Dell S3048-ON Configuration Manual Download Page 269 | Manualshive

Page: 269 / 1036

background image

Enabling FIPS Mode

To enable or disable FIPS mode, use the console port.
Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual
terminal session are denied.

When you enable FIPS mode, the following actions are taken:

•

If enabled, the SSH server is disabled.

•

All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.

•

Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.

•

FIPS mode is enabled.
•

If you enable the SSH server when you enter the

fips mode enable

command, it is re-enabled for version 2

only

.

•

If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair

using the

crypto key generate

command.

NOTE:

Under certain unusual circumstances, it is possible for the

fips enable

command to indicate a failure.

•

This failure occurs if any of the self-tests fail when you enable FIPS mode.

•

This failure occurs if there were existing SSH/Telnet sessions that could not be closed successfully in a reasonable amount of time.

In general, this failure can occur if a user at a remote host is in the process of establishing an SSH session to the local system, and

has been prompted to accept a new host key or to enter a password, but is not responding to the request. Assuming this failure is a

transient condition, attempting to enable FIPS mode again should be successful.

To enable FIPS mode, use the following command.

•

Enable FIPS mode from a console port.
CONFIGURATION

fips mode enable

The following warning message displays:

WARNING: Enabling FIPS mode will close all SSH/Telnet connections, restart those servers, and
destroy all configured host keys. Proceed (y/n) ?

Generating Host-Keys

The following describes hot-key generation.

When you enable or disable FIPS mode, the system deletes the current public/private host-key pair, terminates any SSH sessions that are
in progress (deleting all the per-session encryption key information), actually enables/tests FIPS mode, generates new host-keys, and re-
enables the SSH server (assuming it was enabled before enabling FIPS).
For more information, refer to the

SSH Server and SCP Commands

section in the

Security

chapter of the

Dell Networking OS Command

Line Reference Guide

.

Monitoring FIPS Mode Status

To view the status of the current FIPS mode (enabled/disabled), use the following commands.

•

Use either command to view the status of the current FIPS mode.

show fips status

show system

FIPS Cryptography

269

«
...
267
268
269
270
271
...
»

Summary of Contents for S3048-ON

Page 1: ...Dell Configuration Guide for the S3048 ON System 9 11 2 5 ...

Page 2: ... to hardware or loss of data and tells you how to avoid the problem WARNING A WARNING indicates a potential for property damage personal injury or death Copyright 2017 Dell Inc or its subsidiaries All rights reserved Dell EMC and other trademarks are trademarks of Dell Inc or its subsidiaries Other trademarks may be trademarks of their respective owners 2017 10 Rev A00 ...

Page 3: ...ommands Using an SSH Connection 46 Executing Local CLI Scripts Using an SSH Connection 46 Default Configuration 47 Configuring a Host Name 47 Accessing the System Remotely 47 Accessing the System Remotely 47 Configure the Management Port IP Address 47 Configure a Management Route 48 Configuring a Username and Password 48 Configuring the Enable Password 48 Configuration File Management 49 Copy File...

Page 4: ...ity Tracking 68 Display Login Statistics 69 Limit Concurrent Login Sessions 70 Restrictions for Limiting the Number of Concurrent Sessions 70 Configuring Concurrent Session Limit 71 Enabling the System to Clear Existing Sessions 71 Enabling Secured CLI Mode 72 Log Messages in the Internal Buffer 72 Configuration Task List for System Log Management 72 Disabling System Logging 72 Sending System Mess...

Page 5: ...orizing a Port 95 Re Authenticating a Port 95 Configuring Timeouts 96 Configuring Dynamic VLAN Assignment with Port Authentication 97 Guest and Authentication Fail VLANs 98 Configuring a Guest VLAN 99 Configuring an Authentication Fail VLAN 99 6 Access Control List ACL VLAN Groups and Content Addressable Memory CAM 101 Optimizing CAM Utilization During the Attachment of ACLs to VLANs 101 Guideline...

Page 6: ...ol Plane 125 IP Prefix Lists 126 Implementation Information 126 Configuration Task List for Prefix Lists 126 ACL Resequencing 130 Resequencing an ACL or Prefix List 130 Route Maps 132 Implementation Information 132 Logging of ACL Processes 132 Guidelines for Configuring ACL Logging 133 Configuring ACL Logging 133 Flow Based Monitoring 134 Behavior of Flow Based Monitoring 134 Enabling Flow Based M...

Page 7: ...r Representation 178 AS Number Migration 180 BGP4 Management Information Base MIB 181 Important Points to Remember 181 Configuration Information 182 BGP Configuration 182 Enabling BGP 183 Configuring AS4 Number Representations 186 Configuring Peer Groups 188 Configuring BGP Fast Fall Over 190 Configuring Passive Peering 192 Maintaining Existing AS Numbers During an AS Migration 192 Allowing an AS ...

Page 8: ... 215 Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor 216 BGP Regular Expression Optimization 216 Debugging BGP 216 Storing Last and Bad PDUs 217 Capturing PDUs 218 PDU Counters 219 Sample Configurations 219 10 Content Addressable Memory CAM 226 CAM Allocation 226 Test CAM Usage 228 View CAM ACL Settings 228 View CAM Usage 230 CAM Optimization 230 Troubleshoot CAM Prof...

Page 9: ... DHCP Snooping 255 Drop DHCP Packets on Snooped VLANs Only 258 Dynamic ARP Inspection 259 Configuring Dynamic ARP Inspection 260 Source Address Validation 261 Enabling IP Source Address Validation 261 DHCP MAC Source Address Validation 262 Enabling IP MAC Source Address Validation 262 Viewing the Number of SAV Dropped Packets 263 Clearing the Number of SAV Dropped Packets 263 13 Equal Cost Multi P...

Page 10: ...ortant Points to Remember 282 16 GARP VLAN Registration Protocol GVRP 283 Important Points to Remember 283 Configure GVRP 284 Related Configuration Tasks 284 Enabling GVRP Globally 285 Enabling GVRP on a Layer 2 Interface 285 Configure GVRP Registration 285 Configure a GARP Timer 286 RPM Redundancy 286 17 High Availability HA 288 Component Redundancy 288 Automatic and Manual Stack Unit Failover 28...

Page 11: ...d to a Multicast Router 306 Configuring the Switch as Querier 306 Fast Convergence after MSTP Topology Changes 307 Egress Interface Selection EIS for HTTP and IGMP Applications 307 Protocol Separation 307 Enabling and Disabling Management Egress Interface Selection 308 Handling of Management Route Configuration 309 Handling of Switch Initiated Traffic 310 Handling of Switch Destined Traffic 310 Ha...

Page 12: ...finition and Standards 333 Port Channel Benefits 333 Port Channel Implementation 333 Interfaces in Port Channels 334 Configuration Tasks for Port Channel Interfaces 334 Creating a Port Channel 334 Adding a Physical Interface to a Port Channel 335 Reassigning an Interface to a New Port Channel 336 Configuring the Minimum Oper Up Links in a Port Channel 337 Adding or Removing a Port Channel from a V...

Page 13: ... Tasks for IP Addresses 361 Assigning IP Addresses to an Interface 361 Configuring Static Routes 362 Configure Static Routes for the Management Interface 363 IPv4 Path MTU Discovery Overview 364 Using the Configured Source IP Address in ICMP Messages 364 Configuring the ICMP Source Interface 364 Configuring the Duration to Establish a TCP Connection 365 Enabling Directed Broadcast 365 Resolution o...

Page 14: ...S 382 ICMPv6 383 Path MTU Discovery 384 IPv6 Neighbor Discovery 384 IPv6 Neighbor Discovery of MTU Packets 385 Configuration Task List for IPv6 RDNSS 385 Configuring the IPv6 Recursive DNS Server 385 Debugging IPv6 RDNSS Information Sent to the Host 386 Displaying IPv6 RDNSS Information 387 Secure Shell SSH Over an IPv6 Transport 387 Configuration Tasks for IPv6 388 Adjusting Your CAM Profile 388 ...

Page 15: ...s 415 Maximum Values in the Routing Table 415 Change the IS IS Metric Style in One Level Only 415 Leaks from One Level to Another 417 Sample Configurations 418 24 Link Aggregation Control Protocol LACP 420 Introduction to Dynamic LAGs and LACP 420 Important Points to Remember 420 LACP Modes 421 Configuring LACP Commands 421 LACP Configuration Tasks 422 Creating a LAG 422 Configuring the LAG Interf...

Page 16: ... Enabling FEFD on an Interface 446 Debugging FEFD 447 26 Link Layer Discovery Protocol LLDP 449 802 1AB LLDP Overview 449 Protocol Data Units 449 Optional TLVs 450 Management TLVs 450 TIA 1057 LLDP MED Overview 452 TIA Organizationally Specific TLVs 452 Configure LLDP 456 Related Configuration Tasks 456 Important Points to Remember 456 LLDP Compatibility 457 CONFIGURATION versus INTERFACE Configur...

Page 17: ...Active Cache 482 Enabling the Rejected Source Active Cache 482 Accept Source Active Messages that Fail the RFP Check 482 Specifying Source Active Messages 485 Limiting the Source Active Messages from a Peer 486 Preventing MSDP from Caching a Local Source 486 Preventing MSDP from Caching a Remote Source 487 Preventing MSDP from Advertising a Local Source 487 Logging Changes in Peership States 488 T...

Page 18: ...ulticast 511 Implementation Information 511 Multicast Policies 512 IPv4 Multicast Policies 512 Understanding Multicast Traceroute mtrace 519 Important Points to Remember 520 Printing Multicast Traceroute mtrace Paths 520 Supported Error Codes 521 mtrace Scenarios 522 31 Object Tracking 528 Object Tracking Overview 528 Track Layer 2 Interfaces 529 Track Layer 3 Interfaces 529 Track IPv4 and IPv6 Ro...

Page 19: ...figuring Passive Interface 566 Redistributing Routes 566 Configuring a Default Route 566 Enabling OSPFv3 Graceful Restart 567 OSPFv3 Authentication Using IPsec 569 Troubleshooting OSPFv3 575 33 Policy based Routing PBR 577 Overview 577 Implementing PBR 578 Configuration Task List for Policy based Routing 578 PBR Exceptions Permit 578 Create a Redirect List 579 Create a Rule for a Redirect list 579...

Page 20: ...ulticast Queue 602 Enabling Flow Based Monitoring 603 Remote Port Mirroring 604 Remote Port Mirroring Example 604 Configuring Remote Port Mirroring 605 Displaying Remote Port Mirroring Configurations 607 Configuring the Sample Remote Port Mirroring 607 Encapsulated Remote Port Monitoring 610 ERPM Behavior on a typical Dell Networking OS 612 Decapsulation of ERPM packets at the Destination IP Analy...

Page 21: ...QoS Configurations 640 Classify Traffic 641 Create a QoS Policy 644 Create Policy Maps 646 DSCP Color Maps 650 Creating a DSCP Color Map 650 Displaying DSCP Color Maps 651 Displaying a DSCP Color Policy Configuration 651 Enabling QoS Rate Adjustment 652 Enabling Strict Priority Queueing 653 Weighted Random Early Detection 653 Creating WRED Profiles 654 Applying a WRED Profile to Traffic 655 Displa...

Page 22: ...te Monitoring RMON 682 Implementation Information 682 Fault Recovery 682 Setting the RMON Alarm 683 Configuring an RMON Event 683 Configuring RMON Collection Statistics 684 Configuring the RMON Collection History 684 42 Rapid Spanning Tree Protocol RSTP 686 Protocol Overview 686 Configuring Rapid Spanning Tree 686 Related Configuration Tasks 686 Important Points to Remember 686 RSTP and VLT 687 Co...

Page 23: ...Configuring the HMAC Algorithm for the SSH Server 718 Configuring the HMAC Algorithm for the SSH Client 719 Configuring the SSH Server Cipher List 719 Configuring the SSH Client Cipher List 720 Secure Shell Authentication 720 Troubleshooting SSH 723 Telnet 723 VTY Line and Access Class Configuration 723 VTY Line Local Authentication and Authorization 724 VTY Line Remote Authentication and Authoriz...

Page 24: ... Setting Rate Limit BPDUs 754 Debugging Layer 2 Protocol Tunneling 755 Provider Backbone Bridging 755 46 sFlow 756 Overview 756 Implementation Information 756 Important Points to Remember 757 Enabling Extended sFlow 757 Enabling and Disabling sFlow on an Interface 758 Enabling sFlow Max Header Size Extended 758 sFlow Show Commands 759 Displaying Show sFlow Global 759 Displaying Show sFlow on an In...

Page 25: ...ry Size on Flash 780 Viewing the Available Flash Memory Size 780 MIB Support to Display the Software Core Files Generated by the System 781 Viewing the Software Core Files Generated by the System 781 SNMP Support for WRED Green Yellow Red Drop Counters 782 MIB Support to Display the Available Partitions on Flash 783 Viewing the Available Partitions on Flash 783 MIB Support to Display Egress Queue ...

Page 26: ... Units in an Stack 813 Creating a Virtual Stack Unit on a Stack 813 Displaying Information about a Stack 814 Influencing Management Unit Selection on a Stack 815 Managing Redundancy on a Stack 816 Resetting a Unit on a Stack 816 Verify a Stack Configuration 817 Displaying the Status of Stacking Ports 817 Remove Units or Front End Ports from a Stack 818 Removing a Unit from a Stack 818 Removing Fro...

Page 27: ...840 Configuring SupportAssist Manually 840 Configuring SupportAssist Activity 842 Configuring SupportAssist Company 843 Configuring SupportAssist Person 844 Configuring SupportAssist Server 844 Viewing SupportAssist Configuration 845 52 System Time and Date 847 Network Time Protocol 847 Protocol Overview 848 Configure the Network Time Protocol 848 Enabling NTP 849 Configuring NTP Broadcasts 849 Di...

Page 28: ...t Help with Upgrades 870 56 Virtual LANs VLANs 871 Default VLAN 872 Port Based VLANs 872 VLANs and Port Tagging 873 Configuration Task List 873 Creating a Port Based VLAN 873 Assigning Interfaces to a VLAN 874 Moving Untagged Interfaces 875 Assigning an IP Address to a VLAN 876 Configuring Native VLANs 876 Enabling Null VLAN as the Default VLAN 877 57 Virtual Link Trunking VLT 878 Overview 878 VLT...

Page 29: ...a Member of a PVLAN 929 MAC Synchronization for VLT Nodes in a PVLAN 929 PVLAN Operations When One VLT Peer is Down 930 PVLAN Operations When a VLT Peer is Restarted 930 Interoperation of VLT Nodes in a PVLAN with ARP Requests 930 Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN 930 Configuring a VLT VLAN or LAG in a PVLAN 932 Creating a VLT LAG or a VLT VLAN 932 Assoc...

Page 30: ... 958 Assigning an Interface to a VRF 959 Assigning a Front end Port to a Management VRF 959 View VRF Instance Information 959 Assigning an OSPF Process to a VRF Instance 960 Configuring VRRP on a VRF Instance 960 Configuring Management VRF 961 Configuring a Static Route 962 Sample VRF Configuration 962 Route Leaking VRFs 967 Dynamic Route Leaking 968 Configuring Route Leaking without Filtering Cri...

Page 31: ...pplication Core Dumps 1011 Mini Core Dumps 1011 Enabling TCP Dumps 1012 62 Standards Compliance 1013 IEEE Compliance 1013 RFC and I D Compliance 1014 General Internet Protocols 1014 General IPv4 Protocols 1016 General IPv6 Protocols 1017 Border Gateway Protocol BGP 1018 Open Shortest Path First OSPF 1019 Intermediate System to Intermediate System IS IS 1019 Routing Information Protocol RIP 1020 Mu...

Page 32: ...tificates 1033 Transport layer security TLS 1033 Syslog over TLS 1034 Online Certificate Status Protocol OSCP 1034 Configuring OCSP setting on CA 1034 Configuring OCSP behavior 1035 Configuring Revocation Behavior 1035 Configuring OSCP responder preference 1035 Verifying certificates 1035 Verifying Server certificates 1036 Verifying Client Certificates 1036 Event logging 1036 32 Contents ...

Page 33: ...ics Audience Conventions Related Documents Audience This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 L2 and Layer 3 L3 networking technologies Conventions This guide uses the following conventions to describe command syntax Keyword Keywords are in Courier a monospaced font and must be entered in the CL...

Page 34: ...ly differ between the platforms Differences are noted in each CLI description and related documentation Topics Accessing the Command Line CLI Modes The do Command Undoing Commands Obtaining Help Entering and Editing Commands Command History Filtering show Command Outputs Multiple Users in Configuration Mode Accessing the Command Line Access the CLI through a serial console port or a Telnet session...

Page 35: ...bmode command structure Two sub CONFIGURATION modes are important when configuring the chassis for the first time INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface An interface can be physical Management interface 1 Gigabit Ethernet 10 Gigabit Ethernet 25 Gigabit Ethernet 40 Gigabit Ethernet 50 Gigabit Ethernet or 100 Gigabi...

Page 36: ...el NOTE Sub CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode and slot port information Table 1 Dell Networking OS Command Modes CLI Command Mode Prompt Access Command EXEC Dell Access the router through the console or terminal line EXEC Privilege Dell From EXEC mode enter the enable command From any other mode use the end command CONFIGURATION De...

Page 37: ...CONSOLE Dell config line console line LINE Modes VIRTUAL TERMINAL Dell config line vty line LINE Modes STANDARD ACCESS LIST Dell config std macl mac access list standard MAC ACCESS LIST Modes EXTENDED ACCESS LIST Dell config ext macl mac access list extended MAC ACCESS LIST Modes MULTIPLE SPANNING TREE Dell config mstp protocol spanning tree mstp Per VLAN SPANNING TREE Plus Dell config pvst protoc...

Page 38: ...ode LINE Dell config line console or Dell config line vty line console orline vty MONITOR SESSION Dell conf mon sess sessionID monitor session OPENFLOW INSTANCE Dell conf of instance of id openflow of instance PORT CHANNEL FAILOVER GROUP Dell conf po failover grp port channel failover group PRIORITY GROUP Dell conf pg priority group PROTOCOL GVRP Dell config gvrp protocol gvrp QOS POLICY Dell conf...

Page 39: ...ent 0 Fan Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed 1 1 up up 0 up 0 1 2 up up 0 up 0 1 3 up up 0 up 0 Speed in RPM Undoing Commands When you enter a command the command line is added to the running configuration file running config To disable a command and remove it from the running config enter the no command then the original command For example to delete an IP address configured on an i...

Page 40: ...for entering commands The CLI is not case sensitive You can enter partial CLI keywords Enter the minimum number of letters to uniquely identify a command For example you cannot enter cl as a partial keyword because both the clock and class map commands begin with the letters cl You can enter clo however as a partial keyword because only one command begins with those three letters The TAB key auto ...

Page 41: ...cept find grep no more save specified_text after the command The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore case sub option Starting with Dell Networking OS version 7 8 1 0 the grep command accepts an ignore case sub option that forces the search to case insensitive For example the commands show run grep Ethernet returns a sea...

Page 42: ...nStatus FanSpeed rpm 1 1 down AC up 8128 1 2 absent absent 0 Fan Status Unit Bay TrayStatus Fan0 Speed 1 1 up up 9900 1 2 up up 9900 1 3 up up 9900 Speed in RPM The display command displays additional configuration information The no more command displays the output all at once rather than one screen at a time This is similar to the terminal length command except that the no more option affects th...

Page 43: ...n the system that is connected over the console this message appears Warning User username on line vty0 10 11 130 2 is in configuration mode If either of these messages appears Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other s configuration changes Configuration Fundamentals 43 ...

Page 44: ...e console monitor displays the EXEC mode prompt For details about using the command line interface CLI refer to the Accessing the Command Line section in the Configuration Fundamentals chapter Topics Console Access Accessing the CLI Interface and Running Scripts Using SSH Default Configuration Configuring a Host Name Accessing the System Remotely Configuring the Enable Password Configuration File ...

Page 45: ...dapter 1 Install an RJ 45 copper cable into the console port Use a rollover crossover cable to connect the S4810 console port to a terminal server 2 Connect the other end of the cable to the DTE terminal server 3 Terminal settings on the console port cannot be changed in the software and are set as follows 115200 baud rate No parity 8 data bits 1 stop bit No flow control Pin Assignments You can co...

Page 46: ...ication mechanism Entering CLI commands Using an SSH Connection You can run CLI commands by entering any one of the following syntax to connect to a switch using the preconfigured user credentials using SSH ssh username hostname CLI Command or echo CLI Command ssh admin hostname The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non interact...

Page 47: ...ch is Dell You must configure the system using the CLI Configuring a Host Name The host name appears in the prompt The default host name is Dell Host names must start with a letter and end with a letter or digit Characters within the string can be letters digits and hyphens To create a host name use the hostname name command in Configuration mode hostname command example Dell conf hostname R1 R1 c...

Page 48: ...ly configure a system username and password To configure a system username and password use the following command Configure a username and password to access the system remotely CONFIGURATION mode username username password encryption type password encryption type specifies how you are inputting the password is 0 by default and is not required 0 is for inputting the password in clear text 7 is for...

Page 49: ... copying files is similar to UNIX The copy command uses the format copy source file url destination file url NOTE For a detailed description of the copy command refer to the Dell Networking OS Command Reference To copy a local file to a remote system combine the file origin syntax for a local file location with the file destination syntax for a remote file location To copy a remote file to Dell Ne...

Page 50: ...t nfs directory is the root of all mount points To mount an NFS file system perform the following steps Table 4 Mounting an NFS File System File Operation Syntax To mount an NFS file system mount nfs rhost path mount point username password The foreign file system remains mounted as long as the device is up and does not reboot You can run the file system commands without having to mount or un moun...

Page 51: ...smount Copy to nfs mount file system nfsmount filepath running config remote host Destination file name test c 225 bytes successfully copied Dell Save the Running Configuration The running configuration contains the current system configuration Dell Networking recommends coping your running configuration to the startup configuration The commands in this section follow the same format as those comm...

Page 52: ...es or the contents of a file use the following commands View a list of files on the internal flash EXEC Privilege mode dir flash View the running configuration EXEC Privilege mode show running config View the startup configuration EXEC Privilege mode show startup config Example of the dir Command The output of the dir command also shows the read write privileges size in bytes and date of modificat...

Page 53: ...can create groups of VLANs using the interface group command This command will create nonexistent VLANs specified in a range On successful command execution the CLI switches to the interface group context The configuration commands inside the group context will be the similar to that of the existing range command Two existing exec mode CLIs are enhanced to display and store the running configurati...

Page 54: ...ress 2 1 1 1 16 shutdown interface Vlan 2 no ip address no shutdown interface Vlan 3 snip interface TenGigabitEthernet 1 1 no ip address switchport shutdown Interface group TenGigabitEthernet 1 2 4 TenGigabitEthernet 1 10 no ip address shutdown interface TenGigabitEthernet 1 34 ip address 2 1 1 1 16 shutdown interface group Vlan 2 Vlan 100 no ip address no shutdown interface group Vlan 3 5 tagged ...

Page 55: ...figuration to the startup config file in the compressed mode In stacking scenario it will also take care of syncing it to all the standby and member units The following is the sample output Dell write memory compressed Jul 30 08 50 26 STKUNIT0 M CP FILEMGR 5 FILESAVED Copied running config to startup config in flash by default copy compressed config Copy one file after optimizing and reducing the ...

Page 56: ...ting with Release 9 4 0 0 you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface This enables effective streamlined management and administration of applications and utilities that run on a device You can employ this capability to perform an on demand activation or turn off a software component or protocol...

Page 57: ...ue of the downloaded image file on system s flash drive and optionally compares it to a Dell Networking published hash for that file The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software Calculating the hash on the local image file and comparing the result to the hash published for that file on iSupport provides a high level of confidence that the lo...

Page 58: ...use HTTP to copy files or configuration details to a remote server To transfer files to an external server use the copy source file url http host port file path command Enter the following source file url keywords and information To copy a file from the internal FLASH enter flash followed by the filename To copy the running configuration enter the keyword running config To copy the startup configu...

Page 59: ...erface NOTE If the HTTP service is not VRF aware then it uses the global routing table to perform the look up To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF use the ip http vrf command in CONFIGURATION mode Configure an HTTP client with a VRF that is used to connect to the HTTP server CONFIGURATION MODE Dell conf ip http vrf managemen...

Page 60: ...tting Timeout for EXEC Privilege Mode Using Telnet to get to Another Network Device Lock CONFIGURATION Mode LPC Bus Quality Degradation Reloading the system Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line There are 16 privilege levels of which three are pre defined The default privilege level is 1 Level Description Level 0 Access to the syst...

Page 61: ...URATION mode A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands end and exit You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command In the command specify the privilege level of the user or terminal line and specify all the keywords in the command to which you ...

Page 62: ... command keyword Allow access to a CONFIGURATION INTERFACE LINE ROUTE MAP and or ROUTER mode command CONFIGURATION mode privilege configure interface line route map router level level command command Example of EXEC Privilege Commands Dell conf do show run priv privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp pdu p...

Page 63: ... line vty Dell conf interface group gigabitethernet GigabitEthernet interface IEEE 802 3z tengigabitethernet TenGigabit Ethernet interface vlan VLAN keyword Dell conf interface group vlan 1 2 gigabitethernet 1 1 Dell conf if group vl 1 2 gi 1 1 no shutdown Dell conf if group vl 1 2 gi 1 1 end Applying a Privilege Level to a Username To set the user privilege level use the following command Configu...

Page 64: ...u enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network You log audit and security events to a system log server using the logging extended command in CONFIGURATION mode This command is available with or without RBAC enabled For information about RBAC see Role Based Access Control Audit Logs The audit log con...

Page 65: ...splay audit logs use the show logging auditlog command in Exec mode To view these logs you must first enable the logging extended command Only the RBAC system administrator user role can view the audit logs Only the RBAC security administrator and system administrator user role can view the security logs If extended logging is disabled you can only view system events regardless of RBAC user role T...

Page 66: ... peer RPM is up RAM 6 RAM_TASK RPM1 is transitioning to Primary RPM RPM 2 MSG CP1 POLLMGR 2 MMC_STATE External flash disk missing in slot0 CHMGR 5 CARDDETECTED Line card 0 present CHMGR 5 CARDDETECTED Line card 2 present CHMGR 5 CARDDETECTED Line card 4 present CHMGR 5 CARDDETECTED Line card 5 present CHMGR 5 CARDDETECTED Line card 8 present CHMGR 5 CARDDETECTED Line card 10 present CHMGR 5 CARDDE...

Page 67: ...ll conf ip ssh server enable 2 On the syslog server create a reverse SSH tunnel from the syslog server to the Dell OS switch using following syntax ssh R remote port syslog server syslog server listen port user remote_host nNf In the following example the syslog server IP address is 10 156 166 48 and the listening port is 5141 The switch IP address is 10 16 131 141 and the listening port is 5140 s...

Page 68: ...in to the system and whether the current user s permissions have changed since the last login The system stores the number of unsuccessful login attempts that have occurred in the last 30 days by default You can change the default value to any number of days from 1 to 30 By default login activity tracking is disabled You can enable it using the login statistics enable command from the configuratio...

Page 69: ...gin attempt s in last 30 day s 0 Successful login attempt s in last 30 day s 1 Example of the show login statistics all command The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period Dell show login statistics all User admin Last login time 08 54 28 UTC Wed Mar 23 2016 Last login location Line vty0 1...

Page 70: ...ample output of the show login statistics unsuccessful attempts user login id command Dell show login statistics unsuccessful attempts user admin There were 3 unsuccessful login attempt s for user admin in last 12 day s The following is sample output of the show login statistics successful attempts command Dell show login statistics successful attempts There were 4 successful login attempt s for u...

Page 71: ...ell config login concurrent session clear line enable Example of Clearing Existing Sessions When you try to log in the following message appears with all your existing concurrent sessions providing an option to close any one of the existing sessions telnet 10 11 178 14 Trying 10 11 178 14 Connected to 10 11 178 14 Escape character is Login admin Password Current sessions for user admin Line Locati...

Page 72: ... Messages in the Internal Buffer All error messages except those beginning with BOOTUP Message are log in the internal buffer For example BOOTUP RPM0 CP PORTPIPE INIT SUCCESS Portpipe 0 enabled Configuration Task List for System Log Management There are two configuration tasks for system log management Disable System Logging Send System Messages to a Syslog Server Disabling System Logging By defau...

Page 73: ...log Add line on a 5 7 SunOS UNIX system local7 debugging var adm ftos log In the previous lines local7 is the logging facility level and debugging is the severity level Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location The default is to log all messages up to debug level that is all system messages By ...

Page 74: ...el Debugging Buffer logging level Debugging 40 Messages Logged Size 40960 bytes Trap logging level Informational IRC 6 IRC_COMMUP Link to peer RPM is up RAM 6 RAM_TASK RPM1 is transitioning to Primary RPM RPM 2 MSG CP1 POLLMGR 2 MMC_STATE External flash disk missing in slot0 CHMGR 5 CARDDETECTED Line card 0 present CHMGR 5 CARDDETECTED Line card 2 present CHMGR 5 CARDDETECTED Line card 4 present C...

Page 75: ...e local4 for local use local5 for local use local6 for local use local7 for local use lpr for line printer system messages mail for mail system messages news for USENET news messages sys9 system use sys10 system use sys11 system use sys12 system use sys13 system use sys14 system use syslog for syslog messages user for user programs uucp UNIX to UNIX copy protocol Example of the show running config...

Page 76: ...the range is from 0 to 7 The default is 2 Use the all keyword to include all messages limit the range is from 20 to 300 The default is 20 To view the logging synchronous configuration use the show config command in LINE mode Enabling Timestamp on Syslog Messages By default syslog messages do not include a time date stamp stating when the error or message was created To enable timestamp use the fol...

Page 77: ...VRF is configured on that interface For more information about FTP refer to RFC 959 File Transfer Protocol NOTE To transmit large files Dell Networking recommends configuring the switch as an FTP server Configuration Task List for File Transfer Services The configuration tasks for file transfer services are Enable FTP Server mandatory Configure FTP Server Parameters optional Configure FTP Client P...

Page 78: ...e enter the keyword TenGigabitEthernet then the slot port information For a Loopback interface enter the keyword loopback then a number from 0 to 16383 For a port channel interface enter the keywords port channel then a number For a VLAN interface enter the keyword vlan then a number from 1 to 4094 CONFIGURATION mode ip ftp source interface interface Configure a password CONFIGURATION mode ip ftp ...

Page 79: ...llowing command Apply an ACL to a VTY line LINE mode access class access list name ipv4 ipv6 NOTE If you already have configured generic IP ACL on a terminal line then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration Similarly if you have configured either IPv4 or IPv6 specific filtering on a terminal line you cannot apply generic IP ACL on top of this configur...

Page 80: ...a TACACS server to authenticate 1 Configure an authentication method list You may use a mnemonic name or use the keyword default The default authentication method for terminal lines is local and the default method list is empty CONFIGURATION mode aaa authentication login method list name default method 1 method 2 method 3 method 4 method 5 method 6 2 Apply the method list from Step 1 to a terminal...

Page 81: ... Device To telnet to another device use the following commands NOTE The device allows 120 Telnet sessions per minute allowing the login and logout of 10 Telnet sessions 12 times in a minute If the system reaches this non practical limit the Telnet service is stopped for 10 minutes You can use console and SSH service to access the system during downtime Telnet to a device with an IPv4 or IPv6 addre...

Page 82: ...f another user attempts to enter CONFIGURATION mode while a lock is in place the following appears on their terminal message 1 Error User on line console0 is in exclusive configuration mode If any user is already in CONFIGURATION mode when while a lock is in place the following appears on their terminal message 2 Error Can t lock configuration mode exclusively since the following users are current...

Page 83: ...ssues a warning syslog to the user to take appropriate action if signal degradation is seen LBQA LPC Bus Quality Analyzer Failure Detection mode The following functions are performed as a part of this mode 1 The LBQA will be started as part of FTOS application init typically as a poller in sysd 2 The LBQA will run as a fast poller typically 1 sec in failure detection mode 3 During every fast poll ...

Page 84: ...e the rescue parameter to reload the system and enter the Rescue mode to access the file system The following example shows how to reload the system Dell reload Proceed with reload confirm yes no yes The following example shows how to reload the system into Dell diagnostics mode Dell reload dell diag Proceed with reload confirm yes no yes The following example shows how to reload the system into O...

Page 85: ...ing a mandatory intermediary network access device in this case a Dell Networking switch The network access device mediates all communication between the end user device and the authentication server so that the network remains secure The network access device uses EAP over Ethernet EAPOL to communicate with the end user device and EAP over RADIUS to communicate with the server NOTE The Dell Netwo...

Page 86: ...tor The authentication server selects the authentication method verifies the information the supplicant provides and grants it network access privileges Ports can be in one of two states Ports are in an unauthorized state by default In this state non 802 1X traffic cannot be forwarded in or out of the port The authenticator changes the port state to authorized if the server can authenticate the su...

Page 87: ... translated and forwarded to the supplicant by the authenticator 5 The supplicant can negotiate the authentication method but if it is acceptable the supplicant provides the Requested Challenge information in an EAP response which is translated and forwarded to the authentication server as another Access Request frame 6 If the identity information provided by the supplicant is valid the authentica...

Page 88: ...ers Configuring 802 1X Configuring 802 1X on a port is a one step process For more information refer to Enabling 802 1X Related Configuration Tasks Configuring Request Identity Re Transmissions Forcibly Authorizing or Unauthorizing a Port Re Authenticating a Port Configuring Timeouts Configuring a Guest VLAN Configuring an Authentication Fail VLAN Important Points to Remember Dell Networking OS su...

Page 89: ...list of MAC addresses for a dot1x profile use the mac command You can configure 1 to 6 MAC addresses Configure a list of MAC addresses for a dot1x profile DOT1X PROFILE CONFIG conf dot1x profile mac mac address mac address Enter the keyword mac and type up to the 48 bit MAC addresses using the nn nn nn nn nn nn format A maximum of 6 MAC addresses are allowed Example of Configuring a List of MAC Ad...

Page 90: ...e Static MAB Enable Static MAB Profile Sample Tx Period 90 seconds Quiet Period 120 seconds ReAuth Max 10 Supplicant Timeout 30 seconds Server Timeout 30 seconds Re Auth Interval 7200 seconds Max EAP Req 10 Auth Type SINGLE_HOST Auth PAE State Authenticated Backend State Idle Configuring Critical VLAN By default critical VLAN is not configured If authentication fails because of a server which is n...

Page 91: ...on Disable Untagged VLAN id 400 Guest VLAN Enable Guest VLAN id 100 Auth Fail VLAN Disable Auth Fail VLAN id NONE Auth Fail Max Attempts NONE Mac Auth Bypass Enable Mac Auth Bypass Only Enable Tx Period 3 seconds Quiet Period 60 seconds ReAuth Max 2 Supplicant Timeout 30 seconds Server Timeout 30 seconds Re Auth Interval 3600 seconds Max EAP Req 2 Host Mode SINGLE_HOST Auth PAE State Authenticated...

Page 92: ...e or a range of interfaces INTERFACE mode interface range 3 Enable 802 1X on the supplicant interface only INTERFACE mode dot1x authentication Examples of Verifying that 802 1X is Enabled Globally and on an Interface Verify that 802 1X is enabled globally and at the interface level using the show running config find dot1x command from EXEC Privilege mode 92 802 1X ...

Page 93: ...econds ReAuth Max 2 Supplicant Timeout 30 seconds Server Timeout 30 seconds Re Auth Interval 3600 seconds Max EAP Req 2 Host Mode SINGLE_HOST Auth PAE State Initialize Backend State Initialize Configuring Request Identity Re Transmissions When the authenticator sends a Request Identity frame and the supplicant does not respond the authenticator waits for 30 seconds and then re transmits the frame ...

Page 94: ...ansmit a Request Identity frame after a failed authentication INTERFACE mode dot1x quiet period seconds The range is from 1 to 65535 The default is 60 seconds Example of Configuring and Verifying Port Authentication The following example shows configuration information for a port for which the authenticator re transmits an EAP Request Identity frame after 90 seconds and a maximum of 10 times for a...

Page 95: ...g a Port in Force Authorized State and Viewing the Configuration The example shows configuration information for a port that has been force authorized The bold line shows the new port control state Dell conf if Gi 1 1 dot1x port control force authorized Dell conf if Gi 1 1 show dot1x interface GigabitEthernet 1 1 802 1x information on Gi 1 1 Dot1x Status Enable Port Control FORCE_AUTHORIZED Port A...

Page 96: ...LAN id None Tx Period 90 seconds Quiet Period 120 seconds ReAuth Max 10 Supplicant Timeout 30 seconds Server Timeout 30 seconds Re Auth Interval 7200 seconds Max EAP Req 10 Auth Type SINGLE_HOST Auth PAE State Initialize Backend State Initialize Auth PAE State Initialize Backend State Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive the authenticator t...

Page 97: ...al 7200 seconds Max EAP Req 10 Auth Type SINGLE_HOST Auth PAE State Initialize Backend State Initialize Enter the tasks the user should do after finishing this task optional Configuring Dynamic VLAN Assignment with Port Authentication Dell Networking OS supports dynamic VLAN assignment when using 802 1X The basis for VLAN assignment is RADIUS attribute 81 Tunnel Private Group ID Dynamic VLAN assig...

Page 98: ...t access to the network until the supplicant is authenticated If the supplicant is authenticated the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data NOTE Ports cannot be dynamically assigned to the default VLAN If the supplicant fails authentication the authenticator typ...

Page 99: ... Dell conf if gi 2 1 dot1x guest vlan 200 Dell conf if gi 2 1 show config interface GigabitEthernet 2 1 switchport dot1x guest vlan 200 no shutdown Dell conf if gi 2 1 Configuring an Authentication Fail VLAN If the supplicant fails authentication the authenticator re attempts to authenticate after a specified amount of time NOTE For more information about authenticator re attempts refer to Configu...

Page 100: ...ilege mode 802 1x information on Gi 2 1 Dot1x Status Enable Port Control FORCE_AUTHORIZED Port Auth Status UNAUTHORIZED Re Authentication Disable Untagged VLAN id None Guest VLAN Disabled Guest VLAN id 200 Auth Fail VLAN Disabled Auth Fail VLAN id 100 Auth Fail Max Attempts 5 Tx Period 90 seconds Quiet Period 120 seconds ReAuth Max 10 Supplicant Timeout 15 seconds Server Timeout 15 seconds Re Auth...

Page 101: ...ACL agent on the line cards do not contain any information about the group After you enter the acl vlan group command the ACL manager application performs the validation If the command is valid it is processed and sent to the agent if required If a configuration error is found or if the maximum limit has exceeded for the ACL VLAN groups present on the system an error message displays After you ent...

Page 102: ...Port ACL optimization is applicable only for ACLs that are applied without the VLAN range If you enable the ACL VLAN group capability you cannot view the statistical details of ACL rules per VLAN and per interface You can only view the counters per ACL only using the show ip accounting access list command Within a port you can apply Layer 2 ACLs on a VLAN or a set of VLANs In this case CAM optimiz...

Page 103: ... 99 Group Name HostGroup Egress IP Acl Group5 Vlan Members 1 1000 Dell Configuring FP Blocks for VLAN Parameters To allocate the number of FP blocks for the various VLAN processes on the system use the cam acl vlan command To reset the number of FP blocks to the default use the no version of this command By default 0 groups are allocated for the ACL in VLAN contentaware processor VCAP ACL VLAN gro...

Page 104: ...GRP 1024 0 1024 IN L3 FIB 49152 3 49149 IN V6 ACL 0 0 0 IN NLB ACL 0 0 0 IPMAC ACL 0 0 0 OUT L2 ACL 206 9 197 OUT L3 ACL 178 9 169 OUT V6 ACL 178 4 174 2 0 IN L2 ACL 1536 0 1536 IN L3 ACL 1024 1 1023 IN L3 FIB 49152 3 49149 IN V6 ACL 0 0 0 IN NLB ACL 0 0 0 IPMAC ACL 0 0 0 OUT L2 ACL 206 9 197 OUT L3 ACL 178 9 169 OUT V6 ACL 178 4 174 3 0 IN L2 ACL 1536 0 1536 IN L3 ACL 1024 1 1023 IN L3 FIB 49152 ...

Page 105: ...0 IN L3 FIB 49152 3 49149 IN L3 ACL 1024 1 1023 IN V6 ACL 0 0 0 OUT L3 ACL 178 9 169 OUT V6 ACL 178 4 174 3 0 IN L3 FIB 49152 3 49149 IN L3 ACL 1024 1 1023 IN V6 ACL 0 0 0 OUT L3 ACL 178 9 169 OUT V6 ACL 178 4 174 Codes cam usage is above 90 Allocating FP Blocks for VLAN Processes The VLAN contentaware processor VCAP application is a pre ingress CAP that modifies the VLAN settings before packets a...

Page 106: ...the slices for CAM optimization To display the number of FP blocks that is allocated for the different VLAN services use the show cam acl vlan command After you configure the ACL VLAN groups reboot the system to store the settings in nonvolatile storage During CAM initialization the chassis manager reads the NVRAM and allocates the dynamic VCAP regions 106 Access Control List ACL VLAN Groups and C...

Page 107: ... can also configure VRF based ACLs on interfaces NOTE You can apply Layer 3 VRF aware ACLs only at the ingress level You can apply VRF aware ACLs on VRF Instances Interfaces In order to configure VRF aware ACLs on VRF instances you must carve out a separate CAM region You can use the cam acl command for allocating CAM regions As part of the enhancements to support VRF aware ACLs the cam acl comman...

Page 108: ...ons refer to the Dell Networking OS Command Reference Guide For extended ACL TCP and UDP filters you can match criteria on specific or ranges of TCP or UDP ports For extended ACL TCP filters you can also match criteria on established TCP sessions When creating an access list the sequence of the filters is important You have a choice of assigning sequence numbers to the filters as you enter them or...

Page 109: ...re than one physical interface on the same port pipe only a single copy of the policy is written only one FP entry is used When you disable this command the system behaves as described in this chapter Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles but is best used when verifying QoS optimization for IPv6 ACLs To determine whether sufficient ACL CAM space is available to ena...

Page 110: ...tended ACL Determine the Order in which ACLs are Used to Classify Traffic When you link class maps to queues using the service queue command Dell Networking OS matches the class maps according to queue priority queue numbers closer to 0 have lower priorities As shown in the following example class map cmap2 is matched against ingress packets before cmap1 ACLs acl1 and acl2 have overlapping rules b...

Page 111: ...R OSPF modes The following list includes the configuration tasks for route maps as described in the following sections Create a route map mandatory Configure route map filters optional Configure a route map for route redistribution optional Configure a route map for route tagging optional Creating a Route Map Route maps ACLs and prefix lists are similar in composition because all three contain fil...

Page 112: ...el stub area Dell The following example shows a route map with multiple instances The show config command displays only the configuration of the current route map instance To view all instances of a specific route map use the show route map command Dell show route map dilling route map dilling permit sequence 10 Match clauses Set clauses route map dilling permit sequence 15 Match clauses interface...

Page 113: ...map for any permit statement If there is a match anywhere the route is permitted However other instances of the route map deny it Example of the match Command to Permit and Deny Routes Dell conf route map force permit 10 Dell config route map match tag 1000 Dell conf route map force deny 20 Dell config route map match tag 1000 Dell conf route map force deny 30 Dell config route map match tag 1000 ...

Page 114: ... match ipv6 route source access list name prefix list prefix list name Match routes with a specific value CONFIG ROUTE MAP mode match metric metric value Match BGP routes based on the ORIGIN attribute CONFIG ROUTE MAP mode match origin egp igp incomplete Match routes specified as internal or external to OSPF ISIS level 1 ISIS level 2 or locally generated CONFIG ROUTE MAP mode match route type exte...

Page 115: ... CONFIG ROUTE MAP mode set weight value To create route map instances use these commands There is no limit to the number of set commands per route map but the convention is to keep the number of set filters in a route map low Set commands do not require a corresponding match command Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in...

Page 116: ...enters a different routing domain it is tagged The tag is passed along with the route as it passes through different routing protocols You can use this tag when the route leaves a routing domain to redistribute those routes again In the following example the redistribute ospf command with a route map is used in ROUTER RIP mode to apply a tag of 34 to all internal OSPF routes that are redistributed...

Page 117: ... commands with the fragment keyword to filter fragmented packets Example of Permitting All Packets on an Interface The following configuration permits all packets both fragmented and non fragmented with destination IP 10 1 1 1 The second rule does not get hit at all Dell conf ip access list extended ABC Dell conf ext nacl permit ip any 10 1 1 1 32 Dell conf ext nacl deny ip any 10 1 1 1 32 fragmen...

Page 118: ... any any fragment Dell conf ext nacl deny ip any any log Dell conf ext nacl When configuring ACLs with the fragments keyword be aware of the following When an ACL filters packets it looks at the fragment offset FO to determine whether it is a fragment FO 0 means it is either the first fragment or the packet is a non fragment FO 0 means it is dealing with the fragments of the original packet Config...

Page 119: ...gns filters in multiples of 5 Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters you can let Dell Networking OS assign a sequence number based on the order in which the filters are configured The software assigns filters in multiples of five 1 Configure a standard IP ACL and assign it a unique name CONFIGURATION mode ip access list standard access ...

Page 120: ...and UDP host addresses The traffic passes through the filter in the order of the filter s sequence and hence you can configure the extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the filter Configuring Filters with a Sequence Number To configure filters with a sequence number use the following commands 1 Enter IP ACCESS LIST mode by creating an extende...

Page 121: ...red before filter 5 but the show config command displays the filters in the correct order Dell config ext nacl seq 15 deny ip host 112 45 0 0 any log monitor 501 Dell config ext nacl seq 5 permit tcp 12 1 3 45 0 0 255 255 any Dell config ext nacl show config ip access list extended dilling seq 5 permit tcp 12 1 0 0 0 0 255 255 any seq 15 deny ip host 112 45 0 0 any log monitor 501 Dell config ext ...

Page 122: ...st example in Configure a Standard IP ACL Filter Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode If both L2 and L3 ACLs are applied to an interface the following rules apply When Dell Networking OS routes the packets only the L3 ACL governs them because they are not filtered against an L2 ACL When Dell Networking OS switches the pa...

Page 123: ...the interface number CONFIGURATION mode interface interface slot port 2 Configure an IP address for the interface placing it in Layer 3 mode INTERFACE mode ip address ip address 3 Apply an IP ACL to traffic entering or exiting an interface INTERFACE mode ip access group access list name in implicit permit vlan vlan range vrf vrf range layer3 NOTE The number of entries allowed per ACL is hardware d...

