS10# show ipv6 mld snooping interface vlan 2
Vlan2 is up, line protocol is up
MLD version is 2
MLD snooping is enabled on interface
MLD snooping query interval is 60 seconds
MLD snooping querier timeout is 130 seconds
MLD snooping last member query response interval is 1000 ms
MLD snooping max response time is 10 seconds
MLD snooping fast-leave is disabled on
ipv6 mld snooping fast-leave
Enables fast leave in MLD snooping for the specified VLAN.

Syntax              ipv6 mld snooping fast-leave
Parameters          None
Default             Disabled
Command Mode        VLAN INTERFACE
Usage Information   The fast leave option allows the MLD snooping switch to remove an interface from the multicast group immediately on receiving the leave message. The no version of this command disables the fast leave functionality.
ipv6 mld snooping querier
Enables MLD querier on the specified VLAN interface.

Syntax              ipv6 mld snooping querier
Parameters          None
Default             Not configured
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command disables the MLD querier on the VLAN interface.
Example             OS10(config)# interface vlan 100
                    OS10(conf-if-vl-100)# ipv6 mld snooping querier
Supported Releases  10.4.1.0 or later

ipv6 mld snooping query-interval
Configures the time interval for sending MLD general queries.
ipv6 mld version
Configures the MLD version.

Syntax              ipv6 mld version version-number
Parameters          version-number—Enter the version number as 1 or 2.
Default             2
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command resets the version number to the default value.
Example             OS10(config)# interface vlan 100
                    OS10(conf-if-vl-100)# ipv6 mld version 1
Supported Releases  10.4.1.0 or later

show ipv6 mld snooping groups
Displays MLD snooping group membership details.
Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff02::2          vlan3532    Exclude        00:01:47
ff0e:225:2::     vlan3532    MLDv1Compat    00:01:56
Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:2::1    vlan3532    MLDv1Compat    00:01:56
Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:2::2    vlan3532    MLDv1Compat    00:01:56
Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
Usage Information   None
Example             OS10# show ipv6 mld snooping groups detail
                    Interface vlan3041
                    Group ff02::2
                    Source List
                    -
                    Member Port         Mode       Uptime         Expires
                    port-channel31      Exclude    2d:11:57:08    00:01:44
                    Interface vlan3041
                    Group ff3e:232:b::
                    Source List
                    2001:101:29::1b
                    Member Port         Mode       Uptime         Expires
                    port-channel31      Include    2d:11:50:17    00:01:42
                    ethernet1/1/51:1    Include    2d:11:50:36    00:01:38
                    ethernet1/1/52:1    Include    2d:11:50:36    00:01:25
                    Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00:01:29 00:01:25 00:01
Example (with PVLAN) Supported Releases

OS10# show ipv6 mld snooping groups detail
Interface Vlan 100
Private-VLAN Type : Primary
Group ff02::2
Source List
----------
Member Port       Mode       Uptime      Expires
port-channel11    Exclude    15:50:28    00:01:28
port-channel12    Exclude    15:50:33    00:01:25
port-channel13    Exclude    15:50:29    00:01:22
Interface Vlan 200
Private-VLAN Type : Isolated
Group ff02::2
Source List
----------
Member Port       Mode       Uptime      Expires
port-channel11    Exclude    15:50:28    00:01:28
Interface Vlan 300
Private-VLAN
MLD snooping last member query response interval is 1000 ms
MLD snooping max response time is 10 seconds
MLD snooping fast-leave is disabled on this interface
MLD snooping querier is disabled on this interface
Multicast flood-restrict is enabled on this interface

Example (with PVLAN) Supported Releases

OS10# show ipv6 mld snooping interface vlan 100
Vlan 100 is up, line protocol is up
Isolated VLAN: 200
Community VLANs: 300, 350-355
MLD snooping is enabled on interface
MLD snooping query interval is 60 se
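
The VLAN-level precondition for multicast flood control (IGMP snooping, MLD snooping and flood-restrict all enabled on the VLAN) can be checked across many VLANs from the two snooping interface outputs. The following Python audit is an added example, not Dell EMC code; the sample output is constructed, and the wording of the "disabled" lines is an assumption that mirrors the "enabled" lines shown in this guide. It covers the VLAN level only, not the global setting.

```python
import re

# Constructed sample output, modelled on the "show ip igmp snooping interface" and
# "show ipv6 mld snooping interface" examples in this guide. The "disabled" wording
# is an assumption that mirrors the "enabled" lines the guide shows.
IGMP_OUTPUT = """\
Vlan3031 is up, line protocol is up
IGMP version is 3
IGMP snooping is enabled on interface
IGMP snooping query interval is 60 seconds
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface
Multicast snooping flood-restrict is enabled on this interface
Vlan3032 is up, line protocol is up
IGMP snooping is disabled on interface
Multicast snooping flood-restrict is enabled on this interface
Vlan3033 is up, line protocol is up
IGMP snooping is enabled on interface
Multicast snooping flood-restrict is enabled on this interface
Vlan3034 is up, line protocol is up
IGMP snooping is enabled on interface
Multicast snooping flood-restrict is disabled on this interface
"""

MLD_OUTPUT = """\
Vlan 3031 is up, line protocol is up
MLD version is 2
MLD snooping is enabled on interface
MLD snooping querier is disabled on this interface
Multicast flood-restrict is enabled on this interface
Vlan 3032 is up, line protocol is up
MLD snooping is enabled on interface
Multicast flood-restrict is enabled on this interface
Vlan 3034 is up, line protocol is up
MLD snooping is enabled on interface
Multicast flood-restrict is disabled on this interface
"""

# The guide prints the VLAN header both as "Vlan3031" and as "Vlan 100".
HEADER = re.compile(r"^Vlan\s*(\d+) is \w+, line protocol is \w+", re.I)
SNOOPING = re.compile(r"^(IGMP|MLD) snooping is (\w+) on interface$", re.I)
# The guide prints this line both with and without the word "snooping".
FLOOD = re.compile(
    r"^Multicast (?:snooping )?flood-restrict is (\w+) on this interface$", re.I
)


def parse_snooping_interfaces(text):
    """Return {vlan_id: {"igmp"/"mld"/"flood": bool}}, holding only reported keys."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = vlans.setdefault(int(match.group(1)), {})
        elif current is not None:
            match = SNOOPING.match(line)
            if match:
                current[match.group(1).lower()] = match.group(2).lower() == "enabled"
                continue
            match = FLOOD.match(line)
            if match:
                current["flood"] = match.group(1).lower() == "enabled"
    return vlans


def audit_flood_control(igmp_text, mld_text):
    """Return {vlan_id: [problems]} for VLANs that miss a flood-restrict precondition.

    Fails closed: a state that is not reported as "enabled" counts as not enabled,
    so a VLAN missing from one of the two outputs is flagged.
    """
    igmp = parse_snooping_interfaces(igmp_text)
    mld = parse_snooping_interfaces(mld_text)
    findings = {}
    for vlan in sorted(set(igmp) | set(mld)):
        i, m = igmp.get(vlan, {}), mld.get(vlan, {})
        problems = []
        if not i.get("igmp", False):
            problems.append("IGMP snooping not enabled")
        if not m.get("mld", False):
            problems.append("MLD snooping not enabled")
        flood_states = [d["flood"] for d in (i, m) if "flood" in d]
        if not flood_states or not all(flood_states):
            problems.append("flood-restrict not enabled")
        if problems:
            findings[vlan] = problems
    return findings


if __name__ == "__main__":
    for vlan, problems in audit_flood_control(IGMP_OUTPUT, MLD_OUTPUT).items():
        print(f"vlan{vlan}: {', '.join(problems)}")
```
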
Multicast snooping on VLANs

OS10 supports multicast snooping (IGMP and MLD snooping) on all the supported platforms in the Full Switch Mode and the SmartFabric Services Mode. Starting from Release 10.5.2.1 and later releases:
● OS10 supports multicast snooping with VLAN scale profile configuration. However, this support is not available on the S4200-ON series switches.
● To enable the snooping querier functionality on scaled VLANs, you must use the mode l3 command.
Table 71. SmartFabric Services Mode (continued) Scale profile VLAN configu ration Upgrade from 10.5.0.x or earlier to 10.5.2.1 or later Upgrade from 10.5.1.0 to 10.5.2.1 or later NOTE: Multicast snooping configuration is enabled at the global as well. Enabled ● Global: Disabled ● Per VLAN: Enabled ● Global: Enabled ● Global: Disabled ● Per VLAN: Disabled ● Per VLAN: Enabled NOTE: Multicast snooping is disabled at the per VLAN interface level and enabled globally. Restrictions instances.
Table 72. PIM terminology (continued)

Terminology                 Definition
Shortest path tree (SPT)    The root node of the SPT is the multicast source. The multicast traffic routes to the receiver on the shortest path. This setup reduces network latency and traffic congestion at the RP.
Outgoing interface (OIF)    The OIF is the interface through which a multicast packet is sent out towards the receiver.
4. Configure an IP address for each interface of the nodes in the PIM-SM topology in INTERFACE mode.

   ip address A.B.C.D/prefix-length

5. Enable a routing protocol (OSPF) for route updates in INTERFACE mode.

   ip ospf ospf-instance area area-address

Sample configuration in FHR node:

FHR# configure terminal
FHR(config)#
FHR(config)# ip multicast-routing
FHR(config)# interface ethernet 1/1/31
FHR(conf-if-eth1/1/31)# no switchport
FHR(conf-if-eth1/1/31)# ip address 3.3.3.
The show ip pim neighbor command displays the PIM neighbor of FHR and the interface to reach the neighbor.

FHR# show ip pim neighbor
Neighbor Address    Interface         Uptime/Expires       Ver    DR Priority/Mode
--------------------------------------------------------------------------------------------
2.2.2.1             ethernet1/1/17    00:04:31/00:01:43    v2     1 / S
3.3.3.1             ethernet1/1/31    00:05:45/00:01:31    v2     1 / S
FHR#

The show ip pim rp mapping command displays the multicast groups to RP mapping and information about how RP is learned.
Sample configuration in LHR node:

LHR# configure terminal
LHR(config)# ip multicast-routing
LHR(config)# interface ethernet 1/1/17
LHR(conf-if-eth1/1/17)#
LHR(conf-if-eth1/1/17)# no switchport
LHR(conf-if-eth1/1/17)# ip address 1.1.1.1/24
LHR(conf-if-eth1/1/17)# ip pim sparse-mode
LHR(conf-if-eth1/1/17)# ip ospf 1 area 0
LHR(conf-if-eth1/1/17)# exit
LHR(config)#
LHR(config)# interface ethernet 1/1/29
LHR(conf-if-eth1/1/29)# no switchport
LHR(conf-if-eth1/1/29)# ip address 2.2.2.
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(22.1.1.10, 224.1.1.1), uptime 00:02:20, expires 00:01:09, flags: T
Incoming interface: ethernet1/1/48, RPF neighbor 0.0.0.0
Outgoing interface list: ethernet1/1/17 Forward/Sparse 00:00:19/00:03:10

The show ip pim mcache command output displays multicast route entries.

FHR# show ip pim mcache
PIM Multicast Routing Cache Table
(22.1.1.10,224.1.1.
Outgoing interface list: vlan2001 Forward/Sparse 00:00:05/Never

LHR# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 224.1.1.1)
Incoming interface : ethernet1/1/29
Outgoing interface list : vlan2001
(22.1.1.10,224.1.1.1)
Incoming interface : ethernet1/1/17
Outgoing interface list : vlan2001

PIM-SSM

PIM-SSM uses source-based trees. A separate multicast distribution tree is built for each multicast source that sends data to a multicast group.
2. Enable PIM-SSM for the range of addresses using the ip pim ssm-range command.

   OS10(config)# ip pim ssm-range ssm-1

You can use the show ip pim ssm-range command to view the groups added in PIM-SSM configuration.

OS10# show ip pim ssm-range
Group Address / MaskLen
236.0.0.0 / 8

PIM-SSM sample configuration

This section describes how to enable PIM-SSM using the topology shown in the following illustration.
R1(config)# interface Lo0
R1(conf-if-lo-0)# ip vrf forwarding red
R1(conf-if-lo-0)# ip address 2.2.2.
R2(conf-if-po-11)# interface port-channel 11
R2(conf-if-po-11)# ip vrf forwarding red
R2(conf-if-po-11)# ip address 193.1.1.2/24
R2(conf-if-po-11)# ip pim sparse-mode
R2(conf-if-po-11)# no shutdown
R2(conf-if-po-11)# end
R2# configure terminal
R2(config)# interface Lo0
R2(conf-if-lo-0)# ip vrf forwarding red
R2(conf-if-lo-0)# ip address 4.4.4.
The show ip pim vrf red mcache command output displays multicast route entries.

R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : ethernet1/1/7
Outgoing interface list : port-channel11

Use the following show commands on R2:

The show ip igmp vrf red groups command output displays the IGMP database.

R2# show ip igmp vrf red groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address    Interface    Mode
224.1.1.
Configure static rendezvous point

The rendezvous point (RP) is an interface on a router that acts as the root to a group-specific tree; every group must have an RP. You must configure the RP on all nodes in your network.

To configure a static RP:

OS10# configure terminal
OS10(config)# ip pim rp-address 171.1.1.1 group-address 225.1.1.
Every PIM router within a domain must map a particular multicast group address to the same RP. With BSR, group-to-RP mapping is dynamic. You can configure a subset of routers within a domain as C-RPs. Each PIM router selects an RP for a multicast group from the list of group-to-RP mappings learnt from the BSR messages.

The RP election process is:
1. The C-BSRs announce their candidacy throughout the domain in BSMs. Each BSM contains a BSR priority. The C-BSR with the highest priority becomes the BSR.
2.
2. (Optional) Configure the BSR timer.

   OS10(config)# ip pim bsr-candidate-timers ethernet 1/1/9 advt-interval 40

   To view the BSR timer value:

   OS10# show ip pim bsr-router
   This system is the Bootstrap Router (v2)
   BSR address: 10.1.1.8
   BSR Priority: 255, Hash mask length: 31
   Next bootstrap message in 00:00:39
   This system is a candidate BSR
   Candidate BSR address: 11.1.1.8, priority: 255, hash mask length: 31

3. Configure candidate RP.
Next Cand_RP_advertisement in 00:00:09
RP: 10.1.2.8(loopback10)

To view RP-mapping details:

OS10# show ip pim rp mapping
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 23
expires: 00:01:04

Configure designated router priority

Multiple PIM-SM routers can connect to a single local area network (LAN) segment. One of these routers is elected as the designated router (DR). The DR is elected using hello messages.
● Do not configure a PIM join-filter on a source-connected interface (IIF) on a first hop router (FHR) node. Applying a PIM join-filter with the rule deny ip any any might block creation of the S,G entries.
● When you configure a join filter, it applies to both incoming and outgoing joins. There is no option to specify in or out parameters while configuring a join filter.
2. Configure an Ethernet interface. This command enables INTERFACE configuration mode.

   OS10(config)# interface ethernet 1/1/1

3. Configure a filter that applies the previously created ACL (pim_nbr_filter) to the PIM interface.

   OS10(conf-if-eth1/1/1)# ip pim neighbor-filter pim_nbr_filter

PIM register filters

The PIM register filter prevents the PIM source Designated Router (DR) from sending register packets to a Rendezvous Point (RP) for the specified multicast source and group.
● ip-address—IP address of the RP. The system clears the associated group-to-RP mapping entries for the specified RP. If you do not specify the RP IP address, the system clears all the group-to-RP mapping entries present in the VRF.

Default             None
Command Mode        EXEC
Usage Information   This command removes only the group-to-RP mapping entries learned by a bootstrap router (BSR) from the RP mapping cache.
Example             OS10# clear ip pim rp-mapping
                    Clear PIM rp-mapping? [y/n]: y
Supported Releases  10.5.2.
Example             OS10# configure terminal
                    OS10(config)# ip multicast-routing
Supported Releases  10.4.3.0 or later

ip pim bsr-candidate
Configures the router as an IPv4 PIM BSR candidate.

Syntax              ip pim [vrf vrf-name] bsr-candidate {ethernet node/slot/port[:subport] | loopback loopback-interface-number | vlan vlan-number | port-channel portchannel-number} [hash-mask-len length] [priority priority-value]
                    no ip pim [vrf vrf-name] bsr-candidate
Parameters          ● ● ● ● ● ●
Default             ● Hash mask length is 30.
Example             OS10(config)# ip pim vrf red bsr-candidate-timers loopback 10 advt-interval 40
Supported Releases  10.5.0 or later

ip pim bsr-timeout
Configures the BSR timeout value.
Parameters          access-list-name—Enter the name of the access list. The ACL name can be up to 140 characters.
Default             Disabled
Command Mode        INTERFACE CONFIGURATION
Usage Information   Before you configure a PIM join filter, ensure that:
                    ● Multicast is enabled globally using the ip multicast-routing command.
                    ● The interface is enabled. Use the no shutdown command to enable the interface.
                    ● The interface is in Layer 3 mode. PIM-SM is enabled only on a Layer 3 interface.
ip pim query-interval
Changes the frequency of PIM router query messages.

Syntax              ip pim query-interval seconds
Parameters          seconds—Enter the amount of time, in seconds, the router waits before sending a PIM hello packet out of each PIM-enabled interface, from 2 to 18000.
Default             30 seconds
Command Mode        INTERFACE CONFIGURATION
Usage Information   The no form of this command returns the frequency of PIM router query messages to the default value.
● group-address group-address mask—Enter the keyword group-address, then the group-address mask in dotted-decimal format (/xx) to assign the group address to the RP.
● [override]—Overrides BSR updates with static RP for groups with the same prefix length.

Default             None
Command Mode        CONFIGURATION
Usage Information   First hop routers use this address to send register packets on behalf of the source multicast hosts. The RP addresses are stored in the order in which they are entered.
Supported Releases  10.5.0 or later

ip pim rp-candidate-timers
Configures the time interval between periodic candidate RP advertisements.
OS10(conf-if-vl-2)# ip address 1.1.1.2/24
OS10(conf-if-vl-2)# ip pim sparse-mode

Supported Releases  10.4.3.0 or later

ip pim sparse-mode sg-expiry-timer
Enables expiry timers globally for all sources.

Syntax              ip pim [vrf vrf-name] sparse-mode sg-expiry-timer seconds
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● seconds—Enter the number of seconds the S, G entries are retained. The range is from 211 to 65535 seconds.
Usage Information   None
Example             OS10# show ip pim bsr-router
                    PIMv2 Bootstrap information
                    BSR address: 101.0.0.1
                    BSR Priority: 199, Hash mask length: 31
                    Expires: 00:00:24
                    This system is a candidate BSR
                    Candidate BSR address: 104.0.0.1, priority: 99, hash mask length: 31
                    Next Cand_RP_advertisement in 00:00:15
                    RP: 104.0.0.1(loopback101)
Supported Releases  10.5.0 or later

show ip pim interface
Displays information about IP PIM-enabled interfaces.
Examples            OS10# show ip pim mcache vlt
                    PIM Multicast Routing Cache Table
                    Flags: S - Synced
                    (*, 225.1.1.1), flags: S
                    Incoming interface: Vlan 502
                    outgoing interface list: Vlan 2002 (S)
                    (2.2.2.2, 225.1.1.1), flags: S
                    Incoming interface: Vlan 501
                    outgoing interface list: Vlan 1000, Vlan 2003 (S)

                    OS10# show ip pim mcache
                    PIM Multicast Routing Cache Table
                    (*, 225.1.1.1)
                    Incoming interface : vlan105
                    Outgoing interface list : vlan121
                    (101.1.1.10,225.1.1.
show ip pim register-filter
Displays the details of the register filter.

Syntax              show ip pim [vrf vrf-name] register-filter group-address source-address
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● group-address—Enter the group address to which the multicast traffic is destined.
                    ● source-address—Enter the source address from which the multicast traffic originates.
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255
expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 254
expires: 00:01:54

Supported Releases  10.4.3.0 or later

show ip pim ssm-range
Displays the non-default groups added using the SSM range feature.

Syntax              show ip pim [vrf vrf-name] ssm-range
Parameters          vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
1 RPs
2 sources
Message summary:
150/50 Joins/Prunes sent/received
0/0 Candidate-RP advertisements sent/received
6/4 BSR messages sent/received
0 Null Register messages received
0/50 Register-stop messages sent/received
Data path event summary:
100 no-cache messages received
50 last-hop switchover messages received
0/0 pim-assert messages sent/received
0/0 register messages sent/received
VLT Multicast summary:
0(*,G) synced entries in MFC
281(S,G) synced entries in MFC
0(S,G,Rpt) synced entries in MFC
Suppo
vlan121 Forward/Sparse 13:07:53/Never
(101.1.1.10, 225.1.1.1), uptime 13:07:51, expires 00:06:09, flags: T
Incoming interface: vlan103, RPF neighbor 2.1.1.1
Outgoing interface list: vlan121 Forward/Sparse 13:07:50/Never

Supported Releases  10.4.3.0 or later

show ip rpf
Displays reverse path forwarding (RPF) information.

Syntax              show ip rpf [vrf vrf-name] [summary]
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● summary—RPF summary.
Configure PIM Anycast RP

To configure PIM Anycast RP, enable PIM-SM and IGP on the participating Loopback interfaces. Also, configure Loopback interfaces with unique IP addresses on each of the RPs.

To configure static Anycast RP:
1. Enter CONFIGURATION mode.

   OS10# configure terminal
   OS10(config)#

2. Configure the rendezvous point (RP) IP address statically and specify the multicast group address range. The RP address must be reachable across the PIM domain.

   OS10(config)# ip pim rp-address 100.1.1.
View mismatch of PIM Anycast RP on VLT nodes

To identify the configuration mismatch of PIM Anycast RP on VLT nodes, use the show vlt mismatch command. The following example shows PIM Anycast RP mismatch information for a specific VLT domain.

OS10# show vlt 1 mismatch <
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example             OS10# show ip pim rp mapping
                    Anycast-RP 100.1.1.1 members:
                    192.10.1.1* 192.10.2.2
                    Group(s) : 224.0.0.0/4
                    RP : 1.1.1.1, v2
                    Info source: 192.10.2.2, via bootstrap, priority 192
                    expires: 00:02:15
Supported Releases  10.5.2.
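
Because every PIM router in a domain must map a group to the same RP, and bootstrap-learned mappings name the BSR they came from in the Info source field, the show ip pim rp mapping output collected from several routers can be compared automatically. The following Python check is an added example, not Dell EMC code; the router names, the 10.9.9.x addresses and the list of expected BSR addresses are constructed assumptions, and the sample output follows the field layout of the examples in this guide.

```python
import ipaddress
import re
from collections import defaultdict

# One mapping entry. \s+ also spans newlines, so wrapped output and output that a
# log collector has run together onto one line both parse.
ENTRY = re.compile(
    r"Group\(s\)\s*:\s*(?P<group>[\d.]+/\d+)(?:,\s*(?P<static>Static))?"
    r"\s+RP\s*:\s*(?P<rp>[\d.]+),\s*v\d+"
    r"(?:\s+Info source:\s*(?P<src>[\d.]+),\s*via\s+(?P<via>\w+))?"
)

# Constructed captures of "show ip pim rp mapping" from three routers.
R1_OUT = """\
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 23
expires: 00:01:04
Group(s) : 224.0.0.0/4, Static
RP : 182.190.168.224, v2
"""
# Same content as R1, run together on one line.
R2_OUT = (
    "Group(s) : 225.1.1.0/24 RP : 10.1.2.8, v2 Info source: 10.1.1.8, "
    "via bootstrap, priority 23 expires: 00:01:04 "
    "Group(s) : 224.0.0.0/4, Static RP : 182.190.168.224, v2"
)
# R3 learned a different RP from a BSR that is not on the expected list.
R3_OUT = """\
Group(s) : 225.1.1.0/24
RP : 10.9.9.9, v2
Info source: 10.9.9.1, via bootstrap, priority 255
expires: 00:02:10
"""


def parse_rp_mapping(text):
    """Return one dict per group-to-RP entry; malformed addresses raise ValueError."""
    entries = []
    for m in ENTRY.finditer(text):
        entries.append({
            "group": str(ipaddress.ip_network(m["group"], strict=False)),
            "rp": str(ipaddress.ip_address(m["rp"])),
            "static": m["static"] is not None,
            "source": m["src"],   # BSR address, None for static entries
            "via": m["via"],      # "bootstrap" for BSR-learned entries
        })
    return entries


def check_rp_consistency(outputs, expected_bsrs):
    """Compare mappings across routers.

    outputs: {router_name: text of "show ip pim rp mapping"}
    expected_bsrs: set of BSR addresses the operator expects to see as Info source
    """
    by_group = defaultdict(dict)  # group -> {router: set of RP addresses}
    report = {"untrusted_source": [], "rp_mismatch": {}, "missing": []}
    for router, text in outputs.items():
        for e in parse_rp_mapping(text):
            by_group[e["group"]].setdefault(router, set()).add(e["rp"])
            if e["via"] == "bootstrap" and e["source"] not in expected_bsrs:
                report["untrusted_source"].append((router, e["group"], e["source"]))
    for group in sorted(by_group):
        per_router = by_group[group]
        # Routers disagree when their RP sets for the same group differ.
        if len({frozenset(rps) for rps in per_router.values()}) > 1:
            report["rp_mismatch"][group] = {r: sorted(s) for r, s in per_router.items()}
        # A router with no entry for a group that others map is reported too.
        report["missing"] += [(r, group) for r in outputs if r not in per_router]
    return report


if __name__ == "__main__":
    result = check_rp_consistency(
        {"R1": R1_OUT, "R2": R2_OUT, "R3": R3_OUT}, expected_bsrs={"10.1.1.8"}
    )
    for kind, items in result.items():
        print(kind, items)
```
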
Sample configuration: Multicast VRF using PIM-SM

This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 1001
R2(conf-if-vl-1001)# ip vrf forwarding red
R2(conf-if-vl-1001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/21:4
R2(conf-if-eth1/1/21:4)# switchport mode trunk
R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001
R2(conf-if-eth1/1/21:4)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/12:1
R2(conf-if-eth1/1/12:1)# no switchport
R2(conf-if-eth1/1/12:1)# ip vrf forwarding red
R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001
R3(conf-if-eth1/1/12)# end
R3# configure terminal
R3(config)# interface port-channel 12
R3(conf-if-po-12)# no switchport
R3(conf-if-po-12)# ip vrf forwarding red
R3(conf-if-po-12)# end
R3# configure terminal
R3(config)# interface ethernet 1/1/5
R3(conf-if-eth1/1/5)# no ip vrf forwarding
R3(conf-if-eth1/1/5)# no switchport
R3(conf-if-eth1/1/5)# channel-group 12
R3(conf-if-eth1/1/5)# end
R3# configure terminal
R3(config)# interface vlan 1001
R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end
R4# configure terminal
R4(config)# interface Lo0
R4(conf-if-lo-0)# ip vrf forwarding red
R4(conf-if-lo-0)# ip address 4.4.4.
--------------------------------
224.1.1.1    182.190.168.224

R1# show ip pim vrf red rp mapping
Group(s) : 224.0.0.0/4, Static
RP : 182.190.168.224, v2

R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : ethernet1/1/7
Outgoing interface list : port-channel11

Rendezvous point (R3)

R3# show ip pim vrf red neighbor
Neighbor Address    Interface    Uptime/Expires    Ver    DR Priority / Mode
---------------------------------------------------------------------------
192.
--------------------------------
224.1.1.1    182.190.168.224

R3# show ip pim vrf red tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S
Incoming interface: Null, RPF neighbor 0.0.0.
(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ
  Incoming interface: port-channel12, RPF neighbor 194.1.1.1
  Outgoing interface list:
    vlan2001 Forward/Sparse 00:05:44/Never
(201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT
  Incoming interface: port-channel11, RPF neighbor 193.1.1.1
  Outgoing interface list:
    vlan2001 Forward/Sparse 00:02:58/Never
R4# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(*, 224.1.1.
● Provides traffic resiliency in the event of a VLT node failure. The traffic is forwarded until the PIM protocol reconverges and builds a new tree.
IGMP message synchronization
VLT nodes use the VLTi link to synchronize IGMP messages across their peers. Any IGMP join message that is received on one of the VLT nodes is synchronized to the peer node. Therefore, the IGMP tables are identical in a VLT domain.
● In VLT deployments, Dell Technologies recommends that you do not change the PIM designated router by configuring a non-default value with the ip pim dr-priority command.
● In large-scale multicast deployments, you might see frequent bursts of multicast control traffic. For such deployments, Dell Technologies recommends that you increase the burst size for queue 2 on all PIM routers using control-plane policing.
core(conf-if-vl-12)# exit
core(config)# interface loopback 103
core(conf-if-lo-103)# no shutdown
core(conf-if-lo-103)# ip address 103.0.0.3/32
core(conf-if-lo-103)# ip pim sparse-mode
core(conf-if-lo-103)# ip ospf 100 area 0.0.0.0
core(conf-if-lo-103)# exit
PIM neighbors of core and the interface to reach the neighbors
The show ip pim neighbor command displays the PIM neighbors of core and the interface to reach the neighbors.
Sample configuration on AG1:
AG1# configure terminal
AG1(config)# ip multicast-routing
AG1(config)# ip pim rp-address 103.0.0.3 group-address 224.0.0.0/4
AG1(config)# router ospf 100
AG1(config-router-ospf-100)# exit
AG1(config)# vlt-domain 255
AG1(conf-vlt-255)# backup destination 10.16.132.
AG1(conf-if-po-12)# vlt-port-channel 12
AG1(conf-if-po-12)# exit
PIM neighbors of AG1 and the interface to reach the neighbors
The show ip pim neighbor command displays the PIM neighbors of AG1 and the interface to reach the neighbors.
AG1# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
----------------------------------------------------------------------
11.0.0.2 vlan11 00:00:43/00:01:33 v2 10 / S
12.0.0.2 vlan12 00:01:01/00:01:44 v2 10 / S
12.0.0.
K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:10:15, expires 00:00:44, RP 103.0.0.3, flags: SCJ
  Incoming interface: vlan12, RPF neighbor 12.0.0.3
  Outgoing interface list:
    vlan11 Forward/Sparse 00:10:15/Never
(16.0.0.10, 225.1.1.1), uptime 00:00:55, expires 00:02:34, flags: CT
  Incoming interface: vlan12, RPF neighbor 12.0.0.
AG2(config)# interface vlan 11
AG2(conf-if-vlan-11)# no shutdown
AG2(conf-if-vlan-11)# ip address 11.0.0.2/24
AG2(conf-if-vlan-11)# ip pim sparse-mode
AG2(conf-if-vlan-11)# ip pim dr-priority 10
AG2(conf-if-vlan-11)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-11)# ip ospf cost 3000
AG2(conf-if-vlan-11)# exit
AG2(config)# interface vlan 12
AG2(conf-if-vlan-12)# no shutdown
AG2(conf-if-vlan-12)# ip address 12.0.0.
225.1.1.1 00:02:00 00:01:47 vlan11 0.0.0.0 Exclude
The output of the show ip pim tib command.
AG2# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT,
       K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:02:15, expires 00:00:00, RP 103.0.0.3, flags: SC
  Incoming interface: vlan12, RPF neighbor 12.0.0.
(*, 225.1.1.1),flags: S
  Incoming interface : vlan12
  Outgoing interface list :
    vlan11 (S)
(16.0.0.10, 225.1.1.
● CR1, CR2, AG1, AG2, AG3, and AG4 are multicast routers.
● CR1 and CR2 are the BSR and RP nodes.
● TR1 and TR2 are IGMP-enabled L2 nodes.
● OSPFv2 is the unicast routing protocol.
CR1 switch
1. Disable STP.
CR1(config)# spanning-tree disable
2. Configure the VLT domain.
CR1(conf-vlt-128)# backup destination 10.222.208.160
CR1(conf-vlt-128)# discovery-interface ethernet1/1/27:2
CR1(conf-vlt-128)# peer-routing
CR1(conf-vlt-128)# primary-priority 1
CR1(conf-vlt-128)# vlt-mac 9a:00:00:aa:aa:aa
3. Configure a port channel interface towards AG1 and AG2.
● VLAN 1001 towards AG1 and AG2
CR1(config)# interface vlan 1001
CR1(conf-if-vl-1001)# ip address 10.1.2.5/24
CR1(conf-if-vl-1001)# ip ospf 1 area 0.0.0.0
CR1(conf-if-vl-1001)# ip pim sparse-mode
CR1(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1101 towards AG3
CR1(config)# interface vlan 1101
CR1(conf-if-vl-1101)# ip address 10.1.3.5/24
CR1(conf-if-vl-1101)# ip ospf 1 area 0.0.0.
3. Configure a port channel interface towards AG1 and AG2.
CR2(config)# interface port-channel 11
CR2(config)# interface ethernet 1/1/1:1
CR2(conf-if-eth1/1/1:1)# channel-group 11 mode active
CR2(config)# interface ethernet 1/1/9:1
CR2(conf-if-eth1/1/9:1)# channel-group 11 mode active
CR2(config)# interface port-channel 11
CR2(conf-if-po-11)# vlt-port-channel 11
4. Configure a port channel interface towards AG3.
CR2(conf-if-vl-1001)# ip pim sparse-mode
CR2(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1151 towards AG3
CR2(config)# interface vlan 1151
CR2(conf-if-vl-1151)# ip address 10.110.1.5/24
CR2(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
CR2(conf-if-vl-1151)# ip pim sparse-mode
CR2(conf-if-vl-1151)# ip ospf cost 65535
CR2(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1251 towards AG4
CR2(config)# interface vlan 1251
CR2(conf-if-vl-1251)# ip address 10.192.
AG1(conf-if-eth1/1/1:1)# channel-group 11 mode active
AG1(config)# interface ethernet 1/1/3:1
AG1(conf-if-eth1/1/3:1)# channel-group 11 mode active
AG1(config)# interface port-channel 11
AG1(conf-if-po-11)# vlt-port-channel 11
AG1(conf-if-po-11)# spanning-tree disable
4. Configure a port channel interface towards AG3 and AG4.
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG2(config)# interface ethernet 1/1/17:1
AG2(conf-if-eth1/1/17:1)# channel-group 41 mode active
6. Configure Loopback interface and enable PIM-SM.
AG2(config)# interface loopback 1
AG2(conf-if-lo-1)# ip address 10.1.100.2/32
AG2(conf-if-lo-1)# ip pim sparse-mode
7. Enable multicast routing on the default VRF.
AG2(config)# ip multicast-routing
8. Configure OSPF for unicast routing.
AG3 switch
1. Configure RSTP.
AG3(config)# spanning-tree mode rstp
AG3(config)# spanning-tree rstp priority 8192
2. Configure the VLT domain.
AG3(config)# interface ethernet 1/1/25:1
AG3(conf-if-eth1/1/25:1)# no switchport
AG3(config)# vlt-domain 1
AG3(conf-vlt-255)# backup destination 10.222.208.39
AG3(conf-vlt-255)# discovery-interface ethernet1/1/25:1
AG3(conf-vlt-255)# peer-routing
AG3(conf-vlt-255)# primary-priority 1
AG3(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3.
AG3(conf-if-vl-1101)# ip pim sparse-mode
AG3(conf-if-vl-1101)# ip igmp snooping mrouter interface port-channel21
● VLAN 1151 towards CR2
AG3(config)# interface vlan 1151
AG3(conf-if-vl-1151)# ip address 10.110.1.3/24
AG3(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
AG3(conf-if-vl-1151)# ip pim sparse-mode
AG3(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1301 towards AG1 and AG2
AG3(config)# interface vlan 1301
AG3(conf-if-vl-1301)# ip address 10.112.1.
AG4(conf-vlt-255)# peer-routing
AG4(conf-vlt-255)# primary-priority 65535
AG4(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3. Configure a port channel interface towards CR1.
AG4(config)# interface port-channel 31
AG4(config)# interface ethernet 1/1/1:1
AG4(conf-if-eth1/1/1:1)# channel-group 31 mode active
4. Configure a port channel interface towards CR2.
AG4(config)# interface port-channel 32
AG4(config)# interface ethernet 1/1/4:1
AG4(conf-if-eth1/1/4:1)# channel-group 32 mode active
5.
AG4(conf-if-vl-1301)# ip pim sparse-mode
AG4(conf-if-vl-1301)# ip igmp snooping mrouter interface port-channel1
● VLAN 2001 towards TR2
AG4(config)# interface vlan 2001
AG4(conf-if-vl-2001)# ip address 192.168.1.4/24
AG4(conf-if-vl-2001)# ip pim sparse-mode
AG4(conf-if-vl-2001)# ip igmp snooping mrouter interface port-channel1
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
TR1(conf-if-eth1/1/31)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/31)# spanning-tree port type edge
TR1(config)# interface ethernet 1/1/32
TR1(conf-if-eth1/1/32)# switchport mode trunk
TR1(conf-if-eth1/1/32)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/32)# spanning-tree port type edge
TR2 switch
1. Configure RSTP.
TR2(config)# spanning-tree mode rstp
2. Configure a port channel interface towards AG3.
The show ip pim neighbor command displays the PIM neighbor of the node and the interface to reach the neighbor.
CR1# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
-------------------------------------------------------------------------------------
10.1.1.6 vlan100 00:24:19/00:01:25 v2 4294967295 / DR S
10.1.3.3 vlan1101 00:20:28/00:01:18 v2 1 / S
10.1.4.4 vlan1201 00:18:21/00:01:24 v2 1 / S
10.1.2.1 vlan1001 00:22:12/00:01:36 v2 1 / S
10.1.2.
(172.16.1.201, 225.1.0.0), uptime 01:24:45, expires 00:02:46, flags: CTP
  Incoming interface: vlan100, RPF neighbor 0.0.0.0
  Outgoing interface list:
The show ip pim mcache command displays the multicast route entries.
CR1# show ip pim mcache
PIM Multicast Routing Cache Table
(192.168.1.201, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan1
(192.168.1.202, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan1
(172.16.1.201, 225.1.0.
--------------------------------
225.1.0.0 10.1.100.6
CR1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
  RP : 10.1.100.5, v2
  Info source: 10.1.100.5, via bootstrap, priority 100
  expires: 00:00:56
Group(s) : 225.0.0.0/8
  RP : 10.1.100.6, v2
  Info source: 10.1.100.5, via bootstrap, priority 100
  expires: 00:01:07
The show ip igmp snooping groups command displays the IGMP database.
CR1# show ip igmp snooping groups
Total Number of Groups: 320
CR1# show ip igmp snooping groups vlan 1 225.1.0.
TIB Summary:
  20/20 (*,G) entries in PIM-TIB/MFC
  39/39 (S,G) entries in PIM-TIB/MFC
  39/0 (S,G,Rpt) entries in PIM-TIB/MFC
  2 RP
  3 sources
  16 Register states
Message Summary:
  208/885 Joins/Prunes sent/received
  60/0 Candidate-RP advertisements sent/received
  310/405 BSR messages sent/received
  205 Null Register messages received
  268/181 Register-stop messages sent/received
Data path event summary:
  11 last-hop switchover messages received
  28/28 pim-assert messages sent/received
  186/79 register messages sent/receiv
  Outgoing interface list :
    vlan1
(192.168.1.202, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan1
(172.16.1.201, 225.1.0.0)
  Incoming interface : vlan1
  Outgoing interface list :
    vlan1001
    vlan1251
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
CR2# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(192.168.1.201, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan1
(192.168.1.
The show ip igmp snooping groups command displays the IGMP database.
CR2# show ip igmp snooping groups
Total Number of Groups: 320
CR2# show ip igmp snooping groups vlan 1 225.1.0.0 detail
Interface vlan1
Group 225.1.0.0
Source List
-
Member Port Mode Uptime Expires
port-channel1000 IGMPv2-Compat 01:57:20 00:01:39
ethernet1/1/28:4 IGMPv2-Compat 01:57:31 00:01:39
AG1
The show ip pim interface command displays the PIM-enabled interfaces on the node.
  0/459 Register-stop messages sent/received
Data path event summary:
  20 last-hop switchover messages received
  23/159 pim-assert messages sent/received
  499/0 register messages sent/received
VLT Multicast summary:
  0(*,G) synced entries in MFC
  0(S,G) synced entries in MFC
  0(S,G,Rpt) synced entries in MFC
The show ip pim tib command displays the PIM tree information base (TIB).
(192.168.1.201, 225.1.0.0)
  Incoming interface : vlan2001
  Outgoing interface list :
    vlan1001
    vlan2002
    vlan2003
    vlan2004
    vlan2005
(192.168.1.202, 225.1.0.0)
  Incoming interface : vlan2001
  Outgoing interface list :
    vlan1001
    vlan2002
    vlan2003
    vlan2004
    vlan2005
(172.16.1.201, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan2002
    vlan2003
    vlan2004
    vlan2005
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:23
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG1# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.6
AG1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
  RP : 10.1.100.5, v2
  Info source: 10.1.100.5, via bootstrap, priority 100
  expires: 00:00:45
Group(s) : 225.0.0.0/8
  RP : 10.1.100.6, v2
  Info source: 10.1.100.
The show ip pim summary command displays the PIM summary.
The show ip pim mcache command displays the multicast route entries.
AG2# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.0.0)
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan2002
    vlan2003
    vlan2004
    vlan2005
(192.168.1.201, 225.1.0.0)
  Incoming interface : vlan2001
  Outgoing interface list :
    vlan1001
    vlan2002
    vlan2003
    vlan2004
    vlan2005
(192.168.1.202, 225.1.0.0)
  Incoming interface : vlan2001
  Outgoing interface list :
    vlan1001
    vlan2002
    vlan2003
    vlan2004
    vlan2005
(172.16.1.201, 225.1.
  Incoming interface : vlan1001
  Outgoing interface list :
    vlan2002 (S)
    vlan2003 (S)
    vlan2004 (S)
    vlan2005 (S)
The show ip pim bsr-router command displays information about the BSR.
AG2# show ip pim bsr-router
PIMv2 Bootstrap information
BSR address: 10.1.100.5
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:26
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG2# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.
-----------------------------------------------------------------------10.112.1.1 vlan1301 00:22:45/00:01:24 v2 1 / S 10.112.1.2 vlan1301 00:20:24/00:01:20 v2 1 / S 10.112.1.4 vlan1301 00:21:09/00:01:20 v2 1 / DR S 192.168.1.4 vlan2001 00:22:47/00:01:22 v2 4294967295 / DR S 192.168.1.3 vlan2001 00:20:22/00:01:22 v2 4294967290 / S 192.168.1.1 vlan2001 00:21:07/00:01:23 v2 1 / S 10.110.1.5 vlan1151 00:22:58/00:01:16 v2 1 / DR S 10.1.3.
(192.168.1.201, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP
  Incoming interface: vlan2001, RPF neighbor 0.0.0.0
  Outgoing interface list:
(192.168.1.202, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP
  Incoming interface: vlan2001, RPF neighbor 0.0.0.0
  Outgoing interface list:
The show ip pim mcache command displays the multicast route entries.
AG3# show ip pim mcache
PIM Multicast Routing Cache Table
(192.168.1.201, 225.1.0.
AG4
The show ip pim interface command displays the PIM-enabled interfaces on the node.
AG4# show ip pim interface
Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR
------------------------------------------------------------------------------
10.1.4.4 vlan1201 v2/S 1 30 1 10.1.4.5
10.112.1.4 vlan1301 v2/S 3 30 1 10.112.1.4
192.168.1.1 vlan2001 v2/S 3 30 1 192.168.1.4
10.192.168.4 vlan1251 v2/S 1 30 1 10.192.168.
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT,
       K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.0.0), uptime 01:40:17, expires 00:00:58, RP 10.1.100.6, flags: SCJ
  Incoming interface: vlan1251, RPF neighbor 10.192.168.
--------------------------------
225.1.0.0 10.1.100.6
AG4# show ip pim rp mapping
Group(s) : 225.0.0.0/8
  RP : 10.1.100.5, v2
  Info source: 10.1.100.5, via bootstrap, priority 100
  expires: 00:01:02
Group(s) : 225.0.0.0/8
  RP : 10.1.100.6, v2
  Info source: 10.1.100.5, via bootstrap, priority 100
  expires: 00:00:43
The show ip igmp snooping groups command displays the IGMP database.
AG4# show ip igmp snooping groups
Total Number of Groups: 1600
AG4# show ip igmp snooping groups vlan 2001 225.1.0.
225.1.0.2 vlan2001 IGMPv2-Compat 00:01:36
  Member-ports :ethernet1/1/21,ethernet1/1/22
VLT multicast routing commands
multicast peer-routing-timeout
Configures the time duration for a VLT node to retain synchronized multicast routes if there is a VLT peer node failure.
Syntax multicast peer-routing-timeout value
Parameters value—Enter the timeout value in seconds, from 1 to 1200.
show vlt mismatch
Displays configuration mismatch between VLT peers.
Syntax show vlt {domain-id | all} mismatch
Parameters domain-id—Enter a VLT domain ID, from 1 to 255.
Default None
Command Mode EXEC
Usage Information The show vlt mismatch command displays multicast configuration mismatches.
16 VXLAN
A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.
● N3248TE-ON
Configuration notes
In a static VXLAN, overlay routing is supported on:
● S4100-ON Series
● S4200-ON Series
● S5200-ON Series
● S4048T-ON
● S6010-ON
VXLAN concepts
Network virtualization overlay (NVO)
An overlay network extends L2 connectivity between server virtual machines (VMs) in a tenant segment over an underlay L3 IP network. A tenant segment can be a group of hosts or servers that are spread across an underlay network.
Port-scoped VLAN
A (Port, VLAN) pair that maps to a virtual network ID (VNID) in OS10. Assign an individual member interface to a virtual network either with an associated tagged VLAN or as an untagged member. Using a port-scoped VLAN, you can configure:
● The same VLAN ID on different access interfaces to different virtual networks.
● Different VLAN IDs on different access interfaces to the same virtual network.
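Because the (port, VLAN) pair decides which tenant network a frame lands in, it is worth auditing the mapping before it is pushed to a switch. The following is an added example, not code from the guide or from Dell: it parses virtual-network stanzas written in the member-interface syntax shown in this guide, builds the (port, VLAN) to VNID table, and reports any pair claimed by more than one virtual network. The sample configuration, interface numbers and function names are assumptions, and treating a pair claimed twice as an error is this example's own rule.

```python
import re
from collections import defaultdict

VNID_RANGE = range(1, 65536)  # virtual-network ID range stated in the command reference

# Constructed configuration for illustration; interface and VLAN numbers are assumptions.
SAMPLE_CONFIG = """\
virtual-network 10000
 member-interface ethernet 1/1/5 vlan-tag 100
 member-interface port-channel 10 vlan-tag 200
virtual-network 20000
 member-interface ethernet 1/1/6 vlan-tag 100
 member-interface port-channel 10 vlan-tag 300
 member-interface port-channel 20 untagged
virtual-network 30000
 member-interface port-channel 10 vlan-tag 200
 member-interface port-channel 20 untagged
"""

VN_RE = re.compile(r"^virtual-network\s+(\d+)\s*$")
MEMBER_RE = re.compile(
    r"^\s+member-interface\s+((?:ethernet|port-channel)\s*\S+)\s+"
    r"(?:vlan-tag\s+(\d+)|(untagged))\s*$"
)


def parse_port_scoped(config):
    """Return {(port, vlan or 'untagged'): [vnid, ...]} from virtual-network stanzas."""
    table = defaultdict(list)
    vnid = None
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.strip():
            continue
        match = VN_RE.match(line)
        if match:
            vnid = int(match.group(1))
            if vnid not in VNID_RANGE:
                raise ValueError(f"line {lineno}: virtual-network ID {vnid} out of range")
            continue
        match = MEMBER_RE.match(line)
        if match and vnid is not None:
            port = re.sub(r"\s+", "", match.group(1)).lower()
            tag = int(match.group(2)) if match.group(2) else "untagged"
            table[(port, tag)].append(vnid)
        elif not line.startswith(" "):
            vnid = None  # an unindented line ends the virtual-network stanza
    return {key: sorted(set(vnids)) for key, vnids in table.items()}


def networks_for_vlan(table, vlan):
    """Show how one VLAN ID resolves on each port; port scoping lets the answer differ."""
    return {port: vnids for (port, tag), vnids in table.items() if tag == vlan}


def find_conflicts(table):
    """Pairs claimed by more than one virtual network, so the tenant is ambiguous."""
    return {key: vnids for key, vnids in table.items() if len(vnids) > 1}


if __name__ == "__main__":
    mapping = parse_port_scoped(SAMPLE_CONFIG)
    print("VLAN 100 per port:", networks_for_vlan(mapping, 100))
    for (port, tag), vnids in sorted(find_conflicts(mapping).items(), key=str):
        print(f"CONFLICT {port} {tag}: virtual networks {vnids}")
```

In the sample, VLAN 100 resolves to virtual network 10000 on one port and 20000 on another, which port scoping allows, while port-channel 10 with VLAN 200 and the untagged membership of port-channel 20 are each claimed twice and are reported.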
3. Return to CONFIGURATION mode.
exit
4. Enter NVE mode from CONFIGURATION mode. NVE mode allows you to configure the VXLAN tunnel endpoint on the switch.
nve
5. Configure the Loopback interface as the source tunnel endpoint for all virtual networks on the switch in NVE mode.
source-interface loopback number
6. Return to CONFIGURATION mode.
exit
Configure a VXLAN virtual network
To create a VXLAN, assign a VXLAN segment ID (VNI) to a virtual network ID (VNID) and configure a remote VTEP.
switchport trunk allowed-vlan vlan-id
exit
The local physical ports assigned to the VLAN transmit packets over the virtual network.
NOTE: A switch-scoped VLAN assigned to a virtual network cannot have a configured IP address and cannot participate in L3 routing; for example:
OS10(config)# interface vlan 102
OS10(conf-if-vlan-102)# ip address 1.1.1.1/24
% Error: vlan102, IP address cannot be configured for VLAN attached to Virtual Network.
3. Assign the trunk interfaces as untagged members of the virtual network in VIRTUAL-NETWORK mode. You cannot use the reserved VLAN ID for a legacy VLAN or for tagged traffic on member interfaces of virtual networks.
virtual-network vn-id
member-interface ethernet node/slot/port[:subport] untagged
exit
If at least one untagged member interface is assigned to a virtual network, you cannot delete the reserved untagged VLAN ID.
4. Configure an anycast gateway IPv4 or IPv6 address for each virtual network in INTERFACE-VIRTUAL-NETWORK mode. This anycast IP address must be in the same subnet as the IP address of the virtual-network interface in Step 3. Configure the same IPv4 or IPv6 address as the anycast IP address on all VTEPs in a virtual network. All hosts use the anycast gateway IP address as the default gateway IP address in the subnet that connects to the virtual-network interface configured in Step 3.
● Configure a unique IP address on the virtual-network interface on each VTEP across all virtual networks. Configure the same anycast gateway IP address on all VTEPs in a virtual-network subnet. For example:
Table 74. IP address on the virtual-network interface on each VTEP
Virtual network   VTEP     Virtual-network IP address   Anycast gateway IP address
VNID 11           VTEP 1   10.10.1.201                  10.10.1.254
                  VTEP 2   10.10.1.202                  10.10.1.254
                  VTEP 3   10.10.1.203                  10.10.1.254
                  VTEP 1   10.20.1.201                  10.20.1.254
                  VTEP 2   10.
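The addressing rules above (anycast gateway in the same subnet as the virtual-network interface, the same anycast gateway on every VTEP in a virtual network, and a unique interface address on each VTEP) can be checked against an address plan before any switch is configured. The following is an added example, not part of the guide: the VNID 11 rows reuse the addresses from Table 74 with an assumed /24 prefix length, and the VNID 20 rows, the finding names and the function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Rows: (VNID, VTEP, virtual-network interface address, anycast gateway address).
# VNID 11 uses the addresses from Table 74; the /24 prefix length is an assumption.
TABLE_74_PLAN = [
    (11, "VTEP 1", "10.10.1.201/24", "10.10.1.254"),
    (11, "VTEP 2", "10.10.1.202/24", "10.10.1.254"),
    (11, "VTEP 3", "10.10.1.203/24", "10.10.1.254"),
]

# Constructed rows with deliberate mistakes (VNID 20 and its addresses are made up).
BROKEN_ROWS = [
    (20, "VTEP 1", "10.20.1.201/24", "10.20.1.254"),
    (20, "VTEP 2", "10.20.1.201/24", "10.20.1.254"),  # reuses VTEP 1's interface address
    (20, "VTEP 3", "10.20.1.203/24", "10.20.2.254"),  # gateway off-subnet and different
]


def validate_plan(plan):
    """Return a list of (finding, vnid, detail) tuples; an empty list means the plan passes."""
    findings = []
    first_owner = {}              # interface address -> first (vnid, vtep) that used it
    gateways = defaultdict(set)   # vnid -> anycast gateway addresses seen

    for vnid, vtep, if_cidr, gw_text in plan:
        iface = ipaddress.ip_interface(if_cidr)
        gateway = ipaddress.ip_address(gw_text)

        # Rule: the anycast gateway is in the same subnet as the interface address.
        if gateway.version != iface.version or gateway not in iface.network:
            findings.append(("gateway-outside-subnet", vnid, vtep))

        # Rule: the interface address is unique on each VTEP across all virtual networks.
        owner = first_owner.setdefault(iface.ip, (vnid, vtep))
        if owner != (vnid, vtep):
            findings.append(("duplicate-interface-ip", vnid, vtep))

        gateways[vnid].add(gateway)

    # Rule: every VTEP in a virtual network is configured with the same anycast gateway.
    for vnid in sorted(gateways):
        if len(gateways[vnid]) > 1:
            seen = tuple(sorted(str(g) for g in gateways[vnid]))
            findings.append(("gateway-mismatch", vnid, seen))
    return findings


if __name__ == "__main__":
    print("Table 74 rows:", validate_plan(TABLE_74_PLAN) or "no findings")
    for finding in validate_plan(TABLE_74_PLAN + BROKEN_ROWS):
        print("FINDING", finding)
```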
Configure the same VLTi VLAN ID on both VLT peers. You cannot use the ID of an existing VLAN on a VLT peer or the reserved untagged VLAN ID. You can use the VLTi VLAN ID to assign tagged or untagged access interfaces to a virtual network.
virtual-network vn-id
vlti-vlan vlan-id
● Although a VXLAN virtual network has no access port members that connect to downstream servers, you must configure a switch-scoped VLAN or VLTi VLAN.
Each overlay ARP entry requires a routing next-hop in the hardware to bind a destination tenant VM IP address to the corresponding tenant VM MAC address and VNI. Each virtual-network interface assigned to an IP subnet requires a routing interface in the hardware. OS10 supports preset profiles to re-allocate the number of resources reserved for overlay ARP entries. The number of entries reserved for each preset mode differs according to the OS10 switch. Table 75.
● View the currently configured overlay routing profile; for example, in the S5200-ON series:
show hardware overlay-routing-profile mode
Setting     Mode                      Overlay Next-hop Entries   Underlay Next-hop Entries   Overlay L3 RIF Entries   Underlay L3 RIF Entries
Current     default-overlay-routing   8192                       57344                       2048                     14336
Next-boot   default-overlay-routing   8192                       57344                       2048                     14336
DHCP relay on VTEPs
Dynamic Host Configuration Protocol (DHCP) clients in overlay communicate with a DHCP server using the DHCP relay on the VTEP swit
View the VXLAN virtual-network VLAN
OS10# show virtual-network vlan 100
Vlan Virtual-network Interface
100 1000 ethernet1/1/1,ethernet1/1/2
100 5000 ethernet1/1/2
View the VXLAN virtual-network VLANs
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
       @ - Attached to Virtual Network
Q: A - Access (Untagged), T - Tagged
NUM     Status   Description   Q   Ports
* 1     up                     A   Eth1/1/1-1/1/48
@ 100   up                     T   Eth1/1/2,Eth1/1/3
                               A   Eth1/1/1
@ 101   up                     T   port-channel5
200     up                     T   Eth1/1/11-1/1/15
The show ip arp vrf and show ipv6 neighbors vrf command output displays information about IPv4 and IPv6 neighbors learned in a non-default VRF on the switch. The show ip route vrf command displays the IPv4 and IPv6 routes learned.
OS10# show ip arp vrf tenant1
Address Hardware address Interface Egress Interface
----------------------------------------------------------------
111.0.0.2 00:c5:15:02:12:f1 virtual-network20 ethernet1/1/5
111.0.0.3 00:c5:15:02:12:a2 virtual-network20 port-channel5
111.0.0.
Table 76. Display VXLAN MAC addresses
Command Description
show mac address-table virtual-network [vn-id | local | remote | static | dynamic | address mac-address | interface {ethernet node/slot/port:subport | port-channel number}]
  Displays all MAC addresses learned on all or a specified virtual network.
  vn-id: Displays only information about the specified virtual network.
  local: Displays only locally-learned MAC addresses.
  remote: Displays only remote MAC addresses.
Table 76. Display VXLAN MAC addresses (continued)
Command Description
  vn-id: Displays the number of MAC addresses learned on the specified virtual network.
show mac address-table count nve {remote-vtep ip-address | vxlan-vni vn-id}
  Displays the number of MAC addresses learned for a virtual network or from a remote VTEP.
  remote-vtep ip-address: Displays the number of MAC addresses learned on the specified remote VTEP.
Parameters
balanced-overlay-routing Reserve routing entries for balanced VXLAN tenant routing:
● S4048T-ON and S6010-ON: 24576 entries
● S4100-ON series: 16384 entries
● S5200-ON series switches: 32768 entries
scaled-overlay-routing Reserve routing entries for scaled VXLAN tenant routing:
● S4048T-ON and S6010-ON: 36864 entries
● S4100-ON series: 24576 entries
● S5200-ON series switches: 53248 entries
disable-overlay-routing Allocate 0 next-hop entries for overlay routing and all next-hop entries f
ip virtual-router address
Configures an anycast gateway IP address for a VXLAN virtual network.
Syntax ip virtual-router address ip-address
Parameters address ip-address Enter the IP address of the anycast L3 gateway.
Default Not configured
Command mode INTERFACE-VIRTUAL-NETWORK
Usage information Configure the same anycast gateway IP address on all VTEPs in a VXLAN virtual network.
vlan-tag vlan-id Assign tagged traffic on the specified VLAN to a virtual network.
Default Not configured
Command mode VIRTUAL-NETWORK
Usage information Use this command to assign traffic on the same VLAN or interface to different virtual networks. The no version of this command removes the configured value.
Example
OS10(config)# virtual-network 10000
OS10(config-vn)# member-interface port-channel 10 vlan-tag 200
OS10(config-vn)# member-interface port-channel 20 untagged
Supported releases 10.4.2.
show hardware overlay-routing-profile mode
Displays the number of hardware resources available for overlay routing in different profiles.
Syntax show hardware overlay-routing-profile mode [all]
Parameters all View the number of tenant entries available in each hardware partition for overlay routing profiles.
89 packets, 10056 octets
Output statistics:
207 packets, 7376 octets
Time since last interface status change: 10:23:21
Supported releases 10.4.3.0 or later
show nve remote-vtep
Displays information about remote VXLAN tunnel endpoints.
Syntax show nve remote-vtep [ip-address | summary | counters]
Parameters
ip-address Display detailed information about a specified remote VTEP.
summary Display summary information about remote VTEPs.
counters Display statistics on remote VTEP traffic.
Supported releases 10.4.2.0 or later
show nve vxlan-vni
Displays information about the VXLAN virtual networks on the switch.
Syntax show nve vxlan-vni
Parameters None
Default Not configured
Command mode EXEC
Usage information Use this command to display information about configured VXLAN virtual networks. Each VXLAN virtual network is identified by its virtual-network ID.
show virtual-network counters
Displays packet statistics for virtual networks.
Syntax show virtual-network [vn-id] counters
Parameters vn-id Enter a virtual-network ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to monitor the packet throughput on virtual networks, including VXLANs. Use the clear virtual-network counters command to clear virtual-network counters.
show virtual-network interface
Displays the VXLAN virtual networks and server VLANs where a port is assigned.
Syntax show virtual-network interface {ethernet node/slot/port:subport | port-channel number}
Parameters
interface ethernet node/slot/port[:subport] Enter the port information for an Ethernet interface.
interface port-channel number Enter a port-channel number, from 1 to 128.
Default Not configured
Command mode EXEC
Usage information Use this command to display the VLAN port interfaces that transmit VXLAN packets over a virtual network.
Usage information The virtual network operates as an L2 bridging domain. To add a VXLAN to the virtual network, use the vxlan-vni command. The no version of this command removes the configured virtual network.
Example
OS10(config)# virtual-network 1000
OS10(config-vn)#
Supported releases 10.4.2.0 or later
virtual-network untagged-vlan
Configures a dedicated VLAN for internal use to transmit untagged traffic on member ports in virtual networks on the switch.
Parameters remote-vtep ip-address Clear MAC addresses learned from the specified remote VTEP.
Default Not configured
Command mode EXEC
Usage information To display the MAC addresses learned from a remote VTEP, use the show mac address-table nve remote-vtep command. Use this command to delete all MAC address entries learned from a remote VTEP.
Example
OS10# clear mac address-table dynamic nve remote-vtep 32.1.1.1
Supported releases 10.4.2.
show mac address-table count extended
Displays the number of MAC addresses learned on all VLANs and VXLAN virtual networks.
Syntax show mac address-table count extended [interface {ethernet node/slot/port:subport | port-channel number}]
Parameters interface ethernet node/slot/port[:subport] Display the number of MAC addresses learned on all VLANs and VXLANs on the specified interface.
Supported releases 10.4.2.0 or later
show mac address-table count virtual-network
Displays the number of MAC addresses learned on virtual networks.
Syntax show mac address-table count virtual-network [dynamic | local | remote | static | interface {ethernet node/slot/port:subport | port-channel number} | vn-id]
Parameters
dynamic Display the number of local dynamically-learned MAC addresses.
local Display the number of local MAC addresses.
interface port-channel number Display only MAC addresses learned on the specified port channel.
static Display only static MAC addresses.
dynamic Display only dynamic MAC addresses.
Default Not configured
Command mode EXEC
Usage information By default, MAC learning from a remote VTEP is enabled. Use this command to verify the MAC addresses learned both on VXLAN virtual networks and VLANs on the switch.
--------------------------------------------------------------
10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.1)
Supported releases 10.4.2.0 or later
show mac address-table virtual-network
Displays the MAC addresses learned on all or a specified virtual network.
Example: VXLAN with static VTEP
This example uses a typical Clos leaf-spine topology with static VXLAN tunnel endpoints (VTEPs) in VLT dual-homing domains. The individual switch configuration shows how to set up an end-to-end VXLAN. The underlay IP network routes are advertised using OSPF.
● On VTEPs 1 and 2, access ports are assigned to the virtual network using a switch-scoped VLAN configuration.
● On VTEPs 3 and 4, access ports are assigned to the virtual network using a port-scoped VLAN configuration.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.16.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0
OS10(conf-if-lo-0)# exit
3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
7. Configure upstream network-facing ports.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.16.1.0/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.
9. Configure overlay IP routing
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure the anycast L3 gateway MAC address for all VTEPs.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.231/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.
5. Assign a switch-scoped VLAN to a virtual network.
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
OS10(config)# interface vlan200
OS10(config-if-vl-100)# virtual-network 20000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
6. Configure access ports as VLAN members.
OS10(config)# interface port-channel20 OS10(conf-if-po-20)# vlt port-channel 20 OS10(conf-if-po-20)# exit Configure VLTi member links. OS10(config)# interface OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# ethernet1/1/3 no shutdown no switchport exit OS10(config)# interface OS10(conf-if-eth1/1/4)# OS10(conf-if-eth1/1/4)# OS10(conf-if-eth1/1/4)# ethernet1/1/4 no shutdown no switchport exit Configure a VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2. OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 172.18.0.1 OS10(config-router-ospf-1)# exit 2. Configure a Loopback interface. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.2.1/32 OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0 OS10(conf-if-lo-0)# exit 3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# virtual-network 20000 OS10(config-vn-20000)# member-interface port-channel 20 untagged OS10(config-vn-20000)# exit NOTE: This step shows how to add access ports using port-scoped VLAN-to-VNI mapping. You can also add access ports using a switch-scoped VLAN-to-VNI mapping. However, you cannot use both methods at the same time; you must use either a port-scoped or switch-scoped VLAN-to-VNI mapping. 8. Configure upstream network-facing ports.
Configure a VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.3 OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4 OS10(conf-vlt-1)# vlt-mac aa:bb:dd:cc:ff:ee OS10(conf-vlt-1)# exit Configure UFD with uplink VLT ports and downlink network ports.
4. Configure VXLAN virtual networks with a static VTEP.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# remote-vtep 192.168.1.1
OS10(config-vn-vxlan-vni-remote-vtep)# exit
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# remote-vtep 192.168.1.
OS10(config-vn-vxlan-vni-remote-vtep)#
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0 OS10(conf-if-eth1/1/2)# exit 9. Configure VLT Configure VLTi VLAN for the VXLAN virtual network. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vlti-vlan 200 OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vlti-vlan 100 OS10(config-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of network failure.
Configure an anycast L3 gateway for all VTEPs in all virtual networks. OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 Configure routing with an anycast gateway IP address for each virtual network. OS10(config)# interface virtual-network 10000 OS10(config-if-vn-10000)# ip vrf forwarding tenant1 OS10(config-if-vn-10000)# ip address 10.1.0.234/16 OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip address 172.17.2.1/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# ip address 172.18.2.1/31
OS10(conf-if-eth1/1/3)# ip ospf 1 area 0.0.0.
Table 78. Differences between Static VXLAN and VXLAN BGP EVPN
Static VXLAN: To start sending and receiving virtual-network traffic to and from a remote VTEP, manually configure the VTEP as a member of the virtual network.
VXLAN BGP EVPN: No manual configuration is required. Each remote VTEP is automatically learned as a member of a virtual network from the EVPN routes received from the remote VTEP. After a remote VTEP address is learned, VXLAN traffic is sent to, and received from, the VTEP.
Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include: ● Initiate and maintain route adjacencies using any routing protocol in the underlay network. ● Advertise locally learned routes to all MP-BGP EVPN peers.
the export RT associated with the EVI. A receiving VTEP downloads information in the BGP EVPN route to EVIs that have a matching import RT value. You can autogenerate or manually configure the RT import and export for each EVI. In auto-EVI mode, RT autogenerates. In manual EVI configuration mode, you can autogenerate or manually configure the RT. The RT consists of a 2-octet type and a 6-octet value.
g. Assign the BGP neighbor to an autonomous system in ROUTER-BGP-NEIGHBOR mode. remote-as as-number h. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode. no shutdown i. Return to ROUTER-BGP mode. exit For each BGP peer session in the overlay network: a. Configure the BGP peer using its Loopback IP address on the VTEP in ROUTER-BGP mode. neighbor loopback-ip-address b. Assign the BGP neighbor Loopback address to the autonomous system in ROUTER-BGP-NEIGHBOR mode.
OS10(config-router-neighbor-af)# exit OS10(config-router-bgp-neighbor)# exit ● On each spine switch, disable sender-side loop detection to leaf switch neighbors in ROUTER-BGP-NEIGHBOR-AF mode. OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit m.
Display the EVPN instance configuration
OS10# show evpn evi 1
EVI : 65447, State : up
  Bridge-Domain       : (Virtual-Network)100, (VNI)100
  Route-Distinguisher : 1:110.111.170.102:65447(auto)
  Route-Targets       : 0:101:268435556(auto) both
  Inclusive Multicast : 110.111.170.107
Display the VXLAN overlay for the EVPN instance
OS10# show evpn vxlan-vni
VXLAN-VNI  EVI  Virtual-Network-Instance
100001     1    1
100010     2    2
Display the BGP neighbors in the EVPN instances
OS10# show ip bgp neighbors 110.111.170.
*> Route distinguisher: 110.111.170.107:64536 [3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 0 100 101 ?
Display the EVPN routes for host MAC addresses
OS10# show evpn mac
Type -(lcl): Local (rmt): remote
EVI  Mac-Address        Type  Seq-No  Interface/Next-Hop
50   00:00:00:aa:aa:aa  rmt   0       55.1.1.3
50   00:00:00:cc:cc:cc  lcl   0       ethernet1/1/8:1
Seq-No 0 0 Interface/Next-Hop 55.1.1.
The ingress VTEP is configured with all destination virtual networks, and has the ARP entries and MAC addresses for all destination hosts in its hardware tables. Each VTEP learns the host MAC and MAC-to-IP bindings using ARP snooping for local addresses and type-2 route advertisements from remote VTEPs. For VXLAN BGP EVPN examples that use asymmetric IRB, see Example: VXLAN with BGP EVPN and Example: VXLAN BGP EVPN — Multiple AS topology.
OS10(config-evpn-vrf-vrf-tenant)# route-target {auto | value {import | export | both} [asn4]} OS10(config-evpn-vrf-vrf-tenant)# exit 3. (Optional) Advertise the IP prefixes learned from external networks and directly connected networks into EVPN type-5 route advertisements in EVPN-VRF mode; for example: OS10(config)# evpn OS10(config-evpn)# vrf vrf-tenant1 OS10(config-evpn-vrf-vrf-tenant1)# advertise {ipv4 | ipv6} {connected | static| ospf | bgp} [route-map map-name] 4.
Route-Distinguisher : 1:80.80.1.1:5050(auto)
Route-Targets : 0:200:268430506(auto) both
Remote VTEP : 4.4.4.4
Display the router MAC address used in overlay network for symmetric IRB
show evpn router-mac
Local Router MAC : 14:18:77:25:4e:4d
Remote-VTEP  Router's-MAC
4.4.4.4      14:18:77:25:6f:4d
5.5.5.5      00:00:01:00:a3:b4
Display the learned EVPN Type 5 routes
OS10# show ip bgp l2vpn evpn
BGP local RIB : Routes to be Added , Replaced , Withdrawn
BGP local router ID is 95.0.0.
BGP EVPN with VLT OS10 supports BGP EVPN operation between VLT peers that you configure as VTEPs. For more information about configurations and best practices to set up VLT for VXLAN, see Configure VXLAN — Configure VLT. This information also applies to BGP EVPN for VXLAN. Dell EMC recommends configuring iBGP peering for the IPv4 address family between the VTEPs in a VLT pair on a dedicated L3 VLAN that is used when connectivity to the underlay L3 network is lost.
Figure 10. BGP EVPN in VLT domain VXLAN BGP commands activate (l2vpn evpn) Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group. Syntax activate Parameters None Default Not configured Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default.
Example
OS10(conf-router-neighbor)# address-family l2vpn evpn unicast
OS10(conf-router-bgp-neighbor-af)# activate
Supported Releases
10.2.0E or later
address-family l2vpn evpn
Configures the L2 VPN EVPN address family for VXLAN host-based routing to a BGP neighbor.
sender-side-loop-detection Enables the sender-side loop detection process for a BGP neighbor. Syntax sender-side-loop-detection Parameters None Default Enabled Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information This command helps detect routing loops, based on the AS path before it starts advertising routes. To configure a neighbor to accept routes use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor.
*> Route distinguisher: 110.111.170.107:64536 [3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 101 ? OS10# show BGP router Neighbor Pfx 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 0 100 ip bgp l2vpn evpn summary identifier 2.2.2.2 local AS number 4294967295 AS MsgRcvd MsgSent Up/Down State/ 4294967295 4294967295 4294967295 4294967295 504 504 11514 504 2831 2364 4947 2413 9130 9586 8399 7310 05:57:27 05:56:43 01:10:39 05:51:56 OS10# show ip bgp l2vpn evpn neighbors BGP neighbor is 3.3.3.
Received 20 messages 1 opens, 0 notifications, 0 updates 19 keepalives, 0 route refresh requests Sent 20 messages 1 opens, 1 notifications, 0 updates 18 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) Extended Next Hop Encoding (5) Capabilities advertised to neighbor
Supported releases 10.4.2.0 or later VXLAN EVPN commands advertise Advertises the IP prefixes learned from external networks and directly connected neighbors into EVPN. Syntax advertise {ipv4 | ipv6} {connected | static | ospf | bgp} [route-map mapname] Parameters ● ● ● ● ● ● ● Default None Command Mode EVPN-VRF Usage Information EVPN uses Type 5 route advertisements. To specify the types of learned routes to use in EVPN Type 5 advertisements in a tenant VRF, use the advertise command.
auto-evi Creates an EVPN instance automatically, including Route Distinguisher (RD) and Route Target (RT) values. Syntax auto-evi Parameters None Default Not configured Command mode EVPN Usage information In deployments running BGP with 2-byte or 4-byte autonomous systems, auto-EVI automatically creates EVPN instances when you create a virtual network on a VTEP in the overlay network.
Example 2
OS10(config)# evpn
OS10(config-evpn)# disable-rt-asn
OS10(config-evpn)# evi 1001
OS10(config-evpn-evi-1001)# route-target auto
OS10(config-evpn)# vrf BLUE
OS10(config-evpn-vrf-BLUE)# vni 64001
OS10(config-evpn-vrf-BLUE)# route-target auto
OS10(config-evpn-vrf-BLUE)#
Supported releases
10.5.1.0 or later
evi
Creates an EVPN instance (EVI) in EVPN mode.
Syntax evi id
Parameters id Enter the EVPN instance ID, from 1 to 65535.
Parameters A.B.C.D: [1-65535] Manually configure the RD with a 4-octet IPv4 address, then a 2-octet-number from 1 to 65535. auto Configure the RD to automatically generate. Default Not configured Command mode EVPN-EVI and EVPN-VRF Usage information A RD maintains the uniqueness of an EVPN route between different EVPN instances. Configure a route distinguisher in a tenant VRF used for EVPN symmetric IRB traffic.
Parameters value {import | export | both} Configure an RT import or export value, or both values in the format 2-octetASN:4-octet-number or 4-octet-ASN:2-octet-number. ● The 2-octet ASN or number is 1 to 65535. ● The 4-octet ASN or number is 1 to 4294967295. auto Configure the RT import and export values to automatically generate. asn4 (Optional) Advertises a 4-byte AS number in RT values.
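The RT value formats above and the rule that a receiving VTEP installs a route only into EVIs with a matching import RT can be checked offline across several VTEPs. The following is an added example, not Dell EMC code: the VTEP names, the sample CLI text and the deliberate mistake on leaf3 are constructed, and EVIs that use route-target auto are skipped because their generated values do not appear in the CLI text.

```python
import re

PROMPT = re.compile(r"^\S*\)#\s*")   # strips a leading "OS10(config-evpn-evi-10000)# "
U16, U32 = 65535, 4294967295


def valid_rt(value):
    """True for 2-octet-ASN:4-octet-number or 4-octet-ASN:2-octet-number."""
    m = re.fullmatch(r"(\d+):(\d+)", value)
    if not m:
        return False
    a, b = int(m.group(1)), int(m.group(2))
    return (1 <= a <= U16 and 1 <= b <= U32) or (1 <= a <= U32 and 1 <= b <= U16)


def parse_evis(text):
    """Return ({evi_id: settings}, [rejected route-target lines]) from EVPN CLI text."""
    evis, rejected, cur = {}, [], None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) == 2 and words[0] == "evi" and words[1].isdigit():
            cur = evis.setdefault(int(words[1]), {"vni": None, "auto": False,
                                                  "import": set(), "export": set()})
        elif words and words[0] in ("evpn", "vrf"):
            cur = None                    # left EVI context (tenant VRF blocks are not audited)
        elif cur is None or not words:
            continue
        elif words[0] == "vni" and len(words) == 2 and words[1].isdigit():
            cur["vni"] = int(words[1])
        elif words[:2] == ["route-target", "auto"]:
            cur["auto"] = True            # generated values are not in the CLI text
        elif words[0] == "route-target" and len(words) >= 3:
            value, direction = words[1], words[2]
            if not valid_rt(value) or direction not in ("import", "export", "both"):
                rejected.append(" ".join(words))
                continue
            if direction in ("import", "both"):
                cur["import"].add(value)
            if direction in ("export", "both"):
                cur["export"].add(value)
    return evis, rejected


def audit(configs):
    """configs: {vtep: cli_text}. Returns (one_way, leaks) over ordered VTEP pairs."""
    parsed = {name: parse_evis(text)[0] for name, text in configs.items()}
    one_way, leaks = [], []
    for exp_name, exp_evis in parsed.items():
        for imp_name, imp_evis in parsed.items():
            if exp_name == imp_name:
                continue
            for exp in exp_evis.values():
                for imp in imp_evis.values():
                    if exp["auto"] or imp["auto"] or None in (exp["vni"], imp["vni"]):
                        continue
                    shared = sorted(exp["export"] & imp["import"])
                    if exp["vni"] == imp["vni"] and not shared:
                        # same VNI, but the importer never installs the exporter's routes
                        one_way.append((exp["vni"], exp_name, imp_name))
                    elif exp["vni"] != imp["vni"] and shared:
                        # routes of one virtual network land in a different one
                        leaks.append((exp_name, exp["vni"], imp_name, imp["vni"], shared))
    return sorted(one_way), sorted(leaks)


# Constructed sample input in the style of the multiple-AS example. leaf3's EVI 20000
# deliberately imports 99:10000 where 99:20000 was intended.
CONSTRUCTED = {
    "leaf1": """
OS10(config)# evpn
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# vni 10000
OS10(config-evpn-evi-10000)# route-target 99:10000 both
OS10(config-evpn-evi-10000)# route-target 100:10000 import
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# route-target 99:20000 both
OS10(config-evpn-evi-20000)# route-target 100:20000 import
""",
    "leaf3": """
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# vni 10000
OS10(config-evpn-evi-10000)# route-target 99:10000 import
OS10(config-evpn-evi-10000)# route-target 100:10000 both
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# route-target 99:10000 import
OS10(config-evpn-evi-20000)# route-target 100:20000 both
""",
}

if __name__ == "__main__":
    one_way, leaks = audit(CONSTRUCTED)
    for vni, exporter, importer in one_way:
        print(f"VNI {vni}: {importer} imports no RT exported by {exporter}")
    for exporter, evni, importer, ivni, rts in leaks:
        print(f"{importer} VNI {ivni} imports {rts} exported by {exporter} VNI {evni}")
```

On the constructed input the single wrong import produces both findings: leaf3 never installs leaf1's VNI 20000 routes, and leaf1's VNI 10000 routes are imported into leaf3's VNI 20000.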
show evpn evi Displays the configuration settings of EVPN instances. Syntax show evpn evi [id] Parameters id — (Optional) Enter the EVPN instance ID, from 1 to 65535. Default Not configured Command mode EXEC Usage information Use this command to verify EVPN instance status, associated VXLAN virtual networks and the RD and RT values the BGP EVPN routes use in the EVI. The status of integrated routing and bridging (IRB) and the VRF used for EVPN traffic also display.
Local MAC Address Count : 1
Remote MAC Address Count : 2
OS10# show evpn mac evi 811 next-hop 80.80.1.8 count
EVI 811 next-hop 80.80.1.8 MAC Entries :
Remote MAC Address Count : 2
Supported releases 10.4.2.0 or later
show evpn mac-ip
Displays the BGP EVPN Type 2 routes used for host MAC-IP address binding.
106 106 14:18:77:25:6f:84 14:18:77:25:6f:84 lcl lcl 0 0 16.16.16.2 2001:16::16:2 OS10# show evpn mac-ip evi 104 Type EVI 104 104 104 104 -(lcl): Local (rmt): remote Mac-Address 14:18:77:25:4d:b9 14:18:77:25:4d:b9 14:18:77:25:6e:b9 14:18:77:25:6e:b9 Type rmt rmt lcl lcl Seq-No 0 0 0 0 Host-IP Interface/Next-Hop 14.14.14.1 95.0.0.3 2001:14::14:1 95.0.0.3 14.14.14.
show evpn vrf Displays the VRF instances used to forward EVPN routes in VXLAN overlay networks. Syntax show evpn vrf [vrf-name] Parameters vrf-name — (Optional) Enter the name of a non-default tenant VRF instance. Default Not configured Command mode EXEC Usage information Use this command to verify the tenant VRF instances used in EVPN instances to exchange BGP EVPN routes in VXLANs.
OS10# show evpn vrf l3-vni vrf_30 VRF : vrf_30, State : up L3-VNI : 3030 Route-Distinguisher : 1:80.80.1.1:3030(auto) Route-Targets : 0:200:268435557(auto) both Remote VTEP : 4.4.4.4 Supported releases 10.5.1.0 or later show evpn vxlan-vni Displays the VXLAN overlay network for EVPN instances. Syntax show evpn vxlan-vni [vni] Parameters vni — (Optional) Enter the VXLAN virtual-network ID, from 1 to 16,777,215.
vrf Creates a non-default VRF instance for EVPN symmetric IRB traffic. Syntax vrf vrf-name Parameters ● vrf-name — Enter the name of a non-default tenant VRF; 32 characters maximum. Default Not configured Command Mode EVPN Usage Information Configure a non-default VRF for symmetric IRB for each tenant VRF. The tenant VRF is created using the ip vrf command when you enable overlay routing with IRB; see Enable overlay routing between virtual networks.
Figure 11. VXLAN BGP EVPN use case
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(config-router-bgp-af)# redistribute connected OS10(config-router-bgp-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.16.1.
12. Configure VLT. Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.0/31 OS10(config-if-vl-4000)# exit Configure the VLT port channel.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# no activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# activate OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between VLT peers.
OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4. Configure unused VLAN ID for untagged membership. OS10(config)# virtual-network untagged-vlan 1000 5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.18.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.18.2.
OS10(config-evpn-evi-10000)# route-target auto
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
Configure iBGP IPv4 peering between VLT peers. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.16.250.11 OS10(config-router-neighbor)# remote-as 100 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 14. Configure IP routing in the overlay network. Create the tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.19.0.
Configure a VLTi VLAN for the virtual network. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vlti-vlan 100 OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-bgp-101)# neighbor 172.17.1.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.18.1.
OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-101)# neighbor 172.19.0.
OS10(conf-router-bgp-101)# neighbor 172.18.2.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.19.2.
OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# send-community extended OS10(conf-router-neighbor)# update-source loopback1 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms 64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms --- 10.2.0.10 ping statistics --5 packets transmitted, 5 received, 0% packet loss, time 4078ms rtt min/avg/max/mdev = 0.806/0.851/0.944/0.051 ms root@HOST-A:~# 5. Check connectivity between host A and host C. root@HOST-A:~# ping 10.1.0.20 -c 5 PING 10.1.0.20 (10.1.0.20) 56(84) bytes of 64 bytes from 10.1.0.20: icmp_seq=1 ttl=64 64 bytes from 10.1.0.20: icmp_seq=2 ttl=64 64 bytes from 10.1.0.
Figure 12. VXLAN BGP EVPN with multiple AS
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-99)# address-family ipv4 unicast OS10(config-router-bgp-af)# redistribute connected OS10(config-router-bgp-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-99)# neighbor 172.16.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-99)# neighbor 172.16.2.
OS10(config-evpn-evi-20000)# route-target 100:20000 import OS10(config-evpn-evi-20000)#exit OS10(config-evpn)# 12. Configure VLT. Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.0/31 OS10(config-if-vl-4000)# exit Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethern
OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# no activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-99)# neighbor 172.202.0.
OS10(conf-if-eth1/1/4)# no switchport OS10(conf-if-eth1/1/4)# exit Configure the VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.2 OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4 OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff OS10(conf-vlt-1)# exit Configure UFD with uplink VLT ports and downlink network ports.
2. Configure the Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback0 OS10(config-nve)# exit 3. Configure VXLAN virtual networks. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4.
OS10(conf-if-eth1/1/1)# mtu 1650 OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31 OS10(conf-if-eth1/1/2)# exit 8. Configure eBGP. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# router-id 172.18.0.1 OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.18.1.
OS10(config-evpn-evi-10000)# rd 192.168.2.1:10000 OS10(config-evpn-evi-10000)# route-target 99:10000 import OS10(config-evpn-evi-10000)# route-target 100:10000 both OS10(config-evpn-evi-10000)#exit OS10(config-evpn)# evi 20000 OS10(config-evpn-evi-20000)# vni 20000 OS10(config-evpn-evi-20000)# rd 192.168.2.1:20000 OS10(config-evpn-evi-20000)# route-target 99:20000 import OS10(config-evpn-evi-20000)# route-target 100:20000 both OS10(config-evpn-evi-20000)#exit OS10(config-evpn)# 13. Configure VLT.
Configure iBGP IPv4 peering between VLT peers. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.16.250.11 OS10(config-router-neighbor)# remote-as 100 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 14. Configure IP routing in the overlay network. Create the tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.19.0.1/32 OS10(conf-if-lo-1)# exit 11. Configure BGP EVPN peering. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.11/31 OS10(config-if-vl-4000)# exit Configure VLT port channels.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# exit 4. Configure a Loopback interface for BGP EVPN peering. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.201.0.1/32 OS10(conf-if-lo-1)# exit 5. Configure BGP EVPN peer sessions. OS10(config)# router bgp 101 OS10(conf-router-bgp-101)# neighbor 172.16.0.
Spine Switch 2 1. Configure downstream ports on the underlay links to the leaf switches.
OS10(conf-router-neighbor)# update-source loopback1 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-102)# neighbor 172.17.0.
2. Verify EVPN configurations and EVPN parameters.
LEAF1# show evpn evi
EVI : 10000, State : up
  Bridge-Domain       : Virtual-Network 10000, VNI 10000
  Route-Distinguisher : 1:192.168.1.1:10000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.1
  IRB                 : Enabled(tenant1)
EVI : 20000, State : up
  Bridge-Domain       : Virtual-Network 20000, VNI 20000
  Route-Distinguisher : 1:192.168.1.1:20000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.
rtt min/avg/max/mdev = 0.640/0.669/0.707/0.041 ms root@HOST-A:~# NOTE: Follow Steps 1 to 6 to check ping connectivity between combinations of other hosts, and between hosts through different virtual-network IP addresses. Example: VXLAN BGP EVPN — Centralized L3 gateway The following VXLAN with BGP EVPN example uses a centralized Layer 3 gateway to perform virtual-network routing. It is based on the sample configuration in Example: VXLAN BGP EVPN — Multiple AS topology.
Figure 13. VXLAN BGP EVPN with centralized L3 gateway NOTE: This centralized L3 gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example, except: ● Because VTEPs 1 and 2 operate only in Layer 2 VXLAN mode, do not configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.233/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
S4048T-ON, S6010-ON, and the S4100-ON series, routing after decapsulation is performed only between virtual networks. You can connect an egress virtual network to a VLAN in an external router, which connects to the external network. In the following example, VLT domain 1 is a VLT VTEP. VLT domain 2 is the border leaf VLT VTEP pair. All virtual networks in the data center network are configured in all VTEPs with virtual-network IP and anycast IP gateway addresses.
Figure 14. VXLAN BGP EVPN with border leaf gateway NOTE: This border leaf gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example and add the following additional configuration steps on each VTEP. VTEP 1 Leaf Switch 1. Configure a dedicated VXLAN virtual network.
2. Configure routing on the virtual network. OS10(config)# interface virtual-network 500 OS10(conf-if-vn-10000)# ip vrf forwarding tenant1 OS10(conf-if-vn-10000)# ip address 10.5.0.231/16 3. Configure a static route for outbound traffic sent to the anycast MAC address of the dedicated virtual network. OS10(config)#ip route 0.0.0.0/0 10.5.0.100 VTEP 2 Leaf Switch 1. Configure a dedicated VXLAN virtual network.
5. Configure a static route for outbound traffic sent to VLAN 200.
OS10(config)# ip route 0.0.0.0/0 10.10.0.3
VTEP 4 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
OS10(config)# virtual-network 500
OS10(config-vn-500)# vxlan-vni 500
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
2. Configure an anycast gateway MAC address on the border leaf VTEP. This MAC address must be different from the anycast gateway MAC address configured on non-border-leaf VTEPs.
VTEP 1 Leaf Switch 1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
4. Assign VLAN member interfaces to the virtual network. Use a switch-scoped VLAN-to-VNI mapping:
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 9. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.16.0.1/32 OS10(conf-if-lo-1)# exit 10. Configure BGP EVPN peering. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
15. Configure advertisement of connected networks through EVPN type-5 routes. OS10(config)# evpn OS10(config-evpn)# vrf tenant1 OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected OS10(config-evpn-vrf-tenant1)# exit VTEP 2 Leaf Switch 1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2.
OS10(conf-if-eth1/1/2)# ip address 172.17.2.0/31 OS10(conf-if-eth1/1/2)# exit 7. Configure eBGP. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# router-id 172.17.0.1 OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.17.1.
11. Configure EVPN for the VXLAN virtual network. Configure the EVPN instance, RD, and RT using auto-EVI mode. OS10(config)# evpn OS10(config-evpn)# auto-evi OS10(config-evpn)# exit 12. Configure VLT. Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.1/31 OS10(config-if-vl-4000)# exit Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.232/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(conf-if-vn-10000)# no shutdown
OS10(conf-if-vn-10000)# exit
14. Configure symmetric IRB.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# no activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# activate OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor
Configure the VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.3 OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4 OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee OS10(conf-vlt-1)# exit Configure UFD with uplink VLT ports and downlink network ports.
OS10(conf-if-eth1/1/7)# switchport mode trunk OS10(conf-if-eth1/1/7)# switchport trunk allowed vlan 200 17. Configure advertisement of the connected networks via EVPN Type-5 routes. OS10(config)# evpn OS10(config-evpn)# vrf tenant1 OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected OS10(config-evpn-vrf-tenant1)# exit 18. Configure BGP session with external router on the border-leaf VTEPs. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# vrf tenant1 OS10(config-router-bgp-100-vrf)# neighbor 10.
VTEP 4 Leaf Switch 1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.2.1/32 OS10(conf-if-lo-0)# exit 2. Configure the Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback0 OS10(config-nve)# exit 3. Configure the VXLAN virtual network.
OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.19.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.19.2.
OS10(config-evpn-evi-20000)# route-target auto OS10(config-evpn-evi-20000)# exit OS10(config-evpn)# exit 13. Configure VLT. Configure a VLTi VLAN for the virtual network. OS10(config)# virtual-network 20000 OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
15. Configure symmetric IRB.
With connected routes of virtual networks present in an individual VTEP advertised as type-5 routes, the border-leaf router has information about all the virtual networks present in the pod.
3. Configure eBGP IPv4 peer sessions on the P2P links. OS10(conf-router-bgp-101)# neighbor 172.16.1.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.17.1.
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.17.2.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.18.2.
OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=0.824 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=63 time=0.835 ms
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.
Example - VXLAN BGP EVPN symmetric IRB with unnumbered BGP peering The following BGP EVPN example uses a Clos leaf-spine topology with BGP over unnumbered interfaces. The following explains how the network is configured: ● External BGP (eBGP) over unnumbered interfaces is used to exchange both IPv4 routes and EVPN routes. ● You need not configure IP addresses on links that connect Spine and Leaf switches. BGP Unnumbered peering works without an IP address configuration on Spine-Leaf links.
● On leaf switches 1 and 2, access ports are assigned to a virtual network using a switch-scoped VLAN. EVPN for the overlay VXLAN is configured using auto-EVI mode. ● On leaf switches 3 and 4, access ports are assigned to a virtual network using a port-scoped VLAN. EVPN for the overlay VXLAN is configured using manual EVI mode with RT and RD values configured in auto mode.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-101)# neighbor interface ethernet1/1/4 OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit Spine Switch 2 configuration 1. Configure downstream ports as unnumbered interfaces.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit VTEP Leaf Switch 1 configuration 1. Configure a loopback interface for the VXLAN underlay using the same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config-router-bgp-af)# redistribute connected OS10(config-router-bgp-af)# exit 8. Configure a BGP unnumbered neighbor over network facing ports. Use a template to simplify the configuration on multiple interfaces. These neighbors are configured to carry IPv4 address family (default) and L2VPN EVPN address family.
● Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# exit
● Configure iBGP unnumbered peering between VLT peers with both IPv4 and L2VPN EVPN address families.
2. Configure the loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback0 OS10(config-nve)# exit 3. Configure the VXLAN virtual network. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn)# exit 4. Assign VLAN member interfaces to the virtual network. Use a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-bgp-201)# neighbor interface ethernet1/1/2 OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit 9. Configure EVPN for the VXLAN virtual network. Configure the EVPN instances using Auto EVI mode and Disable ASN in the generated RT.
OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit 11. Configure IP routing in overlay network. ● Create a tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit ● Configure an anycast gateway MAC address. OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 ● Configure routing on the virtual network.
OS10(conf-if-po-20)# switchport mode trunk OS10(conf-if-po-20)# no switchport access vlan OS10(conf-if-po-20)# exit OS10(config)# interface ethernet1/1/6 OS10(conf-if-eth1/1/6)# no shutdown OS10(conf-if-eth1/1/6)# channel-group 20 mode active OS10(conf-if-eth1/1/6)# exit 6. Add the access ports to the virtual network. OS10(config)# virtual-network 20000 OS10(config-vn-20000)# member-interface port-channel 20 untagged OS10(config-vn-20000)# exit 7.
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
● Configure a VLTi VLAN for the virtual network.
● Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.233/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
13.
4. Configure an unused VLAN ID for untagged membership. OS10(config)# virtual-network untagged-vlan 1000 5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit 12. Configure IP routing in the overlay network. ● Create a tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit ● Configure an anycast gateway MAC address. OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 ● Configure routing on the virtual network.
Asymmetric to Symmetric IRB migration steps
1. Make the spines send overlay traffic only to Leaf-2 by making Leaf-1 advertise the VTEP IP with a higher metric in the underlay network.
Leaf-1 configuration
a. Configure a route-map with a prefix-list to set a higher metric for the VTEP IP.
Leaf-1(config)# ip prefix-list vtep_ip seq 10 permit 10.10.10.
2. Spines would now send the overlay traffic destined to VLT domain 1 (Rack1) only to Leaf-2. 3. Configure Symmetric IRB mode in Leaf-2. Leaf-2 configuration a. Configure router-mac. Leaf-2(config)# evpn Leaf-2(config-evpn)# router-mac 02:10:10:10:10:10 b. Configure IP VRF with L3 VNI. Leaf-2(config-evpn)# vrf BLUE Leaf-2(config-evpn-vrf-VRF001)# vni 65001 c. Configure RT (auto or manual) and RD (optional, default is auto). Leaf-2(config-evpn-vrf-BLUE)# route-target auto d.
b. Default route configured in VTEPs pointing to border leaf using an intermediate VNI could be removed. Default route or external routes could now be advertised to the VTEPs from border leaf using advertise commands under EVPN-IPVRF mode. Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology The following VXLAN with BGP EVPN example uses a Clos leaf-spine topology to show how to set up route leaking across VRF in a symmetric IRB topology.
● The individual switch configuration shows how to configure VRFs in the VTEPs and configure route leaking between VRFs. For other VXLAN and BGP EVPN configuration, see other examples and the VXLAN section. ● Route leaking is performed on the Border Leaf VTEP. ● There are three nondefault VRFs present in the network – Yellow, Green, and Red. ● Route leaking is done between: ○ VRF-Yellow and VRF-Green. ○ VRF-Yellow and VRF-Red.
2. Configure Layer 3 virtual-network interfaces with VRFs and IP addresses. OS10(config)# interface OS10(conf-if-vn-10001)# OS10(conf-if-vn-10001)# OS10(conf-if-vn-10001)# OS10(conf-if-vn-10001)# OS10(config)# interface OS10(conf-if-vn-20001)# OS10(conf-if-vn-20001)# OS10(conf-if-vn-20001)# virtual-network 10001 ip vrf forwarding Yellow ip address 10.1.0.2/24 ip virtual-router address 10.1.0.254 virtual-network 20001 ip vrf forwarding Green ip address 10.2.0.2/24 ip virtual-router address 10.2.0.254 3.
OS10(config-evpn-vrf-Red)# advertise ipv4 connected OS10(config-evpn-vrf-Red)# exit 4. Configure the border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to an external network and also to networks which are not within the local VRF reaches the Border Leaf router using this default route. a.
OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# exit OS10(config)# ip vrf Red OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# exit 7. (Optional) For advertising leaked routes from Yellow VRF only to an external router on the default VRF and not to an underlay network, use route-maps on spine-facing eBGP neighbors and also on the iBGP neighbor between the VLT peers.
OS10(config-evpn-vrf-Yellow)# advertise ipv4 connected OS10(config-evpn-vrf-Yellow)# exit OS10(config-evpn)# vrf Green OS10(config-evpn-vrf-Green)# vni 65002 OS10(config-evpn-vrf-Green)# route-target auto OS10(config-evpn-vrf-Green)# advertise ipv4 connected OS10(config-evpn-vrf-Green)# exit OS10(config-evpn)# vrf Red OS10(config-evpn-vrf-Red)# vni 65003 OS10(config-evpn-vrf-Red)# route-target auto OS10(config-evpn-vrf-Red)# advertise ipv4 connected OS10(config-evpn-vrf-Red)# exit 4.
● Yellow VRF and Red VRF.
C    10.1.0.0/24   via 10.1.0.3 virtual-network10001      0/0    00:47:11
B EV 10.1.0.1/32   via 192.168.0.1                        200/0  00:48:55
B EV 10.1.0.2/32   via 192.168.0.1                        200/0  00:48:55
B EV 10.2.0.0/24   via 192.168.0.1,Green                  200/0  00:35:48
C    10.3.0.0/24   via 10.3.0.1,Red virtual-network30001  0/0    00:35:48
C    10.10.0.0/24  via 10.10.0.
Gateway of last resort is not set
Destination          Gateway                Dist/Metric  Last Change
--------------------------------------------------------------------------------------------------------
B EX 10.1.0.0/24     via 10.10.0.1          20/0         00:13:49
                     via 10.10.0.2
B EX 10.1.0.1/32     via 10.10.0.1          20/0         00:14:22
                     via 10.10.0.2
B EX 10.1.0.2/32     via 10.10.0.1          20/0         00:14:24
                     via 10.10.0.2
C    10.10.0.0/24    via 10.10.0.3 vlan100  0/0          00:23:16
B EX 172.16.1.1/32   via 10.10.0.1          20/0         00:22:58
                     via 10.10.0.2
B EX 172.16.1.2/32   via 10.10.0.
The NSX controller communicates with an OS10 VTEP using the OVSDB management protocol over a Secure Sockets Layer (SSL) connection. Establishing the communication between the controller and VTEP involves generating the SSL certificate at a VTEP and copying the certificate to the NSX controller. After SSL authentication, a secure connection over SSL is established between the controller and the VTEP. The VTEP then receives and processes the configuration data from the controller.
● Only one mode of VxLAN provisioning is supported at a time: NSX controller-based, static VXLAN, or BGP EVPN. ● An OS10 switch does not send VXLAN access port statistics to the NSX controller. ● Controller-provisioned VXLAN is not supported on VTEPs configured as peers in a VLT domain. Only VTEPs in standalone mode are supported. Specify the controller reachability information In OS10 VTEP, the controller configuration command initializes a connection to an OVSDB-based controller.
4. Assign the interface to the controller. OS10(config-if-eth1/1/1)# nve-controller To view the controller information and the ports the controller manages, use the show nve controller command. OS10# show nve controller Management IP Gateway IP Max Backoff Configured Controller Controller Cluster IP 10.16.140.173 10.16.140.171 10.16.140.172 Port 6640 6640 6640 : : : : 10.16.140.29/16 55.55.5.5 1000 10.16.140.
NOTE: In controller-provisioned VXLAN, the VTEP establishes a BFD session with the service nodes using the controller-provided parameters instead of the parameters configured at the VTEP. If BFD is not enabled in the VTEP, the VTEP uses IP reachability information to monitor connectivity to the service node. To view established sessions, use the show bfd neighbors command.
3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management. a. Click Logical Switches from the left navigation pane. b. Click the green + icon under Logical Switches. The New Logical Switch dialog window opens. c. Enter a name and select Unicast as the replicate mode and click OK 4.
5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller. a. Click Service Definitions from the left navigation pane. b. Click the Hardware Devices tab. c. Click the Edit button in the BFD Configuration. d. Check or clear the Enable BFD check box and provide the Probe interval, in milliseconds, if required. After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch.
To configure an NSX controller-provisioned VXLAN:
● Configure the controller and the interfaces to be managed by the controller in the OS10 VTEPs.
● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see Configure and control VXLAN from the VMware vCenter.
You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller.
OS10(config-nve-ovsdb)# max-backoff 10000 OS10(config-nve-ovsdb)# exit 5. Assign interfaces to be managed by the controller. OS10(config)# interface ethernet 1/1/54:3 OS10(config-if-eth1/1/54:3)# switchport mode trunk OS10(config-if-eth1/1/54:3)# no switchport access vlan OS10(config-if-eth1/1/54:3)# nve-controller 6. (Optional) Enable BFD. OS10(config)# bfd enable VTEP 2 1. Configure the OSPF protocol in the underlay.
Gateway IP            : 200.0.0.1
Max Backoff           : 10000
Configured Controller : 10.16.140.181:6640 ssl (connected)
Controller Cluster
IP             Port  Protocol  Connected  State   Max-Backoff
10.16.140.182  6640  ssl       true       ACTIVE  10000
10.16.140.183  6640  ssl       true       ACTIVE  10000
10.16.140.181  6640  ssl       true       ACTIVE  10000
NVE Controller Ports
ethernet1/1/54:3
To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command.
NVE Controller Ports ethernet1/1/25:3 To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command. OS10# show virtual-network Codes: DP - MAC-learn Dataplane, CP - MAC-learn Controlplane, UUD - Unknown-Unicast-Drop Virtual Network: 0 Members: Virtual Network: 6000 Members: VLAN 20: ethernet1/1/25:3 VxLAN Virtual Network Identifier: 6000 Source Interface: loopback1(202.0.0.1) Remote-VTEPs (flood-list): 13.0.0.
Example
OS10(config)# nve
OS10(config-nve)# controller ovsdb
Supported releases 10.4.3.0 or later
ip port ssl
Configures the OVSDB controller reachability information on the switch, such as the IP address, port number, and connection type of the session.
Syntax ip ip-address port port-number ssl
Parameters
● ip-address — Specify the IP address of the OVSDB controller to connect with.
● port-number — Specify the port number through which the connection to the OVSDB controller is made.
nve-controller Assigns the interfaces to be managed by the controller. Syntax nve-controller Parameters None Default None Command mode INTERFACE Usage information The interface must be in Switchport Trunk mode when adding the interface to the controller. If the interface is not in the Switchport Trunk mode, the system displays the following error message: % Error: Interface ethernet1/1/1, must be in switchport trunk for controller mode.
Management IP         : 10.16.140.29/16
Gateway IP            : 55.55.5.5
Max Backoff           : 1000
Configured Controller : 10.16.140.172:6640 ssl (connected)
Controller Cluster
IP             Port  Protocol  Connected  State    Max-Backoff
10.16.140.173  6640  ssl       true       ACTIVE   1000
10.16.140.171  6640  ssl       false      BACKOFF  1000
10.16.140.172  6640  ssl       true       ACTIVE   1000
NVE Controller Ports
ethernet1/1/1:1
ethernet1/1/15
Supported releases 10.4.3.
Parameters None
Default None
Command mode EXEC
Usage information When you specify the VNID, the output displays details about the service nodes available for the VNID.
Example (without VNID)
OS10# show nve replicators
Codes: * - Active Replicator
BFD Status:Enabled
Replicators  State
-----------------------
2.2.2.3      Up
2.2.2.
show ovsdb-tables mac-remote-ucast Displays information about remote MAC address entries including each MAC address, IP address, local switch name, and VNID. Syntax show ovsdb-tables mac-remote-ucast Parameters None Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
show ovsdb-tables tunnel Displays information about the tunnels created by the physical switch to the service nodes. Syntax show ovsdb-tables tunnel Parameters None Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
17 UFT modes A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 83. UFT Modes — Table Size for Z9264F-ON
UFT Mode          L2 MAC Table Size  L3 Host Table Size  L3 Routes Table Size
Scaled-l2–switch  270336             8192                32768
Scaled-l3–hosts   8192               270336              32768
Scaled-l3–routes  8192               8192                262144
Default           139264             139264              32768
Table 84.
L3 Host Entries   : 147456  212992
L3 Route Entries  : 32768   98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode              default  scaled-l2  scaled-l3-routes  scaled-l3-hosts
L2 MAC Entries    163840   294912     32768             98304
L3 Host Entries   147456   16384      16384             212992
L3 Route Entries  32768    32768      131072            98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults The default parameters vary according to the platform. See UFT modes on page 1318.
Command Mode CONFIGURATION
Usage Information Configure the sizes of the internal L2 and L3 forwarding tables to meet the requirements of your network environment.
L2 MAC Entries    : 163840  98304
L3 Host Entries   : 147456  212992
L3 Route Entries  : 32768   98304
Supported Releases 10.3.0E or later
show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
18 Security
Dell EMC SmartFabric OS10 has several security features to protect the usability and integrity of the data available in the switch. OS10 also has security features to protect the user network from attacks and restrict network traffic.
Switch security
Dell EMC SmartFabric OS10 has various built-in security features to secure administrative access to the switch.
User management
OS10 controls user access to the switch and what users can do after login, based on the assigned roles and privileges.
Assign user role To limit OS10 system access, assign a role when you configure each user. ● Enter a user name, password, and role in CONFIGURATION mode. username username password password role role ○ username username — Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum. ○ password password — Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum.
Verify the linuxadmin password using the show running-configuration command. OS10# show running-configuration system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ ZLv9Sfv3ALtB61 Disable linuxadmin user To disable or lock the linuxadmin user, use the system-user linuxadmin disable command in CONFIGURATION mode.
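The following Python audit is an added example, not part of the Dell documentation. It reads text in the style of show running-configuration and reports local-account findings based on the username, role, and system-user linuxadmin commands described above. The sample configuration, the approved_sysadmins allow-list, and the assumptions that a disabled linuxadmin account appears as a system-user linuxadmin disable line and that an obscured password is printed as asterisks are constructed for illustration.

```python
import re

# crypt(3) scheme identifiers as they appear in "$id$salt$hash" strings.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha-256-crypt", "6": "sha-512-crypt"}

USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+(?P<secret>\S+)\s+role\s+(?P<role>\S+)"
)
LINUXADMIN_RE = re.compile(r"^system-user\s+linuxadmin\s+(?P<rest>.+)$")
CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$[^$]+\$.+$")

# Constructed sample input; names and hash strings are not real credentials.
# The admin2 line reuses the cleartext command form shown in this guide.
SAMPLE_CONFIG = """\
OS10# show running-configuration
system-user linuxadmin password $6$CONSTRUCTEDSALT$ConstructedHashNotARealCredential
username admin password $6$CONSTRUCTEDSALT$ConstructedHashNotARealCredential role sysadmin
username netops password **** role netadmin
username admin2 password 4newhire4 role sysadmin
username audit password $6$CONSTRUCTEDSALT$ConstructedHashNotARealCredential role secadmin priv-lvl 15
"""


def secret_scheme(secret):
    """Classify a password field as masked, a crypt scheme, or cleartext."""
    if set(secret) == {"*"}:
        # Assumption: obscured output prints the secret as asterisks.
        return "masked"
    m = CRYPT_RE.match(secret)
    if not m:
        return "cleartext"
    return CRYPT_SCHEMES.get(m.group("id"), "unknown-crypt")


def parse_accounts(config):
    """Return (users, linuxadmin_state) parsed from configuration text."""
    users = []
    linuxadmin = {"present": False, "disabled": False, "scheme": None}
    for raw in config.splitlines():
        # Drop a pasted CLI prompt such as "OS10(config)# " if present.
        line = re.sub(r"^\S+#\s*", "", raw.strip())
        m = USERNAME_RE.match(line)
        if m:
            users.append({
                "name": m.group("name"),
                "role": m.group("role"),
                "scheme": secret_scheme(m.group("secret")),
            })
            continue
        m = LINUXADMIN_RE.match(line)
        if m:
            linuxadmin["present"] = True
            tokens = m.group("rest").split()
            if tokens[0] == "disable":
                linuxadmin["disabled"] = True
            elif tokens[0] == "password" and len(tokens) > 1:
                linuxadmin["scheme"] = secret_scheme(tokens[1])
    return users, linuxadmin


def audit_accounts(config, approved_sysadmins):
    """Return a list of (finding, account) tuples.

    approved_sysadmins is a hypothetical site allow-list, not an OS10 setting.
    """
    users, linuxadmin = parse_accounts(config)
    findings = []
    # linuxadmin exists by default, so the absence of a disable line is a finding.
    if not linuxadmin["disabled"]:
        findings.append(("linuxadmin-enabled", "linuxadmin"))
    if linuxadmin["scheme"] not in (None, "sha-512-crypt", "masked"):
        findings.append(("weak-or-cleartext-secret", "linuxadmin"))
    for user in users:
        if user["role"] == "sysadmin" and user["name"] not in approved_sysadmins:
            findings.append(("unapproved-sysadmin", user["name"]))
        if user["scheme"] not in ("sha-512-crypt", "masked"):
            findings.append(("weak-or-cleartext-secret", user["name"]))
    return findings


if __name__ == "__main__":
    for finding, account in audit_accounts(SAMPLE_CONFIG, {"admin"}):
        print(f"{finding}: {account}")
```

The cleartext finding is most useful when the input is a stored provisioning snippet rather than device output, because that is where a password typed in the username command survives in readable form.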
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14. ● command-string — Enter the commands supported at the privilege level. 2.
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14. ● command-string — Enter the command supported at the privilege level.
NOTE: Dell Technologies recommends that you configure the lockout period to be a nonzero value. If you set this value to zero, no lockout period is configured, and no number of failed login attempts locks out a user.
○ console-exempt—Applicable only if the user lockout feature is enabled. Enables the user to log in through the console, even though the user ID is blocked because of an existing lockout.
Create strong password rules
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
Display password rules
OS10# show running-configuration password-attributes
password-attributes min-length 7 character-restriction upper 4 numeric 2
Disable strong password check
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
OS10(config)# username admin2 password 4newhire4 role sysadmin
%Error: Password fail: it does not contain enough DIFFERENT charact
Configuration notes All Dell EMC PowerSwitches: ● Obscure password (service obscure-password) is enabled by default when upgrading to 10.5.2.0 or later if the setting is not changed before the upgrade. ● If the Obscure password configuration is explicitly disabled before the upgrade, it remains disabled after the upgrade as well. User management commands disable Lowers the privilege level. Syntax disable privilege-level Parameters ● privilege-level—Enter the privilege level, from 0 to 15.
enable password priv-lvl Sets a password for a privilege level. Syntax enable password encryption-type password-string priv-lvl privilege-level Parameters ● encryption-type — Enter the type of password encryption: ○ 0 — Use an unencrypted password. ○ sha-256 — Use a SHA-256 encrypted password. ○ sha-512 — Use a SHA-512 encrypted password. ● priv-lvl privilege-level — Enter a privilege number from 1 to 15.
Usage Information By default, the password you configure with the username password command must be at least nine alphanumeric characters. Use this command to increase password strength. When you enter the command, at least one parameter is required. When you enter the character-restriction parameter, at least one option is required. To reset parameters to their default values, use the no password-attributes command.
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14. ● command-string — Enter the commands supported at the privilege level.
Usage Information Use the service obscure-password command so that the text characters of passwords are not displayed in show command output. The command obscures the passwords that you configure for user names, NTP, BGP, SNMP, RADIUS servers, and TACACS+ servers. To disable the obscure passwords function, use the no service obscure-password command.
Example OS10(config)# service obscure-password
Supported Releases 10.5.0 or later
show users
Displays information for all users logged into OS10.
Example
OS10# show running-configuration privilege
privilege exec priv-lvl 3 configure
privilege configure priv-lvl 4 "interface ethernet"
enable password sha-512 $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 priv-lvl 12
Supported Releases 10.4.3.0 or later
system-user linuxadmin password
Configures a password for the linuxadmin user.
Parameters ● default inherit — Reconfigure the default permissions assigned to an authenticated user with a missing or unknown role or privilege level. ● name inherit — Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32 characters maximum.
Default ● User name and password entries are in clear text. ● There is no default user role. ● The default privilege levels are level 1 for netoperator, and level 15 for sysadmin, secadmin, and netadmin. Command Mode CONFIGURATION Usage Information By default, the password must be at least nine alphanumeric characters. Only the following special characters are supported: ! # % & ' ( ) ; < = > [ ] * + - . / : ^ _ Enter the password in clear text.
○ local—Use the local username, password, and role entries configured with the username password role command. ○ group radius—Configure RADIUS servers using the radius-server host command. ○ group tacacs+—Configure TACACS+ servers using the tacacs-server host command. Configure user role on server If a console user logs in with RADIUS or TACACS+ authentication, the role you configured for the user on the RADIUS or TACACS+ server applies.
Table 87. OS10 user roles and privilege levels User role Default privilege level sysadmin 15 secadmin 15 netadmin 15 netoperator 1 Use the VSA Dell-group-name values when you create users on a Radius or TACACS+ server. For more information about privilege levels, see Privilege levels. For detailed information about how to configure vendor-specific attributes on a RADIUS or TACACS+ server, see the respective RADIUS or TACACS+ server documentation.
Configure global settings for the timeout and retransmit attempts that are allowed on RADIUS servers. By default, OS10 supports three RADIUS authentication attempts and times out after five seconds. No source interface is configured. The default VRF instance is used to contact RADIUS servers. NOTE: You cannot configure both a nondefault VRF instance (including management VRF) and a source interface at the same time for RADIUS authentication.
View RADIUS server configuration
OS10# show running-configuration
...
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
...
Delete RADIUS server
OS10# no radius-server host 1.2.4.5
RADIUS over TLS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications.
AAA with TACACS+ authentication Configure a TACACS+ authentication server by entering the server IP address or host name. You must also enter a text string for the key used to authenticate the OS10 switch on a TACACS+ host. The Transmission Control Protocol (TCP) port entry is optional. TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication server. RADIUS encrypts only passwords.
Delete TACACS+ server
OS10# no tacacs-server host 1.2.4.5
TACACS as Primary Authentication
The AAA authentication configuration must be present as one of the authentication methods. The following error message is displayed when you attempt to configure AAA authentication without first configuring the local authentication method:
% Error: local authentication not configured
After upgrading to 10.5.
● All configuration commands entered from a non-console session with the sysadmin user role are authorized using the configured TACACS+ servers. OS10(config)# aaa authorization config-commands role sysadmin default group tacacs+ Remove AAA authorization methods OS10(config)# no aaa authorization commands role sysadmin console Enable AAA accounting To record information about all user-entered commands, use the AAA accounting feature — not supported for RADIUS accounting.
Default AAA accounting is disabled.
Command Mode CONFIGURATION
Usage Information You can enable the recording of accounting events in both the syslog and on TACACS+ servers. The no version of the command disables AAA accounting.
Example OS10(config)# aaa accounting commands all console start-stop logging group tacacs+
Supported Releases 10.4.1.0 or later
aaa authentication login
Configures the AAA authentication method for console, SSH, and Telnet logins.
● console — Configure authorization for console-entered commands. ● default — Configure authorization for non-console-entered commands and commands entered in non-console sessions, such as in SSH and VTY. ● local — Use the local username, password, and role entries configured with the username password role command for command authorization. ● group tacacs+ — Use the TACACS+ servers configured with the tacacs-server host command for command authorization.
tacacs-server host Configures a TACACS+ server and the key used to authenticate the switch on the server. Syntax tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Parameters ● hostname — Enter the host name of the TACACS+ server. ● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters. ● key 9 authentication-key — Enter an authentication key in encrypted format. A maximum of 128 characters. ● authentication-key — Enter an authentication in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
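The key types for radius-server host and tacacs-server host, the enable password encryption types, and the hashed form of user passwords shown in the running configuration can be checked mechanically before a configuration snippet is stored or shared. The following is an added example, not Dell EMC code: the function name, rule names, and the sample addresses and secrets are constructed for illustration, and the treatment of `$5$`/`$6$` strings as crypt-format hashes is an assumption based on the hashes this guide shows.

```python
import re

# Optional CLI prompt in front of a pasted command, e.g. "OS10(config)# ".
PROMPT_RE = re.compile(r"^OS10(?:\([^)]*\))?#\s*")
SERVER_RE = re.compile(r"^(?:radius|tacacs)-server host \S+")
# "key 0 <text>", "key 9 <text>", or a bare "key <text>".
KEY_RE = re.compile(r"\bkey (?:(0|9) )?(\S+)")
ENABLE_RE = re.compile(r"^enable password (0|sha-256|sha-512) (\S+)")
USER_RE = re.compile(r"^(?:username \S+|system-user linuxadmin) password (\S+)")
# Assumption: stored passwords appear as $5$ (SHA-256) or $6$ (SHA-512) crypt strings.
HASH_RE = re.compile(r"^\$[56]\$[^$\s]+\$\S+$")


def _redact(line, match, group):
    """Replace the secret so the report itself does not leak it."""
    return line[:match.start(group)] + "<redacted>" + line[match.end(group):]


def lint_secrets(config_text):
    """Return (line_no, rule, redacted_line) for every clear-text secret."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw.strip())
        if SERVER_RE.match(line):
            key = KEY_RE.search(line)
            # "key 0" and a bare key are plain text; only "key 9" is encrypted.
            if key and key.group(1) != "9":
                findings.append((no, "plaintext-server-key", _redact(line, key, 2)))
            continue
        enable = ENABLE_RE.match(line)
        if enable:
            if enable.group(1) == "0":
                findings.append(
                    (no, "plaintext-enable-password", _redact(line, enable, 2)))
            continue
        user = USER_RE.match(line)
        if user and not HASH_RE.match(user.group(1)):
            findings.append((no, "plaintext-user-password", _redact(line, user, 1)))
    return findings


# Lines 1, 5 and 7 come from this guide; the others are constructed samples.
SAMPLE = """\
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server host 192.0.2.20 key 0 Example-Radius-Key auth-port 1812
tacacs-server host 192.0.2.21 key Example-Tacacs-Key
enable password 0 Example-Enable-Pw priv-lvl 12
enable password sha-512 $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 priv-lvl 12
OS10(config)# username admin2 password 4newhire4 role sysadmin
system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ZLv9Sfv3ALtB61
"""

if __name__ == "__main__":
    for line_no, rule, text in lint_secrets(SAMPLE):
        print(f"line {line_no}: {rule}: {text}")
```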
Example OS10(config)# radius-server host 1.5.6.4 tls security-profile radiusadmin key radsec
Supported Releases 10.4.3.0 or later
radius-server retransmit
Configures the number of authentication attempts allowed on RADIUS servers.
Syntax radius-server retransmit retries
Parameters retries — Enter the number of retry attempts, from 0 to 10.
Default An OS10 switch retransmits a RADIUS authentication request three times.
The no version of this command removes the RADIUS server from the management VRF instance.
Example
OS10(config)# radius-server vrf management
OS10(config)# radius-server vrf blue
Supported Releases 10.4.0E(R1) or later
tacacs-server vrf
Creates an association between a TACACS server group and a VRF and source interface.
Syntax tacacs-server vrf {management | vrf-name}
Parameters
● management — Enter the keyword to associate TACACS servers to the management VRF instance.
ip tacacs source-interface Specifies the interface whose IP address is used as the source IP address for user authentication with a TACACS+ server. Syntax ip tacacs source-interface interface Parameters interface: ● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface. ● loopback number — Enter a Loopback interface, from 0 to 16383. ● mgmt 1/1/1 — Enter the management interface. ● port-channel channel-id — Enter a port-channel ID, from 1 to 28.
Secure Boot OS10 secure boot verifies the authenticity and integrity of the OS10 image. Secure boot protects a system from malicious code being loaded and executed during the boot process. Using secure boot, you can validate the OS10 image during installation and on demand at any time.
boot operation using the show secure-boot status and show secure boot file-integrity-status commands.
Validate the OS10 kernel, system binaries, and startup configuration file You can validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup and CLI execution using the secure-boot verify command in EXEC mode. OS10# secure-boot verify {kernel | file-system-integrity | startup-config} Validate and upgrade OS10 image You can validate and upgrade the OS10 installer image files with digital signatures using the image secure-install command in EXEC mode.
Version Number      : 3 (0x2)
Serial Number       : 17154672033164819608 (0xee11a353271dfc98)
Signature Algorithm : sha256WithRSAEncryption
Issuer              : C=IN, ST=Some-State, L=some-city, O=Internet Widgits Pty Ltd
Validity            : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 GMT
Revoke an installed key
If either the public key or private key used in CA certificates is compromised, revoke the key by using the revoke key command in EXEC mode.
OS10 system binary validation fails for both installed OS10 images If the system binary validation fails for one of the installed images, the system allows you to log into OS10 CLI EXEC mode. You cannot access CONFIGURATION mode. The following log message appears when you use the show logging log-file command: Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed. OS10 image needs to be reinstalled. To recover from this validation failure: 1. Boot into ONIE. 2.
Default Not configured
Command Mode EXEC
Usage Information Displays the current list of authorised users for bootloader protection, but hides their passwords for security reasons.
Example (Disabled)
OS10# show boot protect
Boot protection disabled
Example (Enabled)
OS10# show boot protect
Boot protection enabled
Authorized users: root linuxadmin admin
Supported Releases 10.4.3.0 or later
show secure-boot pki-certificates
Displays PKI certificates that are installed in the system.
● file-integrity-status—(Applicable only when you enable the secure boot feature) Displays file integrity status.
Standby Partition File-system integrity verified:success
Example 3 Startup config verification
OS10# secure-boot verify startup-config
Latest startup config protected: yes
Supported Releases 10.5.1.0 or later
secure-boot revoke key
Revokes an installed key.
Syntax secure-boot revoke key key-id
Parameters key-id—key number of the installed key that is compromised.
Default Disabled Security and Access Sysadmin Command Mode CONFIGURATION Usage Information If you enable secure boot, ensure that you manually protect the startup configuration file before you reload the switch. The protected version of the startup configuration file is applied during the boot up process. If a protected version of the startup configuration file is not available, the system applies the default configuration. The no version of this command removes the configuration.
Supported Releases 10.5.1.0 or later image secure-install Validates and installs the specified image. Syntax image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath publickey key-file} Parameters ● image-filepath—Enter the absolute path name of the OS10 image file. ● sha256 signature signature-filepath—Verify the SHA-256 cryptographic hash signature of the image file.
Security and Access Sysadmin
Command Mode EXEC
Usage Information This command uses the key-server name and key-id to install the key into the switch GPG key ring. Use this command before you use the image verify or image secure-install commands with the GPG option. If the key is not installed in the key ring, the image verify and image secure-install commands fail when used with the GPG key.
Example OS10# image gpg-key key-server pool.sks-keyservers.net key-id 47CB9029
Supported Releases 10.5.1.
NOTE: RSA1 and DSA keys are not supported on the OS10 SSH server. An SSH client must exchange the same public key to establish a secure SSH connection to the OS10 switch. If necessary, you can regenerate the keys used by the SSH server with a customized bit size. You cannot change the default size of the Ed25519 key. The crypto key generate command is available only to the sysadmin and secadmin roles. 1. Regenerate keys for the SSH server in EXEC mode.
● Configure the maximum number of concurrent login sessions in CONFIGURATION mode. OS10(config)# login concurrent-session limit number ○ limit number — Sets the maximum number of concurrent login sessions allowed for a user ID, from 1 to 12; default 10. When you configure the maximum number of allowed concurrent login sessions, take into account that: ● Each remote VTY connection counts as one login session. ● All login sessions from a terminal emulator on an attached console count as one session.
Initiate an SSH session with another switch
To initiate an SSH session to another switch:
1. Enter configuration mode.
OS10# configure terminal
2. Enable the SSH client CLI command.
OS10(config)# ip ssh client cli enable
By default, the SSH client CLI command is disabled and users cannot access the ssh command. Run this command to enable the SSH CLI. To disable the ssh command, run the no ip ssh client enable command.
3. Initiate an SSH session.
OS10# ssh 9.1.1.
Example OS10(config)# ip ssh server enable
Supported Releases 10.3.0E or later
ip ssh server challenge-response-authentication
Enables challenge response authentication in the SSH server.
Syntax ip ssh server challenge-response-authentication
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables the challenge response authentication.
Example OS10(config)# ip ssh server challenge-response-authentication
Supported Releases 10.3.
Supported Releases 10.3.0E or later
ip ssh server hostbased-authentication
Enables host-based authentication in an SSH server.
Syntax ip ssh server hostbased-authentication
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables the host-based authentication.
Example OS10(config)# ip ssh server hostbased-authentication
Supported Releases 10.3.
ip ssh server mac Configures the hash message authentication code (HMAC) algorithms used in the SSH server. Syntax ip ssh server mac hmac-algorithm Parameters hmac-algorithm — Enter the supported HMAC algorithms separated by a blank space. The SSH server supports these HMAC algorithms: ● hmac-md5 ● hmac-md5-96 ● hmac-ripemd160 ● hmac-sha1 ● hmac-sha1-96 ● hmac-sha2-256 ● hmac-sha2-512 ● umac-64@openssh.com ● umac-128@openssh.com ● hmac-md5-etm@openssh.com ● hmac-md5-96-etm@openssh.
Example OS10(config)# ip ssh server password-authentication
Supported Releases 10.3.0E or later
ip ssh server port
Configures the SSH server listening port.
Syntax ip ssh server port port-number
Parameters port-number — Enter the listening port number, from 1 to 65535.
Default 22
Command Mode CONFIGURATION
Usage Information The no version of this command removes the configuration.
Example OS10(config)# ip ssh server port 255
Supported Releases 10.3.
Supported Releases 10.4.0E(R1) or later
show ip ssh
Displays the SSH server information.
Syntax show ip ssh
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use this command to view information about the established SSH sessions.
Example
OS10# show ip ssh
SSH Server: Enabled
-------------------------------------------------
SSH Server Ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.
○ For Virtual-Network, enter virtual-network; for example, virtual-network20.
○ For a port-channel interface, enter port-channelchannel-id; for example, port-channel11.
● -c encryption-cypher - (Optional) Enter the supported encryption ciphers. You can specify multiple encryption ciphers. For example, ssh -c chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com 9.1.1.2.
etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
● -p - 22
● -b and -B - The default values depend on the source IP / Interface from the routing table for that specific destination.
Command Mode EXEC
Usage Information SSH is a command for logging into a remote machine and for executing commands on a remote machine. This provides a secure encrypted communication between two un-trusted hosts over an insecure network.
-B [Source Interface] Source Interface of the connection
-c [Encryption Cipher] Encryption cipher to use
-l [Username] User name option
-m [HMAC Algorithm] HMAC algorithm to use
-p [Port Number] SSH server port option (default 22)
Hostname IP address or hostname of a remote system
S4000-6216#
Supported Releases 10.5.2.1 or later
show crypto ssh-key
Displays the current host public keys used in SSH authentication.
Remote client system stores the public key of a user in the ~/.ssh/id_rsa.pub file. Use public key as the sshkey-string parameter.
sysadmin username user10 sshkey filename /test_file.txt Supported Releases 10.4.1.0 or later crypto ssh-key generate Regenerates the public keys used in SSH authentication. Syntax crypto ssh-key generate {rsa bits | ecdsa bits | ed25519} Parameters ● rsa bits — Regenerates the RSA key with the specified bit size: 2048, 3072, or 4096; default 2048. ● ecdsa bits — Regenerates the ECDSA key with the specified bit size: 256, 384, or 521; default 256.
line vty
Enters virtual terminal line mode to access the virtual terminal (VTY).
Syntax line vty
Parameters None
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# line vty
OS10(config-line-vty)#
Supported Releases 10.4.0E(R1) or later
ipv6 access-class
Filters connections in a virtual terminal line using an IPv6 access list.
Syntax ipv6 access-class access-list-name
Parameters access-list-name — Enter the access list name.
Switch management statistics OS10 monitors user and system activities and provides output-related user login statistics. Enable login statistics To monitor system security, allow users to view their own login statistics when they sign in to the system. A large number of login failures or an unusual login location may indicate a system hacker.
Clear audit log
● Clear all events in the audit log in CONFIGURATION mode.
clear logging audit
Example
OS10(config)# logging audit enable
OS10(config)# exit
OS10# show logging audit 4
<14>1 2019-02-14T13:15:06.283337+00:00 OS10 audispd - - - Node.1-Unit.1:PRI [audit], Dell EMC (OS10) node=OS10 type=USER_END msg=audit(1550150106.277:597): pid=7908 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="admin" exe="/bin/su" hostname=? addr=? terminal=??? res=success'
<110>1 2019-02-14T13:15:16.
● all — Displays login statistics for all system users. Default Not configured Command Mode EXEC Usage Information Only the sysadmin and secadmin roles can access this command. The show output displays login information for system users, including the number of successful and failed logins, role changes, and the last time a user logged in.
● number — Display the specified number of audit log entries, from 1 to 65535.
Default Display 24 entries starting with the oldest events.
Command Mode EXEC
Usage Information Only the sysadmin and secadmin roles can display the audit log. Enter reverse to display entries starting with the most recent events. You can change the number of entries displayed. Audit log records do not display on the console as they occur. They are saved in the audit log and forwarded to any configured Syslog servers.
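Because audit records are forwarded to Syslog servers, the login-failure and unusual-location checks that the login statistics section describes can also run on the collector. The following is an added example, not part of the guide or OS10: it parses the record format shown in the show logging audit output and summarizes authentication results. The USER_AUTH and USER_LOGIN record types and the res=failed value are standard Linux audit conventions that are assumed to appear in OS10 records, and every line other than PAGE_LINE is constructed sample data.

```python
import re
from collections import Counter

# Syslog header, then the Linux audit record that the OS10 audit log embeds.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) .*?"
    r"type=(?P<type>\w+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return header fields plus a dict of key=value pairs, or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    # Outer fields (pid=, uid=, ...) precede the quoted msg='...' payload.
    outer, sep, inner = body.partition("msg='")
    fields = dict(KV_RE.findall(outer))
    if sep:
        fields.update(KV_RE.findall(inner.rstrip("'")))
    rec["fields"] = {k: v.strip('"') for k, v in fields.items()}
    return rec


def review_logins(lines, known_addrs, threshold=3):
    """Return ({(acct, addr): failures >= threshold}, [logins from unknown addrs])."""
    failures = Counter()
    unusual = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        acct, addr = f.get("acct", "?"), f.get("addr", "?")
        if rec["type"] == "USER_AUTH" and f.get("res") == "failed":
            failures[(acct, addr)] += 1
        elif (rec["type"] == "USER_LOGIN" and f.get("res") == "success"
              and addr != "?" and addr not in known_addrs):
            unusual.append((rec["ts"], acct, addr))
    noisy = {k: n for k, n in failures.items() if n >= threshold}
    return noisy, unusual


# Record taken from the show logging audit example in this guide.
PAGE_LINE = (
    "<14>1 2019-02-14T13:15:06.283337+00:00 OS10 audispd - - - "
    "Node.1-Unit.1:PRI [audit], Dell EMC (OS10) node=OS10 type=USER_END "
    "msg=audit(1550150106.277:597): pid=7908 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=PAM:session_close acct=\"admin\" exe=\"/bin/su\" "
    "hostname=? addr=? terminal=??? res=success'"
)


def _constructed(ts, rtype, serial, op, addr, res):
    """Build a constructed sample record in the same layout as PAGE_LINE."""
    return (
        f"<14>1 2019-02-14T{ts}+00:00 OS10 audispd - - - Node.1-Unit.1:PRI "
        f"[audit], Dell EMC (OS10) node=OS10 type={rtype} "
        f"msg=audit(1550150400.000:{serial}): pid=8001 uid=0 auid=4294967295 "
        f"ses=4294967295 msg='op={op} acct=\"admin\" exe=\"/usr/sbin/sshd\" "
        f"hostname={addr} addr={addr} terminal=ssh res={res}'"
    )


SAMPLE = [
    PAGE_LINE,
    _constructed("13:20:01.000000", "USER_AUTH", 610, "PAM:authentication", "192.0.2.10", "failed"),
    _constructed("13:20:05.000000", "USER_AUTH", 611, "PAM:authentication", "192.0.2.10", "failed"),
    _constructed("13:20:09.000000", "USER_AUTH", 612, "PAM:authentication", "192.0.2.10", "failed"),
    _constructed("13:21:00.000000", "USER_LOGIN", 620, "login", "198.51.100.7", "success"),
    _constructed("13:22:00.000000", "USER_LOGIN", 621, "login", "10.0.0.5", "success"),
]

if __name__ == "__main__":
    noisy, unusual = review_logins(SAMPLE, known_addrs={"10.0.0.5"})
    print("repeated failures:", noisy)
    print("logins from unknown addresses:", unusual)
```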
The information in the certificate allows both devices to prove ownership and the validity of a public key. Assuming the CA is trusted, the switch and authentication server validate each other's identity and set up a secure, encrypted communications channel.
To set up a PKI using X.509v3 certificates, Dell EMC Networking recommends: 1. Configure a root CA that generates a private key and a self-signed CA certificate. 2. Configure one or more intermediate CAs that generate a private key and a certificate signing request (CSR), and send the CSR to the root CA. ● Using its private key, the root CA signs an intermediate CA’s CSR and generates a CA certificate for the intermediate CA. ● The intermediate CA downloads and installs the CA certificate.
Display CA server certificate
OS10# show crypto ca-certs
--------------------------------------
| Locally installed certificates |
--------------------------------------
Dell_rootCA1.crt
OS10# show crypto ca-certs Dell_rootCA1.
2. Install CRLs that have been downloaded from CDPs in EXEC mode. crypto crl install crl-path [crl-filename] Display a list of the CRLs installed on the switch in EXEC mode. show crypto crl [crl-filename] To delete a manually installed CRL that was configured with the crypto crl install command, use the crypto crl delete [crl-filename] command. To enable CRL checking on the switch, see Security profiles. Example: Configure CDP OS10# crypto cdp add cert1_cdp http://crl.chambersign.org/chambersignroot.
● Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the private option to store the key file in a private hidden location in the internal file system that is not visible to users.
○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name. ○ password passphrase specifies the password used to decrypt the private key if it was generated using a password. ○ fips installs the certificate-key pair as FIPS-compliant.
Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1 Validity Not Before: Jul 25 19:11:19 2018 GMT Not After : Jul 22 19:11:19 2028 GMT Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e7:81:4b:4a:12:8d:ce:88:e6:73:3f:da:19
● Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
Certificate and keys were successfully installed as "DellHost.pem" that may be used in a security profile. CN = DellHost.
Display self-signed certificate
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
DellHost.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# show crypto cert DellHost.
1. Create an application-specific security profile in CONFIGURATION mode. crypto security-profile profile-name 2. Assign a certificate and private key pair to the security profile in SECURITY-PROFILE mode. For certificate-name, enter the name of the certificate-key pair as it appears in the show crypto certs output without the .pem extension. certificate certificate-name exit 3. (Optional) Enable CRL checking for certificates received from external devices in SECURITY-PROFILE mode.
Replace the default certificate-key pair used for cluster applications: ● In a deployment where untrusted devices access management or data ports on an OS10 switch. ● Before the default X.509v3 certificate expires on July 27, 2021. If the default certificate-key pair expires, the VLT domain on peer switches does not come up. NOTE: The expiration date for the default certificate-key pair that is installed by OS10 on a switch running the 10.5.0.0 release is July 27, 2021.
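An expired certificate-key pair stops the VLT domain from coming up, so the validity dates are worth checking ahead of time. The following is an added example, not part of the guide or OS10: it reads the Validity block from saved show crypto cert output and classifies the certificate against a warning window. The function names and the 90-day default are assumptions, the line layout of PAGE_OUTPUT is reconstructed from the sample output in this guide, and DEFAULT_CERT is constructed around the July 27, 2021 date with an assumed time of day and start date.

```python
import re
from datetime import datetime, timedelta, timezone

DATE = r"(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
NOT_BEFORE_RE = re.compile(r"Not Before\s*:\s*" + DATE)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*" + DATE)
# "Subject:" (with the colon) excludes the "Subject Public Key Info:" line.
SUBJECT_CN_RE = re.compile(r"Subject:.*?CN\s*=\s*([^,\s]+)")


def _parse_date(text):
    """Parse an OpenSSL-style date such as 'Jul 22 19:11:19 2028' as UTC."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def cert_validity(show_output):
    """Return (subject CN or None, not_before, not_after) from the text."""
    nb = NOT_BEFORE_RE.search(show_output)
    na = NOT_AFTER_RE.search(show_output)
    if not (nb and na):
        raise ValueError("no Validity block found in output")
    cn = SUBJECT_CN_RE.search(show_output)
    return (cn.group(1) if cn else None,
            _parse_date(nb.group(1)), _parse_date(na.group(1)))


def expiry_status(show_output, now, warn_days=90):
    """Classify a certificate as not-yet-valid, expired, expiring, or ok."""
    cn, not_before, not_after = cert_validity(show_output)
    if now < not_before:
        state = "not-yet-valid"
    elif now >= not_after:
        state = "expired"
    elif not_after - now <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    return {"cn": cn, "state": state, "days_left": (not_after - now).days}


# Host certificate fields from the show crypto cert example in this guide.
PAGE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
        Validity
            Not Before: Jul 25 19:11:19 2018 GMT
            Not After : Jul 22 19:11:19 2028 GMT
        Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
"""

# Constructed sample: only the Jul 27 2021 expiry date comes from the guide.
DEFAULT_CERT = """\
        Validity
            Not Before: Jan  1 00:00:00 2019 GMT
            Not After : Jul 27 00:00:00 2021 GMT
        Subject: CN = constructed-default-cert
"""

if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for text in (PAGE_OUTPUT, DEFAULT_CERT):
        print(expiry_status(text, today))
```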
OS10(config)# crypto security-profile secure-cluster OS10(config-sec-profile)# certificate s4048-001 OS10(config-sec-profile)# exit 4. Configure the cluster security profile. OS10(config)# cluster security-profile secure-cluster OS10(config)# exit SSH Smart Card Authentication OS10 allows you to use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards for authenticating users when connecting with Secure Shell (SSH). CAC and PIV smart cards contain Public Key Infrastructure (PKI) X.
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If any of the fields are invalid, the authentication fails. 8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not revoked. Verification is done by checking either the appropriate CRL or by sending an OCSP request to the appropriate OCSP responder. 9.
● Enable RADIUS or TACACS+ authentication. radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] aaa authentication login default group radius local ● Enable X.509v3 authentication in the SSH server. ip ssh server x509v3-authentication security-profile profile-name ● If all SSH login attempts require an X.509v3 certificate, disable the plain password authentication and SSH public key authentication in the SSH server.
Security profile settings used by X.509v3 authentication When you log in with an X.509v3 certificate, OS10 validates the certificate before granting access. The options to control the applied validation are determined by the specific security profile that you configured for X.509v3 SSH authentication. The following table describes each of the available security profile options, and how they are applied to X.509v3 SSH authentication. Table 88. Security profile settings used by X.
2. Generate a CSR, copy the CSR to a CA server, download the signed certificate, and install the host certificate. OS10# crypto cert generate request cert-file home://s4048-001-csr.pem key-file home://tsr6-key.pem cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "santa Clara" state California country US length 1024 Processing certificate ... Successfully created CSR file /home/admin/tor6-csr.
When you install a certificate-key pair, both take the name of the certificate. Enter the certificate-key pair name without an extension as the certificate-name value. To remove a certificate-key pair from the profile, enter the no certificate command.
Example
OS10# crypto security-profile secure-radius-profile
OS10(config-sec-profile)# certificate Dell_host1
Supported releases 10.4.3.0 or later
cluster security-profile
Creates a security profile for a cluster application.
crypto ca-cert install
Installs a certificate from a Certificate Authority that is copied to the switch.
Syntax crypto ca-cert install ca-cert-filepath [filename]
Parameters
● ca-cert-filepath — Enter the local path where the downloaded CA certificate is stored; for example, home://CAcert.pem or usb://CA-cert.pem.
● filename — (Optional) Enter the filename that the CA certificate is stored under in the OS10 trust store directory. Enter the filename in the filename.crt format.
Example OS10# crypto cdp delete Comsign
Supported Releases 10.5.0 or later
crypto cert delete
Deletes an installed host certificate and the private key created with it.
Syntax crypto cert delete filename [fips]
Parameters
● filename — Enter the file name of the host certificate as displayed in the show crypto cert command.
● fips — (Optional) Delete a FIPS-compliant certificate-key pair. To verify whether a certificate is non-FIPS or FIPS-compliant, use the show crypto cert command.
● orgunit unit-name — Enter name of the unit. ● cname common-name — Enter the common name assigned to the certificate. Common name is the main identity presented to connecting devices. By default, the switch’s host name is the common name. You can configure a different common name for the switch; for example, an IP address. If the common-name value does not match the device’s presented identity, a signed certificate does not validate.
Supported releases 10.4.3.0 or later crypto cert install Installs a host certificate and private key on the switch. A host certificate may be trusted from a CA or self-signed. Syntax crypto cert install cert-file cert-path key-file {key-path | private} [password passphrase] [fips] Parameters ● cert-file cert-path — Enter the local path to where the downloaded certificate is stored. You can enter a full path or a relative path; for example, home://s4048-001-cert.pem or usb:// s4048-001-cert.
Usage Information The crypto crl delete command deletes only manually installed CRLs. Before you delete a CRL, use the show crypto crl command to display a list of all CRLs installed on the switch.
Example
OS10# crypto crl delete COMODO_Certification_Authority.0.crl.pem
Supported Releases 10.5.0 or later
crypto crl install Installs the Certificate Revocation List files that you copied to the switch.
If you enable FIPS using the crypto fips enable command, RADIUS over TLS operates in FIPS mode. In FIPS mode, RADIUS over TLS requires that a FIPS-compliant certificate and key pair are installed on the switch.
Example
OS10# crypto fips enable
Supported releases 10.4.3.0 or later
crypto security-profile Creates an application-specific security profile. Syntax crypto security-profile profile-name Parameters profile-name — Enter the name of the security profile; a maximum of 32 characters.
Default Not configured Command mode SEC-PROFILE Usage information Use the revocation-check command to enable the verification of certificates presented by external devices for a PKI-enabled application on the switch. Use the show crypto crl command to display the CRLs installed on the switch and used to ensure the validity and trustworthiness of certificates from external devices. The no version of the command disables CRL checking in a security profile.
Usage information To delete a certificate, use the crypto cert delete filename command.
Example
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
Dell_host1_CA1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# show crypto cert Dell_host1_CA1.
show crypto crl Displays the list of installed Certificate Revocation List files. Syntax show crypto crl [crl-filename] Parameters ● crl-filename — (Optional) Enter a CRL filename with the .pem extension. Default Not configured Command Mode EXEC Usage Information Use the show crypto crl command to verify the CRLs installed on the switch. In the show output: ● Manually installed CRLs are installed using the crypto crl install command.
ip ssh server x509v3-authentication security-profile Enables RFC 6187 X.509v3 authentication in a SSH server. Syntax ip ssh server x509v3-authentication security-profile profile-name [password-less] Parameters profile-name — Enter the name of the security profile; a maximum of 32 characters. password-less - Use X.509v3 authentication for password-less authentication.
Network security OS10 switch has security features to restrict network traffic, protect the network from attacks, and prevent unauthorized access to the network. Access control lists Access control lists (ACLs) restrict network traffic using policies and improve network performance. For more information about ACL, see Access control lists. DHCP snooping DHCP snooping protects your network from attacks by monitoring the DHCP messages and blocking untrusted or rogue DHCP servers.
When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not greater than the MAC address learning limit that you configure. If the number of dynamically-learned MAC addresses is greater than your MAC address limit, the system flushes all dynamically-learned MAC addresses. You can configure an interface to learn a maximum of 3072 MAC addresses.
1. Enter the following command in CONFIGURATION mode: switchport port-security NOTE: By default, port security is enabled globally. To disable the port security feature on the system, use the no switchport port-security command in CONFIGURATION mode. Enable port security on an interface To enable port security on an interface: 1. Enter the following command in INTERFACE mode: switchport port-security 2.
MAC address learning limit violation actions configuration example OS10# configure terminal OS10(config)#interface ethernet 1/1/1 OS10(config-if-eth1/1/1)#switchport port-security OS10(config-if-port-sec)#no disable OS10(config-if-port-sec)#mac-learn limit 100 OS10(config-if-port-sec)#mac-learn limit violation shutdown Configure sticky MAC addresses To enable sticky MAC address learning on an interface: Enter the following command in INTERFACE PORT SECURITY mode: sticky NOTE: Before enabling sticky MAC addr
Recover an error-disabled interface 1. Shut down the interface in INTERFACE mode. shutdown 2. Bring the interface up in INTERFACE mode.
Remove statically-configured secure MAC addresses configuration example OS10# clear mac address-table secure sticky vlan 1 OS10#clear mac address-table secure sticky interface port-channel 128 OS10#clear mac address-table secure sticky address 00:00:00:00:00:01 vlan 100 View statically-configured secure MAC addresses To view the statically-configured secure MAC addresses, use the following command in EXEC mode: show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet no
Mac learn limit                    :100
Mac-learn limit-Violation action   :Shutdown
Sticky                             :Disabled
Mac-move-allow                     :Not Allowed
mac-move-violation action          :shutdown-both
Aging                              :Enabled
Total MAC Addresses                :10
Secure static MAC Addresses        :0
Sticky MAC Addresses               :10
Secure Dynamic MAC addresses       :0
Interface name : eth1/1/10
Port Security Port Status Mac learn limit Mac-learn-limit-Violation action Sticky Mac-move-allow mac-move-violation action Aging Total MAC Addresses Secure static MAC Addresses Sticky MAC Addresses Secure
Error-Disable Reason     Recovery Status
----------------------------------------
bpduguard                Enabled
MLL violation            Enabled
MAC-move-violation       Enabled

Interface          Errdisable Cause                       Recovery Time Left (seconds)
----------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                              30
ethernet1/1/1:2    bpduguard                              1
ethernet1/1/10     bpduguard/mac-learn limit/mac-move     10
port-channel100    Mac-learn limit                        50
port-channel128    mac-move                               49
Related Videos Port security on SmartFabric OS10 Port security comma
errdisable recovery cause Brings up an error-disabled interface automatically after the recovery timer expires. Syntax errdisable recovery cause {mac-learn-limit-violation | mac-move-violation} Parameters ● mac-learn-limit-violation — Brings up an error disabled interface that exceeded the maximum number of MAC addresses that it can learn. ● mac-move-violation — Brings up an error disabled interface that was brought down due to station move violation.
Usage Information After you enable port security on an interface, by default, the interface learns a maximum of one MAC address. Use the mac-learn limit command to configure the number of MAC addresses an interface can learn. If the system contains more static MAC addresses than the MAC address learn limit, the system displays an error message. You can delete a few static MAC addresses or increase the number of MAC addresses the port can learn.
The no version of this command disables MAC address movement.
Example
OS10(config-if-port-sec)# mac-move allow
Supported Releases 10.5.1.0 or later
mac-move violation Configures station move violation actions. Syntax mac-move violation {drop | log | shutdown-both | shutdown-offending | shutdown-original} Parameters ● drop — Drops the received packet when an interface detects the same MAC address that the system has already learned on a different interface.
The no version of this command resets the value to the default.
Example (VLAN)
OS10(config)# mac address-table static 34:17:eb:f2:ab:c6 vlan 1 interface ethernet 1/1/30
Example (PortChannel)
OS10(config)# mac address-table static 34:17:eb:02:8c:33 vlan 10 interface port-channel 1
Supported Releases 10.2.0E or later
show switchport port-security Displays port security information of interfaces.
Sticky MAC Addresses               :0
Secure Dynamic MAC addresses       :11
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status :Enable
Interface name : ethernet1/1/1
Port Security                      :Enabled
Port Status                        :Error-Disable
Mac-learn-limit                    :1024
MaC-learn-limit-Violation Action   :Shutdown
Sticky                             :Enabled
Mac-move-allow                     :Not Allowed
Mac-move-violation                 :shutdown-both
Aging                              :Disbaled
Total MAC Addresses                :10
Secure static MAC Addresses        :0
Sticky MAC Addresses               :10
Secure Dynamic MAC addresses       :0
Supported Releases 10.5.1.0 or later switchport port-security (global) Enables the port security feature on the system globally. Syntax switchport port-security Parameters None Default Port security is enabled globally. Command Mode ● CONFIGURATION Usage Information After you enable the port security feature on the system globally, enable port security on the required interfaces using this command in INTERFACE CONFIGURATION mode.
Example
OS10(config-if-port-sec)# aging on
Supported Releases 10.5.1.0 or later
show mac address-table secure Displays information about the secure MAC addresses in the MAC address table. Syntax show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | address mac-address} Parameters
● dynamic — Displays secure dynamic MAC address table entries.
● static — Displays secure static MAC address table entries.
Usage Information Example The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put in to error disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all reasons.
Supported Releases 10.1.
19 OpenFlow
Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
The ONOS controller does not encode the DSCP flow entry values that are matched according to the Openflow 1.0 specification. Hence when you install a flow entry in OpenFlow 1.0, that matches the IP DSCP, the ONOS controller sets an incorrect flow-entry encoding value for IP DSCP. OpenFlow logical switch instance In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default.
Flow table An OpenFlow flow table consists of flow entries. Each flow table entry contains the following fields: Table 90. Supported fields Fields Support match_fields Supported priority Supported counters Supported instructions Supported timeouts Supported cookie Not supported Group table Not supported Meter table Not supported Instructions Each flow entry contains a set of instructions that execute when a packet matches the entry. Table 91.
Table 92. Supported action sets (continued) Action set Support decrement TTL Not supported set Supported (selective fields) qos Not supported group Not supported output Supported Action types An action type associates with each packet. Table 93.
Table 94.
Table 94. Supported counters (continued) Required/Optional Counter Bits Support Optional In-band packet count 64 Not supported Optional In-band byte count 64 Not supported Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● In the show interface vlan command output, the VLAN octet counters are not displayed accurately. ● If a packet hits two ACL tables, the counter with higher priority statistics gets incremented and the other actions are merged and applied.
Connection setup TCP Table 98. Supported modes Modes Supported/Not supported Connection interruption ● fail-secure-mode—Supported ● fail-standalone-mode—Not supported TLS encryption Supported Multiple controller Not supported Auxiliary connections Not supported Number of logical switches One Supported controllers REST APIs on ● RYU ● ONOS Flow table modification messages Table 99.
Table 100.
Table 101.
Table 101. Supported fields (continued) Flow match fields Supported/Not supported OFPXMT_OFB_TUNNEL_ID = 38 Not supported OFPXMT_OFB_IPV6_EXTHDR = 39 Not supported Action structures Table 102.
Table 103. Supported capabilities (continued) Capabilities Supported/Not supported OFPC_IP_REASM = 1 << 5 Not supported OFPC_QUEUE_STATS = 1 << 6 Not supported OFPC_PORT_BLOCKED = 1 << 8 Not supported Multipart message types Table 104.
Table 106. Supported properties (continued) Property type Supported/Not supported OFPTFPT_WRITE_ACTIONS_MISS = 5 Not supported OFPTFPT_APPLY_ACTIONS = 6 Supported OFPTFPT_APPLY_ACTIONS_MISS = 7 Not supported OFPTFPT_MATCH = 8 Supported OFPTFPT_WILDCARDS = 10 Supported OFPTFPT_WRITE_SETFIELD = 12 Supported OFPTFPT_WRITE_SETFIELD_MISS = 13 Not supported OFPTFPT_APPLY_SETFIELD = 14 Supported OFPTFPT_APPLY_SETFIELD_MISS = 15 Not supported Group configuration Table 107.
Flow-removed reasons Table 110. Supported reasons Flow-removed reasons Supported/Not supported OFPRR_IDLE_TIMEOUT = 0 Supported OFPRR_HARD_TIMEOUT = 1 Supported OFPRR_DELETE = 2 Supported OFPRR_GROUP_DELETE = 3 Not supported Error types from switch to controller Table 111.
Consider the case of dynamic learning of flows for bidirectional traffic. Flows are learnt as and when a packet arrives. With dynamic learning in an OpenFlow network, the OpenFlow switch receives a packet that does not match the flow table entries and sends the packet to the SDN controller to process it. The controller identifies the path the packet has to traverse and updates the flow table with a new entry. The controller also decides the caching time of the flow table entries.
iii. Configure the logical switch instance, of-switch-1. OS10# configure terminal OS10 (config)# openflow OS10 (config-openflow)# switch of-switch-1 4. Configure one or more OpenFlow controllers with either IPv4 or IPv6 addresses to establish a connection with the logical switch instance. You can configure up to eight OpenFlow controllers.
OpenFlow commands controller Configures an OpenFlow controller that the logical switch instance connects to. Syntax controller {ipv4 ipv4-address | ipv6 ipv6-address} [port port-number] [security {none|tls}] Parameters ● ipv4 ipv4-address—Enter ipv4, then the IP address of the controller. ● ipv6 ipv6-address—Enter ipv6, then the IPv6 address of the controller. ● port port-number—Enter the keyword, then the port number, from 1 to 65,535. The default port is 6653.
OS10 (config-openflow-switch)# controller ipv4 10.1.23.12 port 6633
OS10 (config-openflow-switch)# controller ipv4 10.1.99.121 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::1 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::12 port 6633
Supported Releases 10.4.1.0 or later
dpid-mac-address Specifies the MAC address bits of the datapath ID (DPID) of the logical switch instance.
OS10 (config-openflow)# in-band-mgmt interface ethernet 1/1/1 OS10 (config-openflow)# no shutdown Supported Releases 10.4.1.0 or later max-backoff Configures the time interval, in seconds, that the logical switch instance waits after requesting a connection with the OpenFlow controller. Syntax max-backoff interval Parameters interval—Enter the amount of time, in seconds, that the logical switch instance waits after it attempts to establish a connection with the OpenFlow controller, from 1 to 65,535.
openflow Enters OPENFLOW configuration mode. Syntax openflow Parameters None Default None Command Mode CONFIGURATION Usage Information All OpenFlow configurations are performed in this mode. The no form of this command prompts a switch reload. If you enter yes, the system deletes all OpenFlow configurations and the switch returns to the normal mode after the reload. Example OS10# configure terminal OS10(config)# openflow OS10 (config-openflow)# Supported Releases 10.4.1.
Usage Information NOTE: Run this command only when the logical switch instance is disabled. Use the shutdown command to disable the logical switch instance. After you run this command, enter the no shutdown command to enable the logical switch instance again. ● When you specify negotiate, the switch negotiates versions 1.0 and 1.3 and selects the highest of the versions supported by the controller. The negotiation is based on the hello handshake described in the OpenFlow Specification 1.3.
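The hello-based version selection described above can be traced with the following added example, which is not OS10 code. It parses an OFPT_HELLO message, including the optional version-bitmap element, and applies the selection rule from the OpenFlow specification; the function names and the sample messages are constructed for illustration, and the set {1.0, 1.3} stands for a switch configured with negotiate.

```python
import struct

OFPT_HELLO = 0
OFPHET_VERSIONBITMAP = 1
OF10, OF13 = 0x01, 0x04          # wire version numbers for OpenFlow 1.0 and 1.3


def build_hello(versions, xid=1, with_bitmap=True):
    """Build a hello; the header carries the highest version the sender supports."""
    body = b""
    if with_bitmap:
        bitmap = 0
        for v in versions:
            bitmap |= 1 << v
        # Element: type(2) length(2) bitmap(4); 8 bytes, so no padding is needed.
        body = struct.pack("!HHI", OFPHET_VERSIONBITMAP, 8, bitmap)
    return struct.pack("!BBHI", max(versions), OFPT_HELLO, 8 + len(body), xid) + body


def parse_hello(data):
    """Return (header_version, set_of_versions or None) from an untrusted hello."""
    if len(data) < 8:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, _xid = struct.unpack_from("!BBHI", data)
    if msg_type != OFPT_HELLO:
        raise ValueError("not an OFPT_HELLO message")
    if length < 8 or length > len(data):
        raise ValueError("header length field does not fit the received data")
    versions = None
    offset = 8
    while offset < length:
        if offset + 4 > length:
            raise ValueError("truncated hello element header")
        etype, elen = struct.unpack_from("!HH", data, offset)
        if elen < 4 or offset + elen > length:
            raise ValueError("hello element length out of bounds")
        if etype == OFPHET_VERSIONBITMAP:
            if (elen - 4) % 4:
                raise ValueError("version bitmap is not a whole number of words")
            versions = set() if versions is None else versions
            for i in range((elen - 4) // 4):
                (word,) = struct.unpack_from("!I", data, offset + 4 + 4 * i)
                versions |= {32 * i + b for b in range(32) if (word >> b) & 1}
        offset += (elen + 7) // 8 * 8      # elements are padded to 8 bytes
    return version, versions


def negotiate(local_versions, peer_hello):
    """Return the negotiated wire version, or None if the handshake must fail."""
    local = set(local_versions)
    peer_header, peer_bitmap = parse_hello(peer_hello)
    if peer_bitmap:
        common = local & peer_bitmap
        if common:
            return max(common)             # highest version set in both bitmaps
    # No usable bitmap: fall back to the smaller of the two header versions.
    chosen = min(max(local), peer_header)
    return chosen if chosen in local else None


if __name__ == "__main__":
    switch = {OF10, OF13}
    for label, hello in [
        ("controller offering 1.0 and 1.3", build_hello({OF10, OF13})),
        ("controller sending a bare 1.0 hello", build_hello({OF10}, with_bitmap=False)),
        ("controller sending a bare 1.2 hello", build_hello({0x03}, with_bitmap=False)),
    ]:
        print(label, "->", negotiate(switch, hello))
```

A result of None corresponds to the case where the specification requires the receiver to answer with a hello-failed error and close the connection.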
Supported Releases 10.4.1.0 or later show openflow Displays general OpenFlow switch and the logical switch instance information. Syntax show openflow Parameters None Default None Command Mode EXEC Usage Information None Example OS10# show openflow Manufacturer : DELL Hardware Description : Software Description : Dell Networking OS10-Premium, Dell Networking Application Software Version: 10.4.
Total flows: 1 Flow: 0 Table ID: 0, Table: Ingress ACL TCAM table Flow ID: 0 Priority: 32768, Cookie: 0 Hard Timeout: 0, Idle Timeout: 0 Packets: 0, Bytes: 0 Match Parameters: In Port: ethernet1/1/1 EType: 0x800 SMAC: 00:0b:c4:a8:22:b0/ff:ff:ff:ff:ff:ff DMAC: 00:0b:c4:a8:22:b1/ff:ff:ff:ff:ff:ff VLAN id: 2/4095 VLAN PCP: 1 IP DSCP: 4 IP ECN: 1 IP Proto: 1 Src Ip: 10.0.0.1/255.255.255.255 Dst Ip: 20.0.0.1/255.255.255.
ethernet1/1/5:4 NO FIBER ethernet1/1/6 NO NONE ethernet1/1/7 NO NONE ethernet1/1/8 YES COPPER ethernet1/1/9 NO NONE ethernet1/1/10 NO NONE ethernet1/1/11 YES COPPER ethernet1/1/12 YES COPPER ethernet1/1/13 NO NONE ethernet1/1/14 NO NONE ethernet1/1/15 NO NONE ethernet1/1/16 NO NONE ethernet1/1/17 NO NONE ethernet1/1/18 NO NONE ethernet1/1/19 NO NONE ethernet1/1/20 NO NONE ethernet1/1/21 NO NONE ethernet1/1/22 NO NONE ethernet1/1/23 NO NONE ethernet1/1/24 NO NONE ethernet1/1/25 NO COPPER ethernet1/1/26 NO CO
Command Mode EXEC Usage Information None Example OS10# show openflow switch Logical switch name: of-switch-1 Internal switch instance ID: 0 Config state: true Signal Version: negotiate Data plane: secure Max backoff (sec): 8 Probe Interval (sec): 5 DPID: 90:b1:1c:f4:a5:23 Switch Name : of-switch-1 Number of buffers: 0 Number of tables: 1 Table ID: 0 Table name: Ingress ACL TCAM table Max entries: 1000 Active entries: 0 Lookup count: 0 Matched count: 0 Controllers: 10.16.208.
Supported Releases 10.4.1.0 or later switch Creates a logical switch instance or modifies an existing logical switch instance. Syntax switch logical-switch-name Parameters logical-switch-name—Enter the name of the logical switch instance that you want to create or modify, a maximum of 15 characters. OS10 supports only one instance of the logical switch. Default None Command Mode OPENFLOW CONFIGURATION Usage Information You must configure a controller for the logical switch instance.
Table 112.
Table 112. Modes and CLI commands (continued) Mode Available CLI commands ● debug tacacs+ LAG INTERFACE CONFIGURATION LAG is not supported. LOOPBACK INTERFACE CONFIGURATION Loopback interface is not supported. INTERFACE CONFIGURATION description end exit ip mtu negotiation ntp show shutdown VLAN INTERFACE CONFIGURATION VLAN is not supported.
20 Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map. ACLs ACLs are a filter containing criterion to match; for example, examine internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets, and an action to take such as forwarding or dropping packets at the NPU.
To permit these packets, you must configure an explicit permit statement for the specific hosts or subnetworks with the deny rule having a lower priority to drop the rest of the packets. The deny ip any any and deny ipv6 any any rules are implicit. You do not have to configure them explicitly. MAC ACLs MAC ACLs filter traffic on the header of a packet.
Control-plane ACL qualifiers This section lists the supported control-plane ACL rule qualifiers. NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
Deny second and subsequent fragments OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32 Permit all packets on interface OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32 OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments L3 ACL rules Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied.
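The two orderings of access list ABC shown above behave differently because rules are evaluated first-match with an implicit deny at the end. The following added example, which is not OS10 code, models that evaluation and flags rules that an earlier rule makes unreachable. The sequence numbers 10 and 20 and the sample packets are constructed, and it assumes that a rule with the fragments keyword matches only non-initial fragments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int                  # sequence number; lower numbers are checked first
    action: str               # "permit" or "deny"
    dst: str                  # destination prefix, e.g. "10.1.1.1/32"
    fragments: bool = False   # models the `fragments` keyword


@dataclass(frozen=True)
class Packet:
    dst: str
    frag_offset: int = 0      # 0 = unfragmented packet or first fragment


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    # Assumption: `fragments` restricts the rule to non-initial fragments.
    return not rule.fragments or pkt.frag_offset > 0


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the deciding rule); seq is None for the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None       # implicit deny ip any any


def shadowed(acl: List[Rule]) -> List[int]:
    """Sequence numbers of rules that an earlier, broader rule always pre-empts."""
    ordered = sorted(acl, key=lambda r: r.seq)
    hidden = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            covers_dst = ipaddress.ip_network(later.dst).subnet_of(
                ipaddress.ip_network(earlier.dst))
            # An earlier rule without `fragments` also matches every fragment.
            covers_frag = (not earlier.fragments) or later.fragments
            if covers_dst and covers_frag:
                hidden.append(later.seq)
                break
    return hidden


# The two ABC orderings from the text, with constructed sequence numbers.
DENY_FRAGMENTS_FIRST = [
    Rule(10, "deny", "10.1.1.1/32", fragments=True),
    Rule(20, "permit", "10.1.1.1/32"),
]
PERMIT_FIRST = [
    Rule(10, "permit", "10.1.1.1/32"),
    Rule(20, "deny", "10.1.1.1/32", fragments=True),
]

if __name__ == "__main__":
    later_fragment = Packet("10.1.1.1", frag_offset=185)   # constructed packet
    for name, acl in (("deny fragments first", DENY_FRAGMENTS_FIRST),
                      ("permit first", PERMIT_FIRST)):
        print(name, evaluate(acl, later_fragment), "shadowed:", shadowed(acl))
```

Running the shadow check before applying an ACL catches the second ordering, where the fragments rule at sequence 20 can never take effect.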
Assign sequence number to filter IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filter by filter sequence. Configure the IP ACL by first entering IP ACCESSLIST mode and then assigning a sequence number to the filter. User-provided sequence number ● Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.
For example, if you configured the following rules: deny ip 1.1.1.1/24 2.2.2.2/24 deny ip any any Using the no deny ip any any command deletes only the deny ip any any rule. To delete the deny ip 1.1.1.1/24 2.2.2.2/24 rule, you must explicitly use the no deny ip 1.1.1.1/24 2.2.2.2/24 command. NOTE: Wildcard option is not supported. ● You can no longer configure the same ACL rule multiple times using different sequence numbers.
2. Configure an IP address for the interface, placing it in L3 mode in INTERFACE mode. ip address ip-address 3. Apply an IP ACL filter to traffic entering or exiting an interface in INTERFACE mode. ip access-group access-list-name {in | out} Configure IP ACL OS10(config)# interface ethernet 1/1/28 OS10(conf-if-eth1/1/28)# ip address 10.1.2.
Apply ACL rules to access-group and view access-list OS10(config)# interface ethernet 1/1/28 OS10(conf-if-eth1/1/28)# ip access-group abcd in OS10(conf-if-eth1/1/28)# exit OS10(config)# ip access-list acl1 OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● The following applications require ACL tables: VLT, iSCSI, L2 ACL, L3 v4 ACL, L3 v6 ACL, PBR v4, PBR v6, QoS L2, QoS L3, FCoE.
Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● You can create either Layer 2 ACL or Layer 3 ACL. You cannot create both the tables at a time. ● In egress L3 IPv4 ACL, the fragment, TCP flags, and DSCP fields are not supported. ● IPv6 user ACL table is not supported. ● In egress ACLs, L2 user table is utilized only for switched packets and L3 user table is utilized only for routed packets. ● In L2 user ACL, Ether type is not supported.
● To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
● To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
● To permit routes with a mask greater than /20, enter permit x.x.x.
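How ge and le select mask lengths can be checked offline with the following added example, which is not OS10 code. It assumes the conventional prefix-list semantics: a route matches when it lies inside the configured prefix and its mask length falls in the inclusive range set by ge and le, an entry with neither keyword matches the exact mask length only, and a route that matches no entry is denied. The sample routes are constructed; the denyprefix entry is the one from the ip prefix-list deny command example in this guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    prefix: str                # e.g. "10.10.10.2/16"; host bits are ignored
    ge: Optional[int] = None
    le: Optional[int] = None

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)

    def length_range(self) -> Tuple[int, int]:
        """Inclusive (low, high) mask lengths this entry accepts."""
        net = self.network()
        if self.ge is None and self.le is None:
            return net.prefixlen, net.prefixlen        # exact match only
        low = self.ge if self.ge is not None else net.prefixlen
        high = self.le if self.le is not None else net.max_prefixlen
        return low, high

    def matches(self, route: str) -> bool:
        candidate = ipaddress.ip_network(route, strict=False)
        net = self.network()
        if candidate.version != net.version or not candidate.subnet_of(net):
            return False
        low, high = self.length_range()
        return low <= candidate.prefixlen <= high


def evaluate(prefix_list: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry decides; index is None when the implicit deny applies."""
    for index, entry in enumerate(prefix_list):
        if entry.matches(route):
            return entry.action, index
    return "deny", None        # assumption: unmatched routes are denied


# Entries modelled on the cases in the text, with 0.0.0.0/0 and 10.0.0.0/8
# standing in for the x.x.x.x/x placeholder (constructed values).
ONLY_SLASH_8 = Entry("deny", "0.0.0.0/0", ge=8, le=8)
EIGHT_TO_TWELVE = Entry("permit", "10.0.0.0/8", ge=8, le=12)
DENYPREFIX = Entry("deny", "10.10.10.2/16", le=30)

if __name__ == "__main__":
    for route in ("10.10.4.0/24", "10.10.4.1/32", "10.11.0.0/24"):
        print(route, "matched by denyprefix:", DENYPREFIX.matches(route))
```

The denyprefix entry covers mask lengths 16 through 30 inside 10.10.0.0/16, so host routes (/32) in that range are not matched by it.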
Table 114. Multiple match commands under a single route-map (continued) Route-map clause deny Prefix list Incoming Route Action permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause. permit MATCH The route is denied. permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause.
○ vlan — Enter the VLAN ID number. Check match routes OS10(config)# route-map test permit 1 OS10(conf-route-map)# match tag 250000 OS10(conf-route-map)# set weight 100 Set conditions There is no limit to the number of set commands per route map, but keep the number of set filters in a route-map low. The set commands do not require a corresponding match command. ● Enter the IP address in A.B.C.D format of the next-hop for a BGP route update in ROUTE-MAP mode.
ACL flow-based monitoring Flow-based monitoring conserves bandwidth by selecting only the required flow to mirror instead of mirroring entire packets from an interface. This feature is available for L2 and L3 ingress traffic. Specify flow-based monitoring using ACL rules. Flow-based monitoring copies incoming packets that match the ACL rules applied on the ingress port and forwards, or mirrors them to another port.
2. Enable flow-based monitoring for the mirroring session in MONITOR-SESSION mode. flow-based enable 3. Define ACL rules that include the keywords capture session session-id in CONFIGURATION mode. The system only considers port monitoring traffic that matches rules with the keywords capture session. ip access-list 4. Apply the ACL to the monitored port in INTERFACE mode.
rows Max rows
------------------------------------------------------------------------------------------------------
0   SYSTEM_FLOW      49   975    1024
1   SYSTEM_FLOW      49   975    1024
2   USER_IPV4_ACL    3    1021   1024
3   USER_L2_ACL      2    1022   1024
4   USER_IPV6_ACL    2    510    512
5   USER_IPV6_ACL    2    510    512
6   FCOE             55   457    512
7   FCOE             55   457    512
8   ISCSI_SNOOPING   12   500    512
9   FREE             0    512    512
10  PBR_V6           1    511    512
11  PBR_V6           1    511    512
------------------------------------------------------------------------------------------------------
Service Pools ---
App                  Allocated pools   App group   Configured rules   Used rows   Free rows   Max rows
------------------------------------------------------------------------------------------------------
USER_L2_ACL_EGRESS   Shared:1          G1          1                  2           254         256
USER_IPV4_EGRESS     Shared:1          G0          1                  2           254         256
USER_IPV6_EGRESS     Shared:2          G2          1                  2           254         256
Known behavior ● On the S4200-ON platform, the show acl-table-usage detail command output lists several hardware pools as available (FREE), but you will see an "ACL CAM table full" warning log when the system
By default, the interval is set to 5 minutes and logs are created every 5 minutes. During this interval, the system continues to examine the packets against the configured ACL rule and permits or denies traffic, but logging is halted temporarily. This value is configurable, and the range is from 1 to 10 minutes. For example, if you have configured a threshold value of 20 and an interval of 10 minutes, after an initial packet match is logged, the 20th packet that matches the ACE is logged.
Example
OS10# clear ipv6 access-list counters
Supported Releases 10.2.0E or later
clear mac access-list counters Clears counters for a specific or all MAC access lists. Syntax clear mac access-list counters [access-list-name] Parameters access-list-name — (Optional) Enter the name of the MAC access list to clear counters. A maximum of 140 characters. Default Not configured Command Mode EXEC Usage Information If you do not enter an access-list name, all MAC access-list counters clear.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny udp any any
Supported Releases 10.2.0E or later
deny (IPv6) Configures a filter to drop packets with a specific IPv6 address. Syntax deny [protocol-number | icmp | ipv6 | tcp | udp] [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log] Parameters ● protocol-number — (Optional) Enter the protocol number identified in the IP header, from 0 to 255.
○ protocol-number — (Optional) MAC protocol number identified in the header, from 600 to ffff. ○ capture — (Optional) Capture packets the filter processes. ○ cos — (Optional) CoS value, from 0 to 7. ○ count — (Optional) Count packets the filter processes. ○ vlan — (Optional) VLAN number, from 1 to 4093. Default Disabled Command Mode MAC-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment.
● A::B/x — Enter the number of bits to match to the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ipv6-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
Parameters ● A::B — (Optional) Enter the source IPv6 address from which the packet was sent and the destination address. ● A::B/x — (Optional) Enter the source network mask in /prefix format (/x) and the destination mask. ● any — (Optional) Set all routes which are subject to the filter: ○ capture — (Optional) Capture packets the filter processes. ○ count — (Optional) Count packets the filter processes. ○ byte — (Optional) Count bytes the filter processes.
Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny tcp any any capture session 1
Supported Releases 10.2.0E or later
deny tcp (IPv6) Configures a filter that drops TCP IPv6 packets meeting the filter criteria.
Parameters
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits to match to the dotted decimal address.
Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter. Example Supported Releases
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
Usage Information Example Example (Control-plane ACL) Supported Releases Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports as well as the management port. The no version of this command deletes the IPv4 ACL configuration.
Table 115. Special characters supported in regular expression (continued)
Character               Supported/Not supported
Pipe (|)                Supported
Plus (+)                Supported
Caret (^)               Supported; use the caret (^) character to represent the beginning of a new line.
Dollar ($)              Supported
Square brackets ([ ])   Supported
Asterisk (*)            Supported
Dot (.)                 Supported
Backslash (\)           Supported; precede the character with a backslash(\). For example, enter \\.
Example Supported Release
Usage Information The no version of this command removes the community list.
Example
OS10(config)# ip community-list standard STD_LIST deny local-AS
Supported Release 10.3.0E or later
ip community–list standard permit Creates a standard community list for BGP to permit access. Syntax ip community-list standard name permit {aa:nn | no-advertise | local-as | no-export | internet} Parameters ● name — Enter the name of the standard community list used to identify one more permit groups of communities.
Supported Release 10.3.0E or later
ip extcommunity-list standard permit
Creates an extended community list for BGP to permit access.
Syntax ip extcommunity-list standard name permit {4byteas-generic | rt | soo}
Parameters
● name — Enter the name of the community list used to identify one or more permit groups of extended communities. Do not use the term none as the name of the extended community list.
● rt — Enter the route target.
● soo — Enter the route origin or site-of-origin.
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
OS10(config)# ip prefix-list denyprefix deny 10.10.10.2/16 le 30
Supported Release 10.3.0E or later
ip prefix-list permit
Creates a prefix-list to permit route filtering from a specified network address.
Syntax ip prefix-list name permit [A.B.C.
ip prefix-list seq permit
Configures a filter to permit route filtering from a specified prefix list.
Syntax ipv6 prefix-list [name] seq num permit A::B/x [ge | le] prefix-len
Parameters
● name — Enter the name of the prefix list.
● num — Enter the sequence list number.
● A.B.C.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix list.
Example
Supported Release
Parameters access-list-name — Enter the name of an IPv6 access list. A maximum of 140 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# ipv6 access-list acl6
Supported Release 10.2.0E or later
ipv6 prefix-list deny
Creates a prefix list to deny route filtering from a specified IPv6 network address.
ipv6 prefix-list permit
Creates a prefix-list to permit route filtering from a specified IPv6 network address.
Syntax ipv6 prefix-list prefix-list-name permit {A::B/x [ge | le] prefix-len}
Parameters
● prefix-list-name — Enter the IPv6 prefix-list name.
● A::B/x — Enter the IPv6 address to permit.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
Supported Release
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
OS10(config)# ipv6 prefix-list TEST seq 65535 permit AB10::1/128 ge 30
Supported Release 10.3.0E or later
logging access-list mgmt burst
Configures the burst size for control-plane ACL applied on the management interface.
Syntax [no] logging access-list mgmt burst value
Parameters value — Specify the burst size (maximum tokens), from 1 to 10.
Default Not configured
Command Mode CONFIGURATION CONTROL-PLANE
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports. The no version of this command resets the value to the default.
Example
Example (Control-plane ACL)
Supported Releases
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
permit (MAC)
Configures a filter to allow packets with a specific MAC address.
Syntax permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | count [byte] | cos | vlan]
Parameters
● nn:nn:nn:nn:nn:nn — Enter the MAC address.
● 00:00:00:00:00:00 — (Optional) Enter which bits in the MAC address must match. If you do not enter a mask, a mask of 00:00:00:00:00:00 applies.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# permit icmp any any capture session 1
Supported Releases 10.2.0E or later
permit icmp (IPv6)
Configures a filter to permit all or specific ICMP messages.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(conf-ipv4-acl)# permit ip any any capture session 1
Supported Releases 10.2.0E or later
permit ipv6
Configures a filter to permit all or specific packets from an IPv6 address.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Supported Releases 10.2.0E or later
permit udp
Configures a filter that allows UDP packets meeting the filter criteria.
Syntax permit udp [A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Parameters
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits that must match the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
NOTE: The control-plane ACL supports only the eq operator.
● host ipv6-address — (Optional) Enter the keyword and the IPv6 address to use a host address only.
● ack — (Optional) Set the bit as acknowledgement.
seq deny
Assigns a sequence number to deny IPv4 addresses while creating the filter.
Syntax seq sequence-number deny [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the ACL for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● host ipv6-address — (Optional) Enter to use an IPv6 host address only.
● capture — (Optional) Enter to capture packets the filter processes.
● count — (Optional) Enter to count packets the filter processes.
● byte — (Optional) Enter to count bytes the filter processes.
● dscp value — (Optional) Enter to deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Enter to use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging.
seq deny icmp
Assigns a filter to deny ICMP messages while creating the filter.
Syntax seq sequence-number deny icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# seq 10 deny icmp any any capture session 1 log
Supported Releases 10.2.0E or later
seq deny ip
Assigns a sequence number to deny IPv4 addresses while creating the filter.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny tcp any any capture session 1 log
Supported Releases 10.2.
Supported Releases 10.2.0E or later
seq deny udp
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.
seq deny udp (IPv6)
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
Supported Releases 10.2.0E or later
seq permit (MAC)
Assigns a sequence number to permit MAC addresses while creating a filter.
Syntax seq sequence-number permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | count [byte] | vlan]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Supported Releases 10.2.0E or later
seq permit tcp
Assigns a sequence number to allow TCP packets while creating the filter.
Syntax seq sequence-number permit tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.
seq permit tcp (IPv6)
Assigns a sequence number to allow TCP IPv6 packets while creating the filter.
Syntax seq sequence-number permit tcp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
  ○ neq — Not equal to
  ○ range — Range of ports, including the specified port numbers.
● ack — (Optional) Set the bit as acknowledgment.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
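A lint pass over rules written in the seq permit/deny syntax documented above, as an added example (not Dell EMC code): it checks the documented value ranges (sequence number 1 to 16777214, DSCP 0 to 63) and flags rules that an earlier, broader rule makes unreachable. It assumes first-match evaluation in ascending sequence order and handles IPv4 rules only; the sample ACL and all function names are constructed for illustration.

```python
import ipaddress

SEQ_MAX = 16777214            # documented sequence-number range: 1 to 16777214
DSCP_MAX = 63                 # documented DSCP range: 0 to 63
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}   # operator -> port arguments
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}

# Constructed sample rules (not taken from a real device).
SAMPLE_ACL = """\
seq 10 permit tcp 10.1.0.0/16 any eq 22 log
seq 20 deny ip 10.1.0.0/16 any count
seq 30 permit tcp host 10.1.5.9 any eq 443
seq 40 deny udp any any dscp 70
seq 16777215 permit icmp any any
"""


def _take_address(tokens):
    """Consume one address spec (any | host X | A.B.C.D/x) and an optional port operator."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        # Assumption of this example: a bare A.B.C.D is treated as a /32.
        net = ipaddress.ip_network(tok, strict=False)
    ports = None
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        ports = (op, tuple(int(tokens.pop(0)) for _ in range(PORT_OPS[op])))
    return net, ports


def parse_rule(line):
    """Parse 'seq N {permit|deny} proto src dst [options]' into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a seq permit/deny rule: {line!r}")
    rest = tokens[4:]
    src, sport = _take_address(rest)
    dst, dport = _take_address(rest)
    dscp = int(rest[rest.index("dscp") + 1]) if "dscp" in rest else None
    # A rule is "narrow" when it matches on more than protocol and addresses.
    narrow = bool(sport or dport or dscp is not None
                  or "fragment" in rest or TCP_FLAGS & set(rest))
    return {"seq": int(tokens[1]), "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst, "dscp": dscp, "narrow": narrow}


def covers(earlier, later):
    """True when every packet matching `later` already matches `earlier`."""
    if earlier["narrow"]:
        return False                      # conservative: do not reason about ports, flags, DSCP
    if earlier["proto"] not in ("ip", later["proto"]):
        return False
    return (later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def audit(acl_text):
    """Return (seq, kind, detail) findings for out-of-range values and unreachable rules."""
    rules = [parse_rule(l) for l in acl_text.splitlines() if l.strip()]
    findings = []
    for r in rules:
        if not 1 <= r["seq"] <= SEQ_MAX:
            findings.append((r["seq"], "seq-range", f"sequence number outside 1-{SEQ_MAX}"))
        if r["dscp"] is not None and not 0 <= r["dscp"] <= DSCP_MAX:
            findings.append((r["seq"], "dscp-range", f"dscp {r['dscp']} outside 0-{DSCP_MAX}"))
    ordered = sorted(rules, key=lambda r: r["seq"])
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier["action"] != later["action"] else "redundant"
                findings.append((later["seq"], kind,
                                 f"covered by seq {earlier['seq']} ({earlier['action']})"))
                break
    return findings


if __name__ == "__main__":
    for seq, kind, detail in audit(SAMPLE_ACL):
        print(f"seq {seq}: {kind}: {detail}")
```

In the sample, the permit at seq 30 never takes effect because the broader deny at seq 20 matches the same host first, which is the ordering mistake this kind of check is meant to catch before a rule set is applied.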
Ingress IPV6 access list aaa on ethernet1/1/2
Egress IPV6 access list aaa on ethernet1/1/2
Example (Control-plane ACL - IP)
OS10# show ip access-group aaa-cp-acl
Ingress IP access-list aaa-cp-acl on control-plane data mgmt
Example (Control-plane ACL - MAC)
OS10# show mac access-group aaa-cp-acl
Ingress MAC access-list aaa-cp-acl on control-plane data
Example (Control-plane ACL - IPv6)
OS10# show ipv6 access-group aaa-cp-acl
Ingress IPV6 access-list aaa-cp-acl on control-plane data mgmt
Supported Relea
Example (IP Out)
OS10# show ip access-lists out
Egress IP access list aaaa
 Active on interfaces :
  ethernet1/1/1
  ethernet1/1/2
 seq 10 permit ip any any
 seq 20 permit tcp any any count (0 packets)
 seq 30 permit udp any any count bytes (0 bytes)
Example (IPv6 In)
OS10# show ipv6 access-lists in
Ingress IPV6 access list bbb
 Active on interfaces :
  ethernet1/1/1
Example (IPv6 Out)
Example (IP In Control-plane ACL)
Example (IPv6 In - Control-plane ACL)
Example (MAC In - Control-plane ACL)
Supported Releases
Parameters None
Default None
Command Mode EXEC
Usage Information The hardware pool displays the ingress application groups (pools), the features mapped to each of these groups, and the amount of used and free space available in each of the pools. The amount of space required to store a single ACL rule in a pool depends on the keywidth of the TCAM slice. The service pool displays the amount of used and free space for each of the features.
----------------------------------------------------------------------------------------------
Service Pools
----------------------------------------------------------------------------------------------
App          Allocated pools  App group  Configured rules  Used rows  Free rows  Max rows
----------------------------------------------------------------------------------------------
SYSTEM_FLOW  Shared:3         G0         49                49         207        256
----------------------------------------------------------------------------------------------
Ingress ACL utilization - Pipe 2
Hardware Pools
----------------------------------------------------------------------------------------------
Egress ACL utilization
Hardware Pools
----------------------------------------------------------------------------------------------
Pool ID  App(s)  Used rows  Free rows  Max rows
----------------------------------------------------------------------------------------------
0        FREE    0          256        256
1        FREE    0          256        256
2        FREE    0          256        256
3        FREE    0          256        256
----------------------------------------------------------------------------------------------
Service Pools
----------------------------------------------------------------------------------------------
55 457 512
----------------------------------------------------------------------------------------------
Egress ACL utilization
Hardware Pools
------------------------------------------------------------------
Pool ID  App(s)              Used rows  Free rows  Max rows
------------------------------------------------------------------
0        USER_IPV4_EGRESS    2          254        256
1        USER_L2_ACL_EGRESS  2          254        256
2        USER_IPV6_EGRESS    2          254        256
3        USER_IPV6_EGRESS    2          254        256
------------------------------------------------------------------
Usage Information None
Example
OS10# show ip as-path-access-list
ip as-path access-list hello
 permit 123
 deny 35
Supported Releases 10.3.0E or later
show ip prefix-list
Displays configured IPv4 or IPv6 prefix list information.
Syntax show {ip | ipv6} prefix-list [prefix-name]
Parameters
● ip | ipv6 — (Optional) Displays information related to IPv4 or IPv6.
● prefix-name — Enter a text string for the prefix list name. A maximum of 140 characters.
Route-map commands
continue
Configures the next sequence of the route map.
Syntax continue seq-number
Parameters seq-number — Enter the next sequence number, from 1 to 65535.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# continue 65535
Supported Releases 10.3.0E or later
match as-path
Configures a filter to match routes that have a certain AS path in their BGP paths.
Supported Releases 10.3.0E or later
match extcommunity
Configures a filter to match routes that have a certain EXTCOMMUNITY attribute in their BGP path.
Syntax match extcommunity extcommunity-list-name [exact-match]
Parameters
● extcommunity-list-name — Enter the name of a configured extcommunity list.
● exact-match — (Optional) Select only those routes with the specified extcommunity list name.
Usage Information The no version of this command deletes the match.
Example
OS10(conf-route-map)# match interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)#
Supported Releases 10.2.0E or later
match ip address
Configures a filter to match routes based on IP addresses specified in IP prefix lists.
Syntax match ip address {prefix-list prefix-list-name | access-list-name}
Parameters
● prefix-list-name — Enter the name of the configured prefix list. A maximum of 140 characters.
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match ipv6 address test100
Supported Releases 10.3.0E or later
match ipv6 next-hop
Configures a filter to match based on the next-hop IPv6 addresses specified in IP prefix lists.
Syntax match ipv6 next-hop prefix-list prefix-list
Parameters prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters.
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match origin egp
Supported Releases 10.3.0E or later
match route-type
Configures a filter to match routes based on how the route is defined.
Syntax match route-type {external {type-1 | type-2} | internal | local}
Parameters
● external — Match only on external OSPF routes.
route-map
Enables a route-map statement and configures its action and sequence number.
Syntax route-map map-name [permit | deny | sequence-number]
Parameters
● map-name — Enter the name of the route-map. A maximum of 140 characters.
● sequence-number — (Optional) Enter the number to identify the route-map for editing and sequencing number from 1 to 65535. The default is 10.
● permit — (Optional) Set the route-map default as permit.
● deny — (Optional) Set the route default as deny.
Usage Information Configure the community list you use in the set comm-list delete command so that each filter contains only one community. For example, the filter deny 100:12 is acceptable, but the filter deny 120:13 140:33 results in an error. If you configure the set comm-list delete command and the set community command in the same route map sequence, the deletion (set comm-list delete) is processed before the insertion (set community).
Example
Supported Releases
set extcomm-list delete
Remove communities in the specified list from the EXTCOMMUNITY attribute in a matching inbound or outbound BGP route.
Syntax set extcomm-list extcommunity-list-name delete
Parameter extcommunity-list-name — Enter the name of an established extcommunity list. A maximum of 140 characters.
Defaults None
Command Mode ROUTE-MAP
Usage Information To add communities in an extcommunity list to the EXTCOMMUNITY attribute in a BGP route, use the set extcomm-list add command.
Supported Releases 10.2.0E or later
set metric
Set a metric value for a routing protocol.
Syntax set metric [+ | -] metric-value
Parameters
● + — (Optional) Add a metric value to the redistributed routes.
● - — (Optional) Subtract a metric value from the redistributed routes.
● metric-value — Enter a new metric value, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information To establish an absolute metric, do not enter a plus or minus sign before the metric value.
Example
OS10(conf-route-map)# set metric-type internal
Supported Releases 10.2.0E or later
set next-hop
Sets an IPv4 or IPv6 address as the next-hop.
Syntax set {ip | ipv6} next-hop ip-address
Parameters ip-address — Enter the IPv4 or IPv6 address for the next-hop.
Default Not configured
Command Mode ROUTE-MAP
Usage Information If you apply a route-map with the set next-hop command in ROUTER-BGP mode, it takes precedence over the next-hop-self command used in ROUTER-NEIGHBOR mode.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the set clause from a route map.
Example
OS10(conf-route-map)# set tag 23
Supported Releases 10.2.0E or later
set weight
Set the BGP weight for the routing table.
Syntax set weight weight
Parameters weight — Enter a number as the weight the route uses to meet the route map specification, from 0 to 65535.
Default Default router-originated is 32768 — all other routes are 0.
21 Quality of service
Quality of service (QoS) reserves network resources for highly critical application traffic with precedence over less critical application traffic. QoS prioritizes different types of traffic and ensures quality of service. You can control the following traffic flow parameters: Delay, Bandwidth, Jitter, and Drop. Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces.
Configure quality of service
Network traffic is processed based on the classification and policies that apply to the traffic. Configuring QoS is a three-step process:
1. Create class-maps to classify the traffic flows. The following are the different types of class-maps:
● qos (default) — Classifies ingress data traffic.
● queuing — Classifies egress queues.
● control-plane — Classifies control-plane traffic.
● network-qos — Classifies traffic-class IDs for ingress buffer configurations.
When you apply a policy at the system level (System-QoS mode), the policy is effective on all the ports in the system. However, the interface-level policy takes precedence over the system-level policy.
Ingress traffic classification
Ingress traffic can either be data or control traffic. OS10 groups network traffic into different traffic classes, from class 0 to 7 based on various parameters. Grouping traffic into different classes helps to identify and prioritize traffic as it goes through the switch.
1. Create a dot1p trust map.
OS10(config)# trust dot1p-map example-dot1p-trustmap-name
OS10(config-tmap-dot1p-map)#
2. Define the set of dot1p values mapped to traffic-class, the qos-group ID.
OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 0-4
OS10(config-tmap-dot1p-map)# qos-group 5 dot1p 5-7
3. Verify the map entries.
Table 117. Default DSCP trust map (continued)
DSCP values  Traffic class ID  Color
24-27        3                 G
28-31        3                 Y
32-35        4                 G
36-39        4                 Y
40-43        5                 G
44-47        5                 Y
48-51        6                 G
52-55        6                 Y
56-59        7                 G
60-62        7                 Y
63           7                 R
NOTE: You cannot modify the default DSCP trust map.
User-defined DSCP trust map
You can override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0 and color G.
Configure user-defined DSCP trust map
1.
You must apply the trust map at the interface or system-qos level. To apply the trust map on a specific interface or on system-qos (global) level:
● Interface level
OS10(conf-if-eth1/1/1)# trust-map dscp example-dscp-trustmap-name
● System-qos level
OS10(config-sys-qos)# trust-map dscp example-dscp-trustmap-name
ACL-based classification
Classify the ingress traffic by matching the packet fields using ACL entries.
ACL-based classification with trust
This section describes how to configure ACL-based classification when you configure trust-based classification. If you configure ACL-based classification for a set of DSCP/COS values as well as trust-based classification on a particular port, the ACL-based classification takes precedence over trust-based classification.
1. Create a user-defined dscp or dot1p trust-map.
● You have a CoPP policy configured for queue 5 in release 10.4.1, which is for ARP Request, ICMPv6-RS-NS, iSCSI snooping, and iSCSI-COS.
● After upgrade to release 10.4.2, the CoPP policy for queue 5 is remapped based on the new CoPP protocol mappings to queues as follows:
  ○ ARP Request is mapped to queue 6
  ○ ICMPv6-RS-NS is mapped to queue 5
  ○ iSCSI is mapped to queue 0
The rate limit configuration in CoPP policy before upgrade is automatically remapped to queues 6, 5, and 0 respectively after upgrade.
Table 118. CoPP: Protocol mappings to queues - prior to release 10.4.2 (continued)
Queue  Protocol
9      BGPv4, OSPFv6
10     DHCPv6, DHCPv4, VRRP
11     OSPF Hello, OpenFlow
The following table lists the CoPP protocol mappings to queues, and default rate limits and buffer sizes on the S4148FE-ON platform. The number of control-plane queues is dependent on the hardware platform.
Table 119. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
Table 119. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 100 pir 100
View policy-map
OS10(config)# do show policy-map
Service-policy (control-plane) input: example-copp-policy-map-name
 Class-map (control-plane): example-copp-class-map-name
  set qos-group 2
  police cir 100 bc 100 pir 100 be 100
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● Shaping does not support traffic less than 468 kbps. Configure the shaping rates in multiples of 468.
● show control-plane info default — Displays the default protocol-to-queue mapping.
● show control-plane info — Displays the currently configured protocol-to-queue mapping.
15 16 17 18 19 20 21 22 23 24 600 500 600 700 700 100 100 100 300 100 1000 500 1000 700 1000 100 100 100 6400 100 BGP IPV6_DHCP IPV4_DHCP BFD OPEN_FLOW REMOTE CPS MCAST DATA ACL LOGGING MCAST KNOWN DATA PTP PORT_SECURITY
View configuration
Use show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Use the show command output to verify the CoPP configuration.
Dropped Bytes 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 26 0 0 0 36 36 919 67 0 0 0 80662 2779 0 1265 422 0 0 0 0 1768 0 0 0 3816 3096 58816 4288 0 0 0 5539376 462189 0 108790 36075 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Egress traffic classification
Egress traffic is classified into different queues based on the traffic-class ID marked on the traffic flow.
NOTE: For the Z9332F-ON platform, you must specify the type of queue. For example:
OS10(config-qos-map)# queue 3 qos-group 0-3 type ucast
3. Verify the map entries.
OS10# show qos maps type tc-queue
Traffic-Class to Queue Map: tc-q-map
Queue  Traffic-Class
--------------------------
3      0-3
4. Apply the map on a specific interface or on a system-QoS global level.
3. Apply the QoS type policy-map to an interface.
OS10(config)# interface ethernet 1/1/14
OS10(conf-if-eth1/1/14)# service-policy input type qos example-interface-policer
Flow rate policing controls the rate of flow of traffic.
Configure flow rate policing
1. Create a QoS type class-map to match the traffic flow.
OS10(config)# class-map example-cmap-cos3
OS10(config-cmap-qos)# match cos 3
2.
2. Create a QoS type policy-map to color the traffic flow.
OS10(config)# policy-map type qos example-pmap-ect-color
OS10(config-pmap-qos)# class example-cmap-dscp-3-ect
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# set color yellow
Modify packet fields
You can modify the value of CoS or DSCP fields.
1. Create a QoS type class-map to match a traffic flow.
OS10(config)# class-map cmap-dscp-3
OS10(config-cmap-qos)# match ip dscp 3
2. Modify the policy-map to update the DSCP field.
1. Create a queuing type class-map and configure a name for the class-map in CONFIGURATION mode.
class-map type queuing example-que-cmap-name
2. Apply the match criteria for the queue in CLASS-MAP mode.
match queue queue-number
3. Return to CONFIGURATION mode.
exit
4. Create a queuing type policy-map and configure a policy-map name in CONFIGURATION mode.
policy-map type queuing example-que-pmap-name
5. Configure a queuing class in POLICY-MAP mode.
class example-que-cmap-name
6.
1. Define a policy-map and create a policy-map name in CONFIGURATION mode.
policy-map type queuing policy-map-name
2. Create a queuing class and configure a name for the policy-map in POLICY-MAP mode.
class class-map-name
3. Set the scheduler as strict priority in POLICY-MAP-CLASS-MAP mode.
priority
Apply policy-map
1. Apply the policy-map to the interface in INTERFACE mode or all interfaces in SYSTEM-QOS mode.
system qos
OR
interface ethernet node/slot/port[:subport]
2.
Rate adjustment
QoS features such as policing and shaping do not include overhead fields such as Preamble, smart frame delimiter (SFD), interframe gap (IFG), and so on. For rate calculations, these features include only the frame length between the destination MAC address (DMAC) and the CRC field.
● Default buffer — By default, the system allocates a certain amount of default buffer to all the ports.
● Reserved buffer — The system reserves a dedicated amount of buffer to a port or a priority group (at ingress) and a port or a queue (at egress).
● Shared buffer — Is the total available buffer space minus the reserved buffer space. Shared buffer is used for CPU control traffic and is dynamically allocated to the ports when memory space is needed.
Table 122. Default ingress buffers on the S4100-ON series platform
Speed                                10G  25G  40G  50G  100G
Reserved buffers for PG 7 (default)  9KB  9KB  9KB  9KB  9KB
The following lists the link-level flow control (LLFC) buffer settings for default priority group 7:
Table 123.
Table 125. Default egress buffers on the S4100-ON series platform
Speed                                                   10G         25G         40G         50G         100G
Reserved buffers for each queue of a port (default)     1664 bytes  1664 bytes  1664 bytes  1664 bytes  1664 bytes
The default dynamic shared buffer threshold is 8.
1. Create a queuing type class-map to match the queue.
OS10(config)# class-map type queuing example-cmap-eg-buffer
OS10(config-cmap-queuing)# match queue 1
2.
Configure Deep Buffer mode
By default, Deep Buffer mode is disabled. To configure Deep Buffer mode on a switch, enable the mode, save the configuration, and reload the switch for the feature to take effect.
NOTE: Disable all the network QoS configurations; for example, PFC and LLFC, before configuring the Deep Buffer mode.
To configure Deep Buffer mode:
1. Enable Deep Buffer mode in CONFIGURATION mode.
Congestion avoidance
Congestion avoidance anticipates and takes necessary actions to avoid congestion. The following mechanisms avoid congestion:
● Tail drop — Packets are buffered at traffic queues. When the buffers are exhausted or reach the configured threshold, excess packets drop. By default, OS10 uses tail drop for congestion avoidance.
● Random early detection (RED) — In tail drop, different flows are not considered in buffer utilization.
2. Configure WRED threshold parameters for different colors in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 300 drop-probability 40
3. Configure the exponential weight value for the WRED profile in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect weight 4
4. Configure the ECN threshold parameters in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect ecn minimum-threshold 100 maximum-threshold 300 drop-probability 40
5.
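Added example (not from the Dell guide): a textbook RED/WRED model in Python showing how the minimum-threshold, maximum-threshold, drop-probability, and weight values used in the steps above interact. It assumes the classic linear ramp between the thresholds and an exponentially weighted average with factor 2^-weight; the switch hardware may compute these differently, and all function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WredColor:
    """Thresholds as entered with 'random-detect color ...' (values in KB)."""
    min_kb: float     # minimum-threshold
    max_kb: float     # maximum-threshold
    drop_pct: float   # drop-probability, in percent


def ewma(avg_kb, depth_kb, weight):
    """Update the average queue depth; a larger weight reacts more slowly.

    Assumption: classic RED averaging, avg += (depth - avg) / 2**weight.
    """
    return avg_kb + (depth_kb - avg_kb) / (2 ** weight)


def action_probability(avg_kb, color):
    """Probability that a packet of this color is dropped (or ECN-marked).

    Below the minimum threshold nothing happens, at or above the maximum
    every packet is acted on, and in between the probability rises linearly
    up to drop_pct.
    """
    if avg_kb < color.min_kb:
        return 0.0
    if avg_kb >= color.max_kb:
        return 1.0
    ramp = (avg_kb - color.min_kb) / (color.max_kb - color.min_kb)
    return (color.drop_pct / 100.0) * ramp


def simulate(depths_kb, weight, color):
    """Return [(average depth, action probability), ...] for each sample."""
    avg, trace = 0.0, []
    for depth in depths_kb:
        avg = ewma(avg, depth, weight)
        trace.append((avg, action_probability(avg, color)))
    return trace


def first_action_sample(depths_kb, weight, color):
    """1-based index of the first sample where WRED starts acting, or None."""
    for index, (_, prob) in enumerate(simulate(depths_kb, weight, color), 1):
        if prob > 0.0:
            return index
    return None


# Values from the configuration steps above.
YELLOW = WredColor(min_kb=100, max_kb=300, drop_pct=40)

if __name__ == "__main__":
    burst = [320] * 10  # constructed input: queue held at 320 KB for 10 samples
    for weight in (0, 4):
        print(f"weight {weight}: WRED first acts on sample "
              f"{first_action_sample(burst, weight, YELLOW)}")
        for avg, prob in simulate(burst, weight, YELLOW):
            print(f"  avg={avg:7.2f} KB  p={prob:.4f}")
```

With weight 4 the averaged depth lags the instantaneous depth, so a short burst above the maximum threshold is absorbed before WRED reacts; with weight 0 the profile acts on the instantaneous depth.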
RoCE for faster access and lossless connectivity

Remote Direct Memory Access (RDMA) enables memory transfers between two computers in a network without involving the CPU of either computer. RDMA networks provide high bandwidth and low latency without appreciable CPU overhead for improved application performance, storage and data center utilization, and simplified network management. RDMA was traditionally supported only in an InfiniBand environment.
○ If the network is non-VLAN tagged, use the trust-map dscp default command or the user-defined trust-map dscp configuration.
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default
5. Create a network-qos type class-map and policy-map for priority flow control (PFC). This configuration fine-tunes the buffer settings for the particular priority.
7. Create a QoS map for ETS to map the lossy and lossless traffic to the respective queues.
OS10(config)# qos-map traffic-class 2Q
OS10(config-qos-map)# queue 0 qos-group 0-2, 4-7
OS10(config-qos-map)# queue 3 qos-group 3
NOTE: On the Z9332F-ON platform, you must also specify the type of queue, whether it is a unicast or multicast queue.
e. Apply the qos-map for ETS configurations on the interface.
OS10(conf-if-eth1/1/1)# qos-map traffic-class 2Q
f. Enable PFC on the interface.
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
● For RoCEv2 (tagged L3 traffic):
a. Create a VLAN.
OS10(config)# interface vlan 55
OS10(conf-if-vl-55)# no shutdown
b. Enter INTERFACE mode and enter the no shutdown command.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
c.
● To view the PFC configuration, operational status, and statistics on the interface, use the show interface interface-name priority-flow-control details command:
OS10(config)# show interface ethernet 1/1/15 priority-flow-control details
● To view the ECN markings on an interface, use the show queuing statistics interface interface-name wred command:
OS10# show queuing statistics interface ethernet 1/1/1 wred
● To view any egress packet loss, use the show queuing statistics command:
NOTE: There should not b
The following examples show each device in this network and their respective configuration:

SW1 configuration

VXLAN configuration — SW1
OS10# configure terminal
OS10(config)# interface vlan 3000
OS10(conf-if-vl-3000)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# exit
OS10(config)# interface loopback 1
OS10(conf-if-lo-1)# ip address 1.1.1.1/32
OS10(conf-if-lo-1)# exit
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 8.8.8.
OS10(config)# configure terminal
OS10(config)# nve
OS10(conf-nve)# source-interface loopback 1
OS10(conf-nve)# exit
OS10(config)# virtual-network 5
OS10(conf-vn-5)# vxlan-vni 1000
OS10(conf-vn-vxlan-vni)# remote-vtep 2.2.2.
WRED and ECN configuration — SW1
OS10# configure terminal
OS10(config)# wred w1
OS10(config-wred)# random-detect ecn
OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 500 drop-probability 100
OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 500 drop-probability 100
OS10(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100
OS10(config-wred)# exit
OS10(config)# class-map type queuing cq
OS
OS10(config-router-ospf-1)# router-id 9.9.9.
OS10(config)# policy-map type network-qos llfc
OS10(config-pmap-network-qos)# class llfc
OS10(config-pmap-c-nqos)# pause buffer-size 120 pause-threshold 50 resume-threshold 12
OS10(config-pmap-c-nqos)# end
OS10# configure terminal
OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/31,1/1/32
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol transmit on
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol receive on
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# service-policy input typ
VXLAN configuration — VLT peer 2
OS10(config)# configure terminal
OS10(config)# interface vlan 3000
OS10(conf-if-vl-3000)# ip address 5.5.5.3/24
OS10(conf-if-vl-3000)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# exit
OS10(config)# interface loopback 1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 2.2.2.2/32
OS10(conf-if-lo-1)# exit
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 10.10.10.
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# trust-map dot1p t1
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# end

LLFC configuration — VLT peer 2
Instead of PFC, you can configure LLFC as follows:
OS10# configure terminal
OS10(config)# class-map type network-qos llfc
OS10(config-cmap-nqos)# match qos-group 0-7
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos llfc
OS10(config-pmap-network-qos)#
NOS#
NOS# configure terminal
NOS(config)# interface ethernet 1/1/3
NOS(conf-if-eth1/1/3)# switchport mode trunk
NOS(conf-if-eth1/1/3)# switchport trunk allowed vlan 200
NOS(conf-if-eth1/1/3)# end
NOS#
NOS# configure terminal
NOS(config)# interface port-channel 2
NOS(conf-if-po-2)# switchport mode trunk
NOS(conf-if-po-2)# switchport trunk allowed vlan 200
NOS(conf-if-po-2)# end

PFC configuration — ToR device
NOS# configure terminal
NOS(config)# trust dot1p-map t1
NOS(config-tmap-dot1p-map)# qos-group 0 dot1p
NOS(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100
NOS(config-wred)# exit
NOS(config)# class-map type queuing cq
NOS(config-cmap-queuing)# match queue 5
NOS(config-cmap-queuing)# exit
NOS(config)# policy-map type queuing pq
NOS(config-pmap-queuing)# class cq
NOS(config-pmap-c-que)# random-detect w1
NOS(config-pmap-c-que)# end
NOS# configure terminal
NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontro
● Detecting microburst congestion
● Monitoring buffer utilization and historical trends
● Determining optimal sizes and thresholds for the ingress or egress shared buffers and headroom on a given port or queue based on real-time data

NOTE: BST is not supported on the S4248F-ON platforms. After you disable BST, be sure to clear the counter using the clear qos statistics type buffer-statistics-tracking command.
Eth 1/1/22   0   0, 1   0, 2   down
Eth 1/1/23   0   0, 1   0, 2   down
Eth 1/1/24   0   0, 1   0, 2   down
Eth 1/1/25   3   0, 1   1, 3   up
Eth 1/1/26   3   0, 1   1, 3   down
Eth 1/1/27   3   0, 1   1, 3   down
Eth 1/1/28   3   0, 1   1, 3   down
Eth 1/1/29   0   0, 1   0, 2   down
Eth 1/1/30   0   0, 1   0, 2   down
Eth 1/1/31   0   0, 1   0, 2   down
Eth 1/1/32   0   0, 1   0, 2   down
Eth 1/1/33   1   2, 3   0, 2   up
Eth 1/1/34   2   2, 3   1, 3   up

View information for a single interface:
OS10# show qos port-map details interface ethern
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface     Port Pipe   Ingress MMU   Egress MMU   Oper Status
--------------------------------------------------------------------------
Eth 1/1/1:1   0           0, 1          0, 2         up

View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface Po
class
Creates a QoS class for a type of policy-map.
Syntax: class class-name
Parameters: class-name — Enter a name for the class-map. A maximum of 32 characters.
Default: Not configured
Command Mode: POLICY-MAP-QUEUEING, POLICY-MAP-QOS, POLICY-MAP-NQOS, POLICY-MAP-CP, POLICY-MAP-APPLICATION
Usage Information: If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance.
clear qos statistics
Clears all QoS-related statistics in the system, including PFC counters.
Syntax: clear qos statistics
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: None
Example:
OS10# clear qos statistics
Supported Releases: 10.2.0E or later

clear qos statistics type
Clears all queue counters, including PFC, for control-plane, qos, and queueing.
control-plane
Enters CONTROL-PLANE mode.
Syntax: control-plane
Parameters: None
Default: Not configured
Command Mode: CONTROL-PLANE
Usage Information: If you attach an access-list to the class-map type of control-plane, the access-list ignores the permit and deny keywords.
Example (classmap):
OS10(config)# class-map type control-plane c1
OS10(config-cmap-control-plane)#
Example (policymap):
OS10(config)# policy-map type control-plane p1
OS10(config-pmap-control-plane)#
Supported Releases: 10.2.
Default: Disabled (off)
Command Mode: INTERFACE
Usage Information: The no version of this command returns the value to the default.
Example:
OS10(conf-if-eth1/1/2)# flowcontrol transmit on
Supported Releases: 10.3.0E or later

hardware deep-buffer-mode
Configures Deep Buffer mode.
Syntax: hardware deep-buffer-mode
Parameters: None
Defaults: Disabled
Command Modes: CONFIGURATION
Usage Information: Applicable only for the S4200-ON series switches.
● mac access-group name name — Enter an access-group name for the MAC access-list match criteria. A maximum of 140 characters.
● dscp dscp-value — Enter a DSCP value for marking the DSCP packets, from 0 to 63.
● not — Enter the IP or CoS to negate the match criteria.
● vlan vlan-id — Enter a VLAN number for VLAN match criteria, from 1 to 4093.
● protocol-or-application-name — Enter the name of the protocol or application that you want to move from one queue to another.
Command Mode: CLASS-MAP
Usage Information: You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement. The match-all option in a class-map does not support ip-any. Select either ip or ipv6 for the match-all criteria. If you select ip-any, you cannot select ip or ipv6 for the same filter type.
Example:
OS10(conf-cmap-qos)# match ip-any dscp 17-20
Supported Releases: 10.2.
match vlan
Configures a match criteria based on the VLAN ID number.
Syntax: match vlan vlan-id
Parameters: vlan-id — Enter a VLAN ID number, from 1 to 4093.
Default: Not configured
Command Mode: CLASS-MAP
Usage Information: You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
Example:
OS10(conf-cmap-qos)# match vlan 100
Supported Releases: 10.2.
Example:
OS10(conf-pmap-c-nqos)# pause buffer-size 45 pause-threshold 25 resume-threshold 10
Example (global and shared buffer):
OS10(config)# policy-map type network-qos nqGlobalpolicy1
OS10(conf-cmap-nqos)# class CLASS-NAME
OS10(conf-cmap-nqos-c)# pause buffer-size 45 pause-threshold 30 resume-threshold 30
OS10(config)# policy-map type network-qos nqGlobalpolicy1
OS10(conf-cmap-nqos)# class type network-qos nqclass1
OS10(conf-cmap-nqos-c)# pause buffer-size 45 pause-threshold 30 resume-threshold 10
Supporte
Command Mode: SYSTEM-QOS
Usage Information: This command configures the maximum size of the lossless buffer pool. The no version of this command removes the maximum buffer size limit.
Example:
OS10(config-sys-qos)# pfc-max-buffer-size 2000
Supported Releases: 10.4.0E(R1) or later

pfc-shared-buffer-size
Changes the shared buffers size limit for priority flow-control enabled flows.
police
Configures traffic policing on incoming traffic.
Syntax: police {cir committed-rate [bc committed-burst-size]} {pir peak-rate [be peak-burst-size]}
Parameters:
● cir committed-rate — Enter a committed rate value in kilo bits per second, from 0 to 4000000.
● bc committed-burst-size — (Optional) Enter the committed burst size in packets for control plane policing and in KB for data packets, from 16 to 200000.
● pir peak-rate — Enter a peak-rate value in kilo bits per second, from 0 to 40000000.
priority
Sets the scheduler as a strict priority.
Syntax: priority
Parameters: None
Default: WDRR — when priority is mentioned, it moves to SP with default level 1.
Command Mode: POLICY-MAP-CLASS-MAP
Usage Information: If you use this command, bandwidth is not allowed. Only the egress QoS policy type supports this command.
Example:
OS10(config-pmap-c-que)# priority
Supported Releases: 10.2.0E or later

priority-flow-control mode
Enables or disables Priority Flow-Control mode on an interface.
Supported Releases: 10.3.0E or later

qos-group dscp
Configures a DSCP trust map to the traffic class.
Syntax: qos-group tc-list [dscp values]
Parameters:
● qos-group tc-list — Enter a single traffic class ID, from 0 to 7.
● dscp values — (Optional) Enter either single, comma-delimited, or a hyphenated range of DSCP values, from 0 to 63.
Parameters: value-of-adjust—Number of bytes to add to overhead fields in each frame, from 1 to 31.
Default: 0
Command Mode: CONFIGURATION
Usage Information: The no form of this command removes the rate adjustment configuration and is the same as using the qos-rate-adjust 0 command.
Example:
OS10(config)# qos-rate-adjust 10
Supported Releases: 10.4.3.0 or later

queue-limit
Configures static or dynamic shared buffer thresholds.
Supported Releases: 10.3.0E or later

queue bandwidth
Configures a bandwidth for a given queue on an interface.
Syntax: queue queue-number bandwidth bandwidth-percentage
Parameters:
● queue-number — Enter the queue number.
● bandwidth-percentage — Enter the percentage of bandwidth.
Default: Not configured
Command Mode: POLICY-MAP-CLASS-MAP
Usage Information: The no version of this command removes the bandwidth from the queue.
Example: None
Supported Releases: 10.4.
Usage Information: The command applies to Z9332F-ON. The no version of this command returns the value to the default.
Example:
OS10(config-qos-map)# queue 2 qos-group 2-5 type unicast
Supported Releases: 10.5.0 or later

random-detect (interface)
Assigns a WRED profile to the specified interface.
Syntax: random-detect wred-profile
Parameters: wred-profile — Enter the name of an existing WRED profile.
● drop-rate — Enter the rate of drop precedence in percentage, from 0 to 100.
Default: Not configured
Command Mode: WRED CONFIGURATION
Usage Information: The no version of this command removes the WRED profile.
Example:
OS10(config)# wred test_wred
OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 300 drop-probability 40
Supported Releases: 10.4.0E(R1) or later

random-detect ecn
Enables explicit congestion notification (ECN) for the WRED profile.
random-detect pool
Assigns a WRED profile to the specified global buffer pool.
Syntax: random-detect pool pool-value wred-profile-name
Parameters:
● pool-value — Enter the pool value, from 0 to 1.
● wred-profile-name — Enter the name of an existing WRED profile.
Default: Not configured
Command Mode: SYSTEM-QOS
Usage Information: The no version of this command removes the WRED profile from the interface.
network-qos type policy-maps. When you configure interface-level policies and system-level policies, the interface-level policy takes precedence over the system-level policy.

To apply the network-QoS policy to a single interface or a range of interfaces, perform the following steps:
1. Run the interface ethernet or interface range ethernet command to select a single or a range of upstream and downstream interfaces, respectively.
2.
set qos-group
Configures marking for the QoS-group queues.
Syntax: set qos-group queue-number
Parameters: queue-number — Enter a queue number, from 0 to 7.
Default: Not configured
Command Mode: POLICY-MAP-CLASS-MAP
Usage Information: This command supports only the qos or control-plane ingress policy type. When the class-map type is control-plane, the qos-group corresponds to CPU queues 0 to 11. When the class-map type is qos, the qos-group corresponds to data queues 0 to 7.
● control-plane — Displays all policy-maps of control-plane type.
● class-map-name — Displays the QoS class-map name.
Default: Not configured
Command Mode: EXEC
Usage Information: This command displays all class-maps of qos, queuing, network-qos, or control-plane type. The class-map-name parameter displays all details of a configured class-map name.
Example:
OS10# show class-map type qos c1
Class-map (qos): c1 (match-all)
Match(not): ip-any dscp 10
Supported Releases: 10.2.
48880 17 48880 18 48880 19 48880 20 20800 21 20800 22 20800 Supported Releases lossy 1664 static lossy 1664 static lossy 1664 static lossy 1664 static lossy 1664 static lossy 1664 static 10.4.2 and later show control-plane buffer-stats Displays the control plane buffer statistics for each of the CPU queues. Syntax show control-plane buffer-stats Parameters None Default A predefined default profile exists.
0 16 0 17 0 18 0 19 0 20 0 21 0 22 0 Supported Releases 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 10.4.2 and later show control-plane info Displays control-plane queue mapping and rate limits. Syntax show control-plane info [default] Parameters default—Enter the keyword default to view the default protocol-to-queue mapping and default rate limits for the particular platform.
23 24 Supported Releases 300 100 6400 100 PTP PORT_SECURITY 10.2.0E or later show control-plane statistics Displays counters of all the CPU queue statistics.
Example: default setting
OS10# show hardware deep-buffer-mode
Deep Buffer Mode Configuration Status
-------------------------------------------
Current-boot Settings : Disabled
Next-boot Settings : Disabled

Example: saved to startup configuration
OS10# show hardware deep-buffer-mode
Deep Buffer Mode Configuration Status
-------------------------------------------
Current-boot Settings : Disabled
Next-boot Settings : Enabled

Example: switch reloaded
OS10# show hardware deep-buffer-mode
Deep Buffer M
show qos interface
Displays the QoS configuration applied to a specific interface.
Syntax: show qos interface ethernet node/slot/port[:subport]
Parameters: node/slot/port[:subport] — Enter the Ethernet interface information.
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: Monitors statistics for the control-plane and troubleshoots CoPP.
Example:
OS10# show qos control-plane
Service-policy (Input): p1
Supported Releases: 10.2.0E or later

show qos egress buffers interface
Displays egress buffer configurations.
Syntax: show qos egress buffers interface [interface node/slot/port[:subport]]
Parameters:
● interface — (Optional) Enter the interface type.
Example:
OS10# show qos egress buffer-statistics-tracking interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
QType       Queue   Total buffers peak count
---------------------------------------------------------------------------
Unicast     0       0
Unicast     1       0
Unicast     2       0
Unicast     3       0
Unicast     4       0
Unicast     5       0
Unicast     6       0
Unicast     7       0
Multicast   0       0
Multicast   1       0
Multicast   2       0
Multicast   3       0
Multicast   4       0
Multicast   5       0
Multicast   6       0
Multicast   7       0
Supported Releases: 10.4.3.
show qos headroom-pool buffer-statistics-tracking
Displays headroom-pool level peak buffer usage count in bytes.
Syntax: show qos headroom-pool buffer-statistics-tracking [detail]
Parameters: detail—Displays headroom-pool statistics per memory management unit (MMU) instance in platforms with multiple MMU instances such as the Z9100-ON, Z9264F-ON.
Default: Not configured
Command Mode: EXEC
Usage Information: Supported platforms include Z9100-ON series, Z9200-ON series, and S5200-ON series.
7 0 Supported Releases - 0 0-2,5-7 8 STATIC 0 10.3.0E or later show qos ingress buffer-statistics-tracking Displays ingress priority group level peak buffer usage count in bytes for the given priority group on a given interface. Syntax show qos ingress buffer-statistics-tracking interface ethernet [node/slot/ port] [priority-group {0-7}] [detail] Parameters ● node/slot/port—Enter the port information. ● [priority-group {0-7}]—Enter the priority-group keyword, followed by the group number.
Usage Information: None
Example:
OS10(config)# show qos ingress buffer-stats interface ethernet 1/1/15
Interface : ethernet1/1/15
Speed : 10G
Priority   Used reserved   Used shared   Used HDRM
Group      buffers         buffers       buffers
------------------------------------------------
0          9360            681824        35984
1          0               0             0
2          0               0             0
3          0               0             0
4          0               0             0
5          0               0             0
6          0               0             0
7          0               0             0
Supported Releases: 10.3.0E or later

show qos maps
Displays the active system trust map.
Queue   Traffic-Class
--------------------------
1       5
2       6
3       7

DOT1P Priority to Traffic-Class Map : map1
Traffic-Class   DOT1P Priority
-------------------------------

DOT1P Priority to Traffic-Class Map : dot1p-trustmap1
Traffic-Class   DOT1P Priority
-------------------------------
0               2
1               3
2               4
3               5
4               6
5               7
6               1

DSCP Priority to Traffic-Class Map : dscp-trustmap1
Traffic-Class   DSCP Priority
-------------------------------
0               8-15
2               16-23
1               0-7

Default Dot1p Priority to Traffic-Class Map
Traffic-Class   DOT1P Priority
--------
5   40-47
6   48-55
7   56-63
Supported Releases: 10.3.0E or later

show qos maps (Z9332F-ON)
Displays the QoS maps configuration of the dot1p-to-traffic class, DSCP-to-traffic class, and traffic-class to queue mapping in the device.
Syntax: show qos maps type tc-queue
Parameters: ● ● ● ●
Default: NA
Command Mode: EXEC
Usage Information: The command applies to the Z9332F-ON only. The command provides priority-to-traffic-class and traffic-class-to-queue mapping, both default and user configured.
Eth 1/1/1    1   2, 3   0, 2   up
Eth 1/1/2    1   2, 3   0, 2   up
Eth 1/1/3    1   2, 3   0, 2   up
Eth 1/1/4    1   2, 3   0, 2   up
Eth 1/1/5    2   2, 3   1, 3   up
Eth 1/1/6    2   2, 3   1, 3   up
Eth 1/1/7    2   2, 3   1, 3   up
Eth 1/1/8    2   2, 3   1, 3   up
Eth 1/1/9    1   2, 3   0, 2   up
Eth 1/1/10   1   2, 3   0, 2   up
Eth 1/1/11   1   2, 3   0, 2   up
Eth 1/1/12   1   2, 3   0, 2   up
Eth 1/1/13   2   2, 3   1, 3   down
Eth 1/1/14   2   2, 3   1, 3   down
Eth 1/1/15   2   2, 3   1, 3   down
Eth 1/1/16   2   2, 3   1, 3   down
Eth 1/1/17   3   0,
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface   Port Pipe   Ingress MMU   Egress MMU   Oper Status
--------------------------------------------------------------------------
Eth 1/1/1   1           2, 3          0, 2         up

Z9264F-ON switch:
OS10# show qos port-map details
--------------------------------------------------------------------------
Interface Port Pipe Ingress MMU Egress MMU Oper Stat
show qos-rate-adjust
Displays the status of the rate adjust limit for policing and shaping.
Syntax: show qos-rate-adjust
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: Not applicable for the S4200-ON series switches.
Example:
OS10# show qos-rate-adjust
QoS Rate adjust configured for Policer and Shaper (in bytes) : 10
Supported Releases: 10.4.3.0 or later

show qos service-pool buffer-statistics-tracking
Displays service-pool level peak buffer usage count in bytes.
Example:
show qos system
ETS Mode : off
ECN Mode : off
buffer-statistics-tracking : off
Supported Releases: 10.4.1.0 or later

show qos system buffers
Displays the system buffer configurations and utilization.
Syntax: show qos system {ingress | egress} buffers [detail]
Parameters: detail — Displays system buffers per MMU level in platforms that support multiple MMU instances such as the Z9100-ON, Z9264F-ON.
Total lossless buffers - 0
Total shared lossless buffers - 0
Total used shared lossless buffers
Total lossy buffers - 11567
Total shared lossy buffers - 9812
Total used shared lossy buffers - 0
Total CPU buffers - 620
Total shared CPU buffers - 558
Total used shared CPU buffers - 0

The following command is supported on platforms such as the Z9100-ON, Z9264F-ON:
OS10# show qos system egress buffer detail
All values are in kb
Total buffers
Total lossless buffers
Total shared lossless buffers
Total used shared
S4200 o/p OS10# show qos wred-profile Profile Name | Green | Yellow | Red | -------------|-----------------------|---------------------|-----------------------------------| | MIN MAX DROP-RATE | MIN MAX DROP-RATE | MIN MAX DROP-RATE | WEIGHT | ECN| | KB KB % | KB KB % | KB KB % | | | -------------|-----------------------|-------------------- |--------------------|--------|-----| profile1 | 10 100 100 | | | | Off| -------------|-----------------------|---------------------|--------------------|--------|----
Green Drop 0 Yellow Drop 0 Red Drop 0 ECN marked count Example (queue) Supported Releases 0 0 0 0 0 OS10# show queuing statistics interface ethernet 1/1/1 queue 3 Interface ethernet1/1/1 Queue Packets Bytes DroppedPackets Dropped-Bytes 3 0 0 0 0 10.2.0E or later system qos Enters SYSTEM-QOS mode to configure system-level QoS configurations.
trust dscp-map
Creates a user-defined trust map for DSCP flows.
Syntax: trust dscp-map map-name
Parameters: map-name — Enter the name of the DSCP trust map. A maximum of 32 characters.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: If you enable trust, traffic obeys this trust map. default-dscp-trust is a reserved trust-map name. The no version of this command returns the value to the default.
Example:
OS10(config)# trust dscp-map dscp-trust1
Supported Releases: 10.3.
Parameters: wred-profile-name — Enter a name for the WRED profile.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: The no version of this command removes the WRED profile.
Example:
OS10(config)# wred test_wred
OS10(config-wred)#
Supported Releases: 10.4.
Chapter 22: Virtual Link Trunking

Virtual Link Trunking (VLT) is a Layer 2 aggregation protocol used between an end device such as a server and two or more connected network devices. VLT helps to aggregate ports terminating on multiple switches. OS10 currently supports VLT port channel terminations on two different switches.

VLT:
● Provides node-level redundancy by using the same port channel terminating on multiple upstream nodes.
Optimized forwarding with VRRP

To ensure the same behavior on both sides of the VLT nodes, VRRP requires state information coordination. VRRP Active-Active mode optimizes L3 forwarding over VLT. By default, VRRP Active-Active mode is enabled on all the VLAN interfaces. VRRP Active-Active mode enables each peer to locally forward L3 packets, resulting in reduced traffic flow between peers over the VLTi link.

Spanning-Tree Protocol

VLT ports support RSTP, RPVST+, and MSTP.
● If the primary peer fails, the secondary peer takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption).
● In a VLT domain, the peer network devices must run the same OS10 software version.
NOTE: A temporary exception is allowed during the upgrade process. See the Dell EMC SmartFabric OS 10.5.0.x Release Notes for more information.
● Configure the same VLT domain ID on peer devices.
The following shows a scenario where VLT Peer A is being reloaded or going down: Until LACP convergence happens, the server continues to forward traffic to VLT Peer A resulting in traffic loss for a longer time interval.
These PDUs notify the server to direct the traffic to VLT Peer B, minimizing traffic loss.

Configure VLT

Verify that both VLT peer devices are running the same operating system version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer. Configure the following settings on each VLT peer device separately:
1. To prevent loops in a VLT domain, Dell EMC Networking recommends enabling STP globally using the spanning-tree mode command.
NOTE: If a VLT peer is reloaded, it automatically becomes the secondary peer regardless of the VLT primary-priority setting.
4. Configure VLTi interfaces with the no switchport command.
5. Configure the VLTi interfaces on each peer using the discovery-interface command. After you configure both sides of the VLTi, the primary and secondary roles in the VLT domain are automatically assigned if primary priority is not configured.
NOTE: Dell EMC recommends that you disable flow-control on discovery interfaces.
RPVST+ configuration

Configure RPVST+ on both the VLT peers. This creates an RPVST+ instance for every VLAN configured in the system. With RPVST+ configured on both VLT nodes, OS10 supports a maximum of 60 VLANs. The RPVST+ instances in the primary VLT peer control the VLT port channels on both the primary and secondary peers.

NOTE: RPVST+ is the default STP mode running on the switch. Use the following command only if you have another variant of STP running on the switch.
RSTP configuration ● Enable RSTP on each peer node in CONFIGURATION mode.
instance instance-number vlan from-vlan-id — to-vlan-id
4. Configure the MST revision number, from 0 to 65535.
MULTIPLE-SPANNING-TREE revision revision-number
5. Configure the MST region name.
MULTIPLE-SPANNING-TREE name name-string

The following example shows that both VLT nodes are configured with the same MST VLAN-to-instance mapping.
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 2714, Received: 1234
Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding
Port path cost 200000, Port priority 128, Port Identifier 128.2001
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1-1/1/2

Configure the VLT MAC address

You can manually configure the VLT MAC address. Configure the same VLT MAC address on both the VLT peer switches to avoid any unpredictable behavior during a VLT failover.
Configure the VLT backup link using the backup destination {ip-address | ipv6 ipv6-address} [vrf management] [interval interval-time] command. The interval range is from 1 to 30 seconds. The default interval is 30 seconds. Irrespective of the interval that is configured, when the VLTi link fails, the system checks for the heartbeat connection without waiting for the timed intervals, thus allowing faster convergence.

Example configuration:
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
VLT Peer 2 is not synchronized with the MAC address of Host 2 because the VLTi link is down. When traffic from Host 1 is sent to VLT Peer 2, VLT Peer 2 floods the traffic. When the VLT backup link is enabled, the secondary VLT Peer 2 identifies the node liveliness through the backup link. If the primary is up, the secondary peer brings down VLT port channels. The traffic from Host 1 reaches VLT Peer 1 and then reaches the destination, Host 2.
Role of VLT backup link in the prevention of loops during VLTi failure When the VLTi is down, STP may fail to detect any loops in the system. This failure creates a data loop in an L2 network. As shown, STP is running in all three switches: In the steady state, VLT Peer 1 is elected as the root bridge. When the VLTi is down, both the VLT nodes become primary. In this state, VLT Peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT Peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of the primary through the backup link. If the primary VLT peer is up, the secondary VLT peer brings down the VLT port channels. In this scenario, the STP opens up the orphan port and there is no loop in the system, as shown:

Configure a VLT port channel
A VLT port channel, also known as a virtual link trunk, links an attached device and VLT peer switches. OS10 supports a maximum of 128 VLT port channels per node.
1.
Configure VLT port channel — peer 1
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20

Configure VLT port channel — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20

Configure VLT peer routing
VLT peer routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. VLT supports unicast routing of both IPv4 and IPv6 traffic. To enable VLT unicast routing, both VLT peers must be in L3 mode.
Migrate VMs across data centers with eVLT OS10 switches support movement of virtual machines (VMs) across data centers using VRRP Active-Active mode. Configure symmetric VRRP with the same VRRP group ID and virtual IP in VLANs stretched or spanned across data centers. VMs use the VRRP Virtual IP address of the VLAN as Gateway IP. As the VLAN configurations are symmetric across data centers, you can move the VMs from one data center to another.
● Configure VRRP on L2 links between core routers:
C1(config)# interface vlan 100
C1(conf-if-vl-100)# ip address 10.10.100.1/24
C1(conf-if-vl-100)# vrrp-group 10
C1(conf-vlan100-vrid-10)# priority 250
C1(conf-vlan100-vrid-10)# virtual-address 10.10.100.
D1(config)# interface ethernet 1/1/4
D1(conf-if-eth1/1/4)# channel-group 10
D1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of core router:
D1(config)# router ospf 100
D1(config-router-ospf-100)# redistribute connected
D1(conf-router-ospf-100)# exit
D1(config)# interface vlan 200
D1(conf-if-vl-200)# ip ospf 100 area 0.0.0.
● Add members to port channel 20:
C2(config)# interface ethernet 1/1/5
C2(conf-if-eth1/1/5)# channel-group 20
C2(conf-if-eth1/1/5)# exit
C2(config)# interface ethernet 1/1/6
C2(conf-if-eth1/1/6)# channel-group 20
C2(conf-if-eth1/1/6)# exit

Sample configuration of D2:
● Configure VRRP on L2 links between core routers:
D2(config)# interface vlan 100
D2(conf-if-vl-100)# ip address 10.10.100.4/24
D2(conf-if-vl-100)# vrrp-group 10
D2(conf-vlan100-vrid-10)# virtual-address 10.10.100.
View VLT information
To monitor the operation or verify the configuration of a VLT domain, use a VLT show command on primary and secondary peers.
● View detailed information about the VLT domain configuration in EXEC mode, including VLTi status, local and peer MAC addresses, peer-routing status, and VLT peer parameters.
show vlt domain-id
● View the role of the local and remote VLT peer in EXEC mode.
show vlt domain-id role
● View any mismatches in the VLT configuration in EXEC mode.
Configuring delay-restore port - non-VLT
The following table shows how to configure delay-restore ports on an interface and with a timer value:

Table 127. Configuring delay-restore port on an interface
Step  Command                                              Description
1     OS10# configure terminal                             Enters Configuration mode.
2     OS10(config)# interface ethernet 1/1/1               Enters Interface configuration mode.
3     OS10(conf-if-eth1/1/1)# delay-restore-port enable    Enables delay-restore port.
Table 129. Configuring delay-restore orphan ports
Steps  Command                                                        Description
1      OS10# configure terminal                                       Enters Configuration mode.
2      OS10(config)# interface ethernet 1/1/1                         Enters Interface configuration mode.
3      OS10(conf-if-eth1/1/1)# vlt delay-restore orphan-port enable   Enables delay-restore orphan port.
4      OS10(conf-if-eth1/1/1)# exit                                   Exits Interface configuration mode and enters Configuration mode.
5      OS10(conf)# vlt-domain 1                                       Enters VLT domain mode.
When VLTi fails and the VLT heartbeat is down, both the VLT peers become primary (split brain). Ethernet1/1/1 is kept up on both the VLT peers. When VLTi recovers, election occurs. The port remains up in the peer elected as the primary node. In the secondary VLT peer, ethernet1/1/1 is brought down (since ignore vlti-failure configuration is disabled) and the delay-restore timer is started. A syslog indicating that the delay-restore timer has started is displayed on the console.
Table 131. Disable delay-restore orphan ports (continued)
Steps  Command                                                                        Description
3      OS10(conf-if-eth1/1/1)# no vlt delay-restore orphan-port ignore-vlti-failure   Disables orphan port to ignore VLTi failures.
4      OS10(conf-if-eth1/1/1)# no vlt delay-restore orphan-port enable                Disables delay-restore orphan port.

The following table provides the behavior of orphan ports with different DROP configurations and events:
Table 132.
If delay-restore orphan ports are configured in the system and the VLT domain is removed, the delay-restore orphan-port commands are considered inactive; the delay-restore timer is not applied to orphan ports. After the VLT domain is configured again, the commands become active again on the configured interfaces.
device was up at the time the VLTi link failed, use this command after you reload a VLT device. The no version of this command resets the delay time to the default value.
Example             OS10(conf-vlt-1)# delay-restore 100
Supported Releases  10.3.0E or later

delay-restore-port enable
Enables or disables delay-restore configuration at interface level.
Syntax              delay-restore-port enable
                    To disable the delay-restore configuration, enter the no delay-restore-port enable command.
Parameters          None.
delay-restore-port timeout Configures delay-restore port timer value. Syntax delay-restore-port timeout timeout-value To remove configured timer value and return to default, enter the no delay-restore-port timeout command. Parameters ● timeout timeout-value - Enter the keyword timeout followed by the timeout value. The range is from 1 to 1200.
peer-routing
Enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed.
Syntax              peer-routing
Parameters          None
Default             Disabled
Command Mode        VLT-DOMAIN
Usage Information   The no version of this command disables peer routing.
Example             OS10(conf-vlt-1)# peer-routing
Supported Releases  10.2.0E or later

peer-routing-timeout
Configures the delay after which the system disables peer routing when the peer is not available.
● If the heartbeat is up and the VLTi link goes down between the VLT peers, both the VLT peers retain their primary and secondary roles. However, the VLT port channel on the secondary VLT peer shuts down.
NOTE: When you configure a priority for VLT peers using this command, the configuration does not take effect immediately. The primary priority configuration comes into effect the next time election is triggered.
Example             OS10(conf-vlt-1)#primary-priority 2
Supported Releases  10.4.1.
Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 11, Received: 7 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID --------------------------------------------------------------------------------------------VFP(VirtualFabricPort) 0.1 0 1 FWD 0 32768 0078.7614.6062 0.
Example (MSTP information on VLT)
OS10# show spanning-tree virtual-interface detail
Port 1 (VFP(VirtualFabricPort)) of MSTI 0 is designated Forwarding
Port path cost 0, Port priority 128, Port Identifier 128.1
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
show vlt
Displays information on a VLT domain.
Syntax              show vlt domain-id delay-restore-orphan-port
Parameter           ● domain-id — Enter a VLT domain ID, from 1 to 255.
                    ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status.
Default             Not configured
Command Mode        EXEC
Usage Information   In the following example, the status of the VLT node should be up.
Po1 Po4 Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/10 Po4 Supported Releases 10.2.0E or later show vlt domain-id delay restore orphan port Displays the delay restore orphan port information on a VLT domain. Syntax show vlt domain-id delay-restore-orphan-port Parameter ● domain-id — Enter a VLT domain ID, from 1 to 255. ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status.
Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/10 Po4 Supported Releases 10.5.2.0 or later show vlt backup-link Displays detailed status of the heartbeat Syntax show vlt domain-id backup-link Parameters domain-id — Enter the VLT domain ID.
Default egress mask: In-ports qualifier : ethernet1/1/1-1/1/2 Blocked ports : ethernet1/1/1-1/1/2, 1/1/10-1/1/14, 1/1/16 Supported Releases 10.5.2.1 or later show vlt error-disabled-ports Displays VLT ports that are in the error-disabled state. Syntax show vlt id error-disabled-ports Parameters id—Enter the VLT domain ID, from 1 to 255. Default Not configured Command Mode EXEC Usage Information Use this command to view VLT ports that are in error-disabled state.
Use this command if there are traffic convergence issues.
Example
OS10# show vlt-mac-inconsistency
Checking Vlan 228 ..
Found 7 inconsistencies ..
No mismatch
VLAN mismatch:
No mismatch
VLT VLAN mismatch:
No mismatch

Example (mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID    Peer-routing
-----------------------------------
* 1            Enabled
  2            Disabled
VLAN mismatch:
No mismatch
VLT VLAN mismatch:
VLT ID : 1
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2
VLT ID : 2
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2

Example (mismatch peer routing)
Example (mismatch VLAN)
OS10# show vlt
Example (mismatch — Virtual Network (VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) OS10# show vlt all mismatch virtual-network Virtual Network Name Mismatch: VLT Unit ID Mismatch Virtual Network List ---------------------------------------------------------------------------1 10,104 * 2 OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans -------------------------
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.25
* 2            10.16.128.20
Virtual-network: 20
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.26
* 2            10.16.128.30

Example (Anycast IP addresses not configured on one of the virtual networks on both peers)
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.
Example (mismatch VLAN anycast IP)
OS10# show vlt 1 mismatch vlan-anycast
VLAN anycast ip Mismatch:
VLAN: 2000
VLT Unit ID    Anycast-IPs
----------------------------------------------------------------------------
* 1            64::100, 64.6.7.88
  2            100::100, 100.101.102.100
VLAN: 3000
VLT Unit ID    Anycast-IPs
----------------------------------------------------------------------------
* 1            100.101.102.
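The mismatch report shown in the examples above is the quickest way to spot configuration drift between VLT peers, so it is worth checking automatically after every change. The following parser is an added example, not Dell EMC code: the sample is constructed from the page's `show vlt 1 mismatch` output with line breaks restored (column spacing is an assumption), and the function names are hypothetical.

```python
import re

# Constructed sample: the page's "show vlt 1 mismatch" example with line breaks
# restored. Column spacing is an assumption; the tokens come from the page.
SAMPLE = """\
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID    Peer-routing
-----------------------------------
* 1            Enabled
  2            Disabled
VLAN mismatch:
No mismatch
VLT VLAN mismatch:
VLT ID : 1
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2
VLT ID : 2
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2
"""

SECTION_RE = re.compile(r"^(.+\bmismatch):$", re.IGNORECASE)
SCOPE_RE = re.compile(r"^(VLT ID|VLAN|Virtual[- ]network)\s*:\s*(\S+)$", re.IGNORECASE)
ROW_RE = re.compile(r"^(\*)?\s*(\d+)(?:\s+(.*))?$")


def parse_vlt_mismatch(text):
    """Return {section: [row, ...]}; an empty list means the section is clean."""
    report, section, scope = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or table rule
        m = SECTION_RE.match(line)
        if m:                             # e.g. "Peer-routing mismatch:"
            section, scope = m.group(1), None
            report[section] = []
            continue
        if section is None or line.lower() == "no mismatch":
            continue                      # CLI prompt line, or a clean section
        m = SCOPE_RE.match(line)
        if m:                             # e.g. "VLT ID : 1" or "VLAN: 2000"
            scope = f"{m.group(1)} {m.group(2)}"
            continue
        m = ROW_RE.match(line)
        if m:                             # column headers never start with a digit
            report[section].append({
                "scope": scope,
                "unit": int(m.group(2)),
                "value": (m.group(3) or "").strip(),
                # The page states that * marks a local mismatch.
                "local": m.group(1) is not None,
            })
    return report


def mismatched_sections(report):
    """Names of the sections that list at least one differing row."""
    return [name for name, rows in report.items() if rows]


def findings(report):
    """One readable line per differing row, suitable for an alert or a ticket."""
    out = []
    for section, rows in report.items():
        for r in rows:
            where = f" [{r['scope']}]" if r["scope"] else ""
            side = "local" if r["local"] else "peer"
            value = r["value"] or "<empty>"
            out.append(f"{section}{where}: unit {r['unit']} ({side}) = {value}")
    return out


if __name__ == "__main__":
    for line in findings(parse_vlt_mismatch(SAMPLE)):
        print(line)
```

An empty result from `mismatched_sections` corresponds to the all "No mismatch" output; anything else names the sections to reconcile on both peers.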
Parameters          id — Enter the VLT domain ID, from 1 to 255.
Default             Not configured
Command Mode        EXEC
Usage Information   The * in the mismatch output indicates a local mismatch.
Example             OS10# show vlt 1 role
                    VLT Unit ID    Role
                    ------------------------
                    * 1            primary
                      2            secondary
Supported Releases  10.2.0E or later

show vlt vlt-port-detail
Displays detailed status information about the VLT ports.
Syntax              show vlt id vlt-port-detail
Parameters          id — Enter a VLT domain ID, from 1 to 255.
Example             OS10(config)# vlt-domain 1
Supported Releases  10.2.0E or later

vlt delay-restore orphan-port enable
Enables or disables delay-restore orphan port on an interface.
Syntax              vlt delay-restore orphan-port enable
                    To disable the delay-restore orphan port configuration, enter the no delay-restore orphan-port enable command.
Parameters          None.
vlt delay-restore orphan-port ignore vlti-failure Considers or ignores VLTi failures for delay-restore orphan port. Syntax vlt delay-restore orphan-port ignore vlti-failure To disable the delay-restore orphan port configuration, enter the no delay-restore orphan-port ignore vlti-failure command. Parameters None. Default Disabled Command Mode INTERFACE CONFIGURATION MODE Usage Information Use the range command to enable delay-restore orphan ports on all interfaces or on selected range of interfaces.
Example (peer 1)    OS10(conf-if-po-10)# vlt-port-channel 1
Example (peer 2)    OS10(conf-if-po-20)# vlt-port-channel 1
Supported Releases  10.2.0E or later

vlt-mac
Configures a MAC address for all peer switches in a VLT domain.
Syntax              vlt-mac mac-address
Parameters          mac-address — Enter a MAC address for the topology in nn:nn:nn:nn:nn:nn format.
23 Uplink Failure Detection Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection
Consider the following before configuring an uplink-state group:
● An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
● An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● If you disable an uplink-state group, the downstream interfaces are not disabled, regardless of the state of the upstream interfaces.
● If you do not assign upstream interfaces to an uplink-state group, the downstream interfaces are not disabled.
Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)

OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)

OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 133. UFD on VLT network (continued)

Event: VLTi Link is operationally up with heartbeat up
  VLT action on primary node: No action
  VLT action on secondary node: VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink.
  UFD action: UFD receives operationally up of upstream VLT port-channel and sends clear error-disable of downstream VLT port-channel to IFM.

Event: Reboot of VLT secondary peer
  VLT action on primary node: No action
  VLT action on secondary node: After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT The following examples show some of the uplink-state groups on VLT. In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members. In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
UFD commands

clear ufd-disable
Overrides the uplink-state group configuration and brings up the downstream interfaces.
Syntax              clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters          ● interface-type — Enter the interface type.
                    ● group-id — Enter the uplink state group ID, from 1 to 32.
Default             None
Command Mode        EXEC
Usage Information   This command manually brings up a disabled downstream interface that is in a UFD-disabled error state.
Mode. See upstream CLI command for more information. The no version of this command removes the interface from the uplink-state group.
Example             OS10(config)# uplink-state-group 1
                    OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases  10.4.0E(R3) or later

downstream auto-recover
Enables auto-recovery of the disabled downstream interfaces.
Usage Information   The no version of this command disables tracking of an uplink-state group.
Example             OS10(config)# uplink-state-group 1
                    OS10(conf-uplink-state-group-1)# enable
Supported Releases  10.4.0E(R3) or later

name
Configures a descriptive name for the uplink-state group.
Syntax              name string
Parameters          string — Enter a description for the uplink-state group. A maximum of 32 characters.
● detail — Displays detailed information on the status of the uplink-state groups.
Supported Releases  10.4.0E(R3) or later

uplink-state-group
Creates an uplink-state group and enables upstream link tracking.
Syntax              uplink-state-group group-id
Parameters          group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default             None
Command Mode        CONFIGURATION
Usage Information   The no version of this command removes the uplink-state group.
Example             OS10(config)# uplink-state-group 1
Supported Releases  10.4.
24 Converged data center services OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic. ● 802.1Qbb — Priority flow control ● 802.
Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● Provisioning PFC is not supported when deep buffer mode is enabled. ● Configure the traffic class ID to queue mapping policy on egress interfaces. ● You cannot enable PFC on all the physical interfaces, when you have split the ports to multiple breakout interfaces. For more information, see the 'PFC configuration notes' section in the Dell EMC SmartFabric OS10 User Guide.
● Apply the default trust map specifying that dot1p values are trusted in SYSTEM-QOS or INTERFACE mode. trust-map dot1p default Configure a non-default dot1p-priority-to-traffic class mapping 1. Configure a trust map of dot1p traffic classes in CONFIGURATION mode. A trust map does not modify ingress dot1p values in output flows. Assign a qos-group to trusted dot1p values in TRUST mode using 1-to-1 mappings. Dot1p priorities are 0 to 7.
Default TC-to-queue mapping format
The following is the format for Z9332F-ON:
Default Traffic-Class to Queue Map
Traffic Class   Queue Number   Type
---------------------------------------------
0               0              Unicast
0-2             0              Multicast
1               1              Unicast
3-5             1              Multicast
2               2              Unicast
6-7             2              Multicast
3               3              Unicast
4               4              Unicast
5               5              Unicast
6               6              Unicast
7               7              Unicast

The following is the default TC-to-Queue Mapping format:
Default Traffic-Class to Queue Map
Traffic-Class   Queue number   Type
----------------------------------------
0               0              Both
1               1              B
4. (Optional) Configure the PFC shared buffer for lossless traffic. Create PFC dot1p traffic classes 1. Create a network-qos class map to classify PFC traffic classes in CONFIGURATION mode, from 1 to 7. Specify the traffic classes using the match qos-group command. QoS-groups map 1:1 to traffic classes 1 to 7; for example, qos-group 1 corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
PFC is enabled on traffic classes with dot1p 3 and 4 traffic. The two traffic classes require different ingress queue processing. In the network-qos pp1 policy map, class cc1 uses customized PFC buffer size and pause frame settings; class cc2 uses the default settings.
1 2 3 4 5 6 7 - - - - - - - - - - - - - - - - - - - - 9360 static 12779520 - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 121
pause Configures the ingress buffer size and buffer threshold limit for pause and resume operations. Syntax pause [buffer-size kilobytes pause-threshold kilobytes resume-threshold kilobytes] Parameters ● buffer-size kilobytes — Enter the reserved (guaranteed) ingress-buffer size in kilobytes for PFC dot1p traffic, from 0 to 7787.
mapping, see PFC configuration notes. A PFC traffic class requires a 1-to-1 mapping — only one dot1p value is mapped to a qos-group number. Example Example (policymap) Supported Releases OS10(config)# class-map type network-qos cc1 OS10(conf-cmap-nqos)# match qos-group 3 OS10(conf-cmap-nqos)# exit OS10(config)# policy-map type network-qos pp1 OS10(conf-pmap-network-qos)# class cc1 OS10(conf-pmap-c-nqos)# pfc-cos 3 10.3.
queue-limit Sets the static and dynamic thresholds that are used to limit the shared-buffer size of PFC traffic-class queues. Syntax queue-limit {thresh-mode [static kilobytes | dynamic weight]} Parameters ● thresh-mode —Specifies the Buffer threshold mode. ● static kilobytes — Enter the static followed by the fixed shared-buffer limit available for PFC traffic-class queues in kilobytes, from 0 to 7787.
Supported Releases 10.3.0E or later Enhanced transmission selection ETS provides customized bandwidth allocation to 802.1p classes of traffic. Assign different amounts of bandwidth to Ethernet, FCoE, or iSCSI traffic classes that require different bandwidth, latency, and best-effort treatment during network congestion. ETS divides traffic into different priority groups using their 802.1p priority value.
1. Configure trust maps of dot1p and DSCP values in CONFIGURATION mode. A trust map does not modify ingress values in output flows. Assign a qos-group, traffic class from 0 to 7, to trusted dot1p/DSCP values in TRUST mode. A qos-group number is used only internally to schedule classes of ingress traffic. Enter multiple dot1p and dscp values in a hyphenated range or separated by commas.
8. Apply the queuing policy to egress traffic in SYSTEM-QOS or INTERFACE mode. service-policy output type queuing policy—map-name 9. Enable ETS globally in SYSTEM-QOS mode or on an interface/interface range in INTERFACE mode. NOTE: If you have not enabled PFC on all the interfaces, this configuration at the global level is not required. Enable ETS on the specific interfaces.
View QoS maps: traffic-class to queue mapping OS10# show qos maps Traffic-Class to Queue Map: tc-q-map1 queue 0 qos-group 0 queue 1 qos-group 1 Traffic-Class to Queue Map: dot1p_map1 qos-group 0 dot1p 0-3 qos-group 1 dot1p 4-7 DSCP Priority to Traffic-Class Map : dscp_map1 qos-group 0 dscp 0-31 qos-group 1 dscp 32-63 ETS commands ets mode on Enables ETS on an interface.
DCBX configuration notes ● DCBX is a prerequisite for using DCB features, such as PFC and ETS, to exchange link-level configurations in a converged network. ● DCBX, when deployed in topologies, enables lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices in the topology must have DCBX-enabled. ● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC or ETS configuration with directly connected DCB peers.
● OS10 supports DCBX versions CEE and IEEE2.5. ● If ETS and PFC are enabled, DCBX advertises ETS configuration, ETS recommendation, and PFC configuration. When you configure application-specific parameters such as FCoE or iSCSI to be advertised, DCBX advertises the respective Application Priority TLVs. ● A DCBX-enabled port operates only in a manual role. In this mode, the port operates only with user-configured settings and does not autoconfigure with DCB settings that are received from a DCBX peer.
Interface ethernet1/1/3 Port Role is Manual DCBX Operational Status is Disabled Reason: Port Shutdown Is Configuration Source? FALSE Local DCBX Compatibility mode is AUTO Local DCBX Configured mode is AUTO Peer Operating version is Not Detected Local DCBX TLVs Transmitted: erpfi 0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC 0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 0 Input Appln Priority TLV pkts, 0 Output Appln Priority Prio
Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
Local ISCSI PriorityMap is 0x10 Remote ISCSI PriorityMap is 0x10 220 Input TLV pkts, 350 Output TLV pkts, 0 Error pkts 71 Input Appln Priority TLV pkts, 80 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts View DCBX ETS TLV status OS10# show lldp dcbx interface ethernet 1/1/15 ets detail Interface ethernet1/1/15 Max Supported PG is 8 Number of Traffic Classes is 8 Admin mode is on Admin Parameters : -----------------Admin is enabled PG-grp Priority# Bandwidth TSA ------------------------------
DCBX commands dcbx enable Enables DCBX globally on all interfaces. Syntax dcbx enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode        INTERFACE
Usage Information   In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example             OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases  10.3.0E or later

debug dcbx
Enables DCBX debugging.
Supported Releases  10.3.0E or later

show debug dcbx
Displays the list of debug options that are enabled for DCBX.
Syntax              show debug dcbx
Parameters          None
Command Mode        EXEC
Usage Information   None
Example             OS10# show debug dcbx
                    Dcbx debug settings:
                    debug dcbx all
                    no debug dcbx events interface mgmt
                    debug dcbx pdu in interface ethernet 1/1/1
Supported Releases  10.5.1.0 or later

show lldp dcbx
Displays the DCBX configuration and PFC or ETS TLV status on an interface.
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC pkts
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts
0 Input Appln Priority TLV pkts, 0 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecogn
Interface ethernet1/1/15
Port Role is Manual
DCBX Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBX Compatibility mode is IEEEv2.5
Local DCBX Configured mode is IEEEv2.5
Peer Operating version is IEEEv2.
6                  0%         SP
7                  0%         SP
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts

Example (PFC detail)
OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail
Interface ethernet1/1/15
Admin mode is on
Admin is enabled, Priority list is 4,5,6,7
Remote is enabled, Priority list is 4,5,6,7
Remote
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment. iSCSI configuration notes ● Enable iSCSI optimization so the switch autodetects and autoconfigures Dell EMC EqualLogic storage arrays that are directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device. interface ethernet node/slot/port:[subport] interface range ethernet node/slot/port:[subport]-node/slot/port[:subport] 2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flowcontrol receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.1 or later, the existing iSCSI configuration is retained and the flowcontrol receive could be set to on or off, depending on the iSCSI configuration before the upgrade.
Command Mode CONFIGURATION Usage Information iSCSI optimization automatically detects storage arrays and autoconfigures switch ports with the iSCSI parameters that are received from a connected device. The no version of this command disables iSCSI autodetection. Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flow control receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.
iscsi session-monitoring enable Enables iSCSI session monitoring. Syntax iscsi session-monitoring enable Parameter None Default Disabled Command Mode CONFIGURATION Usage Information To configure the aging timeout in iSCSI monitoring sessions, use the iscsi aging time command. To configure the TCP ports that listen for connected storage devices in iSCSI monitoring sessions use the iscsi target port command. The no version of this command disables iSCSI session monitoring.
Example Supported Releases OS10(conf-if-eth1/1/1)# lldp tlv-select dcbxp-appln iscsi 10.3.0E or later show iscsi Displays the current configured iSCSI settings. Syntax show iscsi Parameters None Command Mode EXEC Usage Information This command output displays global iSCSI configuration settings. To view target and initiator information use the show iscsi session command.
Initiator:iqn.1991-05.com.microsoft:win-rlkpjo4jun2
Up Time:00:00:16:02(DD:HH:MM:SS)
Time for aging out:29:23:59:35(DD:HH:MM:SS)
ISID:400001370000
Initiator     Initiator  Target       Target    Connection
IP Address    TCP Port   IP Address   TCP Port  ID
----------------------------------------------------------
10.10.10.210  54835      10.10.10.40  3260      1
Supported Releases  10.3.0E or later

show iscsi storage-devices
Displays information about the storage arrays directly attached to OS10 ports.
2. PFC configuration (global) PFC is enabled on traffic classes with dot1p 4, 5, 6, and 7 traffic. All the traffic classes use the default PFC pause settings for shared buffer size and pause frames in ingress queue processing in the network-qos policy map. The trust-map dot1p default honors (trusts) all dot1p ingress traffic.
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# exit
OS10(config)# policy-map type queuing pmap1
OS10(config-pmap-queuing)# class cmap1
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# class cmap2
OS10(config-pmap-c-que)# bandwidth percent 70
OS10(config-pmap-c-que)# end
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default
5.
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
8.
PG-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0       0,1,2,3,   30%        ETS
1       4,5,6,7    70%        ETS
2                  0%         ETS
3                  0%         ETS
4                  0%         ETS
5                  0%         ETS
6                  0%         ETS
7                  0%         ETS
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
2 Input Reco TLV Pkts, 27 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
10.
4 Input Appln Priority TLV pkts, 3 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
12. DCBX configuration (interface)
This example shows how to configure and verify different DCBX versions.
service-policy input type network-qos test
trust-map dot1p default
service-policy output type queuing pmap1
ets mode on
qos-map traffic-class tmap2
trust-map dot1p tmap1
priority-flow-control mode on
OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53
E-ETS Configuration TLV enabled          e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled         r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled          p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled  f-Appl
25 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Enable sFlow in CONFIGURATION mode.
sflow enable
● Disable sFlow in CONFIGURATION mode.
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
 sflow enable
!
Collector configuration
Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both.
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collector(s) configured
Collector IP addr:4.4.4.1 Agent IP addr:1.1.1.1 UDP port:6343 VRF:RED
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
Polling-interval configuration
The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics.
● Set the sampling rate in CONFIGURATION mode, from 4096 to 65535. The default is 32768.
sflow sample-rate sampling-size
● Disable packet sampling in CONFIGURATION mode.
no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface loopback 1
OS10(config)# sflow source-interface vlan 10
View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343
OS10(config)#show running-configuration interface vlan
!
interface vlan1
 no shutdown
!
interface vlan10
 no shutdown
 ip address 10.1.1.
● View the sFlow running configuration in EXEC mode.
OS10# show running-configuration sflow
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
 sflow enable
!
sFlow commands
sflow collector
Configures an sFlow collector IP address where sFlow datagrams are forwarded. You can configure a maximum of two collectors.
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables sFlow.
sflow sample-rate
Configures the sampling rate.
Syntax sflow sample-rate value
Parameter value — Enter the packet sample rate, from 4096 to 65535. The default is 32768.
Default 32768
Command Mode CONFIGURATION
Usage Information Sampling rate is the number of packets skipped before the sample is taken. For example, if the sampling rate is 4096, one sample is generated for every 4096 packets observed. The no version of the command resets the sampling rate to the default value.
Parameter interface type — (Optional) Enter either ethernet or port-channel for the interface type.
Command Mode EXEC
Usage Information OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
26 Telemetry
Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
Table 136. BGP peers
YANG Container                      Minimum sampling interval (milliseconds)
infra-bgp/peer-state/peer-status    0
Buffer statistics
Table 137. Buffer statistics
YANG Container                      Minimum sampling interval (milliseconds)
base-qos/queue-stat                 15000
base-qos/priority-group-stat        15000
base-qos/buffer-pool-stat           15000
base-qos/buffer-pool                15000
Device information
Table 138.
System statistics
Table 142. System statistics
YANG Container                  Minimum sampling interval (milliseconds)
system-status/current-status    15000
Configure telemetry
NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site.
To enable the streaming of telemetry data to destinations in a subscription profile:
1. Enable telemetry on the switch.
2. Configure a destination group.
3.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode. Only one destination is supported in the 10.4.3.0 release. You can enter a fully qualified domain name (FQDN) for ip-address. The destination domain name resolves to an IP address — see System domain name and list.
View telemetry configuration
Use the following show commands to display telemetry configuration.
OS10# show telemetry
Telemetry Status : enabled
-- Telemetry Destination Groups --
Group : dest1
Destination : 10.11.56.
View destination group
OS10# show telemetry destination-group
Telemetry Status : enabled
-- Telemetry Destination Groups --
Group : dest1
Destination : 10.11.56.
Encoding : gpb
Transport : grpc TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.204:40001 is in connected state
Verify telemetry in running configuration
OS10# show running-configuration telemetry
!
telemetry
 enable
 !
 destination-group dest1
  destination 10.11.56.
Default Telemetry is disabled on the switch.
Command mode CONFIGURATION
Usage information Enable and disable streaming telemetry in Telemetry mode.
Example OS10(config)# telemetry
OS10(conf-telemetry)#
Supported releases 10.4.3.0 or later
enable
Enables telemetry on the switch.
Syntax enable
Parameters None
Default Telemetry is disabled.
Command mode TELEMETRY
Usage information Enter the no enable command to disable telemetry.
Example OS10(conf-telemetry)# enable
Supported releases 10.4.
● domain-name — Enter the fully qualified domain name of the destination device. A maximum of 32 characters.
● port-number — Enter the transport-service port number to which telemetry data is sent on the destination device.
Default Not configured
Command mode DESTINATION-GROUP
Usage information When you associate a destination group with a subscription, telemetry data is sent to the IP address and port specified by the destination command. In the 10.4.3.0 release, only one destination is supported.
Supported releases 10.4.3.0 or later
sensor-group (subscription-profile)
Assigns a sensor group with sampling interval to a subscription profile for streaming telemetry.
Usage information This command assigns the sensors from which data is collected for streaming telemetry to a subscription profile and specifies the sampling rate. To add sensor groups to the subscription profile, reenter the command. The interface sensor group supports only physical and port channel interfaces. The no version of this command deletes the sensor group from the subscription profile. NOTE: The subscription profile should contain either OS10 sensor groups or openconfig sensor groups.
transport
Configures the transport protocol used to stream telemetry data to a remote management device.
Syntax transport protocol [no-tls]
Parameters
● protocol — Enter the gRPC (Google remote procedure call) transport protocol used for telemetry sessions.
● no-tls — (Optional) Disable Transport Layer Security (TLS) certificate exchange with gRPC transport.
Default OS10 telemetry uses the gRPC protocol for transport with TLS certificates enabled.
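A check for the no-tls option described above, as an added example that is not Dell EMC code: it parses show telemetry output and lists the subscription profiles that stream without TLS. The field labels come from the output shown in this chapter; the sample text is constructed, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Field labels as they appear in the show telemetry output in this chapter.
_LABEL = re.compile(
    r"\b(Name|Destination Groups\(s\)|Encoding|Transport|TLS|"
    r"Source Interface|Active|Reason)\s*:\s*"
)
# One row of the "Sensor-group  Sample-interval" table.
_SENSOR_ROW = re.compile(r"([A-Za-z][\w-]*)\s+(\d+)")

# Constructed sample; values are illustrative, not captured from a switch.
SAMPLE_OUTPUT = """\
Telemetry Status : enabled

Name : subscription-1
Destination Groups(s) : dest1
Sensor-group Sample-interval
-----------------------------------
interface 180000
system 300000
Encoding : gpb
Transport : grpc TLS : disabled
Source Interface : ethernet1/1/1
Active : true

Name : subscription-2
Destination Groups(s) : dest2
Sensor-group Sample-interval
-----------------------------------
oc-system 15000
Encoding : gpb
Transport : grpc TLS : enabled
Source Interface : ethernet1/1/1
Active : false
"""


@dataclass
class Profile:
    name: str
    attrs: dict = field(default_factory=dict)
    sensors: dict = field(default_factory=dict)


def _first(value):
    """First whitespace-delimited token of a field value, or ''."""
    parts = value.split()
    return parts[0] if parts else ""


def parse_profiles(text):
    """Split the output on known labels, so it works whether each field is
    on its own line or the whole output has been flattened onto one line."""
    parts = _LABEL.split(text)  # [preamble, label, value, label, value, ...]
    profiles = []
    for label, value in zip(parts[1::2], parts[2::2]):
        if label == "Name":
            profiles.append(Profile(name=_first(value)))
            continue
        if not profiles:
            continue  # field seen before any profile header
        current = profiles[-1]
        if label == "Destination Groups(s)":
            head, _, table = value.partition("---")
            current.attrs[label] = _first(head)
            rows = _SENSOR_ROW.findall(table.lstrip("-"))
            current.sensors = {name: int(ms) for name, ms in rows}
        elif label == "Reason":
            current.attrs[label] = " ".join(value.split())
        else:
            current.attrs[label] = _first(value)
    return profiles


def cleartext_profiles(text):
    """Return one finding per profile whose TLS field reads 'disabled'."""
    findings = []
    for profile in parse_profiles(text):
        if profile.attrs.get("TLS", "").lower() != "disabled":
            continue
        findings.append({
            "profile": profile.name,
            "destination_group": profile.attrs.get("Destination Groups(s)", ""),
            "transport": profile.attrs.get("Transport", ""),
            "streaming_now": profile.attrs.get("Active", "").lower() == "true",
            "sensor_groups": sorted(profile.sensors),
        })
    return findings


if __name__ == "__main__":
    for finding in cleartext_profiles(SAMPLE_OUTPUT):
        print(finding)
```

A profile that is flagged with streaming_now set is sending the listed sensor groups to its destination without TLS at the time the output was taken.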
show telemetry
Displays the configured destination-group, sensor-group, and subscription profiles for streaming telemetry.
Syntax show telemetry [destination-group [group-name] | sensor-group [group-name] | subscription-profile [profile-name]]
Parameters
● destination-group — Display only destination groups or a specified group.
● sensor-group — Display only sensor groups or a specified group.
● subscription-profile — Display only subscription profiles or a specified profile.
Sensor Path : openconfig-lacp/lacp
Group : oc-lag
Sensor Path : openconfig-interfaces/interfaces/interface
Group : oc-lldp
Sensor Path : openconfig-lldp/lldp
Group : oc-stp
Sensor Path : openconfig-spanning-tree/stp
Group : oc-system
Sensor Path : openconfig-system/system
Sensor Path : openconfig-platform/components/component
Group : oc-vendor-ufd
Sensor Path : ufd/uplink-state-group-stats/ufd-groups
Group : oc-vendor-vxlan
Sensor Path : vxlan/vxlan-state/remote-endpoint/stats
Group : oc-vlan
Sensor Path :
Sensor Path : openconfig-bgp/bgp/neighbors/neighbor
Sensor Path : openconfig-bgp/bgp/rib/afi-safis/afi-safi
Group : oc-buffer
Sensor Path : openconfig-qos/qos/interfaces/interface
Group : oc-device
Sensor Path : openconfig-platform/components/component
Sensor Path : openconfig-network-instance/network-instances/network-instance
Group : oc-environment
Sensor Path : openconfig-platform/components/component
Group : oc-interface
Sensor Path : openconfig-interfaces/interfaces/interface
Group : oc-lacp
Sensor Path
Name : subscription-2
Destination Groups(s) : dest2
Sensor-group        Sample-interval
-----------------------------------
oc-bfd              15000
oc-bgp              15000
oc-buffer           15000
oc-device           15000
oc-environment      15000
oc-interface        15000
oc-lacp             15000
oc-lag              0
oc-lldp             15000
oc-stp              15000
oc-system           15000
oc-vendor-ufd       15000
oc-vendor-vxlan     15000
oc-vlan             15000
oc-vrrp             15000
Encoding : gpb
Transport : grpc TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The conne
Sensor Path : infra-bgp/peer-state/peer-status
Group : buffer
Sensor Path : base-qos/queue-stat
Sensor Path : base-qos/priority-group-stat
Sensor Path : base-qos/buffer-pool-stat
Sensor Path : base-qos/buffer-pool
Group : device
Sensor Path : base-pas/chassis
Sensor Path : base-pas/card
Sensor Path : base-switch/switching-entities/switch-stats
Group : environment
Sensor Path : base-pas/entity
Sensor Path : base-pas/psu
Sensor Path : base-pas/fan-tray
Sensor Path : base-pas/fan
Sensor Path : base-pas/led
Sen
interface           180000
lag                 0
system              300000
Encoding : gpb
Transport : grpc TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.
27 RESTCONF API
RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-256-gcm-SHA384
rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
rest api restconf
RESTCONF API configuration
OS10(config)# rest https server-certificate name OS10.dell.
Error
{"ietf-restconf:errors":{"error":[{"error-type":"rpc","error-tag":"invalid-value","error-app-tag":"data-invalid","error-path":"/classifier-entry","error-message":"unknown resource instance","error-info":{"bad-value":"/restconf/data/dell-diffserv-classifier:classifier-entry=test","error-number":388}}]}}
POST request
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"dell-diffserv-classifier:classifier-entry": [{"name":"test","mtype":"qos","match":"m
Translated RESTCONF requests example
Config command
OS10# cli mode rest-translate
Commands executed in this mode will not alter current system state.
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system-software:system-sw-state/sw-version
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system:system-state/system-status
Action/RPC based command
OS10# cli mode rest-translate
Commands executed in this mode will not alter current system state.
Do you want to proceed? [confirm yes/no]:yes
REST-TRANSLATE-OS10# configure terminal
CLI command: configure terminal
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-mgmt-cm:cms
REST-TRANSLATE-OS10(config)# interface ethernet 1/1/1
CLI command: interface ethernet 1/1/1
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"ietf-interfaces:interfaces":{"int
REST Token-Based Authentication
Limitations
The following limitations are applicable in 10.5.1:
● REST token authentication is disabled when FIPS mode is enabled.
Acquire new token
You can acquire a new token by calling the Login REST API. A successful Login API call using basic authentication generates a new set of tokens.
$ curl -X GET -k -u admin:admin -H "Content-Type: application/json" https://$TARGET/login
{ "access_token": "abc.123.xyz", "token_type": "bearer", "refresh_token": "efg.456.
CLI commands for RESTCONF API
rest api restconf
Enables the RESTCONF API service on the switch.
Syntax rest api restconf
Parameters None
Default RESTCONF API is disabled.
Command Mode CONFIGURATION
Usage Information
● After you enable the RESTCONF API, you can send curl commands in HTTPS requests from a remote device.
● The no version of the command disables the RESTCONF API.
Example OS10(config)# rest api restconf
Supported Releases 10.4.1.
Usage Information The no version of the command removes the host name from the SSL server certificate.
Example OS10(config)# rest https server-certificate name 10.10.10.10
Supported Releases 10.4.1.0 or later
rest https session timeout
Configures the timeout a RESTCONF HTTPS connection uses.
Syntax rest https session timeout seconds
Parameters seconds — Enter the switch timeout for an HTTPS request from a RESTCONF client, from 30 to 65535 seconds.
Usage Information This command disables translation of CLI commands into equivalent RESTCONF requests in the current session.
Example REST-TRANSLATE-OS10# no cli mode
Supported Releases 10.5.1.0 or later
show cli mode
Displays the current CLI session mode.
Syntax show cli mode
Parameters None
Default None
Command Mode Exec
Usage Information This command displays the active mode of the current CLI session and also the file name where the RESTCONF requests are stored.
rest authentication token max-refresh
Configures the maximum refresh time.
Syntax rest authentication token max-refresh count
Parameters count — Enter the refresh count limit, from 0 to 10. The count indicates the maximum number of times the tokens refresh. If you do not want to refresh, enter 0.
Default 3
Command Mode CONFIGURATION
Usage Information This command updates the maximum number of times the tokens refresh. The no version of the command resets the count to the default value.
● -u specifies the user name and password to use for server authentication.
● -k specifies a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line. Use the IP address or URL of the OS10 switch when you access the OS10 RESTCONF API from a remote orchestration system.
● -H specifies an extra header to include in the request when sending HTTPS to a server. You can enter multiple extra headers.
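In curl itself, lowercase -k is the short form of --insecure, which turns off verification of the server's HTTPS certificate (the option that reads arguments from a file is uppercase -K), and the login example in this chapter puts admin:admin on the command line. The following added example, which is not Dell EMC code, lints a saved session of such curl commands for both conditions; lint_curl, audit, and the $CA_BUNDLE variable are names assumed here, and the sample session is constructed from the commands shown in this chapter.

```python
import shlex

# Short options that consume the following value. This is a subset of curl's
# options, sufficient for the commands shown in this chapter.
SHORT_WITH_VALUE = set("HdXuoK")

# Constructed session modelled on the rest-translate output and the curl
# examples in this chapter; $CA_BUNDLE is a hypothetical variable that
# holds the path to the CA certificate that signed the switch certificate.
SAMPLE_SESSION = """\
CLI command: configure terminal
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-mgmt-cm:cms
$ curl -X GET -k -u admin:admin -H "Content-Type: application/json" https://$TARGET/login
curl -i --cacert $CA_BUNDLE -H "Accept: application/json" -u $USER_NAME -X GET https://$MGMT_IP/restconf/data/dell-mgmt-cm:cms
curl -ik -u $USER_NAME:$PASSWORD -d '{"description":"-k"}' https://$MGMT_IP/restconf/data
"""


def parse_curl(command):
    """Return (flags, values) for one curl command line."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "$":          # tolerate a copied shell prompt
        tokens = tokens[1:]
    if not tokens or tokens[0] != "curl":
        raise ValueError("not a curl command")
    flags, values = set(), {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok.startswith("--"):
            if tok == "--user" and i < len(tokens):
                values.setdefault("u", []).append(tokens[i])
                i += 1
            else:
                flags.add(tok[2:])
        elif tok.startswith("-") and len(tok) > 1:
            # Short options can be bundled (-ik); an option that takes a
            # value ends the bundle and consumes the rest or the next token.
            for pos, ch in enumerate(tok[1:], start=1):
                if ch in SHORT_WITH_VALUE:
                    rest = tok[pos + 1:]
                    if not rest and i < len(tokens):
                        rest = tokens[i]
                        i += 1
                    values.setdefault(ch, []).append(rest)
                    break
                flags.add(ch)
        # anything else is a URL or the value of a long option
    return flags, values


def lint_curl(command):
    """List the findings for one curl command."""
    flags, values = parse_curl(command)
    findings = []
    if "k" in flags or "insecure" in flags:
        findings.append("tls-verification-disabled")
    for cred in values.get("u", []):
        _user, sep, secret = cred.partition(":")
        # A password that is not a shell variable is stored in the script,
        # the shell history, and the process list.
        if sep and secret and not secret.startswith("$"):
            findings.append("literal-password")
    return findings


def audit(text):
    """Lint every curl line in a saved session; return (line, findings)."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith(("curl ", "$ curl ")):
            continue
        try:
            findings = lint_curl(stripped)
        except ValueError:                   # for example, an unclosed quote
            findings = ["unparseable"]
        if findings:
            report.append((lineno, findings))
    return report


if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_SESSION):
        print(lineno, ", ".join(findings))
```

The fifth sample line is the form that passes: --cacert names the CA file to verify the switch certificate against, and -u with only a user name makes curl prompt for the password.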
Request: merge stop-on-error set
JSON content
{ "interface": [{ "type": "iana-if-type:softwareLoopback", "enabled": true, "description":"loopback interface", "name":"loopback1"}] }
Parameters
● type string — Enter iana-if-type:softwareLoopback for a loopback interface.
● enabled bool — Enter true to enable the interface; enter false to disable.
● description string — Enter a text string to describe the interface. A maximum of 80 alphanumeric characters.
28 Troubleshoot Dell EMC SmartFabric OS10
Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
* 1  S4148F-ON            09H9MN  X01  TW-09H9MN-28298-713-0026  9531XC2  198 985 006 10
  1  S4148F-ON-PWR-1-AC   06FKHH  A00  CN-06FKHH-28298-6B5-03NY
  1  S4148F-ON-FANTRAY-1  0N7MH8  X01  TW-0N7MH8-28298-713-0101
  1  S4148F-ON-FANTRAY-2  0N7MH8  X01  TW-0N7MH8-28298-713-0102
  1  S4148F-ON-FANTRAY-3  0N7MH8  X01  TW-0N7MH8-28298-713-0103
  1  S4148F-ON-FANTRAY-4  0N7MH8  X01  TW-0N7MH8-28298-713-0104
Boot information
Display system boot and image information.
● View all boot information in EXEC mode.
30452 admin  20   0   22076   2524   2100  R  6.1
    1 root   20   0  112100   5840   3032  S  0.0
    2 root   20   0       0      0      0  S  0.
    3 root   20   0       0      0      0  S
    5 root    0 -20       0      0      0  S
    7 root   20   0       0      0      0  R
    8 root   20   0       0      0      0  S
   10 root   20   0       0      0      0  S
   11 root   20   0       0      0      0  S
   12 root   20   0       0      0      0  S
   13 root   rt   0       0      0      0  S
   14 root   rt   0       0      0      0  S
   15 root   rt   0       0      0      0  S
   16 root   rt   0       0      0      0  S
   17 root   20   0       0      0      0  S
   19 root    0 -20       0      0      0  S
   20 root    0 -20       0      0      0  S
   21 root   20   0       0      0      0  S
   22 root    0 -20       0      0      0  S
   23 root   20   0       0      0      0  S
   24 root    0 -20       0      0      0  S
   25 root   25   5       0      0      0  S
--more--
Capture packets from Ethernet interface
$ tcpdump -i e101-003-0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:39:22.457185 IP 3.3.3.1 > 3.3.3.4: ICMP echo request, id 5320, seq 26, length 64
01:39:22.457281 IP 3.3.3.1 > 3.3.3.
When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address. It also lists all intermediate hops (routers) that the packet traverses to reach its destination, including the total number of hops traversed.
Check IPv4 connectivity
OS10# ping 172.31.1.255
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.255, timeout is 2 seconds:
Reply to request 1 from 172.31.1.208 0 ms
Reply to request 1 from 172.31.1.
1 3ffe:501:ffff:100:201:e8ff:fe00:4c8b 000.000 ms 000.000 ms 000.000 ms
Faulty media
This section describes the behavior of pluggable media that OS10 cannot read because of some hardware or mechanical fault.
Detect faulty media
If the pluggable media that you insert into an interface is faulty, you will see a message similar to the following one on the console:
Nov 09 15:03:23 OS10 dn_alm[997]: Node.1-Unit.1:PRI [event], Dell EMC (OS10) %EQM_MEDIA_PRESENT: Media inserted .
Unit Type                  Part Number  Rev  Piece Part ID             Svc Tag  Exprs Svc Code
----------------------------------------------------------------------------------------------
* 1  S4248FB-ON                              CN-0W1K08-77931-647-0017  OS11SIM
  1  S4248FB-ON-PWR-2-AC   02RPHX       A00  CN-02RPHX-17972-5BH-00RE
  1  S4248FB-ON-FANTRAY-1  03CH15       A00  CN-03CH15-77931-62T-0039
  1  S4248FB-ON-FANTRAY-2  03CH15       A00  CN-03CH15-77931-62T-0133
  1  S4248FB-ON-FANTRAY-3  03CH15       A00  CN-03CH15-77931-62T-0067
  1  S4248FB-ON-FANTRAY-4  03CH15       A00  CN-03CH
------------------------------------
1 up 43
Thermal sensors
Unit  Sensor-Id  Sensor-name                          Temperature
------------------------------------------------------------------------------
1     1          CPU On-Board temp sensor             32
1     2          Switch board temp sensor             28
1     3          System Inlet Ambient-1 temp sensor   27
1     4          System Inlet Ambient-2 temp sensor   25
1     5          System Inlet Ambient-3 temp sensor   26
1     6          Switch board 2 temp sensor           31
1     7          Switch board 3 temp sensor           41
1     8          NPU temp sensor                      43
View hash algorithm
OS10# show hash-algorithm
LagAlgo -
2 fail
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Diagnostic commands
location-led interface
Changes the location LED of the interface.
Syntax location-led interface ethernet {chassis/slot/port[:subport]} {on | off}
Parameters
● chassis/slot/port[:subport] — Enter the ethernet interface number.
show boot
Displays boot-related information.
Syntax show boot [detail]
Parameters detail — (Optional) Enter to display detailed information.
Default Not configured
Command Mode EXEC
Usage Information Use the boot system command to set the boot image for the next reboot.
00:04.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 4 (rev 02)
00:0e.0 Host bridge: Intel Corporation Atom processor C2000 RAS (rev 02)
00:0f.0 IOMMU: Intel Corporation Atom processor C2000 RCEC (rev 02)
00:13.0 System peripheral: Intel Corporation Atom processor C2000 SMBus 2.0 (rev 02)
00:14.0 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
00:14.1 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
00:16.
Default Not configured
Command Mode EXEC
Usage Information None
Example OS10# show hash-algorithm
LagAlgo - CRC
EcmpAlgo - CRC
Supported Releases 10.2.0E or later
show inventory
Displays system inventory information.
0.34 Tasks: 208 total, %Cpu(s): 9.7 us, 0.
Supported Releases 10.3.0E or later
show system
Displays system information.
Syntax show system [brief | node-id]
Parameters
● brief — View an abbreviated list of the system information.
● node-id — View the node ID number.
Eth  1/1/9   No   BREAKOUT_1x1
Eth  1/1/10  No   BREAKOUT_1x1
Eth  1/1/11  No   BREAKOUT_1x1
Eth  1/1/12  No   BREAKOUT_1x1
Eth  1/1/13  No   BREAKOUT_1x1
Eth  1/1/14  No   BREAKOUT_1x1
Eth  1/1/15  No   BREAKOUT_1x1
Eth  1/1/16  No   BREAKOUT_1x1
Eth  1/1/17  No   BREAKOUT_1x1
Eth  1/1/18  No   BREAKOUT_1x1
Eth  1/1/19  No   BREAKOUT_1x1
Eth  1/1/20  No   BREAKOUT_1x1
Eth  1/1/21  No   BREAKOUT_1x1
Eth  1/1/22  No   BREAKOUT_1x1
Eth  1/1/23  No   BREAKOUT_1x1
Eth  1/1/24  No   BREAKOUT_1x1
Eth  1/1/25  Yes  BREAKOUT_1x1
Example (brief)
OS10# show system brief
Node Id M
● -p port — (Optional) Enter a destination port:
  ○ For UDP tracing, enter the destination port base that traceroute uses. The destination port number is incremented by each probe.
  ○ For ICMP tracing, enter the initial ICMP sequence value, incremented by each probe.
  ○ For TCP tracing, enter the constant destination port to connect.
● -P protocol — (Optional) Use a raw packet of the specified protocol for traceroute. The default protocol is 253 (RFC 3692).
Recover Linux password
If you lose or forget your Linux administrator password, you can reconfigure it from the CLI using the system-user linuxadmin password {clear-text-password | hashed-password} command in CONFIGURATION mode. Save the password using the write memory command. For example:
OS10(config)# system-user linuxadmin password Dell@Force10!@
OS10(config)# exit
OS10# write memory
For more information, see Linuxadmin user configuration.
9. Configure the password by using the /opt/dell/os10/bin/recover_linuxadmin_password.sh plainpassword command. Enter the linuxadmin password in plain text.
root@OS10: /# /opt/dell/os10/bin/recover_linuxadmin_password.sh Dell@admin0!@
10. Enter the sync command to save the new password.
root@OS10: /# sync
11. Reboot the system, and then enter your new password.
root@OS10: /# reboot -f
Rebooting.[ 822.327073] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 822.340656] reboot: Restarting system
[ 822.
5. At the linuxadmin prompt, enter sudo -i and the linuxadmin password to enter root mode.
linuxadmin@s4048t-1:~$ sudo -i
[sudo] password for linuxadmin:
root@s4048t-1:~#
6. At the root mode prompt, enter the passwd username command to recover the password for the specified user name. Enter the new password twice; for example:
root@s4048t-1:~# passwd admin
New password:
Retype new password:
passwd: password updated successfully
7. Exit and log out from root mode and linuxadmin mode.
If it is not possible to restore your factory defaults with the installed OS, reboot the system from the Grub menu and select ONIE: Rescue. ONIE Rescue bypasses the installed operating system and boots the system into ONIE until you reboot the system. After ONIE Rescue completes, the system resets and boots to the ONIE console.
1. Restore the factory defaults on your system from the Grub menu using the ONIE: Uninstall OS command. To select which entry is highlighted, use the up and down arrow keys.
NOTE: When you upgrade from an earlier release (prior to Release 10.5.0.0), the switch does not retain the SupportAssist configuration. After the upgrade is complete, enable and configure SupportAssist again. You must reconfigure SupportAssist because the OS10 switch (starting from Release 10.5.0.0) connects to a different Dell EMC server, and you must accept the EULA and reconfigure the server again.
Or
OS10(conf-support-assist)# server url https://domain username example-username password example-password
5. (Required) Configure the interface to connect to the SupportAssist server in SUPPORT-ASSIST mode.
OS10(conf-support-assist)# source-interface interface
6. (Required) Configure the contact information for your company in SUPPORT-ASSIST mode.
OS10(conf-support-assist)# contact-company name ExampleCompanyName
OS10(conf-support-assist-ExampleCompanyName)#
7.
1. (Required) Enter the contact name in SUPPORT-ASSIST mode.
OS10(config)# support-assist
OS10(conf-support-assist)# contact-company name ExampleCompanyName
OS10(conf-support-assist-ExampleCompanyName)# contact-person first firstname last lastname
2. (Required) Enter the email addresses in SUPPORT-ASSIST mode.
OS10(conf-support-assist-ExampleCompanyName)# email-address primary email-address [alternate alternate-email-address]
You can optionally configure an alternate email address.
3.
Set default activity schedule
OS10(conf-support-assist)# no support-assist-activity full-transfer schedule
View status
View the SupportAssist configuration status, details, and EULA information using the following show commands:
1. View the SupportAssist activity in EXEC mode.
show support-assist status
2. View the EULA license agreement in EXEC mode.
View EULA license
OS10# show support-assist eula
SUPPORTASSIST ENTERPRISE - SOFTWARE TERMS
*** IMPORTANT INFORMATION - PLEASE READ CAREFULLY ***
This SupportAssist Software ("Software") contains computer programs and other proprietary material and information, the use of which is governed by and expressly conditioned upon acceptance of this SupportAssist Enterprise Software Terms ("Agreement").
9 Fri Jun 30 05:13:37 UTC 2019 Full-transfer bundle upload failed due to communication error
10 Fri Jun 30 05:14:00 UTC 2019 Alert bundle upload failed due to communication error
11 Fri Jun 30 05:14:03 UTC 2019 Alert bundle uploaded to ESRS Server
List of country names and codes
This section provides a list of country codes that you must use in the address command.
Table 145.
SupportAssist commands
eula-consent
Accepts or rejects the SupportAssist end-user license agreement (EULA).
Syntax eula-consent {support-assist} {accept | reject}
Parameters
● support-assist — Enter to accept or reject the EULA for the service.
● accept — Enter to accept the EULA-consent.
● reject — Enter to reject EULA-consent.
Default Not configured
Command Mode CONFIGURATION
Usage Information If you reject the end-user license agreement, you cannot access the SupportAssist Configuration submode.
Usage Information This command displays the warranty information for the OS10 switch and the relevant service contracts.
Example
Usage Information
Example OS10(config)# support-assist
OS10(conf-support-assist)#
Supported Releases 10.2.0E or later
support-assist-activity
Schedules a time for data collection and transfer activity or performs on-demand data collection and managed file transfer.
Examples
OS10# support-assist-activity full-transfer start-now
OS10# support-assist-activity full-transfer schedule hourly min 59
OS10# support-assist-activity full-transfer schedule daily hour 23 min 59
OS10# support-assist-activity full-transfer schedule weekly day-of-week 1 hour 23 min 59
OS10# support-assist-activity full-transfer schedule monthly day 30 hour 23 min 59
OS10# support-assist-activity full-transfer schedule yearly month 12 day 31 hour 23 min 59
Supported Releases 10.2.
Examples
OS10(conf-support-assist)# activity event-notification enable
OS10(conf-support-assist)# activity full-transfer enable
Supported Releases 10.2.0E or later
contact-company
Configures the company contact information.
Syntax contact-company name company-name
Parameters company-name—Enter the contact company name.
Default Not configured
Command Mode SUPPORT-ASSIST
Usage Information You can enter only one contact company.
Default Not configured
Command Mode SUPPORT-ASSIST
Example Supported Releases
OS10(conf-support-assist)# show configuration
!
support-assist
 server url https://esrs3stg.emc.
Default None Command Mode EXEC Usage Information Use this command to view the EULA for SupportAssist.
Activity            Schedule  Schedule created on
----------------------------------------------------
full-transfer       None      Never
Activity Status :
Activity            Status    last start            last success
---------------------------------------------------------------------------
full-transfer       Success   2019-06-13 16:08:51   2019-06-13 16:15:19
event-notification  Success   2019-06-13 16:04:35   2019-06-13 16:04:39
keep-alive          Success   2019-06-13 18:00:00   2019-06-13 17:30:03
Server Status :
Last KeepAlive Status Last KeepAlive Successful Last Keep
SupportAssist company commands
address
Configures the company address.
Syntax address city name state name country name zipcode number
Parameters ● ● ● ●
Default Not configured
Command Mode SUPPORT-ASSIST contact company sub-mode
Usage Information Enter ? to view a list of supported country names and codes. You can also find this information at the following location: Country names and codes. The no version of this command removes the configuration.
Example OS10(conf-support-assist-ExampleCompanyName)# street-address "One Dell Way" "Suite 100" "Santa Clara"
Supported Releases 10.2.0E or later
territory
Configures the place where the company is located.
Syntax territory territory-name
Parameters territory-name—Enter the territory where the company is located.
Default Not configured
Command Mode CONF-SUPPORT-ASSIST
Usage Information The no version of this command removes the configuration.
Usage Information The no version of this command removes the configuration.
Example
OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# phone primary 000-123-4567
Supported Releases 10.2.0E or later

preferred-method
Configures a preferred method to contact an individual.
Syntax preferred-method {email | phone | no-contact}
Parameters
● email—Enter to select email as the preferred contact method.
● phone—Enter to select phone as the preferred contact method.
Event notifications
Event notifications for the generate support-bundle command are issued at the start and at the end of bundle generation, and each reports either success or failure.

Support bundle generation start event
Apr 19 16:57:55: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_STARTED: generate support-bundle execution has started successfully:All Plugin options disabled
Apr 19 16:57:55: %Node.1-Unit.
All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: Logging is enabled by default on a terminal emulator that is connected to the console serial port. However, in an SSH or Telnet terminal session, logging is disabled by default. To enable logging on a remote terminal in an SSH or Telnet session, use the terminal monitor command in EXEC mode. To disable logging in a remote or directly connected terminal, use the no terminal monitor command.
● Custom severity profile—Contains events that you modify. You can classify events as CRITICAL, MAJOR, MINOR, WARNING, or INFORMATIONAL in severity. Events and their characteristics that are defined in the custom profile take precedence over the default profile. To create a custom severity profile, copy the default severity profile to a remote host and modify it. After the custom profile is created, copy it from the remote host to the OS10 switch and apply it.
NOTE: You must restart the switch for the changes to take effect.
6. Restart the switch.
OS10# reload
7. Use the show event severity-profile command to view the custom profile that is active.
OS10# show event severity-profile
Severity Profile Details
--------------------------------------------
Currently Active : default
Active after restart : mySevProf_1.xml

Delete custom severity profile
You can delete custom severity profiles that you no longer need.
Disable system logging
You can use the no version of any logging command to disable system logging.
● Disable console logging, and reset the minimum logging severity to the default in CONFIGURATION mode.
no logging console severity
● Disable log-file logging, and reset the minimum logging severity to the default in CONFIGURATION mode.
no logging log-file severity
● Disable monitor logging, and reset the minimum logging severity to the default in CONFIGURATION mode.
When you install an X.509v3 certificate-key pair:
● Both take the name of the certificate. For example, if you install a certificate using:
OS10# crypto cert install cert-file home://Dell_host1.pem key-file home://abcd.key
The certificate-key pair is installed as Dell_host1.pem and Dell_host1.key. In configuration commands, refer to the pair as Dell_host1. When you configure a security profile, you would enter Dell_host1 in the certificate certificate-name command.
clientkey.pem cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 2048
Processing certificate ...
Successfully created CSR file /home/admin/clientreq.pem and key
OS10# copy home://clientreq.pem scp://CAadmin:secret@172.11.222.1/clientreq.pem
OS10# copy scp://CAadmin:secret@172.11.222.1/clientcert.pem home://clientcert.pem
OS10# copy scp://CAadmin:secret@172.11.222.1/clientkey.
ade service is up:software upgrade service up --More-View logging process names OS10# show logging process-names dn_alm dn_app_vlt dn_app_vrrp dn_bgp dn_dot1x dn_eqa dn_eqm dn_eth_drv dn_etl dn_i3 dn_ifm dn_infra_afs dn_issu dn_l2_services dn_l2_services_ dn_l2_services_ dn_l2_services_ dn_l2_services_ dn_l3_core_serv dn_l3_service dn_lacp dn_lldp dn_mgmt_entity_ --More-- Environmental monitoring Monitors the hardware environment to detect temperature, CPU, and memory utilization.
View link-bundle monitoring threshold configuration OS10(config)# do show running-configuration link-bundle-trigger-threshold 10 ! ... Show link-bundle utilization OS10(config)# do show link-bundle-utilization Link-bundle trigger threshold - 10 Alarm commands alarm acknowledge Acknowledges an active alarm. Syntax alarm acknowledge sequence-number Parameters ● sequence-number — Acknowledge the alarm corresponding to the sequence number.
show alarms Displays all current active alarms in the system.
Default None Command Mode EXEC Usage Information The output of the show alarms details command indicates if an alarm is acknowledged or not. If an alarm is not acknowledged, the Acknowledged field is set to false and the Ack-time value is empty. If an alarm is acknowledged, the Acknowledged field is set to true and the system displays the time the alarm was acknowledged.
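The acknowledgement check described above, as an added example that is not from the Dell guide: it parses show alarms details text and lists the alarms whose Ack-time is empty. The one-field-per-line layout, the dashed record separator and the sample text are assumptions built from the field names visible in this guide.

```python
import re

# Constructed sample, modelled on the field names in this guide's
# "show alarms details" fragments. Assumed layout: one "Key: value"
# field per line, records separated by a dashed rule.
SAMPLE = """\
Source: /psu/1
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Sun 10-07-2018 18:39:47
Ack-time:
State: raised
-------------------------------------------
Source: /psu/1
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Sun 10-07-2018 18:39:47
Ack-time: Sun 10-07-2018 20:39:47
New: true
State: acknowledged
-------------------------------------------
"""


def parse_alarms(text):
    """Split the output on dashed rules and return one dict per alarm."""
    alarms = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        record = {}
        for line in block.splitlines():
            # Split on the first colon only: time values contain colons too.
            key, sep, value = line.partition(":")
            if sep and key.strip():
                record[key.strip()] = value.strip()
        if record:
            alarms.append(record)
    return alarms


def unacknowledged(alarms):
    """Alarms with an empty Ack-time, meaning nobody has acknowledged them."""
    return [a for a in alarms if not a.get("Ack-time")]


if __name__ == "__main__":
    for alarm in unacknowledged(parse_alarms(SAMPLE)):
        print(alarm["Source"], alarm["Name"], alarm["Raise-time"])
```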
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Sun 10-07-2018 18:39:47
Ack-time:
State: raised
-------------------------------------------
Supported Releases 10.4.3E or later

show alarms severity
Displays all active alarms corresponding to a specific severity level.
Syntax show alarms severity severity
Parameters severity — Set the alarm severity:
● critical — Critical alarm severity.
● major — Major alarm severity.
● minor — Minor alarm severity.
Source: /psu/1
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Sun 10-07-2018 18:39:47
Ack-time: Sun 10-07-2018 20:39:47
New: true
State: acknowledged
-------------------------------------------
Supported Releases 10.4.3 or later

show alarms summary
Displays the summary of all active alarms.
Example (severity) Example (reverse) Example (sequence) Example (details) Example (summary)
6   Cleared     EQM_FANTRAY_FAULT    Sun 10-07-2018 22:39:50   /fantray/3
5   Ack         EQM_MORE_PSU_FAULT   Sun 10-07-2018 20:39:49   /psu/1
4   Raised      EQM_MORE_PSU_FAULT   Sun 10-07-2018 18:39:47   /psu/1
3   Raised      EQM_MORE_PSU_FAULT   Sun 10-07-2018 18:39:44   /psu/2
2   Raised      EQM_FANTRAY_FAULT    Sun 10-07-2018 16:39:42   /fantray/3
1   Stateless   SYSTEM_REBOOT        Sun 10-07-2018 15:39:41   -
OS10# Sq No ----4 3 2 show event history severity critic
Raised-count: 4
Ack-count: 0
Cleared-count: 0
Stateless-count: 579
Next Sequence Number: 584
Last Rollover Time:
-------------------------------------------
Supported Releases 10.5.0 or later

show event severity-profile
Displays the active severity profile and the profile that becomes active after a system restart.
logging console Disables, enables, or configures the minimum severity level for logging to the console. Syntax logging console {disable | enable | severity} Parameters severity—Set the minimum logging severity level: ● log-emerg—Set to unusable. ● log-alert—Set to immediate action is needed. ● log-crit—Set to critical conditions. ● log-err—Set to error conditions. ● log-warning—Set to warning conditions. ● log-notice—Set to normal but significant conditions, the default.
Parameters severity — Set the minimum logging severity level: ● log-emerg — Set the system as unusable. ● log-alert — Set to immediate action is needed. ● log-crit — Set to critical conditions. ● log-err — Set to error conditions. ● log-warning — Set to warning conditions. ● log-notice — Set to normal but significant conditions, the default. ● log-info — Set to informational messages. ● log-debug — Set to debug messages.
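An added example (not from the Dell guide) that applies the severity keywords listed above to event lines laid out like the SUPPORT_BUNDLE_STARTED message shown earlier in this guide, keeping only events at or above a minimum severity. The field layout is inferred from that one sample line; the EXAMPLE_* mnemonics and every sample line except the first are constructed.

```python
import re

# Severity keywords in the order this guide lists them, most severe first.
SEVERITIES = ["log-emerg", "log-alert", "log-crit", "log-err",
              "log-warning", "log-notice", "log-info", "log-debug"]

# Layout inferred from the guide's SUPPORT_BUNDLE_STARTED line:
# "<time>: %Node.N-Unit.N:<field>:<field> %<severity>:<MNEMONIC>: <text>"
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d): "
    r"%Node\.(?P<node>\d+)-Unit\.(?P<unit>\d+):[^:\s]+:\S+ "
    r"%(?P<severity>log-[a-z]+):(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

# The first line is the guide's own example. The others are constructed, and
# the EXAMPLE_* mnemonics are placeholders, not real OS10 event names.
SAMPLE = [
    "Apr 19 16:57:55: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_STARTED: "
    "generate support-bundle execution has started successfully:"
    "All Plugin options disabled",
    "Apr 19 16:58:01: %Node.1-Unit.1:PRI:OS10 %log-debug:EXAMPLE_TRACE: constructed debug text",
    "Apr 19 16:58:07: %Node.1-Unit.1:PRI:OS10 %log-crit:EXAMPLE_FAULT: constructed critical text",
    "not an OS10 event line",
]


def parse(line):
    """Return the fields of one event line, or None if it does not match."""
    m = LINE.match(line)
    if not m or m.group("severity") not in SEVERITIES:
        return None
    return m.groupdict()


def at_least(lines, minimum):
    """Keep events whose severity is `minimum` or more severe."""
    limit = SEVERITIES.index(minimum)
    events = (parse(line) for line in lines)
    return [e for e in events if e and SEVERITIES.index(e["severity"]) <= limit]


if __name__ == "__main__":
    for event in at_least(SAMPLE, "log-notice"):
        print(event["time"], event["severity"], event["mnemonic"])
```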
logging security-profile Creates a TLS security profile for system logging. Syntax logging security-profile profile-name Parameters profile-name — Enter the name of the Syslog over TLS security profile created with the crypto security-profile profile-name command; a maximum of 32 characters. Default Not configured Command mode CONFIGURATION Usage information Use this command to specify the configured crypto security profile to use to send system messages to a remote server over TLS.
Example
OS10(config)# logging server 10.11.86.139 severity log-info
OS10(config)# logging server fda8:6c3:ce53:a890::2 tcp 1468
OS10(config)# logging server 10.11.86.139 vrf management severity log-debug
Supported Releases 10.5.0 or later

show logging
Displays system logging messages by log file, process-names, or summary.
Syntax show logging {log-file [process-name | line-numbers] | process-names}
Parameters
● process-name — (Optional) Enter the process-name to use as a filter in syslog messages.
show trace Displays trace messages. Syntax show trace [number-lines] Parameters number-lines — (Optional) Enter the number of lines to include in log messages, from 1 to 65535. Default Enabled Command Mode EXEC Usage Information The output from this command is the /var/log/syslog file. Example Supported Releases OS10# show trace May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.
The util-threshold cpu command allows you to configure the high and low threshold values. Before configuring the threshold values, configure a syslog server to collect and store the syslog messages. To view the configured CPU utilization thresholds, use the show util-threshold cpu command. NOTE: During image installation, upgrade, or reload with default threshold values, CPU utilization might cross the threshold values and therefore trigger alarms.
show util-threshold cpu Displays the configured CPU utilization threshold values. Syntax show util-threshold cpu Parameters None Defaults None Command Mode EXEC Usage Information This command displays the CPU utilization thresholds that trigger alarms. When the CPU utilization percentage across different time durations crosses the threshold values, an alarm generates. To reconfigure the threshold values, use the util-threshold cpu command.
warning alarm triggers. The alarms clear when memory utilization goes below the corresponding thresholds. To view the current active alarms in the system, use the show alarms command. To configure the high or low memory utilization threshold values, use the util-threshold memory command. Before configuring the threshold values, configure a syslog server to collect and store the syslog messages. To display the configured utilization thresholds, use the show util-threshold memory command.
Usage Information This command displays the memory utilization thresholds that trigger alarms. When the memory exceeds the high or low configured threshold values, an alarm is generated. To reconfigure the threshold values, use the util-threshold memory command.
Example
OS10# show util-threshold memory
Processor High Low
============================
Overall 80 60
Supported Releases 10.5.2.0 or later

util-threshold memory
Configures the high or low memory utilization thresholds for SNMP traps.
permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2017 by Dell Inc. All Rights Reserved. *-* *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*This product is protected by U.S. and international copyright and intellectual property laws. Dell EMC and the Dell EMC logo are trademarks of Dell Inc. in the United States and/or other jurisdictions.
Hardware What are the default console settings for ON-Series devices? ● Set the data rate to 115200 baud ● Set the data format to 8 bits, stop bits to 1, and no parity ● Set flow control to none How do I view the hardware inventory? Use the show inventory command to view complete system inventory. How do I view the process-related information? Use the show processes node-id node-id-number [pid process-id] command to view the process CPU utilization information.
Use the show ip ospf neighbor command. System management How can I view the current interface configuration? Use the show running-configuration command to view all currently configured interfaces. How can I view a list of all system devices? Use the show inventory command to view a complete list. How can I view the software version? Use the show version command to view the currently running software version.
Monitoring How can I check if SupportAssist is enabled? Use the show support-assist status command to view current configuration information. How can I view a list of alarms? Use the show alarms details command to view a list of all system alarms. How do I enable or disable system logging? Use the logging enable command or the logging disable command. How do I view system logging messages? Use the show logging command to view messages by log file or process name.
29 Support resources The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.