
Dell Networking Configuration Guide for the
MXL 10/40GbE Switch I/O Module
9.5(0.1)
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you
how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc. in the United States and/or other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
2014 - 07
Rev. A00
Contents
1 About this Guide................................................................................................. 32
Audience..............................................................................................................................................32
Conventions........................................................................................................................................ 32
Information Symbols...........................................................................................................................32
Related Documents............................................................................................................................ 33
2 Configuration Fundamentals........................................................................... 34
Accessing the Command Line............................................................................................................34
CLI Modes............................................................................................................................................34
Navigating CLI Modes................................................................................................................... 36
The do Command...............................................................................................................................39
Undoing Commands...........................................................................................................................39
Obtaining Help....................................................................................................................................40
Entering and Editing Commands....................................................................................................... 40
Command History............................................................................................................................... 41
Filtering show Command Outputs.....................................................................................................42
Multiple Users in Configuration Mode............................................................................................... 43
3 Getting Started................................................................................................... 44
Console Access................................................................................................................................... 45
Serial Console................................................................................................................................45
External Serial Port with a USB Connector...................................................................................47
Accessing the CLI Interface and Running Scripts Using SSH............................................................ 47
Entering CLI commands Using an SSH Connection....................................................................47
Executing Local CLI Scripts Using an SSH Connection............................................................... 47
Boot Process....................................................................................................................................... 48
Default Configuration......................................................................................................................... 50
Configuring a Host Name...................................................................................................................50
Accessing the System Remotely......................................................................................................... 51
Accessing the MXL Switch Remotely............................................................................................ 51
Configure the Management Port IP Address................................................................................51
Configure a Management Route...................................................................................................51
Configuring a Username and Password.......................................................................................52
Configuring the Enable Password...................................................................................................... 52
Configuration File Management.........................................................................................................53
Copy Files to and from the System.............................................................................................. 53
Save the Running-Configuration..................................................................................................54
Viewing Files.................................................................................................................................. 55
Managing the File System................................................................................................................... 56
View the Command History................................................................................................................57
Using HTTP for File Transfers............................................................................................................. 58
Upgrading and Downgrading the Dell Networking OS.....................................................................58
Using Hashes to Validate Software Images........................................................................................58
4 Management....................................................................................................... 60
Configuring Privilege Levels............................................................................................................... 60
Creating a Custom Privilege Level............................................................................................... 60
Customizing a Privilege Level....................................................................................................... 61
Applying a Privilege Level to a Username.................................................................................... 62
Applying a Privilege Level to a Terminal Line...............................................................................63
Configuring Logging........................................................................................................................... 63
Audit and Security Logs.................................................................................................................63
Configuring Logging Format.......................................................................................................65
Setting Up a Secure Connection to a Syslog Server....................................................................66
Display the Logging Buffer and the Logging Configuration..............................................................67
Log Messages in the Internal Buffer...................................................................................................68
Configuration Task List for System Log Management................................................................ 68
Disabling System Logging.................................................................................................................. 68
Sending System Messages to a Syslog Server................................................................................... 68
Configuring a UNIX System as a Syslog Server............................................................................68
Changing System Logging Settings................................................................................................... 69
Display the Logging Buffer and the Logging Configuration............................................................. 70
Configuring a UNIX Logging Facility Level.........................................................................................70
Synchronizing Log Messages..............................................................................................................72
Enabling Timestamp on Syslog Messages..........................................................................................72
File Transfer Services...........................................................................................................................73
Configuration Task List for File Transfer Services........................................................................ 73
Enabling the FTP Server.................................................................................................................73
Configuring FTP Server Parameters..............................................................................................73
Configuring FTP Client Parameters.............................................................................................. 74
Terminal Lines..................................................................................................................................... 74
Denying and Permitting Access to a Terminal Line..................................................................... 74
Configuring Login Authentication for Terminal Lines..................................................................75
Setting Time Out of EXEC Privilege Mode......................................................................................... 76
Using Telnet to get to Another Network Device................................................................................77
Lock CONFIGURATION Mode............................................................................................................ 77
Viewing the Configuration Lock Status........................................................................................ 78
Recovering from a Forgotten Password............................................................................................ 78
Recovering from a Forgotten Enable Password................................................................................ 79
Recovering from a Failed Start........................................................................................................... 80
5 802.1X................................................................................................................... 81
The Port-Authentication Process.......................................................................................................83
EAP over RADIUS...........................................................................................................................85
Configuring 802.1X............................................................................................................................. 85
Related Configuration Tasks.........................................................................................................85
Important Points to Remember......................................................................................................... 86
Enabling 802.1X...................................................................................................................................86
Configuring Request Identity Re-Transmissions......................................................................... 88
Configuring a Quiet Period after a Failed Authentication........................................................... 88
Forcibly Authorizing or Unauthorizing a Port....................................................................................89
Re-Authenticating a Port....................................................................................................................90
Configuring Timeouts......................................................................................................................... 91
Configuring Dynamic VLAN Assignment with Port Authentication..................................................92
Guest and Authentication-Fail VLANs.......................................................................................... 93
Configuring a Guest VLAN............................................................................................................94
Configuring an Authentication-Fail VLAN....................................................................................94
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)......................96
Optimizing CAM Utilization During the Attachment of ACLs to VLANs........................................... 96
Guidelines for Configuring ACL VLAN groups................................................................................... 97
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters..........................98
Configuring ACL VLAN Groups.................................................................................................... 98
Configuring FP Blocks for VLAN Parameters............................................................................... 99
Viewing CAM Usage..........................................................................................................................100
Allocating FP Blocks for VLAN Processes.........................................................................................101
7 Access Control Lists (ACLs).............................................................................103
IP Access Control Lists (ACLs).......................................................................................................... 103
Implementing ACL on the Dell Networking OS.............................................................................. 104
ACLs and VLANs................................................................................................................................104
ACL Optimization..............................................................................................................................104
Determine the Order in which ACLs are Used to Classify Traffic................................................... 104
Example of the order Keyword to Determine ACL Sequence...................................................105
IP Fragment Handling....................................................................................................................... 105
IP Fragments ACL Examples............................................................................................................. 105
Layer 4 ACL Rules Examples.............................................................................................................106
Configure a Standard IP ACL............................................................................................................ 107
Configuring a Standard IP ACL Filter................................................................................................108
Configure an Extended IP ACL......................................................................................................... 109
Configuring Filters with a Sequence Number..................................................................................109
Configuring Filters Without a Sequence Number............................................................................ 110
Established Flag................................................................................................................................. 110
Configure Layer 2 and Layer 3 ACLs................................................................................................. 111
Assign an IP ACL to an Interface....................................................................................................... 111
Applying an IP ACL.............................................................................................................................112
Counting ACL Hits............................................................................................................................. 112
Configure Ingress ACLs..................................................................................................................... 113
Configure Egress ACLs...................................................................................................................... 113
Applying Egress Layer 3 ACLs (Control-Plane).................................................................................114
IP Prefix Lists...................................................................................................................................... 115
Implementation Information....................................................................................................... 115
Configuration Task List for Prefix Lists..............................................................................................115
Creating a Prefix List..........................................................................................................................116
Creating a Prefix List Without a Sequence Number......................................................................... 117
Viewing Prefix Lists............................................................................................................................ 117
Applying a Prefix List for Route Redistribution................................................................................. 118
Applying a Filter to a Prefix List (OSPF)............................................................................................. 119
ACL Resequencing............................................................................................................................ 119
Resequencing an ACL or Prefix List..................................................................................................120
Route Maps........................................................................................................................................ 121
Implementation Information.......................................................................................................122
Important Points to Remember........................................................................................................122
Configuration Task List for Route Maps........................................................................................... 122
Creating a Route Map....................................................................................................................... 122
Configure Route Map Filters............................................................................................................. 124
Configuring Match Routes................................................................................................................125
Configuring Set Conditions.............................................................................................................. 126
Configure a Route Map for Route Redistribution............................................................................ 126
Configure a Route Map for Route Tagging...................................................................................... 127
Continue Clause................................................................................................................................ 127
Logging of ACL Processes................................................................................................................ 128
Guidelines for Configuring ACL Logging......................................................................................... 129
Configuring ACL Logging................................................................................................................. 130
Flow-Based Monitoring Support for ACLs....................................................................................... 130
Behavior of Flow-Based Monitoring........................................................................................... 131
Enabling Flow-Based Monitoring..................................................................................................... 132
8 Bidirectional Forwarding Detection (BFD).................................................. 134
How BFD Works................................................................................................................................ 134
BFD Packet Format......................................................................................................................135
BFD Sessions................................................................................................................................ 137
BFD Three-Way Handshake........................................................................................................ 137
Session State Changes................................................................................................................ 138
Important Points to Remember........................................................................................................139
Configure BFD...................................................................................................................................139
Configure BFD for Physical Ports............................................................................................... 140
Enabling BFD Globally.................................................................................................................140
Establishing a Session on Physical Ports.....................................................................................141
Changing Physical Port Session Parameters..............................................................................142
Disabling and Re-Enabling BFD.................................................................................................. 143
Configure BFD for Static Routes.......................................................................................................143
Related Configuration Tasks.......................................................................................................144
Establishing Sessions for Static Routes...................................................................................... 144
Changing Static Route Session Parameters............................................................................... 145
Disabling BFD for Static Routes.................................................................................................. 145
Configure BFD for OSPF................................................................................................................... 145
Related Configuration Tasks....................................................................................................... 145
Establishing Sessions with OSPF Neighbors.............................................................................. 146
Changing OSPF Session Parameters.......................................................................................... 147
Disabling BFD for OSPF............................................................................................................... 147
Configure BFD for OSPFv3............................................................................................................... 148
Related Configuration Tasks.......................................................................................................148
Establishing Sessions with OSPFv3 Neighbors...........................................................................148
Changing OSPFv3 Session Parameters...................................................................................... 148
Disabling BFD for OSPFv3...........................................................................................................149
Configure BFD for BGP.....................................................................................................................149
Prerequisites................................................................................................................................ 149
Establishing Sessions with BGP Neighbors................................................................................ 150
Disabling BFD for BGP.................................................................................................................152
Use BFD in a BGP Peer Group.................................................................................................... 152
Displaying BFD for BGP Information.......................................................................................... 152
Configure BFD for VRRP................................................................................................................... 156
Related Configuration Tasks....................................................................................................... 157
Establishing Sessions with All VRRP Neighbors..........................................................................157
Establishing VRRP Sessions on VRRP Neighbors....................................................................... 158
Changing VRRP Session Parameters.......................................................................................... 159
Disabling BFD for VRRP...............................................................................................................159
Configure BFD for VLANs................................................................................................................. 159
Related Configuration Task........................................................................................................ 160
Establish Sessions with VLAN Neighbors................................................................................... 160
Changing VLAN Session Parameters...........................................................................................161
Disabling BFD for VLANs............................................................................................................. 161
Configure BFD for Port-Channels.................................................................................................... 161
Related Configuration Tasks....................................................................................................... 162
Establish Sessions on Port-Channels......................................................................................... 162
Changing Physical Port Session Parameters..............................................................................163
Disabling BFD for Port-Channels................................................................................................163
Configuring Protocol Liveness......................................................................................................... 163
Troubleshooting BFD........................................................................................................................ 163
9 Border Gateway Protocol IPv4 (BGPv4).......................................................165
Autonomous Systems (AS)................................................................................................................165
Sessions and Peers............................................................................................................................ 167
Establish a Session.......................................................................................................................168
Route Reflectors................................................................................................................................169
Communities............................................................................................................................... 169
BGP Attributes................................................................................................................................... 170
Best Path Selection Criteria.........................................................................................................170
Weight.......................................................................................................................................... 172
Local Preference..........................................................................................................................172
Multi-Exit Discriminators (MEDs)................................................................................................ 173
Origin........................................................................................................................................... 174
AS Path......................................................................................................................................... 175
Next Hop...................................................................................................................................... 175
Multiprotocol BGP............................................................................................................................. 175
Implement BGP with the Dell Networking OS.................................................................................176
Additional Path (Add-Path) Support............................................................................................176
Advertise IGP Cost as MED for Redistributed Routes................................................................ 176
Ignore Router-ID for Some Best-Path Calculations.................................................................. 177
Four-Byte AS Numbers................................................................................................................177
AS4 Number Representation.......................................................................................................178
AS Number Migration.................................................................................................................. 179
BGP4 Management Information Base (MIB)...............................................................................181
Important Points to Remember.................................................................................................. 181
Configuration Information................................................................................................................182
BGP Configuration............................................................................................................................ 182
Enabling BGP............................................................................................................................... 183
Enabling MBGP Configurations...................................................................................................217
BGP Regular Expression Optimization............................................................................................. 218
Debugging BGP.................................................................................................................................218
Storing Last and Bad PDUs......................................................................................................... 219
PDU Counters..............................................................................................................................219
Sample Configurations..................................................................................................................... 220
10 Content Addressable Memory (CAM)......................................................... 229
CAM Allocation................................................................................................................................. 229
Test CAM Usage................................................................................................................................230
View CAM-ACL Settings................................................................................................................... 230
CAM Optimization.............................................................................................................................231
11 Control Plane Policing (CoPP)..................................................................... 232
Configure Control Plane Policing.................................................................................................... 233
Configuring CoPP for Protocols................................................................................................ 234
Configuring CoPP for CPU Queues........................................................................................... 236
Show Commands........................................................................................................................237
12 Data Center Bridging (DCB)......................................................................... 239
Ethernet Enhancements in Data Center Bridging........................................................................... 239
Priority-Based Flow Control.......................................................................................................240
Enhanced Transmission Selection..............................................................................................241
Data Center Bridging Exchange Protocol (DCBx)..................................................................... 242
Data Center Bridging in a Traffic Flow....................................................................................... 243
Enabling Data Center Bridging.........................................................................................................243
QoS dot1p Traffic Classification and Queue Assignment...............................................................244
Configuring Priority-Based Flow Control........................................................................................ 245
Configuring Lossless Queues..................................................................................................... 247
Configuring the PFC Buffer in a Switch Stack........................................................................... 248
Configure Enhanced Transmission Selection................................................................................. 249
ETS Prerequisites and Restrictions............................................................................................. 249
Creating a QoS ETS Output Policy.............................................................................................250
Creating an ETS Priority Group................................................................................................... 251
Applying an ETS Output Policy for a Priority Group to an Interface.........................................252
ETS Operation with DCBx...........................................................................................................254
Configuring Bandwidth Allocation for DCBx CIN..................................................................... 254
Applying DCB Policies in a Switch Stack..........................................................................................255
Applying DCB Policies with an ETS Configuration.......................................................................... 256
Configure a DCBx Operation........................................................................................................... 256
DCBx Operation.......................................................................................................................... 257
DCBx Port Roles.......................................................................................................................... 257
DCB Configuration Exchange.................................................................................................... 259
Configuration Source Election................................................................................................... 259
Propagation of DCB Information............................................................................................... 260
Auto-Detection and Manual Configuration of the DCBx Version............................................260
DCBx Example............................................................................................................................. 261
DCBx Prerequisites and Restrictions.......................................................................................... 262
Configuring DCBx....................................................................................................................... 262
Verifying the DCB Configuration..................................................................................................... 266
PFC and ETS Configuration Examples............................................................................................. 276
Using PFC and ETS to Manage Data Center Traffic...................................................................276
Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack........................ 280
Hierarchical Scheduling in ETS Output Policies........................................................................ 280
Configuring DCB Maps and its Attributes........................................................................................ 281
DCB Map: Configuration Procedure.......................................................................................... 281
Important Points to Remember................................................................................................. 282
Applying a DCB Map on a Port...................................................................................................282
Configuring PFC without a DCB Map........................................................................................ 283
Configuring Lossless Queues.....................................................................................................283
Priority-Based Flow Control Using Dynamic Buffer Method..........................................................284
Pause and Resume of Traffic......................................................................................................284
Buffer Sizes for Lossless or PFC Packets....................................................................................285
Interworking of DCB Map With DCB Buffer Threshold Settings.................................................... 286
Configuring the Dynamic Buffer Method........................................................................................ 286
13 Debugging and Diagnostics......................................................................... 288
Offline Diagnostics........................................................................................................................... 288
Important Points to Remember................................................................................................. 288
Running Offline Diagnostics.......................................................................................................288
Trace Logs......................................................................................................................................... 291
Auto Save on Crash or Rollover..................................................................................................291
Using the Show Hardware Commands........................................................................................... 292
Enabling Environmental Monitoring................................................................................................ 293
Recognize an Over-Temperature Condition............................................................................ 294
Troubleshoot an Over-Temperature Condition........................................................................295
Recognize an Under-Voltage Condition................................................................................... 296
Troubleshoot an Under-Voltage Condition.............................................................................. 296
Buffer Tuning.....................................................................................................................................297
Deciding to Tune Buffers............................................................................................................298
Using a Pre-Defined Buffer Profile............................................................................................. 301
Sample Buffer Profile Configuration.......................................................................................... 301
Troubleshooting Packet Loss...........................................................................................................302
Displaying Drop Counters.......................................................................................................... 302
Dataplane Statistics.....................................................................................................................303
Display Stack Port Statistics........................................................................................................304
Display Stack Member Counters................................................................................................ 305
Enabling Application Core Dumps...................................................................................................305
Mini Core Dumps..............................................................................................................................306
Enabling TCP Dumps........................................................................................................................307
14 Dynamic Host Configuration Protocol (DHCP)........................................308
DHCP Packet Format and Options.................................................................................................. 308
Assign an IP Address using DHCP.............................................................................................. 310
Implementation Information.............................................................................................................311
Configure the System to be a DHCP Server.................................................................................... 312
Configuring the Server for Automatic Address Allocation.........................................................312
Configuration Tasks.....................................................................................................................313
Specifying a Default Gateway..................................................................................................... 314
Enabling the DHCP Server.......................................................................................................... 314
Configure a Method of Hostname Resolution........................................................................... 315
Creating Manual Binding Entries.................................................................................................315
Debugging the DHCP Server...................................................................................................... 316
Using DHCP Clear Commands...................................................................................................316
Configure the System to be a Relay Agent...................................................................................... 316
Configure the System to be a DHCP Client.....................................................................................318
Configuring the DHCP Client System........................................................................................ 319
DHCP Client on a Management Interface................................................................................. 322
DHCP Client Operation with Other Features.............................................................................323
Configure Secure DHCP...................................................................................................................324
Option 82.................................................................................................................................... 324
DHCP Snooping.......................................................................................................................... 325
Drop DHCP Packets on Snooped VLANs Only.......................................................................... 327
Dynamic ARP Inspection.............................................................................................................327
Configuring Dynamic ARP Inspection........................................................................................328
Source Address Validation.......................................................................................................... 329
15 Equal Cost Multi-Path (ECMP)..................................................................... 332
ECMP for Flow-Based Affinity.......................................................................................................... 332
Enabling Deterministic ECMP Next Hop.................................................................................... 332
Link Bundle Monitoring.................................................................................................................... 332
Managing ECMP Group Paths.......................................................................................................... 333
16 FCoE Transit.................................................................................................... 334
Fibre Channel over Ethernet............................................................................................................ 334
Ensure Robustness in a Converged Ethernet Network................................................................... 334
FIP Snooping on Ethernet Bridges................................................................................................... 336
FIP Snooping in a Switch Stack........................................................................................................ 338
Using FIP Snooping...........................................................................................................................338
Important Points to Remember................................................................................................. 338
Enabling the FCoE Transit Feature............................................................................................. 339
Enable FIP Snooping on VLANs.................................................................................................. 339
Configure the FC-MAP Value..................................................................................................... 339
Configure a Port for a Bridge-to-Bridge Link............................................................................ 339
Configure a Port for a Bridge-to-FCF Link................................................................................ 340
Impact on Other Software Features.......................................................................................... 340
FIP Snooping Prerequisites.........................................................................................................340
FIP Snooping Restrictions........................................................................................................... 341
Configuring FIP Snooping...........................................................................................................341
Displaying FIP Snooping Information.............................................................................................. 342
FCoE Transit Configuration Example............................................................................................... 347
17 FIPS Cryptography......................................................................................... 350
Preparing the System........................................................................................................................350
Enabling FIPS Mode.......................................................................................................................... 350
Generating Host-Keys.......................................................................................................................351
Monitoring FIPS Mode Status............................................................................................................351
Disabling FIPS Mode......................................................................................................................... 352
18 Force10 Resilient Ring Protocol (FRRP)..................................................... 353
Protocol Overview............................................................................................................................ 353
Ring Status...................................................................................................................................354
Multiple FRRP Rings.................................................................................................................... 355
Important FRRP Points................................................................................................................356
Important FRRP Concepts.......................................................................................................... 357
Implementing FRRP.......................................................................................................................... 358
FRRP Configuration.......................................................................................................................... 358
Creating the FRRP Group........................................................................................................... 359
Configuring the Control VLAN................................................................................................... 359
Configuring and Adding the Member VLANs............................................................................ 360
Setting the FRRP Timers............................................................................................................. 362
Clearing the FRRP Counters....................................................................................................... 362
Viewing the FRRP Configuration................................................................................................ 362
Viewing the FRRP Information................................................................................................... 362
Troubleshooting FRRP......................................................................................................................363
Configuration Checks.................................................................................................................363
Sample Configuration and Topology...............................................................................................363
19 GARP VLAN Registration Protocol (GVRP)................................................ 366
Important Points to Remember....................................................................................................... 366
Configure GVRP................................................................................................................................366
Related Configuration Tasks.......................................................................................................367
Enabling GVRP Globally....................................................................................................................367
Enabling GVRP on a Layer 2 Interface............................................................................................. 368
Configure GVRP Registration........................................................................................................... 368
Configure a GARP Timer.................................................................................................................. 369
20 Internet Group Management Protocol (IGMP)......................................... 371
IGMP Protocol Overview...................................................................................................................371
IGMP Version 2............................................................................................................................ 371
IGMP Version 3............................................................................................................................ 373
IGMP Snooping................................................................................................................................. 376
IGMP Snooping Implementation Information........................................................................... 376
Configuring IGMP Snooping....................................................................................................... 377
Enabling IGMP Immediate-Leave............................................................................................... 377
Disabling Multicast Flooding.......................................................................................................378
Specifying a Port as Connected to a Multicast Router..............................................................378
Configuring the Switch as Querier............................................................................................. 378
Fast Convergence after MSTP Topology Changes..........................................................................379
Designating a Multicast Router Interface.........................................................................................379
21 Interfaces......................................................................................................... 380
Basic Interface Configuration.......................................................................................................... 380
Advanced Interface Configuration...................................................................................................380
Interface Types..................................................................................................................................381
View Basic Interface Information..................................................................................................... 381
Enabling a Physical Interface............................................................................................................383
Physical Interfaces............................................................................................................................ 384
Configuration Task List for Physical Interfaces......................................................................... 384
Overview of Layer Modes........................................................................................................... 384
Configuring Layer 2 (Data Link) Mode....................................................................................... 385
Configuring Layer 2 (Interface) Mode........................................................................................ 385
Configuring Layer 3 (Network) Mode.........................................................................................385
Configuring Layer 3 (Interface) Mode........................................................................................ 386
Management Interfaces....................................................................................................................387
Configuring Management Interfaces on the MXL Switch......................................................... 387
VLAN Interfaces................................................................................................................................ 389
Loopback Interfaces......................................................................................................................... 390
Null Interfaces...................................................................................................................................390
Port Channel Interfaces....................................................................................................................390
Port Channel Definition and Standards...................................................................................... 391
Port Channel Benefits................................................................................................................. 391
Port Channel Implementation.................................................................................................... 391
100/1000/10000 Mbps Interfaces in Port Channels.................................................................392
Configuration Tasks for Port Channel Interfaces...................................................................... 392
Creating a Port Channel............................................................................................................. 392
Adding a Physical Interface to a Port Channel.......................................................................... 393
Reassigning an Interface to a New Port Channel......................................................................395
Configuring the Minimum Oper Up Links in a Port Channel.................................................... 395
Adding or Removing a Port Channel from a VLAN................................................................... 396
Assigning an IP Address to a Port Channel................................................................................396
Deleting or Disabling a Port Channel.........................................................................................397
Server Ports....................................................................................................................................... 397
Default Configuration without Start-up Config.........................................................................397
Bulk Configuration............................................................................................................................398
Interface Range...........................................................................................................................398
Bulk Configuration Examples..................................................................................................... 398
Defining Interface Range Macros.................................................................................................... 400
Define the Interface Range........................................................................................................ 400
Choosing an Interface-Range Macro........................................................................................ 400
Monitoring and Maintaining Interfaces............................................................................................ 401
Maintenance Using TDR............................................................................................................. 402
Splitting QSFP Ports to SFP+ Ports.................................................................................................. 402
Merging SFP+ Ports to QSFP 40G Ports.................................................................................... 403
Configure the MTU Size on an Interface................................................................................... 404
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port............................................................404
Important Points to Remember................................................................................................. 405
Support for LM4 Optics.............................................................................................................. 405
Example Scenarios......................................................................................................................405
Layer 2 Flow Control Using Ethernet Pause Frames.......................................................................409
Enabling Pause Frames............................................................................................................... 410
Configure MTU Size on an Interface................................................................................................ 411
Port-Pipes..........................................................................................................................................412
Auto-Negotiation on Ethernet Interfaces........................................................................................ 412
Setting the Speed and Duplex Mode of Ethernet Interfaces..................................................... 412
View Advanced Interface Information..............................................................................................414
Configuring the Interface Sampling Size....................................................................................415
Dynamic Counters...................................................................................................................... 416
Enhanced Validation of Interface Ranges........................................................................................ 417
22 Internet Protocol Security (IPSec).............................................................. 419
Configuring IPSec............................................................................................................................. 419
23 IPv4 Routing....................................................................................................421
IP Addresses.......................................................................................................................................421
Implementation Information...................................................................................................... 421
Configuration Tasks for IP Addresses.........................................................................................421
IPv4 Path MTU Discovery Overview.................................................................................................424
Using the Configured Source IP Address in ICMP Messages..........................................................425
Configuring the ICMP Source Interface.....................................................................................425
Configuring the Duration to Establish a TCP Connection..............................................................426
Enabling Directed Broadcast............................................................................................................426
Resolution of Host Names............................................................................................................... 426
Enabling Dynamic Resolution of Host Names...........................................................................427
Specifying the Local System Domain and a List of Domains.................................................... 427
Configuring DNS with Traceroute............................................................................................. 428
ARP.................................................................................................................................................... 429
Configuration Tasks for ARP.......................................................................................................429
ARP Learning via Gratuitous ARP......................................................................................................431
ARP Learning via ARP Request..........................................................................................................431
Configuring ARP Retries................................................................................................................... 432
ICMP.................................................................................................................................................. 433
Configuration Tasks for ICMP.................................................................................................... 433
UDP Helper....................................................................................................................................... 433
Configure UDP Helper................................................................................................................ 433
Important Points to Remember................................................................................................. 433
Enabling UDP Helper.................................................................................................................. 434
Configurations Using UDP Helper................................................................................................... 434
UDP Helper with Broadcast-All Addresses................................................................................ 434
UDP Helper with Subnet Broadcast Addresses..........................................................................435
UDP Helper with Configured Broadcast Addresses.................................................................. 436
UDP Helper with No Configured Broadcast Addresses............................................................ 436
Troubleshooting UDP Helper........................................................................................................... 437
24 IPv6 Addressing..............................................................................................438
Protocol Overview............................................................................................................................438
Extended Address Space............................................................................................................ 438
Stateless Autoconfiguration....................................................................................................... 438
IPv6 Header Fields............................................................................................................................ 440
Version (4 bits)............................................................................................................................ 440
Traffic Class (8 bits).....................................................................................................................440
Flow Label (20 bits).....................................................................................................................440
Payload Length (16 bits)............................................................................................................. 440
Next Header (8 bits)....................................................................................................................440
Hop Limit (8 bits)......................................................................................................................... 441
Source Address (128 bits)............................................................................................................441
Destination Address (128 bits).....................................................................................................441
Extension Header Fields....................................................................................................................441
Hop-by-Hop Options Header....................................................................................................442
Addressing.........................................................................................................................................442
Link-local Addresses...................................................................................................................443
Static and Dynamic Addressing..................................................................................................443
Implementing IPv6 with the Dell Networking OS........................................................................... 444
ICMPv6..............................................................................................................................................446
Path MTU Discovery......................................................................................................................... 447
IPv6 Neighbor Discovery.................................................................................................................. 447
IPv6 Neighbor Discovery of MTU Packets.................................................................................448
Configuring the IPv6 Recursive DNS Server.............................................................................. 448
Debugging IPv6 RDNSS Information Sent to the Host ............................................................ 449
Displaying IPv6 RDNSS Information...........................................................................................450
IPv6 Multicast....................................................................................................................................450
Secure Shell (SSH) Over an IPv6 Transport...................................................................................... 451
Configuration Task List for IPv6........................................................................................................451
Adjusting Your CAM-Profile........................................................................................................ 451
Assigning an IPv6 Address to an Interface................................................................................. 452
Assigning a Static IPv6 Route..................................................................................................... 453
Configuring Telnet with IPv6......................................................................................................453
SNMP over IPv6...........................................................................................................................454
Showing IPv6 Information.......................................................................................................... 454
Showing an IPv6 Interface..........................................................................................................454
Showing IPv6 Routes.................................................................................................................. 455
Showing the Running-Configuration for an Interface.............................................................. 456
Clearing IPv6 Routes...................................................................................................................457
25 iSCSI Optimization.........................................................................................458
iSCSI Optimization Overview........................................................................................................... 458
Monitoring iSCSI Traffic Flows................................................................................................... 460
Information Monitored in iSCSI Traffic Flows........................................................................... 460
Detection and Auto-Configuration for Dell EqualLogic Arrays................................................460
Configuring Detection and Ports for Dell Compellent Arrays...................................................461
iSCSI Optimization: Operation................................................................................................... 461
Default iSCSI Optimization Values..............................................................................................461
Displaying iSCSI Optimization Information..................................................................................... 462
26 Intermediate System to Intermediate System..........................................464
IS-IS Protocol Overview................................................................................................................... 464
IS-IS Addressing................................................................................................................................464
Multi-Topology IS-IS........................................................................................................................ 465
Transition Mode.......................................................................................................................... 466
Interface Support........................................................................................................................ 466
Adjacencies................................................................................................................................. 466
Graceful Restart................................................................................................................................ 466
Timers.......................................................................................................................................... 467
Implementation Information............................................................................................................ 467
Configuration Information............................................................................................................... 468
Configuration Tasks for IS-IS..................................................................................................... 468
IS-IS Metric Styles............................................................................................................................. 484
Configure Metric Values...................................................................................................................484
Maximum Values in the Routing Table...................................................................................... 485
Change the IS-IS Metric Style in One Level Only...................................................................... 485
Leaks from One Level to Another.............................................................................................. 487
Sample Configurations..................................................................................................................... 487
27 Link Aggregation Control Protocol (LACP)...............................................492
Introduction to Dynamic LAGs and LACP....................................................................................... 492
Important Points to Remember................................................................................................. 492
LACP Modes................................................................................................................................ 493
Configuring LACP Commands................................................................................................... 493
LACP Configuration Tasks................................................................................................................494
Creating a LAG............................................................................................................................ 494
Configuring the LAG Interfaces as Dynamic............................................................................. 495
Setting the LACP Long Timeout.................................................................................................495
Shared LAG State Tracking...............................................................................................................496
Configuring Shared LAG State Tracking.......................................................................................... 497
Important Points about Shared LAG State Tracking..................................................................498
LACP Basic Configuration Example................................................................................................. 499
Configure a LAG on ALPHA........................................................................................................499
28 Layer 2..............................................................................................................508
Manage the MAC Address Table...................................................................................................... 508
Clearing the MAC Address Table................................................................................................508
Setting the Aging Time for Dynamic Entries..............................................................................508
Configuring a Static MAC Address............................................................................................. 509
Displaying the MAC Address Table............................................................................................ 509
MAC Learning Limit.......................................................................................................................... 509
Setting the MAC Learning Limit.................................................................................................. 510
mac learning-limit Dynamic....................................................................................................... 510
mac learning-limit station-move................................................................................................510
Learning Limit Violation Actions..................................................................................................511
Setting Station Move Violation Actions.......................................................................................511
Recovering from Learning Limit and Station Move Violations...................................................511
NIC Teaming......................................................................................................................................512
MAC Move Optimization.............................................................................................................514
29 Link Layer Discovery Protocol (LLDP)........................................................ 515
802.1AB (LLDP) Overview..................................................................................................................515
Protocol Data Units..................................................................................................................... 515
Optional TLVs.................................................................................................................................... 516
Management TLVs.......................................................................................................................516
TIA-1057 (LLDP-MED) Overview...................................................................................................... 518
TIA Organizationally Specific TLVs............................................................................................. 519
Extended Power via MDI TLV......................................................................................................523
Configure LLDP.................................................................................................................................523
Related Configuration Tasks.......................................................................................................523
Important Points to Remember................................................................................................. 524
LLDP Compatibility..................................................................................................................... 524
CONFIGURATION versus INTERFACE Configurations....................................................................524
Enabling LLDP................................................................................................................................... 525
Disabling and Undoing LLDP...................................................................................................... 525
Advertising TLVs................................................................................................................................ 525
Viewing the LLDP Configuration......................................................................................................526
Viewing Information Advertised by Adjacent LLDP Agents.............................................................527
Configuring LLDPDU Intervals......................................................................................................... 528
Configuring Transmit and Receive Mode........................................................................................ 529
Configuring a Time to Live............................................................................................................... 530
Debugging LLDP...............................................................................................................................530
Relevant Management Objects.........................................................................................................531
30 Microsoft Network Load Balancing............................................................538
NLB Unicast Mode Scenario.............................................................................................................538
NLB Multicast Mode Scenario.......................................................................................................... 539
Limitations With Enabling NLB on Switches.................................................................................... 539
Benefits and Working of Microsoft Clustering.................................................................................539
Enable and Disable VLAN Flooding .................................................................................................540
Configuring a Switch for NLB ......................................................................................................... 540
31 Multicast Source Discovery Protocol (MSDP)........................................... 541
Protocol Overview............................................................................................................................ 541
Anycast RP.........................................................................................................................................543
Implementation Information............................................................................................................ 543
Configure the Multicast Source Discovery Protocol.......................................................................543
Related Configuration Tasks.......................................................................................................543
Enabling MSDP.................................................................................................................................. 547
Manage the Source-Active Cache................................................................................................... 548
Viewing the Source-Active Cache............................................................................................. 548
Limiting the Source-Active Cache............................................................................................. 549
Clearing the Source-Active Cache.............................................................................................549
Enabling the Rejected Source-Active Cache.............................................................................549
Accept Source-Active Messages that Fail the RFP Check.............................................................. 549
Specifying Source-Active Messages.................................................................................................553
Limiting the Source-Active Messages from a Peer......................................................................... 554
Preventing MSDP from Caching a Local Source............................................................................. 554
Preventing MSDP from Caching a Remote Source......................................................................... 555
Preventing MSDP from Advertising a Local Source.........................................................................556
Logging Changes in Peership States................................................................................................ 557
Terminating a Peership..................................................................................................................... 557
Clearing Peer Statistics......................................................................................................................557
Debugging MSDP..............................................................................................................................558
MSDP with Anycast RP......................................................................................................................558
Configuring Anycast RP....................................................................................................................560
Reducing Source-Active Message Flooding..............................................................................560
Specifying the RP Address Used in SA Messages...................................................................... 560
MSDP Sample Configurations.......................................................................................................... 563
32 Multiple Spanning Tree Protocol (MSTP).................................................. 566
Protocol Overview............................................................................................................................566
Spanning Tree Variations.................................................................................................................. 567
Implementation Information............................................................................................................ 567
Configure Multiple Spanning Tree Protocol.................................................................................... 567
Related Configuration Tasks.......................................................................................................567
Enable Multiple Spanning Tree Globally.......................................................................................... 568
Creating Multiple Spanning Tree Instances.....................................................................................568
Influencing MSTP Root Selection.................................................................................................... 569
Interoperate with Non-Dell Networking OS Bridges...................................................................... 570
Changing the Region Name or Revision..........................................................................................570
Modifying Global Parameters............................................................................................................571
Enable BPDU Filtering Globally.........................................................................................................572
Modifying the Interface Parameters................................................................................................. 573
Configuring an EdgePort.................................................................................................................. 573
Flush MAC Addresses after a Topology Change............................................................................. 574
MSTP Sample Configurations........................................................................................................... 575
Router 1 Running-Configuration; Router 2 Running-Configuration; Router 3 Running-Configuration; SFTOS Example Running-Configuration.............................................................575
Debugging and Verifying MSTP Configurations.............................................................................. 578
33 Multicast Features.......................................................................................... 581
Enabling IP Multicast......................................................................................................................... 581
Multicast with ECMP......................................................................................................................... 581
Implementation Information............................................................................................................582
First Packet Forwarding for Lossless Multicast................................................................................ 583
Multicast Policies.............................................................................................................................. 583
IPv4 Multicast Policies...................................................................................................................... 583
Limiting the Number of Multicast Routes.................................................................................. 583
Preventing a Host from Joining a Group...................................................................................584
Rate Limiting IGMP Join Requests............................................................................................. 587
Preventing a PIM Router from Forming an Adjacency.............................................................. 587
Preventing a Source from Registering with the RP................................................................... 587
Preventing a PIM Router from Processing a Join......................................................................590
34 Open Shortest Path First (OSPFv2 and OSPFv3).......................................591
Protocol Overview............................................................................................................................ 591
Autonomous System (AS) Areas..................................................................................................591
Area Types................................................................................................................................... 592
Networks and Neighbors............................................................................................................ 593
Router Types............................................................................................................................... 593
Link-State Advertisements (LSAs)............................................................................................... 595
Router Priority and Cost............................................................................................................. 596
OSPF with the Dell Networking OS..................................................................................................597
Graceful Restart.......................................................................................................................... 598
Fast Convergence (OSPFv2, IPv4 Only)..................................................................................... 599
Multi-Process OSPFv2 (IPv4 only).............................................................................................. 599
RFC-2328 Compliant OSPF Flooding........................................................................................600
OSPF ACK Packing...................................................................................................................... 601
Setting OSPF Adjacency with Cisco Routers............................................................................. 601
Configuration Information............................................................................................................... 602
Configuration Task List for OSPFv2 (OSPF for IPv4)................................................................. 602
Troubleshooting OSPFv2............................................................................................................ 615
Configuration Task List for OSPFv3 (OSPF for IPv6)........................................................................619
Enabling IPv6 Unicast Routing....................................................................................................619
Assigning IPv6 Addresses on an Interface................................................................................. 620
Assigning Area ID on an Interface..............................................................................................620
Assigning OSPFv3 Process ID and Router ID Globally.............................................................. 620
Configuring Stub Areas............................................................................................................... 621
Configuring Passive-Interface.................................................................................................... 621
Redistributing Routes..................................................................................................................622
Configuring a Default Route.......................................................................................................622
Enabling OSPFv3 Graceful Restart............................................................................................. 622
Displaying Graceful Restart........................................................................................................ 623
OSPFv3 Authentication Using IPsec...........................................................................................625
35 Policy-based Routing (PBR)......................................................................... 634
Overview........................................................................................................................................... 634
Implementing Policy-based Routing with Dell Networking OS..................................................... 636
Configuration Task List for Policy-based Routing.......................................................................... 636
PBR Exceptions (Permit)............................................................................................................. 639
Sample Configuration....................................................................................................................... 641
Create the Redirect-List GOLD
Assign Redirect-List GOLD to Interface 2/11
View Redirect-List GOLD.................................................................................................................... 642
36 PIM Sparse-Mode (PIM-SM).........................................................................644
Implementation Information............................................................................................................644
Protocol Overview............................................................................................................................644
Requesting Multicast Traffic.......................................................................................................644
Refuse Multicast Traffic.............................................................................................................. 645
Send Multicast Traffic................................................................................................................. 645
Configuring PIM-SM.........................................................................................................................646
Related Configuration Tasks...................................................................................................... 646
Enable PIM-SM................................................................................................................................. 646
Configuring S,G Expiry Timers......................................................................................................... 647
Configuring a Static Rendezvous Point........................................................................................... 648
Overriding Bootstrap Router Updates....................................................................................... 649
Configuring a Designated Router.................................................................................................... 649
Creating Multicast Boundaries and Domains.................................................................................. 650
Enabling PIM-SM Graceful Restart...................................................................................................650
37 PIM Source-Specific Mode (PIM-SSM)........................................................651
Configure PIM-SSM......................................................................................................................... 651
Related Configuration Tasks....................................................................................................... 651
Implementation Information............................................................................................................ 651
Important Points to Remember................................................................................................. 652
Enabling PIM-SSM.............................................................................................................................652
Use PIM-SSM with IGMP Version 2 Hosts........................................................................................652
Configuring PIM-SSM with IGMPv2........................................................................................... 653
38 Port Monitoring..............................................................................................655
Important Points to Remember....................................................................................................... 655
Configuring Port Monitoring............................................................................................................656
Enabling Flow-Based Monitoring..................................................................................................... 657
Remote Port Mirroring......................................................................................................................658
Remote Port Mirroring Example.................................................................................................659
Configuring Remote Port Mirroring...........................................................................................660
Displaying Remote-Port Mirroring Configurations....................................................................661
Configuring the Sample Remote Port Mirroring....................................................................... 662
Configuring the Encapsulated Remote Port Mirroring................................................................... 665
Configuration steps for ERPM ................................................................................................... 665
ERPM Behavior on a typical Dell Networking OS ...........................................................................666
Decapsulation of ERPM packets at the Destination IP/ Analyzer..............................................667
39 Private VLANs (PVLAN)..................................................................................669
Private VLAN Concepts.................................................................................................................... 669
Using the Private VLAN Commands...........................................................................................670
Configuration Task List................................................................................................................671
Private VLAN Configuration Example.........................................................................................675
40 Per-VLAN Spanning Tree Plus (PVST+)...................................................... 679
Protocol Overview............................................................................................................................ 679
Implementation Information......................................................................................................680
Configure Per-VLAN Spanning Tree Plus........................................................................................680
Related Configuration Tasks...................................................................................................... 680
Enabling PVST+................................................................................................................................ 680
Disabling PVST+................................................................................................................................ 681
Influencing PVST+ Root Selection............................................................................................. 681
Modifying Global PVST+ Parameters...............................................................................................683
Modifying Interface PVST+ Parameters...........................................................................................684
Configuring an EdgePort..................................................................................................................685
PVST+ in Multi-Vendor Networks....................................................................................................686
Enabling PVST+ Extend System ID.................................................................................................. 686
PVST+ Sample Configurations......................................................................................................... 687
Enable BPDU Filtering globally.........................................................................................................689
41 Quality of Service (QoS)................................................................................690
Implementation Information............................................................................................................ 691
Port-Based QoS Configurations...................................................................................................... 692
Setting dot1p Priorities for Incoming Traffic..............................................................................692
Honoring dot1p Priorities on Ingress Traffic..............................................................................693
Configuring Port-Based Rate Policing.......................................................................................694
Configuring Port-Based Rate Shaping.......................................................................................694
Guidelines for Configuring ECN for Classifying and Color-Marking Packets................................694
Sample configuration to mark non-ECN packets as “yellow” with multiple traffic classes..........695
Classifying Incoming Packets Using ECN and Color-Marking................................................. 695
Sample configuration to mark non-ECN packets as “yellow” with a single traffic class............. 698
Policy-Based QoS Configurations................................................................................................... 699
DSCP Color Maps....................................................................................................................... 700
Classify Traffic............................................................................................................................. 702
Create a QoS Policy....................................................................................................................706
Create Policy Maps..................................................................................................................... 709
Enabling QoS Rate Adjustment.........................................................................................................714
Enabling Strict-Priority Queueing.....................................................................................................714
Weighted Random Early Detection.................................................................................................. 715
Creating WRED Profiles...............................................................................................................716
Applying a WRED Profile to Traffic............................................................................................. 716
Displaying Default and Configured WRED Profiles.................................................................... 716
Displaying WRED Drop Statistics.................................................................................................717
Classifying Layer 2 Traffic on Layer 3 Interfaces ....................................................................... 717
Classifying Packets Based on a Combination of DSCP Code Points and VLAN IDs.................718
42 Routing Information Protocol (RIP)........................................................... 720
Protocol Overview............................................................................................................................ 720
RIPv1............................................................................................................................................ 720
RIPv2............................................................................................................................................ 720
Implementation Information.............................................................................................................721
Configuration Information................................................................................................................ 721
Configuration Task List................................................................................................................721
RIP Configuration Example.........................................................................................................728
43 Remote Monitoring (RMON)........................................................................ 733
Implementation Information............................................................................................................ 733
Fault Recovery...................................................................................................................................733
Setting the rmon Alarm...............................................................................................................734
Configuring an RMON Event...................................................................................................... 735
Configuring RMON Collection Statistics.................................................................................... 735
Configuring the RMON Collection History................................................................................ 736
Enabling an RMON MIB Collection History Group.................................................................... 737
44 Rapid Spanning Tree Protocol (RSTP)........................................................738
Protocol Overview............................................................................................................................ 738
Configuring Rapid Spanning Tree.................................................................................................... 738
Related Configuration Tasks.......................................................................................................738
Important Points to Remember..................................................................................................739
Configuring Interfaces for Layer 2 Mode.........................................................................................739
Enabling Rapid Spanning Tree Protocol Globally............................................................................739
Adding and Removing Interfaces..................................................................................................... 742
Modifying Global Parameters........................................................................................................... 743
Enable BPDU Filtering Globally........................................................................................................ 744
Modifying Interface Parameters....................................................................................................... 745
Configuring an EdgePort.................................................................................................................. 745
Influencing RSTP Root Selection..................................................................................................... 746
SNMP Traps for Root Elections and Topology Changes.................................................................747
Configuring Fast Hellos for Link State Detection............................................................................ 747
45 Security............................................................................................................ 748
AAA Accounting................................................................................................................................ 748
Configuration Task List for AAA Accounting..............................................................................748
AAA Authentication........................................................................................................................... 750
Configuration Task List for AAA Authentication......................................................................... 751
AAA Authorization............................................................................................................................. 753
Privilege Levels Overview............................................................................................................753
Configuration Task List for Privilege Levels............................................................................... 754
RADIUS.............................................................................................................................................. 758
RADIUS Authentication and Authorization.................................................................................758
Configuration Task List for RADIUS............................................................................................759
TACACS+...........................................................................................................................................762
Configuration Task List for TACACS+........................................................................................ 762
Choosing TACACS+ as the Authentication Method..................................................................763
Monitoring TACACS+..................................................................................................................764
TACACS+ Remote Authentication and Authorization...............................................................764
Specifying a TACACS+ Server Host............................................................................................765
Command Authorization............................................................................................................ 766
Protection from TCP Tiny and Overlapping Fragment Attacks...................................................... 766
Enabling SCP and SSH...................................................................................................................... 766
Using SCP with SSH to Copy a Software Image........................................................................ 767
Removing the RSA Host Keys and Zeroizing Storage ...............................................................768
Configuring When to Re-generate an SSH Key ........................................................................768
Configuring the SSH Server Key Exchange Algorithm...............................................................769
Configuring the HMAC Algorithm for the SSH Server............................................................... 769
Configuring the SSH Server Cipher List......................................................................................770
Secure Shell Authentication........................................................................................................770
Troubleshooting SSH.................................................................................................................. 773
Telnet................................................................................................................................................. 773
VTY Line and Access-Class Configuration.......................................................................................774
VTY Line Local Authentication and Authorization..................................................................... 774
VTY Line Remote Authentication and Authorization................................................................. 775
VTY MAC-SA Filter Support.........................................................................................................775
Role-Based Access Control.............................................................................................................. 776
Overview of RBAC....................................................................................................................... 776
User Roles....................................................................................................................................779
AAA Authentication and Authorization for Roles.......................................................................783
Role Accounting..........................................................................................................................786
Display Information About User Roles....................................................................................... 787
46 Service Provider Bridging.............................................................................789
VLAN Stacking...................................................................................................................................789
Important Points to Remember................................................................................................. 790
Configure VLAN Stacking........................................................................................................... 790
Creating Access and Trunk Ports................................................................................................791
Enable VLAN-Stacking for a VLAN..............................................................................................792
Configuring the Protocol Type Value for the Outer VLAN Tag.................................................792
Configuring Options for Trunk Ports......................................................................................... 792
Debugging VLAN Stacking..........................................................................................................793
VLAN Stacking in Multi-Vendor Networks................................................................................. 794
VLAN Stacking Packet Drop Precedence.........................................................................................798
Enabling Drop Eligibility.............................................................................................................. 798
Honoring the Incoming DEI Value............................................................................................. 799
Marking Egress Packets with a DEI Value...................................................................................799
Dynamic Mode CoS for VLAN Stacking.......................................................................................... 800
Mapping C-Tag to S-Tag dot1p Values......................................................................................801
Layer 2 Protocol Tunneling..............................................................................................................802
Implementation Information......................................................................................................804
Enabling Layer 2 Protocol Tunneling.........................................................................................805
Specifying a Destination MAC Address for BPDUs....................................................................805
Setting Rate-Limit BPDUs...........................................................................................................805
Debugging Layer 2 Protocol Tunneling.................................................................................... 806
Provider Backbone Bridging............................................................................................................ 806
47 sFlow................................................................................................................ 807
Overview........................................................................................................................................... 807
Implementation Information............................................................................................................807
Important Points to Remember................................................................................................. 808
Enabling and Disabling sFlow.......................................................................................................... 808
Enabling and Disabling sFlow on an Interface.......................................................................... 808
sFlow Show Commands.................................................................................................................. 808
Displaying Show sFlow Global................................................................................................... 809
Displaying Show sFlow on an Interface.....................................................................................809
Displaying Show sFlow on a Stack Unit.....................................................................................809
Configuring Specify Collectors........................................................................................................ 810
Changing the Polling Intervals......................................................................................................... 810
Changing the Sampling Rate............................................................................................................810
Sub-Sampling...............................................................................................................................811
Back-Off Mechanism........................................................................................................................ 811
sFlow on LAG ports........................................................................................................................... 812
Enabling Extended sFlow.................................................................................................................. 812
48 Simple Network Management Protocol (SNMP)......................................814
Implementation Information............................................................................................................ 814
Configuration Task List for SNMP...............................................................................................814
Important Points to Remember..................................................................................................815
SNMPv3 Compliance With FIPS........................................................................................................815
Set up SNMP......................................................................................................................................816
Creating a Community................................................................................................................817
Setting Up User-Based Security (SNMPv3).......................................................................................817
Reading Managed Object Values..................................................................................................... 819
Writing Managed Object Values.......................................................................................................820
Configuring Contact and Location Information using SNMP........................................................ 820
Subscribing to Managed Object Value Updates using SNMP......................................................... 821
Enabling a Subset of SNMP Traps.................................................................................................... 822
Copy Configuration Files Using SNMP............................................................................................ 824
Copying a Configuration File........................................................................................................... 826
Copying Configuration Files via SNMP............................................................................................ 827
Copying the Startup-Config Files to the Running-Config.............................................................. 827
Copying the Startup-Config Files to the Server via FTP................................................................. 828
Copying the Startup-Config Files to the Server via TFTP............................................................... 828
Copying a Binary File to the Startup-Configuration........................................................................829
Additional MIB Objects to View Copy Statistics.............................................................................. 829
Obtaining a Value for MIB Objects.................................................................................................. 830
Manage VLANs using SNMP..............................................................................................................831
Creating a VLAN.......................................................................................................................... 831
Assigning a VLAN Alias................................................................................................................ 831
Displaying the Ports in a VLAN....................................................................................................831
Add Tagged and Untagged Ports to a VLAN..............................................................................833
Enabling and Disabling a Port using SNMP..................................................................................... 834
Fetch Dynamic MAC Entries using SNMP........................................................................................834
Deriving Interface Indices.................................................................................................................836
Monitor Port-Channels.....................................................................................................................837
BMP Functionality Using SNMP SET................................................................................................ 838
Entity MIBS........................................................................................................................................ 839
Physical Entity............................................................................................................................. 839
Containment Tree.......................................................................................................................839
Troubleshooting SNMP Operation.................................................................................................. 840
49 Stacking........................................................................................................... 841
Stacking MXL 10/40GbE Switches....................................................................................................841
Stack Management Roles........................................................................................................... 842
Stack Master Election................................................................................................................. 843
Failover Roles.............................................................................................................................. 844
MAC Addressing..........................................................................................................................844
Stacking LAG............................................................................................................................... 844
Supported Stacking Topologies................................................................................................. 844
Stack Group/Port Numbers..............................................................................................................846
Configuring a Switch Stack.............................................................................................................. 847
Stacking Prerequisites................................................................................................................. 847
Cabling Stacked Switches.......................................................................................................... 848
Accessing the CLI....................................................................................................................... 848
Configuring and Bringing Up a Stack.........................................................................................849
Removing a Switch from a Stack................................................................................................852
Adding a Stack Unit.....................................................................................................................852
Merging Two Stacks....................................................................................................................853
Splitting a Stack...........................................................................................................................854
Managing Redundant Stack Management.................................................................................854
Resetting a Unit on a Stack.........................................................................................................854
Verify a Stack Configuration.............................................................................................................855
Using Show Commands............................................................................................................. 855
Troubleshooting a Switch Stack...................................................................................................... 858
Failure Scenarios...............................................................................................................................859
Stack Member Fails
Unplugged Stacking Cable
Master Switch Fails
Stack-Link Flapping Error
Master Switch Recovers from Failure
Stack Unit in Card-Problem State Due to Incorrect Dell Networking OS Version
Stack Unit in Card-Problem State Due to Configuration Mismatch.........................................859
Upgrading a Switch Stack.................................................................................................................862
Upgrading a Single Stack Unit..........................................................................................................863
50 Storm Control.................................................................................................865
Configure Storm Control................................................................................................................. 865
Configuring Storm Control from INTERFACE Mode.................................................................865
Configuring Storm Control from CONFIGURATION Mode......................................................865
51 Spanning Tree Protocol (STP)......................................................................866
Protocol Overview............................................................................................................................866
Configure Spanning Tree................................................................................................................. 866
Related Configuration Tasks...................................................................................................... 866
Important Points to Remember................................................................................................. 867
Configuring Interfaces for Layer 2 Mode.........................................................................................867
Enabling Spanning Tree Protocol Globally......................................................................................868
Adding an Interface to the Spanning Tree Group........................................................................... 870
Removing an Interface from the Spanning Tree Group.................................................................. 871
Modifying Global Parameters........................................................................................................... 871
Modifying Interface STP Parameters................................................................................................872
Enabling PortFast.............................................................................................................................. 873
Prevent Network Disruptions with BPDU Guard....................................................................... 873
Global BPDU Filtering....................................................................................................................... 876
Interface BPDU Filtering............................................................................................................. 876
Selecting STP Root............................................................................................................................877
STP Root Guard................................................................................................................................ 878
Root Guard Scenario.................................................................................................................. 878
Configuring Root Guard............................................................................................................. 879
SNMP Traps for Root Elections and Topology Changes................................................................ 880
Displaying STP Guard Configuration............................................................................................... 880
52 System Time and Date...................................................................................881
Network Time Protocol.................................................................................................................... 881
Protocol Overview...................................................................................................................... 882
Configure the Network Time Protocol...................................................................................... 883
Enabling NTP...............................................................................................................................883
Setting the Hardware Clock with the Time Derived from NTP.................................................883
Configuring NTP Broadcasts......................................................................................................884
Disabling NTP on an Interface................................................................................................... 884
Configuring a Source IP Address for NTP Packets....................................................................884
Configuring NTP Authentication................................................................................................885
Dell Networking OS Time and Date.................................................................................................887
Configuration Task List .............................................................................................................. 887
Set Daylight Saving Time............................................................................................................ 889
53 Tunneling ........................................................................................................892
Configuring a Tunnel........................................................................................................................892
Configuring Tunnel keepalive.......................................................................................................... 893
Configuring the ip and ipv6 unnumbered....................................................................................... 894
Configuring the Tunnel allow-remote............................................................................................ 894
Configuring the tunnel source anylocal.......................................................................................... 895
54 Uplink Failure Detection (UFD)................................................................... 896
Feature Description.......................................................................................................................... 896
How Uplink Failure Detection Works...............................................................................................897
UFD and NIC Teaming..................................................................................................................... 898
Important Points to Remember....................................................................................................... 898
Configuring Uplink Failure Detection.............................................................................................. 899
Clearing a UFD-Disabled Interface.................................................................................................. 901
Displaying Uplink Failure Detection.................................................................................................902
Sample Configuration: Uplink Failure Detection............................................................................ 904
55 Upgrade Procedures..................................................................................... 906
Get Help with Upgrades...................................................................................................................906
56 Virtual LANs (VLANs)......................................................................................907
Default VLAN.....................................................................................................................................907
Port-Based VLANs...................................................................................................................... 908
VLANs and Port Tagging.............................................................................................................908
Configuration Task List...............................................................................................................909
Configuring Native VLANs...........................................................................................................913
Enabling Null VLAN as the Default VLAN......................................................................................... 914
57 Virtual Link Trunking (VLT)........................................................................... 915
Overview............................................................................................................................................915
Multi-domain VLT........................................................................................................................916
VLT Terminology............................................................................................................................... 917
Configure Virtual Link Trunking........................................................................................................ 917
Important Points to Remember.................................................................................................. 917
Configuration Notes....................................................................................................................918
RSTP and VLT.............................................................................................................................. 922
VLT Bandwidth Monitoring.........................................................................................................922
VLT and IGMP Snooping.............................................................................................................923
VLT Port Delayed Restoration.................................................................................................... 923
PIM-Sparse Mode Support on VLT.............................................................................................923
VLT Multicast............................................................................................................................... 925
VLT Unicast Routing................................................................................................................... 926
Non-VLT ARP Sync..................................................................................................................... 927
RSTP Configuration...........................................................................................................................927
Preventing Forwarding Loops in a VLT Domain........................................................................ 928
Sample RSTP Configuration....................................................................................................... 928
Configuring VLT.......................................................................................................................... 929
Configuring a VLT Interconnect.................................................................................................929
Configuring a VLT Backup Link.................................................................................................. 930
Configuring a VLT Port Delay Period......................................................................................... 930
Reconfiguring the Default VLT Settings (Optional) .................................................................. 930
Connecting a VLT Domain to an Attached Access Device (Switch or Server)......................... 931
Configuring a VLT VLAN Peer-Down (Optional)....................................................................... 932
Configure Multi-domain VLT (mVLT) (Optional)....................................................................... 933
Verifying a VLT Configuration.....................................................................................................935
Connecting a VLT Domain......................................................................................................... 939
mVLT Configuration Example.......................................................................................................... 943
In Domain 1, configure the VLT domain and VLTi on Peer 1
Configure mVLT on Peer 1
Add links to the mVLT port-channel on Peer 1
Next, configure the VLT domain and VLTi on Peer 2
Configure mVLT on Peer 2
Add links to the mVLT port-channel on Peer 2
In Domain 2, configure the VLT domain and VLTi on Peer 3
Configure mVLT on Peer 3
Add links to the mVLT port-channel on Peer 3
Configure the VLT domain and VLTi on Peer 4
Configure mVLT on Peer 4
Add links to the mVLT port-channel on Peer 4...............................................................944
PIM-Sparse Mode Configuration Example...................................................................................... 945
Additional VLT Sample Configurations............................................................................................ 946
Configuring Virtual Link Trunking (VLT Peer 1)
Configuring Virtual Link Trunking (VLT Peer 2)
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)....................946
Troubleshooting VLT........................................................................................................................948
Specifying VLT Nodes in a PVLAN....................................................................................................950
Association of VLTi as a Member of a PVLAN............................................................................ 951
MAC Synchronization for VLT Nodes in a PVLAN......................................................................951
PVLAN Operations When One VLT Peer is Down..................................................................... 952
PVLAN Operations When a VLT Peer is Restarted..................................................................... 952
Interoperation of VLT Nodes in a PVLAN with ARP Requests................................................... 952
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........953
Configuring a VLT VLAN or LAG in a PVLAN................................................................................... 954
Creating a VLT LAG or a VLT VLAN............................................................................................ 954
Associating the VLT LAG or VLT VLAN in a PVLAN....................................................................955
Proxy ARP Capability on VLT Peer Nodes........................................................................................956
Working of Proxy ARP for VLT Peer Nodes................................................................................957
58 Virtual Router Redundancy Protocol (VRRP)........................................... 959
VRRP Overview................................................................................................................................. 959
VRRP Benefits................................................................................................................................... 960
VRRP Implementation...................................................................................................................... 960
VRRP Configuration.......................................................................................................................... 961
Configuration Task List............................................................................................................... 961
Setting VRRP Initialization Delay................................................................................................ 970
Sample Configurations......................................................................................................................971
VRRP for an IPv4 Configuration..................................................................................................971
59 Standards Compliance..................................................................................974
IEEE Compliance...............................................................................................................................974
RFC and I-D Compliance..................................................................................................................975
General Internet Protocols............................................................................................................... 975
General IPv4 Protocols..................................................................................................................... 975
Border Gateway Protocol (BGP).......................................................................................................976
Open Shortest Path First (OSPF)....................................................................................................... 977
Routing Information Protocol (RIP)..................................................................................................977
Network Management...................................................................................................................... 977
MIB Location..................................................................................................................................... 981
60 FC Flex IO Modules........................................................................................982
FC Flex IO Modules...........................................................................................................................982
Understanding and Working of the FC Flex IO Modules................................................................ 982
FC Flex IO Modules Overview.................................................................................................... 982
FC Flex IO Module Capabilities and Operations........................................................................984
Guidelines for Working with FC Flex IO Modules..................................................................... 984
Processing of Data Traffic.......................................................................................................... 986
Installing and Configuring the Switch........................................................................................ 987
Interconnectivity of FC Flex IO Modules with Cisco MDS Switches........................................ 990
Data Center Bridging (DCB)..............................................................................................................991
Ethernet Enhancements in Data Center Bridging......................................................................991
Enabling Data Center Bridging...................................................................................................999
QoS dot1p Traffic Classification and Queue Assignment.......................................................1000
Configure Enhanced Transmission Selection..........................................................................1001
Configure a DCBx Operation................................................................................................... 1003
Verifying the DCB Configuration.............................................................................................. 1013
PFC and ETS Configuration Examples..................................................................................... 1023
Using PFC and ETS to Manage Data Center Traffic.................................................................1023
Fibre Channel over Ethernet for FC Flex IO Modules................................................................... 1028
NPIV Proxy Gateway for FC Flex IO Modules................................................................................1028
NPIV Proxy Gateway Configuration on FC Flex IO Modules ................................................. 1028
NPIV Proxy Gateway Operations and Capabilities.................................................................. 1029
Configuring an NPIV Proxy Gateway....................................................................................... 1033
Displaying NPIV Proxy Gateway Information.......................................................................... 1039
1 About this Guide
This guide describes the supported protocols and software features, and provides configuration
instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module.
The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information
about how to install and perform the initial switch configuration, refer to the Getting Started Guides on
the Dell Support website at http://support.dell.com/manuals.
Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Dell Networking systems. For complete information
about protocols, refer to related documentation, including IETF requests for comments (RFCs). The
instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list
of the supported RFCs and management information base files (MIBs).
Audience
This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes knowledge in Layer 2 and Layer 3 networking technologies.
Conventions
This guide uses the following conventions to describe command syntax.
Keyword      Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
x|y          Keywords and parameters separated by a bar require you to choose one option.
x||y         Keywords and parameters separated by a double bar allow you to choose any or all of the options.
Information Symbols
This book uses the following information symbols.
NOTE: The Note icon signals important operational information.
CAUTION: The Caution icon signals information about situations that could result in equipment
damage or loss of data.
WARNING: The Warning icon signals information about hardware handling that could result in
injury.
* (Exception). This symbol is a note associated with additional text on the page that is marked with an
asterisk.
Related Documents
For more information about the Dell Networking MXL 10/40GbE Switch IO Module, refer to the following
documents:
• Dell Networking OS Command Reference
• Dell Quick Start Guide
• Dell Networking OS Release Notes
2 Configuration Fundamentals
The Dell Networking operating system command line interface (CLI) is a text-based interface you can use
to configure interfaces and protocols.
The CLI is structured in modes for security and management purposes. Different sets of commands are
available in each mode, and you can limit user access to modes using privilege levels.
In the Dell Networking OS, a configuration command takes effect as soon as you enter it and is recorded in
the running configuration file. You can view the current configuration for the whole system or for a
particular CLI mode. The running configuration is not preserved across a reload; to keep it, copy it to the
startup configuration (copy running-config startup-config) or to another location. For more information,
refer to Save the Running-Configuration.
NOTE: You can use the chassis management controller (CMC) out-of-band management interface
to access and manage an MXL Switch using the CLI. For information about how to access the CMC
to configure an MXL Switch, refer to the Dell Chassis Management Controller (CMC) User's Guide
on the Dell Support website.
Accessing the Command Line
Access the CLI through the serial console port or through a network session. Telnet, shown in the following
example, sends the login credentials and every subsequent command in cleartext; on any network you do not
fully trust, use SSH (refer to the Security chapter) or the serial console instead.
When the system successfully boots, enter the command line in EXEC mode.
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
Dell>
CLI Modes
Different sets of commands are available in each mode.
A command found in one mode cannot be executed from another mode, with one exception: an EXEC mode
command can be run from any configuration mode by preceding it with the do command (refer to The do
Command section).
You can set user access rights to commands and command modes using privilege levels; for more
information about privilege levels and security options, refer to the Privilege Levels Overview section in
the Security chapter.
The CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a
  limited selection of commands is available, notably the show commands, which allow you to view
  system information.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration
  files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is
  unrestricted. Because this level is unrestricted, configure a password for it before the switch is
  reachable over a management network; refer to the Configure the Enable Password section in the
  Getting Started chapter.
• CONFIGURATION mode allows you to configure security features, time settings, logging and SNMP
  functions, static ARP and MAC addresses, and line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The
following example shows the submode command structure. Two sub-CONFIGURATION modes are
important when configuring the chassis for the first time:
• INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP
  services specific to an interface. An interface can be physical (Management interface, 10 Gigabit
  Ethernet, 40 Gigabit Ethernet, or synchronous optical network technologies [SONET]) or logical
  (Loopback, Null, port channel, or virtual local area network [VLAN]).
• LINE sub-mode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For
example, when you are in CONFIGURATION mode, entering the question mark first lists all available
commands, including the possible submodes.
The CLI modes are:
EXEC
  EXEC Privilege
    CONFIGURATION
      INTERFACE
        TEN GIGABIT ETHERNET
        FORTY GIGABIT ETHERNET
        INTERFACE RANGE
        LOOPBACK
        MANAGEMENT ETHERNET
        MONITOR SESSION
        NULL
        PORT-CHANNEL
        VLAN
      IP
        IP ACCESS-LIST
          STANDARD ACCESS-LIST
          EXTENDED ACCESS-LIST
      LINE
        CONSOLE
        VIRTUAL TERMINAL
      MAC ACCESS-LIST
      MONITOR SESSION
      MULTIPLE SPANNING TREE
      PROTOCOL GVRP
      PROTOCOL LLDP
      PER-VLAN SPANNING TREE
      RAPID SPANNING TREE
      ROUTE-MAP
      ROUTER OSPF
      ROUTER RIP
      SPANNING TREE
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode.
The following table lists each CLI mode, its prompt, and how to access and exit it. Move linearly through
the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and
the exit command, which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers
to identify the mode and slot/port information.
Table 1. Dell Networking OS Command Modes

CLI Command Mode               Prompt                                      Access Command
EXEC                           Dell>                                       Access the router through the console or Telnet.
EXEC Privilege                 Dell#                                       From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION                  Dell(conf)#                                 From EXEC Privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.

NOTE: Access all of the following modes from CONFIGURATION mode.

AS-PATH ACL                    Dell(config-as-path)#                       ip as-path access-list
Gigabit Ethernet Interface     Dell(conf-if-gi-0/0)#                       interface (INTERFACE modes)
10 Gigabit Ethernet Interface  Dell(conf-if-te-0/0)#                       interface (INTERFACE modes)
Interface Range                Dell(conf-if-range)#                        interface (INTERFACE modes)
Loopback Interface             Dell(conf-if-lo-0)#                         interface (INTERFACE modes)
Management Ethernet Interface  Dell(conf-if-ma-0/0)#                       interface (INTERFACE modes)
Null Interface                 Dell(conf-if-nu-0)#                         interface (INTERFACE modes)
Port-channel Interface         Dell(conf-if-po-0)#                         interface (INTERFACE modes)
Tunnel Interface               Dell(conf-if-tu-0)#                         interface (INTERFACE modes)
VLAN Interface                 Dell(conf-if-vl-0)#                         interface (INTERFACE modes)
STANDARD ACCESS-LIST           Dell(config-std-nacl)#                      ip access-list standard (IP ACCESS-LIST modes)
EXTENDED ACCESS-LIST           Dell(config-ext-nacl)#                      ip access-list extended (IP ACCESS-LIST modes)
IP COMMUNITY-LIST              Dell(config-community-list)#                ip community-list
AUXILIARY                      Dell(config-line-aux)#                      line (LINE modes)
CONSOLE                        Dell(config-line-console)#                  line (LINE modes)
VIRTUAL TERMINAL               Dell(config-line-vty)#                      line (LINE modes)
STANDARD ACCESS-LIST           Dell(config-std-macl)#                      mac access-list standard (MAC ACCESS-LIST modes)
EXTENDED ACCESS-LIST           Dell(config-ext-macl)#                      mac access-list extended (MAC ACCESS-LIST modes)
MULTIPLE SPANNING TREE         Dell(config-mstp)#                          protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus    Dell(config-pvst)#                          protocol spanning-tree pvst
PREFIX-LIST                    Dell(conf-nprefixl)#                        ip prefix-list
RAPID SPANNING TREE            Dell(config-rstp)#                          protocol spanning-tree rstp
REDIRECT                       Dell(conf-redirect-list)#                   ip redirect-list
ROUTE-MAP                      Dell(config-route-map)#                     route-map
ROUTER BGP                     Dell(conf-router_bgp)#                      router bgp
BGP ADDRESS-FAMILY             Dell(conf-router_bgp_af)# (for IPv4)        address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP mode)
                               Dell(conf-router_bgpv6_af)# (for IPv6)
ROUTER ISIS                    Dell(conf-router_isis)#                     router isis
ISIS ADDRESS-FAMILY            Dell(conf-router_isis-af_ipv6)#             address-family ipv6 unicast (ROUTER ISIS mode)
ROUTER OSPF                    Dell(conf-router_ospf)#                     router ospf
ROUTER OSPFV3                  Dell(conf-ipv6-router_ospf)#                ipv6 router ospf
ROUTER RIP                     Dell(conf-router_rip)#                      router rip
SPANNING TREE                  Dell(config-span)#                          protocol spanning-tree 0
TRACE-LIST                     Dell(conf-trace-acl)#                       ip trace-list
CLASS-MAP                      Dell(config-class-map)#                     class-map
CONTROL-PLANE                  Dell(conf-control-cpuqos)#                  control-plane-cpuqos
DCB POLICY                     Dell(conf-dcb-in)# (for input policy)       dcb-input (for input policy)
                               Dell(conf-dcb-out)# (for output policy)     dcb-output (for output policy)
DHCP                           Dell(config-dhcp)#                          ip dhcp server
DHCP POOL                      Dell(config-dhcp-pool-name)#                pool (DHCP mode)
ECMP                           Dell(conf-ecmp-group-ecmp-group-id)#        ecmp-group
EIS                            Dell(conf-mgmt-eis)#                        management egress-interface-selection
FRRP                           Dell(conf-frrp-ring-id)#                    protocol frrp
LLDP                           Dell(conf-lldp)# or Dell(conf-if-interface-lldp)#     protocol lldp (CONFIGURATION or INTERFACE modes)
LLDP MANAGEMENT INTERFACE      Dell(conf-lldp-mgmtIf)#                     management-interface (LLDP mode)
LINE                           Dell(config-line-console)# or Dell(config-line-vty)#   line console or line vty
MONITOR SESSION                Dell(conf-mon-sess-sessionID)#              monitor session
OPENFLOW INSTANCE              Dell(conf-of-instance-of-id)#               openflow of-instance
PORT-CHANNEL FAILOVER GROUP    Dell(conf-po-failover-grp)#                 port-channel failover-group
PRIORITY GROUP                 Dell(conf-pg)#                              priority-group
PROTOCOL GVRP                  Dell(config-gvrp)#                          protocol gvrp
QOS POLICY                     Dell(conf-qos-policy-out-ets)#              qos-policy-output
VLT DOMAIN                     Dell(conf-vlt-domain)#                      vlt domain
VRRP                           Dell(conf-if-interface-type-slot/port-vrid-vrrp-group-id)#   vrrp-group
u-Boot                         Dell(=>)#                                   Press any key when the line "Hit any key to stop autoboot:" appears on the console during a system boot.
UPLINK STATE GROUP             Dell(conf-uplink-state-group-groupID)#      uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to
PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#
The do Command
You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION,
INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC
mode command with the do command.
The following example shows the output of the do command.
NOTE: The following commands cannot be modified by the do command: enable, disable, exit, and configure.
Dell(conf)#do show system brief
Stack MAC : 00:1e:c9:f1:04:22
Reload Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit  UnitType    Status       ReqTyp        CurTyp        Version    Ports
---------------------------------------------------------------------------
0     Management  online       MXL-10/40GbE  MXL-10/40GbE  8-3-16-47  56
1     Member      not present
2     Member      not present
3     Member      not present
4     Member      not present
5     Member      not present
Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
In the following example, the first show config output shows the assigned IP address, the no ip address command is the no form of the ip address command, and the second show config output shows the IP address removed.
Example of Viewing Disabled Commands
Dell(conf)#interface gigabitethernet 4/17
Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
ip address 192.168.10.1/24
no shutdown
Dell(conf-if-gi-4/17)#no ip address
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
no ip address
no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command.
For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
• Entering ? after a prompt lists all of the available keywords. The output of this command is the same for the help command.
Dell#?
start      Start Shell
capture    Capture Packet
cd         Change current directory
clear      Reset functions
clock      Manage the system clock
configure  Configuring from terminal
copy       Copy from one file to another
--More--
• Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map  clock
Dell(conf)#cl
• Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time  Configure summer (daylight savings) time
timezone     Configure time zone
Dell(conf)#clock
Entering and Editing Commands
Notes for entering commands.
• The CLI is not case-sensitive.
• You can enter partial CLI keywords.
– Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
• The UP and DOWN arrow keys display previously entered commands (refer to Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line. The following list describes these short-cut key combinations.
Short-Cut Key Combination   Action
CNTL-A   Moves the cursor to the beginning of the command line.
CNTL-B   Moves the cursor back one character.
CNTL-D   Deletes character at cursor.
CNTL-E   Moves the cursor to the end of the line.
CNTL-F   Moves the cursor forward one character.
CNTL-I   Completes a keyword.
CNTL-K   Deletes all characters from the cursor to the end of the command line.
CNTL-L   Re-enters the previous command.
CNTL-N   Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P   Recalls commands, beginning with the last command.
CNTL-R   Re-enters the previous command.
CNTL-U   Deletes the line.
CNTL-W   Deletes the previous word.
CNTL-X   Deletes the line.
CNTL-Z   Ends continuous scrolling of command outputs.
Esc B    Moves the cursor back one word.
Esc F    Moves the cursor forward one word.
Esc D    Deletes all characters from the cursor to the end of the word.
Command History
The Dell Networking OS maintains a history of previously-entered commands for each mode. For example:
• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find |
grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.
Starting with the Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For example, the commands:
• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface GigabitEthernet 0/0.
• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing the specified text. The following shows this command used in combination with the do show stack-unit all stack-ports all pfc details | grep 0 command.
Dell(conf)#do show stack-unit all stack-ports all pfc details | grep 0
stack unit 0 stack-port all
0 Pause Tx pkts, 0 Pause Rx pkts
0 Pause Tx pkts, 0 Pause Rx pkts
0 Pause Tx pkts, 0 Pause Rx pkts
0 Pause Tx pkts, 0 Pause Rx pkts
0 Pause Tx pkts, 0 Pause Rx pkts
0 Pause Tx pkts, 0 Pause Rx pkts
NOTE: The Dell Networking OS accepts a space or no space before and after the pipe. To filter a
phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows
this command used in combination with the do show stack-unit all stack-ports all pfc
details | except 0 command.
Example of the except Keyword
Dell(conf)#do show stack-unit all stack-ports all pfc details | except 0
Admin mode is On
Admin is enabled
Local is enabled
Link Delay 45556 pause quantum
stack unit 1 stack-port all
Admin mode is On
Admin is enabled
The find keyword displays the output of the show command beginning from the first occurrence of the specified text.
Example of the find Keyword
Dell(conf)#do show stack-unit all stack-ports all pfc details | find 0
stack unit 0 stack-port all
Admin mode is On
Admin is enabled
Local is enabled
Link Delay 45556 pause quantum
0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
The no-more command displays the output all at once rather than one screen at a time. This is similar to
the terminal length command except that the no-more option affects the output of the specified
command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:
Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save
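As an added example (not part of the Dell guide), the following Python function applies the grep, except, find, no-more and save filter semantics described above to captured show output offline, including the ignore-case sub-option, double-quoted phrases and the rule that save must come last; the sample output is constructed from the pfc details fragments shown in this section.

```python
import re
import shlex
from typing import Callable, List

# Constructed sample modelled on the `show stack-unit all stack-ports all pfc
# details` fragments shown in this section (not a real capture).
SAMPLE_OUTPUT = """stack unit 0 stack-port all
Admin mode is On
Admin is enabled
Local is enabled
Link Delay 45556 pause quantum
0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
Admin mode is On
Admin is enabled
"""


def _matcher(pattern: str, ignore_case: bool) -> Callable[[str], bool]:
    """specified_text is treated as a regular expression, as the guide's
    `| grep regular-expression` example implies; case-sensitive by default."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda line: rx.search(line) is not None


def apply_filter_chain(output: str, filter_expr: str) -> List[str]:
    """Apply a chain such as '| grep Ethernet ignore-case | except foo | find bar'
    to `output` and return the surviving lines.

    Semantics follow the section above: grep keeps matching lines, except drops
    them, find keeps everything from the first match onward, no-more only
    affects paging (a no-op here), and save must be the last option (on the
    switch it writes the result to a file; here it is only validated)."""
    lines = output.splitlines()
    stages = [s.strip() for s in filter_expr.split("|") if s.strip()]
    for index, stage in enumerate(stages):
        tokens = shlex.split(stage)  # double quotes group phrases with spaces
        keyword, args = tokens[0], tokens[1:]
        if keyword == "no-more":
            continue
        if keyword == "save":
            if index != len(stages) - 1:
                raise ValueError("save must be the last filter option")
            continue
        if not args:
            raise ValueError(f"{keyword} requires specified_text")
        ignore_case = False
        if keyword == "grep" and args[-1] == "ignore-case":
            ignore_case = True
            args = args[:-1]
        match = _matcher(" ".join(args), ignore_case)
        if keyword == "grep":
            lines = [line for line in lines if match(line)]
        elif keyword == "except":
            lines = [line for line in lines if not match(line)]
        elif keyword == "find":
            first = next((i for i, line in enumerate(lines) if match(line)), None)
            lines = [] if first is None else lines[first:]
        else:
            raise ValueError(f"unknown filter keyword {keyword!r}")
    return lines


if __name__ == "__main__":
    for expr in ("| grep 0", "| except 0", "| find 1", "| grep admin ignore-case"):
        print(f"{expr!r} ->", apply_filter_chain(SAMPLE_OUTPUT, expr))
```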
Multiple Users in Configuration Mode
Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY
connection, the IP address of the terminal on which the connection was established. For example:
• On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system:
User "<username>" on line console0
• On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
3 Getting Started
This chapter describes how you start configuring your system.
When you power up the chassis, the system performs a power-on self test (POST) during which the route
processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs)
blink green. The system then loads the Dell Networking operating system. Boot messages scroll up the
terminal window during this process. No user interaction is required if the boot process proceeds without
interruption.
When the boot process completes, the RPM and line card status LEDs remain online (green) and the
console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line
section in the Configuration Fundamentals chapter.
Console Access
The MXL 10/40GbE Switch IO Module has two management ports available for system access: a serial console port and an out-of-band (OOB) port.
Serial Console
A universal serial bus (USB) (A-Type) connector is located at the front panel. The USB can be defined as
an External Serial Console (RS-232) port, and is labeled on the MXL 10/40GbE Switch IO Module chassis.
The USB is present on the lower side, as you face the I/O side of the chassis, as shown.
Figure: Serial Console
External Serial Port with a USB Connector
The following table lists the pin assignments.
Table 2. Pin Assignments
USB Pin Number   Signal Name
Pin 1            RTS
Pin 2            RX (RxD)
Pin 3            TX
Pin 4            CTS
Pin 5, 6         GND (Chassis GND)
Accessing the CLI Interface and Running Scripts Using
SSH
In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files. This method of connectivity is supported on the MXL switch and provides a reliable, safe communication mechanism.
Entering CLI Commands Using an SSH Connection
You can run CLI commands by entering either of the following syntaxes to connect to a switch using the preconfigured user credentials over SSH:
ssh username@hostname <CLI Command>
or
echo <CLI Command> | ssh admin@hostname
The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the
screen non-interactively.
Executing Local CLI Scripts Using an SSH Connection
You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname <CLIscript.file>
or
cat < CLIscript.file > | ssh admin@hostname
The script is run and the actions contained in the script are performed.
Following are the points to remember when you are trying to establish an SSH session to the device to run commands or script files:
• There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in executing SSH-related scripts.
• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed.
• If you issue an interactive command in the SSH session, the behavior may not really be interactive.
• In some cases, when you use an SSH session and certain show commands such as show tech-support produce large volumes of output, a few characters from the output display are truncated and not displayed. This may cause one of the commands to fail with a syntax error. In such cases, if you add a few newline characters before the failed command, the output displays completely.
Execution of commands on the CLI over SSH does not report the errors that occurred while executing the command. As a result, you cannot identify whether a command has failed to be processed. The console output, though, is redirected back over SSH.
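The following is an added example, not code from the Dell guide: it sends a whole CLI script through one non-interactive SSH session (the `cat CLIscript.file | ssh admin@hostname` form) rather than one session per command, pads each command with newlines as the truncation workaround above suggests, and scans the echoed output for error lines afterwards, since the SSH path itself reports no command failures. The `% Error` / `% Invalid input` markers and the sample session are assumptions and constructed data.

```python
import re
import subprocess
from typing import List, Tuple

# Assumed error markers: Dell Networking OS prints lines beginning with
# "% Error" or "% Invalid input" when a command fails.  This pattern is an
# assumption; adjust it to what your platform actually prints.
ERROR_MARKER = re.compile(r"^%\s*(Error|Invalid input)", re.IGNORECASE)
PROMPT_PREFIX = re.compile(r"^[^#>]*[#>]\s*")  # strips an echoed "hostname#"


def build_script(commands: List[str], padding: int = 2) -> str:
    """Turn a command list into the text piped to `ssh user@host`.

    `padding` blank lines precede each command: the guide's workaround for
    output truncated by large show commands is to add newline characters
    before the command that failed."""
    lines: List[str] = []
    for cmd in commands:
        cmd = cmd.strip()
        if not cmd:
            continue
        lines.extend([""] * padding)
        lines.append(cmd)
    return "\n".join(lines) + "\n"


def find_errors(output: str, commands: List[str]) -> List[Tuple[str, str]]:
    """Pair each error-marker line with the most recently echoed command.

    The SSH path reports no per-command failure status, so the only way to
    know a command failed is to scan the redirected console output."""
    known = {c.strip() for c in commands if c.strip()}
    current = "<none>"
    errors: List[Tuple[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        echoed = PROMPT_PREFIX.sub("", line, count=1)
        if echoed in known:
            current = echoed
        elif ERROR_MARKER.match(line):
            errors.append((current, line))
    return errors


def run_script_over_ssh(host: str, user: str, commands: List[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Equivalent of `cat CLIscript.file | ssh user@host`: one SSH session
    carries the whole batch, which stays well under the 10-session limits
    described above.  Needs network access and SSH credentials for `user`."""
    proc = subprocess.run(
        ["ssh", f"{user}@{host}"],
        input=build_script(commands),
        text=True,
        capture_output=True,
        check=False,
    )
    return proc.stdout, find_errors(proc.stdout, commands)


# Constructed sample of what an SSH session might echo back (not a real
# capture); the error line is invented to exercise find_errors offline.
SAMPLE_COMMANDS = [
    "show running-config | grep hostname",
    "show interfaces port-channel brief",
    "show version",
]
SAMPLE_SESSION = """Dell#show running-config | grep hostname
hostname R1
Dell#show interfaces port-channel brief
% Error: Port-channel 1 is not configured.
Dell#show version
Dell Networking OS version 9.5(0.1)
"""

if __name__ == "__main__":
    for cmd, err in find_errors(SAMPLE_SESSION, SAMPLE_COMMANDS):
        print(f"{cmd!r} failed: {err}")
```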
Boot Process
After you follow the Installation Procedure in the Getting Started Guide, the MXL switch boots up.
The MXL switch with the Dell Networking OS version 8.3.16.1 requires boot flash version 4.0.1.0 and boot
selector version 4.0.0.0. The following example shows the completed boot process.
syncing disks... done
unmounting file systems...
unmounting /f10/flash (/dev/ld0e)...
unmounting /usr (mfs:31)...
unmounting /lib (mfs:23)...
unmounting /f10 (mfs:20)...
unmounting /tmp (mfs:15)...
unmounting /kern (kernfs)...
unmounting / (/dev/md0a)... done
rebooting...
NetLogic XLP Stage 1 Loader
Built by build at tools-sjc-01 on Thu May 31 23:53:38 2012
IOM Boot Selector Label 4.0.0.0
Nodes online: 1
GPIO 22 init'ed as an output
GPIO 23 init'ed as an output
I2C0 speed = 30 KHz, prescaler = 0x0377.
Initialized I2C0 Controller.
I2C1 speed = 100 KHz, prescaler = 0x0109.
Initialized I2C1 Controller.
DDR SPD: Node 0 Channel 0 Mem size = 2048 MB
DDR SPD: Node 0 DRAM frequency 666 MHz
DDR SPD: Node 0 CPU frequency 1200 MHz
RTT Norm:44
NBU0 DRAM BAR0 base: 00000000 limit: 0013f000 xlate: 00000001 node: 00000000 ( 0 MB -> 320 MB, size: 320 MB)
NBU0 DRAM BAR1 base: 001d0000 limit: 0088f000 xlate: 00090001 node: 00000000 ( 464 MB -> 2192 MB, size: 1728 MB)
Modifying Default Flash Address map..Done
Initialized eMMC Host Controller
Detected SD Card
BLC is 1 (preset 10)
Hit any key to stop autoboot: 0
Boot Image selection
Reading the Boot Block Info...Passed !!
Images are OK A:0x0 B:0x0
Boot Selector set to Bootflash Partition A image...
Verifying Copyright Information..success for Image - 0
Boot Selector: Booting Bootflash Partition A image...
Copying stage-2 loader from 0xb6120000 to 0x8c100000(size = 0x100000)
Boot Image selection DONE.
## Starting application at 0x8C100000 ...
U-Boot 2010.03-rc1(Dell Force10)
Built by build at tools-sjc-01 on Thu May 31 23:53:38 2012
IOM Boot Label 4.0.1.0
DRAM: 2 GB
Initialized CPLD on CS3
Detected [XLP308 (Lite+) Rev A0]
Initializing I2C0: speed = 30 KHz, prescaler = 0x0377 -- done.
Initializing I2C1: speed = 100 KHz, prescaler = 0x0109 -- done.
Initialized eMMC Host Controller
Detected SD Card
Now running in RAM - U-Boot [N64 ABI, Big-Endian] at: ffffffff8c100000
Flash: 256 MB
PCIE (B0:D01:F0) : Link up.
PCIE (B0:D01:F1) : No Link.
In: serial
Out: serial
Err: serial
Net: nae-0: PHY is Broadcom BCM54616S
--More--
SOFTWARE IMAGE HEADER DATA :
------------------------------
--More--
Starting Dell Networking application
Welcome to Dell Easy Setup Wizard
The setup wizard guides you through the initial switch configuration, and gets
you up and running as quickly as possible. You can skip the setup wizard, and
enter CLI mode to manually configure the switch. You must respond to the next
question to run the setup wizard within 60 seconds, otherwise the system will
continue with normal operation using the default system configuration.
Note: You can exit the setup wizard at any point by entering [ctrl+c].
Would you like to run the setup wizard (you must answer this question within
60 seconds)? [Y/N]: N
00:00:40: %STKUNIT0-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to
up: Vl 1
00:00:42: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled
causing flow control
to be enabled on all interfaces.
EQL detection and enabling iscsi profile-compellent on an interface may cause
some automatic
configurations to occur like jumbo frames on all ports and no storm control
and spanning tree port-fast on the port of detection
00:00:42: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user on
line console
Dell>en
Password:
Default Configuration
A version of the Dell Networking OS is pre-loaded onto the chassis; however, the system is not
configured when you power up for the first time (except for the default hostname, which is Dell). You
must configure the system using the CLI.
Configuring a Host Name
The host name appears in the prompt. The default host name is Dell.
•
Host names must start with a letter and end with a letter or digit.
•
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the following command.
•
Create a host name.
CONFIGURATION mode
hostname name
Example of the hostname Command
Dell(conf)#hostname R1
R1(conf)#
Accessing the System Remotely
You can configure the system to access it remotely by Telnet or SSH.
The MXL 10/40GbE switch IO module has a dedicated management port and a management routing
table that is separate from the IP routing table.
Accessing the MXL Switch Remotely
Configuring the system for Telnet is a three-step process, as described in the following topics:
1. Configure an IP address for the management port (Configure the Management Port IP Address).
2. Configure a management route with a default gateway (Configure a Management Route).
3. Configure a username and password (Configure a Username and Password).
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1. Enter INTERFACE mode for the Management port.
CONFIGURATION mode
interface ManagementEthernet slot/port
• slot: the range is 0.
• port: the range is 0.
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
• ip-address: an address in dotted-decimal format (A.B.C.D).
• mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the system through the
management port.
To configure a management route, use the following command.
• Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode
management route ip-address/mask gateway
– ip-address: the network address in dotted-decimal format (A.B.C.D).
– mask: a subnet mask in /prefix-length format (/xx).
– gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, configure a system username and password.
To configure a system username and password, use the following command.
• Configure a username and password to access the system remotely.
CONFIGURATION mode
username username password [encryption-type] password
– encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default.
Configure a password as a basic security measure.
There are two types of enable passwords:
• enable password stores the password in the running/startup configuration using a DES encryption method.
• enable secret is stored in the running/startup configuration using a stronger, MD5 encryption method.
Dell Networking recommends using the enable secret password.
To configure an enable password, use the following command.
• Create a password to access EXEC Privilege mode.
CONFIGURATION mode
enable [password | secret] [level level] [encryption-type] password
– level: is the privilege level, is 15 by default, and is not required.
– encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable password.
* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable secret password.
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from EXEC Privilege mode.
NOTE: Using flash memory cards in the system that have not been approved by Dell Networking
can cause unexpected system behavior, including a reboot.
Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command
Line Reference Guide.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
• To copy a remote file to a Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Internal flash (flash):
  source-file-url syntax: copy flash://filename
  destination-file-url syntax: flash://filename
USB flash (usbflash):
  source-file-url syntax: copy usbflash://filename
  destination-file-url syntax: usbflash://filename
FTP server (remote file location):
  source-file-url syntax: copy ftp://username:password@{hostip | hostname}/filepath/filename
  destination-file-url syntax: ftp://username:password@{hostip | hostname}/filepath/filename
TFTP server (remote file location):
  source-file-url syntax: copy tftp://{hostip | hostname}/filepath/filename
  destination-file-url syntax: tftp://{hostip | hostname}/filepath/filename
SCP server (remote file location):
  source-file-url syntax: copy scp://{hostip | hostname}/filepath/filename
  destination-file-url syntax: scp://{hostip | hostname}/filepath/filename
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a hostname if you configured a domain name server (DNS) server.
NOTE: If all of the following conditions are true, the Portmode Hybrid configuration is not applied,
because of the configuration process for server ports as switch ports by default:
• The running configuration is saved in flash.
• The startup configuration is deleted.
• The switch is reloaded.
• The saved configuration is copied to the running configuration.
To avoid this scenario, delete the switch port configuration from the running configuration before
copying the saved configuration to the running configuration.
Example of Copying a File to an FTP Server
In the example, flash:// is the local location and ftp:// is the remote location.
Dell#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0.bin flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
Save the Running-Configuration
The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration.
The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the IOM by default, but you can save it to a USB flash device or a remote server.
The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-config and running-config. These commands assume that the current directory is the internal flash, which is the system default.
• Save the running-config to the startup-configuration on the internal flash.
EXEC Privilege mode
copy running-config startup-config
• Save the running-configuration to the USB flash on the IOM.
EXEC Privilege mode
copy running-config usbflash://filename
• Save the running-configuration to an FTP server.
EXEC Privilege mode
copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
• Save the running-configuration to a TFTP server.
EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/filepath/filename
• Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, you can only use a host name if you have configured a DNS server.
• Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. Then copy the new startup-config file to the external flash of the primary RPM.
EXEC Privilege mode
copy running-config startup-config duplicate
Dell Networking OS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another chassis, the startup-configuration is stored as a backup file (with the extension .bak), and a new, empty startup-configuration file is created. To restore your original startup-configuration in this situation, overwrite the new startup-configuration with the original one using the copy startup-config.bak startup-config command.
Viewing Files
You can only view file information and content on local file systems.
To view a list of files or the contents of a file, use the following commands.
• View a list of files on the internal flash.
EXEC Privilege mode
dir flash:
• View a list of files on the usbflash.
EXEC Privilege mode
dir usbflash:
• View the contents of a file in the internal flash.
EXEC Privilege mode
show file flash://filename
• View the contents of a file in the usb flash.
EXEC Privilege mode
show file usbflash://filename
• View the running-configuration.
EXEC Privilege mode
show running-config
• View the startup-configuration.
EXEC Privilege mode
show startup-config
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of
modification for each file.
Dell#dir
Directory of flash:
 1 drwx      4096 Jan 01 1980 00:00:00 +00:00 .
 2 drwx      2048 May 10 2011 14:45:15 +00:00 ..
 3 drwx      4096 Feb 17 2011 00:28:00 +00:00 TRACE_LOG_DIR
 4 drwx      4096 Feb 17 2011 00:28:02 +00:00 CORE_DUMP_DIR
 5 d---      4096 Feb 17 2011 00:28:02 +00:00 ADMIN_DIR
 6 -rwx      1272 Apr 29 2011 16:15:14 +00:00 startup-config
 7 -rwx     10093 Feb 17 2011 20:48:02 +00:00 abhi-jan26.cfg
 8 -rwx    217155 Feb 22 2011 23:14:34 +00:00 show-tech-cfg.txt
 9 -rwx      5162 Mar 02 2011 04:02:58 +00:00 runn-feb6
10 -rwx     10507 Mar 03 2011 01:17:16 +00:00 abhi-feb7.cfg
11 -rwx         4 May 06 2011 22:05:06 +00:00 dhcpBindConflict
12 -rwx      6900 Feb 17 2011 04:43:12 +00:00 startup-config.bak
13 -rwx   1244038 Feb 13 2011 04:27:16 +00:00 f10cp_sysd_110213042625.acore.gz
flash: 2143281152 bytes total (2123755520 bytes free)
--More--
View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following
example, to help you track the last time any user made a change to the file, which user made the
changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last
configuration change,” and “Startup-config last updated,” you have made changes that have not been
saved and will not be preserved after a system reboot.
Example of the show running-config Command
Dell#show running-config
Current Configuration ...
! Version E8-3-16-0
! Last configuration change at Tue Mar 6 11:51:50 2012 by default
! Startup-config last updated at Tue Mar 6 07:41:23 2012 by default
!
boot system stack-unit 5 primary tftp://10.11.200.241/dt-m1000e-3-a2
boot system stack-unit 5 secondary system: B:
boot system stack-unit 5 default tftp://10.11.200.241/dt-m1000e-3-b2
boot system gateway 10.11.209.254
--More--
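As an added example that is not part of the Dell guide, the Python below audits a saved copy of show running-config for two things this chapter describes: the weak credential forms from Configuring a Username and Password and Configuring the Enable Password (clear-text encryption-type 0, enable password instead of enable secret, no enable password at all), and the comparison of the "Last configuration change" and "Startup-config last updated" header lines from View Configuration Files that reveals unsaved changes. The line-shape regular expressions are derived from the command syntax given above and the sample configuration is constructed.

```python
import re
from datetime import datetime
from typing import Dict, List

# Header lines as in the show running-config example above, e.g.
# "! Last configuration change at Tue Mar 6 11:51:50 2012 by default"
HEADER_RX = re.compile(
    r"^!\s*(Last configuration change|Startup-config last updated) at (.+?) by (\S+)\s*$"
)
STAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Assumed line shapes, built from the command syntax given in this chapter:
#   username NAME [privilege N] password [ENC] PASSWORD
#   enable {password | secret} [level N] [ENC] PASSWORD
USERNAME_RX = re.compile(r"^username\s+(\S+)\s+(?:privilege\s+\d+\s+)?password\s+(?:(\d)\s+)?(\S+)")
ENABLE_RX = re.compile(r"^enable\s+(password|secret)\s+(?:level\s+\d+\s+)?(?:(\d)\s+)?(\S+)")


def parse_header_stamps(config: str) -> Dict[str, datetime]:
    """Return the two header timestamps keyed by their label."""
    stamps: Dict[str, datetime] = {}
    for line in config.splitlines():
        m = HEADER_RX.match(line.strip())
        if m:
            stamps[m.group(1)] = datetime.strptime(m.group(2).strip(), STAMP_FMT)
    return stamps


def has_unsaved_changes(config: str) -> bool:
    """True when the last change is newer than the last startup-config save,
    i.e. changes that will not survive a reboot (see View Configuration Files)."""
    stamps = parse_header_stamps(config)
    if len(stamps) < 2:
        return False  # header lines absent: cannot tell
    return stamps["Last configuration change"] > stamps["Startup-config last updated"]


def audit_credentials(config: str) -> List[str]:
    """Flag the weak forms described under Configuring a Username and Password
    and Configuring the Enable Password: clear-text literals (encryption-type 0
    or omitted), `enable password` (DES, type 7) instead of `enable secret`
    (MD5, type 5), and an unrestricted EXEC Privilege mode with neither set."""
    findings: List[str] = []
    saw_enable = False
    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RX.match(line)
        if m:
            user, enc = m.group(1), m.group(2) or "0"
            if enc == "0":
                findings.append(f"username {user}: clear-text password literal (encryption-type 0)")
            continue
        m = ENABLE_RX.match(line)
        if m:
            saw_enable = True
            kind, enc = m.group(1), m.group(2) or "0"
            if kind == "password":
                findings.append("enable password: DES-based storage; the guide recommends enable secret (MD5)")
            if enc == "0":
                findings.append(f"enable {kind}: clear-text password literal (encryption-type 0)")
    if not saw_enable:
        findings.append("no enable password or secret: EXEC Privilege mode is unrestricted")
    return findings


# Constructed sample (not a real device configuration); the header lines copy
# the format of the show running-config example above.
SAMPLE_CONFIG = """Current Configuration ...
! Version E8-3-16-0
! Last configuration change at Tue Mar 6 11:51:50 2012 by default
! Startup-config last updated at Tue Mar 6 07:41:23 2012 by default
!
hostname R1
!
enable password 7 0123456789abcdef
username ops password 0 plaintext-example
username auditor privilege 15 password 7 fedcba9876543210
"""

if __name__ == "__main__":
    print("unsaved changes:", has_unsaved_changes(SAMPLE_CONFIG))
    for finding in audit_credentials(SAMPLE_CONFIG):
        print("finding:", finding)
```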
Managing the File System
The Dell Networking system can use the internal Flash, USB Flash, or remote devices to store files.
The system stores files on the internal Flash by default but you can configure the system to store files
elsewhere.
To view file system information, use the following command.
• View information about each file system.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity,
amount of free memory, file structure, media type, read/write privileges for each storage device in use.
Dell#show file-systems
     Size(b)      Free(b)   Feature       Type   Flags   Prefixes
  2143281152   2000785408     FAT32  USERFLASH      rw   flash:
 15848660992    831594496     FAT32   USBFLASH      rw   usbflash:
           -            -         -    network      rw   ftp:
           -            -         -    network      rw   tftp:
           -            -         -    network      rw   scp:
You can change the default file system so that file management commands apply to a particular device
or memory.
To change the default directory, use the following command.
• Change the default directory.
  EXEC Privilege mode
  cd directory
You can change the default storage location to the USB Flash, as shown. File management commands
then apply to the USB Flash rather than the internal Flash. In the following output, the copy command
specifies no file system, and the file is saved to the USB Flash.
Dell#cd usbflash:
Dell#copy running-config test
!
3998 bytes successfully copied
Dell#dir
Directory of usbflash:
  1  drwx  4096  Jan 01 1980 00:00:00 +00:00 .
  2  drwx  2048  May 02 2012 07:05:06 +00:00 ..
  3  -rwx  1272  Apr 29 2011 16:15:14 +00:00 startup-config
  4  -rwx  3998  May 11 2011 23:36:12 +00:00 test
View the Command History
The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved
to the file.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Dell#show command-history
[5/18 21:58:32]: CMD-(TEL0):[enable]by admin from vty0 (10.11.68.5)
[5/18 21:58:48]: CMD-(TEL0):[configure]by admin from vty0 (10.11.68.5)
- Repeated 1 time.
[5/18 21:58:57]: CMD-(TEL0):[interface port-channel 1]by admin from vty0 (10.11.68.5)
[5/18 21:59:9]: CMD-(TEL0):[show config]by admin from vty0 (10.11.68.5)
[5/18 22:4:32]: CMD-(TEL0):[exit]by admin from vty0 (10.11.68.5)
[5/18 22:4:41]: CMD-(TEL0):[show interfaces port-channel brief]by admin from vty0 (10.11.68.5)
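A parser for the command-history trace format shown above, as an added Python example that is not Dell's code: it handles the unpadded clock fields and the "Repeated N time." continuation, and pivots the records by user and source address for a review of who changed the configuration. The sample text is constructed from the lines on this page; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, assembled from the show command-history lines above.
SAMPLE = """Dell#show command-history
[5/18 21:58:32]: CMD-(TEL0):[enable]by admin from vty0 (10.11.68.5)
[5/18 21:58:48]: CMD-(TEL0):[configure]by admin from vty0 (10.11.68.5)
- Repeated 1 time.
[5/18 21:58:57]: CMD-(TEL0):[interface port-channel 1]by admin from vty0 (10.11.68.5)
[5/18 21:59:9]: CMD-(TEL0):[show config]by admin from vty0 (10.11.68.5)
[5/18 22:4:32]: CMD-(TEL0):[exit]by admin from vty0 (10.11.68.5)
[5/18 22:4:41]: CMD-(TEL0):[show interfaces port-channel brief]by admin from vty0 (10.11.68.5)
"""

# One trace line per executed command. Hours, minutes and seconds are
# not zero-padded in this format (e.g. "21:59:9"), so each field is 1-2 digits.
_CMD_RE = re.compile(
    r"^\[(?P<mon>\d{1,2})/(?P<day>\d{1,2}) "
    r"(?P<h>\d{1,2}):(?P<m>\d{1,2}):(?P<s>\d{1,2})\]: "
    r"CMD-\((?P<line>[^)]+)\):\[(?P<cmd>.*)\]by (?P<user>\S+) from (?P<tty>\S+) "
    r"\((?P<src>[^)]+)\)$"
)
_REPEAT_RE = re.compile(r"^- Repeated (?P<n>\d+) times?\.$")


def parse_command_history(text):
    """Turn show command-history output into a list of records. A
    '- Repeated N time.' line raises the count on the preceding record
    instead of adding a new one. Unknown lines raise ValueError so that
    a format change is noticed rather than silently dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Dell#"):
            continue  # blank line or the echoed prompt
        rep = _REPEAT_RE.match(line)
        if rep and records:
            records[-1]["count"] += int(rep.group("n"))
            continue
        m = _CMD_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: %r" % line)
        g = m.groupdict()
        records.append({
            "time": "%02d/%02d %02d:%02d:%02d"
                    % tuple(int(g[k]) for k in ("mon", "day", "h", "m", "s")),
            "line": g["line"], "command": g["cmd"], "user": g["user"],
            "tty": g["tty"], "source": g["src"], "count": 1,
        })
    return records


def config_changes_by_source(records):
    """Count commands that enter or alter configuration, per (user, source):
    a quick pivot when reviewing who changed the switch and from where.
    The keyword list is a constructed starting point, not a complete one."""
    interesting = ("configure", "interface", "no ", "privilege", "username", "logging")
    counts = Counter()
    for r in records:
        if r["command"].startswith(interesting):
            counts[(r["user"], r["source"])] += r["count"]
    return dict(counts)


if __name__ == "__main__":
    recs = parse_command_history(SAMPLE)
    for r in recs:
        print("%s %-40s %s@%s x%d" % (r["time"], r["command"], r["user"], r["source"], r["count"]))
    print(config_changes_by_source(recs))
```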
Using HTTP for File Transfers
Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
Use the copy source-file-url http://host[:port]/file-path command to transfer files to an external server.
This functionality to transport files using HTTP to a remote server is supported on MXL, I/O Aggregator,
S4810, S4820, S6000, and Z9000 platforms.
Enter the following source-file-url keywords and information:
• To copy a file from the internal FLASH, enter flash:// followed by the filename.
• To copy the running configuration, enter the keyword running-config.
• To copy the startup configuration, enter the keyword startup-config.
• To copy a file on the external FLASH, enter usbflash:// followed by the filename.
Upgrading and Downgrading the Dell Networking OS
NOTE: To upgrade the Dell Networking OS, refer to the Release Notes for the version you want to
load on the system.
Using Hashes to Validate Software Images
You can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm to validate the
software image on the flash drive, after the image has been transferred to the system, but before the
image has been installed. The validation calculates a hash value of the downloaded image file on the
system's flash drive and, optionally, compares it to a Dell Networking published hash for that file.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original
software. Calculating the hash on the local image file, and comparing the result to the hash published for
that file on iSupport, provides a high level of confidence that the local copy is exactly the same as the
published software image. This validation procedure, and the verify {md5 | sha256} command to support
it, can prevent the installation of corrupted or modified images.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local
flash drive. You can compare the displayed hash against the appropriate hash published on i-Support.
Optionally, the published hash can be included in the verify {md5 | sha256} command, which will display
whether it matches the calculated hash of the indicated file.
To validate a software image:
1. Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP)
   server. The published hash for that file is displayed next to the software image file on the iSupport
   page.
2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy
   command.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example, verify sha256
   flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image has been transferred to the system, but
before the image has been installed, use the verify {md5 | sha256} [flash://]img-file [hash-value]
command in EXEC mode.
• md5: MD5 message-digest algorithm
• sha256: SHA256 Secure Hash Algorithm
• flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the
  image file name.
• hash-value: (Optional) Specify the relevant hash published on i-Support.
• img-file: Enter the name of the Dell Networking software image file to validate.
Examples: Without Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
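The same check carried out on the download host before the image is copied to the switch, as an added Python example that is not Dell's code: it digests the file in chunks, accepts the published hash in either letter case, compares in constant time, and reports in the style of the switch output. The function names and the MISMATCH wording for a failed comparison are this example's own; the switch output for that case is not shown on this page.

```python
import hashlib
import hmac
import os
import tempfile

SUPPORTED = ("md5", "sha256")  # the two digests the verify command offers


def _check_algo(algo):
    if algo not in SUPPORTED:
        raise ValueError("unsupported algorithm: %r (use md5 or sha256)" % algo)


def hash_bytes(data, algo="sha256"):
    """Digest an in-memory byte string. Returns a lowercase hex digest."""
    _check_algo(algo)
    return hashlib.new(algo, data).hexdigest()


def image_hash(path, algo="sha256", chunk_size=1 << 20):
    """Digest a file on disk in 1 MiB chunks, so a large image is never
    read into memory at once. Returns a lowercase hex digest."""
    _check_algo(algo)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_hash(computed, published):
    """Case-insensitive, constant-time comparison of two hex digests.
    A published value of the wrong length or with non-hex characters
    simply fails to match."""
    expected = published.strip().lower().encode("ascii", "replace")
    return hmac.compare_digest(computed.encode("ascii"), expected)


def verify_image(path, algo="sha256", published_hash=None):
    """Mirror the two forms of the switch command: without a hash value the
    digest is returned for manual comparison ('verified' is None); with one,
    'verified' reports whether the local file matches the published hash."""
    digest = image_hash(path, algo)
    verified = None if published_hash is None else compare_hash(digest, published_hash)
    return {"file": os.path.basename(path), "algo": algo, "hash": digest, "verified": verified}


def format_result(r):
    """Render in the style of the switch output. The switch prints VERIFIED
    on a match; the MISMATCH wording for a failure is this example's own."""
    label = r["algo"].upper()
    if r["verified"] is None:
        return "%s hash for %s: %s" % (label, r["file"], r["hash"])
    return "%s hash %s for %s" % (label, "VERIFIED" if r["verified"] else "MISMATCH", r["file"])


def write_constructed_image(data, suffix=".bin"):
    """Write constructed sample bytes to a temp file that stands in for a
    downloaded image; the caller removes it."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_image(b"constructed image payload, not a real Dell image\n")
    try:
        print(format_result(verify_image(sample, "md5")))
        good = image_hash(sample, "sha256")
        print(format_result(verify_image(sample, "sha256", good.upper())))
        print(format_result(verify_image(sample, "sha256", "0" * 64)))
    finally:
        os.remove(sample)
```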
4 Management
Management is supported on the Dell Networking MXL 10/40GbE Switch IO Module.
This chapter describes the different protocols or services used to manage the Dell Networking system.
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
There are 15 privilege levels, of which two are pre-defined. The default privilege level is 1.
• Level 1 — Access to the system begins at EXEC mode, and EXEC mode commands are limited to basic
  commands, some of which are enable, disable, and exit.
• Level 15 — To access all commands, enter EXEC Privilege mode. Normally, enter a password to enter
  this mode.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set.
You can then customize privilege levels 2-14 by:
• removing commands from the EXEC mode commands
• moving commands from EXEC Privilege mode to EXEC mode
• allowing access to CONFIGURATION mode commands
• allowing access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode commands
You can access all commands at your privilege level and below.
Removing a Command from EXEC Mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level using
the privilege exec command from CONFIGURATION mode. In the command, specify a level greater
than the level given to a user or terminal line, then the first keyword of each restricted command.
Moving a Command from EXEC Privilege Mode to EXEC Mode
Move a command from EXEC Privilege to EXEC mode for a privilege level using the privilege exec
command from CONFIGURATION mode. In the command, specify the privilege level of the user or
terminal line, and specify all keywords in the command to which you want to allow access.
Allowing Access to CONFIGURATION Mode Commands
Allow access to CONFIGURATION mode using the privilege exec level level configure command
from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level,
and has access to only two commands, end and exit. Individually specify each CONFIGURATION mode
command to which you want to allow access using the privilege configure level level command. In
the command, specify the privilege level of the user or terminal line, and specify all keywords in the
command to which you want to allow access.
Allowing Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode
1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP,
   and ROUTER modes, first allow access to the command that enters you into the mode. For example,
   allow a user to enter INTERFACE mode using the privilege configure level level interface
   gigabitethernet command.
2. Then, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want
   to allow access using the privilege {interface | line | route-map | router} level level command. In the
   command, specify the privilege level of the user or terminal line and specify all keywords in the
   command to which you want to allow access.
Customizing a Privilege Level
To customize a privilege level, use the following commands.
1. Remove a command from the list of available commands in EXEC mode.
   CONFIGURATION mode
   privilege exec level level {command ||...|| command}
2. Move a command from EXEC Privilege to EXEC mode.
   CONFIGURATION mode
   privilege exec level level {command ||...|| command}
3. Allow access to CONFIGURATION mode.
   CONFIGURATION mode
   privilege exec configure level level
4. Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the
   command.
   CONFIGURATION mode
   privilege configure level level {interface | line | route-map | router}
   {command-keyword ||...|| command-keyword}
5. Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
   CONFIGURATION mode
   privilege {configure | interface | line | route-map | router} level level
   {command ||...|| command}
Create a Custom Privilege Level
The following configuration creates privilege level 3. This level:
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
• moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by
  requiring a minimum privilege level 3, which is the configured level for VTY 0
• allows access to CONFIGURATION mode with the banner command
• allows access to INTERFACE and LINE modes with the no command
Dell(conf)#do show run privilege
!
Dell(conf)#privilege exec level 3 capture
Dell(conf)#privilege exec level 3 configure
Dell(conf)#privilege exec level 4 resequence
Dell(conf)#privilege exec level 3 clear arp-cache
Dell(conf)#privilege exec level 3 clear arp-cache max-buffer-size
Dell(conf)#privilege configure level 3 line
Dell(conf)#privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Dell#?
capture              Capture packet
configure            Configuring from terminal
disable              Turn off privileged commands
enable               Turn on privileged commands
exit                 Exit from the EXEC
ip                   Global IP subcommands
monitor              Monitoring feature
mtrace               Trace reverse multicast path from destination to source
ping                 Send echo messages
quit                 Exit from the EXEC
show                 Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.
Dell(conf)#?
end                  Exit from configuration mode
exit                 Exit from configuration mode
interface            Select an interface to configure
Dell(conf)#interface ?
loopback             Loopback interface
managementethernet   Management Ethernet interface
null                 Null interface
port-channel         Port-channel interface
range                Configure interface range
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN interface
Dell(conf)#interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)#?
end                  Exit from configuration mode
exit                 Exit from interface configuration mode
Dell(conf-if-te-1/1)#exit
Dell(conf)#line ?
console              Primary terminal line
vty                  Virtual terminal
Dell(conf)#line vty 0
Dell(conf-line-vty)#?
exit                 Exit from line configuration mode
Dell(conf-line-vty)#
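A constructed model of the privilege rules this section describes, as an added Python example and not Dell's implementation: a session at level L sees a command whose assigned level is at or below L, a privilege rule assigns its level to every command beginning with the given keywords, and the longest configured keyword prefix wins. The baseline command set and levels are a small constructed sample, and the class and function names are this example's own.

```python
# Baseline levels for a handful of commands (constructed sample, not the
# full FTOS command set). Level 1 = EXEC mode, level 15 = EXEC Privilege.
BASELINE = {
    "exec": {
        "enable": 1, "disable": 1, "exit": 1, "quit": 1, "ping": 1,
        "show": 1, "resequence": 1,
        "capture": 15, "configure": 15, "clear arp-cache": 15,
        "clear counters": 15,
    },
    # A user at a custom level who enters CONFIGURATION mode starts with
    # only end and exit; everything else needs an explicit rule.
    "configure": {"end": 1, "exit": 1, "interface": 15, "line": 15,
                  "banner": 15, "router": 15},
}


class PrivilegeTable:
    def __init__(self, baseline=BASELINE):
        self.baseline = {mode: dict(cmds) for mode, cmds in baseline.items()}
        self.rules = {}  # (mode, keyword tuple) -> level

    def privilege(self, mode, level, keywords):
        """Model of 'privilege {exec | configure | ...} level <level> <keywords>'."""
        if mode not in self.baseline:
            raise ValueError("unknown mode %r" % mode)
        if not 1 <= level <= 15:
            raise ValueError("level must be 1-15")
        self.rules[(mode, tuple(keywords.split()))] = level

    def level_of(self, mode, command):
        """Level required for a command: the longest configured keyword
        prefix, else the baseline, else 15 (unknown commands stay privileged)."""
        words = tuple(command.split())
        for n in range(len(words), 0, -1):
            level = self.rules.get((mode, words[:n]))
            if level is not None:
                return level
        return self.baseline[mode].get(command, 15)

    def allowed(self, mode, command, session_level):
        return self.level_of(mode, command) <= session_level

    def visible(self, mode, session_level):
        """Commands a '?' at this mode and session level would list."""
        names = set(self.baseline[mode])
        names.update(" ".join(k) for m, k in self.rules if m == mode)
        return sorted(c for c in names if self.allowed(mode, c, session_level))


def page_example():
    """Apply the six privilege rules from the configuration example above."""
    t = PrivilegeTable()
    t.privilege("exec", 3, "capture")
    t.privilege("exec", 3, "configure")
    t.privilege("exec", 4, "resequence")
    t.privilege("exec", 3, "clear arp-cache")
    t.privilege("configure", 3, "line")
    t.privilege("configure", 3, "interface")
    return t


if __name__ == "__main__":
    t = page_example()
    for level in (1, 3, 4):
        print("level %2d EXEC: %s" % (level, ", ".join(t.visible("exec", level))))
    print("level  3 CONFIGURATION: %s" % ", ".join(t.visible("configure", 3)))
```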
Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a terminal line.
  LINE mode
  privilege level level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC
mode, but the prompt is hostname#, rather than hostname>.
Configuring Logging
The Dell Networking operating system tracks changes in the system using event and error messages.
By default, the system logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
  no logging monitor
• Disable console logging.
  CONFIGURATION mode
  no logging console
Audit and Security Logs
This section describes how to configure, display, and clear audit and security logs.
The following is the configuration task list for audit and security logs:
• Enabling Audit and Security Logs
• Displaying Audit and Security Logs
• Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect
the operation of the system in the network. You log audit and security events to a system log server,
using the logging extended command in CONFIGURATION mode. This command is available with or
without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist
of the following:
• User logins to the switch.
• System events for network issues or system issues.
• Users making configuration changes. The switch logs who made the configuration changes and the
  date and time of the change. However, each specific change on the configuration is not logged. Only
  that the configuration was modified is logged with the user ID, date, and time of the change.
• Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs
based on the CLI sessions’ user roles. The types of information in this log consist of the following:
• Establishment of secure traffic flows, such as SSH.
• Violations on secure flows or certificate issues.
• Adding and deleting of users.
• User access and configuration changes to the security and crypto parameters (not the key
  information but the crypto configuration).
Important Points to Remember
When you enable RBAC and extended logging:
• Only the system administrator user role can execute this command.
• The system administrator and system security administrator user roles can view security events and
  system events.
• The system administrator user role can view audit, security, and system events.
• Only the system administrator and security administrator user roles can view security logs.
• The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user
role.
Example of Enabling Audit and Security Logs
Dell(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs,
you must first enable the logging extended command. Only the RBAC system administrator user role can
view the audit logs. Only the RBAC security administrator and system administrator user role can view the
security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user
role. To view security logs, use the show logging command.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is
enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
Dell# clear logging auditlog
Configuring Logging Format
To display syslog messages in an RFC 3164 or RFC 5424 format, use the logging version [0 | 1]
command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log message formats:
• 0 – Displays syslog messages in the format described in RFC 3164, The BSD syslog Protocol
• 1 – Displays syslog messages in the format described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
Dell(conf)#logging version ?
<0-1> Select syslog version (default = 0)
Dell(conf)#logging version 1
Setting Up a Secure Connection to a Syslog Server
You can use reverse SSH tunneling with port forwarding to securely connect to a syslog server.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
   Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the FTOS switch, using the
   following syntax:
   ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
   In the following example the syslog server IP address is 10.156.166.48 and the listening port is
   5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
   ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3. Configure logging to a local host. localhost is “127.0.0.1” or “::1”.
   If you do not, the system displays an error when you attempt to enable role-based only AAA
   authorization.
   Dell(conf)#logging localhost tcp port
   Dell(conf)#logging 127.0.0.1 tcp 5140
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the
show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered
based on the user roles. Only the security administrator and system administrator can view the security
logs.
Example of the show logging Command
Dell#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege
mode, as shown in the example for Configuring a UNIX Logging Facility Level.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
For example: %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
• Disabling System Logging
• Sending System Messages to a Syslog Server
Disabling System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the
console, and the syslog servers.
To disable system logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
  no logging monitor
• Disable console logging.
  CONFIGURATION mode
  no logging console
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog
standards are supported: RFC 5424, The SYSLOG Protocol (R. Gerhards, Adiscon GmbH, March 2009),
which obsoletes RFC 3164; and RFC 5426, Transmission of Syslog Messages over UDP.
• Specify the server to which you want to send system messages. You can configure up to eight syslog
  servers.
  CONFIGURATION mode
  logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
Configuring a UNIX System as a Syslog Server
To configure a UNIX System as a syslog server, use the following command.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the
  UNIX system and assigning write permissions to the file.
  – Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/log7.log
  – Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.
Changing System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage
location.
The default is to log all messages up to debug level, that is, all system messages. By changing the severity
level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
• Specify the minimum severity level for logging to the logging buffer.
  CONFIGURATION mode
  logging buffered level
• Specify the minimum severity level for logging to the console.
  CONFIGURATION mode
  logging console level
• Specify the minimum severity level for logging to terminal lines.
  CONFIGURATION mode
  logging monitor level
• Specify the minimum severity level for logging to a syslog server.
  CONFIGURATION mode
  logging trap level
• Specify the minimum severity level for logging to the syslog history table.
  CONFIGURATION mode
  logging history level
• Specify the size of the logging buffer.
  CONFIGURATION mode
  logging buffered size
  NOTE: When you decrease the buffer size, the system deletes all messages stored in the buffer.
  Increasing the buffer size does not affect messages in the buffer.
• Specify the number of messages that the system saves to its logging history table.
  CONFIGURATION mode
  logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode,
as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in EXEC privilege
mode, as shown in the example for Configuring a UNIX Logging Facility Level.
Configuring a UNIX Logging Facility Level
You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command.
• Specify one of the following parameters.
  CONFIGURATION mode
  logging facility [facility-type]
– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system use)
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view nondefault settings, use the show running-config logging command in EXEC mode.
Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#
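The two message layouts that logging version 0 and 1 select, together with the facility and severity arithmetic behind the facility-type keywords above and the logging trap level filter, as an added Python example that is not Dell's code. The message text is taken from this page's security log example; the host name, the FTOS app-name and the timestamp are constructed, and cron and sys9-sys14 are omitted because the page gives them no numeric code.

```python
import datetime
import re

# RFC 3164 numeric codes for the facility-type keywords listed above.
# cron and sys9-sys14 are left out because the page gives them no code.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8}
FACILITY.update({"local%d" % i: 16 + i for i in range(8)})

# Severity names in the order of their numeric codes 0-7.
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

# Sample message and time taken from the security log example on this page.
SAMPLE_MSG = ("%SEC-5-LOGIN_SUCCESS: Login successful for user admin "
              "on line vty0 ( 10.14.1.91 )")
SAMPLE_TS = datetime.datetime(2014, 6, 10, 4, 23, 40)


def pri(facility, severity):
    """PRI = facility * 8 + severity; identical in RFC 3164 and RFC 5424."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return FACILITY[facility] * 8 + severity


def format_v0(facility, severity, ts, host, msg):
    """logging version 0: RFC 3164 layout. The timestamp carries no year
    or time zone and the day is space-padded ('Jun  5')."""
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    return "<%d>%s %s %s" % (pri(facility, severity), stamp, host, msg)


def format_v1(facility, severity, ts, host, msg, app="FTOS"):
    """logging version 1: RFC 5424 layout: VERSION 1, RFC 3339 timestamp in
    UTC, '-' for the unused PROCID, MSGID and STRUCTURED-DATA fields.
    The app-name 'FTOS' is a constructed placeholder."""
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return "<%d>1 %s %s %s - - - %s" % (pri(facility, severity), stamp, host, app, msg)


_PRI_RE = re.compile(r"^<(\d{1,3})>(1 )?")


def parse_pri(line):
    """Receiver side: return (facility_code, severity, version) or None when
    the line has no valid PRI (max 191). version is 1 for RFC 5424, else 0."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, severity, 1 if m.group(2) else 0


def would_log(level_name, severity):
    """'logging trap level' semantics: a message reaches the server only if
    its severity code is at or below the configured level's code."""
    return severity <= SEVERITY.index(level_name)


if __name__ == "__main__":
    for fmt in (format_v0, format_v1):
        print(fmt("local7", 5, SAMPLE_TS, "Dell", SAMPLE_MSG))
    print(parse_pri(format_v1("auth", 5, SAMPLE_TS, "Dell", SAMPLE_MSG)))
    print(would_log("informational", 7))  # a debugging message is dropped
```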
Synchronizing Log Messages
You can configure the system to filter and consolidate the system messages for a specific line by
synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and
console connections available on the system.
1. Enter LINE mode.
   CONFIGURATION mode
   line {console 0 | vty number [end-number]}
   Configure the following parameters for the virtual terminal lines:
   • number: the range is from zero (0) to 9.
   • end-number: the range is from 1 to 8.
   You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print.
   LINE mode
   logging synchronous [level severity-level | all] [limit]
   Configure the following optional parameters:
   • level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to
     include all messages.
   • limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.
Enabling Timestamp on Syslog Messages
By default, syslog messages do not include a time/date stamp stating when the error or message was
created.
To enable timestamp, use the following command.
• Add timestamp to syslog messages.
  CONFIGURATION mode
  service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
  Specify the following optional parameters:
  – datetime: You can add the keyword localtime to include the local time, msec, and show-timezone.
    If you do not add the keyword localtime, the time is UTC.
  – uptime: To view time since last boot.
  If you do not specify a parameter, the system configures uptime.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug]
command.
File Transfer Services
With the Dell Networking OS, you can configure the system to transfer files over the network using the
file transfer protocol (FTP).
One FTP application is copying the system image files over an interface on to the system; however, FTP is
not supported on virtual local area network (VLAN) interfaces.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
• Enabling the FTP Server (mandatory)
• Configuring FTP Server Parameters (optional)
• Configuring FTP Client Parameters (optional)
Enabling the FTP Server
To enable the system as an FTP server, use the following command.
To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
• Enable FTP on the system.
  CONFIGURATION mode
  ftp-server enable
Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters.
To configure the FTP server parameters, use the following commands.
• Specify the directory for users using FTP to reach the system.
  CONFIGURATION mode
  ftp-server topdir dir
  The default is the internal flash directory.
• Specify a user name for all FTP users and configure either a plain text or encrypted password.
  CONFIGURATION mode
  ftp-server username username password [encryption-type] password
  Configure the following optional and required parameters:
  – username: enter a text string.
  – encryption-type: enter 0 for plain text or 7 for encrypted text.
  – password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
• Specify the interface whose address FTP sessions use as their source. Enter the following keywords and slot/port or number information:
  – For a Loopback interface, enter the keyword loopback then a number between 0 and 16383.
  – For a port channel interface, enter the keywords port-channel then a number from 1 to 128.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
  – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
  CONFIGURATION mode
  ip ftp source-interface interface
• Configure a password.
  CONFIGURATION mode
  ip ftp password password
• Enter a username to use on the FTP client.
  CONFIGURATION mode
  ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode,
as shown in the example for Enabling the FTP Server.
Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles.
Terminal lines on the system provide different means of accessing the system. The virtual terminal lines
(VTYs) connect you through Telnet to the system.
Denying and Permitting Access to a Terminal Line
Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit
access to VTY lines.
• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
• Apply an ACL to a VTY line.
  LINE mode
  ip access-class access-list
Example of an ACL that Permits Terminal Access
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
access-class myvtyacl
Dell OS Behavior: Prior to Dell OS version 7.4.2.0, in order to deny access on a VTY line, apply an ACL
and accounting, authentication, and authorization (AAA) to the line. Then users are denied access only
after they enter a username and password. Beginning in Dell OS version 7.4.2.0, only an ACL is required,
and users are denied access before they are prompted for a username and password.
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal
line.
A combination of authentication methods is called a method list. If the user fails the first authentication
method, the system prompts the next method until all methods are exhausted, at which point the
connection is terminated. The available authentication methods are:
enable
Prompt for the enable password.
line
Prompt for the password you assigned to the terminal line. Configure a password
for the terminal line to which you assign a method list that contains the line
authentication method. Configure a password using the password command from
LINE mode.
local
Prompt for the system username and password.
none
Do not authenticate the user.
radius
Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+
Prompt for a username and password and use a TACACS+ server to authenticate.
1. Configure an authentication method list. You may use a mnemonic name or use the default keyword. The default authentication method for terminal lines is local and the default method list is empty.
   CONFIGURATION mode
   aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line.
   CONFIGURATION mode
   login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
   LINE mode
   password
Example of Terminal Line Authentication
In the following example, VTY lines 0-2 use a single authentication method, line.
Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
Dell(config-line-vty)#
Setting Time Out of EXEC Privilege Mode
EXEC time-out is a basic security feature that returns the Dell Networking OS to EXEC mode after a
period of inactivity on the terminal lines.
To set time out, use the following commands.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
  LINE mode
  exec-timeout minutes [seconds]
• Return to the default time-out values.
  LINE mode
  no exec-timeout
Example of Setting the Time Out Period for EXEC Privilege Mode
The following example shows how to set the time-out period and how to view the configuration using
the show config command from LINE mode.
Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
exec-timeout 0 0
Dell(config-line-console)#
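The management controls covered so far (the FTP server credential, the ACL on the VTY lines, the login method list, and the EXEC time-out) can all be checked from a saved running-config. The following Python script is an added example, not part of this guide or of the Dell Networking OS. It parses a constructed running-config fragment written in the format of the show running-config examples above (sub-commands indented by one space, which is an assumption about the saved format) and reports the settings a reviewer would question: an FTP password stored with encryption-type 0, a VTY line with no access-class, a method list that contains none, a line whose method list uses line but has no line password, and exec-timeout 0. The configuration text and the method-list name openlist are constructed for the example.

```python
import re
from typing import List

# Constructed running-config fragment (not captured from a real device). The
# commands follow this chapter; sub-commands are indented by one space.
SAMPLE_CONFIG = """\
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
!
aaa authentication login myvtymethodlist line
aaa authentication login openlist none
!
line console 0
 exec-timeout 0 0
line vty 0
 access-class myvtyacl
 login authentication myvtymethodlist
 password myvtypassword
line vty 1
 login authentication openlist
 exec-timeout 30 0
"""

LINE_HEADER = re.compile(r"^line (console|vty) (\d+)(?: (\d+))?$")
FTP_USER = re.compile(r"^ftp-server username (\S+) password (?:(\d) )?\S+$")
METHOD_LIST = re.compile(r"^aaa authentication login (\S+)((?: \S+)*)$")
EXEC_TIMEOUT = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")


def parse_config(text: str) -> dict:
    """Collect the FTP users, AAA method lists and per-line settings we audit."""
    cfg = {"ftp_users": {}, "method_lists": {}, "lines": {}}
    current: List[str] = []   # terminal lines that the indented commands apply to
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if not raw[0].isspace():          # top-level command ends any line section
            current = []
            if m := LINE_HEADER.match(line):
                first = int(m.group(2))
                last = int(m.group(3)) if m.group(3) else first
                # "line vty 0 2" addresses a range of terminal lines
                current = [f"{m.group(1)} {n}" for n in range(first, last + 1)]
                for name in current:
                    cfg["lines"].setdefault(name, {"access_class": None, "login": None,
                                                   "password": False, "exec_timeout": None})
            elif m := FTP_USER.match(line):
                # encryption-type 0 = plain text, 7 = encrypted. An omitted type is
                # treated as 0 here (assumption: the password was entered in the clear).
                cfg["ftp_users"][m.group(1)] = m.group(2) or "0"
            elif m := METHOD_LIST.match(line):
                cfg["method_lists"][m.group(1)] = m.group(2).split()
            continue
        for name in current:
            entry = cfg["lines"][name]
            if line.startswith("access-class "):
                entry["access_class"] = line.split()[1]
            elif line.startswith("login authentication "):
                entry["login"] = line.split()[2]
            elif line.startswith("password "):
                entry["password"] = True
            elif m := EXEC_TIMEOUT.match(line):
                entry["exec_timeout"] = (int(m.group(1)), int(m.group(2) or 0))
    return cfg


def audit(cfg: dict) -> List[str]:
    """One finding per setting that weakens management-plane security."""
    findings: List[str] = []
    for user, enc_type in cfg["ftp_users"].items():
        if enc_type == "0":
            findings.append(f"ftp-server user {user}: password stored as plain text (type 0)")
    for name, entry in sorted(cfg["lines"].items()):
        methods = cfg["method_lists"].get(entry["login"], [])
        if name.startswith("vty") and entry["access_class"] is None:
            findings.append(f"line {name}: no access-class ACL restricts who may connect")
        if "none" in methods:
            findings.append(f"line {name}: method list {entry['login']} contains none "
                            "(unauthenticated access)")
        if "line" in methods and not entry["password"]:
            findings.append(f"line {name}: method list uses line but no line password is set")
        if entry["exec_timeout"] == (0, 0):
            findings.append(f"line {name}: exec-timeout 0 disables the inactivity time-out")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

For the constructed fragment the script reports four findings: the plain-text FTP password, the console line with exec-timeout 0, and two findings for line vty 1 (no access-class, and a method list that contains none); line vty 0, which has an ACL, a line password and a method list without none, is not reported.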
Using Telnet to get to Another Network Device
To telnet to another device, use the following commands.
• Telnet to the stack-unit. You do not need to configure the management port on the stack-unit to be able to telnet to it.
  EXEC Privilege mode
  telnet-peer-stack-unit
• Telnet to a device with an IPv4 address.
  EXEC Privilege mode
  telnet [ip-address]
If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one.
Enter an IPv4 address in dotted decimal format (A.B.C.D).
Example of the telnet Command for Device Access
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#
Lock CONFIGURATION Mode
The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of locks: auto and manual.
• Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
• Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the show configuration lock command from
EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode.
Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a
console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
Dell(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears
on their terminal (message 1): % Error: User "" on line console0 is in exclusive
configuration mode.
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though
you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.
Recovering from a Forgotten Password
If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
Use the following commands if you forget your password.
1. Log onto the system using the console.
2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3. Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.
   (during bootup)
   hit any key
4. Set the system parameters to ignore the startup configuration file when the system reloads.
   uBoot mode
   setenv stconfigignore true
5. To save the changes, use the saveenv command.
   uBoot mode
   saveenv
6. Reload the system.
   uBoot mode
   reset
7. Copy startup-config.bak to the running config.
   EXEC Privilege mode
   copy flash://startup-config.bak running-config
8. Remove all authentication statements you might have for the console.
   LINE mode
   no authentication login
   no password
9. Save the running-config.
   EXEC Privilege mode
   copy running-config startup-config
10. Set the system parameters to use the startup configuration file when the system reloads.
   uBoot mode
   setenv stconfigignore false
11. Save the running-config.
   EXEC Privilege mode
   copy running-config startup-config
Recovering from a Forgotten Enable Password
Use the following commands if you forget the enable password.
1. Log onto the system using the console.
2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3. Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.
   (during bootup)
   hit any key
4. Set the system parameters to ignore the enable password when the system reloads.
   uBoot mode
   setenv enablepwdignore true
5. Reload the system.
   uBoot mode
   reset
6. Configure a new enable password.
   CONFIGURATION mode
   enable {secret | password}
7. Save the running-config to the startup-config.
   EXEC Privilege mode
   copy running-config startup-config
Recovering from a Failed Start
A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS
image or from a mis-specified location.
In this case, you can restart the system and interrupt the boot process to point the system to another
boot location. Use the setenv command, as described in the following steps. For details about the
setenv command, its supporting commands, and other commands that can help recover from a failed
start, refer to the u-Boot chapter in the Dell Networking OS Command Line Reference Guide.
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. Hit any key to abort the boot process. You enter uBoot immediately; the => prompt indicates success.
   (during bootup)
   press any key
3. Assign the new location to the Dell Networking OS image it uses when the system reloads.
   uBoot mode
   setenv [primary_image f10boot location | secondary_image f10boot location | default_image f10boot location]
4. Assign an IP address to the Management Ethernet interface.
   uBoot mode
   setenv ipaddr address
5. Assign an IP address as the default gateway for the system.
   uBoot mode
   setenv gatewayip address
6. Reload the system.
   uBoot mode
   reset
5 802.1X
802.1X is a method of port security.
A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets
on the network until its identity can be verified (through a username and password, for example). This
feature is named for its IEEE specification.
802.1X employs extensible authentication protocol (EAP) to transfer a device’s credentials to an
authentication server (typically RADIUS) using a mandatory intermediary network access device, in this
case, a Dell Networking switch. The network access device mediates all communication between the
end-user device and the authentication server so that the network remains secure. The network access
device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell Networking operating system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS,
EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 1. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
• The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by
default.
The Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from
down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 3. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as
defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV)
format. The Type value for EAP messages is 79.
Figure 4. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request
messages:
Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 5 indicates Ethernet.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
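To make the TLV encapsulation concrete, here is an added Python example; it is not code from this guide or from the Dell Networking OS. It builds the Access-Request an authenticator sends after decapsulating an EAP Response/Identity, carrying NAS-Port (5), Calling-Station-Id (31) and EAP-Message (79) from the list above, then validates a constructed Access-Accept and reads the VLAN out of its Tunnel-Private-Group-ID (81), which is the mechanism that dynamic VLAN assignment later in this chapter relies on. It also adds Message-Authenticator (80), which RFC 3579 makes mandatory in any Access-Request that carries EAP-Message: an HMAC-MD5 over the packet keyed with the shared secret, so a server that enforces it drops requests that were forged or altered in transit. NAS-Port-Type is left out. The shared secret, identifier, Request Authenticator bytes, MAC address, user name and VLAN 200 are constructed values.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# RADIUS packet codes (RFC 2865) and the attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_NAS_PORT = 5                   # physical port of the authenticator
ATTR_CALLING_STATION_ID = 31        # supplicant MAC address
ATTR_EAP_MESSAGE = 79               # EAP packet carried as a TLV (RFC 3579)
ATTR_MESSAGE_AUTHENTICATOR = 80     # HMAC-MD5 integrity check (RFC 3579)
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN assignment returned by the server
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (Type, Value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("a RADIUS attribute value is limited to 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLVs, rejecting a Length that would run past the buffer."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(secret: bytes, identifier: int, request_auth: bytes,
                         nas_port: int, supplicant_mac: str, eap_message: bytes) -> bytes:
    """Access-Request the authenticator sends after decapsulating an EAP response.

    Message-Authenticator is an HMAC-MD5 over the whole packet with its own 16
    bytes zeroed, written in place afterwards (RFC 3579 section 3.2).
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 random bytes")
    attrs = encode_attrs([
        (ATTR_NAS_PORT, struct.pack("!I", nas_port)),
        (ATTR_CALLING_STATION_ID, supplicant_mac.encode()),
        (ATTR_EAP_MESSAGE, eap_message),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),   # zeroed placeholder, last attribute
    ])
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC with attribute 80 zeroed; False if absent or wrong."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    pos = 20
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def build_access_accept(secret: bytes, request: bytes, vlan_id: int) -> bytes:
    """Constructed server reply: EAP Success plus Tunnel-Private-Group-ID.

    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    """
    identifier, request_auth = request[1], request[4:20]
    attrs = encode_attrs([
        (ATTR_EAP_MESSAGE, bytes([3, identifier, 0, 4])),                  # EAP Success
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),  # Tag 0 + id
    ])
    header = HEADER.pack(ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def vlan_from_reply(secret: bytes, request: bytes, reply: bytes) -> Optional[int]:
    """VLAN id from an Access-Accept whose Response Authenticator checks out;
    None for a reject, a forged reply, or a missing/non-numeric group id."""
    if len(reply) < 20 or HEADER.unpack(reply[:4])[2] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, reply[4:20]):
        return None
    for attr_type, value in decode_attrs(reply[20:]):
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:   # leading byte is a Tag, not part of the id
                value = value[1:]
            return int(value) if value.isdigit() else None
    return None
```

A realistic call builds the request from an EAP Response/Identity (EAP code 2, type 1, followed by the identity) and a fresh 16-byte Request Authenticator; the authenticator then accepts a VLAN only from a reply whose Response Authenticator verifies against that request and the shared secret, which is why the functions take the original request as input.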
Configuring 802.1X
Configuring 802.1X on a port is a two-step process.
1. Enable 802.1X globally (refer to Enabling 802.1X).
2. Enable 802.1X on an interface (refer to Enabling 802.1X).
Related Configuration Tasks
• Configuring Request Identity Re-transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-fail VLAN
Important Points to Remember
• The Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• 802.1X is not supported on port-channels or port-channel members.
Enabling 802.1X
Enable 802.1X globally and at an interface level.
Figure 5. 802.1X Enabled
1. Enable 802.1X globally.
   CONFIGURATION mode
   dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
   INTERFACE mode
   interface [range]
3. Enable 802.1X on an interface or a range of interfaces.
   INTERFACE mode
   dot1x authentication
Example of Verifying that 802.1X is Enabled Globally
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
The dot1x authentication lines show that 802.1X is enabled.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface GigabitEthernet 2/1
ip address 2.2.2.2/24
dot1x authentication
no shutdown
!
interface GigabitEthernet 2/2
ip address 1.0.0.1/24
dot1x authentication
no shutdown
--More--
Example of Verifying 802.1X is Enabled on an Interface
View 802.1X configuration information for an interface using the show dot1x interface command.
The Dot1x Status and Port Auth Status lines show that 802.1X is enabled and that the port, like all ports, is unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Request Identity Re-Transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the
authenticator waits 30 seconds and then re-transmits the frame.
The amount of time that the authenticator waits before re-transmitting and the maximum number of
times that the authenticator re-transmits are configurable.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the
supplicant might have been booting when the request arrived or there might be a physical layer
problem.
To configure re-transmissions, use the following commands.
• Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
  INTERFACE mode
  dot1x tx-period number
  The range is from 1 to 65535 (1 year).
  The default is 30.
• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
  INTERFACE mode
  dot1x max-eap-req number
  The range is from 1 to 10.
  The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information
for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and
re-transmits a maximum of 10 times.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame
after 30 seconds by default, but you can configure this period.
NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed
authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive
supplicant.
To configure a quiet period, use the following command.
• Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.
  INTERFACE mode
  dot1x quiet-period seconds
  The range is from 1 to 65535.
  The default is 60 seconds.
Example of Configuring and Verifying Port Authentication
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
• after 90 seconds, and a maximum of 10 times, for an unresponsive supplicant
• after the configured quiet period following a failed authentication
The Tx Period, Quiet Period, and Max-EAP-Req lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Dell(conf-if-range-Te-0/0)#dot1x tx-period 90
Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10
Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized: an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized: an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
• Auto: an unauthorized state by default. A device connected to a port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
• Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
  INTERFACE mode
  dot1x port-control {force-authorized | force-unauthorized | auto}
  The default state is auto.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration
The example shows configuration information for a port that has been force-authorized.
The Port Control line shows the new port-control state.
Dell(conf-if-gi-2/1)#dot1x port-control force-authorized
Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Re-Authenticating a Port
You can configure the authenticator for periodic re-authentication.
After the supplicant has been authenticated, and the port has been authorized, you can configure the
authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the
supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can
configure a maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands.
• Configure the authenticator to periodically re-authenticate the supplicant.
  INTERFACE mode
  dot1x reauthentication [interval] seconds
  The range is from 1 to 65535.
  The default is 3600.
• Configure the maximum number of times that the supplicant can be re-authenticated.
  INTERFACE mode
  dot1x reauth-max number
  The range is from 1 to 10.
  The default is 2.
Example of Re-Authenticating a Port and Verifying the Configuration
The Re-Authentication, ReAuth Max, and Re-Auth Interval lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Dell(conf-if-gi-2/1)#dot1x reauthentication interval 7200
Dell(conf-if-gi-2/1)#dot1x reauth-max 10
Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the
authentication process after 30 seconds by default. You can configure the amount of time the
authenticator waits for a response.
To terminate the authentication process, use the following commands.
• Terminate the authentication process due to an unresponsive supplicant.
  INTERFACE mode
  dot1x supplicant-timeout seconds
  The range is from 1 to 300.
  The default is 30.
• Terminate the authentication process due to an unresponsive authentication server.
  INTERFACE mode
  dot1x server-timeout seconds
  The range is from 1 to 300.
  The default is 30.
Example of Viewing Configured Server Timeouts
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The Supplicant Timeout and Server Timeout lines show the new supplicant and server timeouts.
Dell(conf-if-gi-2/1)#dot1x port-control force-authorized
Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Dynamic VLAN Assignment with Port
Authentication
The system supports dynamic VLAN assignment when using 802.1X.
The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN
assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
The illustration shows the configuration on the Dell Networking system before connecting the end user
device in black and blue text, and after connecting the device in red text. The blue text corresponds to
the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 6. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
Guest and Authentication-Fail VLANs
Typically, the authenticator (the Dell Networking system) denies the supplicant access to the network
until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port
and places it in either the VLAN for which the port is configured or the VLAN that the authentication
server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show
config command from INTERFACE mode or using the show dot1x interface command from EXEC
Privilege mode.
Example of Viewing Guest VLAN Configuration
Dell(conf-if-gi-1/2)#dot1x guest-vlan 200
Dell(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
no shutdown
Dell(conf-if-gi-1/2)#
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified
amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period
after a Failed Authentication
You can configure the maximum number of times the authenticator re-attempts authentication after a
failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of
times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum
number of authentication attempts by the authenticator using the keyword max-attempts with this
command.
Example of Configuring Maximum Authentication Attempts and Viewing the Configuration
Dell(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
Dell(conf-if-gi-1/2)#
View your configuration using the show config command from INTERFACE mode, as shown in the
example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC
Privilege mode.
Example of Viewing 802.1X Interface Status
Dell(conf-if-gi-2/1)#dot1x port-control force-authorized
Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1

802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Enable
Guest VLAN id:          200
Auth-Fail VLAN:         Enable
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM)
enhancements.
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
You can enable and configure the ACL CAM optimization functionality to minimize the number of entries
in CAM while ACLs are applied on a VLAN or a set of VLANs, and also while ACLs are applied on a set of
ports. This capability enables the effective usage of the CAM space when Layer 3 ACLs are applied to a set
of VLANs and when Layer 2 or Layer 3 ACLs are applied on a set of ports.
In releases of Dell Networking OS that do not support the CAM optimization functionality, when an ACL is
applied on a VLAN, the ACL rules are configured with the rule-specific parameters and the VLAN as
additional attributes in the ACL region. When the ACL is applied on multiple VLAN interfaces, the
consumption of the CAM space increases proportionally. For example, when an ACL with ‘n’ number of
rules is applied on ‘m’ number of VLAN interfaces, a total of n*m entries are configured in the CAM region
that is allocated for ACLs. Similarly, when an L2 or L3 ACL is applied on a set of ports, a large portion of
the CAM space gets used because a port is saved as a parameter in CAM.
To avoid excessive consumption of the CAM space, configure ACL VLAN groups, which combine all the
VLANs that are applied with the same ACL, into a single group. A class identifier (Class ID) is assigned for
each of the ACLs attached to the VLAN and this Class ID is used as an identifier or locator in the CAM
space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM area
significantly and saves memory space by using the class ID as a filtering criterion in CAM instead of the
VLAN ID.
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is
applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN
interface, each ACL has a mapping with the VLAN and increased CAM space utilization occurs. Attaching
an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM
prior to the implementation of the ACL VLAN group functionality.
The ACL manager application on router processor (RP1) contains all the state information about all the
ACL VLAN groups that are present. The ACL handler on control processor (CP) and the ACL agent on line
cards do not contain any stateful information about the group. The ACL manager application performs
the validation after you enter the acl-vlan-group command. If the command is valid, it is processed
and sent to the agent, if required. If a configuration error is found or if the maximum limit has been
exceeded for the ACL VLAN groups present on the system, an appropriate error message is displayed. The
ACL manager application verifies the following parameters when you enter the acl-vlan-group command:
• Whether the CAM profile is set in VFP
• Whether the maximum number of groups in the system has been exceeded
• Whether the maximum number of VLAN members permitted per ACL group has been exceeded
• Whether a VLAN member that is being added is already a part of another ACL group
After these verification steps are performed, the ACL manager considers the command as valid and sends
the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the
following cases:
• A VLAN member is added or removed from a group, and previously associated VLANs exist in the
group.
• The egress ACL is applied or removed from the group and the group contains VLAN members.
• VLAN members are added or deleted from a VLAN, which itself is a group member.
• A line card returns to the active state after going down, and this line card contains a VLAN that is a
member of an ACL group.
• The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
• The ACL VLAN group is created.
• The ACL VLAN group is deleted and it does not contain any VLAN members.
• The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
• The description of the ACL group is added or removed.
Guidelines for Configuring ACL VLAN groups
Keep the following points in mind when you configure ACL VLAN groups:
• The interfaces, to which the ACL VLAN group is applied, function as restricted interfaces. The ACL
VLAN group name is used to identify the group of VLANs that is used to perform hierarchical filtering.
• You can add only one ACL to an interface at a time.
• When you attach an ACL VLAN group to the same interface, a validation is performed to determine
whether an ACL is applied directly to an interface. If you previously applied an ACL separately to the
interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its
hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL
CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL
VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL
VLAN groups.
• The maximum number of VLAN groups that you can configure also depends on the hardware
specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The
maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI
counters, OpenFlow, ACL optimization) can be allocated virtual flow processing slices at a time.
• The maximum number of VLANs that you can configure as a member of ACL VLAN groups is limited
to 512 on the MXL switch if two slices are allocated. If only one virtual flow processing slice is
allocated, the maximum number of VLANs that you can configure as a member of an ACL VLAN
group is 256 for the MXL switch.
• Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
• You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL
VLAN group capability. You can view the counters per ACL only using the show ip accounting
access-list command.
• Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization
is not applied.
• To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port
number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply
the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added.
When you remove the ACL from a port, the port bitmap is removed.
• If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same
ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby effectively saving
CAM space. The optimization is enabled only if you specify the optimized option with the ip
access-group command. This option is not valid for VLAN and LAG interfaces.
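The following Python model of the checks the ACL manager performs on acl-vlan-group, together with the CAM-entry arithmetic that motivates the feature (n rules on m VLANs costing n*m entries when applied per VLAN, n entries when the VLANs sit in one group), is an added example and not Dell Networking OS code. The class, function and exception names are this example's own; the limits (31 groups, two slices, 256 VLAN members per allocated slice) are the figures stated above, and the member limit is modelled as a total across all groups, as the guideline list words it.

```python
"""Model of the acl-vlan-group validation and of the CAM savings it provides.

Added example, not Dell Networking OS code. Names are this example's own;
the numeric limits are the ones the guide states.
"""

MAX_ACL_VLAN_GROUPS = 31      # guideline: 31 groups supported
MEMBERS_PER_SLICE = 256       # 256 members with one VFP slice, 512 with two
MAX_SLICES = 2                # cam-acl-vlan vlanaclopt <0-2>


class AclVlanGroupError(ValueError):
    """Raised where the switch would print an error for acl-vlan-group."""


def parse_vlan_range(text):
    """'2-10,99' -> {2, ..., 10, 99}; the range syntax used by `member vlan`."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise AclVlanGroupError(f"bad VLAN range {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    if not all(1 <= v <= 4094 for v in vlans):
        raise AclVlanGroupError("VLAN id outside 1-4094")
    return vlans


def cam_entries(n_rules, n_vlans, grouped):
    """ACL with n rules on m VLANs: n*m entries when applied per VLAN,
    n entries when the VLANs are in one ACL VLAN group (class-ID qualifier)."""
    return n_rules if grouped else n_rules * n_vlans


class AclVlanGroupTable:
    """The state the guide says the ACL manager keeps for ACL VLAN groups.
    `vlanaclopt_slices` mirrors the value set with cam-acl-vlan vlanaclopt."""

    def __init__(self, vlanaclopt_slices):
        if not 0 <= vlanaclopt_slices <= MAX_SLICES:
            raise AclVlanGroupError("vlanaclopt accepts 0-2 slices")
        self.slices = vlanaclopt_slices
        self.groups = {}  # name -> {"acl": str or None, "members": set of VLAN ids}

    def member_capacity(self):
        # Modelled as a total across all groups (the guideline wording).
        return MEMBERS_PER_SLICE * self.slices

    def create(self, name):
        if self.slices == 0:
            raise AclVlanGroupError("CAM profile not set in VFP: run cam-acl-vlan vlanaclopt first")
        if name in self.groups:
            return  # re-entering an existing group is not an error
        if len(self.groups) >= MAX_ACL_VLAN_GROUPS:
            raise AclVlanGroupError("maximum number of ACL VLAN groups exceeded")
        self.groups[name] = {"acl": None, "members": set()}

    def _owner(self, vlan):
        for gname, group in self.groups.items():
            if vlan in group["members"]:
                return gname
        return None

    def add_members(self, name, vlan_range):
        new = parse_vlan_range(vlan_range) - self.groups[name]["members"]
        for vlan in sorted(new):
            owner = self._owner(vlan)
            if owner is not None:
                raise AclVlanGroupError(f"VLAN {vlan} is already a member of group {owner}")
        in_use = sum(len(g["members"]) for g in self.groups.values())
        if in_use + len(new) > self.member_capacity():
            raise AclVlanGroupError("VLAN member limit for the allocated slices exceeded")
        self.groups[name]["members"] |= new

    def apply_egress_acl(self, name, acl_name):
        self.groups[name]["acl"] = acl_name

    def show_detail(self):
        """(group, egress ACL, sorted members), like show acl-vlan-group detail."""
        return [(n, g["acl"], sorted(g["members"])) for n, g in self.groups.items()]


if __name__ == "__main__":
    table = AclVlanGroupTable(vlanaclopt_slices=1)
    table.create("HostGroup")
    table.add_members("HostGroup", "1,1000")
    table.apply_egress_acl("HostGroup", "Group5")
    print(table.show_detail())
    print("20 rules on 3 VLANs:", cam_entries(20, 3, False), "vs", cam_entries(20, 3, True))
```

The two rejected cases a practitioner cares about are the silent ones on a real switch: adding a VLAN that already belongs to another group, and exceeding the member budget of the allocated slices.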
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters
This section describes how to optimize the utilization of CAM blocks by configuring ACL VLAN groups
that you can attach to VLAN interfaces and also how to configure FP blocks for different VLAN
operations.
Configuring ACL VLAN Groups
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is
applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN
interface, each ACL has a mapping with the VLAN and increases the CAM space utilization. Attaching an
ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior
to the implementation of the ACL VLAN group functionality.
1. Create an ACL VLAN group.
CONFIGURATION mode
acl-vlan-group {group name}
You can have up to eight different ACL VLAN groups at any given time.
2. Add a description to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Apply an egress IP ACL to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
ip access-group {group name} out implicit-permit
4. Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group name | detail}
Dell#show acl-vlan-group detail
Group Name    : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members  : 100,200,300
Group Name    : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members  : 2-10,99
Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
Dell#
Configuring FP Blocks for VLAN Parameters
Use the cam-acl-vlan command to allocate the number of FP blocks for the various VLAN processes
on the system. You can use the no version of this command to reset the number of FP blocks to default.
By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not
enabled by default, and you need to allocate the slices for CAM optimization.
1. Allocate the number of FP blocks for VLAN OpenFlow operations.
CONFIGURATION mode
cam-acl-vlan vlanopenflow <0-2>
2. Allocate the number of FP blocks for VLAN iSCSI counters.
CONFIGURATION mode
cam-acl-vlan vlaniscsi <0-2>
3. Allocate the number of FP blocks for the ACL VLAN optimization feature.
CONFIGURATION mode
cam-acl-vlan vlanaclopt <0-2>
4. View the number of flow processor (FP) blocks that is allocated for the different VLAN services.
EXEC Privilege mode
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   11   |    0   | IN-L2 ACL       |    7152     |      0      |    7152
        |        | IN-L2 FIB       |   32768     |   1081      |   31687
        |        | OUT-L2 ACL      |       0     |      0      |       0
   11   |    1   | IN-L2 ACL       |    7152     |      0      |    7152
        |        | IN-L2 FIB       |   32768     |   1081      |   31687
        |        | OUT-L2 ACL      |       0     |      0      |       0
Viewing CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and
Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode.
Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
EXEC Privilege mode
show cam-usage [acl | router | switch]
The following sample output shows the consumption of CAM blocks for Layer 2 and Layer 3 ACLs, in
addition to other processes that use CAM space:
Dell#show cam-usage
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
    1   |    0   | IN-L2 ACL       |    1008     |    320      |     688
        |        | IN-L2 FIB       |   32768     |   1132      |   31636
        |        | IN-L3 ACL       |   12288     |      2      |   12286
        |        | IN-L3 FIB       |  262141     |     14      |  262127
        |        | IN-L3-SysFlow   |    2878     |     45      |    2833
        |        | IN-L3-TrcList   |    1024     |      0      |    1024
        |        | IN-L3-McastFib  |    9215     |      0      |    9215
        |        | IN-L3-Qos       |    8192     |      0      |    8192
        |        | IN-L3-PBR       |    1024     |      0      |    1024
        |        | IN-V6 ACL       |       0     |      0      |       0
        |        | IN-V6 FIB       |       0     |      0      |       0
        |        | IN-V6-SysFlow   |       0     |      0      |       0
        |        | IN-V6-McastFib  |       0     |      0      |       0
        |        | OUT-L2 ACL      |    1024     |      0      |    1024
        |        | OUT-L3 ACL      |    1024     |      0      |    1024
        |        | OUT-V6 ACL      |       0     |      0      |       0
    1   |    1   | IN-L2 ACL       |     320     |      0      |     320
        |        | IN-L2 FIB       |   32768     |   1136      |   31632
        |        | IN-L3 ACL       |   12288     |      2      |   12286
        |        | IN-L3 FIB       |  262141     |     14      |  262127
        |        | IN-L3-SysFlow   |    2878     |     44      |    2834
--More--
The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are
configured:
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   11   |    0   | IN-L2 ACL       |    1008     |      0      |    1008
        |        | IN-L3 ACL       |   12288     |      2      |   12286
        |        | OUT-L2 ACL      |    1024     |      2      |    1022
        |        | OUT-L3 ACL      |    1024     |      0      |    1024
The following sample output displays the CAM space utilization for Layer 2 ACLs:
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   11   |    0   | IN-L2 ACL       |    7152     |      0      |    7152
        |        | IN-L2 FIB       |   32768     |   1081      |   31687
        |        | OUT-L2 ACL      |       0     |      0      |       0
   11   |    1   | IN-L2 ACL       |    7152     |      0      |    7152
        |        | IN-L2 FIB       |   32768     |   1081      |   31687
        |        | OUT-L2 ACL      |       0     |      0      |       0
The following sample output displays the CAM space utilization for Layer 3 ACLs:
Dell#show cam-usage router
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   11   |    0   | IN-L3 ACL       |    8192     |      3      |    8189
        |        | IN-L3 FIB       |  196607     |      1      |  196606
        |        | IN-L3-SysFlow   |    2878     |      0      |    2878
        |        | IN-L3-TrcList   |    1024     |      0      |    1024
        |        | IN-L3-McastFib  |    9215     |      0      |    9215
        |        | IN-L3-Qos       |    8192     |      0      |    8192
        |        | IN-L3-PBR       |    1024     |      0      |    1024
        |        | OUT-L3 ACL      |   16384     |      0      |   16384
   11   |    1   | IN-L3 ACL       |    8192     |      3      |    8189
        |        | IN-L3 FIB       |  196607     |      1      |  196606
        |        | IN-L3-SysFlow   |    2878     |      0      |    2878
        |        | IN-L3-TrcList   |    1024     |      0      |    1024
        |        | IN-L3-McastFib  |    9215     |      0      |    9215
        |        | IN-L3-Qos       |    8192     |      0      |    8192
        |        | IN-L3-PBR       |    1024     |      0      |    1024
        |        | OUT-L3 ACL      |   16384     |      0      |   16384
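Because a full ACL partition means later ACL entries cannot be installed, the show cam-usage output is worth checking automatically. The following parser is an added example, not Dell Networking OS code: SAMPLE is constructed in the column layout shown above with illustrative values, and the function names and the 90 percent threshold are this example's own choices.

```python
"""Parser for `show cam-usage` output with a partition utilization check.

Added example, not Dell Networking OS code. SAMPLE is constructed in the
layout the guide shows; its numbers are illustrative only.
"""

SAMPLE = """\
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   11   |    0   | IN-L2 ACL       |    1008     |    320      |     688
        |        | IN-L3 ACL       |   12288     |      2      |   12286
        |        | OUT-L2 ACL      |    1024     |   1000      |      24
   11   |    1   | IN-L2 ACL       |    1008     |      0      |    1008
"""


def parse_cam_usage(text):
    """Return one dict per partition row. Blank Linecard/Portpipe cells
    inherit the values of the previous row, as in the switch's output."""
    rows = []
    linecard = portpipe = None
    for line in text.splitlines():
        # Skip the column header, the separator and anything that is not a row.
        if "|" not in line or line.startswith("=") or "Partition" in line:
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 6:
            continue
        lc, pp, partition, total, used, avail = cells[:6]
        if lc:
            linecard = int(lc)
        if pp:
            portpipe = int(pp)
        total, used, avail = int(total), int(used), int(avail)
        # Sanity check on the three counters the switch reports.
        if total != used + avail:
            raise ValueError(f"{partition}: total {total} != used {used} + available {avail}")
        rows.append({"linecard": linecard, "portpipe": portpipe, "partition": partition,
                     "total": total, "used": used, "available": avail})
    return rows


def partitions_over(rows, threshold=0.9):
    """(linecard, portpipe, partition) for every partition at or above threshold."""
    return [(r["linecard"], r["portpipe"], r["partition"])
            for r in rows
            if r["total"] and r["used"] / r["total"] >= threshold]


if __name__ == "__main__":
    for lc, pp, part in partitions_over(parse_cam_usage(SAMPLE)):
        print(f"linecard {lc} portpipe {pp}: {part} is nearly full")
```

Feed it the text captured from the switch instead of SAMPLE; partitions with a total of 0 (not carved) are ignored rather than reported as full.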
Allocating FP Blocks for VLAN Processes
The VLAN ContentAware Processor (VCAP) application is a pre-ingress CAP that modifies the VLAN
settings before packets are forwarded. To support the ACL CAM optimization functionality, the CAM
carving feature is enhanced. A total of four VCAP groups are present, of which two are fixed groups
and the other two are dynamic groups. Across the two dynamic groups, you can allocate zero,
one, or two FP blocks to iSCSI Counters, OpenFlow and ACL Optimization.
You can configure only two of these features at a time.
• To allocate the number of FP blocks for VLAN OpenFlow operations, use the cam-acl-vlan
vlanopenflow <0-2> command.
• To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi
<0-2> command.
• To allocate the number of FP blocks for the ACL VLAN optimization feature, use the cam-acl-vlan
vlanaclopt <0-2> command.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero
groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by
default, and you need to allocate the slices for CAM optimization.
To display the number of FP blocks that is allocated for the different VLAN services, you can use the show
cam-acl-vlan command. After CAM configuration for ACL VLAN groups is performed, reboot the
system to enable the settings to be stored in nonvolatile storage. During the initialization of CAM, the
chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP
addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs,
refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol
[TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are
processed in sequence so that if a packet does not match the criterion in the first filter, the second filter
(if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based
on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is
dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size.
For more information, refer to the Content Addressable Memory (CAM) chapter.
IP Access Control Lists (ACLs)
In Dell Networking switch/routers, you can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the
following criteria:
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP
ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning
sequence numbers to the filters as you enter them, or the Dell Networking operating system assigns
numbers in the order the filters are created. The sequence numbers are listed in the display output of the
show config and show ip accounting access-list commands.
Ingress and egress hot lock ACLs allow you to append or delete new rules into an existing ACL (already
written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to
accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and
extended ACLs.
NOTE: Hot lock ACLs are supported for Ingress ACLs only.
Implementing ACL on the Dell Networking OS
You can assign one IP ACL per interface with the Dell Networking OS. If you do not assign an IP ACL to
an interface, it is not used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries
allowed per ACL, refer to your line card documentation.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new
rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is
applicable to the following features:
• L2 Ingress Access list
• L2 Egress Access list
• L3 Ingress Access list
• L3 Egress Access list
NOTE: IP ACLs are supported over VLANs in the Dell Networking OS version 6.2.1.1 and higher.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is
installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. Whereas
if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each
port belonging to a port-pipe.
ACL Optimization
If an access list contains duplicate entries, the system deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM
entries whether it is identified as a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify
Traffic
When you link class-maps to queues using the service-queue command, the system matches the
class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
In the following example, class-map cmap1 (queue 7) is therefore matched against ingress packets
before cmap2 (queue 4). ACLs acl1 and acl2 have overlapping rules because the address range
20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range
20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these
packets to match positive against cmap2 and be buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules. The order can range from
0 to 254. The Dell Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers
closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By
default, all ACL rules have an order of 255.
Example of the order Keyword to Determine ACL Sequence
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface gig 1/0
Dell(conf-if-gi-1/0)#service-policy input pmap
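The following Python model of that lookup is an added example, not Dell Networking OS code. It assumes only what the text above states: rules are written to CAM lowest order first (default 255) and, for equal order, in queue-priority order, so the first CAM hit decides the queue. The function names and dictionary keys are this example's own, and the sample source addresses are constructed.

```python
"""Model of the class-map lookup order that the `order` keyword controls.

Added example, not Dell Networking OS code. Assumes the guide's statement
that lower `order` values are written to CAM first (default 255) and that
equal-order rules follow queue priority (higher queue number first).
"""
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = 255


def cam_write_order(rules):
    """Each rule: {"acl": name, "prefix": CIDR, "queue": int, "order": int (optional)}.
    Lower order first; within an order the higher-numbered queue's class-map
    is matched first."""
    return sorted(rules, key=lambda r: (r.get("order", DEFAULT_ORDER), -r["queue"]))


def classify(rules, src_ip):
    """Queue chosen for a packet from src_ip (a standard ACL matches the source)."""
    for rule in cam_write_order(rules):
        if ip_address(src_ip) in ip_network(rule["prefix"]):
            return rule["queue"]
    return None  # no class-map matched


def guide_example(with_order):
    """acl1 (20.0.0.0/8) feeds queue 7; acl2 (20.1.1.0/24) feeds queue 4."""
    rules = [
        {"acl": "acl1", "prefix": "20.0.0.0/8", "queue": 7},
        {"acl": "acl2", "prefix": "20.1.1.0/24", "queue": 4},
    ]
    if with_order:
        rules[1]["order"] = 0  # permit 20.1.1.0/24 order 0
    # Constructed sample sources: inside the /24, inside only the /8, outside both.
    return {ip: classify(rules, ip) for ip in ("20.1.1.10", "20.5.5.5", "192.0.2.1")}


if __name__ == "__main__":
    print("without order:", guide_example(False))
    print("with order 0: ", guide_example(True))
```

Without the keyword, the /24 packet lands in queue 7 because acl1's rule is written first; with order 0 on acl2's rule it lands in queue 4, and the /8-only packet still goes to queue 7.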
IP Fragment Handling
The Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets,
in particular second and subsequent fragments.
It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules
(permit/deny ip/tcp/udp/icmp).
• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment is denied and hence the
packet as a whole cannot be reassembled.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For IP ACL, the system always applies implicit deny. You do not have to configure it.
• For IP ACL, the system applies implicit permit for second and subsequent fragments prior to the
implicit deny.
• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit
rule for fragments.
IP Fragments ACL Examples
The following examples show how you can use ACL commands with the fragment keyword to filter
fragmented packets.
Example of Permitting All Packets on an Interface
The following configuration permits all packets (both fragmented and non-fragmented) with destination
IP 10.1.1.1. The second rule does not get hit at all.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)
Example of Denying Second and Subsequent Fragments
To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all
second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and
non-fragmented packets with destination IP 10.1.1.1.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)
Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
When configuring ACLs with the fragments keyword, be aware of the following.
When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.
Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.
Example of Layer 4 ACL Rules for TCP Packets
In this first example, first fragments or non-fragmented TCP packets from 10.1.1.1 with TCP destination
port equal to 24 are permitted. All other non-first fragments are denied by the explicit rule; anything
else falls to the implicit deny.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragments
Dell(conf-ext-nacl)
In the following example, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with
TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host
10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragments
Dell(conf-ext-nacl)#deny ip any any fragments
Dell(conf-ext-nacl)
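The following Python evaluator is an added example, not Dell Networking OS code. It encodes the fragment rules stated above (sequence order, a fragments line hitting only FO > 0, Layer 4 information matchable only at FO = 0, the implicit permit for non-first fragments ahead of the implicit deny) and replays the ACL ABC orderings and the two TCP examples against constructed packets. The Rule and Packet classes, the function names and the sample addresses are this example's own.

```python
"""Model of Dell Networking OS IP ACL evaluation with the fragments keyword.

Added illustration, not code from the Dell guide. Rule, Packet and the
function names are this example's own; the matching behaviour follows the
fragment-offset rules the guide states.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # CIDR or "any"; host x.x.x.x is x.x.x.x/32
    dst: str
    dport: Optional[int] = None   # eq <port>, i.e. Layer 4 information
    fragments: bool = False       # the fragments keyword


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    fo: int = 0                   # fragment offset; > 0 is a non-first fragment
    dport: Optional[int] = None   # only carried when fo == 0


def _net(text: str):
    return ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def _l3_match(rule: Rule, pkt: Packet) -> bool:
    # The protocol number is in every fragment's IP header, so it counts as L3.
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in _net(rule.src)
            and ip_address(pkt.dst) in _net(rule.dst))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not _l3_match(rule, pkt):
        return False
    if rule.fragments:
        # L3-only line with fragments: FO > 0 hits, FO = 0 goes to the next line.
        return pkt.fo > 0
    if rule.dport is not None:
        # Ports live in the first fragment only; a later fragment cannot match.
        return pkt.fo == 0 and pkt.dport == rule.dport
    # L3-only line without fragments: matches fragmented and unfragmented packets.
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, which line decided); lines are tried in seq order."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, f"seq {rule.seq}"
    if pkt.fo > 0:
        return "permit", "implicit permit for non-first fragments"
    return "deny", "implicit deny"


# The guide's ACL ABC in both orders, and its two Layer 4 examples.
PERMIT_THEN_DENY_FRAG = [Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
                         Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True)]
DENY_FRAG_THEN_PERMIT = [Rule(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
                         Rule(10, "permit", "ip", "any", "10.1.1.1/32")]
TCP_PORT_24 = [Rule(5, "permit", "tcp", "10.1.1.1/32", "any", dport=24),
               Rule(10, "deny", "ip", "any", "any", fragments=True)]
TCP_PORT_24_WITH_FRAGS = [Rule(5, "permit", "tcp", "10.1.1.1/32", "any", dport=24),
                          Rule(7, "permit", "tcp", "10.1.1.1/32", "any", fragments=True),
                          Rule(10, "deny", "ip", "any", "any", fragments=True)]

# Constructed packets (not from the guide).
FIRST_TO_HOST = Packet("192.0.2.9", "10.1.1.1", "udp", fo=0, dport=53)
LATER_TO_HOST = Packet("192.0.2.9", "10.1.1.1", "udp", fo=185)
TCP24_FIRST = Packet("10.1.1.1", "198.51.100.7", "tcp", fo=0, dport=24)
TCP_LATER = Packet("10.1.1.1", "198.51.100.7", "tcp", fo=185)
UDP_LATER = Packet("10.1.1.1", "198.51.100.7", "udp", fo=185)
UDP_FIRST_OTHER = Packet("10.1.1.1", "198.51.100.7", "udp", fo=0, dport=53)


def guide_outcomes() -> dict:
    """Decision for each constructed packet under each of the guide's ACLs."""
    return {
        "permit-then-deny, later fragment": evaluate(PERMIT_THEN_DENY_FRAG, LATER_TO_HOST),
        "deny-then-permit, later fragment": evaluate(DENY_FRAG_THEN_PERMIT, LATER_TO_HOST),
        "deny-then-permit, first fragment": evaluate(DENY_FRAG_THEN_PERMIT, FIRST_TO_HOST),
        "tcp24, first fragment to port 24": evaluate(TCP_PORT_24, TCP24_FIRST),
        "tcp24, later tcp fragment": evaluate(TCP_PORT_24, TCP_LATER),
        "tcp24, unfragmented udp": evaluate(TCP_PORT_24, UDP_FIRST_OTHER),
        "tcp24+frags, later tcp fragment": evaluate(TCP_PORT_24_WITH_FRAGS, TCP_LATER),
        "tcp24+frags, later udp fragment": evaluate(TCP_PORT_24_WITH_FRAGS, UDP_LATER),
        "tcp24 only, later fragment": evaluate([TCP_PORT_24[0]], UDP_LATER),
    }


if __name__ == "__main__":
    for name, (action, why) in guide_outcomes().items():
        print(f"{name:36s} {action:6s} ({why})")
```

The last case is the one to remember: with only a Layer 4 permit in the list and no explicit fragments deny, a non-first fragment is permitted by the implicit fragment permit, not dropped by the implicit deny.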
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.
For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command
Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL.
A standard IP ACL uses the source IP address as its match criterion.
1.
Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-listname
2.
Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[count [byte]] [order] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five.
When you use the log keyword, the CP logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these
packets’ details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting
access-list ACL-name interface interface command in EXEC Privilege mode.
Example of Viewing the Rules of a Specific ACL on an Interface
Dell#show ip accounting access-list ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
Dell#
Example of the seq Command to Order Filters
The following example shows how the seq command orders the filters according to the sequence
number assigned. In the example, filter 25 was configured before filter 15, but the show config
command displays the filters in the correct order.
Dell(conf-std-nacl)#seq 25 deny host 10.5.0.0
Dell(conf-std-nacl)#seq 15 permit 10.3.0.0/16
Dell(conf-std-nacl)#show config
!
ip access-list standard dilling
seq 15 permit 10.3.0.0/16
seq 25 deny host 10.5.0.0
Dell(conf-std-nacl)#
To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode.
Configuring a Standard IP ACL Filter
If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence
number based on the order in which the filters are configured. The software assigns filters in multiples of
five.
1.
Configure a standard IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list standard access-list-name
2.
Configure a drop or forward IP ACL filter.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte]]
[order] [fragments]
The following example shows a standard IP ACL in which the system assigns the sequence numbers. The
filters were assigned sequence numbers based on the order in which they were configured (for example,
the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST
mode displays the two filters with the sequence numbers 5 and 10.
Example of Viewing Filter Sequence for a Specified Standard ACL
Dell(conf)#ip access-list standard kigali
Dell(config-std-nacl)#permit 10.1.0.0/16
Dell(config-std-nacl)#show config
!
ip access-list standard kigali
seq 5 permit 10.1.0.0/16
seq 10 deny tcp any any eq 111
Dell(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC
Privilege mode.
Example of Viewing Standard ACL Filter Sequence for an Interface
Dell#show ip accounting access-list example interface gig 4/12
Extended IP access list example
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence
number of the filter you want to delete. Then use the no seq sequence-number command in IP
ACCESS LIST mode.
Configure an Extended IP ACL
Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP
host addresses, UDP addresses, and UDP host addresses.
Because traffic passes through the filter in the order of the filter’s sequence, you can configure the
extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the
filter.
Configuring Filters with a Sequence Number
To configure filters with a sequence number, use the following commands.
1.
Enter IP ACCESS LIST mode by creating an extended IP ACL.
CONFIGURATION mode
ip access-list extended access-list-name
2.
Configure a drop or forward filter.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp |
udp} {source mask | any | host ip-address} {destination mask | any | host
ip-address} [operator port [port]] [count [byte]] [order] [fragments]
When you create the filters with a specific sequence number, you can create the filters in any order and
the filters are placed in the correct order.
NOTE: When assigning sequence numbers to filters, you might need to insert a new filter. To
prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another
number.
The following examples shows how the seq command orders the filters according to the sequence
number assigned. In the example, filter 15 was configured before filter 5, but the show config
command displays the filters in the correct order.
Dell(conf-ext-nacl)#seq 15 deny ip host 112.45.0.0 any
Dell(conf-ext-nacl)#seq 5 permit tcp 12.1.3.45 255.255.0.0 any
Dell(conf-ext-nacl)#show config
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 255.255.0.0 any
seq 15 deny ip host 112.45.0.0 any
Dell(conf-ext-nacl)#
Configuring Filters Without a Sequence Number
If you are creating an extended ACL with only one or two filters, you can let the system assign a
sequence number based on the order in which the filters are configured. The system assigns filters in
multiples of five.
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the
following commands:
•
Configure a deny or permit filter to examine IP packets.
CONFIG-EXT-NACL mode
{deny | permit} {source mask | any | host ip-address} {destination mask | any | host
ip-address} [count [byte]] [order] [fragments]
•
Configure a deny or permit filter to examine TCP packets.
CONFIG-EXT-NACL mode
{deny | permit} tcp {source mask | any | host ip-address} {destination mask | any |
host ip-address} [operator port [port]] [count [byte]] [order] [fragments]
•
Configure a deny or permit filter to examine UDP packets.
CONFIG-EXT-NACL mode
{deny | permit} udp {source mask | any | host ip-address} {destination mask | any |
host ip-address} [operator port [port]] [count [byte]] [order] [fragments]
The following example shows an extended IP ACL in which the sequence numbers were assigned by the
software. The filters were assigned sequence numbers based on the order in which they were configured
(for example, the first filter was given the lowest sequence number). The show config command in IP
ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Example of Viewing Filter Sequence for a Specified Extended ACL
Dell(config-ext-nacl)#deny tcp host 123.55.34.0 any
Dell(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
Dell(config-ext-nacl)#show config
!
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
Dell(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip
accounting access-list command in EXEC Privilege mode, as shown in the first example in
Configuring a Standard IP ACL Filter.
Established Flag
To obtain the functionality of the est (established) keyword, which passes the return traffic of TCP
connections, use the following two filters:
•
permit tcp any any rst
•
permit tcp any any ack
These filters match on the flag bits alone: any packet carrying the ACK or RST bit is permitted, whether
or not it belongs to a connection that was opened from the inside. They provide no stateful inspection,
and a crafted packet with only ACK set (such as an ACK scan) passes them.
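The sequence ordering, first-match evaluation and the est substitute described above, as an added example that is not from the Dell guide: a Python model of an extended IP ACL. It parses filter lines in the form the guide shows (host, any, prefix-length, netmask and wildcard address forms, eq and range port operators, TCP flag keywords), assigns sequence numbers in multiples of five when none is given, orders filters by sequence number as show config does, and evaluates packets against the filters in that order with the implicit deny at the end. The class and method names, the lookup() call and the sample packets are this example's own assumptions, not Dell Networking OS code.

```python
# Added example (not from the Dell guide): a model of extended IP ACL ordering and
# first-match evaluation. Class, method and sample names are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

_PROTOS = {"ip", "tcp", "udp", "icmp"}
_TCP_FLAGS = {"ack", "rst", "syn", "fin", "psh", "urg"}
_OPTIONS = {"eq", "range", "count", "byte", "order", "fragments"} | _TCP_FLAGS
_ANY = ipaddress.ip_network("0.0.0.0/0")


def _looks_like_mask(tok: str) -> bool:
    return tok.startswith("/") or (tok.count(".") == 3 and tok.replace(".", "").isdigit())


def _net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A | A/len | A /len | A netmask | A wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return _ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if "/" not in tok and tokens and _looks_like_mask(tokens[0]):
        mask = tokens.pop(0)
        tok = tok + mask if mask.startswith("/") else f"{tok}/{mask}"
    if "/" not in tok:
        tok += "/32"
    # strict=False normalises 12.1.3.45/255.255.0.0 to 12.1.0.0/16, as show config does;
    # ipaddress accepts both a netmask (255.255.0.0) and a wildcard mask (0.0.255.255).
    return ipaddress.ip_network(tok, strict=False)


@dataclass
class Rule:
    seq: int
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]   # destination port range, or None
    flags: FrozenSet[str]              # TCP flags the packet must carry
    hits: int = 0                      # the count option


class AccessList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, line: str) -> Rule:
        """Parse one filter line. Without 'seq N' the next multiple of five is assigned."""
        tokens = line.split()
        if tokens[0] == "seq":
            seq, tokens = int(tokens[1]), tokens[2:]
        else:
            seq = (max((r.seq for r in self.rules), default=0) // 5 + 1) * 5
        action = tokens.pop(0)
        proto = tokens.pop(0) if tokens[0] in _PROTOS else "ip"
        src = _net(tokens)
        dst = _net(tokens) if tokens and tokens[0] not in _OPTIONS else _ANY
        ports, flags = None, set()
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                port = int(tokens.pop(0))
                ports = (port, port)
            elif tok == "range":
                ports = (int(tokens.pop(0)), int(tokens.pop(0)))
            elif tok in _TCP_FLAGS:
                flags.add(tok)
            # count/byte/order/fragments are accepted but have no effect here
        rule = Rule(seq, action, proto, src, dst, ports, frozenset(flags))
        self.rules = sorted(self.rules + [rule], key=lambda r: r.seq)
        return rule

    def sequence(self) -> List[int]:
        return [r.seq for r in self.rules]

    def lookup(self, proto, src, dst, dport=None, flags=()):
        """First matching filter decides; a packet that matches nothing is dropped."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r.proto != "ip" and r.proto != proto:
                continue
            if s not in r.src or d not in r.dst:
                continue
            if r.ports and (dport is None or not r.ports[0] <= dport <= r.ports[1]):
                continue
            if not r.flags <= set(flags):
                continue
            r.hits += 1
            return r.action, r.seq
        return "deny", None


def demo() -> AccessList:
    """Constructed sample list: filters entered out of order, then the est substitute."""
    acl = AccessList("nimule")
    acl.add("seq 15 deny ip host 112.45.0.0 any")
    acl.add("seq 5 permit tcp 12.1.3.45 255.255.0.0 any eq 22")
    acl.add("permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0")   # assigned seq 20
    acl.add("permit tcp any any ack")                                # seq 25
    acl.add("permit tcp any any rst")                                # seq 30
    acl.add("deny tcp any any")                                      # seq 35
    return acl
```

The last two lookups in the test below show the caveat from the Established Flag paragraph: a SYN from an unknown host is dropped by seq 35, but a packet from the same host with only ACK set is accepted by seq 25.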
Configure Layer 2 and Layer 3 ACLs
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode.
If both L2 and L3 ACLs are applied to an interface, the following rules apply:
•
When the system routes the packets, only the L3 ACL governs them because they are not filtered
against an L2 ACL.
•
When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them.
•
When the system switches the packets, the egress L3 ACL does not filter the packet.
For the following features, if you enable counters on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters are reset:
•
L2 ingress access list
•
L3 egress access list
•
L2 egress access list
•
L3 ingress access list
If a rule is simply appended, existing counters are not affected.
Table 4. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior    L3 ACL Behavior    Decision on Targeted Traffic
Deny               Deny               L3 ACL denies.
Deny               Permit             L3 ACL permits.
Permit             Deny               L3 ACL denies.
Permit             Permit             L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets.
The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features
(such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic.
For information about MAC ACLs, refer to Layer 2.
Assign an IP ACL to an Interface
To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel
interface, or a VLAN.
The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either
forwarded or dropped depending on the criteria and actions specified in the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL “ABCD” and apply it using the in keyword and it becomes an ingress access list. If you apply
the same ACL using the out keyword, it becomes an egress access list.
For more information about Layer-3 interfaces, refer to Interfaces.
Applying an IP ACL
To apply an IP ACL (standard or extended) to a physical or port channel interface, use the following
commands.
1.
Enter the interface number.
CONFIGURATION mode
interface interface slot/port
2.
Configure an IP address for the interface, placing it in Layer-3 mode.
INTERFACE mode
ip address ip-address
3.
Apply an IP ACL to traffic entering or exiting an interface.
INTERFACE mode
ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed
specification about entries allowed per ACL, refer to your line card documentation.
4.
Apply rules to the new ACL.
CONFIGURATION mode
ip access-list [standard | extended] name
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or
use the show running-config command in EXEC mode.
Example of Viewing ACLs Applied to an Interface
Dell(conf-if)#show conf
!
interface GigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
Dell(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL
entries.
In the MXL switch, each rule can count either packets (count) or bytes (count byte). Within a single ACL
with multiple rules, some rules can count packets and others can count bytes at any given time.
1.
Create an ACL that uses rules with the count option. Refer to Configuring a Standard IP ACL Filter.
2.
Apply the ACL as an inbound or outbound ACL on an interface. Refer to Assign an IP ACL to an
Interface.
3.
View the number of packets matching the ACL.
EXEC Privilege mode
show ip accounting access-list
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system.
Applying the ACL at the point where the target traffic enters the system eliminates the need to apply
ACLs to every other interface and achieves the same result with a simpler implementation.
To apply an ingress ACL, use the ip access-group command in INTERFACE mode. The example
shows applying the ACL, adding rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration
To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list
extended abcd command. To view the access-list, use the show command.
Dell(conf)#interface tengig 0/0
Dell(conf-if-tengig0/0)#ip access-group abcd in
Dell(conf-if-tengig0/0)#show config
!
tengigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
Dell(conf-if-tengig0/0)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(conf-ext-nacl)#permit tcp any any
Dell(conf-ext-nacl)#deny icmp any any
Dell(conf-ext-nacl)#permit 1.1.1.2
Dell(conf-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on tengigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Configure Egress ACLs
Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack,
malicious and incidental, by explicitly allowing only authorized traffic.
Applying the ACL at the point where the target traffic leaves the system eliminates the need to apply
ACLs to every other interface and achieves the same result with a simpler implementation.
To restrict egress traffic, use an egress ACL. For example, when denial of service (DoS) attack
traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from exiting
the box, thus protecting downstream devices.
To apply an egress ACL, use the ip access-group command in INTERFACE mode. The example
shows viewing the configuration, applying rules to the newly created access group, and viewing the
access list.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify egress, use the out keyword. Begin applying rules to the ACL with the ip access-list
extended abcd command. To view the access-list, use the show command.
Dell(conf)#interface tengig 0/0
Dell(conf-if-tengig0/0)#ip access-group abcd out
Dell(conf-if-tengig0/0)#show config
!
tengigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
Dell(conf-if-tengig0/0)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(conf-ext-nacl)#permit tcp any any
Dell(conf-ext-nacl)#deny icmp any any
Dell(conf-ext-nacl)#permit 1.1.1.2
Dell(conf-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Egress IP access list abcd on tengigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of
traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL
feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1.
Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2.
Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any |
host ip-address} count
Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group
management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU
traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface
MAC address instead of VRRP virtual MAC address.
IP Prefix Lists
IP prefix lists control routing policy.
An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix)
and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route
prefix does not match the criterion in the first filter, the second filter (if configured) is applied. When the
route prefix matches a filter, the system drops or accepts the route based on the filter’s designated
action. If the route prefix does not match any of the filters in the prefix list, the route is dropped (that is,
implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route
prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be
matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address
112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
The following examples show permit or deny filters for specific routes using the le and ge parameters,
where x.x.x.x/x represents a route prefix. Both bounds are inclusive:
•
To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8.
•
To permit routes with a mask from /8 through /12, enter permit x.x.x.x/x ge 8 le 12.
•
To deny routes with a mask of /24 or shorter, enter deny x.x.x.x/x le 24.
•
To permit routes with a mask of /20 or longer, enter permit x.x.x.x/x ge 20.
The following rules apply to prefix lists:
•
A prefix list without any permit or deny filters allows all routes.
•
An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a
permit or deny filter in a configured prefix list.
•
After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
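The ge/le windows and the processing rules listed above, as an added example that is not from the Dell guide: a Python model of prefix-list evaluation. It parses entries in the form the guide shows (with or without seq, with the space-separated "/16" form), normalises a prefix such as 120.23.14.0 /8 to 120.0.0.0/8 as show config does, orders entries by sequence number, and evaluates a route against them in order: the route's leading bits must equal the entry's prefix, its length must fall inside the ge/le window (exactly the entry's length when neither is given), the first match decides, an empty list permits everything, and a non-empty list with no match drops the route. The class and method names and the sample lists are this example's own assumptions, not Dell Networking OS code.

```python
# Added example (not from the Dell guide): prefix-list matching with ge/le windows,
# first-match processing and the implicit deny. Names are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]
    hits: int = 0

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """Leading bits must equal the entry's prefix; the route length must lie in the
        window: [ge, le], [ge, 32], [prefixlen, le], or exactly prefixlen."""
        plen = self.prefix.prefixlen
        if route.prefixlen < plen or route.network_address not in self.prefix:
            return False
        lo = self.ge if self.ge is not None else plen
        hi = self.le if self.le is not None else (32 if self.ge is not None else plen)
        return lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, line: str) -> Entry:
        """Parse '[seq N] {permit|deny} A.B.C.D/X [ge N] [le N]'; '/X' may be a separate token."""
        tokens = line.split()
        if tokens[0] == "seq":
            seq, tokens = int(tokens[1]), tokens[2:]
        else:
            seq = (max((e.seq for e in self.entries), default=0) // 5 + 1) * 5
        action = tokens.pop(0)
        prefix = tokens.pop(0)
        if tokens and tokens[0].startswith("/"):
            prefix += tokens.pop(0)
        ge = le = None
        while tokens:
            key, val = tokens.pop(0), int(tokens.pop(0))
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        # strict=False turns 120.23.14.0/8 into 120.0.0.0/8, as show config displays it
        entry = Entry(seq, action, ipaddress.ip_network(prefix, strict=False), ge, le)
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)
        return entry

    def show_config(self) -> List[str]:
        lines = []
        for e in self.entries:
            text = f"seq {e.seq} {e.action} {e.prefix}"
            if e.ge is not None:
                text += f" ge {e.ge}"
            if e.le is not None:
                text += f" le {e.le}"
            lines.append(text)
        return lines

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First matching entry decides. An empty list permits every route; a non-empty
        list with no matching entry drops the route (implicit deny)."""
        if not self.entries:
            return "permit", None
        r = ipaddress.ip_network(route)
        for e in self.entries:
            if e.matches(r):
                e.hits += 1
                return e.action, e.seq
        return "deny", None


def juba() -> PrefixList:
    """The guide's juba list, entered out of order as in its example."""
    pl = PrefixList("juba")
    pl.add("seq 20 permit 0.0.0.0/0 le 32")
    pl.add("seq 12 deny 134.23.0.0 /16")
    pl.add("seq 15 deny 120.23.14.0 /8 le 16")
    return pl


def windows() -> PrefixList:
    """Constructed list: deny only /8 prefixes, then permit /8 through /12 inclusive."""
    pl = PrefixList("windows")
    pl.add("deny 0.0.0.0/0 ge 8 le 8")
    pl.add("permit 0.0.0.0/0 ge 8 le 12")
    return pl
```

Note in the juba results that 134.23.5.0/24 is not caught by seq 12: without ge or le, an entry matches only a route of exactly its own length, so a more specific route slips through to the permit-all entry.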
Implementation Information
In the Dell Networking OS, prefix lists are used in processing routes for routing protocols (for example,
router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]).
NOTE: The MXL Switch platform does not support all protocols. It is important to know which
protocol you are supporting prior to implementing prefix lists.
Configuration Task List for Prefix Lists
To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP
modes.
Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER
OSPF and ROUTER BGP modes.
The following list includes the configuration tasks for prefix lists, as described in the following sections.
•
Configuring a prefix list
•
Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command
Line Interface Reference Guide.
Creating a Prefix List
To create a prefix list, use the following commands.
1.
Create a prefix list and assign it a unique name. You are now in PREFIX LIST mode.
CONFIGURATION mode
ip prefix-list prefix-name
2.
Create a prefix list with a sequence number and a deny or permit action.
CONFIG-NPREFIXL mode
seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le
max-prefix-length]
The optional parameters are:
•
ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
•
le max-prefix-length: the maximum prefix length to match (from 0 to 32).
Example of Assigning Sequence Numbers to Filters
If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to
permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix
list. To permit the default route only, enter permit 0.0.0.0/0.
The following example shows how the seq command orders the filters according to the sequence
number assigned. In the example, filter 20 was configured before filter 15 and 12, but the show config
command displays the filters in the correct order.
Dell(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
Dell(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
Dell(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a
prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
If you are creating a standard prefix list with only one or two filters, you can let the system assign a
sequence number based on the order in which the filters are configured. The system assigns filters in
multiples of five.
Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1.
Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2.
Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
•
ge min-prefix-length: is the minimum prefix length to be matched (from 0 to 32).
•
le max-prefix-length: is the maximum prefix length to be matched (from 0 to 32).
Example of Creating Filters with Dell Networking OS-Assigned Sequence Numbers
The example shows a prefix list in which the sequence numbers were assigned by the software. The filters
were assigned sequence numbers based on the order in which they were configured (for example, the
first filter was given the lowest sequence number). The show config command in PREFIX LIST mode
displays the two filters with the sequence numbers 5 and 10.
Dell(conf-nprefixl)#permit 123.23.0.0 /16
Dell(conf-nprefixl)#deny 133.24.56.0 /8
Dell(conf-nprefixl)#show conf
!
ip prefix-list awe
seq 5 permit 123.23.0.0/16
seq 10 deny 133.0.0.0/8
Dell(conf-nprefixl)#
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence
number of the filter you want to delete, then use the no seq sequence-number command in PREFIX
LIST mode.
Viewing Prefix Lists
To view all configured prefix lists, use the following commands.
•
Show detailed information about configured prefix lists.
EXEC Privilege mode
show ip prefix-list detail [prefix-name]
•
Show a table of summarized information about configured prefix lists.
EXEC Privilege mode
show ip prefix-list summary [prefix-name]
Example of the show ip prefix-list detail Command
Dell>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
Dell>
Example of the show ip prefix-list summary Command
Dell>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
Dell>
Applying a Prefix List for Route Redistribution
To filter routes through a configured prefix list, use the prefix list in a route redistribution
command.
Apply the prefix list to all routes redistributed into the routing process. Each route is either accepted or
dropped, depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP, use the following commands.
•
Enter RIP mode.
CONFIGURATION mode
router rip
•
Apply a configured prefix list to incoming routes. You can specify an interface.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name in [interface]
•
Apply a configured prefix list to outgoing routes. You can specify an interface or type of route.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name out [interface | connected | static | ospf]
Example of Viewing Configured Prefix Lists (ROUTER RIP mode)
To view the configuration, use the show config command in ROUTER RIP mode, or the show
running-config rip command in EXEC mode.
Dell(conf-router_rip)#show config
!
router rip
distribute-list prefix juba out
network 10.0.0.0
Dell(conf-router_rip)#router ospf 34
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
•
Enter OSPF mode.
CONFIGURATION mode
router ospf
•
Apply a configured prefix list to incoming routes. You can specify an interface.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name in [interface]
•
Apply a configured prefix list to outgoing routes. You can specify which type of routes are affected.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name out [connected | rip | static]
Example of Viewing Configured Prefix Lists (ROUTER OSPF mode)
To view the configuration, use the show config command in ROUTER OSPF mode, or the show
running-config ospf command in EXEC mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
Dell(conf-router_ospf)#
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list.
The placement of rules within the list is critical because packets are matched against rules in sequential
order. Use resequencing whenever the current numbering leaves no room to insert a new rule at the
position where it is needed.
For example, the following table contains some rules that are numbered in increments of 1. You cannot
place new rules between these rules, so apply resequencing to create numbering space, as shown in
the second table. In the same example, apply resequencing if more than two rules must be placed
between rules 7 and 10.
You can resequence IPv4 ACLs, prefix lists, and MAC ACLs. No CAM writes happen as a result of
resequencing, so there is no packet loss; the behavior is similar to Hot-lock ACLs.
NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied.
Resequencing merely renumbers the rules so that you can place new rules within the list as needed.
Table 5. ACL Resequencing
Rules Before Resequencing            Rules After Resequencing
seq 5 permit any host 1.1.1.1        seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2        seq 10 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.3        seq 15 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4       seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 ACLs, prefix lists, and MAC ACLs.
To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting
number, and increment when using these commands.
•
Resequence an IPv4 or MAC ACL.
EXEC mode
resequence access-list {ipv4 | mac} {access-list-name StartingSeqNum Step-to-Increment}
•
Resequence an IPv4 prefix-list.
EXEC mode
resequence prefix-list {ipv4} {prefix-list-name StartingSeqNum Step-to-Increment}
The examples show the resequencing of an IPv4 access-list beginning with the number 2 and
incrementing by 2.
Example of Resequencing ACLs When Remarks and Rules Have the Same Number
Remarks and rules that originally have the same sequence number have the same sequence number after
you apply the resequence command.
Dell(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
Example of Resequencing ACLs When Remarks and Rules Have Different Numbers
Remarks that do not have a corresponding rule are incremented as if they were rules. These two
mechanisms allow remarks to retain their original position in the list. The following example shows
remark 10 corresponding to rule 10; as such, they have the same number before and after the command is
entered. Remark 4 is incremented as a rule, and all rules have retained their original positions.
Dell(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
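The renumbering described above, as an added example that is not from the Dell guide: a Python function that applies the two rules the text states (a remark sharing a number with a rule keeps that rule's new number; a remark with no corresponding rule takes a numbering slot of its own) to a show config listing, and a helper that reports how many new rules fit between two existing numbers. The input listing is constructed from the guide's example; the function names are this example's own and do not correspond to any Dell Networking OS command.

```python
# Added example (not from the Dell guide): the renumbering that 'resequence' performs on
# rules and remarks. Function names and the sample listing are this example's own.
from typing import Dict, List, Tuple

Item = Tuple[str, int, str]   # ("remark" | "seq", number, rest of the line)


def parse_listing(lines: List[str]) -> List[Item]:
    """Keep the 'remark N text' and 'seq N rule' lines of a show config listing."""
    items: List[Item] = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and parts[0] in ("remark", "seq"):
            items.append((parts[0], int(parts[1]), parts[2]))
    return items


def resequence(items: List[Item], start: int, step: int) -> List[Item]:
    """Assign start, start+step, ... to each distinct original number, in list order.
    A remark and a rule that share an original number therefore share the new one,
    and a remark with no rule of its own consumes a slot like a rule would."""
    ordered = sorted(items, key=lambda it: it[1])   # stable: a remark stays ahead of its rule
    renumber: Dict[int, int] = {}
    for _, num, _ in ordered:
        if num not in renumber:
            renumber[num] = start + step * len(renumber)
    return [(kind, renumber[num], rest) for kind, num, rest in ordered]


def free_slots(after: int, before: int) -> int:
    """Number of new rules that fit between two existing sequence numbers."""
    return max(0, before - after - 1)


def render(items: List[Item]) -> List[str]:
    return [f"{kind} {num} {rest}" for kind, num, rest in items]


# Constructed from the guide's 'before' listing.
BEFORE = [
    "!",
    "ip access-list extended test",
    "remark 4 XYZ",
    "remark 5 this remark corresponds to permit any host 1.1.1.1",
    "seq 5 permit ip any host 1.1.1.1",
    "remark 9 ABC",
    "remark 10 this remark corresponds to permit ip any host 1.1.1.2",
    "seq 10 permit ip any host 1.1.1.2",
    "seq 15 permit ip any host 1.1.1.3",
    "seq 20 permit ip any host 1.1.1.4",
]


def demo(start: int = 2, step: int = 2) -> List[str]:
    """'resequence access-list ipv4 test 2 2' applied to BEFORE."""
    return render(resequence(parse_listing(BEFORE), start, step))
```

With the guide's starting number 2 and step 2 the numbers come out as 2, 4, 4, 6, 8, 8, 10, 12: remark 4 takes the first slot alone, rule 5 and its remark share the second, remark 9 takes the third, and so on. The same function serves prefix lists, which have no remarks.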
Route Maps
Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a
matching criterion and an action; however, route maps can change the packets meeting the criterion.
ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route
redistribution. For example, a route map can be called to filter only specific routes and to add a metric.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists, however, where the packet or route
is dropped, in route maps, if a route does not match any of the route map conditions, the route is not
redistributed.
Implementation Information
The Dell Networking OS implementation of route maps allows route maps with no match or no set
commands. When there is no match command, all routes match the route map and the set command
applies.
Important Points to Remember
•
For route-maps with more than one match clause:
– If two or more match clauses within the same route-map sequence use the same match
command (though the values are different), matching a route against these clauses is a logical
OR operation.
– If two or more match clauses within the same route-map sequence use different match
commands, matching a route against these clauses is a logical AND operation.
•
If no match is found in a route-map sequence, the process moves to the next route-map sequence
until a match is found, or there are no more sequences.
•
When a match is found, the permit or deny action of that sequence is applied to the route and no more
route-map sequences are processed.
– If a continue clause is included in the route-map sequence, the next or a specified route-map
sequence is processed after a match is found.
Configuration Task List for Route Maps
Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP
and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps, as described in the following sections.
•
Create a route map (mandatory)
•
Configure route map filters (optional)
•
Configure a route map for route redistribution (optional)
•
Configure a route map for route tagging (optional)
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but in a
route map the permit or deny action belongs to the route map instance as a whole rather than to each
filter, as it does in ACLs and prefix lists.
Route map filters match certain routes and set or specify values.
To create a route map, use the following command.
•
Create a route map and assign it a unique name. The optional permit and deny keywords are the
action of the route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
The default is permit.
The optional sequence-number allows you to assign a sequence number to the route map instance.
The default action is permit and the default sequence number starts at 10. When you use the keyword
deny in configuring a route map, routes that meet the match filters are not redistributed.
Example of Viewing a Configured Route Map
To view the configuration, use the show config command in ROUTE-MAP mode.
Dell(config-route-map)#show config
!
route-map dilling permit 10
Dell(config-route-map)#
Example of Multiple Instances of a Route-Map
You can create multiple instances of this route map by using the sequence number option to place the
route maps in the correct order. The system processes the route maps with the lowest sequence number
first. When a configured route map is applied to a command, such as redistribute, traffic passes
through all instances of that route map until a match is found. The following is an example with two
instances of a route map.
Dell#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface TenGigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
Example of Deleting One Instance of a Route Map
To delete all instances of that route map, use the no route-map map-name command. To delete just
one instance, add the sequence number to the command syntax.
Dell(conf)#no route-map zakho 10
Dell(conf)#end
Dell#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface TenGigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
Example of Viewing All Instances of a Specified Route Map
The following example shows a route map with multiple instances. The show config command displays
only the configuration of the current route map instance. To view all instances of a specific route map,
use the show route-map command.
Dell#show route-map dilling
route-map dilling, permit, sequence 10
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
interface Loopback 23
Set clauses:
tag 3444
Dell#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
•
match commands search for a certain criterion in the routes.
•
set commands change the characteristics of routes, either adding something or specifying a level.
When there are multiple match commands with the same parameter under one instance of a route-map,
the system matches a route if it satisfies ANY of those match commands. If there are multiple match
commands with different parameters, the system matches a route ONLY if it satisfies ALL the match
commands.
Example of the match Command to Match Any of Several Values
In the following example, there is a match if a route has any of the tag values specified in the match
commands.
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match tag 2000
Dell(config-route-map)#match tag 3000
Example of the match Command to Match All Specified Values
In the next example, there is a match only if a route has both of the specified characteristics. In this
example, there is a match only if the route has a tag value of 1000 and a metric value of 2000.
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match metric 2000
Also, if there are different instances of the same route-map, it is sufficient if a permit match happens
in any instance of that route-map.
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and
30 deny the route having a tag value of 1000. In this scenario, the system scans all the instances of the
route-map for any permit statement. If there is a match anywhere, the route is permitted. However, other
instances of the route-map deny it.
Example of the match Command to Permit and Deny Routes
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(conf)#route-map force deny 20
Dell(config-route-map)#match tag 1000
Dell(conf)#route-map force deny 30
Dell(config-route-map)#match tag 1000
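The three examples above (any-of for repeated values of one parameter, all-of across different parameters, and a permit in one instance alongside denies in later instances) can be checked against a small model of route-map evaluation. The following Python is an added example, not Dell Networking OS code or output. It assumes the standard sequential, first-match evaluation of route-map instances with an implicit deny at the end, models only the tag, metric, interface and route-type attributes, and the "test" route map that exercises a continue clause is constructed for this example rather than taken from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    """Minimal route record: only the attributes the match commands below inspect."""
    prefix: str
    tag: int = 0
    metric: int = 0
    interface: str = ""
    route_type: str = "internal"


@dataclass
class Instance:
    """One route-map sequence, e.g. 'route-map force permit 10'."""
    seq: int
    action: str                                          # "permit" or "deny"
    matches: Dict[str, List[object]] = field(default_factory=dict)
    sets: Dict[str, object] = field(default_factory=dict)
    continue_seq: Optional[int] = None                   # None: no continue; 0: next sequential instance

    def add_match(self, param: str, value: object) -> "Instance":
        # Repeated 'match <same parameter>' lines accumulate into one any-of list.
        self.matches.setdefault(param, []).append(value)
        return self

    def matches_route(self, route: Route) -> bool:
        # Values under one parameter are ORed; different parameters are ANDed.
        return all(getattr(route, p) in vals for p, vals in self.matches.items())


class RouteMap:
    def __init__(self, name: str):
        self.name = name
        self.instances: Dict[int, Instance] = {}

    def instance(self, seq: int, action: str) -> Instance:
        inst = self.instances.setdefault(seq, Instance(seq, action))
        inst.action = action
        return inst

    def evaluate(self, route: Route) -> Tuple[bool, Dict[str, object]]:
        """Return (permitted, accumulated set clauses) for one route.

        Instances are tried in sequence order. The first matching instance decides, unless it carries
        a continue clause, in which case matching resumes at the named (or next) instance and the set
        clauses of every matching permit instance accumulate. A matching deny instance denies the
        route; a route that matches nothing is denied by the implicit deny at the end (assumed here).
        """
        order = sorted(self.instances)
        permitted, applied = False, {}
        i = 0
        while i < len(order):
            inst = self.instances[order[i]]
            if not inst.matches_route(route):
                i += 1
                continue
            if inst.action == "deny":
                return False, {}
            permitted = True
            applied.update(inst.sets)
            if inst.continue_seq is None:
                break
            target = inst.continue_seq or (order[i + 1] if i + 1 < len(order) else None)
            if target is None or target <= inst.seq:
                break
            i = next((k for k, s in enumerate(order) if s >= target), len(order))
        return permitted, applied


def page_examples() -> Dict[str, RouteMap]:
    """Rebuild the three 'force' route maps from the text plus a constructed continue example."""
    any_of = RouteMap("force")
    inst = any_of.instance(10, "permit")
    for tag in (1000, 2000, 3000):
        inst.add_match("tag", tag)

    all_of = RouteMap("force")
    all_of.instance(10, "permit").add_match("tag", 1000).add_match("metric", 2000)

    permit_deny = RouteMap("force")
    permit_deny.instance(10, "permit").add_match("tag", 1000)
    permit_deny.instance(20, "deny").add_match("tag", 1000)
    permit_deny.instance(30, "deny").add_match("tag", 1000)

    # Constructed: instance 10 sets a metric and continues at 30 (skipping 20), which sets a tag.
    cont = RouteMap("test")
    i10 = cont.instance(10, "permit").add_match("tag", 1000)
    i10.sets["metric"] = 50
    i10.continue_seq = 30
    cont.instance(20, "permit").add_match("tag", 1000).sets["tag"] = 9
    cont.instance(30, "permit").add_match("route_type", "internal").sets["tag"] = 34
    return {"any": any_of, "all": all_of, "permit_deny": permit_deny, "continue": cont}


if __name__ == "__main__":
    maps = page_examples()
    for name, route in [("any", Route("10.1.0.0/16", tag=2000)),
                        ("all", Route("10.2.0.0/16", tag=1000, metric=1)),
                        ("permit_deny", Route("10.3.0.0/16", tag=1000)),
                        ("continue", Route("10.4.0.0/16", tag=1000))]:
        print(name, route.prefix, maps[name].evaluate(route))
```

The model makes the permit/deny example concrete: the route with tag 1000 is permitted by instance 10 and the deny instances 20 and 30 are never consulted, so adding denies after a matching permit does not filter the route; to deny it, the deny instance must have a lower sequence number than the permit.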
Configuring Match Routes
To configure match criterion for a route map, use the following commands.
• Match routes whose next hop is a specific interface.
CONFIG-ROUTE-MAP mode
match interface interface
The parameters are:
– For a Loopback interface, enter the keyword loopback then a number between zero (0) and 16383.
– For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet then the slot/port information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094.
• Match destination routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip address prefix-list-name
• Match routes whose next hop is specified in an access list or prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match routes whose source is specified in an access list or prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match routes with a specific metric value.
CONFIG-ROUTE-MAP mode
match metric metric-value
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated.
CONFIG-ROUTE-MAP mode
match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
• Match routes with a specific tag.
CONFIG-ROUTE-MAP mode
match tag tag-value
To create route map instances, use these commands. There is no limit to the number of match
commands per route map, but the convention is to keep the number of match filters in a route map low.
Set commands do not require a corresponding match command.
Configuring Set Conditions
To configure a set condition, use the following commands.
• Generate a tag to be added to redistributed routes.
CONFIG-ROUTE-MAP mode
set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes.
CONFIG-ROUTE-MAP mode
set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
• Specify a metric value for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric {+ | - | metric-value}
• Specify an OSPF or ISIS metric type for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route's next hop.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
• Specify a tag for the redistributed routes.
CONFIG-ROUTE-MAP mode
set tag tag-value
To create route map instances, use these commands. There is no limit to the number of set commands
per route map, but the convention is to keep the number of set filters in a route map low. Set commands
do not require a corresponding match command.
Configure a Route Map for Route Redistribution
Route maps on their own cannot affect traffic and must be included in different commands to affect
routing traffic. To apply a route map to traffic, you must call or include that route map in a command
such as the redistribute or default-information originate commands in OSPF and BGP.
Route redistribution occurs when the system advertises routes it learned from static or directly
connected routes, or from another routing protocol. Different protocols assign different values to
redistributed routes to identify the routes and their origins. The metric value is the most common
attribute that is changed to properly redistribute other routes into a routing protocol. Other attributes
that can be changed include the metric type (for example, external and internal route types in OSPF) and
the route tag.
Use the redistribute command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes
that are redistributed into those protocols.
Route maps add to that redistribution capability by allowing you to match specific routes and set or
change more attributes when redistributing those routes.
In the following example, the redistribute command calls the route map staticospf to
redistribute only certain static routes into OSPF. According to the route map staticospf, only routes
that have a next hop of interface GigabitEthernet 0/0 and that have a metric of 255 are redistributed into
the OSPF backbone area.
NOTE: When re-distributing routes using route-maps, you must create the route-map defined in
the redistribute command under the routing protocol. If you do not create a route-map, NO
routes are redistributed.
Example of Calling a Route Map to Redistribute Specified Routes
router ospf 34
default-information originate metric-type 1
redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
!
route-map staticospf permit 10
match interface GigabitEthernet 0/0
match metric 255
set level backbone
Configure a Route Map for Route Tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that
protocol.
As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it
passes through different routing protocols. You can use this tag when the route leaves a routing domain
to redistribute those routes again.
In the following example, the redistribute ospf command with a route map is used in ROUTER RIP
mode to apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.
Example of the redistribute Command Using a Route Tag
!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!
Continue Clause
Normally, when a route matches an instance, the set clauses of that instance are executed and
processing of the route ends; no further route-map modules are evaluated for that route.
If you configure the continue command at the end of a module, the next module (or a specified
module) is processed even after a match is found. The following example shows a continue clause at the
end of a route-map module. In this example, if a match is found in the route-map “test” module 10,
module 30 is processed.
NOTE: If you configure the continue clause without specifying a module, the next sequential
module is processed.
Example of Using the continue Clause in a Route Map
!
route-map test permit 10
match community comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30
!
Logging of ACL Processes
To assist in the administration and management of traffic that traverses the device after being validated
by the configured ACLs, you can enable the generation of logs for access control list (ACL) processes.
Although you can configure ACLs with the required permit or deny filters to provide access to the
incoming packet or disallow access to a particular user, it is also necessary to monitor and examine the
traffic that passes through the device. To evaluate network traffic that is subjected to ACLs, configure the
logs to be triggered for ACL operations. This functionality is primarily needed for network supervision and
maintenance activities of the handled subscriber traffic.
When ACL logging is configured, and a frame reaches an ACL-enabled interface and matches the ACL, a
log is generated to indicate that the ACL entry matched the packet.
When you enable ACL log messages, depending on the volume of traffic, a large number of logs might be
generated, which can impact system performance. To avoid an overload of ACL logs, you can configure
rate limiting: specify the interval at which ACL logs are triggered, and the threshold for the maximum
number of logs generated within that interval. If you do not specify the interval, a default of 5 minutes is
used. If you do not specify the threshold, a default of 10 is used; this value is the number of packets
matching the ACL entry that are logged per interval.
A Layer 2 or Layer 3 ACL contains a set of defined rules that are saved as flow processor (FP) entries.
When you enable ACL logging for a particular ACL rule, that rule translates to a set of FP entries. You
can enable logging separately for each of these FP entries, which correspond to the ACL entries
configured in an ACL. Dell Networking OS saves a table in its database that identifies each logged ACL
entry by the ACL name, the sequence number of the rule, and the interface index. When the configured
maximum threshold has been exceeded, log generation stops. When the configured logging interval
expires, a fresh interval timer starts and the packet count for the new interval begins from zero. If ACL
logging was stopped because the threshold had been exceeded, it is re-enabled for the new interval.
The ACL application sends the ACL logging configuration information and other details, such as the
action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service
collects the ACL log and records the following attributes per log message.
• For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and
destination MAC addresses, EtherType, and ingress interface are the logged attributes.
• For IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination
MAC addresses, source and destination IP addresses, and the transport layer protocol used are the
logged attributes.
• For IP packets whose transport layer protocol is Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP), the ACL name, sequence number, ACL action (permit or deny), source and
destination MAC addresses, source and destination IP addresses, and the source and destination ports
(Layer 4 parameters) are also recorded.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these
parameters are saved as Unknown in the log message. If you also enable the packet count for the ACL
entry, and logging is deactivated in a specific interval because the threshold has been exceeded, the
number of matching packets that exceeded the logging threshold during that interval is recorded when
the next log record (in the following interval) is generated for that ACL entry.
Guidelines for Configuring ACL Logging
Keep the following points in mind when you configure logging of ACL activities:
• During initialization, the ACL logging application tags the ACL rule indices for which a match
condition exists as in-use, which ensures that the same rule indices are not reused by ACL logging.
• The ACL configuration information that the ACL logging application receives from the ACL manager
causes the allocation and release of the match rule number. A unique match rule number is created for
each combination of ACL entry, sequence number, and interface.
• The ACL logging application keeps separate sets of match indices for the permit and deny actions.
Depending on the action of an ACL entry, the corresponding match index is allocated from the set
maintained for that action.
• A maximum of 125 ACL entries with permit action can be logged. A maximum of 126 ACL entries with
deny action can be logged.
• For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry that was
enabled for ACL logging is deleted, the match rule number it used is released back to the pool of
available match indices so that it can be reused for subsequent allocations.
• If you enabled the packet count for an ACL entry for which you configured logging, and logging is
deactivated in a specific interval because the threshold has been exceeded, the number of packets that
exceeded the logging threshold during that interval is logged when the next log record (in the following
interval) is generated for that ACL entry.
• When you delete an ACL entry, the logging settings associated with it are also removed.
• ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended
MAC ACLs.
• For ACL entries applied on port-channel interfaces, one match index is assigned for every member
interface of the port channel, so the 251 available match indices are consumed faster (the 251 indices
are split into 125 for the permit action and 126 for the deny action).
• You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable
logging for ACLs on egress interfaces.
• The total number of match rule indices is 255; four are used by other modules, leaving 251 indices
available for ACL logging.
Configuring ACL Logging
To configure the maximum number of ACL log messages to be generated and the frequency at which
these messages must be generated, perform the following steps:
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can
enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and
extended MAC ACLs.
1. Specify the maximum number of ACL logs, or threshold, that can be generated in an interval by using
the threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the
specified maximum, the generation of ACL logs stops until the interval expires. You can enter a threshold
in the range of 1-100. By default, 10 ACL logs are generated per interval if you do not specify the
threshold explicitly.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[log [threshold-in-msgs count]]
2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the
range of 1-10 minutes. The default interval at which ACL logs are generated is 5 minutes. If ACL
logging is stopped because the configured threshold has been exceeded, it is re-enabled after the
logging interval elapses. ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs,
and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to
ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[log [interval minutes]]
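The threshold and interval behaviour described in Logging of ACL Processes, and configured by the two steps above, amounts to a per-entry rate limiter whose overflow count is carried into the first record of the next interval. The following Python is an added example that models that behaviour for offline study, not Dell Networking OS code; the entry key (ACL name, sequence number, action, ingress interface), the record attribute selection, and the two sample packets are constructed from the text, and the alignment of intervals to the first match of each entry is a simplification of the switch's free-running interval timer.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Identity of a logging entry as the text describes it: ACL name, rule sequence, action, interface.
EntryKey = Tuple[str, int, str, str]


@dataclass
class EntryState:
    t0: float                 # first match seen for this entry; windows are aligned from here (assumption)
    window: int = 0           # index of the current logging interval
    logged: int = 0           # records emitted in the current interval
    suppressed: int = 0       # matches dropped after the threshold in the current interval
    carried: int = 0          # overflow of the previous interval, reported once in the next record


def format_record(key: EntryKey, pkt: dict) -> dict:
    """Select the attributes the text lists for non-IP, IP, and TCP/UDP packets."""
    acl, seq, action, ingress = key
    rec = {"acl": acl, "seq": seq, "action": action, "ingress": ingress,
           "src_mac": pkt["src_mac"], "dst_mac": pkt["dst_mac"]}
    eth_type = pkt.get("eth_type")
    if eth_type in (0x0800, 0x86DD):
        proto = pkt.get("proto")
        rec.update(src_ip=pkt["src_ip"], dst_ip=pkt["dst_ip"],
                   proto=IP_PROTOS.get(proto, "Unknown"))
        if proto in (6, 17):
            rec.update(src_port=pkt["src_port"], dst_port=pkt["dst_port"])
    else:
        rec["eth_type"] = ETHERTYPES.get(eth_type, "Unknown")
    return rec


class AclLogger:
    """Per-entry threshold/interval limiter with the defaults and ranges given in the text."""

    def __init__(self, threshold: int = 10, interval_minutes: int = 5, count: bool = True):
        if not 1 <= threshold <= 100:
            raise ValueError("threshold-in-msgs must be 1-100")
        if not 1 <= interval_minutes <= 10:
            raise ValueError("interval must be 1-10 minutes")
        self.threshold = threshold
        self.interval = interval_minutes * 60.0
        self.count = count
        self.state: Dict[EntryKey, EntryState] = {}

    def observe(self, key: EntryKey, now: float, pkt: dict) -> Optional[dict]:
        """Called for every packet that matched the entry; returns a log record or None."""
        st = self.state.get(key)
        if st is None:
            st = self.state[key] = EntryState(t0=now)
        window = int((now - st.t0) // self.interval)
        if window != st.window:
            # Interval timer expired: the packet count restarts from zero and logging is
            # re-enabled. The overflow of the last interval is carried into the next record.
            st.window = window
            st.carried = st.suppressed if self.count else 0
            st.logged = 0
            st.suppressed = 0
        if st.logged >= self.threshold:
            st.suppressed += 1          # threshold reached: count the match, do not log it
            return None
        st.logged += 1
        rec = format_record(key, pkt)
        if st.carried:
            rec["suppressed_in_previous_interval"] = st.carried
            st.carried = 0
        return rec


# Constructed sample packets (not captured traffic).
TCP_SYN = {"eth_type": 0x0800, "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
           "src_ip": "192.168.20.7", "dst_ip": "173.168.20.9", "proto": 6,
           "src_port": 40000, "dst_port": 22}
UNKNOWN_FRAME = {"eth_type": 0x88B5, "src_mac": "00:11:22:33:44:55", "dst_mac": "ff:ff:ff:ff:ff:ff"}


def demo() -> Tuple[int, dict, dict]:
    """15 matches inside one interval, then one match after the 5-minute timer has expired."""
    logger = AclLogger()
    key = ("kar", 5, "deny", "TenGigabitEthernet 0/1")
    records = [logger.observe(key, float(i), TCP_SYN) for i in range(15)]
    first_of_next = logger.observe(key, 301.0, TCP_SYN)
    other = logger.observe(("mac-kar", 10, "permit", "TenGigabitEthernet 0/2"), 0.0, UNKNOWN_FRAME)
    return sum(r is not None for r in records), first_of_next, other


if __name__ == "__main__":
    print(demo())
```

With the defaults, the first ten matches in an interval produce records and the remaining five are only counted; the record that opens the next interval reports those five, so a reader of the logs can tell that the entry was saturated rather than assuming only ten packets matched.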
Flow-Based Monitoring Support for ACLs
Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic
on the interface. It is available for Layer 2 and Layer 3 ingress traffic. You specify the traffic using
standard or extended access lists. Whereas port mirroring copies all incoming packets on one port and
forwards (mirrors) them to another port, flow-based monitoring copies only the packets that match the
ACL rules flagged with the monitor keyword. The source port is the monitored port (MD) and the
destination port is the monitoring port (MG).
The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL
information is sent to the ACL manager, which in turn notifies the ACL agent to add entries in the CAM
area. Duplicate entries in the ACL are not saved.
When a packet arrives at a port that is being monitored, the packet is validated against the configured
ACL rules. If the packet matches an ACL rule, the system examines the corresponding flow processor
entry to perform the action specified for that port. If the mirroring action is set in the flow processor
entry, a copy of the packet is sent to the configured destination port.
When a stack unit is reset or fails, the ACL agent registers with the port mirroring application, and the
port mirroring utility downloads the monitoring configuration to the ACL agent. The interface manager
notifies the port mirroring application about the removal of an interface when an ACL entry associated
with that interface is deleted.
Behavior of Flow-Based Monitoring
Activate flow-based monitoring for a monitoring session by entering the flow-based enable
command in MONITOR SESSION mode. When you enable this capability, traffic in the specified flows
traversing the ingress interfaces is examined, and the appropriate ACLs can be applied in the ingress
direction. By default, flow-based monitoring is not enabled.
You must specify the monitor option with the permit, deny, or seq command for ACLs that are
assigned to the source or the monitored port (MD) to enable the evaluation and replication of traffic that
is traversing to the destination port. Enter the keyword monitor with the seq, permit, or deny
command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and TCP packets.
The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the
rule will be applied to the monitored interface. Flow monitoring is supported for standard and extended
IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[count [byte]] [monitor]
If the number of monitoring sessions increases, inter-process communication (IPC) bandwidth utilization
will be high. The ACL manager might require a large bandwidth when you assign an ACL, with many
entries, to an interface.
The ACL agent module saves monitoring details in its local database and also in the CAM region to
monitor packets that match the specified criterion. The ACL agent maintains data on the source port, the
destination port, and the endpoint to which the packet must be forwarded when a match occurs with the
ACL entry.
If you configure the flow-based enable command and do not apply an ACL on the source port or the
monitored port, both flow-based monitoring and port mirroring do not function. Flow-based monitoring
is supported only for ingress traffic and not for egress packets.
The port mirroring application maintains a database that contains all monitoring sessions (including port
monitor sessions). It has information regarding the sessions that are enabled for flow-based monitoring
and those sessions that are not enabled for flow-based monitoring. It downloads monitoring
configuration to the ACL agent whenever the ACL agent is registered with the port mirroring application
or when flow-based monitoring is enabled.
The show monitor session session-id command has been enhanced to display the Type field in
the output, which indicates whether a particular session is enabled for flow-monitoring.
Example Output of the show Command
#show running-config monitor session
!
monitor session 11
flow-based enable
source GigabitEthernet 13/0 destination GigabitEthernet 13/1 direction both
The show running-config monitor session command displays whether flow-based monitoring is
enabled for a particular session.
The show config command has been modified to display monitoring configuration in a particular
session.
Example Output of the show Command
(conf-mon-sess-11)#show config
!
monitor session 11
flow-based enable
source GigabitEthernet 13/0 destination GigabitEthernet 13/1 direction both
The show ip | mac | ipv6 accounting commands have been enhanced to display whether
monitoring is enabled for traffic that matches with the rules of the specific ACL.
Example Output of the show Command
Dell# show ip accounting access-list
!
Extended Ingress IP access list kar on GigabitEthernet 10/0
Total cam count 1
seq 5 permit ip 192.168.20.0/24 173.168.20.0/24 monitor
Dell#show mac accounting access-list kar in gi 10/0 out
Egress Extended mac access-list kar on GigabitEthernet 10/0
seq 5 permit host 11:11:11:11:11:11 host 22:22:22:22:22:22 monitor
seq 10 permit host 22:22:22:22:22:22 any monitor
seq 15 permit host 00:0f:fe:1e:de:9b host 0a:0c:fb:1d:fc:aa monitor
Dell#show ipv6 accounting access-list
!
Ingress IPv6 access list kar on GigabitEthernet 10/0
Total cam count 1
seq 5 permit ipv6 22::/24 33::/24 monitor
Enabling Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on
the interface. This feature is particularly useful when looking for malicious traffic. It is available for
Layer 2 and Layer 3 ingress traffic; egress packets are not monitored. You can specify traffic using
standard or extended access lists.
1. Enable flow-based monitoring for a monitoring session.
MONITOR SESSION mode
flow-based enable
2. Define access-list rules that include the keyword monitor. Dell Networking OS only considers port
monitoring traffic that matches rules with the keyword monitor.
CONFIGURATION mode
ip access-list
For more information, see Access Control Lists (ACLs).
3. Apply the ACL to the monitored port.
INTERFACE mode
ip access-group access-list
Example of the flow-based enable Command
To view an access-list that you applied to an interface, use the show ip accounting access-list
command from EXEC Privilege mode.
Dell(conf)#monitor session 0
Dell(conf-mon-sess-0)#flow-based enable
Dell(conf)#ip access-list ext testflow
Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.0/24 any count bytes monitor
Dell(config-ext-nacl)#seq 15 deny udp any any count bytes
Dell(config-ext-nacl)#seq 20 deny tcp any any count bytes
Dell(config-ext-nacl)#exit
Dell(conf)#interface gig 1/1
Dell(conf-if-gi-1/1)#ip access-group testflow in
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
ip address 10.11.1.254/24
ip access-group testflow in
shutdown
Dell(conf-if-gi-1/1)#exit
Dell(conf)#do show ip accounting access-list testflow
!
Extended Ingress IP access list testflow on GigabitEthernet 1/1
Total cam count 4
seq 5 permit icmp any any monitor count bytes (0 packets 0 bytes)
seq 10 permit ip 102.1.1.0/24 any monitor count bytes (0 packets 0 bytes)
seq 15 deny udp any any count bytes (0 packets 0 bytes)
seq 20 deny tcp any any count bytes (0 packets 0 bytes)
Dell(conf)#do show monitor session 0
SessionID Source Destination Direction Mode      Type
--------- ------ ----------- --------- ----      ----
0         Gi 1/1 Gi 1/2      rx        interface Flow-based
8 Bidirectional Forwarding Detection (BFD)
Bidirectional forwarding detection (BFD) is a protocol that is used to rapidly detect communication
failures between two adjacent systems.
It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It
also provides a failure detection solution for links on which no routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a
three-way handshake. After the session has been established, the systems exchange periodic control
packets at sub-second intervals. If a system does not receive a hello packet within a specified amount of
time, routing protocols are notified that the forwarding path is down.
BFD provides forwarding path failure detection times on the order of milliseconds rather than seconds as
with conventional routing protocol hellos. It is independent of routing protocols, and as such, provides a
consistent method of failure detection when used across a network. Networks converge faster because
BFD triggers link state changes in the routing protocol sooner and more consistently because BFD
eliminates the use of multiple protocol-dependent timers and methods.
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be
encapsulated in any form that is convenient, and, on Dell Networking routers, BFD agents maintain
sessions that reside on the line card, which frees resources on the route processor module (RPM). Only
session state changes are reported to the BFD Manager (on the RPM), which in turn notifies the routing
protocols that are registered with it.
BFD is an independent and generic protocol, which all media, topologies, and routing protocols can
support using any encapsulation. Dell Networking has implemented BFD at Layer 3 with user datagram
protocol (UDP) encapsulation. BFD functionality is being implemented in phases; in this release, OSPF,
OSPFv3, BGP, VRRP, VLANs, port channels (LAGs), static routes, and physical ports support BFD, based
on the IETF Internet draft draft-ietf-bfd-base-03.
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake.
After the session has been established, the systems exchange control packets at agreed upon intervals. In
addition, systems send a control packet anytime there is a state change or change in a session parameter.
These control packets are sent without regard to transmit and receive intervals.
NOTE: The Dell Networking operating system does not support multi-hop BFD sessions.
If a system does not receive a control packet within an agreed-upon amount of time, the BFD agent
changes the session state to Down. It then notifies the BFD manager of the change and sends a control
packet to the neighbor that indicates the state change (though it might not be received if the link or
receiving interface is faulty). The BFD manager notifies the routing protocols that are registered with it
(clients) that the forwarding path is down and a link state change is triggered in all protocols.
NOTE: A session state change from Up to Down is the only state change that triggers a link state
change in the routing protocol client.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration
shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 7. BFD in IPv4 Packet Format
Field                     Description
Diagnostic Code           The reason that the last session failed.
State                     The current local session state. Refer to BFD Sessions.
Flags                     Bits that indicate packet function. If the poll bit is set, the receiving system
                          must respond as soon as possible, without regard to its transmit interval. The
                          responding system clears the poll bit and sets the final bit in its response. The
                          poll and final bits are used during the handshake and in Demand mode (refer to
                          BFD Sessions).
                          NOTE: The Dell Networking OS does not currently support multi-point sessions,
                          Demand mode, authentication, or control plane independence; these bits are
                          always clear.
Detection Multiplier      The number of packets that must be missed in order to declare a session down.
Length                    The entire length of the BFD packet.
My Discriminator          A unique, nonzero value chosen by the local system to identify the session.
Your Discriminator        The discriminator that the remote system chose for the session, echoed back to
                          it. Discriminator values are necessary to identify the session to which a control
                          packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval   The minimum interval at which the local system would like to send control packets
                          to the remote system.
Required Min RX Interval  The minimum interval at which the local system is able to receive control packets
                          from the remote system.
Required Min Echo RX      The minimum interval at which the local system is able to receive echo packets.
                          NOTE: The Dell Networking OS does not currently support the echo function.
Authentication Type,      An optional method for authenticating control packets.
Authentication Length,    NOTE: The Dell Networking OS does not currently support the BFD authentication
Authentication Data       function.
Two important parameters are calculated using the values contained in the control packet.
Transmit interval   The transmit interval is the agreed-upon rate at which a system sends control packets.
                    Each system has its own transmit interval, which is the greater of its own Desired Min TX
                    Interval and the Required Min RX Interval last received from the remote system.
Detection time      The detection time is the amount of time that a system does not receive a control
                    packet, after which the system determines that the session has failed. Each system has
                    its own detection time.
                    • In Asynchronous mode: Detection time is the remote Detection Multiplier multiplied by
                    the greater of the remote Desired Min TX Interval and the local Required Min RX Interval.
                    • In Demand mode: Detection time is the local Detection Multiplier multiplied by the
                    greater of the local Desired Min TX Interval and the remote Required Min RX Interval.
BFD Sessions
You must enable BFD on both sides of a link in order to establish a session.
The two participating systems can assume either of two roles:
Active
The active system initiates the BFD session. Both systems can be active for the
same session.
Passive
The passive system does not initiate a session. It only responds to a request for
session initialization from the active system.
A BFD session has two modes:
Asynchronous mode   In Asynchronous mode, both systems send periodic control messages at an agreed-upon
                    interval to indicate that their session status is Up.
Demand mode         If one system requests Demand mode, the other system stops sending periodic control
                    packets; it only sends a response to status inquiries from the Demand mode initiator.
                    Either system (but not both) can request Demand mode at any time.
NOTE: The Dell Networking OS supports Asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down   The local system does not participate in a particular session.
Down                    The remote system is not sending control packets, or at least not within the
                        detection time for a particular session.
Init                    The local system is receiving control packets from the remote system and wants to
                        bring the session up, but the remote system has not yet confirmed that it is
                        receiving the local system's packets.
Up                      Both systems are exchanging control packets.
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
The handshake shown in the following illustration assumes that there is one active and one passive
system, and that this session is the first session established on this link. The default session state on both
ports is Down.
1. The active system sends a steady stream of control packets that indicates that its session state is
Down, until the passive system responds. These packets are sent at the desired transmit interval of
the active system. The Your Discriminator field is set to zero.
2. When the passive system receives any of these control packets, it changes its session state to Init
and sends a response that indicates its state change. The response includes its session ID in the My
Discriminator field and the session ID of the remote system in the Your Discriminator field.
3. The active system receives the response from the passive system and changes its session state to
Up. It then sends a control packet indicating this state change. This is the third and final part of the
handshake. Now the discriminator values have been exchanged and the transmit intervals have been
negotiated.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that
a session has been established. However, because both members must send a control packet that
requires a response anytime there is a state change or change in a session parameter, the passive
system sends a final response indicating the state change. After this, periodic control packets are
exchanged.
Figure 8. BFD Three-Way Handshake State Changes
Session State Changes
The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.
Figure 9. Session State Changes
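The following Python model is an added example, not part of this guide and not Dell Networking OS code. It encodes the four session states, the state-change rules described for the handshake and the session state diagram (Down plus a remote Down notification gives Init; Down plus a remote Init, or Init plus a remote Init or Up, gives Up; Up plus a remote Down gives Down), the My/Your Discriminator exchange, and the asynchronous-mode interval negotiation and detection time from RFC 5880 (remote multiplier times the interval the remote will actually send at). The class and field names, and the two sample routers R1 and R2 with their discriminators, are this example's own assumptions.

```python
"""BFD session state machine and three-way handshake (added example, not from the Dell
guide). Models the four states and the transitions the text describes, the discriminator
exchange, and RFC 5880 asynchronous-mode interval negotiation. Names are this example's own."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    ADMIN_DOWN = "Ad Dn"
    DOWN = "Down"
    INIT = "Init"
    UP = "Up"


@dataclass
class ControlPacket:
    state: State
    my_disc: int            # sender's session ID ("My Discriminator")
    your_disc: int          # receiver's session ID as the sender knows it; 0 until learned
    desired_min_tx: int     # milliseconds
    required_min_rx: int    # milliseconds
    detect_mult: int


@dataclass
class Session:
    name: str
    my_disc: int
    role: str = "active"          # "active" or "passive"
    desired_min_tx: int = 100     # Dell defaults: interval 100, min_rx 100, multiplier 3
    required_min_rx: int = 100
    detect_mult: int = 3
    state: State = State.DOWN     # default session state on both ends is Down
    your_disc: int = 0
    remote: Optional[ControlPacket] = None
    changes: List[Tuple[State, State]] = field(default_factory=list)

    def build_packet(self) -> ControlPacket:
        return ControlPacket(self.state, self.my_disc, self.your_disc,
                             self.desired_min_tx, self.required_min_rx, self.detect_mult)

    def receive(self, pkt: ControlPacket) -> bool:
        """Apply the state-change rules; return True if the local state changed."""
        self.remote = pkt
        self.your_disc = pkt.my_disc          # learn the remote session ID
        old = self.state
        if self.state == State.ADMIN_DOWN:
            pass                              # local system is not participating
        elif pkt.state == State.ADMIN_DOWN:
            self.state = State.DOWN           # remote went Admin Down: session drops to Down
        elif self.state == State.DOWN:
            if pkt.state == State.DOWN:
                self.state = State.INIT       # Down + remote Down -> Init (case named in the text)
            elif pkt.state == State.INIT:
                self.state = State.UP
        elif self.state == State.INIT:
            if pkt.state in (State.INIT, State.UP):
                self.state = State.UP
        elif self.state == State.UP:
            if pkt.state == State.DOWN:
                self.state = State.DOWN
        if self.state != old:
            self.changes.append((old, self.state))
        return self.state != old

    def actual_tx_ms(self) -> int:
        """Negotiated transmit interval: never faster than the peer is willing to receive."""
        return max(self.desired_min_tx, self.remote.required_min_rx if self.remote else 0)

    def detection_time_ms(self) -> int:
        """RFC 5880 asynchronous mode: remote multiplier x the interval the remote sends at."""
        if self.remote is None:
            return 0
        return self.remote.detect_mult * max(self.required_min_rx, self.remote.desired_min_tx)


def three_way_handshake(active: Session, passive: Session) -> List[Tuple[str, str, int]]:
    """Run the four exchanges from the text; returns (sender, state sent, Your Discriminator)."""
    trace = []
    # 1. Active sends Down with Your Discriminator = 0 until the passive side answers.
    pkt = active.build_packet()
    trace.append((active.name, pkt.state.value, pkt.your_disc))
    # 2. Passive moves Down -> Init and answers with both discriminators filled in.
    passive.receive(pkt)
    pkt = passive.build_packet()
    trace.append((passive.name, pkt.state.value, pkt.your_disc))
    # 3. Active moves Down -> Up on the Init response and announces the change.
    active.receive(pkt)
    pkt = active.build_packet()
    trace.append((active.name, pkt.state.value, pkt.your_disc))
    # 4. Passive moves Init -> Up and, because its state changed, sends a final response.
    passive.receive(pkt)
    pkt = passive.build_packet()
    trace.append((passive.name, pkt.state.value, pkt.your_disc))
    active.receive(pkt)                   # no further change; periodic packets follow
    return trace


if __name__ == "__main__":
    r1 = Session("R1", my_disc=1, role="active")      # constructed sample routers
    r2 = Session("R2", my_disc=2, role="passive")
    for sender, state, your_disc in three_way_handshake(r1, r2):
        print(f"{sender} sends {state:5} YourDisc={your_disc}")
    print("R1 state", r1.state.value, "detection time", r1.detection_time_ms(), "ms")
```

With the defaults on both sides the detection time is 3 x 100 ms = 300 ms; raising only the local multiplier to 4 lengthens the time the peer waits before declaring this system down, not the time this system waits for the peer, which is why the "Actual parameters" block in the output later in this chapter is worth reading on both routers.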
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs because they are instantiated on the RPM.
• The Dell Networking OS supports a maximum of 100 sessions per BFD agent. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard.
• Enable BFD on both ends of a link.
• Demand mode, authentication, and the Echo function are not supported.
• BFD is not supported on multi-hop and virtual links.
• Protocol Liveness is supported for routing protocols only.
• The Dell Networking OS supports only OSPF, OSPFv3, BGP, and VRRP protocols as BFD clients.
Configure BFD
This section contains the following procedures.
• Configure BFD for Physical Ports
• Configure BFD for Port-Channels
• Configure BFD for Static Routes
• Configure BFD for OSPF
• Configure BFD for OSPFv3
• Configure BFD for BGP
• Configure BFD for VRRP
• Configure BFD for VLANs
• Configuring Protocol Liveness
• Troubleshooting BFD
Configure BFD for Physical Ports
BFD on physical ports is useful when you do not enable the routing protocol.
Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
Configuring BFD for a physical port is a two-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish a session with a next-hop neighbor.
Related Configuration Tasks
• Changing Physical Port Session Parameters.
• Disabling and Re-Enabling BFD.
Enabling BFD Globally
You must enable BFD globally on both routers.
To enable BFD globally, use the following command.
• Enable BFD globally.
CONFIGURATION mode
bfd enable
Example of Verifying BFD is Enabled
To verify that BFD is enabled globally, use the show running bfd command.
The bold line shows that BFD is enabled.
R1(conf)#bfd ?
enable              Enable BFD protocol
protocol-liveness   Enable BFD protocol-liveness
R1(conf)#bfd enable
R1(conf)#do show running-config bfd
!
bfd enable
R1(conf)#
Establishing a Session on Physical Ports
To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.
Figure 10. Establishing a BFD Session on Physical Ports
1. Enter interface mode.
CONFIGURATION mode
interface
2. Assign an IP address to the interface if one is not already assigned.
INTERFACE mode
ip address ip-address
3. Identify the neighbor with which the interface establishes the BFD session.
INTERFACE mode
bfd neighbor ip-address
Example of Verifying Session Creation
Example of Viewing Detailed BFD Session Information
To verify that the session is established, use the show bfd neighbors command.
The bold line shows the BFD session.
R1(conf-if-gi-4/24)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.1 2.2.2.2 Gi 4/24 Up 100 100 3 C
To view specific information about BFD sessions, use the show bfd neighbors detail command.
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Log messages display when you configure both interfaces for BFD.
R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
Changing Physical Port Session Parameters
BFD sessions are configured with default intervals and a default role (active).
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. Configure these parameters per interface; if you change a parameter, the change affects all physical port sessions on that interface.
NOTE: Dell Networking recommends maintaining the default values.
• Change session parameters for all sessions on an interface.
INTERFACE mode
bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
Example of Changing Session Parameters for Physical Ports
View session parameters using the show bfd neighbors detail command.
The bold line shows the parameter changes.
R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7
Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
If you disable BFD, all of the sessions on that interface are placed in an Administratively Down state (the first message example), and the remote systems are notified of the session state change (the second message example).
To disable and re-enable BFD on an interface, use the following commands.
• Disable BFD on an interface.
INTERFACE mode
no bfd enable
• Enable BFD on an interface.
INTERFACE mode
bfd enable
If you disable BFD on a local interface, this message displays:
R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
If the remote system's session state changes because the local side is administratively down, this message displays:
R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.1 on interface Gi 2/1 (diag: 7)
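Monitoring is where the show output and the %BFDMGR-1-BFD_STATE_CHANGE messages in the preceding sections earn their keep: a session that sits in Down or Ad Dn means the neighbor has already been declared unreachable, or that someone disabled BFD on an interface. The following Python is an added example, not part of this guide and not Dell tooling. It parses the one-line-per-session table of show bfd neighbors and the state-change syslog lines into records, lists sessions that are not Up, and reduces a log stream to the last known state per neighbor. The sample table and log lines are constructed for the example, modelled on the outputs shown above; the regular expressions assume the column order and message wording shown there.

```python
"""Parse Dell 'show bfd neighbors' rows and BFDMGR state-change syslog lines.
Added example, not from the Dell guide; sample inputs below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "show bfd neighbors" output in this chapter.
SHOW_BFD_NEIGHBORS = """\
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.1 2.2.2.2 Gi 4/24 Up 100 100 3 C
2.2.3.1 2.2.3.2 Gi 4/25 Down 1000 1000 3 V
* 1.1.1.3 1.1.1.2 Te 6/0 Ad Dn 100 100 3 B
"""

# Constructed syslog lines in the %BFDMGR-1-BFD_STATE_CHANGE format shown above.
SYSLOG = """\
00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
"""

# One session row: optional "*" (active role), addresses, two-token interface name
# such as "Gi 4/24", state, Rx/Tx intervals, multiplier, client letters.
ROW_RE = re.compile(
    r"^(?P<active>\*\s+)?(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<iface>\S+\s+\S+)\s+"
    r"(?P<state>Up|Down|Init|Ad Dn)\s+(?P<rx>\d+)\s+(?P<tx>\d+)\s+(?P<mult>\d+)\s+(?P<clients>\S+)$"
)

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): \S+ %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to "
    r"(?P<state>Up|Down|Init|Ad Dn) for neighbor (?P<neighbor>\S+) on interface "
    r"(?P<iface>\S+ \S+) \(diag: (?P<diag>\d+)\)$"
)


def parse_neighbors(text: str) -> List[Dict]:
    """Return one dict per session row; legend and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "active": d["active"] is not None,
            "local": d["local"], "remote": d["remote"], "interface": d["iface"],
            "state": d["state"], "rx_ms": int(d["rx"]), "tx_ms": int(d["tx"]),
            "mult": int(d["mult"]), "clients": d["clients"],
        })
    return rows


def parse_state_changes(text: str) -> List[Dict]:
    """Return one dict per BFD_STATE_CHANGE line, with the diag code as an int."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["diag"] = int(d["diag"])
            events.append(d)
    return events


def sessions_needing_attention(rows: List[Dict]) -> List[str]:
    """Sessions not in Up: Down means the peer stopped answering within the detection
    time; Ad Dn means BFD was disabled on this interface."""
    return [f'{r["interface"]} {r["remote"]} {r["state"]}' for r in rows if r["state"] != "Up"]


def last_state_per_neighbor(events: List[Dict]) -> Dict[Tuple[str, str], str]:
    """Collapse a time-ordered log stream to the latest state per (interface, neighbor)."""
    latest: Dict[Tuple[str, str], str] = {}
    for e in events:
        latest[(e["iface"], e["neighbor"])] = e["state"]
    return latest


if __name__ == "__main__":
    for problem in sessions_needing_attention(parse_neighbors(SHOW_BFD_NEIGHBORS)):
        print("ATTENTION:", problem)
    print(last_state_per_neighbor(parse_state_changes(SYSLOG)))
```

Run against a real capture, the Ad Dn rows are the ones to correlate with configuration changes (no bfd enable, no ip route bfd, no bfd all-neighbors), since those are the only way a session reaches that state from the local side.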
Configure BFD for Static Routes
BFD offers systems a link state detection mechanism for static routes.
With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop.
Configuring BFD for static routes is a three-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. On the local system, establish a session with the next hop of a static route. Refer to Establishing Sessions for Static Routes.
3. On the remote system, establish a session with the physical port that is the origin of the static route. Refer to Establishing a Session on Physical Ports.
Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for Static Routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 11. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
CONFIGURATION mode
ip route bfd
Example of the show bfd neighbors Command to Verify Static Routes
To verify that sessions have been created for static routes, use the show bfd neighbors command.
The bold line shows BFD for static routes is enabled.
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
2.2.2.1 2.2.2.2 Gi 4/24 Up 100 100 4 R
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Disabling BFD for BGP.
Changing Static Route Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes.
To change parameters for static route sessions, use the following command.
• Change parameters for all static route sessions.
CONFIGURATION mode
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
Disabling BFD for Static Routes
If you disable BFD, all static route BFD sessions are torn down.
A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state.
To disable BFD for static routes, use the following command.
• Disable BFD for static routes.
CONFIGURATION mode
no ip route bfd
Configure BFD for OSPF
When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM.
BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change occurred.
Configuring BFD for OSPF is a two-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish sessions with OSPF neighbors. Refer to Establishing Sessions with OSPF Neighbors.
Related Configuration Tasks
• Changing OSPF Session Parameters
• Disabling BFD for OSPF
Establishing Sessions with OSPF Neighbors
BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 12. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
ROUTER-OSPF mode
bfd all-neighbors
• Establish sessions with OSPF neighbors on a single interface.
INTERFACE mode
ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Gi 2/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.2 Gi 2/2 Up 100 100 3 O
Changing OSPF Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPF sessions or for all OSPF sessions on a particular interface. If you change a parameter globally, the change affects all OSPF neighbor sessions. If you change a parameter at the interface level, the change affects all OSPF sessions on that interface.
To change parameters for all OSPF sessions or for OSPF sessions on a single interface, use the following commands.
• Change parameters for all OSPF sessions.
ROUTER-OSPF mode
bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for all OSPF sessions on an interface.
INTERFACE mode
ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.
Disabling BFD for OSPF
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state.
If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPF neighbors.
ROUTER-OSPF mode
no bfd all-neighbors
• Disable BFD sessions with all OSPF neighbors on an interface.
INTERFACE mode
ip ospf bfd all-neighbors disable
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6.
Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
• Establish sessions with all OSPFv3 neighbors.
ROUTER-OSPFv3 mode
bfd all-neighbors
• Establish sessions with OSPFv3 neighbors on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors
To view the established sessions, use the show bfd neighbors command.
Changing OSPFv3 Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or for all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions. If you change a parameter at the interface level, the change affects all OSPFv3 sessions on that interface.
To change parameters for all OSPFv3 sessions or for OSPFv3 sessions on a single interface, use the following commands.
• Change parameters for all OSPFv3 sessions.
ROUTER-OSPFv3 mode
bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for OSPFv3 sessions on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.
Disabling BFD for OSPFv3
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state.
If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPFv3 neighbors.
ROUTER-OSPFv3 mode
no bfd all-neighbors
• Disable BFD sessions with OSPFv3 neighbors on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors disable
Configure BFD for BGP
In a BGP core network, bidirectional forwarding detection (BFD) provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature.
Prerequisites
Before configuring BFD for BGP, you must first configure the following settings:
1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4).
2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in Configuring BGP Fast Fail-Over.
Establishing Sessions with BGP Neighbors
Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
For more information, refer to Border Gateway Protocol IPv4 (BGPv4).
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system.
Figure 13. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (CoPP) framework to avoid BFD packet drops due to queue congestion.
BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks.
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure. It is then up to the individual routing protocols that use the BGP link to determine the appropriate response to the failure condition. The typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
You can configure BFD for BGP on the following types of interfaces: physical port (10GE or 40GE), port channel, and VLAN.
1. Enable BFD globally.
CONFIGURATION mode
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Configure parameters for a BFD session established with all neighbors discovered by BGP, OR establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
CONFIG-ROUTERBGP mode
bfd all-neighbors [interval millisecs min_rx millisecs multiplier value role {active | passive}]
OR
neighbor {ip-address | peer-group-name} bfd
NOTES:
• When you establish a BFD session with a specified BGP neighbor or peer group using the neighbor bfd command, the default BFD session parameters are used (interval: 100 milliseconds, min_rx: 100 milliseconds, multiplier: 3 packets, and role: active).
• When you explicitly enable or disable a BGP neighbor for a BFD session with the neighbor bfd or neighbor bfd disable commands, the neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs. Also, the neighbor only inherits the global timer values configured with the bfd all-neighbors command (interval, min_rx, and multiplier).
6. Repeat Steps 1 to 5 on each BGP peer participating in a BFD session.
Disabling BFD for BGP
You can disable BFD for BGP.
To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode.
The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
ROUTER BGP mode
neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
ROUTER BGP mode
no neighbor {ip-address | peer-group-name} bfd disable
Use BFD in a BGP Peer Group
You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
Members of the peer group may have BFD:
• Explicitly enabled (the neighbor ip-address bfd command)
• Explicitly disabled (the neighbor ip-address bfd disable command)
• Inherited (neither explicitly enabled nor disabled) according to the current BFD configuration of the peer group. For information about BGP peer groups, refer to Configuring Peer Groups.
If you explicitly enable (or disable) a BGP neighbor for BFD that belongs to a peer group:
• The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
• The neighbor inherits only the global timer values that are configured with the bfd all-neighbors command (interval, min_rx, and multiplier).
If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (for example, advertisement interval) using the neighbor peer-group-name bfd command, the peer group inherits any BFD settings configured with the bfd all-neighbors command.
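The inheritance rules in the NOTES of the BGP procedure and in this peer-group section decide which timers a neighbor's BFD session actually runs with, and whether it runs at all, which matters when a single neighbor bfd disable silently leaves one peer unprotected. The following Python is an added example, not part of this guide and not Dell code. It models a router bgp configuration as a few dictionaries and resolves, for one neighbor, the mode (global, neighbor, or peer-group, matching the wording of the show ip bgp neighbors lines shown later in this section), whether BFD is enabled, and the effective timers: an explicit neighbor bfd or bfd disable ignores the all-neighbors and peer-group enable state but takes interval, min_rx and multiplier from bfd all-neighbors (role stays at the default, active); a peer group enabled with neighbor peer-group-name bfd takes its settings from bfd all-neighbors; anything else follows bfd all-neighbors if configured. The configuration model, the Resolved record, and the sample addresses and peer-group names are this example's assumptions.

```python
"""Resolve the effective BFD configuration of a BGP neighbor under the inheritance rules
stated in the Dell guide. Added example, not Dell code; the config model is assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Timers:
    interval: int = 100          # defaults named in the text
    min_rx: int = 100
    multiplier: int = 3
    role: str = "active"


@dataclass
class BgpBfdConfig:
    all_neighbors: Optional[Timers] = None                        # 'bfd all-neighbors [...]' if present
    peer_groups: Dict[str, bool] = field(default_factory=dict)    # 'neighbor <pg> bfd' True / 'bfd disable' False
    neighbors: Dict[str, bool] = field(default_factory=dict)      # same for individual neighbor addresses
    membership: Dict[str, str] = field(default_factory=dict)      # neighbor address -> peer-group name


@dataclass
class Resolved:
    mode: str                    # "global", "neighbor", "peer-group", or "none"
    enabled: bool
    timers: Optional[Timers]     # None when BFD is not running for this neighbor


def resolve(cfg: BgpBfdConfig, ip: str) -> Resolved:
    if ip in cfg.neighbors:
        enabled = cfg.neighbors[ip]
        # Explicit enable/disable ignores the all-neighbors and peer-group enable state.
        # Timers: global interval/min_rx/multiplier if configured, otherwise defaults; role stays default.
        t = Timers()
        if cfg.all_neighbors is not None:
            t = Timers(cfg.all_neighbors.interval, cfg.all_neighbors.min_rx, cfg.all_neighbors.multiplier)
        return Resolved("neighbor", enabled, t if enabled else None)
    pg = cfg.membership.get(ip)
    if pg in cfg.peer_groups:
        enabled = cfg.peer_groups[pg]
        # The peer group carries no BFD parameters of its own, so it inherits bfd all-neighbors.
        t = cfg.all_neighbors if cfg.all_neighbors is not None else Timers()
        return Resolved("peer-group", enabled, t if enabled else None)
    if cfg.all_neighbors is not None:
        return Resolved("global", True, cfg.all_neighbors)
    return Resolved("none", False, None)


def describe(res: Resolved) -> str:
    """Mirror the wording of the 'show ip bgp neighbors' output quoted in this section."""
    if res.mode == "none":
        return "BFD is not configured for this neighbor"
    return f"Neighbor is using BGP {res.mode} mode BFD configuration"


def unprotected(cfg: BgpBfdConfig, addresses) -> list:
    """Neighbors that end up without a BFD session, the audit a change reviewer wants."""
    return [ip for ip in addresses if not resolve(cfg, ip).enabled]


if __name__ == "__main__":
    # Constructed sample: global timers, one enabled and one disabled peer group, two explicit neighbors.
    cfg = BgpBfdConfig(
        all_neighbors=Timers(200, 200, 4, "passive"),
        peer_groups={"pg1": True, "pg2": False},
        neighbors={"1.1.1.2": False, "4.4.4.2": True},
        membership={"2.2.2.3": "pg1", "2.2.2.4": "pg1", "5.5.5.2": "pg2", "4.4.4.2": "pg2"},
    )
    for ip in ["3.3.3.2", "2.2.2.3", "5.5.5.2", "4.4.4.2", "1.1.1.2"]:
        r = resolve(cfg, ip)
        print(ip, describe(r), r.enabled, r.timers)
    print("no BFD:", unprotected(cfg, ["3.3.3.2", "2.2.2.3", "5.5.5.2", "4.4.4.2", "1.1.1.2"]))
```

The neighbor 4.4.4.2 is the instructive case: it belongs to a peer group that is disabled for BFD, yet its explicit neighbor bfd wins, and it runs with the global 200/200/4 timers but the default active role because role is not among the inherited values.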
Displaying BFD for BGP Information
You can display related information for BFD for BGP.
To display information about BFD for BGP sessions on a router, use the following commands and refer to the following examples.
• Verify a BFD for BGP configuration.
EXEC Privilege mode
show running-config bgp
• Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed.
EXEC Privilege mode
show bfd neighbors [interface] [detail]
• Display BFD packet counters for sessions with BGP neighbors.
EXEC Privilege mode
show bfd counters bgp [interface]
• Check to see if BFD is enabled for BGP connections.
EXEC Privilege mode
show ip bgp summary
• Display routing information exchanged with BGP neighbors, including BFD for BGP sessions.
EXEC Privilege mode
show ip bgp neighbors [ip-address]
Example of Verifying BGP Configuration
Example of Viewing All BFD Neighbors
Example of Viewing BFD Neighbor Detail
Example of Viewing Configured BFD Counters
Example of Viewing BFD Summary Information
Example of Viewing BFD Information for a Specified Neighbor
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 1.1.1.3 1.1.1.2 Te 6/0 Up 100 100 3 B
* 2.2.2.3 2.2.2.2 Te 6/1 Up 100 100 3 B
* 3.3.3.3 3.3.3.2 Te 6/2 Up 100 100 3 B
The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and
multiplier (maximum number of missed packets).
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/0
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
Number of packets received from neighbor: 4762
Number of packets sent to neighbor: 4490
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/1
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
R2# show bfd counters bgp
Interface TenGigabitEthernet 6/0
Protocol BGP
Messages:
Registration : 5
De-registration : 4
Init : 0
Up : 6
Down : 0
Admin Down : 2
Interface TenGigabitEthernet 6/1
Protocol BGP
Messages:
Registration : 5
De-registration : 4
Init : 0
Up : 6
Down : 0
Admin Down : 2
Interface TenGigabitEthernet 6/2
Protocol BGP
Messages:
Registration : 1
De-registration : 0
Init : 0
Up : 1
Down : 0
Admin Down : 2
The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
1.1.1.2 1 282 281 0 0 0 00:38:12 0
2.2.2.2 1 273 273 0 0 0 04:32:26 (0)
3.3.3.2 1 282 281 0 0 0 00:38:12 0
The bold lines show the message displayed when you enable a BFD session with different configurations:
• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
• Message displayed when you enable a BFD session with a BGP neighbor using the neighbor ip-address bfd command.
• Message displayed when you enable a BGP neighbor in a peer group for which you enabled a BFD session using the neighbor peer-group-name bfd command.
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
1 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
2 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Neighbor is using BGP global mode BFD configuration
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes
ignored 0
Prefixes advertised 0, denied 0, withdrawn 0 from peer
Connections established 1; dropped 0
Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP neighbor mode BFD configuration
Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM).
BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors. Refer to Establishing VRRP Sessions on VRRP Neighbors.
3. On the master router, establish a VRRP BFD session with the backup routers. Refer to Establishing Sessions with All VRRP Neighbors.
Related Configuration Tasks
• Changing VRRP Session Parameters.
• Disabling BFD for VRRP.
Establishing Sessions with All VRRP Neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.
Figure 14. Establishing Sessions with All VRRP Neighbors
To establish sessions with all VRRP neighbors, use the following command.
• Establish sessions with all VRRP neighbors.
INTERFACE mode
vrrp bfd all-neighbors
Establishing VRRP Sessions on VRRP Neighbors
By default the master router does not track the state of the backup routers, so it does not participate in any VRRP BFD sessions. A VRRP BFD session configured only on the backup router therefore never reaches the Up state. To bring the session up, configure the master router to establish an individual VRRP BFD session with the backup router.
To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
INTERFACE mode
vrrp bfd neighbor ip-address
Example of Viewing Sessions with VRRP Neighbors
Example of Viewing VRRP Session State Information
To view the established sessions, use the show bfd neighbors command.
The last line of the output (client code V) shows that a VRRP BFD session is configured on the interface.
R1(conf-if-gi-4/25)#vrrp bfd all-neighbors
R1(conf-if-gi-4/25)#do show bfd neighbor
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.2 Gi 4/25 Down 1000 1000 3 V
To view session state information, use the show vrrp command.
The BFD Neighbors block at the end of the output shows the VRRP BFD session and its state. Note also Authentication: (none): this VRRP group accepts advertisements without any authentication.
R1(conf-if-gi-4/25)#do show vrrp
-----------------GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 2.2.5.4
Authentication: (none)
BFD Neighbors:
RemoteAddr State
2.2.5.2 Up
Changing VRRP Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection
Multiplier, and system role. You can change parameters for all VRRP sessions or for a particular neighbor.
To change parameters for all VRRP sessions or for a particular VRRP session, use the following commands.
• Change parameters for all VRRP sessions.
INTERFACE mode
vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for a particular VRRP session.
INTERFACE mode
vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down.
A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to
the Down state.
To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or a particular VRRP session on an interface, use the following commands.
• Disable all VRRP sessions on an interface.
INTERFACE mode
no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
VRRP mode
bfd disable
• Disable a particular VRRP session on an interface.
INTERFACE mode
no vrrp bfd neighbor ip-address
Configure BFD for VLANs
BFD on Dell Networking systems is a Layer 3 protocol.
Use BFD with routed virtual local area networks (VLANs). BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled and the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
There is one BFD agent for VLANs and port-channels that resides on RP2, as opposed to the other agents
that are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is shared
for VLANs and port-channels.
Configuring BFD for VLANs is a two-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish sessions with VLAN neighbors. Refer to Establish Sessions with VLAN Neighbors.
Related Configuration Tasks
• Changing VLAN Session Parameters.
• Disabling BFD for VLANs.
Establish Sessions with VLAN Neighbors
To establish a session, enable BFD at interface level on both ends of the link, as shown in the following
illustration. The session parameters do not need to match.
Figure 15. Establishing Sessions with VLAN Neighbors
To establish a BFD session with a VLAN neighbor, use the following command.
• Establish a session with a VLAN neighbor.
INTERFACE VLAN mode
bfd neighbor ip-address
View the established sessions using the show bfd neighbors command, as shown in the following
example.
R2(conf-if-vl-200)#bfd neighbor 2.2.3.2
R2(conf-if-vl-200)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.3.2 2.2.3.1 Vl 200 Up 100 100 3 C
Changing VLAN Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. Parameters are set per interface; a change affects all sessions on that interface.
CAUTION: When configuring BFD on VLAN or LAG interfaces, Dell Networking recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which with the default multiplier of 3 yields a detection time of 500 ms * 3 = 1500 milliseconds.
To change parameters for a session, use the following command.
• Change session parameters for all sessions on an interface.
INTERFACE VLAN mode
bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors command, as shown in the example
Changing Physical Port Session Parameters.
Disabling BFD for VLANs
If you disable BFD on an interface, sessions on the interface are torn down.
A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to
the Down state.
To disable BFD on a VLAN interface, use the following command.
• Disable all sessions on a VLAN interface.
INTERFACE VLAN mode
no bfd enable
Configure BFD for Port-Channels
BFD on port-channels is analogous to BFD on physical ports.
If no routing protocol is enabled and the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
There is one BFD agent for VLANs and port-channels that resides on RP2, as opposed to the other agents
that are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is shared
for VLANs and port-channels.
Configuring BFD for port-channels is a two-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish sessions on port-channels. Refer to Establish Sessions on Port-Channels.
Related Configuration Tasks
• Changing Port-Channel Session Parameters.
• Disabling BFD for Port-Channels.
Establish Sessions on Port-Channels
To establish a session, you must enable BFD at interface level on both ends of the link, as shown in the
following example. The session parameters do not need to match.
Figure 16. Establishing Sessions on Port-Channels
To establish a session on a port-channel, use the bfd neighbor ip-address command in INTERFACE
PORT-CHANNEL mode.
View the established sessions using the show bfd neighbors command, as shown in the following example and in Changing Port-Channel Session Parameters.
Viewing Established Sessions on Port-Channels
R2(conf-if-po-1)#bfd neighbor 2.2.2.1
R2(conf-if-po-1)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Po 1 Up 100 100 3 C
Changing Port-Channel Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. Parameters are set per interface; if you change a parameter, the change affects all sessions on that port-channel.
CAUTION: When configuring BFD on VLAN or LAG interfaces, Dell Networking recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which with the default multiplier of 3 yields a detection time of 500 ms * 3 = 1500 milliseconds.
• Change session parameters for all sessions on an interface.
INTERFACE PORT-CHANNEL mode
bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
View session parameters using the show bfd neighbors detail command.
Disabling BFD for Port-Channels
If you disable BFD on an interface, sessions on the interface are torn down.
A final Admin Down control packet is sent to all neighbors, and sessions on the remote system are placed
in a Down state.
To disable BFD for a port-channel, use the following command.
• Disable BFD for a port-channel.
INTERFACE PORT-CHANNEL mode
no bfd enable
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled.
When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote
system receive an Admin Down control packet and are placed in the Down state.
To enable protocol liveness, use the following command.
• Enable Protocol Liveness.
CONFIGURATION mode
bfd protocol-liveness
Troubleshooting BFD
To troubleshoot BFD, use the following commands and examples.
To examine control packet field values, or to view the control packets in hexadecimal format, use the following commands.
• Examine control packet field values.
CONFIGURATION mode
debug bfd detail
• Examine the control packets in hexadecimal format.
CONFIGURATION mode
debug bfd packet
Example of Output from the debug bfd detail Command
Example of Output from the debug bfd packet Command
The following example shows a three-way handshake using the debug bfd detail command.
R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
Version:1, Diag code:0, State:Down, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:4, yourDiscrim:0, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
Version:1, Diag code:0, State:Init, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:6, yourDiscrim:4, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
The following example displays hexadecimal output from the debug bfd packet command.
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
The output for the debug bfd event command is the same as the log messages that appear on the
console by default.
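The hexadecimal dumps from debug bfd packet decode with the fixed 24-byte BFD control packet layout of RFC 5880. The following Python is an added example and is not part of this manual or of the Dell Networking OS: it parses and rebuilds the RX and TX dumps shown above, applies the receive-side sanity checks that RFC 5880 requires before a packet is accepted, and computes the detection time that the negotiated intervals and multiplier produce (the same arithmetic as the 500 ms * 3 = 1500 ms CAUTION for VLAN and LAG interfaces). The two hex strings are copied from the dumps above; everything else (function names, the validate() reason strings) is this example's own. Note that byte 1 of both dumps is 0xc0, state Up with every flag bit clear, so the A (Authentication Present) bit is clear and these sessions carry no authentication section.

```python
"""Decode, validate and rebuild BFD control packets (RFC 5880, 24-byte header).

Added example for this section; not Dell Networking OS code. The two hex
strings are the RX and TX dumps shown in the debug bfd packet output above.
"""
import struct
from typing import Optional

STATES = ("AdminDown", "Down", "Init", "Up")
HDR = struct.Struct("!BBBBIIIII")  # vers/diag, state/flags, mult, length, 5 x 32-bit fields
NO_AUTH_LEN = HDR.size              # 24 bytes when the A bit is clear

# Copied from the debug bfd packet dumps above (RX from 2.2.2.2, TX from R1).
RX_HEX = "20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00"
TX_HEX = "20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00"


def parse_bfd(raw: bytes) -> dict:
    """Split a raw BFD control packet into its mandatory header fields."""
    if len(raw) < NO_AUTH_LEN:
        raise ValueError("packet shorter than the BFD mandatory header")
    b0, b1, mult, length, my_disc, your_disc, min_tx, min_rx, min_echo = HDR.unpack_from(raw)
    return {
        "version": b0 >> 5,
        "diag": b0 & 0x1F,
        "state": STATES[b1 >> 6],
        "poll": bool(b1 & 0x20),
        "final": bool(b1 & 0x10),
        "cpi": bool(b1 & 0x08),          # Control Plane Independent
        "auth": bool(b1 & 0x04),         # Authentication Present
        "demand": bool(b1 & 0x02),
        "multipoint": bool(b1 & 0x01),
        "multiplier": mult,
        "length": length,
        "my_discrim": my_disc,
        "your_discrim": your_disc,
        "min_tx": min_tx,                # all intervals are in microseconds
        "min_rx": min_rx,
        "min_echo_rx": min_echo,
    }


def validate(pkt: dict, wire_len: int) -> Optional[str]:
    """Receive-side checks of RFC 5880 section 6.8.6; return a reason to drop, or None."""
    if pkt["version"] != 1:
        return "bad version"
    if pkt["length"] < NO_AUTH_LEN or pkt["length"] > wire_len:
        return "bad length"
    if pkt["multiplier"] == 0:
        return "detect multiplier is zero"
    if pkt["multipoint"]:
        return "multipoint bit set"
    if pkt["my_discrim"] == 0:
        return "my discriminator is zero"
    if pkt["your_discrim"] == 0 and pkt["state"] not in ("Down", "AdminDown"):
        return "your discriminator is zero in state " + pkt["state"]
    if pkt["auth"] and pkt["length"] <= NO_AUTH_LEN:
        return "A bit set but no authentication section"
    return None


def build_bfd(state: str, my_discrim: int, your_discrim: int, min_tx: int, min_rx: int,
              multiplier: int = 3, diag: int = 0, poll: bool = False, final: bool = False) -> bytes:
    """Encode an unauthenticated BFD control packet (A bit clear, length 24)."""
    b0 = (1 << 5) | (diag & 0x1F)
    b1 = (STATES.index(state) << 6) | (0x20 if poll else 0) | (0x10 if final else 0)
    return HDR.pack(b0, b1, multiplier, NO_AUTH_LEN, my_discrim, your_discrim, min_tx, min_rx, 0)


def detection_time_us(local: dict, remote: dict) -> int:
    """Local detection time = remote multiplier * max(remote min_tx, local min_rx)."""
    return remote["multiplier"] * max(remote["min_tx"], local["min_rx"])


def decode_dumps():
    """Decode the two dumps above and check that they belong to one session."""
    rx = parse_bfd(bytes.fromhex(RX_HEX))
    tx = parse_bfd(bytes.fromhex(TX_HEX))
    # Demultiplexing: each side's Your Discriminator must echo the other's My Discriminator.
    same_session = rx["your_discrim"] == tx["my_discrim"] and tx["your_discrim"] == rx["my_discrim"]
    return rx, tx, same_session


if __name__ == "__main__":
    rx, tx, ok = decode_dumps()
    print("RX state:", rx["state"], "my:", rx["my_discrim"], "your:", rx["your_discrim"],
          "drop reason:", validate(rx, NO_AUTH_LEN))
    print("discriminators match across RX/TX:", ok)
    print("detection time (ms):", detection_time_us(tx, rx) / 1000)
```

Decoding the RX dump gives version 1, state Up, multiplier 3, My Discriminator 5, Your Discriminator 4 and 100000 us (100 ms) for both intervals, which matches the Rx-int/Tx-int 100 and Mult 3 columns of the show bfd neighbors output; the detection time for that session is 3 * 100 ms = 300 ms. The discriminator check in validate() matters operationally: a packet in state Up with Your Discriminator 0 cannot be matched to a session and must be discarded rather than used to drive state.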
9 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating
system.
BGP protocol standards are listed in the Standards Compliance chapter.
BGP is an exterior gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems. BGP generally operates alongside an interior gateway protocol (IGP) such as open shortest path first (OSPF) or routing information protocol (RIP): the IGP carries routes inside the AS while BGP exchanges routes with external ASs. BGP adds resilience to network connections by maintaining multiple paths from one router to another.
Autonomous Systems (AS)
BGP autonomous systems (ASs) are a collection of nodes under common administration with common
network routing policies.
Each AS is identified by a number assigned by an Internet registry; you do not choose the AS number yourself. AS numbers (ASNs) are important because the ASN uniquely identifies each network on the Internet. The Internet Assigned Numbers Authority (IANA) has reserved AS numbers 64512 through 65534 for private use. IANA reserves ASNs 0 and 65535, which must not be used in a live environment.
You can group autonomous systems into three categories (multihomed, stub, and transit), defined by their connections and operation.
• multihomed AS: maintains connections to more than one other AS. This allows the AS to remain connected to the Internet in the event of a complete failure of one of its connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this group is shown in the following illustration.
• stub AS: connected to only one other AS.
• transit AS: provides connections through itself to separate networks. For example, in the following illustration, Router 1 can use Router 2 (the transit AS) to connect to Router 4. Internet service providers (ISPs) are always transit ASs, because they provide connections from one network to another. The ISP is considered to be "selling transit service" to the customer network, hence the term transit AS.
When BGP operates inside an AS (AS1 or AS2, as seen in the following illustration), it is referred to as
Internal BGP (IBGP Interior Border Gateway Protocol). When BGP operates between ASs (AS1 and AS2), it
is called External BGP (EBGP Exterior Border Gateway Protocol). IBGP provides routers inside the AS with
the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP
routers as well as IBGP routers to maintain connectivity and accessibility.
Border Gateway Protocol IPv4 (BGPv4)
165
Figure 17. Interior BGP
BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the list of ASs it has traversed, so an update that arrives back at an AS already listed in its path is detected as a loop and discarded.
BGP does not use a traditional interior gateway protocol (IGP) metric, but makes routing decisions based on path, network policies, and/or rulesets. Unlike most routing protocols, BGP uses TCP (port 179) as its transport protocol.
Each pair of BGP routers that talk to each other forms a session. Because a route learned from an iBGP peer is not re-advertised to other iBGP peers, every BGP router within an AS must have an iBGP session with every other BGP router in the AS; that is, the iBGP network must be a "full mesh", a topology in which every router peers directly with every other router. As seen in the following illustration, four routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers in full mesh have seven peers each.
Figure 18. BGP Routers in Full Mesh
The number of iBGP sessions grows quadratically with the number of routers (n routers need n(n-1)/2 sessions), so managing a large full mesh quickly becomes impractical. Route reflectors, described later in this chapter, remove the need for a full mesh.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of
that session are Peers. A Peer is also called a Neighbor.
Establish a Session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic
routing policies.
In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The BGP protocol defines the messages that each peer must exchange in order to move the session from one state to another.
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: The router waits for the TCP connection to complete. If the connection succeeds, it sends an Open message and transitions to OpenSent. If the connection fails, it restarts the ConnectRetry timer and transitions to Active; if the ConnectRetry timer expires first, it restarts the timer and retries the TCP connection.
Active: The router listens for a TCP connection from the peer. When the ConnectRetry timer expires, it returns to the Connect state and initiates a new TCP connection; a TCP connection that completes while in Active moves the session to OpenSent.
OpenSent: The TCP connection is up and the router has sent its Open message; it waits for the peer's Open message.
OpenConfirm: The router checks the parameters of the received Open message (version, AS number, hold time, BGP identifier). If they are acceptable, it sends a Keepalive and waits in OpenConfirm for the peer's Keepalive (or a Notification).
Established: After the peer's Keepalive is received, the session is placed in the Established state. Keepalive messages continue to be sent at regular periods (set by the Keepalive timer) to verify the connection.
After the connection is established, the router can now send/receive Keepalive, Update, and Notification
messages to/from its peer.
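The state table above, driven as code. The following Python is an added example and is not Dell Networking OS code: it encodes the RFC 4271 transitions the table describes (timers are modelled as events rather than clocks, and a TcpConnAccepted event in Idle models the refused inbound attempt), then walks two speakers, R1 and R2, through a successful establishment. The event names and the BgpSession class are this example's own. Note that a Notification received in any non-Idle state returns the session to Idle and drops all routes learned over it, which is why the underlying TCP session is worth protecting.

```python
"""BGP session finite state machine (RFC 4271 section 8, simplified).

Added example, not Dell Networking OS code. Timers appear as events
(ConnectRetryTimerExpires, HoldTimerExpires) rather than real clocks.
"""

# (state, event) -> (next_state, action taken on the transition)
TRANSITIONS = {
    ("Idle", "ManualStart"): ("Connect", "start ConnectRetry timer, open TCP connection to peer"),
    ("Idle", "TcpConnAccepted"): ("Idle", "refuse inbound connection"),  # Idle accepts nothing
    ("Connect", "TcpConnSucceeded"): ("OpenSent", "send OPEN"),
    ("Connect", "TcpConnFails"): ("Active", "restart ConnectRetry timer, listen for peer"),
    ("Connect", "ConnectRetryTimerExpires"): ("Connect", "restart ConnectRetry timer, retry TCP"),
    ("Active", "ConnectRetryTimerExpires"): ("Connect", "restart ConnectRetry timer, retry TCP"),
    ("Active", "TcpConnSucceeded"): ("OpenSent", "send OPEN"),
    ("Active", "TcpConnFails"): ("Active", "restart ConnectRetry timer"),
    ("OpenSent", "OpenReceived"): ("OpenConfirm", "check OPEN parameters, send KEEPALIVE"),
    ("OpenSent", "TcpConnFails"): ("Active", "close connection, restart ConnectRetry timer"),
    ("OpenConfirm", "KeepaliveReceived"): ("Established", "start Keepalive and Hold timers"),
    ("Established", "KeepaliveReceived"): ("Established", "restart Hold timer"),
    ("Established", "UpdateReceived"): ("Established", "process UPDATE, restart Hold timer"),
}
# From any state other than Idle these events tear the session down.
TEARDOWN = {"NotificationReceived", "HoldTimerExpires", "ManualStop"}


class BgpSession:
    """One peer-to-peer session as seen from one speaker."""

    def __init__(self, name: str):
        self.name = name
        self.state = "Idle"
        self.trace = []          # (from_state, event, to_state, action)

    def fire(self, event: str) -> str:
        if event in TEARDOWN and self.state != "Idle":
            nxt, action = "Idle", "release resources, close TCP connection, withdraw learned routes"
        elif (self.state, event) in TRANSITIONS:
            nxt, action = TRANSITIONS[(self.state, event)]
        else:
            nxt, action = self.state, "event ignored in this state"
        self.trace.append((self.state, event, nxt, action))
        self.state = nxt
        return nxt


def handshake():
    """Drive both ends (R1, R2) through a successful session establishment."""
    r1, r2 = BgpSession("R1"), BgpSession("R2")
    for speaker in (r1, r2):
        speaker.fire("ManualStart")          # Idle -> Connect, TCP SYN sent
    for speaker in (r1, r2):
        speaker.fire("TcpConnSucceeded")     # Connect -> OpenSent, OPEN sent
    for speaker in (r1, r2):
        speaker.fire("OpenReceived")         # OpenSent -> OpenConfirm, KEEPALIVE sent
    for speaker in (r1, r2):
        speaker.fire("KeepaliveReceived")    # OpenConfirm -> Established
    return r1, r2


if __name__ == "__main__":
    a, b = handshake()
    for frm, ev, to, act in a.trace:
        print(f"{a.name}: {frm:12} --{ev}--> {to:12} ({act})")
    b.fire("NotificationReceived")
    print(b.name, "after NOTIFICATION:", b.state)
```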
Peer Groups
Peer groups are neighbors grouped according to common routing policies. They simplify system configuration and management by allowing groups of neighbors to share and inherit policies.
Peer groups also aid in convergence speed. When a BGP process needs to send the same information to
a large number of peers, the BGP process needs to set up a long output queue to get that information to
all the proper peers. If the peers are members of a peer group however, the information can be sent to
one place and then passed onto the peers within the group.
Route Reflectors
Route reflectors (RR) reorganize the iBGP core into a hierarchy and allow some route advertisement
rules.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector
and its client peers form a route reflection cluster. Because BGP speakers announce only the best route
for a given prefix, route reflector rules are applied after the router makes its best path decision.
NOTE: Address-family specific RR configurations are not supported.
• If a route was received from a nonclient peer, reflect the route to all client peers.
• If the route was received from a client peer, reflect the route to all nonclient and all client peers.
To illustrate how these rules affect routing, refer to the following illustration and the following steps.
Routers B, C, D, E, and G are members of the same AS (AS100). These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Routers E and G are client peers of Router D; Routers B and C are nonclient peers of Router D.
Figure 19. BGP Router Rules
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer, because its only other peer is Router D, an iBGP peer, and a route learned through iBGP is not re-advertised to other iBGP peers (Router D has in any case already learned it from Router B).
3. Router D does not advertise the route to Router C, because Router C is a nonclient peer and the route advertisement came from Router B, who is also a nonclient peer.
4. Router D does reflect the advertisement to Routers E and G, because they are client peers of Router D.
5. Routers E and G then advertise this iBGP-learned route to their eBGP peers, Routers F and H.
Communities
BGP communities are sets of routes with one or more common attributes. Communities are a way to
assign common attributes to multiple routes at the same time.
BGP Attributes
Routes learned using BGP have associated properties that are used to determine the best route to a
destination when multiple paths exist to a particular destination.
These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence
route selection is required for the design of robust networks. This section describes the attributes that
BGP uses in the route selection process:
• Weight
• Local Preference
• Multi-Exit Discriminators (MEDs)
• Origin
• AS Path
• Next Hop
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied).
The best path in each group is selected based on specific criteria. Only one "best path" is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list. For example, two paths may have the same weights, but different local preferences. BGP sees that the Weight criterion results in two potential "best paths" and moves to local preference to reduce the options. After a best path has been determined for each group, the same criteria are applied to the groups' best paths to determine the ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive. This method can lead to the system choosing different best paths from a set of paths, depending on the order in which they were received from the neighbors, because MED may or may not get compared between adjacent paths. In deterministic mode, the system compares MED between adjacent paths within an AS group because all paths in the AS group are from the same AS.
NOTE: In the Dell Networking OS version 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error results if you configure the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command at the same time. Only enable one command at a time.
The following illustration shows that the decisions BGP goes through to select the best path. The list
following the illustration details the path selection criteria.
Figure 20. BGP Best Path Selection
Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command or aggregate-address command.
a. Routes originated via a network or redistribute command are preferred over routes originated with the aggregate-address command.
4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command is configured, in which case AS_PATH is not considered). The following rules apply:
a. An AS_SET has a path length of 1, no matter how many ASs are in the set.
b. A path with no AS_PATH has a path length of 0.
c. AS_CONFED_SET is not included in the AS_PATH length.
d. AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE.
5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE).
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following rules apply:
a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
c. Paths with no MED are treated as "worst" and assigned a MED of 4294967295.
7. Prefer external (EBGP) paths to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next hop. This step applies when synchronization is disabled and only internal paths remain.
9. The system deems the paths equal and does not perform the remaining steps if all of the following criteria are met:
a. IBGP multipath or EBGP multipath is configured (the maximum-paths command).
b. the paths being compared were received from the same AS with the same number of ASs in the AS Path but with different next hops.
c. the paths were received from IBGP or EBGP neighbors respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
a. the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
b. the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the best path. The path selection algorithm returns without performing any of the remaining checks.
11. Prefer the path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path). For paths carrying a route reflector (RR) originator ID attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the shortest cluster list. Paths without a cluster list are treated as having a cluster list length of 0.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in the BGP neighbor configuration and corresponds to the remote peer used in the TCP connection with the local router.)
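The numbered criteria above, implemented as a comparison function plus the deterministic grouping by neighboring AS that Best Path Selection Criteria describes. This Python is an added example and is not Dell Networking OS code: the Path record, the segment encoding of AS_PATH, and the sample paths are this example's own constructions (the sample reuses next-hop and AS numbers from the show ip bgp output later in this chapter purely as realistic-looking values). Step 10 (bgp bestpath router-id ignore) and the multipath equality of step 9 are not modelled. The example also shows why bgp always-compare-med changes the outcome: a path with no MED is ranked as 4294967295 only when MEDs are actually compared.

```python
"""BGP best-path selection, following the numbered criteria above.

Added example, not Dell Networking OS code. Step 10 (bgp bestpath router-id
ignore) and the multipath equality of step 9 are omitted; grouping by
neighboring AS in select_best() implements the deterministic-MED behaviour.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

MISSING_MED = 4294967295                                    # step 6c
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}         # step 5
SOURCE_RANK = {"network": 0, "redistribute": 0, "aggregate": 1}  # step 3; learned paths rank 2


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[Tuple[str, List[int]]]   # segments such as ("AS_SEQUENCE", [701, 3549]) or ("AS_SET", [...])
    neighbor: str                          # peer address the path came from (step 13)
    router_id: str                         # peer router ID (step 11)
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: Optional[int] = None
    source: str = "ebgp"                   # "ebgp", "ibgp", "network", "redistribute", "aggregate"
    igp_metric: int = 0
    cluster_list: List[str] = field(default_factory=list)
    originator_id: Optional[str] = None
    arrival: int = 0                       # lower means received earlier


def as_path_len(p: Path, ignore: bool = False) -> int:
    """Step 4: AS_SET and AS_CONFED_SEQUENCE count as 1, AS_CONFED_SET as 0."""
    if ignore:
        return 0
    n = 0
    for kind, asns in p.as_path:
        if kind == "AS_SEQUENCE":
            n += len(asns)
        elif kind in ("AS_SET", "AS_CONFED_SEQUENCE"):
            n += 1
    return n


def first_as(p: Path) -> Optional[int]:
    """The neighboring AS: first entry of the first AS_SEQUENCE segment."""
    for kind, asns in p.as_path:
        if kind == "AS_SEQUENCE" and asns:
            return asns[0]
    return None


def better(a: Path, b: Path, always_compare_med: bool = False, as_path_ignore: bool = False) -> Path:
    """Return the preferred of two paths, walking the criteria in order."""
    if a.weight != b.weight:                                              # 1
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                                      # 2
        return a if a.local_pref > b.local_pref else b
    ra, rb = SOURCE_RANK.get(a.source, 2), SOURCE_RANK.get(b.source, 2)
    if ra != rb:                                                          # 3
        return a if ra < rb else b
    la, lb = as_path_len(a, as_path_ignore), as_path_len(b, as_path_ignore)
    if la != lb:                                                          # 4
        return a if la < lb else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:                    # 5
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if always_compare_med or first_as(a) == first_as(b):                 # 6
        ma = MISSING_MED if a.med is None else a.med
        mb = MISSING_MED if b.med is None else b.med
        if ma != mb:
            return a if ma < mb else b
    ea, eb = a.source != "ibgp", b.source != "ibgp"
    if ea != eb:                                                          # 7
        return a if ea else b
    if a.igp_metric != b.igp_metric:                                      # 8
        return a if a.igp_metric < b.igp_metric else b
    if ea and eb and a.arrival != b.arrival:                              # 11: both external, oldest wins
        return a if a.arrival < b.arrival else b
    ia, ib = ip_address(a.originator_id or a.router_id), ip_address(b.originator_id or b.router_id)
    if ia != ib:                                                          # 11: lowest (originator) router ID
        return a if ia < ib else b
    if len(a.cluster_list) != len(b.cluster_list):                        # 12
        return a if len(a.cluster_list) < len(b.cluster_list) else b
    return a if ip_address(a.neighbor) <= ip_address(b.neighbor) else b   # 13


def select_best(paths: List[Path], **opts) -> Path:
    """Deterministic mode: pick a winner inside each neighboring-AS group, then compare the winners."""
    groups = {}
    for p in paths:
        groups.setdefault(first_as(p), []).append(p)
    winners = []
    for asn in sorted(groups, key=lambda x: (x is None, x or 0)):
        best = groups[asn][0]
        for p in groups[asn][1:]:
            best = better(best, p, **opts)
        winners.append(best)
    best = winners[0]
    for p in winners[1:]:
        best = better(best, p, **opts)
    return best


# Constructed sample: three eBGP paths for one prefix, one from AS 209 and two from AS 701.
SAMPLE = [
    Path("10.0.0.0/8", "10.114.9.1", [("AS_SEQUENCE", [209, 4637])], "10.114.9.1", "10.114.9.1", med=None, arrival=0),
    Path("10.0.0.0/8", "10.114.8.33", [("AS_SEQUENCE", [701, 3549])], "10.114.8.33", "10.114.8.33", med=50, arrival=1),
    Path("10.0.0.0/8", "10.114.8.34", [("AS_SEQUENCE", [701, 3549])], "10.114.8.34", "10.114.8.34", med=10, arrival=2),
]

if __name__ == "__main__":
    print("default:            ", select_best(SAMPLE).next_hop)
    print("always-compare-med: ", select_best(SAMPLE, always_compare_med=True).next_hop)
```

With the defaults the AS 701 group resolves to the MED 10 path, and the AS 209 path wins overall because MED is never compared across different neighboring ASs and it is the oldest external path; with always_compare_med=True the missing MED on the AS 209 path is treated as 4294967295 and the MED 10 path through 10.114.8.34 wins instead.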
Weight
The weight attribute is local to the router and is not advertised to neighboring routers.
If the router learns about more than one route to the same destination, the route with the highest weight
is preferred. The route with the highest weight is installed in the IP routing table.
Local Preference
Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the
number, the greater the preference for the route.
Local preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. For this example, assume that the local preference (LOCAL_PREF) is the only attribute applied. In the following illustration, AS100 has two possible paths to AS200. Although the path through Router A is shorter (one hop instead of two), the LOCAL_PREF settings have the preferred path go through Router B and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B.
Figure 21. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a
preference to a preferred path.
MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact
selection, as shown in the illustration in Best Path Selection Criteria.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this
example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200
connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100
and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs
are advertised to AS100 routers so they know which is the preferred path.
MEDs are non-transitive attributes. If AS100 sends a MED to AS200, AS200 does not pass it on to AS300 or AS400. The MED is relevant only to the two participating ASs (AS100 and AS200).
NOTE: The MEDs are advertised across both links, so if a link goes down, AS100 still has connectivity to AS300 and AS400.
Figure 22. Multi-Exit Discriminators
NOTE: With the Dell Networking OS version 8.3.1.0, configuring the set metric-type internal
command in a route-map advertises the IGP cost as MED to outbound EBGP peers when
redistributing routes. The configured set metric value overwrites the default IGP cost.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Origin Type: Description
IGP: Indicates the prefix originated from information learned through an interior gateway protocol.
EGP: Indicates the prefix originated from information learned from the EGP protocol, which BGP replaced.
INCOMPLETE: Indicates that the prefix originated from an unknown source.
Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally means that a route was learned from an external gateway protocol. An INCOMPLETE origin code generally results from aggregation, redistribution, or other indirect ways of installing routes into BGP.
In the Dell Networking OS, these origin codes appear at the end of the Path column, as shown in the following example. The question mark (?) indicates an origin code of INCOMPLETE. The lowercase letter i indicates an origin code of IGP.
Example of Viewing Origin Codes
Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network        Next Hop      Metric  LocPrf  Weight  Path
*> 7.0.0.0/29     10.114.8.33   0       0       18508   ?
*> 7.0.0.0/30     10.114.8.33   0       0       18508   ?
*> 9.2.0.0/16     10.114.8.33   10      0       18508   701 i
AS Path
The AS path is the list of all ASs that the prefixes in an update have passed through. The local AS number is prepended by the BGP speaker when advertising to an eBGP neighbor.
The AS path is shown in the following example. The origin attribute (i or ?) is shown at the end of each AS path.
Example of Viewing AS Paths
Dell#show ip bgp paths
Total 30655 Paths
Address     Hash  Refcount  Metric  Path
0x4014154   0     3         18508   701 3549 19421 i
0x4013914   0     3         18508   701 7018 14990 i
0x5166d6c   0     3         18508   209 4637 1221 9249 9249 i
0x5e62df4   0     2         18508   701 17302 i
0x3a1814c   0     26        18508   209 22291 i
0x567ea9c   0     75        18508   209 3356 2529 i
0x6cc1294   0     2         18508   209 1239 19265 i
0x6cc18d4   0     1         18508   701 2914 4713 17935 i
0x5982e44   0     162       18508   209 i
0x67d4a14   0     2         18508   701 19878 ?
0x559972c   0     31        18508   209 18756 i
0x59cd3b4   0     2         18508   209 7018 15227 i
0x7128114   0     10        18508   209 3356 13845 i
0x536a914   0     3         18508   209 701 6347 7781 i
0x2ffe884   0     1         18508   701 3561 9116 21350 i
Next Hop
The next hop is the IP address used to reach the advertising router.
For EBGP neighbors, the next-hop address is the IP address of the connection between the neighbors.
For IBGP, the EBGP next-hop address is carried into the local AS. A next hop attribute is set when a BGP
speaker advertises itself to another BGP speaker outside its local AS and when advertising routes within
an AS. The next hop attribute also serves as a way to direct traffic to another BGP speaker, rather than
waiting for a speaker to advertise.
The system allows you to set the next hop attribute in the CLI. Setting the next hop attribute lets you
determine a router as the next hop for a BGP neighbor.
Multiprotocol BGP
Multiprotocol extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of
address families to be distributed in parallel.
MBGP allows information about the topology of the IP multicast-capable routers to be exchanged
separately from the topology of normal IPv4 and IPv6 unicast routers. It allows a multicast routing
topology different from the unicast routing topology.
NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer
reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP. Therefore,
you cannot redistribute multiprotocol BGP routes into BGP.
Implement BGP with the Dell Networking OS
The following sections describe how to implement BGP on the Dell Networking OS.
Additional Path (Add-Path) Support
The add-path feature reduces convergence times by advertising multiple paths to its peers for the same
address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only
the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker
withdraws its path from its local RIB and recalculates a new best path. This situation requires both IGP
and BGP convergence and can be a lengthy process.
BGP add-path reduces the time taken for BGP convergence by advertising multiple paths to its peers for
the same address prefix without new paths implicitly replacing the existing paths. An iBGP speaker that
receives multiple paths from its peers calculates the best path on its own. When the best path becomes
unavailable, BGP add-path lets the speaker switch over to the next best path within the IGP convergence time.
Advertise IGP Cost as MED for Redistributed Routes
When using multipath connectivity to an external AS, you can advertise the MED value selectively to each
peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting
others to a constant pre-defined metric as MED value.
The Dell Networking OS version 8.3.1.0 and later support configuring the set metric-type internal
command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when
redistributing routes. The configured set metric value overwrites the default IGP cost.
By using the redistribute command with the route-map command, you can specify whether a peer
advertises the standard MED or uses the IGP cost as the MED.
When configuring this functionality:
• If the redistribute command does not have metric configured and the BGP peer outbound
route-map does have metric-type internal configured, BGP advertises the IGP cost as MED.
• If the redistribute command has metric configured (route-map set metric or
redistribute route-type metric) and the BGP peer outbound route-map has metric-type
internal configured, BGP advertises the metric configured in the redistribute command as
MED.
• If the BGP peer outbound route-map has metric configured, all other metrics are overwritten by this
configuration.
NOTE: When redistributing static, connected, or OSPF routes, there is no metric option. Simply
assign the appropriate route-map to the redistributed route.
The following table lists some examples of these rules.
Table 6. Redistributed Route Rules

Command Settings                            BGP Local Routing    MED Advertised to Peer    MED Advertised to Peer
                                            Information Base     WITH route-map            WITHOUT route-map
                                                                 metric-type internal      metric-type internal
redistribute isis (IGP cost = 20)           MED: IGP cost 20     MED = 20                  MED = 0
redistribute isis route-map set metric 50   MED: IGP cost 50     MED: 50                   MED: 50
redistribute isis metric 100                MED: IGP cost 100    MED: 100                  MED: 100
Ignore Router-ID for Some Best-Path Calculations
The Dell Networking OS version 8.3.1.0 and later allows you to avoid unnecessary BGP best-path
transitions between external paths under certain conditions. The bgp bestpath router-id ignore
command reduces network disruption caused by routing and forwarding plane changes and allows for
faster convergence.
Four-Byte AS Numbers
The Dell Networking OS version 7.7.1 and later supports 4-Byte (32-bit) format when configuring
autonomous system numbers (ASNs).
The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte
BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet.
The behavior of a 4-Byte BGP speaker toward a peer differs depending on whether the peer is a 4-Byte or a 2-Byte BGP speaker.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS numbers using the
traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip
bgp commands. For example, an ASN entered as 3183856184 appears in the show commands as
48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN
in traditional format, use ASN/65536.ASN%65536 (the integer quotient, a dot, then the remainder).
Traditional Format    DOT Format
65001                 0.65501
65536                 1.0
100000                1.34464
4294967295            65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte
identified routers. You cannot mix them.
Configure 4-byte AS numbers with the four-octet-support command.
Border Gateway Protocol IPv4 (BGPv4)
177
AS4 Number Representation
The Dell Networking OS version 8.2.1.0 supports multiple representations of 4-byte AS numbers: asplain,
asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers
feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
ASPLAIN is the method the Dell Networking OS has used for all previous Dell Networking OS versions.
ASPLAIN remains the default method with the Dell Networking OS version 8.2.1.0 and later. With the
ASPLAIN notation, a 32-bit binary AS number is translated into a decimal value.
•
All AS numbers between 0 and 65535 are represented as a decimal number when entered in the CLI
and when displayed in the show commands output.
•
AS numbers larger than 65535 are represented using ASPLAIN notation. When entered in the CLI and
when displayed in the show commands output, 65546 is represented as 65546.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a
decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>. Some examples are shown in the
following table.
•
All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI
and when displayed in the show commands outputs.
•
AS numbers larger than 65535 are represented using dotted notation as <higher 2 bytes in
decimal>.<lower 2 bytes in decimal>. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536
appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal
format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears
as 1.10.
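The conversions described in the two sections above (the ASN/65536.ASN%65536 dot format, the 4-Byte capability threshold and the asplain, asdot+ and asdot display rules), as an added example; this is not code from the Dell Networking OS or from this guide, and the function names are the author's own.

```python
"""Convert BGP AS numbers between asplain, asdot+ and asdot notation.

Added example (not Dell Networking OS code): asdot+ always shows
<high-order 16 bits>.<low-order 16 bits>; asdot shows numbers below
65536 as plain integers and larger ones in asdot+ form; asplain is the
plain decimal value. parse_asn() accepts any of the three forms.
"""
import re

ASN_MAX_2BYTE = 65535          # largest ASN that fits the classic 2-Byte field
ASN_MAX_4BYTE = 4294967295     # largest ASN with the 4-BYTE-AS capability

_DOT_RE = re.compile(r"^(\d+)\.(\d+)$")


def _check_range(asn: int) -> None:
    if not 0 <= asn <= ASN_MAX_4BYTE:
        raise ValueError(f"ASN {asn} outside 0..{ASN_MAX_4BYTE}")


def to_asplain(asn: int) -> str:
    """Plain decimal, e.g. 65546 -> '65546'."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """ASN/65536.ASN%65536 for every value, e.g. 65546 -> '1.10', 100 -> '0.100'."""
    _check_range(asn)
    return f"{asn // 65536}.{asn % 65536}"


def to_asdot(asn: int) -> str:
    """asplain below 65536, asdot+ from 65536 upward (the manual's 65526 / 1.10 example)."""
    _check_range(asn)
    return str(asn) if asn <= ASN_MAX_2BYTE else to_asdot_plus(asn)


def render(asn: int, notation: str = "asplain") -> str:
    """Display an ASN the way 'bgp asnotation <notation>' would (asplain is the default)."""
    table = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}
    if notation not in table:
        raise ValueError(f"unknown notation {notation!r}")
    return table[notation](asn)


def parse_asn(text: str) -> int:
    """Accept '65546', '1.10' or '0.100' and return the integer ASN; reject out-of-range input."""
    text = text.strip()
    m = _DOT_RE.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > ASN_MAX_2BYTE or low > ASN_MAX_2BYTE:
            raise ValueError(f"dotted ASN component above 65535: {text}")
        asn = high * 65536 + low
    elif text.isdigit():
        asn = int(text)
    else:
        raise ValueError(f"not an AS number: {text!r}")
    _check_range(asn)
    return asn


def needs_four_octet_support(asn: int) -> bool:
    """True when the ASN does not fit a 2-Byte field, i.e. the session needs the 4-BYTE-AS capability."""
    _check_range(asn)
    return asn > ASN_MAX_2BYTE


if __name__ == "__main__":
    for value in (65123, 65536, 100000, 3183856184):
        print(value, to_asdot(value), to_asdot_plus(value), needs_four_octet_support(value))
```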
Dynamic AS Number Notation Application
The Dell Networking OS version 8.3.1.0 applies the ASN notation type change dynamically to the
running-config statements.
When you apply or change an asnotation, the type selected is reflected immediately in the running-configuration and the show commands (refer to the following two examples).
Example of Dynamic Changes in the Running Configuration When Using the bgp asnotation
Command
Example of the Running Configuration When AS Notation is Disabled
ASDOT
Dell(conf-router_bgp)#bgp asnotation asdot
Dell(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Dell(conf-router_bgp)#do show ip bgp
BGP table version is 24901, local router ID is 172.30.1.57
<output truncated>
ASDOT+
Dell(conf-router_bgp)#bgp asnotation asdot+
Dell(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Dell(conf-router_bgp)#do show ip bgp
BGP table version is 24901, local router ID is 172.30.1.57
<output truncated>
AS-PLAIN
Dell(conf-router_bgp)#bgp asnotation asplain+
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-asdot+
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Dell(conf-router_bgp)#do sho ip bgp
BGP table version is 31571, local router ID is 172.30.1.57
<output truncated>
AS-PLAIN
Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
AS NOTATION DISABLED
Dell(conf-router_bgp)#no bgp asnotation
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Dell(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS4 SUPPORT DISABLED
Dell(conf-router_bgp)#no bgp four-octet-as-support
Dell(conf-router_bgp)#sho conf
!
router bgp 100
AS Number Migration
With this feature you can transparently change the AS number of an entire BGP network and ensure that
the routes are propagated throughout the network while the migration is in progress.
When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an
iBGP if the ASN changes. Migration can be difficult as all the iBGP and eBGP peers of the migrating
network must be updated to maintain network reachability. Essentially, Local-AS provides a capability for
the BGP speaker to operate as if it belongs to a "virtual" AS network in addition to its physical AS network.
The following illustration shows a scenario where Router A, Router B, and Router C belong to AS 100,
200, and 300, respectively. Router A acquired Router B; Router B has Router C as its customer. When
Router B is migrating to Router A, it must maintain the connection with Router C without immediately
updating Router C’s configuration. Local-AS allows this behavior to happen by allowing Router B to
appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is
concerned.
Figure 23. Before and After AS Number Migration with Local-AS Enabled
When you complete your migration, and you have reconfigured your network with the new information,
disable this feature.
If you use the no prepend option, the Local-AS does not prepend to the updates received from the
eBGP peer. If you do not select no prepend (the default), the Local-AS is added to the first AS segment
in the AS-PATH. If an inbound route-map is used to prepend the as-path to the update from the peer, the
Local-AS is added first. For example, consider the topology described in the previous illustration. If Router
B has an inbound route-map applied on Router C to prepend "65001 65002" to the as-path, the
following events take place on Router B:
1. Receive and validate the update.
2. Prepend local-as 200 to as-path.
3. Prepend "65001 65002" to as-path.
Local-AS is prepended before the route-map to give an impression that update passed through a router
in AS 200 before it reached Router B.
BGP4 Management Information Base (MIB)
The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB)
support with many new simple network management protocol (SNMP) objects and notifications (traps)
defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell
website.
NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web
page.
Important Points to Remember
• The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and
f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices
are assigned to the AS segments and individual ASN in each segment starting from 0. For example, an
AS path list of {200 300 400} 500 consists of two segments: {200 300 400} with segment index 0 and
500 with segment index 1. ASN 200, 300, and 400 are assigned 0, 1, and 2 element indices in that
order.
• Unknown optional transitive attributes within a given path attribute (PA) are assigned indices in order.
These indices correspond to the f10BgpM2PathAttrUnknownIndex field in the
f10BgpM2PathAttrUnknownEntry table.
• Negotiation of multiple instances of the same capability is not supported.
F10BgpM2PeerCapAnnouncedIndex and f10BgpM2PeerCapReceivedIndex are ignored in the peer
capability lookup.
• Configure inbound BGP soft-reconfiguration on a peer for f10BgpM2PrefixInPrefixesRejected to
display the number of prefixes filtered due to a policy. If you do not enable BGP soft-reconfig, the
denied prefixes are not accounted for.
• F10BgpM2AdjRibsOutRoute stores the pointer to the NLRI in the peer's Adj-Rib-Out.
• PA Index (f10BgpM2PathAttrIndex field in various tables) is used to retrieve specific attributes from the
PA table. The Next-Hop, RR Cluster-list, and Originator ID attributes are not stored in the PA Table
and cannot be retrieved using the index passed in the command. These fields are not populated in
f10BgpM2PathAttrEntry, f10BgpM2PathAttrClusterEntry, and f10BgpM2PathAttrOriginatorIdEntry.
• F10BgpM2PathAttrUnknownEntry contains the optional-transitive attribute details.
• A query for f10BgpM2LinkLocalNextHopEntry returns the default value for Link-local Next-hop.
• RFC 2545 and the f10BgpM2Rfc2545Group are not supported.
• An SNMP query displays up to 89 AS paths. A query for a larger AS path count displays as "…" at the
end of the output.
• SNMP set for BGP is not supported. For all peer configuration tables
(f10BgpM2PeerConfigurationGroup, f10BgpM2PeerRouteReflectorCfgGroup, and
f10BgpM2PeerAsConfederationCfgGroup), an SNMP set operation returns an error. Only SNMP
queries are supported. In addition, the f10BgpM2CfgPeerError, f10BgpM2CfgPeerBgpPeerEntry, and
f10BgpM2CfgPeerRowEntryStatus fields are intended to hold the SNMP set status and are ignored in an SNMP
query.
• The AFI/SAFI is not used as an index to the f10BgpM2PeerCountersEntry table. The BGP peer's AFI/
SAFI (IPv4 Unicast or IPv6 Multicast) is used for various outbound counters. Counters corresponding
to IPv4 Multicast cannot be queried.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector
clients are not in a full mesh if you enable BGP client-2-client reflection and that
the BGP speaker acting as reflector advertises routes learned from one client to another client. If
disabled, it is assumed that clients are in a full mesh and there is no need to advertise prefixes to the
other clients.
• High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB.
• To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large
BGP Loc-RIB), Dell Networking recommends setting the timeout and retry count values to a relatively
higher number. For example, t = 60 or r = 5.
• To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as
snmpwalk -v 2c -C c -c public <IP_address> <OID>.
• An SNMP walk may terminate prematurely if the index does not increment lexicographically. Dell
Networking recommends using options to ignore such errors.
• Multiple BGP process instances are not supported. Thus, the f10BgpM2PeerInstance field in various
tables is not used to locate a peer.
• Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP
query response.
• The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used.
• Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and
f10BgpM2NlriOpaquePointer fields are set to zero.
• 4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related
parameters based on the configuration.
Traps (notifications) specified in the BGP4 MIB draft <draft-ietf-idr-bgp4-mibv2-05.txt> are not
supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC
1657.
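Two passages above work on the AS path: the three Local-AS steps on Router B (validate, prepend local-as 200, then the route-map prepend "65001 65002") and the MIB bullet that assigns segment and element indices to {200 300 400} 500. The following added example models both; it is not Dell Networking OS code, the validation checks in validate_inbound are the author's own (leftmost AS must be the eBGP peer's AS, and a path already carrying one of our ASNs is an AS loop), and all function names are hypothetical.

```python
"""AS_PATH handling for the Local-AS example and the BGP4-V2 MIB indices.

Added example (not Dell Networking OS code). A path is a list of Segment
objects: an ordered AS_SEQUENCE ("SEQ") or an unordered AS_SET ("SET",
shown in braces, as in the manual's {200 300 400} 500).
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

ASN_MAX = 4294967295


@dataclass
class Segment:
    kind: str                                  # "SEQ" or "SET"
    asns: List[int] = field(default_factory=list)


def parse_path(text: str) -> List[Segment]:
    """Parse show-style text such as '{200 300 400} 500' into segments."""
    segs: List[Segment] = []
    in_set = False
    for tok in text.replace("{", " { ").replace("}", " } ").split():
        if tok == "{":
            if in_set:
                raise ValueError("nested AS_SET")
            segs.append(Segment("SET"))
            in_set = True
        elif tok == "}":
            if not in_set:
                raise ValueError("unbalanced '}' in AS path")
            in_set = False
        else:
            asn = int(tok)
            if not 0 < asn <= ASN_MAX:       # AS 0 is reserved and not valid in a path
                raise ValueError(f"invalid ASN {tok} in AS path")
            if in_set or (segs and segs[-1].kind == "SEQ"):
                segs[-1].asns.append(asn)
            else:
                segs.append(Segment("SEQ", [asn]))
    if in_set:
        raise ValueError("unterminated AS_SET")
    return segs


def format_path(segs: List[Segment]) -> str:
    parts = []
    for s in segs:
        body = " ".join(str(a) for a in s.asns)
        parts.append("{" + body + "}" if s.kind == "SET" else body)
    return " ".join(parts)


def validate_inbound(segs: List[Segment], peer_as: int, own_ases: Set[int]) -> None:
    """Step 1 (checks added here): an eBGP update's leftmost AS must be the sending
    peer's AS, and the path must not already contain one of our ASNs (AS loop)."""
    first = next((a for s in segs for a in s.asns), None)
    if not segs or segs[0].kind != "SEQ" or first != peer_as:
        raise ValueError(f"leftmost AS {first} is not peer AS {peer_as}")
    loop = {a for s in segs for a in s.asns} & own_ases
    if loop:
        raise ValueError(f"AS loop: {sorted(loop)} already present in path")


def _prepend(segs: List[Segment], asns: Iterable[int]) -> None:
    """Prepend to the first AS segment (a new AS_SEQUENCE if the path starts with an AS_SET)."""
    asns = list(asns)
    if segs and segs[0].kind == "SEQ":
        segs[0].asns[0:0] = asns
    else:
        segs.insert(0, Segment("SEQ", asns))


def receive_update(path_text: str, *, peer_as: int, router_as: int, local_as: int = None,
                   no_prepend: bool = False, route_map_prepend: Tuple[int, ...] = ()) -> str:
    """Steps 1-3 on Router B: validate, prepend Local-AS (unless 'no prepend'),
    then apply the inbound route-map prepend, which therefore lands in front of Local-AS."""
    segs = parse_path(path_text)
    own = {router_as} | ({local_as} if local_as is not None else set())
    validate_inbound(segs, peer_as, own)
    if local_as is not None and not no_prepend:
        _prepend(segs, [local_as])
    if route_map_prepend:
        _prepend(segs, route_map_prepend)
    return format_path(segs)


def mib_indices(path_text: str) -> List[Tuple[int, int, int]]:
    """(segment index, element index, ASN) triples as f10BgpM2AsPathSegmentIndex /
    f10BgpM2AsPathElementIndex assign them, both starting from 0."""
    return [(si, ei, asn)
            for si, s in enumerate(parse_path(path_text))
            for ei, asn in enumerate(s.asns)]
```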
Configuration Information
The software supports BGPv4 as well as the following:
• deterministic multi-exit discriminator (MED) (default)
• a path with a missing MED is treated as worst path and assigned an MED value of (0xffffffff)
• the community format follows RFC 1998
• delayed configuration (the software at system boot reads the entire configuration file prior to sending
messages to start BGP peer sessions)
The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• synchronization (the default is no synchronization)
BGP Configuration
To enable the BGP process and begin exchanging information, assign an AS number and use commands
in ROUTER BGP mode to configure a BGP neighbor.
By default, BGP is disabled.
By default, the system compares the MED attribute on different paths from within the same AS (the bgp
always-compare-med command is not enabled).
NOTE: In the Dell Networking OS, all newly configured neighbors and peer groups are disabled. To
enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no
shutdown command.
The following table displays the default values for BGP.
Table 7. BGP Default Values
Item                               Default
BGP Neighbor Adjacency changes     All BGP neighbor changes are logged.
Fast External Fallover feature     Disabled
Graceful Restart feature           Disabled
Local preference                   100
MED                                0
Route Flap Damping Parameters      half-life = 15 minutes
                                   reuse = 750
                                   suppress = 2000
                                   max-suppress-time = 60 minutes
Distance                           external distance = 20
                                   internal distance = 200
                                   local distance = 200
Timers                             keepalive = 60 seconds
                                   holdtime = 180 seconds
Add-path                           Disabled
Enabling BGP
By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system
(AS) and assigns the AS number (ASN).
To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
In BGP, routers with an established TCP connection are called neighbors or peers. After a connection is
established, the neighbors exchange full BGP routing tables with incremental updates afterward. In
addition, neighbors exchange KEEPALIVE messages to maintain the connection.
In BGP, neighbor routers or peers are classified as external or internal. External BGP peers must be connected
physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not
need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the
interface directly connected to the router. First, the BGP process determines if all internal BGP peers are
reachable, then it determines which peers outside the AS are reachable.
NOTE: Find Sample Configurations for enabling BGP routers at the end of this chapter.
1. Assign an AS number and enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535
(Dotted format).
Only one AS is supported per system.
NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
a. Enable 4-Byte support for the BGP process.
NOTE: This command is OPTIONAL. Enable it if you want to use 4-Byte AS numbers or if you
support AS4 number representation.
CONFIG-ROUTER-BGP mode
bgp four-octet-as-support
NOTE: Use it only if you support 4-Byte AS numbers or if you support AS4 number
representation. If you are supporting 4-Byte ASNs, enable this command.
Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-as-support command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured.
Disabling 4-Byte AS numbers also disables ASDOT and ASDOT+ number representation. All AS
numbers are displayed in ASPLAIN format.
b. Enable IPv4 multicast or IPv6 mode.
CONFIG-ROUTER-BGP mode
address-family {ipv4 | ipv6}
Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).
2. Add a neighbor as a remote AS.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group name} remote-as as-number
• peer-group name: 16 characters
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535
(Dotted format)
Formats: IP Address A.B.C.D
You must create a peer group (refer to Configuring Peer Groups) before assigning it a remote AS.
3. Enable the BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} no shutdown
Example of the show ip bgp summary Command (2-Byte AS number displayed)
Example of the show ip bgp summary Command (4-Byte AS number displayed)
Example of the show ip bgp neighbors Command
Example of Verifying BGP Configuration
NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the
clear ip bgp command in EXEC Privilege mode.
To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view
the BGP status, use the show ip bgp summary command in EXEC Privilege mode. The first example
shows the summary with a 2-byte AS number displayed (in bold); the second example shows that the
summary with a 4-byte AS number using the show ip bgp summary command (displays a 4–byte AS
number in bold).
R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 65123
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
1 paths using 72 bytes of memory
BGP-RIB over all using 73 bytes of memory
1 BGP path attribute entrie(s) using 72 bytes of memory
1 BGP AS-PATH entrie(s) using 47 bytes of memory
5 neighbor(s) using 23520 bytes of memory

Neighbor        AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
10.10.21.1      65123        0       0      0   0    0 never   Active
10.10.32.3      65123        0       0      0   0    0 never   Active

R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 48735.59224
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
1 paths using 72 bytes of memory
BGP-RIB over all using 73 bytes of memory
1 BGP path attribute entrie(s) using 72 bytes of memory
1 BGP AS-PATH entrie(s) using 47 bytes of memory
5 neighbor(s) using 23520 bytes of memory

Neighbor        AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
10.10.21.1      65123        0       0      0   0    0 never   Active
10.10.32.3      65123        0       0      0   0    0 never   Active
For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured.
Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID.
If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router
ID.
To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege
mode as shown in the first example. For BGP neighbor configuration information, use the show
running-config bgp command in EXEC Privilege mode as shown in the second example.
Border Gateway Protocol IPv4 (BGPv4)
185
NOTE: The show config command in CONFIGURATION ROUTER BGP mode gives the same
information as the show running-config bgp command.
The following example displays two neighbors: one is an external BGP neighbor and the second
one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and
states whether the link is external or internal (shown in bold).
The third line of the show ip bgp neighbors output contains the BGP State. If anything other than
ESTABLISHED is listed, the neighbor is not exchanging information and routes. For more information
about using the show ip bgp neighbors command, refer to the Dell Networking OS Command Line
Interface Reference Guide.
Dell#show ip bgp neighbors
BGP neighbor is 10.114.8.60, remote AS 18508, external link
BGP version 4, remote router ID 10.20.20.20
BGP state ESTABLISHED, in this state for 00:01:58
Last read 00:00:14, hold time is 90, keepalive interval is 30 seconds
Received 18552 messages, 0 notifications, 0 in queue
Sent 11568 messages, 0 notifications, 0 in queue
Received 18549 updates, Sent 11562 updates
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 216613, neighbor version 201190
130195 accepted prefixes consume 520780 bytes
Prefix advertised 49304, rejected 0, withdrawn 36143
Connections established 1; dropped 0
Last reset never
Local host: 10.114.8.39, Local port: 1037
Foreign host: 10.114.8.60, Foreign port: 179
BGP neighbor is 10.1.1.1, remote AS 65535, internal link
Administratively shut down
BGP version 4, remote router ID 10.0.0.0
BGP state IDLE, in this state for 17:12:40
Last read 17:12:40, hold time is 180, keepalive interval is 60 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Received 0 updates, Sent 0 updates
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
0 accepted prefixes consume 0 bytes
Prefix advertised 0, rejected 0, withdrawn 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
Dell#
R2#show running-config bgp
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list ISP1in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
Configuring AS4 Number Representations
Enable one type of AS number representation: ASPLAIN, ASDOT+, or ASDOT.
Term      Description
ASPLAIN   the method Dell Networking OS used for all previous Dell Networking OS versions.
          It remains the default method with the Dell Networking OS version 8.2.1.0 and
          later. With the ASPLAIN notation, a 32-bit binary AS number is translated into a
          decimal value.
ASDOT+    representation splits the full binary 4-byte AS number into two words of 16 bits
          separated by a decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>.
ASDOT     representation combines the ASPLAIN and ASDOT+ representations. AS numbers
          less than 65536 appear in integer format (asplain); AS numbers equal to or greater
          than 65536 appear using the decimal method (asdot+). For example, the AS
          number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers
feature. If you do not implement 4-Byte AS numbers, only ASPLAIN representation is supported.
Only one form of AS number representation is supported at a time. You cannot combine the types of
representations within an AS.
To configure AS4 number representations, use the following commands.
• Enable ASPLAIN AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asplain
NOTE: ASPLAIN is the default method the system uses and does not appear in the configuration
display.
• Enable ASDOT AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
Example of the bgp asnotation asplain Command
Example of the bgp asnotation asdot Command
Example of the bgp asnotation asdot+ Command
Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
Dell(conf-router_bgp)#bgp asnotation asdot
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
Dell(conf-router_bgp)#bgp asnotation asdot+
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot+
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
Configuring Peer Groups
To configure multiple BGP neighbors at one time, create and populate a BGP peer group.
An advantage of peer groups is that members of a peer group inherit the configuration properties of the
group and share same update policy.
A maximum of 256 peer groups are allowed on the system.
Create a peer group by assigning it a name, then adding members to the peer group. After you create a
peer group, you can configure route policies for it. For information about configuring route policies for a
peer group, refer to Filtering BGP Routes.
NOTE: Find Sample Configurations for enabling peer groups at the end of this chapter.
1. Create a peer group by assigning a name to it.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name peer-group
2. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
By default, all peer groups are disabled.
3. Create a BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor ip-address remote-as as-number
4. Enable the neighbor.
CONFIG-ROUTER-BGP mode
neighbor ip-address no shutdown
5. Add an enabled neighbor to the peer group.
CONFIG-ROUTER-BGP mode
neighbor ip-address peer-group peer-group-name
6. Add a neighbor as a remote AS.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group name} remote-as as-number
Formats: IP Address A.B.C.D
• Peer-Group Name: 16 characters.
• as-number: the range is from 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number
different from the BGP as-number configured in the router bgp as-number command.
To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.
Example of Viewing a Newly Created Peer Group
Example of Enabling a Peer Group
Example of the show ip bgp peer-group Command
After you create a peer group, you can use any of the commands beginning with the keyword neighbor
to configure that peer group.
When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
A neighbor cannot become part of a peer group if it has any of the following commands configured:
• neighbor advertisement-interval
• neighbor distribute-list out
• neighbor filter-list out
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is
more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group
by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege
mode.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
When you create a peer group, it is disabled (shutdown). The following example shows the creation of a
peer group (zanzibar) (in bold).
Dell(conf-router_bgp)#neighbor zanzibar peer-group
Dell(conf-router_bgp)#show conf
!
router bgp 45
bgp fast-external-fallover
bgp log-neighbor-changes
neighbor zanzibar peer-group
neighbor zanzibar shutdown
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 shutdown
To enable a peer group, use the neighbor peer-group-name no shutdown command in
CONFIGURATION ROUTER BGP mode (shown in bold).
Dell(conf-router_bgp)#neighbor zanzibar no shutdown
Dell(conf-router_bgp)#show config
!
router bgp 45
bgp fast-external-fallover
bgp log-neighbor-changes
neighbor zanzibar peer-group
neighbor zanzibar no shutdown
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 shutdown
To disable a peer group, use the neighbor peer-group-name shutdown command in
CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not
applied to the peer group members. When you disable a peer group, all the peers within the peer group
that are in the ESTABLISHED state move to the IDLE state.
To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege
mode, as shown in the following example.
Dell>show ip bgp peer-group
Peer-group zanzibar, remote AS 65535
BGP version 4
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is zanzibar, peer-group internal,
Number of peers in this group 26
Peer-group members (* - outbound optimized):
10.68.160.1
10.68.161.1
10.68.162.1
10.68.163.1
10.68.164.1
10.68.165.1
10.68.166.1
10.68.167.1
10.68.168.1
10.68.169.1
10.68.170.1
10.68.171.1
10.68.172.1
10.68.173.1
10.68.174.1
10.68.175.1
10.68.176.1
10.68.177.1
10.68.178.1
Configuring BGP Fast Fail-Over
By default, a BGP session is governed by the hold time.
BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast
fail-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer
is immediately reset if a link to a directly connected external peer fails.
When you enable fail-over, BGP tracks IP reachability to the peer remote address and the peer local
address. Whenever either address becomes unreachable (for example, no active route exists in the
routing table for peer IPv6 destinations/local address), BGP brings down the session with the peer.
The BGP fast fail-over feature is configured on a per-neighbor or peer-group basis and is disabled by
default.
To enable the BGP fast fail-over feature, use the following command.
• Enable BGP Fast Fail-Over.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} fail-over
To disable fast fail-over, use the no neighbor {ip-address | peer-group-name} fail-over command
in CONFIGURATION ROUTER BGP mode.
Example of Verifying that Fast Fail-Over is Enabled on a BGP Neighbor
Example of Verifying that Fast Fail-Over is Enabled on a Peer-Group
To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors
command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in
bold).
Dell#sh ip bgp neighbors
BGP neighbor is 100.100.100.100, remote AS 65517, internal link
Member of peer-group test for session parameters
BGP version 4, remote router ID 30.30.30.5
BGP state ESTABLISHED, in this state for 00:19:15
Last read 00:00:15, last write 00:00:06
Hold time is 180, keepalive interval is 60 seconds
Received 52 messages, 0 notifications, 0 in queue
Sent 45 messages, 5 notifications, 0 in queue
Received 6 updates, Sent 0 updates
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
fail-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
To verify that fast fail-over is enabled on a peer-group, use the show ip bgp peer-group command
(shown in bold).
Dell#sh ip bgp peer-group
Peer-group test
fail-over enabled
BGP version 4
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is test
Number of peers in this group 1
Peer-group members (* - outbound optimized):
100.100.100.100*
Dell#
router bgp 65517
neighbor test peer-group
neighbor test fail-over
neighbor test no shutdown
Configuring Passive Peering
When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection.
If you enable passive peering for the peer group, the software does not send an OPEN message, but it
responds to an OPEN message.
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, the
system does not allow another passive peer-group on the same subnet to connect with the BGP
neighbor. To work around this, change the BGP configuration or change the order of the peer group
configuration.
You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows
you to set the total number of sessions the neighbor will accept, between 2 and 256. The default is 256
sessions.
1. Configure a peer group that does not initiate TCP connections with other peers.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name peer-group passive limit
Enter the limit keyword to restrict the number of sessions accepted.
2. Assign a subnet to the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name subnet subnet-number mask
The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
4. Create and specify a remote peer for BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to
ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group.
For more information about peer groups, refer to Configuring Peer Groups.
Maintaining Existing AS Numbers During an AS Migration
The local-as feature smooths out the BGP network migration operation and allows you to maintain
existing ASNs during a BGP network migration.
When you complete your migration, be sure to reconfigure your routers with the new information and
disable this feature.
• Allow external routes from this neighbor.
CONFIG-ROUTERBGP mode
neighbor {IP address | peer-group-name} local-as as-number [no prepend]
– Format: IP Address: A.B.C.D.
– Peer Group Name: 16 characters.
– AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format).
– No Prepend: specifies that local AS values are not prepended to announcements from the neighbor.
You must configure a peer group (refer to Configuring Peer Groups) before assigning it to an AS. This feature is not supported on
passive peer groups.
Example of Verifying that Local AS Numbering is Disabled
The first line in bold shows the actual AS number. The second two lines in bold show the local AS number
(6500) maintained during migration.
To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP
mode.
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
Allowing an AS Number to Appear in its Own AS Path
This command allows you to set the number of times a particular AS number can occur in the AS path.
The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of
times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is
detected if the local ASN is present more than the specified number of times in the command.
• Allow this neighbor ID to use the AS path the specified number of times.
CONFIG-ROUTER-BGP mode
neighbor {IP address | peer-group-name} allowas-in number
– Format: IP Address: A.B.C.D.
– Peer Group Name: 16 characters.
– Number: 1 through 10.
You must configure a peer group (refer to Configuring Peer Groups) before assigning it to an AS.
Example of Viewing AS Numbers in AS Paths
The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allowas-in 9).
To disable this feature, use the no neighbor allowas-in number command in CONFIGURATION
ROUTER BGP mode.
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
Enabling Graceful Restart
Use this feature to lessen the negative effects of a BGP restart.
The Dell Networking OS advertises support for this feature to BGP neighbors through a capability
advertisement. You can enable graceful restart by router and/or by peer or peer group.
NOTE: By default, BGP graceful restart is disabled.
The default role for BGP is as a receiving or restarting peer. If you enable BGP graceful restart, when a peer that supports
graceful restart resumes operating, the Dell Networking OS performs the following tasks:
• Continues saving routes received from the peer if the peer advertised it had graceful restart capability.
• Continues forwarding traffic to the peer.
• Flags routes from the peer as Stale and sets a timer to delete them if the peer does not perform a graceful restart.
• Deletes all routes from the peer if forwarding state information is not saved.
• Speeds convergence by advertising a special update packet known as an end-of-RIB marker. This marker indicates the peer has been updated with all routes in the local RIB.
If you configure your system to do so, the system can perform the following actions during a hot failover:
• Save all forwarding information base (FIB) and content addressable memory (CAM) entries on the line card and continue forwarding traffic while the secondary route processor module (RPM) is coming online.
• Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive and to continue forwarding traffic.
• Bring the secondary RPM online as the primary and re-open sessions with all peers operating in No Shutdown mode.
• Defer best path selection for a certain amount of time. This helps optimize path selection and results in fewer updates being sent out.
To enable graceful restart, use the following commands.
• Enable graceful restart for the BGP node.
CONFIG-ROUTER-BGP mode
bgp graceful-restart
• Set maximum restart time for all peers.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
• Set maximum time to retain the restarting peer’s stale paths.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
• Local router supports graceful restart as a receiver only.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [role receiver-only]
Enabling Neighbor Graceful Restart
BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled.
Graceful-restart applies to all neighbors with established adjacency.
With the graceful restart feature, the system enables the receiving/restarting mode by default. In
Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability
when they restart. This option provides support for remote peers for their graceful restart without
supporting the feature itself.
You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information,
refer to the Dell Networking OS Command Line Interface Reference Guide.
• Add graceful restart to a BGP neighbor or peer-group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart
• Set the maximum restart time for the neighbor or peer-group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
• Local router supports graceful restart for this neighbor or peer-group as a receiver only.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only]
• Set the maximum time to retain the restarting neighbor’s or peer-group’s stale paths.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
Filtering on an AS-Path Attribute
You can use the BGP attribute, AS_PATH, to manipulate routing policies.
The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route
traverses an AS, the ASN is prepended to the route. You can manipulate routes based on their AS_PATH
to affect interdomain routing. By identifying certain ASN in the AS_PATH, you can permit or deny routes
based on the number in its AS_PATH.
AS-PATH ACLs use regular expressions to search AS_PATH values. AS-PATH ACLs have an “implicit deny.”
This means that routes that do not meet any Match filter are dropped.
To configure an AS-PATH ACL to filter a specific AS_PATH value, use these commands in the following
sequence.
1. Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.
CONFIGURATION mode
ip as-path access-list as-path-name
2. Enter the parameter to match BGP AS-PATH for filtering.
CONFIG-AS-PATH mode
{deny | permit} filter parameter
This is the filter that is used to match the AS-path. The entries can be any format, letters, numbers, or
regular expressions.
You can enter this command multiple times if multiple filters are desired.
For accepted expressions, refer to Regular Expressions as Filters.
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes.
Example of the show ip bgp paths Command
To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC
Privilege mode.
Dell#show ip bgp paths
Total 30655 Paths
Address    Hash  Refcount  Metric  Path
0x4014154  0     3                 18508 701 3549 19421 i
0x4013914  0     3                 18508 701 7018 14990 i
0x5166d6c  0     3                 18508 209 4637 1221 9249 9249 i
0x5e62df4  0     2                 18508 701 17302 i
0x3a1814c  0     26                18508 209 22291 i
0x567ea9c  0     75                18508 209 3356 2529 i
0x6cc1294  0     2                 18508 209 1239 19265 i
0x6cc18d4  0     1                 18508 701 2914 4713 17935 i
0x5982e44  0     162               18508 209 i
0x67d4a14  0     2                 18508 701 19878 ?
0x559972c  0     31                18508 209 18756 i
0x59cd3b4  0     2                 18508 209 7018 15227 i
0x7128114  0     10                18508 209 3356 13845 i
0x536a914  0     3                 18508 209 701 6347 7781 i
0x2ffe884  0     1                 18508 701 3561 9116 21350 i
0x2ff7284  0     99                18508 701 1239 577 855 ?
0x2ff7ec4  0     4                 18508 209 3561 4755 17426 i
0x2ff8544  0     3                 18508 701 5743 2648 i
0x736c144  0     1                 18508 701 209 568 721 1494 i
0x3b8d224  0     10                18508 209 701 2019 i
0x5eb1e44  0     1                 18508 701 8584 16158 i
0x5cd891c  0     9                 18508 209 6453 4759 i
--More--
Regular Expressions as Filters
Regular expressions are used to filter AS paths or community lists. A regular expression is a special
character used to define a pattern that is then compared with an input string.
For an AS-path access list, as shown in the previous commands, if the AS path matches the regular
expression in the access list, the route matches the access list.
The following lists the regular expressions accepted in the Dell Networking OS.
Regular Expression  Definition
^ (caret)           Matches the beginning of the input string. Alternatively, when used as the first character within brackets [^ ], this matches any number except the ones specified within the brackets.
$ (dollar)          Matches the end of the input string.
. (period)          Matches any single character, including white space.
* (asterisk)        Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus)            Matches 1 or more sequences of the immediately previous character or pattern.
? (question)        Matches 0 or 1 sequence of the immediately previous character or pattern.
( ) (parenthesis)   Specifies patterns for multiple use when one of the multiplier metacharacters follows: asterisk *, plus sign +, or question mark ?
[ ] (brackets)      Matches any enclosed character and specifies a range of single characters.
- (hyphen)          Used within brackets to specify a range of AS or community numbers.
_ (underscore)      Matches a ^, a $, a comma, a space, or a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. You can precede or follow numerals enclosed by underscores by any of the characters listed.
| (pipe)            Matches characters on either side of the metacharacter; logical OR.
As seen in the following example, the expressions are displayed when using the show commands. To
view the AS-PATH ACL configuration, use the show config command in CONFIGURATION AS-PATH
ACL mode and the show ip as-path-access-list command in EXEC Privilege mode.
For more information about this command and route filtering, refer to Filtering BGP Routes.
The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2. Access list
Eagle uses a regular expression to deny routes originating in AS 32. The first lines shown in bold create
the access list and filter. The second lines shown in bold are the regular expression shown as part of the
access list filter.
Example of Using Regular Expression to Filter AS Paths
Dell(config)#router bgp 99
Dell(conf-router_bgp)#neigh AAA peer-group
Dell(conf-router_bgp)#neigh AAA no shut
Dell(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 shutdown
Dell(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
Dell(conf-router_bgp)#ex
Dell(conf)#ip as-path access-list Eagle
Dell(config-as-path)#deny 32$
Dell(config-as-path)#ex
Dell(conf)#router bgp 99
Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in
Dell(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA filter-list Eagle in
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 filter-list 1 in
neighbor 10.155.15.2 shutdown
Dell(conf-router_bgp)#ex
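The AS-PATH ACL semantics described above (first match wins, the implicit deny, the underscore boundary metacharacter) and the allowas-in loop check from Allowing an AS Number to Appear in its Own AS Path, modelled in Python as an added example; this is not Dell Networking OS code. The list EAGLE mirrors the page's access list Eagle, while EAGLE_WITH_PERMIT, EAGLE_ANCHORED and the sample AS paths are constructed here to show why a list consisting only of deny 32$ drops every route and why _32$ is the safer pattern.

```python
import re
from typing import List, Optional, Tuple

# In a Dell OS AS-PATH regular expression `_` stands for a boundary: the start or
# end of the string, a comma, a space, or a brace (see the table above).
_BOUNDARY = r"(?:^|$|[,\s{}])"


def to_python_regex(pattern: str) -> str:
    """Translate an AS-PATH ACL pattern into a Python regular expression."""
    return pattern.replace("_", _BOUNDARY)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True when the AS_PATH string (ASNs separated by spaces) matches the pattern."""
    return re.search(to_python_regex(pattern), as_path) is not None


# An AS-PATH ACL is an ordered list of (action, pattern) entries; first match wins.
AsPathAcl = List[Tuple[str, str]]


def as_path_acl_permits(acl: Optional[AsPathAcl], as_path: str) -> bool:
    """Return True if the route passes the filter-list.

    A non-existent or empty ACL allows all routes; otherwise the first entry whose
    pattern matches decides, and a route matching no entry hits the implicit deny.
    """
    if not acl:
        return True
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def as_path_loop_detected(as_path: str, local_as: int, allowas_in: int = 0) -> bool:
    """AS_PATH loop check: the local ASN may appear at most allowas_in times."""
    occurrences = sum(1 for asn in as_path.split() if asn == str(local_as))
    return occurrences > allowas_in


# The page's access list Eagle exactly as configured there: a single deny entry.
EAGLE = [("deny", "32$")]

# Constructed variant: the same deny followed by a permit-everything entry, so the
# implicit deny no longer drops every route that does not end in "32".
EAGLE_WITH_PERMIT = [("deny", "32$"), ("permit", ".*")]

# Constructed variant using the underscore so that "732" is not mistaken for "32".
EAGLE_ANCHORED = [("deny", "_32$"), ("permit", ".*")]

# Constructed sample AS paths, written the way show ip bgp paths prints them.
SAMPLE_PATHS = ["18508 701 32", "18508 701 3549 19421", "18508 732", "32 701"]


def filter_paths(acl: Optional[AsPathAcl], paths: List[str]) -> List[str]:
    """Apply an AS-PATH ACL inbound and return the paths that survive it."""
    return [p for p in paths if as_path_acl_permits(acl, p)]


if __name__ == "__main__":
    print("Eagle alone keeps:", filter_paths(EAGLE, SAMPLE_PATHS))
    print("Eagle + permit keeps:", filter_paths(EAGLE_WITH_PERMIT, SAMPLE_PATHS))
    print("Anchored list keeps:", filter_paths(EAGLE_ANCHORED, SAMPLE_PATHS))
    print("loop with allowas-in 0:", as_path_loop_detected("65192 65123 1", 65123))
```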
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP
process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected
routes in the BGP process.
To add routes from other routing instances or protocols, use any of the following commands in ROUTER
BGP mode.
• Include directly connected or user-configured (static) routes in BGP.
ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode
redistribute {connected | static} [route-map map-name]
Configure the map-name parameter to specify the name of a configured route map.
• Include specific ISIS routes in BGP.
ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode
redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]
Configure the following parameters:
– level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
– metric value: The value is from 0 to 16777215. The default is 0.
– map-name: name of a configured route map.
• Include specific OSPF routes in BGP.
ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode
redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
– process-id: the range is from 1 to 65535.
– match external: 1 or 2.
– match internal
– metric-type: external or internal.
– map-name: name of a configured route map.
Enabling Additional Paths
The add-path feature is disabled by default.
NOTE: In some cases, while receiving 1K of the same routes from more than 64 iBGP neighbors, BGP
sessions with a hold time of 10 seconds may flap. The BGP add-path does not update packets for
advertisement and cannot scale to higher numbers. Either reduce the number of routes added or
increase the holddown timer value.
To allow multiple paths sent to peers, use the following commands.
1. Allow the advertisement of multiple paths for the same address prefix without the new paths
replacing any previous ones.
CONFIG-ROUTER-BGP mode
bgp add-path [send | receive | both] count
The range is from 2 to 64.
2. Allow the specified neighbor/peer group to send/receive multiple path advertisements.
CONFIG-ROUTER-BGP mode
neighbor add-path
3. Configure the maximum number of parallel routes (multipath support) BGP supports.
CONFIG-ROUTER-BGP mode
max-path number
The range is from 2 to 64.
Configuring IP Community Lists
Within the Dell Networking OS, you have multiple methods of manipulating routing attributes.
One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that
is defined for a group of destinations. You can assign a COMMUNITY attribute to BGP routers by using an
IP community list. After you create an IP community list, you can apply routing decisions to all routers
meeting the criteria in the IP community list.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET,
NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET
community. In the RFC, the other communities are defined as follows:
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to
CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS.
• All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
• All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a
BGP boundary, but are sent to CONFED-EBGP and IBGP peers.
The Dell Networking OS also supports BGP Extended Communities as described in RFC 4360 — BGP
Extended Communities Attribute.
To configure an IP community list, use these commands.
1. Create a community list and enter COMMUNITY-LIST mode.
CONFIGURATION mode
ip community-list community-list-name
2. Configure a community list by denying or permitting specific community numbers or types of
community.
CONFIG-COMMUNITYLIST mode
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression}
• community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.
Example of the show ip community-lists Command
To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or
CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists |
extcommunity-list} command in EXEC Privilege mode.
Dell#show ip community-lists
ip community-list standard 1
deny 701:20
deny 702:20
deny 703:20
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
CONFIG-COMMUNITY-LIST mode
{permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE}
Filter routes based on the type of extended communities they carry using one of the following
keywords:
• rt: route target.
• soo: route origin or site-of-origin.
Matching extended communities against a regular expression is also supported. Match against a regular expression using the following keyword.
• regexp: regular expression.
Example of the show ip extcommunity-lists Command
To set or modify an extended community attribute, use the set extcommunity {rt | soo}
{ASN:NN | IPADDR:NN} command.
To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or
CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists |
extcommunity-list} command in EXEC Privilege mode.
Dell#show ip community-lists
ip community-list standard 1
deny 701:20
deny 702:20
deny 703:20
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match
community filter to a route map and then apply that route map to a BGP neighbor or peer group.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended
community list.
CONFIG-ROUTE-MAP mode
match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]}
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
To view which BGP routes meet an IP community or IP extended community list’s criteria, use the show
ip bgp {community-list | extcommunity-list} command in EXEC Privilege mode.
Manipulating the COMMUNITY Attribute
In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can
manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route
information.
By default, the system does not send the COMMUNITY attribute.
To send the COMMUNITY attribute to BGP neighbors, use the following command.
• Enable the software to send the router’s COMMUNITY attribute to the BGP neighbor or peer group
specified.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} send-community
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route
map with one or both of the following statements in the route map. Then apply that route map to a BGP
neighbor or peer group.
1. Enter ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Configure a set filter to delete all COMMUNITY numbers in the IP community list.
CONFIG-ROUTE-MAP mode
set comm-list community-list-name delete
OR
set community {community-number | local-as | no-advertise | no-export | none}
Configure a community list by denying or permitting specific community numbers or types of
community.
• community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED and are not sent to EBGP peers.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE and are not advertised.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• none: remove the COMMUNITY attribute.
• additive: add the communities to already existing communities.
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter the ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
Example of the show ip bgp community Command
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
To view BGP routes matching a certain community number or a pre-defined BGP community, use the
show ip bgp community command in EXEC Privilege mode.
Dell>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network          Next Hop       Metric  LocPrf  Weight  Path
* i 3.0.0.0/8        195.171.0.16           100     0       209 701 80 i
*>i 4.2.49.12/30     195.171.0.16           100     0       209 i
* i 4.21.132.0/23    195.171.0.16           100     0       209 6461 16422 i
*>i 4.24.118.16/30   195.171.0.16           100     0       209 i
*>i 4.24.145.0/30    195.171.0.16           100     0       209 i
*>i 4.24.187.12/30   195.171.0.16           100     0       209 i
*>i 4.24.202.0/30    195.171.0.16           100     0       209 i
*>i 4.25.88.0/30     195.171.0.16           100     0       209 3561 3908 i
*>i 6.1.0.0/16       195.171.0.16           100     0       209 7170 1455 i
*>i 6.2.0.0/22       195.171.0.16           100     0       209 7170 1455 i
*>i 6.3.0.0/18       195.171.0.16           100     0       209 7170 1455 i
--More--
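An added Python model (not Dell Networking OS code) of the COMMUNITY handling described in Configuring IP Community Lists and Manipulating the COMMUNITY Attribute: the RFC 1997 well-known values and their export rules, community-list matching with the implicit deny, set comm-list delete, set community with and without additive, and the default of not sending the attribute until send-community is configured. The subset-match rule for community-list entries is an assumption noted in the code, and every sample list and route here is constructed.

```python
from enum import Enum
from typing import Iterable, List, Optional, Set, Tuple

# Well-known community values from RFC 1997, as listed on the page.
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # the local-AS keyword in the CLI syntax

KEYWORDS = {"no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE,
            "local-AS": NO_EXPORT_SUBCONFED}


def parse_community(text: str) -> int:
    """Parse an AA:NN community (2-byte AS) or a well-known keyword into its 32-bit value."""
    if text in KEYWORDS:
        return KEYWORDS[text]
    aa, nn = text.split(":")
    aa_val, nn_val = int(aa), int(nn)
    if not (0 <= aa_val <= 0xFFFF and 0 <= nn_val <= 0xFFFF):
        raise ValueError("community out of range: " + text)
    return (aa_val << 16) | nn_val


def format_community(value: int) -> str:
    """Inverse of parse_community: keyword for well-known values, else AA:NN."""
    for name, well_known in KEYWORDS.items():
        if well_known == value:
            return name
    return "%d:%d" % (value >> 16, value & 0xFFFF)


class PeerType(Enum):
    IBGP = "ibgp"
    CONFED_EBGP = "confed-ebgp"
    EBGP = "ebgp"


def may_advertise(communities: Set[int], peer: PeerType) -> bool:
    """Apply the three well-known community rules quoted on the page."""
    if NO_ADVERTISE in communities:
        return False                       # never advertised to anyone
    if NO_EXPORT in communities and peer is PeerType.EBGP:
        return False                       # stays inside the BGP boundary
    if NO_EXPORT_SUBCONFED in communities and peer is not PeerType.IBGP:
        return False                       # only IBGP peers in the sub-AS
    return True


# A community list is an ordered list of (action, set of community values) entries.
CommunityList = List[Tuple[str, Set[int]]]


def build_community_list(lines: Iterable[str]) -> CommunityList:
    """Parse lines in the style of show ip community-lists output, e.g. 'deny 701:20'."""
    entries = []
    for line in lines:
        action, *comms = line.split()
        entries.append((action, {parse_community(c) for c in comms}))
    return entries


def match_community(clist: CommunityList, route: Set[int], exact: bool = False) -> bool:
    """match community <list> [exact]: first matching entry decides, implicit deny.

    Assumption made in this example: an entry matches when all of its communities
    are present on the route (with exact, when the two sets are identical).
    """
    for action, wanted in clist:
        if (route == wanted) if exact else wanted <= route:
            return action == "permit"
    return False


def set_comm_list_delete(clist: CommunityList, route: Set[int]) -> Set[int]:
    """set comm-list <list> delete: strip every community named by a permit entry."""
    doomed: Set[int] = set()
    for action, wanted in clist:
        if action == "permit":
            doomed |= wanted
    return route - doomed


def set_community(route: Set[int], new: Optional[Set[int]], additive: bool = False) -> Set[int]:
    """set community {...} [additive] replaces or extends the attribute; none clears it."""
    if new is None:
        return set()
    return route | new if additive else set(new)


def outbound_update(route: Set[int], peer: PeerType, send_community: bool) -> Optional[Set[int]]:
    """What the peer receives: None when the route is withheld, else the attribute sent.

    The COMMUNITY attribute only leaves the router when neighbor ... send-community is set.
    """
    if not may_advertise(route, peer):
        return None
    return set(route) if send_community else set()


if __name__ == "__main__":
    # Constructed list mirroring the style of the show ip community-lists output above.
    clist = build_community_list(["deny 701:20", "deny 702:20", "permit 14551:20"])
    route = {parse_community("701:20"), parse_community("14551:20")}
    print("matches:", match_community(clist, route))
    print("after comm-list delete:", sorted(map(format_community, set_comm_list_delete(clist, route))))
    print("to EBGP with no-export:", outbound_update(route | {NO_EXPORT}, PeerType.EBGP, True))
```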
Changing MED Attributes
By default, the system uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from
the same AS.
To change how the MED attribute is used, enter any or all of the following commands.
• Enable MED comparison in the paths from neighbors with different ASs.
CONFIG-ROUTER-BGP mode
bgp always-compare-med
By default, this comparison is not performed.
• Change the bestpath MED selection.
CONFIG-ROUTER-BGP mode
bgp bestpath med {confed | missing-as-best}
– confed: Chooses the bestpath MED comparison of paths learned from BGP confederations.
– missing-as-best: Treat a path missing an MED as the most preferred one.
To view the nondefault values, use the show config command in CONFIGURATION ROUTER BGP
mode.
Changing the LOCAL_PREFERENCE Attribute
In the Dell Networking OS, you can change the value of the LOCAL_PREFERENCE attribute.
To change the default values of this attribute for all routes received by the router, use the following
command.
• Change the LOCAL_PREF value.
CONFIG-ROUTER-BGP mode
bgp default local-preference value
– value: the range is from 0 to 4294967295. The default is 100.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode or the show running-config bgp command in EXEC Privilege mode.
A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Change the LOCAL_PREF value for routes meeting the criteria of this route map.
CONFIG-ROUTE-MAP mode
set local-preference value
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Changing the NEXT_HOP Attribute
You can change how the NEXT_HOP attribute is used.
To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP
configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show
running-config bgp command in EXEC Privilege mode.
You can also use route maps to change this and other BGP attributes. For example, you can include the
second command in a route map to specify the next hop address.
• Disable next hop processing and configure the router as the next hop for a BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} next-hop-self
• Set the next hop address.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
Changing the WEIGHT Attribute
To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to set the weight of a route.
• Assign a weight to the neighbor connection.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} weight weight
– weight: the range is from 0 to 65535. The default is 0.
• Set the weight for the route.
CONFIG-ROUTE-MAP mode
set weight weight
– weight: the range is from 0 to 65535.
To view BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode
or the show running-config bgp command in EXEC Privilege mode.
Enabling Multipath
By default, the software allows one path to a destination. You can enable multipath to allow up to 16
parallel paths to a destination.
To allow more than one path, use the following command.
• Enable multiple parallel paths.
CONFIG-ROUTER-BGP mode
maximum-paths {ebgp | ibgp} number
The show ip bgp network command includes multipath information for that network.
Filtering BGP Routes
Filtering routes allows you to implement BGP policies.
You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to
control which routes the BGP neighbor or peer group accepts and advertises. Prefix lists filter routes
based on route and prefix length, while AS-Path ACLs filter routes based on the ASN. Route maps can
filter and set conditions, change attributes, and assign update policies.
NOTE: The Dell Networking OS supports up to 255 characters in a set community statement inside
a route map.
NOTE: With the Dell Networking OS, you can create inbound and outbound policies. Each of the
commands used for filtering has in and out parameters that you must apply. In the system, the
order of preference varies depending on whether the attributes are applied for inbound updates or
outbound updates.
For inbound and outbound updates the order of preference is:
• prefix lists (using the neighbor distribute-list command)
• AS-PATH ACLs (using the neighbor filter-list command)
• route maps (using the neighbor route-map command)
Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map.
For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control
Lists (ACLs).
NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always
reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode.
To filter routes using prefix lists, use the following commands.
1. Create a prefix list and assign it a name.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
• ge: minimum prefix length to be matched.
• le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured prefix list.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out}
Configure the following parameters:
• ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
• prefix-list-name: enter the name of a configured prefix list.
• in: apply the prefix list to inbound routes.
• out: apply the prefix list to outbound routes.
As a reminder, the following are rules concerning prefix lists:
• If the prefix list contains no filters, all routes are permitted.
• If a route matches none of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list: permit 0.0.0.0/0 le 32.)
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix
list configuration, use the show ip prefix-list detail or show ip prefix-list summary
commands in EXEC Privilege mode.
Filtering BGP Routes Using Route Maps
To filter routes using a route map, use these commands.
1. Create a route map and assign it a name.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Create multiple route map filters with a match or set action.
CONFIG-ROUTE-MAP mode
{match | set}
For information about configuring route maps, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
Configure the following parameters:
• ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
• map-name: enter the name of a configured route map.
• in: apply the route map to inbound routes.
• out: apply the route map to outbound routes.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Filtering BGP Routes Using AS-PATH Information
To filter routes based on AS-PATH information, use these commands.
1. Create an AS-PATH ACL and assign it a name.
CONFIGURATION mode
ip as-path access-list as-path-name
2. Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured AS-PATH ACL.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
Configure the following parameters:
• ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
• as-path-name: enter the name of a configured AS-PATH ACL.
• in: apply the AS-PATH ACL to inbound routes.
• out: apply the AS-PATH ACL to outbound routes.
To view which commands are configured, use the show config command in CONFIGURATION
ROUTER BGP mode and the show ip as-path-access-list command in EXEC Privilege mode.
To forward all routes not meeting the AS-PATH ACL criteria, include the permit .* filter in your AS-PATH
ACL.
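The following Python model is an added example and not Dell Networking OS code. It reproduces the decision rules given above for prefix lists (a list with no filters permits everything, the first matching filter wins, a route matching no filter is implicitly denied, ge and le bound the prefix length) and for AS-PATH ACLs (entries evaluated in order, implicit deny, a final permit .* to forward everything else), and applies them in the inbound order this chapter gives: the distribute-list before the filter-list. The list contents, prefixes and AS numbers are constructed for the demonstration, and the AS-PATH patterns are plain Python regular expressions rather than the CLI regex dialect.

```python
"""Added example, not Dell Networking OS code: a model of the inbound route
filters described in this chapter. All list contents, prefixes and AS numbers
are constructed; AS-PATH patterns are Python regular expressions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixFilter:
    """One 'seq N {deny | permit} {any | ip-prefix [ge n] [le m]}' entry."""
    seq: int
    action: str                   # "permit" or "deny"
    prefix: Optional[str] = None  # None models the 'any' keyword
    ge: Optional[int] = None      # minimum prefix length to match
    le: Optional[int] = None      # maximum prefix length to match

    def matches(self, route: str) -> bool:
        if self.prefix is None:
            return True
        net = ipaddress.ip_network(route, strict=False)
        base = ipaddress.ip_network(self.prefix, strict=False)
        if net.version != base.version or net.network_address not in base:
            return False  # the route does not fall inside the filter prefix
        # Without ge/le the length must match exactly; ge alone opens the upper
        # bound up to a host route; le alone keeps the filter length as the lower bound.
        low = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = net.max_prefixlen
        else:
            high = base.prefixlen
        return low <= net.prefixlen <= high


def prefix_list_permits(filters: List[PrefixFilter], route: str) -> bool:
    """Apply the chapter's prefix-list rules to one route."""
    if not filters:
        return True  # a prefix list with no filters permits all routes
    for f in sorted(filters, key=lambda f: f.seq):
        if f.matches(route):
            return f.action == "permit"  # first match wins; no further filters apply
    return False  # implicit deny


def as_path_acl_permits(entries: List[Tuple[str, str]], as_path: str) -> bool:
    """Evaluate '{deny | permit} as-regular-expression' entries in order. A path
    matching no entry is denied, which is why a final 'permit .*' is needed to
    forward everything the earlier entries did not catch."""
    for action, pattern in entries:
        if re.search(pattern, as_path):
            return action == "permit"
    return False


def inbound_accepts(route: str, as_path: str,
                    filters: List[PrefixFilter], acl: List[Tuple[str, str]]) -> str:
    """Apply the filters in the order the chapter gives for inbound updates:
    prefix list (neighbor distribute-list) before AS-PATH ACL (neighbor filter-list)."""
    if not prefix_list_permits(filters, route):
        return "denied by distribute-list"
    if not as_path_acl_permits(acl, as_path):
        return "denied by filter-list"
    return "permitted"


# Constructed prefix list for a customer session: accept the customer's
# documentation-range blocks, refuse more-specifics longer than /24 from the
# first block, allow /24 to /26 from the second, and implicitly deny the rest.
CUSTOMER_IN = [
    PrefixFilter(5, "deny", "192.0.2.0/24", ge=25),
    PrefixFilter(10, "permit", "192.0.2.0/24"),
    PrefixFilter(15, "permit", "198.51.100.0/24", ge=24, le=26),
]

# Constructed AS-PATH ACL: refuse any path that carries AS 64500 anywhere,
# then 'permit .*' so every other path is forwarded.
CUSTOMER_ASPATH = [
    ("deny", r"(^| )64500( |$)"),
    ("permit", r".*"),
]

if __name__ == "__main__":
    for route, path in [("192.0.2.0/24", "64496"),
                        ("192.0.2.128/25", "64496"),
                        ("198.51.100.64/26", "64500 64496"),
                        ("203.0.113.0/24", "64496")]:
        print(f"{route:18} {path:14} {inbound_accepts(route, path, CUSTOMER_IN, CUSTOMER_ASPATH)}")
```

The same model makes the implicit deny visible: the last route above matches no prefix filter and is dropped by the distribute-list before the AS-PATH ACL is even consulted, exactly the case the permit 0.0.0.0/0 le 32 reminder is about.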
Configuring BGP Route Reflectors
BGP route reflectors are intended for ASs with a large mesh; they reduce the amount of BGP control
traffic.
With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all
receive routing information.
Configure clusters of routers where one router is a concentration router and the others are clients who
receive their updates from the concentration router.
To configure a route reflector, use the following commands.
• Assign an ID to a route reflector cluster.
CONFIG-ROUTER-BGP mode
bgp cluster-id cluster-id
You can have multiple clusters in an AS.
• Configure the local router as a route reflector; the neighbor or peer group identified is the route reflector client.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-reflector-client
When you enable a route reflector, the system automatically enables route reflection to all clients. To
disable route reflection between all clients in this reflector, use the no bgp client-to-client
reflection command in CONFIGURATION ROUTER BGP mode. All clients must be fully meshed
before you disable route reflection.
To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER
BGP mode or the show running-config bgp in EXEC Privilege mode.
Aggregating Routes
The Dell Networking OS provides multiple ways to aggregate routes in the BGP routing table. At least one
specific route of the aggregate must be in the routing table for the configured aggregate to become
active.
To aggregate routes, use the following command.
• Assign the IP address and mask of the prefix to be aggregated.
CONFIG-ROUTER-BGP mode
aggregate-address ip-address mask [advertise-map map-name] [as-set] [attribute-map map-name] [summary-only] [suppress-map map-name]
AS_SET includes AS_PATH and community information from the routes included in the aggregated route.
Example of Viewing Aggregated Routes
In the show ip bgp command, aggregates contain an ‘a’ in the first column and routes suppressed by the aggregate contain an ‘s’ in the first column.
Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network        Next Hop      Metric LocPrf Weight Path
*>  7.0.0.0/29     10.114.8.33   0             0      18508 ?
*>  7.0.0.0/30     10.114.8.33   0             0      18508 ?
*>a 9.0.0.0/8      192.0.0.0                   32768  18508 701 {7018 2686 3786} ?
Configuring BGP Confederations
Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP
confederations.
As with route reflectors, BGP confederations are recommended only for IBGP peering involving many
IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS
into smaller sub-AS, and to those outside your network, the confederations appear as one AS. Within the
confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF
attributes are maintained between confederations.
To configure BGP confederations, use the following commands.
• Specify the confederation ID.
CONFIG-ROUTER-BGP mode
bgp confederation identifier as-number
– as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specify which confederation sub-AS are peers.
CONFIG-ROUTER-BGP mode
bgp confederation peers as-number [... as-number]
– as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
All confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Enabling Route Flap Dampening
When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE
notices.
A flap is when a route:
• is withdrawn
• is readvertised after being withdrawn
• has an attribute change
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap. When that penalty value reaches a configured limit, the route is not advertised, even if the route is up. In Dell, that penalty value is 1024. As time passes and the route does not flap, the penalty value decrements or is decayed. However, if the route flaps again, it is assigned another penalty.
The penalty value is cumulative, and a penalty is added in the following cases:
• Withdraw
• Readvertise
• Attribute change
When dampening is applied to a route, its path is described by one of the following terms:
• history entry — an entry that stores information on a downed route
• dampened path — a path that is no longer advertised
• penalized path — a path that is assigned a penalty
To configure route flap dampening parameters, set dampening parameters using a route map, clear
information on route dampening and return suppressed routes to active state, view statistics on route
flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use
the following commands.
• Enable route dampening.
CONFIG-ROUTER-BGP mode
bgp dampening [half-life | reuse | suppress max-suppress-time] [route-map map-name]
Enter the following optional parameters to configure route dampening:
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes.
– reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). Withdrawn routes are removed from history state. The default is 750.
– suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
– max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes.
– route-map map-name: name of a configured route map. Only match commands in the configured route map are supported. Use this parameter to apply route dampening to selective routes.
• Set the route dampening parameters in a route map (optional).
CONFIG-ROUTE-MAP mode
set dampening half-life reuse suppress max-suppress-time
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes.
– reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750.
– suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
– max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes.
• Clear all information or only information on a specific route.
EXEC Privilege mode
clear ip bgp dampening [ip-address mask]
• View all flap statistics or statistics for specific routes meeting the following criteria.
EXEC or EXEC Privilege mode
show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]
– ip-address [mask]: enter the IP address and mask.
– filter-list as-path-name: enter the name of an AS-PATH ACL.
– regexp regular-expression: enter a regular expression to match on.
• Change the best path selection method to non-deterministic.
CONFIG-ROUTER-BGP mode
bgp non-deterministic-med
By default, the path selection in Dell is deterministic, that is, paths are compared irrespective of the order of their arrival. You can change the path selection method to non-deterministic, that is, paths are compared in the order in which they arrived (starting with the most recent). Furthermore, in non-deterministic mode, the software may not compare MED attributes though the paths are from the same AS.
NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Example of Configuring a Route for Reuse or Restart
The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
Dell(conf-router_bgp)#bgp dampening ?
<1-45>       Half-life time for the penalty (default = 15)
route-map    Route-map to specify criteria for dampening
<cr>
Dell(conf-router_bgp)#bgp dampening 2 ?
<1-20000>    Value to start reusing a route (default = 750)
Dell(conf-router_bgp)#bgp dampening 2 2000 ?
<1-20000>    Value to start suppressing a route (default = 2000)
Dell(conf-router_bgp)#bgp dampening 2 2000 3000 ?
<1-255>      Maximum duration to suppress a stable route (default = 60)
Dell(conf-router_bgp)#bgp dampening 2 2000 3000 10 ?
route-map    Route-map to specify criteria for dampening
<cr>
Example of Viewing the Number of Dampened Routes
To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command output (the line beginning Dampening enabled), as shown in the following example.
Dell>show ip bgp summary
BGP router identifier 10.114.8.131, local AS number 65515
BGP table version is 855562, main routing table version 780266
122836 network entrie(s) and 221664 paths using 29697640 bytes of memory
34298 BGP path attribute entrie(s) using 1920688 bytes of memory
29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory
184 BGP community entrie(s) using 7616 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths
Neighbor      AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.114.8.34   18508  82883    79977    780266  0    2     00:38:51  118904
10.114.8.33   18508  117265   25069    780266  0    20    00:38:50  102759
Dell>
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command
in EXEC Privilege mode.
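The following Python model is an added example and not Dell Networking OS code. It works through the penalty arithmetic described in this section: each flap adds the 1024 penalty the text gives, the penalty halves every half-life minutes, a route is suppressed once its penalty exceeds the suppress threshold and advertised again once it decays below the reuse threshold, and max-suppress-time caps the penalty so that no route stays suppressed longer than that limit. The parameter defaults are the ones listed above (15, 750, 2000, 60); the flap timeline is constructed.

```python
"""Added example, not Dell Networking OS code: a model of BGP route flap
dampening arithmetic with the defaults given in the text. The flap
timeline in simulate_default_scenario() is constructed."""
import math
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1024  # penalty assigned per withdraw, readvertise or attribute change


@dataclass
class DampeningParams:
    half_life: float = 15.0          # minutes until the penalty halves
    reuse: float = 750.0             # advertise again below this penalty
    suppress: float = 2000.0         # stop advertising above this penalty
    max_suppress_time: float = 60.0  # minutes; default is four half-lives

    def penalty_ceiling(self) -> float:
        """Largest penalty a route can accumulate. A penalty this high decays to
        exactly `reuse` after max_suppress_time, which is how the cap on
        suppression time is enforced: reuse * 2^(max_suppress_time / half_life)."""
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)

    def decay(self, penalty: float, minutes: float) -> float:
        """Exponential decay: half the penalty is left after each half-life."""
        return penalty * 0.5 ** (minutes / self.half_life)


class DampenedRoute:
    """Tracks one prefix's penalty and whether it is currently dampened."""

    def __init__(self, params: DampeningParams):
        self.p = params
        self.penalty = 0.0
        self.suppressed = False
        self.last_update = 0.0  # minutes

    def _advance(self, now: float) -> None:
        if now < self.last_update:
            raise ValueError("time must not go backwards")
        self.penalty = self.p.decay(self.penalty, now - self.last_update)
        self.last_update = now
        if self.suppressed and self.penalty < self.p.reuse:
            self.suppressed = False  # decayed below reuse: advertised again

    def flap(self, now: float) -> float:
        """Record a flap at time `now` (minutes) and return the new penalty."""
        self._advance(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.p.penalty_ceiling())
        if self.penalty > self.p.suppress:
            self.suppressed = True
        return self.penalty

    def state_at(self, now: float) -> str:
        self._advance(now)
        return "dampened" if self.suppressed else "advertised"

    def minutes_until_reuse(self, now: float) -> float:
        """How long a dampened route stays suppressed from `now`: solve
        penalty * 0.5^(t / half_life) = reuse for t."""
        self._advance(now)
        if not self.suppressed:
            return 0.0
        return self.p.half_life * math.log2(self.penalty / self.p.reuse)


def simulate_default_scenario() -> Tuple[List[float], float]:
    """Three flaps two minutes apart with default parameters: the first two
    leave the route penalized but still advertised, the third pushes the
    penalty over 2000 and the route is dampened."""
    route = DampenedRoute(DampeningParams())
    penalties = [route.flap(t) for t in (0, 2, 4)]
    return penalties, route.minutes_until_reuse(4)


if __name__ == "__main__":
    penalties, wait = simulate_default_scenario()
    print("penalty after each flap:", [round(p, 1) for p in penalties])
    print(f"suppressed for about {wait:.1f} more minutes")
    print("penalty ceiling with defaults:", DampeningParams().penalty_ceiling())
```

With the defaults, the ceiling works out to 750 * 2^(60/15) = 12000, so even a route that flaps continuously is readvertised about 60 minutes after its last flap, which is the max-suppress-time guarantee described above.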
Changing BGP Timers
To configure BGP timers, use either or both of the following commands.
Timer values configured with the neighbor timers command override the timer values configured
with the timers bgp command.
When two neighbors, configured with different keepalive and holdtime values, negotiate for new
values, the resulting values are as follows:
• the lower of the two holdtime values is the new holdtime value, and
• the lower of one-third of the new holdtime value and the configured keepalive value is the new keepalive value.
• Configure timer values for a BGP neighbor or peer group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} timers keepalive holdtime
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
– holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
• Configure timer values for all neighbors.
CONFIG-ROUTER-BGP mode
timers bgp keepalive holdtime
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
– holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode
or the show running-config bgp command in EXEC Privilege mode.
Enabling BGP Neighbor Soft-Reconfiguration
BGP soft-reconfiguration allows for faster and easier route changing.
Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies
to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the
time it takes to re-establish the session. BGP soft reconfig allows for policies to be applied to a session
without clearing the BGP Session. Soft-reconfig can be done on a per-neighbor basis and can either be
inbound or outbound.
BGP soft-reconfiguration clears the policies without resetting the TCP connection.
To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC
Privilege mode at the system prompt.
When you enable soft-reconfiguration for a neighbor and you execute the clear ip bgp soft in
command, the update database stored in the router is replayed and updates are reevaluated. With this
command, the replay and update process is triggered only if a route-refresh request is not negotiated
with the peer. If the request is indeed negotiated (after execution of clear ip bgp soft in), BGP
sends a route-refresh request to the neighbor and receives all of the peer’s updates.
To use soft reconfiguration (or soft reset) without preconfiguration, both BGP peers must support the soft
route refresh capability, which is advertised in the open message sent when the peers establish a TCP
session.
To determine whether a BGP router supports this capability, use the show ip bgp neighbors
command. If a router supports the route refresh capability, the following message displays: Received
route refresh capability from peer.
If you specify a BGP peer group by using the peer-group-name argument, all members of the peer
group inherit the characteristic configured with this command.
• Clear all information or only specific details.
EXEC Privilege mode
clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
– *: Clears all peers.
– neighbor-address: Clears the neighbor with this IP address.
– AS Numbers: Peers’ AS numbers to be cleared.
– ipv4: Clears information for the IPv4 address family.
– peer-group-name: Clears all members of the specified peer group.
• Enable soft-reconfiguration for the BGP neighbor specified.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
BGP stores all the updates received from the neighbor but does not reset the peer session. Entering this command starts the storage of updates, which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require inbound soft reconfiguration to be enabled.
Example of Soft-Reconfiguration of a BGP Neighbor
The example enables inbound soft reconfiguration for the neighbor 10.108.1.1. All updates received from
this neighbor are stored unmodified, regardless of the inbound policy. When inbound soft reconfiguration
is done later, the stored information is used to generate a new set of inbound updates.
Dell>router bgp 100
neighbor 10.108.1.1 remote-as 200
neighbor 10.108.1.1 soft-reconfiguration inbound
Route Map Continue
The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows
movement from one route-map entry to a specific route-map entry (the sequence number).
If you do not specify a sequence number, the continue feature moves to the next sequence number (also
known as an “implied continue”). If a match clause exists, the continue feature executes only after a
successful match occurs. If there are no successful matches, continue is ignored.
Match a Clause with a Continue Clause
The continue feature can exist without a match clause.
Without a match clause, the continue clause executes and jumps to the specified route-map entry. With
a match clause and a continue clause, the match clause executes first and the continue clause next in a
specified route map entry. The continue clause launches only after a successful match. The behavior is:
• A successful match with a continue clause—the route map executes the set clauses and then goes to the specified route map entry after execution of the continue clause.
• If the next route map entry contains a continue clause, the route map executes the continue clause if a successful match occurs.
• If the next route map entry does not contain a continue clause, the route map evaluates normally. If a match does not occur, the route map does not continue and falls through to the next sequence number, if one exists.
Set a Clause with a Continue Clause
If the route-map entry contains sets with the continue clause, the set actions operation is performed first
followed by the continue clause jump to the specified route map entry.
• If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry, the last set of actions overrides the previous set of actions with the same set command.
• If the set community additive and set as-path prepend commands are configured, the communities and AS numbers are prepended.
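The following Python interpreter is an added example and not Dell Networking OS code. It implements the continue behaviour described in the two preceding subsections: an entry whose match clause fails is skipped and evaluation falls through to the next sequence number; an entry that matches runs its set clauses and then jumps where its continue clause points (the next entry when no sequence number is given); a later plain set overrides an earlier one for the same attribute; set community additive and set as-path prepend accumulate instead of overriding. Two points the text does not cover are assumptions made here: a matching deny entry ends evaluation with a deny, and a continue that names a sequence number not present in the route map ends the route map. The route map, its entry names and the routes are constructed.

```python
"""Added example, not Dell Networking OS code: an interpreter for route-map
continue semantics. Route map contents and routes are constructed; the deny
and missing-target behaviours are assumptions noted in the text."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

IMPLIED = "implied"  # 'continue' given without a sequence number


@dataclass
class Entry:
    seq: int
    action: str = "permit"
    match: Optional[Callable[[Dict], bool]] = None  # None: the entry has no match clause
    sets: Dict[str, object] = field(default_factory=dict)  # plain 'set attr value' clauses
    community_additive: List[str] = field(default_factory=list)  # 'set community ... additive'
    as_path_prepend: List[int] = field(default_factory=list)     # 'set as-path prepend ...'
    cont: Optional[Union[int, str]] = None  # None, IMPLIED, or a target sequence number


def apply_route_map(entries: List[Entry], route: Dict) -> Tuple[str, Dict]:
    """Return ("permit" | "deny", modified copy of route)."""
    order = sorted(entries, key=lambda e: e.seq)
    route = dict(route)
    route["community"] = list(route.get("community", []))
    route["as_path"] = list(route.get("as_path", []))
    idx, permitted = 0, False
    while idx < len(order):
        e = order[idx]
        if e.match is not None and not e.match(route):
            idx += 1          # match failed: continue is ignored, fall through
            continue
        if e.action == "deny":
            return "deny", route  # assumption: a matching deny ends evaluation
        permitted = True
        route.update(e.sets)  # set clauses run first; last writer wins per attribute
        route["community"] += e.community_additive            # additive: accumulate
        route["as_path"] = e.as_path_prepend + route["as_path"]  # prepend: accumulate
        if e.cont is None:
            break             # no continue clause: evaluation ends at this entry
        if e.cont == IMPLIED:
            idx += 1          # implied continue: next sequence number
            continue
        if e.cont <= e.seq:
            raise ValueError(f"seq {e.seq}: continue must point to a later entry")
        targets = [i for i, x in enumerate(order) if x.seq == e.cont]
        if not targets:
            break             # assumption: a missing target ends the route map
        idx = targets[0]
    return ("permit" if permitted else "deny"), route


# Constructed route map (a customer inbound policy); names are illustrative.
CUSTOMER_IN = [
    Entry(10, match=lambda r: r.get("origin") == "customer",
          sets={"local_pref": 200}, community_additive=["64496:100"], cont=IMPLIED),
    Entry(20, match=lambda r: (r.get("as_path") or [None])[0] == 64500,
          sets={"local_pref": 300}, as_path_prepend=[64496], cont=40),
    Entry(30, sets={"med": 50}),  # no match clause: runs for anything that reaches it
    Entry(40, match=lambda r: r.get("prefixlen", 0) > 24,
          sets={"local_pref": 100}),
]

# Constructed routes used to exercise the map.
ROUTES = {
    "A": {"prefix": "192.0.2.0/24", "prefixlen": 24, "origin": "customer", "as_path": [64500]},
    "B": {"prefix": "198.51.100.0/24", "prefixlen": 24, "origin": "customer", "as_path": [64501]},
    "C": {"prefix": "203.0.113.0/28", "prefixlen": 28, "origin": "peer", "as_path": [64502]},
    "D": {"prefix": "192.0.2.0/28", "prefixlen": 28, "origin": "customer", "as_path": [64500]},
}

if __name__ == "__main__":
    for name, route in ROUTES.items():
        result, out = apply_route_map(CUSTOMER_IN, route)
        print(name, result, {k: out[k] for k in ("local_pref", "med", "as_path", "community") if k in out})
```

Route A shows the jump: seq 10 matches and continues, seq 20 matches, overrides the local preference and prepends, and its continue 40 skips seq 30 entirely. Route D goes the same way but also matches seq 40, so the last set local-preference wins. Route C matches neither 10 nor 20 and reaches seq 30, which has no match clause and therefore always applies.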
Enabling MBGP Configurations
Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of
routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast
routing are used by the protocol independent multicast (PIM) to build data distribution trees.
The Dell Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per
router and/or per peer/peer-group.
The default is IPv4 Unicast routes.
When you configure a peer to support IPv4 multicast, the system takes the following actions:
• Send a capability advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier).
• If the corresponding capability is received in the peer’s Open message, BGP marks the peer as supporting the AFI/SAFI.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI.
• Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
• If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
Most Dell Networking OS BGP IPv4 unicast commands are extended to support the IPv4 multicast RIB
using extra options to the command. For a detailed description of the MBGP commands, refer to the Dell
Networking OS Command Line Interface Reference Guide.
• Enable support for the IPv4 multicast family on the BGP node.
CONFIG-ROUTER-BGP mode
address family ipv4 multicast
• Enable IPv4 multicast support on a BGP neighbor/peer group.
CONFIG-ROUTER-BGP-AF (Address Family) mode
neighbor [ip-address | peer-group-name] activate
BGP Regular Expression Optimization
The Dell Networking OS optimizes processing time when using regular expressions by caching and reusing evaluated regular expression results, at the expense of some memory in the RP1 processor.
BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can take a lot of CPU cycles, especially when the database is large.
This feature is turned on by default. If necessary, use the bgp regex-eval-optz-disable command in
CONFIGURATION ROUTER BGP mode to disable it.
Debugging BGP
To enable BGP debugging, use any of the following commands.
• View all information about BGP, including BGP events, keepalives, notifications, and updates.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
• View information about BGP routes being dampened.
EXEC Privilege mode
debug ip bgp dampening [in | out]
• View information about local BGP state changes and other BGP events.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
• View information about BGP KEEPALIVE messages.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
• View information about BGP notifications received from or sent to neighbors.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out]
• View information about BGP updates and filter by prefix name.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name]
• Enable soft-reconfiguration debug.
EXEC Privilege mode
debug ip bgp {ip-address | peer-group-name} soft-reconfiguration
In-BGP is shown using the show ip protocols command.
The system displays debug messages on the console. To view which debugging commands are enabled,
use the show debugging command in EXEC Privilege mode.
To disable a specific debug command, use the keyword no followed by the debug command. For example, to disable debugging of BGP updates, use the no debug ip bgp updates command.
To disable all BGP debugging, use the no debug ip bgp command.
To disable all debugging, use the undebug all command.
Storing Last and Bad PDUs
The system stores the last notification sent/received and the last bad protocol data unit (PDU) received
on a per peer basis. The last bad PDU is the one that causes a notification to be issued.
In the following example, the last seven lines of the output are the last PDUs.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
BGP version 4, remote router ID 2.4.0.1
BGP state ESTABLISHED, in this state for 00:00:01
Last read 00:00:00, last write 00:00:01
Hold time is 90, keepalive interval is 30 seconds
Received 1404 messages, 0 in queue
3 opens, 1 notifications, 1394 updates
6 keepalives, 0 route refresh requests
Sent 48 messages, 0 in queue
3 opens, 2 notifications, 0 updates
43 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0
'Connection Reset' Sent : 1 Recv: 0
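The stored notification is also printed as raw bytes: the show ip bgp neighbors output in the sample configurations later in this chapter shows "Last notification (len 21)" followed by the hex dump ffffffff ffffffff ffffffff ffffffff 00150306 00000000. The decoder below is an added example, not Dell Networking OS code; it splits such a dump into the RFC 4271 message fields (16-byte marker, length, type, error code, subcode, data) and names the error, so a stored notification can be read without consulting the RFC tables by hand. The error-code names are those from RFC 4271 and RFC 4486; the hex string is the one printed on this page.

```python
"""Decode the 'Last notification' hex dump printed by show ip bgp neighbors.

Added example, not Dell Networking OS code. Message layout per RFC 4271:
16-byte all-ones marker, 2-byte length, 1-byte type (3 = NOTIFICATION),
then 1-byte error code, 1-byte error subcode and optional data.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19          # marker + length + type
NOTIFICATION_MIN_LEN = 21    # header + error code + error subcode
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}

# RFC 4271 section 4.5 error codes/subcodes; Cease subcodes from RFC 4486.
ERROR_CODES: Dict[int, Tuple[str, Dict[int, str]]] = {
    1: ("Message Header Error", {1: "Connection Not Synchronized",
                                 2: "Bad Message Length", 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {1: "Unsupported Version Number", 2: "Bad Peer AS",
                               3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                               6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {1: "Malformed Attribute List",
                                 2: "Unrecognized Well-known Attribute",
                                 3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
                                 5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
                                 8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
                                 10: "Invalid Network Field", 11: "Malformed AS_PATH"}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}),
}


@dataclass
class Notification:
    length: int
    error_code: int
    error_subcode: int
    data: bytes

    def describe(self) -> str:
        name, subcodes = ERROR_CODES.get(self.error_code, ("Unknown error code", {}))
        default = "unspecified" if self.error_subcode == 0 else "unknown subcode"
        return f"{name} / {subcodes.get(self.error_subcode, default)}"


def parse_hex_dump(dump: str) -> bytes:
    """Turn the space-separated hex words of the CLI dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_notification(raw: bytes) -> Notification:
    """Validate the header and extract the NOTIFICATION fields.

    The CLI dump is padded to whole 32-bit words, so only the first
    `length` bytes belong to the message.
    """
    if len(raw) < BGP_HEADER_LEN:
        raise ValueError("shorter than a BGP message header")
    if raw[:16] != BGP_MARKER:
        raise ValueError("bad marker: connection not synchronized")
    length = int.from_bytes(raw[16:18], "big")
    msg_type = raw[18]
    if msg_type != 3:
        raise ValueError(f"not a NOTIFICATION (type {msg_type} = {MSG_TYPES.get(msg_type, '?')})")
    if length < NOTIFICATION_MIN_LEN or length > len(raw):
        raise ValueError(f"bad NOTIFICATION length {length}")
    return Notification(length, raw[19], raw[20], raw[21:length])


if __name__ == "__main__":
    # Hex dump as printed on this page for a 'Connection Reset' notification.
    n = decode_notification(parse_hex_dump(
        "ffffffff ffffffff ffffffff ffffffff 00150306 00000000"))
    print(f"len {n.length}, code {n.error_code}, subcode {n.error_subcode}: {n.describe()}")
```

Running it on the page's dump gives length 21, error code 6 (Cease) with subcode 0, which is how the CLI's 'Connection Reset' entry is carried on the wire; the trailing 00 00 00 are dump padding, not message data.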
PDU Counters
The Dell Networking OS version 7.5.1.0 introduces additional counters for various types of PDUs sent and
received from neighbors.
These are seen in the output of the show ip bgp neighbor command.
Sample Configurations
The following example configurations show how to enable BGP and set up some peer groups. These
examples are not comprehensive directions. They are intended to give you some guidance with typical
configurations.
To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these
examples to your CLI. Be sure that you make the necessary changes.
The following illustration shows the configurations described in the following examples. These
configurations show how to create BGP areas using physical and virtual links. They include setting up the
interfaces and peer groups with each other.
Figure 24. Sample Configurations
Example of Enabling BGP (Router 1)
Example of Enabling BGP (Router 2)
Example of Enabling BGP (Router 3)
Example of Enabling Peer Groups (Router 1)
Example of Enabling Peer Groups (Router 2)
Example of Enabling Peer Groups (Router 3)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.1/24
no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
ip address 10.0.1.21/24
no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.31/24
R1(conf-if-gi-1/31)#no shutdown
R1(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
ip address 10.0.3.31/24
no shutdown
R1(conf-if-gi-1/31)#router bgp 99
R1(conf-router_bgp)#network 192.168.128.0/24
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R1(conf-router_bgp)#end
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.1, local AS number 99
BGP table version is 4, main routing table version 4
4 network entrie(s) using 648 bytes of memory
6 paths using 408 bytes of memory
BGP-RIB over all using 414 bytes of memory
3 BGP path attribute entrie(s) using 144 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99   4        5        4       0    0     00:00:32  1
192.168.128.3   100  5        4        1       0    0     00:00:09  4
R1#
R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.2/24
no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.22/24
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#show config
!
interface GigabitEthernet 2/11
ip address 10.0.1.22/24
no shutdown
R2(conf-if-gi-2/11)#int gig 2/31
R2(conf-if-gi-2/31)#ip address 10.0.2.2/24
R2(conf-if-gi-2/31)#no shutdown
R2(conf-if-gi-2/31)#show config
!
interface GigabitEthernet 2/31
ip address 10.0.2.2/24
no shutdown
R2(conf-if-gi-2/31)#
R2(conf-if-gi-2/31)#router bgp 99
R2(conf-router_bgp)#network 192.168.128.0/24
R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R2(conf-router_bgp)#neighbor 192.168.128.1 no shut
R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R2(conf-router_bgp)#neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0
R2(conf-router_bgp)#show config
!
router bgp 99
bgp router-id 192.168.128.2
network 192.168.128.0/24
bgp graceful-restart
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   40       35       1       0    0     00:01:05  1
192.168.128.3   100  4        4        1       0    0     00:00:16  1
R2#
R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.3/24
no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
ip address 10.0.3.33/24
no shutdown
R3(conf-if-lo-0)#int gig 3/21
R3(conf-if-gi-3/21)#ip address 10.0.2.3/24
R3(conf-if-gi-3/21)#no shutdown
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
ip address 10.0.2.3/24
no shutdown
R3(conf-if-gi-3/21)#
R3(conf-if-gi-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#network 192.168.128.0/24
R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.1 no shut
R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.2 no shut
R3(conf-router_bgp)#neighbor 192.168.128.2 update loop 0
R3(conf-router_bgp)#show config
!
router bgp 100
network 192.168.128.0/24
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   24       25       1       0    0     00:14:20  1
192.168.128.2   99   14       14       1       0    0     00:10:22  1
R3#
R1#conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB
R1(conf-router_bgp)#
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 peer-group AAA
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.1, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 96 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99   23       24       1       0    (0)   00:00:17  1
192.168.128.3   100  30       29       1       0    (0)   00:00:14  1
!
R1#show ip bgp neighbors
BGP neighbor is 192.168.128.2, remote AS 99, internal link
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.2
BGP state ESTABLISHED, in this state for 00:00:37
Last read 00:00:36, last write 00:00:36
Hold time is 180, keepalive interval is 60 seconds
Received 23 messages, 0 in queue
2 opens, 0 notifications, 2 updates
19 keepalives, 0 route refresh requests
Sent 24 messages, 0 in queue
2 opens, 1 notifications, 2 updates
19 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 2; dropped 1
Last reset 00:00:57, due to user reset
Notification History
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:00:57 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.1, Local port: 179
Foreign host: 192.168.128.2, Foreign port: 65464
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.3
BGP state ESTABLISHED, in this state for 00:00:37
Last read 00:00:36, last write 00:00:36
Hold time is 180, keepalive interval is 60 seconds
Received 30 messages, 0 in queue
4 opens, 2 notifications, 4 updates
20 keepalives, 0 route refresh requests
Sent 29 messages, 0 in queue
4 opens, 1 notifications, 4 updates
20 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 4; dropped 3
Last reset 00:00:54, due to user reset
R1#
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 peer-group CCC
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#
R2#show ip bgp summary
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 2, main routing table version 2
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   140      136      2       0    (0)   00:11:24  1
192.168.128.3   100  138      140      2       0    (0)   00:18:31  1
R2#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, internal link
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.1
BGP state ESTABLISHED, in this state for 00:11:42
Last read 00:00:38, last write 00:00:38
Hold time is 180, keepalive interval is 60 seconds
Received 140 messages, 0 in queue
6 opens, 2 notifications, 19 updates
113 keepalives, 0 route refresh requests
Sent 136 messages, 0 in queue
12 opens, 3 notifications, 6 updates
115 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
'HOLD error/Timer expired' Sent : 1 Recv: 0
'Connection Reset' Sent : 2 Recv: 2
Last notification (len 21) received 00:12:01 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.128.1, Foreign port: 179
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.3
BGP state ESTABLISHED, in this state for 00:18:51
Last read 00:00:45, last write 00:00:44
Hold time is 180, keepalive interval is 60 seconds
Received 138 messages, 0 in queue
7 opens, 2 notifications, 7 updates
122 keepalives, 0 route refresh requests
Sent 140 messages, 0 in queue
7 opens, 4 notifications, 7 updates
122 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   93       99       1       0    (0)   00:00:15  1
192.168.128.2   99   122      120      1       0    (0)   00:00:11  1
R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.1
BGP state ESTABLISHED, in this state for 00:00:21
Last read 00:00:09, last write 00:00:08
Hold time is 180, keepalive interval is 60 seconds
Received 93 messages, 0 in queue
5 opens, 0 notifications, 5 updates
83 keepalives, 0 route refresh requests
Sent 99 messages, 0 in queue
5 opens, 4 notifications, 5 updates
85 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
10 Content Addressable Memory (CAM)
Content addressable memory (CAM) is a type of memory that stores information in the form of a lookup
table.
On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs),
flows, and routing policies.
CAM Allocation
Allocate space for IPv4 ACLs and quality of service (QoS) regions by using the cam-acl command in
CONFIGURATION mode.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP
blocks.
NOTE: There are 16 FP blocks, but the system flow requires three blocks that cannot be reallocated.
The following table lists the default CAM allocation settings.
Table 8. Default CAM Allocation Settings
CAM Allocation                  Setting
L3 ACL (ipv4acl)                2
L2 ACL (l2acl)                  2
IPv6 L3 ACL (ipv6acl)           0
L3 QoS (ipv4qos)                2
L2 QoS (l2qos)                  0
L2PT (l2pt)                     0
MAC ACLs (ipmacacl)             0
ECFMACL (ecfmacl)               0
FCOEACL (fcoeacl)               4
ISCSIOPTACL (iscsioptacl)       2
VMAN QoS (vman-qos)             0
VMAN Dual QoS (vman-dual-qos)   0
The ipv6acl and vman-dual-qos allocations must be entered as a multiple of 2 (2, 4, 6, 8, 10). All other
profile allocations can use either even or odd numbers.
NOTE: On the MXL 10/40GbE switch IO module, only one region in the CLI configuration can have an
odd number of blocks; the other regions must be multiples of 2. For example, a CLI configuration of
5+4+2+1+1 blocks is not supported; a configuration of 6+4+2+1 blocks is supported.
You must save the new CAM settings to the startup-config (write-mem or copy run start) and then
reload the system for the new settings to take effect.
1. Select a cam-acl action.
CONFIGURATION mode
cam-acl [default | l2acl]
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate
space for the ACL and QoS regions.
2. Enter the number of FP blocks for each region.
EXEC Privilege mode
l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number
ipmacacl number ecfmacl number [vman-qos | vman-dual-qos number]
3. Reload the system.
EXEC Privilege mode
reload
4. Verify that the new settings will be written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
Test CAM Usage
This command applies to both IPv4 CAM profiles, but is best used when verifying QoS optimization for
IPv6 ACLs.
Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege
mode to verify the actual CAM space required. The Status column in the command output indicates
whether or not the policy can be enabled.
Example of the test cam-usage Command
Dell#test cam-usage service-policy input pmap stack-unit all
Stack-Unit | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
---------------------------------------------------------------------------------------
2          | 0        | L2ACL         | 28            | 1                      | Allowed (28)
View CAM-ACL Settings
View the current cam-acl settings using the show cam-acl command.
Example of Viewing CAM-ACL Settings
Dell#show cam-acl
-- Chassis Cam ACL --
Current Settings(in block sizes)
L2Acl       : 6
Ipv4Acl     : 2
Ipv6Acl     : 0
Ipv4Qos     : 2
L2Qos       : 1
L2PT        : 0
IpMacAcl    : 0
VmanQos     : 0
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 2
-- Stack unit 5 --
Current Settings(in block sizes)
L2Acl       : 6
Ipv4Acl     : 2
Ipv6Acl     : 0
Ipv4Qos     : 2
L2Qos       : 1
L2PT        : 0
IpMacAcl    : 0
VmanQos     : 0
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 2
Dell#
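Because a wrong cam-acl allocation only surfaces after a write-mem and a reload, it is worth checking a proposed allocation against the rules stated in the CAM Allocation section (13 FP blocks in total, ipv6acl and vman-dual-qos even, at most one odd-sized region on the MXL) before committing it. The script below is an added example, not Dell Networking OS code: it parses the "Name : N" lines of show cam-acl output (the constructed sample mirrors the output format shown above) and reports every rule the allocation breaks. The mapping from show cam-acl labels to cam-acl keywords is taken from Table 8.

```python
"""Validate a cam-acl block allocation before it is written and the system reloaded.

Added example, not Dell Networking OS code. Rules from the CAM Allocation section:
the regions must total 13 FP blocks, ipv6acl and vman-dual-qos must be even,
and on the MXL only one region may have an odd number of blocks.
"""
import re
from typing import Dict, List

TOTAL_FP_BLOCKS = 13
EVEN_ONLY = ("ipv6acl", "vman-dual-qos")

# show cam-acl labels -> cam-acl CLI keywords (Table 8).
SHOW_LABELS = {
    "L2Acl": "l2acl", "Ipv4Acl": "ipv4acl", "Ipv6Acl": "ipv6acl",
    "Ipv4Qos": "ipv4qos", "L2Qos": "l2qos", "L2PT": "l2pt",
    "IpMacAcl": "ipmacacl", "VmanQos": "vman-qos", "VmanDualQos": "vman-dual-qos",
    "EcfmAcl": "ecfmacl", "FcoeAcl": "fcoeacl", "iscsiOptAcl": "iscsioptacl",
}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(\d+)\s*$")

# Constructed sample in the show cam-acl output format (values as on this page).
SAMPLE_SHOW_CAM_ACL = """\
-- Chassis Cam ACL --
Current Settings(in block sizes)
L2Acl       : 6
Ipv4Acl     : 2
Ipv6Acl     : 0
Ipv4Qos     : 2
L2Qos       : 1
L2PT        : 0
IpMacAcl    : 0
VmanQos     : 0
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 2
-- Stack unit 5 --
Current Settings(in block sizes)
L2Acl       : 6
Ipv4Acl     : 2
"""


def parse_show_cam_acl(text: str) -> Dict[str, int]:
    """Return {cli-keyword: blocks} for the first settings block in the output.

    The per-stack-unit blocks repeat the same labels, so parsing stops at the
    first label seen twice.
    """
    alloc: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in SHOW_LABELS:
            key = SHOW_LABELS[m.group(1)]
            if key in alloc:
                break
            alloc[key] = int(m.group(2))
    return alloc


def check_allocation(alloc: Dict[str, int]) -> List[str]:
    """Return the list of rule violations; an empty list means the allocation is acceptable."""
    problems: List[str] = []
    total = sum(alloc.values())
    if total != TOTAL_FP_BLOCKS:
        problems.append(f"total is {total} FP blocks, must be {TOTAL_FP_BLOCKS}")
    for key in EVEN_ONLY:
        if alloc.get(key, 0) % 2:
            problems.append(f"{key}={alloc[key]} must be a multiple of 2")
    odd = [k for k, v in alloc.items() if v % 2]
    if len(odd) > 1:
        problems.append("more than one odd-sized region on MXL: " + ", ".join(odd))
    return problems


if __name__ == "__main__":
    current = parse_show_cam_acl(SAMPLE_SHOW_CAM_ACL)
    print("current allocation:", current, "->", check_allocation(current) or "OK")
    # The unsupported 5+4+2+1+1 layout from the NOTE above.
    print(check_allocation({"l2acl": 5, "ipv4acl": 4, "ipv4qos": 2, "l2qos": 1, "ipv6acl": 1}))
```

The sample output totals 13 blocks with l2qos as the only odd region, so it passes; the 5+4+2+1+1 layout from the NOTE fails on two rules (an odd ipv6acl and more than one odd region), which is the kind of mistake a reload would otherwise reveal.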
CAM Optimization
When you enable CAM optimization, if a policy map containing classification rules (ACL and/or DSCP/IP
precedence rules) is applied to more than one physical interface on the same port-pipe, only a single
copy of the policy is written (only one FP entry is used).
When you disable it, the system behaves as described in this chapter. Note, however, that enabling
CAM optimization also applies a single rate-policing FP entry: if the same input service policy is applied to
several ports, rate policing is applied to all those ports as a group and not individually.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) is supported on the MXL switch.
CoPP uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a
system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching
the system control plane and rate-limits the remaining traffic to an acceptable level.
CoPP increases security on the system by protecting the routing processor from unnecessary or DoS
traffic, giving priority to important control plane and management traffic. CoPP uses a dedicated control
plane configuration through the ACL and QoS command line interfaces (CLIs) to provide filtering and
rate-limiting capabilities for the control plane packets.
The following illustration shows an example of the difference between having CoPP implemented and
not having CoPP implemented.
Figure 25. Control Plane Policing
Figure 26. CoPP Implemented Versus CoPP Not Implemented
Configure Control Plane Policing
The MXL switch can process a maximum of 4200 PPS (packets per second). Protocols that share a single
queue may experience flaps if one of the protocols receives a high rate of control traffic, even though per-
protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
For example, border gateway protocol (BGP) and internet control message protocol (ICMP) share the same
queue (Q6); Q6 has 400 PPS of bandwidth by default. The desired rate of ICMP is 100 PPS and the
remaining 300 PPS is assigned to BGP. If ICMP packets arrive at 400 PPS, BGP packets may be dropped
even though ICMP packets are rate-limited to 100 PPS. You can solve this by increasing the Q6 bandwidth to 700
PPS to allow both ICMP and BGP packets and then applying per-flow CoPP for ICMP and BGP packets.
The setting of this Q6 bandwidth depends on the incoming traffic for the set of protocols sharing the
same queue. If you do not know the incoming protocol traffic rate, you cannot set the required
queue rate limit value. You must complete queue bandwidth tuning carefully, because the system cannot
be opened up to handle any rate, including traffic arriving at line rate.
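The two-stage behaviour described above (queue-based limit first, per-protocol CoPP second) is easy to get wrong when sizing queues, so the following model works the Q6 example through with numbers. It is an added example, not Dell Networking OS code, and it makes one labelled assumption the page does not state: when a queue is over-subscribed it drops each protocol in proportion to its offered rate. The protocol names, rates and queue sizes are the ones given in the paragraph above.

```python
"""Model of CoPP's two-stage policing: queue rate limit first, per-protocol limit second.

Added example, not Dell Networking OS code. Assumption (not stated on the page):
an over-subscribed queue drops proportionally, so every protocol keeps the same
fraction of what it offered.
"""
from typing import Dict, Tuple


def police_queue(queue_pps: float, offered: Dict[str, float]) -> Dict[str, float]:
    """Stage 1: queue-based rate limit. Returns the pps of each protocol that survives the queue."""
    total = sum(offered.values())
    if total <= queue_pps:
        return dict(offered)
    share = queue_pps / total  # assumption: proportional drop across the sharing protocols
    return {proto: rate * share for proto, rate in offered.items()}


def police_protocols(admitted: Dict[str, float], limits: Dict[str, float]) -> Dict[str, float]:
    """Stage 2: per-protocol CoPP limit applied to what the queue let through."""
    return {proto: min(rate, limits.get(proto, rate)) for proto, rate in admitted.items()}


def copp_delivered(queue_pps: float, offered: Dict[str, float],
                   limits: Dict[str, float]) -> Dict[str, float]:
    return police_protocols(police_queue(queue_pps, offered), limits)


def q6_scenario(queue_pps: float, icmp_pps: float) -> Tuple[int, int]:
    """ICMP and BGP share Q6; ICMP is limited to 100 pps and BGP to the remaining 300.

    Returns (icmp delivered, bgp delivered) in whole pps for a BGP offered rate of 300 pps.
    """
    delivered = copp_delivered(queue_pps,
                               {"icmp": icmp_pps, "bgp": 300.0},
                               {"icmp": 100.0, "bgp": 300.0})
    return round(delivered["icmp"]), round(delivered["bgp"])


if __name__ == "__main__":
    # Default Q6 of 400 pps with an ICMP burst of 400 pps: BGP loses packets
    # even though ICMP itself is cut to 100 pps by its per-protocol limit.
    print("Q6=400, ICMP 400 pps ->", q6_scenario(400, 400))
    # Q6 raised to 700 pps as the text recommends: both protocols get their rate.
    print("Q6=700, ICMP 400 pps ->", q6_scenario(700, 400))
```

With the default 400 PPS queue, BGP only receives about 171 of its 300 PPS during the ICMP burst, which is the kind of loss that lets a hold timer expire; at 700 PPS the queue admits everything and the per-protocol limits alone shape the traffic (100 PPS ICMP, 300 PPS BGP).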
CoPP policies are assigned on a per-protocol or a per-queue basis, and are assigned in CONTROL-PLANE mode to each port-pipe.
CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS
policies. The ACLs and QoS policies are assigned as service-policies.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP.
For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and
Quality of Service (QoS).
The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for
the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to
the ACL. The ACL and QoS policies are finally assigned to a control-plane service policy for each port-pipe.
1. Create a Layer 2 extended ACL for control-plane traffic policing for a particular protocol.
CONFIGURATION mode
mac access-list extended name cpu-qos permit {arp | frrp | gvrp | isis | lacp | lldp | stp}
2. Create a Layer 3 extended ACL for control-plane traffic policing for a particular protocol.
CONFIGURATION mode
ip access-list extended name cpu-qos permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp |
ntp | ospf | pim | ip | ssh | telnet | vrrp}
3. Create an IPv6 ACL for control-plane traffic policing for a particular protocol.
CONFIGURATION mode
ipv6 access-list name cpu-qos permit {bgp | icmp | vrrp}
4. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos rate-police
5. Create a QoS class map to differentiate the control-plane traffic and assign it to an ACL.
CONFIGURATION mode
class-map match-any name cpu-qos match {ip | mac | ipv6} access-group name
6. Create a QoS input policy map that matches the class map and QoS policy for each desired protocol.
CONFIGURATION mode
policy-map-input name cpu-qos class-map name qos-policy name
7. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
8. Assign the protocol-based service policy on the control plane. Enabling this command on a port-pipe
automatically enables the ACL and QoS rules created with the cpu-qos keyword.
CONTROL-PLANE mode
service-policy rate-limit-protocols
Example of Creating the IP/IPv6/MAC Extended ACL
Example of Creating the QoS Input Policy
Example of Creating the QoS Class Map
Example of Matching the QoS Class Map to the QoS Policy
Example of Creating the Control Plane Service Policy
Dell(conf)#ip access-list extended ospf cpu-qos
Dell(conf-ip-acl-cpuqos)#permit ospf
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#ip access-list extended bgp cpu-qos
Dell(conf-ip-acl-cpuqos)#permit bgp
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#mac access-list extended lacp cpu-qos
Dell(conf-mac-acl-cpuqos)#permit lacp
Dell(conf-mac-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit icmp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_500k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 500 50 peak 1000 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#class-map match-any class_ospf cpu-qos
Dell(conf-class-map-cpuqos)#match ip access-group ospf
Dell(conf-class-map-cpuqos)#exit
Dell(conf)#class-map match-any class_bgp cpu-qos
Dell(conf-class-map-cpuqos)#match ip access-group bgp
Dell(conf-class-map-cpuqos)#exit
Dell(conf)#class-map match-any class_lacp cpu-qos
Dell(conf-class-map-cpuqos)#match mac access-group lacp
Dell(conf-class-map-cpuqos)#exit
Dell(conf)#class-map match-any class-ipv6-icmp cpu-qos
Dell(conf-class-map-cpuqos)#match ipv6 access-group ipv6-icmp
Dell(conf-class-map-cpuqos)#exit
Dell(conf)#policy-map-input egressFP_rate_policy cpu-qos
Dell(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
Dell(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
Dell(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
Dell(conf-policy-map-in-cpuqos)#class-map class-ipv6-icmp qos-policy rate_limit_200k
Dell(conf-policy-map-in-cpuqos)#exit
Dell(conf)#control-plane-cpuqos
Dell(conf-control-cpuqos)#service-policy rate-limit-protocols
egressFP_rate_policy
Dell(conf-control-cpuqos)#exit
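A CoPP policy chain has several layers of name references (ACL to class map, class map and QoS policy to policy map, policy map to the control-plane service policy), and a misspelt name at any layer silently leaves that protocol unpoliced. The checker below is an added example, not Dell Networking OS code: it reads configuration lines in the form shown above and reports references to objects that were never created. Its line matching is a simplified parser written for this example (not the switch's parser) and assumes the exact keyword spellings used on this page. The embedded configuration is constructed for the example and deliberately binds class-ipv6 in the policy map while the class map created is class-ipv6-icmp.

```python
"""Find dangling name references in a cpu-qos (CoPP) policy chain.

Added example, not Dell Networking OS code. Simplified line matcher for the
command forms shown on this page; CLI prompts such as "Dell(conf)#" are tolerated.
"""
import re
from typing import List

# Declarations: (regex, kind) -> the captured name becomes a known object.
DECL = [
    (re.compile(r"^(?:ip|mac) access-list extended (\S+) cpu-qos$"), "acl"),
    (re.compile(r"^ipv6 access-list (\S+) cpu-qos$"), "acl"),
    (re.compile(r"^qos-policy-in(?:put)? (\S+) cpu-qos$"), "qos-policy"),
    (re.compile(r"^class-map match-any (\S+) cpu-qos$"), "class-map"),
    (re.compile(r"^policy-map-input (\S+) cpu-qos$"), "policy-map"),
]
# References: (regex, kinds of each captured group) -> must resolve to a declaration.
REFS = [
    (re.compile(r"^match (?:ip|ipv6|mac) access-group (\S+)$"), ["acl"]),
    (re.compile(r"^class-map (\S+) qos-policy (\S+)$"), ["class-map", "qos-policy"]),
    (re.compile(r"^service-policy rate-limit-protocols (\S+)$"), ["policy-map"]),
]

# Constructed sample in the style of the example above; line 27 binds a
# class map name (class-ipv6) that does not match the one created (class-ipv6-icmp).
SAMPLE_CONFIG = """\
ip access-list extended ospf cpu-qos
 permit ospf
ip access-list extended bgp cpu-qos
 permit bgp
mac access-list extended lacp cpu-qos
 permit lacp
ipv6 access-list ipv6-icmp cpu-qos
 permit icmp
qos-policy-in rate_limit_200k cpu-qos
 rate-police 200 40 peak 500 40
qos-policy-in rate_limit_400k cpu-qos
 rate-police 400 50 peak 600 50
qos-policy-in rate_limit_500k cpu-qos
 rate-police 500 50 peak 1000 50
class-map match-any class_ospf cpu-qos
 match ip access-group ospf
class-map match-any class_bgp cpu-qos
 match ip access-group bgp
class-map match-any class_lacp cpu-qos
 match mac access-group lacp
class-map match-any class-ipv6-icmp cpu-qos
 match ipv6 access-group ipv6-icmp
policy-map-input egressFP_rate_policy cpu-qos
 class-map class_ospf qos-policy rate_limit_500k
 class-map class_bgp qos-policy rate_limit_400k
 class-map class_lacp qos-policy rate_limit_200k
 class-map class-ipv6 qos-policy rate_limit_200k
control-plane-cpuqos
 service-policy rate-limit-protocols egressFP_rate_policy
"""


def lint_copp(config: str) -> List[str]:
    """Return one message per reference to an ACL, class map, QoS policy or policy map that was never created."""
    declared = {"acl": set(), "qos-policy": set(), "class-map": set(), "policy-map": set()}
    refs = []  # (kind, name, line number), resolved after all declarations are known
    for n, raw in enumerate(config.splitlines(), 1):
        s = re.sub(r"^\S*?#", "", raw.strip()).strip()  # drop a leading "Dell(conf...)#" prompt
        if not s:
            continue
        for rx, kind in DECL:
            m = rx.match(s)
            if m:
                declared[kind].add(m.group(1))
                break
        else:
            for rx, kinds in REFS:
                m = rx.match(s)
                if m:
                    refs.extend((k, name, n) for k, name in zip(kinds, m.groups()))
                    break
    return [f"line {n}: {kind} '{name}' is referenced but never created"
            for kind, name, n in refs if name not in declared[kind]]


if __name__ == "__main__":
    for msg in lint_copp(SAMPLE_CONFIG) or ["no dangling references"]:
        print(msg)
```

Run against the sample it reports the class-ipv6 binding; once the policy map names class-ipv6-icmp instead, the chain resolves end to end and the check returns nothing.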
Configuring CoPP for CPU Queues
Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies.
CoPP for CPU queues converts the input rate from kbps to pps, assuming 64 bytes is the average packet
size, and applies that rate to the corresponding queue. Consequently, 1 kbps is roughly equivalent to 2
pps.
The basics for creating a CoPP service policy are to create QoS policies for the desired CPU-bound queues
and associate each with a particular rate limit. The QoS policies are assigned to a control-plane service
policy for each port-pipe.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos service-queue 0 qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this
command sets the queue rates according to those configured.
CONTROL-PLANE mode
service-policy rate-limit-cpu-queues name
Example of Creating the QoS Policy
Dell#conf
Dell(conf)#qos-policy-input cpuq_1
Dell(conf-qos-policy-in)#rate-police 3000 40 peak 500 40
Dell(conf-qos-policy-in)#exit
Dell(conf)#qos-policy-input cpuq_2
Dell(conf-qos-policy-in)#rate-police 5000 80 peak 600 50
Dell(conf-qos-policy-in)#exit
Example of Assigning the QoS Policy to the Queues
Dell(conf)#policy-map-input cpuq_rate_policy cpu-qos
Dell(conf-policy-map-in-cpuqos)#service-queue 5 qos-policy cpuq_1
Dell(conf-policy-map-in-cpuqos)#service-queue 6 qos-policy cpuq_2
Dell(conf-policy-map-in-cpuqos)#service-queue 7 qos-policy cpuq_1
Example of Creating the Control Plane Service Policy
Dell#conf
Dell(conf)#control-plane-cpuqos
Dell(conf-control-cpuqos)#service-policy rate-limit-cpu-queues cpuq_rate_policy
Show Commands
The following section describes the CoPP show commands.
To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Rates
Dell#show cpu-queue rate cp
Service-Queue   Rate (PPS)
--------------  ----------
Q0              1300
Q1              300
Q2              300
Q3              300
Q4              2000
Q5              400
Q6              400
Q7              1100
Dell#
Example of Viewing Queue Mapping
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
Dell#show ip protocol-queue-mapping
Protocol        Src-Port  Dst-Port  TcpFlag  Queue  EgPort  Rate (kbps)
--------------  --------  --------  -------  -----  ------  -----------
TCP (BGP)       any/179   179/any   _        Q6     CP      100
UDP (DHCP)      67/68     68/67     _        Q6/Q5  CP      _
UDP (DHCP-R)    67        67        _        Q6     CP      _
TCP (FTP)       any       21        _        Q6     CP      _
ICMP            any       any       _        Q6     CP      _
IGMP            any       any       _        Q7     CP      _
TCP (MSDP)      any/639   639/any   _        Q6     CP      _
UDP (NTP)       any       123       _        Q6     CP      _
OSPF            any       any       _        Q7     CP      _
PIM             any       any       _        Q7     CP      _
UDP (RIP)       any       520       _        Q7     CP      _
TCP (SSH)       any       22        _        Q6     CP      _
TCP (TELNET)    any       23        _        Q6     CP      _
VRRP            any       any       _        Q7     CP      _
Dell#
Example of Viewing Queue Mapping for MAC Protocols
To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
Dell#show mac protocol-queue-mapping
Protocol  Destination Mac            EtherType  Queue  EgPort  Rate (kbps)
--------  -------------------------  ---------  -----  ------  -----------
ARP       any                        0x0806     Q5/Q6  CP      _
FRRP      01:01:e8:00:00:10/11       any        Q7     CP      _
LACP      01:80:c2:00:00:02          0x8809     Q7     CP      _
LLDP      any                        0x88cc     Q7     CP      _
GVRP      01:80:c2:00:00:21          any        Q7     CP      _
STP       01:80:c2:00:00:00          any        Q7     CP      _
ISIS      01:80:c2:00:00:14/15       any        Q7     CP      _
          09:00:2b:00:00:04/05       any        Q7     CP
Dell#
Example of Viewing Queue Mapping for IPv6 Protocols
To view the queue mapping for IPv6 protocols, use the show ipv6 protocol-queue-mapping command.
Dell#show ipv6 protocol-queue-mapping
Protocol        Src-Port  Dst-Port  TcpFlag  Queue  EgPort  Rate (kbps)
--------------  --------  --------  -------  -----  ------  -----------
TCP (BGP)       any/179   179/any   _        Q6     CP      _
ICMP            any       any       _        Q6     CP      _
VRRP            any       any       _        Q7     CP      _
Dell#
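The two show outputs above are most useful when read together: every protocol mapped to the same CPU queue shares that queue's pps budget, so a burst of one protocol in Q6 (for example SSH or ICMP) competes with BGP for the same 400 pps. The following script is an added example, not part of the Dell guide, that parses the show cpu-queue rate cp and show ip protocol-queue-mapping outputs (the sample text is copied from the outputs above and re-aligned into fixed columns) and reports which protocols share each queue and the pps budget that bounds them. The function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the 'show cpu-queue rate cp' output shown above.
QUEUE_RATES = """\
Dell#show cpu-queue rate cp
Service-Queue   Rate (PPS)
--------------  ----------
Q0              1300
Q1              300
Q2              300
Q3              300
Q4              2000
Q5              400
Q6              400
Q7              1100
Dell#
"""

# Constructed sample: the 'show ip protocol-queue-mapping' output shown above.
PROTOCOL_QUEUES = """\
Dell#show ip protocol-queue-mapping
Protocol        Src-Port  Dst-Port  TcpFlag  Queue  EgPort  Rate (kbps)
--------------  --------  --------  -------  -----  ------  -----------
TCP (BGP)       any/179   179/any   _        Q6     CP      100
UDP (DHCP)      67/68     68/67     _        Q6/Q5  CP      _
UDP (DHCP-R)    67        67        _        Q6     CP      _
TCP (FTP)       any       21        _        Q6     CP      _
ICMP            any       any       _        Q6     CP      _
IGMP            any       any       _        Q7     CP      _
TCP (MSDP)      any/639   639/any   _        Q6     CP      _
UDP (NTP)       any       123       _        Q6     CP      _
OSPF            any       any       _        Q7     CP      _
PIM             any       any       _        Q7     CP      _
UDP (RIP)       any       520       _        Q7     CP      _
TCP (SSH)       any       22        _        Q6     CP      _
TCP (TELNET)    any       23        _        Q6     CP      _
VRRP            any       any       _        Q7     CP      _
Dell#
"""

# One queue-rate row: "Q6   400"
RATE_RE = re.compile(r"^(Q\d+)\s+(\d+)\s*$")
# One mapping row; the protocol name may carry a parenthesised suffix, "TCP (BGP)".
MAP_RE = re.compile(
    r"^(?P<proto>\S+(?: \([^)]+\))?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<flag>\S+)\s+(?P<queue>\S+)\s+(?P<egport>\S+)\s+(?P<rate>\S+)\s*$"
)


def parse_queue_rates(text):
    """Return {queue: pps} from 'show cpu-queue rate cp' output."""
    rates = {}
    for line in text.splitlines():
        m = RATE_RE.match(line.strip())
        if m:
            rates[m.group(1)] = int(m.group(2))
    return rates


def parse_protocol_queues(text):
    """Return {protocol: [queues]} from 'show ip protocol-queue-mapping' output.

    A protocol may be split across queues ("Q6/Q5"), so the value is a list.
    The dashed separator row also has seven tokens; it is skipped because its
    queue column does not start with 'Q'.
    """
    mapping = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m and m.group("queue").startswith("Q"):
            mapping[m.group("proto")] = m.group("queue").split("/")
    return mapping


def queue_sharing(rates, mapping):
    """Group protocols by the CPU queue, and hence the pps budget, they share."""
    shared = defaultdict(list)
    for proto, queues in mapping.items():
        for q in queues:
            shared[q].append(proto)
    return {q: {"pps": rates.get(q), "protocols": sorted(protos)}
            for q, protos in shared.items()}


def protocol_budget(rates, mapping, proto):
    """pps budget bounding one protocol, keyed by each queue it is mapped to."""
    return {q: rates[q] for q in mapping[proto]}


if __name__ == "__main__":
    rates = parse_queue_rates(QUEUE_RATES)
    mapping = parse_protocol_queues(PROTOCOL_QUEUES)
    for q, info in sorted(queue_sharing(rates, mapping).items()):
        print(f"{q}: {info['pps']} pps shared by {', '.join(info['protocols'])}")
```

Running the script against the sample output shows nine protocols on Q6 at 400 pps and five on Q7 at 1100 pps; when you tune the per-queue rate-police values, this is the grouping that tells you which protocols a given queue rate actually protects.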
12 Data Center Bridging (DCB)
Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch.
Ethernet Enhancements in Data Center Bridging
The following section describes DCB.
DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic. Through network consolidation, DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks. For example, instead of deploying an Ethernet network for LAN traffic, additional storage area networks (SANs) to ensure lossless Fibre Channel traffic, and a separate InfiniBand network for high-performance inter-processor computing within server clusters, only one DCB-enabled network is required in a data center. The Dell Networking switches that support a unified fabric and consolidate multiple network infrastructures use a single input/output (I/O) device called a converged network adapter (CNA).
A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Data center bridging satisfies the needs of the following types of data center traffic in a unified fabric:
LAN traffic
LAN traffic consists of many flows that are insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in the case of network congestion. IP networks rely on transport protocols (for example, TCP) for reliable data transmission with the associated cost of greater processing overhead and performance impact.
Storage traffic
Storage traffic based on Fibre Channel media uses the SCSI protocol for data transfer. This traffic typically consists of large data packets with a payload of 2K bytes that cannot recover from frame loss. To successfully transport storage traffic, data center Ethernet must provide no-drop service with lossless links.
InterProcess Communication (IPC) traffic
InterProcess Communication (IPC) traffic is used within high-performance computing clusters to share information. Server traffic is extremely sensitive to latency requirements.
To ensure lossless delivery and latency-sensitive scheduling of storage and service traffic and I/O convergence of LAN, storage, and server traffic over a unified fabric, IEEE data center bridging adds the following extensions to a classical Ethernet network:
• 802.1Qbb — Priority-based Flow Control (PFC)
• 802.1Qaz — Enhanced Transmission Selection (ETS)
• 802.1Qau — Congestion Notification
• Data Center Bridging Exchange (DCBx) protocol
NOTE: In the Dell Networking OS version 8.3.12.0, only the PFC, ETS, and DCBx features are supported in data center bridging.
Priority-Based Flow Control
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in
multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p
priority traffic to the transmitting device. In this way, PFC ensures that PFC-enabled priority traffic is not
dropped by the switch.
PFC enhances the existing 802.3x pause and 802.1p priority capabilities to enable flow control based on
802.1p priorities (classes of service). Instead of stopping all traffic on a link (as performed by the
traditional Ethernet pause mechanism), PFC pauses traffic on a link according to the 802.1p priority set on
a traffic type. You can create lossless flows for storage and server traffic while allowing for loss in case of
LAN traffic congestion on the same physical interface.
The following illustration shows how PFC handles traffic congestion by pausing the transmission of
incoming traffic with dot1p priority 3.
Figure 27. Priority-Based Flow Control
In the system, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only two lossless queues are supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic and one for Internet Small Computer System Interface (iSCSI) storage traffic. Configure the same lossless queues on all ports.
• PFC delay constraints place an upper limit on the transmit time of a queue after receiving a message to pause a specified priority.
• By default, PFC is enabled on an interface with no dot1p priorities configured. You can configure the PFC priorities if the switch negotiates with a remote peer using DCBX.
• During DCBX negotiation with a remote peer:
– If the negotiation succeeds and the port is in DCBX Willing mode to receive a peer configuration, PFC parameters from the peer are used to configure PFC priorities on the port. If you enable the link-level flow control mechanism on the interface, DCBX negotiation with a peer is not performed.
– If the negotiation fails and PFC is enabled on the port, any user-configured PFC input policies are applied. If no PFC input policy has been previously applied, the PFC default setting is used (no priorities configured). If you do not enable PFC on an interface, you can enable the 802.3x link-level pause function. By default, the link-level pause is disabled.
• PFC supports buffering to receive data that continues to arrive on an interface while the remote system reacts to the PFC operation.
• PFC uses the DCB MIB IEEE802.1azd2.5 and the PFC MIB IEEE802.1bb-d2.2.
Enhanced Transmission Selection
Enhanced transmission selection (ETS) supports optimized bandwidth allocation between traffic types in
multiprotocol (Ethernet, FCoE, SCSI) links.
ETS allows you to divide traffic according to its 802.1p priority into different priority groups (traffic
classes) and configure bandwidth allocation and queue scheduling for each group to ensure that each
traffic type is correctly prioritized and receives its required bandwidth. For example, you can prioritize
low-latency storage or server cluster traffic in a traffic class to receive more bandwidth and restrict best-effort LAN traffic assigned to a different traffic class.
Although you can configure strict-priority queue scheduling for a priority group, ETS introduces flexibility
that allows the bandwidth allocated to each priority group to be dynamically managed according to the
amount of LAN, storage, and server traffic in a flow. Unused bandwidth is dynamically allocated to
prioritized priority groups. Traffic is queued according to its 802.1p priority assignment, while flexible
bandwidth allocation and the configured queue-scheduling for a priority group is supported.
The following figure shows how ETS allows you to allocate bandwidth when different traffic types are
classed according to 802.1p priority and mapped to priority groups.
Figure 28. Enhanced Transmission Selection
The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.
Table 9. ETS Traffic Groupings
Priority group
A group of 802.1p priorities used for bandwidth allocation and queue scheduling. All 802.1p priority traffic in a group must have the same traffic handling requirements for latency and frame loss.
Group ID
A 4-bit identifier assigned to each priority group. The range is from 0 to 7.
Group bandwidth
Percentage of available bandwidth allocated to a priority group.
Group transmission selection algorithm (TSA)
Type of queue scheduling a priority group uses.
In the Dell Networking OS, ETS is implemented as follows:
• ETS supports groups of 802.1p priorities that have:
– PFC enabled or disabled
– No bandwidth limit or no ETS processing
• Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups.
• For ETS traffic selection, an algorithm is applied to priority groups using:
– Strict priority shaping
– ETS shaping
• ETS uses the DCB MIB IEEE 802.1azd2.5.
Data Center Bridging Exchange Protocol (DCBx)
DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices. DCBx capabilities include:
• Discovery of DCB capabilities on peer-device connections.
• Determination of possible mismatch in DCB configuration on a peer link.
• Configuration of a peer device over a DCB link.
DCBx requires the link layer discovery protocol (LLDP) to provide the path to exchange DCB parameters with peer devices. Exchanged parameters are sent in organizationally specific TLVs in LLDP data units. For more information, refer to Link Layer Discovery Protocol (LLDP). The following LLDP TLVs are supported for DCB parameter exchange:
PFC parameters
PFC Configuration TLV and Application Priority Configuration TLV.
ETS parameters
ETS Configuration TLV and ETS Recommendation TLV.
Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.
Figure 29. DCB PFC and ETS Traffic Handling
Enabling Data Center Bridging
Data center bridging is enabled by default on an MXL 10/40GbE Switch to support converged enhanced Ethernet (CEE) in a data center network.
Prerequisites for configuring DCB:
• Priority-based flow control
• Enhanced transmission selection
• Data center bridging exchange protocol
• FCoE initialization protocol (FIP) snooping
DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values. Untagged packets are treated with a dot1p priority of 0.
For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table.
On the MXL Switch, by default, DCB is enabled and MMU buffers are reserved to achieve no-drop traffic handling for PFC. Disabling DCB does not release the buffers reserved by default. To utilize reserved buffers for non-DCB applications, you have to explicitly release the buffers (refer to Configuring the PFC Buffer in a Switch Stack).
To disable or re-enable DCB on a switch, enter the following commands.
1. Disable DCB.
CONFIGURATION mode
no dcb enable
2. Re-enable DCB.
CONFIGURATION mode
dcb enable
NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces.
After you disable DCB, if link-level flow control is not automatically enabled on an interface, to enable flow control, manually shut down the interface (the shutdown command) and re-enable it (the no shutdown command).
QoS dot1p Traffic Classification and Queue Assignment
The following section describes QoS dot1p traffic classification and queue assignments.
DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods:
Honor dot1p
You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode (refer to Honoring dot1p Values on Ingress Packets).
Layer 2 class maps
You can use dot1p priorities to classify traffic in a class map and apply a service policy to an ingress port to map traffic to egress queues (refer to Policy-Based QoS Configurations).
NOTE: Dell Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. However, Dell Networking does recommend using ingress traffic classification with the service-class dynamic dot1p command (honor dot1p) on all DCB-enabled interfaces. If you use L2 class maps to map dot1p priority traffic to egress queues, take into account the default dot1p-queue assignments in the following table and the maximum number of two lossless queues supported on a port (refer to Configuring Lossless Queues).
Although the system allows you to change the default dot1p priority-queue assignments (refer to Setting dot1p Priorities for Incoming Traffic), DCB policies applied to an interface may become invalid if you reconfigure dot1p-queue mapping. If the configured DCB policy remains valid, the change in the dot1p-queue assignment is allowed. On DCB ETS-enabled interfaces, traffic destined to a queue that is not mapped to any dot1p priority is dropped.
dot1p Value in the Incoming Frame    Egress Queue Assignment
0                                    0
1                                    0
2                                    0
3                                    1
4                                    2
5                                    3
6                                    3
7                                    3
NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election).
Configuring Priority-Based Flow Control
PFC provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB.
As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (Class of Service (CoS) values) without impacting other priority classes. Different traffic types are assigned to different priority classes.
When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that is to be stopped. Data Center Bridging Exchange protocol (DCBx) provides the link-level exchange of PFC parameters between peer devices. PFC allows network administrators to create zero-loss links for Storage Area Network (SAN) traffic that requires no-drop service, while retaining packet-drop congestion management for Local Area Network (LAN) traffic.
To ensure complete no-drop service, apply the same DCB input policy with the same pause time and dot1p priorities on all PFC-enabled peer interfaces.
To configure PFC and apply a PFC input policy to an interface, follow these steps.
1. Create a DCB input policy to apply pause or flow control for specified priorities using a configured delay time.
CONFIGURATION mode
dcb-input policy-name
The maximum is 32 alphanumeric characters.
2. Configure the link delay used to pause specified priority traffic.
DCB INPUT POLICY mode
pfc link-delay value
One quantum is equal to a 512-bit transmission.
The range (in quanta) is from 712 to 65535.
The default link delay is 45556 quanta.
3. Configure the CoS traffic to be stopped for the specified delay.
DCB INPUT POLICY mode
pfc priority priority-range
Enter the 802.1p values of the frames to be paused.
The range is from 0 to 7.
The default is none.
Maximum number of lossless queues supported on the switch: 2.
Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 1,3,5-7.
4. Enable the PFC configuration on the port so that the priorities are included in DCBx negotiation with peer PFC devices.
DCB INPUT POLICY mode
pfc mode on
The default is PFC mode on.
5. (Optional) Enter a text description of the input policy.
DCB INPUT POLICY mode
description text
The maximum is 32 characters.
6. Exit DCB input policy configuration mode.
DCB INPUT POLICY mode
exit
7. Enter interface configuration mode.
CONFIGURATION mode
interface type slot/port
8. Apply the input policy with the PFC configuration to an ingress interface.
INTERFACE mode
dcb-policy input policy-name
9. Repeat Steps 1 to 8 on all PFC-enabled peer interfaces to ensure lossless traffic service.
Dell Networking OS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE802.1Qbb, CEE, and CIN versions of PFC Type, Length, Value (TLV) are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices.
By applying a DCB input policy with PFC enabled, you enable PFC operation on ingress port traffic. To achieve complete lossless handling of traffic, also enable PFC on all DCB egress ports or configure the dot1p priority-queue assignment of PFC priorities to lossless queues (refer to Configuring Lossless Queues).
To remove a DCB input policy, including the PFC configuration it contains, use the no dcb-input policy-name command in INTERFACE Configuration mode. To disable PFC operation on an interface, use the no pfc mode on command in DCB Input Policy Configuration mode. PFC is enabled and disabled as the global DCB operation is enabled (dcb enable) or disabled (no dcb enable).
You can enable any number of 802.1p priorities for PFC. Queues to which PFC priority traffic is mapped are lossless by default. Traffic may be interrupted due to an interface flap (going down and coming up) when you reconfigure the lossless queues for no-drop priorities in a PFC input policy and reapply the policy to an interface.
To apply PFC, a PFC peer must support the configured priority traffic (as detected by DCBx).
To honor a PFC pause frame multiplied by the number of PFC-enabled ingress ports, the minimum link delay must be greater than the round-trip transmission time the peer requires.
If you apply an input policy with PFC disabled (no pfc mode on):
• You can enable link-level flow control on the interface (refer to Enabling Pause Frames). To delete the input policy, first disable link-level flow control. PFC is then automatically enabled on the interface because an interface is by default PFC-enabled.
• PFC still allows you to configure lossless queues on a port to ensure no-drop handling of lossless traffic (refer to Configuring Lossless Queues).
NOTE: You cannot enable PFC and link-level flow control at the same time on an interface.
When you apply an input policy to an interface, an error message displays if:
• The PFC dot1p priorities result in more than two lossless port queues globally on the switch.
• Link-level flow control is already enabled. You cannot enable PFC and link-level flow control at the same time on an interface.
• In a switch stack, configure all stacked ports with the same PFC configuration.
A DCB input policy for PFC applied to an interface may become invalid if you reconfigure dot1p-queue mapping (refer to the Create Input Policy Maps section in the Quality of Service (QoS) chapter). This situation occurs when the new dot1p-queue assignment exceeds the maximum number (2) of lossless queues supported globally on the switch. In this case, all PFC configurations received from PFC-enabled peers are removed and resynchronized with the peer devices.
Traffic may be interrupted when you reconfigure PFC no-drop priorities in an input policy or reapply the policy to an interface.
The Dell Networking OS does not support MACsec Bypass Capability (MBC).
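The apply-time check described above (a PFC input policy is rejected when its dot1p priorities land in more than two lossless queues, and a later change to the dot1p-queue mapping can invalidate a policy that was accepted) can be reproduced offline before touching the switch. The following script is an added example, not part of the Dell guide or its software: it parses the pfc priority argument in the 1,3,5-7 syntax given in Step 3, maps each priority through the default dot1p-to-queue table from the previous section, and applies the two-lossless-queue limit. The function names and the alternative mapping used in the demonstration are this example's own.

```python
# Default dot1p-to-egress-queue assignment from the guide's table.
DEFAULT_DOT1P_TO_QUEUE = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}

# Limit stated in the guide: at most two lossless queues on a port.
MAX_LOSSLESS_QUEUES = 2


def parse_priority_range(spec):
    """Parse a 'pfc priority' argument such as '1,3,5-7' into {1, 3, 5, 6, 7}.

    Accepts comma-separated values and dash ranges; rejects values outside
    0-7 and reversed ranges, as the CLI would.
    """
    priorities = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty element in {spec!r}")
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range {part!r}")
            values = range(lo, hi + 1)
        else:
            values = [int(part)]
        for v in values:
            if not 0 <= v <= 7:
                raise ValueError(f"dot1p priority {v} outside the range 0-7")
            priorities.add(v)
    return priorities


def lossless_queues(priorities, dot1p_to_queue=DEFAULT_DOT1P_TO_QUEUE):
    """Egress queues that become lossless when these dot1p priorities are paused."""
    return {dot1p_to_queue[p] for p in priorities}


def check_pfc_policy(spec, dot1p_to_queue=DEFAULT_DOT1P_TO_QUEUE,
                     max_lossless=MAX_LOSSLESS_QUEUES):
    """Return (ok, queues, message) for a 'pfc priority' setting.

    ok is False when the priorities would require more lossless queues than
    the switch supports, which is the condition the guide says produces an
    error when the input policy is applied.
    """
    queues = lossless_queues(parse_priority_range(spec), dot1p_to_queue)
    if len(queues) > max_lossless:
        return (False, queues,
                f"{len(queues)} lossless queues {sorted(queues)} exceed the limit of {max_lossless}")
    return (True, queues, f"lossless queues {sorted(queues)}")


if __name__ == "__main__":
    for spec in ("3,4", "4,5-7", "1,3,5-7"):
        ok, _, msg = check_pfc_policy(spec)
        print(f"pfc priority {spec}: {'ok' if ok else 'REJECTED'}, {msg}")
    # Hypothetical alternative mapping (not from the guide) in which dot1p 3 and 4
    # share queue 1: the same priorities now fit, showing why a dot1p-queue
    # remap can make an existing PFC policy valid or invalid.
    remapped = {0: 0, 1: 0, 2: 0, 3: 1, 4: 1, 5: 2, 6: 3, 7: 3}
    print("pfc priority 3-5 with default mapping:", check_pfc_policy("3-5")[0])
    print("pfc priority 3-5 with remapped table:", check_pfc_policy("3-5", remapped)[0])
```

With the default table, pausing priorities 3 and 4 (queues 1 and 2) is accepted, while the guide's own syntax example 1,3,5-7 touches queues 0, 1 and 3 and would be rejected; the last two lines show the same priority range passing or failing purely because of the dot1p-queue mapping in force.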
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface when PFC mode is turned off and priority classes are disabled in a DCB input policy applied to the interface.
Prerequisite: A DCB input policy with PFC configuration is applied to the interface with the following conditions:
• PFC mode is off (no pfc mode on).
• No PFC priority classes are configured (no pfc priority priority-range).
The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface.
Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues.
1. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
2. Configure the port queues that will still function as no-drop queues for lossless traffic.
INTERFACE mode
pfc no-drop queues queue-range
For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table.
The maximum number of lossless queues globally supported on the switch is four.
The range is from 0 to 3. Separate the queue values with a comma; specify a queue range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3.
The default: No lossless queues are configured.
NOTE: Dell Networking OS Behavior: By default, no lossless queues are configured on a port.
A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message displays. Reconfigure the input policy using a smaller number of PFC priorities.
If you configure lossless queues on an interface that already has a DCB input policy with PFC enabled (pfc mode on), an error message displays.
Traffic may be interrupted due to an interface flap (going down and coming up) when you reconfigure lossless queues on no-drop priorities in an input policy and re-apply the policy to an interface.
Configuring the PFC Buffer in a Switch Stack
In a switch stack, you must configure all stacked ports with the same PFC configuration. In addition, you must configure a separate buffer of memory allocated exclusively to a service pool accessed by queues on which priority-based control flows are mapped.
These PFC-enabled queues ensure the lossless transmission of storage and server traffic. The buffer required for the PFC service pool is calculated based on the number of ports and port queues used by PFC traffic.
You can configure the size of the PFC buffer for all switches in a stack or all port pipes on a specified stack unit by entering the following commands on the master switch.
• Configure the PFC buffer for all switches in the stack.
CONFIGURATION mode
[no] dcb stack-unit all pfc-buffering pfc-port {1-56} pfc-queues {1-2}
By default, the PFC buffer is enabled on all ports on the stack unit.
• Configure the PFC buffer for all port pipes in a specified stack unit by specifying the port-pipe number, number of PFC-enabled ports, and number of configured lossless queues.
CONFIGURATION mode
[no] dcb stack-unit stack-unit-id [port-set port-set-id] pfc-buffering pfc-ports {1-56} pfc-queues {1-2}
Valid stack-unit IDs are 0 to 5.
The only valid port-set ID (port-pipe number) is 0.
Dell Networking OS Behavior: If you configure PFC on a 40GbE port, count the 40GbE port as four PFC-enabled ports in the pfc-port number you enter in the command syntax.
To achieve lossless PFC operation, the PFC port count and queue number used for the reserved buffer size that is created must be greater than or equal to the buffer size required for PFC-enabled ports and lossless queues on the switch.
For the PFC buffer configuration to take effect, you must reload the stack or a specified stack unit (use the reload command at EXEC Privilege level).
If you configure the PFC buffer on all stack units, delete the startup configuration on both the master and standby, and reload the stack, the new master (previously the standby) generates the syslog message PFC_BUFFER_CONFIG_CHANGED for each stack unit when it boots up.
Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic.
Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive. ETS allows different traffic types to coexist without interruption in the same converged link by:
• Allocating a guaranteed share of bandwidth to each priority group.
• Allowing each group to exceed its minimum guaranteed bandwidth if another group is not fully using its allotted bandwidth.
To configure ETS and apply an ETS output policy to an interface, you must:
1. Create a Quality of Service (QoS) output policy with ETS scheduling and bandwidth allocation settings.
2. Create a priority group of 802.1p traffic classes.
3. Configure a DCB output policy in which you associate a priority group with a QoS ETS output policy.
4. Apply the DCB output policy to an interface.
ETS Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure ETS bandwidth allocation or queue scheduling and apply a QoS ETS output policy on an interface.
• Configuring ETS bandwidth allocation or a queue scheduler for dot1p priorities in a priority group is applicable if the DCBx version used on a port is CIN (refer to Configuring DCBx) or CEE as a port version where CNA supports CEE and DUT port versions in AUTO or CEE mode.
• When allocating bandwidth or configuring a queue scheduler for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation (refer to Configuring Bandwidth Allocation for DCBx CIN) and dot1p-queue mapping (QoS dot1p Traffic Classification and Queue Assignment).
• Although an ETS output policy does not support WRED, ECN, rate shaping, and rate limiting because DCBx does not negotiate these parameters with peer devices, you can apply a QoS output policy with WRED and/or rate shaping on a DCBx CIN-enabled interface (refer to Configuring Port-Based Rate Shaping and Weighted Random Early Detection). In this case, the WRED or rate shaping configuration in the QoS output policy takes into account the bandwidth allocation or queue scheduler configured in the ETS output policy.
• You can only use a QoS ETS output policy in association with a priority group in a DCB output policy; it cannot be applied to an interface as a normal QoS output policy (refer to Applying an ETS Output Policy for a Priority Group to an Interface and Creating an Output QoS Policy in the Quality of Service (QoS) chapter).
NOTE: The IEEE 802.1Qaz, CEE, and CIN versions of ETS are supported.
Creating a QoS ETS Output Policy
A QoS output policy that you create to optimize bandwidth on an output interface for specified priority
traffic consists of the ETS settings (the bandwidth percentage and queue schedule) used in DCBx
negotiations with peer devices.
1.
Create a QoS output policy to configure the ETS bandwidth allocation and scheduling for priority
traffic.
CONFIGURATION mode
qos-policy-output policy-name ets
The maximum is 32 characters.
2.
(Optional) Configure the method used to schedule priority traffic in port queues.
POLICY-MAP-OUT-ETS mode
scheduler value
strict — Strict priority traffic is serviced before any other queued traffic (refer to Enabling StrictPriority Queueing in the Quality of Service (QoS) chapter).
NOTE: If you configure a scheduling method, you cannot configure bandwidth allocation in
Step 3.
3.
(Optional) Configure the bandwidth percentage allocated to priority traffic in port queues.
POLICY-MAP-OUT-ETS mode
bandwidth-percentage percentage
The percentage range is from 1 to 100% in units of 1%. The sum of bandwidth percentage assigned to
dot1p priorities/queues in a priority group should be 100%.
The default is none.
NOTE: If you configure bandwidth allocation, you cannot configure a scheduling method in
Step 2.
4.
Exit ETS Output Policy Configuration mode.
POLICY-MAP-OUT-ETS mode
exit
Dell Networking OS Behavior: Traffic in priority groups is assigned to strict-queue or WERR scheduling in
an ETS output policy and is managed using the ETS bandwidth-assignment algorithm. The system
dequeues all frames of strict-priority traffic before servicing any other queues. A queue with strict-priority
traffic can starve other queues in the same port.
ETS-assigned bandwidth allocation and scheduling apply only to data queues, not to control queues.
250
Data Center Bridging (DCB)
The Dell Networking OS supports hierarchical scheduling on an interface. The system control traffic is
redirected to control queues as higher priority traffic with strict-priority scheduling. After control queues
drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler
configuration in the ETS output policy. The available bandwidth (that the ETS algorithm calculates) is
equal to the link bandwidth after scheduling non-ETS higher-priority traffic.
The configuration of bandwidth allocation and strict-queue scheduling is not supported at the same time
for a priority group. If both are configured, the configured bandwidth allocation is ignored for prioritygroup traffic when you apply the output policy on an interface (refer to Applying an ETS Output Policy for
a Priority Group to an Interface).
Bandwidth assignment in a dot.1p priority-queue: By default, equal bandwidth is assigned to each port
queue and each dot1p priority in a priority group. To configure bandwidth amounts in associated dot1p
queues, use the bandwidth-percentage command. When specified bandwidth is assigned to some
port queues and not to others, the remaining bandwidth (100% minus assigned bandwidth amount) is
equally distributed to unassigned nonstrict priority queues in the priority group. The sum of the allocated
bandwidth to all queues in a priority group should be 100% of the bandwidth on the link.
Bandwidth assignment in a priority group: By default, equal bandwidth is assigned to each priority group
in the ETS output policy applied to an egress port if you did not configure bandwidth allocation. The sum
of configured bandwidth allocation to dot1p priority traffic in all ETS priority groups must be 100%.
Allocate at least 1% of the total bandwidth to each priority group and queue. If you assign bandwidth to
some priority groups but not to others, the remaining bandwidth (100% minus assigned bandwidth
amount) is equally distributed to nonstrict-priority groups which have no configured scheduler.
Scheduling of priority traffic: dot1p priority traffic on the switch is scheduled to the current queue
mapping. dot1p priorities within the same queue should have the same traffic properties and scheduling
method.
ETS output-policy error: If an error occurs in an ETS output-policy configuration, the configuration is
ignored and the scheduler and bandwidth allocation settings are reset to the ETS default values (all
priorities are in the same ETS priority group and bandwidth is allocated equally to each priority). If an error
occurs when a port receives a peer’s ETS configuration, the port’s configuration is reset to the previously
configured ETS output policy. If no ETS output policy was previously applied, the port is reset to the
default ETS parameters.
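The bandwidth-assignment rules in the paragraphs above, as an added Python model (not Dell Networking OS code) that checks an intended ETS output policy and computes the effective allocation before it is applied to an interface. Treating a dot1p priority that belongs to no priority group as a policy error, and splitting a group's share equally among its priorities, are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

DATA_QUEUES = 4      # data queues per port: the maximum number of priority groups on an interface
DOT1P = range(8)     # 802.1p priorities 0-7


@dataclass
class PriorityGroup:
    pgid: int                        # set-pgid value (0-7)
    priorities: List[int]            # priority-list values
    bandwidth: Optional[int] = None  # bandwidth-percentage in the ETS output policy, if configured
    strict: bool = False             # scheduler strict in the ETS output policy


def default_ets() -> Dict[int, float]:
    """ETS defaults: every priority in priority group 0, bandwidth split equally (12.5% each)."""
    return {p: 100 / len(DOT1P) for p in DOT1P}


def _bandwidth_summary(groups: List[PriorityGroup]):
    """Configured percentage that counts toward 100%, and the non-strict groups without one.
    A percentage configured on a strict group is ignored, so it is not counted."""
    assigned = sum(g.bandwidth for g in groups if g.bandwidth is not None and not g.strict)
    unassigned = [g for g in groups if g.bandwidth is None and not g.strict]
    return assigned, unassigned


def validate(groups: List[PriorityGroup]) -> List[str]:
    """Return the errors in an ETS output policy (an empty list means the policy is accepted).
    Treating a dot1p priority that belongs to no group as an error is this example's assumption."""
    errors: List[str] = []
    if len(groups) > DATA_QUEUES:
        errors.append(f"{len(groups)} priority groups exceed the {DATA_QUEUES} data queues on the port")
    pgids = [g.pgid for g in groups]
    if len(set(pgids)) != len(pgids):
        errors.append("a priority-group identifier (set-pgid) is used more than once")
    owner: Dict[int, int] = {}   # dot1p priority -> pgid that claims it
    for g in groups:
        if g.pgid not in DOT1P:
            errors.append(f"PG {g.pgid}: set-pgid is outside 0-7")
        if g.bandwidth is not None and not 1 <= g.bandwidth <= 100:
            errors.append(f"PG {g.pgid}: bandwidth-percentage {g.bandwidth} is outside 1-100")
        for p in g.priorities:
            if p not in DOT1P:
                errors.append(f"PG {g.pgid}: priority {p} is outside 0-7")
            elif p in owner:
                errors.append(f"priority {p} is in both PG {owner[p]} and PG {g.pgid}")
            owner[p] = g.pgid
    missing = sorted(set(DOT1P) - owner.keys())
    if missing:
        errors.append(f"priorities {missing} are not in any priority group")
    assigned, unassigned = _bandwidth_summary(groups)
    if assigned > 100:
        errors.append(f"configured bandwidth totals {assigned}% (more than 100%)")
    elif unassigned and 100 - assigned < len(unassigned):
        errors.append("less than 1% is left for each group without a configured percentage")
    elif not unassigned and assigned != 100:
        errors.append(f"configured bandwidth totals {assigned}% (should be 100%)")
    return errors


def group_allocation(groups: List[PriorityGroup]) -> Dict[int, Union[float, str]]:
    """Effective scheduling per priority group: 'strict' or a bandwidth percentage.
    Groups without a configured percentage share the remainder equally."""
    assigned, unassigned = _bandwidth_summary(groups)
    share = (100 - assigned) / len(unassigned) if unassigned else 0.0
    alloc: Dict[int, Union[float, str]] = {}
    for g in groups:
        if g.strict:
            alloc[g.pgid] = "strict"          # strict-queue scheduling; configured percentage ignored
        elif g.bandwidth is None:
            alloc[g.pgid] = share
        else:
            alloc[g.pgid] = float(g.bandwidth)
    return alloc


def priority_allocation(groups: List[PriorityGroup]) -> Dict[int, Union[float, str]]:
    """Per-dot1p allocation. A policy with errors is ignored and the ETS defaults apply;
    otherwise a group's percentage is split equally among its priorities (assumption)."""
    if validate(groups):
        return default_ets()
    alloc = group_allocation(groups)
    out: Dict[int, Union[float, str]] = {}
    for g in groups:
        for p in g.priorities:
            out[p] = "strict" if g.strict else alloc[g.pgid] / len(g.priorities)
    return out


# Constructed policies for the demonstration.
EXAMPLE = [
    PriorityGroup(0, [0, 1, 2], bandwidth=30),
    PriorityGroup(1, [3], bandwidth=50, strict=True),   # 50% is ignored: strict scheduling wins
    PriorityGroup(2, [4, 5]),                           # no percentage: takes what is left (50%)
    PriorityGroup(3, [6, 7], bandwidth=20),
]
BROKEN = [PriorityGroup(0, [0, 1, 2, 3], bandwidth=70),   # 70 + 40 exceeds 100%: the policy is
          PriorityGroup(1, [4, 5, 6, 7], bandwidth=40)]   # ignored and the ETS defaults apply
```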
Creating an ETS Priority Group
An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS
settings is applied on an egress interface. You can associate a priority group to more than one ETS output
policy on different interfaces.
1.
Create an ETS priority group to use with an ETS output policy.
CONFIGURATION mode
priority-group group-name
The maximum is 32 characters.
2.
Configure the priority-group identifier.
PRIORITY-GROUP mode
set-pgid value
The range is from 0 to 7.
The default is none.
3.
Configure the 802.1p priorities for the traffic on which you want to apply an ETS output policy.
PRIORITY-GROUP mode
priority-list value
The range is from 0 to 7.
The default is none.
Separate priority values with a comma. Specify a priority range with a dash. For example, priority-list
3,5-7.
4.
Exit priority-group configuration mode.
PRIORITY-GROUP mode
exit
5.
Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group.
Dell Networking OS Behavior: A priority group consists of 802.1p priority values that are grouped for
similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.1p
priorities mapped to the same queue must be in the same priority group.
Configure all 802.1p priorities in priority groups associated with an ETS output policy (refer to Applying an
ETS Output Policy for a Priority Group to an Interface). You can assign each dot1p priority to only one
priority group.
By default, all 802.1p priorities are grouped in priority group 0 and 100% of the port bandwidth is assigned
to priority group 0. The complete bandwidth is equally assigned to each priority class so that each class
has 12 to 13%.
The maximum number of priority groups supported in ETS output policies on an interface is equal to the
number of data queues (4) on the port. The 802.1p priorities in a priority group can map to multiple
queues.
If you configure more than one priority queue as strict priority or more than one priority group as strict
priority, the higher numbered priority queue is given preference when scheduling data traffic.
Applying an ETS Output Policy for a Priority Group to an Interface
To apply ETS on egress port traffic, you must associate a priority group with an ETS output policy which
has scheduling and bandwidth configuration in a DCB output policy, and then apply the output policy to
an interface.
1.
Create a DCB output policy to associate an ETS configuration with priority traffic.
CONFIGURATION mode
dcb-output policy-name
The maximum is 32 alphanumeric characters.
2.
Enable the ETS configuration so that scheduling and bandwidth allocation configured in an ETS
output policy or received in a DCBx TLV from a peer can take effect on an interface.
DCB OUTPUT POLICY mode
ets mode on
The default: ETS mode is on.
3.
Associate the 802.1p priority traffic in a priority group with the ETS configuration in a QoS output
policy.
DCB OUTPUT POLICY mode
priority-group group-name qos-policy ets-policy-name
4.
(Optional) Enter a text description of the output policy.
DCB OUTPUT POLICY mode
description text
The maximum is 32 characters.
5.
Repeat Steps 1 to 4 to configure all remaining ETS priority groups with an ETS output policy.
6.
Exit DCB Output Policy Configuration mode.
DCB OUTPUT POLICY mode
exit
7.
Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
8.
Apply the output policy with the ETS configuration to an egress interface.
INTERFACE mode
dcb-policy output policy-name
Dell Networking OS Behavior: Create a DCB output policy to associate a priority group with an ETS
output policy with scheduling and bandwidth configuration. You can apply a DCB output policy on
multiple egress ports.
The ETS configuration associated with 802.1p priority traffic in a DCB output policy is used in DCBx
negotiation with ETS peers.
When you apply an ETS output policy to an interface, ETS-configured scheduling and bandwidth
allocation take precedence over any configured settings in the QoS output policies.
To remove an ETS output policy from an interface, use the no dcb-policy output policy-name
command. DCB and ETS are both disabled by default. When DCB is enabled, ETS is enabled on all
interfaces that have the default ETS configuration applied.
If you disable ETS in an output policy applied to an interface (the no ets mode on command), any
previously configured QoS settings at the interface or global level take effect. If QoS settings are
configured at the interface or global level and in an output policy map (the service-policy output
command), the QoS configuration in the output policy takes precedence.
When you apply a DCB output policy with ETS bandwidth allocation to an egress interface which uses
default ETS settings, the configured bandwidth allocation may not be applied to dot1p priority traffic in
the specified priority group.
ETS Operation with DCBx
The following section describes DCBx negotiation with peer ETS devices.
In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows:
•
ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5.
•
The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a
DCBx Operation).
•
ETS configurations received from TLVs from a peer are validated.
•
If there is a hardware limitation or TLV error:
– DCBx operation on an ETS port goes down.
– New ETS configurations are ignored and existing ETS configurations are reset to the previously
configured ETS output policy on the port or to the default ETS settings if no ETS output policy was
previously applied.
•
ETS operates with legacy DCBx versions as follows:
– In the CEE version, the priority group/traffic class group (TCG) ID 15 represents a non-ETS priority
group. Any priority group configured with a scheduler type is treated as a strict-priority group and
is given the priority-group (TCG) ID 15.
– The CIN version supports two types of strict-priority scheduling:
*
Group strict priority: Use this to increase its bandwidth usage to the bandwidth total of the
priority group and allow a single priority flow in a priority group. A single flow in a group can
use all the bandwidth allocated to the group.
*
Link strict priority: Use this to increase to the maximum link bandwidth and allow a flow in any
priority group.
CIN supports only the dot1p priority-queue assignment in a priority group. To configure a dot1p
priority flow in a priority group to operate with link strict priority, you configure both the dot1p priority
for strict-priority scheduling (strict-priority command; Enabling Strict-Priority Queueing) and the
priority group for strict-priority scheduling (scheduler strict command; Creating a QoS ETS
Output Policy).
If you configure only the priority group in an ETS output policy or only the dot1p priority for strict-priority scheduling, the flow is handled with group strict priority.
Configuring Bandwidth Allocation for DCBx CIN
After you apply an ETS output policy to an interface, if the DCBx version used in your data center network
is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation.
This default setting divides the bandwidth allocated to each port queue equally between the dot1p
priority traffic assigned to the queue.
For more information, refer to Allocating Bandwidth to Queue.
To create a QoS output policy that allocates different amounts of bandwidth to the different traffic types/
dot1p priorities assigned to a queue and apply the output policy to the interface, follow these steps.
1.
Create a QoS output policy.
CONFIGURATION mode
qos-policy-output output-policy-name
The maximum is 32 alphanumeric characters.
2.
Configure the percentage of bandwidth to allocate to the dot1p priority/queue traffic in the
associated L2 class map.
QoS OUTPUT POLICY mode
bandwidth-percentage percentage
The default is none.
3.
Repeat Step 2 to configure bandwidth percentages for other priority queues on the port.
QoS OUTPUT POLICY mode
bandwidth-percentage percentage
4.
Create a priority group for strict-priority scheduling.
QoS OUTPUT POLICY mode
scheduler strict
5.
Exit QoS Output Policy Configuration mode.
QoS OUTPUT POLICY mode
exit
6.
Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
7.
Apply the QoS output policy with the bandwidth percentage for specified priority queues to an
egress interface.
INTERFACE mode
service-policy output output-policy-name
Applying DCB Policies in a Switch Stack
You can apply a DCB input policy with PFC configuration to all stacked ports in a switch stack or on a
stacked switch. You can apply different DCB input policies to different stacked switches.
To apply DCB policies in a switch stack, use the following command.
•
Apply the specified DCB input policy on all ports of the switch stack or a single stacked switch.
CONFIGURATION mode
dcb-policy input stack-unit {all | stack-unit-id} stack-ports all dcb-input-policy-name
Entering this command removes all DCB input policies applied to stacked ports.
Dell Networking Behavior: A dcb-policy input stack-unit all command overwrites any previous
dcb-policy input stack-unit stack-unit-id configurations. Similarly, a dcb-policy input
stack-unit stack-unit-id command overwrites any previous dcb-policy input stack-unit
all configuration.
Entering the no dcb-policy input stack-unit all command removes all DCB input policies
applied to stacked ports and resets PFC to its default settings. The no dcb-policy input stack-unit stack-unit-id command removes only the DCB input policy applied to the specified switch.
Applying DCB Policies with an ETS Configuration
You can apply a DCB output policy with ETS configuration to all stacked ports in a switch stack or an
individual stacked switch. In addition, you can apply different DCB output policies to different stack units.
•
Apply the specified DCB output policy on all ports of the switch stack or a stacked switch.
CONFIGURATION mode
dcb-policy output stack-unit {all | stack-unit-id} stack-ports all dcb-output-policy-name
Entering this command removes all DCB input policies applied to stacked ports.
Dell Networking Behavior: A dcb-policy output stack-unit all command overwrites any
previous dcb-policy output stack-unit stack-unit-id configurations. Similarly, a dcb-policy
output stack-unit stack-unit-id command overwrites any previous dcb-policy output
stack-unit all configuration.
Entering the no dcb-policy output stack-unit all command removes all DCB output policies
applied to stacked ports. The no dcb-policy output stack-unit stack-unit-id command
removes only the DCB output policy applied to the specified switch.
Configure a DCBx Operation
DCB devices use data center bridging exchange protocol (DCBx) to exchange configuration information
with directly connected peers using the link layer discovery protocol (LLDP).
DCBx can detect the misconfiguration of a peer DCB device, and optionally, configure peer DCB devices
with DCB feature settings to ensure consistent operation in a data center network.
DCBx is a prerequisite for using DCB features, such as priority-based flow control (PFC) and enhanced
transmission selection (ETS), to exchange link-level configurations in a converged Ethernet environment. DCBx
is also deployed in topologies that support lossless operation for FCoE or iSCSI traffic. In these scenarios,
all network devices are DCBx-enabled (DCBx is enabled end-to-end). For more information about how
these features are implemented and used, refer to:
•
Configuring Priority-Based Flow Control
•
Configure Enhanced Transmission Selection
•
Configuring FIP Snooping
DCBx supports the following versions: CIN, CEE, and IEEE2.5.
Prerequisite: For DCBx, enable LLDP on all DCB devices.
DCBx Operation
DCBx performs the following operations:
•
Discovers DCB configuration (such as PFC and ETS) in a peer device.
•
Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly
configured on a peer device and the local switch. Mis-configuration detection is feature-specific
because some DCB features support asymmetric configuration.
•
Reconfigures a peer device with the DCB configuration from its configuration source if the peer
device is willing to accept configuration.
•
Accepts the DCB configuration from a peer if a DCBx port is in “willing” mode to accept a peer’s DCB
settings and then internally propagates the received DCB configuration to its peer ports.
DCBx Port Roles
To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned
from peer DCBx devices internally to other switch ports, use the following DCBx port roles.
Auto-upstream
The port advertises its own configuration to DCBx peers and receives its
configuration from DCBX peers (ToR or FCF device). The port also propagates its
configuration to other ports on the switch.
The first auto-upstream port that is capable of receiving a peer configuration is elected
as the configuration source. The elected configuration source then internally
propagates the configuration to other auto-upstream and auto-downstream ports.
A port that receives an internally propagated configuration overwrites its local
configuration with the new parameter values.
When an auto-upstream port (besides the configuration source) receives and
overwrites its configuration with internally propagated information, one of the
following actions is taken:
•
If the peer configuration received is compatible with the internally propagated
port configuration, the link with the DCBx peer is enabled.
•
If the received peer configuration is not compatible with the currently
configured port configuration, the link with the DCBX peer port is disabled and
a syslog message for an incompatible configuration is generated. The network
administrator must then reconfigure the peer device so that it advertises a
compatible DCB configuration.
The configuration received from a DCBX peer or from an internally propagated
configuration is not stored in the switch’s running configuration.
On a DCBX port in an auto-upstream role, the PFC and application priority TLVs are
enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are
enabled.
Auto-downstream
The port advertises its own configuration to DCBx peers but is not willing to
receive remote peer configuration. The port always accepts internally propagated
configurations from a configuration source. An auto-downstream port that
receives an internally propagated configuration overwrites its local configuration
with the new parameter values.
When an auto-downstream port receives and overwrites its configuration with
internally propagated information, one of the following actions is taken:
•
If the peer configuration received is compatible with the internally propagated
port configuration, the link with the DCBx peer is enabled.
•
If the received peer configuration is not compatible with the currently
configured port configuration, the link with the DCBX peer port is disabled and
a syslog message for an incompatible configuration is generated. The network
administrator must then reconfigure the peer device so that it advertises a
compatible DCB configuration.
The internally propagated configuration is not stored in the switch’s running
configuration. On a DCBX port in an auto-downstream role, all PFC, application
priority, ETS recommend, and ETS configuration TLVs are enabled.
Configuration
source
The port is configured to serve as a source of configuration information on the
switch. Peer DCB configurations received on the port are propagated to other
DCBx auto-configured ports. If the peer configuration is compatible with a port
configuration, DCBx is enabled on the port.
On a configuration-source port, the link with a DCBx peer is enabled when the port
receives a DCB configuration that can be internally propagated to other auto-configured ports.
The configuration received from a DCBX peer is not stored in the switch’s running
configuration.
On a DCBX port that is the configuration source, all PFC and application priority
TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs
are enabled.
Manual
The port is configured to operate only with administrator-configured settings and
does not auto-configure with DCB settings received from a DCBx peer or from an
internally propagated configuration from the configuration source. If you enable
DCBx, ports in Manual mode advertise their configurations to peer devices but do
not accept or propagate internal or external configurations. Unlike other user-configured ports, the
configuration of DCBx ports in Manual mode is saved in the running configuration.
On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and
ETS configuration TLVs are enabled.
The default for the DCBx port role is manual.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows:
•
The application priority TLV is transmitted only if the priorities in the advertisement match the
configured PFC priorities on the port.
•
On auto-upstream and auto-downstream ports:
– If a configuration source is elected, the ports send an application priority TLV based on the
application priority TLV received on the configuration-source port. When an application
priority TLV is received on the configuration-source port, the auto-upstream and auto-downstream ports use the internally propagated PFC priorities to match against the received
application priority. Otherwise, these ports use their locally configured PFC priorities in
application priority TLVs.
– If no configuration source is configured, auto-upstream and auto-downstream ports check
to see that the locally configured PFC priorities match the priorities in a received application
priority TLV.
•
On manual ports, an application priority TLV is advertised only if the priorities in the TLV match
the PFC priorities configured on the port.
DCB Configuration Exchange
The DCBx protocol supports the exchange and propagation of configuration information for the
enhanced transmission selection (ETS) and priority-based flow control (PFC) DCB features.
DCBx uses the following methods to exchange DCB configuration parameters:
Asymmetric
DCB parameters are exchanged between a DCBx-enabled port and a peer port
without requiring that a peer port and the local port use the same configured
values for the configurations to be compatible. For example, ETS uses an
asymmetric exchange of parameters between DCBx peers.
Symmetric
DCB parameters are exchanged between a DCBx-enabled port and a peer port but
requires that each configured parameter value be the same for the configurations
in order to be compatible. For example, PFC uses a symmetric exchange of
parameters between DCBx peers.
Configuration Source Election
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port
first checks to see if there is an active configuration source on the switch.
•
If a configuration source already exists, the received peer configuration is checked against the local
port configuration. If the received configuration is compatible, DCBx marks the port as DCBx-enabled. If the configuration received from the peer is not compatible, a warning message is logged
and the DCBx frame error counter is incremented. Although DCBx is operationally disabled, the port
keeps the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is
later received, DCBx is enabled on the port.
•
If there is no configuration source, a port may elect itself as the configuration source. A port may
become the configuration source if the following conditions exist:
– No other port is the configuration source.
– The port role is auto-upstream.
– The port is enabled with link up and DCBx enabled.
– The port has performed a DCBx exchange with a DCBx peer.
– The switch is capable of supporting the received DCB configuration values through either a
symmetric or asymmetric parameter exchange.
A newly elected configuration source propagates configuration changes received from a peer to the
other auto-configuration ports. Ports receiving auto-configuration information from the configuration
source ignore their current settings and use the configuration source information.
Propagation of DCB Information
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port
acts as a DCBx client and checks if a DCBx configuration source exists on the switch.
•
If a configuration source is found, the received configuration is checked against the currently
configured values that are internally propagated by the configuration source. If the local configuration
is compatible with the received configuration, the port is enabled for DCBx operation and
synchronization.
•
If the configuration received from the peer is not compatible with the internally propagated
configuration used by the configuration source, the port is disabled as a client for DCBx operation and
synchronization and a syslog error message is generated. The port keeps the peer link up and
continues to exchange DCBx packets. If a compatible configuration is later received from the peer,
the port is enabled for DCBx operation.
NOTE: DCB configurations internally propagated from a configuration source do not overwrite the
configuration on a DCBx port in a manual role. When a configuration source is elected, all auto-upstream ports other than the configuration source are marked as willing disabled. The internally
propagated DCB configuration is refreshed on all auto-configuration ports and each port may begin
configuration negotiation with a DCBx peer again.
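The election conditions, the internal propagation to auto-configured ports and the symmetric (PFC) versus asymmetric (ETS) compatibility check described in the sections above, as an added Python model that is not Dell Networking OS code. The port names, the four-priority-group hardware limit, the ETS support test, and the syslog line format are assumptions of the example; only the message tags come from the DCBx Error Messages list in this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTO_ROLES = ("auto-upstream", "auto-downstream")


@dataclass
class DcbConfig:
    pfc_priorities: frozenset          # PFC-enabled dot1p priorities (symmetric parameter)
    ets_bandwidth: Dict[int, int]      # priority group -> bandwidth % (asymmetric parameter)


@dataclass
class Port:
    name: str
    role: str                          # auto-upstream | auto-downstream | config-source | manual
    config: DcbConfig                  # the DCB configuration the port currently operates with
    link_up: bool = True
    dcbx_enabled: bool = True
    exchanged: bool = False            # has completed a DCBx exchange with a peer
    operational: bool = False          # DCBx operationally enabled on the port
    frame_errors: int = 0              # DCBx frame error counter


class DcbxSwitch:
    """Configuration-source election and internal propagation, following the text."""

    def __init__(self, ports: List[Port], max_priority_groups: int = 4):
        self.ports = {p.name: p for p in ports}
        self.max_priority_groups = max_priority_groups   # assumed hardware limit for the model
        self.config_source: Optional[str] = None
        self.syslog: List[str] = []                      # constructed lines carrying the page's tags

    def supports(self, cfg: DcbConfig) -> bool:
        """Can the switch honour the received ETS values? (asymmetric: they need not match ours)"""
        return (len(cfg.ets_bandwidth) <= self.max_priority_groups
                and sum(cfg.ets_bandwidth.values()) == 100)

    def compatible(self, port: Port, peer: DcbConfig) -> bool:
        """Log the PFC/ETS match or mismatch messages and return overall compatibility."""
        pfc_ok = port.config.pfc_priorities == peer.pfc_priorities   # symmetric: must be identical
        ets_ok = self.supports(peer)
        self.syslog.append(f"{port.name}: DSM_DCBx_PFC_PARAMETERS_{'MATCH' if pfc_ok else 'MISMATCH'}")
        self.syslog.append(f"{port.name}: DSM_DCBx_ETS_PARAMETERS_{'MATCH' if ets_ok else 'MISMATCH'}")
        return pfc_ok and ets_ok

    def can_elect(self, port: Port) -> bool:
        """The election conditions listed under Configuration Source Election."""
        return (self.config_source is None and port.role == "auto-upstream"
                and port.link_up and port.dcbx_enabled and port.exchanged)

    def propagate(self, cfg: DcbConfig) -> None:
        """Overwrite the auto-configured ports with cfg; manual ports keep their own settings.
        (Propagated values are operational only; they are not written to the running configuration.)"""
        for other in self.ports.values():
            if other.role in AUTO_ROLES or other.role == "config-source":
                other.config = cfg

    def receive(self, port_name: str, peer: DcbConfig) -> bool:
        """Handle a peer's DCB configuration on a port; return whether DCBx is operational afterwards."""
        port = self.ports[port_name]
        if port.role == "manual":
            return port.operational       # manual ports advertise but never accept configuration
        port.exchanged = True
        if (port.role == "config-source" or self.can_elect(port)) and self.supports(peer):
            self.config_source = port.name
            self.propagate(peer)
            port.operational = True
            self.syslog.append(f"{port.name}: elected configuration source")   # constructed message
            return True
        # A client port: check the peer against the propagated (or local) values.
        port.operational = self.compatible(port, peer)
        if not port.operational:
            port.frame_errors += 1        # link stays up; DCBx packets keep being exchanged
        return port.operational


def scenario() -> DcbxSwitch:
    """Constructed topology: a ToR-facing uplink, a server-facing port and a manual port
    (interface names are assumed for the example)."""
    local = DcbConfig(frozenset({3}), {0: 50, 1: 50})
    sw = DcbxSwitch([
        Port("Fo 0/33", "auto-upstream", local),
        Port("Te 0/1", "auto-downstream", local),
        Port("Te 0/2", "manual", local),
    ])
    # The ToR advertises PFC on priorities 3 and 4 with a different ETS split: Fo 0/33 is
    # elected configuration source and the ToR's settings are propagated to Te 0/1 only.
    sw.receive("Fo 0/33", DcbConfig(frozenset({3, 4}), {0: 60, 1: 40}))
    return sw
```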
Auto-Detection and Manual Configuration of the DCBx Version
When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port
automatically detects the DCBx version on a peer port. Legacy CIN and CEE versions are supported in
addition to the standard IEEE version 2.5 DCBx.
A DCBx port detects a peer version after receiving a valid frame for that version. The local DCBx port
reconfigures to operate with the peer version and maintains the peer version on the link until one of the
following conditions occurs:
•
The switch reboots.
•
The link is reset (goes down and up).
•
User-configured CLI commands require the version negotiation to restart.
•
The peer times out.
•
Multiple peers are detected on the link.
If you configure a DCBx port to operate with a specific version (the DCBx version {cee | cin |
ieee-v2.5} command in Configuring DCBx), DCBx operations are performed according to the
configured version, including fast and slow transmit timers and message formats. If a DCBx frame with a
different version is received, a syslog message is generated and the peer version is recorded in the peer
status table. If the frame cannot be processed, it is discarded and the discard counter is incremented.
NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed
when DCBx is configured to operate in CEE mode and vice versa. In this case, the unrecognized
TLVs cause the unrecognized TLV counter to increment, but the frame is processed and is not
discarded.
Legacy DCBx (CIN and CEE) supports the DCBx control state machine that is defined to maintain the
sequence number and acknowledge the number sent in the DCBx control TLVs.
DCBx Example
The following figure shows how DCBX is used on an MXL Switch installed in a PowerEdge M1000e
chassis in which servers are also installed.
The external 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks
configured as DCBx auto-upstream ports. The MXL switch is connected to third-party, top-of-rack (ToR)
switches through 40GbE uplinks. The ToR switches are part of a Fibre Channel storage network.
The internal ports (ports 1-32) connected to the 10GbE backplane are configured as auto-downstream
ports.
On the MXL switch, PFC and ETS use DCBx to exchange link-level configuration with DCBx peer devices.
Figure 30. DCBx Sample Topology
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
•
For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol
lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations
in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a
local DCBx interface, LLDP is shut down.
•
The CIN version of DCBx supports only PFC, ETS, and FCoE; it does not support iSCSI, backward
congestion management (BCN), logical link down (LLDF), and network interface virtualization (NIV).
Configuring DCBx
To configure DCBx, follow these steps.
For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, refer to Link Layer
Discovery Protocol (LLDP).
Configure DCBx operation at the interface level on a switch or globally on the switch. To configure an
MXL switch for DCBx operation in a data center network, you must:
1.
Configure ToR- and FCF-facing interfaces as auto-upstream ports.
2.
Configure server-facing interfaces as auto-downstream ports.
3.
Configure a port to operate in a configuration-source role.
4.
Configure ports to operate in a manual role.
1.
Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
2.
Enter LLDP Configuration mode to enable DCBx operation.
INTERFACE mode
[no] protocol lldp
3.
Configure the DCBx version used on the interface, where: auto configures the port to operate using
the DCBx version received from a peer.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
•
cee: configures the port to use CEE (Intel 1.01).
•
cin: configures the port to use Cisco-Intel-Nuova (DCBx 1.0).
•
ieee-v2.5: configures the port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
4.
Configure the DCBx port role the interface uses to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx port-role {config-source | auto-downstream | auto-upstream |
manual}
•
auto-upstream: configures the port to receive a peer configuration. The configuration source is
elected from auto-upstream ports.
•
auto-downstream: configures the port to accept the internally propagated DCB configuration
from a configuration source.
•
config-source: configures the port to serve as the configuration source on the switch.
•
manual: configures the port to operate only on administrator-configured DCB parameters. The port
does not accept a DCB configuration received from a peer or a local configuration source.
The default is Manual.
5.
On manual ports only: Configure the PFC and ETS TLVs advertised to DCBx peers.
PROTOCOL LLDP mode
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco |
pfc] [ets-conf | ets-reco | pfc]
•
ets-conf: enables the advertisement of ETS Configuration TLVs.
•
ets-reco: enables the advertisement of ETS Recommend TLVs.
•
pfc: enables the advertisement of PFC TLVs.
The default is that all PFC and ETS TLVs are advertised.
NOTE: You can configure the transmission of more than one TLV type at a time; for example,
advertise DCBx-tlv ets-conf ets-reco. You can enable ETS recommend TLVs (ets-reco)
only if you enable ETS configuration TLVs (ets-conf).
To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-tlv pfc ets-reco.
6.
On manual ports only: Configure the Application Priority TLVs advertised on the interface to DCBx
peers.
PROTOCOL LLDP mode
[no] advertise DCBx-appln-tlv {fcoe | iscsi}
•
fcoe: enables the advertisement of FCoE in Application Priority TLVs.
•
iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is that Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no
advertise DCBx-appln-tlv iscsi.
For information about how to use FCoE and iSCSI, refer to Fibre Channel over Ethernet and iSCSI
Optimization.
To verify the DCBx configuration on a port, use the show interface DCBx detail command.
Configuring DCBx Globally on the Switch
To globally configure the DCBx operation on a switch, follow these steps.
1.
Enter Global Configuration mode.
EXEC PRIVILEGE mode
configure
2.
Enter LLDP Configuration mode to enable DCBx operation.
CONFIGURATION mode
[no] protocol lldp
3.
Configure the DCBx version used on all interfaces not already configured to exchange DCB
information.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
•
auto: configures all ports to operate using the DCBx version received from a peer.
•
cee: configures a port to use CEE (Intel 1.01).
•
cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
•
ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use
the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4.
Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
PROTOCOL LLDP mode
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco |
pfc] [ets-conf | ets-reco | pfc]
•
ets-conf: enables transmission of ETS Configuration TLVs.
•
ets-reco: enables transmission of ETS Recommend TLVs.
•
pfc: enables transmission of PFC TLVs.
NOTE: You can configure the transmission of more than one TLV type at a time. You can only
enable ETS recommend TLVs (ets-reco) if you enable ETS configuration TLVs (ets-conf). To
disable TLV transmission, use the no form of the command; for example, no advertise
DCBx-tlv pfc ets-reco.
The default is that all TLV types are enabled.
5.
Configure the Application Priority TLVs that advertise on unconfigured interfaces with a manual port-role.
PROTOCOL LLDP mode
[no] advertise DCBx-appln-tlv {fcoe | iscsi}
•
fcoe: enables the advertisement of FCoE in Application Priority TLVs.
•
iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no
advertise DCBx-appln-tlv iscsi.
For information about how to use FCoE and iSCSI, refer to Fibre Channel over Ethernet and iSCSI
Optimization.
6. Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.
PROTOCOL LLDP mode
[no] fcoe priority-bits priority-bitmap
The priority-bitmap range is from 1 to FF.
The default is 0x8.
7. Configure the iSCSI priority advertised for the iSCSI protocol in Application Priority TLVs.
PROTOCOL LLDP mode
[no] iscsi priority-bits priority-bitmap
The priority-bitmap range is from 1 to FF.
The default is 0x10.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
DSM_DCBx_PFC_PARAMETERS_MATCH and DSM_DCBx_PFC_PARAMETERS_MISMATCH: A local DCBx port received a compatible (match) or incompatible (mismatch) PFC configuration from a peer.
DSM_DCBx_ETS_PARAMETERS_MATCH and DSM_DCBx_ETS_PARAMETERS_MISMATCH: A local DCBx port received a compatible (match) or incompatible (mismatch) ETS configuration from a peer.
LLDP_UNRECOGNISED_DCBx_TLV_RECEIVED: A local DCBx port received an unrecognized DCBx TLV from a peer.
Debugging DCBx on an Interface
To enable DCBx debug traces for all or a specific control paths, use the following command.
• Enable DCBx debugging.
EXEC PRIVILEGE mode
debug DCBx {all | auto-detect-timer | config-exchng | fail | mgmt | resource | sem | tlv}
– all: enables all DCBx debugging operations.
– auto-detect-timer: enables traces for DCBx auto-detect timers.
– config-exchng: enables traces for DCBx configuration exchanges.
– fail: enables traces for DCBx failures.
– mgmt: enables traces for DCBx management frames.
– resource: enables traces for DCBx system resource frames.
– sem: enables traces for the DCBx state machine.
– tlv: enables traces for DCBx TLVs.
Verifying the DCB Configuration
To display DCB configurations, use the following show commands.
Table 10. Displaying DCB Configurations

Command: show dot1p-queue mapping
Output: Displays the current 802.1p priority-queue mapping.

Command: show dcb [stack-unit unit-number]
Output: Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. The range is from 0 to 5.

Command: show qos dcb-input [pfc-profile]
Output: Displays the PFC configuration in a DCB input policy.

Command: show qos dcb-output [ets-profile]
Output: Displays the ETS configuration in a DCB output policy.

Command: show qos priority-groups
Output: Displays the ETS priority groups configured on the switch, including the 802.1p priority classes and ID of each group.

Command: show interface port-type slot/port pfc {summary | detail}
Output: Displays the PFC configuration applied to ingress traffic on an interface, including priorities and link delay. To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command.

Command: show interface port-type slot/port pfc statistics
Output: Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface.

Command: show interface port-type slot/port ets {summary | detail}
Output: Displays the ETS configuration applied to egress traffic on an interface, including priority groups with priorities and bandwidth allocation. To clear ETS TLV counters, enter the clear ets counters interface port-type slot/port command.
Example of the show dot1p-queue mapping Command
Dell(conf)# show dot1p-queue-mapping
Dot1p Priority: 0 1 2 3 4 5 6 7
Queue         : 0 0 0 1 2 3 3 3

Example of the show dcb Command
Dell# show dcb
stack-unit 0 port-set 0
DCB Status : Enabled
PFC Port Count : 56 (current), 56 (configured)
PFC Queue Count : 2 (current), 2 (configured)

Example of the show qos dcb-input Command
Dell(conf)# show qos dcb-input
dcb-input pfc-profile
pfc link-delay 32
pfc priority 0-1
dcb-input pfc-profile1
no pfc mode on
pfc priority 6-7

Example of the show qos dcb-output Command
Dell# show qos dcb-output
dcb-output ets
priority-group san qos-policy san
priority-group ipc qos-policy ipc
priority-group lan qos-policy lan

Example of the show qos priority-groups Command
Dell#show qos priority-groups
priority-group ipc
priority-list 4
set-pgid 2

Example of the show interfaces pfc summary Command
Dell# show interfaces tengigabitethernet 0/49 pfc summary
Interface TenGigabitEthernet 0/49
Admin mode is on
Admin is enabled
Remote is enabled, Priority list is 4
Remote Willing Status is enabled
Local is enabled
Oper status is Recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quantams
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8

Example of the show interfaces pfc detail Command
Dell# show interfaces tengigabitethernet 0/49 pfc detail
Interface TenGigabitEthernet 0/49
Admin mode is on
Admin is enabled
Remote is enabled
Remote Willing Status is enabled
Local is enabled
Oper status is recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quanta
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts
The following table describes the show interface pfc summary command fields.
Table 11. show interface pfc summary Command Description

Interface
    Interface type with stack-unit and port number.
Admin mode is on; Admin is enabled
    PFC Admin mode is on or off with a list of the configured PFC priorities. When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect. The admin operational status for a DCBx exchange of PFC configuration is enabled or disabled.
Remote is enabled; Priority list; Remote Willing Status is enabled
    Operational status (enabled or disabled) of peer device for DCBx exchange of PFC configuration with a list of the configured PFC priorities. Willing status of peer device for DCBx exchange (Willing bit received in PFC TLV): enabled or disabled.
Local is enabled
    DCBx operational status (enabled or disabled) with a list of the configured PFC priorities.
Operational status (local port)
    DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration:
    • Init: Local PFC configuration parameters were exchanged with peer.
    • Recommend: Remote PFC configuration parameters were received from peer.
    • Internally propagated: PFC configuration parameters were received from configuration source.
PFC DCBx Oper status
    Operational status for exchange of PFC configuration on local port: match (up) or mismatch (down).
State Machine Type
    Type of state machine used for DCBx exchanges of PFC parameters:
    • Feature: for legacy DCBx versions
    • Symmetric: for an IEEE version
TLV Tx Status
    Status of PFC TLV advertisements: enabled or disabled.
PFC Link Delay
    Link delay (in quanta) used to pause specified priority traffic.
Application Priority TLV: FCOE TLV Tx Status
    Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled.
Application Priority TLV: ISCSI TLV Tx Status
    Status of iSCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled.
Application Priority TLV: Local FCOE Priority Map
    Priority bitmap used by local DCBx port in FCoE advertisements in application priority TLVs.
Application Priority TLV: Local ISCSI Priority Map
    Priority bitmap used by local DCBx port in iSCSI advertisements in application priority TLVs.
Application Priority TLV: Remote FCOE Priority Map
    Status of FCoE advertisements in application priority TLVs from remote peer port: enabled or disabled.
Application Priority TLV: Remote ISCSI Priority Map
    Status of iSCSI advertisements in application priority TLVs from remote peer port: enabled or disabled.
PFC TLV Statistics: Input TLV pkts
    Number of PFC TLVs received.
PFC TLV Statistics: Output TLV pkts
    Number of PFC TLVs transmitted.
PFC TLV Statistics: Error pkts
    Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts
    Number of PFC pause frames transmitted.
PFC TLV Statistics: Pause Rx pkts
    Number of PFC pause frames received.
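The pfc summary output above exposes the local and remote FCoE/iSCSI priority bitmaps (the same bitmap values that the fcoe priority-bits and iscsi priority-bits steps configure, 0x8 being priority 3 and 0x10 priority 4) and the peer's PFC priority list. The following added example, not code from the guide or from Dell, parses a constructed copy of that output, decodes the bitmaps, and reports where the two ends of the link disagree; the sample text and the field names it matches on are taken from the output shown above, and the "peer advertises a storage priority it does not list as PFC-enabled" check is an added consistency check, not a rule stated by the guide.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the show interfaces pfc summary output above;
# the Remote ISCSI PriorityMap deliberately differs from the local one.
SAMPLE_PFC_SUMMARY = """\
Interface TenGigabitEthernet 0/49
Admin is enabled
Remote is enabled, Priority list is 4
Local is enabled
PFC DCBx Oper status is Up
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
"""


def bitmap_to_priorities(bitmap: int) -> List[int]:
    """Decode a dot1p bitmap (bit n set = priority n): 0x8 -> [3], 0x10 -> [4]."""
    return [p for p in range(8) if (bitmap >> p) & 1]


def priorities_to_bitmap(priorities) -> int:
    """Inverse of bitmap_to_priorities: the value given to fcoe/iscsi priority-bits."""
    if any(not 0 <= p <= 7 for p in priorities):
        raise ValueError("dot1p priorities must be in 0-7")
    return sum(1 << p for p in set(priorities))


def parse_priority_list(text: str) -> List[int]:
    """Parse a CLI priority list such as '4', '0-1' or '3,5-7' into sorted ints."""
    result = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            result.update(range(lo, hi + 1))
        elif part:
            result.add(int(part))
    return sorted(result)


@dataclass
class PfcSummary:
    interface: str = ""
    pfc_oper_up: bool = False
    remote_enabled: bool = False
    remote_priorities: List[int] = field(default_factory=list)
    local_maps: Dict[str, int] = field(default_factory=dict)   # "FCOE"/"ISCSI" -> bitmap
    remote_maps: Dict[str, int] = field(default_factory=dict)


def parse_pfc_summary(text: str) -> PfcSummary:
    """Extract the fields the consistency check needs from pfc summary output."""
    s = PfcSummary()
    m = re.search(r"^Interface (.+)$", text, re.M)
    if m:
        s.interface = m.group(1).strip()
    m = re.search(r"^PFC DCBx Oper status is (\w+)", text, re.M)
    s.pfc_oper_up = bool(m) and m.group(1).lower() == "up"
    m = re.search(r"^Remote is (enabled|disabled)(?:, Priority list is ([\d,\- ]+))?", text, re.M)
    if m:
        s.remote_enabled = m.group(1) == "enabled"
        if m.group(2):
            s.remote_priorities = parse_priority_list(m.group(2))
    pattern = r"^(Local|Remote) (FCOE|ISCSI) PriorityMap is 0x([0-9A-Fa-f]+)"
    for side, proto, hexval in re.findall(pattern, text, re.M):
        (s.local_maps if side == "Local" else s.remote_maps)[proto] = int(hexval, 16)
    return s


def check_pfc_summary(s: PfcSummary) -> List[str]:
    """Return findings; an empty list means both ends agree on the storage priorities."""
    findings = []
    if not s.pfc_oper_up:
        findings.append(f"{s.interface}: PFC DCBx Oper status is not Up (PFC parameters mismatch)")
    for proto in ("FCOE", "ISCSI"):
        local, remote = s.local_maps.get(proto), s.remote_maps.get(proto)
        if local is None or remote is None:
            continue
        if local != remote:
            findings.append(f"{s.interface}: {proto} priority map mismatch: local 0x{local:X} "
                            f"{bitmap_to_priorities(local)} vs remote 0x{remote:X} "
                            f"{bitmap_to_priorities(remote)}")
        # Added check (not from the guide): a storage priority the peer advertises
        # but does not list as PFC-enabled is not lossless on that link.
        uncovered = [p for p in bitmap_to_priorities(remote) if p not in s.remote_priorities]
        if s.remote_enabled and uncovered:
            findings.append(f"{s.interface}: peer advertises {proto} on priorities {uncovered} "
                            f"but its PFC priority list is {s.remote_priorities}")
    return findings


if __name__ == "__main__":
    for finding in check_pfc_summary(parse_pfc_summary(SAMPLE_PFC_SUMMARY)):
        print(finding)
```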
Example of the show interface pfc statistics Command
Dell#show interfaces tengigabitethernet 0/3 pfc statistics
Interface TenGigabitEthernet 0/3
Priority  Rx XOFF Frames  Rx Total Frames  Tx Total Frames
---------------------------------------------------------
0         0               0                0
1         0               0                0
2         0               0                0
3         0               0                0
4         0               0                0
5         0               0                0
6         0               0                0
7         0               0                0
Example of the show interface ets summary Command
Dell(conf)# show interfaces te 0/0 ets summary
Interface TenGigabitEthernet 0/0
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Remote Parameters:
-------------------
Remote is disabled

Local Parameters :
------------------
Local is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

Example of the show interface ets detail Command
Dell(conf)# show interfaces tengigabitethernet 0/0 ets detail
Interface TenGigabitEthernet 0/0
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Remote Parameters:
-------------------
Remote is disabled

Local Parameters :
------------------
Local is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

The following table describes the show interface ets detail command fields.
Table 12. show interface ets detail Command Description

Interface
    Interface type with stack-unit and port number.
Max Supported TC Group
    Maximum number of priority groups supported.
Number of Traffic Classes
    Number of 802.1p priorities currently configured.
Admin mode
    ETS mode: on or off. When on, the scheduling and bandwidth allocation configured in an ETS output policy or received in a DCBx TLV from a peer can take effect on an interface.
Admin Parameters
    ETS configuration on local port, including priority groups, assigned dot1p priorities, and bandwidth allocation.
Remote Parameters
    ETS configuration on remote peer port, including Admin mode (enabled if a valid TLV was received or disabled), priority groups, assigned dot1p priorities, and bandwidth allocation. If the ETS Admin mode is enabled on the remote port for DCBx exchange, the Willing bit received in ETS TLVs from the remote peer is included.
Local Parameters
    ETS configuration on local port, including Admin mode (enabled when a valid TLV is received from a peer), priority groups, assigned dot1p priorities, and bandwidth allocation.
Operational status (local port)
    Port state for current operational ETS configuration:
    • Init: Local ETS configuration parameters were exchanged with peer.
    • Recommend: Remote ETS configuration parameters were received from peer.
    • Internally propagated: ETS configuration parameters were received from configuration source.
ETS DCBx Oper status
    Operational status of ETS configuration on local port: match or mismatch.
State Machine Type
    Type of state machine used for DCBx exchanges of ETS parameters:
    • Feature: for legacy DCBx versions
    • Asymmetric: for an IEEE version
Conf TLV Tx Status
    Status of ETS Configuration TLV advertisements: enabled or disabled.
ETS TLV Statistic: Input Conf TLV pkts
    Number of ETS Configuration TLVs received.
ETS TLV Statistic: Output Conf TLV pkts
    Number of ETS Configuration TLVs transmitted.
ETS TLV Statistic: Error Conf TLV pkts
    Number of ETS Error Configuration TLVs received.
Example of the show stack-unit all stack-ports all pfc details Command
Dell(conf)# show stack-unit all stack-ports all pfc details
stack unit 0 stack-port all
Admin mode is On
Admin is enabled, Priority list is 4-5
Local is enabled, Priority list is 4-5
Link Delay 45556 pause quantum
0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
Admin mode is On
Admin is enabled, Priority list is 4-5
Local is enabled, Priority list is 4-5
Link Delay 45556 pause quantum
0 Pause Tx pkts, 0 Pause Rx pkts

Example of the show stack-unit all stack-ports all ets details Command
Dell(conf)# show stack-unit all stack-ports all ets details
Stack unit 0 stack port all
Max Supported TC Groups is 4
Number of Traffic Classes is 1
Admin mode is on
Admin Parameters:
--------------------
Admin is enabled
TC-grp  Priority#        Bandwidth  TSA
------------------------------------------------
0       0,1,2,3,4,5,6,7  100%       ETS
1       -                -          -
2       -                -          -
3       -                -          -
4       -                -          -
5       -                -          -
6       -                -          -
7       -                -          -
8       -                -          -
Stack unit 1 stack port all
Max Supported TC Groups is 4
Number of Traffic Classes is 1
Admin mode is on
Admin Parameters:
--------------------
Admin is enabled
TC-grp  Priority#        Bandwidth  TSA
------------------------------------------------
0       0,1,2,3,4,5,6,7  100%       ETS
1       -                -          -
2       -                -          -
3       -                -          -
4       -                -          -
5       -                -          -
6       -                -          -
7       -                -          -
8       -                -          -
Example of the show interface DCBx detail Command
Dell(conf)# show interface tengigabitethernet 0/49 dcbx detail
Dell#show interface te 0/49 dcbx detail
E-ETS Configuration TLV enabled           e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled          r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled           p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled   f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled  i-Application Priority for iSCSI disabled
--------------------------------------------------------------------------------
Interface TenGigabitEthernet 0/49
Remote Mac Address 00:00:00:00:00:11
Port Role is Auto-Upstream
DCBX Operational Status is Enabled
Is Configuration Source? TRUE
Local DCBX Compatibility mode is CEE
Local DCBX Configured mode is CEE
Peer Operating version is CEE
Local DCBX TLVs Transmitted: ErPfi
Local DCBX Status
-----------------
DCBX Operational Version is 0
DCBX Max Version Supported is 0
Sequence Number: 2
Acknowledgment Number: 2
Protocol State: In-Sync
Peer DCBX Status:
----------------
DCBX Operational Version is 0
DCBX Max Version Supported is 255
Sequence Number: 2
Acknowledgment Number: 2
Total DCBX Frames transmitted 27
Total DCBX Frames received 6
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 13. show interface DCBx detail Command Description

Interface
    Interface type with chassis slot and port number.
Port-Role
    Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
DCBx Operational Status
    Operational status (enabled or disabled) used to elect a configuration source and internally propagate a DCB configuration. The DCBx operational status is the combination of PFC and ETS operational status.
Configuration Source
    Specifies whether the port serves as the DCBx configuration source on the switch: true (yes) or false (no).
Local DCBx Compatibility mode
    DCBx version accepted in a DCB configuration as compatible. In auto-upstream mode, a port can only receive a DCBx version supported on the remote peer.
Local DCBx Configured mode
    DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer).
Peer Operating version
    DCBx version that the peer uses to exchange DCB parameters.
Local DCBx TLVs Transmitted
    Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output).
Local DCBx Status: DCBx Operational Version
    DCBx version advertised in Control TLVs.
Local DCBx Status: DCBx Max Version Supported
    Highest DCBx version supported in Control TLVs.
Local DCBx Status: Sequence Number
    Sequence number transmitted in Control TLVs.
Local DCBx Status: Acknowledgment Number
    Acknowledgement number transmitted in Control TLVs.
Local DCBx Status: Protocol State
    Current operational state of DCBx protocol: ACK or IN-SYNC.
Peer DCBx Status: DCBx Operational Version
    DCBx version advertised in Control TLVs received from peer device.
Peer DCBx Status: DCBx Max Version Supported
    Highest DCBx version supported in Control TLVs received from peer device.
Peer DCBx Status: Sequence Number
    Sequence number transmitted in Control TLVs received from peer device.
Peer DCBx Status: Acknowledgment Number
    Acknowledgement number transmitted in Control TLVs received from peer device.
Total DCBx Frames transmitted
    Number of DCBx frames sent from local port.
Total DCBx Frames received
    Number of DCBx frames received from remote peer port.
Total DCBx Frame errors
    Number of DCBx frames with errors received.
Total DCBx Frames unrecognized
    Number of unrecognizable DCBx frames received.
PFC and ETS Configuration Examples
This section contains examples of how to configure and apply DCB input and output policies on an
interface.
Using PFC and ETS to Manage Data Center Traffic
The following shows examples of using PFC and ETS to manage your data center traffic.
In the following example:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling).
• One lossless queue is used.
Figure 31. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.

dot1p Value in Incoming Frame    Queue Assignment
0                                0
1                                0
2                                0
3                                1
4                                2
5                                3
6                                3
7                                3

The following describes the dot1p-priority class group assignment.

dot1p Value in the Incoming Frame    Priority Group Assignment
0                                    LAN
1                                    LAN
2                                    LAN
3                                    SAN
4                                    IPC
5                                    LAN
6                                    LAN
7                                    LAN

The following describes the priority group-bandwidth assignment.

Priority Group    Bandwidth Assignment
IPC               5%
SAN               50%
LAN               45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.

Example of Configuring QoS Priority-Queue Assignment to Honor Dot1p Priorities
Dell(conf)# service-class dynamic dot1p
Or
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# service-class dynamic dot1p

Example of Configuring a DCB Input Policy to Apply PFC to Lossless SAN Priority Traffic
Dell(conf)# dcb-input ipc_san_lan
Dell(conf-qos-policy-in)# pfc mode on
Dell(conf-qos-policy-in)# pfc priority 3

Example of Configuring an ETS Priority Group
Dell(conf)# priority-group san
Dell(conf-pg)# priority-list 3
Dell(conf-pg)# set-pgid 1
Dell(conf-pg)# exit
Dell(conf)# priority-group ipc
Dell(conf-pg)# priority-list 4
Dell(conf-pg)# set-pgid 2
Dell(conf-pg)# exit
Dell(conf)# priority-group lan
Dell(conf-pg)# priority-list 0-2,5-7
Dell(conf-pg)# set-pgid 3
Dell(conf-pg)# exit

Example of Configuring an ETS Output Policy for Egress Traffic
Dell(conf)# qos-policy-output san ets
Dell(conf-qos-policy-out)# bandwidth-percentage 50
Dell(conf-qos-policy-out)# exit
Dell(conf)# qos-policy-output lan ets
Dell(conf-qos-policy-out)# bandwidth-percentage 45
Dell(conf-qos-policy-out)# exit
Dell(conf)# qos-policy-output ipc ets
Dell(conf-qos-policy-out)# bandwidth-percentage 5
Dell(conf-qos-policy-out)# exit

Example of Configuring a DCB Output Policy to Apply ETS (Bandwidth Allocation and Scheduling) to IPC, SAN, and LAN Priority Traffic
Dell(conf)# dcb-output ets
Dell(conf-dcb-out)# priority-group san qos-policy san
Dell(conf-dcb-out)# priority-group lan qos-policy lan
Dell(conf-dcb-out)# priority-group ipc qos-policy ipc

Example of Applying DCB Input and Output Policies to an Interface
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# dcb-policy input pfc
Dell(conf-if-te-0/1)# dcb-policy output ets

Example of Configuring a QoS Output Policy to Specify Bandwidth Allocation to Different Traffic Types if DCBx Version is CIN
Dell(conf)# qos-policy-output lan-q0
Dell(conf-qos-policy-out)# bandwidth-percentage 20
Dell(conf-qos-policy-out)# exit
Dell(conf)# qos-policy-output lan-q3
Dell(conf-qos-policy-out)# bandwidth-percentage 70
Dell(conf-qos-policy-out)# exit

Example of Creating a QoS Policy Map for DCBx CIN Bandwidth Allocation
Dell(conf)# policy-map-output ets-queues
Dell(conf-policy-map-out)# service-queue 0 qos-policy lan-q0
Dell(conf-policy-map-out)# service-queue 3 qos-policy lan-q3

Example of Applying the QoS Policy Map for DCBx CIN Bandwidth Allocation to an Interface
Dell(conf-if-te-0/1)# service-policy output ets-queues
Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack
The following example shows how to apply the DCB PFC input policy (ipc_san_lan) and ETS output
policy (ets) on all MXL switches in a switch stack.
This example references the PFC and ETS Configuration Examples section.
Example of Applying DCB PFC Input Policy and ETS Output Policy in a Switch Stack
Dell(conf)# dcb-policy output stack-unit all stack-ports all ets
Dell(conf)# dcb-policy input stack-unit all stack-ports all pfc
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling.
For example, you can apply ETS output policies with the following configurations:
Priority group 1: Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2: Assigns traffic to one priority queue with 30% of the link bandwidth.
Priority group 3: Assigns traffic to two priority queues with 50% of the link bandwidth and strict-priority scheduling.
In this example, the configured ETS bandwidth allocation and scheduler behavior is as follows:
Unused bandwidth usage: Normally, if there is no traffic or unused bandwidth for a priority group, the bandwidth allocated to the group is distributed to the other priority groups according to the bandwidth percentage allocated to each group. However, when three priority groups with different bandwidth allocations are used on an interface:
• If priority group 3 has free bandwidth, it is distributed as follows: 20% of the free bandwidth to priority group 1 and 30% of the free bandwidth to priority group 2.
• If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20 + 30)%.
Strict-priority groups: If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first. However, when three priority groups are used and two groups have strict-priority scheduling (such as groups 1 and 3 in the example), the strict-priority group whose traffic is mapped to one queue takes precedence over the strict-priority group whose traffic is mapped to two queues.
Therefore, in this example, scheduling traffic to priority group 1 (mapped to one strict-priority queue) takes precedence over scheduling traffic to priority group 3 (mapped to two strict-priority queues).
Configuring DCB Maps and its Attributes
This topic contains the following sections that describe how to configure a DCB map, apply the
configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues.
DCB Map: Configuration Procedure
A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority
and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you
must create a DCB map.
Step 1. Enter global configuration mode to create a DCB map or edit PFC and ETS settings.
Command: dcb-map name
Command Mode: CONFIGURATION

Step 2. Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group, or whether the priority group traffic should be handled with strict-priority scheduling. You can enable PFC on a maximum of two priority queues on an interface. Enabling PFC for dot1p priorities makes the corresponding port queue lossless. The sum of all allocated bandwidth percentages in all groups in the DCB map must be 100%. Strict-priority traffic is serviced first. Afterwards, bandwidth allocated to other priority groups is made available and allocated according to the specified percentages. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups.
Example: priority-group 0 bandwidth 60 pfc off; priority-group 1 bandwidth 20 pfc on; priority-group 2 bandwidth 20 pfc on; priority-group 4 strict-priority pfc off
Repeat this step to configure PFC and ETS traffic handling for each priority group.
Command: priority-group group_num {bandwidth percentage | strict-priority} pfc {on | off}
Command Mode: DCB MAP

Step 3. Specify the dot1p priority-to-priority group mapping for each priority. Priority-group range: 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4, in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
Command: priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num dot1p4_group_num dot1p5_group_num dot1p6_group_num dot1p7_group_num
Command Mode: DCB MAP
Important Points to Remember
• If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority-pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority.
As a result, PFC and lossless port queues are disabled on 802.1p priorities, and all priorities are mapped to the same priority queue and equally share the port bandwidth.
• To change the ETS bandwidth allocation configured for a priority group in a DCB map, do not modify the existing DCB map configuration. Instead, first create a new DCB map with the desired PFC and ETS settings, and apply the new map to the interfaces to override the previous DCB map settings. Then, delete the original dot1p priority-priority group mapping.
If you delete the dot1p priority-priority group mapping (no priority-pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation.
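The DCB map procedure above imposes rules that the CLI only reports at apply time: bandwidth percentages must sum to 100%, PFC may be on for at most two port queues, and every dot1p priority sharing a queue must sit in one priority group. The following added example, not code from the guide or from Dell, parses DCB MAP mode lines into a structure and checks those rules before a map is pushed to an interface; the good map reuses the Step 2 and Step 3 example lines and the name SAN_A_dcb_map1 from the guide, the dot1p-to-queue table is the one shown by show dot1p-queue-mapping above, and the broken map is constructed to trip each rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# dot1p-to-queue mapping as shown by the show dot1p-queue-mapping example above.
DOT1P_TO_QUEUE = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}
MAX_PFC_QUEUES = 2   # "a maximum of two priority queues on an interface"

# Constructed map; the group and pgid lines are the Step 2 and Step 3 examples.
GOOD_MAP = """\
dcb-map SAN_A_dcb_map1
 priority-group 0 bandwidth 60 pfc off
 priority-group 1 bandwidth 20 pfc on
 priority-group 2 bandwidth 20 pfc on
 priority-group 4 strict-priority pfc off
 priority-pgid 0 0 0 1 2 4 4 4
"""

# Constructed map that breaks three rules: bandwidth sums to 90%, PFC is on for
# three distinct queues, and dot1p 2 leaves the group its queue-0 siblings use.
BAD_MAP = """\
dcb-map broken_map
 priority-group 0 bandwidth 50 pfc on
 priority-group 1 bandwidth 20 pfc on
 priority-group 2 bandwidth 20 pfc on
 priority-group 4 strict-priority pfc off
 priority-pgid 0 0 1 1 2 4 4 4
"""


@dataclass
class PriorityGroup:
    group_num: int
    bandwidth: Optional[int]   # None means strict-priority
    pfc_on: bool


@dataclass
class DcbMap:
    name: str
    groups: Dict[int, PriorityGroup]
    priority_pgid: List[int]   # index = dot1p priority, value = priority group


GROUP_RE = re.compile(r"priority-group (\d+) (?:bandwidth (\d+)|strict-priority) pfc (on|off)")


def parse_dcb_map(cli: str) -> DcbMap:
    """Parse DCB MAP mode configuration lines into a DcbMap."""
    name, groups, pgid = "", {}, []
    for raw in cli.splitlines():
        line = raw.strip()
        if line.startswith("dcb-map "):
            name = line.split(None, 1)[1]
        elif line.startswith("priority-pgid "):
            pgid = [int(x) for x in line.split()[1:]]
        else:
            m = GROUP_RE.fullmatch(line)
            if m:
                num = int(m.group(1))
                bw = int(m.group(2)) if m.group(2) is not None else None
                groups[num] = PriorityGroup(num, bw, m.group(3) == "on")
    return DcbMap(name, groups, pgid)


def validate_dcb_map(m: DcbMap, dot1p_to_queue=DOT1P_TO_QUEUE) -> List[str]:
    """Apply the rules from the DCB map procedure; an empty list means the map is consistent."""
    errors = []
    for g in m.groups.values():
        if not 0 <= g.group_num <= 7:
            errors.append(f"priority-group {g.group_num}: group number out of range 0-7")
    total = sum(g.bandwidth for g in m.groups.values() if g.bandwidth is not None)
    if total != 100:
        errors.append(f"bandwidth percentages of non-strict groups sum to {total}%, must be 100%")
    if len(m.priority_pgid) != 8:
        errors.append(f"priority-pgid lists {len(m.priority_pgid)} groups, expected 8 (one per dot1p)")
        return errors
    unknown = sorted({g for g in m.priority_pgid if g not in m.groups})
    if unknown:
        errors.append(f"priority-pgid references unconfigured priority groups {unknown}")
    # Every priority sharing a queue must belong to the same priority group.
    queue_groups: Dict[int, set] = {}
    for dot1p, group in enumerate(m.priority_pgid):
        queue_groups.setdefault(dot1p_to_queue[dot1p], set()).add(group)
    for queue, gs in sorted(queue_groups.items()):
        if len(gs) > 1:
            errors.append(f"queue {queue} carries priorities from groups {sorted(gs)}; they must share one group")
    # PFC (lossless) may be enabled on at most two port queues.
    pfc_queues = {dot1p_to_queue[d] for d, g in enumerate(m.priority_pgid)
                  if g in m.groups and m.groups[g].pfc_on}
    if len(pfc_queues) > MAX_PFC_QUEUES:
        errors.append(f"PFC enabled on queues {sorted(pfc_queues)}; at most {MAX_PFC_QUEUES} lossless queues per port")
    return errors


if __name__ == "__main__":
    for cli in (GOOD_MAP, BAD_MAP):
        dcb_map = parse_dcb_map(cli)
        print(dcb_map.name, validate_dcb_map(dcb_map) or "OK")
```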
Applying a DCB Map on a Port
To apply a DCB map to an Ethernet port, follow these steps:
Step 1. Enter interface configuration mode on an Ethernet port.
Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
Command Mode: CONFIGURATION

Step 2. Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map; for example:
Dell# interface tengigabitEthernet 0/0
Dell(config-if-te-0/0)# dcb-map SAN_A_dcb_map1
Repeat Steps 1 and 2 to apply a DCB map to more than one port.
You cannot apply a DCB map on an interface that has been already configured for PFC using the pfc priority command or which is already configured for lossless queues (pfc no-drop queues command).
Command: dcb-map name
Command Mode: INTERFACE
Configuring PFC without a DCB Map
In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each
priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a
DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but
do not transmit converged Ethernet traffic.
Step 1. Enter interface configuration mode on an Ethernet port.
Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
Command Mode: CONFIGURATION

Step 2. Enable PFC on specified priorities. Range: 0-7. Default: None.
Maximum number of lossless queues supported on an Ethernet port: 2.
Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7
You cannot configure PFC using the pfc priority command on an interface on which a DCB map has been applied or which is already configured for lossless queues (pfc no-drop queues command).
Command: pfc priority priority-range
Command Mode: INTERFACE
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface after you disable PFC
mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides
flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface.
Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is
automatically mapped to the no-drop egress queues.
When configuring lossless queues on a port interface, consider the following points:
•
By default, no lossless queues are configured on a port.
•
A limit of two lossless queues are supported on a port. If the number of lossless queues configured
exceeds the maximum supported limit per port (two), an error message is displayed. You must reconfigure the value to a smaller number of queues.
Data Center Bridging (DCB)
283
• If you configure lossless queues on an interface that already has a DCB map with PFC enabled (pfc
on), an error message is displayed.
1. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
2. Open a DCB map and enter DCB map configuration mode.
INTERFACE mode
dcb-map name
3. Disable PFC.
DCB MAP mode
no pfc mode on
4. Return to interface configuration mode.
DCB MAP mode
exit
5. Apply the DCB map, created to disable the PFC operation, on the interface.
INTERFACE mode
dcb-map {name | default}
6. Configure the port queues that still function as no-drop queues for lossless traffic.
INTERFACE mode
pfc no-drop queues queue-range
The maximum number of lossless queues globally supported on a port is 2.
You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has
been applied, or which is already configured for PFC using the pfc priority command.
Range: 0-3. Separate queue values with a comma; specify a queue range with a dash; for example:
pfc no-drop queues 1,3 or pfc no-drop queues 2-3. Default: No lossless queues are configured.
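The two procedures above (PFC without a DCB map, and lossless no-drop queues) share a small set of rules that are easy to break when a configuration is generated or merged by hand. The following linter is an added example, not Dell code: it reads a running-config excerpt and reports an interface that combines pfc priority with dcb-map or pfc no-drop queues, an interface that asks for more than two no-drop queues, and any priority outside 0-7 or queue outside 0-3. The indented interface-block layout of the sample is our assumption about how the commands appear; since the manual does not give the priority-to-queue mapping, the number of PFC priorities is not counted against the two-queue limit.

```python
"""Lint per-interface PFC settings against the constraints in the procedures above.

Added example (not Dell code).  The rules are the manual's; the config layout
and the sample interfaces are constructed for the demonstration.
"""
import re
from typing import Dict, List, Set

MAX_LOSSLESS_PER_PORT = 2  # "Maximum number of lossless queues supported on an Ethernet port: 2"


def parse_range(spec: str, low: int, high: int) -> Set[int]:
    """Expand a '3,5-7' style list into a set, rejecting values outside [low, high]."""
    values: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if start > end or start < low or end > high:
            raise ValueError(f"value '{part}' outside {low}-{high}")
        values.update(range(start, end + 1))
    return values


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented interface-mode lines under their 'interface ...' header."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip() if line.startswith("interface ") else None
            if current is not None:
                interfaces.setdefault(current, [])
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def lint_pfc(config: str) -> List[str]:
    """Return one finding per violated rule, in interface order."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        has_map = any(cmd.startswith("dcb-map ") for cmd in cmds)
        prios: Set[int] = set()
        queues: Set[int] = set()
        for cmd in cmds:
            try:
                m = re.fullmatch(r"pfc priority (\S+)", cmd)
                if m:
                    prios = parse_range(m.group(1), 0, 7)
                m = re.fullmatch(r"pfc no-drop queues (\S+)", cmd)
                if m:
                    queues = parse_range(m.group(1), 0, 3)
            except ValueError as err:
                findings.append(f"{name}: {err}")
        # pfc priority is mutually exclusive with an applied DCB map and with no-drop queues.
        if prios and (has_map or queues):
            findings.append(f"{name}: 'pfc priority' cannot be combined with dcb-map or pfc no-drop queues")
        if len(queues) > MAX_LOSSLESS_PER_PORT:
            findings.append(f"{name}: {len(queues)} no-drop queues exceed the per-port limit of {MAX_LOSSLESS_PER_PORT}")
    return findings


# Constructed running-config excerpt; not captured from a switch.
SAMPLE_CONFIG = """\
interface tengigabitEthernet 0/1
 pfc priority 3,5-7
!
interface tengigabitEthernet 0/2
 dcb-map nopfc
 pfc no-drop queues 1,3
!
interface tengigabitEthernet 0/3
 dcb-map nopfc
 pfc priority 3
!
interface tengigabitEthernet 0/4
 dcb-map nopfc
 pfc no-drop queues 0-2
!
"""

if __name__ == "__main__":
    for finding in lint_pfc(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter flags 0/3 (pfc priority under an applied DCB map) and 0/4 (three no-drop queues on one port) and accepts 0/1 and 0/2, which is exactly what the switch would report as errors at apply time; catching it before pushing the config avoids a half-applied interface.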
Priority-Based Flow Control Using Dynamic Buffer Method
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in
multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p
priority traffic to the transmitting device.
Pause and Resume of Traffic
The pause message is used by the sending device to inform the receiving device about a congested,
heavily-loaded traffic state that has been identified. When the interface of a sending device transmits a
pause frame, the recipient acknowledges this frame by temporarily halting the transmission of data
packets. The sending device requests the recipient to restart the transmission of data traffic when the
congestion eases. The time period that is specified in the pause frame defines the duration
for which the flow of data packets is halted. When the time period elapses, the transmission restarts.
When a device sends a pause frame to another device, the time for which the sending of packets from
the other device must be stopped is contained in the pause frame. The device that sent the pause frame
empties the buffer to be less than the threshold value and restarts the acceptance of data packets.
Dynamic ingress buffering enables the sending of pause frames at different thresholds based on the
number of ports that experience congestion at a time. This behavior impacts the total buffer size used by
a particular lossless priority on an interface. The pause and resume thresholds can also be configured
dynamically. You can configure a buffer size, pause threshold, ingress shared threshold weight, and
resume threshold to control and manage the total amount of buffers that are to be used in your network
environment.
All the PFC-related settings such as the DCB input and output policies or DCB maps are saved in the DCB
application and the Differentiated Services Manager (DSM) application. All of these configurations can be
modified only for interfaces that are enabled for DCB. The DCB buffer configurations are also saved in the
DCB and DSM databases.
Buffer Sizes for Lossless or PFC Packets
You can configure up to a maximum of 4 lossless (PFC) queues. By configuring 4 lossless queues, you
can configure 4 different priorities and assign a particular priority to each application that your network is
used to process. For example, you can assign a higher priority for time-sensitive applications and a lower
priority for other services, such as file transfers. You can configure the amount of buffer space to be
allocated for each priority and the pause or resume thresholds for the buffer. This method of
configuration enables you to effectively manage and administer the behavior of lossless queues.
Although the system contains 9 MB of space for shared buffers, a minimum guaranteed buffer is provided
to all the internal and external ports in the system for both unicast and multicast traffic. This minimum
guaranteed buffer reduces the total available shared buffer to 7,787 KB. This shared buffer can be used for
lossy and lossless traffic.
The default behavior causes up to a maximum of 6.6 MB to be used for PFC-related traffic. The remaining
approximate space of 1 MB can be used by lossy traffic. You can allocate all the remaining 1 MB to
lossless PFC queues. If you allocate in such a way, the performance of lossy traffic is reduced and
degraded. Although you can allocate a maximum buffer size, it is used only if a PFC priority is configured
and applied on the interface.
The number of lossless queues supported on the system is dependent on the availability of total buffers
for PFC. The default configuration in the system guarantees a minimum of 52 KB per queue if all the 128
queues are congested. However, modifying the buffer allocation per queue impacts this default behavior.
By default the total available buffer for PFC is 6.6 MB and when you configure dynamic ingress buffering,
a minimum of at least 52 KB per queue is used when all ports are congested. By default, the system enables
a maximum of two lossless queues on the MXL platform.
This default behavior is impacted if you modify the total buffer available for PFC or assign static buffer
configurations to the individual PFC queues.
Interworking of DCB Map With DCB Buffer Threshold Settings
The dcb-input and dcb-output configuration commands are deprecated. You must use the dcb-map
command to create a DCB map to configure priority flow control (PFC) and enhanced transmission
selection (ETS) on Ethernet ports that support converged Ethernet traffic.
Configure the dcb-buffer-threshold command and its related parameters only on ports with either
auto configuration or dcb-map configuration. This command is not supported on existing front-panel
interfaces or stack ports that are configured with the dcb-input or dcb-output commands. Similarly, if
the dcb-buffer-threshold configuration is present on a stack port or any interface, the dcb-input or
dcb-output policies cannot be applied on those interfaces.
Example: When the dcb-buffer-threshold policy is applied on interfaces or stack ports with the dcb-input
or dcb-output policies, the following error message is displayed:
%Error: dcb-buffer-threshold not supported on interfaces with deprecated
commands
Example: When the dcb-input or dcb-output policy is configured on interfaces or stack ports with the
dcb-buffer threshold policy, the following error message is displayed:
%Error: Deprecated command is not supported on interfaces with dcb-buffer-threshold configured
You must not modify the service-class dot1p mappings when any buffer-threshold-policy is configured
on the system.
Dell(conf)#service-class dot1p-mapping dot1p0 3
% Error: PFC buffer-threshold policies conflict with dot1p mappings. Please
remove all dcb-buffer-threshold policies to change mappings.
The show dcb command has been enhanced to display the following additional buffer-related
information:
Dell(conf)#do show dcb
dcb Status : Enabled
PFC Queue Count : 2                              -- Indicates the PFC queues configured.
Total buffer (lossy + lossless)(in KB): 7787     -- Total buffer space for lossy and lossless queues.
PFC total buffer (in KB): 6526                   -- Indicates the total buffer (configured or default).
PFC shared buffer (in KB): 832                   -- Indicates the shared buffer (configured or default).
PFC available buffer ( in KB): 5694              -- Indicates the remaining available buffers for PFC
                                                    that are free to be allocated.
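The figures in the show dcb output obey two relations that follow from the buffer description above: the PFC available buffer is the PFC total minus the PFC shared buffer, and whatever the PFC total leaves of the total buffer is the headroom that lossy traffic keeps (the "approximately 1 MB" the text mentions). The parser below is an added example, not Dell code; it extracts the numbers from the output as shown above and checks those relations, so that a monitoring job can flag a unit whose PFC allocation has been pushed to the point of starving lossy traffic.

```python
"""Parse 'show dcb' output and check the buffer accounting it reports.

Added example, not Dell code.  The sample text is constructed from the
output shown above with the annotations removed.
"""
import re
from typing import Dict

SAMPLE_SHOW_DCB = """\
dcb Status : Enabled
PFC Queue Count : 2
Total buffer (lossy + lossless)(in KB): 7787
PFC total buffer (in KB): 6526
PFC shared buffer (in KB): 832
PFC available buffer ( in KB): 5694
"""

FIELDS = {
    "pfc_queues": r"PFC Queue Count\s*:\s*(\d+)",
    "total_kb": r"Total buffer \(lossy \+ lossless\)\(in KB\):\s*(\d+)",
    "pfc_total_kb": r"PFC total buffer \(in KB\):\s*(\d+)",
    "pfc_shared_kb": r"PFC shared buffer \(in KB\):\s*(\d+)",
    "pfc_available_kb": r"PFC available buffer \(\s*in KB\):\s*(\d+)",
}

QUEUES_WHEN_ALL_CONGESTED = 128  # the text's figure behind its 52 KB per-queue guarantee


def parse_show_dcb(text: str) -> Dict[str, int]:
    """Extract the numeric fields; a missing field raises rather than defaulting."""
    parsed = {"enabled": int(bool(re.search(r"dcb Status\s*:\s*Enabled", text)))}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found in show dcb output: {key}")
        parsed[key] = int(match.group(1))
    return parsed


def buffer_budget(dcb: Dict[str, int]) -> Dict[str, int]:
    """Derive lossy headroom and per-queue share, and flag inconsistent output."""
    lossy_kb = dcb["total_kb"] - dcb["pfc_total_kb"]
    expected_available = dcb["pfc_total_kb"] - dcb["pfc_shared_kb"]
    return {
        "lossy_kb": lossy_kb,
        # No buffer left for lossy traffic is the case the text warns degrades it.
        "lossy_starved": int(lossy_kb <= 0),
        # available must equal total minus shared; anything else means a misread field.
        "consistent": int(dcb["pfc_available_kb"] == expected_available),
        # Share per queue if every queue on the unit were congested at once.
        "per_queue_kb_all_congested": dcb["pfc_total_kb"] // QUEUES_WHEN_ALL_CONGESTED,
    }


if __name__ == "__main__":
    print(buffer_budget(parse_show_dcb(SAMPLE_SHOW_DCB)))
```

On the sample output the budget comes out at 1261 KB for lossy traffic and 5694 KB available for PFC, which matches the switch's own arithmetic; raising pfc-total-buffer-size to the full 7787 KB is what trips the lossy_starved flag.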
Configuring the Dynamic Buffer Method
To configure the dynamic buffer capability, perform the following steps:
1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all
interfaces.
CONFIGURATION mode
S6000-109-Dell(conf)#dcb enable
2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are
supported.
CONFIGURATION mode
S6000-109-Dell(conf)#dcb pfc-shared-buffer-size 4000
S6000-109-Dell(conf)#dcb pfc-total-buffer-size 5000
3. Configure the number of PFC queues.
CONFIGURATION mode
Dell(conf)#dcb enable pfc-queues 4
The number of ports supported based on the lossless queues configured depends on the buffer.
For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, the buffer limit
for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of
received packets.
4. Configure the profile name for the DCB buffer threshold.
CONFIGURATION mode
Dell(conf)#dcb-buffer-threshold test
5. Configure the buffer size, pause threshold, resume offset, and shared threshold weight for each priority.
DCB-BUFFER-THRESHOLD mode
Dell(conf-dcb-buffer-thr)# priority 0 buffer-size 52 pause-threshold 16 resume-offset 10 shared-threshold-weight 7
6. Assign the DCB policy to the DCB buffer threshold profile on stack ports.
CONFIGURATION mode
Dell(conf)# dcb-policy buffer-threshold stack-unit all stack-ports all test
7. Assign the DCB policy to the DCB buffer threshold profile on interfaces. This setting takes
precedence over the default buffer-threshold setting.
INTERFACE mode (conf-if-te)
Dell(conf-if-te-0/0)#dcb-policy buffer-threshold test
8. Create a QoS policy buffer and enter the QoS Policy Buffer Configuration mode to configure the
no-drop queues, ingress buffer size, buffer limit for pausing, and buffer offset limit for resuming.
CONFIGURATION mode
Dell(conf)# qos-policy-buffer test
Dell(conf-qos-policy-buffer)#queue 0 pause no-drop buffer-size 128000 pause-threshold 103360 resume-threshold 83520
Dell(conf-qos-policy-buffer)# queue 4 pause no-drop buffer-size 128000 pause-threshold 103360 resume-threshold 83520
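The buffer-threshold procedure above has several constraints that the CLI only reports one at a time: no more than four lossless queues, priorities in 0-7, a shared buffer no larger than the total, and per-priority thresholds that must nest (the resume point below the pause point, the pause point within the buffer). The generator below is an added example, not Dell code. It validates a profile against those constraints and emits the CONFIGURATION-mode lines for steps 1 through 7 in the order shown, so a reviewed, consistent profile can be pasted in as a unit. The check that per-priority buffer-size values add up to no more than pfc-total-buffer-size assumes both are in KB, which is our reading of the 52 KB figures above and not something the manual states; the exit lines that leave each sub-mode are ours as well.

```python
"""Build and validate a dcb-buffer-threshold configuration before applying it.

Added example, not Dell code.  The sample profile reuses the manual's
priority 0 line and adds a constructed second lossless priority.
"""
from dataclasses import dataclass
from typing import List

MAX_LOSSLESS_QUEUES = 4  # "A maximum of 4 lossless queues are supported."


@dataclass(frozen=True)
class PriorityThreshold:
    """One 'priority N buffer-size B pause-threshold P resume-offset R shared-threshold-weight W' entry."""
    priority: int
    buffer_size: int
    pause_threshold: int
    resume_offset: int
    shared_threshold_weight: int

    def problems(self) -> List[str]:
        """Constraint violations for this entry; empty when it is consistent."""
        found = []
        if not 0 <= self.priority <= 7:
            found.append(f"priority {self.priority} is outside 0-7")
        if not 0 < self.pause_threshold <= self.buffer_size:
            found.append(f"priority {self.priority}: pause-threshold must lie within buffer-size")
        if not 0 < self.resume_offset <= self.pause_threshold:
            found.append(f"priority {self.priority}: resume-offset must not exceed pause-threshold")
        return found

    def cli(self) -> str:
        return (f" priority {self.priority} buffer-size {self.buffer_size}"
                f" pause-threshold {self.pause_threshold} resume-offset {self.resume_offset}"
                f" shared-threshold-weight {self.shared_threshold_weight}")


def profile_problems(shared_kb: int, total_kb: int, thresholds: List[PriorityThreshold]) -> List[str]:
    """Profile-level and entry-level violations, in a stable order."""
    found = []
    if len(thresholds) > MAX_LOSSLESS_QUEUES:
        found.append(f"{len(thresholds)} lossless queues requested; the maximum is {MAX_LOSSLESS_QUEUES}")
    if len({t.priority for t in thresholds}) != len(thresholds):
        found.append("the same priority appears more than once")
    if shared_kb > total_kb:
        found.append("pfc-shared-buffer-size exceeds pfc-total-buffer-size")
    # Assumption (ours): buffer-size is in KB, the unit of the pfc-*-buffer-size commands.
    if sum(t.buffer_size for t in thresholds) > total_kb:
        found.append("per-priority buffer sizes add up to more than pfc-total-buffer-size")
    for t in thresholds:
        found.extend(t.problems())
    return found


def build_config(name: str, shared_kb: int, total_kb: int,
                 thresholds: List[PriorityThreshold], interfaces: List[str]) -> List[str]:
    """Return the CLI lines for steps 1-7 above, or raise if the profile is inconsistent."""
    problems = profile_problems(shared_kb, total_kb, thresholds)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "dcb enable",
        f"dcb pfc-shared-buffer-size {shared_kb}",
        f"dcb pfc-total-buffer-size {total_kb}",
        f"dcb enable pfc-queues {len(thresholds)}",
        f"dcb-buffer-threshold {name}",
        *[t.cli() for t in thresholds],
        " exit",  # leave DCB-BUFFER-THRESHOLD mode (assumed; not shown in the manual's steps)
        f"dcb-policy buffer-threshold stack-unit all stack-ports all {name}",
    ]
    for ifname in interfaces:
        lines += [f"interface {ifname}", f" dcb-policy buffer-threshold {name}", " exit"]
    return lines


SAMPLE_THRESHOLDS = [
    PriorityThreshold(0, 52, 16, 10, 7),
    PriorityThreshold(3, 52, 16, 10, 7),
]

if __name__ == "__main__":
    print("\n".join(build_config("test", 4000, 5000, SAMPLE_THRESHOLDS, ["tengigabitEthernet 0/0"])))
```

Because profile_problems returns every violation at once rather than stopping at the first, a reviewer sees the whole picture before touching the switch; build_config refuses to emit anything for an inconsistent profile.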
13 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the MXL switch.
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential
path verifications. In addition, Level 0 diagnostics verify the identification registers of the components
on the board.
• Level 1 — A smaller set of diagnostic tests. Level 1 diagnostics perform status, self-test, access, and
read-write tests for all the components on the board and test their registers for appropriate values. In
addition, Level 1 diagnostics perform extensive tests on memory devices (for example, SDRAM, flash,
NVRAM, EEPROM) wherever possible.
• Level 2 — The full set of diagnostic tests. Level 2 diagnostics are used primarily for on-board MAC
level, Physical level, external Loopback tests, and more extensive component diagnostics. Various
components on the board are put into Loopback mode and test packets are transmitted through
those components. These diagnostics also perform snake tests using virtual local area network (VLAN)
configurations.
NOTE: Diagnostics are not allowed in Stacking mode, including member stacking. Avoid stacking
before executing the diagnostic tests in the chassis.
Important Points to Remember
• You can only perform offline diagnostics on an offline standalone unit. You cannot perform
diagnostics if the ports are configured in a stacking group. Remove the port(s) from the stacking
group before executing the diagnostic test.
• Diagnostics only test connectivity, not the entire data path.
• Diagnostic results are stored on the flash of the unit on which you performed the diagnostics.
• When offline diagnostics are complete, the unit or stack member reboots automatically.
Running Offline Diagnostics
To run offline diagnostics, use the following commands.
For more information, refer to the examples following the steps.
1. Place the unit in the offline state.
EXEC Privilege mode
offline stack-unit <id>
You cannot enter this command on a MASTER or Standby stack unit.
288
Debugging and Diagnostics
NOTE: The system reboots when the offline diagnostics complete. This is an automatic
process. The following warning message appears when you implement the offline stack-unit <id>
command: Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y
Dell#offline stack-unit 0
Warning - offline of unit will bring down all the protocols and
the unit will be operationally down, except for running Diagnostics.
Please make sure that stacking/fanout not configured for Diagnostics
execution.
Also reboot/online command is necessary for normal operation after the
offline command is issued.
Proceed with Offline [confirm yes/no]:yes
Dell#Dec 15 03:58:37: %STKUNIT0-M:CP %CHMGR-2-STACKUNIT_DOWN: Stack unit 0
down - stack unit offline
2. Confirm the offline status.
EXEC Privilege mode
show system brief
Dell#show system brief
Stack MAC : 00:1e:c9:f1:00:cb
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType    Status       ReqTyp        CurTyp        Version   Ports
--------------------------------------------------------------------------
 0   Management  offline      MXL-10/40GbE  MXL-10/40GbE  9.4(0.0)  56
 1   Member      not present
 2   Member      not present
 3   Member      not present
 4   Member      not present
 5   Member      not present
Dell#
3. Start diagnostics on the unit.
diag
When the tests are complete, the system displays the following message and reboots the unit
automatically:
Diags completed... Rebooting the system now!!!
Dec 15 04:00:38: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on
stack unit 0
Diagnostic results are printed to a file in the flash using the filename
format TestReport-SU-stack-unit.txt.
Log messages differ somewhat when diagnostics are done on a standalone unit
and on a stack member.
Example of the diag command (Standalone unit)
Dell#diag stack-unit 0 level0
Warning - diagnostic execution will cause multiple link flaps on the peer side
- advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
FTOS#Dec 15 04:14:07: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting
diags on stack unit 0
00:12:10 : System may take additional time for Driver Init.
00:12:10 : Approximate time to complete the Diags ... 6 Mins
00:13:53 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt
Diags completed... Rebooting the system now!!!
Dec 15 04:15:54: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on
stack unit 0
syncing disks... 1 1 done
unmounting file systems...
unmounting /f10/flash (/dev/ld0e)...
unmounting /usr/pkg (/dev/ld0h)...
unmounting /usr (mfs:35)...
unmounting /lib (mfs:24)...
unmounting /f10 (mfs:21)...
unmounting /tmp (mfs:15)...
unmounting /kern (kernfs)...
unmounting / (/dev/md0a)... done
rebooting...
Example of the show file flash: Command (Standalone Unit)
Dell#show file flash://TestReport-SU-0.txt
*******************************BLADE IOM DIAGNOSTICS*******************************
Board                 : Blade IOM Dell Inc.
CPU Version           : XLP3XX-A0
Stack Unit Board Temp : 49 Degree C
Stack Unit Number     : 0
Board Serial Number   : TW282981C80067
Board Type            : Blade IOM Module
CPLD Revision         : 0x6
Image Build Version   : 9-4(0-89)
**************************** BLADE IOM LEVEL 0 DIAGNOSTICS*************************
Test 1 - Power Rail Status Test ..................................... PASS
Test 2.000 - OptMod: Power Status Test .............................. PASS
Test 2.001 - OptMod: Power Status Test .............................. PASS
Test 2 - OptMod: Power Status Test .................................. PASS
Test 3.000 - Board Temperarture Sensor Test ......................... PASS
Test 3.001 - Board Temperarture Sensor Test ......................... PASS
Test 3 - Board Temperarture Sensor Test ............................. PASS
Test 4 - RTC Presence Test .......................................... PASS
Test 5.000 - CPU Sdram Presence Test ............................... PASS
Test 6.000 - CPU Sdram Size Test ................................... PASS
diagBladeIOMUsbAAccessTest[238]: ERROR: No USB A device found
Test 7 - USB A Access Test .......................................... NOT PRESENT
diagBladeIOMUsbAPresenceGet[267]: ERROR: No USB device found
diagBladeIOMUsbHostControllerAccessTest[608]: ERROR: No USB device detected.
Test 8 - Usb Host Controller Access Test ............................ NOT PRESENT
Test 9 - SD Flash Access Test ....................................... PASS
Test 10.000 - Qsfp Plus Power Mode Test ............................. PASS
Test 10.001 - Qsfp Plus Power Mode Test ............................. PASS
Test 10 - Qsfp Plus Power Mode Test ................................. PASS
Test 11 - CPLD Presence Test ........................................ PASS
Test 12 - Flash Access Test ......................................... PASS
Test 13 - Board Revision Test ....................................... PASS
Test 14 - MGMT PHY Presence Test .................................... PASS
Test 15.000 - Optional Module Type Test ............................. PASS
Test 15.001 - Optional Module Type Test ............................. PASS
Test 15 - Optional Module Type Test ................................. PASS
Test 16.000 - Qsfp Plus Presence Test ............................... PASS
Test 16.001 - Qsfp Plus Presence Test ............................... PASS
Test 16 - Qsfp Plus Presence Test ................................... PASS
Test 17 - Cpu Type Detect Test ...................................... PASS
***************** BLADE IOM LEVEL 1 DIAGNOSTICS*************************************
Test 101 - RTC Function Test ........................................ PASS
Test 102 - RTC Rollover Test ........................................ PASS
Test 103 - GPIO Access Test ......................................... PASS
Test 104 - PSoC Access Test ......................................... PASS
Test 105 - PCIe BCM56846 Access Test ................................ PASS
Test 106 - CPU SDRAM Access Test .................................... PASS
Test 107 - CPU SDRAM Data Line Test ................................. PASS
Test 108 - CPU SDRAM Address Line Test .............................. PASS
diagBladeIOMUsbAPresenceGet[267]: ERROR: No USB device found
diagBladeIOMUsbFileCopyTest[92]: ERROR: No USB device detected.
Test 109 - Usb File Copy Stress Test ................................ NOT PRESENT
Test 110 - Flash Rw Test ............................................ PASS
Test 111 - I2C Stress Test .......................................... PASS
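A TestReport-SU-<unit>.txt file runs to dozens of lines per level, and a single FAIL is easy to miss among the PASS and NOT PRESENT results. The parser below is an added example, not Dell code: it reads lines in the "Test N - name .... RESULT" format of the report above, groups them by the level header they fall under, counts results per level and lists every test that did not pass. The sample report is a constructed excerpt in that format (the FAIL line is invented to exercise the reporting; the file above shows none).

```python
"""Summarize a TestReport-SU-<unit>.txt diagnostics file.

Added example, not Dell code.  SAMPLE_REPORT is a constructed excerpt in the
format shown above; its FAIL result is invented for the demonstration.
"""
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"\*+\s*(BLADE IOM(?: LEVEL \d)? DIAGNOSTICS)\s*\*+")
TEST_RE = re.compile(r"^Test (\d+(?:\.\d+)?) - (.+?) \.{3,}\s*(PASS|FAIL|NOT PRESENT)\s*$")

SAMPLE_REPORT = """\
*******************************BLADE IOM DIAGNOSTICS*******************************
Board                 : Blade IOM Dell Inc.
**************************** BLADE IOM LEVEL 0 DIAGNOSTICS*************************
Test 1 - Power Rail Status Test ..................................... PASS
Test 2.000 - OptMod: Power Status Test .............................. PASS
Test 2 - OptMod: Power Status Test .................................. PASS
diagBladeIOMUsbAAccessTest[238]: ERROR: No USB A device found
Test 7 - USB A Access Test .......................................... NOT PRESENT
Test 9 - SD Flash Access Test ....................................... PASS
***************** BLADE IOM LEVEL 1 DIAGNOSTICS*************************************
Test 101 - RTC Function Test ........................................ PASS
Test 109 - Usb File Copy Stress Test ................................ NOT PRESENT
Test 110 - Flash Rw Test ............................................ FAIL
"""

Row = Tuple[str, str, str, str]  # (level header, test id, test name, result)


def parse_report(text: str) -> List[Row]:
    """Return one row per test line, tagged with the most recent level header."""
    level = ""
    rows: List[Row] = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            level = header.group(1)
            continue
        match = TEST_RE.match(line)
        if match:
            rows.append((level, match.group(1), match.group(2), match.group(3)))
    return rows


def summarize(rows: List[Row]) -> Dict[str, object]:
    """Count results per level and list every test that did not PASS."""
    counts: Dict[str, Dict[str, int]] = {}
    attention: List[str] = []
    for level, test_id, name, result in rows:
        per_level = counts.setdefault(level, {})
        per_level[result] = per_level.get(result, 0) + 1
        if result != "PASS":
            attention.append(f"{level}: Test {test_id} {name}: {result}")
    return {"counts": counts, "attention": attention}


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for level, per_level in report["counts"].items():
        print(level, per_level)
    for item in report["attention"]:
        print(item)
```

The ERROR lines the diagnostics print before a NOT PRESENT result are intentionally ignored: the result column is the authoritative verdict, and a NOT PRESENT for an optional component (the USB ports here) is normal on an IOM without one, whereas a FAIL warrants a support case.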
Trace Logs
In addition to the syslog buffer, the Dell Networking OS buffers trace messages which are continuously
written by various software tasks to report hardware and software events and status information.
Each trace message provides the date, time, and name of the Dell Networking OS process. All messages
are stored in a ring buffer. You can save the messages to a file either manually or automatically after
failover.
Auto Save on Crash or Rollover
Exception information for MASTER or standby units is stored in the flash:/TRACE_LOG_DIR directory. This
directory contains files that save trace information when there has been a task crash or timeout.
• On a MASTER unit, you can reach the TRACE_LOG_DIR files by FTP or by using the show file
command from the flash://TRACE_LOG_DIR directory.
• On a Standby unit, you can reach the TRACE_LOG_DIR files only by using the show file command
from the flash://TRACE_LOG_DIR directory.
NOTE: Non-management member units do not support this functionality.
Example of the dir flash: Command
Dell#dir flash://TRACE_LOG_DIR
Directory of flash:/TRACE_LOG_DIR
  1 drwx        4096 Jan 17 2011 15:02:16 +00:00 .
  2 drwx        4096 Jan 01 1980 00:00:00 +00:00 ..
  3 -rwx      100583 Feb 11 2011 20:41:36 +00:00 failure_trace0_RPM0_CP
flash: 2143281152 bytes total (2069291008 bytes free)
Using the Show Hardware Commands
The show hardware command tree consists of commands used with the MXL switch.
These commands display information from a hardware sub-component and from hardware-based
feature tables.
NOTE: Use the show hardware commands only under the guidance of the Dell Technical
Assistance Center.
• View internal interface status of the stack-unit CPU port which connects to the external management
interface.
EXEC Privilege mode
show hardware stack-unit {0-5} cpu management statistics
• View driver-level statistics for the data-plane port on the CPU for the specified stack-unit.
EXEC Privilege mode
show hardware stack-unit {0-5} cpu data-plane statistics
This view provides insight into the packet types entering the CPU to see whether CPU-bound traffic is
internal (IPC traffic) or network control traffic, which the CPU must process.
• View the modular packet buffers details per stack unit and the mode of allocation.
EXEC Privilege mode
show hardware stack-unit {0-5} buffer total-buffer
• View the modular packet buffers details per unit and the mode of allocation.
EXEC Privilege mode
show hardware stack-unit {0-5} buffer unit {0-1} total-buffer
• View the forwarding plane statistics containing the packet buffer usage per port per stack unit.
EXEC Privilege mode
show hardware stack-unit {0-5} buffer unit {0-1} port {1-64 | all} buffer-info
• View the forwarding plane statistics containing the packet buffer statistics per COS per port.
EXEC Privilege mode
show hardware stack-unit {0-5} buffer unit {0-1} port {1-64} queue {0-14 | all} buffer-info
• View input and output statistics on the party bus, which carries inter-process communication traffic
between CPUs.
EXEC Privilege mode
show hardware stack-unit {0-5} cpu party-bus statistics
• View the ingress and egress internal packet-drop counters, MAC counters drop, and FP packet drops
for the stack unit on a per-port basis.
EXEC Privilege mode
show hardware stack-unit {0-5} drops unit {0-0} port {33–56}
This view helps identify the stack unit/port pipe/port that may experience internal drops.
• View the input and output statistics for a stack-port interface.
EXEC Privilege mode
show hardware stack-unit {0-5} stack-port {33–56}
• View the counters in the field processors of the stack unit.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} counters
• View the details of the FP devices and HiGig ports on the stack-unit.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} details
• Execute a specified bShell command from the CLI without going into the bShell.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} execute-shell-cmd {command}
• View the Multicast IPMC replication table from the bShell.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} ipmc-replication
• View the internal statistics for each port-pipe (unit) on a per-port basis.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} port-stats [detail]
• View the stack-unit internal registers for each port-pipe.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} register
• View the tables from the bShell through the CLI without going into the bShell.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} table-dump {table name}
Enabling Environmental Monitoring
The MXL switch components use environmental monitoring hardware to detect transmit power readings,
receive power readings, and temperature updates.
To receive periodic power updates, you must enable the following command.
• Enable environmental monitoring.
enable optic-info-update interval
Example of the show interfaces transceiver Command
Dell#show int ten 0/49 transceiver
SFP is present
SFP 49 Serial Base ID fields
SFP 49 Id                        = 0x03
SFP 49 Ext Id                    = 0x04
SFP 49 Connector                 = 0x07
SFP 49 Transceiver Code          = 0x00 0x00 0x00 0x01 0x20 0x40 0x0c 0x01
SFP 49 Encoding                  = 0x01
SFP 49 BR Nominal                = 0x0c
SFP 49 Length(9um) Km            = 0x00
SFP 49 Length(9um) 100m          = 0x00
SFP 49 Length(50um) 10m          = 0x37
SFP 49 Length(62.5um) 10m        = 0x1e
SFP 49 Length(Copper) 10m        = 0x00
SFP 49 Vendor Rev                =
SFP 49 Laser Wavelength          = 850 nm
SFP 49 CheckCodeBase             = 0x78
SFP 49 Serial Extended ID fields
SFP 49 Options                   = 0x00 0x12
SFP 49 BR max                    = 0
SFP 49 BR min                    = 0
SFP 49 Vendor SN                 = P11C0B0
SFP 49 Datecode                  = 020919
SFP 49 CheckCodeExt              = 0xb6
SFP 49 Diagnostic Information
===================================
SFP 49 Rx Power measurement type        = Average
===================================
SFP 49 Temp High Alarm threshold        = 100.000C
SFP 49 Voltage High Alarm threshold     = 5.000V
SFP 49 Bias High Alarm threshold        = 100.000mA
SFP 49 TX Power High Alarm threshold    = 5.000mW
SFP 49 RX Power High Alarm threshold    = 5.000mW
SFP 49 Temp Low Alarm threshold         = -50.000C
SFP 49 Voltage Low Alarm threshold      = 0.000V
SFP 49 Bias Low Alarm threshold         = 0.000mA
SFP 49 TX Power Low Alarm threshold     = 0.000mW
SFP 49 RX Power Low Alarm threshold     = 0.000mW
===================================
SFP 49 Temp High Warning threshold      = 100.000C
SFP 49 Voltage High Warning threshold   = 5.000V
SFP 49 Bias High Warning threshold      = 100.000mA
SFP 49 TX Power High Warning threshold  = 5.000mW
SFP 49 RX Power High Warning threshold  = 5.000mW
SFP 49 Temp Low Warning threshold       = -50.000C
SFP 49 Voltage Low Warning threshold    = 0.000V
SFP 49 Bias Low Warning threshold       = 0.000mA
SFP 49 TX Power Low Warning threshold   = 0.000mW
SFP 49 RX Power Low Warning threshold   = 0.000mW
===================================
SFP 49 Temperature                      = 40.844C
SFP 49 Voltage                          = 3.169V
SFP 49 Tx Bias Current                  = 0.000mA
SFP 49 Tx Power                         = 0.000mW
SFP 49 Rx Power                         = 0.227mW
===================================
SFP 49 Data Ready state Bar             = False
SFP 49 Rx LOS state                     = False
SFP 49 Tx Fault state                   = False
Recognize an Over-Temperature Condition
An over-temperature condition occurs for one of two reasons: the card genuinely is too hot or a sensor
has malfunctioned.
Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at normal temperature, suspect a faulty sensor.
When the system detects a genuine over-temperature condition, it powers off the card. To recognize this
condition, look for the following system messages:
CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature high (temperature reaches
or exceeds threshold of
[value]C)
CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is [value]C; approaching
shutdown threshold of [value]C
To view the programmed alarm thresholds levels, including the shutdown value, use the show alarms
threshold command.
Example of the show alarms threshold Command
Dell#show alarms threshold
-- Temperature Limits (deg C) --
-------------------------------------------------------------
      BelowNormal  Normal  Elevated  Critical  Trip/Shutdown
Unit0 <=40         41      71        81        86
Dell#
Troubleshoot an Over-Temperature Condition
To troubleshoot an over-temperature condition, use the following information.
1. Use the show environment commands to monitor the temperature levels.
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working
correctly.
3. After the software has determined that the temperature levels are within normal limits, you can
re-power the card safely. To bring the line card back online, use the power-on command in EXEC
mode.
In addition, Dell Networking requires that you install blanks in all slots without a line card to control
airflow for adequate system cooling.
NOTE: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds,
the card could be hot to the touch.
Example of the show environment Command
Dell#show environment
-- Unit Environment Status --
Unit Status Temp Voltage
----------------------------
* 0  online 71C  ok
* Management Unit
-- Thermal Sensor Readings (deg C) --
Unit Sensor0 Sensor1 Sensor2 Sensor3 Sensor4 Sensor5 Sensor6 Sensor7 Sensor8 Sensor9
-----------------------------------------------------------------------------------------
0    45      43      66      61      66      62      70      65      67      71
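The show alarms threshold and show environment outputs above are meant to be read together: the first gives the programmed bands for a unit, the second the per-sensor readings. The script below is an added example, not Dell code. It parses both outputs, places every sensor reading in its band and reports the worst band on the unit, which is the check a polling job would run before the CHMGR-2-MAJOR_TEMP message fires. Treating each threshold column as the lower bound of its band (with BelowNormal being "<=40") is our reading of the table layout, not a statement the manual makes; the two sample outputs are constructed from the examples above.

```python
"""Classify thermal sensor readings against the programmed alarm bands.

Added example, not Dell code.  The two sample outputs are constructed from
the show alarms threshold and show environment examples above.
"""
import re
from typing import Dict, List, Tuple

ALARMS_OUTPUT = """\
Dell#show alarms threshold
-- Temperature Limits (deg C) --
-------------------------------------------------------------
      BelowNormal  Normal  Elevated  Critical  Trip/Shutdown
Unit0 <=40         41      71        81        86
Dell#
"""

ENV_OUTPUT = """\
Dell#show environment
-- Unit Environment Status --
Unit Status Temp Voltage
----------------------------
* 0  online 71C  ok
* Management Unit
-- Thermal Sensor Readings (deg C) --
Unit Sensor0 Sensor1 Sensor2 Sensor3 Sensor4 Sensor5 Sensor6 Sensor7 Sensor8 Sensor9
-----------------------------------------------------------------------------------------
0    45      43      66      61      66      62      70      65      67      71
"""

# Bands above BelowNormal, in rising order; each threshold column is read as
# the lower bound of its band (assumption, see the lead-in).
BANDS = ("Normal", "Elevated", "Critical", "Trip/Shutdown")


def parse_thresholds(text: str) -> Dict[str, List[int]]:
    """Map 'UnitN' -> lower bounds for Normal, Elevated, Critical, Trip/Shutdown."""
    thresholds: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = re.match(r"^(Unit\d+)\s+<=(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m:
            thresholds[m.group(1)] = [int(x) for x in m.groups()[2:]]
    return thresholds


def parse_sensors(text: str) -> Dict[int, List[int]]:
    """Map unit number -> list of sensor readings from the thermal table."""
    sensors: Dict[int, List[int]] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+((?:\d+\s*)+)$", line)
        if m:
            sensors[int(m.group(1))] = [int(x) for x in m.group(2).split()]
    return sensors


def classify(temp: int, bounds: List[int]) -> str:
    """Highest band whose lower bound the reading meets; BelowNormal otherwise."""
    band = "BelowNormal"
    for name, lower in zip(BANDS, bounds):
        if temp >= lower:
            band = name
    return band


def assess(alarms_text: str, env_text: str) -> Dict[Tuple[int, int], str]:
    """Return {(unit, sensor index): band} for every reading."""
    thresholds = parse_thresholds(alarms_text)
    result: Dict[Tuple[int, int], str] = {}
    for unit, readings in parse_sensors(env_text).items():
        bounds = thresholds[f"Unit{unit}"]
        for idx, temp in enumerate(readings):
            result[(unit, idx)] = classify(temp, bounds)
    return result


def worst_band(assessment: Dict[Tuple[int, int], str]) -> str:
    order = ("BelowNormal",) + BANDS
    return max(assessment.values(), key=order.index)


if __name__ == "__main__":
    verdicts = assess(ALARMS_OUTPUT, ENV_OUTPUT)
    for key, band in sorted(verdicts.items()):
        print(f"unit {key[0]} sensor {key[1]}: {band}")
    print("worst:", worst_band(verdicts))
```

On the sample data Sensor9 reads 71C, exactly the Elevated lower bound, so the unit's worst band is Elevated while the other nine sensors are Normal; that is the pattern (one sensor well above its neighbours) that the adjacent-card check above helps distinguish from a faulty sensor.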
Recognize an Under-Voltage Condition
If the system detects an under-voltage condition, it sends an alarm.
To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN:
Major alarm: Line card 2 down - auto-shutdown due to under voltage.
This message indicates that the specified card is not receiving enough power. In response, the system
first shuts down Power over Ethernet (PoE).
Troubleshoot an Under-Voltage Condition
To troubleshoot an under-voltage condition, check that the correct number of power supplies are
installed and their Status light emitting diodes (LEDs) are lit.
The following table lists information for SNMP traps and OIDs on S-Series environmental monitoring
hardware and hardware components.
Table 14. SNMP Traps and OIDs
OID String                        OID Name               Description
.1.3.6.1.4.1.6027.3.10.1.2.5.1.6  chSysPortXfpRecvPower  Receiving Power: OID displays the receiving power
                                                         of the connected optics.
.1.3.6.1.4.1.6027.3.10.1.2.5.1.8  chSysPortXfpTxPower    Transmitting power: OID displays the transmitting
                                                         power of the connected optics.
.1.3.6.1.4.1.6027.3.10.1.2.5.1.7  chSysPortXfpRecvTemp   Temperature: OID displays the temperature of
                                                         the connected optics.
NOTE: These OIDs are only generated if the enable optic-info-update-interval command is enabled.
Hardware MIB Buffer Statistics
.1.3.6.1.4.1.6027.3.16.1.1.4      fpPacketBufferTable    View the modular packet buffers details per
                                                         stack unit and the mode of allocation.
.1.3.6.1.4.1.6027.3.16.1.1.5      fpStatsPerPortTable    View the forwarding plane statistics containing
                                                         the packet buffer usage per port per stack unit.
.1.3.6.1.4.1.6027.3.16.1.1.6      fpStatsPerCOSTable     View the forwarding plane statistics containing
                                                         the packet buffer statistics per COS per port.
Buffer Tuning
Buffer tuning allows you to modify the way your switch allocates buffers from its available memory and
helps prevent packet drops during a temporary burst of traffic.
Application-specific integrated circuits (ASICs) implement the key functions of queuing, feature
lookups, and forwarding lookups in hardware.
Forwarding processor (FP) ASICs provide Ethernet MAC functions, queueing, and buffering, as well as
store feature and forwarding tables for hardware-based lookup and forwarding decisions. 1G and 10G
interfaces use different FPs.
The following table describes the type and number of ASICs per platform.
You can tune buffers at three locations
1.
CSF — Output queues going from the CSF.
2.
FP Uplink — Output queues going from the FP to the CSF IDP links.
3.
Front-End Link — Output queues going from the FP to the front-end PHY.
All ports support eight queues, four for data traffic and four for control traffic. All eight queues are
tunable.
Physical memory is organized into cells of 128 bytes. The cells are organized into two buffer pools — the
dedicated buffer and the dynamic buffer.
• Dedicated buffer — this pool is reserved memory that other interfaces on the same ASIC, or other
  queues on the same interface, cannot use. This buffer is always allocated, and no dynamic re-carving
  takes place based on changes in interface status. Dedicated buffers introduce a trade-off. They
  provide each interface with a guaranteed minimum buffer to prevent an overused and congested
  interface from starving all other interfaces. However, this minimum guarantee means that the buffer
  manager does not reallocate the buffer to an adjacent congested interface, which means that in some
  cases, memory is under-used.
• Dynamic buffer — this pool is shared memory that is allocated as needed, up to a configured limit.
  Using dynamic buffers provides the benefit of statistical buffer sharing. An interface requests dynamic
  buffers when its dedicated buffer pool is exhausted. The buffer manager grants the request based on
  three conditions:
  – The number of used and available dynamic buffers.
  – The maximum number of cells that an interface can occupy.
  – Available packet pointers (2k per interface). Each packet is managed in the buffer using a unique
    packet pointer. Thus, each interface can manage up to 2k packets.
You can configure dynamic buffers per port on both 1G and 10G FPs and per queue on CSFs. By default,
the FP dynamic buffer allocation is 10 times oversubscribed. For the 48-port 1G card:
• Dynamic Pool = Total Available Pool (16384 cells) - Total Dedicated Pool = 5904 cells
• Oversubscription ratio = 10
• Dynamic Cell Limit Per port = 59040/29 = 2036 cells
Figure 32. Buffer Tuning Points
Deciding to Tune Buffers
Dell Networking recommends exercising caution when configuring any non-default buffer settings, as
tuning can significantly affect system performance. The default values work for most cases.
As a guideline, consider tuning buffers if traffic is bursty (and coming from several interfaces). In this case:
• Reduce the dedicated buffer on all queues/interfaces.
• Increase the dynamic buffer on all interfaces.
• Increase the cell pointers on a queue that you are expecting will receive the largest number of
  packets.
To define, change, and apply buffers, use the following commands.
• Define a buffer profile for the FP queues.
  CONFIGURATION mode
  buffer-profile fp fsqueue
• Define a buffer profile for the CSF queues.
  CONFIGURATION mode
  buffer-profile csf csqueue
• Change the dedicated buffers on a physical 1G interface.
  BUFFER PROFILE mode
  buffer dedicated
• Change the maximum number of dynamic buffers an interface can request.
  BUFFER PROFILE mode
  buffer dynamic
• Change the number of packet-pointers per queue.
  BUFFER PROFILE mode
  buffer packet-pointers
• Apply the buffer profile to a CSF to FP link.
  CONFIGURATION mode
  buffer csf linecard
Example of Viewing the Default Buffer Profile
Example of Viewing the Buffer Profile Allocations
Example of Viewing the Buffer Profile (Interface)
Example of Viewing the Buffer Profile (Linecard)
Dell Networking OS Behavior: If you attempt to apply a buffer profile to a non-existent port-pipe, the
system displays the following message: %DIFFSERV-2-DSA_BUFF_CARVING_INVALID_PORT_SET:
Invalid FP port-set 2 for linecard 2. Valid range of port-set is <0-1>. However,
the configuration still appears in the running-config.
Configuration changes take effect immediately and appear in the running configuration. Because under
normal conditions all ports do not require the maximum allocation, the configured dynamic allocations
can exceed the actual amount of available memory; this allocation is called oversubscription. If you
choose to oversubscribe the dynamic allocation, a burst of traffic on one interface might prevent other
interfaces from receiving the configured dynamic allocation, which causes packet loss.
You cannot allocate more than the available memory for the dedicated buffers. If the system determines
that the sum of the configured dedicated buffers allocated to the queues is more than the total available
memory, the configuration is rejected, returning a syslog message similar to the following: 00:04:20:
%S50N:0 %DIFFSERV-2-DSA_DEVICE_BUFFER_UNAVAILABLE: Unable to allocate dedicated
buffers for stack-unit 0, port pipe 0, egress port 25 due to unavailability of
cells.
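The two allocation rules just described (dedicated buffers must fit in memory, dynamic buffers may be oversubscribed) can be checked before a profile is pushed to a switch. The following is an added example, not Dell Networking OS code; it assumes the memory model the text gives for the 48-port 1G card (128-byte cells, 16384 cells per FP), that every port on the port-pipe uses the same profile, and that the page's 59040/29 divides the oversubscribed pool among 29 sharing ports (the manual does not say where the 29 comes from, so it is a parameter). The `check_profile`, `kb_to_cells` and `dynamic_cell_limit` names are the example's own.

```python
import math

# Memory model from the text: 128-byte cells, 16384 cells available on the 48-port 1G FP.
CELL_BYTES = 128
TOTAL_CELLS = 16384


def kb_to_cells(kilobytes):
    """Cells needed for the given kilobytes; a partial cell still costs a whole cell."""
    return math.ceil(kilobytes * 1024 / CELL_BYTES)


def check_profile(dedicated_kb, dynamic_kb, ports, total_cells=TOTAL_CELLS):
    """Check one buffer profile applied to `ports` interfaces that share one FP.

    dedicated_kb: 'buffer dedicated' value per queue in KB, eight entries (queue0..queue7)
    dynamic_kb:   'buffer dynamic' limit per interface in KB
    Dedicated buffers can never exceed memory (the switch rejects that with
    DSA_DEVICE_BUFFER_UNAVAILABLE); dynamic buffers may oversubscribe, so the result
    reports the ratio instead of rejecting it.
    """
    if len(dedicated_kb) != 8:
        return {"accepted": False, "error": "every port has eight queues; give eight values"}
    dedicated_total = sum(kb_to_cells(kb) for kb in dedicated_kb) * ports
    if dedicated_total > total_cells:
        return {"accepted": False,
                "error": f"dedicated buffers need {dedicated_total} cells, {total_cells} available"}
    dynamic_pool = total_cells - dedicated_total
    dynamic_requested = kb_to_cells(dynamic_kb) * ports
    return {
        "accepted": True,
        "dedicated_cells": dedicated_total,
        "dynamic_pool_cells": dynamic_pool,
        "dynamic_requested_cells": dynamic_requested,
        # > 1.0: a burst on one interface can deny another its configured dynamic allocation
        "oversubscription": round(dynamic_requested / dynamic_pool, 2) if dynamic_pool else math.inf,
    }


def dynamic_cell_limit(dynamic_pool_cells, ratio, sharing_ports):
    """Per-port dynamic cell limit: pool x oversubscription ratio / ports sharing the pool.

    Assumption: the page's 59040/29 = 2036 divides the oversubscribed pool (5904 x 10)
    among 29 sharing ports; the manual does not explain the 29, so it is a parameter here.
    """
    return round(dynamic_pool_cells * ratio / sharing_ports)
```

Run `check_profile([3] * 8, 256, 16)` to see a profile that fits with a dynamic oversubscription of about 2.5, and `check_profile([64] * 8, 256, 8)` to see the rejection the syslog message above describes; `dynamic_cell_limit(5904, 10, 29)` reproduces the page's 2036-cell figure.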
Dell Networking OS Behavior: When you remove a buffer-profile using the no buffer-profile [fp
| csf] command from CONFIGURATION mode, the buffer-profile name still appears in the output of
the show buffer-profile [detail | summary] command. After a stack unit reset, the buffer
profile correctly returns to the default values, but the profile name remains. Remove it from the show
buffer-profile [detail | summary] command output by entering no buffer [fp-uplink |
csf] stack-unit port-set buffer-policy from CONFIGURATION mode and no buffer-policy from
INTERFACE mode.
To display the allocations for any buffer profile, use the show commands.
To display the default buffer profile, use the show buffer-profile {summary | detail} command
from EXEC Privilege mode.
Dell#show buffer-profile detail interface tengigabitethernet 0/1
Interface tengig 0/1
Buffer-profile Dynamic buffer 194.88 (Kilobytes)
Queue#  Dedicated Buffer  Buffer Packets
        (Kilobytes)
0       2.50              256
1       2.50              256
2       2.50              256
3       2.50              256
4       9.38              256
5       9.38              256
6       9.38              256
7       9.38              256
Dell#show running-config interface tengigabitethernet 2/0
!
interface TenGigabitEthernet 2/0
no ip address
mtu 9252
switchport
no shutdown
buffer-policy myfsbufferprofile
Dell#show buffer-profile detail int gi 0/10
Interface Gi 0/10
Buffer-profile fsqueue-fp
Dynamic buffer 1256.00 (Kilobytes)
Queue#  Dedicated Buffer  Buffer Packets
        (Kilobytes)
0       3.00              256
1       3.00              256
2       3.00              256
3       3.00              256
4       3.00              256
5       3.00              256
6       3.00              256
7       3.00              256
Dell#show buffer-profile detail fp-uplink stack-unit 0 port-set 0
Linecard 0 Port-set 0
Buffer-profile fsqueue-hig
Dynamic Buffer 1256.00 (Kilobytes)
Queue#  Dedicated Buffer  Buffer Packets
        (Kilobytes)
0       3.00              256
1       3.00              256
2       3.00              256
3       3.00              256
4       3.00              256
5       3.00              256
6       3.00              256
7       3.00              256
Using a Pre-Defined Buffer Profile
The Dell Networking OS provides two pre-defined buffer profiles, one for single-queue (for example,
non-quality-of-service [QoS]) applications, and one for four-queue (for example, QoS) applications.
You must reload the system for the global buffer profile to take effect; a message similar to the following
displays: % Info: For the global pre-defined buffer profile to take effect, please
save the config and reload the system..
Dell Networking OS Behavior: After you configure buffer-profile global 1Q, the message displays during
every bootup. Only one reboot is required for the configuration to take effect; afterward you may ignore
this bootup message.
Dell Networking OS Behavior: The buffer profile does not return to the default (4Q) if you configure
1Q, save the running-config to the startup-config, and then delete the startup-config and reload the
chassis. The only way to return to the default buffer profile is to remove the configured 1Q profile and
then reload the chassis.
If you have already applied a custom buffer profile on an interface, the buffer-profile global
command fails and a message similar to the following displays: % Error: User-defined buffer
profile already applied. Failed to apply global pre-defined buffer profile.
Please remove all user-defined buffer profiles.
Similarly, when you configure buffer-profile global, you cannot apply a buffer profile on any
single interface. A message similar to the following displays: % Error: Global pre-defined buffer
profile already applied. Failed to apply user-defined buffer profile on
interface Gi 0/1. Please remove global pre-defined buffer profile.
To apply a predefined buffer profile, use the following command.
• Apply one of the pre-defined buffer profiles for all port pipes in the system.
  CONFIGURATION mode
  buffer-profile global [1Q|4Q]
If the default buffer profile (4Q) is active, the system displays an error message instructing you to remove
the default configuration using the no buffer-profile global command.
Sample Buffer Profile Configuration
The two general types of network environments are sustained data transfers and voice/data.
Dell Networking recommends a single-queue approach for data transfers.
Example of a Single Queue Application for S50N with Default Packet Pointers
!
buffer-profile fp fsqueue-fp
buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
buffer dynamic 1256
!
buffer-profile fp fsqueue-hig
buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
buffer dynamic 1256
!
buffer fp-uplink stack-unit 0 port-set 0 buffer-policy fsqueue-hig
buffer fp-uplink stack-unit 0 port-set 1 buffer-policy fsqueue-hig
!
Interface range gi 0/1 - 48
buffer-policy fsqueue-fp
Dell#sho run int gi 0/10
!
interface GigabitEthernet 0/10
no ip address
Troubleshooting Packet Loss
The show hardware stack-unit command is intended primarily to troubleshoot packet loss.
To troubleshoot packet loss, use the following commands.
• show hardware stack-unit 0–5 cpu data-plane statistics
• show hardware stack-unit 0–5 cpu party-bus statistics
• show hardware stack-unit 0-5 drops unit 0-0 port 1–56
• show hardware stack-unit 0-5 stack-port 33–56
• show hardware stack-unit 0-5 unit 0-0 {counters | details | port-stats [detail] | register |
  ipmc-replication | table-dump}
• show hardware {layer2| layer3} {eg acl |in acl} stack-unit 0-5 port-set 0-0
• show hardware layer3 qos stack-unit 0-5 port-set 0-0
• show hardware system-flow layer2 stack-unit 0-5 port-set 0-1 [counters]
• clear hardware stack-unit 0-5 counters
• clear hardware stack-unit 0-5 cpu data-plane statistics
• clear hardware stack-unit 0-5 cpu party-bus statistics
• clear hardware stack-unit 0-5 stack-port 33–56
Displaying Drop Counters
To display drop counters, use the following commands.
• Identify which stack unit, port pipe, and port is experiencing internal drops.
  show hardware stack-unit 0–11 drops [unit 0 [port 0–63]]
• Display drop counters.
  show hardware stack-unit drops unit port
Example of the show hardware stack-unit Command to View Drop Counters Statistics
Dell#show hardware stack-unit 0 drops
UNIT No: 0
Total Ingress Drops :0
Total IngMac Drops :0
Total Mmu Drops :0
Total EgMac Drops :0
Total Egress Drops :0
UNIT No: 1
Total Ingress Drops :0
Total IngMac Drops :0
Total Mmu Drops :0
Total EgMac Drops :0
Total Egress Drops :0
Dell#show hardware stack-unit 0 drops unit 0
Port#  :Ingress Drops  :IngMac Drops  :Total Mmu Drops  :EgMac Drops  :Egress Drops
1      0               0              0                 0             0
2      0               0              0                 0             0
3      0               0              0                 0             0
4      0               0              0                 0             0
5      0               0              0                 0             0
6      0               0              0                 0             0
7      0               0              0                 0             0
8      0               0              0                 0             0
Dell#show hardware stack-unit 0 drops unit 0 port 1
--- Ingress Drops ---
Ingress Drops                : 30
IBP CBP Full Drops           : 0
PortSTPnotFwd Drops          : 0
IPv4 L3 Discards             : 0
Policy Discards              : 0
Packets dropped by FP        : 14
(L2+L3) Drops                : 0
Port bitmap zero Drops       : 16
Rx VLAN Drops                : 0
--- Ingress MAC counters---
Ingress FCSDrops             : 0
Ingress MTUExceeds           : 0
--- MMU Drops ---
HOL DROPS                    : 0
TxPurge CellErr              : 0
Aged Drops                   : 0
--- Egress MAC counters---
Egress FCS Drops             : 0
--- Egress FORWARD PROCESSOR Drops ---
IPv4 L3UC Aged & Drops       : 0
TTL Threshold Drops          : 0
INVALID VLAN CNTR Drops      : 0
L2MC Drops                   : 0
PKT Drops of ANY Conditions  : 0
Hg MacUnderflow              : 0
TX Err PKT Counter           : 0
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into
the packet types coming to the CPU.
The command output in the following example has been augmented, providing detailed RX/ TX packet
statistics on a per-queue basis. The objective is to see whether CPU-bound traffic is internal (so-called
party bus or IPC traffic) or network control traffic, which the CPU must process.
Example of Viewing Dataplane Statistics
Dell#show hardware stack-unit 2 cpu data-plane statistics
bc pci driver statistics for device:
rxHandle         :0
noMhdr           :0
noMbuf           :0
noClus           :0
recvd            :0
dropped          :0
recvToNet        :0
rxError          :0
rxDatapathErr    :0
rxPkt(COS0)      :0
rxPkt(COS1)      :0
rxPkt(COS2)      :0
rxPkt(COS3)      :0
rxPkt(COS4)      :0
rxPkt(COS5)      :0
rxPkt(COS6)      :0
rxPkt(COS7)      :0
rxPkt(UNIT0)     :0
rxPkt(UNIT1)     :0
rxPkt(UNIT2)     :0
rxPkt(UNIT3)     :0
transmitted      :0
txRequested      :0
noTxDesc         :0
txError          :0
txReqTooLarge    :0
txInternalError  :0
txDatapathErr    :0
txPkt(COS0)      :0
txPkt(COS1)      :0
txPkt(COS2)      :0
txPkt(COS3)      :0
txPkt(COS4)      :0
txPkt(COS5)      :0
txPkt(COS6)      :0
txPkt(COS7)      :0
txPkt(UNIT0)     :0
The show hardware stack-unit cpu party-bus statistics command displays input and output
statistics on the party bus, which carries inter-process communication traffic between CPUs.
Example of Viewing Party Bus Statistics
Dell#sh hardware stack-unit 2 cpu party-bus statistics
Input Statistics:
27550 packets, 2559298 bytes
0 dropped, 0 errors
Output Statistics:
1649566 packets, 1935316203 bytes
0 errors
Display Stack Port Statistics
The show hardware stack-unit stack-port command displays input and output statistics for a
stack-port interface.
Example of Viewing Stack Unit Statistics
Dell#show hardware stack-unit 2 stack-port 49
Input Statistics:
27629 packets, 3411731 bytes
0 64-byte pkts, 27271 over 64-byte pkts, 207 over 127-byte pkts
17 over 255-byte pkts, 56 over 511-byte pkts, 78 over 1023-byte pkts
0 Multicasts, 5 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
1649714 packets, 1948622676 bytes, 0 underruns
0 64-byte pkts, 27234 over 64-byte pkts, 107970 over 127-byte pkts
34 over 255-byte pkts, 504838 over 511-byte pkts, 1009638 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 1649714 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 45 seconds):
Input 00.00 Mbits/sec,
2 packets/sec, 0.00% of line-rate
Output 00.06 Mbits/sec,
8 packets/sec, 0.00% of line-rate
Dell#
Display Stack Member Counters
The show hardware stack-unit 0–5 {counters | details | port-stats [detail] |
register} command displays internal receive and transmit statistics, based on the selected command
option.
The following example is a sample of the output for the counters option.
Example of Displaying Stack Unit Counters
RIPC4.ge0     :  1,202     +1,202
RUC.ge0       :  1,224     +1,217
RDBGC0.ge0    :  34        +24
RDBGC1.ge0    :  366       +235
RDBGC5.ge0    :  16        +12
RDBGC7.ge0    :  18        +12
GR64.ge0      :  5,176     +24
GR127.ge0     :  1,566     +1,433
GR255.ge0     :  4         +4
GRPKT.ge0     :  1,602     +1,461
GRBYT.ge0     :  117,600   +106,202
GRMCA.ge0     :  366       +235
GRBCA.ge0     :  12        +9
GT64.ge0      :  4         +3
GT127.ge0     :  964       +964
GT255.ge0     :  4         +4
GT511.ge0     :  1         +1
GTPKT.ge0     :  973       +972
GTBCA.ge0     :  1         +1
GTBYT.ge0     :  71,531    +71,467
RUC.cpu0      :  972       +971
TDBGC6.cpu0   :  1,584     +1,449
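Both the per-port drop output under Displaying Drop Counters and the counters output above share one line shape, `<name> : <value>`, with the counters option adding a `+<delta>` column. When you are chasing packet loss across many ports, a small parser that flags the non-zero counters and turns deltas into rates saves reading the output by hand. The following is an added example, not Dell Networking OS code; the two sample outputs are constructed in the shape of the examples on this page, the function names are the example's own, and it assumes the switch prints thousands separators as shown above.

```python
import re

# One counter per line: "<name> : <value>", optionally followed by " +<delta>" as in the
# counters output. Values may carry thousands separators as the switch prints them.
_COUNTER = re.compile(
    r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\d[\d,]*)(?:\s+\+(?P<delta>\d[\d,]*))?\s*$")


def parse_counters(text):
    """Return {name: (value, delta_or_None)} in output order; banners and prompts are skipped."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if not m:
            continue  # "--- MMU Drops ---", "Dell#show ...", blank lines
        value = int(m["value"].replace(",", ""))
        delta = int(m["delta"].replace(",", "")) if m["delta"] else None
        counters[m["name"].strip()] = (value, delta)
    return counters


def nonzero(counters):
    """Names of counters that are not zero, in output order: the ones worth investigating."""
    return [name for name, (value, _) in counters.items() if value]


def rates(counters, interval_seconds):
    """Per-second rate for counters that carry a +delta (the counters option prints one)."""
    return {name: delta / interval_seconds
            for name, (_, delta) in counters.items() if delta is not None}


# Constructed samples in the shape of the outputs on this page (values chosen for the checks).
DROPS_SAMPLE = """\
Dell#show hardware stack-unit 0 drops unit 0 port 1
--- Ingress Drops ---
Ingress Drops              : 30
IBP CBP Full Drops         : 0
Packets dropped by FP      : 14
(L2+L3) Drops              : 0
Port bitmap zero Drops     : 16
--- MMU Drops ---
HOL DROPS                  : 0
--- Egress FORWARD PROCESSOR Drops ---
TTL Threshold Drops        : 0
"""

COUNTERS_SAMPLE = """\
GRPKT.ge0    : 1,602     +1,461
GRBYT.ge0    : 117,600   +106,202
GTPKT.ge0    : 973       +972
"""

if __name__ == "__main__":
    print(nonzero(parse_counters(DROPS_SAMPLE)))
    print(rates(parse_counters(COUNTERS_SAMPLE), interval_seconds=10))
```

The parser keys on the colon separator rather than on fixed column positions, so it copes with the variable padding the switch uses between name and value.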
Enabling Application Core Dumps
Application core dumps are disabled by default.
A core dump file can be very large. Due to memory requirements the file can only be sent directly to an
FTP server; it is not stored on the local flash.
To enable full application core dumps, use the following command.
• Enable RPM core dumps and specify the Shutdown mode.
  CONFIGURATION mode
  logging coredump server
To undo this command, use the no logging coredump server command.
Mini Core Dumps
The Dell Networking OS supports mini core dumps on the application and kernel crashes. The mini core
dump applies to Master, Standby, and Member units.
Application and kernel mini core dumps are always enabled. The mini core dumps contain the stack
space and some other minimal information that you can use to debug a crash. These files are small files
and are written into flash until space is exhausted. When the flash is full, the write process is stopped.
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in
flash:/ (root dir). The application mini core filename format is f10StkUnit<Stack_unit_no>.<Application
name>.acore.mini.txt. The kernel mini core filename format is f10StkUnit<Stack_unit_no>.kcore.mini.txt.
The following are sample filenames.
When a member or standby unit crashes, the mini core file is uploaded to the master unit. When the
master unit crashes, the mini core file is uploaded to the new master.
In the MXL Switch, only the master unit has the ability to upload the coredump.
The panic string contains key information regarding the crash. Several panic string types exist, and they
are displayed in regular English text to allow easier understanding of the crash cause.
Example of Application Mini Core Dump Listings
Dell#dir
Directory of flash:
 1 drw-  16384 Jan 01 1980 00:00:00 +00:00 .
 2 drwx   1536 Sep 03 2009 16:51:02 +00:00 ..
 3 drw-    512 Aug 07 2009 13:05:58 +00:00 TRACE_LOG_DIR
 4 d---    512 Aug 07 2009 13:06:00 +00:00 ADMIN_DIR
 5 -rw-   8693 Sep 03 2009 16:50:56 +00:00 startup-config
 6 -rw-   8693 Sep 03 2009 16:44:22 +00:00 startup-config.bak
 7 -rw-    156 Aug 28 2009 16:16:10 +00:00 f10StkUnit0.mrtm.acore.mini.txt
 8 -rw-    156 Aug 28 2009 17:17:24 +00:00 f10StkUnit0.vrrp.acore.mini.txt
 9 -rw-    156 Aug 28 2009 18:25:18 +00:00 f10StkUnit0.sysd.acore.mini.txt
10 -rw-    156 Aug 28 2009 19:07:36 +00:00 f10StkUnit0.frrp.acore.mini.txt
11 -rw-    156 Aug 31 2009 16:18:50 +00:00 f10StkUnit2.sysd.acore.mini.txt
12 -rw-    156 Aug 29 2009 14:28:34 +00:00 f10StkUnit0.ipm1.acore.mini.txt
13 -rw-    156 Aug 31 2009 16:14:56 +00:00 f10StkUnit0.acl.acore.mini.txt
flash: 3104256 bytes total (2959872 bytes free)
Dell#
Example of a Mini Core Text File
VALID MAGIC
-----------------PANIC STRING ----------------
panic string is :<null>
---------------STACK TRACE START--------------
0035d60c <f10_save_mmu+0x120>:
00274f8c <panic+0x144>:
0024e2b0 <db_fncall+0x134>:
0024dee8 <db_command+0x258>:
0024d9c4 <db_command_loop+0xc4>:
002522b0 <db_trap+0x158>:
0026a8d0 <mi_switch+0x1b0>:
0026a00c <bpendtsleep>:
----------------STACK TRACE END----------------
--------------------FREE MEMORY--------------
uvmexp.free = 0x2312
Enabling TCP Dumps
A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system
manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in
the CLI.
You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in
the flash://TCP_DUMP_DIR/Tcpdump_<time_stamp_dir>/ directory and labeled tcpdump_*.pcap. There
can be up to 20 Tcpdump_<time_stamp_dir> directories. The 21st file overwrites the oldest saved file.
The maximum file size for a TCP dump capture is 1MB. When a file reaches 1MB, a new file is created, up
to the specified total number of files.
Maximize the number of packets recorded in a file by specifying the snap-length to capture the file
headers only.
The tcpdump command has a finite run process. When you enable the tcpdump command, it runs until
the capture-duration timer and/or the packet-count counter threshold is met. If you do not set a
threshold, the system uses a default of a 5 minute capture-duration and/or a single 1k file as the stopping
point for the dump.
You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump
stops when the first of the thresholds is met. That means that even if the duration timer is 9000 seconds,
if the maximum file count parameter is met first, the dumps stop.
To enable a TCP dump, use the following command.
• Enable a TCP dump for CPU bound traffic.
  CONFIGURATION mode
  tcpdump cp [capture-duration time | filter expression | max-file-count value
  | packet-count value | snap-length value | write-to path]
14 Dynamic Host Configuration Protocol (DHCP)
The dynamic host configuration protocol (DHCP) is an application layer protocol that dynamically assigns
IP addresses and other configuration parameters to network end-stations (hosts) based on configuration
policies determined by network administrators.
DHCP relieves network administrators of manually configuring hosts, which can be a tedious and error-prone
process when hosts often join, leave, and change locations on the network, and it reclaims IP
addresses that are no longer in use to prevent address exhaustion.
DHCP is based on a client-server model. A host discovers the DHCP server and requests an IP address,
and the server either leases or permanently assigns one. There are three types of devices that are involved
in DHCP negotiation:
DHCP Server: This is a network device offering configuration parameters to the client.
DHCP Client: This is a network device requesting configuration parameters from the server.
Relay Agent: This is an intermediary network device that passes DHCP messages between the
client and server when the server is not on the same subnet as the host.
DHCP Packet Format and Options
DHCP uses the user datagram protocol (UDP) as its transport protocol.
The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port
67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV)
format; many options are specified in RFC 2132. To limit the number of parameters that servers must
provide, hosts specify the parameters that they require, and the server sends only those parameters.
Some common options are shown in the following illustration.
Figure 33. DHCP packet Format
The following table lists common DHCP options.
Option                   Number and Description
Subnet Mask              Option 1. Specifies the client’s subnet mask.
Router                   Option 3. Specifies the router IP addresses that may serve as the client’s default
                         gateway.
Domain Name Server       Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name              Option 15. Specifies the domain name that clients should use when resolving
                         hostnames via DNS.
IP Address Lease Time    Option 51. Specifies the amount of time that the client is allowed to use an assigned
                         IP address.
DHCP Message Type        Option 53.
                         • 1: DHCPDISCOVER
                         • 2: DHCPOFFER
                         • 3: DHCPREQUEST
                         • 4: DHCPDECLINE
                         • 5: DHCPACK
                         • 6: DHCPNAK
                         • 7: DHCPRELEASE
                         • 8: DHCPINFORM
Parameter Request List   Option 55. Clients use this option to tell the server which parameters they require.
                         It is a series of octets where each octet is a DHCP option code.
Renewal Time             Option 58. Specifies the amount of time after the IP address is granted that the
                         client attempts to renew its lease with the original server.
Rebinding Time           Option 59. Specifies the amount of time after the IP address is granted that the
                         client attempts to renew its lease with any server, if the original server does not
                         respond.
Vendor Class Identifier  Option 60. Identifies a user-defined string used by the Relay Agent to forward DHCP
                         client packets to a specific server.
L2 DHCP Snooping         Option 82. Specifies IP addresses for DHCP messages received from the client that
                         are to be monitored to build a DHCP snooping database.
End                      Option 255. Signals the last option in the DHCP packet.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network.
When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP
   servers. This message includes the parameters that the client requires and might include suggested
   values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers
   to the client values for the requested parameters. Multiple servers might respond to a single
   DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered
   values.
4. After receiving a DHCPREQUEST, the server binds the client’s unique identifier (the hardware address
   plus IP address) to the accepted configuration parameters and stores the data in a database called a
   binding table. The server then broadcasts a DHCPACK message, which signals to the client that it
   may begin using the assigned parameters.
5. When the client leaves the network, or the lease time expires, it returns its IP address to the server in a
   DHCPRELEASE message.
There are additional messages that are used in case the DHCP negotiation deviates from the process
previously described and shown in the illustration below.
DHCPDECLINE: A client sends this message to the server in response to a DHCPACK if the
configuration parameters are unacceptable; for example, if the offered address is
already in use. In this case, the client starts the configuration process over by
sending a DHCPDISCOVER.
DHCPINFORM: A client uses this message to request configuration parameters when it has been assigned an
IP address manually rather than with DHCP. The server responds by unicast.
DHCPNAK: A server sends this message to the client if it is not able to fulfill a DHCPREQUEST;
for example, if the requested address is already in use. In this case, the client starts
the configuration process over by sending a DHCPDISCOVER.
Figure 34. Client and Server Messaging
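The packet format described under DHCP Packet Format and Options and the DISCOVER/OFFER/REQUEST/ACK exchange described under Assign an IP Address using DHCP, carried through in code, as an added example that is not part of this manual or of Dell Networking OS. It builds and parses the fixed 236-byte header plus the TLV option area, with the option numbers and message types taken from the table above (RFC 2132 numbering), and drives a toy in-memory server through the four-message exchange. The `Server`, `build`, `parse`, `run_exchange` and `is_wellformed` names, the 192.0.2.0/24 documentation addresses and the single address range are the example's own assumptions; no relay agent is modelled.

```python
import struct
from ipaddress import IPv4Address

# Option codes and message types from the table above (RFC 2132 numbering).
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_END = 51, 53, 55, 255
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes, then the cookie, then TLV options


def build(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a message: fixed header, magic cookie, TLV options, End (255)."""
    header = struct.pack(FIXED_HEADER, op, 1, len(chaddr), 0, xid, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse(pkt):
    """Return (op, xid, chaddr, yiaddr, {option: value}); a malformed TLV raises rather than being guessed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    f = struct.unpack(FIXED_HEADER, pkt[:236])
    op, hlen, xid, yiaddr, chaddr = f[0], f[2], f[4], f[8], f[11][:f[2]]
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return op, xid, chaddr, str(IPv4Address(yiaddr)), opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError(f"option {code}: length byte missing")
        length, value = pkt[i + 1], pkt[i + 2:i + 2 + pkt[i + 1]]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("End option (255) missing")


def is_wellformed(pkt):
    """True when the message parses cleanly; the reason for a rejection is in parse()'s ValueError."""
    try:
        parse(pkt)
        return True
    except ValueError:
        return False


class Server:
    """Toy server (assumption): one address range and a binding table keyed by client hardware address."""

    def __init__(self, first="192.0.2.10", count=5):
        self.free = [str(IPv4Address(first) + n) for n in range(count)]
        self.offers = {}    # chaddr -> address offered, awaiting DHCPREQUEST
        self.bindings = {}  # chaddr -> address (the binding table)
        self.params = {OPT_SUBNET_MASK: IPv4Address("255.255.255.0").packed,
                       OPT_ROUTER: IPv4Address("192.0.2.1").packed,
                       OPT_DNS: IPv4Address("192.0.2.2").packed,
                       OPT_LEASE_TIME: struct.pack("!I", 86400)}

    def _reply(self, xid, chaddr, mtype, ip="0.0.0.0", wanted=b""):
        # Only the parameters the client listed in Option 55 are returned.
        opts = [(OPT_MSG_TYPE, bytes([mtype]))] + [(c, self.params[c]) for c in wanted if c in self.params]
        return build(BOOTREPLY, xid, chaddr, ip, opts)

    def handle(self, pkt):
        _, xid, chaddr, _, opts = parse(pkt)
        mtype, wanted = opts[OPT_MSG_TYPE][0], opts.get(OPT_PARAM_LIST, b"")
        if mtype == DISCOVER:
            ip = self.bindings.get(chaddr) or self.offers.get(chaddr) or (self.free.pop(0) if self.free else None)
            if ip is None:
                return None  # range exhausted: no offer is sent
            self.offers[chaddr] = ip
            return self._reply(xid, chaddr, OFFER, ip, wanted)
        if mtype == REQUEST:
            ip = self.offers.pop(chaddr, None) or self.bindings.get(chaddr)
            if ip is None:
                return self._reply(xid, chaddr, NAK)  # nothing offered: client restarts with DISCOVER
            self.bindings[chaddr] = ip
            return self._reply(xid, chaddr, ACK, ip, wanted)
        if mtype == RELEASE:
            ip = self.bindings.pop(chaddr, None)
            if ip:
                self.free.append(ip)
        return None


def run_exchange(server, chaddr, xid=0x1234):
    """Client side of the four-message exchange; returns (message types seen, lease details)."""
    wanted = bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE_TIME])
    trace = []
    for mtype in (DISCOVER, REQUEST):
        trace.append(mtype)
        reply = server.handle(build(BOOTREQUEST, xid, chaddr,
                                    options=[(OPT_MSG_TYPE, bytes([mtype])), (OPT_PARAM_LIST, wanted)]))
        _, _, _, ip, ropts = parse(reply)
        trace.append(ropts[OPT_MSG_TYPE][0])
    return trace, {"ip": ip, "mask": str(IPv4Address(ropts[OPT_SUBNET_MASK])),
                   "router": str(IPv4Address(ropts[OPT_ROUTER])),
                   "lease_seconds": struct.unpack("!I", ropts[OPT_LEASE_TIME])[0]}
```

`run_exchange(Server(), b"\x00\x11\x22\x33\x44\x55")` returns the trace `[1, 2, 3, 5]` (DISCOVER, OFFER, REQUEST, ACK) together with the leased address and the parameters the client asked for in Option 55. The parser refuses a TLV whose length byte runs past the end of the packet; that strictness is what a snooping or relay implementation needs, since the option area is attacker-controlled input on an untrusted port.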
Implementation Information
The following describes DHCP implementation.
• Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
• IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking operating
  system (OS) uses access control lists (ACLs) internally to implement this feature and as such, you
  cannot apply ACLs to an interface which has IP source address validation. If you configure IP source
  address validation on a member port of a virtual local area network (VLAN) and then attempt to apply
  an access list to the VLAN, the system displays the first line in the following message. If you first apply
  an ACL to a VLAN and then attempt to enable IP source address validation on one of its member ports,
  the system displays the second line in the following message.
  % Error: Vlan member has access-list configured.
  % Error: Vlan has an access-list configured.
  NOTE: If you enable DHCP Snooping globally and you have any configured L2 ports, any IP ACL,
  MAC ACL, or DHCP source address validation ACL does not block DHCP packets.
• The Dell Networking OS provides 40K entries that can be divided between leased addresses and
  excluded addresses. By extension, the maximum number of pools you can configure depends on the
  subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the
  total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be
  configured. The maximum subnet that can be configured for a single pool is /17. The system displays
  an error message for configurations that exceed the allocated memory.
• The MXL switch supports 4K DHCP Snooping entries.
• All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to
  Dynamic ARP Inspection.
NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed
link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach
the DHCP server, resulting in BMP failure.
Configure the System to be a DHCP Server
Configuring the system to be a DHCP server is supported on the MXL switch.
A DHCP server is a network device that has been programmed to provide network configuration
parameters to clients upon request. Servers typically serve many clients, making host management much
more organized and efficient.
The following table lists the key responsibilities of DHCP servers.
Table 15. DHCP Server Responsibilities
DHCP Server Responsibility                       Description
Address Storage and Management                   DHCP servers are the owners of the addresses used by
                                                 DHCP clients. The server stores the addresses and
                                                 manages their use, keeping track of which addresses
                                                 have been allocated and which are still available.
Configuration Parameter Storage and Management   DHCP servers also store and maintain other parameters
                                                 that are sent to clients when requested. These
                                                 parameters specify in detail how a client is to operate.
Lease Management                                 DHCP servers use leases to allocate addresses to clients
                                                 for a limited time. The DHCP server maintains
                                                 information about each of the leases, including lease
                                                 length.
Responding To Client Requests                    DHCP servers respond to different types of requests from
                                                 clients, primarily, granting, renewing, and terminating
                                                 leases.
Providing Administration Services                DHCP servers include functionality that allows an
                                                 administrator to implement policies that govern how
                                                 DHCP performs its other tasks.
Configuring the Server for Automatic Address Allocation
Automatic address allocation is an address assignment method by which the DHCP server leases an IP
address to a client from a pool of available addresses.
An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes
the address pools.
To create an address pool, follow these steps.
1. Access the DHCP server CLI context.
   CONFIGURATION mode
   ip dhcp server
2. Create an address pool and give it a name.
   DHCP mode
   pool name
3. Specify the range of IP addresses from which the DHCP server may assign addresses.
   DHCP <POOL> mode
   network network/prefix-length
   • network: the subnet address.
   • prefix-length: specifies the number of bits used for the network portion of the address you
     specify.
   The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
   DHCP <POOL> mode
   show config
After an IP address is leased to a client, only that client may release the address. The Dell Networking OS
performs an IP + MAC source address validation to ensure that no client can release another client’s
address. This validation is a default behavior and is separate from IP+MAC source address validation.
Configuration Tasks
To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration
parameters and policy information including IP address ranges, lease length specifications, and
configuration data that DHCP hosts need.
Configuring the Dell system to be a DHCP server is a three-step process:
1. Configuring the Server for Automatic Address Allocation
2. Specifying a Default Gateway
3. Enabling the DHCP Server
Related Configuration Tasks
• Configure a Method of Hostname Resolution
• Creating Manual Binding Entries
• Debugging the DHCP Server
• Using DHCP Clear Commands
Excluding Addresses from the Address Pool
The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to
DHCP clients.
You must specify the IP addresses that the DHCP server should not assign to clients.
To exclude an address, follow this step.
• Exclude an address range from DHCP assignment. The exclusion applies to all configured pools.
  DHCP mode
  excluded-address
Specifying an Address Lease Time
To specify an address lease time, use the following command.
• Specify an address lease time for the addresses in a pool.
  DHCP <POOL>
  lease {days [hours] [minutes] | infinite}
  The default is 24 hours.
Specifying a Default Gateway
The IP address of the default router should be on the same subnet as the client.
To specify a default gateway, follow this step.
• Specify default gateway(s) for the clients on the subnet, in order of preference.
  DHCP <POOL>
  default-router address
Enabling the DHCP Server
To set up the DHCP Server, you must first enable it.
The DHCP server is disabled by default.
1. Enter the DHCP command-line context.
   CONFIGURATION mode
   ip dhcp server
2. Enable the DHCP server.
   DHCP mode
   no disable
   The default is Disabled.
3. Display the current DHCP configuration.
   DHCP mode
   show config
In the following illustration, an IP phone is powered by Power over Ethernet (PoE) and has acquired an IP
address from the Dell Networking system, which is advertising link layer discovery protocol (LLDP)-media
endpoint discovery (MED). The leased IP address is displayed using the show ip dhcp binding
command and confirmed using the show lldp neighbors command.
Figure 35. Enabling the DHCP Server
Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname
resolution—using DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host
names to IP addresses.
1. Create a domain.
   DHCP <POOL>
   domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
   DHCP <POOL>
   dns-server address
Using NetBIOS WINS for Address Resolution
Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to
correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of
four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1. Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft
   Dynamic Host Configuration Protocol (DHCP) clients.
   DHCP <POOL> mode
   netbios-name-server address
2. Specify the NetBIOS node type for a Microsoft DHCP client. Dell Networking recommends specifying
   clients as hybrid.
   DHCP <POOL> mode
   netbios-node-type type
Creating Manual Binding Entries
An address binding is a mapping between the IP address and the media access control (MAC) address of a
client.
The DHCP server assigns the client an available IP address automatically, and then creates an entry in the
binding table. However, the administrator can manually create an entry for a client; manual bindings are
useful when you want to guarantee that a particular network device receives a particular IP address.
Manual bindings can be considered single-host address pools. There is no limit on the number of manual
bindings, but you can only configure one manual binding per host.
NOTE: The Dell Networking OS does not prevent you from using a network IP as a host IP; be sure
to not use a network IP as a host IP.
1. Create an address pool.
   DHCP mode
   pool name
2. Specify the client IP address.
   DHCP <POOL>
   host address
3. Specify the client hardware address.
   DHCP <POOL>
   hardware-address hardware-address type
   • hardware-address: the client MAC address.
   • type: the protocol of the hardware platform.
   The default protocol is Ethernet.
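The allocation rules spelled out in the server sections above (pools, an excluded-address list that applies to every pool, a per-pool lease that defaults to 24 hours or can be infinite, and manual single-host bindings keyed by hardware address) can be modelled in a few dozen lines. The following Python is an added illustration, not Dell Networking OS code; the pool names, networks and MAC addresses in it are constructed sample values, and the refusal to bind a host to a network address is this model's own check (the manual notes the OS itself does not prevent it).

```python
"""Toy model of the DHCP server rules described in the manual: address pools,
an excluded-address list applying to all pools, per-pool lease time (24 h by
default, None = infinite) and manual single-host bindings keyed by client MAC.
Added illustration, not Dell Networking OS code; all values are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_LEASE = 24 * 3600  # the manual's default lease: 24 hours


@dataclass
class Pool:
    name: str
    network: Optional[str] = None            # "a.b.c.d/n" for a dynamic pool
    default_routers: list = field(default_factory=list)
    lease_seconds: Optional[int] = DEFAULT_LEASE   # None models "lease infinite"
    host: Optional[str] = None               # manual binding: "host address"
    hardware_address: Optional[str] = None   # manual binding: "hardware-address"

    def __post_init__(self) -> None:
        if self.network is not None:
            self.network = ipaddress.IPv4Network(self.network)
        if self.host is not None:
            self.host = ipaddress.IPv4Address(self.host)
            if self.hardware_address is None:
                raise ValueError("a manual binding needs both host and hardware-address")
        for r in self.default_routers:   # default router should be on the client's subnet
            if self.network is not None and ipaddress.IPv4Address(r) not in self.network:
                raise ValueError(f"default-router {r} is outside {self.network}")


@dataclass
class Binding:
    ip: ipaddress.IPv4Address
    mac: str
    pool: str
    expires_at: Optional[float]   # None = infinite lease


class DhcpServer:
    def __init__(self) -> None:
        self.enabled = False          # "The DHCP server is disabled by default."
        self.pools = {}               # name -> Pool
        self.excluded = set()         # IPv4Address, applies to every pool
        self.bindings = {}            # client MAC -> Binding

    def no_disable(self) -> None:     # DHCP mode: "no disable"
        self.enabled = True

    def excluded_address(self, start: str, end: Optional[str] = None) -> None:
        """Exclude one address or an inclusive range from all pools."""
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        self.excluded.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))

    def add_pool(self, pool: Pool) -> None:
        if pool.hardware_address and any(
                p.hardware_address == pool.hardware_address for p in self.pools.values()):
            raise ValueError("only one manual binding per host")
        # This model's own check: the OS does not stop you binding a network address.
        if pool.host is not None and any(
                p.network is not None and pool.host == p.network.network_address
                for p in self.pools.values()):
            raise ValueError("host address must not be a pool's network address")
        self.pools[pool.name] = pool

    def _expire(self, now: float) -> None:
        for mac in [m for m, b in self.bindings.items()
                    if b.expires_at is not None and b.expires_at <= now]:
            del self.bindings[mac]

    def _bind(self, pool: Pool, ip, mac: str, now: float) -> Binding:
        expires = None if pool.lease_seconds is None else now + pool.lease_seconds
        self.bindings[mac] = Binding(ip, mac, pool.name, expires)
        return self.bindings[mac]

    def allocate(self, mac: str, now: float = 0.0) -> Optional[Binding]:
        """Return the client's binding, creating one if needed (None = no address)."""
        if not self.enabled:
            return None
        self._expire(now)
        if mac in self.bindings:
            return self.bindings[mac]          # live lease is kept
        manual = next((p for p in self.pools.values() if p.hardware_address == mac), None)
        if manual is not None:
            return self._bind(manual, manual.host, mac, now)
        in_use = {b.ip for b in self.bindings.values()}
        reserved = {p.host for p in self.pools.values() if p.host is not None}
        for pool in self.pools.values():
            if pool.network is None:
                continue
            for ip in pool.network.hosts():    # skips network and broadcast addresses
                if ip in self.excluded or ip in in_use or ip in reserved:
                    continue
                return self._bind(pool, ip, mac, now)
        return None

    def release(self, mac: str) -> None:
        self.bindings.pop(mac, None)

    def show_bindings(self) -> list:
        return [(str(b.ip), b.mac, b.pool) for b in self.bindings.values()]


if __name__ == "__main__":
    srv = DhcpServer()
    srv.no_disable()
    srv.add_pool(Pool("lan", "10.0.0.0/29", default_routers=["10.0.0.1"]))
    srv.excluded_address("10.0.0.1", "10.0.0.2")       # gateway and a static host
    srv.add_pool(Pool("printer", host="10.0.0.5",
                      hardware_address="00:11:22:33:44:05", lease_seconds=None))
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:05", "00:11:22:33:44:02"):
        print(mac, srv.allocate(mac))
```

The model keeps the manual's ordering of checks: an existing live lease wins, a manual binding beats the dynamic pools, and dynamic allocation skips excluded addresses, addresses already leased, and addresses reserved by manual bindings.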
Debugging the DHCP Server
To debug the DHCP server, use the following command.
• Display debug information for the DHCP server.
  EXEC Privilege mode
  debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
  EXEC Privilege mode
  clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
  EXEC Privilege mode
  clear ip dhcp binding ip address
• Clear a DHCP address conflict.
  EXEC Privilege mode
  clear ip dhcp conflict
• Clear DHCP server counters.
  EXEC Privilege mode
  clear ip dhcp server statistics
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not
receive a response to its request and therefore cannot access the network.
You can configure an interface on the Dell Networking system to relay the DHCP messages to a specific
DHCP server using the ip helper-address dhcp-address command from INTERFACE mode, as
shown in the following illustration. Specify multiple DHCP servers by using the ip helper-address
dhcp-address command multiple times.
When you configure the ip helper-address command, the system listens for DHCP broadcast
messages on port 67. The system rewrites packets received from the client and forwards them via unicast
to the DHCP servers; the system rewrites the destination IP address and writes its own address as the
relay device. Responses from the server are unicast back to the relay agent on port 67 and the relay agent
rewrites the destination address and forwards the packet to the client subnet via broadcast or unicast,
depending on whether the client has set or cleared the BROADCAST flag in its DHCP PDUs.
NOTE: DHCP Relay is not available on Layer 2 interfaces and VLANs.
Figure 36. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface
command from EXEC privilege mode.
Example of the show ip interface Command
Dell#show ip int tengig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.2
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP
server.
Implement the DHCP client functionality as follows:
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration
  is not received. Use bare metal provisioning (BMP) to receive configuration parameters (the Dell
  Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a
  switch.
  A switch cannot operate with BMP and as a DHCP client simultaneously. To disable BMP in EXEC
  mode, use the stop bmp command. After BMP stops, the switch acts as a DHCP client.
• By default, the switch is configured to operate in Jumpstart mode as a DHCP client that sends DHCP
  requests to a DHCP server to retrieve configuration information (IP address, boot-image filename, and
  configuration file). All ports and management interfaces are brought up in Layer 3 mode and
  preconfigured with no shutdown and no ip address. For this reason, you cannot enter configuration
  commands to set up the switch.
  To interrupt a Jumpstart process, prevent a loop from occurring, and apply the FTOS image and
  startup configuration stored in the local flash, enter the stop jump-start command from the console.
  To re-configure the switch so that it boots up in normal mode using the FTOS image and startup
  configuration file in local flash, enter the reload-type normal-reload command and save it to the
  startup configuration:
  FTOS# reload-type normal-reload
  FTOS# write memory
  FTOS# reload
• To re-enable Jumpstart mode for the next reload, enter the reload-type jump-start command.
• A dynamic IP address acquired from a DHCP server is leased for a limited period or until the client
  releases the address.
• A DHCP server manages and assigns IP addresses to clients from an address pool stored on the
  server. For more information, refer to Configuring the Server for Automatic Address Allocation.
• Dynamically assigned IP addresses are supported only on Ethernet interfaces: 10 Gigabit, 40 Gigabit,
  and 100/1000/10000 Ethernet Interfaces. The DHCP client is supported on VLAN and port-channel
  interfaces.
• The public out-of-band management interface and default VLAN 1 are configured by default as a
  DHCP client to acquire a dynamic IP address from a DHCP server.
Configuring the DHCP Client System
This section describes how to configure and view an interface as a DHCP client to receive an IP address.
Dell Networking OS Behavior: The ip address dhcp command enables DHCP server-assigned
dynamic addresses on an interface. The setting persists after a switch reboot. To stop DHCP transactions
and save the dynamically acquired IP address, use the shutdown command on the interface. To display
the dynamic IP address and show DHCP as the mode of IP address assignment, use the show
interface type slot/port command. To unconfigure the IP address, use the no shutdown
command when the lease timer for the dynamic IP address is expired. The interface acquires a new
dynamic IP address from the DHCP server.
If you later enter the no shutdown command and the lease timer for the dynamic IP address has
expired, the IP address is released.
You cannot configure a secondary (backup) IP address on an interface using the ip address dhcp
command; you must use the ip address command at the interface configuration level.
Use the no ip address dhcp command to:
• Release the IP address dynamically acquired from a DHCP server from the interface.
• Disable the DHCP client on the interface so it cannot acquire a dynamic IP address from a DHCP
  server.
• Stop DHCP packet transactions on the interface.
When you enter the release dhcp command, the IP address dynamically acquired from a DHCP server
is released from an interface. The ability to acquire a new DHCP server-assigned address remains in the
running configuration for the interface. To acquire a new IP address, use the renew DHCP command in
EXEC Privilege mode or the ip address dhcp command in INTERFACE Configuration mode.
To manually configure a static IP address on an interface, use the ip address command. A prompt
displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a
DHCP server-assigned IP address is removed.
To enable acquiring a dynamic IP address from a DHCP server on an interface configured with a static IP
address, use the ip address dhcp command. A prompt displays to confirm the IP address
reconfiguration. If you confirm, the statically configured IP address is released. An error message displays
if you enter the release dhcp or renew dhcp commands.
To renew the lease time of the dynamically acquired IP, use the renew dhcp command on an interface
already configured with a dynamic IP address.
NOTE: To verify the currently configured dynamic IP address on an interface, use the show ip
dhcp lease command. The show running-configuration command output only displays ip
address dhcp. The currently assigned dynamic IP address does not display.
To configure and view an interface as a DHCP client to receive an IP address, use the following
commands.
1. Enter INTERFACE Configuration mode on an Ethernet interface.
   CONFIGURATION mode
   interface type slot/port
2. Acquire the IP address for an Ethernet interface from a DHCP network server.
   INTERFACE mode
   ip address dhcp
   Dynamically assigned IP addresses can be released without removing the DHCP client operation on
   the interface on a switch configured as a DHCP client.
3. Manually acquire a new IP address from the DHCP server by releasing a dynamically acquired IP
   address while retaining the DHCP client configuration on the interface.
   EXEC Privilege mode
   release dhcp interface type slot/port
4. Acquire a new IP address with renewed lease time from a DHCP server.
   EXEC Privilege mode
   renew dhcp interface type slot/port
Example of the show ip dhcp client statistics Command
Example of the show ip dhcp lease command
DHCP Client: Debug Messages Logged during DHCP Client Enabling/Disabling
DHCP Client: Debug Messages Logged during DHCP Client Release/Renew
To display DHCP client information, use the following show commands in EXEC Privilege mode.
• To display statistics about DHCP client interfaces, use the show ip dhcp client statistics
  interface type slot/port command.
• To clear DHCP client statistics on a specified or on all interfaces, use the clear ip dhcp client
  statistics {all | interface type slot/port} command.
• To display dynamic IP address lease information currently assigned to a DHCP client interface, use the
  show ip dhcp lease [interface type slot/port] command.
• To display log messages for all DHCP packets sent and received on DHCP client interfaces, use the
  debug ip dhcp client packets [interface type slot/port] command.
• To display log messages on DHCP client interfaces for IP address acquisition, IP address release, and
  IP address and lease time renewal, use the [no] debug ip dhcp client
  events [interface type slot/port] command.
Dell# show ip dhcp client statistics interface tengigabitethernet 0/1
Message          Received
DHCPOFFER        0
DHCPACK          0
DHCPNAK          0
Message          Sent
DHCPDISCOVER     0
DHCPREQUEST      0
DHCPDECLINE      0
DHCPRELEASE      0
DHCPREBIND       0
DHCPRENEW        0
Dell# show ip dhcp lease interface tengigabitethernet 4/37
Interface  Lease-IP       Def-Router  ServerId    State  Lease Obtnd At    Lease Expires At  Renew Time        Rebind Time
=========  =============  ==========  ==========  =====  ================  ================  ================  ================
Te 4/37    189.17.9.2/30  0.0.0.0     189.17.9.1  BOUND  06-12-2012 07:35  01-18-2038 11:14  09-05-2023 04:56  11-06-2034 13:46
The following example shows the packet- and event-level debug messages displayed for the packet
transmissions and state transitions on a DHCP client interface when you enable and disable a DHCP
client.
Dell (conf-if-te-0/1)# ip address dhcp
May 27 15:52:46: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP ENABLE CMD Received in state START
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1: Transitioned to state SELECTING
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP DISCOVER sent in Interface Te 0/1
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPOFFER packet in Interface Te 0/1 with Lease-Ip:10.16.134.250, Mask:255.255.0.0,Server-Id:10.16.134.249
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : IP STATUS MESSAGE Received in state SELECTING status: 0
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state REQUESTING
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP REQUEST sent in Interface Te 0/1
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPACK packet in InterfaceGi 0/1 with Lease-IP:10.16.134.250, Mask:255.255.0.0,
May 27 15:53:01: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : IP STATUS MESSAGE Received in state REQUESTING status: 0
May 27 15:53:01: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state BOUND,IP Address: 10.16.134.250 Renewal in 2582 seconds
Dell (conf-if-te-0/1)# no ip address dhcp
May 27 15:53:40: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP DISABLE CMD Received in state BOUND
May 27 15:53:40: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP RELEASE sent in Interface Te 0/1
May 27 15:53:40: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state START
May 27 15:53:40: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP DISABLED CMD sent to Dell in state START
The following shows an example of the packet- and event-level debug messages displayed for the packet
transmissions and state transitions on a DHCP client interface when you release and renew a DHCP
client.
Dell# release dhcp interface tengigabitethernet 0/1
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP RELEASE CMD Received in state BOUND
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP RELEASE sent in Interface Te 0/1
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state STOPPED
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP IP RELEASED CMD sent to Dell in state STOPPED
Dell# renew dhcp interface tengigabitethernet 0/1
May 27 15:55:28: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP RENEW CMD Received in state STOPPED
May 27 15:55:31: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state SELECTING
May 27 15:55:31: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP DISCOVER sent in Interface Te 0/1
May 27 15:55:31: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPOFFER packet in Interface Te 0/1 with Lease-Ip:10.16.134.250, Mask:255.255.0.0,Server-Id:10.16.134.249
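The DHCLIENT_DBG_EVT and DHCLIENT_DBG_PKT messages above have a fixed shape, so they can be parsed into the client's state transitions, the offers it saw, and the lease it bound, which is also a cheap way to notice an offer from a DHCP server you did not expect. The following Python is an added illustration, not a Dell Networking OS tool; SAMPLE_LOG is constructed from the manual's example lines (each message joined onto one line) plus one extra, constructed, offer from an unlisted server at 10.16.134.7.

```python
"""Parser for Dell Networking OS DHCLIENT debug messages.
Added illustration, not Dell Networking OS code.  SAMPLE_LOG is constructed
from the manual's example output; the 15:52:49 offer from 10.16.134.7 is an
invented line used to exercise the allow-list check."""
import re

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %STKUNIT\d+-M:CP "
                  r"%DHCLIENT-\d-DHCLIENT-LOG: DHCLIENT_DBG_(?P<kind>EVT|PKT): (?P<msg>.*)$")
IFACE = re.compile(r"Interface (?P<iface>\S+ \S+)")
STATE = re.compile(r"Transitioned to state (?P<state>[A-Z]+)")
OFFER = re.compile(r"Received DHCPOFFER packet in Interface (?P<iface>\S+ \S+) with "
                   r"Lease-I[Pp]:(?P<ip>[\d.]+),\s*Mask:(?P<mask>[\d.]+),\s*Server-Id:(?P<server>[\d.]+)")
BOUND = re.compile(r"state BOUND,IP Address: (?P<ip>[\d.]+) Renewal in (?P<renew>\d+) seconds")

SAMPLE_LOG = """\
May 27 15:52:46: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : DHCP ENABLE CMD Received in state START
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state SELECTING
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP DISCOVER sent in Interface Te 0/1
May 27 15:52:48: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPOFFER packet in Interface Te 0/1 with Lease-Ip:10.16.134.250, Mask:255.255.0.0,Server-Id:10.16.134.249
May 27 15:52:49: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPOFFER packet in Interface Te 0/1 with Lease-Ip:10.16.134.77, Mask:255.255.0.0,Server-Id:10.16.134.7
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state REQUESTING
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP REQUEST sent in Interface Te 0/1
May 27 15:52:51: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: Received DHCPACK packet in Interface Te 0/1 with Lease-IP:10.16.134.250, Mask:255.255.0.0,
May 27 15:53:01: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 : Transitioned to state BOUND,IP Address: 10.16.134.250 Renewal in 2582 seconds
"""


def parse_line(line):
    """One log line -> {'ts','kind','msg','iface'} or None if it is not a DHCLIENT debug line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    i = IFACE.search(rec["msg"])
    rec["iface"] = i.group("iface") if i else None
    return rec


def records(log):
    return [r for r in (parse_line(l) for l in log.splitlines()) if r]


def transitions(log):
    """[(interface, new_state), ...] in log order, from EVT messages."""
    out = []
    for r in records(log):
        s = STATE.search(r["msg"])
        if r["kind"] == "EVT" and s:
            out.append((r["iface"], s.group("state")))
    return out


def offers(log):
    """Every DHCPOFFER the client logged, as dicts with iface/ip/mask/server."""
    return [o.groupdict() for o in (OFFER.search(r["msg"]) for r in records(log)) if o]


def offers_from_unknown_servers(log, allowed):
    """Offers whose Server-Id is not on the allow-list: (iface, server, offered ip)."""
    return [(o["iface"], o["server"], o["ip"]) for o in offers(log) if o["server"] not in allowed]


def bound_leases(log):
    """{interface: (bound ip, renewal seconds)} taken from BOUND transitions."""
    out = {}
    for r in records(log):
        b = BOUND.search(r["msg"])
        if b:
            out[r["iface"]] = (b.group("ip"), int(b.group("renew")))
    return out


if __name__ == "__main__":
    print(transitions(SAMPLE_LOG))
    print(bound_leases(SAMPLE_LOG))
    print(offers_from_unknown_servers(SAMPLE_LOG, allowed={"10.16.134.249"}))
```

The allow-list check only sees offers that the client logged, so it complements rather than replaces DHCP snooping on the access switch; it is useful on a switch whose own management interface is a DHCP client.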
DHCP Client on a Management Interface
These conditions apply when you enable a management interface to operate as a DHCP client.
• The management default route is added with the gateway as the router IP address received in the
  DHCP ACK packet. It is required to send and receive traffic to and from other subnets on the external
  network. The route is added irrespective of whether the DHCP client and server are in the same or
  different subnets. Like other DHCP client management routes, the management default route is
  deleted when the management IP address is released.
• An ip route for 0.0.0.0 takes precedence if it is present or added later.
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip
  management route and show ip management-route dynamic command output.
• Management routes added by DHCP are automatically reinstalled if you configure a static IP route
  with the ip route command that replaces a management route added by the DHCP client. If you
  remove the statically configured IP route using the no ip route command, the management route
  is reinstalled. Manually delete management routes added by the DHCP client.
• To reinstall management routes added by the DHCP client that are removed or replaced by the same
  statically configured management routes, release the DHCP IP address and renew it on the
  management interface.
• Management routes added by the DHCP client have higher precedence over the same statically
  configured management route. Static routes are not removed from the running configuration if a
  dynamically acquired management route added by the DHCP client overwrites a static management
  route.
• Management routes added by the DHCP client are not added to the running configuration.
NOTE: Management routes added by the DHCP client include the specific routes to reach a DHCP
server in a different subnet and the management route.
DHCP Client Operation with Other Features
The DHCP client operates with other Dell Networking OS features, as the following describes.
Stacking
The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It
periodically synchronizes the lease file with the standby unit.
When a stack failover occurs, the new master requires the same DHCP server-assigned IP address on
DHCP client interfaces. The new master reinitiates a DHCP packet transaction by sending a DHCP
discovery packet on nonbound interfaces.
Virtual Link Trunking (VLT)
A DHCP client is not supported on VLT interfaces.
VLAN and Port Channels
DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG)
interfaces as on a physical interface.
DHCP Snooping
A DHCP client can run on a switch simultaneously with the DHCP snooping feature as follows:
• If you enable DHCP snooping globally on a switch and you enable a DHCP client on an interface, the
  trust port, source MAC address, and snooping table validations are not performed on the interface by
  DHCP snooping for packets destined to the DHCP client daemon.
  The following criteria determine packets destined for the DHCP client:
  – DHCP is enabled on the interface.
  – The user data protocol (UDP) destination port in the packet is 68.
  – The chaddr (change address) in the DHCP header of the packet is the same as the interface’s
    MAC address.
• An entry in the DHCP snooping table is not added for a DHCP client interface.
DHCP Server
A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a
dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from
another DHCP server.
Virtual Router Redundancy Protocol (VRRP)
Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP
interface IP address to a VRRP virtual group. Doing so guarantees that this router becomes the VRRP
group owner.
To use the router as the VRRP owner, if you enable a DHCP client on an interface that is added to a VRRP
group, assign a priority less than 255 but higher than any other priority assigned in the group.
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms.
Secure DHCP is a suite of features that protects networks that use dynamic address allocation from
spoofing and attacks.
• Option 82
• DHCP Snooping
• Dynamic ARP Inspection
• Source Address Validation
Option 82
RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address
assignment.
The code for the relay agent information option is 82, and it comprises two sub-options, circuit ID and
remote ID.
Circuit ID
  This is the interface on which the client-originated message is received.
Remote ID
  This identifies the host from which the message is received. The value of this suboption is the MAC
  address of the relay agent that adds Option 82.
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can
use this information to:
• track the number of address requests per relay agent. Restricting the number of addresses available
  per relay agent can harden a server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent offering an IP address to a client
  spoofing the same MAC address on a different relay agent.
• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to
  requests from an unauthorized relay agent.
The server echoes the option back to the relay agent in its response, and the relay agent can use the
information in the option to forward a reply out the interface on which the request was received rather
than flooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
  CONFIGURATION mode
  ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
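The relay path described under "Configure the System to be a Relay Agent" and the Option 82 handling described just above fit together in one small model: a client broadcast received on port 67 is re-addressed and unicast to every helper address with giaddr set and the relay agent information option appended; a server reply is accepted only if it echoes this relay's remote ID, has Option 82 stripped, and is sent out the circuit-ID port as a broadcast or a unicast according to the client's BROADCAST flag. The following Python is an added illustration, not Dell Networking OS code; the relay IP and MAC, the helper addresses and the port names are constructed sample values, and the message layout follows RFC 2131 with the RFC 3046 sub-option codes (1 = circuit ID, 2 = remote ID).

```python
"""DHCP relay agent model with Option 82 insertion and stripping.
Added illustration, not Dell Networking OS code; all addresses constructed."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the fixed header
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2           # RFC 3046 sub-options of Option 82
FLAG_BROADCAST = 0x8000                        # client's BROADCAST flag
HDR = "!BBBBIHH4s4s4s4s16s64s128s"             # RFC 2131 fixed fields, 236 bytes


def ip_bytes(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def ip_str(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def build(op, xid, chaddr, flags=0, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=None):
    """Serialize a minimal BOOTP/DHCP message; options is {code: value bytes}."""
    hdr = struct.pack(HDR, op, 1, len(chaddr), hops, xid, 0, flags,
                      b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, ip_bytes(giaddr),
                      chaddr, b"", b"")          # struct pads chaddr/sname/file with NULs
    body = b"".join(bytes([c, len(v)]) + v for c, v in (options or {}).items())
    return hdr + MAGIC + body + bytes([OPT_END])


def parse_tlvs(data: bytes, end=None) -> dict:
    """Decode code/length/value items (DHCP options, or Option 82 sub-options)."""
    out, i = {}, 0
    while i < len(data) and data[i] != end:
        if data[i] == 0:                         # pad option
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def parse(data: bytes) -> dict:
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "yiaddr": ip_str(f[8]), "giaddr": ip_str(f[10]),
            "chaddr": f[11][:f[2]], "options": parse_tlvs(data[240:], OPT_END)}


class RelayAgent:
    def __init__(self, relay_ip: str, relay_mac: bytes, helper_addresses):
        self.ip, self.mac = relay_ip, relay_mac
        self.servers = list(helper_addresses)   # one "ip helper-address" per server

    def option82(self, ingress_port: str) -> bytes:
        """Circuit ID = ingress interface name, remote ID = this relay's MAC."""
        cid = ingress_port.encode()
        return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
                + bytes([SUB_REMOTE_ID, len(self.mac)]) + self.mac)

    def from_client(self, data: bytes, ingress_port: str):
        """Relay a client broadcast: returns [(server_ip, 67, packet), ...]."""
        m = parse(data)
        if m["op"] != BOOTREQUEST:
            return []
        # The first relay on the path records itself in giaddr; later hops keep it.
        giaddr = self.ip if m["giaddr"] == "0.0.0.0" else m["giaddr"]
        opts = dict(m["options"])
        opts[OPT_RELAY_INFO] = self.option82(ingress_port)
        pkt = build(BOOTREQUEST, m["xid"], m["chaddr"], m["flags"],
                    giaddr=giaddr, hops=m["hops"] + 1, options=opts)
        return [(server, 67, pkt) for server in self.servers]

    def from_server(self, data: bytes):
        """Relay a server reply: returns (egress_port, dst_ip, 68, packet) or None."""
        m = parse(data)
        if m["op"] != BOOTREPLY or OPT_RELAY_INFO not in m["options"]:
            return None
        subs = parse_tlvs(m["options"][OPT_RELAY_INFO])
        if subs.get(SUB_REMOTE_ID) != self.mac:
            return None                          # not echoing our insertion: drop
        port = subs.get(SUB_CIRCUIT_ID, b"").decode()
        opts = {c: v for c, v in m["options"].items() if c != OPT_RELAY_INFO}
        pkt = build(BOOTREPLY, m["xid"], m["chaddr"], m["flags"],
                    yiaddr=m["yiaddr"], giaddr=m["giaddr"], options=opts)
        dst = "255.255.255.255" if m["flags"] & FLAG_BROADCAST else m["yiaddr"]
        return port, dst, 68, pkt


if __name__ == "__main__":
    relay = RelayAgent("10.11.0.1", bytes.fromhex("aabbccddeeff"), ["192.168.0.1", "192.168.0.2"])
    disc = build(BOOTREQUEST, 0x1234, bytes.fromhex("001122334455"),
                 flags=FLAG_BROADCAST, options={OPT_MSG_TYPE: b"\x01"})
    for server, port, pkt in relay.from_client(disc, "Te 1/3"):
        print(server, port, parse(pkt)["giaddr"], parse(pkt)["options"][OPT_RELAY_INFO].hex())
```

Using the circuit ID echoed by the server to choose the egress port is what lets the relay answer on the single interface the request came from instead of flooding the VLAN; rejecting replies whose remote ID is not this relay's MAC is the model's rendering of the trust check a relay has to make before it forwards a reply downstream.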
DHCP Snooping
DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either
trusted or not trusted.
By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
Manually configure ports connected to legitimate servers and relay agents as trusted.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages —
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and
DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the
packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for
validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real
client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not
trusted port are also dropped. This checkpoint prevents an attacker from impersonating a DHCP server
to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE.
Dell Networking OS Behavior: Introduced in the Dell Networking OS version 7.8.1.0, DHCP snooping was
available for Layer 3 only and dependent on DHCP relay agent (ip helper-address). The Dell
Networking OS version 8.2.1.0 extends DHCP snooping to Layer 2 and you do not have to enable relay
agent to snoop on Layer 2 interfaces.
Dell Networking OS Behavior: Binding table entries are deleted when a lease expires or when the relay
agent encounters a DHCPRELEASE. The switch maintains a list of snooped VLANs. When the binding
table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded
across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are
made. However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping
table can decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP
address assignments are allowed.
NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for
DHCP snooping. To prevent these packets from being dropped, configure ip dhcp snooping
trust on the server-connected port.
Enabling DHCP Snooping
To enable DHCP snooping, use the following commands.
1. Enable DHCP snooping globally.
   CONFIGURATION mode
   ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted.
   INTERFACE mode
   ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN.
   CONFIGURATION mode
   ip dhcp snooping vlan
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
  EXEC Privilege mode
  ip dhcp snooping binding mac
Clearing the Binding Table
To clear the binding table, use the following command.
• Delete all of the entries in the binding table.
  EXEC Privilege mode
  clear ip dhcp snooping binding
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
• Display the contents of the binding table.
  EXEC Privilege mode
  show ip dhcp snooping
Example of the show ip dhcp snooping Command
View the DHCP snooping statistics with the show ip dhcp snooping command.
Dell#show ip dhcp snooping
IP DHCP Snooping                                : Disabled.
IP DHCP Snooping Mac Verification               : Disabled.
IP DHCP Relay Information-option                : Disabled.
IP DHCP Relay Trust Downstream                  : Enabled.
Database write-delay (In minutes)               : 0
DHCP packets information
Relay Information-option packets                : 0
Relay Trust downstream packets                  : 0
Snooping packets                                : 0
Packets received on snooping disabled L3 Ports  : 0
Snooping packets processed on L2 vlans          : 0
DHCP Binding File Details
Invalid File                                    : 0
Invalid Binding Entry                           : 0
Binding Entry lease expired                     : 0
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE.
Starting with the Dell Networking OS version 8.2.1.1, line cards maintain a list of snooped VLANs. When
the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are
forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address
assignments are made. However, DHCP release and decline packets are allowed so that the DHCP
snooping table can decrease in size. After the table usage falls below the maximum limit of 4000 entries,
new IP address assignments are allowed.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This
output displays the snooping binding table created using the ACK packets from the trusted port.
Dell#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address   MAC Address         Expires(Sec)  Type  VLAN   Interface
================================================================
10.1.1.251   00:00:4d:57:f2:50   172800        D     Vl 10  Gi 0/2
10.1.1.252   00:00:4d:57:e6:f6   172800        D     Vl 10  Gi 0/1
10.1.1.253   00:00:4d:57:f8:e8   172740        D     Vl 10  Gi 0/3
10.1.1.254   00:00:4d:69:e8:f2   172740        D     Vl 10  Te 0/50
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP
frames that have been validated against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP
requests and replies from any device. ARP replies are accepted even when no request was sent. If a client
receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the
existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers
use to inject false IP-to-MAC mappings into the ARP cache of a network device. It is used to launch
man-in-the-middle (MITM) and denial-of-service (DoS) attacks, among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP
address in the sender protocol field are strategically chosen by the attacker. For example, in an MITM
attack, the attacker sends a client an ARP message containing the attacker’s MAC address and the
gateway’s IP address. The client then thinks that the attacker is the gateway, and sends all internet-bound
packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC
address and the client’s IP address. The gateway then thinks that the attacker is the client and forwards all
packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the
client.
Other attacks using ARP spoofing include:
Broadcast
  An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the
  gateway’s MAC address, resulting in all clients broadcasting all internet-bound
  packets.
MAC flooding
  An attacker can send fraudulent ARP messages to the gateway until the ARP cache
  is exhausted, after which, traffic from the gateway is broadcast.
Denial of service
  An attacker can send fraudulent ARP messages to a client to associate a false
  MAC address with the gateway address, which would blackhole all internet-bound
  packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of
SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to
16 VLANs on a system. However, the ExaScale default CAM profile allocates only nine entries to the
L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM
space to the L2SysFlow region before enabling DAI.
SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol and
L2SystemFlow. L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries
are used by Layer 2 protocols, leaving nine for DAI. L2Protocol can have a maximum of 100 entries;
you must expand this region to capacity before you can increase the size of L2SystemFlow. This is
relevant when you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16 VLANs, you need seven more entries; in this case, reconfigure the SystemFlow region for 122 entries using the layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122 command.
The logic is as follows:
L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries,
before L2SystemFlow can be increased; therefore, 13 more L2Protocol entries are required.
L2SystemFlow has 15 entries by default, but only nine are for DAI; to enable DAI on 16 VLANs, seven
more entries are required. 87 L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow + 7
additional L2SystemFlow equals 122.
Configuring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1. Enable DHCP snooping.
2. Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
arp inspection
Example of Viewing the ARP Database
To view entries in the ARP database, use the show arp inspection database command.
Dell#show arp inspection database
Protocol Address     Age(min) Hardware Address   Interface VLAN  CPU
--------------------------------------------------------------------
Internet 10.1.1.251  -        00:00:4d:57:f2:50  Gi 0/2    Vl 10 CP
Internet 10.1.1.252  -        00:00:4d:57:e6:f6  Gi 0/1    Vl 10 CP
Internet 10.1.1.253  -        00:00:4d:57:f8:e8  Gi 0/3    Vl 10 CP
Internet 10.1.1.254  -        00:00:4d:69:e8:f2  Te 0/50   Vl 10 CP
Dell#
Example of Viewing ARP Packets
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Dell#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
--------------------------------------
Valid ARP Requests   : 0
Valid ARP Replies    : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies  : 0
Dell#
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in
multi-switch environments.
ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by
default.
To bypass the ARP inspection, use the following command.
• Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
Dell Networking OS Behavior: Introduced in the Dell Networking OS version 8.2.1.0, DAI was available
for Layer 3 only. However, the Dell Networking OS version 8.2.1.1 extends DAI to Layer 2.
Source Address Validation
Using the DHCP binding table, the Dell Networking OS can perform three types of source address
validation (SAV).
Table 16. Three Types of Source Address Validation
IP Source Address Validation: Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation: Verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload.
IP+MAC Source Address Validation: Verifies that the IP source address and MAC source address are a legitimate pair.
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.
For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic
addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
The DHCP binding table associates the addresses that the DHCP servers assign with the port on which the requesting client is attached. When you enable IP source address validation on a port, the system verifies that the source IP address is one that is associated with the incoming port. If an attacker is impersonating a legitimate client, the source address appears on the wrong ingress port and the system drops the packet. Likewise, if the IP address is fake, the address is not on the list of permissible addresses for the port and the packet is dropped.
To enable IP source address validation, use the following command.
• Enable IP source address validation.
INTERFACE mode
ip dhcp source-address-validation
DHCP MAC Source Address Validation
DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against
the client hardware address field (CHADDR) in the payload.
The Dell Networking OS version 8.2.1.1 ensures that the packet’s source MAC address is checked against
the CHADDR field in the DHCP header only for packets from snooped VLANs.
• Enable DHCP MAC SAV.
CONFIGURATION mode
ip dhcp snooping verify mac-address
Enabling IP+MAC Source Address Validation
IP source address validation (SAV) validates the IP source address of an incoming packet against the
DHCP snooping binding table.
IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than
validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.
1. Allocate at least one FP block to the ipmacacl CAM region.
CONFIGURATION mode
cam-acl l2acl
2. Save the running-config to the startup-config.
EXEC Privilege mode
copy running-config startup-config
3. Reload the system.
EXEC Privilege mode
reload
4. Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
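The checks described in the dynamic ARP inspection and source address validation sections above all consult the same DHCP snooping binding table, so they can be shown together. The following Python block is an added illustration written for this guide, not Dell Networking OS code: the SnoopingSwitch class, its method names and the constructed frames are assumptions made for the example, while the bindings loaded into it are the four entries from the show arp inspection database example above.

```python
"""Added model of the DHCP-snooping-derived checks in this chapter: dynamic
ARP inspection (DAI), IP source address validation (SAV), DHCP MAC SAV and
IP+MAC SAV. Not Dell Networking OS code; names are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the lease a DHCP server handed out, and where."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    bindings: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)    # arp inspection-trust
    dai_vlans: set = field(default_factory=set)        # arp inspection (VLAN mode)
    ip_sav_ports: set = field(default_factory=set)     # ip dhcp source-address-validation
    ipmac_sav_ports: set = field(default_factory=set)  # ip dhcp source-address-validation ipmac

    def enable_sav(self, port: str, mode: str) -> None:
        """IP SAV and IP+MAC SAV cannot both be configured on a port."""
        if mode not in ("ip", "ipmac"):
            raise ValueError(mode)
        other = self.ipmac_sav_ports if mode == "ip" else self.ip_sav_ports
        if port in other:
            raise ValueError(f"{port}: the other SAV mode is already configured")
        (self.ip_sav_ports if mode == "ip" else self.ipmac_sav_ports).add(port)

    def inspect_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: an ARP frame passes only if its sender MAC/IP pair is bound to this
        port and VLAN. Trusted ports and VLANs without DAI bypass the check."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True
        return Binding(sender_mac, sender_ip, vlan, port) in self.bindings

    def validate_ip_source(self, port: str, src_ip: str) -> bool:
        """IP SAV: the source IP must be one leased to a client on this port."""
        if port not in self.ip_sav_ports:
            return True
        return any(b.ip == src_ip and b.port == port for b in self.bindings)

    def validate_ip_mac(self, port: str, src_mac: str, src_ip: str) -> bool:
        """IP+MAC SAV: the (IP, MAC) pair itself must be a binding on this port,
        so a leased IP sent with someone else's MAC is dropped."""
        if port not in self.ipmac_sav_ports:
            return True
        return any(b.ip == src_ip and b.mac == src_mac and b.port == port
                   for b in self.bindings)

    @staticmethod
    def validate_dhcp_chaddr(src_mac: str, chaddr: str, vlan_snooped: bool) -> bool:
        """DHCP MAC SAV: on snooped VLANs the Ethernet source MAC must equal the
        CHADDR field carried inside the DHCP payload."""
        return (not vlan_snooped) or src_mac.lower() == chaddr.lower()


def build_switch() -> SnoopingSwitch:
    """Switch loaded with the four bindings from the show arp inspection
    database example on this page (VLAN 10); Te 0/50 is the trusted uplink."""
    sw = SnoopingSwitch()
    for mac, ip, port in [("00:00:4d:57:f2:50", "10.1.1.251", "Gi 0/2"),
                          ("00:00:4d:57:e6:f6", "10.1.1.252", "Gi 0/1"),
                          ("00:00:4d:57:f8:e8", "10.1.1.253", "Gi 0/3"),
                          ("00:00:4d:69:e8:f2", "10.1.1.254", "Te 0/50")]:
        sw.bindings.add(Binding(mac, ip, 10, port))
    sw.dai_vlans.add(10)
    sw.trusted_ports.add("Te 0/50")
    sw.enable_sav("Gi 0/1", "ip")
    sw.enable_sav("Gi 0/2", "ipmac")
    return sw


def run_checks() -> dict:
    """Constructed frames: legitimate clients plus a host on Gi 0/3 that
    claims the gateway's address. True means forward, False means drop."""
    sw = build_switch()
    return {
        "arp_legit": sw.inspect_arp("Gi 0/1", 10, "00:00:4d:57:e6:f6", "10.1.1.252"),
        "arp_spoof_gateway": sw.inspect_arp("Gi 0/3", 10, "00:00:4d:57:f8:e8", "10.1.1.254"),
        "arp_trusted": sw.inspect_arp("Te 0/50", 10, "de:ad:be:ef:00:01", "10.1.1.254"),
        "ipsav_ok": sw.validate_ip_source("Gi 0/1", "10.1.1.252"),
        "ipsav_wrong_port": sw.validate_ip_source("Gi 0/1", "10.1.1.251"),
        "ipmac_ok": sw.validate_ip_mac("Gi 0/2", "00:00:4d:57:f2:50", "10.1.1.251"),
        "ipmac_forged_mac": sw.validate_ip_mac("Gi 0/2", "de:ad:be:ef:00:02", "10.1.1.251"),
        "chaddr_mismatch": sw.validate_dhcp_chaddr("de:ad:be:ef:00:03", "00:00:4d:57:f8:e8", True),
    }


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{name:20} {'forward' if passed else 'DROP'}")
```

The model keeps the page's distinction between the three checks: DAI and IP+MAC SAV look up the whole (MAC, IP, port) tuple, IP SAV only asks whether the IP is leased on the ingress port, and the CHADDR check never touches the binding table at all.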
15 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) is supported on the MXL switch platform.
ECMP for Flow-Based Affinity
ECMP for flow-based affinity is available on the MXL switch.
NOTE: IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a
host entry and finds its place in the host table.
NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of
members in said ECMP/LAG is a multiple of 4.
Enabling Deterministic ECMP Next Hop
Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content
addressable memory (CAM).
For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came
up. In this case, the forwarding information base (FIB) and CAM sort them so that the ECMPs are always
arranged. This implementation ensures that every chassis having the same prefixes orders the ECMPs the
same.
With eight or less ECMPs, the ordering is lexicographic and deterministic. With more than eight ECMPs,
ordering is deterministic, but it is not in lexicographic order.
To enable deterministic ECMP next hop, use the appropriate command.
NOTE: Packet loss might occur when you enable ip/ipv6 ecmp-deterministic for the first time only.
• Enable IPv4 Deterministic ECMP Next Hop.
CONFIGURATION mode
ip ecmp-deterministic
• Enable IPv6 Deterministic ECMP Next Hop.
CONFIGURATION mode
ipv6 ecmp-deterministic
Link Bundle Monitoring
Monitoring linked ECMP bundles allows traffic distribution amounts in a link to be monitored for unfair
distribution at any given time.
A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time causes a syslog to be sent and an alarm event to be generated. When the deviation clears, another syslog is sent and a clear alarm event is generated.
Link bundle utilization is calculated as the total bandwidth of all links divided by the total bytes-per-second of all links. Within each ECMP group, you can specify interfaces. If you enable monitoring for the ECMP group, the utilization calculation is performed when the utilization of the link-bundle (not a link within a bundle) exceeds 60%.
Enable link bundle monitoring using the ecmp-group command.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
You can configure an ecmp-group with id 2 that is enabled for link bundle monitoring. This is different from the ecmp-group index 2 that is generated automatically when you configure routes. These two ecmp-groups are not related in any way.
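As an added illustration of deterministic ECMP next hop ordering and of the link bundle monitor described above (60% threshold, 15-second samples, three consecutive instances, a syslog on raise and another on clear), the following Python model was written for this guide and is not Dell Networking OS code. The LinkBundleMonitor and order_next_hops names, the sample rates, and the decision to compare each member's share of the bundle's traffic with the 60% threshold are assumptions made for the example; the page itself does not spell out how the per-link deviation is scored.

```python
"""Added model of deterministic ECMP ordering and link bundle monitoring.
Not Dell Networking OS code; names and the deviation rule are assumptions."""
import ipaddress
from dataclasses import dataclass, field

THRESHOLD = 0.60      # acceptable utilization, from the page
SAMPLE_SECONDS = 15   # monitoring interval, from the page
CONSECUTIVE = 3       # instances before a syslog and alarm are raised


def order_next_hops(next_hops: list) -> list:
    """Deterministic ECMP next hop: sort the paths so that every chassis with the
    same prefixes programs them in the same order, whatever order the protocols
    learned them in. The page says ordering is lexicographic for eight or fewer
    paths (modelled here as address-byte order); the >8 case is not specified."""
    if len(next_hops) > 8:
        raise ValueError("ordering of more than eight paths is not specified on this page")
    return sorted(next_hops, key=ipaddress.ip_address)


@dataclass
class Member:
    name: str
    capacity_bps: float       # link bandwidth in bits per second
    rate_bps: float = 0.0     # last 15-second sample, bytes-per-second * 8


@dataclass
class LinkBundleMonitor:
    """One ecmp-group with link bundle monitoring enabled."""
    group_id: int
    members: list
    consecutive_deviations: int = 0
    alarm: bool = False
    syslog: list = field(default_factory=list)

    def bundle_utilization(self) -> float:
        capacity = sum(m.capacity_bps for m in self.members)
        return sum(m.rate_bps for m in self.members) / capacity if capacity else 0.0

    def deviating_members(self) -> list:
        """Members carrying more than THRESHOLD of the bundle's traffic
        (assumed reading of '60% is an acceptable amount on a member link')."""
        total = sum(m.rate_bps for m in self.members)
        if total == 0:
            return []
        return [m.name for m in self.members if m.rate_bps / total > THRESHOLD]

    def sample(self, rates_bps: dict) -> bool:
        """Apply one 15-second sample; return whether an alarm is active after it."""
        for m in self.members:
            m.rate_bps = rates_bps.get(m.name, 0.0)
        # Per the page, the per-link check runs only when the bundle as a whole exceeds 60%.
        deviating = self.deviating_members() if self.bundle_utilization() > THRESHOLD else []
        if deviating:
            self.consecutive_deviations += 1
            if self.consecutive_deviations >= CONSECUTIVE and not self.alarm:
                self.alarm = True
                self.syslog.append(f"ecmp-group {self.group_id}: unfair distribution on "
                                   + ",".join(deviating) + " (alarm raised)")
        else:
            if self.alarm:
                self.alarm = False
                self.syslog.append(f"ecmp-group {self.group_id}: distribution alarm cleared")
            self.consecutive_deviations = 0
        return self.alarm


def run_monitor() -> LinkBundleMonitor:
    """Constructed sample: a two-member 10 GbE bundle in which one link carries
    nearly all traffic for 45 seconds, after which the load evens out."""
    mon = LinkBundleMonitor(2, [Member("Te 0/1", 10e9), Member("Te 0/2", 10e9)])
    skewed = {"Te 0/1": 13e9, "Te 0/2": 1e9}     # bundle 70% busy, 93% on one link
    balanced = {"Te 0/1": 7e9, "Te 0/2": 7e9}    # bundle 70% busy, 50% on each link
    for _ in range(CONSECUTIVE):
        mon.sample(skewed)                       # third instance raises the alarm
    mon.sample(balanced)                         # deviation clears: clear event
    return mon


if __name__ == "__main__":
    for line in run_monitor().syslog:
        print(line)
```

The point the model makes explicit is that a single skewed sample does nothing: the alarm is raised only on the third consecutive 15-second instance, and the first clean sample afterwards produces the clear event.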
Managing ECMP Group Paths
Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path
degeneration.
When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per
route.
To configure the maximum number of paths, use the following command.
NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
• Configure the maximum number of paths per ECMP group.
CONFIGURATION mode
ip ecmp-group maximum-paths {2-64}
• Enable ECMP group path management.
CONFIGURATION mode
ip ecmp-group path-fallback
Example of the ip ecmp-group maximum-paths Command
Dell(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take
effect
Dell(conf)#
16 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the MXL 10/40GbE switch. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FCoE transit is not supported on Fibre Channel interfaces.
Fibre Channel over Ethernet
FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN)
and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
FCoE works with the Ethernet enhancements provided in data center bridging (DCB) to support lossless
(no-drop) SAN and LAN traffic. In addition, DCB provides flexible bandwidth sharing for different traffic
types, such as LAN and SAN, according to 802.1p priority classes of service. For more information, refer
to the Data Center Bridging (DCB) chapter.
Ensure Robustness in a Converged Ethernet Network
Fibre Channel networks used for SAN traffic employ switches that operate as trusted devices. To
communicate with other end devices attached to the Fibre Channel network, end devices log into the
switch to which they are attached.
Because Fibre Channel links are point-to-point, a Fibre Channel switch controls all storage traffic that an
end device sends and receives over the network. As a result, the switch can enforce zoning
configurations, ensure that end devices use their assigned addresses, and secure the network from
unauthorized access and denial-of-service (DoS) attacks.
To ensure similar Fibre Channel robustness and security with FCoE in an Ethernet cloud network, FIP
establishes virtual point-to-point links between FCoE end-devices (server ENodes and target storage
devices) and FCoE forwarders (FCFs) over transit FCoE-enabled bridges.
Ethernet bridges commonly provide ACLs that can emulate a point-to-point link by providing the traffic
enforcement required to create a Fibre Channel-level of robustness. You can configure ACLs to emulate
point-to-point links, providing control over the traffic received or transmitted into the switch. To
automatically generate ACLs, use FIP snooping. In addition, FIP serves as a Layer 2 protocol to:
• Operate between FCoE end-devices and FCFs over intermediate Ethernet bridges to prevent unauthorized access to the network and achieve the required security.
• Allow transit Ethernet bridges to efficiently monitor FIP frames passing between FCoE end-devices and an FCF. To dynamically configure ACLs on the bridge to only permit traffic authorized by the FCF, use the FIP snooping data.
FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN). FIP satisfies the Fibre Channel requirement for point-to-point connections by creating a unique virtual link for each connection between an FCoE end-device and an FCF via a transit switch.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP
allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its
own EtherType and frame format. The following illustration shows the communication that occurs
between an ENode server and an FCoE switch (FCF).
The following table lists the FIP functions.
Table 17. FIP Functions
FIP VLAN discovery: FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery: FCoE end-devices and FCFs are automatically discovered.
Initialization: FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance: A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Figure 37. FIP Discovery and Login Between an ENode and an FCF
FIP Snooping on Ethernet Bridges
In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the
login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be
transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is
called a FIP snooping bridge (FSB).
On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed. The ACLs are
installed on switch ports configured for ENode mode for server-facing ports and FCF mode for a trusted
port directly connected to an FCF.
Enable FIP snooping on the switch and configure the FIP snooping parameters. When you enable FIP
snooping, all ports on the switch by default become ENode ports.
Dynamic ACL generation on the MXL switch operating as a FIP snooping bridge functions as follows:
Global ACLs: These are applied on server-facing ENode ports.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows an MXL 10/40GbE switch used as a FIP snooping bridge in a converged
Ethernet network. The top-of-rack (ToR) switch operates as an FCF for FCoE traffic. Converged LAN and
SAN traffic is transmitted between the ToR switch and an MXL switch. The MXL switch operates as a
lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the
FCF switch.
Figure 38. FIP Snooping on an MXL 10/40GbE Switch
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses.
• To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes.
• To ensure that they are operationally active, check FIP snooping-enabled VLANs.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
FIP Snooping in a Switch Stack
FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages.
• In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
NOTE: As a best practice, Dell Networking recommends not configuring FIP Snooping on a stacked
MXL switch.
Using FIP Snooping
There are four steps to configure FCoE transit.
1. Enable the FCoE transit feature on a switch to maintain FIP snooping information on the switch.
2. Enable FIP snooping globally on all virtual local area networks (VLANs) or individual VLANs on a FIP snooping bridge.
3. Configure the FC-Map value applied globally by the switch on all VLANs or an individual VLAN.
4. Configure FCF mode for a FIP snooping bridge-to-FCF link.
For a sample FIP snooping configuration, refer to Configuring FIP Snooping.
Important Points to Remember
• Enable DCBx on the switch before enabling the FIP Snooping feature.
• To enable the feature on the switch, configure FIP Snooping.
• To allow FIP frames to pass through the switch on all VLANs, enable FIP snooping globally on a switch.
• A switch can support a maximum of eight VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN.
• You can configure multiple FCF-trusted interfaces in a VLAN.
• When you disable FIP snooping:
– ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
– The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
Enabling the FCoE Transit Feature
The following sections describe how to enable FCoE transit.
NOTE: FCoE transit is disabled by default. To enable this feature, you must follow the Configuring
FIP Snooping procedure.
As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP
snooping configurations are applied. The FCoE database is populated when the switch connects to a
converged network adapter (CNA) or FCF port and compatible DCB configurations are synchronized. By
default, all FCoE and FIP frames are dropped unless specifically permitted by existing FIP snooping-generated ACLs. You can reconfigure any of the FIP snooping settings.
If you disable FCoE transit, FIP and FCoE traffic are handled as normal Ethernet frames and no FIP
snooping ACLs are generated. The VLAN-specific and FIP snooping configuration is disabled and stored
until you re-enable FCoE transit and the configurations are re-applied.
Enable FIP Snooping on VLANs
You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN.
When you enable FIP snooping on VLANs:
• FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs.
• FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
• You must configure at least one interface for FCF (FIP snooping bridge-bridge) mode on a FIP snooping-enabled VLAN. You can configure multiple FCF trusted interfaces in a VLAN.
• A maximum of eight VLANs are supported for FIP snooping on the switch. When enabled globally, FIP snooping processes FIP packets in traffic only from the first eight incoming VLANs. When enabled on a per-VLAN basis, FIP snooping is supported on up to eight VLANs.
Configure the FC-MAP Value
You can configure the FC-MAP value to be applied globally by the switch on all or individual FCoE VLANs
to authorize FCoE traffic.
The configured FC-MAP value is used to check the FC-MAP value for the MAC address assigned to
ENodes in incoming FCoE frames. If the FC-MAP value does not match, FCoE frames are dropped. A
session between an ENode and an FCF is established by the switch-bridge only when the FC-MAP value
on the FCF matches the FC-MAP value on the FIP snooping bridge.
Configure a Port for a Bridge-to-Bridge Link
If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for
bridge-bridge links.
Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values
in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it
allows FIP frames destined to or received from the FCF MAC address.
FCoE traffic is allowed on the port only after the switch learns the FC-MAP value associated with the
specified FCF MAC address and verifies that it matches the configured FC-MAP value for the FCoE VLAN.
Configure a Port for a Bridge-to-FCF Link
If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is
blocked; only FIP frames are allowed to pass.
FCoE traffic is allowed on the port only after a successful fabric login (FLOGI) request/response and
confirmed use of the configured FC-MAP value for the VLAN.
FLOGI and fabric discovery (FDISC) request/response packets are trapped to the CPU. They are forwarded
after the necessary ACLs are installed.
Impact on Other Software Features
When you enable FIP snooping on a switch, other software features are impacted. The following table
lists the impact of FIP snooping.
Table 18. Impact of Enabling FIP Snooping
MAC address learning: MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode.
MTU auto-configuration: MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
Link aggregation group (LAG): FIP snooping is supported on port channels on ports on which PFC mode is on (PFC is operationally up).
STP: If you enable an STP protocol (STP, RSTP, PVSTP, or MSTP) on the switch and ports enter a blocking state, when the state change occurs, the corresponding port-based ACLs are deleted. If a port is enabled for FIP snooping in ENode or FCF mode, the ENode/FCF MAC-based ACLs are deleted.
FIP Snooping Prerequisites
Before you enable FCoE transit and configure FIP snooping on a switch, ensure that certain conditions
are met.
A FIP snooping bridge requires data center bridging exchange protocol (DCBx) and priority-based flow control (PFC) to be enabled on the switch for lossless Ethernet connections (refer to the Data Center Bridging (DCB) chapter). Dell Networking also recommends enabling enhanced transmission selection (ETS); however, ETS is not required.
If you enable DCBx and PFC mode is on (PFC is operationally up) in a port configuration, FIP snooping is operational on the port. If the PFC parameters in a DCBx exchange with a peer are not synchronized, FIP and FCoE frames are dropped on the port after you enable the FIP snooping feature.
For VLAN membership, you must:
• create the VLANs on the switch which handles FCoE traffic (use the interface vlan command).
• configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (use the portmode hybrid command).
• configure tagged VLAN membership on each FIP snooping port that sends and receives FCoE traffic and has links with an FCF, ENode server, or another FIP snooping bridge (use the tagged port-type slot/port command).
The default VLAN membership of the port must continue to operate with untagged frames. FIP snooping
is not supported on a port that is configured for non-default untagged VLAN membership.
FIP Snooping Restrictions
The following restrictions apply when you configure FIP snooping.
• The maximum number of FCoE VLANs supported on the switch is eight.
• The maximum number of FIP snooping sessions supported per ENode server is 32. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is 12.
• Links to other FIP snooping bridges on a FIP snooping-enabled port (bridge-to-bridge links) are not supported on the MXL switch.
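The following Python block is an added model of the FIP snooping bridge behaviour described in the preceding sections: the FC-MAP prefix check on FCoE source MACs, the per-session ACL created on a FLOGI/FDISC accept and removed on FLOGO or clear virtual link, FCF versus ENode port modes, and the limits just listed (eight VLANs, 12 FCFs per VLAN, 32 sessions per ENode). It was written for this guide and is not Dell Networking OS code; the class and method names and the frame fields are assumptions made for the example, and the addresses are taken from the show fip-snooping examples later in this chapter.

```python
"""Added model of a FIP snooping bridge: FC-MAP check, per-session ACLs and the
stated limits. Not Dell Networking OS code; names are assumptions for the example."""
from dataclasses import dataclass, field

DEFAULT_FC_MAP = 0x0EFC00   # default on the page; valid values 0EFC00..0EFCFF
MAX_FCOE_VLANS = 8
MAX_FCF_PER_VLAN = 12


def fpma(fc_map: int, fc_id: str) -> str:
    """Fabric-provided MAC address: the 3-byte FC-MAP followed by the 3-byte FC-ID,
    so FC-MAP 0e:fc:00 and FC-ID 01:00:01 give 0e:fc:00:01:00:01 as on this page."""
    return f"{fc_map.to_bytes(3, 'big').hex(':')}:{fc_id}".lower()


@dataclass(frozen=True)
class Session:
    enode_mac: str
    enode_port: str
    fcf_mac: str
    vlan: int
    fcoe_mac: str   # the FPMA that the generated ACL permits


@dataclass
class FipSnoopingBridge:
    fc_map: int = DEFAULT_FC_MAP
    max_sessions_per_enode: int = 32   # 64 after fip-snooping max-sessions-per-enodemac
    vlans: set = field(default_factory=set)       # fip-snooping enable
    fcf_ports: set = field(default_factory=set)   # fip-snooping port-mode fcf; all others are ENode ports
    fcfs: dict = field(default_factory=dict)      # (vlan, fcf_mac) -> port
    sessions: dict = field(default_factory=dict)  # (vlan, fcoe_mac) -> Session

    def enable_vlan(self, vlan: int) -> None:
        if vlan not in self.vlans and len(self.vlans) >= MAX_FCOE_VLANS:
            raise ValueError("a maximum of eight FCoE VLANs is supported")
        self.vlans.add(vlan)

    def learn_fcf(self, vlan: int, fcf_mac: str, port: str, advertised_fc_map: int) -> bool:
        """Discovery advertisement on an FCF-mode port: accepted only if the FCF's
        FC-MAP matches the bridge's and the per-VLAN FCF limit allows it."""
        if vlan not in self.vlans or port not in self.fcf_ports or advertised_fc_map != self.fc_map:
            return False
        if (vlan, fcf_mac) not in self.fcfs and sum(v == vlan for v, _ in self.fcfs) >= MAX_FCF_PER_VLAN:
            return False
        self.fcfs[(vlan, fcf_mac)] = port
        return True

    def flogi_accept(self, vlan: int, enode_mac: str, enode_port: str, fcf_mac: str, fc_id: str) -> bool:
        """FLOGI/FDISC accept from a known FCF: create the session and the ACL that
        permits FCoE between the assigned FPMA on the ENode port and that FCF."""
        if (vlan, fcf_mac) not in self.fcfs:
            return False
        active = sum(s.vlan == vlan and s.enode_mac == enode_mac for s in self.sessions.values())
        if active >= self.max_sessions_per_enode:
            return False
        mac = fpma(self.fc_map, fc_id)
        self.sessions[(vlan, mac)] = Session(enode_mac, enode_port, fcf_mac, vlan, mac)
        return True

    def logout(self, vlan: int, fcoe_mac: str) -> None:
        """FLOGO accept or clear virtual link: the session and its ACL are removed."""
        self.sessions.pop((vlan, fcoe_mac.lower()), None)

    def permit_fcoe(self, vlan: int, port: str, src_mac: str, dst_mac: str) -> bool:
        """Forwarding decision for an FCoE data frame: only the virtual link of an
        active session passes, in either direction; everything else is dropped."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        if vlan not in self.vlans:
            return False                          # FCoE outside a snooped VLAN is dropped by default
        if port in self.fcf_ports:                # FCF -> ENode direction
            s = self.sessions.get((vlan, dst_mac))
            return s is not None and s.fcf_mac == src_mac and self.fcfs.get((vlan, src_mac)) == port
        if int(src_mac.replace(":", "")[:6], 16) != self.fc_map:
            return False                          # FC-MAP mismatch: dropped before any session lookup
        s = self.sessions.get((vlan, src_mac))    # ENode -> FCF direction
        return s is not None and s.enode_port == port and s.fcf_mac == dst_mac


def run_demo() -> dict:
    """Constructed walk-through with the addresses from the show fip-snooping
    examples: FCF 54:7f:ee:37:34:40 on Po 22, ENode d4:ae:52:1b:e3:cd on Te 0/11."""
    br = FipSnoopingBridge()
    br.enable_vlan(100)
    br.fcf_ports.add("Po 22")
    fcf, enode = "54:7f:ee:37:34:40", "d4:ae:52:1b:e3:cd"
    br.learn_fcf(100, fcf, "Po 22", 0x0EFC00)
    br.flogi_accept(100, enode, "Te 0/11", fcf, "62:00:11")
    vn = fpma(br.fc_map, "62:00:11")                         # 0e:fc:00:62:00:11
    out = {
        "enode_to_fcf": br.permit_fcoe(100, "Te 0/11", vn, fcf),
        "fcf_to_enode": br.permit_fcoe(100, "Po 22", fcf, vn),
        "no_session": br.permit_fcoe(100, "Te 0/11", "0e:fc:00:62:00:12", fcf),
        "wrong_port": br.permit_fcoe(100, "Te 0/12", vn, fcf),
        "bad_fc_map": br.permit_fcoe(100, "Te 0/11", "0e:fc:01:62:00:11", fcf),
    }
    br.logout(100, vn)                                       # FLOGO: ACL removed
    out["after_logout"] = br.permit_fcoe(100, "Te 0/11", vn, fcf)
    return out


if __name__ == "__main__":
    for name, permitted in run_demo().items():
        print(f"{name:14} {'permit' if permitted else 'drop'}")
```

Two details worth noticing in the model: a frame whose source MAC carries the wrong FC-MAP is dropped before the session table is consulted, which is the order the page describes, and the same FPMA arriving on a different ENode port is dropped even though a session exists, because the generated ACL is installed on the port where the login was seen.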
Configuring FIP Snooping
You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN.
By default, FIP snooping is disabled.
To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these
steps.
1. Enable the FCoE transit feature on a switch.
CONFIGURATION mode
feature fip-snooping
2. Enable FIP snooping on all VLANs or on a specified VLAN.
CONFIGURATION mode or VLAN INTERFACE mode
fip-snooping enable
By default, FIP snooping is disabled on all VLANs.
3. Configure the FC-MAP value used by FIP snooping on all VLANs.
CONFIGURATION VLAN or INTERFACE mode
fip-snooping fc-map fc-map-value
The default is 0x0EFC00.
The valid values are from 0EFC00 to 0EFCFF.
4. Enter interface configuration mode to configure the port for FIP snooping links.
CONFIGURATION mode
interface port-type slot/port
By default, a port is configured for bridge-to-ENode links.
5. Configure the port for bridge-to-FCF links.
INTERFACE or CONFIGURATION mode
fip-snooping port-mode fcf
NOTE: To disable the FIP snooping feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable.
Displaying FIP Snooping Information
Use the following show commands to display information on FIP snooping.
Table 19. Displaying FIP Snooping Information
show fip-snooping sessions [interface vlan vlan-id]: Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
show fip-snooping config: Displays the FIP snooping status and configured FC-MAP values.
show fip-snooping enode [enode-mac-address]: Displays information on the ENodes in FIP-snooped sessions, including the ENode interface and MAC address, FCF MAC address, VLAN ID and FC-ID.
show fip-snooping fcf [fcf-mac-address]: Displays information on the FCFs in FIP-snooped sessions, including the FCF interface and MAC address, FCF interface, VLAN ID, FC-MAP value, FKA advertisement period, and number of ENodes connected.
clear fip-snooping database interface vlan vlan-id {fcoe-mac-address | enode-mac-address | fcf-mac-address}: Clears FIP snooping information on a VLAN for a specified FCoE MAC address, ENode MAC address, or FCF MAC address, and removes the corresponding ACLs generated by FIP snooping.
show fip-snooping statistics [interface vlan vlan-id | interface port-type port/slot | interface port-channel port-channel-number]: Displays statistics on the FIP packets snooped on all interfaces, including VLANs, physical ports, and port channels.
clear fip-snooping statistics [interface vlan vlan-id | interface port-type port/slot | interface port-channel port-channel-number]: Clears the statistics on the FIP packets snooped on all VLANs, a specified VLAN, or a specified port interface.
show fip-snooping system: Displays information on the status of FIP snooping on the switch (enabled or disabled), including the number of FCoE VLANs, FCFs, ENodes, and currently active sessions.
show fip-snooping vlan: Displays information on the FCoE VLANs on which FIP snooping is enabled.
Example of the show fip-snooping sessions Command
Dell#show fip-snooping sessions
Enode MAC          Enode Intf  FCF MAC            FCF Intf  VLAN  FCoE MAC           FC-ID     Port WWPN                Port WWNN
aa:bb:cc:00:00:00  Te 0/42     aa:bb:cd:00:00:00  Te 0/43   100   0e:fc:00:01:00:01  01:00:01  31:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  Te 0/42     aa:bb:cd:00:00:00  Te 0/43   100   0e:fc:00:01:00:02  01:00:02  41:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  Te 0/42     aa:bb:cd:00:00:00  Te 0/43   100   0e:fc:00:01:00:03  01:00:03  41:00:0e:fc:00:00:00:01  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  Te 0/42     aa:bb:cd:00:00:00  Te 0/43   100   0e:fc:00:01:00:04  01:00:04  41:00:0e:fc:00:00:00:02  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  Te 0/42     aa:bb:cd:00:00:00  Te 0/43   100   0e:fc:00:01:00:05  01:00:05  41:00:0e:fc:00:00:00:03  21:00:0e:fc:00:00:00:00
The following table describes the show fip-snooping sessions command fields.
Table 20. show fip-snooping sessions Command Description
ENode MAC: MAC address of the ENode.
ENode Interface: Slot/port number of the interface connected to the ENode.
FCF MAC: MAC address of the FCF.
FCF Interface: Slot/port number of the interface to which the FCF is connected.
VLAN: VLAN ID number used by the session.
FCoE MAC: MAC address of the FCoE session assigned by the FCF.
FC-ID: Fibre Channel ID assigned by the FCF.
Port WWPN: Worldwide port name of the CNA port.
Port WWNN: Worldwide node name of the CNA port.
Dell# show fip-snooping config
FIP Snooping Feature enabled Status: Enabled
FIP Snooping Global enabled Status: Enabled
Global FC-MAP Value: 0X0EFC00
FIP Snooping enabled VLANs
VLAN  Enabled  FC-MAP
----  -------  --------
100   TRUE     0X0EFC00
Dell# show fip-snooping enode
Enode MAC          Enode Interface  FCF MAC            VLAN  FC-ID
-----------------  ---------------  -----------------  ----  --------
d4:ae:52:1b:e3:cd  Te 0/11          54:7f:ee:37:34:40  100   62:00:11
The following table describes the show fip-snooping enode command fields.
Table 21. show fip-snooping enode Command Description
ENode MAC: MAC address of the ENode.
ENode Interface: Slot/port number of the interface connected to the ENode.
FCF MAC: MAC address of the FCF.
VLAN: VLAN ID number used by the session.
FC-ID: Fibre Channel session ID assigned by the FCF.
Dell# show fip-snooping fcf
FCF MAC            FCF Interface  VLAN  FC-MAP    FKA_ADV_PERIOD  No. of Enodes
-----------------  -------------  ----  --------  --------------  -------------
54:7f:ee:37:34:40  Po 22          100   0e:fc:00  4000            2
The following table describes the show fip-snooping fcf command fields.
Table 22. show fip-snooping fcf Command Description
FCF MAC: MAC address of the FCF.
FCF Interface: Slot/port number of the interface to which the FCF is connected.
VLAN: VLAN ID number used by the session.
FC-MAP: FC-Map value advertised by the FCF.
ENode Interface: Slot/port number of the interface connected to the ENode.
FKA_ADV_PERIOD: Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes: Number of ENodes connected to the FCF.
FC-ID: Fibre Channel session ID assigned by the FCF.
Dell# show fip-snooping statistics interface vlan 100
Number of Vlan Requests                            :0
Number of Vlan Notifications                       :0
Number of Multicast Discovery Solicits             :2
Number of Unicast Discovery Solicits               :0
Number of FLOGI                                    :2
Number of FDISC                                    :16
Number of FLOGO                                    :0
Number of Enode Keep Alive                         :9021
Number of VN Port Keep Alive                       :3349
Number of Multicast Discovery Advertisement        :4437
Number of Unicast Discovery Advertisement          :2
Number of FLOGI Accepts                            :2
Number of FLOGI Rejects                            :0
Number of FDISC Accepts                            :16
Number of FDISC Rejects                            :0
Number of FLOGO Accepts                            :0
Number of FLOGO Rejects                            :0
Number of CVL                                      :0
Number of FCF Discovery Timeouts                   :0
Number of VN Port Session Timeouts                 :0
Number of Session failures due to Hardware Config  :0
Dell(conf)#
Dell# show fip-snooping statistics int tengigabitethernet 0/11
Number of Vlan Requests
:1
Number of Vlan Notifications
:0
Number of Multicast Discovery Solicits
:1
Number of Unicast Discovery Solicits
:0
Number of FLOGI
:1
Number of FDISC
:16
Number of FLOGO
:0
Number of Enode Keep Alive
:4416
Number of VN Port Keep Alive
:3136
Number of Multicast Discovery Advertisement
:0
Number of Unicast Discovery Advertisement
:0
Number of FLOGI Accepts
:0
Number of FLOGI Rejects
:0
Number of FDISC Accepts
:0
Number of FDISC Rejects
:0
Number of FLOGO Accepts
:0
Number of FLOGO Rejects
:0
Number of CVL
:0
Number of FCF Discovery Timeouts
:0
Number of VN Port Session Timeouts
:0
Number of Session failures due to Hardware Config :0
Dell# show fip-snooping statistics interface port-channel 22
Number of Vlan Requests
:0
FCoE Transit
345
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
Number
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
of
Vlan Notifications
Multicast Discovery Solicits
Unicast Discovery Solicits
FLOGI
FDISC
FLOGO
Enode Keep Alive
VN Port Keep Alive
Multicast Discovery Advertisement
Unicast Discovery Advertisement
FLOGI Accepts
FLOGI Rejects
FDISC Accepts
FDISC Rejects
FLOGO Accepts
FLOGO Rejects
CVL
FCF Discovery Timeouts
VN Port Session Timeouts
Session failures due to Hardware Config
:2
:0
:0
:0
:0
:0
:0
:0
:4451
:2
:2
:0
:16
:0
:0
:0
:0
:0
:0
:0
The following table describes the show fip-snooping statistics command fields.
Table 23. show fip-snooping statistics Command Descriptions
Field                                             Description
Number of VLAN Requests                           Number of FIP-snooped VLAN request frames received on the
                                                  interface.
Number of VLAN Notifications                      Number of FIP-snooped VLAN notification frames received on
                                                  the interface.
Number of Multicast Discovery Solicits            Number of FIP-snooped multicast discovery solicit frames
                                                  received on the interface.
Number of Unicast Discovery Solicits              Number of FIP-snooped unicast discovery solicit frames
                                                  received on the interface.
Number of FLOGI                                   Number of FIP-snooped FLOGI request frames received on the
                                                  interface.
Number of FDISC                                   Number of FIP-snooped FDISC request frames received on the
                                                  interface.
Number of FLOGO                                   Number of FIP-snooped FLOGO frames received on the interface.
Number of ENode Keep Alives                       Number of FIP-snooped ENode keep-alive frames received on
                                                  the interface.
Number of VN Port Keep Alives                     Number of FIP-snooped VN port keep-alive frames received on
                                                  the interface.
Number of Multicast Discovery Advertisements      Number of FIP-snooped multicast discovery advertisements
                                                  received on the interface.
Number of Unicast Discovery Advertisements        Number of FIP-snooped unicast discovery advertisements
                                                  received on the interface.
Number of FLOGI Accepts                           Number of FIP FLOGI accept frames received on the interface.
Number of FLOGI Rejects                           Number of FIP FLOGI reject frames received on the interface.
Number of FDISC Accepts                           Number of FIP FDISC accept frames received on the interface.
Number of FDISC Rejects                           Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts                           Number of FIP FLOGO accept frames received on the interface.
Number of FLOGO Rejects                           Number of FIP FLOGO reject frames received on the interface.
Number of CVLs                                    Number of FIP clear virtual link frames received on the
                                                  interface.
Number of FCF Discovery Timeouts                  Number of FCF discovery timeouts that occurred on the
                                                  interface.
Number of VN Port Session Timeouts                Number of VN port session timeouts that occurred on the
                                                  interface.
Number of Session failures due to Hardware Config Number of session failures due to hardware configuration
                                                  that occurred on the interface.
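As an added example that is not part of this guide, the following Python parses the show fip-snooping statistics output format described above and reports the counters that stay at zero on a healthy FIP snooping bridge (rejects, CVLs, timeouts, hardware-config failures), both as absolute values and as the increase between two polls of the same interface. The embedded sample output and its counter values are constructed for the example.

```python
import re

# Constructed sample, modelled on the show fip-snooping statistics output for
# an ENode-facing port in this chapter; the counter values are made up.
SAMPLE_OUTPUT = """\
Number of Vlan Requests                           :1
Number of Vlan Notifications                      :0
Number of Multicast Discovery Solicits            :1
Number of Unicast Discovery Solicits              :0
Number of FLOGI                                   :1
Number of FDISC                                   :16
Number of FLOGO                                   :0
Number of Enode Keep Alive                        :4416
Number of VN Port Keep Alive                      :3136
Number of Multicast Discovery Advertisement       :0
Number of Unicast Discovery Advertisement         :0
Number of FLOGI Accepts                           :0
Number of FLOGI Rejects                           :2
Number of FDISC Accepts                           :0
Number of FDISC Rejects                           :0
Number of FLOGO Accepts                           :0
Number of FLOGO Rejects                           :0
Number of CVL                                     :3
Number of FCF Discovery Timeouts                  :0
Number of VN Port Session Timeouts                :1
Number of Session failures due to Hardware Config :0
"""

# One counter per line: "Number of <name> :<value>" (amount of whitespace varies).
COUNTER_RE = re.compile(r"^Number of (.+?)\s*:\s*(\d+)\s*$")

# Counters that stay at zero on a healthy FIP snooping bridge. A rising value
# means fabric logins are being refused, virtual links are being torn down
# (CVL), or sessions are timing out or failing to install in hardware.
ATTENTION_COUNTERS = (
    "FLOGI Rejects",
    "FDISC Rejects",
    "FLOGO Rejects",
    "CVL",
    "FCF Discovery Timeouts",
    "VN Port Session Timeouts",
    "Session failures due to Hardware Config",
)


def parse_fip_stats(text):
    """Return {counter name: value} from one interface's statistics output."""
    stats = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line.strip())
        if match:
            stats[match.group(1)] = int(match.group(2))
    return stats


def counter_deltas(before, after):
    """Counters that increased between two polls of the same interface.

    Absolute values accumulate since the counters were last cleared, so on a
    long-running switch the useful signal is the change per polling interval.
    """
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}


def assess_fip_stats(stats):
    """Return (counter, value) pairs from ATTENTION_COUNTERS that are non-zero."""
    return [(name, stats[name]) for name in ATTENTION_COUNTERS
            if stats.get(name, 0) > 0]


if __name__ == "__main__":
    first = parse_fip_stats(SAMPLE_OUTPUT)
    print("attention on first poll:", assess_fip_stats(first))
    # A later poll (constructed): keep-alives keep flowing, and two more
    # FLOGI rejects arrived, which is what the delta view surfaces.
    second = {**first, "Enode Keep Alive": 4600, "FLOGI Rejects": 4}
    print("attention since last poll:", assess_fip_stats(counter_deltas(first, second)))
```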
Dell# show fip-snooping system
Global Mode                  : Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs                         : 1
Enodes                       : 2
Sessions                     : 17
NOTE: NPIV sessions are included in the number of FIP-snooped sessions displayed.
Dell# show fip-snooping vlan
* = Default VLAN
VLAN   FC-MAP     FCFs   Enodes   Sessions
----   --------   ----   ------   --------
*1
100    0X0EFC00   1      2        17
FCoE Transit Configuration Example
The following illustration shows an MXL switch used as a FIP snooping bridge for FCoE traffic between an
ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch. On
the FIP snooping bridge, DCBx is configured as follows:
Figure 39. FIP Snooping on an MXL 10/40GbE Switch Configuration Example
• A server-facing port is configured for DCBx in an auto-downstream role.
• An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role.
The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC
configuration on both ports is synchronized. For more information about how to configure DCBx and
PFC on a port, refer to the Data Center Bridging (DCB) chapter.
The following example shows how to configure FIP snooping on FCoE VLAN 10, on an FCF-facing port
(0/50), on an ENode server-facing port (0/1), and to configure the FIP snooping ports as tagged members
of the FCoE VLAN enabled for FIP snooping.
Example of Enabling the FIP Snooping Feature on the Switch (FIP Snooping Bridge)
Dell(conf)# feature fip-snooping
Example of Enabling FIP Snooping on the FCoE VLAN
Dell(conf)# interface vlan 10
Dell(conf-if-vl-10)# fip-snooping enable
Example of Enabling an FC-MAP Value on a VLAN
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value
(0x0EFC00).
Example of Configuring the ENode Server-Facing Port
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# portmode hybrid
Dell(conf-if-te-0/1)# switchport
NOTE: A port is enabled by default for bridge-ENode links.
Example of Configuring the FCF-Facing Port
Dell(conf)# interface tengigabitethernet 0/50
Dell(conf-if-te-0/50)# portmode hybrid
Dell(conf-if-te-0/50)# switchport
Dell(conf-if-te-0/50)# fip-snooping port-mode fcf
Example of Configuring FIP Snooping Ports as Tagged Members of the FCoE VLAN
Dell(conf)# interface vlan 10
Dell(conf-if-vl-10)# tagged tengigabitethernet 0/1
Dell(conf-if-vl-10)# tagged tengigabitethernet 0/50
Dell(conf-if-te-0/1)# no shut
Dell(conf-if-te-0/50)# no shut
Dell(conf-if-vl-10)# no shut
After FIP packets are exchanged between the ENode and the switch, a FIP snooping session is
established. ACLs are dynamically generated for FIP snooping on the FIP snooping bridge/switch.
17 FIPS Cryptography
Federal information processing standard (FIPS) cryptography is supported on the MXL switch platform.
This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This
feature provides cryptographic algorithms conforming to various FIPS standards published by the
National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of
Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a
software-based cryptographic module.
NOTE: The FIPS mode included in this release is the OpenSSL FIPS Object Module v2.0, which has
been validated to meet FIPS-140-2 requirements, per certificate #1747. The MXL switch platform is
not one of the validated platforms. Dell Networking has contracted with the OpenSSL Foundation to
complete a Change Letter validation of the MXL switch platform for this FIPS mode. A patch release
will be available after that Change Letter validation has been completed.
NOTE: For the Dell Networking OS version 8.3.12.0, only the SSH and SCP copy features use FIPS
Cryptographic mode to secure management interface user sessions and file transfers. Other
features that use cryptographic algorithms do not, or cannot, use FIPS mode. You must configure
the management interfaces to limit access to/from the system to SSH alone.
Preparing the System
Before you enable FIPS mode, Dell Networking recommends making the following changes to your
system.
1. Disable the Telnet server (only use secure shell [SSH] to access the system).
2. Disable the FTP server (only use secure copy [SCP] to transfer files to and from the system).
3. Attach a secure, standalone host to the console port for the FIPS configuration to use.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port.
Secure the host attached to the console port against unauthorized access. Any attempts to enable or
disable FIPS mode from a virtual terminal session are denied.
When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
  – If the SSH server was enabled when you entered the fips mode enable command, it is re-enabled
    for version 2 only.
  – If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also
    manually create this key-pair using the crypto key generate command.
NOTE: Under certain unusual circumstances, it is possible for the fips enable command to
indicate a failure.
  • This failure occurs if any of the self-tests fail when you enable FIPS mode.
  • This failure occurs if there were existing SSH/Telnet sessions that could not be closed
    successfully in a reasonable amount of time. In general, this failure can occur if a user at a
    remote host is in the process of establishing an SSH session to the local system, and has been
    prompted to accept a new host key or to enter a password, but is not responding to the request.
    Assuming this failure is a transient condition, attempting to enable FIPS mode again should be
    successful.
To enable FIPS mode, use the following command.
• Enable FIPS mode from a console port.
  CONFIGURATION mode
  fips mode enable
Generating Host-Keys
The following describes host-key generation.
When you enable or disable FIPS mode, the system deletes the current public/private host-key pair,
terminates any SSH sessions that are in progress (deleting all the per-session encryption key information),
actually enables/tests FIPS mode, generates new host-keys, and re-enables the SSH server (assuming it
was enabled before enabling FIPS).
For more information, refer to the SSH Server and SCP Commands section in the Security chapter of the
Dell Networking OS Command Line Reference Guide.
Monitoring FIPS Mode Status
To view the status of the current FIPS mode (enabled/disabled), use the following commands.
• Use either command to view the status of the current FIPS mode.
  show fips status
  show system
Example of the show fips status Command
Dell#show fips status
FIPS Mode : Enabled
Example of the show system Command
The FIPS mode status is also displayed for the system using the show system command.
Dell#show system
Stack MAC : 00:01:e8:8a:ff:0c
Reload Type : normal-reload [Next boot : normal-reload]
-- Unit 0 --
Unit Type        : Management Unit
Status           : online
Next Boot        : online
Required Type    : XML - 52-port GE/TE/FG (SE)
Current Type     : XML - 52-port GE/TE/FG (SE)
Master priority  : 0
Hardware Rev     : 3.0
Num Ports        : 64
Up Time          : 7 hr, 3 min
Dell Version     : XML-8-3-7-1061
Jumbo Capable    : yes
POE Capable      : no
FIPS Mode        : enabled
Burned In MAC    : 00:01:e8:8a:ff:0c
No Of MACs       : 3
...
Disabling FIPS Mode
The following describes disabling FIPS mode.
When you disable FIPS mode, the following changes occur:
• The SSH server disables.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode disables.
• The SSH server re-enables.
• The Telnet server re-enables (if it is present in the configuration).
• New 1024-bit RSA and RSA1 host key-pairs are created.
To disable FIPS mode, use the following command.
• Disable FIPS mode from a console port.
  CONFIGURATION mode
  no fips mode enable
The following Warning message displays:
WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart
those servers, and destroy all configured host keys.
Proceed (y/n) ?
18 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a
metropolitan area network (MAN) or large campuses.
FRRP is similar to what can be achieved with the spanning tree protocol (STP), but STP can take up to
50 seconds to converge and, even with optimizations (depending on the size of the network and the node
of failure), may require 4 to 5 seconds to reconverge. FRRP can converge within 150 ms to 1500 ms when a
link in the ring breaks (depending on network configuration).
To operate a deterministic network, a network administrator must run a protocol that converges
independently of the network size or node of failure. FRRP is a proprietary protocol that provides this
flexibility, while preventing Layer 2 loops. FRRP provides sub-second ring-failure detection and
convergence/re-convergence in a Layer 2 network while eliminating the need for running spanning-tree
protocol. With its two-way path to destination configuration, FRRP provides protection against any single
link/switch failure and thus provides for greater network uptime.
Protocol Overview
FRRP is built on a ring topology.
You can configure up to 255 rings on a system. FRRP uses one Master node and multiple Transit nodes in
each ring. There is no limit to the number of nodes on a ring. The Master node is responsible for the
intelligence of the Ring and monitors the status of the Ring. The Master node checks the status of the
Ring by sending ring health frames (RHF) around the Ring from its Primary port and returning on its
Secondary port. If the Master node misses three consecutive RHFs, the Master node determines the ring
to be in a failed state. The Master then sends a Topology Change RHF to the Transit Nodes informing
them that the ring has changed. This causes the Transit Nodes to flush their forwarding tables, and reconverge to the new network structure.
One port of the Master node is designated the Primary port (P) to the ring; another port is designated as
the Secondary port (S) to the ring. In normal operation, the Master node blocks the Secondary port for all
non-control traffic belonging to this FRRP group, thereby avoiding a loop in the ring, like STP. Layer 2
switching and learning mechanisms operate per existing standards on this ring.
Each Transit node is also configured with a Primary port and a Secondary port on the ring, but the port
distinction is ignored as long as the node is configured as a Transit node. If the ring is complete, the
Master node logically blocks all data traffic in the transmit and receive directions on the Secondary port
to prevent a loop. If the Master node detects a break in the ring, it unblocks its Secondary port and allows
data traffic to be transmitted and received through it. Refer to the following illustration for a simple
example of this FRRP topology. Note that ring direction is determined by the Master node’s Primary and
Secondary ports.
Figure 40. Normal Operating FRRP Topology
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the
Member VLAN and the Control VLAN.
The Member VLAN is the VLAN used to transmit data as described earlier.
The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass
through all ports in the ring, including the secondary port of the Master node.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up
and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is
complete, the frame is received on its secondary port and the Master node resets its fail-period timer and
continues normal operation.
If the Master node does not receive the RHF before the fail-period timer expires (a configurable timer),
the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port.
The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing
them to also clear their forwarding tables. Immediately after clearing its forwarding table, each node
starts learning the new topology.
Ring Failure
If a Transit node detects a link down on any of its ports on the FRRP ring, it immediately sends a linkdown control frame on the Control VLAN to the Master node.
When the Master node receives this control frame, the Master node moves from the Normal state to the
Ring-Fault state and unblocks its Secondary port. The Master node clears its routing table and sends a
control frame to all other ring nodes, instructing them to clear their routing tables as well. Immediately
after clearing its routing table, each node begins learning the new topology.
Ring Restoration
The Master node continues sending ring health frames out its primary port even when operating in the
Ring-Fault state.
After the ring is restored, the next status check frame is received on the Master node's Secondary port.
This causes the Master node to transition back to the Normal state. The Master node then logically blocks
non-control frames on the Secondary port, clears its own forwarding table, and sends a control frame to
the Transit nodes, instructing them to clear their forwarding tables and re-learn the topology.
During the time between the Transit node detecting that its link is restored and the Master node
detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can
create a temporary loop in the topology. To prevent this, the Transit node places all the ring ports
transiting the newly restored port into a temporary blocked state. The Transit node remembers which
port has been temporarily blocked and places it into a pre-forwarding state. When the Transit node in
the pre-forwarding state receives the control frame instructing it to clear its routing table, it does so and
unblocks the previously blocked ring ports on the newly restored port. Then the Transit node returns to
the Normal state.
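The ring checking, ring failure and ring restoration behaviour of the Master node described above, modelled as an added Python example that is not Dell's implementation and not code from this guide. The FrrpMaster class, its method names and the simulated event timeline are assumptions; the timer limits follow the ranges this chapter gives (Hello 50 to 2000 ms and Dead 50 to 6000 ms in 50 ms increments, Dead defaulting to three times Hello).

```python
"""Model of the FRRP Master node ring-status logic described in this chapter.

Constructed example, not Dell's implementation: it encodes only what the text
states. The Master node sends a hello RHF out its Primary port every hello
interval; if no RHF returns on the Secondary port before the dead interval
(fail-period timer) expires, or a Transit node reports link-down, the ring
goes to Ring-Fault, the Secondary port is unblocked and forwarding tables are
flushed; when an RHF returns, the ring goes back to Normal and is re-blocked.
"""

NORMAL, RING_FAULT = "Normal", "Ring-Fault"


def validate_timer(name, value_ms, max_ms):
    """Timers are configured in 50 ms increments: hello 50..2000, dead 50..6000."""
    if not 50 <= value_ms <= max_ms or value_ms % 50 != 0:
        raise ValueError(f"{name} must be 50..{max_ms} ms in 50 ms steps, got {value_ms}")
    return value_ms


class FrrpMaster:
    """Master node ring state, driven by a simulated millisecond clock."""

    def __init__(self, hello_ms=500, dead_ms=None):
        self.hello_ms = validate_timer("hello-interval", hello_ms, 2000)
        # The chapter recommends Dead-Interval = 3 x Hello-Interval (1500 ms default).
        self.dead_ms = validate_timer(
            "dead-interval", 3 * hello_ms if dead_ms is None else dead_ms, 6000)
        self.state = NORMAL
        self.secondary_blocked = True   # non-control traffic blocked in Normal state
        self.last_rhf_rx_ms = 0         # reference point of the fail-period timer
        self.flushes = 0                # forwarding-table flushes (one TCRHF each)
        self.events = []                # (time_ms, new_state, reason)

    def hello_due(self, now_ms):
        """A hello RHF leaves the Primary port every hello interval, in both states."""
        return now_ms % self.hello_ms == 0

    def tick(self, now_ms):
        """Fail-period timer: no RHF for dead_ms while Normal means the ring is broken."""
        if self.state == NORMAL and now_ms - self.last_rhf_rx_ms >= self.dead_ms:
            self._ring_fault(now_ms, "fail-period timer expired")
        return self.state

    def rhf_received_on_secondary(self, now_ms):
        """The hello RHF made it round the ring: reset the timer, or restore the ring."""
        self.last_rhf_rx_ms = now_ms
        if self.state == RING_FAULT:
            self._ring_restored(now_ms)
        return self.state

    def linkdown_frame_received(self, now_ms):
        """A Transit node sent a link-down control frame on the Control VLAN."""
        if self.state == NORMAL:
            self._ring_fault(now_ms, "link-down control frame from Transit node")
        return self.state

    def _flush_and_notify(self, now_ms, reason):
        # Clear own forwarding table and send a Topology Change RHF to all nodes.
        self.flushes += 1
        self.events.append((now_ms, self.state, reason))

    def _ring_fault(self, now_ms, reason):
        self.state = RING_FAULT
        self.secondary_blocked = False  # traffic now flows the other way round the ring
        self._flush_and_notify(now_ms, reason)

    def _ring_restored(self, now_ms):
        self.state = NORMAL
        self.secondary_blocked = True   # block again to avoid a Layer 2 loop
        self._flush_and_notify(now_ms, "RHF returned on Secondary port")


def simulate(master, events, end_ms, step_ms=50):
    """Drive the master with timed events ('rhf' or 'linkdown', time_ms)."""
    pending = sorted(events, key=lambda event: event[1])
    for now_ms in range(0, end_ms + 1, step_ms):
        while pending and pending[0][1] <= now_ms:
            kind, _ = pending.pop(0)
            if kind == "rhf":
                master.rhf_received_on_secondary(now_ms)
            else:
                master.linkdown_frame_received(now_ms)
        master.tick(now_ms)
    return master


if __name__ == "__main__":
    # Constructed timeline: two healthy hellos return, then the ring breaks,
    # then it is repaired and the 3000 ms hello returns at 3100 ms.
    ring = simulate(FrrpMaster(), [("rhf", 500), ("rhf", 1000), ("rhf", 3100)], end_ms=3500)
    for time_ms, state, reason in ring.events:
        print(f"{time_ms:5d} ms  {state:10s}  {reason}")
```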
Multiple FRRP Rings
Up to 255 rings are allowed per system and multiple rings can be run on one system.
More than the recommended number of rings may cause interface instability. You can configure multiple
rings with a single switch connection; a single ring can have multiple FRRP groups; multiple rings can be
connected with a common link.
Member VLAN Spanning Two Rings Connected by One Switch
A member VLAN can span two rings interconnected by a common switch, in a figure-eight style
topology.
A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be
a Transit node for both rings.
In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control
VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both
FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example
topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202.
Figure 41. Multiple Rings Connected by a Single Switch Example
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2
networks.
The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately,
sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
• One Master node per ring — all other nodes are Transit.
• Each node has two member interfaces — primary and secondary.
• There is no limit to the number of nodes on a ring.
• Master node ring port states — blocking, pre-forwarding, forwarding, and disabled.
• Transit node ring port states — blocking, pre-forwarding, forwarding, and disabled.
• STP disabled on ring interfaces.
• Master node secondary port is in blocking state during Normal operation.
• Ring health frames (RHF)
  – Hello RHF: sent at 500ms (hello interval); only the Master node transmits and processes these.
  – Topology Change RHF: triggered updates; processed at all nodes.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept                        Explanation
Ring ID                        Each ring has a unique 8-bit ring ID through which the ring is identified (for
                               example, FRRP 101 and FRRP 202).
Control VLAN                   Each ring has a unique Control VLAN through which tagged ring health frames
                               (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used
                               for any other purpose.
Member VLAN                    Each ring maintains a list of member VLANs. Member VLANs must be consistent
                               across the entire ring.
Port Role                      Each node has two ports for each ring: Primary and Secondary. The Master node
                               Primary port generates RHFs. The Master node Secondary port receives the RHFs.
                               On Transit nodes, there is no distinction between a Primary and Secondary
                               interface when operating in the Normal state.
Ring Interface State           Each interface (port) that is part of the ring maintains one of four states:
                               • Blocking State — Accepts ring protocol packets but blocks data packets. LLDP,
                                 FEFD, or other Layer 2 control packets are accepted. Only the Master node
                                 Secondary port can enter this state.
                               • Pre-Forwarding State — A transition state before moving to the Forward state.
                                 Control traffic is forwarded but data traffic is blocked. The Master node
                                 Secondary port transitions through this state during ring bring-up. All ports
                                 transition through this state when a port comes up.
                               • Disabled State — When the port is disabled or down, or is not on the VLAN.
Ring Protocol Timers           • Hello Interval — The interval when ring frames are generated from the Master
                                 node’s Primary interface (default 500 ms). The Hello interval is configurable in
                                 50 ms increments from 50 ms to 2000 ms.
                               • Dead Interval — The interval when data traffic is blocked on a port. The default
                                 is three times the Hello interval rate. The dead interval is configurable in 50 ms
                                 increments from 50 ms to 6000 ms.
Ring Status                    The state of the FRRP ring. During initialization/configuration, the default ring
                               status is Ring-down (disabled). The Primary and Secondary interfaces, control
                               VLAN, and Master and Transit node information must be configured for the ring to
                               be up.
                               • Ring-Up — Ring is up and operational.
                               • Ring-Down — Ring is broken or not set up.
Ring Health-Check Frame (RHF)  The Master node generates two types of RHFs. RHFs never loop the ring because
                               they terminate at the Master node’s secondary port.
                               • Hello RHF (HRHF) — These frames are processed only on the Master node’s
                                 Secondary port. The Transit nodes pass the HRHF through without processing
                                 it. An HRHF is sent at every Hello interval.
                               • Topology Change RHF (TCRHF) — These frames contain ring status, keepalive,
                                 and the control and member VLAN hash. The TCRHF is processed at each node
                                 of the ring. TCRHFs are sent out the Master Node’s Primary and Secondary
                                 interface when the ring is declared in a Failed state with the same sequence
                                 number, on any topology change to ensure that all Transit nodes receive it.
                                 There is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered
                                 events of ring failure or ring restoration only.
Implementing FRRP
• FRRP is media and speed independent.
• FRRP is a Dell proprietary protocol that does not interoperate with any other vendor.
• You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces
  before you can enable FRRP.
• All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes.
• A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN
  for any other ring.
• The control VLAN is not used to carry any data traffic; it carries only RHFs.
• The control VLAN cannot have members that are not ring ports.
• If multiple rings share one or more member VLANs, they cannot share any links between them.
• Member VLANs across multiple rings are not supported in Master nodes.
• Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
• Creating the FRRP Group
• Configuring the Control VLAN
  – Configure Primary and Secondary ports
• Configuring and Adding the Member VLANs
  – Configure Primary and Secondary ports
• Setting the FRRP Timers
Other FRRP related commands are:
• Clearing the FRRP Counters
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring.
To create the FRRP group, use the following command.
• Create the FRRP group with this Ring ID.
  CONFIGURATION mode
  protocol frrp ring-id
  Ring ID: the range is from 1 to 255.
Configuring the Control VLAN
Control and member VLANs are configured normally for Layer 2. Their status as control or member is
determined by the FRRP group commands.
For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter.
Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• You can only add ring nodes to the VLAN.
• A control VLAN can belong to one FRRP group only.
• Tag control VLAN ports.
• All ports on the ring must use the same VLAN ID for the control VLAN.
• You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring.
• Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
• Member VLANs across multiple rings are not supported in Master nodes.
To create the control VLAN for this FRRP group, use the following commands on the switch that is to act
as the Master node.
1. Create a VLAN with this ID number.
   CONFIGURATION mode.
   interface vlan vlan-id
   VLAN ID: from 1 to 4094.
2. Tag the specified interface or range of interfaces to this VLAN.
   CONFIG-INT-VLAN mode.
   tagged interface slot/port {range}
   • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
     information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port
     information.
   Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
   CONFIG-FRRP mode.
   interface primary int slot/port secondary int slot/port control-vlan vlan id
   • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a SONET interface, enter the keyword sonet then the slot/port information.
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
     information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port
     information.
   Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
   VLAN ID: The VLAN identification of the control VLAN.
4. Configure the Master node.
   CONFIG-FRRP mode.
   mode master
5. Identify the Member VLANs for this FRRP group.
   CONFIG-FRRP mode.
   member-vlan vlan-id {range}
   VLAN-ID, Range: VLAN IDs for the ring’s member VLANs.
6. Enable FRRP.
   CONFIG-FRRP mode.
   no disable
Configuring and Adding the Member VLANs
Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is
determined by the FRRP group commands.
For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter.
Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged
  or untagged.
• The control VLAN must be the same for all nodes on the ring.
To create the Member VLANs for this FRRP group, use the following commands on all of the Transit
switches in the ring.
1. Create a VLAN with this ID number.
   CONFIGURATION mode.
   interface vlan vlan-id
   VLAN ID: the range is from 1 to 4094.
2. Tag the specified interface or range of interfaces to this VLAN.
   CONFIG-INT-VLAN mode.
   tagged interface slot/port {range}
   • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a SONET interface, enter the keyword sonet then the slot/port information.
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
     information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port
     information.
   Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port.
3. Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring.
   CONFIG-FRRP mode.
   interface primary int slot/port secondary int slot/port control-vlan vlan id
   • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port
     information.
   • For a SONET interface, enter the keyword sonet then the slot/port information.
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
     information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port
     information.
   Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
   VLAN ID: Identification number of the Control VLAN.
4. Configure a Transit node.
   CONFIG-FRRP mode.
   mode transit
5. Identify the Member VLANs for this FRRP group.
   CONFIG-FRRP mode.
   member-vlan vlan-id {range}
   VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
6. Enable this FRRP group on this switch.
   CONFIG-FRRP mode.
   no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time 3 times the Hello-Interval.
•
Enter the desired intervals for Hello-Interval or Dead-Interval times.
CONFIG-FRRP mode.
timer {hello-interval|dead-interval} milliseconds
– Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
– Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID.
EXEC Privilege mode.
clear frrp ring-id
Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups.
EXEC Privilege mode.
clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
• Show the configuration for this FRRP group.
CONFIG-FRRP mode.
show configuration
Viewing the FRRP Information
To view general FRRP information, use one of the following commands.
• Show the information for the identified FRRP group.
EXEC or EXEC Privilege mode.
show frrp ring-id
Ring ID: the range is from 1 to 255.
• Show the state of all FRRP groups.
EXEC or EXEC Privilege mode.
show frrp summary
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
  – When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface.
• The maximum number of rings allowed on a chassis is 255.
Sample Configuration and Topology
The following example shows a basic FRRP topology.
Figure 42. Basic Topology and CLI Commands
Example of R1 MASTER
interface GigabitEthernet 1/24
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/34
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged GigabitEthernet 1/24,34
no shutdown
!
interface Vlan 201
no ip address
tagged GigabitEthernet 1/24,34
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
member-vlan 201
mode master
no disable
Example of R2 TRANSIT
interface GigabitEthernet 2/14
no ip address
switchport
no shutdown
!
interface GigabitEthernet 2/31
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged GigabitEthernet 2/14,31
no shutdown
!
interface Vlan 201
no ip address
tagged GigabitEthernet 2/14,31
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
member-vlan 201
mode transit
no disable
Example of R3 TRANSIT
interface GigabitEthernet 3/14
no ip address
switchport
no shutdown
!
interface GigabitEthernet 3/21
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged GigabitEthernet 3/14,21
no shutdown
!
interface Vlan 201
no ip address
tagged GigabitEthernet 3/14,21
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14 control-vlan 101
member-vlan 201
mode transit
no disable
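The Configuration Checks from the Troubleshooting FRRP section, applied as an added audit script to configuration text in the form of the sample above (example code, not Dell's): R1 is transcribed from the sample topology, R2 is a constructed faulty node, and the finding messages are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: R1 is transcribed from the guide's sample topology (VLAN 201
# stanza omitted); R2 is a deliberately faulty node that also claims master and
# whose secondary port is not in switchport mode.
SAMPLE_NODES = {
    "R1": """
interface GigabitEthernet 1/24
 switchport
!
interface GigabitEthernet 1/34
 switchport
!
interface Vlan 101
 tagged GigabitEthernet 1/24,34
!
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
 member-vlan 201
 mode master
 no disable
""",
    "R2": """
interface GigabitEthernet 2/14
 switchport
!
interface GigabitEthernet 2/31
 no ip address
!
interface Vlan 101
 tagged GigabitEthernet 2/14,31
!
protocol frrp 101
 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode master
 no disable
""",
}

STANZA_RE = re.compile(r"^(\S.*)\n((?: .*\n)*)", re.M)   # header line + indented body
RING_IF_RE = re.compile(r"interface primary (\S+ \d+/\d+)\s+secondary (\S+ \d+/\d+)\s+control-vlan (\d+)")


def expand_ports(spec):
    """'GigabitEthernet 1/24,34' -> ['GigabitEthernet 1/24', 'GigabitEthernet 1/34']."""
    kind, rest = spec.split(" ", 1)
    slot, ports = rest.split("/", 1)
    return [f"{kind} {slot}/{p}" for p in ports.split(",")]


def parse_node(config):
    """Collect Layer 2 ports, per-VLAN tagged ports and FRRP ring definitions."""
    node = {"l2_ports": set(), "vlan_tagged": defaultdict(set), "rings": {}}
    for header, body in STANZA_RE.findall(config):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        if header.startswith("interface Vlan "):
            for line in lines:
                if line.startswith("tagged "):
                    node["vlan_tagged"][int(header.split()[-1])].update(expand_ports(line[7:]))
        elif header.startswith("interface ") and "switchport" in lines:
            node["l2_ports"].add(header[len("interface "):])
        elif header.startswith("protocol frrp "):
            m = RING_IF_RE.search(" ".join(lines))   # tolerates the command wrapped over two lines
            if m:                                     # a ring without ports has nothing to audit yet
                mode = next((l.split()[1] for l in lines if l.startswith("mode ")), None)
                node["rings"][int(header.split()[-1])] = {"primary": m.group(1), "secondary": m.group(2),
                                                          "control_vlan": int(m.group(3)), "mode": mode}
    return node


def audit(nodes):
    """Apply the guide's FRRP Configuration Checks across the ring's nodes; return findings."""
    findings, masters, ring_ids = [], defaultdict(list), set()
    for name, cfg in nodes.items():
        node = parse_node(cfg)
        control_vlan_users = defaultdict(list)        # control VLAN -> rings using it on this switch
        for rid, ring in node["rings"].items():
            ring_ids.add(rid)
            control_vlan_users[ring["control_vlan"]].append(rid)
            if ring["mode"] == "master":
                masters[rid].append(name)
            ring_ports = {ring["primary"], ring["secondary"]}
            for port in sorted(ring_ports - node["l2_ports"]):   # FRRP runs on Layer 2 interfaces only
                findings.append(f"{name}: ring {rid} port {port} is not in Layer 2 mode (no switchport)")
            tagged = node["vlan_tagged"].get(ring["control_vlan"], set())
            if tagged != ring_ports:                  # only the two ring ports may belong to the control VLAN
                findings.append(f"{name}: control VLAN {ring['control_vlan']} should be tagged on exactly "
                                f"{sorted(ring_ports)}, found {sorted(tagged)}")
        for vid, rids in control_vlan_users.items():
            if len(rids) > 1:                         # each control ring needs its own VLAN ID
                findings.append(f"{name}: control VLAN {vid} is shared by rings {rids}")
    for rid in sorted(ring_ids):                      # exactly one master node per FRRP group
        if len(masters.get(rid, [])) != 1:
            findings.append(f"ring {rid}: expected exactly one master node, found {masters.get(rid, [])}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NODES)) or "no findings")
```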
19
GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP) is supported on the MXL switch platform.
Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2
switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2
network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches
use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
GVRP exchanges network VLAN information to allow switches to dynamically forward frames for one or
more VLANs. Therefore, GVRP spreads this information and configures the needed VLANs on any
additional switches in the network. Data propagates via the exchange of GVRP protocol data units (PDUs).
The purpose of GVRP is to simplify (but not eliminate) static configuration. The idea is to configure
switches at the edge and have the information dynamically propagate into the core. As such, the edge
ports must still be statically configured with VLAN membership information, and they do not run GVRP. It
is this information that is propagated to create dynamic VLAN membership in the core of the network.
Important Points to Remember
• GVRP propagates VLAN membership throughout a network. GVRP allows end stations and switches to issue and revoke declarations relating to VLAN membership.
• VLAN registration is made in the context of the port that receives the GARP PDU and is propagated to the other active ports.
• GVRP is disabled by default; enable GVRP for the switch and then for individual ports.
• Dynamic VLANs are aged out after the LeaveAll timer expires three times without receipt of a Join message. To display status, use the show gvrp statistics {interface interface | summary} command.
• On the MXL Switch, you cannot enable per-VLAN spanning tree+ (PVST+) and GVRP at the same time. If spanning tree and GVRP are both required, implement either rapid spanning tree protocol (RSTP), spanning tree protocol (STP), or multiple spanning tree protocol (MSTP). The MXL 10/40GbE Switch IO Module system does support enabling GVRP and MSTP at the same time.
Dell(conf)#protocol spanning-tree pvst
Dell(conf-pvst)#no disable
% Error: GVRP running. Cannot enable PVST.
.........
Dell(conf)#protocol spanning-tree mstp
Dell(conf-mstp)#no disable
% Error: GVRP running. Cannot enable MSTP.
Configure GVRP
To begin, enable GVRP.
To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, that type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking operating system (OS) that the port is a trunk port.
Figure 43. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
CONFIGURATION mode
gvrp enable
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
INTERFACE mode
gvrp enable
Example of Enabling GVRP on an Interface
Dell(conf-if-gi-1/21)#switchport
Dell(conf-if-gi-1/21)#gvrp enable
Dell(conf-if-gi-1/21)#no shutdown
Dell(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
no ip address
switchport
gvrp enable
no shutdown
To inspect the interface configuration, use the show config command from INTERFACE mode or use
the show gvrp interface command in EXEC or EXEC Privilege mode.
Configure GVRP Registration
Configure GVRP registration.
There are three GVRP registration modes:
• Normal Registration — Allows dynamic creation, registration, and de-registration of VLANs (if you enabled dynamic VLAN creation). By default, the registration mode is set to Normal when you enable GVRP on a port. This default mode enables the port to dynamically register and de-register VLANs, and to propagate both dynamic and static VLAN information.
• Fixed Registration Mode — Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the port. For example, if an interface is statically configured via the CLI to belong to a VLAN, it should not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED.
• Forbidden Mode — Prevents the port from dynamically registering VLANs and from propagating VLAN information, except information about VLAN 1. A port with forbidden registration type thus allows only VLAN 1 to pass through even though the PDU carries information for more VLANs. Therefore, if you do not want the interface to advertise or learn about particular VLANs, set the interface to the registration mode of FORBIDDEN.
Based on the configuration in the following example, the interface 1/21 is not removed from VLAN 34 or
VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to
VLAN 45 or VLAN 46, even if a GVRP Join message is received.
Example of the gvrp registration Command
Dell(conf-if-gi-1/21)#gvrp registration fixed 34,35
Dell(conf-if-gi-1/21)#gvrp registration forbidden 45,46
Dell(conf-if-gi-1/21)#show conf
!
interface GigabitEthernet 1/21
no ip address
switchport
gvrp enable
gvrp registration fixed 34-35
gvrp registration forbidden 45-46
no shutdown
Dell(conf-if-gi-1/21)#
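How the three registration modes react to Join and Leave PDUs and to LeaveAll ageing, as an added model (not Dell code): gi 1/21 carries the fixed 34,35 and forbidden 45,46 settings from the example above, while the second port gi 1/22 and VLANs 100 and 200 are constructed.

```python
from dataclasses import dataclass, field

LEAVEALL_MISSES_TO_AGE = 3   # guide: dynamic VLANs age out after three LeaveAll expiries with no Join


@dataclass
class GvrpPort:
    name: str
    fixed: set = field(default_factory=set)       # gvrp registration fixed <vlans>
    forbidden: set = field(default_factory=set)   # gvrp registration forbidden <vlans>
    dynamic: dict = field(default_factory=dict)   # vid -> LeaveAll expiries since the last Join

    def mode(self, vid):
        if vid in self.forbidden:
            return "forbidden"
        return "fixed" if vid in self.fixed else "normal"

    def members(self):
        """VLANs this port currently carries: fixed registrations plus learned ones."""
        return set(self.fixed) | set(self.dynamic)

    def can_propagate(self, vid):
        # A forbidden port advertises nothing about the VLAN, VLAN 1 excepted.
        return vid == 1 or vid not in self.forbidden

    def on_join(self, vid):
        """Join PDU for vid arrived on this port. True if the VLAN is registered afterwards."""
        mode = self.mode(vid)
        if mode == "forbidden" and vid != 1:
            return False                 # neither learned nor propagated
        if mode == "fixed":
            return True                  # already registered by configuration
        self.dynamic[vid] = 0            # learn, or refresh and reset the ageing counter
        return True

    def on_leave(self, vid):
        """Leave PDU for vid. True if the VLAN was de-registered."""
        if self.mode(vid) == "fixed":
            return False                 # fixed registration survives Leave PDUs
        return self.dynamic.pop(vid, None) is not None

    def on_leaveall(self):
        """LeaveAll timer expired; age out dynamic VLANs not refreshed by a Join in time."""
        aged = []
        for vid in list(self.dynamic):
            self.dynamic[vid] += 1
            if self.dynamic[vid] >= LEAVEALL_MISSES_TO_AGE:
                del self.dynamic[vid]
                aged.append(vid)
        return aged


class GvrpSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def receive_join(self, port, vid):
        """Register vid in the context of the receiving port, then return the other
        ports that will carry the declaration onward (the guide's propagation rule)."""
        if not self.ports[port].on_join(vid):
            return []
        return sorted(n for n, p in self.ports.items() if n != port and p.can_propagate(vid))

    def receive_leave(self, port, vid):
        return self.ports[port].on_leave(vid)

    def leaveall(self):
        """One LeaveAll cycle on every port; returns the (port, vid) pairs aged out."""
        return [(n, v) for n, p in self.ports.items() for v in p.on_leaveall()]


def demo_switch():
    """gi 1/21 as in the guide's gvrp registration example; gi 1/22 is a constructed normal port."""
    return GvrpSwitch([GvrpPort("gi 1/21", fixed={34, 35}, forbidden={45, 46}), GvrpPort("gi 1/22")])


if __name__ == "__main__":
    sw = demo_switch()
    print(sw.receive_join("gi 1/21", 45), sw.ports["gi 1/21"].members())   # forbidden: no change
    print(sw.receive_leave("gi 1/21", 34), sw.ports["gi 1/21"].members())  # fixed: still a member
    print(sw.receive_join("gi 1/21", 100))                                 # learned, propagated to gi 1/22
    print([sw.leaveall() for _ in range(LEAVEALL_MISSES_TO_AGE)])          # VLAN 100 ages out in the last cycle
```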
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP.
There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The default is 200ms.
• Leave — When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered. The Leave timer must be greater than or equal to 3x the Join timer. The default is 600ms.
• LeaveAll — After startup, a GARP device globally starts a LeaveAll timer. After expiration of this interval, it sends out a LeaveAll message so that other GARP devices can re-register all relevant attribute information. The device then restarts the LeaveAll timer to begin a new cycle. The LeaveAll timer must be greater than or equal to 5x of the Leave timer. The default is 10000ms.
Example of the garp timer Command
Dell(conf)#garp timer leav 1000
Dell(conf)#garp timers leave-all 5000
Dell(conf)#garp timer join 300
Verification:
Dell(conf)#do show garp timer
GARP Timers          Value (milliseconds)
----------------------------------------
Join Timer           300
Leave Timer          1000
LeaveAll Timer       5000
Dell(conf)#
Dell displays this message if an attempt is made to configure an invalid GARP timer:
Dell(conf)#garp timers join 300
% Error: Leave timer should be >= 3*Join timer.
20
Internet Group Management Protocol (IGMP)
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by
the same IP address are a multicast group.
IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast routing
protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to
discover which groups are active and to populate the multicast routing table.
IGMP Protocol Overview
IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2
obsoletes version 1.
IGMP Version 2
IGMP version 2 improves on version 1 by specifying IGMP Leave messages, which allows hosts to notify
routers that they no longer care about traffic for a particular group.
Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to
a subnet (leave latency) after the last host leaves the group. In version 1 hosts quietly leave groups, and
the router waits for a query response timer several times the value of the query interval to expire before it
stops forwarding traffic.
To receive multicast traffic from a particular source, a host must join the multicast group to which the
source is sending traffic. A host that is a member of a group is called a receiver. A host may join many
groups, and may join or leave any group at any time. A host joins and leaves a multicast group by sending
an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast
receivers and processes survey responses to populate the multicast routing table.
IGMP messages are encapsulated in IP packets, as shown in the following illustration.
Figure 44. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its
querier or it may send an unsolicited report to its querier.
• Responding to an IGMP Query
– One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
– A host that wants to join a multicast group responds with an IGMP membership report that contains the multicast address of the group it wants to join (the packet is addressed to the same group). If multiple hosts want to join the same multicast group, only the report from the first host to respond reaches the querier, and the remaining hosts suppress their responses (for how the delay timer mechanism works, refer to IGMP Snooping).
– The querier receives the report for a group and adds the group to the list of multicast groups associated with its outgoing port to the subnet. Multicast traffic for the group is then forwarded to that subnet.
• Sending an Unsolicited IGMP Report
– A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP membership report, also called an IGMP Join message, to the querier.
Leave a Multicast Group
The following describes how a host can leave a multicast group.
• A host sends a membership report of type 0x17 (IGMP Leave message) to the all routers multicast address 224.0.0.2 when it no longer cares about multicast traffic for a particular group.
• The querier sends a Group-Specific Query to determine whether there are any remaining hosts in the group. There must be at least one receiver in a group on a subnet for a router to forward multicast traffic for that group to the subnet.
• Any remaining hosts respond to the query according to the delay timer mechanism (refer to IGMP Snooping). If no hosts respond (because there are none remaining in the group), the querier waits a specified period and sends another query. If it still receives no response, the querier removes the group from the list associated with the forwarding port and stops forwarding traffic for that group to the subnet.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
• Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered. An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
• Reporting is more efficient and robust: hosts do not suppress query responses (non-suppression helps track state and enables the immediate-leave and IGMP snooping features), state-change reports are retransmitted to ensure delivery, and a single membership report bundles multiple statements from a single host, rather than sending an individual packet for each statement.
The version 3 packet structure is different from version 2 to accommodate these protocol
enhancements. Queries are still sent to the all-systems address 224.0.0.1, as shown in the following
illustration, but reports are sent to the all IGMP version 3-capable multicast routers address 244.0.0.22, as
shown in the second illustration.
Figure 45. IGMP Version 3 Packet Structure
Figure 46. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from
unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet. Before recording this request, the querier sends a group-and-source query to verify that there are no hosts interested in any other sources. The multicast router must satisfy all hosts if they have conflicting requests. For example, if another host on the subnet is interested in traffic from 10.11.1.3, the router cannot record the include request. There are no other interested hosts, so the request is recorded. At this point, the multicast routing protocol prunes the tree to all but the specified sources.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts, so the request is recorded.
Figure 47. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2. The querier, before making any state changes, sends a group-and-source query to see if any other host is interested in these two sources; queries for state changes are retransmitted multiple times. If any are, they respond with their current state information and the querier refreshes the relevant state information.
3. Separately in the following illustration, the querier sends a general query to 224.0.0.1.
4. Host 2 responds to the periodic general query so the querier refreshes the state information for that group.
Figure 48. Membership Queries: Leaving and Staying
IGMP Snooping
IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that
associates ports with multicast groups so that when they receive multicast frames, they can forward them
only to interested receivers.
Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather
than one unique device. Switches forward multicast frames out of all ports in a virtual local area network
(VLAN) by default, even though there may be only some interested hosts, which is a waste of bandwidth.
If you enable IGMP snooping on a VLT unit, IGMP snooping dynamically learned groups and multicast
router ports are made to learn on the peer by explicitly tunneling the received IGMP control packets.
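The Join and Leave exchanges and the snooping table described above, as an added Python model (not Dell code): it parses constructed IGMPv2 messages, verifies their checksums, and maintains group-to-port entries using either fast-leave or the two-query last-member removal that the chapter describes. Port names and group addresses are constructed.

```python
import struct
import ipaddress

# IGMPv2 message types (RFC 2236 numbering; 0x17 is the Leave described in the guide).
IGMP_TYPES = {0x11: "Membership Query", 0x12: "v1 Membership Report",
              0x16: "v2 Membership Report", 0x17: "Leave Group"}
ALL_SYSTEMS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"   # query / Leave destinations from the guide


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type, group, max_resp=0):
    """Constructed test message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(payload):
    """Validate length and checksum, then decode the 8-byte IGMPv2 header."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(payload[:8]) != 0:         # a valid message sums to all ones
        raise ValueError("IGMP checksum mismatch")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", payload[:8])
    if msg_type not in IGMP_TYPES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    return {"type": msg_type, "name": IGMP_TYPES[msg_type],
            "max_resp": max_resp, "group": str(ipaddress.IPv4Address(group))}


class SnoopingTable:
    """Per-VLAN group -> receiver-port table built from snooped IGMP messages."""

    def __init__(self, fast_leave=False, mrouter_ports=()):
        self.groups = {}                 # group address -> set of receiver ports
        self.pending = {}                # (group, port) -> group-specific queries still outstanding
        self.fast_leave = fast_leave     # ip igmp fast-leave: drop the port on the first Leave
        self.mrouter_ports = set(mrouter_ports)

    def handle(self, port, payload):
        msg = parse_igmpv2(payload)
        group = msg["group"]
        if msg["type"] in (0x12, 0x16):                  # report = Join: learn or refresh the port
            self.groups.setdefault(group, set()).add(port)
            self.pending.pop((group, port), None)       # a report answers any outstanding query
            return f"{port}: joined {group}"
        if msg["type"] == 0x17:                           # Leave (sent to 224.0.0.2)
            if self.fast_leave:
                self._remove(group, port)
                return f"{port}: fast-leave removed {group}"
            self.pending[(group, port)] = 2               # first query now, second after one LMQI
            return f"{port}: leave {group}, group-specific query sent"
        return f"{port}: query for {group if group != '0.0.0.0' else 'all groups'}"

    def lmqi_expired(self):
        """One last-member-query interval elapsed with no report for each pending entry."""
        removed = []
        for key in list(self.pending):
            self.pending[key] -= 1
            if self.pending[key] == 0:                    # one LMQI after the second query: remove
                del self.pending[key]
                self._remove(*key)
                removed.append(key)
        return removed

    def _remove(self, group, port):
        ports = self.groups.get(group, set())
        ports.discard(port)
        if not ports:
            self.groups.pop(group, None)

    def forward_ports(self, group):
        """Where a frame for group is forwarded: learned receivers plus multicast-router ports."""
        return self.groups.get(group, set()) | self.mrouter_ports


if __name__ == "__main__":
    table = SnoopingTable(mrouter_ports={"te 0/1"})
    join, leave = build_igmpv2(0x16, "224.1.1.1"), build_igmpv2(0x17, "224.1.1.1")
    print(table.handle("te 0/5", join), table.forward_ports("224.1.1.1"))
    print(table.handle("te 0/5", leave), table.lmqi_expired(), table.lmqi_expired())
    print(table.forward_ports("224.1.1.1"))           # only the mrouter port remains
```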
IGMP Snooping Implementation Information
• IGMP snooping on the Dell Networking OS uses IP multicast addresses not MAC addresses.
• IGMP snooping is not supported on stacked VLANs.
• IGMP snooping is supported on all MXL 10/40GbE stack members.
• IGMP snooping reacts to spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) topology changes by sending a general query on the interface that transitions to the forwarding state.
Configuring IGMP Snooping
Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands.
• Enable IGMP snooping on a switch.
CONFIGURATION mode
ip igmp snooping enable
• View the configuration.
CONFIGURATION mode
show running-config
• Disable snooping on a VLAN.
INTERFACE VLAN mode
no ip igmp snooping
Related Configuration Tasks
• Enabling IGMP Immediate-Leave
• Disabling Multicast Flooding
• Specifying a Port as Connected to a Multicast Router
• Configuring the Switch as Querier
Example of ip igmp snooping enable Command
Dell(conf)#ip igmp snooping enable
Dell(conf)#do show running-config igmp
ip igmp snooping enable
Dell(conf)#
Enabling IGMP Immediate-Leave
To remove a group-port association after receiving an IGMP Leave message, use the following
command.
• Configure the switch to remove a group-port association after receiving an IGMP Leave message.
INTERFACE VLAN mode
ip igmp fast-leave
• View the configuration.
INTERFACE VLAN mode
show config
Example of the show config Command
Dell(conf-if-vl-100)#show config
!
interface Vlan 100
no ip address
ip igmp snooping fast-leave
shutdown
Dell(conf-if-vl-100)#
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered
frame), the switch floods that packet out of all ports on the VLAN.
On the MXL Switch, when you configure no ip igmp snooping flood, the system forwards the
frames on the mrouter ports for first 96 IGMP snooping-enabled VLANs. For all other VLANs, the
unregistered multicast packets are dropped.
Specifying a Port as Connected to a Multicast Router
To statically specify or view a port in a VLAN, use the following commands.
• Statically specify a port in a VLAN as connected to a multicast router.
INTERFACE VLAN mode
ip igmp snooping mrouter
• View the ports that are connected to multicast routers.
EXEC Privilege mode.
show ip igmp snooping mrouter
Configuring the Switch as Querier
To configure the switch as a querier, use the following command.
Hosts that do not support unsolicited reporting wait for a general query before sending a membership
report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and
so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership
reports and the switch can generate a forwarding table by snooping.
• Configure the switch to be the querier for a VLAN by first assigning an IP address to the VLAN interface.
INTERFACE VLAN mode
ip igmp snooping querier
– IGMP snooping querier does not start if there is a statically configured multicast router interface in the VLAN.
– The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet.
– When enabled, IGMP snooping querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members.
Adjusting the Last Member Query Interval
To adjust the last member query interval, use the following command.
When the querier receives a Leave message from a receiver, it sends a group-specific query out of the
ports specified in the forwarding table. If no response is received, it sends another. The amount of time
that the querier waits to receive a response to the initial query before sending a second one is the last
member query interval (LMQI). The switch waits one LMQI after the second query before removing the
group-port entry from the forwarding table.
• Adjust the last member query interval.
INTERFACE VLAN mode
ip igmp snooping last-member-query-interval
Fast Convergence after MSTP Topology Changes
The following describes the fast convergence feature.
When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, the
system sends a general query out of all ports except the multicast router ports. The host sends a
response to the general query and the forwarding database is updated without having to wait for the
query interval to expire.
When an IGMP snooping switch is not acting as a querier, it sends out the general query in response to
the MSTP triggered link-layer topology change, with the source IP address of 0.0.0.0 to avoid triggering
querier election.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command.
The Dell Networking OS also has the capability of listening in on the incoming IGMP general queries and
designate those interfaces as the multicast router interface when the frames have a non-zero IP source
address. All IGMP control packets and IP multicast data traffic originating from receivers is forwarded to
multicast router interfaces.
• Designate an interface as a multicast router interface.
ip igmp snooping mrouter interface
21
Interfaces
This chapter describes 100/1000/10000 Mbps Ethernet, 10 Gigabit Ethernet, and 40 Gigabit Ethernet
interface types, both physical and logical, and how to configure them with the Dell Networking operating
software (OS).
Basic Interface Configuration
• Interface Types
• View Basic Interface Information
• Enabling a Physical Interface
• Physical Interfaces
• Management Interfaces
• VLAN Interfaces
• Loopback Interfaces
• Null Interfaces
• Port Channel Interfaces
• Server Ports
Advanced Interface Configuration
• Bulk Configuration
• Define the Interface Range
• Monitoring and Maintaining Interfaces
• Splitting QSFP Ports to SFP+ Ports
• Configure MTU Size on an Interface
• Layer 2 Flow Control Using Ethernet Pause Frames
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
Interface Types
The following table describes different interface types.
Interface Type   Modes Possible   Default Mode   Requires Creation      Default State
Physical         L2, L3           Unset          No                     Shutdown (disabled)
Management       N/A              N/A            No                     No Shutdown (enabled)
Loopback         L3               L3             Yes                    No Shutdown (enabled)
Null             N/A              N/A            No                     Enabled
Port Channel     L2, L3           L3             Yes                    Shutdown (disabled)
VLAN             L2, L3           L2             Yes (except default)   L2: No Shutdown (enabled); L3: Shutdown (disabled)
View Basic Interface Information
To view basic interface information, use the following command.
You have several options for viewing interface status and configuration parameters.
• Lists all configurable interfaces on the chassis.
EXEC mode
show interfaces
This command has options to display the interface status, IP and MAC addresses, and multiple
counters for the amount and type of traffic passing through the interface.
If you configured a port channel interface, this command lists the interfaces configured in the port
channel.
NOTE: To end output from the system, such as the output from the show interfaces
command, enter CTRL+C and the system returns to the command prompt.
NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To
obtain the correct power information, perform a simple network management protocol (SNMP)
query.
Example of the show interfaces Command
The following example shows the configuration and status information for one interface.
Dell#show interfaces tengigabitethernet 0/16
TenGigabitEthernet 0/16 is up, line protocol is up
Hardware is DellForce10Eth, address is 00:1e:c9:f1:00:05
Current address is 00:1e:c9:f1:00:05
Server Port AdminState is Up
Pluggable media not present
Interface index is 38080769
Internet address is not set
Mode of IP Address Assignment : NONE
DHCP Client-ID :tenG145001ec9f10005
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 5d1h18m
Queueing strategy: fifo
Input Statistics:
34561 packets, 6266197 bytes
38 64-byte pkts, 4373 over 64-byte pkts, 21491 over 127-byte pkts
8659 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
21984 Multicasts, 12577 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
44329 packets, 4722779 bytes, 0 underruns
0 64-byte pkts, 44329 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
44329 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 4d0h28m
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
3 packets, 192 bytes, 0 underruns
3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 3 Broadcasts, 0 Unicasts
0 Vlans, 0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 00:00:31
Dell
Example of the show ip interfaces brief Command
To view which interfaces are enabled for Layer 3 data transmission, use the show ip interfaces brief command in EXEC Privilege mode. In the following example, GigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Dell#show ip interface brief
Interface            IP-Address   OK?  Method  Status                 Protocol
GigabitEthernet 1/0  unassigned   NO   Manual  administratively down  down
GigabitEthernet 1/1  unassigned   NO   Manual  administratively down  down
GigabitEthernet 1/2  unassigned   YES  Manual  up                     up
GigabitEthernet 1/3  unassigned   YES  Manual  up                     up
GigabitEthernet 1/4  unassigned   YES  Manual  up                     up
GigabitEthernet 1/5  10.10.10.1   YES  Manual  up                     up
GigabitEthernet 1/6  unassigned   NO   Manual  administratively down  down
GigabitEthernet 1/7  unassigned   NO   Manual  administratively down  down
GigabitEthernet 1/8  unassigned   NO   Manual  administratively down  down
To view only configured interfaces, use the show interfaces configured command in EXEC Privilege mode. In the previous example, GigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Example of the show running-config Command to View Physical Interfaces
To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the line cards.
Dell#show running
Current Configuration ...
!
interface GigabitEthernet 9/6
no ip address
shutdown
!
interface GigabitEthernet 9/7
no ip address
shutdown
!
interface GigabitEthernet 9/8
no ip address
shutdown
!
interface GigabitEthernet 9/9
no ip address
shutdown
Enabling a Physical Interface
After determining the type of physical interfaces available, to enable and configure the interfaces, enter
INTERFACE mode by using the interface interface slot/port command.
1. Enter the keyword interface then the type of interface and slot/port information.
CONFIGURATION mode
interface interface-type
• For the Management interface on the RPM, enter the keyword ManagementEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
2. Enable the interface.
INTERFACE mode
no shutdown
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave
INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Physical Interfaces
The switch interfaces support Layer 2 and Layer 3 traffic over the 100/1000/10000, 10-Gigabit, and 40-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels.
For more information about VLANs, refer to Bulk Configuration. For more information on port channels,
refer to Physical Interfaces.
Dell Networking OS Behavior: The MXL 10/40GbE switch systems use a single MAC address for all
physical interfaces.
Configuration Task List for Physical Interfaces
By default, all interfaces are operationally disabled and traffic does not pass through them.
The following section includes information about optional configurations for physical interfaces:
• Overview of Layer Modes
• Configuring Layer 2 (Data Link) Mode
• Configuring Layer 2 (Interface) Mode
• Configuring Layer 3 (Interface) Mode
• Configuring Layer 3 (Network) Mode
• Management Interfaces
• Auto-Negotiation on Ethernet Interfaces
• Adjusting the Keepalive Timer
• Clearing Interface Counters
Overview of Layer Modes
On all systems running the Dell Networking OS, you can place physical interfaces, port channels, and
VLANs in Layer 2 mode or Layer 3 mode.
By default, VLANs are in Layer 2 mode.
Type of Interface                         Possible Modes     Requires Creation                  Default State
10/100/1000 Ethernet, Gigabit Ethernet,   Layer 2, Layer 3   No                                 Shutdown (disabled)
  10 Gigabit Ethernet
Management                                N/A                No                                 Shutdown (disabled)
Loopback                                  Layer 3            Yes                                No shutdown (enabled)
Null interface                            N/A                No                                 Enabled
Port Channel                              Layer 2, Layer 3   Yes                                Shutdown (disabled)
VLAN                                      Layer 2, Layer 3   Yes, except for the default VLAN.  No shutdown (active for Layer 2);
                                                                                                Shutdown (disabled for Layer 3)
Configuring Layer 2 (Data Link) Mode
Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface
unless the interface has been set to Layer 2 mode.
To set Layer 2 data transmissions through an individual interface, use the following command.
• Enable Layer 2 data transmissions through an individual interface.
  INTERFACE mode
  switchport
Example of a Basic Layer 2 Interface Configuration
Dell(conf-if)#show config
!
interface Port-channel 1
no ip address
switchport
no shutdown
Dell(conf-if)#
Configuring Layer 2 (Interface) Mode
To configure an interface in Layer 2 mode, use the following commands.
• Enable the interface.
  INTERFACE mode
  no shutdown
• Place the interface in Layer 2 (switching) mode.
  INTERFACE mode
  switchport
For information about enabling and configuring the Spanning Tree Protocol, refer to Spanning Tree
Protocol (STP).
To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC
mode.
Configuring Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode.
To enable Layer 3 mode on an individual interface, use the following commands. In all interface types
except VLANs, the shutdown command prevents all traffic from passing through the interface. In VLANs,
the shutdown command prevents Layer 3 traffic from passing through the interface. Layer 2 traffic is
unaffected by the shutdown command. One of the interfaces in the system must be in Layer 3 mode
before you configure or enter a Layer 3 protocol mode (for example, OSPF).
• Enable Layer 3 on an individual interface.
  INTERFACE mode
  ip address
• Enable the interface.
  INTERFACE mode
  no shutdown
Dell(conf-if)#show config
!
interface TenGigabitEthernet 1/5
ip address 10.10.10.1 /24
no shutdown
Dell(conf-if)#
Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface
If an interface is in the incorrect layer mode for a given command, an error message displays (shown in
bold). In the following example, the ip address command triggered an error message because the
interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
Dell(conf-if)#show config
!
interface GigabitEthernet 1/2
no ip address
switchport
no shutdown
Dell(conf-if)#ip address 10.10.1.1 /24
% Error: Port is in Layer 2 mode Gi 1/2.
Dell(conf-if)#
To determine the configuration of an interface, use the show config command in INTERFACE mode or
the various show interface commands in EXEC mode.
Configuring Layer 3 (Interface) Mode
To assign an IP address, use the following commands.
• Enable the interface.
  INTERFACE mode
  no shutdown
• Configure a primary IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx).
  Add the keyword secondary if the IP address is the interface’s backup IP address.
You can only configure one primary IP address per interface. You can configure up to 255 secondary IP
addresses on a single interface.
To view all interfaces that have an IP address assigned, use the show ip interfaces brief
command in EXEC mode as shown in View Basic Interface Information.
To view IP information on an interface in Layer 3 mode, use the show ip interface command in
EXEC Privilege mode.
Example of the show ip interface Command
Dell(conf-if-vl-10)#do sh int vl 10
Vlan 10 is up, line protocol is up
Address is 00:1e:c9:f1:03:38, Current address is 00:1e:c9:f1:03:38
Interface index is 1107787786
Internet address is 5.5.5.1/24
Mode of IP Address Assignment : MANUAL
DHCP Client-ID: vlan10001ec9f10338
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:09
Queueing strategy: fifo
Time since last interface status change: 00:00:46
Management Interfaces
The IOM management interface has both a public IP and private IP address on the internal fabric D
interface.
The public IP address is exposed to the outside world for Web GUI configurations/WSMAN and other
proprietary traffic. You can statically configure the public IP address or obtain the IP address dynamically
using the dynamic host configuration protocol (DHCP).
NOTE: When you shut down a management interface, connectivity to the interface’s private IP
address is disabled.
You can access the full switch using:
• Internal RS-232 using the chassis management controller (CMC). Telnet into CMC and do a connect
  -b switch-id to get console access to corresponding IOM.
• External serial port with a universal serial bus (USB) connector (front panel): connect using the IOM
  front panel USB serial line to get console access (Labeled as USB B).
• Telnet/others using the public IP interface on the fabric D interface.
• CMC through the private IP interface on the fabric D interface.
The MXL switch system supports the management Ethernet interface as well as the standard interface on
any front-end port. You can use either method to connect to the system.
Configuring Management Interfaces on the MXL Switch
On the MXL Switch IO Module, the dedicated management interface provides management access to the
system.
You can configure this interface with the Dell Networking OS, but the configuration options on this
interface are limited. You cannot configure Gateway addresses and IP addresses if it appears in the main
routing table of the Dell Networking OS. In addition, proxy ARP is not supported on this interface.
For additional management access, IOM supports the default VLAN (VLAN 1) L3 interface in addition to
the public fabric D management interface. You can assign the IP address for the VLAN 1 default
management interface using the setup wizard or through the CLI.
If you do not configure the VLAN 1 default using the wizard or CLI presented in startup-config, by default,
the VLAN 1 management interface gets its IP address using DHCP.
There is only one management interface for the whole stack.
You can manage the MXL Switch from any port. Configure an IP address for the port using the ip
address command. Enable the IP address for the port using the no shutdown command. You can use
the description command from INTERFACE mode to note that the interface is the management
interface. There is no separate management routing table, so you must configure all routes in the IP
routing table (use the ip route command).
To configure a management interface, use the following commands.
• Enter the slot and the port (0) to configure a Management interface.
  CONFIGURATION mode
  interface managementethernet interface
  The slot range is 0–0.
• Configure an IP address and mask on a Management interface.
  INTERFACE mode
  ip address ip-address mask
  – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x).
To display the configuration for a given port, use the show interface command from EXEC Privilege
mode, as shown in the following example.
To display the routing table for a given port, use the show ip route command from EXEC Privilege
mode.
Example of the show interface Command
Dell#show int tengig 0/16
TenGigabitEthernet 0/16 is up, line protocol is down
Hardware is DellForce10Eth, address is 00:1e:c9:bb:02:c2
Current address is 00:1e:c9:bb:02:c2
Server Port AdminState is Down
Pluggable media not present
Interface index is 38080769
Internet address is not set
Mode of IP Address Assignment : NONE
DHCP Client-ID :tenG145001ec9bb02c2
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 2w4d2h
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec,
0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec,
0 packets/sec, 0.00% of line-rate
Time since last interface status change: 2w4d2h
Dell#
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels
can be members of VLANs.
For more information about VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLANs).
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of
TCP/IP-based internets: MIB-II (RFC 1213).
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same
VLAN.
The Dell Networking OS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP
addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are
used. For more information about configuring different routing protocols, refer to the chapters on the
specific protocol.
A consideration for including VLANs in routing protocols is that you must configure the no shutdown
command. (For routing traffic to flow, you must enable the VLAN.)
NOTE: You cannot assign an IP address to the default VLAN, which is VLAN 1 (by default). To assign
another VLAN ID to the default VLAN, use the default vlan-id vlan-id command.
To assign an IP address to an interface, use the following command.
• Configure an IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in
    slash format (/24).
  – secondary: the IP address is the interface’s backup IP address. You can configure up to eight
    secondary IP addresses.
Example of a Configuration for a VLAN Participating in an OSPF Process
interface Vlan 10
ip address 1.1.1.2/24
tagged GigabitEthernet 2/2-13
tagged TenGigabitEthernet 5/0
ip ospf authentication-key Dell force10
ip ospf cost 1
ip ospf dead-interval 60
ip ospf hello-interval 15
no shutdown
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to
it are processed locally.
Because this interface is not a physical interface, you can configure routing protocols on this interface to
provide protocol stability. You can place Loopback interfaces in default Layer 3 mode.
To configure, view, or delete a Loopback interface, use the following commands.
• Enter a number as the Loopback interface.
  CONFIGURATION mode
  interface loopback number
  The range is from 0 to 16383.
• View Loopback interface configurations.
  EXEC mode
  show interface loopback number
• Delete a Loopback interface.
  CONFIGURATION mode
  no interface loopback number
Many of the same commands found in the physical interface are also found in the Loopback interfaces.
For more information, refer to Access Control Lists (ACLs).
Null Interfaces
The Null interface is another virtual interface. There is only one Null interface. It is always up, but no
traffic is transmitted through this interface.
To enter INTERFACE mode of the Null interface, use the following command.
• Enter INTERFACE mode of the Null interface.
  CONFIGURATION mode
  interface null 0
The only configurable command in INTERFACE mode of the Null interface is the ip unreachable
command.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad.
This section covers the following topics:
• Port Channel Definition and Standards
• Port Channel Benefits
• Port Channel Implementation
• Configuration Tasks for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a
single logical interface—a link aggregation group (LAG) or port channel.
A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE
802.3ad. In the Dell Networking OS, a LAG is referred to as a port channel interface.
A port channel provides redundancy by aggregating physical interfaces into one logical interface. If one
physical interface goes down in the port channel, another physical interface carries the traffic.
Port Channel Benefits
A port channel interface provides many benefits, including easy management, link redundancy, and
sharing.
Port channels are transparent to network configurations and can be modified and managed as one
interface. For example, you configure one IP address for the group and that IP address is used for all
routed traffic on the port channel.
With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links. For
example, you can build a 40-Gigabit interface by aggregating four 10-Gigabit Ethernet interfaces
together. If one of the four interfaces fails, traffic is redistributed across the three remaining interfaces.
Port Channel Implementation
The Dell Networking OS supports static and dynamic port channels.
• Static — Port channels that are statically configured.
• Dynamic — Port channels that are dynamically configured using the link aggregation control protocol
  (LACP). For details, refer to Link Aggregation Control Protocol (LACP).
There are 128 port-channels with 16 members per channel.
As soon as you configure a port channel, the system treats it like a physical interface. For example, IEEE
802.1Q tagging is maintained while the physical interface is in the port channel.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on
the port ID, instead of in the order in which the ports come up. With this implementation, load balancing
yields predictable results across line card resets and chassis reloads.
A physical interface can belong to only one port channel at a time.
Each port channel must contain interfaces of the same interface type/speed.
Port channels can contain a mix of 100, 1000, or 10000 Mbps Ethernet interfaces and TenGigabit
Ethernet interfaces. The interface speed (100, 1000, or 10000 Mbps) the port channel uses is determined
by the first port channel member that is physically up. The system disables the interfaces that do not match
the interface speed that the first channel member sets. That first interface may be the first interface that is
physically brought up or was physically operating when interfaces were added to the port channel. For
example, if the first operational interface in the port channel is a Gigabit Ethernet interface, all interfaces
at 1000 Mbps are kept up, and all 100/1000/10000 interfaces that are not set to 1000 speed or auto
negotiate are disabled.
100/1000/10000 Mbps Interfaces in Port Channels
When both 100/1000/10000 interfaces and TenGigabitEthernet interfaces are added to a port channel,
the interfaces must share a common speed. When interfaces have a configured speed different from the
port channel speed, the software disables those interfaces.
The common speed is determined when the port channel is first enabled. At that time, the software
checks the first interface listed in the port channel configuration. If you enabled that interface, its speed
configuration becomes the common speed of the port channel. If the other interfaces configured in that
port channel are configured with a different speed, the system disables them.
For example, suppose four interfaces (TenGig 0/0, 0/1, 0/2, and 0/3) are all enabled, TenGig 0/0 and
TenGig 0/3 are set to speed 100 Mb/s, and the others are set to 10000 Mb/s. You add them to a port
channel by entering channel-member tengigabitethernet 0/0-3 while in port channel interface
mode. The system determines whether the first interface specified (TenGig 0/0) is up; once it is up, the
common speed of the port channel is 100 Mb/s. The system disables those interfaces configured with
speed 1000 Mb/s or whose speed is 1000 Mb/s as a result of auto-negotiation.
In this example, you can change the common speed of the port channel by changing its configuration so
the first enabled interface referenced in the configuration is a 1000 Mb/s speed interface. You can also
change the common speed of the port channel here by setting the speed of the TenGig 0/0 interface to
1000 Mb/s.
Configuration Tasks for Port Channel Interfaces
To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By
default, no port channels are configured in the startup configuration.
These are the mandatory and optional configuration tasks:
• Creating a Port Channel (mandatory)
• Adding a Physical Interface to a Port Channel (mandatory)
• Reassigning an Interface to a New Port Channel (optional)
• Configuring the Minimum Oper Up Links in a Port Channel (optional)
• Adding or Removing a Port Channel from a VLAN (optional)
• Assigning an IP Address to a Port Channel (optional)
• Deleting or Disabling a Port Channel (optional)
Creating a Port Channel
You can create up to 128 port channels with 16 port members per group on an MXL switch.
To configure a port channel, use the following commands.
1. Create a port channel.
   CONFIGURATION mode
   interface port-channel id-number
2. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. To place the port channel
in Layer 2 mode, use the switchport command; to place it in Layer 3 mode, configure an IP address on
it.
You can configure a port channel as you would a physical interface by enabling or configuring protocols
or assigning access control lists.
Adding a Physical Interface to a Port Channel
You can add any physical interface to a port channel if the interface configuration is minimal.
NOTE: Port channels can contain a mix of 100/1000/10000 Ethernet interfaces and 10 Gigabit
Ethernet interface, but the Dell Networking OS disables the interfaces that are not the same speed
of the first channel member in the port channel (refer to 100/1000/10000 Mbps Interfaces in Port
Channels).
You can configure only the following commands on an interface if it is a member of a port channel:
• description
• shutdown/no shutdown
• mtu
• ip mtu (if the interface is Jumbo-enabled, which it is by default)
NOTE: The MXL switch supports jumbo frames by default (the default maximum transmission unit
[MTU] is 1554 bytes). You can configure the MTU using the mtu command from INTERFACE mode.
To view the interface’s configuration, enter INTERFACE mode for that interface and use the show
config command or from EXEC Privilege mode, use the show running-config interface
interface command.
To add a physical interface to a port, use the following commands.
1. Add the interface to a port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   The interface variable is the physical interface type and slot/port information.
2. Double check that the interface was added to the port channel.
   INTERFACE PORT-CHANNEL mode
   show config
To view the port channel’s status and channel members in a tabular format, use the show interfaces
port-channel brief command in EXEC Privilege mode, as shown in the following example.
Example of the show interfaces port-channel brief Command
Dell#show int port brief
Codes: L - LACP Port-channel
LAG  Mode  Status  Uptime    Ports
1    L3    down    00:00:00  Te 0/16 (Down)
Dell#
The following example shows the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a
Layer 2-port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to
the port channel.
Example of the show interface port-channel Command
Dell#show int port-channel
Port-channel 1 is down, line protocol is down
Hardware address is 00:1e:c9:f1:00:05, Current address is 00:1e:c9:f1:00:05
Interface index is 1107755009
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IP Address Assignment : NONE
DHCP Client-ID :lag1001ec9f10005
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto
Members in this channel: Te 0/16(D)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:05:44
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec,
0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 00:05:44
When more than one interface is added to a Layer 2-port channel, the system selects one of the active
interfaces in the port channel to be the primary port. The primary port replies to flooding and sends
protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command
indicates the primary port.
As soon as a physical interface is added to a port channel, the properties of the port channel determine
the properties of the physical interface. The configuration and status of the port channel are also applied
to the physical interfaces within the port channel. For example, if the port channel is in Layer 2 mode, you
cannot add an IP address or a static MAC address to an interface that is part of that port channel.
In the following example, interface GigabitEthernet 1/6 is part of port channel 1, which is in Layer 2 mode,
and an error message appeared when an IP address was configured.
Example of Error Due to an Attempt to Configure an Interface that is Part of a Port Channel
Dell(conf-if-po-1)#show config
!
interface Port-channel 1
no ip address
channel-member TenGigabitEthernet 0/16
shutdown
Dell(conf-if-po-1)#
Dell(conf-if-po-1)#int tengig 1/6
Dell(conf-if)#ip address 10.56.4.4 /24
% Error: Te 1/6 Port is part of a LAG.
Dell(conf-if)#
Reassigning an Interface to a New Port Channel
An interface can be a member of only one port channel. If the interface is a member of a port channel,
remove it from the first port channel and then add it to the second port channel.
To reassign an interface to a new port channel, use the following commands.
1. Remove the interface from the first port channel.
   INTERFACE PORT-CHANNEL mode
   no channel-member interface
2. Change to the second port channel INTERFACE mode.
   INTERFACE PORT-CHANNEL mode
   interface port-channel id number
3. Add the interface to the second port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
Example of Moving an Interface to a New Port Channel
The following example shows moving the TenGigabitEthernet 1/8 interface from port channel 4 to port
channel 3.
Dell(conf-if-po-1)#show config
!
interface Port-channel 1
no ip address
channel-member TenGigabitEthernet 0/16
shutdown
Dell(conf-if-po-1)#no chann tengig 1/8
Dell(conf-if-po-1)#int port 5
Dell(conf-if-po-5)#channel tengig 1/8
Dell(conf-if-po-5)#show conf
!
interface Port-channel 5
no ip address
channel-member TenGigabitEthernet 1/8
shutdown
Dell(conf-if-po-5)#
Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider
the port channel to be in “oper up” status.
To set the “oper up” status of your links, use the following command.
• Enter the number of links in a LAG that must be in “oper up” status.
  INTERFACE mode
  minimum-links number
  The default is 1.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#
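The following Python model is an added example, not Dell's code. It combines two rules from this chapter: common-speed selection from 100/1000/10000 Mbps Interfaces in Port Channels (the first listed member that is enabled and physically up sets the speed, and other members at a different speed are disabled) and the minimum-links rule above (the port channel is oper up only when at least that many members are up, default 1). Member names and speeds are constructed; reading "first enabled interface" and "first member physically up" as the same member is this example's interpretation of the two passages.

```python
"""Model of port channel common-speed selection and oper-up status.

Added example, not Dell's code.  Rules encoded, all from this chapter:
the common speed is taken from the first member listed that is enabled and
physically up; members whose speed differs from it are disabled; the port
channel is oper up only when at least minimum-links members are up
(default 1).  Member names and speeds are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Member:
    name: str           # e.g. "TenGig 0/0"
    speed_mbps: int     # configured (or auto-negotiated) speed: 100, 1000, 10000
    enabled: bool       # "no shutdown" configured on the member
    link_up: bool       # physical link state


@dataclass
class PortChannel:
    members: List[Member] = field(default_factory=list)   # configuration order
    minimum_links: int = 1                                # "minimum-links" default

    def common_speed(self) -> Optional[int]:
        """Speed of the first enabled member that is physically up, or None
        when no member qualifies (the port channel then has no common speed)."""
        for m in self.members:
            if m.enabled and m.link_up:
                return m.speed_mbps
        return None

    def disabled_members(self) -> List[str]:
        """Members the system disables for not matching the common speed."""
        speed = self.common_speed()
        if speed is None:
            return []
        return [m.name for m in self.members if m.enabled and m.speed_mbps != speed]

    def active_members(self) -> List[str]:
        """Members that are enabled, up, and running at the common speed."""
        speed = self.common_speed()
        return [m.name for m in self.members
                if m.enabled and m.link_up and m.speed_mbps == speed]

    def oper_up(self) -> bool:
        """Oper up once the active member count reaches minimum-links."""
        return len(self.active_members()) >= self.minimum_links

    def status_line(self) -> str:
        """One-line summary in the spirit of show interfaces port-channel brief."""
        state = "up" if self.oper_up() else "down"
        speed = self.common_speed()
        return (f"Port-channel is {state}, common speed "
                f"{speed if speed else 'undetermined'} Mb/s, "
                f"{len(self.active_members())}/{self.minimum_links} links")
```

Changing the speed of the first member, or reordering the members, moves the common speed with it, which is the behaviour the 100/1000/10000 section describes for re-speeding TenGig 0/0.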
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to
a VLAN, place the port channel in Layer 2 mode (by using the switchport command).
To add or remove a VLAN port channel and to view VLAN port channel members, use the following
commands.
• Add the port channel to the VLAN as a tagged interface.
  INTERFACE VLAN mode
  tagged port-channel id number
  An interface with tagging enabled can belong to multiple VLANs.
• Add the port channel to the VLAN as an untagged interface.
  INTERFACE VLAN mode
  untagged port-channel id number
  An interface without tagging enabled can belong to only one VLAN.
• Remove the port channel with tagging enabled from the VLAN.
  INTERFACE VLAN mode
  no tagged port-channel id number
  or
  no untagged port-channel id number
• Identify which port channels are members of VLANs.
  EXEC Privilege mode
  show vlan
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols.
To assign an IP address, use the following command.
• Configure an IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in
    slash format (/24).
  – secondary: the IP address is the interface’s backup IP address. You can configure up to eight
    secondary IP addresses.
Deleting or Disabling a Port Channel
To delete or disable a port channel, use the following commands.
• Delete a port channel.
  CONFIGURATION mode
  no interface portchannel channel-number
• Disable a port channel.
  shutdown
When you disable a port channel, all interfaces within the port channel are operationally down also.
Server Ports
By default, the MXL switch allows the server ports to come up as switch ports in no shut mode, ready to
switch traffic.
Default Configuration without Start-up Config
This feature is enabled by default and can be enabled on reload by deleting the start-up config file.
On reload, all the server ports (1-32) come up as switch ports in No Shut mode. Uplinks remain in Shut
mode ensuring that there are no network loops.
With this feature, you can install servers and test their connectivity by running applications on the servers,
even before configuring VLAN membership, STP on all interfaces or uplinks.
NOTE: This feature does not impact BMP mode. It always applies when reloading in Normal mode.
Important Points to Remember
• On a new MXL switch running the Dell Networking OS version 9.2(0.0), with no saved startup
  configuration, the switch comes up with all server ports as switch ports in No Shut state. When you
  configure STP, the switch brings up the uplink and saves the running configuration to the startup-config
  file. All the server ports without any specific configuration have the default configuration of
  Layer 2 switch port and No Shut mode saved.
• On an existing MXL switch with a saved startup configuration, running an older Dell Networking OS
  version, an upgrade to a new version does not change the current behavior. This is because the startup-config
  file in older Dell Networking OS versions has the default configuration of Shut mode for all
  the server ports without any specific configuration. To enable this feature after upgrading a switch
  with a saved startup configuration, delete the start-up config file and reboot the switch. This allows all
  the server ports to come up as Layer 2 switch ports in No Shut state.
• In a stacked configuration of MXL switches, the behavior is similar to a standalone configuration. If a
  start-up config file is detected at bootup, the entire stack reboots using the saved configuration. If no
  start-up config file is detected at restart, the entire logical switch, including master unit, standby
  master, and any stack units, restarts with all server ports as Layer 2 switch ports in No Shut mode.
• If a new stack unit is added to an existing stack, by default, the server side interfaces always start in
  Shut mode. If the startup configuration is deleted after a stack unit was added to a stack and the stack
  is reloaded, on reboot the entire logical switch comes up with all server ports as Layer 2 switch ports in
  No Shut mode.
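The following Python script is an added example, not Dell's code. It audits a running-config offline using rules stated in this chapter: an interface with an ip address is in Layer 3 mode, one with switchport is in Layer 2 mode, the CLI rejects ip address on a switchport interface (the error shown under Configuring Layer 3 (Network) Mode), and, after a reload with no startup config, server ports come up as Layer 2 switch ports in No Shut mode with nothing else configured. The sample config, interface names and addresses are constructed; flagging an enabled Layer 2 port that has no description as a likely unreviewed default server port is a heuristic of this example, not a switch rule.

```python
"""Offline audit of a Dell Networking OS running-config (added example, not
Dell's code).  Rules applied, all from this chapter: "ip address" puts an
interface in Layer 3 mode, "switchport" in Layer 2 mode, the CLI rejects
"ip address" on a switchport interface, and server ports that boot with no
startup config are Layer 2 switch ports in No Shut mode with nothing else
configured.  The config text below is constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout "show running-config" uses on this page.
SAMPLE_RUNNING_CONFIG = """\
!
interface TenGigabitEthernet 0/1
 description uplink-to-core
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 0/2
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 0/3
 ip address 10.10.10.1/24
 no shutdown
!
interface TenGigabitEthernet 0/4
 no ip address
 switchport
 ip address 10.10.1.1/24
 no shutdown
!
"""

STANZA_RE = re.compile(r"^interface\s+(\S+\s+\S+)$")


@dataclass
class Interface:
    name: str
    description: Optional[str] = None
    switchport: bool = False
    ip_address: Optional[str] = None
    shutdown: bool = True            # physical interfaces default to shutdown

    @property
    def layer_mode(self) -> str:
        """Return "L3" if an IP address is assigned, "L2" if switchport, else "none"."""
        if self.ip_address:
            return "L3"
        return "L2" if self.switchport else "none"


def parse_running_config(text: str) -> Dict[str, Interface]:
    """Split the config into interface stanzas ("!" separates them) and record
    the commands this chapter discusses; other commands are ignored."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = STANZA_RE.match(line)
        if m:
            current = Interface(name=m.group(1))
            interfaces[current.name] = current
        elif current is None:
            continue                         # global command before any stanza
        elif line.startswith("description "):
            current.description = line[len("description "):]
        elif line == "switchport":
            current.switchport = True
        elif line == "no ip address":
            current.ip_address = None
        elif line.startswith("ip address "):
            current.ip_address = line[len("ip address "):]
        elif line == "shutdown":
            current.shutdown = True
        elif line == "no shutdown":
            current.shutdown = False
    return interfaces


def audit(interfaces: Dict[str, Interface]) -> List[str]:
    """One finding per interface that needs review before the config is pushed
    or the port is allowed to carry traffic."""
    findings: List[str] = []
    for itf in interfaces.values():
        if itf.switchport and itf.ip_address:
            # The switch refuses this at the CLI; it only appears in a
            # hand-edited startup-config or a generated template.
            findings.append(f"{itf.name}: ip address on a Layer 2 (switchport) interface; "
                            "the CLI answers '% Error: Port is in Layer 2 mode'")
        elif not itf.shutdown and itf.layer_mode == "none":
            findings.append(f"{itf.name}: enabled but in neither Layer 2 nor Layer 3 mode")
        elif not itf.shutdown and itf.layer_mode == "L2" and itf.description is None:
            # Heuristic of this example: an enabled, undescribed switch port
            # matches the default state of a server port after a reload.
            findings.append(f"{itf.name}: enabled Layer 2 port with no description; "
                            "looks like an unreviewed default server port")
    return findings
```

Run it against the text of show running-config saved from a switch, or against a startup-config before it is copied onto one; the parser only tracks the handful of commands the chapter discusses, so anything else in a stanza (OSPF settings, tagging, ACLs) passes through untouched.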
Bulk Configuration
Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured
for logical interfaces.
Interface Range
An interface range is a set of interfaces to which other commands may be applied and may be created if
there is at least one valid interface within the range.
Bulk configuration excludes from configuration any non-existing interfaces from an interface range. A
default VLAN may be configured only if the interface range being configured consists of only VLAN ports.
The interface range command allows you to create an interface range allowing other commands to
be applied to that range of interfaces.
The interface range prompt offers the interface (with slot and port information) for valid interfaces. The
maximum size of an interface range prompt is 32. If the prompt size exceeds this maximum, it displays (...)
at the end of the output.
NOTE: Non-existing interfaces are excluded from the interface range prompt.
NOTE: When creating an interface range, interfaces appear in the order they were entered and are
not sorted.
To display all interfaces that have been validated under the interface range context, use the show range
command in Interface Range mode.
To display the running configuration only for interfaces that are part of interface range, use the show
configuration command in Interface Range mode.
Bulk Configuration Examples
Use the interface range command for bulk configuration.
• Create a Single-Range
• Create a Multiple-Range
• Exclude Duplicate Entries
• Exclude a Smaller Port Range
• Overlap Port Ranges
• Commas
• Add Ranges
Create a Single-Range
The following is an example of a single range.
Example of the interface range Command (Single Range)
Dell(conf)# interface range tengigabitethernet 5/1 - 23
Dell(conf-if-range-te-5/1-23)# no shutdown
Dell(conf-if-range-te-5/1-23)#
Create a Multiple-Range
The following is an example of multiple ranges.
Example of the interface range Command (Multiple Ranges)
Dell(conf)#interface range tengigabitethernet 3/0 , tengigabitethernet 2/1 - 47 , vlan 1000
Dell(conf-if-range-te-2/1-47)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Example of the Interface-Range Prompt for Duplicate Interfaces
Dell(conf)#interface range vlan 1 , vlan 1 , vlan 3 , vlan 3
Dell(conf-if-range-vl-1,vl-3)#
Dell(conf)#interface range tengigabitethernet 2/0 - 23 , tengigabitethernet 2/0 - 23 , tengigab 2/0 - 23
Dell(conf-if-range-te-2/0-23)#
Exclude a Smaller Port Range
The following is an example showing how the smaller of two port ranges is omitted from the
interface-range prompt.
Example of the Interface-Range Prompt for Multiple Port Ranges
Dell(conf)#interface range tengigabitethernet 2/0 - 23 , tengigab 2/1 - 10
Dell(conf-if-range-te-2/0-23)#
Overlap Port Ranges
The following is an example showing how the interface-range prompt handles overlapping port ranges:
the range is extended from the smallest start port number to the largest end port number.
Example of the Interface-Range Prompt for Overlapping Port Ranges
Dell(conf)#inte ra tengig 2/1 - 11 , tengig 2/1 - 23
Dell(conf-if-range-te-2/1-23)#
Commas
The following is an example of how to use commas to add different interface types to the range, enabling
all Gigabit Ethernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and
1/2.
Example of Multiple-Range Bulk Configuration Gigabit Ethernet and Ten-Gigabit Ethernet
Dell(conf-if)# interface range tengigabitethernet 5/1 - 23, tengigabitethernet 1/1 - 2
Dell(conf-if-range-te-5/1-23)# no shutdown
Dell(conf-if-range-te-5/1-23)#
Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the
range.
Example of Multiple-Range Bulk Configuration with VLAN and Port-channel
Dell(conf-if-range-te-5/1-23-te-1/1-2)# interface range Vlan 2 - 100 , Port 1 - 25
Dell(conf-if-range-te-5/1-23-te-1/1-2-vl-2-100-po-1-25)# no shutdown
Dell(conf-if-range)#
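The prompt rules above (duplicates collapse, a contained range is dropped, overlapping ranges extend to the largest end port, entry order is kept, and a prompt longer than 32 characters ends in "(...)") can be modelled in a few lines. The following Python is an added example, not Dell Networking OS code; it assumes the prompt pieces are joined with commas as in the "vl-1,vl-3" example and only knows the interface types the manual's examples use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prompt abbreviations for the interface types used in the manual's examples.
# The CLI accepts abbreviated keywords ("tengig", "tengigab", "Port"), so a
# keyword is matched as an unambiguous prefix of one of these names.
TYPE_ABBREV = {
    "tengigabitethernet": "te",
    "fortygige": "fo",
    "vlan": "vl",
    "port-channel": "po",
}
PROMPT_MAX = 32  # maximum prompt size stated in the manual


@dataclass(frozen=True)
class IfRange:
    kind: str             # prompt abbreviation, e.g. "te"
    slot: Optional[str]   # "2" for slot/port interfaces, None for vlan and port-channel
    start: int
    end: int

    def overlaps(self, other: "IfRange") -> bool:
        return self.start <= other.end and other.start <= self.end

    def label(self) -> str:
        head = (f"{self.kind}-{self.slot}/{self.start}" if self.slot is not None
                else f"{self.kind}-{self.start}")
        return head if self.start == self.end else f"{head}-{self.end}"


# "<type> [slot/]port [- port]" with optional spaces around the hyphen
MEMBER_RE = re.compile(r"\s*([A-Za-z-]+)\s+(?:(\d+)/)?(\d+)\s*(?:-\s*(\d+))?\s*")


def parse_member(text: str) -> IfRange:
    """Parse one comma-separated member such as 'tengigab 2/1 - 10' or 'vlan 3'."""
    m = MEMBER_RE.fullmatch(text)
    if not m:
        raise ValueError(f"cannot parse range member: {text!r}")
    word, slot, start, end = m.groups()
    kinds = [abbr for full, abbr in TYPE_ABBREV.items() if full.startswith(word.lower())]
    if len(kinds) != 1:
        raise ValueError(f"unknown or ambiguous interface type: {word!r}")
    first, last = int(start), (int(end) if end else int(start))
    if last < first:
        raise ValueError(f"range end before start: {text!r}")
    return IfRange(kinds[0], slot, first, last)


def absorb(group: List[IfRange], new: IfRange) -> List[IfRange]:
    """Merge `new` into `group`: duplicates collapse, a contained range disappears,
    and overlapping ranges extend from the smallest start to the largest end.
    The merged range keeps the position of the first range it touched, so the
    prompt preserves entry order (the manual says ranges are not sorted)."""
    merged, kept, pos = new, [], None
    for r in group:
        if r.overlaps(merged):
            merged = IfRange(r.kind, r.slot, min(r.start, merged.start), max(r.end, merged.end))
            if pos is None:
                pos = len(kept)
        else:
            kept.append(r)
    kept.insert(len(kept) if pos is None else pos, merged)
    return kept


def range_prompt(spec: str) -> str:
    """Build the text that follows 'conf-if-range-' for a range specification,
    i.e. everything after 'interface range' on the command line."""
    groups: Dict[Tuple[str, Optional[str]], List[IfRange]] = {}
    for piece in spec.split(","):
        r = parse_member(piece)
        key = (r.kind, r.slot)          # ranges only merge within one type and slot
        groups[key] = absorb(groups.get(key, []), r)
    prompt = ",".join(r.label() for group in groups.values() for r in group)
    if len(prompt) > PROMPT_MAX:        # the manual: oversized prompts end in (...)
        prompt = prompt[:PROMPT_MAX] + "(...)"
    return prompt


if __name__ == "__main__":
    for spec in ("tengigabitethernet 2/0 - 23 , tengigab 2/1 - 10",
                 "tengig 2/1 - 11 , tengig 2/1 - 23",
                 "vlan 1 , vlan 1 , vlan 3 , vlan 3"):
        print(f"interface range {spec}  ->  Dell(conf-if-range-{range_prompt(spec)})#")
```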
Defining Interface Range Macros
You can define an interface-range macro to automatically select a range of interfaces for configuration.
Before you can use the macro keyword in the interface-range macro command string, define the
macro.
To define an interface-range macro, use the following command.
• Defines the interface-range macro and saves it in the running configuration file.
  CONFIGURATION mode
  define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{tengigabitethernet | fortyGigE} slot/interface - interface} [ , {vlan vlan_ID - vlan_ID} {{tengigabitethernet | fortyGigE} slot/interface - interface}]
Define the Interface Range
The following example shows how to define an interface-range macro named “test” to select Fast
Ethernet interfaces 5/1 through 5/4.
Example of the define interface-range Command for Macros
Dell(config)# define interface-range test tengigabitethernet 5/1 - 4
Choosing an Interface-Range Macro
To use an interface-range macro, use the following command.
• Selects the interface range to be configured using the values saved in a named interface-range
  macro.
  CONFIGURATION mode
  interface range macro name
Example of Using a Macro to Change the Interface Range Configuration Mode
The following example shows how to change to the interface-range configuration mode using the
interface-range macro named “test.”
Dell(config)# interface range macro test
Dell(config-if)#
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing
list of the interface status (up/down), number of packets, traffic statistics, and so on.
To view the interface’s statistics, use the following command.
• View the interface’s statistics.
  EXEC Privilege mode
  monitor interface interface
  Enter the type of interface and slot/port information:
  – For a 100/1000/10000 Ethernet interface, enter the keyword TenGigabitEthernet then the
    slot/port information.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
    information.
  – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Example of the monitor interface Command
The information displays in a continuous run, refreshing every 2 seconds by default. To manage the
output, use the following keys.
• m — Change mode
• l — Page up
• T — Increase refresh interval (by 1 second)
• t — Decrease refresh interval (by 1 second)
• c — Clear screen
• a — Page down
• q — Quit
Dell#monitor interface tengig 3/1
Dell Networking uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00 Refresh Intvl.: 2s
Interface: TenGig 3/1, Disabled, Link is Down, Linespeed is 1000 Mbit
Traffic statistics:          Current        Rate     Delta
Input bytes:                       0       0 Bps         0
Output bytes:                      0       0 Bps         0
Input packets:                     0       0 pps         0
Output packets:                    0       0 pps         0
64B packets:                       0       0 pps         0
Over 64B packets:                  0       0 pps         0
Over 127B packets:                 0       0 pps         0
Over 255B packets:                 0       0 pps         0
Over 511B packets:                 0       0 pps         0
Over 1023B packets:                0       0 pps         0
Error statistics:
Input underruns:                   0       0 pps         0
Input giants:                      0       0 pps         0
Input throttles:                   0       0 pps         0
Input CRC:                         0       0 pps         0
Input IP checksum:                 0       0 pps         0
Input overrun:                     0       0 pps         0
Output underruns:                  0       0 pps         0
Output throttles:                  0       0 pps         0
m - Change mode                    c - Clear screen
l - Page up                        a - Page down
T - Increase refresh interval      t - Decrease refresh interval
q - Quit
Dell
Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers.
TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within
any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of
the signal that returns. By examining the reflection, TDR is able to indicate whether there is a cable fault
(when the cable is broken, becomes unterminated, or if a transceiver is unplugged).
TDR is useful for troubleshooting an interface that is not establishing a link; that is, when the link is
flapping or not coming up. TDR is not intended to be used on an interface that is passing traffic. When a
TDR test is run on a physical cable, it is important to shut down the port on the far end of the cable.
Otherwise, it may lead to incorrect test results.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic.
To test the condition of cables on 100/1000/10000 BASE-T modules, use the following commands.
1. Test for cable faults on the TenGigabitEthernet cable.
   EXEC Privilege mode
   tdr-cable-test tengigabitethernet <slot>/<port>
   Between two ports, do not start the test on both ends of the cable.
   Enable the interface before starting the test.
   Enable the port to run the test or the test prints an error message.
2. Display the TDR test results.
   EXEC Privilege mode
   show tdr tengigabitethernet <slot>/<port>
Splitting QSFP Ports to SFP+ Ports
The MXL 10/40GbE switch supports splitting a 40GbE port on the base module or a 2-Port 40GbE QSFP+
module into four 10GbE SFP+ ports using a 4x10G breakout cable.
NOTE: By default, the 40GbE ports on a 2-Port 40GbE QSFP+ module come up in 4x10GbE (quad)
mode as eight 10GbE ports. On the base module, you must convert the 40GbE ports to 4x10GbE
mode as described in the following section.
NOTE: When you split a 40G port (such as fo 0/4) into four 10G ports, the 40G interface
configuration is available in the startup configuration when you save the running configuration by
using the write memory command. When a reload of the system occurs, the 40G interface
configuration is not applicable because the 40G ports are split into four 10G ports after the reload
operation. While the reload is in progress, you might see error messages when the configuration file
is being loaded. You can ignore these error messages. Similarly, such error messages are displayed
during a reload after you configure the four individual 10G ports to be stacked as a single 40G port.
• Split a single 40G port into 4-10G ports.
  CONFIGURATION mode
  stack-unit port number portmode quad
  – stack-unit: Enter the stack member unit identifier of the stack member to reset. The range is
    from 0 to 5.
  – port <port number>: Enter the port number of the 40G port to be split. The valid values on
    base module: 33 or 37; OPTM SLOT 0: 41 or 45; OPTM SLOT 1: 49 or 53.
  – portmode quad: Identifies the uplink port as a split 10GbE SFP+ port.
  To display the stack-unit number, enter the show system brief command.
• Save the configuration and reload the switch.
  CONFIGURATION mode
  write memory
  reload
Merging SFP+ Ports to QSFP 40G Ports
To remove FANOUT mode in 40G QSFP Ports, use the following commands.
1. Merge 4-10G ports to a single 40G port.
   CONFIGURATION mode
   no stack-unit port number portmode quad
   • stack-unit: Enter the stack member unit identifier of the stack member to reset. The range is
     from 0 to 5.
   • port <port number>: Enter the port number of the 40GbE QSFP+ port. Valid values on base
     module: 33 or 37; OPTM SLOT 0: 41 or 45; OPTM SLOT 1: 49 or 53.
   • portmode quad: Identifies the uplink port as a split 10GbE SFP+ port.
2. Save the configuration and reload the switch.
   CONFIGURATION mode
   write memory
   reload
Important Points to Remember
• You cannot use split ports as stack-link to stack an MXL Switch.
• Split ports cannot be a part of any stacked system.
• The quad port must be in a default configuration before it can be split into 4x10G ports.
• The 40G port is lost in the configuration when the port is split; be sure the port is also removed from
  other L2/L3 feature configurations.
• The system must be reloaded after issuing the CLI for the change to take effect.
Configure the MTU Size on an Interface
The link MTU is the frame size of a packet. The IP MTU size is used for IP fragmentation.
If the system determines that the IP packet must be fragmented as it leaves the interface, the system
divides the packet into fragments no bigger than the size set in the ip mtu command.
In the Dell Networking OS, MTU is defined as the entire Ethernet packet (Ethernet header + FCS +
payload).
Because different networking vendors define MTU differently, check their documentation when planning
MTU sizes across a network.
The following table lists the various Layer 2 overheads found in the Dell Networking OS and the number
of bytes.
Table 24. Layer 2 Overhead
Transmission Media    MTU Range (in bytes)
Ethernet              594-12000 = link MTU
                      576-11982 = IP MTU
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor
Pluggable Adapter (QSA).
QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit
Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can
effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or
SFP+ based module.
When connected to a QSFP or QSFP+ port on a 40 Gigabit adapter, QSA acts as an interface for the SFP
or SFP+ cables. This interface enables you to directly plug in an SFP or SFP+ cable originating at a 10
Gigabit Ethernet port on a switch or server.
You can use QSFP optical cables (without a QSA) to split a 40 Gigabit port on a switch or a server into
four 10 Gigabit ports. You must enable the fan-out mode in order for this mechanism to work.
Similarly, you can enable the fan-out mode to configure the QSFP port on a device to act as an SFP or
SFP+ port. As the QSA enables a QSFP or QSFP+ port to be used as an SFP or SFP+ port, Dell Networking
OS does not immediately detect the QSA after you insert it into a QSFP port cage.
After you insert an SFP or SFP+ cable into a QSA connected to a 40 Gigabit port, Dell Networking OS
assumes that all the four fanned-out 10 Gigabit ports have plugged-in SFP or SFP+ optical cables.
However, the link UP event happens only for the first 10 Gigabit port and you can use only that port for
data transfer. As a result, only the first fanned-out port is identified as the active 10 Gigabit port with a
speed of 10G or 1G depending on whether you insert an SFP+ or SFP cable respectively.
NOTE: Although it is possible to configure the remaining three 10 Gigabit ports, the Link UP event
does not occur for these ports leaving the lanes unusable. Dell Networking OS perceives these ports
to be in a Link Down state. You must not try to use these remaining three 10 Gigabit ports for actual
data transfer or for any other related configurations.
NOTE: Trident2 chip sets do not work at 1G speeds with auto-negotiation enabled. As a result,
when you peer any device using SFP, the link does not come up if auto-negotiation is enabled.
Therefore, you must disable auto-negotiation on platforms that currently use Trident2 chip sets
(S6000 and Z9000). This limitation applies only when you convert QSFP to SFP using the QSA. This
constraint does not apply for QSFP to SFP+ conversions using the QSA.
Important Points to Remember
• Before using the QSA to convert a 40 Gigabit Ethernet port to a 10 Gigabit SFP or SFP+ port, you must
  enable 40 G to 4*10 fan-out mode on the device.
• When you insert a QSA into a 40 Gigabit port, you can use only the first 10 Gigabit port in the fan-out
  mode to plug in SFP or SFP+ cables. The remaining three 10 Gigabit ports are perceived to be in Link
  Down state and are unusable.
• You cannot use QSFP optical cables in a QSA setup.
• When you remove the QSA module alone from a 40 Gigabit port, without connecting any SFP or SFP+
  cables, Dell Networking OS does not generate any event. However, when you remove a QSA
  module that has SFP or SFP+ optical cables plugged in, Dell Networking OS generates an SFP or SFP+
  Removed event.
• In the S6000 platform, you can use the QSA on any of the ports. However, the existing maximum
  fan-out restrictions apply to the ports.
• The QSA module does not have a designated EEPROM. To recognize a QSA, Dell Networking OS
  reads the EEPROM corresponding to an SFP+ or SFP module that is plugged into the QSA. The access
  location of this EEPROM is different from the EEPROM location of the QSFP+ module.
• The diagnostics application is capable of detecting insertion or removal of both the QSA and the
  SFP+ or SFP optical cables plugged into the QSA. In addition, the diagnostic application is also
  capable of reading the DDS and Vendor information from the EEPROM corresponding to SFP+ or SFP
  optical cables. As a result, no separate detection of the QSA is required.
Support for LM4 Optics
The newly supported LM4 optics are similar in behavior to the LR4 optics that are already supported.
However, in the output of show inventory media command, an LM4 optical module is denoted as
40G-LM4. Barring this exception, the functionality and behavior of LM4 optics is similar to LR4 optics.
Example Scenarios
Consider the following scenarios:
• QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.
• QSFP port 4 is connected to a QSA with SFP optical cables plugged in.
• QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables.
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
For these configurations, the following examples show the output that the show interfaces
tengigabitethernet transceiver, show interfaces tengigabitethernet, and show inventory media
commands display:
Dell#show interfaces tengigabitethernet 0/0 transceiver
SFP+ 0 Serial ID Base Fields
SFP+ 0 Id                           = 0x0d
SFP+ 0 Ext Id                       = 0x00
SFP+ 0 Connector                    = 0x23
SFP+ 0 Transceiver Code             = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP+ 0 Encoding                     = 0x00
………………
………………
SFP+ 0 Diagnostic Information
===================================
SFP+ 0 Rx Power measurement type    = OMA
===================================
SFP+ 0 Temp High Alarm threshold    = 0.000C
SFP+ 0 Voltage High Alarm threshold = 0.000V
SFP+ 0 Bias High Alarm threshold    = 0.000mA
NOTE: In the following show interfaces tengigabitethernet transceiver commands, ports 1, 2, and 3
are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell
Networking OS still perceives these ports as valid and the output shows that pluggable media
(optical cables) is inserted into these ports. This is a software limitation for this release.
Dell#show interfaces tengigabitethernet 0/1 transceiver
SFP+ 0 Serial ID Base Fields
SFP+ 0 Id                           = 0x0d
SFP+ 0 Ext Id                       = 0x00
SFP+ 0 Connector                    = 0x23
……………………….
Dell#show interfaces tengigabitethernet 0/2 transceiver
SFP+ 0 Serial ID Base Fields
SFP+ 0 Id                           = 0x0d
SFP+ 0 Ext Id                       = 0x00
SFP+ 0 Connector                    = 0x23
……………………….
Dell#show interfaces tengigabitethernet 0/3 transceiver
SFP+ 0 Serial ID Base Fields
SFP+ 0 Id                           = 0x0d
SFP+ 0 Ext Id                       = 0x00
SFP+ 0 Connector                    = 0x23
……………………….
Dell#show interfaces tengigabitethernet 0/4 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                            = 0x0d
SFP 0 Ext Id                        = 0x00
SFP 0 Connector                     = 0x23
SFP 0 Transceiver Code              = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                      = 0x00
………………
………………
SFP 0 Diagnostic Information
===================================
SFP 0 Rx Power measurement type     = OMA
===================================
SFP 0 Temp High Alarm threshold     = 0.000C
SFP 0 Voltage High Alarm threshold  = 0.000V
SFP 0 Bias High Alarm threshold     = 0.000mA
NOTE: In the following show interfaces tengigabitethernet transceiver commands, ports 5, 6, and 7
are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell
Networking OS still perceives these ports as valid and the output shows that pluggable media
(optical cables) is inserted into these ports. This is a software limitation for this release.
Dell#show interfaces tengigabitethernet 0/5 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                            = 0x0d
SFP 0 Ext Id                        = 0x00
SFP 0 Connector                     = 0x23
SFP 0 Transceiver Code              = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                      = 0x00
………………
Dell#show interfaces tengigabitethernet 0/6 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                            = 0x0d
SFP 0 Ext Id                        = 0x00
SFP 0 Connector                     = 0x23
SFP 0 Transceiver Code              = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                      = 0x00
………………
Dell#show interfaces tengigabitethernet 0/7 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                            = 0x0d
SFP 0 Ext Id                        = 0x00
SFP 0 Connector                     = 0x23
SFP 0 Transceiver Code              = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                      = 0x00
………………
Dell#show interfaces tengigabitethernet 0/8 transceiver
QSFP 0 Serial ID Base Fields
QSFP 0 Id                           = 0x0d
QSFP 0 Ext Id                       = 0x00
QSFP 0 Connector                    = 0x23
QSFP 0 Transceiver Code             = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding                     = 0x00
………………
………………
QSFP 0 Diagnostic Information
===================================
QSFP 0 Rx Power measurement type    = OMA
===================================
QSFP 0 Temp High Alarm threshold    = 0.000C
QSFP 0 Voltage High Alarm threshold = 0.000V
QSFP 0 Bias High Alarm threshold    = 0.000mA
Dell#show interfaces fortyGigE 0/12 transceiver
QSFP 0 Serial ID Base Fields
QSFP 0 Id                           = 0x0d
QSFP 0 Ext Id                       = 0x00
QSFP 0 Connector                    = 0x23
QSFP 0 Transceiver Code             = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding                     = 0x00
………………
………………
QSFP 0 Diagnostic Information
===================================
QSFP 0 Rx Power measurement type    = OMA
===================================
QSFP 0 Temp High Alarm threshold    = 0.000C
QSFP 0 Voltage High Alarm threshold = 0.000V
QSFP 0 Bias High Alarm threshold    = 0.000mA
Dell#show interfaces tengigabitethernet 0/0
tengigabitethernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
Interface index is 35012865
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :90b11cf49afa
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet 0/1
tengigabitethernet 0/1 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
……….
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet 0/2
tengigabitethernet 0/1 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
……….
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet 0/3
tengigabitethernet 0/1 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
……….
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet 0/4
gigabitethernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/5
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/6
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/7
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/8
TenGigabitEthernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, QSFP type is 4x10GBASE-CR1-3M
……..
LineSpeed 10000 Mbit
The show inventory command shows the following output:
NOTE: In the following show inventory media command output, ports 1, 2, 3, 5, 6, and 7 are
actually inactive. However, Dell Networking OS still shows that optical cables are inserted into
these ports. This is a software limitation for this release.
Dell# show inventory media
Slot  Port  Type   Media              Serial Number
-------------------------------------------------------------------
0     0     SFP+   10GBASE-SX         APF12420031B3P
0     1     SFP+   10GBASE-SX         APF12420031B3P
0     2     SFP+   10GBASE-SX         APF12420031B3P
0     3     SFP+   10GBASE-SX         APF12420031B3P
0     4     SFP    10GBASE-SX         APF12420031B3P
0     5     SFP    10GBASE-SX         APF12420031B3P
0     6     SFP    10GBASE-SX         APF12420031B3P
0     7     SFP    10GBASE-SX         APF12420031B3P
0     8     QSFP   4x10GBASE-CR1-3M   APF12420031B3P
0     9     QSFP   4x10GBASE-CR1-3M   APF12420031B3P
0     10    QSFP   4x10GBASE-CR1-3M   APF12420031B3P
0     11    QSFP   4x10GBASE-CR1-3M   APF12420031B3P
0     12    QSFP   40GBASE-SR4
Layer 2 Flow Control Using Ethernet Pause Frames
Ethernet pause frames allow for a temporary stop in data transmission.
A situation may arise where a sending device may transmit data faster than a destination device can
accept it. The destination sends a pause frame back to the source, stopping the sender’s transmission for
a period of time.
The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause
frames. To allow full duplex flow control, stations implementing the pause operation instruct the MAC to
enable reception of frames with a destination address equal to this multicast address.
The pause frame is defined by IEEE 802.3x and uses MAC Control frames to carry the pause commands.
Ethernet pause frames are supported on full duplex only. The only configuration applicable to half duplex
ports is rx off tx off.
NOTE: If a port is over-subscribed, Ethernet Pause Frame flow control does not ensure no loss
behavior.
The following error message appears when trying to enable flow control when you already configured
half duplex: Can’t configure flowcontrol when half duplex is configure, config
ignored.
The following error message appears when trying to enable half duplex and flow control configuration is
on: Can’t configure half duplex when flowcontrol is on, config ignored.
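When pause frames are suspected of throttling a port (the over-subscription case above), the quickest confirmation is to look for MAC Control frames addressed to 01-80-C2-00-00-01 in a capture from the link. The following Python is an added example, not Dell Networking OS code; it assumes the IEEE 802.3x MAC Control EtherType 0x8808, PAUSE opcode 0x0001 and a pause_time unit of 512 bit times, and constructs its own sample frames.

```python
import struct
from typing import Dict, Iterable, Optional

PAUSE_DST = bytes.fromhex("0180c2000001")  # multicast address named in the manual
MAC_CONTROL_ETHERTYPE = 0x8808            # IEEE 802.3x MAC Control frames (assumed from the standard)
PAUSE_OPCODE = 0x0001                     # MAC Control opcode for PAUSE (assumed from the standard)
PAUSE_QUANTUM_BITS = 512                  # one pause_time unit is 512 bit times (assumed from the standard)


def build_pause_frame(src_mac: bytes, quanta: int) -> bytes:
    """Construct a minimal PAUSE frame as sample input for the decoder below.
    The payload after opcode/pause_time is zero padding up to the 60-byte
    minimum (the 4-byte FCS is not included)."""
    body = struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return (PAUSE_DST + src_mac + body).ljust(60, b"\x00")


def decode_pause_frame(frame: bytes, link_speed_bps: int = 10_000_000_000) -> Optional[dict]:
    """Return sender, pause quanta and requested pause time in seconds if
    `frame` is an 802.3x PAUSE frame, otherwise None."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if dst != PAUSE_DST or ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return {
        "src": src.hex(":"),
        "quanta": quanta,
        "pause_seconds": quanta * PAUSE_QUANTUM_BITS / link_speed_bps,
    }


def pause_senders(frames: Iterable[bytes], link_speed_bps: int = 10_000_000_000) -> Dict[str, dict]:
    """Summarise which neighbours are pausing this port: PAUSE frame count and
    total requested pause time per source MAC. A neighbour that keeps sending
    non-zero quanta is the one that cannot keep up; quanta == 0 ends a pause early."""
    summary: Dict[str, dict] = {}
    for f in frames:
        p = decode_pause_frame(f, link_speed_bps)
        if p is None:
            continue                     # ordinary data frame, not flow control
        entry = summary.setdefault(p["src"], {"count": 0, "total_pause_seconds": 0.0})
        entry["count"] += 1
        entry["total_pause_seconds"] += p["pause_seconds"]
    return summary


if __name__ == "__main__":
    # Constructed sample: a locally administered MAC pausing us twice for the
    # maximum time, then releasing the pause with quanta 0.
    neighbour = bytes.fromhex("020000000001")
    capture = [build_pause_frame(neighbour, 0xFFFF),
               build_pause_frame(neighbour, 0xFFFF),
               build_pause_frame(neighbour, 0)]
    for mac, stats in pause_senders(capture).items():
        print(f"{mac}: {stats['count']} PAUSE frames, "
              f"{stats['total_pause_seconds'] * 1e6:.1f} us requested in total")
```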
Enabling Pause Frames
Enable Ethernet pause frames flow control on all ports on a chassis. If not, the system may exhibit
unpredictable behavior.
NOTE: If you disable rx flow control, Dell Networking recommends rebooting the system.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported
across different port-pipes. (also refer to iSCSI Optimization: Operation).
NOTE: After you disable DCB, if link-level flow control is not automatically enabled on an interface,
to enable flow control, manually shut down the interface (shutdown command) and re-enable it
(no shutdown command).
To enable pause frames, use the following command.
• Control how the system responds to and generates 802.3x pause frames on 10 and 40 Gig ports.
  INTERFACE mode
  flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}]
– rx on: enter the keywords rx on to process the received flow control frames on this port.
– rx off: enter the keywords rx off to ignore the received flow control frames on this port.
– tx on: enter the keywords tx on to send control frames from this port to the connected device
when a higher rate of traffic is received.
– tx off: enter the keywords tx off so that flow control frames are not sent from this port to the
connected device when a higher rate of traffic is received.
– threshold: when you configure tx on, you can set the threshold values for:
The default is rx off.
Configure MTU Size on an Interface
If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be
enough to include the Layer 2 header.
For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422:
1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU
The MTU range is from 592 to 12000, with a default of 1500. IP MTU automatically configures.
The following table lists the various Layer 2 overheads found in the Dell Networking OS and the number
of bytes.
Table 25. Layer 2 Overhead
Layer 2 Overhead                            Difference Between Link MTU and IP MTU
Ethernet (untagged)                         18 bytes
VLAN Tag                                    22 bytes
Untagged Packet with VLAN-Stack Header      22 bytes
Tagged Packet with VLAN-Stack Header        26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values
  configured on the channel members.
For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU
values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU.
VLANs:
• All members of a VLAN must have the same IP MTU value.
• Members can have different Link MTU values. Tagged members must have a link MTU 4 bytes higher
  than untagged members to account for the packet tag.
• The VLAN link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values
  configured on the VLAN members.
For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and
untagged members with Link MTU of 1518 and IP MTU of 1500. The VLAN’s Link MTU cannot be higher
than 1518 bytes and its IP MTU cannot be higher than 1500 bytes.
Port-Pipes
A high-speed data bus connection used to switch traffic between front-end ports is known as the port
pipe. A port pipe is a Dell Networking-specific term for the hardware path that packets follow through a
system.
The MXL switch supports single port pipe only.
Auto-Negotiation on Ethernet Interfaces
By default, auto-negotiation of speed and duplex mode is enabled on 100/1000/10000 Base-T Ethernet
interfaces. Only 10GE interfaces do not support auto-negotiation.
When using 10GE interfaces, verify that the settings on the connecting devices are set to no auto-negotiation.
The local interface and the directly connected remote interface must have the same setting, and auto-negotiation is the easiest way to accomplish that, as long as the remote interface is capable of auto-negotiation.
NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only
disable auto-negotiation on switch ports that attach to devices not capable of supporting
negotiation or where connectivity issues arise from interoperability issues.
For 100/1000/10000 Ethernet interfaces, the negotiation auto command is tied to the speed
command. Auto-negotiation is always enabled when the speed command is set to 1000 in IOS.
Setting the Speed and Duplex Mode of Ethernet Interfaces
To discover whether the remote and local interface requires manual speed synchronization, and to
manually synchronize them if necessary, use the following command sequence.
1. Determine the local interface status. Refer to the following example.
   EXEC Privilege mode
   show interfaces [interface] status
2. Determine the remote interface status.
   EXEC mode or EXEC Privilege mode
   [Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
   EXEC Privilege mode
   config
4. Access the port.
   CONFIGURATION mode
   interface interface slot/port
5. Set the local port speed.
   INTERFACE mode
   speed {100 | 1000 | 10000 | auto}
6. Optionally, set full- or half-duplex.
   INTERFACE mode
   duplex {half | full}
7. Disable auto-negotiation on the port.
   INTERFACE mode
   no negotiation auto
   If the speed was set to 1000, do not disable auto-negotiation.
8. Verify configuration changes.
   INTERFACE mode
   show config
Example of the show interfaces status Command to View Link Status
Example of Setting Port Speed and Disabling Auto-Negotiation
NOTE: The show interfaces status command displays link status, but not administrative
status. For both link and administrative status, use the show ip interface [interface |
brief] [configuration] command.
Dell#show interfaces status
Port      Description   Status   Speed   Duplex   Vlan
Te 0/1                  Down     Auto    Auto     --
Te 0/2                  Down     Auto    Auto     --
Te 0/3                  Down     Auto    Auto     --
Te 0/4                  Down     Auto    Auto     --
Te 0/5                  Down     Auto    Auto     --
Te 0/6                  Down     Auto    Auto     --
Te 0/7                  Down     Auto    Auto     --
Te 0/8                  Down     Auto    Auto     --
Te 0/9                  Down     Auto    Auto     --
Te 0/10                 Down     Auto    Auto     --
Te 0/11                 Down     Auto    Auto     --
Te 0/12                 Down     Auto    Auto     --
Te 0/13                 Down     Auto    Auto     --
[output omitted]
In the previous example, several ports display “Auto” in the Speed field, including port 0/1. In the following
example, the speed of port 0/1 is set to 100Mb and then its auto-negotiation is disabled.
Dell#configure
Dell(config)#interface tengig 0/1
Dell(conf-if-te-0/1)#speed 100
Dell(conf-if-te-0/1)#duplex full
Dell(conf-if-te-0/1)#no negotiation auto
Dell(conf-if-te-0/1)#show config
!
interface TenGigabitEthernet 0/1
no ip address
speed 100
duplex full
no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port to forced
master/ forced slave after you enable auto-negotiation.
CAUTION: Ensure that only one end of the node is configured as forced-master and the other is
configured as forced-slave. If both are configured the same (that is, both as forced-master or
both as forced-slave), the show interface command flaps between an auto-neg-error and
forced-master/slave states.
Example of the negotiation auto Command
Dell(conf)# int tengig 0/0
Dell(conf-if)#neg auto
Dell(conf-if-autoneg)# ?
end       Exit from configuration mode
exit      Exit from autoneg configuration mode
mode      Specify autoneg mode
no        Negate a command or set its defaults
show      Show autoneg configuration information
Dell(conf-if-autoneg)#mode ?
forced-master    Force port to master mode
forced-slave     Force port to slave mode
Dell(conf-if-autoneg)#
Adjusting the Keepalive Timer
To change the time interval between keepalive messages on the interfaces, use the keepalive
command. The interface sends keepalive messages to itself to test network connectivity on the interface.
To change the default time interval between keepalive messages, use the following command.
• Change the default interval between keepalive messages.
  INTERFACE mode
  keepalive [seconds]
• View the new setting.
  INTERFACE mode
  show config
View Advanced Interface Information
The following options have been implemented for the show [ip | running-config] interfaces
commands.
When you use the configured keyword, only interfaces that have non-default configurations display.
Example of show Commands that Use the configured Keyword
The following example lists the possible show commands that have the configured keyword available:
Dell#show interfaces configured
Dell#show interfaces tengigabitEthernet 0 configured
Dell#show ip interface configured
Dell#show ip interface tengigabitEthernet 1 configured
Dell#show interfaces fortygigabitEthernet 0 configured
Dell#show ip interface fortygigabitEthernet 1 configured
Dell#show ip interface brief configured
Dell#show running-config interfaces configured
Dell#show running-config interface tengigabitEthernet 1 configured
Example of the show interfaces switchport Command
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode
and their relevant configuration information. The show interfaces switchport command displays
the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface
belongs.
Dell#show interfaces switchport
Name: TenGigabitEthernet 13/0
802.1QTagged: True
Vlan membership:
Vlan 2
Name: TenGigabitEthernet 13/1
802.1QTagged: True
Vlan membership:
Vlan 2
Name: TenGigabitEthernet 13/2
802.1QTagged: True
Vlan membership:
Vlan 2
Name: TenGigabitEthernet 13/3
802.1QTagged: True
Vlan membership:
Vlan 2
--More--
Configuring the Interface Sampling Size
You can enter any value between five and 299 seconds; the default is 299 seconds. The software polls at
a coarser granularity than the value you enter: for values from 1 to 5 seconds, polling is done at 5 second
intervals; for values from 6 to 10 seconds, polling is done at 10 second intervals; for any other value,
polling is done once every 15 seconds. So, for example, if you enter "19", you actually get a sample of the
past 15 seconds.
All LAG members inherit the rate interval configuration from the LAG.
The following example shows how to configure the rate interval when changing the default value.
To configure the number of seconds of traffic statistics to display in the show interfaces output, use the
following command.
• Configure the number of seconds of traffic statistics to display in the show interfaces output.
  INTERFACE mode
  rate-interval
Example of the rate-interval Command
The "Rate info" line of the first show interfaces output shows the default value of 299 seconds; the
rate-interval 100 command then changes it, and the second output shows the new interval of 100.
Dell#show interfaces
TenGigabitEthernet 10/0 is down, line protocol is down
Hardware is Dell Force10Eth, address is 00:01:e8:01:9e:d9
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h44m
Queueing strategy: fifo
0 packets input, 0 bytes
Input 0 IP Packets, 0 Vlans 0 MPLS
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 1d23h40m
Dell(conf)#interface tengigabitethernet 10/0
Dell(conf-if-te-10/0)#rate-interval 100
Dell#show interfaces
TenGigabitEthernet 10/0 is down, line protocol is down
Hardware is Dell Force10Eth, address is 00:01:e8:01:9e:d9
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
0 packets input, 0 bytes
Input 0 IP Packets, 0 Vlans 0 MPLS
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded
Rate info (interval 100 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 1d23h42m
Dynamic Counters
By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB.
For the remaining applications, the system automatically turns counting on when you enable the
application and off when you disable the application.
NOTE: If you enable more than four counter-dependent applications on a port pipe, there is an
impact on line rate performance.
The following counter-dependent applications are supported by the Dell Networking OS:
• Egress VLAN
• Ingress VLAN
• Next Hop 2
• Next Hop 1
• Egress ACLs
• ILM
• IP FLOW
• IP ACL
• IP FIB
• L2 ACL
• L2 FIB
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This
command does not clear the counters that any SNMP program captures.
To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical
  interfaces or selected ones. Without an interface specified, the command clears all interface counters.
  EXEC Privilege mode
  clear counters [interface] [vrrp [vrid] | learning-limit]
  (OPTIONAL) Enter the following interface keywords and slot/port or number information:
  – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
  – For a Port Channel interface, enter the keywords port-channel then a number from 1 to 128.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
    information.
  – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
  – For a VLAN, enter the keyword vlan then a number from 1 to 4094.
  – (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a
    number from 1 to 255 as the vrid.
  – (OPTIONAL) To clear unknown source address (SA) drop counters when you configure the MAC
    learning limit on the interface, enter the keywords learning-limit.
Example of the clear counters Command
When you enter this command, confirm that you want the Dell Networking OS to clear the interface
counters for that interface.
Dell#clear counters tengig 0/0
Clear counters on TenGigabitEthernet 0/0 [confirm]
Dell#
Enhanced Validation of Interface Ranges
When you configure a list of interface ranges with the interface range command, the comma-separated
entries do not need spaces between them. For example, interface range fo 2/0-1,te 10/0,gi
3/0,fa 0/0 is accepted as valid. You can associate multicast MAC or hardware addresses with an
interface range and VLANs by using the mac-address-table static multicast-mac-address vlan
vlan-id output-range interface command.
22 Internet Protocol Security (IPSec)
IPSec is an end-to-end security scheme for protecting IP communications by authenticating and
encrypting all packets in a communication session.
Use IPSec between hosts, between gateways, or between hosts and gateways.
IPSec is compatible with Telnet and file transfer protocols (FTPs) and can operate in Transport mode. In
Transport mode, IPSec protects only the packet payload; the IP header is unchanged. This is the default
mode.
NOTE: Due to performance limitations on the control processor, you cannot enable IPSec on all
packets in a communication session.
IPSec uses the following protocols:
• Authentication Header (AH) — connectionless integrity and origin authentication for IP packets
• Encapsulating Security Payload (ESP) — confidentiality, authentication, and data integrity for IP
  packets
• Security Associations (SA) — the algorithmic parameters that AH and ESP need
IPSec supports the following authentication and encryption algorithms:
• Authentication only:
  – MD5
  – SHA1
• Encryption only:
  – 3DES
  – CBC
  – DES
• ESP authentication and encryption:
  – MD5 and 3DES
  – MD5 and CBC
  – MD5 and DES
  – SHA1 and 3DES
  – SHA1 and CBC
  – SHA1 and DES
NOTE: DES uses a 56-bit key and is no longer considered secure, and MD5 is weaker than SHA1. Of the
combinations this feature offers, SHA1 with 3DES is the strongest choice. Because the keys are entered
manually (ipsec-manual), rotate them on a schedule and restrict the policy to the management hosts
and ports that actually need it with the match statements, as in the sample configuration that follows.
Configuring IPSec
The following sample configuration shows how to configure FTP and telnet for IPSec. The match
statements shown cover FTP (TCP port 21) in both directions for an IPv6 and an IPv4 host pair; add
equivalent match statements for TCP port 23 to cover Telnet.
1. Define the transform set.
   CONFIGURATION mode
   crypto ipsec transform-set myXform-set esp-authentication md5 esp-encryption des
2. Define the crypto policy.
   CONFIGURATION mode
   crypto ipsec policy myCryptoPolicy 10 ipsec-manual
     transform-set myXform-set
     session-key inbound esp 256 auth <key> encrypt <key>
     session-key outbound esp 257 auth <key> encrypt <key>
     match 0 tcp a::1 /128 0 a::2 /128 21
     match 1 tcp a::1 /128 21 a::2 /128 0
     match 2 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
     match 3 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
   CONFIGURATION mode
   management crypto-policy myCryptoPolicy
23 IPv4 Routing
The Dell Networking OS supports various IP addressing features.
This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and
routing principles and their implementation in the Dell Networking operating system (OS).
IP Feature           Default
DNS                  Disabled
Directed Broadcast   Disabled
Proxy ARP            Enabled
ICMP Unreachable     Disabled
ICMP Redirect        Disabled
IP Addresses
The Dell Networking OS supports IP version 4, as described in RFC 791. It also supports classful routing
and variable length subnet masks (VLSM).
With VLSM, you can configure one network with different masks. Supernetting, which increases the
number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the
network and host portions of the IP address.
At its most basic level, an IP address is 32-bits composed of network and host portions and represented
in dotted decimal format. For example, 00001010110101100101011110000011 is represented as
10.214.87.131.
For more information about IP addressing, refer to RFC 791, Internet Protocol.
Implementation Information
In the Dell Networking OS, you can configure any IP address as a static route except IP addresses already
assigned to interfaces.
NOTE: The Dell Networking OS versions 7.7.1.0 and later support 31-bit subnet masks (/31, or
255.255.255.254) as defined by RFC 3021. This feature allows you to save two more IP addresses on
point-to-point links than 30-bit masks. The system supports RFC 3021 with ARP.
Configuration Tasks for IP Addresses
The following describes the tasks associated with IP address configuration.
Configuration tasks for IP addresses include:
• Assigning IP Addresses to an Interface (mandatory)
• Configuring Static Routes (optional)
• Configure Static Routes for the Management Interface (optional)
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS
Command Line Interface Reference Guide.
Assigning IP Addresses to an Interface
Assign primary and secondary IP addresses to physical or logical (for example, virtual local area network
[VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected
to that interface.
In the system, you can assign one primary address and up to 255 secondary IP addresses to each
interface.
1. Enter the keyword interface then the type of interface and slot/port information.
   CONFIGURATION mode
   interface interface
   • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
   • For the Management interface on the RPM, enter the keyword ManagementEthernet then the
     slot/port information. The slot range is from 0 to 1. The port range is 0/0.
   • For a port channel interface, enter the keywords port-channel then a number from 1 to 128.
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
     information.
   • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port
     information.
2. Enable the interface.
   INTERFACE mode
   no shutdown
3. Configure a primary IP address and mask on the interface.
   INTERFACE mode
   ip address ip-address mask [secondary]
   • ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must
     be in slash prefix-length format (/24).
   • secondary: add the keyword secondary if the IP address is the interface's backup IP address.
Example of the show config Command
To view the configuration, use the show config command in INTERFACE mode or use the show ip
interface command in EXEC privilege mode, as shown in the second example.
Dell(conf-if-te-0/16)#show conf
!
interface TenGigabitEthernet 0/16
no ip address
shutdown
Dell(conf-if-te-0/16)#
Example of the show ip interface Command
Dell#show ip interface tengig 0/16
TenGigabitEthernet 0/16 is down, line protocol is down
Internet address is not set
IP MTU is 1500 bytes
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent
Dell#
Configuring Static Routes
A static route is a route that you configure manually and that a routing protocol, such as open shortest
path first (OSPF), does not learn. Often, static routes are used as backup routes in case dynamically
learned routes become unreachable.
You can enter as many static routes as necessary.
To configure a static route, use the following command.
• Configure a static route.
  CONFIGURATION mode
  ip route ip-address mask {ip-address | interface [ip-address]} [distance]
  [permanent] [tag tag-value]
  Use the following required and optional parameters:
  – ip-address: enter an address in dotted decimal format (A.B.C.D).
  – mask: enter a mask in slash prefix-length format (/X).
  – interface: enter an interface type then the slot/port information.
  – distance: the range is from 1 to 255. (optional)
  – permanent: keep the static route in the routing table (if you use the interface option) even if
    you disable the interface with the route. (optional)
  – tag tag-value: the range is from 1 to 4294967295. (optional)
Example of the show ip route static Command
To view the configured routes, use the show ip route static command.
Dell#show ip route static
  Destination       Gateway                 Dist/Metric  Last Change
  -----------       -------                 -----------  -----------
S 2.1.2.0/24        Direct, Nu 0            0/0          00:02:30
S 6.1.2.0/24        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.2/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.3/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.4/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.5/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.6/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.7/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.8/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.9/32        via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.10/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.11/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.12/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.13/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.14/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.15/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.16/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 6.1.2.17/32       via 6.1.20.2, Te 5/0    1/0          00:02:30
S 11.1.1.0/24       Direct, Nu 0            0/0          00:02:30
                    Direct, Lo 0
--More--
The system installs a static route whose next hop is on the directly connected subnet of the IP address
configured on the interface (for example, if interface tengig 0/0 is on the 172.31.5.0 subnet and the
next hop is 172.31.5.43, the system installs the static route).
The system also installs a next hop that is not on the directly connected subnet but which recursively
resolves to a next hop on the interface's configured subnet. For example, if tengig 0/0 has an IP address
on subnet 2.2.2.0 and 172.31.5.43 recursively resolves to 2.2.2.0, the system installs the static route.
• When the interface goes down, the system withdraws the route.
• When the interface comes up, the system re-installs the route.
• When the recursive resolution is "broken," the system withdraws the route.
• When the recursive resolution is satisfied, the system re-installs the route.
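The installation rules above can be checked offline. The following Python model is an added example, not code from this guide or from the Dell Networking OS. The interface names, subnets and routes in it are constructed, and its resolution logic (connected subnet first, then longest-prefix recursion bounded to a fixed depth) is an assumption about how a router resolves a next hop, shown only to make the withdraw and re-install behaviour concrete.

```python
import ipaddress

# Constructed topology (example data, not from the guide): connected
# interfaces with their configured subnet and link state. Null 0 has no
# subnet and is always up, like the "Direct, Nu 0" entries shown above.
INTERFACES = {
    "Te 0/0": {"network": ipaddress.ip_network("172.31.5.0/24"), "up": True},
    "Te 0/1": {"network": ipaddress.ip_network("2.2.2.0/24"), "up": True},
    "Nu 0": {"network": None, "up": True},
}

# Constructed static routes as (prefix, next hop). The next hop is an IP
# address or, for the "ip route ... interface" form, an interface name.
STATIC_ROUTES = [
    ("10.0.0.0/8", "172.31.5.43"),      # next hop on the connected subnet of Te 0/0
    ("192.168.1.0/24", "10.9.9.9"),     # resolves recursively through 10.0.0.0/8
    ("192.168.2.0/24", "9.9.9.9"),      # nothing covers 9.9.9.9: never installed
    ("2.1.2.0/24", "Nu 0"),             # discard route pointing at Null 0
]

MAX_DEPTH = 8  # assumption: bound the recursion so a self-referencing route cannot loop


def resolve_next_hop(next_hop, static_routes, interfaces, depth=0):
    """Return the egress interface for next_hop, or None when it does not resolve."""
    if depth > MAX_DEPTH:
        return None
    if next_hop in interfaces:  # route configured with an interface instead of an address
        return next_hop if interfaces[next_hop]["up"] else None
    addr = ipaddress.ip_address(next_hop)
    for name, ifc in interfaces.items():  # directly connected subnet with the link up
        if ifc["up"] and ifc["network"] is not None and addr in ifc["network"]:
            return name
    best = None  # otherwise: longest-prefix match among address-based static routes
    for prefix, gw in static_routes:
        net = ipaddress.ip_network(prefix)
        if gw in interfaces or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    if best is None or best[1] == next_hop:
        return None
    return resolve_next_hop(best[1], static_routes, interfaces, depth + 1)


def installed_routes(static_routes, interfaces):
    """Return {prefix: (next_hop, egress_interface)} for each route that resolves."""
    table = {}
    for prefix, gw in static_routes:
        egress = resolve_next_hop(gw, static_routes, interfaces)
        if egress is not None:
            table[prefix] = (gw, egress)
    return table


def with_link_state(interfaces, name, up):
    """Copy the interface table with one link flapped, to show withdraw and re-install."""
    copy = {k: dict(v) for k, v in interfaces.items()}
    copy[name]["up"] = up
    return copy


if __name__ == "__main__":
    print(installed_routes(STATIC_ROUTES, INTERFACES))
    print(installed_routes(STATIC_ROUTES, with_link_state(INTERFACES, "Te 0/0", False)))
```

Running it with Te 0/0 up installs three routes, including 192.168.1.0/24, whose next hop is only reachable through 10.0.0.0/8; taking Te 0/0 down withdraws both of those routes at once, because the recursive resolution is broken as well as the directly connected one. The route to 192.168.2.0/24 is never installed because nothing covers its next hop.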
Configure Static Routes for the Management Interface
When an IP address that a protocol uses and a static management route exist for the same prefix, the
protocol route takes precedence over the static management route.
To configure a static route for the management port, use the following command.
• Assign a static route to point to the management interface or forwarding router.
  CONFIGURATION mode
  management route ip-address mask {forwarding-router-address |
  ManagementEthernet slot/port}
Example of the show ip management-route Command
To view the configured static routes for the management port, use the show ip management-route
command in EXEC privilege mode.
Dell#show ip management-route all
Destination     Gateway                 State
-----------     -------                 -----
1.1.1.0/24      172.31.1.250            Active
172.16.1.0/24   172.31.1.250            Active
172.31.1.0/24   ManagementEthernet 1/0  Connected
Dell#
IPv4 Path MTU Discovery Overview
The size of the packet that can be sent across each hop in the network path without being fragmented is
called the path maximum transmission unit (PMTU). This value can vary for the same route between two
devices, mainly over a public network, depending on the network load and speed, and it is not a
consistent value. The MTU size can also differ for various types of traffic sent from one host to the
same endpoint.
Path MTU discovery (PMTD) identifies the path MTU value between the sender and the receiver, and uses
the determined value to transmit packets across the network. PMTD, as described in RFC 1191, treats
576 bytes as the default IP packet size when the path MTU is unknown. PMTD operates by setting the
do not fragment (DF) bit in the IP headers of outgoing packets. When any device along the network path
has an MTU that is smaller than the size of the packet it receives, the device drops the packet and sends
an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message with its
MTU value to the source or sending device. This message tells the source that the transmitted packet
size must be reduced. The packet is retransmitted with a smaller size than before. This process repeats
iteratively until the size of the transmitted packet is lower than or equal to the MTU of every device on
the path, so that the receiver obtains the packet without fragmentation. If the ICMP message sent back
to the originating device contains the next-hop MTU, the sending device lowers the packet size to that
value and resends the packet. Otherwise, the sender lowers the packet size step by step (RFC 1191
suggests a table of common MTU plateau values for this) until the packet can traverse the path without
being fragmented. Filtering ICMP Fragmentation Needed messages anywhere on the path breaks this
mechanism and produces a PMTUD black hole in which large packets are silently dropped.
PMTD is enabled by default on the switches that support this capability. To enable PMTD to function
correctly, you must enter the ip unreachables command on a VLAN interface to enable the
generation of ICMP unreachable messages. PMTD is supported on all the layer 3 VLAN interfaces.
Because all of the Layer 3 interfaces are mapped to the VLAN ID of 4095 when VLAN sub-interfaces are
configured on it, it is not possible to configure unique layer 3 MTU values for each of the layer 3
interfaces. If a VLAN interface has both IPv4 and IPv6 addresses configured on it, the same MTU size
applies to both IPv4 and IPv6 traffic; you cannot specify different MTU values for IPv4 and IPv6
packets.
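To make the exchange concrete, here is an added Python simulation of the PMTD loop described above; it is not code from this guide or from the Dell Networking OS. The path MTUs, the starting size and the behaviour of a router that omits the next-hop MTU are constructed; the plateau table is the one RFC 1191 suggests, and the sanity check on the advertised MTU is an assumption about what a careful sender does with a value it cannot verify.

```python
# RFC 1191 plateau table, used when the ICMP Fragmentation Needed message
# carries no next-hop MTU (routers predating RFC 1191 send 0 in that field).
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
MIN_IPV4_MTU = 68  # the smallest MTU IPv4 requires every link to carry


def forward(path_mtus, size, hint_next_hop_mtu=True):
    """Send one DF datagram of `size` bytes hop by hop along constructed path_mtus.

    Returns ("delivered", None) when every hop accepts it, otherwise
    ("frag_needed", mtu) from the first hop whose MTU is too small; mtu is 0
    when that router does not report its MTU in the ICMP message."""
    for mtu in path_mtus:
        if size > mtu:
            return ("frag_needed", mtu if hint_next_hop_mtu else 0)
    return ("delivered", None)


def next_plateau(size):
    """Largest plateau strictly below the current size (RFC 1191 fallback search)."""
    for plateau in PLATEAUS:
        if plateau < size:
            return plateau
    return MIN_IPV4_MTU


def discover_pmtu(path_mtus, initial=1500, hint_next_hop_mtu=True, max_rounds=32):
    """Run PMTD from the sender's side. Returns (pmtu, list_of_sizes_tried)."""
    size = initial
    tried = [size]
    for _ in range(max_rounds):
        status, hint = forward(path_mtus, size, hint_next_hop_mtu)
        if status == "delivered":
            return size, tried
        # Assumption about a careful sender: a hint below the IPv4 minimum, or
        # one that does not shrink the datagram, cannot be genuine (ICMP is
        # unauthenticated, so a forged message could carry any value). Treat it
        # like a missing hint so it can neither stall the search nor drive the
        # size below what every link must carry.
        if hint < MIN_IPV4_MTU or hint >= size:
            hint = 0
        size = hint if hint else next_plateau(size)
        tried.append(size)
    raise RuntimeError("path MTU discovery did not converge")


if __name__ == "__main__":
    path = [1500, 1400, 1280, 1500]  # constructed: the third hop is the bottleneck
    print(discover_pmtu(path))                            # (1280, [1500, 1400, 1280])
    print(discover_pmtu(path, hint_next_hop_mtu=False))   # (1006, [1500, 1492, 1006])
```

With routers that report their MTU the sender converges on the true bottleneck (1280) in two retransmissions; with routers that omit it, the plateau search still converges but settles on 1006, the largest plateau the path accepts, which is why the next-hop MTU field matters for throughput.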
Using the Configured Source IP Address in ICMP Messages
ICMP error or unreachable messages are now sent with the configured IP address of the source interface
instead of the front-end port IP address as the source IP address. Enable the generation of ICMP
unreachable messages with the ip unreachable command in Interface mode. When a ping or
traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static
route, it is discarded. In such cases, you can configure Internet Control Message Protocol (ICMP)
unreachable messages to be sent to the transmitting device.
Configuring the ICMP Source Interface
You can enable the ICMP error and unreachable messages to contain the configured IP address of the
source device instead of the previous hop's IP address. This configuration helps identify the devices along
the path because the DNS server maps the loopback IP address to the host name, and does not translate
the IP address of every interface of the switch to the host name.
Configure the source to send the configured source interface IP address instead of its front-end IP
address in the ICMP unreachable messages and in the traceroute command output. Use the ip icmp
source-interface interface or the ipv6 icmp source-interface interface commands in
Configuration mode to enable the ICMP error messages to be sent with the source interface IP address.
This functionality is supported on loopback, VLAN, port channel, and physical interfaces for IPv4 and IPv6
messages. This feature is not supported on tunnel interfaces. ICMP error relay, path MTU transmission, and
fragmented packets are not supported for tunnel interfaces. The traceroute utilities for IPv4 and IPv6 list
the IP addresses of the devices in the hops of the path for which the ICMP source interface is configured.
Configuring the Duration to Establish a TCP Connection
You can configure the amount of time for which the device waits for a TCP connection to be established.
Using this capability, you can limit the wait time for pending TCP connection requests. After responding
to the initial SYN packet that requests a connection to the router for a specific service (such as SSH or
BGP) with a SYN ACK, the router waits for a period of time for the ACK packet from the requesting host
that completes the TCP handshake. Until that ACK arrives or the wait expires, the request occupies a
half-open connection entry on the device.
This interval therefore bounds how long each half-open entry is held, and so how many entries a SYN
flood can keep open on the device at once. Set it with the round-trip times of legitimate peers in mind:
a short value (for example, 10 seconds or lower) limits the exposure to SYN floods and keeps the device
from becoming unresponsive, while peers that complete the handshake slowly, such as BGP neighbors
across WAN links, need a longer value that depends on the complexity of your network and the
configuration attributes.
To configure the duration for which the device waits for the ACK packet to be sent from the requesting
host to establish the TCP connection, perform the following steps:
1. Define the wait duration in seconds for the TCP connection to be established.
   CONFIGURATION mode
   Dell(conf)#ip tcp reduced-syn-ack-wait <9-75>
   Use the no ip tcp reduced-syn-ack-wait command to restore the default behavior, which
   sets the wait period to 8 seconds.
2. View the interval that you configured for the device to wait for the TCP connection to be
   established.
   EXEC mode
   Dell>show ip tcp reduced-syn-ack-wait
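The following added Python example (not code from this guide or from the Dell Networking OS) shows why the wait value matters under a SYN flood: it models the half-open entries a device holds while waiting for the final ACK and computes the peak backlog for several candidate wait values. The arrival pattern and rates are constructed, and the model assumes none of the flood's SYNs ever completes the handshake; entries that do complete would be released earlier.

```python
def half_open_peak(syn_times_ms, wait_ms):
    """Peak number of half-open (SYN-ACK sent, no ACK yet) entries held at once.

    Each SYN creates an entry at its arrival time (milliseconds); an entry that
    never receives its ACK is dropped wait_ms later. The events are swept in
    time order, applying expiries before arrivals at the same instant."""
    events = []
    for t in syn_times_ms:
        events.append((t, +1))           # entry created
        events.append((t + wait_ms, -1)) # entry expired
    events.sort()                        # tuples sort (-1) before (+1) at equal times
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def syn_flood(rate_per_second, duration_seconds):
    """Constructed SYN flood: evenly spaced spoofed SYNs, none of which completes."""
    step_ms = 1000 // rate_per_second
    return [i * step_ms for i in range(rate_per_second * duration_seconds)]


def compare_waits(syn_times_ms, waits_seconds):
    """Map each candidate wait value (seconds) to the resulting peak backlog."""
    return {w: half_open_peak(syn_times_ms, w * 1000) for w in waits_seconds}


if __name__ == "__main__":
    flood = syn_flood(rate_per_second=100, duration_seconds=30)
    # 100 spoofed SYN/s for 30 s: a 2 s wait caps the backlog at 200 entries,
    # the 8 s default at 800, and a 75 s wait holds all 3000.
    print(compare_waits(flood, [2, 8, 75]))
```

The backlog scales linearly with the wait, so the longest value the command accepts keeps the whole flood resident on the device, while a short value keeps the device answering legitimate peers that complete the handshake within a normal round trip.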
Enabling Directed Broadcast
By default, the system drops directed broadcast packets destined for an interface. This default setting
provides some protection against denial of service (DoS) attacks, in particular amplification attacks such
as Smurf, in which a spoofed ICMP echo request to a subnet's directed broadcast address makes every host
on that subnet reply to the victim.
To enable the system to receive directed broadcasts, use the following command.
• Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies such commands as
Telnet and FTP by allowing you to enter a name instead of an IP address.
Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system
resolves only host names entered into the host table with the ip host command.
The following sections describe DNS and the resolution of host names.
• Enabling Dynamic Resolution of Host Names
• Specifying the Local System Domain and a List of Domains
• Configuring DNS with Traceroute
Enabling Dynamic Resolution of Host Names
By default, dynamic resolution of host names (DNS) is disabled.
To enable DNS, use the following commands.
• Enable dynamic resolution of host names.
  CONFIGURATION mode
  ip domain-lookup
• Specify up to six name servers.
  CONFIGURATION mode
  ip name-server ip-address [ip-address2 ... ip-address6]
  The order in which you enter the servers determines the order of their use.
Example of the show hosts Command
To view current bindings, use the show hosts command.
Dell>show host
Default domain is force10networks.com
Name/address lookup uses domain service
Name servers are not set
Host      Flags       TTL  Type  Address
--------  ----------  ---  ----  -----------
ks        (perm, OK)  -    IP    2.2.2.2
patch1    (perm, OK)  -    IP    192.68.69.2
tomm-3    (perm, OK)  -    IP    192.68.99.2
gxr       (perm, OK)  -    IP    192.71.18.2
f00-3     (perm, OK)  -    IP    192.71.23.1
Dell>
To view the current configuration, use the show running-config resolve command.
Specifying the Local System Domain and a List of Domains
If you enter a partial domain, the system can search different domains to finish or fully qualify that partial
domain.
A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The Dell
Networking OS searches the host table first to resolve the partial domain. The host table contains both
statically configured and dynamically learnt host and IP addresses. If the system cannot resolve the
domain, it tries the domain name assigned to the local system. If that does not resolve the partial domain,
the system searches the list of domains configured.
To configure a domain name or a list of domain names, use the following commands.
• Enter up to 63 characters to configure one domain name.
  CONFIGURATION mode
  ip domain-name name
• Enter up to 63 characters to configure names to complete unqualified host names.
  CONFIGURATION mode
  ip domain-list name
  Configure this command up to six times to specify a list of possible domain names. The Dell
  Networking OS searches the domain names in the order they were configured until a match is found
  or the list is exhausted.
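As an added example, not code from this guide or from the Dell Networking OS, the following Python resolver reproduces the search order described above (host table first, then the name with the local domain appended, then with each configured domain appended) and the special case of a fully qualified name that ends in a dot. The host table, domain names and the answers returned by fake_dns are constructed stand-ins for ip host, ip domain-name, ip domain-list and a real name server.

```python
def search_candidates(name, local_domain, domain_list):
    """Names to try, in order: the name as typed, then with the local domain
    appended, then with each configured domain appended. A trailing dot marks
    a fully qualified name, which is tried exactly as given and never expanded."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = [s for s in [local_domain, *domain_list] if s]
    candidates = [name]
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


def resolve(name, host_table, local_domain, domain_list, dns_lookup):
    """Return (address, source). A host-table entry wins over any DNS answer;
    otherwise the first candidate the name server answers for is used."""
    candidates = search_candidates(name, local_domain, domain_list)
    for fqdn in candidates:
        if fqdn in host_table:
            return host_table[fqdn], "host-table"
    for fqdn in candidates:
        address = dns_lookup(fqdn)
        if address is not None:
            return address, fqdn
    return None, None


# Constructed data (example only): static host entries, the local domain,
# the domain list, and the zone a name server would answer from.
HOST_TABLE = {"ks": "2.2.2.2", "patch1": "192.68.69.2"}
LOCAL_DOMAIN = "force10networks.com"
DOMAIN_LIST = ["lab.example", "corp.example"]
ZONE = {"www.force10networks.com": "10.11.84.18", "build.corp.example": "10.0.0.5"}


def fake_dns(fqdn):
    """Stand-in for a DNS query: answers only for names present in ZONE."""
    return ZONE.get(fqdn)


if __name__ == "__main__":
    for query in ["ks", "www", "build", "www."]:
        print(query, resolve(query, HOST_TABLE, LOCAL_DOMAIN, DOMAIN_LIST, fake_dns))
```

Note that an unqualified name is sent to the name server once per candidate until one answers, so with a long domain list a single typed name can leak several internal names to the resolver; typing the name with a trailing dot avoids the expansion altogether.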
Configuring DNS with Traceroute
To configure your switch to perform DNS with traceroute, use the following commands.
• Enable dynamic resolution of host names.
  CONFIGURATION mode
  ip domain-lookup
• Specify up to six name servers.
  CONFIGURATION mode
  ip name-server ip-address [ip-address2 ... ip-address6]
  The order in which you enter the servers determines the order of their use.
• When you enter the traceroute command without specifying an IP address (Extended
  Traceroute), you are prompted for a target and source IP address, timeout in seconds (default is 5),
  a probe count (default is 3), minimum TTL (default is 1), maximum TTL (default is 30), and port number
  (default is 33434).
  EXEC Privilege mode
  traceroute [host | ip-address]
  To keep the default setting for these parameters, press the ENTER key.
Example of the traceroute Command
The following text is example output of DNS using the traceroute command.
Dell#traceroute www.force10networks.com
Translating "www.force10networks.com"...domain server (10.11.0.1) [OK]
Type Ctrl-C to abort.
-----------------------------------------------------------------------------------------
Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets
-----------------------------------------------------------------------------------------
TTL  Hostname                                            Probe1      Probe2      Probe3
1    10.11.199.190                                       001.000 ms  001.000 ms  002.000 ms
2    gwegress-sjc-02.force10networks.com (10.11.30.126)  005.000 ms  001.000 ms  001.000 ms
3    fw-sjc-01.force10networks.com (10.11.127.254)       000.000 ms  000.000 ms  000.000 ms
4    www.force10networks.com (10.11.84.18)               000.000 ms  000.000 ms  000.000 ms
Dell#
ARP
The Dell Networking OS uses two forms of address resolution: address resolution protocol (ARP) and
Proxy ARP.
ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP
network. Over time, the system creates a forwarding table mapping the MAC addresses to their
corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are
removed after a defined period of time.
For more information about ARP, refer to RFC 826, An Ethernet Address Resolution Protocol.
In the Dell Networking OS, Proxy ARP enables hosts with knowledge of the network to accept and
forward packets from hosts that contain no knowledge of the network. Proxy ARP makes it possible for
hosts to be ignorant of the network, including subnetting.
For more information about Proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027,
Using ARP to Implement Transparent Subnet Gateways.
Configuration Tasks for ARP
For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line
Reference Guide.
Configuration tasks for ARP include:
• Configuring Static ARP Entries (optional)
• Enabling Proxy ARP (optional)
• Clearing ARP Cache (optional)
• ARP Learning via Gratuitous ARP
• ARP Learning via ARP Request
• Configuring ARP Retries
Configuring Static ARP Entries
ARP dynamically maps MAC and IP addresses, and while most network hosts support dynamic
mapping, you can configure an ARP entry (called a static ARP) for the ARP cache.
To configure a static ARP entry, use the following command.
• Configure an IP address and MAC address mapping for an interface.
  CONFIGURATION mode
  arp ip-address mac-address interface
  – ip-address: IP address in dotted decimal format (A.B.C.D).
  – mac-address: MAC address in nnnn.nnnn.nnnn format.
  – interface: enter the interface type slot/port information.
These entries do not age and can only be removed manually. Because a dynamically learned mapping
does not replace them, static entries are also a simple defense against ARP spoofing of a few critical
addresses, such as a default gateway or a management host. To remove a static ARP entry, use the
no arp ip-address command.
Example of the show arp Command
To view the static entries in the ARP cache, use the show arp static command in EXEC privilege
mode.
Dell#show arp
Protocol  Address        Age(min)  Hardware Address   Interface  VLAN  CPU
--------------------------------------------------------------------------
Internet  10.11.68.14    94        00:01:e9:45:00:03  Ma 0/0           CP
Internet  10.11.209.254  0         00:01:e9:45:00:03  Ma 0/0           CP
Dell#
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface
mode.
To re-enable Proxy ARP, use the following command.
•
Re-enable Proxy ARP.
INTERFACE mode
ip proxy-arp
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If
it is not listed in the show config command output, it is enabled. Only non-default information is
displayed in the show config command output.
Clearing ARP Cache
To clear the ARP cache of dynamically learnt ARP information, use the following command.
• Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
  EXEC privilege
  clear arp-cache [interface | ip ip-address] [no-refresh]
  – ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear.
  – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address.
  – For a port channel interface, enter the keywords port-channel then a number from 1 to 128.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  – For a VLAN interface, enter the keyword vlan then a number between 1 and 4094.
  – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
NOTE: Transit traffic may not be forwarded during the period when deleted ARP entries are resolved
again and re-installed in CAM. Use this option with extreme caution.
ARP Learning via Gratuitous ARP
Gratuitous ARP can mean an ARP request or reply.
In the context of ARP learning via gratuitous ARP on the system, the gratuitous ARP is a request. A gratuitous ARP request is an ARP request that is not needed according to the ARP specification, but one that hosts may send anyway. Gratuitous ARP can:
• detect IP address conflicts
• inform switches of their presence on a port so that packets can be forwarded
• update the ARP table of other nodes on the network in case of an address change
In the request, the host uses its own IP address in the Sender Protocol Address and Target Protocol
Address fields. When a gratuitous ARP is received, the system installs an ARP entry on the CPU.
To enable ARP learning via gratuitous ARP, use the arp learn-enable command in CONFIGURATION
mode.
ARP Learning via ARP Request
In the Dell Networking OS versions prior to 8.3.1.0, the system learns via ARP requests only if the target IP
specified in the packet matches the IP address of the receiving router interface. This is the case when a
host is attempting to resolve the gateway address.
If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry
for the requesting host, it is updated.
Figure 49. ARP Learning via ARP Request
Beginning with the Dell Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP,
the system installs a new ARP entry, or updates an existing entry for all received ARP requests.
Figure 50. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
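The learning rules of the two sections above (gratuitous ARP, and ARP requests before and after arp learn-enable), as an added Python model; this is not Dell Networking OS code, and the interface IP, MAC and IP values are constructed.

```python
"""Model of the ARP learning rules described above: learning from gratuitous
ARP requests, and the pre-8.3.1.0 versus arp learn-enable handling of ordinary
ARP requests. This is an added illustration, not Dell Networking OS code; the
MAC and IP values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpRequest:
    sender_mac: str
    sender_ip: str      # Sender Protocol Address
    target_ip: str      # Target Protocol Address

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous request carries the host's own IP in both protocol fields.
        return self.sender_ip == self.target_ip


@dataclass
class ArpTable:
    interface_ip: str                    # IP of the receiving Layer 3 interface
    learn_all_requests: bool = False     # arp learn-enable (8.3.1.0 and later)
    entries: Dict[str, str] = field(default_factory=dict)   # ip -> mac
    conflicts: List[Tuple[str, str, str]] = field(default_factory=list)

    def receive(self, req: ArpRequest) -> str:
        """Apply the learning rules; return 'installed', 'updated' or 'dropped'."""
        existing = self.entries.get(req.sender_ip)
        if req.is_gratuitous:
            # A gratuitous ARP for an IP already bound to a different MAC is the
            # address-conflict signal the text mentions; a defender logs it.
            if existing is not None and existing != req.sender_mac:
                self.conflicts.append((req.sender_ip, existing, req.sender_mac))
            return self._learn(req)
        if self.learn_all_requests or req.target_ip == self.interface_ip:
            # Target is this interface (a gateway lookup) or learn-enable is on:
            # no target lookup, the entry is taken from the source IP.
            return self._learn(req)
        if existing is not None:
            # Pre-8.3.1.0: target is another host, but an existing entry is refreshed.
            self.entries[req.sender_ip] = req.sender_mac
            return "updated"
        return "dropped"

    def _learn(self, req: ArpRequest) -> str:
        verb = "updated" if req.sender_ip in self.entries else "installed"
        self.entries[req.sender_ip] = req.sender_mac
        return verb


def demo() -> ArpTable:
    """Run constructed requests through a pre-8.3.1.0 style table."""
    table = ArpTable(interface_ip="10.1.1.1")
    for req in (
        ArpRequest("00:01:e9:45:00:03", "10.1.1.20", "10.1.1.1"),   # gateway lookup
        ArpRequest("00:01:e9:45:00:04", "10.1.1.21", "10.1.1.22"),  # other target, unknown host
        ArpRequest("00:01:e9:45:00:05", "10.1.1.20", "10.1.1.22"),  # other target, known host
        ArpRequest("00:01:e9:45:00:06", "10.1.1.30", "10.1.1.30"),  # gratuitous
        ArpRequest("00:01:e9:45:00:07", "10.1.1.30", "10.1.1.30"),  # gratuitous, new MAC
    ):
        print(f"{req.sender_ip:<12} -> {table.receive(req)}")
    return table


if __name__ == "__main__":
    demo()
```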
Configuring ARP Retries
In the Dell Networking OS versions prior to 8.3.1.0, the number of ARP retries is set to five and is not
configurable. After five retries, the system backs off for 20 seconds before it sends a new request.
Beginning with the Dell Networking OS version 8.3.1.0, the number of ARP retries is configurable.
The default backoff interval remains at 20 seconds. On the MXL switch platform, using the Dell
Networking OS version 8.3.8.0 and later, the time between ARP re-send is configurable. This timer is an
exponential backoff timer. Over the specified period, the time between ARP requests increases. This
reduces the potential for the system to slow down while waiting for a multitude of ARP responses.
To set and display ARP retries, use the following commands.
• Set the number of ARP retries.
  CONFIGURATION mode
  arp retries number
  The default is 5.
  The range is from 1 to 20.
• Set the exponential timer for resending unresolved ARPs.
  CONFIGURATION mode
  arp backoff-time
  The default is 30.
  The range is from 1 to 3600.
• Display all ARP entries learned via gratuitous ARP.
  EXEC Privilege mode
  show arp retries
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end
stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable
(ICMP Echo or Echo Reply).
ICMP error messages inform the router of problems in a particular packet. These messages are sent only
on unicast traffic.
Configuration Tasks for ICMP
The following lists the configuration tasks for ICMP.
• Enabling ICMP Unreachable Messages
For a complete listing of all commands related to ICMP, refer to the Dell Networking OS Command Line
Reference Guide.
Enabling ICMP Unreachable Messages
By default, ICMP unreachable messages are disabled.
When enabled, ICMP unreachable messages are created and sent out all interfaces.
To disable and re-enable ICMP unreachable messages, use the following commands.
• Set the system to create and send ICMP unreachable messages on the interface.
  INTERFACE mode
  ip unreachable
To check whether ICMP unreachable messages are sent on the interface, use the show config command in INTERFACE mode. If the setting does not appear in the show config output, it is enabled: only non-default settings are displayed in the show config command output.
UDP Helper
User datagram protocol (UDP) helper allows you to direct the forwarding of IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses.
Configure UDP Helper
Configuring the system to direct UDP broadcast is a one-step process:
1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper.
Important Points to Remember
• The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
• You may specify a maximum of 16 UDP ports.
• UDP helper is compatible with IP helper (ip helper-address):
  – UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
  – If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
• Enable UDP helper.
  ip udp-helper udp-ports
Example of Enabling UDP Helper
Dell(conf-if-te-1/1)#ip udp-helper udp-port 1000
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 ip address 2.1.1.1/24
 ip udp-helper udp-port 1000
 no shutdown
Example of the show ip udp-helper Command
To view the interfaces and ports on which you enabled UDP helper, use the show ip udp-helper command from EXEC Privilege mode.
Dell#show ip udp-helper
--------------------------
Port          UDP port list
--------------------------
TenGig 1/1    1000
Configurations Using UDP Helper
When you enable UDP helper and the destination IP address of an incoming packet is a broadcast
address, the system suppresses the destination address of the packet.
The following sections describe various configurations that employ UDP helper to direct broadcasts.
• UDP Helper with Broadcast-All Addresses
• UDP Helper with Subnet Broadcast Addresses
• UDP Helper with Configured Broadcast Addresses
• UDP Helper with No Configured Broadcast Addresses
UDP Helper with Broadcast-All Addresses
When the destination IP address of an incoming packet is the IP broadcast address, the system rewrites
the address to match the configured broadcast address.
In the following illustration:
1. Packet 1 is dropped at ingress if you did not configure a UDP helper address.
2. If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If you do not configure an IP broadcast address (using the ip udp-broadcast-address command) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
Packet 2, sent from a host on VLAN 101, has a broadcast MAC address and IP address. In this case:
1. It is flooded on VLAN 101 without changing the destination address because the forwarding process is Layer 2.
2. If you enabled UDP helper, the system changes the destination IP address to the configured broadcast address 1.1.255.255 and forwards the packet to VLAN 100.
3. Packet 2 is also forwarded to the ingress interface with an unchanged destination address because it does not have a broadcast address configured.
Figure 51. UDP Helper with Broadcast-All Addresses
UDP Helper with Subnet Broadcast Addresses
When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface.
In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet
broadcast address of VLAN 101. If you configured UDP helper and the packet matches the specified UDP
port, the system changes the address to the configured IP broadcast address and floods the packet on
VLAN 101.
Packet 2 is sent from the host on VLAN 101. It has a broadcast MAC address and a destination IP address
of 1.1.1.255. In this case, it is flooded on VLAN 101 in its original condition as the forwarding process is
Layer 2.
Figure 52. UDP Helper with Subnet Broadcast Addresses
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any
interface are forwarded to the matching interfaces.
In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast
address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet
is flooded on both VLANs with an unchanged destination address.
Packet 2 is sent from a host on VLAN 101. It has a broadcast MAC address and a destination IP address that matches the configured broadcast address on VLAN 101. In this case, Packet 2 is flooded on VLAN 101 with the destination address unchanged because the forwarding process is Layer 2. If you enabled UDP helper, the packet is flooded on VLAN 100 as well.
Figure 53. UDP Helper with Configured Broadcast Addresses
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
• If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
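The four cases described above, as an added router-side model written for this page; it is not Dell Networking OS code. The interface names, subnets and helper port are constructed, and the Layer 2 flood on the ingress VLAN is represented as an unchanged copy delivered to the ingress interface.

```python
"""Router-side model of the UDP helper destination-rewrite rules described in the
sections above (broadcast-all, subnet broadcast, configured broadcast, none
configured). Added illustration, not Dell Networking OS code; the interface
names, subnets and UDP port are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST_ALL = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class L3Interface:
    name: str
    network: ipaddress.IPv4Network                          # the interface's own subnet
    udp_broadcast: Optional[ipaddress.IPv4Address] = None   # ip udp-broadcast-address, if set

    @property
    def subnet_broadcast(self) -> ipaddress.IPv4Address:
        return self.network.broadcast_address

    def is_own_broadcast(self, dst: ipaddress.IPv4Address) -> bool:
        """True for any broadcast form a host on this interface floods at Layer 2."""
        return dst in (BROADCAST_ALL, self.subnet_broadcast, self.udp_broadcast)


@dataclass
class Router:
    interfaces: List[L3Interface]
    helper_ports: Set[int] = field(default_factory=set)     # ip udp-helper udp-port ...

    def forward(self, ingress: str, dst_ip: str, udp_port: int) -> Dict[str, str]:
        """Return {egress interface: destination IP written into the copy sent there}.

        An empty result means the helper does not forward the packet; the text only
        specifies this for broadcast-all (dropped at ingress without a helper match)."""
        dst = ipaddress.IPv4Address(dst_ip)
        out: Dict[str, str] = {}
        if udp_port not in self.helper_ports:
            return out
        for intf in self.interfaces:
            if intf.name == ingress:
                # Layer 2 flood on the ingress VLAN: the address is never rewritten.
                if intf.is_own_broadcast(dst):
                    out[intf.name] = str(dst)
            elif dst == BROADCAST_ALL or dst == intf.subnet_broadcast:
                # Broadcast-all / subnet broadcast: rewrite to the configured broadcast;
                # with none configured the original destination is kept.
                out[intf.name] = str(intf.udp_broadcast or dst)
            elif intf.udp_broadcast is not None and dst == intf.udp_broadcast:
                # Already the configured broadcast: forwarded unchanged.
                out[intf.name] = str(dst)
        return out


def example_router(configured: bool) -> Router:
    """Constructed topology: an uplink plus VLANs 100 and 101; `configured` toggles
    ip udp-broadcast-address 1.1.255.255 on both VLANs."""
    cfg = ipaddress.IPv4Address("1.1.255.255") if configured else None
    return Router(
        interfaces=[
            L3Interface("TenGig 0/1", ipaddress.IPv4Network("10.0.0.0/24")),
            L3Interface("Vlan 100", ipaddress.IPv4Network("1.1.2.0/24"), cfg),
            L3Interface("Vlan 101", ipaddress.IPv4Network("1.1.1.0/24"), cfg),
        ],
        helper_ports={1000},
    )


def demo() -> None:
    router = example_router(configured=True)
    for ingress, dst, port in (
        ("TenGig 0/1", "255.255.255.255", 53),    # helper port mismatch: dropped
        ("TenGig 0/1", "255.255.255.255", 1000),  # broadcast-all, rewritten per VLAN
        ("TenGig 0/1", "1.1.1.255", 1000),        # subnet broadcast of Vlan 101
        ("Vlan 101", "1.1.255.255", 1000),        # configured broadcast, unchanged
    ):
        print(f"{ingress:<11} {dst:<16} udp/{port:<5} -> {router.forward(ingress, dst, port)}")


if __name__ == "__main__":
    demo()
```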
Troubleshooting UDP Helper
To display debugging information for troubleshooting, use the debug ip udp-helper command.
Example of the debug ip udp-helper Command
Dell(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on TenGig 5/0 with IP DA (0xffffffff) will be sent on TenGig 5/1 TenGig 5/2 Vlan 3
01:44:54: Pkt rcvd on TenGig 7/0 is handed over for DHCP processing.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.
Example Output from the debug ip dhcp Command
Packet 0.0.0.0:68 -> 255.255.255.255:67 TTL 128
2005-11-05 11:59:35 %RELAY-I-PACKET, BOOTP REQUEST (Unicast) received at interface 172.21.50.193 BOOTP Request, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 0.0.0.0, hops = 2
2005-11-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6
2005-11-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2
2005-07-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90
Packet 0.0.0.0:68 -> 255.255.255.255:67 TTL 128
24 IPv6 Addressing
Internet protocol version 6 (IPv6) is supported on the MXL switch platform.
NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are
supported on all platforms, nor for all releases. To determine the Dell Networking OS version
supporting which features and platforms, refer to Implementing IPv6 with the Dell Networking OS.
IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching
its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion.
This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell
Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Protocol Overview
IPv6 is an evolution of IPv4. IPv6 is generally installed as an upgrade in devices and operating systems.
Most new devices and operating systems support both IPv4 and IPv6.
Some key changes in IPv6 are:
• Extended address space
• Stateless autoconfiguration
• Header format simplification
• Improved support for options and extensions
Extended Address Space
The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated
needs, it allows for the use of a hierarchical address space structure to optimize global addressing.
Stateless Autoconfiguration
When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or
prefixes) from an IPv6 router on its link. It can then autoconfigure one or more global IPv6 addresses by
using either the MAC address or a private random number to build its unique IPv6 address.
Stateless autoconfiguration uses three mechanisms for IPv6 address configuration:
• Prefix Advertisement — Routers use “Router Advertisement” messages to announce the network prefix. Hosts then use their interface-identifier MAC address to generate their own valid IPv6 address.
• Duplicate Address Detection (DAD) — Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism.
• Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
NOTE: The Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA)
to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when
an RS message is received.
The Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only.
Neighbor discovery (ND) messages are advertised so the neighbor can use this information to autoconfigure its address. However, received ND messages are not used to create an IPv6 address.
NOTE: Inconsistencies in router advertisement values between routers are logged per RFC 4861.
The values checked for consistency include:
• Cur Hop limit
• M and O flags
• Reachable time
• Retrans timer
• MTU options
• Preferred and valid lifetime values for the same prefix
Only management ports support stateless auto-configuration as a host.
The router redirect functionality in the neighbor discovery protocol (NDP) is similar to IPv4 router redirect
messages. NDP uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on
the link.
IPv6 Headers
The IPv6 header has a fixed length of 40 bytes. This fixed length provides 16 bytes each for source and
destination information and 8 bytes for general header information.
The IPv6 header includes the following fields:
• Version (4 bits)
• Traffic Class (8 bits)
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no
extension headers, one extension header or more than one extension header in an IPv6 packet. Extension
headers are defined in the Next Header field of the preceding IPv6 header.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.
Figure 54. IPv6 Header Fields
Version (4 bits)
The Version field always contains the number 6, referring to the packet’s IP version.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet
priority and are defined by the packet Source. Sending and forwarding routers use this field to identify
different IPv6 classes and priorities. Routers understand the priority settings and handle them
appropriately during conditions of congestion.
Flow Label (20 bits)
The Flow Label field identifies packets requiring special treatment in order to manage real-time data
traffic.
The sending router can label sequences of IPv6 packets so that forwarding routers can process packets
within the same flow without needing to reprocess each packet’s header separately.
NOTE: All packets in the flow must have the same source and destination addresses.
Payload Length (16 bits)
The Payload Length field specifies the packet payload. This is the length of the data following the IPv6
header. IPv6 Payload Length only includes the data following the header, not the header itself.
The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the
Jumbogram option type Extension header supports larger packet sizes when required.
Next Header (8 bits)
The Next Header field identifies the next header’s type. If an Extension header is used, this field contains
the type of Extension header (as shown in the following table). If the next header is a transmission control
protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The
Extension header is located between the IP header and the TCP or UDP header.
The following lists the Next Header field values.
Value   Description
0       Hop-by-Hop option header
4       IPv4
6       TCP
8       Exterior Gateway Protocol (EGP)
41      IPv6
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destination options header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current
listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as
the Time to Live (TTL) field and uses seconds rather than hops.
Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a
packet with a Hop Limit of 1, it decrements it to 0 (zero). The router discards the packet and sends an
ICMPv6 message back to the sending router indicating that the Hop Limit was exceeded in transit.
Source Address (128 bits)
The Source Address field contains the IPv6 address for the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient’s IPv6 address. This can be either the
ultimate destination or the address of the next hop router.
Extension Header Fields
Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance. Extension header lengths vary, but they are always a multiple of 8 bytes.
Each extension header is identified by the Next Header field in the IPv6 header that precedes it. Extension
headers are viewed only by the destination router identified in the Destination Address field. If the
Destination Address is a multicast address, the Extension headers are examined by all the routers in that
multicast group.
However, if the packet carries a Hop-by-Hop options header, that Extension header is examined by every forwarding router along the packet’s route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field.
Extension headers are processed in the order in which they appear in the packet header.
Hop-by-Hop Options Header
The Hop-by-Hop options header contains information that is examined by every router along the
packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero).
When a Hop-by-Hop Options header is not included, the router knows that it does not have to process
any router specific information and immediately processes the packet to its final destination.
When a Hop-by-Hop Options header is present, the router only needs this extension header and does
not need to take the time to view further into the packet.
The Hop-by-Hop Options header contains:
• Next Header (1 byte)
  This field identifies the type of header following the Hop-by-Hop Options header and uses the same values.
• Header Extension Length (1 byte)
  This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero).
• Options (size varies)
  This field can contain one or more options. The first byte of the field identifies the Option type, and directs the router how to handle the option.
  00  Skip and continue processing.
  01  Discard the packet.
  10  Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address identifying the unknown option type.
  11  Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address.
  The second byte contains the Option Data Length.
  The third byte specifies whether the information can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
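The fixed header and Hop-by-Hop Options header described above, as an added parser written for this page; it is not Dell Networking OS code. Field offsets and the Pad1/PadN option types follow RFC 8200, the sample packet is constructed inline, and the two length checks show the truncation cases a forwarding device must reject before indexing into the packet.

```python
"""Parse the 40-byte IPv6 fixed header described above and walk a Hop-by-Hop
Options header, applying the unrecognised-option action carried in the two high
bits of each Option Type. Added example, not Dell Networking OS code; offsets and
the Pad1/PadN option types follow RFC 8200, and the sample packet is constructed."""
import ipaddress
import struct
from typing import Dict, List, Tuple

HOP_BY_HOP, UDP = 0, 17
PAD1, PADN = 0x00, 0x01
# Two high bits of an unrecognised Option Type -> required action (see list above).
ACTIONS = {0b00: "skip", 0b01: "discard", 0b10: "discard+icmp",
           0b11: "discard+icmp-unless-multicast"}


def parse_fixed_header(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 bytes")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError(f"not IPv6 (version={first_word >> 28})")
    # Payload Length counts only the bytes after the fixed header; a value larger
    # than what was actually received must be rejected before anything is indexed.
    if 40 + payload_length > len(pkt):
        raise ValueError("Payload Length exceeds captured bytes")
    return {"version": 6, "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF, "payload_length": payload_length,
            "next_header": next_header, "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40])}


def parse_hop_by_hop(payload: bytes) -> Tuple[int, int, List[Tuple[int, str, bytes]]]:
    """Return (next_header, header_length, options).

    header_length = (Hdr Ext Len + 1) * 8: the length byte counts 8-byte units
    excluding the first 8 bytes, so a minimal header carries 0 there."""
    if len(payload) < 8:
        raise ValueError("truncated Hop-by-Hop Options header")
    next_header, ext_len = payload[0], payload[1]
    total = (ext_len + 1) * 8
    if len(payload) < total:
        raise ValueError("Hdr Ext Len runs past the remaining payload")
    options, pos = [], 2
    while pos < total:
        opt_type = payload[pos]
        if opt_type == PAD1:                   # one-byte padding, no length field
            pos += 1
            continue
        if pos + 1 >= total:
            raise ValueError("Option Type without an Opt Data Len byte")
        opt_len = payload[pos + 1]
        if pos + 2 + opt_len > total:
            raise ValueError("option data runs past the header end")
        if opt_type != PADN:
            options.append((opt_type, ACTIONS[opt_type >> 6], payload[pos + 2:pos + 2 + opt_len]))
        pos += 2 + opt_len
    return next_header, total, options


def walk(pkt: bytes) -> Dict[str, object]:
    """Fixed header, then the Hop-by-Hop header if it is first (as it must be)."""
    hdr = parse_fixed_header(pkt)
    result = {"hop_limit": hdr["hop_limit"], "chain": [hdr["next_header"]],
              "options": [], "upper_layer_offset": 40}
    if hdr["next_header"] == HOP_BY_HOP:
        nh, length, opts = parse_hop_by_hop(pkt[40:40 + hdr["payload_length"]])
        result["chain"].append(nh)
        result["options"] = opts
        result["upper_layer_offset"] = 40 + length
    return result


def is_well_formed(pkt: bytes) -> bool:
    try:
        walk(pkt)
        return True
    except ValueError:
        return False


def sample_packet() -> bytes:
    """Constructed: IPv6 | Hop-by-Hop (experimental option 0x9E from RFC 4727 with
    2 data bytes, then PadN) | 8-byte UDP header. Payload Length is 16."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hbh = bytes([UDP, 0, 0x9E, 2, 0xAA, 0xBB, PADN, 0])
    udp = struct.pack("!HHHH", 1000, 1000, 8, 0)
    fixed = struct.pack("!IHBB", 6 << 28, len(hbh) + len(udp), HOP_BY_HOP, 64)
    return fixed + src + dst + hbh + udp


if __name__ == "__main__":
    print(walk(sample_packet()))
```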
Addressing
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is
separated by a colon (:).
For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address. Any number of consecutive 0000 groups may be reduced to two colons, as long as only one double colon is used in an address. Leading and/or trailing zeros in a group can also be omitted (as in ::1 for localhost, 1:: for network addresses and :: for unspecified addresses).
All the addresses in the following list are valid and equivalent.
• 2001:0db8:0000:0000:0000:0000:1428:57ab
• 2001:0db8:0000:0000:0000::1428:57ab
• 2001:0db8:0:0:0:0:1428:57ab
• 2001:0db8:0:0::1428:57ab
• 2001:0db8::1428:57ab
• 2001:db8::1428:57ab
IPv6 networks are written using classless inter-domain routing (CIDR) notation. An IPv6 network (or
subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits
of addresses, which are identical for all hosts in the network, are called the network's prefix.
A network is denoted by the first address in the network and the size in bits of the prefix (in decimal),
separated with a slash. Because a single host is seen as a network with a 128-bit prefix, host addresses
may be written with a following /128.
For example, 2001:0db8:1234::/48 stands for the network with addresses
2001:0db8:1234:0000:0000:0000:0000:0000 through 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff.
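The notation rules above, as an added Python example written for this page (not Dell Networking OS code): it expands and compresses addresses by hand so the rules are visible, computes the range of a prefix such as 2001:0db8:1234::/48, and uses the standard ipaddress module only to cross-check. Compression follows RFC 5952, so '::' is only used for a run of two or more zero groups.

```python
"""Expand and compress IPv6 text addresses following the rules described above
(eight 16-bit groups, leading zeros optional, at most one '::') and compute the
address range a CIDR prefix covers. Added example, not Dell Networking OS code; it
implements the rules by hand so they are visible, using the standard ipaddress
module only to cross-check. Compression follows RFC 5952, so '::' is used only
for a run of two or more zero groups."""
import ipaddress
from typing import Tuple

HEX = set("0123456789abcdefABCDEF")


def expand(addr: str) -> str:
    """Return the canonical eight-group, four-digit form; reject malformed text."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one 0000 group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad group {g!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr: str) -> str:
    """Shortest text form: drop leading zeros, collapse the longest zero run."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:                 # first longest run wins on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def prefix_range(cidr: str) -> Tuple[str, str]:
    """First and last address (expanded form) covered by address/prefix-length."""
    addr, length = cidr.split("/")
    bits = int(length)
    if not 0 <= bits <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int(expand(addr).replace(":", ""), 16)
    host_mask = (1 << (128 - bits)) - 1
    first = value & ~host_mask
    return _to_text(first), _to_text(first | host_mask)


def _to_text(value: int) -> str:
    digits = f"{value:032x}"
    return ":".join(digits[i:i + 4] for i in range(0, 32, 4))


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check: the stdlib's canonical string must equal our compression."""
    return str(ipaddress.IPv6Address(expand(addr))) == compress(addr)


if __name__ == "__main__":
    for form in ("2001:0db8:0000:0000:0000:0000:1428:57ab", "2001:0db8:0:0::1428:57ab",
                 "2001:db8::1428:57ab"):
        print(f"{form:<40} -> {expand(form)} -> {compress(form)}")
    print(prefix_range("2001:0db8:1234::/48"))
```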
Link-local Addresses
Link-local addresses, starting with fe80:, are assigned only in the local link area.
The addresses are usually generated automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address.
Link-local addresses cannot be routed to the public Internet.
Static and Dynamic Addressing
Static IPv6 addresses are manually assigned to a computer by an administrator.
Dynamic IPv6 addresses are assigned either randomly or by a server using dynamic host configuration
protocol (DHCP). Even though IPv6 addresses assigned using DHCP may stay the same for long periods
of time, they can change. In some cases, a network administrator may implement dynamically assigned
static IPv6 addresses. In this case, a DHCP server is used, but it is specifically configured to always assign
the same IPv6 address to a particular computer, and never to assign that IP address to another computer.
This allows static IPv6 addresses to be configured in one place, without having to specifically configure
each computer on the network in a different way.
In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet.
Implementing IPv6 with the Dell Networking OS
The Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your
system.
The following table lists the Dell Networking OS version in which an IPv6 feature became available for
each platform. The sections following the table give greater detail about the feature.
| Feature and Functionality | Dell Networking OS Release Introduction (MXL) | Documentation and Chapter Location |
|---|---|---|
| IPv6 Basic Addressing | | |
| Basic IPv6 Commands | 9.2(0.0) | IPv6 Basic Commands in the Dell Networking OS Command Line Interface Reference Guide. |
| IPv6 address types: Unicast | 9.2(0.0) | Extended Address Space in this chapter |
| IPv6 neighbor discovery | 9.2(0.0) | IPv6 Neighbor Discovery in this chapter |
| IPv6 stateless autoconfiguration | 9.2(0.0) | Stateless Autoconfiguration in this chapter |
| IPv6 MTU path discovery | 9.2(0.0) | Path MTU Discovery in this chapter |
| IPv6 ICMPv6 | 9.2(0.0) | ICMPv6 in this chapter |
| IPv6 ping | 9.2(0.0) | ICMPv6 in this chapter |
| IPv6 traceroute | 9.2(0.0) | ICMPv6 in this chapter |
| IPv6 Routing | | |
| Static routing | 9.2(0.0) | Assigning a Static IPv6 Route in this chapter |
| Route redistribution | 9.2(0.0) | OSPF, IS-IS, and IPv6 BGP chapters in the Dell Networking OS Command Line Reference Guide. |
| Multiprotocol BGP extensions for IPv6 | 9.2(0.0) | IPv6 BGP in the Dell Networking OS Command Line Reference Guide. |
| IPv6 BGP MD5 Authentication | 9.2(0.0) | IPv6 BGP in the Dell Networking OS Command Line Reference Guide. |
| IS-IS for IPv6 | 9.2(0.0) | Intermediate System to Intermediate System (IS-IS); IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. |
| IS-IS for IPv6 support for redistribution | 9.2(0.0) | Intermediate System to Intermediate System (IS-IS); IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. |
| ISIS for IPv6 support for distribute lists and administrative distance | 9.2(0.0) | Intermediate System to Intermediate System (IS-IS); IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. |
| OSPF for IPv6 (OSPFv3) | 9.2(0.0) | OSPFv3 in the Dell Networking OS Command Line Reference Guide. |
| Equal Cost Multipath for IPv6 | 9.2(0.0) | |
| IPv6 Services and Management | 9.2(0.0) | |
| Telnet client over IPv6 (outbound Telnet) | 9.2(0.0) | Configuring Telnet with IPv6 in this chapter; Control and Monitoring in the Dell Networking OS Command Line Reference Guide. |
| Telnet server over IPv6 (inbound Telnet) | 9.2(0.0) | Configuring Telnet with IPv6 in this chapter; Control and Monitoring in the Dell Networking OS Command Line Reference Guide. |
| Secure Shell (SSH) client support over IPv6 (outbound SSH) Layer 3 only | 9.2(0.0) | Secure Shell (SSH) Over an IPv6 Transport in this chapter |
| Secure Shell (SSH) server support over IPv6 (inbound SSH) Layer 3 only | 9.2(0.0) | Secure Shell (SSH) Over an IPv6 Transport in this chapter |
| IPv6 Access Control Lists | 9.2(0.0) | IPv6 Access Control Lists in the Dell Networking OS Command Line Reference Guide. |
| IPv6 Multicast | | |
| PIM-SM for IPv6 | N/A | IPv6 Multicast in this chapter; IPv6 PIM in the Dell Networking OS Command Line Reference Guide. |
| PIM-SSM for IPv6 | N/A | IPv6 Multicast in this chapter; IPv6 PIM in the Dell Networking OS Command Line Reference Guide. |
| MLDv1/v2 | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the Dell Networking OS Command Line Reference Guide. |
| MLDv1 Snooping | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the Dell Networking OS Command Line Reference Guide. |
| MLDv2 Snooping | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the Dell Networking OS Command Line Reference Guide. |
| IPv6 QoS | | |
| trust DSCP values | N/A | IPv6 Multicast in this chapter |
ICMPv6
ICMPv6 is supported on the MXL switch platform.
ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Similar to IPv4, it provides functions for
reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell
Networking OS implementation of ICMPv6 is based on RFC 4443.
Generally, ICMPv6 uses two message types:
• Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node. These messages include Destination Unreachable, Packet Too Big, Time Exceeded and Parameter Problem messages.
• Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages.
The ping and traceroute commands extend to support IPv6 addresses. These commands use ICMPv6
Type-2 messages.
Path MTU Discovery
IPv6 path maximum transmission unit (MTU) discovery is supported on the MXL switch platform.
Path MTU, in accordance with RFC 1981, defines the largest packet size that can traverse a transmission
path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the
largest MTU along the path from source to destination and avoid the need to fragment the packet.
The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because
each packet carries more data while protocol overheads (for example, headers) or underlying per-packet
delays remain fixed.
Figure 55. Path MTU Discovery Process
IPv6 Neighbor Discovery
IPv6 neighbor discovery protocol (NDP) is supported on the MXL switch platform.
NDP is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of address resolution
protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for
determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the
link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that
become invalid.
NOTE: If a neighboring node does not have an IPv6 address assigned, it must be manually pinged to
allow the IPv6 device to determine the relationship of the neighboring node.
NOTE: To avoid problems with network discovery, Dell Networking recommends configuring the
static route last or assigning an IPv6 address to the interface and assigning an address to the peer
(the forwarding router’s address) less than 10 seconds apart.
With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary
processing by uninterested nodes. With NDP, each node sends a request only to the intended destination
via a multicast address with the unicast address used as the last 24 bits. Other hosts on the link do not
participate in the process, greatly increasing network bandwidth efficiency.
Figure 56. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
With the Dell Networking OS version 8.3.1.0, you can set the MTU advertised through the RA packets to
incoming routers, without altering the actual MTU setting on the interface.
The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For
example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is
set with the mtu command.
Configuring the IPv6 Recursive DNS Server
You can configure up to four Recursive DNS Server (RDNSS) addresses to be distributed via IPv6 router
advertisements to an IPv6 device, using the ipv6 nd dns-server ipv6-RDNSS-address {lifetime
| infinite} command in INTERFACE CONFIG mode.
The lifetime parameter configures the amount of time the IPv6 host can use the IPv6 RDNSS address for
name resolution. The lifetime range is 0 to 4294967295 seconds. When the maximum lifetime value,
4294967295, or the infinite keyword is specified, the lifetime to use the RDNSS address does not
expire. A value of 0 indicates to the host that the RDNSS address should not be used. You must specify a
lifetime using the lifetime or infinite parameter.
The DNS server address does not allow the following:
• link local addresses
• loopback addresses
• prefix addresses
• multicast addresses
• invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Dell(conf-if-te-0/1)#ipv6 nd dns-server ?
X:X:X:X::X
Recursive DNS Server's (RDNSS) IPv6 address
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 ?
<0-4294967295>
Max lifetime (sec) which RDNSS address may be used for
name resolution
infinite
Infinite lifetime (sec) which RDNSS address may be used
for name resolution
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 1
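The RDNSS option that router advertisements carry (RFC 6106 option type 25), as an added Python example that is not part of the Dell documentation: it builds and parses the option, applies the lifetime rules stated above (0 = do not use, 4294967295 or infinite = never expires) and the address restrictions listed above. Reading "prefix addresses" as an address written with a prefix length and "invalid host addresses" as the unspecified address is an assumption, as is emitting one option per configured server (which matches the per-server lifetimes in the debug output below).

```python
import ipaddress
import struct

RDNSS_OPTION_TYPE = 25          # ND option type for RDNSS (RFC 6106)
INFINITE_LIFETIME = 0xFFFFFFFF  # 4294967295, what the infinite keyword sends
MAX_RDNSS_ADDRESSES = 4         # the switch accepts up to four RDNSS addresses


def validate_rdnss_address(text: str) -> ipaddress.IPv6Address:
    """Apply the address restrictions listed above and return the parsed address.
    Assumption: 'prefix addresses' means an address written with a prefix length,
    and 'invalid host addresses' covers unparsable text and the unspecified address."""
    if "/" in text:
        raise ValueError(f"{text}: prefix addresses are not allowed")
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError as exc:
        raise ValueError(f"{text}: invalid host address") from exc
    if addr.is_link_local:
        raise ValueError(f"{text}: link local addresses are not allowed")
    if addr.is_loopback:
        raise ValueError(f"{text}: loopback addresses are not allowed")
    if addr.is_multicast:
        raise ValueError(f"{text}: multicast addresses are not allowed")
    if addr.is_unspecified:
        raise ValueError(f"{text}: invalid host address")
    return addr


def is_valid_rdnss_address(text: str) -> bool:
    try:
        validate_rdnss_address(text)
        return True
    except ValueError:
        return False


def parse_lifetime(value) -> int:
    """Accept an integer 0..4294967295 or the keyword 'infinite'."""
    if value == "infinite":
        return INFINITE_LIFETIME
    lifetime = int(value)
    if not 0 <= lifetime <= INFINITE_LIFETIME:
        raise ValueError(f"lifetime {value} outside 0-{INFINITE_LIFETIME}")
    return lifetime


def build_rdnss_option(servers, lifetime) -> bytes:
    """Encode one RDNSS option: type, length (in 8-octet units), reserved,
    lifetime, then 16 bytes per server address."""
    addrs = [validate_rdnss_address(s) for s in servers]
    if not 1 <= len(addrs) <= MAX_RDNSS_ADDRESSES:
        raise ValueError("an RDNSS option carries 1 to 4 addresses here")
    length = 1 + 2 * len(addrs)
    header = struct.pack("!BBHI", RDNSS_OPTION_TYPE, length, 0, parse_lifetime(lifetime))
    return header + b"".join(a.packed for a in addrs)


def parse_rdnss_option(data: bytes) -> dict:
    """Decode an RDNSS option as a host would and report how the lifetime is
    to be read: 0 means 'do not use this server', 0xFFFFFFFF means 'never expires'."""
    if len(data) < 8:
        raise ValueError("option shorter than its fixed header")
    opt_type, length, _reserved, lifetime = struct.unpack("!BBHI", data[:8])
    if opt_type != RDNSS_OPTION_TYPE:
        raise ValueError(f"not an RDNSS option (type {opt_type})")
    # length is 1 + 2n for n addresses, so it must be odd and at least 3
    if length < 3 or length % 2 == 0 or len(data) < length * 8:
        raise ValueError(f"bad RDNSS option length {length}")
    count = (length - 1) // 2
    servers = [ipaddress.IPv6Address(data[8 + 16 * i: 24 + 16 * i]) for i in range(count)]
    return {
        "lifetime": lifetime,
        "usable": lifetime != 0,
        "expires": lifetime != INFINITE_LIFETIME,
        "servers": servers,
    }


# Constructed sample mirroring the interface configuration shown in this
# chapter: three servers, each with its own lifetime, one option each.
SAMPLE_CONFIG = [("1000::1", 1), ("3000::1", 1), ("2000::1", 0)]


def sample_options() -> list:
    return [parse_rdnss_option(build_rdnss_option([addr], lt)) for addr, lt in SAMPLE_CONFIG]


if __name__ == "__main__":
    for opt in sample_options():
        for server in opt["servers"]:
            print(f"dns-server={server}, lifetime={opt['lifetime']} sec, usable={opt['usable']}")
```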
Debugging IPv6 RDNSS Information Sent to the Host
To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6
nd command in EXEC Privilege mode.
Example of Debugging IPv6 RDNSS Information Sent to the Host
The following example debugs IPv6 RDNSS information sent to the host.
Dell(conf-if-te-0/1)#do debug ipv6 nd tengigabitethernet 0/1
ICMPv6 Neighbor Discovery packet debugging is on for tengigabitethernet 0/1
Dell(conf-if-te-0/1)#00:13:02 : : cp-ICMPV6-ND: Sending RA on Te 0/1
current hop limit=64, flags: M-, O-,
router lifetime=1800 sec, reachable time=0 ms, retransmit time=0 ms
SLLA=00:01:e8:8b:75:70
prefix=1212::/64 on-link autoconfig
valid lifetime=2592000 sec, preferred lifetime=604800 sec
dns-server=1000::0001, lifetime=1 sec
dns-server=3000::0001, lifetime=1 sec
dns-server=2000::0001, lifetime=0 sec
The last 3 lines indicate that the IPv6 RDNSS information was configured correctly.
dns-server=1000::0001, lifetime=1 sec
dns-server=3000::0001, lifetime=1 sec
dns-server=2000::0001, lifetime=0 sec
If the DNS server information is not displayed, verify that the IPv6 recursive DNS server configuration was
configured on the correct interface.
Displaying IPv6 RDNSS Information
To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6
interface command in EXEC or EXEC Privilege mode.
Examples of Displaying IPv6 RDNSS Information
The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the
IPv6 RDNSS was correctly configured on interface te 0/1.
Dell#show ipv6 interface te 0/1
TenGigabitEthernet 0/1 is up, line protocol is up
IPV6 is enabled
Link Local address: fe80::201:e8ff:fe8b:7570
Global Unicast address(es):
1212::12, subnet is 1212::/64 (MANUAL)
Remaining lifetime: infinite
Global Anycast address(es):
Joined Group address(es):
ff02::1
ff02::2
ff02::1:ff00:12
ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server address is 1000::1 with lifetime of 1 seconds
ND dns-server address is 3000::1 with lifetime of 1 seconds
ND dns-server address is 2000::1 with lifetime of 0 seconds
To display IPv6 RDNSS information, use the show configuration command in INTERFACE CONFIG mode.
The following example uses the show configuration command to display IPv6 RDNSS information.
Dell(conf-if-te-0/1)#show configuration
!
interface TenGigabitEthernet 0/1
no ip address
ipv6 address 1212::12/64
ipv6 nd dns-server 1000::1 1
ipv6 nd dns-server 3000::1 1
ipv6 nd dns-server 2000::1 0
no shutdown
IPv6 Multicast
IPv6 multicast is supported on the MXL switch platform.
The Dell Networking OS supports the following protocols to implement IPv6 multicast routing:
• Multicast listener discovery protocol (MLD) — MLD on a multicast router sends out periodic general MLD queries that the switch forwards through all ports in the VLAN. There are two versions of MLD: MLD version 1 is based on version 2 of the Internet group management protocol (IGMP) for IPv4; MLD version 2 is based on version 3 of IGMP for IPv4. IPv6 multicast for the Dell Networking OS supports versions 1 and 2.
• Protocol-independent multicast-sparse mode (PIM-SM) — PIM-SM is a multicast protocol in which multicast receivers explicitly join to receive multicast traffic. The protocol uses a router as the root or rendezvous point (RP) of the shared distribution tree to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) are sent towards the RP, and data is sent from senders to the RP so that receivers can discover who the senders are and begin receiving traffic destined to the multicast group.
For more information, refer to the Neighbor Discovery Protocol (NDP), Multicast IPv6, and Protocol
Independent Multicast (IPv6) chapters in the Dell Networking OS Command Line Interface Reference
Guide.
Secure Shell (SSH) Over an IPv6 Transport
IPv6 secure shell (SSH) is supported on the MXL switch platform.
The Dell Networking OS supports both inbound and outbound SSH sessions using IPv6 addressing.
Inbound SSH supports accessing the system through the management interface as well as through a
physical Layer 3 interface.
For SSH configuration details, refer to the Security chapter in the Dell Networking OS Command Line
Interface Reference Guide.
Configuration Task List for IPv6
The following are configuration tasks for the IPv6 protocol.
• Adjusting Your CAM-Profile
• Assigning an IPv6 Address to an Interface
• Assigning a Static IPv6 Route
• Configuring Telnet with IPv6
• SNMP over IPv6
• Showing IPv6 Information
• Clearing IPv6 Routes
Adjusting Your CAM-Profile
The cam-acl command is supported on the MXL switch platform.
Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust
your CAM settings.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16
FP blocks, but the System Flow requires three blocks that cannot be reallocated.
You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use
either even or odd-numbered ranges.
The default option sets the CAM Profile as follows:
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings.
• Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount.
CONFIGURATION mode
cam-acl { ipv6acl }
When not selecting the default option, enter all of the profiles listed and a range for each.
The total space allocated must equal 13.
The ipv6acl range must be a factor of 2.
• Show the current CAM settings.
EXEC mode or EXEC Privilege mode
show cam-acl
• Provides information on FP groups allocated for the egress acl.
CONFIGURATION mode
show cam-acl-egress
Allocate at least one group for L2ACL and IPv4 ACL.
The total number of groups is 4.
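The allocation rules above (13 user FP blocks out of 16, ipv6acl in steps of 2, the default profile, and the egress-group rule), checked by an added Python validator that is not part of the Dell documentation. It takes a dictionary keyed by the profile names the cam-acl command uses; the rebalance helper is an illustration of planning a new profile before entering it, not a switch command, and the egress check assumes any group names other than l2acl and ipv4acl simply count toward the total of 4.

```python
FP_BLOCKS_TOTAL = 16
FP_BLOCKS_SYSTEM_FLOW = 3                               # reserved, cannot be reallocated
FP_BLOCKS_USER = FP_BLOCKS_TOTAL - FP_BLOCKS_SYSTEM_FLOW  # 13 blocks to distribute

CAM_PROFILES = ("ipv4acl", "l2acl", "ipv6acl", "ipv4qos", "l2qos")
DEFAULT_CAM_PROFILE = {"ipv4acl": 6, "l2acl": 5, "ipv6acl": 0, "ipv4qos": 1, "l2qos": 1}
IPV6ACL_ALLOWED = (0, 2, 4, 6, 8, 10)  # ipv6acl is entered in steps of 2; 0 is the default

EGRESS_GROUPS_TOTAL = 4
EGRESS_REQUIRED = ("l2acl", "ipv4acl")  # each needs at least one egress group


def validate_cam_profile(alloc: dict) -> list:
    """Return the rule violations for a cam-acl allocation (an empty list means valid)."""
    errors = []
    for name in CAM_PROFILES:
        if name not in alloc:
            errors.append(f"{name}: missing (every profile must be given a range)")
    for name, blocks in alloc.items():
        if name not in CAM_PROFILES:
            errors.append(f"{name}: unknown profile")
        elif not isinstance(blocks, int) or blocks < 0:
            errors.append(f"{name}: allocation must be a non-negative block count")
    if errors:
        return errors
    if alloc["ipv6acl"] not in IPV6ACL_ALLOWED:
        errors.append(f"ipv6acl: {alloc['ipv6acl']} is not a multiple of 2 in 0-10")
    total = sum(alloc.values())
    if total != FP_BLOCKS_USER:
        errors.append(f"total {total} FP blocks allocated, must equal {FP_BLOCKS_USER}")
    return errors


def rebalance_for_ipv6acl(alloc: dict, ipv6acl_blocks: int, take_from: str = "ipv4acl") -> dict:
    """Hypothetical planning helper: grant ipv6acl_blocks to ipv6acl by moving the
    difference out of one other profile. Run validate_cam_profile on the result;
    taking more than the donor holds shows up there as a negative allocation."""
    new = dict(alloc)
    delta = ipv6acl_blocks - new["ipv6acl"]
    new["ipv6acl"] = ipv6acl_blocks
    new[take_from] -= delta
    return new


def validate_egress_groups(egress: dict) -> list:
    """Check the show cam-acl-egress rule: at least one group each for L2ACL and
    IPv4 ACL, and four groups in total."""
    errors = []
    for name in EGRESS_REQUIRED:
        if egress.get(name, 0) < 1:
            errors.append(f"{name}: at least one egress group is required")
    total = sum(egress.values())
    if total != EGRESS_GROUPS_TOTAL:
        errors.append(f"total {total} egress groups, must equal {EGRESS_GROUPS_TOTAL}")
    return errors


if __name__ == "__main__":
    print("default profile:", validate_cam_profile(DEFAULT_CAM_PROFILE) or "ok")
    planned = rebalance_for_ipv6acl(DEFAULT_CAM_PROFILE, 4)
    print("ipv6acl=4 plan:", planned, validate_cam_profile(planned) or "ok")
    print("ipv6acl=3 plan:", validate_cam_profile(rebalance_for_ipv6acl(DEFAULT_CAM_PROFILE, 3)))
```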
Assigning an IPv6 Address to an Interface
IPv6 addresses are supported on the MXL switch platform.
Essentially, IPv6 is enabled in the Dell Networking OS simply by assigning IPv6 addresses to individual
router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage
carefully. To assign an IPv6 address to an interface, use the ipv6 address command.
You can configure up to two IPv6 addresses on management interfaces, allowing required default router
support on the management port that is acting as host, per RFC 4861. Data ports support more than two
IPv6 addresses.
When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the
configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed
for each IPv6 interface.
• Enter the IPv6 Address for the device.
CONFIG-INTERFACE mode
ipv6 address ipv6 address/mask
– ipv6 address: x:x:x:x::x
– mask: The prefix length is from 0 to 128
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate
each group by a colon (:). Omitting zeros is accepted as described in Addressing.
Assigning a Static IPv6 Route
IPv6 static routes are supported on the MXL switch platform.
To configure IPv6 static routes, use the ipv6 route command.
NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the
forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the
IPv6 neighbor does not display in the show ipv6 route command output.
• Set up IPv6 static routes.
CONFIGURATION mode
ipv6 route prefix type {slot/port} forwarding router tag
– prefix: IPv6 route prefix
– type {slot/port}: interface type and slot/port
– forwarding router: forwarding router’s address
– tag: route tag
Enter the keyword interface then the type of interface and slot/port information:
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a Loopback interface, enter the keyword loopback then the loopback number.
– For a port-channel interface, enter the keywords port-channel then the port-channel number.
– For a VLAN interface, enter the keyword vlan then the VLAN ID.
– For a Null interface, enter the keyword null then the Null interface number.
Configuring Telnet with IPv6
IPv6 telnet is supported on the MXL switch platform.
The Telnet client and server in the Dell Networking OS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router.
NOTE: Telnet to link local addresses is supported on the MXL switch.
• Enter the IPv6 Address for the device.
EXEC mode or EXEC Privileged mode
telnet ipv6 address
– ipv6 address: x:x:x:x::x
– mask: prefix length is from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where
each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
SNMP over IPv6
The simple network management protocol (SNMP) is supported on the MXL switch platform.
You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running IPv6. The Dell Networking OS snmp-server commands have been extended to support IPv6. For more information regarding SNMP commands, refer to the SNMP and SYSLOG chapters in the Dell Networking OS Command Line Interface Reference Guide.
• snmp-server host
• snmp-server user ipv6
• snmp-server community ipv6
• snmp-server community access-list-name ipv6
• snmp-server group ipv6
• snmp-server group access-list-name ipv6
Showing IPv6 Information
All of the following show commands are supported on the MXL switch platform.
View specific IPv6 configuration with the following commands.
• List the IPv6 show options.
EXEC mode or EXEC Privileged mode
show ipv6 ?
Example of show ipv6 Command Options
Dell#show ipv6 ?
accounting     IPv6 accounting information
cam            IPv6 CAM Entries
fib            IPv6 FIB Entries
interface      IPv6 interface information
mbgproutes     MBGP routing table
mld            MLD information
mroute         IPv6 multicast-routing table
neighbors      IPv6 neighbor information
ospf           OSPF information
pim            PIM V6 information
prefix-list    List IPv6 prefix lists
route          IPv6 routing information
rpf            RPF table
Dell#
Showing an IPv6 Interface
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
EXEC mode
show ipv6 interface type {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
– For a brief summary of IPv6 status and configuration, enter the keyword brief.
– For all IPv6 configured interfaces, enter the keyword configured.
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a loopback interface, enter the keyword loopback then the loopback number.
– For a port-channel interface, enter the keywords port-channel then the port-channel number.
– For a VLAN interface, enter the keyword vlan then the VLAN ID.
Showing IPv6 Routes
To view the global IPv6 routing information, use the following command.
• Show IPv6 routing information for the specified route type.
EXEC mode
show ipv6 route type
The following keywords are available:
– To display information about a network, enter ipv6 address (X:X:X:X::X).
– To display information about a host, enter hostname.
– To display information about all IPv6 routes (including non-active routes), enter all.
– To display information about all connected IPv6 routes, enter connected.
– To display a brief summary of all IPv6 routes, enter summary.
– To display information about Border Gateway Protocol (BGP) routes, enter bgp.
– To display information about ISO IS-IS routes, enter isis.
– To display information about Open Shortest Path First (OSPF) routes, enter ospf.
– To display information about Routing Information Protocol (RIP), enter rip.
– To display information about static IPv6 routes, enter static.
– To display information about an IPv6 prefix list, enter list and the prefix-list name.
Example of the show ipv6 route summary Command
Dell#show ipv6 route summary
Route Source    Active Routes    Non-active Routes
connected       5                0
static          0                0
Total           5                0
Example of the show ipv6 route Command
Dell#show ipv6 route
Codes: C - connected, L - local, S - static, R - RIP,
B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
Destination          Dist/Metric, Gateway, Last Change
-----------------------------------------------------
C   2001::/64 [0/0]
      Direct, Gi 1/1, 00:28:49
C   2002::/120 [0/0]
      Direct, Gi 1/1, 00:28:49
C   2003::/120 [0/0]
      Direct, Gi 1/1, 00:28:49
Example of the show ipv6 route static Command
Dell#show ipv6 route static
Destination          Dist/Metric, Gateway, Last Change
-----------------------------------------------------
S   8888:9999:5555:6666:1111:2222::/96 [1/0]
      via 2222:2222:3333:3333::1, Gi 9/1, 00:03:16
S   9999:9999:9999:9999::/64 [1/0]
      via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16
Showing the Running-Configuration for an Interface
To view the configuration for any interface, use the following command.
• Show the currently running configuration for the specified interface.
EXEC mode
show running-config interface type {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/ port
information.
– For the Management interface on the RPM, enter the keyword ManagementEthernet then the
slot/port information.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port
information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Example of the show running-config interface Command
Dell#show run int gi 2/2
!
interface GigabitEthernet 2/2
no ip address
ipv6 address 3:4:5:6::8/24
shutdown
Dell#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
EXEC mode
clear ipv6 route {* | ipv6 address prefix-length}
– *: all routes.
– ipv6 address: the format is x:x:x:x::x.
– mask: the prefix length is from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where
each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
25 iSCSI Optimization
The MXL switch enables internet small computer system interface (iSCSI) optimization with default iSCSI
parameter settings and is auto-provisioned to support the following features.
• Detection and Auto-Configuration for Dell EqualLogic Arrays
• Configuring Detection and Ports for Dell Compellent Arrays
To display information on iSCSI configuration and sessions, use the show commands.
iSCSI optimization enables quality-of-service (QoS) treatment for iSCSI traffic.
iSCSI Optimization Overview
iSCSI is a TCP/IP-based protocol for establishing and managing connections between IP-based storage
devices and initiators in a storage area network (SAN).
iSCSI optimization enables the network switch to auto-detect Dell’s iSCSI storage arrays and triggers a
self-configuration of several key network configurations that enables optimization of the network for
better storage traffic throughput.
iSCSI optimization also provides a means of monitoring iSCSI sessions and applying quality of service
(QoS) policies on iSCSI traffic. When enabled, iSCSI optimization allows a switch to monitor (snoop) the
establishment and termination of iSCSI connections. The switch uses the snooped information to detect
iSCSI sessions and connections established through the switch.
iSCSI optimization allows you to reduce deployment time and management complexity in data centers.
In a data center network, Dell EqualLogic and Compellent iSCSI storage arrays are connected to a
converged Ethernet network using the data center bridging exchange protocol (DCBx) through stacked
and/or non-stacked Ethernet switches.
iSCSI session monitoring over virtual link trunking (VLT) synchronizes the iSCSI session information
between the VLT peers, allowing session information to be available in both the VLT peers.
iSCSI optimization functions as follows:
• Auto-detection of EqualLogic storage arrays — the switch detects any active EqualLogic array directly attached to its ports.
• Manual configuration to detect Compellent storage arrays where auto-detection is not supported.
• Automatic configuration of switch ports after detection of storage arrays.
• If you configure flow control, iSCSI uses the current configuration. If you do not configure flow control, iSCSI auto-configures flow control.
• iSCSI monitoring sessions — the switch monitors and tracks active iSCSI sessions in connections on the switch, including port information and iSCSI session information.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets.
• iSCSI DCBx TLVs are supported.
The following illustration shows iSCSI optimization between servers in an M1000e enclosure and a storage array, in which an MXL stack connects installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network. iSCSI optimization running on the MXL is configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on MXL hardware.
Figure 57. iSCSI Optimization Example
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that
trap iSCSI protocol packets to the CPU for examination.
Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets.
When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as
iSCSI traffic.
You can configure the switch to monitor traffic for additional port numbers or a combination of port
number and target IP address, and you can remove the well-known port numbers from monitoring.
Information Monitored in iSCSI Traffic Flows
iSCSI optimization examines the following data in packets and uses the data to track the session and
create the classifier entries that enable QoS treatment.
• Initiator’s IP Address
• Target’s IP Address
• Initiator defined session identifier (ISID)
• Initiator’s iSCSI qualified name (IQN)
• Target’s IQN
• Initiator’s TCP Port
• Target’s TCP Port
If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is
cleared.
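The session tracking described in this section, as an added Python example that is not part of the Dell documentation: packets are classified against a target list that starts with the well-known ports 3260 and 860 (entries with or without a target IP, removable like any other target), the fields listed above are recorded from snooped login messages, and idle sessions are cleared after the default 10-minute aging period. The packet dictionaries are constructed from the show iscsi sessions detailed output later in this chapter, and the kind field standing in for the iSCSI login/logout PDUs the switch inspects is an assumption.

```python
from dataclasses import dataclass, field

DEFAULT_TARGET_PORTS = (3260, 860)   # well-known iSCSI ports monitored by default
DEFAULT_AGING_SECONDS = 10 * 60      # default session aging time: 10 minutes


@dataclass(frozen=True)
class Connection:
    """One TCP connection of a session: the address and port fields the switch tracks."""
    initiator_ip: str
    initiator_port: int
    target_ip: str
    target_port: int


@dataclass
class Session:
    """Session identity (initiator IQN, target IQN, ISID) plus its connections."""
    initiator_iqn: str
    target_iqn: str
    isid: str
    connections: set = field(default_factory=set)
    last_seen: float = 0.0


class IscsiSessionMonitor:
    """Tracks iSCSI sessions from snooped login, logout and data packets.
    Targets are (tcp_port, target_ip_or_None) entries, like the switch's target list."""

    def __init__(self, targets=None, aging_seconds=DEFAULT_AGING_SECONDS):
        self.targets = set(targets) if targets is not None else {(p, None) for p in DEFAULT_TARGET_PORTS}
        self.aging_seconds = aging_seconds
        self.sessions = {}  # (initiator_iqn, target_iqn, isid) -> Session

    def add_target(self, port, ip=None):
        self.targets.add((port, ip))

    def remove_target(self, port, ip=None):
        self.targets.discard((port, ip))

    def classify(self, src_ip, src_port, dst_ip, dst_port):
        """Return (target_ip, target_port, initiator_ip, initiator_port) when the packet
        matches a monitored target in either direction, otherwise None."""
        for port, ip in self.targets:
            if dst_port == port and ip in (None, dst_ip):
                return dst_ip, dst_port, src_ip, src_port
            if src_port == port and ip in (None, src_ip):
                return src_ip, src_port, dst_ip, dst_port
        return None

    def _session_for(self, conn):
        return next((s for s in self.sessions.values() if conn in s.connections), None)

    def observe(self, pkt, now):
        """pkt: dict with src/sport/dst/dport; kind="login" packets also carry
        initiator_iqn, target_iqn and isid; kind="logout" ends the connection."""
        match = self.classify(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if match is None:
            return None  # not iSCSI by the configured targets, so not snooped
        t_ip, t_port, i_ip, i_port = match
        conn = Connection(i_ip, i_port, t_ip, t_port)
        kind = pkt.get("kind", "data")
        if kind == "login":
            key = (pkt["initiator_iqn"], pkt["target_iqn"], pkt["isid"])
            sess = self.sessions.setdefault(key, Session(*key))
            sess.connections.add(conn)
            sess.last_seen = now
            return sess
        sess = self._session_for(conn)
        if sess is None:
            return None  # data or logout for a session whose login was never seen
        if kind == "logout":
            sess.connections.discard(conn)
            if not sess.connections:
                del self.sessions[(sess.initiator_iqn, sess.target_iqn, sess.isid)]
            return None
        sess.last_seen = now
        return sess

    def age_out(self, now):
        """Clear sessions idle for the whole aging period; return the cleared keys."""
        expired = [k for k, s in self.sessions.items() if now - s.last_seen >= self.aging_seconds]
        for key in expired:
            del self.sessions[key]
        return expired


def sample_run():
    """Constructed packets modelled on the show iscsi sessions detailed output."""
    mon = IscsiSessionMonitor()
    login = {"src": "10.10.0.44", "sport": 33345, "dst": "10.10.0.101", "dport": 3260,
             "kind": "login", "isid": "806978696102",
             "initiator_iqn": "iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c",
             "target_iqn": "iqn.2010-11.com.ixia:ixload:iscsi-TG1"}
    mon.observe(login, now=0)
    mon.observe({"src": "10.10.0.101", "sport": 3260, "dst": "10.10.0.44", "dport": 33345}, now=88)
    # Same hosts on TCP 443: not a monitored target port, so it is ignored.
    mon.observe({"src": "10.10.0.44", "sport": 40000, "dst": "10.10.0.101", "dport": 443}, now=90)
    return mon
```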
Detection and Auto-Configuration for Dell EqualLogic Arrays
The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly
connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage
traffic flows.
The MXL uses the link layer discovery protocol (LLDP) to discover Dell EqualLogic devices on the
network. LLDP is enabled by default. For more information about LLDP, refer to Link Layer Discovery
Protocol (LLDP).
The following message displays the first time a Dell EqualLogic array is detected and describes the
configuration changes that are automatically performed:
%STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal
conditions to support iSCSI traffic which will cause some automatic configuration to occur
including jumbo frames and flow-control on all ports; no storm control and spanning-tree port
fast to be enabled on the port of detection.
The following syslog message is generated the first time an EqualLogic array is detected:
%STKUNIT0-M:CP %LLDP-5-LLDP_EQL_DETECTED: EqualLogic Storage Array detected on
interface Te 1/43
• At the first detection of an EqualLogic array, an MTU of 12000 is enabled on all ports and port-channels (if it has not already been enabled).
• Spanning-tree portfast is enabled on the interface LLDP identifies.
• Unicast storm control is disabled on the interface LLDP identifies.
Configuring Detection and Ports for Dell Compellent Arrays
For the best iSCSI traffic conditions, the MXL switch auto-configures a port connected to a Dell Compellent storage array when you configure that port as a Compellent-connected port through the CLI.
The following message displays the first time a Dell Compellent storage array is detected and describes
the configuration changes that are automatically performed:
%STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal
conditions to support iSCSI traffic which will cause some automatic configuration to occur
including jumbo frames and flow-control on all ports; no storm control and spanning-tree port
fast to be enabled on the port of detection.
The MXL switch auto-configures as follows:
• At the first detection, an MTU of 12000 is enabled on all ports and port-channels (if it is not already enabled).
• Spanning-tree portfast is enabled on the interface identified by CLI, if the port is in L2 mode.
• Unicast storm control is disabled on the interface identified by CLI.
iSCSI Optimization: Operation
iSCSI optimization requires LLDP to be enabled. LLDP is enabled by default on the MXL switch.
When the MXL auto-configures with iSCSI enabled, the following actions occur:
• Link-level flow control is enabled on PFC-disabled interfaces.
• iSCSI session snooping is enabled.
• iSCSI LLDP monitoring starts to automatically detect EqualLogic arrays.
The following message displays when you enable iSCSI on a switch and describes the configuration
changes that are automatically performed:
%STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow
control to be enabled on all interfaces. EQL detection and enabling iscsi
profile-compellent on an interface may cause some automatic configurations to
occur like jumbo frames on all ports and no storm control and spanning tree
port-fast on the port of detection.
Default iSCSI Optimization Values
The following table lists the default values for the iSCSI optimization feature.
Table 26. iSCSI Optimization Defaults
Parameter                                        Default Value
iSCSI Optimization global setting                Enabled
iSCSI CoS mode (802.1p priority queue mapping)   Enabled: dot1p priority 4 without the remark setting
iSCSI CoS Treatment                              iSCSI packets are queued based on dot1p instead of DSCP values.
VLAN priority tag                                iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
DSCP                                             None: user-configurable.
Remark                                           Not configured.
iSCSI session aging time                         10 minutes
iSCSI optimization target ports                  iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
iSCSI session monitoring                         Enabled. The CAM allocation for iSCSI is set to two.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
• Display the currently configured iSCSI settings.
show iscsi
• Display information on active iSCSI sessions on the switch.
show iscsi sessions
• Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specified iSCSI session, enter the session’s iSCSI ID.
show iscsi sessions detailed [session isid]
• Display all globally configured non-default iSCSI settings in the current session.
show run iscsi
Example of the show iscsi Command
Dell#show iscsi
iSCSI is enabled
iSCSI session monitoring is disabled
iSCSI COS : dot1p is 4 no-remark
Session aging time: 10
Maximum number of connections is 256
------------------------------------------------
iSCSI Targets and TCP Ports:
------------------------------------------------
TCP Port Target IP Address
3260
860
Example of the show iscsi sessions Command
VLT PEER1
Dell#show iscsi sessions
Session 0:
-----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
VLT PEER2
Session 1:
-----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
Example of the show iscsi sessions detailed Command
Dell#show iscsi sessions detailed
Session 0 :
------------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c
Up Time:00:00:01:28(DD:HH:MM:SS)
Time for aging out:00:00:09:34(DD:HH:MM:SS)
ISID:806978696102
Initiator     Initiator   Target        Target    Connection
IP Address    TCP Port    IP Address    TCPPort   ID
10.10.0.44    33345       10.10.0.101   3260      0
Session 1 :
------------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-35
Up Time:00:00:01:22(DD:HH:MM:SS)
Time for aging out:00:00:09:31(DD:HH:MM:SS)
ISID:806978696102
Initiator     Initiator   Target        Target    Connection
IP Address    TCP Port    IP Address    TCPPort   ID
10.10.0.53    33432       10.10.0.101   3260      0
26 Intermediate System to Intermediate System
Intermediate system to intermediate system (IS-IS) is supported on the MXL switch platform.
• The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
• The IS-IS protocol standards are listed in th