Page 124: ...interface gigabitethernet 1 1 Dell conf if gi1 1 ip access group abcd in Dell conf if gi1 1 show config gigabitethernet 1 1 no ip address ip access group abcd in no shutdown Dell conf if gi1 1 end Dell configure terminal Dell conf ip access list extended abcd Dell config ext nacl permit tcp any any Dell config ext nacl deny icmp any any Dell config ext nacl permit 1 1 1 2 Dell config ext nacl end ...

Page 125: ...5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1 1 1 2 Dell configure terminal Dell conf interface gigabitethernet 1 2 Dell conf if gi 1 2 ip vrf forwarding blue Dell conf if gi 1 2 show config interface GigabitEthernet 1 2 ip vrf forwarding blue no ip address shutdown Dell conf if gi 1 2 Dell conf if gi 1 2 Dell conf if gi 1 2 end Dell Applying Egress Layer 3 ACLs Control Plane By de...

Page 126: ...cimal address For example in 112 24 0 0 16 the first 16 bits of the address 112 24 0 0 match all addresses between 112 24 0 0 to 112 24 255 255 The following examples show permit or deny filters for specific routes using the le and ge parameters where x x x x x represents a route prefix To deny only 8 prefixes enter deny x x x x x ge 8 le 8 To permit routes with the mask greater than 8 but less th...

Page 127: ...g example shows how the seq command orders the filters according to the sequence number assigned In the example filter 20 was configured before filter 15 and 12 but the show config command displays the filters in the correct order Dell conf nprefixl seq 20 permit 0 0 0 0 0 le 32 Dell conf nprefixl seq 12 deny 134 23 0 0 16 Dell conf nprefixl seq 15 deny 120 23 14 0 8 le 16 Dell conf nprefixl show ...

Page 128: ...and in PREFIX LIST mode and locate the sequence number of the filter you want to delete then use the no seq sequence number command in PREFIX LIST mode Viewing Prefix Lists To view all configured prefix lists use the following commands Show detailed information about configured prefix lists EXEC Privilege mode show ip prefix list detail prefix name Show a table of summarized information about conf...

Page 129: ...ix list to outgoing routes You can specify an interface or type of route If you enter the name of a non existent prefix list all routes are forwarded CONFIG ROUTER RIP mode distribute list prefix list name out interface connected static ospf Example of Viewing Configured Prefix Lists ROUTER RIP mode To view the configuration use the show config command in ROUTER RIP mode or the show running config...

Page 130: ...g to create numbering space as shown in the second table In the same example apply resequencing if more than two rules must be placed between rules 7 and 10 You can resequence IPv4 and IPv6 ACLs prefixes and MAC ACLs No CAM writes happen as a result of resequencing so there is no packet loss the behavior is similar Hot lock ACLs NOTE ACL resequencing does not affect the rules remarks or order in w...

Page 131: ...e remark 8 this remark corresponds to permit ip any host 1 1 1 2 seq 8 permit ip any host 1 1 1 2 seq 10 permit ip any host 1 1 1 3 seq 12 permit ip any host 1 1 1 4 Remarks that do not have a corresponding rule are incremented as a rule These two mechanisms allow remarks to retain their original position in the list The following example shows remark 10 corresponding to rule 10 and as such they h...

Page 132: ...he system performance and efficiency To avoid an overload of ACL logs from being recorded you can configure the rate limiting functionality Specify the interval or frequency at which ACL logs must be triggered and also the threshold or limit for the maximum number of logs to be generated If you do not specify the frequency at which ACL logs must be generated a default interval of 5 minutes is used...

Page 133: ...leted that was previously enabled for ACL logging the match rule number used by it is released back to the pool or available set of match indices so that it can be reused for subsequent allocations If you enabled the count of packets for the ACL entry for which you configured logging and if the logging is deactivated in a specific interval owing to the threshold having exceeded the count of packet...

Page 134: ...de When you enable this flow based monitoring traffic with particular flows that are traversing through the interfaces are examined in accordance with the applied ACLs By default flow based monitoring is not enabled There are two ways in which you can enable flow based monitoring in Dell Networking OS You can create an ACL and apply that ACL either to an interface that needs to be monitored or app...

Page 135: ...s enabled The show monitor session session id command displays the Type field in the output which indicates whether a particular session is enabled for flow monitoring Example Output of the show Command Dell show monitor session 1 SessID Source Destination Dir Mode Source IP Dest IP DSCP TTL Drop Rate Gre Protocol FcMonitor 1 Gi 1 45 Gi 1 46 tx Port 0 0 0 0 0 0 0 0 0 0 No N A N A yes Dell The show...

Page 136: ...ell conf monitor session 0 Dell conf mon sess 0 flow based enable Dell conf ip access list ext testflow Dell config ext nacl seq 5 permit icmp any any count bytes monitor Dell config ext nacl seq 10 permit ip 102 1 1 0 24 any count bytes monitor Dell config ext nacl seq 15 deny udp any any count bytes Dell config ext nacl seq 20 deny tcp any any count bytes Dell config ext nacl exit Dell conf inte...

Page 137: ...0 Gi 1 1 Gi 1 2 rx Flow N A N A 0 0 No N A N A yes Access Control Lists ACLs 137 ...

Page 138: ...re reported to the BFD Manager on the route processor which in turn notifies the routing protocols that are registered with it BFD is an independent and generic protocol which all media topologies and routing protocols can support using any encapsulation Dell Networking has implemented BFD at Layer 3 and with user datagram protocol UDP encapsulation BFD is supported on static routing protocols and...

Page 139: ...to BFD Sessions Flag A bit that indicates packet function If the poll bit is set the receiving system must respond as soon as possible without regard to its transmit interval The responding system clears the poll bit and sets the final bit in its response The poll and final bits are used during the handshake and in Demand mode refer to BFD Sessions NOTE Dell Networking OS does not currently suppor...

Page 140: ...ol packet Transmit Interval Transmit interval is the agreed upon rate at which a system sends control packets Each system has its own transmit interval which is the greater of the last received remote Desired TX Interval and the local Required Min RX Interval Detection time Detection time is the amount of time that a system does not receive a control packet after which the system determines that t...

Page 141: ...d on this link The default session state on both ports is Down 1 The active system sends a steady stream of control packets that indicates that its session state is Down until the passive system responds These packets are sent at the desired transmit interval of the Active system The Your Discriminator field is set to zero 2 When the passive system receives any of these control packets it changes ...

Page 142: ...Figure 10 BFD Three Way Handshake State Changes 142 Bidirectional Forwarding Detection BFD ...

Page 143: ...sions per stack unit at 200 minimum transmit and receive intervals with a multiplier of 3 and 64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4 Enable BFD on both ends of a link Demand mode authentication and the Echo function are not supported BFD is not supported on multi hop and virtual links Protocol Liveness is supported for routing protocols only Dell Networkin...

Page 144: ...ablish a session with a next hop neighbor Related Configuration Tasks Viewing Physical Port Session Parameters Disabling and Re Enabling BFD Enabling BFD Globally You must enable BFD globally on both routers To enable the BFD globally use the following command Enable BFD globally CONFIGURATION mode bfd enable Example of Verifying BFD is Enabled To verify that BFD is enabled globally use the show r...

Page 145: ...disable BFD all of the sessions on that interface are placed in an Administratively Down state the first message example and the remote systems are notified of the session state change the second message example To disable and re enable BFD on an interface use the following commands Disable BFD on an interface INTERFACE mode no bfd enable Enable BFD on an interface INTERFACE mode bfd enable If you...

Page 146: ...stablish a BFD session use the following command Establish BFD sessions for all neighbors that are the next hop of a static route CONFIGURATION mode ip route bfd prefix list prefix list name interval interval min_rx min_rx multiplier value role active passive Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes use the show b...

Page 147: ...enabled on all the eligible next hop neighbors You can use only valid IPv4 unicast address prefixes in the BFD prefix list An erroneous IP prefix in a prefix list causes the entire prefix list to be rejected A BFD session is enabled for the directly connected next hop neighbor specified in the configured destination prefix list If you attach an empty prefix list all the existing established BFD se...

Page 148: ...utes use the following command Disable BFD for static routes CONFIGURATION mode no ip route bfd prefix list prefix list name interval interval min_rx min_rx multiplier value role active passive Configure BFD for OSPF When you use BFD with OSPF the OSPF protocol registers with the BFD manager BFD sessions are established with all neighboring interfaces participating in OSPF If a neighboring interfa...

Page 149: ...n the OSPF adjacency is in the Full state Figure 13 Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface use the following commands Enable BFD globally CONFIGURATION mode bfd enable Establish sessions with all OSPF neighbors ROUTER OSPF mode bfd all neighbors Establish sessions with OSPF neighbors on a single interface Bidi...

Page 150: ...level the change affects all OSPF sessions on that interface To change parameters for all OSPF sessions or for OSPF sessions on a single interface use the following commands Change parameters for OSPF sessions ROUTER OSPF mode bfd all neighbors interval milliseconds min_rx milliseconds multiplier value role active passive Change parameters for all OSPF sessions on an interface INTERFACE mode ip os...

Page 151: ...ith all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface use the following commands Establish sessions with all OSPFv3 neighbors ROUTER OSPFv3 mode bfd all neighbors Establish sessions with OSPFv3 neighbors on a single interface INTERFACE mode ipv6 ospf bfd all neighbors To view the established sessions use the show bfd neighbors command The following example shows the show bfd vrf ...

Page 152: ... of OSPFv2 and OSPFv3 with a timer of 300 300 3 for both default and nondefault VRFs The following example shows the configuration to establish sessions with all OSPFv3 neighbors in a specific VRF ipv6 router ospf 20 vrf vrf1 bfd all neighbors The following example shows the configuration to establish sessions with all OSPFv3 neighbors on a single interface in a specific VRF interface vlan 102 ip ...

Page 153: ...ace use the following commands To view session parameters use the show bfd neighbors detail command Change parameters for all OSPFv3 sessions ROUTER OSPFv3 mode bfd all neighbors interval milliseconds min_rx milliseconds multiplier value role active passive Change parameters for OSPFv3 sessions on a single interface INTERFACE mode ipv6 ospf bfd all neighbors interval milliseconds min_rx millisecon...

Page 154: ...S IS is a two step process 1 Enable BFD globally 2 Establish sessions for all or particular IS IS neighbors Related Configuration Tasks Changing IS IS Session Parameters Disabling BFD for IS IS Establishing Sessions with IS IS Neighbors BFD sessions can be established for all IS IS neighbors at once or sessions can be established for all neighbors out of a specific interface Figure 14 Establishing...

Page 155: ... interface level the change affects all IS IS sessions on that interface To change parameters for all IS IS sessions or for IS IS sessions on a single interface use the following commands To view session parameters use the show bfd neighbors detail command as shown in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors Command in Displaying BFD for BGP Information Change paramet...

Page 156: ...GP on the routers that you want to interconnect as described in Border Gateway Protocol IPv4 BGPv4 2 Enable fast fall over for BGP neighbors to reduce convergence time the neighbor fall over command as described in BGP Fast Fall Over Establishing Sessions with BGP Neighbors Before configuring BFD for BGP you must first configure BGP on the routers that you want to interconnect For more information...

Page 157: ...supported only on directly connected BGP neighbors and only in BGP IPv4 networks Up to 128 simultaneous BFD sessions are supported As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection the BFD session remains up and BGP maintains its adjacencies If a BFD for BGP neighbor does not receive a control packet within the detection int...

Page 158: ...ed with the bfd all neighbors command or configured for the peer group to which the neighbor belongs Also the neighbor only inherits the global timer values configured with the bfd all neighbors command interval min_rx and multiplier 6 Repeat Steps 1 to 5 on each BGP peer participating in a BFD session Disabling BFD for BGP You can disable BFD for BGP To disable a BFD for BGP session with a specif...

Page 159: ...P Information You can display related information for BFD for BGP To display information about BFD for BGP sessions on a router use the following commands and refer to the following examples Verify a BFD for BGP configuration EXEC Privilege mode show running config bgp Verify that a BFD for BGP session has been successfully established with a BGP neighbor A line by line listing of established BFD ...

Page 160: ...0ms Multiplier 3 Actual parameters TX 100ms RX 100ms Multiplier 3 Role Active Delete session on Down True Client Registered BGP Uptime 00 07 55 Statistics Number of packets received from neighbor 4762 Number of packets sent to neighbor 4490 Number of state changes 2 Number of messages from IFA about port state change 0 Number of messages communicated b w Manager and Agent 5 Session Discriminator 1...

Page 161: ...s 0 main routing table version 0 BFD is enabled Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor s using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up Down State Pfx 1 1 1 2 1 282 281 0 0 0 00 38 12 0 2 2 2 2 1 273 273 0 0 0 04 32 26 0 3 3 3 2 1 282 281 0 0 0 00 38 12 0 The following example shows viewing BFD information for a specified neighbor The bold lines sho...

Page 162: ...peer Connections established 1 dropped 0 Last reset never Local host 2 2 2 3 Local port 63805 Foreign host 2 2 2 2 Foreign port 179 E1200i_ExaScale R2 show ip bgp neighbors 2 2 2 3 BGP neighbor is 2 2 2 3 remote AS 1 external link Member of peer group pg1 for session parameters BGP version 4 remote router ID 12 0 0 4 BGP state ESTABLISHED in this state for 00 05 33 Neighbor is using BGP neighbor m...

Page 163: ...d for all VRRP neighbors at once or a session can be established with a particular neighbor Figure 16 Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors use the following command Establish sessions with all VRRP neighbors INTERFACE mode vrrp bfd all neighbors Establishing VRRP Sessions on VRRP Neighbors The master router does not care about the state of the...

Page 164: ...D 1 Net 2 2 5 1 VRF 0 default State Backup Priority 1 Master 2 2 5 2 Hold Down 0 sec Preempt TRUE AdvInt 1 sec Adv rcvd 95 Bad pkts rcvd 0 Adv sent 933 Gratuitous ARP sent 3 Virtual MAC address 00 00 5e 00 01 01 Virtual IP address 2 2 5 4 Authentication none BFD Neighbors RemoteAddr State 2 2 5 2 Up Changing VRRP Session Parameters BFD sessions are configured with default intervals and a default r...

Page 165: ...ors Disable all VRRP sessions in a VRRP group VRRP mode bfd disable Disable a particular VRRP session on an interface INTERFACE mode no vrrp bfd neighbor ip address Configuring Protocol Liveness Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled When you disable a client all BFD sessions for that protocol are torn down Neighbors on the remote system rec...

Page 166: ... interface Gi 4 24 diag 0 The following example shows hexadecimal output from the debug bfd packet command RX packet dump 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00 34 13 Sent packet for session with neighbor 2 2 2 2 on Gi 4 24 TX packet dump 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00 34 14 Received packet for session with neighbor 2 ...

Page 167: ... uniquely identifies each network on the internet The Internet Assigned Numbers Authority IANA has reserved AS numbers 64512 through 65534 to be used for private purposes IANA reserves ASNs 0 and 65535 and must not be used in a live environment You can group autonomous systems into three categories multihomed stub and transit defined by their connections and operation multihomed AS is one that mai...

Page 168: ...nd discarded BGP does not use a traditional interior gateway protocol IGP matrix but makes routing decisions based on path network policies and or rulesets Unlike most protocols BGP uses TCP as its transport protocol Since each BGP router talking to another router is a session a BGP network needs to be in full mesh This is a topology that has every router directly connected to every other router E...

Page 169: ...change between peers is driven by events and timers The focus in BGP is on the traffic routing policies In order to make decisions in its operations with other BGP peers a BGP process uses a simple finite state machine that consists of six states Idle Connect Active OpenSent OpenConfirm and Established For each peer to peer session a BGP implementation tracks which of these six states the session ...

Page 170: ...allowing groups of routers to share and inherit policies Peer groups also aid in convergence speed When a BGP process needs to send the same information to a large number of peers the BGP process needs to set up a long output queue to get that information to all the proper peers If the peers are members of a peer group however the information can be sent to one place and then passed onto the peers...

Page 171: ... the route selection process Weight Local Preference Multi Exit Discriminators MEDs Origin AS Path Next Hop NOTE There are no hard coded limits on the number of attributes that are supported in the BGP Taking into account other constraints such as the Packet Size maximum number of attributes are supported in BGP Communities BGP communities are sets of routes with one or more common attributes Comm...

Page 172: ...efer the path with the largest WEIGHT attribute 2 Prefer the path with the largest LOCAL_PREF attribute 3 Prefer the path that was locally Originated via a network command redistribute command or aggregate address command a Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate address command 4 Prefer the path with the ...

Page 173: ... the TCP connection with the local router After a number of best paths is determined this selection criteria is applied to group s best to determine the ultimate best path In non deterministic mode the bgp non deterministic med command is applied paths are compared in the order in which they arrive This method can lead to Dell Networking OS choosing different best paths from a set of paths dependi...

Page 174: ...e only attribute applied In the following illustration AS100 and AS200 connect in two places Each connection is a BGP session AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50 This sets up a path preference through the OC3 link The MEDs are advertised to AS100 routers so they know which is the preferred path MEDs are non transitive attributes If AS100 sends a...

Page 175: ...ator means that the route was derived inside the originating AS EGP generally means that a route was learned from an external gateway protocol An INCOMPLETE origin code generally results from aggregation redistribution or other indirect ways of installing routes into BGP In Dell Networking OS these origin codes appear as shown in the following example The question mark indicates an origin code of ...

Page 176: ...arried into the local AS A next hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS and when advertising routes within an AS The next hop attribute also serves as a way to direct traffic to another BGP speaker rather than waiting for a speaker to advertise When a next hop BGP neighbor is unreachable then the connection to that BGP neighbor goes dow...

Page 177: ...internal IGP cost as the MED while setting others to a constant pre defined metric as MED value Use the set metric type internal command in a route map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes The configured set metric value overwrites the default IGP cost By using the redistribute command with the route map command you can specify whether a peer adver...

Page 178: ...ions all the routers in a Confederation must be either 4 Byte or 2 Byte identified routers You cannot mix them Configure 4 byte AS numbers with the four octet support command AS4 Number Representation Dell Networking OS supports multiple representations of 4 byte AS numbers asplain asdot and asdot NOTE The ASDOT and ASDOT representations are supported only with the 4 Byte AS numbers feature If 4 B...

Page 179: ...gp BGP table version is 24901 local router ID is 172 30 1 57 output truncated ASDOT Dell conf router_bgp bgp asnotation asdot Dell conf router_bgp show conf router bgp 100 bgp asnotation asdot bgp four octet as support neighbor 172 30 1 250 local as 65057 output truncated Dell conf router_bgp do show ip bgp BGP table version is 31571 local router ID is 172 30 1 57 output truncated AS PLAIN Dell co...

Page 180: ...its customer When Router B is migrating to Router A it must maintain the connection with Router C without immediately updating Router C s configuration Local AS allows this behavior to happen by allowing Router B to appear as if it still belongs to Router B s old network AS 200 as far as communicating with Router C is concerned Figure 23 Before and After AS Number Migration with Local AS Enabled W...

Page 181: ...ibutes are not stored in the PA Table and cannot be retrieved using the index passed in command These fields are not populated in f10BgpM2PathAttrEntry f10BgpM2PathAttrClusterEntry and f10BgpM2PathAttrOriginatorIdEntry F10BgpM2PathAttrUnknownEntry contains the optional transitive attribute details Query for f10BgpM2LinkLocalNextHopEntry returns the default value for Link local Next hop RFC 2545 an...

Page 182: ...ftware supports BGPv4 as well as the following deterministic multi exit discriminator MED default a path with a missing MED is treated as worst path and assigned an MED value of 0xffffffff the community format follows RFC 1998 delayed configuration the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions The following are not yet supporte...

Page 183: ...physically to one another unless you enable the EBGP multihop feature while internal BGP peers do not need to be directly connected The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router First the BGP process determines if all internal BGP peers are reachable then it determines which peers outside the AS are reachable NOTE Sample Configuratio...

Page 184: ...ou change the configuration of a BGP neighbor always reset it by entering the clear ip bgp command in EXEC Privilege mode To view the BGP configuration enter show config in CONFIGURATION ROUTER BGP mode To view the BGP status use the show ip bgp summary command in EXEC Privilege mode The first example shows the summary with a 2 byte AS number displayed in bold the second example shows that the sum...

Page 185: ...he same information as the show running config bgp command The following example displays two neighbors one is an external internal BGP neighbor and the second one is an internal BGP neighbor The first line of the output for each neighbor displays the AS number and states whether the link is an external or internal shown in bold The third line of the show ip bgp neighbors output contains the BGP S...

Page 186: ...te as 65123 neighbor 192 168 10 1 update source Loopback 0 neighbor 192 168 10 1 no shutdown neighbor 192 168 12 2 remote as 65123 neighbor 192 168 12 2 update source Loopback 0 neighbor 192 168 12 2 no shutdown Dell Configuring AS4 Number Representations Enable one type of AS number representation ASPLAIN ASDOT or ASDOT Term Description ASPLAIN Default method for AS number representation With the...

Page 187: ...1 250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i The following example shows the bgp asnotation asdot command output Dell conf router_bgp bgp asnotation asdot Dell conf router_bgp sho conf router bgp 100 bgp asnotation asdot bgp four octet as support neighbor 172 30 1 250 remote as 18508 neighbor 172 30 1 250 local as 65057 neighbor 172 30 1 250 route map rmap1 in neighbor 172 30 1...

Page 188: ...GP neighbor CONFIG ROUTERBGP mode neighbor ip address remote as as number 4 Enable the neighbor CONFIG ROUTERBGP mode neighbor ip address no shutdown 5 Add an enabled neighbor to the peer group CONFIG ROUTERBGP mode neighbor ip address peer group peer group name 6 Add a neighbor as a remote AS CONFIG ROUTERBGP mode neighbor ip address peer group name remote as as number Formats IP Address A B C D ...

Page 189: ...external fallover bgp log neighbor changes neighbor zanzibar peer group neighbor zanzibar shutdown neighbor 10 1 1 1 remote as 65535 neighbor 10 1 1 1 shutdown neighbor 10 14 8 60 remote as 18505 neighbor 10 14 8 60 no shutdown Dell conf router_bgp To enable a peer group use the neighbor peer group name no shutdown command in CONFIGURATION ROUTER BGP mode shown in bold Dell conf router_bgp neighbo...

Page 190: ...ly connected external peer fails When you enable fall over BGP tracks IP reachability to the peer remote address and the peer local address Whenever either address becomes unreachable for example no active route exists in the routing table for peer IPv6 destinations local address BGP brings down the session with the peer The BGP fast fall over feature is configured on a per neighbor or peer group ...

Page 191: ...in peer group outbound optimization For address family IPv4 Unicast BGP table version 52 neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0 denied 0 withdrawn 0 Connections established 6 dropped 5 Last reset 00 19 37 due to Reset by peer Notification History Connection Reset Sent 5 Recv 0 Local host 200 200 200 200 Local port 65519 Foreign host 100 100 100 100 Foreign por...

Page 192: ...gn a subnet to the peer group CONFIG ROUTER BGP mode neighbor peer group name subnet subnet number mask The peer group responds to OPEN messages sent on this subnet 3 Enable the peer group CONFIG ROUTER BGP mode neighbor peer group name no shutdown 4 Create and specify a remote peer for BGP neighbor CONFIG ROUTER BGP mode neighbor peer group name remote as as number Only after the peer group respo...

Page 193: ...or 192 168 10 1 update source Loopback 0 neighbor 192 168 10 1 no shutdown neighbor 192 168 12 2 remote as 65123 neighbor 192 168 12 2 update source Loopback 0 neighbor 192 168 12 2 no shutdown R2 conf router_bgp Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path The allow as feature permits a BGP sp...

Page 194: ...vertised it had graceful restart capability Continues forwarding traffic to the peer Flags routes from the peer as Stale and sets a timer to delete them if the peer does not perform a graceful restart Deletes all routes from the peer if forwarding state information is not saved Speeds convergence by advertising a special update packet known as an end of RIB marker This marker indicates the peer ha...

Page 195: ... neighbor ip address peer group name graceful restart Set the maximum restart time for the neighbor or peer group CONFIG ROUTER BGP mode neighbor ip address peer group name graceful restart restart time time in seconds The default is 120 seconds Local router supports graceful restart for this neighbor or peer group as a receiver only CONFIG ROUTER BGP mode neighbor ip address peer group name grace...

Page 196: ... the software allows all routes Example of the show ip bgp paths Command To view all BGP path attributes in the BGP database use the show ip bgp paths command in EXEC Privilege mode Dell show ip bgp paths Total 30655 Paths Address Hash Refcount Metric Path 0x4014154 0 3 18508 701 3549 19421 i 0x4013914 0 3 18508 701 7018 14990 i 0x5166d6c 0 3 18508 209 4637 1221 9249 9249 i 0x5e62df4 0 2 18508 701...

Page 197: ...or community numbers _ underscore Matches a a a comma a space or a or a Placed on either side of a string to specify a literal and disallow substring matching You can precede or follow numerals enclosed by underscores by any of the characters listed pipe Matches characters on either side of the metacharacter logical OR As seen in the following example the expressions are displayed when using the s...

Page 198: ...tly connected or user configured static routes in BGP ROUTER BGP or CONF ROUTER_BGPv6_ AF mode redistribute connected static route map map name Configure the map name parameter to specify the name of a configured route map Include specific ISIS routes in BGP ROUTER BGP or CONF ROUTER_BGPv6_ AF mode redistribute isis level 1 level 1 2 level 2 metric value route map map name Configure the following ...

Page 199: ...n the IP community list IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET NO_EXPORT_SUBCONFED NO_ADVERTISE and NO_EXPORT All BGP routes belong to the INTERNET community In the RFC the other communities are defined as follows All routes with the NO_EXPORT_SUBCONFED 0xFFFFFF03 community attribute are not sent to CONFED EBGP or EBGP peers but are sent to IBGP pe...

Page 200: ...y List To configure an IP extended community list use these commands 1 Create a extended community list and enter the EXTCOMMUNITY LIST mode CONFIGURATION mode ip extcommunity list extcommunity list name 2 Two types of extended communities are supported CONFIG COMMUNITY LIST mode permit deny rt soo ASN NN IPADDR N regex REGEX LINE Filter routes based on the type of extended communities they carry ...

Page 201: ...ed community list CONFIG ROUTE MAP mode match community community list name exact extcommunity extcommunity list name exact 3 Return to CONFIGURATION mode CONFIG ROUTE MAP mode exit 4 Enter ROUTER BGP mode CONFIGURATION mode router bgp as number AS number 0 to 65535 2 Byte or 1 to 4294967295 4 Byte or 0 1 to 65535 65535 Dotted format 5 Apply the route map to the neighbor or peer group s incoming o...

Page 202: ...p map name permit deny sequence number 2 Configure a set filter to delete all COMMUNITY numbers in the IP community list CONFIG ROUTE MAP mode set comm list community list name delete OR set community community number local as no advertise no export none Configure a community list by denying or permitting specific community numbers or types of community community number use AA NN format where AA i...

Page 203: ...55 i i 6 5 0 0 19 195 171 0 16 100 0 209 7170 1455 i i 6 8 0 0 20 195 171 0 16 100 0 209 7170 1455 i i 6 9 0 0 20 195 171 0 16 100 0 209 7170 1455 i i 6 10 0 0 15 195 171 0 16 100 0 209 7170 1455 i i 6 14 0 0 15 205 171 0 16 100 0 209 7170 1455 i i 6 133 0 0 21 205 171 0 16 100 0 209 7170 1455 i i 6 151 0 0 16 205 171 0 16 100 0 209 7170 1455 i More Changing MED Attributes By default Dell Networki...

Page 204: ...IG ROUTER BGP mode neighbor ip address peer group name route map map name in out To view the BGP configuration use the show config command in CONFIGURATION ROUTER BGP mode To view a route map configuration use the show route map command in EXEC Privilege mode Configuring the local System or a Different System to be the Next Hop for BGP Learned Routes You can configure the local router or a differe...

Page 205: ...t the range is from 0 to 65535 To view BGP configuration use the show config command in CONFIGURATION ROUTER BGP mode or the show running config bgp command in EXEC Privilege mode Enabling Multipath By default the software allows one path to a destination You can enable multipath to allow up to 64 parallel paths to a destination NOTE Dell Networking recommends not using multipath and add path simu...

Page 206: ...r routes using prefix lists use the following commands 1 Create a prefix list and assign it a name CONFIGURATION mode ip prefix list prefix name 2 Create multiple prefix list filters with a deny or permit action CONFIG PREFIX LIST mode seq sequence number deny permit any ip prefix ge le ge minimum prefix length to be matched le maximum prefix length to me matched For information about configuring ...

Page 207: ...r 2 Create multiple route map filters with a match or set action CONFIG ROUTE MAP mode match set For information about configuring route maps see Access Control Lists ACLs 3 Return to CONFIGURATION mode CONFIG ROUTE MAP mode exit 4 Enter ROUTER BGP mode CONFIGURATION mode router bgp as number 5 Filter routes based on the criteria in the configured route map CONFIG ROUTER BGP mode neighbor ip addre...

Page 208: ...nded for ASs with a large mesh they reduce the amount of BGP control traffic NOTE Dell Networking recommends not using multipath and add path simultaneously in a route reflector With route reflection configured properly IBGP routers are not fully meshed within a cluster but all receive routing information Configure clusters of routers where one router is a concentration router and the others are c...

Page 209: ...Network Next Hop Metric LocPrf Weight Path 7 0 0 0 29 10 114 8 33 0 0 18508 7 0 0 0 30 10 114 8 33 0 0 18508 a 9 0 0 0 8 192 0 0 0 32768 18508 701 7018 2686 3786 9 2 0 0 16 10 114 8 33 0 18508 701 i 9 141 128 0 24 10 114 8 33 0 18508 701 7018 2686 Dell Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations A...

Page 210: ...ng CONFIG ROUTER BGP mode bgp dampening half life reuse suppress max suppress time route map map name Enter the following optional parameters to configure route dampening parameters half life the range is from 1 to 45 Number of minutes after which the Penalty is decreased After the router assigns a Penalty of 1024 to a route the Penalty is decreased by half after the half life period expires The d...

Page 211: ...e the best path selection method to non deterministic Change the best path selection method to non deterministic CONFIG ROUTER BGP mode bgp non deterministic med NOTE When you change the best path selection method path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode Examples of Configuring a Route and Viewing the Number ...

Page 212: ...keepalive holdtime keepalive the range is from 1 to 65535 Time interval in seconds between keepalive messages sent to the neighbor routers The default is 60 seconds holdtime the range is from 3 to 65536 Time interval in seconds between the last keepalive message and declaring the router dead The default is 180 seconds Configure timer values for all neighbors CONFIG ROUTER BGP mode timers bgp keepa...

Page 213: ...ghbor address AS Numbers ipv4 peer group name soft in out Clears all peers neighbor address Clears the neighbor with this IP address AS Numbers Peers AS numbers to be cleared ipv4 Clears information for the IPv4 address family peer group name Clears all members of the specified peer group Enable soft reconfiguration for the BGP neighbor specified CONFIG ROUTER BGP mode neighbor ip address peer gro...

Page 214: ...6 unicast groups using the following command ROUTER BGP Mode shutdown address family ipv6 unicast When you configure BGP you must explicitly enable the BGP neighbors using the following commands neighbor ip address peer group name remote as as number neighbor ip address peer group name no shutdown For more information on enabling BGP see Enabling BGP When you use the shutdown all command in global...

Page 215: ...ists Set a Clause with a Continue Clause If the route map entry contains sets with the continue clause the set actions operation is performed first followed by the continue clause jump to the specified route map entry If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry the last set of actions over...

Page 216: ...ce manually To enable BGP to pick the next hop IPv6 address automatically for IPv6 prefix advertised over an IPv4 neighbor follow this procedure Enable the system to pick the next hop IPv6 address dynamically for IPv6 prefix advertised over an IPv4 neighbor ROUTER BGP mode mode neighbor neighbor ipv6 address peer group name auto local address Enter either the neighbor IPv6 address or the name of t...

Page 217: ...vilege mode To disable a specific debug command use the keyword no then the debug command For example to disable debugging of BGP updates use no debug ip bgp updates command To disable all BGP debugging use the no debug ip bgp command To disable all debugging use the undebug all command Storing Last and Bad PDUs Dell Networking OS stores the last notification sent received and the last bad protoco...

Page 218: ...rts a maximum value between 40 MB the default and 100 MB The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction Setting the buffer size to a value lower than the current maximum might cause captured PDUs to be freed to set the new limit NOTE Memory on RP1 is not pre allocated and is allocate...

Page 219: ...172 30 1 56 local AS number 65056 BGP table version is 313511 main routing table version 313511 207896 network entrie s and 207896 paths using 42364576 bytes of memory 59913 BGP path attribute entrie s using 2875872 bytes of memory 59910 BGP AS PATH entrie s using 2679698 bytes of memory 3 BGP community entrie s using 81 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up Down State Pfx...

Page 220: ...i 1 21 no shutdown R1 conf if gi 1 21 show config interface GigabitEthernet 1 21 ip address 10 0 1 21 24 no shutdown R1 conf if gi 1 21 int gi 1 31 R1 conf if gi 1 31 ip address 10 0 3 31 24 R1 conf if gi 1 31 no shutdown R1 conf if gi 1 31 show config interface GigabitEthernet 1 31 ip address 10 0 3 31 24 no shutdown R1 conf if gi 1 31 router bgp 99 R1 conf router_bgp network 192 168 128 0 24 R1 ...

Page 221: ...itEthernet 2 11 ip address 10 0 1 22 24 no shutdown R2 conf if gi 2 11 int gi 2 31 R2 conf if gi 2 31 ip address 10 0 2 2 24 R2 conf if gi 2 31 no shutdown R2 conf if gi 2 31 show config interface GigabitEthernet 2 31 ip address 10 0 2 2 24 no shutdown R2 conf if gi 2 31 R2 conf if gi 2 31 router bgp 99 R2 conf router_bgp network 192 168 128 0 24 R2 conf router_bgp neighbor 192 168 128 1 remote 99...

Page 222: ...router_bgp neighbor BBB no shutdown R1 conf router_bgp neighbor 192 168 128 2 peer group AAA R1 conf router_bgp neighbor 192 168 128 3 peer group BBB R1 conf router_bgp R1 conf router_bgp show config router bgp 99 network 192 168 128 0 24 neighbor AAA peer group neighbor AAA no shutdown neighbor BBB peer group neighbor BBB no shutdown neighbor 192 168 128 2 remote as 99 neighbor 192 168 128 2 peer...

Page 223: ... route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Example of Enabling Peer Groups Router 2 R2 conf R2 conf router bgp 99 R2 conf router_bgp neighbor CCC peer group R2 conf router_bgp neighbor CC no shutdown R2 conf router_bgp neighbor BBB peer group R2 conf router_bgp neighbor BBB no shutdown R2 conf router_bgp neigh...

Page 224: ...120 1 0 0 00 00 11 1 R3 show ip bgp neighbor BGP neighbor is 192 168 128 1 remote AS 99 external link Member of peer group BBB for session parameters BGP version 4 remote router ID 192 168 128 1 BGP state ESTABLISHED in this state for 00 00 21 Last read 00 00 09 last write 00 00 08 Hold time is 180 keepalive interval is 60 seconds Received 93 messages 0 in queue 5 opens 0 notifications 5 updates 8...

Page 225: ...te for 00 18 51 Last read 00 00 45 last write 00 00 44 Hold time is 180 keepalive interval is 60 seconds Received 138 messages 0 in queue 7 opens 2 notifications 7 updates 122 keepalives 0 route refresh requests Sent 140 messages 0 in queue Border Gateway Protocol IPv4 BGPv4 225 ...

Page 226: ...pace is allotted in field processor FP blocks The total space allocated must equal 13 FP blocks The following table lists the default CAM allocation settings NOTE There are 16 FP blocks but the system flow requires three blocks that cannot be reallocated The following table displays the default CAM allocation settings To display the default CAM allocation enter the show cam acl command Table 11 De...

Page 227: ... other blocks must be in factors of 2 For example a CLI configuration of 5 4 2 1 1 blocks is not supported a configuration of 6 4 2 1 blocks is supported For the new settings to take effect you must save the new CAM settings to the startup config write mem or copy run start then reload the system for the new settings to take effect CAM Allocation for Egress To allocate the space for egress L2 IPV4...

Page 228: ...n Privilege mode The Status column in the command output indicates whether or not you can enable the policy Example of the test cam usage Command Dell test cam usage service policy input test cam usage stack unit 2 po 0 Stack Unit Portpipe CAM Partition Available CAM Estimated CAM per Port Status 2 0 IPv4Flow 192 3 Allowed 64 Dell View CAM ACL Settings The show cam acl command shows the cam acl se...

Page 229: ... acl command are Dell show cam acl Chassis Cam ACL Current Settings in block sizes 1 block 128 entries L2Acl 6 Ipv4Acl 4 Ipv6Acl 0 Ipv4Qos 2 L2Qos 1 L2PT 0 IpMacAcl 0 VmanQos 0 VmanDualQos 0 EcfmAcl 0 FcoeAcl 0 iscsiOptAcl 0 ipv4pbr 0 vrfv4Acl 0 Openflow 0 fedgovacl 0 Stack unit 0 Current Settings in block sizes 1 block 128 entries L2Acl 6 Ipv4Acl 4 Ipv6Acl 0 Ipv4Qos 2 L2Qos 1 L2PT 0 IpMacAcl 0 Vm...

Page 230: ...eshoot CAM Profiling The following section describes CAM profiling troubleshooting QoS CAM Region Limitation To store QoS service policies the default CAM profile allocates a partition within the IPv4Flow region If the QoS CAM space is exceeded a message similar to the following displays EX2YD 12 DIFFSERV 2 DSA_QOS_CAM_INSTALL_FAILED Not enough space in L3 Cam PolicyQos for class 2 Gi 1 20 entries...

Page 231: ...ses security on the system by protecting the routing processor from unnecessary or DoS traffic giving priority to important control plane and management traffic CoPP uses a dedicated control plane configuration through the ACL and QoS command line interfaces CLIs to provide filtering and rate limiting capabilities for the control plane packets The following illustration shows an example of the dif...

Page 232: ...d to BGP If ICMP packets come at 400 PPS BGP packets may be dropped though ICMP packets are rate limited to 100 PPS You can solve this by increasing Q6 bandwidth to 700 PPS to allow both ICMP and BGP packets and then applying per flow CoPP for ICMP and BGP packets The setting of this Q6 bandwidth is dependent on the incoming traffic for the set of protocols sharing the same queue If you are not aw...

Page 233: ...cess list extended name cpu qos permit arp frrp gvrp isis lacp lldp stp 2 Create a Layer 3 extended ACL for control plane traffic policing for a particular protocol CONFIGURATION mode ip access list extended name cpu qos permit bgp dhcp dhcp relay ftp icmp igmp msdp ntp ospf pim ip ssh telnet vrrp 3 Create an IPv6 ACL for control plane traffic policing for a particular protocol CONFIGURATION mode ...

Page 234: ...icy cpuqos exit Dell conf qos policy in rate_limit_400k cpu qos Dell conf in qos policy cpuqos rate police 400 50 peak 600 50 Dell conf in qos policy cpuqos exit Dell conf qos policy in rate_limit_500k cpu qos Dell conf in qos policy cpuqos rate police 500 50 peak 1000 50 Dell conf in qos policy cpuqos exit The following example shows creating the QoS class map Dell conf class map match any class_...

Page 235: ...N mode qos policy input name cpu qos 2 Create an input policy map to assign the QoS policy to the desired service queues l CONFIGURATION mode policy map input name cpu qos service queue queue number qos policy name 3 Enter Control Plane mode CONFIGURATION mode control plane cpuqos 4 Assign a CPU queue based service policy on the control plane in cpu qos mode Enabling this command sets the queue ra...

Page 236: ...W packets packet streams that are trapped to CPU for logging info on MAC learn limit exceeded and other violations L3 packets with unknown destination for soft forwarding etc Other 4 CMIC queues will carry the L2 L3 well known protocol streams However there are about 20 well known protocol streams that have to share these 4 CMIC queues Before 9 4 0 0 Dell Networking OS used only 8 queues most of t...

Page 237: ...ng Policing provides a method for protecting CPU bound control plane packets by policing packets transmited to CPU with a specified rate and from undesired or malicious traffic This is done at each CPU queue on each unit FP Entries for Distribution of NDP Packets to Various CPU Queues At present generic mac based entries in system flow region will take IPv6 packets to CPU OSPFv3 33 33 0 0 0 5 Q7 3...

Page 238: ...RP 11 32 300 PIM IGMP MSDP MLD Catch All Entry for IPv6 Packets Dell Networking OS currently supports configuration of IPv6 subnets greater than 64 mask length but the agent writes it to the default LPM table where the key length is 64 bits The device supports table to store up to 256 subnets of maximum of 128 mask lengths This can be enabled and agent can be modified to update the 128 table for m...

Page 239: ...icy input ospfv3_rate cpu qos Dell conf in qos policy cpuqos rate police 1500 16 peak 1500 16 3 Create a QoS class map to differentiate the control plane traffic and assign to the ACL CONFIGURATION mode Dell conf class map match any ospfv3 cpu qos Dell conf class map cpuqos match ipv6 access group ospfv3 4 Create a QoS input policy map to match to the class map and qos policy for each desired prot...

Page 240: ... TCP TELNET any 23 _ Q6 CP _ VRRP any any _ Q7 CP _ Dell To view the queue mapping for the MAC protocols use the show mac protocol queue mapping command Example of Viewing Queue Mapping for MAC Protocols Dell show mac protocol queue mapping Protocol Destination Mac EtherType Queue EgPort Rate kbps ARP any 0x0806 Q5 Q6 CP _ FRRP 01 01 e8 00 00 10 11 any Q7 CP _ LACP 01 80 c2 00 00 02 0x8809 Q7 CP _...

Page 241: ...Dell Control Plane Policing CoPP 241 ...

Page 242: ...lay Agent This is an intermediary network device that passes DHCP messages between the client and server when the server is not on the same subnet as the host Topics DHCP Packet Format and Options Assign an IP Address using DHCP Implementation Information Configure the System to be a DHCP Server Configure the System to be a Relay Agent Configure the System to be a DHCP Client Configure the System ...

Page 243: ...ELEASE 8 DHCPINFORM Parameter Request List Option 55 Clients use this option to tell the server which parameters it requires It is a series of octets where each octet is DHCP option code Renewal Time Option 58 Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with the original server Rebinding Time Option 59 Specifies the amount of time after ...

Page 244: ...address to the accepted configuration parameters and stores the data in a database called a binding table The server then broadcasts a DHCPACK message which signals to the client that it may begin using the assigned parameters 5 When the client leaves the network or the lease time expires returns its IP address to the server in a DHCPRELEASE message There are additional messages that are used in c...

Page 245: ...support Dynamic ARP Inspection on 16 VLANs per system For more information refer to Dynamic ARP Inspection NOTE If the DHCP server is on the top of rack ToR and the VLTi ICL is down due to a failed link when a VLT node is rebooted in BMP Bare Metal Provisioning mode it is not able to reach the DHCP server resulting in BMP failure Configure the System to be a DHCP Server A DHCP server is a network ...

Page 246: ...rom 17 to 31 4 Display the current pool configuration DHCP POOL mode show config After an IP address is leased to a client only that client may release the address Dell Networking OS performs a IP MAC source address validation to ensure that no client can release another clients address This validation is a default behavior and is separate from IP MAC source address validation Configuration Tasks ...

Page 247: ...4 hours Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client To specify a default gateway follow this step Specify default gateway s for the clients on the subnet in order of preference DHCP POOL default router address Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods ...

Page 248: ...tically and then creates an entry in the binding table However the administrator can manually create an entry for a client manual bindings are useful when you want to guarantee that a particular network device receives a particular IP address Manual bindings can be considered single host address pools There is no limit on the number of manual bindings but you can only configure one manual binding ...

Page 249: ...d from INTERFACE mode as shown in the following illustration Specify multiple DHCP servers by using the ip helper address dhcp address command multiple times When you configure the ip helper address command the system listens for DHCP broadcast messages on port 67 The system rewrites packets received from the client and forwards them via unicast to the DHCP servers the system rewrites the destinat...

Page 250: ... 1 3 GigabitEthernet 1 3 is up line protocol is down Internet address is 10 11 0 1 24 Broadcast address is 10 11 0 255 Address determined by user input IP MTU is 1500 bytes Helper address is 192 168 0 1 192 168 0 2 Directed broadcast forwarding is disabled Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent 250 Dynamic...

Page 251: ...configure the switch so that it boots up in normal mode using the Dell Networking OS image and startup configuration file in local flash enter the reload type normal reload command and save it to the startup configuration Dell reload type normal reload Dell write memory Dell reload To re enable BMP mode for the next reload enter the reload type jump start command If the management port is associat...

Page 252: ... a new IP address from the DHCP server by releasing a dynamically acquired IP address while retaining the DHCP client configuration on the interface EXEC Privilege mode release dhcp interface type slot port 4 Acquire a new IP address with renewed lease time from a DHCP server EXEC Privilege mode renew dhcp interface type slot port To display DHCP client information use the following show commands ...

Page 253: ... by the DHCP client include the specific routes to reach a DHCP server in a different subnet and the management route DHCP Client Operation with Other Features The DHCP client operates with other Dell Networking OS features as the following describes Stacking The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions It periodically synchronizes the lease file wit...

Page 254: ...ack groups Define the configuration parameters on the DHCP server for each chassis based on the chassis MAC address Configure the following parameters unit number priority stack group ID The received stacking configuration is always applied on the master stack unit option 230 unit number 3 priority 2 stack group 14 Configure Secure DHCP DHCP as defined by RFC 2131 provides no authentication or sec...

Page 255: ...and binding type Every time the relay agent receives a DHCPACK on a trusted port it adds an entry to the table The relay agent checks all subsequent DHCP client originated IP traffic DHCPRELEASE DHCPNACK and DHCPDECLINE against the binding table to ensure that the MAC IP address pair is legitimate and that the packet arrived on the correct port Packets that do not pass this check are forwarded to ...

Page 256: ...ATION mode ipv6 dhcp snooping 2 Specify ports connected to IPv6 DHCP servers as trusted INTERFACE mode ipv6 dhcp snooping trust 3 Enable IPv6 DHCP snooping on a VLAN or range of VLANs CONFIGURATION mode ipv6 dhcp snooping vlan vlan id Adding a Static Entry in the Binding Table To add a static entry in the binding table use the following command Add a static entry in the binding table EXEC Privileg...

Page 257: ...e following command Display the contents of the binding table EXEC Privilege mode show ip dhcp snooping Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command Dell show ip dhcp snooping IP DHCP Snooping Enabled IP DHCP Snooping Mac Verification Disabled IP DHCP Relay Information option Disabled IP DHCP Relay Trust Downstream Disabled D...

Page 258: ...st the mac address stored in the snooping binding table Enable IPV6 DHCP snooping CONFIGURATION mode ipv6 dhcp snooping verify mac address Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE Line cards maintain a list of snooped VLANs When the binding table fills DHCP packets are dropped only on snooped VLANs wh...

Page 259: ... that specifies FF FF FF FF FF FF as the gateway s MAC address resulting in all clients broadcasting all internet bound packets MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted after which traffic from the gateway is broadcast Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with t...

Page 260: ... CP Dell To see how many valid and invalid ARP packets have been processed use the show arp inspection statistics command Dell show arp inspection statistics Dynamic ARP Inspection DAI Statistics Valid ARP Requests 0 Valid ARP Replies 1000 Invalid ARP Requests 1000 Invalid ARP Replies 0 Dell Bypassing the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as t...

Page 261: ...hich the requesting client is attached and the VLAN the client belongs to When you enable IP source address validation on a port the system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the permissible VLAN If an attacker is impostering as a legitimate client the source address appears on the wrong ingress port and th...

Page 262: ...itimate pair rather than validating each attribute individually You cannot configure IP MAC SAV with IP SAV 1 Allocate at least one FP block to the ipmacacl CAM region CONFIGURATION mode cam acl l2acl 2 Save the running config to the startup config EXEC Privilege mode copy running config startup config 3 Reload the system EXEC Privilege reload 4 Do one of the following Enable IP MAC SAV INTERFACE ...

Page 263: ...d packets on a particular interface Dell show ip dhcp snooping source address validation discard counters interface GigabitEthernet 1 1 deny access list on GigabitEthernet 1 1 Total cam count 2 deny vlan 10 count 0 packets deny vlan 20 count 0 packets Clearing the Number of SAV Dropped Packets To clear the number of SAV dropped packets use the clear ip dhcp snooping source address validation disca...

Page 264: ...default hash algorithm is 24 Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory CAM For example suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up In this case the forwarding information base FIB and CAM sorts them so that the ECMPs are always arranged This imple...

Page 265: ... A global default threshold of 60 is Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution Links are monitored in 15 second intervals for three consecutive instances Any deviation within that time causes a syslog to be sent and an alarm event generate When the deviation clears another syslog is sent and a clear alarm event generates For example li...

Page 266: ... conf ip ecmp group maximum paths 3 User configuration has been changed Save the configuration and reload to take effect Dell conf Creating an ECMP Group Bundle Within each ECMP group you can specify an interface If you enable monitoring for the ECMP group the utilization calculation is performed when the average utilization of the link bundle as opposed to a single link within the bundle exceeds ...

Page 267: ... multipath routes to the same network The system can generate a maximum of 512 unique ecmp groups The ecmp group indices are generated in even numbers 0 2 4 6 1022 and are for information only You can configure ecmp group with id 2 for link bundle monitoring This ecmp group is different from the ecmp group index 2 that is created by configuring routes and is automatically generated These two ecmp ...

Page 268: ... 2 validated cryptography module SSH Client SSH Server RSA Host Key Generation SCP File Transfers Currently other features using cryptography do not use the embedded FIPS 140 2 validated cryptography module Topics Configuration Tasks Preparing the System Enabling FIPS Mode Generating Host Keys Monitoring FIPS Mode Status Disabling FIPS Mode Configuration Tasks To enable FIPS cryptography complete ...

Page 269: ...a remote host is in the process of establishing an SSH session to the local system and has been prompted to accept a new host key or to enter a password but is not responding to the request Assuming this failure is a transient condition attempting to enable FIPS mode again should be successful To enable FIPS mode use the following command Enable FIPS mode from a console port CONFIGURATION fips mod...

Page 270: ...d FTP file transfers close Any existing host keys both RSA and RSA1 are deleted from system memory and NVRAM storage FIPS mode disables The SSH server re enables The Telnet server re enables if it is present in the configuration New 1024 bit RSA and RSA1 host key pairs are created To disable FIPS mode use the following command To disable FIPS mode from a console port CONFIGURATION mode no fips mod...

Page 271: ...g The Master node checks the status of the Ring by sending ring health frames RHF around the Ring from its Primary port and returning on its Secondary port If the Master node misses three consecutive RHFs the Master node determines the ring to be in a failed state The Master then sends a Topology Change RHF to the Transit Nodes informing them that the ring has changed This causes the Transit Nodes...

Page 272: ...ode begins learning the new topology Ring Restoration The Master node continues sending ring health frames out its primary port even when operating in the Ring Fault state After the ring is restored the next status check frame is received on the Master node s Secondary port This causes the Master node to transition back to the Normal state The Master node then logically blocks non control frames o...

Page 273: ...oth FRRP groups Switch R3 has two instances of FRRP running on it one for each ring The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202 Figure 30 Example of Multiple Rings Connected by Single Switch Important FRRP Points FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks The Master node o...

Page 274: ... one of four states Blocking State Accepts ring protocol packets but blocks data packets LLDP FEFD or other Layer 2 control packets are accepted Only the Master node Secondary port can enter this state Pre Forwarding State A transition state before moving to the Forward state Control traffic is forwarded but data traffic is blocked The Master node Secondary port transitions through this state duri...

Page 275: ...rts must be Layer 2 ports This is required for both Master and Transit nodes A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN for any other ring The control VLAN is not used to carry any data traffic it carries only RHFs The control VLAN cannot have members that are not ring ports If multiple rings share one or more member VLANs they cannot share any ...

Page 276: ... Create a VLAN with this ID number CONFIGURATION mode interface vlan vlan id VLAN ID from 1 to 4094 2 Tag the specified interface or range of interfaces to this VLAN CONFIG INT VLAN mode tagged interface range Interface For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the...

Page 277: ...faces to this VLAN CONFIG INT VLAN mode tagged interface range Interface For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information 3 Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring CONFIG FRRP mode interface primary i...

Page 278: ...ds Clear the counters associated with this Ring ID EXEC PRIVELEGED mode clear frrp ring id Ring ID the range is from 1 to 255 Clear the counters associated with all FRRP groups EXEC PRIVELEGED mode clear frrp Viewing the FRRP Configuration To view the configuration for the FRRP group use the following command Show the configuration for this FRRP group CONFIG FRRP mode show configuration Viewing th...

Page 279: ...itly for the interface The maximum number of rings allowed on a chassis is 255 Sample Configuration and Topology The following example shows a basic FRRP topology Example of R1 MASTER interface GigabitEthernet 1 24 no ip address switchport no shutdown interface GigabitEthernet 1 34 no ip address switchport no shutdown interface Vlan 101 no ip address tagged GigabitEthernet 1 24 34 no shutdown inte...

Page 280: ...ernet 3 14 21 no shutdown protocol frrp 101 interface primary GigabitEthernet 3 21 secondary GigabitEthernet 3 14 control vlan 101 member vlan 201 mode transit no disable FRRP Support on VLT Using FRRP rings you can inter connect VLT domains across data centers These FRRP rings make use of Layer2 VLANs that spawn across Data Centers and provide resiliency by detecting node or link level failures Y...

Page 281: ...e2 as the master node and VLT node1 as the trasit node In the FRRP ring R1 the primary interface for VLT Node1 is the VLTi P1 is the secondary interface which is an orphan port that is participating in the FRRP ring topology V1 is the control VLAN through which the RFHs are exchanged indicating the health of the nodes and the FRRP ring itself In addition to the control VLAN multiple member VLANS a...

Page 282: ...econdary port P2 is tagged to the control VLAN V1 VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer As a result of the VLT Node2 configuration on R2 the secondary interface P2 is blocked for the member VLANs M11 to Mn Following figure illustrated the FRRP Ring R1 topology Figure 32 FRRP Ring using VLTi links Important Points to Remember VLTi can be confi...

Page 283: ... As such the edge ports must still be statically configured with VLAN membership information and they do not run GVRP It is this information that is propagated to create dynamic VLAN membership in the core of the network Important Points to Remember GVRP propagates VLAN membership throughout a network GVRP allows end stations and switches to issue and revoke declarations relating to VLAN membershi...

Page 284: ...basis Enable GVRP on each port that connects to a switch where you want GVRP information exchanged In the following example GVRP is configured on VLAN trunk ports Figure 33 Global GVRP Configuration Example Basic GVRP configuration is a two step process 1 Enabling GVRP Globally 2 Enabling GVRP on a Layer 2 Interface Related Configuration Tasks Configure GVRP Registration Configure a GARP Timer 284...

Page 285: ... from INTERFACE mode or use the show gvrp interface command in EXEC or EXEC Privilege mode Configure GVRP Registration Configure GVRP registration There are two GVRP registration modes Fixed Registration Mode figuring a port in fixed registration mode allows for manual creation and registration of VLANs prevents VLAN deregistration and registers all VLANs known on other ports on the port For examp...

Page 286: ...ed The Leave timer must be greater than or equal to 3x the Join timer The Dell Networking OS default is 600ms LeaveAll After startup a GARP device globally starts a LeaveAll timer After expiration of this interval it sends out a LeaveAll message so that other GARP devices can re register all relevant attribute information The device then restarts the LeaveAll timer to begin a new cycle The LeaveAl...

Page 287: ... RPM Synchronization GARP VLAN Registration Protocol GVRP 287 ...

Page 288: ...siliency Hot Lock Behavior Topics Component Redundancy Pre Configuring a Stack Unit Slot Removing a Provisioned Logical Stack Unit Hitless Behavior Graceful Restart Software Resiliency Hot Lock Behavior Component Redundancy Dell Networking systems eliminate single points of failure by providing dedicated or load balanced redundancy for each component Automatic and Manual Stack Unit Failover Stack ...

Page 289: ...e Running Config no block sync done ACL Mgr no block sync done LACP no block sync done STP no block sync done SPAN no block sync done Dell Synchronization between Management and Standby Units Data between the Management and Standby units is synchronized immediately after bootup After the Management and Standby units have done an initial full synchronization block sync Dell Networking OS only updat...

Page 290: ...ronize Management and Standby units at any time use the following command Manually synchronize Management and Standby units EXEC Privilege mode redundancy synchronize full Pre Configuring a Stack Unit Slot You may also pre configure an empty stack unit slot with a logical stack unit To pre configure an empty stack unit slot use the following command Pre configure an empty stack unit slot with a lo...

Page 291: ...g table of the restarting router and its neighbors for a specified period to minimize the loss of packets A graceful restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change Packet loss is non zero but trivial and so is still called hitless Dell Networking OS supports graceful restart for the following protocols Border gateway Open sh...

Page 292: ...on and is used to identify the cause of the exception There are two types of core dumps application and kernel Application core dump is the contents of the memory allocated to a failed application at the time of an exception Kernel core dump is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications A ke...

Page 293: ...ting an IGMP Version Viewing IGMP Groups Adjusting Timers Preventing a Host from Joining a Group Enabling IGMP Immediate Leave IGMP Snooping Fast Convergence after MSTP Topology Changes Egress Interface Selection EIS for HTTP and IGMP Applications Designating a Multicast Router Interface IGMP Protocol Overview IGMP has three versions Version 3 obsoletes and is backwards compatible with version 2 v...

Page 294: ...nt to join the same multicast group only the report from the first host to respond reaches the querier and the remaining hosts suppress their responses For how the delay timer mechanism works refer to Adjusting Query and Response Timers 3 The querier receives the report for a group and adds the group to the list of multicast groups associated with its outgoing port to the subnet Multicast traffic ...

Page 295: ...t of sources that must be filtered An additional query type the Group and Source Specific Query keeps track of state changes while the Group Specific and General queries still refresh the existing state Reporting is more efficient and robust hosts do not suppress query responses non suppression helps track state and enables the immediate leave and IGMP snooping features state change reports are re...

Page 296: ...uery to verify that there are no hosts interested in any other sources The multicast router must satisfy all hosts if they have conflicting requests For example if another host on the subnet is interested in traffic from 10 11 1 3 the router cannot record the include request There are no other interested hosts so the request is recorded At this point the multicast routing protocol prunes the tree ...

Page 297: ...essary 2 The querier before making any state changes sends a group and source query to see if any other host is interested in these two sources queries for state changes are retransmitted multiple times If any are they respond with their current state information and the querier refreshes the relevant state information 3 Separately in the following illustration the querier sends a general query to...

Page 298: ... Enable a multicast routing protocol Related Configuration Tasks Viewing IGMP Enabled Interfaces Selecting an IGMP Version Viewing IGMP Groups Adjusting Timers Preventing a Host from Joining a Group Enabling IGMP Immediate Leave IGMP Snooping Fast Convergence after MSTP Topology Changes Designating a Multicast Router Interface 298 Internet Group Management Protocol IGMP ...

Page 299: ...with version 3 on the same subnet If hosts require IGMP version 3 you can switch to IGMP version 3 To switch to version 3 use the following command Switch to a different IGMP version INTERFACE mode ip igmp version Example of the ip igmp version Command Dell conf if gi 1 13 ip igmp version 3 Dell conf if gi 1 13 do show ip igmp interface GigabitEthernet 1 13 is up line protocol is down Inbound IGMP...

Page 300: ...timer expires in version 2 if another host responds before the timer expires the timer is nullified and no response is sent The maximum response time is the amount of time that the querier waits for a response to a query before taking further action The querier advertises this value in the query refer to the illustration in IGMP Version 2 Lowering this value decreases leave latency but increases r...

Page 301: ...lears the multicast routing table and re learns all groups even those not covered by the rules in the access list because there is an implicit deny all rule at the end of all access lists Therefore configuring an IGMP join request filter in this order might result in data loss If you must enter the ip igmp access group command before creating the access list prevent the Dell Networking OS from cle...

Page 302: ...previous illustration Table 17 Preventing a Host from Joining a Group Description Location Description 1 21 Interface GigabitEthernet 1 21 ip pim sparse mode ip address 10 11 12 1 24 no shutdown 1 31 Interface GigabitEthernet 1 31 ip pim sparse mode ip address 10 11 13 1 24 302 Internet Group Management Protocol IGMP ...

Page 303: ...pim sparse mode ip address 10 11 5 1 24 no shutdown 3 11 Interface GigabitEthernet 3 11 ip pim sparse mode ip address 10 11 13 2 24 no shutdown 3 21 Interface GigabitEthernet 3 21 ip pim sparse mode ip address 10 11 23 2 24 no shutdown Receiver 1 Interface VLAN 300 ip pim sparse mode ip address 10 11 3 1 24 untagged GigabitEthernet 1 1 no shutdown Receiver 2 Interface VLAN 400 ip pim sparse mode i...

Page 304: ... in a virtual local area network VLAN by default even though there may be only some interested hosts which is a waste of bandwidth If you enable IGMP snooping on a VLT unit IGMP snooping dynamically learned groups and multicast router ports are made to learn on the peer by explicitly tunneling the received IGMP control packets IGMP Snooping Implementation Information IGMP snooping on Dell Networki...

Page 305: ... VLAN mode show config Example of Configuration Output After Removing a Group Port Association Dell conf if vl 100 show config interface Vlan 100 no ip address ip igmp snooping fast leave shutdown Dell conf if vl 100 Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned unregistered frame the switch floods that packet out of all...

Page 306: ...de ip igmp snooping querier IGMP snooping querier does not start if there is a statically configured multicast router interface in the VLAN The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet When enabled IGMP snooping querier starts after one query interval in case no IGMP general query with IP SA lower than its VLAN IP addres...

Page 307: ... on the management port is dropped and received in the management port with destination on the front end port is dropped Switch destined traffic destination IP configured in the switch is Received in the front end port with destination IP equal to management port IP address or management port subnet broadcast address is dropped Received in the management port with destination IP not equal to manag...

Page 308: ... SNMP traps because these applications do not require a response after a packet is sent The switch also processes user specified port numbers for applications such as RADIUS TACACS SSH and sFlow The OS maintains a list of configured management applications and their port numbers You can configure two default routes one configured on the management port and the other on the front end port Two table...

Page 309: ...cations and route lookup for these applications is done in the default routing table only For ping and traceroute utilities that are initiated from the switch if reachability needs to be tested through routes in the management EIS routing table you must configure ICMP as a management application If ping and traceroute are destined to the management port IP address the response traffic for these pa...

Page 310: ...P packets received through the management interface a double route lookup is done one in the default routing table and another in the management EIS routing table This is because in the ARP layer we do not have TCP UDP port information to decide the table in which the route lookup should be done The show arp command is enhanced to show the routing table type for the ARP entry For the clear arp cac...

Page 311: ...ter is incremented for this case This counter is viewed using the netstat command like all other IP layer counters Consider a scenario in which ip1 is an address assigned to the management port and ip2 is an address assigned to any of the front panel port of a switch End users on the management and front panel port networks are connected In such an environment traffic received in the management po...

Page 312: ...ment port is an egress port for management applications If the management port is down or the destination is not reachable through the management port next hop ARP is not resolved and so on and if the destination is reachable through a data port then the management application traffic is sent out through the front end data port This fallback mechanism is required 2 Non Management Applications Appl...

Page 313: ... and also for ICMP based applications like ping and traceroute FTP SSH and Telnet are the applications that can function as servers for the TCP session EIS Behavior If source TCP or UDP port matches an EIS management or a non EIS management application and source IP address is management port IP address management port is the preferred egress port selected based on route lookup in EIS table If the...

Page 314: ...If DHCP Client is enabled on the management port a management default route is installed to the switch If management EIS is enabled this default route is added to the management EIS routing table and the default routing table ARP learn enable When ARP learn enable is enabled the switch learns ARP entries for ARP Request packets even if the packet is not destined to an IP configured in the box The ...

Page 315: ... Designate an interface as a multicast router interface ip igmp snooping mrouter interface Internet Group Management Protocol IGMP 315 ...

Page 316: ...annel Interfaces Advanced Interface Configuration Bulk Configuration Defining Interface Range Macros Monitoring and Maintaining Interfaces Link Dampening Link Bundle Monitoring Ethernet Pause Frames Configure the MTU Size on an Interface Port pipes Auto Negotiation on Ethernet Interfaces View Advanced Interface Information Topics Interface Types View Basic Interface Information Resetting an Interf...

Page 317: ...e Requires Creation Default State Physical L2 L3 Unset No Shutdown disabled Management N A N A No No Shutdown enabled Loopback L3 L3 Yes No Shutdown enabled Null N A N A No Enabled Port Channel L2 L3 L3 Yes Shutdown disabled VLAN L2 L3 L2 Yes except default L2 Shutdown disabled L3 No Shutdown enabled View Basic Interface Information To view basic interface information use the following command You...

Page 318: ...yte pkts 0 over 511 byte pkts 0 over 1023 byte pkts 0 Multicasts 3 Broadcasts 0 Unicasts 0 Vlans 0 throttles 0 discarded 0 collisions Rate info interval 299 seconds Input 00 00 Mbits sec 0 packets sec 0 00 of line rate Output 00 00 Mbits sec 0 packets sec 0 00 of line rate Time since last interface status change 00 00 31 Dell To view which interfaces are enabled for Layer 3 data transmission use t...

Page 319: ...id switchport rate interval 8 mac learning limit 10 no station move no shutdown 2 Reset an interface to its factory default state CONFIGURATION mode default interface interface type Dell conf default interface gigabitethernet 1 5 3 Verify the configuration INTERFACE mode show config Dell conf if gi 1 5 show config interface GigabitEthernet 1 5 no ip address shutdown All the applied configurations ...

Page 320: ...orts 1 To enable EEE use the eee command INTERFACE mode Dell conf interface gigabitethernet 1 1 Dell conf if gi 1 1 eee 2 To disable EEE use the no eee command INTERFACE mode Dell conf interface gigabitethernet 1 1 Dell conf if gi 1 1 no eee View EEE Information To view the details of Energy Efficient Ethernet EEE you can use the following show commands You have several options for viewing the det...

Page 321: ...Energy Efficient Ethernet Yes Last clearing of show interface counters 3d17h53m Queueing strategy fifo Input Statistics 0 packets 0 bytes 0 64 byte pkts 0 over 64 byte pkts 0 over 127 byte pkts 0 over 255 byte pkts 0 over 511 byte pkts 0 over 1023 byte pkts 0 Multicasts 0 Broadcasts 0 runts 0 giants 0 throttles 0 CRC 0 overrun 0 discarded Output Statistics 0 packets 0 bytes 0 underruns 0 64 byte p...

Page 322: ...Packet Frame Counter 0 RX Unicast Frame Counter 0 RX Multicast Frame Counter 0 RX Broadcast Frame Counter 0 RX Byte Counter 0 RX Control Frame Counter 0 RX Pause Control Frame Counter 0 RX Oversized Frame Counter 0 RX Jabber Frame Counter 0 RX VLAN Tag Frame Counter 0 RX Double VLAN Tag Frame Counter 0 RX RUNT Frame Counter 0 RX Fragment Counter 0 RX VLAN Tagged Packets 0 RX Ingress Dropped Packet...

Page 323: ...g Counter 6 0 TX Debug Counter 7 0 TX Debug Counter 8 0 TX Debug Counter 9 0 TX Debug Counter 10 0 TX Debug Counter 11 0 TX EEE LPI Event Counter 0 TX EEE LPI Duration Counter 0 Output Truncated The following example shows the hardware counters on specified stack unit Dell show hardware stack unit 10 unit 0 counters unit 0 port 1 interface Gi 10 1 Description Value RX IPV4 L3 Unicast Frame Counter...

Page 324: ...to 255 Byte Frame Counter 0 TX 256 to 511 Byte Frame Counter 0 TX 512 to 1023 Byte Frame Counter 0 TX 1024 to 1518 Byte Frame Counter 0 TX 1519 to 1522 Byte Good VLAN Frame Counter 0 TX 1519 to 2047 Byte Frame Counter 0 TX 2048 to 4095 Byte Frame Counter 0 TX 4096 to 9216 Byte Frame Counter 0 TX Good Packet Counter 0 TX Packet Frame Counter 0 TX Unicast Frame Counter 0 TX Multicast Frame Counter 0...

Page 325: ... 1 eee Clear eee counters on Gi 1 1 confirm y Dell Dell clear counters gigabitethernet 1 1 10 eee Clear eee counters on Gi 1 1 10 confirm y Dell Physical Interfaces The Management Ethernet interface is a single RJ 45 Fast Ethernet port on a switch The interface provides dedicated management access to the system Stack unit interfaces support Layer 2 and Layer 3 traffic over the 1 Gigabit Ethernet a...

Page 326: ...No Shutdown disabled Loopback Layer 3 Yes No shutdown enabled Null interface N A No Enabled Port Channel Layer 2 Layer 3 Yes Shutdown disabled VLAN Layer 2 Layer 3 Yes except for the default VLAN No shutdown active for Layer 2 Shutdown disabled for Layer 3 Configuring Layer 2 Data Link Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol STP on an interface unless th...

Page 327: ...tem must be in Layer 3 mode before you configure or enter a Layer 3 protocol mode for example OSPF Enable Layer 3 on an individual interface INTERFACE mode ip address ip address Enable the interface INTERFACE mode no shutdown Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command an error message is displayed show...

Page 328: ...llows you to isolate the management and front end port domains by preventing switch initiated traffic routing between the two domains This feature provides additional security by preventing flooding attacks on front end ports The following protocols support EIS DNS FTP NTP RADIUS sFlow SNMP SSH Syslog TACACS Telnet and TFTP This feature does not support sFlow on stacked units When you enable this ...

Page 329: ...ot supported on this interface To configure a management interface use the following commands Enter the slot and the port 1 to configure a Management interface CONFIGURATION mode interface managementethernet interface The slot range is 1 The port range is 1 Configure an IP address and mask on a Management interface INTERFACE mode ip address ip address mask ip address mask enter an address in dotte...

Page 330: ...y the virtual IP address not by the actual interface IP address assigned to it During an RPM failover you do not have to remember the IP address of the new RPM s management interface the system still recognizes the virtual IP address virtual ip is a CONFIGURATION mode command When applied the management port on the primary RPM assumes the virtual IP address Executing the show interfaces and show i...

Page 331: ...ation Gateway Dist Metric Last Change S 0 0 0 1 0 via 10 11 131 254 Gi 1 1 1 0 1d2h C 10 11 130 0 23 Direct Gi 0 48 0 0 1d2h Dell VLAN Interfaces VLANs are logical interfaces and are by default in Layer 2 mode Physical interfaces and port channels can be members of VLANs For more information about VLANs and Layer 2 see Layer 2 and Virtual LANs VLANs NOTE To monitor VLAN interfaces use Management I...

Page 332: ...cols on this interface to provide protocol stability You can place Loopback interfaces in default Layer 3 mode To configure view or delete a Loopback interface use the following commands Enter a number as the Loopback interface CONFIGURATION mode interface loopback number The range is from 0 to 16383 View Loopback interface configurations EXEC mode show interface loopback number Delete a Loopback ...

Page 333: ...pacity interfaces by utilizing a group of lower speed links For example you can build a 5 Gigabit interface by aggregating five 1 Gigabit Ethernet interfaces together If one of the five interfaces fails traffic is redistributed across the remaining interfaces Port Channel Implementation Dell Networking OS supports static and dynamic port channels Static Port channels that are statically configured...

Page 334: ...face speed that the first channel member sets That first interface may be either the interface that is physically brought up first or was physically operating when interfaces were added to the port channel For example if the first operational interface in the port channel is a Tengigabit Ethernet interface all interfaces at 10000 Mbps are kept up and all other interfaces that are not set to 10G sp...

Page 335: ...control Flow control can only be present on the physical interfaces if they are part of a port channel NOTE The system supports jumbo frames by default the default maximum transmission unit MTU is 1554 bytes To configure the MTU use the mtu command from INTERFACE mode To view the interface s configuration enter INTERFACE mode for that interface and use the show config command or from EXEC Privileg...

Page 336: ...the port channel to be the primary port The primary port replies to flooding and sends protocol data units PDUs An asterisk in the show interfaces port channel brief command indicates the primary port As soon as a physical interface is added to a port channel the properties of the port channel determine the properties of the physical interface The configuration and status of the port channel are a...

Page 337: ...Minimum Oper Up Links in a Port Channel You can configure the minimum links in a port channel LAG that must be in oper up status to consider the port channel to be in oper up status To set the oper up status of your links use the following command Enter the number of links in a LAG that must be in oper up status INTERFACE mode minimum links number The default is 1 Example of Configuring the Minimu...

Page 338: ... port channel perform the following 1 Configure VLAN membership on individual ports INTERFACE mode Dell conf if vlan tagged 2 3 4 2 Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface INTERFACE mode Dell conf if switchport 3 Verify the manually configured VLAN membership show interfaces switchport interface command EXEC mode Dell conf i...

Page 339: ... hashing A flow is identified by the hash and is assigned to one link In packet based hashing a single flow can be distributed on the LAG and uses one link Packet based hashing is used to load balance traffic across a port channel based on the IP Identifier field within the packet Load balancing uses source and destination packet information to get the greatest advantage of resources by distributi...

Page 340: ...hm CONFIGURATION mode hash algorithm ecmp crc16 crc16cc crc32LSB crc32MSB crc upper dest ip lsb xor1 xor2 xor4 xor8 xor16 Example of the hash algorithm Command Dell conf hash algorithm ecmp xor 26 lag crc 26 nh ecmp checksum 26 Dell conf The hash algorithm command is specific to ECMP group The default ECMP hash configuration is crc lower This command takes the lower 32 bits of the hash key to comp...

Page 341: ...faces appear in the order they were entered and are not sorted The show range command is available under Interface Range mode This command allows you to display all interfaces that have been validated under the interface range context The show configuration command is also available under Interface Range mode This command allows you to display the running configuration only for interfaces that are...

Page 342: ... 1 1 1 23 Dell conf if range gi 1 1 1 23 Exclude a Smaller Port Range The following is an example show how the smaller of two port ranges is omitted in the interface range prompt Example of the Interface Range Prompt for Multiple Port Ranges Dell conf interface range gigabitethernet 2 1 2 23 gigab 2 1 2 10 Dell conf if range gi 2 1 2 23 Overlap Port Ranges The following is an example showing how t...

Page 343: ...ws how to define an interface range macro named test to select Ten Gigabit Ethernet interfaces 5 1 through 5 4 Example of the define interface range Command for Macros Dell config define interface range test gigabitethernet 5 1 5 4 Choosing an Interface Range Macro To use an interface range macro use the following command Selects the interfaces range to be configured using the values saved in a na...

Page 344: ...Input underruns 0 0 pps 0 Input giants 0 0 pps 0 Input throttles 0 0 pps 0 Input CRC 0 0 pps 0 Input IP checksum 0 0 pps 0 Input overrun 0 0 pps 0 Output underruns 0 0 pps 0 Output throttles 0 0 pps 0 m Change mode c Clear screen l Page up a Page down T Increase refresh interval t Decrease refresh interval q Quit q Dell Maintenance Using TDR The time domain reflectometer TDR is supported on all De...

Page 345: ...ces are administratively brought up or down or if an interface state changes Every time an interface changes a state or flaps routing protocols are notified of the status of the routes that are affected by the change in state These protocols go through the momentous task of re converging Flapping therefore puts the status of entire network at risk of transient loops and black holes Link dampening ...

Page 346: ... 19 1 24 dampening 1 2 3 4 no shutdown To view dampening information on all or specific dampened interfaces use the show interfaces dampening command from EXEC Privilege mode Dell show interfaces dampening Interface Supp Flaps Penalty Half Life Reuse Suppress Max Sup State Gi 1 2 Up 0 0 1 2 3 4 Gi 1 2 Up 0 0 1 2 3 4 Gi 1 3 Up 0 0 1 2 3 4 Dell To view a dampening summary for the entire system use t...

Page 347: ...n when planning MTU sizes across a network The following table lists the range for each transmission media Transmission Media MTU Range in bytes Ethernet 594 12000 link MTU 576 9234 IP MTU Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time A threshold of 60 is defined as an acceptable amount o...

Page 348: ... enable reception of frames with destination address equal to this multicast address The PAUSE frame is defined by IEEE 802 3x and uses MAC Control frames to carry the PAUSE commands Ethernet pause frames are supported on full duplex only If a port is over subscribed Ethernet Pause Frame flow control does not ensure no loss behavior Restriction Ethernet Pause Frame flow control is not supported if...

Page 349: ...nter the keywords tx off so that flow control frames are not sent from this port to the connected device when a higher rate of traffic is received negotiate enable pause negotiation with the egress port of the peer device If the negotiate command is not used pause negotiation is disabled 40 gigabit Ethernet interfaces do not support pause negotiation Configure the MTU Size on an Interface If a pac...

Page 350: ...terfaces Only 10GE interfaces do not support auto negotiation When using 10GE interfaces verify that the settings on the connecting devices are set to no auto negotiation The local interface and the directly connected remote interface must have the same setting and auto negotiation is the easiest way to accomplish that as long as the remote interface is capable of auto negotiation NOTE As a best p...

Page 351: ...status use the show ip interface command Dell show interfaces status Port Description Status Speed Duplex Vlan Gi 1 1 Down 1000 Mbit Auto 1 Gi 1 2 Down Auto Auto 1 Gi 1 3 Down Auto Auto Gi 1 4 Force10Port Up 1000 Mbit Auto 30 130 Gi 1 5 Down Auto Auto Gi 1 6 Down Auto Auto Gi 1 7 Up 1000 Mbit Auto 1502 1504 1506 1508 1602 Gi 1 8 Down Auto Auto Gi 1 9 Down Auto Auto Gi 1 10 Down Auto Auto Gi 1 11 D...

Page 352: ... Guide NOTE While using 10GBASE T auto negotiation is enabled on the external PHY by default and auto negotiation should be enabled on the peer for the link to come up Adjusting the Keepalive Timer To change the time interval between keepalive messages on the interfaces use the keepalive command The interface sends keepalive messages to itself to test network connectivity on the interface To chang...

Page 353: ...hip Vlan 2 More Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds the default software polling is done once every 15 seconds So for example if you enter 19 you actually get a sample of the past 15 seconds All LAG members inherit the rate interval configuration from the LAG The following example shows how to configure rate interval when changing the...

Page 354: ...cksum 0 overrun 0 discarded 0 packets output 0 bytes 0 underruns Output 0 Multicasts 0 Broadcasts 0 Unicasts 0 IP Packets 0 Vlans 0 MPLS 0 throttles 0 discarded Rate info interval 100 seconds Input 00 00 Mbits sec 0 packets sec 0 00 of line rate Output 00 00 Mbits sec 0 packets sec 0 00 of line rate Time since last interface status change 1d23h42m Configuring the Traffic Sampling Size Globally You...

Page 355: ...00 of line rate Output 100 00 Mbits sec 4636111 packets sec 10 00 of line rate Time since last interface status change 01 07 44 Dell show int po 20 Port channel 20 is up line protocol is up Hardware address is 4c 76 25 f4 ab 02 Current address is 4c 76 25 f4 ab 02 Interface index is 1258301440 Minimum number of links to bring Port channel up is 1 Internet address is not set Mode of IPv4 Address As...

Page 356: ... or selected ones Without an interface specified the command clears all interface counters EXEC Privilege mode clear counters interface vrrp vrid learning limit OPTIONAL Enter the following interface keywords and slot port or number information For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword Te...

Page 357: ...nters Command When you enter this command confirm that you want Dell Networking OS to clear the interface counters for that interface Dell clear counters gi 1 1 Clear counters on GigabitEthernet 1 1 confirm Dell Interfaces 357 ...

Page 358: ...cannot enable IPSec on all packets in a communication session IPSec uses the following protocols Authentication Headers AH Disconnected integrity and origin authentication for IP packets Encapsulating Security Payload ESP Confidentiality authentication and data integrity for IP packets Security Associations SA Necessary algorithmic parameters for AH and ESP functionality IPSec supports the followi...

Page 359: ...28 23 match 1 tcp a 1 128 23 a 2 128 0 match 2 tcp a 1 128 0 a 2 128 21 match 3 tcp a 1 128 21 a 2 128 0 match 4 tcp 1 1 1 1 32 0 1 1 1 2 32 23 match 5 tcp 1 1 1 1 32 23 1 1 1 2 32 0 match 6 tcp 1 1 1 1 32 0 1 1 1 2 32 21 match 7 tcp 1 1 1 1 32 21 1 1 1 2 32 0 3 Apply the crypto policy to management traffic CONFIGURATION mode management crypto policy myCryptoPolicy Internet Protocol Security IPSec...

Page 360: ...e Static Routes for the Management Interface IPv4 Path MTU Discovery Overview Using the Configured Source IP Address in ICMP Messages Configuring the Duration to Establish a TCP Connection Enabling Directed Broadcast Resolution of Host Names Enabling Dynamic Resolution of Host Names Specifying the Local System Domain and a List of Domains Configuring DNS with Traceroute ARP Configuration Tasks for...

Page 361: ...inks than 30 bit masks Dell Networking OS supports RFC 3021 with ARP NOTE Even though Dell Networking OS listens to all ports you can only use the ports starting from 35001 for IPv4 traffic Ports starting from 0 to 35000 are reserved for internal use and you cannot use them for IPv4 traffic Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configurat...

Page 362: ...Routes A static route is an IP address that you manually configure and that the routing protocol does not learn such as open shortest path first OSPF Often static routes are used as backup routes in case other dynamically learned routes are unreachable You can enter as many static IP addresses as necessary To configure a static route use the following command Configure a static IP address CONFIGUR...

Page 363: ...e directly connected subnet of current IP address on the interface Dell Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface s configured subnet When the interface goes down Dell Networking OS withdraws the route When the interface comes up Dell Networking OS re installs the route When the recursive resolu...

Page 364: ... the layer 3 VLAN interfaces Because all of the Layer 3 interfaces are mapped to the VLAN ID of 4095 when VLAN sub interfaces are configured on it it is not possible to configure unique layer 3 MTU values for each of the layer 3 interfaces If a VLAN interface contains both IPv4 and IPv6 addresses configured on it both the IPv4 and IPv6 traffic are applied the same MTU size you cannot specify diffe...

Page 365: ... the wait duration in seconds for the TCP connection to be established CONFIGURATION mode Dell conf ip tcp reduced syn ack wait 9 75 You can use the no ip tcp reduced syn ack wait command to restore the default behavior which causes the wait period to be set as 8 seconds 2 View the interval that you configured for the device to wait before the TCP connection is attempted to be established EXEC mod...

Page 366: ...m OK IP 2 2 2 2 patch1 perm OK IP 192 68 69 2 tomm 3 perm OK IP 192 68 99 2 gxr perm OK IP 192 71 18 2 f00 3 perm OK IP 192 71 23 1 Dell To view the current configuration use the show running config resolve command Specifying the Local System Domain and a List of Domains If you enter a partial domain Dell Networking OS can search different domains to finish or fully qualify that partial domain A f...

Page 367: ...raceroute www force10networks com Translating www force10networks com domain server 10 11 0 1 OK Type Ctrl C to abort Tracing the route to www force10networks com 10 11 84 18 30 hops max 40 byte packets TTL Hostname Probe1 Probe2 Probe3 1 10 11 199 190 001 000 ms 001 000 ms 002 000 ms 2 gwegress sjc 02 force10networks com 10 11 30 126 005 000 ms 001 000 ms 001 000 ms 3 fw sjc 01 force10networks co...

Page 368: ...rf vrf name use the VRF option to configure a static ARP on that particular VRF ip address IP address in dotted decimal format A B C D mac address MAC address in nnnn nnnn nnnn format interface enter the interface type slot port information Example of the show arp Command These entries do not age and can only be removed manually To remove a static ARP entry use the no arp ip address command To vie...

Page 369: ...extreme caution ARP Learning via Gratuitous ARP Gratuitous ARP can mean an ARP request or reply In the context of ARP learning via gratuitous ARP on Dell Networking OS the gratuitous ARP is a request A gratuitous ARP request is an ARP request that is not needed according to the ARP specification but one that hosts may send to detect IP address conflicts inform switches of their presence on a port ...

Page 370: ...with the source IP of the request Configuring ARP Retries You can configure the number of ARP retries The default backoff interval remains at 20 seconds On the device the time between ARP resend is configurable This timer is an exponential backoff timer Over the specified period the time between ARP requests increases This time increase reduces the potential for the system to slow down while waiti...

Page 371: ...re disabled When enabled ICMP unreachable messages are created and sent out all interfaces To disable and re enable ICMP unreachable messages use the following commands To disable ICMP unreachable messages INTERFACE mode no ip unreachable Set Dell Networking OS to create and send ICMP unreachable messages on the interface INTERFACE mode ip unreachable To view if ICMP unreachable messages are sent ...

Page 372: ...f gi 1 1 ip udp helper udp port 1000 Dell conf if gi 1 1 show config interface GigabitEthernet 1 1 ip address 2 1 1 1 24 ip udp helper udp port 1000 no shutdown To view the interfaces and ports on which you enabled UDP helper use the show ip udp helper command from EXEC Privilege mode Dell show ip udp helper Port UDP port list Gi 1 1 1000 Configuring a Broadcast Address To configure a broadcast ad...

Page 373: ...e address to match the configured broadcast address In the following illustration 1 Packet 1 is dropped at ingress if you did not configure UDP helper address 2 If you enable UDP helper using the ip udp helper udp port command and the UDP destination port of the packet matches the UDP port configured the system changes the destination address to the configured broadcast 1 1 255 255 and routes the ...

Page 374: ...ed on VLAN 101 in its original condition as the forwarding process is Layer 2 Figure 43 UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces In the following illustration Packet 1 has a destination IP address that ma...

Page 375: ...ffffff will be sent on Gi 5 2 Gi 5 3 Vlan 3 01 44 54 Pkt rcvd on Gi 7 1 is handed over for DHCP processing When using the IP helper and UDP helper on the same interface use the debug ip dhcp command Example Output from the debug ip dhcp Command Packet 0 0 0 0 68 255 255 255 255 67 TTL 128 2005 11 05 11 59 35 RELAY I PACKET BOOTP REQUEST Unicast received at interface 172 21 50 193 BOOTP Request XID...

Page 376: ...rms refer to Implementing IPv6 with Dell Networking OS NOTE Even though Dell Networking OS listens to all ports you can only use the ports starting from 1024 for IPv6 traffic Ports from 0 to 1023 are reserved for internal use and you cannot use them for IPv6 traffic Topics Protocol Overview Implementing IPv6 with Dell Networking OS ICMPv6 Path MTU Discovery IPv6 Neighbor Discovery Configuration Ta...

Page 377: ...dresses using the dynamic host control protocol DHCP servers via stateful auto configuration NOTE Dell Networking OS provides the flexibility to add prefixes on Router Advertisements RA to advertise responses to Router Solicitations RS By default RA response messages are sent when an RS message is received Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side...

Page 378: ...ding and forwarding routers use this field to identify different IPv6 classes and priorities Routers understand the priority settings and handle them appropriately during conditions of congestion Flow Label 20 bits The Flow Label field identifies packets requiring special treatment in order to manage real time data traffic The sending router can label sequences of IPv6 packets so that forwarding r...

Page 379: ...gmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE This table is not a comprehensive list of Next Header field values For a complete and current listing refer to the Internet Assigned Numbers Authority IANA web page at Hop Limit 8 bits The Hop Limit field shows the number of hops remaining for packet processing In IPv4 this is know...

Page 380: ... by the value 0 zero in the Next Header field Extension headers are processed in the order in which they appear in the packet header Hop by Hop Options Header The Hop by Hop options header contains information that is examined by every router along the packet s path It follows the IPv6 header and is designated by the Next Header value 0 zero When a Hop by Hop Options header is not included the rou...

Page 381: ...e written using classless inter domain routing CIDR notation An IPv6 network or subnet is a contiguous group of IPv6 addresses the size of which must be a power of two the initial bits of addresses which are identical for all hosts in the network are called the network s prefix A network is denoted by the first address in the network and the size in bits of the prefix in decimal separated with a s...

Page 382: ...troduction Documentation and Chapter Location S3048 ON Basic IPv6 Commands 9 8 0 0 IPv6 Basic Commands in the Dell Networking OS Command Line Interface Reference Guide IPv6 Basic Addressing IPv6 address types Unicast 9 7 0 1 Extended Address Space IPv6 neighbor discovery 9 7 0 1 IPv6 Neighbor Discovery IPv6 stateless autoconfiguration 9 7 0 1 Stateless Autoconfiguration IPv6 MTU path discovery 9 7...

Page 383: ...and Line Reference Guide Telnet server over IPv6 inbound Telnet 9 7 0 1 Configuring Telnet with IPv6 Control and Monitoring in the Dell Networking OS Command Line Reference Guide Secure Shell SSH client support over IPv6 outbound SSH Layer 3 only 9 7 0 1 Secure Shell SSH Over an IPv6 Transport Secure Shell SSH server support over IPv6 inbound SSH Layer 3 only 9 7 0 1 Secure Shell SSH Over an IPv6 ...

Page 384: ...reater MTU settings increase processing efficiency because each packet carries more data while protocol overheads for example headers or underlying per packet delays remain fixed Figure 46 Path MTU Discovery Process IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol NDP is a top level protocol for neighbor discovery on an IPv6 network In place of address resolution protocol ARP NDP uses ...

Page 385: ...List for IPv6 RDNSS This section describes how to configure the IPv6 Recursive DNS Server This sections contains the following configuration task list for IPv6 RDNSS Configuring the IPv6 Recursive DNS Server Debugging IPv6 RDNSS Information Sent to the Host Displaying IPv6 RDNSS Information Configuring the IPv6 Recursive DNS Server You can configure up to four Recursive DNS Server RDNSS addresses ...

Page 386: ...onfigured correctly use the debug ipv6 nd command in EXEC Privilege mode Example of Debugging IPv6 RDNSS Information Sent to the Host The following example debugs IPv6 RDNSS information sent to the host Dell conf if gi 1 1 do debug ipv6 nd gigabitethernet 1 1 ICMPv6 Neighbor Discovery packet debugging is on for gigabitethernet 1 1 Dell conf if gi 1 1 00 13 02 cp ICMPV6 ND Sending RA on Gi 1 1 curr...

Page 387: ...ND router advertisements are sent every 198 to 600 seconds ND router advertisements live for 1800 seconds ND advertised hop limit is 64 IPv6 hop limit for originated packets is 64 ND dns server address is 1000 1 with lifetime of 1 seconds ND dns server address is 3000 1 with lifetime of 1 seconds ND dns server address is 2000 1 with lifetime of 0 seconds IP unicast RPF check is not supported To di...

Page 388: ...rofile allocations can use either even or odd numbered ranges The default option sets the CAM Profile as follows L3 ACL ipv4acl 6 L2 ACL l2acl 5 IPv6 L3 ACL ipv6acl 0 L3 QoS ipv4qos 1 L2 QoS l2qos 1 To have the changes take effect save the new CAM settings to the startup config write mem or copy run start then reload the system for the new settings Allocate space for IPV6 ACLs Enter the CAM profil...

Page 389: ...ros is accepted as described in Addressing Assigning a Static IPv6 Route To configure IPv6 static routes use the ipv6 route command NOTE After you configure a static IPv6 route the ipv6 route command and configure the forwarding router s address specified in the ipv6 route command on a neighbor s interface the IPv6 neighbor does not display in the show ipv6 route command output Set up IPv6 static ...

Page 390: ...notifications from a device running Dell Networking OS IPv6 The Dell Networking OS SNMP server commands for IPv6 have been extended to support IPv6 For more information regarding SNMP commands refer to the SNMP and SYSLOG chapters in the Dell Networking OS Command Line Interface Reference Guide snmp server host snmp server user ipv6 snmp server community ipv6 snmp server community access list name...

Page 391: ...a number from 1 to 4094 Example of the show ipv6 interface Command Dell show ipv6 int ManagementEthernet 1 1 ManagementEthernet 1 1 is up line protocol is up IPV6 is enabled Stateless address autoconfiguration is enabled Link Local address fe80 201 e8ff fe8b 386e Global Unicast address es Actual address is 400 201 e8ff fe8b 386e subnet is 400 64 Actual address is 412 201 e8ff fe8b 386e subnet is 4...

Page 392: ...6 route summary command Dell show ipv6 route summary Route Source Active Routes Non active Routes connected 5 0 static 0 0 Total 5 0 The following example shows the show ipv6 route command Dell show ipv6 route Codes C connected L local S static R RIP B BGP IN internal BGP EX external BGP LO Locally Originated O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OS...

Page 393: ...utdown Dell Clearing IPv6 Routes To clear routes from the IPv6 routing table use the following command Clear refresh all or a specific route from the IPv6 routing table EXEC mode clear ipv6 route ipv6 address prefix length all routes ipv6 address the format is x x x x x mask the prefix length is from 0 to 128 NOTE IPv6 addresses are normally written as eight groups of four hexadecimal digits where...

Page 394: ...vice role host router Use the keyword host to set the device role as host Use the keyword router to set the device role as router 5 Set the hop count limit POLICY LIST CONFIGURATION mode hop limit maximum minimum limit The hop limit range is from 0 to 254 6 Set the managed address configuration flag POLICY LIST CONFIGURATION mode managed config flag on off 7 Enable verification of the sender IPv6 ...

Page 395: ...on time range is from 100 to 4 294 967 295 milliseconds 15 Display the configurations applied on the RA guard policy mode POLICY LIST CONFIGURATION mode show config Example of the show config Command Dell conf ra_guard_policy_list show config ipv6 nd ra guard policy test device role router hop limit maximum 251 mtu 1350 other config flag on reachable time 540 retrans timer 101 router preference ma...

Page 396: ... nd ra guard policy test ipv6 nd ra guard policy test device role router hop limit maximum 1 match ra ipv6 access list access other config flag on router preference maximum medium trusted port Interfaces Gi 1 1 Dell Monitoring IPv6 RA Guard To debug IPv6 RA guard use the following command EXEC Privilege mode debug ipv6 nd ra guard interface slot port count value The count range is from 1 to 65534 ...

Page 397: ...uters Only Level 2 routers can exchange data packets or routing information directly with external routers located outside of the routing domains Level 1 2 systems manage both inter area and intra area traffic by maintaining two separate link databases one for Level 1 routes and one for Level 2 routes A Level 1 2 router does not advertise Level 2 routes to a Level 1 router To establish adjacencies...

Page 398: ...rtise IPv6 information in link state packets LSPs are defined to use only extended metrics The multi topology ID is shown in the first octet of the IS IS packet Certain MT topologies are assigned to serve predetermined purposes MT ID 0 Equivalent to the standard topology MT ID 1 Reserved for IPv4 in band management purposes MT ID 2 Reserved for IPv6 routing topology MT ID 3 Reserved for IPv4 multi...

Page 399: ...omputed by an active RPM have been downloaded into the forwarding information base FIB on the line cards the data plane For packets that have existing FIB content addressable memory CAM entries forwarding between ingress and egress ports can continue uninterrupted while the control plane IS IS process comes back to full functionality and rebuilds its routing tables A new TLV the Restart TLV is int...

Page 400: ... the PDUs Processes IPv6 information received in the PDUs Computes routes to IPv6 destinations Downloads IPv6 routes to the RTM for installing in the FIB Accepts external IPv6 information and advertises this information in the PDUs The following table lists the default IS IS values Table 26 IS IS Default Values IS IS Parameter Default Value Complete sequence number PDU CSNP interval 10 seconds IS ...

Page 401: ...outer forms Level 1 adjacencies with a neighboring Level 1 router and forms Level 2 adjacencies with a neighboring Level 2 router NOTE Even though you enable IS IS globally enable the IS IS process on an interface for the IS IS process to exchange protocol information and form adjacencies To configure IS IS globally use the following commands 1 Create an IS IS routing process CONFIGURATION mode ro...

Page 402: ...he IPv4 interface ROUTER ISIS mode ip router isis tag If you configure a tag variable it must be the same as the tag variable assigned in step 1 7 Enable IS IS on the IPv6 interface ROUTER ISIS mode ipv6 router isis tag If you configure a tag variable it must be the same as the tag variable assigned in step 1 Examples of the show isis Commands The default IS type is level 1 2 To change the IS type...

Page 403: ...ardless of the area address configured However if the area addresses are different the link between the Level 2 routers is only at Level 2 Configuring Multi Topology IS IS MT IS IS To configure multi topology IS IS MT IS IS use the following commands 1 Enable multi topology IS IS for IPv6 ROUTER ISIS AF IPV6 mode multi topology transition Enter the keyword transition to allow an IS IS IPv6 user to...

Page 404: ... time that the graceful restart timer T1 defines for a restarting router to use for each interface as an interval before regenerating Restart Request an IIH with RR bit set in Restart TLV after waiting for an acknowledgement ROUTER ISIS mode graceful restart t1 interval seconds retry times value interval wait time the range is from 5 to 120 The default is 5 retry times number of times an unacknowl...

Page 405: ...1 0 level 2 Restart ACK rcv count 0 level 1 0 level 2 Restart Req rcv count 0 level 1 0 level 2 Suppress Adj rcv count 0 level 1 0 level 2 Restart CSNP rcv count 0 level 1 0 level 2 Database Sync count 0 level 1 0 level 2 Circuit GigabitEthernet 2 10 Mode Normal L1 State NORMAL L2 State NORMAL L1 Send Receive RR 0 0 RA 0 0 SA 0 0 T1 time left 0 retry count left 0 L2 Send Receive RR 0 0 RA 0 0 SA 0...

Page 406: ...m 0 to 120 The default is 5 seconds The default level is Level 1 Set the LSP size ROUTER ISIS mode lsp mtu size size the range is from 128 to 9195 The default is 1497 Set the LSP refresh interval ROUTER ISIS mode lsp refresh interval seconds seconds the range is from 1 to 65535 The default is 900 seconds Set the maximum time LSPs lifetime ROUTER ISIS mode max lsp lifetime seconds seconds the range...

Page 407: ...Cost Range Supported on IS IS Interfaces narrow Sends and accepts narrow or old TLVs Type Length Value 0 to 63 wide Sends and accepts wide or new TLVs 0 to 16777215 transition Sends both wide new and narrow old TLVs 0 to 63 narrow transition Sends narrow old TLVs and accepts both narrow old and wide new TLVs 0 to 63 wide transition Sends wide new TLVs and accepts both narrow old and wide new TLVs ...

Page 408: ...an IPv6 link or interface INTERFACE mode isis ipv6 metric default metric level 1 level 2 default metric the range is from 0 to 63 for narrow and transition metric styles The range is from 0 to 16777215 for wide metric styles The default is 10 The default level is level 1 For more information about this command refer to Configuring the IS IS Metric Style The following table describes the correct va...

Page 409: ...nk State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT P OL B233 00 00 0x00000003 0x07BF 1088 0 0 0 eljefe 00 00 0x00000009 0xF76A 1126 0 0 0 eljefe 01 00 0x00000001 0x68DF 1122 0 0 0 eljefe 02 00 0x00000001 0x2E7F 1113 0 0 0 Force10 00 00 0x00000002 0xD1A7 1102 0 0 0 IS IS Level 2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT P OL B233 00 00 0x00000006 0xC38A 1124...

Page 410: ...e information For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information For a Loopback interface enter the keyword loopback then a number from 0 to 16383 For a port channel interface enter the keywords port channel then a number For a VLAN interface enter...

Page 411: ...OUTER ISIS AF IPV6 mode distribute list redistributed override in Redistributing IPv4 Routes In addition to filtering routes you can add routes from other routing instances or protocols to the IS IS process With the redistribute command syntax you can include BGP OSPF RIP static or directly connected routes in the IS IS process NOTE Do not route iBGP routes to IS IS unless there are route maps ass...

Page 412: ...l 2 assign all redistributed routes to a level The default is level 2 metric value the range is from 0 to 16777215 The default is 0 metric type choose either external or internal The default is internal map name enter the name of a configured route map Include specific OSPF routes in IS IS ROUTER ISIS mode redistribute ospf process id level 1 level 1 2 level 2 metric value match external 1 2 match...

Page 413: ...n EXEC Privilege mode To remove a password use either the no area password or no domain password commands in ROUTER ISIS mode Setting the Overload Bit Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first SPF calculations For example if the IS IS routing database is out of memory and cannot accept new LSPs Dell Netwo...

Page 414: ...about IS IS local update packets EXEC Privilege mode debug isis local updates interface To view specific information enter the following optional parameter interface Enter the type of interface and slot port information to view IS IS information on that interface only View IS IS SNP packets include CSNPs and PSNPs EXEC Privilege mode debug isis snp packets interface To view specific information en...

Page 415: ...e TLV Configure Metric Values For any level Level 1 Level 2 or Level 1 2 the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style The following describes the correct value range for the isis metric command Metric Style Correct Value Range for the isis metric Command wide 0 to 16777215 narrow 0 to 63 wide transition 0 to 16777215 narrow transition ...

Page 416: ...de original value narrow transition original value narrow narrow transition original value narrow wide transition original value transition wide original value transition narrow original value transition narrow original value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narro...

Page 417: ...ffer Leaks from One Level to Another In the following scenarios each IS IS level is configured with a different metric style Table 30 Metric Value with Different Levels Configured with Different Metric Styles Level 1 Metric Style Level 2 Metric Style Resulting Metric Value narrow wide original value narrow wide transition original value narrow narrow transition original value narrow transition ori...

Page 418: ... the router Dell clear isis ISIS not enabled Dell clear isis 9999 You can configure IPv6 IS IS routes in one of the following three different methods Congruent Topology You must configure both IPv4 and IPv6 addresses on the interface Enable the ip router isis and ipv6 router isis commands on the interface Enable the wide metrics parameter in router isis configuration mode Multi topology You must c...

Page 419: ...4 0000 0000 AAAA 00 Dell conf router_isis Dell conf if gi 3 17 show config interface GigabitEthernet 3 17 ipv6 address 24 3 1 76 ipv6 router isis no shutdown Dell conf if gi 3 17 Dell conf router_isis show config router isis net 34 0000 0000 AAAA 00 address family ipv6 unicast multi topology exit address family Dell conf router_isis Dell conf if gi 3 17 show config interface GigabitEthernet 3 17 i...

Page 420: ...ntly exchanging custom MAC protocol data units PDUs across local area network LAN Ethernet links The protocol packets are only exchanged between ports that are configured as LACP capable Important Points to Remember LACP allows you to add members to a port channel LAG as long as it has no static members Conversely if the LAG already contains a statically defined member the channel member command t...

Page 421: ... port in Active state A port in Active state can set up a LAG with another port in Passive state A port in Passive state cannot set up a LAG with another port in Passive state Configuring LACP Commands If you configure aggregated ports with compatible LACP modes Off Active Passive LACP can automatically link them as defined in IEEE 802 3 Section 43 To configure LACP use the following commands Conf...

Page 422: ...G is in the default VLAN To place the LAG into a non default VLAN use the tagged command on the LAG Dell conf interface vlan 10 Dell conf if vl 10 tagged port channel 32 Configuring the LAG Interfaces as Dynamic After creating a LAG configure the dynamic LAG interfaces To configure the dynamic LAG interfaces use the following command Configure the dynamic LAG interfaces CONFIGURATION mode port cha...

Page 423: ...n enter the lacp long timeout command for static LAGs but it has no effect To configure LACP long timeout use the following command Set the LACP timeout value to 30 seconds CONFIG INT PO mode lacp long timeout Example of the lacp long timeout and show lacp Commands Dell conf interface port channel 32 Dell conf if po 32 no shutdown Dell conf if po 32 switchport Dell conf if po 32 lacp long timeout ...

Page 424: ...c through the next lowest cost link R3 to R4 Dell Networking OS has the ability to bring LAG 2 down if LAG 1 fails so that traffic can be redirected This redirection is what is meant by shared LAG state tracking To achieve this functionality you must group LAG 1 and LAG 2 into a single entity called a failover group Configuring Shared LAG State Tracking To configure shared LAG state tracking you c...

Page 425: ...Changed interface state to down Po 2 To view the status of a failover group member use the show interface port channel command Dell show interface port channel 2 Port channel 2 is up line protocol is down Failover group 1 is down Hardware address is 00 01 e8 05 e8 4c Current address is 00 01 e8 05 e8 4c Interface index is 1107755010 Minimum number of links to bring Port channel up is 1 Port channe...

Page 426: ...ased on the following example topology Two routers are named ALPHA and BRAVO and their hostname prompts reflect those names Figure 52 LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA Example of Configuring a LAG Alpha conf interface port channel 10 Alpha conf if po 10 no ip address Alpha conf if po 10 switchport Alpha conf if po 10 no shutdown ...

Page 427: ...s 12 over 64 byte pkts 120 over 127 byte pkts 0 over 255 byte pkts 0 over 511 byte pkts 0 over 1023 byte pkts 132 Multicasts 0 Broadcasts 0 runts 0 giants 0 throttles 0 CRC 0 overrun 0 discarded Output Statistics 136 packets 16718 bytes 0 underruns 0 64 byte pkts 15 over 64 byte pkts 121 over 127 byte pkts 0 over 255 byte pkts 0 over 511 byte pkts 0 over 1023 byte pkts 136 Multicasts 0 Broadcasts ...

Page 428: ...Figure 53 Inspecting the LAG Configuration 428 Link Aggregation Control Protocol LACP ...

Page 429: ...Figure 54 Inspecting Configuration of LAG 10 on ALPHA Link Aggregation Control Protocol LACP 429 ...

Page 430: ...ha conf if gi 2 31 port channel protocol lacp Alpha conf if gi 2 31 lacp port channel 10 mode active Alpha conf if gi 2 31 lacp no shut Alpha conf if gi 2 31 show config interface GigabitEthernet 2 31 no ip address port channel protocol LACP port channel 10 mode active no shutdown Alpha conf if gi 2 31 interface Port channel 10 no ip address switchport no shutdown interface GigabitEthernet 2 31 no...

Page 431: ...1 Bravo conf no ip address Bravo conf no switchport Bravo conf shutdown Bravo conf if gi 3 21 port channel protocol lacp Bravo conf if gi 3 21 lacp port channel 10 mode active Bravo conf if gi 3 21 lacp no shut Bravo conf if gi 3 21 end interface GigabitEthernet 3 21 no ip address port channel protocol LACP port channel 10 mode active no shutdown Bravo conf if gi 3 21 end int port channel 10 no ip...

Page 432: ...Figure 56 Inspecting a LAG Port on BRAVO Using the show interface Command 432 Link Aggregation Control Protocol LACP ...

Page 433: ...Figure 57 Inspecting LAG 10 Using the show interfaces port channel Command Link Aggregation Control Protocol LACP 433 ...

Page 434: ...ed on both synchronous and asynchronous lines and can operate in Half Duplex or Full Duplex mode It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection As its name implies it is for point to point connections between exactly two devices and assumes that frames are sent and received in the same order 434 Link Aggregatio...

Page 435: ...ed entry all deletes all dynamic entries interface deletes all entries for the specified interface vlan deletes all entries for the specified VLAN Setting the Aging Time for Dynamic Entries Learned MAC addresses are entered in the table as dynamic entries which means that they are subject to aging For any dynamic entry if no packet arrives on the switch with the MAC address as the source or destin...

Page 436: ... entries for the specified VLAN MAC Learning Limit MAC address learning limit is a method of port security on Layer 2 port channel and physical interfaces and VLANs It allows you to set an upper limit on the number of MAC addresses that learned on an interface VLAN After the limit is reached the system drops all traffic from a device with an unlearned MAC address This section describes the followi...

Page 437: ...ress entries When you enable MAC learning limit entries created on this port are static by default When you configure the dynamic option learned MAC addresses are stored in the dynamic region and are subject to aging Entries created before this option is set are not affected Dell Networking OS Behavior If you do not configure the dynamic option the system does not detect station moves in which a M...

Page 438: ...d before you set this option are not affected To display a list of all interfaces with a MAC learning limit use the following command Display a list of all interfaces with a MAC learning limit EXEC Privilege mode show mac learning limit Dell Networking OS Behavior The systems do not generate a station move violation log entry for physical interfaces or port channels when you configure mac learning...

Page 439: ...learning limit violate action NOTE When the MAC learning limit MLL is configured as no station move the MLL will be processed as static entries internally For static entries the MAC address will be installed in all port pipes irrespective of the VLAN membership Recovering from Learning Limit and Station Move Violations After a learning limit or station move violation shuts down an interface you mu...

Page 440: ...cing and to fully utilize network adapter resources The following illustration shows a topology where two NICs have been teamed together In this case if the primary NIC fails traffic switches to the secondary NIC because they are represented by the same set of addresses Figure 59 Redundant NICs with NIC Teaming When you use NIC teaming consider that the server MAC address is originally learned on ...

Page 441: ...t links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link NOTE For more information about STP refer to Spanning Tree Protocol STP Assign a backup interface to an interface using the switchport backup command The backup interface remains in a Down state until the primary fails at which point it transitions to Up state If the prima...

Page 442: ...or dynamic LAG primary interface is a static or dynamic LAG the backup interface can be a physical interface primary interface is a static or dynamic LAG the backup interface can be a static or dynamic LAG In a redundant pair any combination of physical and port channel interfaces is supported as the two interfaces in a redundant pair For example you can configure a static without LACP or dynamic ...

Page 443: ...shutdown interface GigabitEthernet 3 42 no ip address switchport no shutdown Dell conf if range Gi 3 41 42 Dell conf if range Gi 3 41 42 do show ip int brief find 3 41 GigabitEthernet 3 41 unassigned YES Manual up up GigabitEthernet 3 42 unassigned NO Manual up down output omitted Dell conf if range Gi 3 41 42 interface gig 3 41 Dell conf if Gi 3 41 shutdown 00 24 53 RPM0 P CP IFMGR 5 ASTATE_DN Ch...

Page 444: ...on Far end failure detection FEFD is a protocol that senses remote data link errors in a network FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval You can enable FEFD globally or locally on an interface basis Disabling the global FEFD configuration does not disable the interface configuration Figure 62 Configuring Far End Failure Dete...

Page 445: ... intervals the state changes to Err disabled You must manually reset all interfaces in the Err disabled state using the fefd reset interface command in EXEC privilege mode it can be done globally or one interface at a time before the FEFD enabled system can become operational again Table 31 State Change When Configuring FEFD Local Event Mode Local State Remote State Local Admin Status Local Protoc...

Page 446: ...hutdown 3 Enable fefd globally CONFIGURATION mode fefd global interval mode Example of the show fefd Command To display information about the state of each interface use the show fefd command in EXEC privilege mode Dell show fefd FEFD is globally ON interval is 3 seconds mode is Normal INTERFACE MODE INTERVAL STATE second Gi 1 1 Normal 3 Bi directional Gi 1 2 Normal 3 Admin Shutdown Gi 1 3 Normal ...

Page 447: ...de normal no shutdown Dell conf if gi 1 1 do show fefd grep 1 1 Gi 1 1 Normal 3 Unknown Debugging FEFD To debug FEFD use the first command To provide output for each packet transmission over the FEFD enabled connection use the second command Display output whenever events occur that initiate or disrupt an FEFD enabled connection EXEC Privilege mode debug fefd events Provide output for each packet ...

Page 448: ... 1 1 Peer info Mgmt Mac 00 01 e8 14 89 25 Slot Port Gi 4 1 Sender hold time 3 second An RPM Failover In the event that an RPM failover occurs FEFD becomes operationally down on all enabled ports for approximately 8 10 seconds before automatically becoming operational again 02 05 2009 12 40 38 Local7 Debug 10 16 151 12 Feb 5 07 06 09 RPM1 S CP RAM 6 FAILOVER_REQ RPM failover request from active pee...

Page 449: ... The kind of information included in the TLV Length The value in octets of the TLV after the Length field Value The configuration information that the agent is advertising The chassis ID TLV is shown in the following illustration Figure 63 Type Length Value TLV Segment TLVs are encapsulated in a frame called an LLDP data unit LLDPDU shown in the following table which is transmitted from one LLDP e...

Page 450: ... sub types are Management TLVs IEEE 802 1 IEEE 802 3 and TIA 1057 Organizationally Specific TLVs Figure 64 LLDPDU Frame Optional TLVs The Dell Networking OS supports these optional TLVs management TLVs IEEE 802 1 and 802 3 organizationally specific TLVs and TIA 1057 organizationally specific TLVs Management TLVs A management TLV is an optional TLVs sub type This kind of TLV contains essential mana...

Page 451: ...phone DOCSIS cable device end station only or other 8 Management address Indicates the network address of the management interface Dell Networking OS does not currently support this TLV IEEE 802 1 Organizationally Specific TLVs 127 Port VLAN ID On Dell Networking systems indicates the untagged VLAN to which a port belongs 127 Port and Protocol VLAN ID On Dell Networking systems indicates the tagge...

Page 452: ...MED Endpoint Device any device that is on an IEEE 802 LAN network edge can communicate using IP and uses the LLDP MED framework LLDP MED Network Connectivity Device any device that provides access to an IEEE 802 LAN to an LLDP MED endpoint device and supports IEEE 802 1AB LLDP and TIA 1057 LLDP MED The Dell Networking system is an LLDP MED network connectivity device Regarding connected endpoint d...

Page 453: ...l in LLDP MED devices None or all TLVs must be supported Dell Networking OS does not currently support these TLVs 127 5 Inventory Hardware Revision Indicates the hardware revision of the LLDP MED device 127 6 Inventory Firmware Revision Indicates the firmware revision of the LLDP MED device 127 7 Inventory Software Revision Indicates the software revision of the LLDP MED device 127 8 Inventory Ser...

Page 454: ...g OS using the advertise med command the system begins transmitting this TLV Figure 66 LLDP MED Capabilities TLV Table 35 Dell Networking OS LLDP MED Capabilities Bit Position TLV Dell Networking OS Support 0 LLDP MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI PSE Yes 4 Extended Power via MDI PD No 5 Inventory No 6 15 reserved No Table 36 LLDP MED ...

Page 455: ...ting interactive voice services 2 Voice Signaling Specify this application type only if voice control packets use a separate network policy than voice data 3 Guest Voice Specify this application type for a separate limited voice service for guest users with their own IP telephony handsets and other appliances supporting interactive voice services 4 Guest Voice Signaling Specify this application ty...

Page 456: ...working advertises the maximum amount of power that can be supplied on the port By default the power is 15 4W which corresponds to a power value of 130 based on the TIA 1057 specification You can advertise a different power value using the max milliwatts option with the power inline auto static command Dell Networking also honors the power value power requirement the powered device sends when the ...

Page 457: ...ello LLDP hello configuration mode LLDP mode configuration default rx and tx multiplier LLDP multiplier configuration no Negate a command or set its defaults show Show LLDP configuration Dell conf lldp exit Dell conf interface gigabitethernet 1 3 Dell conf if gi 1 3 protocol lldp Dell conf if gi 1 3 lldp advertise Advertise TLVs disable Disable LLDP protocol on this interface end Exit from configu...

Page 458: ...DP on management ports use the following command 1 Enter Protocol LLDP mode CONFIGURATION mode protocol lldp 2 Enter LLDP management interface mode LLDP MANAGEMENT INTERFACE mode management interface 3 Enter the disable command LLDP MANAGEMENT INTERFACE mode To undo an LLDP management port configuration precede the relevant command with the keyword no Advertising TLVs You can configure the system ...

Page 459: ...s system capabilities system description For 802 1 TLVs port protocol vlan id port vlan id vlan name For 802 3 TLVs max frame size For TIA 1057 TLVs guest voice guest voice signaling location identification power via mdi softphone voice streaming video video conferencing video signaling voice voice signaling In the following example LLDP is enabled globally R1 and R2 are transmitting periodic LLDP...

Page 460: ...31 protocol lldp Dell conf if gi 1 31 lldp show config protocol lldp Dell conf if gi 1 31 lldp Viewing Information Advertised by Adjacent LLDP Neighbors To view brief information about adjacent devices or to view all the information that neighbors are advertising use the following commands Display brief information about adjacent devices show lldp neighbors Display all of the information that neig...

Page 461: ... 4 109 4 110 4 111 4 112 4 113 4 114 4 115 4 116 4 117 4 118 4 119 4 120 4 121 4 122 4 123 4 124 4 125 4 126 4 The neighbors are given below Remote Chassis ID Subtype Mac address 4 Remote Chassis ID 00 00 00 00 00 03 Remote Port Subtype Interface name 5 Remote Port ID TenGigabitEthernEt 0 40 Local Port ID GigabitEthernet 1 1 Locally assigned remote Neighbor Index 1 Remote TTL 120 Information valid...

Page 462: ...nds Time since last information change of this neighbor 01 03 07 Remote System Name MANAGEMENT C5 Remote System Desc Force10 Networks Real Time Operating System Software Force10 Operating System Version 1 0 Force10 Application Software Version 8 3 5 0 Copyright c 1999 2010 by Force10 Networks Inc Build Time Sat Dec 11 19 35 32 2010 Existing System Capabilities Repeater Bridge Router Enabled System...

Page 463: ...an be configured through three methods CLI Through the snmp notification interval CLI Example snmp notification interval 5 3600 SNMP Through the snmpset command Example snmpset c public v2c 10 16 127 10 LLDP MIB lldpNotificationInterval 0 I 20 REST API Through configuring by REST API method Configuring Transmit and Receive Mode After you enable LLDP the system transmits and receives LLDPDUs by def...

Page 464: ...of 120 seconds Adjust the TTL value CONFIGURATION mode or INTERFACE mode multiplier Return to the default multiplier value CONFIGURATION mode or INTERFACE mode no multiplier Example of the multiplier Command to Configure Time to Live R1 conf lldp show config protocol lldp advertise dot1 tlv port protocol vlan id port vlan id advertise dot3 tlv max frame size advertise management tlv system capabil...

Page 465: ...gnized TLVs The following is an example of LLDPDU with unrecognized TLVs NOS conf do debug lldp interface managementethernet 1 1 packet detail rx NOS conf 23 22 29 Recieved LLDP pkt on Ma 1 1 of length 1514 23 22 29 Packet dump 23 22 29 01 80 c2 00 00 0e 64 00 6a e6 9a 58 88 cc 02 07 23 22 29 04 64 00 6a e6 9a 56 04 15 05 47 69 67 61 62 69 23 22 29 74 45 74 68 65 72 6e 65 74 20 31 2f 31 32 06 02 2...

Page 466: ...TL lldpRxInfoTTL Time to live for received TLVs txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs Basic TLV Selection mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnable Indicates which management TLVs are enabled for system ports mibMgmtAddrInstanceTxEnable lldpManAddrPortsTxEnable The management addresses defined for the system and the ports through which they are enabled for transmission LL...

Page 467: ...ocPortDesc Remote lldpRemPortDesc 5 System Name system name Local lldpLocSysName Remote lldpRemSysName 6 System Description system description Local lldpLocSysDesc Remote lldpRemSysDesc 7 System Capabilities system capabilities Local lldpLocSysCapSupported Remote lldpRemSysCapSupported 8 Management Address enabled capabilities Local lldpLocSysCapEnabled Remote lldpRemSysCapEnabled management addre...

Page 468: ...na bled PPVID Local lldpXdot1LocProtoVlanId Remote lldpXdot1RemProtoVlanId 127 VLAN Name VID Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId VLAN name length Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName VLAN name Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Table 41 LLDP MED System MIB Objects TLV Sub Type TLV Name TLV Variable System LLDP MED MIB Object 1 LLDP MED Capabilit...

Page 469: ...PolicyP riority DSCP Value Local lldpXMedLocMediaPolicyDs cp Remote lldpXMedRemMediaPolicyD scp 3 Location Identifier Location Data Format Local lldpXMedLocLocationSubty pe Remote lldpXMedRemLocationSubt ype Location ID Data Local lldpXMedLocLocationInfo Remote lldpXMedRemLocationInfo 4 Extended Power via MDI Power Device Type Local lldpXMedLocXPoEDeviceTy pe Remote lldpXMedRemXPoEDeviceT ype Powe...

Page 470: ...ocXPoEPSEPort PDPriority Remote lldpXMedRemXPoEPSEPo werPriority lldpXMedRemXPoEPDPow erPriority Power Value Local lldpXMedLocXPoEPSEPort PowerAv lldpXMedLocXPoEPDPowe rReq Remote lldpXMedRemXPoEPSEPo werAv lldpXMedRemXPoEPDPow erReq 470 Link Layer Discovery Protocol LLDP ...

Page 471: ...forwards to all the servers in the VLAN corresponding to the cluster virtual IP address NLB Unicast Mode Scenario Consider a topology in which you configure four servers S1 through S4 as a cluster or a farm This set of servers connects to a Layer 3 switch which connects to the end clients The servers contain a single IP address IP cluster address of 172 16 2 20 and a single unicast MAC address MAC...

Page 472: ...irtual MAC address is never learned Because the virtual MAC address is never learned traffic is forwarded to only one server rather than the entire cluster and failover and balancing are not preserved To preserve failover and balancing the switch forwards the traffic destined for the server cluster to all member ports in the VLAN connected to the cluster To ensure that this happens use the ip vlan...

Page 473: ...ch CONFIGURATION mode arp ip address multicast mac address interface This setting causes the multicast MAC address to be mapped to the Cluster IP address for the NLB mode of operation of the switch NOTE While configuring static ARP for the Cluster IP provide any one of the interfaces that is used in the static multicast MAC configuration where the Cluster host is connected As the switch does not a...

Page 474: ...ol TCP Through this connection peers advertise the sources in their domain 1 When an RP in a PIM SM domain receives a PIM register message from a source it sends a source active SA message to MSDP peers as shown in the following illustration 2 Each MSDP peer receives and forwards the message to its peers away from the originating RP 3 When an MSDP peer receives an SA message it determines if there...

Page 475: ...ng MSDP anycast RP provides load sharing and redundancy in PIM SM networks Anycast RP allows two or more rendezvous points RPs to share the load for source registration and the ability to act as hot backup routers for each other Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces The Anycast RP Loopback address are configured with a 32 bit mask making...

Page 476: ...Refer to the following figures The MSDP Sample Configurations show the OSPF BGP configuration used in this chapter for MSDP Also refer to Open Shortest Path First OSPFv2 and Border Gateway Protocol IPv4 BGPv4 2 Configure PIM SM within each EGP routing domain Refer to the following figures The MSDP Sample Configurations show the PIM SM configuration in this chapter for MSDP Also refer to PIM Sparse...

Page 477: ...Figure 73 Configuring Interfaces for MSDP Multicast Source Discovery Protocol MSDP 477 ...

Page 478: ...Figure 74 Configuring OSPF and BGP for MSDP 478 Multicast Source Discovery Protocol MSDP ...

Page 479: ...Figure 75 Configuring PIM in Multiple Routing Domains Multicast Source Discovery Protocol MSDP 479 ...

Page 480: ...SDP CONFIGURATION mode ip multicast msdp 2 Peer PIM systems in different administrative domains CONFIGURATION mode ip msdp peer connect source Examples of Configuring and Viewing MSDP R3 conf ip multicast msdp R3 conf ip msdp peer 192 168 0 1 connect source Loopback 0 480 Multicast Source Discovery Protocol MSDP ...

Page 481: ...lower join latency RPs can transmit SA messages periodically to prevent SA storms only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information Viewing the Source Active Cache To view the source active cache use the following command View the SA cache EXEC Privilege mode show ip msdp sa cache Example of the show ip msdp sa cache ...

Page 482: ...he rejected sources CONFIGURATION mode ip msdp cache rejected sa Accept Source Active Messages that Fail the RFP Check A default peer is a peer from which active sources are accepted even though they fail the RFP check Referring to the following illustrations In Scenario 1 all MSPD peers are up In Scenario 2 the peership between RP1 and RP2 is down but the link and routing protocols between them i...

Page 483: ...Figure 77 MSDP Default Peer Scenario 2 Multicast Source Discovery Protocol MSDP 483 ...

Page 484: ...Figure 78 MSDP Default Peer Scenario 3 484 Multicast Source Discovery Protocol MSDP ...

Page 485: ...t specify an access list the peer accepts all sources that peer advertises All sources from RPs that the ACL denies are subject to the normal RPF check Example of the ip msdp default peer Command and Viewing Denied Sources Dell conf ip msdp peer 10 0 50 2 connect source Vlan 50 Dell conf ip msdp default peer 10 0 50 2 list fifty Dell conf ip access list standard fifty Dell conf seq 5 permit host 2...

Page 486: ... discarded To enforce the limit in such a situation first clear the SA cache Preventing MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and or group Because the source is not cached it is not advertised to remote RPs 1 OPTIONAL Cache sources that are denied by the redistribute list in the rejected SA cache CONFIGURATION mode ip msdp cache rejecte...

Page 487: ... expires and is not stored in the rejected SA cache Router 3 R3 conf do show run msdp ip multicast msdp ip msdp peer 192 168 0 1 connect source Loopback 0 ip msdp sa filter in 192 168 0 1 list myremotefilter R3 conf do show run acl ip access list extended myremotefilter seq 5 deny ip host 239 0 0 1 host 10 11 4 2 R3 conf do show ip msdp sa cache MSDP Source Active Cache 1 entries GroupAddr SourceA...

Page 488: ... configured SA filters for a peer use the show ip msdp peer command from EXEC Privilege mode Logging Changes in Peership States To log changes in peership states use the following command Log peership state changes CONFIGURATION mode ip msdp log adjacency changes Terminating a Peership MSDP uses TCP as its transport protocol In a peering relationship the peer with the lower IP address initiates th...

Page 489: ...ering Input S G filter myremotefilter Output S G filter none R3 conf do clear ip msdp peer 192 168 0 1 R3 conf do show ip msdp peer Peer Addr 192 168 0 1 Local Addr 0 0 0 0 0 Connect Source Lo 0 State Inactive Up Down Time 00 00 04 Timers KeepAlive 30 sec Hold time 75 sec SourceActive packet count in out 0 0 SAs learned from this peer 0 SA Filtering Input S G filter myremotefilter Output S G filte...

Page 490: ...alancing requires prior knowledge of traffic distributions lack of scalable register decasulation With only a single RP per group all joins are sent to that RP regardless of the topological distance between the RP sources and receivers and data is transmitted to the RP until the SPT switch threshold is reached slow convergence when an active RP fails When you configure multiple RPs there can be co...

Page 491: ...each RP serving the group with the same IP address CONFIGURATION mode interface loopback 2 Make this address the RP for the group CONFIGURATION mode ip pim rp address 3 In each routing domain that has multiple RPs serving a group create another Loopback interface on each RP serving the group with a unique IP address CONFIGURATION mode interface loopback Multicast Source Discovery Protocol MSDP 491...

Page 492: ...h group use the following command Create a mesh group CONFIGURATION mode ip msdp mesh group Specifying the RP Address Used in SA Messages The default originator id is the address of the RP that created the message In the case of Anycast RP there are multiple RPs all with the same address To use the unique address of another interface as the originator id use the following command Use the address o...

Page 493: ...11 1 21 24 no shutdown interface GigabitEthernet 2 31 ip pim sparse mode ip address 10 11 0 23 24 no shutdown interface Loopback 0 ip pim sparse mode ip address 192 168 0 1 32 no shutdown interface Loopback 1 ip address 192 168 0 22 32 no shutdown router ospf 1 network 10 11 1 0 24 area 0 network 10 11 4 0 24 area 0 network 192 168 0 22 32 area 0 redistribute static redistribute connected redistri...

Page 494: ...192 168 0 22 no shutdown ip multicast msdp ip msdp peer 192 168 0 11 connect source Loopback 0 ip msdp peer 192 168 0 22 connect source Loopback 0 ip msdp sa filter out 192 168 0 22 ip route 192 168 0 1 32 10 11 0 23 ip route 192 168 0 22 32 10 11 0 23 ip pim rp address 192 168 0 3 group address 224 0 0 0 4 MSDP Sample Configurations The following examples show the running configurations described...

Page 495: ... pim sparse mode ip address 10 11 0 23 24 no shutdown interface Loopback 0 ip address 192 168 0 2 32 no shutdown router ospf 1 network 10 11 1 0 24 area 0 network 10 11 4 0 24 area 0 network 192 168 0 2 32 area 0 redistribute static redistribute connected redistribute bgp 100 router bgp 100 redistribute ospf 1 neighbor 192 168 0 3 remote as 200 neighbor 192 168 0 3 ebgp multihop 255 neighbor 192 1...

Page 496: ... 168 0 2 no shutdown ip multicast msdp ip msdp peer 192 168 0 1 connect source Loopback 0 ip route 192 168 0 2 32 10 11 0 23 MSDP Sample Configuration R4 Running Config ip multicast routing interface GigabitEthernet 4 1 ip pim sparse mode ip address 10 11 5 1 24 no shutdown interface GigabitEthernet 4 22 ip address 10 10 42 1 24 no shutdown interface GigabitEthernet 4 31 ip pim sparse mode ip addr...

Page 497: ...iple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances In contrast PVST allows a spanning tree instance for each VLAN This 1 1 approach is not suitable if you have many VLANs because each spanning tree instance costs bandwidth and processing resources In the following illustration three VLANs are mapped to two mu...

Page 498: ...otocol RSTP 802 1w Multiple Spanning Tree Protocol MSTP 802 1s Per VLAN Spanning Tree Plus PVST Third Party Implementation Information MSTP is implemented as follows in Dell Networking OS The Dell Networking OS MSTP implementation is based on IEEE 802 1Q 2003 and interoperates only with bridges that also use this standard implementation MSTP is compatible with STP and RSTP Dell Networking OS suppo...

Page 499: ...ysical VLAN and port channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0 Within an MSTI only one path from any bridge to any other bridge is enabled Bridges block a redundant path by disabling one of the link ports 1 Enter PROTOCOL MSTP mode CONFIGURATION mode protocol spanning tree mstp 2 Enable MSTP PROTOCOL MSTP mode no disable Example of Verifying MSTP ...

Page 500: ...xit Dell conf do show spanning tree mst config MST region name my mstp region Revision 0 MSTI VID 1 100 2 200 300 To view the forwarding discarding state of the ports participating in an MSTI use the show spanning tree msti command from EXEC Privilege mode Dell show spanning tree msti 1 MSTI 1 VLANs mapped 100 Root Identifier has priority 32768 Address 0001 e806 953e Root Bridge hello time 2 max a...

Page 501: ...h elects a different root bridge than MSTI 2 To view the bridge priority use the show config command from PROTOCOL MSTP mode R3 conf mstp msti 2 bridge priority 0 1d2h51m RPM0 P RP2 SPANMGR 5 STP_ROOT_CHANGE MSTP root changed for instance 2 My Bridge ID 0 0001 e809 c24a Old Root 32768 0001 e806 953e New Root 0 0001 e809 c24a R3 conf mstp show config protocol spanning tree mstp no disable MSTI 1 VL...

Page 502: ...terface waits in the Listening state and the Learning state before it transitions to the Forwarding state Hello time the time interval in which the bridge sends MSTP bridge protocol data units BPDUs Max age the length of time the bridge maintains configuration information before it refreshes that information by recomputing the MST topology Max hops the maximum number of hops a BPDU can travel befo...

Page 503: ...stp protocol spanning tree mstp no disable name my mstp region MSTI 1 VLAN 100 MSTI 2 VLAN 200 300 forward delay 16 MSTI 2 bridge priority 4096 Dell conf Modifying the Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port Port cost is a value that is based on the interface type The greater the port cost the less l...

Page 504: ...FACE mode Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise it does not go through the Learning and Listening states The bpduguard shutdown on violation option causes the interface hardware to be shut ...

Page 505: ...EdgePort on an Interface To verify that EdgePort is enabled use the show config command from INTERFACE mode Dell conf if gi 3 11 spanning tree mstp edge port Dell conf if gi 3 11 show config interface GigabitEthernet 3 11 no ip address switchport spanning tree mstp edge port spanning tree MSTI 1 priority 144 no shutdown Dell conf if gi 3 11 Flush MAC Addresses after a Topology Change Dell Networki...

Page 506: ...ped to MSTP instances tag interfaces to the VLANs Step 1 protocol spanning tree mstp no disable name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200 300 Step 2 interface GigabitEthernet 1 21 no ip address switchport no shutdown interface GigabitEthernet 1 31 no ip address switchport no shutdown Step 3 interface Vlan 100 no ip address tagged GigabitEthernet 1 21 31 no shutdown interface Vlan 20...

Page 507: ...rt no shutdown interface GigabitEthernet 2 31 no ip address switchport no shutdown Step 3 interface Vlan 100 no ip address tagged GigabitEthernet 2 11 31 no shutdown interface Vlan 200 no ip address tagged GigabitEthernet 2 11 31 no shutdown interface Vlan 300 no ip address tagged GigabitEthernet 2 11 31 no shutdown Router 3 Running Configuration This example uses the following steps 1 Enable MSTP...

Page 508: ...region name and revision map MSTP instances to the VLANs 2 Assign Layer 2 interfaces to the MSTP topology 3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs Step 1 spanning tree spanning tree configuration name Tahiti spanning tree configuration revision 123 spanning tree MSTi instance 1 spanning tree MSTi vlan 1 100 spanning tree MSTi instance 2 spanning tree MSTi vlan 2 200 span...

Page 509: ...dicate communication received from the same region As shown in the following the MSTP routers are located in the same region Does the debug log indicate that packets are coming from a Different Region If so one of the key parameters is not matching MSTP Region Name and Revision The configured name and revisions must be identical among all the routers Is the Region name blank That may mean that a n...

Page 510: ... Cost 0 Rem Hops 19 Bridge Id 32768 0001 e8d5 cbbd 4w0d4h INST 1 MSTP Instance Flags 0x78 Reg Root 32768 0001 e806 953e Int Root Cost 0 Brg Port Prio 32768 128 Rem Hops 19 INST 2 MSTP Instance Flags 0x78 Reg Root 32768 0001 e806 953e Int Root Cost 0 Brg Port Prio 32768 128 Rem Hops 19 Indicates MSTP routers are in the single region MSTP Instance MSTP Region name The following example shows viewing...

Page 511: ...tworking OS is redirected using the MAC address and multicast control traffic and multicast data traffic might map to the same MAC address the Dell Networking OS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic As the upper five bits of an IP Multicast address are dropped in the translation 32 different multicast group IDs map to the same Ethernet add...

Page 512: ...ough it still processes leave messages until the number of entries decreases below 95 of the limit When the limit falls below 95 after hitting the maximum the system begins relearning route entries through IGMP MLD and multicast source discovery protocol MSDP If you increase the limit after it is reached subsequent join requests are accepted In this case increase the limit by at least 10 for IGMP ...

Page 513: ... mode ip igmp access group access list name Dell Networking OS Behavior Do not enter the ip igmp access group command before creating the access list If you do after entering your first deny rule the Dell Networking OS clears the multicast routing table and re learns all groups even those not covered by the rules in the access list because there is an implicit deny all rule at the end of all acces...

Page 514: ...own in the previous illustration Table 44 Preventing a Host from Joining a Group Description Location Description 1 21 Interface GigabitEthernet 1 21 ip pim sparse mode ip address 10 11 12 1 24 no shutdown 1 31 Interface GigabitEthernet 1 31 ip pim sparse mode ip address 10 11 13 1 24 514 Multicast Features ...

Page 515: ...net 3 1 ip pim sparse mode ip address 10 11 5 1 24 no shutdown 3 11 Interface GigabitEthernet 3 11 ip pim sparse mode ip address 10 11 13 2 24 no shutdown 3 21 Interface GigabitEthernet 3 21 ip pim sparse mode ip address 10 11 23 2 24 no shutdown Receiver 1 Interface VLAN 300 ip pim sparse mode ip address 10 11 3 1 24 untagged GigabitEthernet 1 1 no shutdown Receiver 2 Interface VLAN 400 ip pim sp...

Page 516: ...egister packets to the RP no hosts can ever discover the source and create a shortest path tree SPT to it Prevent a source from transmitting to a particular group CONFIGURATION mode ip pim register filter In the following example Source 1 and Source 2 are both transmitting packets for groups 239 0 0 1 and 239 0 0 2 R3 has a PIM register filter that only permits packets destined for group 239 0 0 2...

Page 517: ...own in the previous illustration Table 45 Preventing a Source from Transmitting to a Group Description Location Description 1 21 Interface GigabitEthernet 1 21 ip pim sparse mode ip address 10 11 12 1 24 no shutdown 1 31 Interface GigabitEthernet 1 31 ip pim sparse mode ip address 10 11 13 1 24 Multicast Features 517 ...

Page 518: ...rface GigabitEthernet 3 1 ip pim sparse mode ip address 10 11 5 1 24 no shutdown 3 11 Interface GigabitEthernet 3 11 ip pim sparse mode ip address 10 11 13 2 24 no shutdown 3 21 Interface GigabitEthernet 3 21 ip pim sparse mode ip address 10 11 23 2 24 no shutdown Receiver 1 Interface VLAN 300 ip pim sparse mode ip address 10 11 3 1 24 untagged GigabitEthernet 1 1 no shutdown Receiver 2 Interface ...

Page 519: ...ace query packet is forwarded hop by hop untill it reaches the last hop router NOTE If the system initiating the mtrace is the last hop router then the Query message will not be initiated Instead the router sends the request message to it previous router The last hop router converts this query packet to a request packet by adding a response data block This response data block contains the last hop...

Page 520: ... and print the details from received responses MTRACE Transit when a Dell Networking system is an intermediate router between the source and destination in an MTRACE query Dell Networking OS computes the RPF neighbor for the source fills in the request and forwards the request to the RPF neighbor When a Dell Networking system is the last hop to the destination Dell Networking OS sends a response t...

Page 521: ...e will be displayed In cases where the IP cannot be resolved it is displayed as 0 1 1 1 1 Destination The first row in the table corresponds to the destination provided by the user 1 1 1 1 1 PIM Reached RP Core 103 103 103 0 24 The information in each of the response blocks is displayed as follows o 1 Hop count is always a negative number to indicate reverse path o 1 1 1 1 Outgoing interface addre...

Page 522: ...rface for this source and group 0x0A NO_MULTICAST Traceroute request arrived on an interface which is not enabled for multicast 0x81 NO_SPACE There is not enough room to insert another response data block in the packet mtrace Scenarios This section describes various scenarios that may result when an mtrace command is issued The following table describes various scenarios when the mtrace command is...

Page 523: ... enabled interface on this node You invoke a weak mtrace request by specifying only the source without specifying the mulicast tree or multicast group information for the source Mtrace traces a path towards the source by using the RPF neighbor at each node R1 mtrace 103 103 103 3 Type Ctrl C to abort Querying reverse path for source 103 103 103 3 via RPF From source to this node Hop OIF IP Proto F...

Page 524: ... error code is displayed on the node In this scenario the Source Network Mask column for that particular node displays the the value as default R1 mtrace 6 6 6 6 4 4 4 5 234 1 1 1 Type Ctrl C to abort Querying reverse path for source 6 6 6 6 to destination 4 4 4 5 via group 234 1 1 1 From source to destination Hop OIF IP Proto Forwarding Code Source Network Mask 0 4 4 4 5 Destination 1 4 4 4 4 PIM...

Page 525: ...R1 mtrace 6 6 6 6 5 5 5 5 234 1 1 1 Type Ctrl C to abort Querying reverse path for source 6 6 6 6 to destination 4 4 4 5 via group 234 1 1 1 From source to destination Hop OIF IP Proto Forwarding Code Source Network Mask 0 5 5 5 5 Destination 1 5 5 5 4 PIM Wrong Last Hop 6 6 6 0 24 2 20 20 20 2 PIM 6 6 6 0 24 3 10 10 10 1 PIM 6 6 6 0 24 4 6 6 6 6 Source If a router in the network does not process ...

Page 526: ... error is displayed in the output You can initiate a new mtrace query by specifying the destination as the last IP address from the output of the previous trace query R1 mtrace 99 99 99 99 1 1 1 1 Type Ctrl C to abort Querying reverse path for source 99 99 99 99 to destination 1 1 1 1 via RPF From source to destination Hop OIF IP Proto Forwarding Code Source Network Mask 0 1 1 1 1 Destination 1 1 ...

Page 527: ... 6 0 24 3 10 10 10 1 PIM Wrong interface 6 6 6 0 24 R1 mtrace 6 6 6 6 4 4 4 5 Type Ctrl C to abort Querying reverse path for source 6 6 6 6 to destination 4 4 4 5 via RPF From source to destination Hop OIF IP Proto Forwarding Code Source Network Mask 0 4 4 4 5 Destination 1 4 4 4 4 PIM 6 6 6 0 24 2 20 20 20 2 PIM 6 6 6 0 24 3 10 10 10 1 PIM RPF Interface 6 6 6 0 24 Multicast Features 527 ...

Page 528: ...available free memory will be supported You can configure client applications such as VRRP to receive a notification when the state of a tracked object changes The following example shows how object tracking is performed Router A and Router B are both connected to the internet via interfaces running OSPF Both routers belong to a VRRP group with a virtual router at 10 0 0 1 on the local area networ...

Page 529: ...e link level status goes down the tracked resource status is considered to be DOWN if the link level status goes up the tracked resource status is considered to be UP For logical interfaces such as port channels or virtual local area networks VLANs the link protocol status is considered to be UP if any physical interface under the logical interface is UP Track Layer 3 Interfaces You can create an ...

Page 530: ...e for different clients route metrics are scaled in the range from 0 to 255 where 0 is connected and 255 is inaccessible The scaled metric value communicated to a client always considers a lower value to have priority over a higher value The resulting scaled value is compared against the threshold values to determine the state of a tracked route as follows If the scaled metric for a route entry is...

Page 531: ...ct is in a DOWN state If a VRRP group router acts as owner master the run time VRRP group priority remains fixed at 255 and changes in the state of a tracked object have no effect NOTE In VRRP object tracking the sum of the priority costs for all tracked objects and interfaces cannot equal or exceed the priority of the VRRP group Object Tracking Configuration You can configure three types of objec...

Page 532: ...ll conf track 100 end Dell show track 100 Track 100 Interface GigabitEthernet 1 1 line protocol Description San Jose data center Tracking a Layer 3 Interface You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface You can track the routing status of any of the following Layer 3 interfaces For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then ...

Page 533: ... tracked interface OBJECT TRACKING mode delay up seconds down seconds Valid delay times are from 0 to 180 seconds The default is 0 3 Optional Identify the tracked object with a text description OBJECT TRACKING mode description text The text string can be up to 80 characters 4 Optional Display the tracking configuration and the tracked object s status EXEC Privilege mode show track object id Exampl...

Page 534: ... current entries in the route table The UP DOWN state of the tracked route is determined by the threshold for the current value of the route metric in the routing table To provide a common tracking interface for different clients route metrics are scaled in the range from 0 to 255 where 0 is connected and 255 is inaccessible The scaled metric value communicated to a client always considers a lower...

Page 535: ... communicating a change in the status of a tracked route OBJECT TRACKING mode delay up seconds down seconds Valid delay times are from 0 to 180 seconds The default is 0 3 Optional Identify the tracked object with a text description OBJECT TRACKING mode description text The text string can be up to 80 characters 4 Optional Display the tracking configuration and the tracked object s status EXEC Priv...

Page 536: ...1 to 1000 The default is 1 OSPF routes 1 to 1592 The efault is 1 2 Configure object tracking on the metric of an IPv4 or IPv6 route CONFIGURATION mode track object id ip route ip address prefix len ipv6 route ipv6 address prefix len metric threshold vrf vrf name Valid object IDs are from 1 to 500 Enter an IPv4 address in dotted decimal format Valid IPv4 prefix lengths are from 0 to 32 Enter an IPv...

Page 537: ... 30 Dell conf track 8 threshold metric down 40 Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces and IPv4 and IPv6 routes use the following show commands To display the configuration and status of currently tracked Layer 2 or Layer 3 interfaces IPv4 or IPv6 routes or a VRF instance use the show track command You can also display the...

Page 538: ...16 Example of the show track resolution Command Dell show track resolution IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command Dell show track vrf red Track 5 IP route 192 168 0 0 24 reachability Vrf red Reachability is Up CONNECTED 3 changes last change 00 02 39 First hop interface is GigabitEthernet 1 4 Example of Viewing Object Tracking Configura...

Page 539: ...SPF algorithm to calculate the shortest path to each node OSPF routers initially exchange HELLO messages to set up adjacencies with neighbor routers The HELLO process is used to establish adjacencies between routers of the AS It is not required that every router within the AS areas establish adjacencies If two routers on the same subnet agree to become neighbors through the HELLO process they begi...

Page 540: ...nformation between areas It consists of all area border routers networks not wholly contained in any area and their attached routers NOTE If you configure two non backbone areas then you must enable the B bit in OSPF The backbone is the only area with a default area number All other areas can have their Area ID assigned in the configuration In the previous example Routers A B C G H and I are the B...

Page 541: ...rs are neighbors they may proceed to exchange and synchronize their databases which creates an adjacency Router Types Router types are attributes of the OSPF process A given physical router may be a part of one or more OSPF processes For example a router connected to more than one area receiving routing from a border gateway protocol BGP process connected to another AS acts as both an area border ...

Page 542: ... in the previous example Area Border Router ABR Within an AS an area border router ABR connects one or more areas to the backbone The ABR keeps a copy of the link state database for every area it connects to so it may keep multiple copies of the link state database An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is c...

Page 543: ...ssigns them OSPF looks at the priority of the routers on the segment to determine which routers are the DR and BDR The router with the highest priority is elected the DR If there is a tie the router with the higher router ID takes precedence After the DR is elected the BDR is elected the same way A router with a router priority set to zero cannot become the DR or BDR Link State Advertisements LSAs...

Page 544: ...or system acceptance of arriving LSAs However some networks may require reduced intervals for LSA transmission and acceptance Throttling timers allow for this improved convergence times The LSA throttling timers are configured in milliseconds with the interval time increasing exponentially until a maximum time has been reached If the maximum time is reached the system the system continues to trans...

Page 545: ...l Networking OS supports only one OSPFv3 process per VRF OSPFv2 and OSPFv3 can co exist but you must configure them individually Dell Networking OS supports stub areas totally stub no summary and not so stubby areas NSSAs and supports the following LSAs as described earlier Router type 1 Network type 2 Network Summary type 3 AS Boundary type 4 LSA type 5 External LSA type 7 Link LSA OSPFv3 only ty...

Page 546: ...following OSPF graceful restart functionality Restarting role in which an enabled router performs its own graceful restart Helper role in which the router s graceful restart function is to help a restarting neighbor router in its graceful restarts Helper reject role in which OSPF does not participate in the graceful restart of a neighbor OSPFv2 supports helper only and restarting only roles By def...

Page 547: ...continue to function Processing SNMP and Sending SNMP Traps Only the process in default vrf can process the SNMP requests and send SNMP traps NOTE SNMP gets request corresponding to the OspfNbrOption field in the OspfNbrTable returns a value of 66 OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet significantly reducing the number of ACK packets t...

Page 548: ...terfaces must be in Layer 3 mode assigned an IP address and enabled so that they can send and receive traffic The OSPF process must know about these interfaces To make the OSPF process aware of these interfaces they must be assigned to OSPF areas You must configure OSPF GLOBALLY on the system in CONFIGURATION mode NOTE Loop back routes are not installed in the Route Table Manager RTM as non active...

Page 549: ...mand Line Reference Guide document Enabling OSPFv2 To enable Layer 3 routing assign an IP address to an interface physical or Loopback By default OSPF similar to all routing protocols is disabled You must configure at least one interface for Layer 3 before enabling OSPFv2 globally If implementing multi process OSPF create an equal number of Layer 3 enabled interfaces and OSPF process IDs For examp...

Page 550: ...cess id Example of Viewing the Current OSPFv2 Status Dell show ip ospf 55555 Routing Process ospf 55555 with ID 10 10 10 10 Supports only single TOS TOS0 routes SPF schedule delay 5 secs Hold time between two SPFs 10 secs Number of area in this router is 0 normal 0 stub 0 nssa 0 Dell Assigning an OSPFv2 Area After you enable OSPFv2 assign the interface to an OSPF area Set up OSPF areas and enable ...

Page 551: ... no shutdown Dell conf if gi 4 14 ex Dell conf router ospf 1 Dell conf router_ospf 1 network 1 2 3 4 24 area 0 Dell conf router_ospf 1 network 10 10 10 10 24 area 1 Dell conf router_ospf 1 network 20 20 20 20 24 area 2 Dell conf router_ospf 1 Dell Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting To view the configuration...

Page 552: ...Hello due in 00 00 08 Neighbor Count is 3 Adjacent neighbor count is 2 Adjacent with neighbor 10 168 253 5 Designated Router Adjacent with neighbor 10 168 253 3 Backup Designated Router Loopback 0 is up line protocol is up Internet Address 10 168 253 2 32 Area 0 0 0 1 Process ID 1 Router ID 10 168 253 2 Network Type LOOPBACK Cost 1 Loopback interface is treated as a stub Host Dell Configuring Stub...

Page 553: ...some of the interfaces are passive CONFIG ROUTEROSPF id mode passive interface default interface The default is enabled passive interfaces on ALL interfaces in the OSPF process Entering the physical interface type slot and number enables passive interface on only the identified interface For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gig...

Page 554: ...arameter from 1 to 4 indicates the actual convergence level Each convergence setting adjusts the LSA parameters to zero but the fast convergence parameter setting allows for even finer tuning of the convergence speed The higher the number the faster the convergence To enable or disable fast convergence use the following command Enable OSPF fast convergence and specify the convergence level CONFIG ...

Page 555: ...1 to 65535 the default depends on the interface speed Change the time interval the router waits before declaring a neighbor dead CONFIG INTERFACE mode ip ospf dead interval seconds seconds the range is from 1 to 65535 the default is 40 seconds The dead interval must be four times the hello interval The dead interval must be the same on all routers in the OSPF network Change the time interval betwe...

Page 556: ... ip ospf interface command in EXEC mode The bold lines in the example show the change on the interface The change is reflected in the OSPF configuration Dell conf if ip ospf cost 45 Dell conf if show config interface GigabitEthernet 1 1 ip address 10 1 2 100 255 255 255 0 no shutdown ip ospf cost 45 Dell conf if end Dell show ip ospf 34 interface GigabitEthernet 1 1 is up line protocol is up Inter...

Page 557: ...tart role the role or roles the configured router can perform NOTE By default OSPFv2 graceful restart is disabled To enable and configure OSPFv2 graceful restart use the following commands 1 Enable OSPFv2 graceful restart globally and set the grace period CONFIG ROUTEROSPF id mode graceful restart grace period seconds The seconds range is from 40 and 3000 This setting is the time that an OSPFv2 ro...

Page 558: ... OSPFv2 router the show run ospf command displays information similar to the following Dell show run ospf router ospf 1 graceful restart grace period 300 graceful restart role helper only graceful restart mode unplanned only graceful restart helper reject 10 1 1 1 graceful restart helper reject 20 1 1 1 network 10 0 2 0 24 area 0 Dell Creating Filter Routes To filter routes use prefix lists OSPF a...

Page 559: ...figure the following required and optional parameters bgp connected isis rip static enter one of the keywords to redistribute those routes metric metric value the range is from 0 to 4294967295 metric type metric type 1 for OSPF external route type 1 2 for OSPF external route type 2 route map map name enter a name of a configured route map tag tag value the range is from 0 to 4294967295 Example of ...

Page 560: ...lege mode show ip route summary View the summary information for the OSPF database EXEC Privilege mode show ip ospf database View the configuration of OSPF neighbors connected to the local router EXEC Privilege mode show ip ospf neighbor View the LSAs currently in the queue EXEC Privilege mode show ip ospf timers rate limit View debug messages EXEC Privilege mode debug ip ospf process id event pac...

Page 561: ...s You can copy and paste from these examples to your CLI To support your own IP addresses interfaces names and so on be sure that you make the necessary changes Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology Figure 89 Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 Te 1 1 and 1 2 router ospf 11111 network 10 0 11 0 24 area 0 network 10 0 12 0 24 ar...

Page 562: ...ion options of OSPFv3 are the same as those options for OSPFv2 but you may configure OSPFv3 with differently labeled commands Specify process IDs and areas and include interfaces and addresses in the process Define areas as stub or totally stubby The interfaces must be in IPv6 Layer 3 mode assigned an IPv6 IP address and enabled so that they can send and receive traffic The OSPF process must know ...

Page 563: ...l conf ipv6 router_ospf show config ipv6 router ospf 1 timers spf 2 5 msec Dell conf ipv6 router_ospf Dell conf ipv6 router_ospf end Dell Enabling IPv6 Unicast Routing To enable IPv6 unicast routing use the following command Enable IPv6 unicast routing globally CONFIGURATION mode ipv6 unicast routing Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes Explicitly s...

Page 564: ...mands to accomplish the same tasks the router ospf command to create the OSPF process then the network area command to enable OSPFv2 on an interface NOTE The OSPFv2 network area command enables OSPFv2 on multiple interfaces with the single command Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3 Assign the OSPFv3 process and an OSPFv3 area to this interface CONF INT type sl...

Page 565: ...ocess ID The process ID range is from 0 to 65535 Assign the router ID for this OSPFv3 process CONF IPV6 ROUTER OSPF mode router id number number the IPv4 address The format is A B C D NOTE Enter the router id for an OSPFv3 router as an IPv4 IP address Disable OSPF CONFIGURATION mode no ipv6 router ospf process id Reset the OSPFv3 process EXEC Privilege mode clear ipv6 ospf process Configuring Stub...

Page 566: ...interface the show ipv6 ospf interface command adds the words passive interface Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process With the redistribute command you can include RIP static or directly connected routes in the OSPF process Route redistribution is also supported between OSPF Routing process IDs To add redistributing routes use the ...

Page 567: ...eject role on an interface using the ipv6 ospf graceful restart helper reject command you reconfigure OSPFv3 graceful restart to function in a restarting only role OSPFv3 does not participate in the graceful restart of a neighbor NOTE Enter the ipv6 ospf graceful restart helper reject command in Interface configuration mode Enable OSPFv3 graceful restart globally by setting the grace period in sec...

Page 568: ...s The following example shows the show run ospf command Dell show run ospf router ospf 1 router id 200 1 1 1 log adjacency changes graceful restart grace period 180 network 20 1 1 0 24 area 0 network 30 1 1 0 24 area 0 ipv6 router ospf 1 log adjacency changes graceful restart grace period 180 The following example shows the show ipv6 ospf database database summary command Dell show ipv6 ospf datab...

Page 569: ...curity protocols authentication header AH and encapsulating security payload ESP For OSPFv3 these two IPsec protocols provide interoperable high quality cryptographically based security HA IPsec authentication header is used in packet authentication to verify that data is not altered during transmission and ensures that users are communicating with the intended individual or organization Insert th...

Page 570: ...d extension headers MD5 and SHA1 authentication types are supported encrypted and unencrypted keys are supported In an OSPFv3 encryption policy Both encryption and authentication are used IPsec security associations SAs are supported only in Transport mode Tunnel mode is not supported ESP with null encryption is supported for authenticating only OSPFv3 protocol headers ESP with non null encryption...

Page 571: ...ou configure encryption using the ipv6 ospf encryption ipsec command you enable both IPsec encryption and authentication However when you enable authentication on an interface using the ipv6 ospf authentication ipsec command you do not enable encryption at the same time The SPI value must be unique to one IPsec security policy authentication or encryption on the router Configure the same authentic...

Page 572: ...figured is applied to the interface Enable IPSec authentication for OSPFv3 packets in an area CONF IPV6 ROUTER OSPF mode area id authentication ipsec spi number MD5 SHA1 key encryption type key area area id specifies the area for which OSPFv3 traffic is to be authenticated For area id enter a number or an IPv6 prefix spi number is the SPI value The range is from 256 to 4294967295 MD5 SHA1 specifie...

Page 573: ...r AES 128 and 48 or 96 hex digits for AES 192 key encryption type optional specifies if the key is encrypted Valid values 0 key is not encrypted or 7 key is encrypted authentication algorithm specifies the authentication algorithm to use for encryption The valid values are MD5 or SHA1 key specifies the text string used in authentication All neighboring OSPFv3 routers must share key to exchange inf...

Page 574: ...0 0x1F4 Outbound AH SPI 500 0x1F4 Inbound AH Key bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e Outbound AH Key bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e Transform set ah md5 hmac Crypto IPSec client security policy data Policy name OSPFv3 0 501 Policy refcount 1 Inbound ESP SPI 501 0x1F5 Outbound ESP SPI 501 0x1F5 Inbound ESP Auth Key bbdd96e6eb4828e2e27bc...

Page 575: ...section is meant to be a comprehensive list but only to provide some examples of typical troubleshooting checks Have you enabled OSPF globally Is the OSPF process active on the interface Are the adjacencies established correctly Did you configure the interfaces for Layer 3 correctly Is the router in the correct area type Did you include the routes in the OSPF database Did you include the OSPF rout...

Page 576: ...nterfaces EXEC Privilege mode debug ipv6 ospf vrf vrf name event packet type slot port For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information For a port channel interface enter the keywords port channel then a number For a VLAN interface enter the keyw...

Page 577: ...ing Internet control message protocol ICMP In these situations you can a configure switch route packet according to a policy applied to interfaces In another scenario when the packet comes from one source and wants to go to another destination then route it to this next hop or onto that specific interface This permits routing over different links or towards different networks even while the destin...

Page 578: ...next hops and or Tunnel Interfaces These options allow you to backup Indirect next hop with another Choose the specific Indirect next hop and or Tunnel interface which is available by sending ICMP pings to verify the reach ability and or check the Tunnel interface UP or DOWN status and then route traffic out to that next hop and or Tunnel Interface Implementing PBR Non contiguous bitmasks for PBR ...

Page 579: ... name redirect list name 16 characters To delete the redirect list use the no ip redirect list command The following example creates a redirect list by the name of xyz Dell conf ip redirect list WORD Redirect list name max 16 chars Dell conf ip redirect list xyz Create a Rule for a Redirect list To set the rules for the redirect list use the following command You can enter the command multiple tim...

Page 580: ...ess any Any source host host A single source host Dell conf redirect list redirect 3 3 3 3 ip 222 1 1 1 Mask A B C D or nn Mask in dotted decimal or in slash format Dell conf redirect list redirect 3 3 3 3 ip 222 1 1 1 32 A B C D Destination address any Any destination host host A single destination host Dell conf redirect list redirect 3 3 3 3 ip 222 1 1 1 32 77 1 1 1 Mask A B C D or nn Mask in d...

Page 581: ...t channel is sometimes switched To apply a redirect list to an interface use the following command You can apply multiple redirect lists can be applied to a redirect group It is also possible to create two or more redirect groups on one interface for backup purposes Apply a redirect list policy based routing to an interface INTERFACE mode ip redirect group redirect list name test l2 switch redirec...

Page 582: ...i 1 32 seq 15 redirect tunnel 2 udp 155 55 0 0 16 host 144 144 144 144 Track 1 up Next hop reachable via Gi 1 32 seq 35 redirect 155 1 1 2 track 5 ip 7 7 7 0 24 8 8 8 0 24 Track 5 up Next hop reachable via Po 5 seq 30 redirect 155 1 1 2 track 6 icmp host 8 8 8 8 any Track 5 up Next hop reachable via Po 5 seq 35 redirect 42 1 1 2 icmp host 8 8 8 8 any Next hop reachable via Vl 20 seq 40 redirect 43...

Page 583: ...00 00 00 00 09 8 1 Sample Configuration You can use the following example configuration to set up a PBR These are not comprehensive directions but are intended to give you a guidance with typical configurations You can copy and paste from these examples to your CLI Make the necessary changes to support your own IP addresses interfaces names and so on The Redirect List GOLD defined in this example ...

Page 584: ...irect 43 1 1 2 track 4 ip host 7 7 7 7 host 144 144 144 144 Dell conf redirect list end Verify the Status of the Track Objects Up Down Dell show track brief ResId Resource Parameter State LastChange 1 Interface ip routing Tunnel 1 Up 00 02 16 2 Interface ipv6 routing Tunnel 2 Up 00 03 31 3 IP Host reachability 42 1 1 2 32 Up 00 00 59 4 IP Host reachability 43 1 1 2 32 Up 00 00 59 Apply the Redirec...

Page 585: ...rack Objects to track the Tunnel Interfaces Dell configure terminal Dell conf track 1 interface tunnel 1 ip routing Dell conf track 1 exit Dell conf track 2 interface tunnel 2 ipv6 routing Dell conf track 2 end Verify the Status of the Track Objects Up Down Dell show track brief ResId Resource Parameter State LastChange 1 Interface ip routing Tunnel 1 Up 00 00 00 2 Interface ipv6 routing Tunnel 2 ...

Page 586: ...e 1 32 seq 10 redirect tunnel 1 track 1 tcp any any Track 1 up Next hop reachable via Te 1 32 seq 15 redirect tunnel 1 track 1 udp 155 55 0 0 16 host 144 144 144 144 Track 1 up Next hop reachable via Te 1 32 seq 20 redirect tunnel 2 track 2 tcp 155 55 2 0 24 222 22 2 0 24 Track 2 up Next hop reachable via Te 1 33 seq 25 redirect tunnel 2 track 2 tcp any any Track 2 up Next hop reachable via Te 1 3...

Page 587: ...ous point RP to the receivers After a receiver receives traffic from the RP PM SM switches to SPT to forward multicast traffic Every multicast group has an RP and a unidirectional shared tree group specific shared tree Requesting Multicast Traffic A host requesting multicast traffic for a particular group sends an Internet group management protocol IGMP Join message to its gateway router The gatew...

Page 588: ...ssage was received as an outgoing interface thus recreating a SPT to the source 3 After the RP starts receiving multicast traffic via the S G it unicasts a Register Stop message to the first hop DR so that multicast packets are no longer encapsulated in PIM Register packets and unicast After receiving the first multicast packet from a particular source the last hop DR sends a PIM Join message to t...

Page 589: ...30 1 20 1 1 5 165 87 31 200 Vl 30 v2 S 1 30 1 165 87 31 201 NOTE You can influence the selection of the Rendezvous Point by enabling PIM Sparse mode on a Loopback interface and assigning a low IP address To display PIM neighbors for each interface use the show ip pim neighbor command EXEC Privilege mode Dell show ip pim neighbor Neighbor Interface Uptime Expires Ver DR Address Prio Mode 127 87 5 5...

Page 590: ... 210 2 Set the expiry time for a specific S G entry as shown in the following example CONFIGURATION mode ip pim sparse mode sg expiry timer seconds sg list access list name The range is from 211 to 86 400 seconds The default is 210 Example Configuring an S G Expiry Time NOTE The expiry time configuration is nullified and the default global expiry time is used if an ACL is specified in the ip pim s...

Page 591: ...the Rendezvous Point Multicast Group Information To display the assigned RP for a group use the show ip pim rp command from EXEC privilege mode Dell show ip pim rp Group RP 225 0 1 40 165 87 50 5 226 1 1 1 165 87 50 5 To display the assigned RP for a group range group to RP mapping use the show ip pim rp mapping command in EXEC privilege mode Dell show ip pim rp mapping PIM Group to RP Mappings Gr...

Page 592: ...ary defined by PIM multicast border routers PMBRs PMBRs connect each PIM domain to the rest of the Internet Create multicast boundaries and domains by filtering inbound and outbound bootstrap router BSR messages per interface The following command is applied to the subsequent inbound and outbound updates Timeout removes existing BSR advertisements Create multicast boundaries and domains by filteri...

Page 593: ...dresses because if multiple applications use the same address receivers receive unwanted traffic However global multicast address space is limited Currently GLOP EGLOP is used to statically assign Internet routable multicast addresses but each autonomous system number yields only 255 multicast addresses For short term applications an address could be leased but no global dynamic multicast address ...

Page 594: ...ivers support only IGMP version 1 or version 2 by translating G entries to S G entries Translate G entries to S G entries using the ip igmp ssm map acl command source from CONFIGURATION mode In a standard access list specify the groups or the group ranges that you want to map to a source Then specify the multicast source When an SSM map is in place and Dell Networking OS cannot find any matching a...

Page 595: ...d Group Membership Group Address Interface Mode Uptime Expires Last Reporter 239 0 0 2 Vlan 300 IGMPv2 Compat 00 00 07 Never 10 11 3 2 Member Ports Te 1 1 239 0 0 1 Vlan 400 INCLUDE 00 00 10 Never 10 11 4 2 R1 conf do show ip igmp ssm map IGMP Connected Group Membership Group Address Interface Mode Uptime Expires Last Reporter 239 0 0 2 Vlan 300 IGMPv2 Compat 00 00 36 Never 10 11 3 2 Member Ports ...

Page 596: ... are announced or an RP failure occurs To enable RP election perform the following steps 1 Enter the following command to make a PIM router a BSR candidate CONFIGURATION ip pim bsr candidate 2 Enter the following command to make a PIM router a RP candidate CONFIGURATION ip pim rp candidate 3 Display Bootstrap Router information EXEC Privilege show ip pim bsr router Enabling RP to Server Specific M...

Page 597: ...andidate interface priority acl name The specified acl list is associated to the rp candidate NOTE You can create the ACL list of multicast prefix using the ip access list standard command PIM Source Specific Mode PIM SSM 597 ...

Page 598: ...hat it can be sent across a routed network Topics Important Points to Remember Port Monitoring Configuring Port Monitoring Configuring Monitor Multicast Queue Enabling Flow Based Monitoring Remote Port Mirroring Encapsulated Remote Port Monitoring ERPM Behavior on a typical Dell Networking OS Port Monitoring on VLT Important Points to Remember Port Monitoring is supported on both physical and logi...

Page 599: ...not possible for another source port from the same port pipe for example 1 17 to point to another new destination for example 1 4 If you attempt to configure another destination to create 5 MG port this message displays Error will be thrown in case of RPM and ERPM features Example of Changing the Destination Port in a Monitoring Session Dell conf mon sess 5 do show moni session SessID Source Desti...

Page 600: ...0 Gi 1 13 Gi 2 1 rx interface N A N A 0 0 No N A N A yes 10 Gi 1 14 Gi 2 2 rx interface N A N A 0 0 No N A N A yes 20 Gi 1 15 Gi 2 3 rx interface N A N A 0 0 No N A N A yes 30 Gi 1 16 Gi 2 4 rx interface N A N A 0 0 No N A N A yes 100 Gi 1 25 Gi 2 5 tx interface N A N A 0 0 No N A N A yes 110 Gi 1 26 Gi 2 5 tx interface N A N A 0 0 No N A N A yes 300 Gi 1 17 Gi 2 5 tx interface N A N A 0 0 No N A ...

Page 601: ...rce and destination port and direction of traffic as shown in the following example MONITOR SESSION mode source Example of Viewing Port Monitoring Configuration To display information on currently configured port monitoring sessions use the show monitor session command from EXEC Privilege mode Dell conf monitor session 0 Dell conf mon sess 0 source GigabitEthernet 1 1 dest GigabitEthernet 1 2 dir ...

Page 602: ... host and server are exchanging traffic which passes through the uplink interface 1 1 Port 1 1 is the monitored port and port 1 42 is the destination port which is configured to only monitor traffic received on gigabitethernet 1 1 host originated traffic Figure 91 Port Monitoring Example Configuring Monitor Multicast Queue To configure monitor QoS multicast queue ID use the following commands 1 Co...

Page 603: ...king OS only considers traffic matching rules with the monitor keyword CONFIGURATION mode ip access list To define access lists see the Access Control Lists ACLs chapter 5 Allocate a CAM region so that you can apply the ACL you created to the monitoring session CONFIGURATION mode cam acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman qos num...

Page 604: ... port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a time saving and efficient way In a remote port mirroring session monitored traffic is tagged with a VLAN ID and switched on a user defined non routable L2 VLAN The VLAN is reserved in the network to carry only mirrored traffic which is forwarded on all egress ports of the VLAN Each interm...

Page 605: ...sion for a reserved VLAN at the same time for multiple remote port mirroring sessions You can enable and disable individual mirroring sessions BPDU monitoring is not required to use remote port mirroring A remote port mirroring session mirrors monitored traffic by prefixing the reserved VLAN tag to monitored packets so that they are copied to the reserve VLAN Mirrored traffic is transported across...

Page 606: ...tionally configure one or more source VLANs to specify the VLAN traffic to be mirrored on source ports You can use the default VLAN and native VLANs as a source VLAN You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN Egressing remote vlan packets are rate limited to a default value of 100 Mbps To change the mirroring rate configure rate limit within the RPM...

Page 607: ... 300 rx Port N A N A 2 Po 10 remote vlan 300 rx Port N A N A To display the current configuration of the reserved VLAN enter the show vlan command Dell show vlan Codes Default VLAN G GVRP VLANs R Remote Port Mirroring VLANs P Primary C Community I Isolated O Openflow Q U Untagged T Tagged x Dot1x untagged X Dot1x tagged o OpenFlow untagged O OpenFlow tagged G GVRP tagged M Vlan stack i Internal un...

Page 608: ...ode remote port mirroring Dell conf if vl 20 tagged gi 1 6 Dell conf if vl 20 exit Dell conf monitor session 2 type rpm Dell conf mon sess 2 source vlan 100 destination remote vlan 20 dir rx Dell conf mon sess 2 no disable Dell conf mon sess 2 flow based enable Dell conf mon sess 2 exit Dell conf mac access list standard mac_acl Dell config std macl permit 00 00 00 00 11 22 count monitor Dell conf...

Page 609: ...0 tagged gi 1 2 Dell conf if vl 20 exit Dell conf interface vlan 30 Dell conf if vl 30 mode remote port mirroring Dell conf if vl 30 tagged gi 1 3 Dell conf if vl 30 exit Dell conf monitor session 1 type rpm Dell conf mon sess 1 source remote vlan 10 dest gi 1 4 Dell conf mon sess 1 exit Dell conf monitor session 2 type rpm Dell conf mon sess 2 source remote vlan 20 destination gi 1 5 Dell conf mo...

Page 610: ...ied in the session NOTE When configuring ERPM follow these guidelines The Dell Networking OS supports ERPM source session only Encapsulated packets terminate at the destination IP address or at the analyzer You can configure up to four ERPM source sessions on switch Configure the system MTU to accommodate the increased size of the ERPM mirrored packet The maximum number of source ports you can def...

Page 611: ... example shows an ERPM configuration Dell conf monitor session 0 type erpm Dell conf mon sess 0 source gigabitethernet 1 9 direction rx Dell conf mon sess 0 source port channel 1 direction tx Dell conf mon sess 0 erpm source ip 1 1 1 1 dest ip 7 1 1 2 gre protocol 111 Dell conf mon sess 0 no disable Dell conf monitor session 1 type erpm Dell conf mon sess 1 source vlan 11 direction rx Dell conf mo...

Page 612: ...ew L2 header and sent to the destination ip address Port D s ip address on the sniffer The Header that gets attached to the packet is 38 bytes long If the sniffer does not support IP interface a destination switch will be needed to receive the encapsulated ERPM packet and locally mirror the whole packet to the Sniffer or a Linux Server Decapsulation of ERPM packets at the Destination IP Analyzer I...

Page 613: ...nother interface on the Linux server via which the decapsulation packets can Egress In case there is only one interface the ingress interface itself can be specified as Egress and the analyzer can listen in the tx direction Port Monitoring on VLT Devices on which VLT is configured are seen as a single device in the network You can apply port monitoring function on the VLT devices in the network Po...

Page 614: ...rios Scenario RPM Restriction Recommended Solution Mirroring an Orphan Port on a VLT LAG In this scenario the orphan port on a VLT device is mirrored to the VLT LAG that connects a top of rack TOR switch to the VLT device The packet analyzer is connected to the TOR switch The bandwidth of the VLTi link is unnecessarily used by mirrored traffic if max rate limit value is configured in the RPM mirro...

Page 615: ...e configuration on the secondary VLT device source remote vlan destination orphan port None Mirroring member port of ICL LAG to Orphan Port of peer vlt device In this scenario a member port of the ICL LAG or a member port of the VLT LAG is mirrored to an orphan port on the peer VLT device The packet analyzer is connected to the peer VLT device The bandwidth of the VLTi link is unnecessarily used b...

Page 616: ...rvice provider environment because multiple customers are likely to maintain servers that must be strictly separated in customer specific groups A set of servers owned by a customer could comprise a community VLAN so that those servers could communicate with each other and would be isolated from other customers Another customer might have another set of servers in another community VLAN Another cu...

Page 617: ...ular VLAN Trunk port carries traffic between switches A trunk port in a PVLAN is always tagged In tagged mode the trunk port carries the primary or secondary VLAN traffic The tag on the packet helps identify the VLAN to which the packet belongs A trunk port can also belong to a regular VLAN non private VLAN Each of the port types can be any type of physical Ethernet port including port channels LA...

Page 618: ...efer to the Dell Networking OS Command Line Reference Guide Configuration Task List The following sections contain the procedures that configure a private VLAN Creating PVLAN Ports Creating a Primary VLAN Creating a Community VLAN Creating an Isolated VLAN Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN 1 Access INTERFACE mode for the port that you want to assign to a...

Page 619: ...specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN A primary VLAN also contains a mapping to secondary VLANs which comprise community VLANs and isolated VLANs 1 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces CONFIGURATION mode interface vlan vlan id 2 Enable the VLAN INTERFACE VLAN mode no shu...

Page 620: ... other and with the promiscuous ports in the primary VLAN 1 Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN CONFIGURATION mode interface vlan vlan id 2 Enable the VLAN INTERFACE VLAN mode no shutdown 3 Set the PVLAN mode of the selected VLAN to community INTERFACE VLAN mode private vlan mode community 4 Add one or more host ports to the VLAN INTERFACE VLAN mode tagge...

Page 621: ... of Configuring Private VLAN Members The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs primary community and isolated VLANs Dell conf Dell conf interface vlan 10 Dell conf vlan 10 private vlan mode primary Dell conf vlan 10 private vlan mapping secondary vlan 100 101 Dell conf vlan 10 untagged Gi 2 1 Dell conf vlan 10...

Page 622: ... to community VLAN 4002 The result is that The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000 All the ports in the secondary VLANs both communit...

Page 623: ...PVLAN parts of the running config from the S50V switch in the topology diagram previously shown Display the type and status of the configured PVLAN interfaces show interfaces private vlan interface interface This command is specific to the PVLAN feature For more information refer to the Security chapter in the Dell Networking OS Command Line Reference Guide Display the configured PVLANs or interfa...

Page 624: ... VLAN 200 T Gi 1 21 The following example shows viewing a private VLAN configuration interface GigabitEthernet 1 3 no ip address switchport switchport mode private vlan promiscuous no shutdown interface GigabitEthernet 1 4 no ip address switchport switchport mode private vlan host no shutdown interface GigabitEthernet 1 5 no ip address switchport switchport mode private vlan host no shutdown inter...

Page 625: ...verview PVST is a variation of spanning tree developed by a third party that allows you to configure a separate spanning tree instance for each virtual local area network VLAN For more information about spanning tree refer to the Spanning Tree Protocol STP chapter Figure 95 Per VLAN Spanning Tree The Dell Networking OS supports three other variations of spanning tree as shown in the following tabl...

Page 626: ...o set up VLANs refer to Virtual LANs VLANs Configure Per VLAN Spanning Tree Plus Configuring PVST is a four step process 1 Configure interfaces for Layer 2 2 Place the interfaces in VLANs 3 Enable PVST 4 Optionally for load balancing select a nondefault bridge priority for a VLAN Related Configuration Tasks Modifying Global PVST Parameters Modifying Interface PVST Parameters Configuring an EdgePor...

Page 627: ... conf pvst show config verbose protocol spanning tree pvst no disable vlan 100 bridge priority 4096 Influencing PVST Root Selection As shown in the previous per VLAN spanning tree illustration all VLANs use the same forwarding topology because R2 is elected the root and all TenGigabitEthernet ports have the same cost The following per VLAN spanning tree illustration changes the bridge priority of ...

Page 628: ... mode vlan bridge priority The range is from 0 to 61440 The default is 32768 Example of the show spanning tree pvst vlan Command To display the PVST forwarding topology use the show spanning tree pvst vlan vlan id command from EXEC Privilege mode Dell_E600 conf do show spanning tree pvst vlan 100 VLAN 100 Root Identifier has priority 4096 Address 0001 e80d b6d6 Root Bridge hello time 2 max age 20 ...

Page 629: ... other PVST bridges Forward delay the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state Hello time the time interval in which the bridge sends bridge protocol data units BPDUs Max age the length of time the bridge maintains configuration information before it refreshes that information by recomputing the PVST topology To c...

Page 630: ...terfaces 200 Port Channel with 100 Mb s Ethernet interfaces 180000 Port Channel with 1 Gigabit Ethernet interfaces 18000 Port Channel with 10 Gigabit Ethernet interfaces 1800 Port Channel with 25 Gigabit Ethernet interfaces 1200 Port Channel with 50 Gigabit Ethernet interfaces 200 Port Channel with 100 Gigabit Ethernet interfaces 180 NOTE The Dell Networking OS implementation of PVST uses IEEE 802...

Page 631: ...on this physical port the physical port is enabled in the hardware You can clear the Error Disabled state with any of the following methods Perform a shutdown command on the interface Disable the shutdown on violation command on the interface the no spanning tree stp id portfast bpduguard shutdown on violation command Disable spanning tree on the interface the no spanning tree command in INTERFACE...

Page 632: ...768 sys id ext 5 Address 0001 e832 73f7 We are the root of Vlan 5 Configured hello time 2 max age 20 forward delay 15 PVST Sample Configurations The following examples provide the running configurations for the topology shown in the previous illustration Example of PVST Configuration R1 interface GigabitEthernet 1 22 no ip address switchport no shutdown interface GigabitEthernet 1 32 no ip address...

Page 633: ...erface Vlan 200 no ip address tagged GigabitEthernet 2 12 32 no shutdown interface Vlan 300 no ip address tagged GigabitEthernet 2 12 32 no shutdown protocol spanning tree pvst no disable vlan 200 bridge priority 4096 Example of PVST Configuration R3 interface GigabitEthernet 3 12 no ip address switchport no shutdown interface GigabitEthernet 3 22 no ip address switchport no shutdown interface Vla...

Page 634: ...protocol spanning tree pvst no disable vlan 300 bridge priority 4096 634 Per VLAN Spanning Tree Plus PVST ...

Page 635: ...ure Port based Rate Policing Ingress Configure Port based Rate Shaping Egress Policy Based QoS Configurations Ingress Egress Classify Traffic Ingress Create a Layer 3 Class Map Ingress Set DSCP Values for Egress Packets Based on Flow Ingress Create a Layer 2 Class Map Ingress Create a QoS Policy Ingress Egress Create an Input QoS Policy Ingress Configure Policy Based Rate Policing Ingress Set a DS...

Page 636: ... Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 98 Dell Networking QoS Architecture Topics 636 Quality of Service QoS ...

Page 637: ...QoS Indication It also implements these Internet Engineering Task Force IETF documents RFC 2474 Definition of the Differentiated Services Field DS Field in the IPv4 Headers RFC 2475 An Architecture for Differentiated Services RFC 2597 Assured Forwarding PHB Group RFC 2598 An Expedited Forwarding PHB You cannot configure port based and policy based QoS on the same interface Port Based QoS Configura...

Page 638: ...ION mode which applies the configuration to all interfaces A CONFIGURATION mode service class dynamic dot1p entry supersedes any INTERFACE entries For more information refer to Mapping dot1p Values to Service Queues NOTE You cannot configure service policy input and service class dynamic dot1p on the same interface Honor dot1p priorities on ingress traffic INTERFACE mode service class dynamic dot1...

Page 639: ...f if gi 1 1 end Dell show interfaces tengigabitEthernet 1 2 rate police Rate police 300 50 peak 800 50 Traffic Monitor 0 normal 300 50 peak 800 50 Out of profile yellow 23386960 red 320605113 Traffic Monitor 1 normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 2 normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 3 normal NA peak NA Out of profile yellow 0 red 0 Traffic Mo...

Page 640: ...outgoing traffic on a port INTERFACE mode rate shape Apply rate shaping to a queue QoS Policy mode rate shape Example of rate shape Command Dell configure terminal Dell conf interface gigabitethernet 1 1 Dell conf if gi 1 1 rate shape 500 50 Dell conf if gi 1 1 end Policy Based QoS Configurations Policy based QoS configurations consist of the components shown in the following example Figure 99 Con...

Page 641: ...ION mode class map match all 3 Specify your match criteria CLASS MAP mode seq sequence number match ip ipv6 ip any After you create a class map Dell Networking OS places you in CLASS MAP mode Match any class maps allow up to five ACLs Match all class maps allow only one ACL NOTE Within a class map the match rules are installed in the sequence number order 4 Link the class map to a queue POLICY MAP...

Page 642: ...etworking OS places you in CLASS MAP mode Match any class maps allow up to five access lists Match all class maps allow only one You can match against only one VLAN ID 4 Link the class map to a queue POLICY MAP mode service queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class maps to queues using the service queue command Dell Networking OS matches the class m...

Page 643: ...lass map ClassAF2 qos policy QosPolicyIn 2 Dell show running config class map class map match any ClassAF1 match ip access group AF1 FB1 set ip dscp 10 match ip access group AF1 FB2 set ip dscp 12 match ip dscp 10 set ip dscp 14 match ipv6 dscp 20 set ip dscp 14 class map match all ClassAF2 match ip access group AF2 match ip dscp 18 Dell show running config ACL ip access list extended AF1 FB1 seq ...

Page 644: ...and WRED NOTE When changing a service queue configuration in a QoS policy map all QoS rules are deleted and re added automatically to ensure that the order of the rules is maintained As a result the Matched Packets value shown in the show qos statistics command is reset NOTE To avoid issues misconfiguration causes Dell Networking recommends configuring either DCBX or Egress QoS features but not bo...

Page 645: ...Drop Precedence Configuring Policy Based Rate Shaping To configure policy based rate shaping use the following command Configure rate shape egress traffic QOS POLICY OUT mode rate shape Allocating Bandwidth to Queue The switch schedules packets for egress based on Deficit Round Robin DRR This strategy offers a guaranteed data rate Allocate bandwidth to queues only in terms of percentage in 4 queue...

Page 646: ...in an output QoS policy Specify a WRED profile to yellow and or green traffic QOS POLICY OUT mode wred For more information refer to Applying a WRED Profile to Traffic Create Policy Maps There are two types of policy maps input and output Creating Input Policy Maps There are two types of input policy maps Layer 3 and Layer 2 1 Create a Layer 3 input policy map CONFIGURATION mode policy map input C...

Page 647: ... DSCP values When you configure trust DSCP the matched packets and matched bytes counters are not incremented in the show qos statistics Table 57 Default DSCP to Queue Mapping DSCP CP hex range XXX xxx DSCP Definition Traditional IP Precedence Internal Queue ID DSCP CP decimal 111XXX Network Control 3 48 63 110XXX Internetwork Control 3 48 63 101XXX EF Expedited Forwarding CRITIC ECP 2 32 47 100XX...

Page 648: ...ues to Service Queues All traffic is by default mapped to the same queue Queue 0 If you honor dot1p on ingress you can create service classes based the queueing strategy in Honoring dot1p Values on Ingress Packets You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode All dot1p traffic is mapped to Queue 0 unless you enable service class dynamic dot1...

Page 649: ... policy on an interface you also configure with vlan stack access If you apply a service policy that contains an ACL to more than one interface Dell Networking OS uses ACL optimization to conserve CAM space The ACL optimization behavior detects when an ACL exists in the CAM rather than writing it to the CAM multiple times Apply an input policy map to an interface INTERFACE mode service policy inpu...

Page 650: ...sed on the DSCP value of each packet and assigns it an initial drop precedence of green yellow or red The default setting for each DSCP value 0 63 is green low drop precedence The DSCP color map allows you to set the number of specific DSCP values to yellow or red Traffic marked as yellow delivers traffic to the egress interface which will either transmit or drop the packet based on configured que...

Page 651: ...yellow 9 10 11 13 15 16 Dell conf dscp color map exit Assign the color map bat enclave map to interface gi 1 11 Dell conf interface gigabitethernet 1 11 Dell conf if gi 1 11 qos dscp color policy bat enclave map Displaying DSCP Color Maps To display DSCP color maps use the show qos dscp color map command in EXEC mode Examples for Creating a DSCP Color Map Display all DSCP color maps Dell show qos ...

Page 652: ...while rate limiting policing and shaping Dell Networking OS does not include the Preamble SFD or the IFG fields These fields are overhead only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations The Ethernet packet format consists of Preamble 7 bytes Preamble Start frame delimiter SFD 1 byte Destination MAC address 6 bytes...

Page 653: ...o prevent buffering resources from being consumed The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed Traffic is a mixture of various kinds of packets The rate at which some types of packets arrive might be greater than others In this case the space on the buffer and traffic manager BTM ingress or egress can be consumed by only one or a few type...

Page 654: ...shold Maximum Threshold Maximum Drop Rate wred_drop 0 0 100 wred_teng_y 467 4671 100 wred_teng_g 467 4671 50 wred_fortyg_y 467 4671 50 wred_fortyg_g 467 4671 25 Creating WRED Profiles To create WRED profiles use the following commands 1 Create a WRED profile CONFIGURATION mode wred profile 2 Specify the minimum and maximum threshold values WRED mode threshold 654 Quality of Service QoS ...

Page 655: ...ed Displaying Default and Configured WRED Profiles To display the default and configured WRED profiles use the following command Display default and configured WRED profiles and their threshold values EXEC mode show qos wred profile Displaying WRED Profiles Example of the show qos wred profile Command Dell show qos wred profile Wred profile name min threshold max threshold max drop rate wred_drop ...

Page 656: ...e entries than are available In this case the system writes as many entries as possible and then generates an CAM full error message shown in the following example The partial policy map configuration might cause unintentional system behavior EX2YD 12 DIFFSERV 2 DSA_QOS_CAM_INSTALL_FAILED Not enough space in L3 Cam PolicyQos for class 2 TeGi 12 20 entries on portpipe 1 The test cam usage command a...

Page 657: ... WRED devices employ ECN to mark the packets and reduce the rate of sending packets in a congested network In a best effort network topology data packets are transmitted in a manner in which latency or throughput is not maintained to be at an effective level Packets are dropped when the network experiences a large traffic load This best effort network deployment is not suitable for applications th...

Page 658: ...igured on the global service pool regardless of whether ECN on global service pool is configured and one or more queues are enabled with both WRED and ECN ECN marking takes effect The packets are ECN marked up to shared buffer limits as determined by the shared ratio for that global service pool WRED ECN configurations for the queues that belong to backplane ports are common to all the backplane p...

Page 659: ...policy out wred profile weight number 2 Configure a WRED profile and specify the threshold and maximum drop rate WRED mode Dell conf wred wred profile thresh 1 Dell conf wred threshold min 100 max 200 max drop rate 40 3 Configure another WRED profile and specify the threshold and maximum drop rate WRED mode Dell conf wred wred profile thresh 2 Dell conf wred threshold min 300 max 400 max drop rate...

Page 660: ...ackets Using ECN and Color Marking Explicit Congestion Notification ECN is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded If you configure ECN for WRED devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested heavily loaded network ECN is a mechanism using whi...

Page 661: ...ion to the DSCP categorization The IPv4 ACLs standard and Extended are enhanced to add this qualifier This new keyword ecn is present for all L3 ACL types TCP UDP IP ICMP at the level where the DSCP qualifier is positioned in the current ACL commands Dell Networking OS supports the capability to contain DSCP and ECN classifiers simultaneously for the same ACL entry You can use the ecn keyword with...

Page 662: ... need to be enqueued in queue 2 and packets with DSCP value as 50 need to be enqueued in queue 3 And all the packets with ecn value as 0 must be marked as yellow The above requirement can be achieved using either of the two approaches The above requirement can be achieved using either of the two approaches Approach without explicit ECN match qualifiers for ECN packets ip access list standard dscp_...

Page 663: ...packets that contain a dot1p IEEE 802 1p VLAN Layer 2 header configure VLAN tags on a Layer 3 port interface which is configured with an IP address but has no VLAN associated with it You can also configure a VLAN sub interface on the port interface and apply a policy map that classifies packets using the dot1p VLAN ID To apply an input policy map with Layer 2 match criteria to a Layer 3 port inter...

Page 664: ...tch any or a match all Layer 3 class map depending on whether you want the packets to meet all or any of the match criteria By default a Layer 3 class map is created if you do not enter the layer2 option with the class map command When you create a class map you enter the class map configuration mode CONFIGURATION mode Dell conf class map match all pp_classmap 2 Configure a DSCP value as a match c...

Page 665: ...ach the policy map to the interface Dell Networking OS support different types of match qualifiers to classify the incoming traffic Match qualifiers can be directly configured in the class map command or it can be specified through one or more ACL which in turn specifies the combination of match qualifiers Until Release 9 3 0 0 support is available for classifying traffic based on the 6 bit DSCP f...

Page 666: ...ets are considered as green without the rate policer and trust diffserve configuration and hence support would be provided to mark the packets as yellow alone will be provided By default Dell Networking OS drops all the RED or violate packets The following combination of marking actions to be specified match sequence of the class map command set a new DSCP for the packet set the packet color as ye...

Page 667: ...Consider the example where there are no different traffic classes that is all the packets are egressing on the default queue0 Dell Networking OS can be configured as below to mark the non ecn packets as yellow packets ip access list standard ecn_0 seq 5 permit any ecn 0 class map match any ecn_0_cmap match ip access group ecn_0 set color yellow policy map input ecn_0_pmap service queue 0 class map...

Page 668: ...cess list standard dscp_50_ecn seq 5 permit any dscp 50 ecn 1 seq 10 permit any dscp 50 ecn 2 seq 15 permit any dscp 50 ecn 3 ip access list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ip access list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ip access list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 c...

Page 669: ...ation that is used to update the routing table is sent as either a request or response message In RIPv1 automatic updates to the routing table are performed as either one time requests or periodic responses every 30 seconds RIP transports its responses or requests by means of user datagram protocol UDP over port 520 RIP must receive regular routing updates to maintain a correct routing table Respo...

Page 670: ...OUTER RIP and INTERFACE Commands executed in the ROUTER RIP mode configure RIP globally while commands executed in the INTERFACE mode configure RIP features on that interface only RIP is best suited for small homogeneous networks You must configure all devices within the RIP network to support RIP if they are to participate in the RIP Configuration Task List The following is the configuration task...

Page 671: ...UTER RIP mode Dell conf router_rip show config router rip network 10 0 0 0 Dell conf router_rip When the RIP process has learned the RIP routes use the show ip rip database command in EXEC mode to view those routes Dell show ip rip database Total number of routes in RIP database 978 160 160 0 0 16 120 1 via 29 10 10 12 00 00 26 Fa 1 49 160 160 0 0 16 auto summary 2 0 0 0 8 120 1 via 29 10 10 12 00...

Page 672: ...ion between it and the Dell Networking system ROUTER RIP mode neighbor ip address You can use this command multiple times to exchange RIP information with as many RIP networks as you want Disable a specific interface from sending or receiving RIP routing information ROUTER RIP mode passive interface interface Assigning a Prefix List to RIP Routes Another method of controlling RIP or any routing pr...

Page 673: ...oute map map name Configure the following parameters process id the range is from 1 to 65535 metric the range is from 0 to 16 map name the name of a configured route map To view the current RIP configuration use the show running config command in EXEC mode or the show config command in ROUTER RIP mode Setting the Send and Receive Version To change the RIP version globally or on an interface in Del...

Page 674: ...Information Sources Gateway Distance Last Update Distance default is 120 Dell To configure an interface to receive or send both versions of RIP include 1 and 2 in the command syntax The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example Dell conf if ip rip send version 1 2 Dell conf if ip rip receive version 2 The following example of the sho...

Page 675: ...orm routing between discontiguous subnets disable automatic summarization With automatic route summarization disabled subnets are advertised The autosummary command requires no other configuration commands To disable automatic route summarization enter no autosummary in ROUTER RIP mode NOTE If you enable the ip split horizon command on an interface the system does not advertise the summarized addr...

Page 676: ...en you enable debugging you can view information on RIP protocol changes or RIP routes To enable RIP debugging use the following command debug ip rip interface database events trigger EXEC privilege mode Enable debugging of RIP Example of the debug ip rip Command The following example shows the confirmation when you enable the debug function Dell debug ip rip RIP protocol debug is ON Dell To disab...

Page 677: ... display Core 2 RIP setup use the show ip route command To display Core 2 RIP activity use the show ip protocols command The following example shows the show ip rip database command to view the learned RIP routes on Core 2 Core2 conf router_rip end 00 12 24 RPM0 P CP SYS 5 CONFIG_I Configured from console by console Core2 show ip rip database Total number of routes in RIP database 7 10 11 30 0 24 ...

Page 678: ... 24 via 10 11 20 1 Gi 2 3 120 1 00 05 22 Core2 The following example shows the show ip protocols command to show the RIP configuration activity on Core 2 Core2 show ip protocols Routing Protocol is RIP Sending updates every 30 seconds next due in 17 Invalid after 180 seconds hold down 180 flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Out...

Page 679: ...onnected GigabitEthernet 3 21 10 11 30 0 24 directly connected GigabitEthernet 3 11 10 0 0 0 8 auto summary 192 168 1 0 24 directly connected GigabitEthernet 3 23 192 168 1 0 24 auto summary 192 168 2 0 24 directly connected GigabitEthernet 3 24 192 168 2 0 24 auto summary Core3 The following command shows the show ip routes command to view the RIP setup on Core 3 Core3 show ip routes Codes C conn...

Page 680: ...Routing for Networks 10 11 20 0 10 11 30 0 192 168 2 0 192 168 1 0 Routing Information Sources Gateway Distance Last Update 10 11 20 2 120 00 00 22 Distance default is 120 Core3 RIP Configuration Summary Examples of Viewing RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2 interface GigabitEthernet 2 1 ip address 10 11 10 1 24 no shutdown in...

Page 681: ...nterface GigabitEthernet 3 4 ip address 192 168 1 1 24 no shutdown interface GigabitEthernet 3 5 ip address 192 168 2 1 24 no shutdown router rip version 2 network 10 11 20 0 network 10 11 30 0 network 192 168 1 0 network 192 168 2 0 Routing Information Protocol RIP 681 ...

Page 682: ... following tasks Setting the rmon Alarm Configuring an RMON Event Configuring RMON Collection Statistics Configuring the RMON Collection History RMON implements the following standard request for comments RFCs for more information refer to the Standards Compliance chapter RFC 2819 RFC 3273 RFC 3434 RFC 4502 Fault Recovery RMON provides the following fault recovery functions Interface Down When an ...

Page 683: ...e RMON MIB If there is no corresponding rising threshold event the value should be zero falling threshold value value at which the falling threshold alarm is triggered or reset For the rmon alarm command this setting is a 32 bits value for the rmon hc alarm command this setting is a 64 bits value event number event number to trigger when the falling threshold exceeds its limit This value is identi...

Page 684: ...this command This configuration also generates an SNMP trap when the event is triggered using the SNMP community string eventtrap Dell conf rmon event 1 log trap eventtrap description High ifOutErrors owner nms1 Configuring RMON Collection Statistics To enable RMON MIB statistics collection on an interface use the RMON collection statistics command in INTERFACE CONFIGURATION mode Enable RMON MIB s...

Page 685: ...ssociated with the number of buckets specified for the RMON collection history group of statistics The value is limited to from 1 to 1000 The default is 50 as defined in RFC 2819 interval Optional specifies the number of seconds in each polling cycle seconds Optional the number of seconds in each polling cycle The value is ranged from 5 to 3 600 Seconds The default is 1 800 as defined in RFC 2819 ...

Page 686: ...iations Dell Networking OS Supports Dell Networking Term IEEE Specification Spanning Tree Protocol STP 802 1d Rapid Spanning Tree Protocol RSTP 802 1w Multiple Spanning Tree Protocol MSTP 802 1s Per VLAN Spanning Tree Plus PVST Third Party Configuring Rapid Spanning Tree Configuring RSTP is a two step process 1 Configure interfaces for Layer 2 2 Enable the rapid spanning tree protocol Related Conf...

Page 687: ...e ports which are directly connected to end stations or server racks Ports connected directly to Layer 3 only routers not running STP should have RSTP disabled or be configured as edge ports Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second best bridge ID in the network If the primary VLT peer node fails the secondary VLT peer node becomes the root ...

Page 688: ...enable RSTP globally for all Layer 2 interfaces use the following commands 1 Enter PROTOCOL SPANNING TREE RSTP mode CONFIGURATION mode protocol spanning tree rstp 2 Enable RSTP PROTOCOL SPANNING TREE RSTP mode no disable Examples of the RSTP show Commands To disable RSTP globally for all Layer 2 interfaces enter the disable command from PROTOCOL SPANNING TREE RSTP mode To verify that RSTP is enabl...

Page 689: ...ath cost 20000 Port priority 128 Port Identifier 128 377 Designated root has priority 32768 address 0001 e801 cbb4 Designated bridge has priority 32768 address 0001 e801 cbb4 Designated port id is 128 377 designated path cost 0 Number of transitions to forwarding state 1 BPDU sent 121 received 9 The port is not in the Edge port mode Port 378 GigabitEthernet 2 2 is designated Forwarding Port path c...

Page 690: ...1 e801 cbb4 128 380 Interface Name Role PortID Prio Cost Sts Cost Link type Edge Gi 3 1 Altr 128 681 128 20000 BLK 20000 P2P No Gi 3 2 Altr 128 682 128 20000 BLK 20000 P2P No Gi 3 3 Root 128 683 128 20000 FWD 20000 P2P No Gi 3 4 Altr 128 684 128 20000 BLK 20000 P2P No R3 Adding and Removing Interfaces To add and remove interfaces use the following commands To add an interface to the Rapid Spanning...

Page 691: ...use the following commands Change the forward delay parameter PROTOCOL SPANNING TREE RSTP mode forward delay seconds The range is from 4 to 30 The default is 15 seconds Change the hello time parameter PROTOCOL SPANNING TREE RSTP mode hello time seconds NOTE With large configurations especially those configurations with more ports Dell Networking recommends increasing the hello time The range is fr...

Page 692: ...wing commands Change the port cost of an interface INTERFACE mode spanning tree rstp cost cost The range is from 0 to 65535 The default is listed in the previous table Change the port priority of an interface INTERFACE mode spanning tree rstp priority priority value The range is from 0 to 15 The default is 128 To view the current values for interface parameters use the show spanning tree rstp comm...

Page 693: ...st mode in Spanning Tree CAUTION Configure EdgePort only on links connecting to an end station If you enable EdgePort on an interface connected to a network it can cause loops Dell Networking OS Behavior Regarding bpduguard shutdown on violation behavior If the interface to be shut down is a port channel all the member ports are disabled in the hardware When you add a physical port to a port chann...

Page 694: ... is available only for RSTP Configure a hello time on the order of milliseconds PROTOCOL RSTP mode hello time milli second interval The range is from 50 to 950 milliseconds Example of Verifying Hello Time Interval Dell conf rstp do show spanning tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0 Address 0001 e811 2233 Root Bridge hello time 50 ms max age 20 forward...

Page 695: ...Software Defined Networking SDN The Dell Networking OS supports software defined networking SDN For more information see the SDN Deployment Guide 43 Software Defined Networking SDN 695 ...

Page 696: ...g OS Command Reference Guide AAA accounting enables tracking of services that users are accessing and the amount of network resources being consumed by those services When you enable AAA accounting the network server reports user activity to the security server in the form of accounting records Each accounting record comprises accounting attribute value AV pairs and is stored on the access control...

Page 697: ...instructs the TACACS server to send a stop record accounting notice at the end of the requested user process tacacs designate the security service Currently Dell Networking OS supports only TACACS Suppressing AAA Accounting for Null Username Sessions When you activate AAA accounting the Dell Networking OS software issues accounting records for all users on the system including users whose username...

Page 698: ...ounted functions CONFIGURATION mode or EXEC Privilege mode show accounting Example of the show accounting Command for AAA Accounting Dell show accounting Active accounted actions on tty2 User admin Priv 1 Task ID 1 EXEC Accounting record 00 00 39 Elapsed service shell Active accounted actions on tty3 User admin Priv 1 Task ID 2 EXEC Accounting record 00 00 26 Elapsed service shell Dell AAA Authent...

Page 699: ...ds To configure an authentication method and method list use the following commands Dell Networking OS Behavior If you use a method list on the console port in which RADIUS or TACACS is the last authentication method and the server is not reachable Dell Networking OS allows access even though the username and password credentials cannot be verified Only the console port behaves this way and does s...

Page 700: ... do not set the default list only the local enable is checked This setting has the same effect as issuing an aaa authentication enable default enable command Enabling AAA Authentication RADIUS To enable authentication from the RADIUS server and use TACACS as a backup use the following commands 1 Enable RADIUS and set up TACACS as backup CONFIGURATION mode aaa authentication enable default radius t...

Page 701: ...r whenever there is a change in the authenticators The change in authentication happens when Add or remove an authentication server RADIUS TACACS Modify an AAA authentication authorization list Change to role only RBAC mode The re authentication is also applicable for authenticated 802 1x devices When there is a change in the authetication servers the supplicants connected to all the ports are for...

Page 702: ...nd Keys Dell config service obscure passwords AAA Authorization Dell Networking OS enables AAA new model by default You can set authorization to be either local or remote Different combinations of authentication and authorization yield different results By default Dell Networking OS sets both to local Privilege Levels Overview Limiting access to the system is one method of protecting the system an...

Page 703: ...on tasks for privilege levels and passwords Configuring a Username and Password mandatory Configuring the Enable Password Command mandatory Configuring Custom Privilege Levels mandatory Specifying LINE Mode Password and Privilege optional Enabling and Disabling Privilege Levels optional For a complete listing of all commands related to Dell Networking OS privilege levels and passwords refer to the...

Page 704: ... entered Dell Networking OS you can enter the enable 15 command to access and configure all CLIs Configuring Custom Privilege Levels In addition to assigning privilege levels to the user you can configure the privilege levels of commands so that they are visible in different privilege levels Within Dell Networking OS commands have certain privilege levels With the privilege command you can change ...

Page 705: ...l Commands To view the configuration use the show running config command in EXEC Privilege mode The following example shows a configuration to allow a user john to view only EXEC mode commands and all snmp server commands Because the snmp server commands are enable level commands and by default found in CONFIGURATION mode also assign the launch command for CONFIGURATION mode configure to the same ...

Page 706: ...NE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines The user s privilege level is the same as the privilege level assigned to the terminal line unless a more specific privilege level is assigned to the user To specify a password for the terminal line use the following commands Configure a custom privilege level for the terminal lines LI...

Page 707: ...plain text RADIUS uses UDP as the transport protocol between the RADIUS server host and the client For more information about RADIUS refer to RFC 2865 Remote Authentication Dial in User Service RADIUS Authentication Dell Networking OS supports RADIUS for user authentication text password at login and can be specified as one of the login authentication methods in the aaa authentication login comman...

Page 708: ...ing Only standard ACLs in authorization both RADIUS and TACACS are supported Authorization is denied in cases using Extended ACLs Auto Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line The auto command command is executed when the user is authenticated and before the prompt appears to the user Automatically execute...

Page 709: ...y To create a method list use the following commands Enter a text string up to 16 characters long as the name of the method list you wish to use with the RADIUS authentication method CONFIGURATION mode aaa authentication login method list name radius Create a method list with RADIUS and TACACS as authorization methods CONFIGURATION mode aaa authorization exec method list name default radius tacacs...

Page 710: ...the software connects with the RADIUS server hosts one at a time until a RADIUS server host responds with an accept or reject response If you want to change an optional parameter setting for a specific host use the radius server host command To change the global communication settings to all RADIUS server hosts refer to Setting Global Communication Parameters for all RADIUS Server Hosts To view th...

Page 711: ...ocol for sending the login credentials to the RADIUS server The user password attribute is added to the access request message that is sent to the RADIUS server Depending on the success or failure of authentication the RADIUS server sends back an access accept or access reject message respectively MS CHAPv2 is secure than PAP MS CHAPv2 does not send user password in the Access Request message It i...

Page 712: ...ing TACACS as the Authentication Method One of the login authentication methods available is TACACS and the user s name and password are sent for authentication to the TACACS hosts specified To use TACACS to authenticate users specify at least one TACACS server for the system to communicate with and configure TACACS as one of your authentication methods To select TACACS as the login authentication...

Page 713: ...none aaa accounting exec default start stop tacacs aaa accounting commands 1 default start stop tacacs aaa accounting commands 15 default start stop tacacs Dell conf Dell conf do show run tacacs tacacs server key 7 d05206c308f4d35b tacacs server host 10 10 10 10 timeout 1 Dell conf tacacs server key angeline Dell conf RPM0 P CP SEC 5 LOGIN_SUCCESS Login successful for user admin on vty0 10 11 9 20...

Page 714: ...arameters use the following command Enter the host name or IP address of the TACACS server host CONFIGURATION mode tacacs server host hostname ip address port port number timeout seconds key key Configure the optional communication parameters for the specific host port port number the range is from 0 to 65535 Enter a TCP port number The default is 49 timeout seconds the range is from 0 to 1000 Def...

Page 715: ...d 3128 proposes a countermeasure to the problem This countermeasure is configured into the line cards and enabled by default Enabling SCP and SSH Secure shell SSH is a protocol for secure remote login and other secure network services over an insecure network Dell Networking OS is compatible with SSH versions 1 5 and 2 in both the client and server modes SSH sessions are encrypted and use authenti...

Page 716: ...switch to another use the following commands 1 On Switch 1 set the SSH port number port 22 by default CONFIGURATION MODE ip ssh server port number 2 On Switch 1 enable SSH CONFIGURATION MODE copy ssh server enable 3 On Switch 2 invoke SCP CONFIGURATION MODE copy scp flash 4 On Switch 2 in response to prompts enter the path to the desired file and enter the port number specified in Step 1 EXEC Priv...

Page 717: ...ir Any memory currently holding these keys is zeroized written over with zeroes and the NVRAM location where the keys are stored for persistence across reboots is also zeroized To remove the generated RSA host keys and zeroize the key storage location use the crypto key zeroize rsa command in CONFIGURATION mode Dell conf crypto key zeroize rsa Configuring When to Re generate an SSH Key You can con...

Page 718: ...a1 When FIPS is enabled the default is diffie hellman group14 sha1 Example of Configuring a Key Exchange Algorithm The following example shows you how to configure a key exchange algorithm Dell conf ip ssh server kex diffie hellman group exchange sha1 diffie hellman group14 sha1 Configuring the HMAC Algorithm for the SSH Server To configure the HMAC algorithm for the SSH server use the ip ssh serv...

Page 719: ...ing HMAC algorithms are available hmac md5 hmac md5 96 hmac sha1 hmac sha1 96 hmac sha2 256 The default list of HMAC algorithm is in the following order hmac sha2 256 hmac sha1 hmac sha1 96 hmac md5 hmac md5 96 When FIPS is enabled the default HMAC algorithm is hmac sha2 256 hmac sha1 hmac sha1 96 Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algor...

Page 720: ...es256 cbc aes128 ctr aes192 ctr aes256 ctr The default cipher list is in the given order aes256 ctr aes256 cbc aes192 ctr aes192 cbc aes128 ctr aes128 cbc 3des cbc Example of Configuring a Cipher List The following example shows you how to configure a cipher list Dell conf ip ssh cipher aes128 ctr aes128 cbc 3des cbc Secure Shell Authentication Secure Shell SSH is enabled by default using the SSH ...

Page 721: ...ub to the Dell Networking system 3 Disable password authentication if enabled CONFIGURATION mode no ip ssh password authentication enable 4 Enable RSA authentication in SSH CONFIGURATION Mode ip ssh rsa authentication enable 5 Install user s public key for RSA authentication in SSH EXEC Privilege Mode ip ssh rsa authentication my authorized keys flash public_key Example of Generating RSA Keys admi...

Page 722: ...lient cat ssh_host_rsa_key pub ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk admin Unix_client ls id_rsa id_rsa pub shosts admin Unix_client cat shosts 10 16 127 201 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx AyW hVgJDQh...

Page 723: ...rst enable SSH as previously described By default the Telnet daemon is enabled If you want to disable the Telnet daemon use the following command or disable Telnet in the startup config To enable or disable the Telnet daemon use the no ip telnet server enable command The Telnet server or client is VRF aware You can enable a Telnet server or client to listen to a specific VRF by using the vrf vrf i...

Page 724: ...zation Based on Access Class Retrieved from a Local Database Per User Dell conf user gooduser password abc privilege 10 access class permitall Dell conf user baduser password abc privilege 10 access class denyall Dell conf Dell conf aaa authentication login localmethod local Dell conf Dell conf line vty 0 9 Dell config line vty login authentication localmethod Dell config line vty end VTY Line Rem...

Page 725: ...Access Control With Role Based Access Control RBAC access and authorization is controlled based on a user s role Users are granted permissions based on their user roles not on their individual user ID User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function This chapter consists of the following sections Overview Privile...

Page 726: ...omatically placed in EXEC Priv mode For greater security the ability to view event audit and security system log is associated with user roles For information about these topics see Audit and Security Logs Privilege or Role Mode versus Role only Mode By default the system provides access to commands determined by the user s role or by the user s privilege level The user s role takes precedence ove...

Page 727: ...est line vty 1 login authentication test authorization exec test To enable role based only AAA authorization enter the following command in Configuration mode Dell conf aaa authorization role only System Defined RBAC User Roles By default the Dell Networking OS provides 4 system defined user roles You can create up to 8 additional user roles NOTE You cannot delete any system defined roles The syst...

Page 728: ...herited from the system administrator can create roles and user names Only the system administrator security administrator and roles inherited from these can use the role command to modify command permissions The security administrator and roles inherited by security administrator can only modify permissions for commands they already have access to Make sure you select the correct role you want to...

Page 729: ...mmand for a role you specify the role the mode and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword followed by the command you are controlling access The following output displays the modes available for the role command Dell conf role configure Global configuration mode exec Exec Mode interface Interface configuration mode line Line Confi...

Page 730: ...rotocol MAC Example Remove Security Administrator Access to Line Mode The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode using the show role mode configure line command in EXEC Privilege mode Dell conf role configure deleterole secadmin LINE Initial keywords of the command to modify Dell conf role configur...

Page 731: ...s Configuring AAA Authentication for Roles Configuring AAA Authorization for Roles Configuring TACACS and RADIUS VSA Attributes for RBAC Configure AAA Authentication for Roles Authentication services verify the user ID and password combination Users with defined roles and users with privileges are authenticated with the same mechanism There are six methods available for authentication radius tacac...

Page 732: ...information about how to configure authentication for roles see Configure AAA Authentication for Roles aaa authorization exec method list name default method method4 You can further restrict users permissions using the aaa authorization command command in CONFIGURATION mode aaa authorization command method list name default method method4 Examples of Applying a Method List The following configurat...

Page 733: ...tes allow the full set of features available for TACACS authorization and are authorized with the same attributes for RADIUS Example for Configuring a VSA Attribute for a Privilege Level 15 The following example configures an AV pair which allows a user to login from a network access server with a privilege level of 15 to have access to EXEC commands The format to create a Dell Network OS AV pair ...

Page 734: ...g method list to a role executed by a user with that user role use the accounting command in LINE mode accounting exec commands level role role name method list Example of Applying an Accounting Method to a Role The following example applies the accounting default method to the user role secadmin security administrator Dell conf vty 0 accounting commands role secadmin default Displaying Active Acc...

Page 735: ...xec Exec Mode interface Interface configuration mode line Line Configuration mode route map Route map configuration mode router Router configuration mode Dell show role mode configure username Role access sysadmin Dell show role mode configure password attributes Role access secadmin sysadmin Dell show role mode configure interface Role access netadmin sysadmin Dell show role mode configure line R...

Page 736: ...If the user credentials are valid the NAS server receives an Access Challenge request from the RADIUS server Access Accept NAS validates the username and password If the credentials are valid the RADIUS server sends an Access Request to the short message service one time password SMS OTP daemon to generate an OTP The OTP is sent to the user s e mail ID or mobile If the OTP is valid the RADIUS serv...

Page 737: ... from the RADIUS server NAS sends the input OTP in an Access Request to the RADIUS server and the user authentication succeeds or fails depending upon the Access Accept or Access Reject response received at NAS from the RADIUS server Configuring the System to Drop Certain ICMP Reply Messages You can configure the Dell Networking OS to drop ICMP reply messages When you configure the drop icmp comma...

Page 738: ... reply 129 Who are you request 139 Who are you reply 140 Mtrace response 200 Mtrace messages 201 NOTE The Dell Networking OS does not suppress the following ICMPv6 message types Packet too big 2 Echo request 128 Multicast listener query 130 Multicast listener report 131 Multicast listener done 132 Router solicitation 133 Router advertisement 134 Neighbor solicitation 135 Neighbor advertisement 136...

Page 739: ...tions customers and the provider would still share the 4094 available VLANs Instead 802 1ad allows service providers to add their own VLAN tag to frames traversing the provider network The provider can then differentiate customers even if they use the same VLAN ID and providers can map multiple customers to a single VLAN to overcome the 4094 VLAN limitation Forwarding decisions in the provider net...

Page 740: ...k enabled VLAN Dell Networking cautions against using the same MAC address on different customer VLANs on the same VLAN Stack VLAN You cannot ping across the trunk port link if one or both of the systems is an S3048 ON This limitation becomes relevant if you enable the port as a multi purpose port carrying single tagged and double tagged traffic Configure VLAN Stacking Configuring VLAN Stacking is...

Page 741: ...hysical ports and port channels can be access or trunk ports 1 Assign the role of access port to a Layer 2 port on a provider bridge that is connected to a customer INTERFACE mode vlan stack access 2 Assign the role of trunk port to a Layer 2 port on a provider bridge that is connected to another provider bridge INTERFACE mode vlan stack trunk 3 Assign all access ports and trunk ports to service p...

Page 742: ...Tag is user configurable To set the S Tag TPID use the following command Select a value for the S Tag TPID CONFIGURATION mode vlan stack protocol type The default is 9100 To display the S Tag TPID for a VLAN use the show running config command from EXEC privilege mode Dell Networking OS displays the S Tag TPID only if it is a non default value Configuring Dell Networking OS Options for Trunk Ports...

Page 743: ...l conf if vl 100 untagged gigabitethernet 1 1 Dell conf if vl 100 interface vlan 101 Dell conf if vl 101 tagged gigabitethernet 1 1 Dell conf if vl 101 interface vlan 103 Dell conf if vl 103 vlan stack compatible Dell conf if vl 103 stack member gigabitethernet 1 1 Dell conf if vl 103 stack do show vlan Codes Default VLAN G GVRP VLANs Q U Untagged T Tagged x Dot1x untagged X Dot1x tagged G GVRP ta...

Page 744: ...3 VLAN Stacking The default TPID for the outer VLAN tag is 0x9100 The system allows you to configure both bytes of the 2 byte TPID Previous versions allowed you to configure the first byte only and thus the systems did not differentiate between TPIDs with a common first byte For example 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID as shown in the following illustrati...

Page 745: ...Figure 104 Single and Double Tag TPID Match Service Provider Bridging 745 ...

Page 746: ...Figure 105 Single and Double Tag First byte TPID Match 746 Service Provider Bridging ...

Page 747: ...ition Incoming Packet TPID System TPID Match Type Pre Version 8 2 1 0 Version 8 2 1 0 Ingress Access Point untagged 0xUVWX switch to default VLAN switch to default VLAN single tag 0x8100 0xUVWX single tag mismatch switch to default VLAN switch to default VLAN 0x8100 single tag match switch to VLAN switch to VLAN 0x81XY single tag first byte match switch to VLAN switch to default VLAN Service Provi...

Page 748: ...rop eligible indicator DEI bit in the S Tag indicates to a service provider bridge which packets it should prefer to drop when congested Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value When you enable drop eligibility DEI mapping or marking takes place according to the defaults In this case the CFI is affected according to the following table T...

Page 749: ...onoring configuration use the show interface dei honor interface slot port in EXEC Privilege mode Dell show interface dei honor Default Drop precedence Green Interface CFI DEI Drop precedence Gi 1 1 0 Green Gi 1 1 1 Yellow Gi 2 9 1 Red Gi 2 10 0 Yellow Marking Egress Packets with a DEI Value On egress you can set the DEI value according to a different mapping than ingress For ingress information r...

Page 750: ...ck NOTE The ability to map incoming C Tag dot1p to any S Tag dot1p requires installing up to eight entries in the Layer 2 QoS and Layer 2 ACL table for each configured customer VLAN The scalability of this feature is limited by the impact of the 1 8 expansion in these content addressable memory CAM tables Dell Networking OS Behavior For Option A shown in the previous illustration when there is a c...

Page 751: ...pv6acl number ipv4qos number l2qos number l2pt number ipmacacl number ecfmacl number vman qos vman qos dual fp number vman qos mark the S Tag dot1p and queue the frame according to the original C Tag dot1p This method requires half as many CAM entries as vman qos dual fp vman qos dual fp mark the S Tag dot1p and queue the frame according to the S Tag dot1p This method requires twice as many CAM en...

Page 752: ... illustration Figure 108 VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address rewriting the destination MAC to a user configured non reserved address and forwarding the frames Because t...

Page 753: ...iate network because only Dell Networking OS could recognize the significance of the destination MAC address and rewrite it to the original Bridge Group Address In Dell Networking OS version 8 2 1 0 and later the L2PT MAC address is user configurable so you can specify an address that non Dell Networking systems can recognize and rewrite the address at egress edge Figure 109 VLAN Stacking with L2P...

Page 754: ... command Overwrite the BPDU with a user specified destination MAC address when BPDUs are tunneled across the provider network CONFIGURATION mode protocol tunnel destination mac The default is 01 01 e8 00 00 00 Setting Rate Limit BPDUs CAM space is allocated in sections called field processor FP blocks There are a total of 13 user configurable FP blocks The default number of blocks for L2PT is 0 yo...

Page 755: ...ridges treat BPDUs originating from the customer network as normal data frames rather than consuming them The same is true for GARP VLAN registration protocol GVRP 802 1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address 01 80 C2 00 00 0D to exchange GARP PDUs instead of the GVRP Address 01 80 C2 00 00 21 specified...

Page 756: ...ce counters into sFlow datagrams and forwards them to the sFlow collector at regular intervals The datagrams consist of information on but not limited to packet header ingress and egress interfaces sampling parameters and interface counters Application specific integrated circuits ASICs typically complete packet sampling sFlow collector analyses the sFlow datagrams received from different devices ...

Page 757: ...elds are not filled in extended gateway element in the sFlow datagram 802 1P source priority field is not filled in extended switch element in sFlow datagram Only Destination and Destination Peer AS number are packed in the dst as path field in extended gateway element If the packet being sampled is redirected using policy based routing PBR the sFlow datagram may contain incorrect extended gateway...

Page 758: ...ed due to sub sampling Enabling and Disabling sFlow on an Interface By default sFlow is disabled on all interfaces This CLI is supported on physical ports and link aggregation group LAG ports To enable sFlow on a specific interface use the following command Enable sFlow on an interface INTERFACE mode no sflow ingress enable To disable sFlow on an interface use the no version of this command Enabli...

Page 759: ...bitethernet 1 1 Gi 1 1 sFlow type Ingress Configured sampling rate 16384 Actual sampling rate 16384 Counter polling interval 20 Extended max header size 256 Samples rcvd from h w 0 Example of the show running config sflow Command Dell show running config sflow sflow collector 100 1 1 12 agent addr 100 1 1 1 sflow enable sflow max header size extended Dell show run int gigabitEthernet 1 10 interfac...

Page 760: ...ecific interface use the following command Display sFlow configuration information and statistics on a specific interface EXEC mode show sflow interface interface name Examples of the sFlow show Commands The following example shows the show sflow interface command Dell show sflow interface gigabitethernet 1 1 Gi 1 1 sFlow type Ingress Configured sampling rate 16384 Actual sampling rate 16384 Count...

Page 761: ... configure an interface to use a different polling interval To configure the polling intervals globally in CONFIGURATION mode or by interface in INTERFACE mode use the following command Change the global default counter polling interval CONFIGURATION mode or INTERFACE mode sflow polling interval interval value interval value in seconds The range is from 15 to 86400 seconds The default is 20 second...

Page 762: ...e extended information in the datagram is disabled Confirm that extended information packing is enabled show sflow Examples of Verifying Extended sFlow The bold line shows that extended sFlow settings are enabled on all three types Dell show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate 32768 Global default counter polling int...

Page 763: ...ress traffic The previous points are summarized in following table Table 70 Extended Gateway Summary IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description static connected IGP static connected IGP Extended gateway data is not exported because there is no AS information static connected IGP BGP 0 Exported src_as and src_peer_as are zero because there is no AS information for IGP BGP stati...

Page 764: ...et of SNMP Traps Enabling an SNMP Agent to Notify Syslog Server Failure Copy Configuration Files Using SNMP MIB Support for Power Monitoring MIB Support to Display the Available Memory Size on Flash MIB Support to Display the Software Core Files Generated by the System SNMP Support for WRED Green Yellow Red Drop Counters MIB Support to Display the Available Partitions on Flash MIB Support to Displ...

Page 765: ...iance with RFC 3826 SNMPv3 provides multiple authentication and privacy options for user configuration A subset of these options are the FIPS approved algorithms HMAC SHA1 96 for authentication and AES128 CFB for privacy The other options are not FIPS approved algorithms because of known security weaknesses The AES128 CFB privacy option is supported and is compliant with RFC 3826 The SNMPv3 featur...

Page 766: ...ttempt to enable or disable FIPS mode and if any SNMPv3 users are previously configured an error message is displayed stating you must delete all of the SNMP users before changing the FIPS mode 4 A message is logged indicating whether FIPS mode is enabled for SNMPv3 This message is generated only when the first SNMPv3 user is configured because you can modify the FIPS mode only when users are not ...

Page 767: ...P community is a group of SNMP agents and managers that are allowed to interact Communities are necessary to secure communication between SNMP managers and agents SNMP agents do not respond to requests from management stations that are not part of the community Dell Networking OS enables SNMP automatically when you create an SNMP community and displays the following message You must specify whethe...

Page 768: ...ssword Configure an SNMP group password privileges only CONFIGURATION mode snmp server group groupname oid tree auth read name write name Configure an SNMPv3 view CONFIGURATION mode snmp server view view name 3 noauth included excluded NOTE To give a user read and write privileges repeat this step for each privilege type Configure an SNMP group with password or privacy privileges CONFIGURATION mod...

Page 769: ...1 161 1 3 6 1 2 1 1 3 0 The following example shows reading the value of the next managed object snmpgetnext v 2c c mycommunity 10 11 131 161 1 3 6 1 2 1 1 3 0 SNMPv2 MIB sysContact 0 STRING snmpgetnext v 2c c mycommunity 10 11 131 161 sysContact 0 The following example shows reading the value of the many managed objects at one time snmpwalk v 2c c mycommunity 10 11 131 161 1 3 6 1 2 1 1 SNMPv2 MI...

Page 770: ...ment station Identify the system manager along with this person s contact information for example an email address or phone number CONFIGURATION mode snmpset v version c community agent ip sysContact 0 s contact info You may use up to 55 characters The default is None From a management station Identify the physical location of the system for example San Jose 350 Holger Way 1st floor lab rack A1 1 ...

Page 771: ... OS sends SNMP traps CONFIGURATION mode snmp server trap source Example of RFC Defined SNMP Traps and Related Enable Commands The following example lists the RFC defined SNMP traps and the command used to enable each The coldStart and warmStart traps are enabled using a single command snmp authentication SNMP_AUTH_FAIL SNMP Authentication failed Request with invalid community string snmp coldstart...

Page 772: ...ture reaches or exceeds threshold of dC MAJOR_TEMP_CLR Major alarm cleared chassis temperature lower s d temperature is within threshold of dC envmon fan FAN_TRAY_BAD Major alarm fantray d is missing or down FAN_TRAY_OK Major alarm cleared fan tray d present FAN_BAD Minor alarm some fans in fan tray d are down FAN_OK Minor alarm cleared all fans in fan tray d are good vlt Enable VLT traps vrrp Ena...

Page 773: ...e syslog server If a connectivity failure occurs on a syslog server that is configured for reliable transmission an SNMP trap is sent and a message is displayed on the console The SNMP trap is sent only when a syslog connection fails and the time interval between the last syslog notification and current time is greater than or equal to 5 minutes This restriction also applies to the console message...

Page 774: ...n files from the Dell Networking system to a server copy configuration files from a server to the Dell Networking system You can perform all of these tasks using IPv4 or IPv6 addresses The examples in this section use IPv4 addresses however you can substitute IPv6 addresses for the IPv4 addresses in all of the examples The following table lists the relevant MIBs for these functions are Table 73 MI...

Page 775: ...is not in the default directory and filename Specifies the name of destination file copyServerAddress 1 3 6 1 4 1 6027 3 5 1 1 1 1 8 IP Address of the server The IP address of the server If you specify copyServerAddress you must also specify copyUserName and copyUserPassword copyUserName 1 3 6 1 4 1 6027 3 5 1 1 1 1 9 Username for the server Username for the FTP TFTP or SCP server If you specify c...

Page 776: ...ersion either 1 2 2d or 3 The following examples show the snmpset command to copy a configuration These examples assume that the server OS is UNIX you are using SNMP version 2c the community name is public the file f10 copy config mib is in the current directory or in the snmpset tool path Copying Configuration Files via SNMP To copy the running config to the startup config from the UNIX machine u...

Page 777: ...m f10 copy config mib force10system ip address copySrcFileType index i 2 copyDestFileName index s filepath filename copyDestFileLocation index i 4 copyServerAddress index a server ip address copyUserName index s server login id copyUserPassword index s server login password precede server ip address by the keyword a precede the values for copyUsername and copyUserPassword by the keyword s Example ...

Page 778: ...Name index s server login id copyUserPassword index s server login password Example of Copying a Binary File From the Server to the Startup Configuration via FTP snmpset v 2c c private m f10 copy config mib 10 10 10 10 copySrcFileType 10 i 1 copySrcFileLocation 10 i 4 copyDestFileType 10 i 3 copySrcFileName 10 s home myfilename copyServerAddress 10 a 172 16 1 56 copyUserName 10 s mylogin copyUserP...

Page 779: ... public the file f10 copy config mib is in the current directory NOTE In UNIX enter the snmpset command for help using this command The following examples show the command syntax using MIB object names and the same command using the object OIDs In both cases the same index number used in the snmpset command follows the object The following command shows how to get a MIB object value using the obje...

Page 780: ...10 7 2 1 6 12 INTEGER 26 snmpwalk v 2c c public 10 16 131 156 1 3 6 1 4 1 674 10895 3000 1 2 110 7 2 1 7 SNMPv2 SMI enterprises 674 10895 3000 1 2 110 7 2 1 7 11 STRING 04 25 2017 18 32 SNMPv2 SMI enterprises 674 10895 3000 1 2 110 7 2 1 7 12 STRING 04 25 2017 18 32 MIB Support to Display the Available Memory Size on Flash Dell Networking provides more MIB objects to display the available memory s...

Page 781: ...ns information that includes the process names that generated each core file Viewing the Software Core Files Generated by the System To view the software core files generated by the system use the following command snmpwalk v2c c public 192 168 60 120 1 3 6 1 4 1 6027 3 10 1 2 10 enterprises 6027 3 10 1 2 10 1 1 1 1 1 enterprises 6027 3 10 1 2 10 1 1 1 2 2 enterprises 6027 3 10 1 2 10 1 1 1 3 3 en...

Page 782: ...3 27 1 3 1 8 2107012 Counter64 0 SNMPv2 SMI enterprises 6027 3 27 1 3 1 9 2107012 Counter64 0 SNMPv2 SMI enterprises 6027 3 27 1 3 1 10 2107012 Counter64 0 SNMPv2 SMI enterprises 6027 3 27 1 3 1 11 2107012 Counter64 0 SNMPv2 SMI enterprises 6027 3 27 1 3 1 12 2107012 Counter64 357782091 SNMPv2 SMI enterprises 6027 3 27 1 3 1 13 2107012 Counter64 0 SNMPv2 SMI enterprises 6027 3 27 1 3 1 14 2107012 ...

Page 783: ...2 1 STRING tmpfs 1 3 6 1 4 1 6027 3 26 1 4 8 1 2 2 STRING dev wd0i 1 3 6 1 4 1 6027 3 26 1 4 8 1 2 3 STRING mfs 477 1 3 6 1 4 1 6027 3 26 1 4 8 1 2 4 STRING dev wd0e 1 3 6 1 4 1 6027 3 26 1 4 8 1 3 1 INTEGER 40960 1 3 6 1 4 1 6027 3 26 1 4 8 1 3 2 INTEGER 4128782 1 3 6 1 4 1 6027 3 26 1 4 8 1 3 3 INTEGER 148847 1 3 6 1 4 1 6027 3 26 1 4 8 1 3 4 INTEGER 4186108 1 3 6 1 4 1 6027 3 26 1 4 8 1 4 1 INT...

Page 784: ...t egress queue The following table lists the related MIB objects Table 80 MIB Objects to display egress queue statistics MIB Object OID Description dellNetFpEgrQTxPacketsRate 1 3 6 1 4 1 6027 3 27 1 20 1 6 Rate of Packets transmitted per Unicast Multicast Egress queue dellNetFpEgrQTxBytesRate 1 3 6 1 4 1 6027 3 27 1 20 1 7 Rate of Bytes transmitted per Unicast Multicast Egress queue dellNetFpEgrQD...

Page 785: ...0 1 1 4 127 0 0 1 INTEGER 0 SNMPv2 SMI enterprises 6027 3 9 1 5 1 8 1 1 4 90 90 90 2 32 1 4 90 90 90 2 1 4 90 90 90 2 INTEGER 2097157 SNMPv2 SMI enterprises 6027 3 9 1 5 1 8 1 1 4 100 100 100 0 24 1 4 10 1 1 1 1 4 10 1 1 1 INTEGER 2098693 SNMPv2 SMI enterprises 6027 3 9 1 5 1 8 1 1 4 100 100 100 0 24 1 4 20 1 1 1 1 4 20 1 1 1 INTEGER 1258296320 SNMPv2 SMI enterprises 6027 3 9 1 5 1 8 1 1 4 100 100...

Page 786: ... 1 1 4 20 1 1 1 STRING Po 10 SNMPv2 SMI enterprises 6027 3 9 1 5 1 10 1 1 4 80 80 80 0 24 1 4 30 1 1 1 1 4 30 1 1 1 STRING Po 20 SNMPv2 SMI enterprises 6027 3 9 1 5 1 10 1 1 4 90 90 90 0 24 0 0 0 0 STRING CP SNMPv2 SMI enterprises 6027 3 9 1 5 1 10 1 1 4 90 90 90 1 32 1 4 127 0 0 1 1 4 127 0 0 1 STRING CP SNMPv2 SMI enterprises 6027 3 9 1 5 1 10 1 1 4 90 90 90 2 32 1 4 90 90 90 2 1 4 90 90 90 2 ST...

Page 787: ...he following table lists the related MIB objects Table 82 MIB Objects for entAliasMappingTable MIB Object OID Description entAliasMappingTable 1 3 6 1 2 1 47 1 3 2 Contains information about entAliasMapping table entAliasMappingEntry 1 3 6 1 2 1 47 1 3 2 1 Contains information about a particular logical entity entAliasLogicalIndexOrZero 1 3 6 1 2 1 47 1 3 2 1 1 Contains a non zero value and identi...

Page 788: ...octet read write value indicating the priority value associated with the Actor s system ID dot3adAggActorSystemID 1 2 840 10006 300 43 1 1 1 1 3 Contains a six octet read write MAC address value used as a unique identifier for the system that contains the Aggregator dot3adAggAggregateOrIndividual 1 2 840 10006 300 43 1 1 1 1 4 Contains a read only boolean value True or False indicating whether the...

Page 789: ...iso 2 840 10006 300 43 1 1 1 1 3 1258356224 Hex STRING 00 01 E8 8A E8 44 iso 2 840 10006 300 43 1 1 1 1 3 1258356736 Hex STRING 00 01 E8 8A E8 44 iso 2 840 10006 300 43 1 1 1 1 4 1258356224 INTEGER 1 iso 2 840 10006 300 43 1 1 1 1 4 1258356736 INTEGER 1 iso 2 840 10006 300 43 1 1 1 1 5 1258356224 INTEGER 127 iso 2 840 10006 300 43 1 1 1 1 5 1258356736 INTEGER 128 MIB Support to Display LLDP TLVs D...

Page 790: ...llDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellD ellDellDellDellDellDellDellDellDellDellDel iso 0 8802 1 1 2 1 4 3 1 2 0 4209668 6 10 STRING DellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellD ellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDellDel lDellDellDellDellDellDellDellDellDellDellDe...

Page 791: ...P Unix system output snmpset v2c c mycommunity 10 11 131 185 1 3 6 1 2 1 17 7 1 4 3 1 1 1107787786 s My VLAN SNMPv2 SMI mib 2 17 7 1 4 3 1 1 1107787786 STRING My VLAN Dell system output Dell show int vlan 10 Vlan 10 is down line protocol is down Vlan alias name is My VLAN Address is 00 01 e8 cc cc ce Current address is 00 01 e8 cc cc ce Interface index is 1107787786 Internet address is not set MTU...

Page 792: ... indicates that the port is not a member of the VLAN a 1 indicates VLAN membership All hex pairs are 00 indicating that no ports are assigned to VLAN 10 In the following example Port 0 2 is added to VLAN 10 as untagged the first hex pair changes from 00 to 04 The following example shows viewing VLAN ports using SNMP with ports assigned Dell Networking OS system output R5 conf do show vlan id 10 Co...

Page 793: ...7 7 1 4 3 1 2 1107787786 x 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1 3 6 1 2 1 17 7 1 4 3 1 4 1107787786 x 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...

Page 794: ...efine them As a switchport must belong a VLAN the default VLAN or a configured VLAN all MAC address learned on a switchport are associated with a VLAN For this reason the Q Bridge MIB is used for MAC address query Moreover specific to MAC address query the MAC address indexes dot1dTpFdbTable only for a single forwarding database while dot1qTpFdbTable has two indices VLAN ID and MAC address to allo...

Page 795: ...h the learned MAC address of a port channel The instance number is the decimal conversion of the MAC address concatenated with the port channel number MAC Addresses on Force10 System Dell conf do show mac address table VlanId Mac Address Type Interface State 1000 00 01 e8 06 95 ac Dynamic Po 1 Active Query from Management Station snmpwalk v 2c c techpubs 10 11 131 162 1 3 6 1 4 1 6027 3 2 1 1 5 SN...

Page 796: ...et 1 21 is down line protocol is down Hardware is DellEth address is f8 b1 56 82 de 70 Current address is f8 b1 56 82 de 70 Pluggable media not present Interface index is 2099715 Monitor Port Channels To check the status of a Layer 2 port channel use f10LinkAggMib 1 3 6 1 4 1 6027 3 2 In the following example Po 1 is a switchport and Po 2 is in Layer 3 mode Example of SNMP Trap for Monitored Port ...

Page 797: ...27 3 1 1 4 1 2 STRING OSTATE_DN Changed interface state to down Po 1 2010 02 10 14 22 40 10 16 130 4 10 16 130 4 SNMPv2 MIB sysUpTime 0 Timeticks 8500932 23 36 49 32 SNMPv2 MIB snmpTrapOID 0 OID IF MIB linkUp IF MIB ifIndex 33865785 INTEGER 33865785 SNMPv2 SMI enterprises 6027 3 1 1 4 1 2 STRING OSTATE_UP Changed interface state to up Gi 1 1 2010 02 10 14 22 40 10 16 130 4 10 16 130 4 SNMPv2 MIB s...

Page 798: ...servers that are reachable receive Oct 21 05 26 04 dv fedgov s4810 6 EVL 6 REACHABLE Syslog server 10 11 226 121 port 9140 is reachable Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router take into account the following behavior When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command th...

Page 799: ...1 1 19 2113540 SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 20 2113540 SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 21 2113540 Table 89 SNMP OIDs for Transceiver Monitoring Field OID Description SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 1 Device Name SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 2 Port SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 3 Optics Present SNMPv2 SMI enterprises 6027 3 11 1 3 1 1 4 Optics Ty...

Page 800: ...thernet Port 1 on Stack Unit 1 enter interface tengigabitethernet 1 1 from CONFIGURATION mode Stack Management Roles The stack elects the management units for the stack management Stack master primary management unit also called the master unit Standby secondary management unit Stack units the remaining units in the stack also called stack members The system supports up to six stack units The mast...

Page 801: ...me units are powered down just after reloading and powered up later to join the stack they do not participate in the election process even though the units that boot up late may have a higher priority configured This happens because the master and standby have already been elected hence the unit that boots up late joins only as a member When an up and running standalone unit or stack is merged wit...

Page 802: ...the stack so the stack excluding the new unit reloads Example of Adding a Standalone with a Lower MAC Address to a Stack STANDALONE BEFORE CONNECTION Standalone show system brief Stack MAC 00 01 e8 d5 ef 81 Stack Info Unit UnitType Status ReqTyp CurTyp Version Ports 1 Management online S3048 ON S3048 ON 9 8 0 0P2 52 2 Member not present 3 Member not present 4 Member not present 5 Member not presen...

Page 803: ... 0 0P2 52 2 Management online S3048 ON S3048 ON 9 8 0 0P2 52 3 Member not present 4 Member not present 5 Member not present 6 Member not present Stacking LAG When multiple links are used between stack units Dell Networking OS automatically bundles them in a stacking LAG to provide aggregated throughput and redundancy The stacking LAG is established automatically and transparently by Dell Networkin...

Page 804: ...r and Dell Networking OS elects a new standby unit Dell Networking OS resets the failed master unit after online it becomes a member unit the remaining members remain online Example of Stack Manager Redundancy Dell show redundancy Stack unit Status Mgmt ID 1 Stack unit ID 1 Stack unit Redundancy Role Primary Stack unit State Active Stack unit SW Version 9 8 0 0P2 Link to Peer Down Peer Stack unit ...

Page 805: ...elnet Example of Accessing Non Master Units on a Stack via the Console Port CONSOLE ACCESS ON A STANDBY Dell standby cd Change current directory clear Reset functions copy Copy from one file to another delete Delete a file dir List files on a filesystem disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC format Format a filesystem fsck Filesystem check u...

Page 806: ...The following are the stacking installation tasks Create a Stack Add Units to an Existing Stack Split a Stack Create a Stack Stacking is enabled on the device using the front end ports No configuration is allowed on front end ports used for stacking Stacking can be made between 10G ports of two units The stack links between the two units are grouped into a single LAG Stack Group Port Numbers By de...

Page 807: ...ess must be updated to reflect the Command Mode change from EXEC to CONFIGURATION to allow the scripts to work correctly Enabling Front End Port Stacking To enable the front ports on a unit for stacking use the following commands NOTE You can stack a maximum of eight 10G stack ports NOTE After a port is allocated for stacking you can only use it for stacking If stack group 1 is allocated for stack...

Page 808: ...EXEC Privilege mode stack unit stack unit number renumber stack unit number Renumbering causes the unit to reboot The stack unit default for all new units is stack unit 1 4 Configure the switch priority for each unit to make management unit selection deterministic CONFIGURATION mode stack unit stack unit number priority priority 5 Assign a stack group for each unit CONFIGURATION mode stack unit st...

Page 809: ...rts Please save and reload for config to take effect Dell conf Dell 02 39 18 STKUNIT4 M CP SYS 5 CONFIG_I Configured from console Reload each unit in the stack After the reload is complete the four units come up as a stack with unit 1 as the management unit unit 2 as the standby unit and the remaining units as stack members All units in the stack can be accessed from the management unit NOTE Befor...

Page 810: ...xisting stack you can either allow Dell Networking OS to automatically assign the new unit a position in the stack or manually determine each units position in the stack by configuring each unit to correspond with the stack before connecting it If you add a unit that has a stack number that conflicts with the stack the stack assigns the first available stack number If the stack has a provision for...

Page 811: ... conflicting stack number after Dell show system brief Stack MAC 00 01 e8 8a df e6 Reload Type normal reload Stack Info Unit UnitType Status ReqTyp CurTyp Version Ports 1 Management online S3048 ON S3048 ON 9 8 0 0 64 2 Member online S3048 ON S3048 ON 9 8 0 0 64 3 Member not present 4 Standby online S3048 ON S3048 ON 9 8 0 0 64 5 Member not present 6 Member not present Adding a Configured Unit to ...

Page 812: ...igning the new switch the first available stack number If the stack has been provisioned for the stack number that is assigned to the new unit the pre configured provisioning must match the switch type If there is a conflict between the provisioned switch type and the new unit a mismatch error message is displayed Merge Two Stacks You may merge two stacks while they are powered and online To merge...

Page 813: ...Management Unit Selection on a Stack Managing Redundancy on a Stack Resetting a Unit on a Stack Recover from Stack Link Flaps Assigning Unit Numbers to Units in an Stack Each unit in the stack has a stack number that is either assigned by you or Dell Networking OS Units are numbered from 1 to 6 Stack numbers are stored in NVRAM and are preserved upon reload Assign a stack number to a unit EXEC Pri...

Page 814: ...tem Commands Display information about a switch stack using the show system command The following is an example of the show system command to view the stack details Dell show system Stack MAC 00 12 13 34 12 40 Reload Type normal reload Next boot normal reload Unit 3 Unit Type Management Unit Status online Next Boot online Required Type S3048 ON 52 port GE TE SG ON Current Type S3048 ON 52 port GE ...

Page 815: ...0 40 up up 3 48 40 up down 3 52 40 up down 3 56 0 56 40 up up 3 60 0 60 40 up up Influencing Management Unit Selection on a Stack Stack priority is the system variable that Dell Networking OS uses to determine which units in the stack are the master and standby management units If multiple units tie for highest priority the unit with the highest MAC address prevails If management was determined by...

Page 816: ...comes back online it becomes a member unit Prevent the stack master from rebooting after a failover CONFIGURATION mode redundancy disable auto reboot stack unit This command does not affect a forced failover manual reset or a stack link disconnect Display redundancy information EXEC Privilege mode show redundancy Resetting a Unit on a Stack You may reset any stack unit except for the master manage...

Page 817: ...nection Link Speed Admin Link Gb s Status Status 2 49 10 up down 2 50 10 up down Dell The following example shows the parameters for the management unit in the stack Dell show system stack unit 3 Unit 3 Unit Type Management Unit Status online Next Boot online Required Type S3048 ON 52 port GE TE SG ON Current Type S3048 ON 52 port GE TE SG ON Master priority 0 Hardware Rev 0 0 Num Ports 52 Up Time...

Page 818: ...up stack 2 Remove Units or Front End Ports from a Stack To remove units or front end ports from a stack use the following instructions Removing a Unit from a Stack Removing Front End Port Stacking Removing a Unit from a Stack The running configuration and startup configuration are synchronized on all stack units A stack member that is disconnected from the stack maintains this configuration To rem...

Page 819: ...esent 6 Member not present NOTE Each unit in the stack has a stack number that is either assigned by you or Dell Networking OS To manually renumber stack members use the stack unit old unit number renumber new unit number command Renumbering stack members causes the entire stack to reload Removing Front End Port Stacking To remove the configuration on the front end ports used for stacking use the ...

Page 820: ...NDBY UNIT 10 55 18 STKUNIT1 M CP KERN 2 INT Error Stack Port 50 has flapped 5 times within 10 seonds Shutting down this stack port now 10 55 18 STKUNIT1 M CP KERN 2 INT Error Please check the stack cable module and power cycle the stack MEMBER 2 Error Stack Port 51 has flapped 5 times within 10 seconds Shutting down this stack port now Error Please check the stack cable module and power cycle the ...

Page 821: ...atus 0 0 down DC down 0 1 up DC up 1 0 absent absent 1 1 up AC up Fan Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed 0 0 up up 9360 up 9360 0 1 up up 9600 up 9360 1 0 up up 6720 up 6720 1 1 up up 6960 up 6720 Speed in RPM stack 1 Stacking 821 ...

Page 822: ...ticast unknown unicast pfc llfc interface command EXEC Privilege Example Dell show storm control multicast gigabitethernet 1 1 Multicast storm control configuration Interface Direction Packets Second Gi 1 1 Ingress 5 Dell To display the storm control unknown unicast configuration use the show storm control unknown unicast interface command EXEC Privilege Configure Storm Control Storm control is su...

Page 823: ...s Configuring Storm Control from CONFIGURATION Mode To configure storm control from CONFIGURATION mode use the following command From CONFIGURATION mode you can configure storm control for ingress and egress traffic Do not apply per virtual local area network VLAN quality of service QoS on an interface that has storm control enabled either on an interface or globally Configure storm control CONFIG...

Page 824: ...ates loops in a bridged topology by enabling only a single path through the network By eliminating loops the protocol improves scalability in a large network and allows you to implement redundant paths which can be activated after the failure of active paths Layer 2 loops which can occur in a network due to poor network design and without enabling protocols like xSTP can cause unnecessarily high s...

Page 825: ...t The Dell Networking OS supports only one spanning tree instance 0 For multiple instances enable the multiple spanning tree protocol MSTP or per VLAN spanning tree plus PVST You may only enable one flavor of spanning tree at any one time All ports in virtual local area networks VLANs and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you e...

Page 826: ...ample of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2 use the following command 1 If the interface has been assigned an IP address remove it INTERFACE mode no ip address 2 Place the interface in Layer 2 mode INTERFACE switchport 3 Enable the interface INTERFACE mode no shutdown 826 Spanning Tree Protocol STP ...

Page 827: ...ed by default When you enable STP all physical VLAN and port channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology Only one path from any bridge to any other bridge participating in STP is enabled Bridges block a redundant path by disabling one of the link ports Figure 113 Spanning Tree Enabled Globally To enable STP globally use the following...

Page 828: ...tEthernet 2 1 is Forwarding Port path cost 4 Port priority 8 Port Identifier 8 289 Designated root has priority 32768 address 0001 e80d 2462 Designated bridge has priority 32768 address 0001 e80d 2462 Designated port id is 8 496 designated path cost 0 Timers message age 1 forward delay 0 hold 0 Number of transitions to forwarding state 1 BPDU sent 21 received 486 The port is not in the portfast mo...

Page 829: ...lt Values STP Parameters Default Value Forward Delay 15 seconds Hello Time 2 seconds Max Age 20 seconds Port Cost 100 Mb s Ethernet interfaces 1 Gigabit Ethernet interfaces 10 Gigabit Ethernet interfaces Port Channel with 100 Mb s Ethernet interfaces Port Channel with 1 Gigabit Ethernet interfaces Port Channel with 10 Gigabit Ethernet interfaces 200000 20000 2000 180000 18000 1800 Port Priority 8 ...

Page 830: ...ted in Modifying Global Parameters Change the port priority of an interface INTERFACE mode spanning tree 0 priority priority value The range is from 0 to 15 The default is 8 To view the current values for interface parameters use the show spanning tree 0 command from EXEC privilege mode Refer to the second example in Enabling Spanning Tree Protocol Globally Enabling PortFast The PortFast feature e...

Page 831: ...in an Error Disabled state when receiving the BPDU the physical interface remains up and spanning tree will only drop packets after a BPDU violation The following example shows a scenario in which an edgeport might unintentionally receive a BPDU The port on the Dell Networking system is configured with Portfast If the switch is connected to the hub the BPDUs that the switch generates might trigger...

Page 832: ... do show spanning tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768 Address 0001 e805 fb07 Root Bridge hello time 2 max age 20 forward delay 15 Bridge ID Priority 32768 Address 0001 e85d 0e90 Configured hello time 2 max age 20 forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID Gi 1 6 128 263 128 20000 FWD 20000 32768 0001 e80...

Page 833: ...ches have the same priority the switch with the lower MAC address is selected as the root All other switches in the network use the root bridge as the reference used to calculate the shortest forwarding path Because any switch in an STP network with a lower priority can become the root bridge the forwarding topology may not be stable The location of the root bridge can change resulting in unpredic...

Page 834: ...e Protocol RSTP Multiple Spanning Tree Protocol MSTP Per VLAN Spanning Tree Plus PVST When enabled on a port root guard applies to all VLANs configured on the port You cannot enable root guard and loop guard at the same time on an STP port For example if you configure root guard on a port on which loop guard is already configured the following error message displays Error LoopGuard is configured C...

Page 835: ...een the RPMs so that RPM failover is seamless and no topology change is triggered To be hitless per spanning tree type or for all spanning tree types use the following commands Configure LACP to be hitless CONFIGURATION mode redundancy protocol lacp Configure all spanning tree types to be hitless CONFIGURATION mode redundancy protocol xstp Example of Configuring all Spanning Tree Types to be Hitle...

Page 836: ...h C transmit traffic to Switch B STP topology 2 lower right As shown in STP topology 3 bottom middle after you enable loop guard on an STP port or port channel on Switch C if no BPDUs are received and the max age timer expires the port transitions from a blocked state to a Loop Inconsistent state instead of to a Forwarding state Loop guard blocks the STP port so that no traffic is transmitted and ...

Page 837: ...med per port or per port channel at a VLAN level If no BPDUs are received on a VLAN interface the port or port channel transitions to a Loop Inconsistent Blocking state only for this VLAN To enable a loop guard on an STP enabled port or port channel interface use the following command Enable loop guard on a port or port channel interface INTERFACE mode or INTERFACE PORT CHANNEL mode spanning tree ...

Page 838: ...iewing STP Guard Configuration Dell show spanning tree 0 guard Interface Name Instance Sts Guard type Gi 1 1 0 INCON Root Rootguard Gi 1 2 0 LIS Loopguard Gi 1 3 0 EDS Shut Bpduguard 838 Spanning Tree Protocol STP ...

Page 839: ...ice For more information on SmartScripts see Dell Networking Open Automation guide Figure 117 SupportAssist NOTE SupportAssist is enabled by default on the system To disable SupportAssist enter the eula consent support assist reject command in Global Configuration mode and save the configuration Topics Configuring SupportAssist Using a Configuration Wizard Configuring SupportAssist Manually Config...

Page 840: ...r your Dell products and services Dell may use the information for providing recommendations to improve your IT infrastructure Dell SupportAssist also collects and stores machine diagnostic information which may include but is not limited to configuration information user supplied contact information names of data volumes IP addresses access control lists diagnostics performance information networ...

Page 841: ...and CONFIGURATION mode support assist Dell conf support assist Dell conf supportassist 3 Optional Configure the contact information for the company SUPPORTASSIST mode contact company name company name company next name company next name Dell conf support assist Dell conf supportassist contact company name test Dell conf supportassist cmpy test 4 Optional Configure the contact name for an individua...

Page 842: ...le specification local file name Dell conf supportassist act full transfer action manifest get tftp 10 0 0 1 test file Dell conf supportassist act full transfer Dell conf supportassist act event transfer action manifest get tftp 10 0 0 1 test file Dell conf supportassist act event transfer 3 Configure the action manifest to use for a specific activity SUPPORTASSIST ACTIVITY mode no action manifest...

Page 843: ...upportAssist Company configurations are optional for the SupportAssist service To configure SupportAssist company use the following commands 1 Configure the contact information for the company SUPPORTASSIST mode no contact company name company name company next name company next name Dell conf supportassist contact company name test Dell conf supportassist cmpy test 2 Configure the address informa...

Page 844: ...ers john_doe 4 Configure the preferred method for contacting the person SUPPORTASSIST PERSON mode preferred method email no contact phone Dell conf supportassist pers john_doe preferred method email Dell conf supportassist pers john_doe 5 Configure the time frame for contacting the person SUPPORTASSIST PERSON mode no time zone zone HH MM start time HH MM end time HH MM Dell conf supportassist pers...

Page 845: ...SupportAssist configurations use the following commands 1 Display information on the SupportAssist feature status including any activities status of communication last time communication sent and so on EXEC Privilege mode show support assist status Dell show support assist status SupportAssist Service Installed EULA Accepted Server default Enabled Yes URL https stor g3 ph dell com Server Dell Enab...

Page 846: ...iguration information host server configuration performance information and related data Collected Data and transmits this information to Dell By downloading SupportAssist and agreeing to be bound by these terms and the Dell end user license agreement available at www dell com aeula you agree to allow Dell to provide remote monitoring services of your IT environment and you give Dell the right to ...

Page 847: ...hree products clock offset roundtrip delay and dispersion all of which are relative to a selected reference clock Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time Dispersion represents the maximum error of the local cl...

Page 848: ...king device propagates the time information throughout its local network Protocol Overview The NTP messages to one or more servers and processes the replies as received The server interchanges addresses and ports fills in or overwrites certain fields in the message recalculates the checksum and returns it immediately Information included in the NTP message allows each client server peer to determi...

Page 849: ... time is CD63BCC2 0CBBD000 16 54 26 049 UTC Thu Mar 12 2009 clock offset is 997 529984 msec root delay is 0 00098 sec root dispersion is 10 04271 sec peer dispersion is 10032 715 msec peer mode is client To display the calculated NTP synchronization variables received from the server that the system uses to synchronize its clock use the show ntp associations command from EXEC Privilege mode R6_E30...

Page 850: ...om 0 to 16383 For a port channel interface enter the keywords port channel then a number For a VLAN interface enter the keyword vlan then a number from 1 to 4094 To view the configuration use the show running config ntp command in EXEC privilege mode refer to the example in Configuring NTP Authentication Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a ...

Page 851: ...he format 0000 0000 0000 0000 0000 0000 0000 0000 Elision of zeros is supported key keyid Configure a text string as the key exchanged between the NTP server and the client prefer Enter the keyword prefer to set this NTP server as the preferred server version number Enter a number as the NTP version The range is from 1 to 4 5 Configure the switch as NTP master CONFIGURATION mode ntp master stratum...

Page 852: ...lay to the primary reference source at the root of the synchronization subnet in seconds This variable can take on both positive and negative values depending on clock precision and skew Root Dispersion sys rootdispersion peer rootdispersion pkt rootdispersion a signed fixed point number indicating the maximum error relative to the primary reference source at the root of the synchronization subnet...

Page 853: ... Once Setting Recurring Daylight Saving Time Setting the Time and Date for the Switch Software Clock You can change the order of the month and day parameters to enter the time and date as time day month year You cannot delete the software clock The software clock runs only when the software is up The clock restarts based on the hardware clock when the switch reboots To set the software clock use t...

Page 854: ...e or on a recurring basis every year Setting Daylight Saving Time Once Set a date and time zone on which to convert the switch to daylight saving time on a one time basis To set the clock for daylight savings time once use the following command Set the clock to the appropriate timezone and daylight saving time CONFIGURATION mode clock summer time time zone date start month start day start year sta...

Page 855: ... end time week number Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time first Enter the keyword first to start daylight saving time in the first week of the month last Enter the keyword last to start daylight saving time in the last week of the month start month Enter the name of one of the 12 months in English You can enter the name of a day to change...

Page 856: ...at Mar 14 2009 Summer time ends 00 00 00 pacific Sat Nov 7 2009 NOTE If you enter CR after entering the recurring command parameter and you have already set a one time daylight saving time date the system uses that time and date as the recurring setting The following example shows the clock summer time recurring parameters Dell conf clock summer time pacific recurring 1 4 Week number to start firs...

Page 857: ...e either an IPv6 address or an IPv4 address for the logical address of the tunnel but in IPv6IP mode the logical address must be an IPv6 address The following sample configuration shows a tunnel configured in IPv6 mode carries IPv6 and IPv4 traffic Dell conf interface tunnel 1 Dell conf if tu 1 tunnel source 30 1 1 1 Dell conf if tu 1 tunnel destination 50 1 1 1 Dell conf if tu 1 tunnel mode ipip ...

Page 858: ...ration shows how to use the tunnel keepalive command Dell conf if gi 1 12 show config interface GigabitEthernet 1 12 ip address 40 1 1 1 24 ipv6 address 500 10 1 64 no shutdown Dell conf if gi 1 12 Dell conf interface tunnel 1 Dell conf if tu 1 ipv6 address 1abd 1 64 Dell conf if tu 1 ip address 1 1 1 1 24 Dell conf if tu 1 tunnel source 40 1 1 1 Dell conf if tu 1 tunnel destination 40 1 1 2 Dell ...

Page 859: ...re a tunnel allow remote address Dell conf interface tunnel 1 Dell conf if tu 1 ipv6 address 1abd 1 64 Dell conf if tu 1 ip address 1 1 1 1 24 Dell conf if tu 1 tunnel source 40 1 1 1 Dell conf if tu 1 tunnel mode ipip decapsulate any Dell conf if tu 1 tunnel allow remote 40 1 1 2 Dell conf if tu 1 no shutdown Dell conf if tu 1 show config interface Tunnel 1 ip address 1 1 1 1 24 ipv6 address 1abd...

Page 860: ... interface Tunnel 1 ip address 1 1 1 1 24 ipv6 address 1abd 1 64 tunnel source anylocal tunnel allow remote 40 1 1 2 tunnel mode ipip decapsulate any no shutdown 860 Tunneling ...

Page 861: ...wnstream links Failures on the downstream links allow downstream devices to recognize the loss of upstream connectivity For example as shown in the following illustration Switches S1 and S2 both have upstream connectivity to Router R1 and downstream connectivity to the server UFD operation is shown in Steps A through C In Step A the server configuration uses the connection to S1 as the primary pat...

Page 862: ...nterface or a port channel LAG aggregation of physical interfaces An enabled uplink state group tracks the state of all assigned upstream interfaces Failure on an upstream interface results in the automatic disabling of downstream interfaces in the uplink state group As a result downstream devices can execute the protection or recovery procedures they have in place to establish alternate connectiv...

Page 863: ...e associated downstream link port to the server To continue to transmit traffic upstream the server with NIC teaming detects the disabled link and automatically switches over to the backup link in order Important Points to Remember When you configure UFD the following conditions apply You can configure up to 16 uplink state groups By default no uplink state groups are created An uplink state group...

Page 864: ...link state group group id group id values are from 1 to 16 To delete an uplink state group use the no uplink state group group id command 2 Assign a port or port channel to the uplink state group as an upstream or downstream interface UPLINK STATE GROUP mode upstream downstream interface For interface enter one of the following interface types 1 Gigabit Ethernet enter gigabitethernet slot port slo...

Page 865: ...ace types For a 1 Gigabit Ethernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information For a port channel interface enter port channel 1 512 port channel range Where port range and port channel range specify a range of ports separated by a dash and or individual ports port...

Page 866: ...ce state to up Te 3 49 02 38 53 RPM0 P CP IFMGR 5 OSTATE_UP Changed interface state to up Te 3 50 02 38 53 RPM0 P CP IFMGR 5 OSTATE_UP Changed interface state to up Te 3 51 02 38 53 RPM0 P CP IFMGR 5 OSTATE_UP Changed interface state to up Te 3 52 Displaying Uplink Failure Detection To display information on the UFD feature use any of the following commands Display status information on a specifie...

Page 867: ...3 15 Dis Uplink State Group 6 Status Enabled Up Upstream Interfaces Downstream Interfaces Uplink State Group 7 Status Enabled Up Upstream Interfaces Downstream Interfaces Uplink State Group 16 Status Disabled Up Upstream Interfaces Gi 1 4 Dwn Po 8 Dwn Downstream Interfaces Gi 1 10 Dwn The following example shows viewing the interface status with UFD information Dell show interfaces gigabitethernet...

Page 868: ... follows Configure uplink state group 3 Add downstream links Gigabitethernet 1 1 1 2 1 5 1 9 1 11 and 1 12 Configure two downstream links to be disabled if an upstream link fails Add upstream links Gigabitethernet 1 3 and 1 4 Add a text description for the group Verify the configuration with various show commands Example of Configuring UFD Dell conf uplink state group 3 00 08 11 STKUNIT0 M CP IFMG...

Page 869: ...Ethernet 1 1 2 5 9 11 12 upstream GigabitEthernet 1 3 4 Dell show uplink state group 3 Uplink State Group 3 Status Enabled Up Dell show uplink state group detail Up Interface up Dwn Interface down Dis Interface disabled Uplink State Group 3 Status Enabled Up Upstream Interfaces Gi 1 3 Up Gi 1 4 Dwn Downstream Interfaces Gi 1 1 Dis Gi 1 2 Dwn Gi 1 5 Dwn Gi 1 9 Dwn Gi 1 11 Dwn Gi 1 12 Dwn Uplink Fai...

Page 870: ...ystem type follow the procedures in the Dell Networking OS Release Notes Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center You can reach Technical Support On the web http www dell com support By email Dell Force10_Technical_Support Dell com By phone US and Canada 866 965 5800 International 408 965 5800 55 87...

Page 871: ...2 1Q Virtual Bridged Local Area Networks In this guide also refer to Bulk Configuration in the Interfaces chapter VLAN Stacking in the Service Provider Bridging chapter For a complete listing of all commands related to Dell Networking OS VLANs refer to these Dell Networking OS Command Reference Guide chapters Interfaces 802 1X GARP VLAN Registration Protocol GVRP Service Provider Bridging Per VLAN...

Page 872: ...ong to multiple VLANs remove the tagged interface from all VLANs using the no tagged interface command Only after the interface is untagged and a member of the Default VLAN can you use the no switchport command to remove the interface from Layer 2 mode For more information refer to VLANs and Port Tagging Example of Configuring an Interface for Layer 2 Belonging to the Default VLAN Dell conf interf...

Page 873: ...rioritize traffic and to forward information to ports associated with a specific VLAN ID Tagged interfaces can belong to multiple VLANs while untagged interfaces can belong only to one VLAN Configuration Task List This section contains the following VLAN configuration tasks Creating a Port Based VLAN mandatory Assigning Interfaces to a VLAN optional Assigning an IP Address to a VLAN optional Enabl...

Page 874: ...Ns are configured and two interfaces are assigned to VLAN 2 The Q column in the show vlan command example notes whether the interface is tagged T or untagged U For more information about this command refer to the Layer 2 chapter of the Dell Networking OS Command Reference Guide To tag frames leaving an interface in Layer 2 mode assign that interface to a port based VLAN to tag it with that VLAN ID...

Page 875: ...another VLAN use the following commands 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface CONFIGURATION mode interface vlan vlan id 2 Configure an interface as untagged INTERFACE mode untagged interface This command is available only in VLAN interfaces Move an Untagged Interface to Another VLAN The no untagged interface command removes the untagged interface from a...

Page 876: ...e interface the shutdown command only prevents Layer 3 traffic from traversing over the interface NOTE You cannot assign an IP address to the Default VLAN VLAN 1 To assign another VLAN ID to the Default VLAN use the default vlan id vlan id command In Dell Networking OS you can place VLANs and other logical interfaces in Layer 3 mode to receive and send routed traffic For more information refer to ...

Page 877: ...interface INTERFACE mode 2 Configure the interface for Hybrid mode INTERFACE mode portmode hybrid 3 Configure the interface for Switchport mode INTERFACE mode switchport 4 Add the interface to a tagged or untagged VLAN VLAN INTERFACE mode tagged untagged Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment service providers who perform frequent reconfiguration...

Page 878: ...s to prevent loops in the network Although loops are prevented bandwidth of all links is not effectively utilized by the connected devices Figure 122 Traditional switched topology VLT not only overcomes this caveat but also provides a multipath to the connected devices In the example shown below the two physical VLT peers appear as a single logical device to the connected devices As the connected ...

Page 879: ...thing creating redundancy through increased bandwidth enabling multiple parallel paths between nodes and load balancing traffic where alternate paths exist L2 L3 control plane protocols and system management features function normally in VLT mode Features such as VRRP and internet group management protocol IGMP snooping require state information coordination between the two VLT chassis The IGMP an...

Page 880: ...ame time unexpected behavior may occur As shown in the following example VLT presents a single logical Layer 2 domain from the perspective of attached devices that have a virtual link trunk terminating on separate chassis in the VLT domain However the two VLT chassis are independent Layer2 Layer3 L2 L3 switches for devices in the upstream network L2 L3 control plane protocols and system management...

Page 881: ...3 control planes across the two VLT peer switches A separate backup link maintains heartbeat messages across an out of band OOB management network The backup link ensures that node failure conditions are correctly detected and are not confused with failures of the VLT interconnect VLT ensures that local traffic on a chassis does not traverse the VLTi and takes the shortest path to the destination ...

Page 882: ...een VLT peers VLT 10 PEER 1 show mac address table count MAC Entries for all vlans Dynamic Address Count 1007 Static Address User defined Count 1 Sticky Address Count 0 Total Synced Mac from Peer N 503 Total MAC Addresses in Use 1008 VLT 10 PEER 1 show vlt counter mac Total MAC VLT counters L2 Total MAC Address Count 1007 VLT 10 PEER 1 show mac address table Codes N VLT Peer Synced MAC VlanId Mac ...

Page 883: ...ultiple racks with the same VLAN With routed VLT you can configure a VLAN as layer 3 in a VLT domain and as layer 2 VLAN in all other VLT domains By configuring a VLAN as layer 3 in a VLT domain and as layer 2 VLAN in all other VLT domains you can confine the ARP entries to one particular VLT domain At the core aggregation layer VLT domain you can configure common layer 3 VLANs for inter VLAN rout...

Page 884: ...ers connected by a standard link aggregation control protocol LACP LAG to form a loop free Layer 2 topology in the aggregation layer This configuration supports a maximum of four switches increasing the number of available ports and allowing for dual redundancy of the VLT The following example shows how the core aggregation port density in the Layer 2 topology is increased using eVLT For inter VLA...

Page 885: ...node To avoid this scenario configure the VLT LAGs to the ToR and the ToR port channel to the VLT peers with LACP If supported by the ToR enable the lacp ungroup feature on the ToR using the lacp ungroup member independent port channel command If the lacp ungroup feature is not supported on the ToR reboot the VLT peers one at a time After rebooting verify that VLTi ICL is active before attempting ...

Page 886: ... and traffic does not reach half of the hosts To mitigate this issue ensure that you configure the following settings on both the Peers Peer1 and Peer2 arp learn enable and mac address table station move refresh arp In a topology in which two VLT peer nodes that are connected by a VLTi link and are connected to a ToR switch using a VLT LAG interface if you configure an egress IP ACL and apply it o...

Page 887: ...features are supported on VLTi link layer discovery protocol LLDP flow control port monitoring and jumbo frames When you enable the VLTi link the link between the VLT peer switches is established if the following configured information is true on both peer switches the VLT system MAC address matches the VLT unit id is not identical NOTE If you configure the VLT system MAC address or VLT unit id on...

Page 888: ...ls In a VLT domain the following software features are supported on VLT port channels 802 1p ingress and egress ACLs BGP DHCP relay IS IS OSPF active active PIM SM PIM SSM VRRP Layer 3 VLANs LLDP flow control port monitoring jumbo frames IGMP snooping sFlow ingress and egress ACLs and Layer 2 control protocols RSTP and PVST only NOTE Peer VLAN spanning tree plus PVST passthrough is supported in a ...

Page 889: ...vice available in the network In either case after recovery of the peer link or reestablishment of message forwarding across the interconnect trunk the two VLT peers resynchronize any MAC addresses learned while communication was interrupted and the VLT system continues normal data forwarding If the primary chassis fails the secondary chassis takes on the operational role of the primary The SNMP M...

Page 890: ... shown in the following message and an SNMP trap STKUNIT0 M CP VLTMGR 6 VLT LAG ICL Overall Bandwidth utilization of VLT ICL LAG port channel 25 reaches below threshold Bandwidth usage 74 VLT show remote port channel status VLT and Stacking You cannot enable stacking on the units with VLT If you enable stacking on a unit on which you want to enable VLT you must first remove the unit from the exist...

Page 891: ...l members in the port channel The default is 90 seconds To change the duration of the configurable timer use the delay restore command If you enable IGMP snooping IGMP queries are also sent out on the VLT ports at this time allowing any receivers to respond to the queries and update the multicast table on the new node This delay in bringing up the VLT ports also applies when the VLTi link recovers...

Page 892: ... first hop or last hop routers the peer node can also act as an intermediate router On a VLT enabled PIM router if any PIM neighbor is reachable through a Spanned Layer 3 L3 VLAN interface this must be the only PIM enabled interface to reach that neighbor A Spanned L3 VLAN is any L3 VLAN configured on both peers in a VLT domain This does not apply to server side L2 VLT ports because they do not co...

Page 893: ...n IP addresses to these VLANs VLT Unicast and VLT Multicast routing protocols require VLAN IP interfaces for operation Protocols such as BGP ISIS OSPF and PIM are compatible with VLT Unicast Routing and VLT Multicast Routing Layer 2 protocols from the ToR devices to the server are intra rack and inter rack Although no spanning tree is required interoperability with spanning trees at the aggregatio...

Page 894: ...e image below Even though the gateway address of the packet is different Peer 1 routes the packet to its destination on behalf of Peer 2 to avoid sub optimal routing Figure 130 Packets with peer routing enabled Benefits of Peer Routing Avoids sub optimal routing Reduces latency by avoiding another hop in the traffic path 894 Virtual Link Trunking VLT ...

Page 895: ...mand output If you enable VLT unicast routing the following actions occur L3 routing is enabled on any new IP address IPv6 address configured for a VLAN interface that is up L3 routing is enabled on any VLAN with an admin state of up NOTE If the CAM is full do not enable peer routing NOTE The peer routing and peer routing timeout is applicable for both IPv6 IPv4 Configuring VLT Unicast To enable a...

Page 896: ...interfaces over non VLT VLAN interfaces When using factory default settings on a new switch deployed as a VLT node packet loss may occur due to the requirement that all ports must be open ECMP is not compatible on VLT nodes using VLT multicast You must use a single VLAN Configuring VLT Multicast To enable and configure VLT multicast follow these steps 1 Enable VLT on a switch then configure a VLT ...

Page 897: ...y secondary roles are determined To prevent the interfaces in the VLT interconnect trunk and RSTP enabled VLT ports from entering a Forwarding state and creating a traffic loop in a VLT domain take the following steps 1 Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol RSTP Disabling RSTP on one VLT peer may result in a VLT domain failure 2 Ena...

Page 898: ...LT domain The primary and secondary switch roles in the VLT domain are automatically assigned after you configure both sides of the VLTi NOTE If you use a third party ToR unit to avoid potential problems if you reboot the VLT peers Dell recommends using static LAGs on the VLTi between VLT peers 2 Enable VLT and create a VLT domain ID VLT automatically selects a system MAC address 3 Configure a bac...

Page 899: ...VLT MAC address for the domain To disable VLT use the no vlt domain command NOTE Do not use MAC addresses such as reserved or multicast 2 Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out of band hello messages VLT DOMAIN CONFIGURATION mode back up destination ipv4 address ipv6 address interval seconds You ...

Page 900: ...d 1 Specify the management interface to be used for the backup link through an out of band management network CONFIGURATION mode interface managementethernet slot port Enter the slot 0 1 and the port 0 2 Configure an IPv4 address A B C D or IPv6 address X X X X X and mask x on the interface MANAGEMENT INTERFACE mode ip address ipv4 address mask ipv6 address ipv6 address mask This is the IP address...

Page 901: ... lower priority later comes back online it is assigned the secondary role there is no preemption 3 Optional When you create a VLT domain on a switch Dell Networking OS automatically creates a VLT system MAC address used for internal system operations VLT DOMAIN CONFIGURATION mode system mac mac address mac address To explicitly configure the default MAC address for the domain by entering a new MAC...

Page 902: ...Ensure that the port channel is active INTERFACE PORT CHANNEL mode no shutdown 6 Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device INTERFACE PORT CHANNEL mode vlt peer lag port channel id number 7 Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain 8 On an attached switch or ...

Page 903: ... specify one of the following interface types For a 1 GigabitEthernet interface enter the keyword GigabitEthernet then the slot port information For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information 3 Enter VLT domain configuration mode for a specified VLT domain CONFIGURATION mode vlt domain domain id The range of domain IDs is from 1 to 1000 4 En...

Page 904: ...channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode CONFIGURATION mode interface port channel id number Enter the same port channel number configured with the peer link port channel command in the Enabling VLT and Creating a VLT Domain 9 Place the interface in Layer 2 mode INTERFACE PORT CHANNEL mode switchport 10 Associate the port channel to the cor...

Page 905: ...LTs used as facing hosts switches with LACP Ensure both peers use the same port channel ID 4 Configure the peer link port channel in the VLT domains of each peer unit INTERFACE PORTCHANNEL mode channel member 5 Configure the backup link between the VLT peer units shown in the following example 6 Configure the peer 2 management ip interface ip for which connectivity is present in VLT peer 1 EXEC Pr...

Page 906: ...annel member GigabitEthernet 1 4 1 7 Dell 4 conf interface port channel 1 Dell 4 conf if po 1 channel member GigabitEthernet 1 4 1 7 Configure the backup link between the VLT peer units 1 Configure the peer 2 management ip interface ip for which connectivity is present in VLT peer 1 2 Configure the peer 1 management ip interface ip for which connectivity is present in VLT peer 2 Dell 2 show runnin...

Page 907: ...l LAG Mode Status Uptime Ports L 2 L2L3 up 03 33 14 Gi 1 4 Up In the ToR unit configure LACP on the physical ports s60 1 show running config interface gigabitethernet 1 8 interface GigabitEthernet 1 8 no ip address port channel protocol LACP port channel 100 mode active no shutdown s60 1 show running config interface gigabitethernet 1 30 interface GigabitEthernet 1 30 no ip address port channel pr...

Page 908: ...m PVST instances running in the Primary Peer control the VLT LAGs on both Primary and Secondary peers Only the Primary VLT switch determines the PVST roles and states on VLT ports and ensures that the VLT interconnect link is never blocked The PVST instance in Primary peer sends the role state of VLT LAGs for all VLANs to the Secondary peer The Secondary peer uses this information to program the h...

Page 909: ...4 9b79 128 233 Interface Name Role PortID Prio Cost Sts Cost Link type Edge Po 1 Desg 128 2 128 188 FWD 0 vltI P2P No Po 2 Desg 128 3 128 2000 FWD 0 vlt P2P No Gi 1 10 Desg 128 230 128 2000 FWD 0 P2P Yes Gi 1 13 Desg 128 233 128 2000 FWD 0 P2P No Dell Peer Routing Configuration Example This section provides a detailed explanation of how to configure peer routing in a VLT domain In the following ex...

Page 910: ...ow run find protocol protocol spanning tree pvst no disable vlan 1 20 800 900 bridge priority 0 The following output shows the existing VLANs Dell 1 show vlan find NUM NUM Status Description Q Ports 1 Active U Po10 Te 0 0 1 U Te 0 4 47 20 Active OSPF PEERING VLAN U Po1 Te 0 6 V Po10 Te 0 0 1 800 Active Client VLAN V Po10 Te 0 0 1 900 Active Client VLAN 2 V Po10 Te 0 0 1 910 Virtual Link Trunking V...

Page 911: ...te that configuration on the VLTi links does not contain the switchport command Dell 1 sh run int po10 interface Port channel 10 description VLTi Port Channel no ip address channel member TenGigabitEthernet 0 0 1 no shutdown Te 0 4 connects to the access switch A1 Dell 1 sh run int te0 4 interface TenGigabitEthernet 0 4 description To_Access_Switch_A1_fa0 13 no ip address port channel protocol LAC...

Page 912: ...g command enables peer routing between VLT peers in VLT domain 1 The IP address configured with the backup destination command is the management IP address of the VLT peer Dell 2 Dell 1 sh run find vlt vlt domain 1 peer link port channel 10 back up destination 10 10 10 2 primary priority 4096 system mac MAC address 90 b1 1c f4 01 01 unit id 0 peer routing Verify if VLT on Dell 1 is functional Dell...

Page 913: ...cies The following output displays that Dell 1 forms neighborship with Dell 2 and R1 Dell 1 show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface Area 172 16 1 2 1 FULL BDR 00 00 31 192 168 20 2 Vl 20 0 172 15 1 1 1 FULL DROTHER 00 00 39 192 168 20 3 Vl 20 0 The following output displays the routes learned using OSPF Dell 1 show ip route ospf Destination Gateway Dist Metric Last ...

Page 914: ...ir destinations without being sent to the peer switch Dell 2 Switch Configuration In the following output RSTP is enabled with a bridge priority of 32768 which is the second lowest in this topology This ensures that Dell 2 becomes the root bridge if Dell 1 fails Dell 2 sh run find protocol protocol spanning tree pvst no disable vlan 1 20 800 900 bridge priority 32768 The following output shows the...

Page 915: ...col LACP port channel 1 mode active no shutdown Port channel 1 connects the uplink switch R1 Dell 2 sh run int po1 interface Port channel 1 description port channel_to_R1 no ip address switchport vlt peer lag port channel 1 no shutdown Port channel 2 connects the access switch A1 Dell 2 sh run int po2 interface Port channel 2 description port channel_to_access_switch_A1 no ip address portmode hybr...

Page 916: ...1 1c f4 29 f1 Remote System MAC address 90 b1 1c f4 2c bb Configured System MAC address 90 b1 1c f4 01 01 Remote system version 6 3 Delay Restore timer 90 seconds Peer routing Enabled Peer routing Timeout timer 0 seconds Multicast peer routing timeout 150 seconds Verify if the heartbeat mechanism is operational on Dell 2 Dell 2 sh vlt backup link VLT Backup Link Destination 10 10 10 1 Peer HeartBe...

Page 917: ... of all interfaces in the system All interfaces physical and virtual have the same MAC address This is the address used for peer routing Dell 2 show interfaces grep Hardware Hardware is DellEth address is 90 b1 1c f4 29 f3 Hardware is DellEth address is 90 b1 1c f4 29 f3 Hardware is DellEth address is 90 b1 1c f4 29 f3 Hardware is DellEth address is 90 b1 1c f4 29 f3 Output truncated for brevity V...

Page 918: ...0 24 110 2 via 192 168 20 2 02 02 34 Port channel1 110 2 via 192 168 20 1 02 02 34 Port channel1 OSPF learned route back to client subnet VLAN 800 4 0 0 0 24 is subnetted 1 subnets C 4 4 4 0 is directly connected Loopback4 O 192 168 9 0 24 110 2 via 192 168 20 2 02 02 34 Port channel1 110 2 via 192 168 20 1 02 02 34 Port channel1 OSPF learned route back to client subnet 2 VLAN 900 172 17 0 0 24 is...

Page 919: ...ains Domain 1 consists of Peer 1 and Peer 2 Domain 2 consists of Peer 3 and Peer 4 as shown in the following example In Domain 1 configure Peer 1 fist then configure Peer 2 When that is complete perform the same steps for the peer nodes in Domain 2 The interface used in this example is TenGigabitEthernet Figure 132 eVLT Configuration Example eVLT Configuration Step Examples In Domain 1 configure t...

Page 920: ...2 conf if range gi 1 28 29 port channel protocol LACP Domain_1_Peer2 conf if range gi 1 28 29 port channel 100 mode active Domain_1_Peer2 conf if range gi 1 28 29 no shutdown In Domain 2 configure the VLT domain and VLTi on Peer 3 Domain_2_Peer3 configure Domain_2_Peer3 conf interface port channel 1 Domain_2_Peer3 conf if po 1 channel member GigabitEthernet 1 8 1 9 Domain_1_Peer3 no shutdown Domai...

Page 921: ...Examples of Configuring PIM Sparse Mode The following example shows how to enable PIM multicast routing on the VLT node globally VLT_Peer1 conf ip multicast routing The following example shows how to enable PIM on the VLT port VLANs VLT_Peer1 conf interface vlan 4001 VLT_Peer1 conf if vl 4001 ip address 140 0 0 1 24 VLT_Peer1 conf if vl 4001 ip pim sparse mode VLT_Peer1 conf if vl 4001 tagged port...

Page 922: ...on the switch EXEC mode show running config vlt Display statistics on VLT operation EXEC mode show vlt statistics Display the RSTP configuration on a VLT peer switch including the status of port channels used in the VLT interconnect trunk and to connect to access devices EXEC mode show spanning tree rstp Display the current status of a port or port channel interface used in the VLT domain EXEC mod...

Page 923: ...system version 6 3 Delay Restore timer 90 seconds Delay Restore Abort Threshold 60 seconds Peer Routing Disabled Peer Routing Timeout timer 0 seconds Multicast peer routing timeout 150 seconds Dell The following example shows the show vlt detail command Dell_VLTpeer1 show vlt detail Local LAG Id Peer LAG Id Local Status Peer Status Active VLANs 100 100 UP UP 10 20 30 127 2 UP UP 20 30 Dell_VLTpeer...

Page 924: ...bold section displays the RSTP state of port channels in the VLT domain Port channel 100 is used in the VLT interconnect trunk VLTi to connect to VLT peer2 Port channels 110 111 and 120 are used to connect to access switches or servers vlt Dell_VLTpeer1 show spanning tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0 Address 0001 e88a dff8 Root Bridge hello time 2 ...

Page 925: ... trunk VLTi Dell_VLTpeer1 conf vlt domain 999 Dell_VLTpeer1 conf vlt domain peer link port channel 100 Dell_VLTpeer1 conf vlt domain back up destination 10 11 206 35 Dell_VLTpeer1 conf vlt domain exit Configure the backup link Dell_VLTpeer1 conf interface ManagementEthernet 1 1 Dell_VLTpeer1 conf if ma 1 1 ip address 10 11 206 23 Dell_VLTpeer1 conf if ma 1 1 no shutdown Dell_VLTpeer1 conf if ma 1 ...

Page 926: ...ure the port channel to an attached device Dell_VLTpeer2 conf interface port channel 110 Dell_VLTpeer2 conf if po 110 no ip address Dell_VLTpeer2 conf if po 110 switchport Dell_VLTpeer2 conf if po 110 channel member tenGigE 1 53 Dell_VLTpeer2 conf if po 110 no shutdown Dell_VLTpeer2 conf if po 110 vlt peer lag port channel 110 Dell_VLTpeer2 conf if po 110 end Verify that the port channels used in ...

Page 927: ...how vlt brief commands to view the VLT port channel status information Spanning tree mismatch at global level All VLT port channels go down on both VLT peers A syslog error message is generated No traffic is passed on the port channels A one time informational syslog message is generated During run time a loop may occur as long as the mismatch lasts To resolve enable RSTP on both VLT peers Spannin...

Page 928: ... are terminated on two different nodes PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers PVLANs provide Layer 2 isolation between ports within the same VLAN A PVLAN partitions a traditional VLAN into sub domains identified by a primary and secondary VLAN pair With VLT being a Layer 2 redundancy mechanism support for configuration of VLT nodes in a PV...

Page 929: ...d to cause the VLTi to be a member of that VLAN Whenever a change in the VLAN mode on one of the peers occurs the information is synchronized with the other peer and VLTi is either added or removed from the VLAN based on the validation of the VLAN parity For VLT VLANs the association between primary VLAN and secondary VLANs is examined on both the peers Only if the association is identical on both...

Page 930: ...atches or PVLAN port mode mismatches occur Also you can view these discrepancies if any occur by using the show vlt mismatch command Interoperation of VLT Nodes in a PVLAN with ARP Requests When an ARP request is received and the following conditions are applicable the IP stack performs certain operations The VLAN on which the ARP request is received is a secondary VLAN community or isolated VLAN ...

Page 931: ...Secondary Isolated No No Access Access Secondary Community Secondary Isolated No No Primary X Primary X Yes Yes Promiscuous Promiscuous Primary Primary Yes Yes Secondary Community Secondary Community Yes Yes Secondary Isolated Secondary Isolated Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary Community Secondary Community Yes Yes Prim...

Page 932: ...the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode CONFIGURATION mode interface port channel id number Enter the same port channel number configured with the peer link port channel command as described in Enabling VLT and Creating a VLT Domain NOTE To be included in the VLTi the port channel must be in Default mode no switchport or VLAN assigned 2 Remo...

Page 933: ...the PVLAN mode INTERFACE mode switchport mode private vlan host promiscuous trunk host isolated or community VLAN port promiscuous intra VLAN communication port trunk inter switch PVLAN hub port 5 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces CONFIGURATION mode interface vlan vlan id 6 Enable the VLAN INTERFACE VLAN mode no shutdown 7 To obtain maximum VL...

Page 934: ...ches node 1 node 1 does not perform the ARP request for 20 1 1 2 Proxy ARP is supported only for the IP address that belongs to the received interface IP network Proxy ARP is not supported if the ARP requested IP address is different from the received interface IP subnet For example if you configure VLAN 100 and 200 on the VLT peers and if you configured the VLAN 100 IP address as 10 1 1 0 24 and ...

Page 935: ...the device For the S G routes that are synchronized from the VLT peer after the RP starts receiving multicast traffic via these routes these S G routes are considered valid and are downloaded to the device Only S G routes are used to forward the multicast traffic from the source to the receiver You can configure VLT nodes which function as RP as Multicast source discovery protocol MSDP peers in di...

Page 936: ...1 11 Dell conf vlt domain unit id 0 Dell conf vlt domain Dell show running config vlt vlt domain 1 peer link port channel 1 back up destination 10 16 151 116 primary priority 100 system mac mac address 00 00 00 11 11 11 unit id 0 Dell Configure the VLT LAG as VLAN Stack Access or Trunk Port Dell conf interface port channel 10 Dell conf if po 10 switchport Dell conf if po 10 vlt peer lag port chann...

Page 937: ...agged x Dot1x untagged X Dot1x tagged o OpenFlow untagged O OpenFlow tagged G GVRP tagged M Vlan stack i Internal untagged I Internal tagged v VLT untagged V VLT tagged NUM Status Description Q Ports 50 Active M Po10 Gi 1 8 M Po20 Gi 1 12 V Po1 Gi 1 30 32 Dell Sample Configuration of VLAN Stack Over VLT Peer 2 Configure the VLT domain Dell conf vlt domain 1 Dell conf vlt domain peer link port chan...

Page 938: ... conf interface vlan 50 Dell conf if vl 50 vlan stack compatible Dell conf if vl 50 stack member port channel 10 Dell conf if vl 50 stack member port channel 20 Dell conf if vl 50 stack Dell show running config interface vlan 50 interface Vlan 50 vlan stack compatible member Port channel 10 20 shutdown Dell Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN Stack VLAN De...

Page 939: ...ation NS and ND messages These NS or neighbor advertisement NA messages can be either destined to the VLT node or to any nodes on the same network as the VLT interface These learned neighbor entries are propagated to another VLT node so that the peer does not need to relearn the entries IPv6 Peer Routing When you enable peer routing on VLT nodes the MAC address of the peer VLT node is stored in th...

Page 940: ...ll tunneling process involves the VLT nodes that are connected from the ToR through a LAG The following illustration is a basic VLT setup which describes the communication between VLT nodes to tunnel the NA from one VLT node to its peer NA messages can be sent in two scenarios NA messages are almost always sent in response to an NS message from a node In this case the solicited NA has the destinat...

Page 941: ...T domain using an ICL or VLTi link To the south of the VLT domain Unit1 and Unit2 are connected to a ToR switch named Node B Also Unit1 is connected to another node Node A and Unit2 is linked to a node Node C The network between the ToR and the VLT nodes is Layer 2 Servers or hosts that are connected to the ToR Node B generate Layer 3 control data traffic from the South or lower end of the vertica...

Page 942: ...T interface which is destined to VLT node1 node 2 lifts the NA packet to CPU using an ACL entry then it adds a tunnel header to the received NA and forwards the packet to VLT node1 over ICL When VLT node1 receives NA over ICL with tunnel header it learns the Host MAC address on VLT port channel interface This learned neighbor entry is synchronized to VLT node2 as it is learned on VLT interface of ...

Page 943: ...ect for peers LLA VLT host to North Bound traffic flow One of the VLT peer is configured as the default gateway router on VLT hosts If the VLT node receives Layer 3 traffic intended for the other VLT peer it routes the traffic to next hop instead of forwarding the traffic to the VLT peer If the neighbor entry is not present the VLT node resolves the next hop There may be traffic loss during the ne...

Page 944: ...router advertisement on VLT interface non VLT interface it consumes the packets VLT node will drop the RA message if it is received over ICL interface Upgrading from Releases That Do Not Support IPv6 Peer Routing During an upgrade to Release 9 4 0 0 from earlier releases VLT peers might contain different versions of FTOS You must upgrade both the VLT peers to Release 9 4 0 0 to leverage the benefi...

Page 945: ...ive migration of running virtual machines VMs from one host to another without downtime For example consider a square VLT connecting two data centers If a VM VM1 on Server Rack 1 has C as its default gateway and VM1 performs a virtual movement to Server Rack 2 with no change in default gateway In this case L3 packets destined for C can be routed either by C1 or D1 locally To do this install the lo...

Page 946: ...ou must maintain VLAN symmetry within a VLT domain The connection between DCs must be a L3 VLT in eVLT format For more information refer to the eVLT Configuration Example The trace route across the DCs can show extra hops To ensure no traffic drops you must maintain route symmetry across the VLT domains When the routing table across DCs is not symmetrical there is a possibility of a routing miss b...

Page 947: ...oxy gateway Configuration mode Specify the port channel interface of the square VLT link on which LLDP packets are sent using thepeer domain link port channel command Configuring the proxy gateway lldp and the peer domain link port channel LLDP sets TLV flags on the interfaces for receiving and transmitting private TLV packets After defining these organizational TLV settings LLDP encodes the local...

Page 948: ...proxy gateway and you must enable both transmission and reception You must connect both units of the remote VLT domain by the port channel member If you connect more than one port to a unit of the remote VLT domain the connection must be completed by the time you enable the proxy gateway LLDP You cannot have other conflicting configurations for example you cannot have a static proxy gateway config...

Page 949: ...y Gateway LLDP mode in both C and D VLT domain 1 and C1 and D1 VLT domain 2 This behavior is applicable only in the LLDP configuration and not required in the static configuration Sample Configuration Dell conf vlt domain proxy gateway lldp Dell conf vlt domain pxy gw lldp vlt peer mac transmit Assume the inter chassis link ICL between C1 and D1 is shutdown and if D1 is the secondary VLT one half ...

Page 950: ... following configurations in the Core L3 Routers C and D in local VLT domain and C1 and D1 in the remote VLT domain 1 Configure proxy gateway static in VLT Domain Configuration mode 2 Configure remote mac address mac address in VLT Domain Proxy Gateway LLDP mode Configure the system mac addresses of both C and D in C1 and also in D1 in the remote VLT domain and vice versa Sample Static Configurati...

Page 951: ... 1 3 primary priority 4096 system mac mac address 02 01 e8 d8 93 e3 unit id 0 peer routing proxy gateway static remote mac address 00 01 e8 8b ff 4f remote mac address 00 01 e8 d8 93 04 The MAC addresses configured using the remote mac address command belong to Dell 3 and Dell 4 interface TenGigabitEthernet 0 8 description To DELL 3 10Gb no ip address interface TenGigabitEthernet 0 9 description T...

Page 952: ...etwork 10 10 100 0 30 area 0 network 10 10 101 0 30 area 0 The following output shows that Dell 2 and VLT domain 110 form OSPF neighborship with Dell 1 Dell 1 show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface Area 2 2 2 2 1 FULL 00 00 39 10 10 100 2 Vl 100 0 3 3 3 3 1 FULL 00 00 32 10 10 101 2 Vl 101 0 Dell 2 VLT Configuration vlt domain 120 peer link port channel 120 back up...

Page 953: ...0 8 description To Dell 1 10Gb no ip address interface TenGigabitEthernet 0 9 description To Dell 1 10Gb no ip address port channel protocol LACP port channel 50 mode active no shutdown interface Port channel 50 description mVLT port channel to Dell 1 no ip address switchport no spanning tree STP is disabled between sites vlt peer lag port channel 50 no shutdown interface Vlan 101 description ospf...

Page 954: ...s 00 01 e8 d8 93 e5 These MAC addresses are the system L2 interface addresses for each switch at the remote site Dell 1 and Dell 2 interface Vlan 102 description ospf peering vlan to DELL 3 ip address 10 10 102 2 30 ip ospf network point to point no shutdown The following is the OSPF configuration on Dell 4 router ospf 1 router id 1 1 1 1 network 10 10 102 0 30 area 0 The following output shows th...

Page 955: ...VPNs for customers VRF is also referred to as VPN routing and forwarding VRF acts like a logical router while a physical router may include many routing tables a VRF instance uses only a single routing table VRF uses a forwarding table that designates the next hop for each data packet a list of devices that may be called upon to forward the packet and a set of rules and routing protocols that gove...

Page 956: ... on following types of interface Physical Ethernet interfaces Port channel interfaces static dynamic using LACP VLAN interfaces Loopback interfaces VRF supports route redistribution between routing protocols including static routes only when the routes are within the same VRF Dell Networking OS uses both the VRF name and VRF ID to manage VRF instances The VRF name and VRF ID number are assigned us...

Page 957: ...n physical and logical interfaces Yes Yes NOTE RIP is not supported on non default VRF Dynamic Port channel LACP on VLAN port or a Layer 3 port Yes Yes Static Port channel as VLAN port or a Layer 3 port Yes Yes Encapsulated Remote Port Monitoring Yes No BFD on physical and logical interfaces Yes No Multicast protocols PIM SM MSDP Yes Yes NOTE MSDP is not supported in non default VRF PIM DM No No L...

Page 958: ...F Instance Information Connect an OSPF Process to a VRF Instance Configure VRRP on a VRF Loading VRF CAM Load CAM memory for the VRF feature CONFIGURATION feature vrf After you load VRF CAM CLI parameters that allow you to configure non default VRFs are made available on the system Creating a Non Default VRF Instance VRF is enabled by default on the switch and supports up to 64 VRF instances 1 to ...

Page 959: ...agement VRF perform the following steps 1 Enter the front end interface that you want to assign to a management interface CONFIGURATION interface gigabitethernet 1 1 2 Assign the interface to management VRF INTERFACE CONFIGURATION ip vrf forwarding management Before assigning a front end port to a management VRF ensure that no IP address is configured on the interface 3 Assign an IPv4 address to t...

Page 960: ...at belong to a VRF instance In a virtualized network that consists of multiple VRFs various overlay networks can exist on a shared physical infrastructure Nodes hosts and servers that are part of the VRFs can be configured with IP static routes for reaching specific destinations through a given gateway in a VRF VRRP provides high availability and protection for next hop static routes by eliminatin...

Page 961: ...s originated by the router ipv6 nd managed config flag Hosts should use DHCP for address config ipv6 nd max ra interval Set IPv6 Max Router Advertisement Interval ipv6 nd mtu Configure MTU advertisements in RA packets ipv6 nd other config flag Hosts should use DHCP for non address config ipv6 nd prefix Configure IPv6 Routing Prefix Advertisement ipv6 nd ra guard Configure IPv6 ra guard ipv6 nd ra ...

Page 962: ... the management route to point to a front end port in case of the management VRF For example management route 2 64 gigabitethernet 1 1 Configure a static entry in the IPv6 neighbor discovery CONFIGURATION ipv6 neighbor vrf management 1 1 gigabitethernet 1 1 xx xx xx xx xx xx Sample VRF Configuration The following configuration illustrates a typical VRF set up Figure 139 Setup OSPF and Static Route...

Page 963: ... vrf orange 2 ip vrf green 3 interface GigabitEthernet 3 1 no ip address switchport no shutdown interface GigabitEthernet 1 1 ip vrf forwarding blue ip address 10 0 0 1 24 no shutdown interface GigabitEthernet 1 2 ip vrf forwarding orange ip address 20 0 0 1 24 no shutdown interface GigabitEthernet 1 3 Virtual Routing and Forwarding VRF 963 ...

Page 964: ...nge router id 2 0 0 1 network 2 0 0 0 24 area 0 network 20 0 0 0 24 area 0 ip route vrf green 31 0 0 0 24 3 0 0 2 Router 2 ip vrf blue 1 ip vrf orange 2 ip vrf green 3 interface GigabitEthernet 3 1 no ip address switchport no shutdown interface GigabitEthernet 2 1 ip vrf forwarding blue ip address 11 0 0 1 24 no shutdown interface GigabitEthernet 2 2 ip vrf forwarding orange ip address 21 0 0 1 24...

Page 965: ... 2 Vl 192 green 3 Gi 1 3 Vl 256 Dell show ip ospf 1 neighbor Neighbor ID Pri State Dead Time Address Interface Area 1 0 0 2 1 FULL DR 00 00 32 1 0 0 2 Vl 128 0 Dell sh ip ospf 2 neighbor Neighbor ID Pri State Dead Time Address Interface Area 2 0 0 2 1 FULL DR 00 00 37 2 0 0 2 Vl 192 0 Dell show ip route vrf blue Codes C connected S static R RIP B BGP IN internal BGP EX external BGP LO Locally Orig...

Page 966: ...1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 IA IS IS inter area candidate default non active route summary route Gateway of last resort is not set Destination Gateway Dist Metric Last Change C 3 0 0 0 24 Direct Vl 256 0 0 00 20 52 C 30 0 0 0 24 Direct Gi 1 3 0 0 00 09 45 S 31 0 0 0 24 via 3 0 0 2 Vl 256 1 0 00 09 06 The following shows the output of the show commands on Rou...

Page 967: ...s C connected S static R RIP B BGP IN internal BGP EX external BGP LO Locally Originated O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 IA IS IS inter area candidate default non active route summary route Gateway of last resort is not set Destination Gateway Dist Metric La...

Page 968: ...ultiple route import targets because a VRF can accept routes from multiple VRFs After the target VRF learns routes that are leaked by the source VRF the source VRF in turn can leak the export target corresponding to the destination VRFs that have imported its routes The source VRF learns the export target corresponding to the destinations VRF using the ip route import tag or ipv6 route import tag ...

Page 969: ...rwarding VRF blue ip address ip address mask A non default VRF named VRF blue is created and the interface 1 12 is assigned to it 7 Configure the import target in VRF blue ip route import 1 1 8 Configure the export target in VRF blue ip route import 3 3 9 Configure VRF green ip vrf vrf green interface type slot port ip vrf forwarding VRF green ip address ip address mask A non default VRF named VRF...

Page 970: ...irect Gi 1 4 0 0 00 32 36 Show routing tables of VRFs after route export and route import tags are configured Dell show ip route vrf VRF Red O 11 1 1 1 32 via 111 1 1 1 110 0 00 00 10 C 111 1 1 0 24 Direct Gi 1 11 0 0 22 39 59 O 44 4 4 4 32 via VRF shared 144 4 4 4 0 0 00 32 36 C 144 4 4 0 24 Direct VRF shared Gi 1 4 0 0 00 32 36 Dell show ip route vrf VRF Blue O 22 2 2 2 32 via 122 2 2 2 110 0 00...

Page 971: ...tocol matches You can use the match source protocol or match ip address commands to specify matching criteria for importing or exporting routes between VRFs NOTE You must use the match source protocol or match ip address commands in conjunction with the route map command to be able to define the match criteria for route leaking Consider a scenario where you have created two VRF tables VRF red and ...

Page 972: ...col ospf This action specifies that the route map contains OSPF as the matching criteria for importing routes into vrf blue 8 Configure the import target in VRF blue with route map import_ospf_protociol ip route import 1 1 import_ospf_protocol When you import routes into VRF blue using the route map import_ospf_protocol only OSPF routes are imported into VRF blue Even though VRF red has leaked bot...

Page 973: ...ort target and import target support only the match protocol and match prefix list options Other options that are configured in the route maps are ignored You can expose a unique set of routes from the Source VRF for Leaking to other VRFs For example in VRF red there is no option for exporting one set of routes for example OSPF to VRF blue and another set of routes for example BGP routes to some o...

Page 974: ...nd allows for up to 255 VRRP routers on a network The following example shows a typical network configuration using VRRP Instead of configuring the hosts on the network 10 10 10 0 with the IP address of either Router A or Router B as their default router their default router is the IP address configured on the virtual router When any host on the LAN segment wants to access the Internet it sends pa...

Page 975: ...RRP group up to 12 virtual IP addresses are supported Virtual IP addresses can belong to the primary or secondary IP address subnet configured on the interface You can ping all the virtual IP addresses configured on the Master VRRP router from anywhere in the local subnet The S Series supports varying number of maximum VRRP groups per interface The supports a total of 2000 VRRP groups on a switch ...

Page 976: ...een 1200 and 1500 8 seconds 120 VRRP Configuration By default VRRP is not configured Configuration Task List The following list specifies the configuration tasks for VRRP Creating a Virtual Router mandatory Configuring the VRRP Version for an IPv4 Group optional Assign Virtual IP Addresses mandatory Setting VRRP Group Virtual Router Priority optional Configuring VRRP Authentication optional Disabl...

Page 977: ...RRP Version 3 for IPv4 and IPv6 You can also migrate a IPv4 group from VRRPv2 to VRRP3 To configure the VRRP version for IPv4 use the version command in INTERFACE mode Example Configuring VRRP to Use Version 3 The following example configures the IPv4 VRRP 100 group to use VRRP protocol version 3 Dell conf if gi 1 1 vrrp group 100 Dell conf if gi 1 1 vrid 100 version 2 VRRPv2 3 VRRPv3 both Interop...

Page 978: ...ses on a single VRRP group VRID The following rules apply to virtual IP addresses The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface Dell Networking recommends configuring virtual IP addresses belonging to the...

Page 979: ... address 10 10 10 2 virtual address 10 10 10 3 vrrp group 222 no shutdown The following example shows the same VRRP group VRID 111 configured on multiple interfaces on different subnets Dell show vrrp GigabitEthernet 1 1 VRID 111 Version 2 Net 10 10 10 1 VRF 0 default State Master Priority 255 Master 10 10 10 1 local Hold Down 0 sec Preempt TRUE AdvInt 1 sec Adv rcvd 0 Bad pkts rcvd 0 Adv sent 176...

Page 980: ...the show vrrp command Dellshow vrrp GigabitEthernet 1 1 VRID 111 Net 10 10 10 1 VRF 0 default State Master Priority 255 Master 10 10 10 1 local Hold Down 0 sec Preempt TRUE AdvInt 1 sec Adv rcvd 0 Bad pkts rcvd 0 Adv sent 2343 Gratuitous ARP sent 5 Virtual MAC address 00 00 5e 00 01 6f Virtual IP address 10 10 10 1 10 10 10 2 10 10 10 3 10 10 10 10 Authentication none GigabitEthernet 1 2 VRID 111 ...

Page 981: ...ystem to change the MASTER router if another router with a higher priority comes online Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt NOTE You must configure all virtual routers in the VRRP group the same you must configure all with preempt enabled or configure all with preempt disabled Because preempt is enabled by default disable the pree...

Page 982: ...figured for VRRP version 2 the timer values must be in multiples of whole seconds For example timer value of 3 seconds or 300 centisecs are valid and equivalent However a timer value of 50 centisecs is invalid because it not is not multiple of 1 second If are using VRRP version 3 you must configure the timer values in multiples of 25 centisecs To change the advertisement interval in seconds or cen...

Page 983: ...mation For a 10 Gigabit Ethernet interface enter the keyword TenGigabitEthernet then the slot port information For a port channel interface enter the keywords port channel then a number For a VLAN interface enter the keyword vlan then a number from 1 to 4094 For a virtual group you can also track the status of a configured object the track object id command by entering its object number NOTE You c...

Page 984: ...address 10 10 10 1 virtual address 10 10 10 2 virtual address 10 10 10 3 virtual address 10 10 10 10 The following example shows verifying the tracking status Dell show track Track 2 IPv6 route 2040 64 metric threshold Metric threshold is Up STATIC 0 0 5 changes last change 00 02 16 Metric threshold down 255 up 254 First hop interface is GigabitEthernet 1 3 Tracked by VRRP GigabitEthernet 1 8 IPv6...

Page 985: ...ad a VLT node configured for VRRP the local destination address is not seen on the reloaded node causing suboptimal routing Set the delay timer on individual interfaces The delay timer is supported on all physical interfaces VLANs and LAGs When you configure both CLIs the later timer rules VRRP enabling For example if you set vrrp delay reload 600 and vrrp delay minimum 300 the following behavior ...

Page 986: ...n comprehensive directions and is intended to provide guidance for only a typical VRRP configuration You can copy and paste from the example to your CLI To support your own IP addresses interfaces names and so on be sure that you make the necessary changes The VRRP topology was created using the CLI configuration shown in the following example Figure 142 VRRP for IPv4 Topology 986 Virtual Router R...

Page 987: ...t 1 sec Adv rcvd 0 Bad pkts rcvd 0 Adv sent 817 Gratuitous ARP sent 1 Virtual MAC address 00 00 5e 00 01 63 Virtual IP address 10 1 1 3 Authentication none R2 Router 3 R3 conf interface tengigabitethernet 3 21 R3 conf if gi 3 21 ip address 10 1 1 2 24 R3 conf if gi 3 21 vrrp group 99 R3 conf if gi 3 21 vrid 99 virtual 10 1 1 3 R3 conf if gi 3 21 vrid 99 no shut R3 conf if gi 3 21 show conf interfa...

Page 988: ...he VRRPv3 group becomes active as soon as you configure the link local address Afterward you can configure the group s virtual IPv6 address The virtual IPv6 address you configure must be the same as the IPv6 subnet to which the interface belongs Although R2 and R3 have the same default priority 100 R2 is elected master in the VRRPv3 group because the Gigabitethernet 1 1 interface has a higher IPv6...

Page 989: ...2 vrrp group 10 R2 conf if gi 1 2 vrid 10 virtual address fe80 10 R2 conf if gi 1 2 vrid 10 virtual address 1 10 R3 conf if gi 1 2 vrid 10 no shutdown R3 conf if gi 1 2 show config interface GigabitEthernet 1 2 ipv6 address 1 2 64 vrrp group 10 priority 100 virtual address fe80 10 virtual address 1 10 no shutdown R3 conf if gi 1 2 end R3 show vrrp GigabitEthernet 1 2 IPv6 VRID 10 Version 3 Net VRF...

Page 990: ...here is one MASTER and one backup router for each VRF In VRF 1 and VRF 2 Switch 2 serves as owner master of the VRRP group and Switch 1 serves as the backup On VRF 3 Switch 1 is the owner master and Switch 2 is the backup In VRF 1 and VRF 2 on Switch 2 the virtual IP and node IP address subnet and VRRP group are the same On Switch 1 the virtual IP address subnet and VRRP group are the same in VRF ...

Page 991: ...l show vrrp gigabitethernet 2 8 GigabitEthernet 2 8 IPv4 VRID 1 Version 2 Net 10 1 1 1 VRF 0 default State Master Priority 100 Master 10 1 1 1 local Hold Down 0 sec Preempt TRUE AdvInt 1 sec Adv rcvd 0 Bad pkts rcvd 0 Adv sent 119 Gratuitous ARP sent 1 Virtual MAC address 00 00 5e 00 01 01 Virtual IP address 10 1 1 100 Authentication none Example of Configuring VRRP in a VRF on Switch 2 Non VLAN C...

Page 992: ...1 conf ip vrf VRF 2 2 S1 conf ip vrf VRF 3 3 S1 conf interface GigabitEthernet 1 1 S1 conf if gi 1 1 no ip address S1 conf if gi 1 1 switchport S1 conf if gi 1 1 no shutdown S1 conf if gi 1 1 interface vlan 100 S1 conf if vl 100 ip vrf forwarding VRF 1 S1 conf if vl 100 ip address 10 10 1 5 24 S1 conf if vl 100 tagged Gigabitethernet 1 1 S1 conf if vl 100 vrrp group 11 Info The VRID used by the VR...

Page 993: ...terface vlan 100 S2 conf if vl 100 ip vrf forwarding VRF 1 S2 conf if vl 100 ip address 10 10 1 2 24 S2 conf if vl 100 tagged Gigabitethernet 1 1 S2 conf if vl 100 vrrp group 11 Info The VRID used by the VRRP group 11 in VRF 1 will be 177 S2 conf if vl 100 vrid 101 priority 255 S2 conf if vl 100 vrid 101 virtual address 10 10 1 2 S2 conf if vl 100 no shutdown S2 conf if gi 1 1 interface vlan 200 S...

Page 994: ...Bad pkts rcvd 0 Adv sent 0 Gratuitous ARP sent 0 Virtual MAC address 00 00 5e 00 01 0a Virtual IP address 20 1 1 100 Authentication none Dell show vrrp vrf vrf2 port channel 1 Port channel 1 IPv4 VRID 1 Version 2 Net 10 1 1 1 VRF 2 vrf2 State Master Priority 100 Master 10 1 1 1 local Hold Down 0 sec Preempt TRUE AdvInt 1 sec Adv rcvd 0 Bad pkts rcvd 0 Adv sent 419 Gratuitous ARP sent 1 Virtual MAC...

Page 995: ...dy has MASTER status the router with master status continues to be master even if one of two routers has a higher IP or IPv6 address Router 2 R2 conf interface gigabitethernet 1 1 R2 conf if gi 1 1 no ip address R2 conf if gi 1 1 ipv6 address 1 1 64 R2 conf if gi 1 1 vrrp group 10 NOTE You must configure a virtual link local fe80 address for each VRRPv3 group created for an interface The VRRPv3 gr...

Page 996: ...onf interface gigabitethernet 1 2 R3 conf if gi 1 2 no ipv6 address R3 conf if gi 1 2 ipv6 address 1 2 64 R3 conf if gi 1 2 vrrp group 10 R2 conf if gi 1 2 vrid 10 virtual address fe80 10 R2 conf if gi 1 2 vrid 10 virtual address 1 10 R3 conf if gi 1 2 vrid 10 no shutdown R3 conf if gi 1 2 show config interface GigabitEthernet 1 2 ipv6 address 1 2 64 vrrp group 10 priority 100 virtual address fe80...

Page 997: ...e8a fd76 VRF 1 vrf1 State Backup Priority 90 Master fe80 201 e8ff fe8a e9ed Hold Down 0 centisec Preempt TRUE AdvInt 100 centisec Accept Mode FALSE Master AdvInt 100 centisec Adv rcvd 399 Bad pkts rcvd 0 Adv sent 0 Virtual MAC address 00 00 5e 00 02 ff Virtual IP address 10 1 1 255 fe80 255 Dell show vrrp vrf vrf2 port channel 1 Port channel 1 IPv6 VRID 255 Version 3 Net fe80 201 e8ff fe8a e9ed VR...

Page 998: ... can only perform offline diagnostics on an offline standalone unit or offline member unit of a stack of three or more You cannot perform diagnostics on the management or standby unit in a stack of two or more if you do a message similar to this displays Running Diagnostics on master standby unit is not allowed on stack Diagnostics only test connectivity not the entire data path Diagnostic results...

Page 999: ...message provides the date time and name of the Dell Networking OS process All messages are stored in a ring buffer You can save the messages to a file either manually or automatically after failover Auto Save on Crash or Rollover Exception information for MASTER or standby units is stored in the flash TRACE_LOG_DIR directory This directory contains files that save trace information when there has ...

Page 1000: ...rol traffic which the CPU must process View the modular packet buffers details per stack unit and the mode of allocation EXEC Privilege mode show hardware stack unit 1 6 buffer total buffer View the modular packet buffers details per unit and the mode of allocation EXEC Privilege mode show hardware stack unit 1 6 buffer unit 0 1 total buffer View the forwarding plane statistics containing the pack...

Page 1001: ...egister View the tables from the bShell through the CLI without going into the bShell EXEC Privilege mode show hardware stack unit 1 6 unit 0 1 table dump table name Enabling Environmental Monitoring The device components use environmental monitoring hardware to detect transmit power readings receive power readings and temperature updates To receive periodic power updates you must enable the follo...

Page 1002: ...QSFP 52 TX4 Bias Current 0 000mA QSFP 52 RX1 Power 0 000mW QSFP 52 RX2 Power 0 000mW QSFP 52 RX3 Power 0 000mW QSFP 52 RX4 Power 0 000mW Recognize an Overtemperature Condition An overtemperature condition occurs for one of two reasons the card genuinely is too hot or a sensor has malfunctioned Inspect cards adjacent to the one reporting the condition to discover the cause If directly adjacent card...

Page 1003: ...HMGR 1 CARD_SHUTDOWN Major alarm stack unit 2 down auto shutdown due to under voltage This message indicates that the specified card is not receiving enough power In response the system first shuts down Power over Ethernet PoE If the under voltage condition persists line cards are shut down then the RPMs Troubleshoot an Under Voltage Condition To troubleshoot an under voltage condition check that ...

Page 1004: ...pipeline 0 3 show hardware ip qos stack unit stack unit number port set 0 show hardware system flow layer2 stack unit stack unit number port set 0 counters pipeline 0 3 show hardware drops interface interface show hardware buffer inteface interface priority group id all queue id all buffer info show hardware buffer stats snapshot resource interface interface priority group id all queue ucast id al...

Page 1005: ...14 0 HOL DROPS on COS15 0 HOL DROPS on COS16 0 HOL DROPS on COS17 0 TxPurge CellErr 0 Aged Drops 0 Egress MAC counters Egress FCS Drops 0 Egress FORWARD PROCESSOR Drops IPv4 L3UC Aged Drops 0 TTL Threshold Drops 0 INVALID VLAN CNTR Drops 0 L2MC Drops 0 PKT Drops of ANY Conditions 0 Hg MacUnderflow 0 TX Err PKT Counter 0 Error counters Internal Mac Transmit Errors 0 Unknown Opcodes 0 Internal Mac R...

Page 1006: ... 0 17 17 2144854 0 124904297 0 0 18 18 0 0 0 0 0 19 19 0 0 0 0 0 20 20 0 0 0 0 0 21 21 0 0 0 0 0 22 22 0 0 0 0 0 23 23 0 0 0 0 0 24 24 0 0 0 0 0 25 25 0 0 0 0 0 26 26 0 0 0 0 0 27 27 0 0 0 0 0 28 28 0 0 0 0 0 29 29 0 0 0 0 0 30 30 0 0 0 0 0 31 31 0 0 0 0 0 32 32 0 0 0 0 0 33 33 0 0 0 0 0 34 34 0 0 0 0 0 35 35 0 0 0 0 0 36 36 0 0 0 0 0 37 37 0 0 0 0 0 38 38 0 0 0 1006 Debugging and Diagnostics ...

Page 1007: ... 0 0 0 0 0 49 49 0 0 0 0 0 49 50 0 0 0 0 0 49 51 0 0 0 0 0 49 52 0 0 0 0 0 52 61 0 0 0 0 0 52 62 0 0 0 0 0 52 63 0 0 0 0 0 52 64 0 0 0 0 0 53 65 0 0 0 0 0 53 66 0 0 0 0 0 53 67 0 0 0 0 0 53 68 0 0 0 0 0 54 1 69 0 0 0 0 0 54 2 70 0 0 0 0 0 54 3 71 0 0 0 0 0 54 4 72 0 0 0 0 0 Internal 53 0 0 0 0 0 Internal 57 4659499 0 0 0 0 Debugging and Diagnostics 1007 ...

Page 1008: ...are stack unit 1 cpu data plane statistics bc pci driver statistics for device rxHandle 773 noMhdr 0 noMbuf 0 noClus 0 recvd 773 dropped 0 recvToNet 773 rxError 0 rxFwdError 0 rxDatapathErr 0 rxPkt COS0 0 rxPkt COS1 0 rxPkt COS2 0 rxPkt COS3 0 rxPkt COS4 0 rxPkt COS5 0 rxPkt COS6 0 rxPkt COS7 0 rxPkt COS8 773 rxPkt COS9 0 rxPkt COS10 0 rxPkt COS11 0 rxPkt UNIT0 773 transmitted 12698 txRequested 12...

Page 1009: ...isplay internal receive and transmit statistics based on the selected command option The following example is a sample of the output for the counters option Example of Displaying Counter Values for all Interface in the Selected Stack Member and Port Pipe Dell show hardware stack unit 1 unit 0 counters Interface Gi 1 1 Description Value RX IPV4 L3 Unicast Frame Counter 0 RX IPV4 L3 routed multicast...

Page 1010: ... 0 RX IPV4 L3 routed multicast Packets 0 RX IPV6 L3 Unicast Frame Counter 0 Example of Displaying Counter Information for a Specific Interface Dell show hardware counters interfac gigabitethernet 5 1 unit 0 port 2 interface Gi 5 1 Description Value RX IPV4 L3 Unicast Frame Counter 0 RX IPV4 L3 Routed Multicast Packets 0 RX IPV6 L3 Unicast Frame Counter 0 RX IPV6 L3 Routed Multicast Packets 0 RX Un...

Page 1011: ... always enabled The mini core dumps contain the stack space and some other minimal information that you can use to debug a crash These files are small files and are written into flash until space is exhausted When the flash is full the write process is stopped A mini core dump contains critical information in the event of a crash Mini core dump files are located in flash root dir The application m...

Page 1012: ...ze for a TCP dump capture is 1MB When a file reaches 1MB a new file is created up to the specified total number of files Maximize the number of packets recorded in a file by specifying the snap length to capture the file headers only The tcpdump command has a finite run process When you enable the tcpdump command it runs until the capture duration timer and or the packet count counter threshold is...

Page 1013: ...ce MIB Location IEEE Compliance The following is a list of IEEE compliance 802 1AB LLDP 802 1D Bridging STP 802 1p L2 Prioritization 802 1Q VLAN Tagging Double VLAN Tagging GVRP 802 1s MSTP 802 1w RSTP 802 1X Network Access Control Port Authentication 802 3ab Gigabit Ethernet 1000BASE T 802 3ac Frame Extensions for VLAN Tagging 802 3ad Link Aggregation with LACP 802 3ae 10 Gigabit Ethernet 10GBASE...

Page 1014: ... 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 79 3 Transmission Control Protocol 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 8 5 4 Telnet Protocol Specification 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 9 5 9 File Transfer Protocol FTP 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 13 21 The MD5 Message Digest Algorithm 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 ...

Page 1015: ...ition of the Differentiated Services Field DS Field in the IPv4 and IPv6 Headers 7 7 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 26 15 PPP over SONET SDH 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 26 9 8 A Two Rate Three Color Marker 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 31 6 4 The BSD syslog Protocol 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 dr af t iet f bf d ba se 0 3 B...

Page 1016: ...etwork Time Protocol Version 3 Specification Implementation and Analysis 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 1519 Classless Inter Domain Routing CIDR an Address Assignment and Aggregation Strategy 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 154 2 Clarifications and Extensions for the Bootstrap Protocol 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 1812 Requirements fo...

Page 1017: ... 8 1 0 9 10 0 1 9 10 0 1 2675 IPv6 Jumbograms 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 2711 IPv6 Router Alert Option 8 3 12 0 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 3587 IPv6 Global Unicast Address Format 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 4007 IPv6 Scoped Address Architecture 8 3 12 0 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 4291 Internet Protocol Version 6...

Page 1018: ... 10 0 1 9 10 0 1 2842 Capabilities Advertisement with BGP 4 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 2858 Multiprotocol Extensions for BGP 4 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 2918 Route Refresh Capability for BGP 4 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 3065 Autonomous System Confederations for BGP 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 4360 B...

Page 1019: ...ion Avoidance 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 Intermediate System to Intermediate System IS IS The following table lists the Dell EMC Networking OS support per platform for IS IS protocol Table 104 Intermediate System to Intermediate System IS IS RFC Full Name S3048 ON S4048 ON Z9100 ON S4048T ON S6010 ON 1142 OSI IS IS Intra Domain Routing Protocol ISO DP 10589 9 8 0 0P2 9 8 0...

Page 1020: ... 06 Point to point operation over LAN in link state routing protocols 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 draft kaplan isis e xt eth 02 Extended Ethernet Frame Size Support 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 Routing Information Protocol RIP The following table lists the Dell EMC Networking OS support per platform for RIP protocol Table 105 Routing Information Protocol RIP RFC ...

Page 1021: ...ation Revised 7 8 1 PIM SM for IPv4 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 10 0 1 9 10 0 1 Network Management The following table lists the Dell EMC Networking OS support per platform for network management protocol Table 107 Network Management RFC Full Name S4810 S3048 ON S4048 ON Z9100 ON S4048T ON S6010 ON 1155 Structure and Identification of Management Information for TCP IP based Internets 7 6 1 9 8 0...

Page 1022: ...IP Forwarding Table MIB 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 2558 Definitions of Managed Objects for the Synchronous Optical Network Synchronous Digital Hierarchy SONET SDH Interface Type 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 2570 Introduction and Applicability Statements for Internet Standard Management Framework 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 2571 An Archite...

Page 1023: ... 8 1 0 2674 Definitions of Managed Objects for Bridges with Traffic Classes Multicast Filtering and Virtual LAN Extensions 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 2819 Remote Network Monitoring Management Information Base Ethernet Statistics Table Ethernet Hist...

Page 1024: ... 9 5 0 0 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 4750 OSPF Version 2 Management Information Base 9 5 0 0 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 4502 RMON v2 MIB 9 5 0 0 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 5060 Protocol Independent Multicast MIB 7 8 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 ANSI TIA 105 7 The LLDP Management Information Base extension module for TIA TR41 4 Medi...

Page 1025: ...le for IEEE 802 3 organizationally defined discovery information LLDP DOT1 MIB and LLDP DOT3 MIB 7 7 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 ruzin mstp mib 0 2 Traps Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 sFlow o rg sFlow Version 5 7 7 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 sFlow o rg sFlow Vers...

Page 1026: ...HASS IS MIB Force10 E Series Enterprise Chassis MIB 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 FORCE 10 COPY CONFI G MIB Force10 File Copy MIB supporting SNMP SET operation 7 7 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 FORCE 10 MONM IB Force10 Monitoring MIB 7 6 1 9 8 0 0P2 9 8 0 0P5 9 8 1 0 9 8 1 0 9 8 1 0 FORCE 10 PRODU CTS MIB Force10 Product Object Identifier MIB 7 6 1 9 8 0 0P2 9 8 0 0P5...

Page 1027: ...IBs subhead on the Documentation page of iSupport https www force10networks com CSPortal20 KnowledgeBase Documentation aspx You also can obtain a list of selected MIBs and their OIDs at the following URL https www force10networks com CSPortal20 Main Login aspx Some pages of iSupport require a login To request an iSupport account go to https www force10networks com CSPortal20 AccountRequest Account...

Page 1028: ... TLS relies on public key certificates to work X 509v3 certificates A X 509v3 or digital certificate is an electronic document used to prove ownership of a public key It contains information about the key s identity information about the key s owner and the digital signature of an entity that has verified the certificate s content as correct Certificate authority CA The entity that verifies the co...

Page 1029: ...Dell Networking OS supports X 509v3 standards Many organizations or entities need to let their customers know that the connection to their devices and network is secure These organizations pay an internationally trusted Certificate Authorities CAs such as VeriSign DigiCert and so on to sign a certificate for their domain To implement a X 509v3 infrastructure Dell Networking OS recommends you to ac...

Page 1030: ...ust any certificates signed by these CAs NOTE You can download and install CA certificates in one step using the crypto ca cert install command The intermediate CA signs the CSRs and makes the resulting certificates available for download through FTP root or otherwise Alternatively the Intermediate CA can also generate private keys and certificates for the hosts The CA then makes the private key o...

Page 1031: ...er then the certificate is signed by another CA farther up the chain These certificates are also called intermediate certificates If a higher CA certificate is installed on the switch then the system verifies the downloaded certificate with the CA s public key The system repeats this process until the root certificate is reached The certificate is rejected if the signature verification fails If a ...

Page 1032: ...t 5 is NOT be set The ExtendedKeyUsage fields indicate serverAuth and clientAuth The attribute CA FALSE is set in the Extensions section of the certificate The certificate is NOT used to validate other certificates The CSR is then copied out to the CA server It can be copied from flash to a destination like usbflash TFTP FTP or SCP The CA server signs the CSR with its private key The CA server the...

Page 1033: ...ver implementations NOTE There are three modern versions of the TLS protocol 1 0 1 1 and 1 2 Older versions are called SSL v1 v2 and v3 and should not be supported The TLS protocol implementation in Dell Networking OS takes care of the following activities Session negotiation and shutdown Protocol Version Cryptographic algorithm selection Session resumption and renegotiation Certificate revocation...

Page 1034: ...rmation is specified in the authorityInfoAccess extension A CA can verify the revocation status of a certificate with multiple OCSP responders When multiple OCSP responders exist you can configure the order or preference the CA takes while contacting various OCSP responders for verification Upon receiving a presented certificate the system sends an OCSP request to an OCSP responder through HTTP Th...

Page 1035: ...P revocation settings In CONFIGURATION mode enter the following command crypto x509 revocation ocsp accept reject The default behavior is to accept certificates if either an OCSP responder is unavailable or if no responder is identified Configuring OSCP responder preference You can configure the preference or order that the CA or a device follows while contacting multiple OCSP responders Enter the...

Page 1036: ...ield in the server certificate Verifying Client Certificates Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria However TLS protected Syslog and RADIUS protocols mandate that certificate based mutual authentication be performed Event logging The system logs the following events A CA certificate is installed or deleted A self signed certi...

Reviews:

No comments

Related manuals for S3048-ON

Brand: Contemporary Controls Pages: 4

Signature ANTENNA GENIUS 8x2 v2 PLUS

Brand: 4O3A Pages: 57

Brand: Konig Pages: 40

Brand: J-Tech Digital Pages: 12

3 x 4 SWITCH PLUS

Brand: W2IIHY Pages: 28

Brand: JDS Uniphase Pages: 113

Brand: StarTech.com Pages: 2

Sun Network QDR InfiniBand Gateway Switch

Brand: Oracle Pages: 96

Brand: Encore Pages: 1

Brand: Raritan Pages: 2

Brand: HeroSpeed Pages: 2

Brand: H3C Pages: 8

Brand: StarTech.com Pages: 2

Brand: HP Pages: 100

Brand: HP Pages: 27

invent ProCurve J4908A

Brand: HP Pages: 38

FlexFabric 5700

Brand: HP Pages: 56

FlexFabric 7900 Series

Brand: HP Pages: 58

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands