Mellanox MLNX-OS® User Manual for Ethernet

Rev 4.20

Software Version 3.4.300

NOTE:

THIS HARDWARE, SOFTWARE OR TEST SUITE PRODUCT (“PRODUCT(S)”) AND ITS RELATED DOCUMENTATION ARE PROVIDED BY MELLANOX TECHNOLOGIES “AS-IS” WITH ALL FAULTS OF ANY KIND AND SOLELY FOR THE PURPOSE OF AIDING THE CUSTOMER IN TESTING APPLICATIONS THAT USE THE PRODUCTS IN DESIGNATED SOLUTIONS. THE CUSTOMER'S MANUFACTURING TEST ENVIRONMENT HAS NOT MET THE STANDARDS SET BY MELLANOX TECHNOLOGIES TO FULLY QUALIFY THE PRODUCT(S) AND/OR THE SYSTEM USING IT. THEREFORE, MELLANOX TECHNOLOGIES CANNOT AND DOES NOT GUARANTEE OR WARRANT THAT THE PRODUCTS WILL OPERATE WITH THE HIGHEST QUALITY. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL MELLANOX BE LIABLE TO CUSTOMER OR ANY THIRD PARTIES FOR ANY DIRECT, INDIRECT, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING, BUT NOT LIMITED TO, PAYMENT FOR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY FROM THE USE OF THE PRODUCT(S) AND RELATED DOCUMENTATION EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Mellanox Technologies

350 Oakmead Parkway Suite 100

Sunnyvale, CA 94085

U.S.A.

www.mellanox.com

Tel: (408) 970-3400

Fax: (408) 970-3403

Mellanox Technologies, Ltd.

Hakidma 26

Ofer Industrial Park

Yokneam 2069200

Israel

www.mellanox.com

Tel: +972 (0)74 723 7200

Fax: +972 (0)4 959 3245

© Copyright 2015. Mellanox Technologies. All Rights Reserved.

Mellanox®, Mellanox logo, BridgeX®, ConnectX®, Connect-IB®, CoolBox®, CORE-Direct®, GPUDirect®, InfiniBridge®, InfiniHost®, InfiniScale®, Kotura®, Kotura logo, Mellanox Connect. Accelerate. Outperform logo, Mellanox Federal Systems®, Mellanox Open Ethernet®, Mellanox Virtual Modular Switch®, MetroX®, MetroDX®, MLNX-OS®, Open Ethernet logo, PhyX®, ScalableHPC®, SwitchX®, TestX®, The Generation of Open Ethernet logo, UFM®, Virtual Protocol Interconnect®, Voltaire® and Voltaire logo are registered trademarks of Mellanox Technologies, Ltd.

CyPU™, ExtendX™, FabricIT™, FPGADirect™, HPC-X™, Mellanox Care™, Mellanox CloudX™, Mellanox NEO™, Mellanox Open Ethernet™, Mellanox PeerDirect™, NVMeDirect™, StPU™, Switch-IB™, Unbreakable-Link™ are trademarks of Mellanox Technologies, Ltd.

All other trademarks are property of their respective owners.

Mellanox Technologies Confidential Document Number: MLNX-15-1560-ETH

Table of Contents

Document Revision History

About this Manual

Chapter 1 Introduction

1.1 System Features

1.2 Ethernet Features

1.3 Gateway Features

Chapter 2 Getting Started

2.1 Configuring the Switch for the First Time

2.1.1 Re-Running the Wizard

2.2 Starting the Command Line (CLI)

2.3 Starting the Web User Interface

2.4 Licenses

2.4.1 Installing MLNX-OS® License (CLI)

2.4.2 Installing MLNX-OS License (Web)

2.4.3 Retrieving a Lost License Key

2.4.4 Commands

Chapter 3 User Interfaces

3.1 Command Line Interface (CLI) Overview

3.1.1 CLI Modes

3.1.2 Syntax Conventions

3.1.3 Getting Help

3.1.4 Prompt and Response Conventions

3.1.5 Using the “no” Form

3.1.6 Parameter Key

3.1.7 Command Output Filtering

3.2 Web Interface Overview

3.2.1 Setup Menu

3.2.2 System Menu

3.2.3 Security Menu

3.2.4 Ports Menu

3.2.5 Status Menu

3.2.6 ETH Mgmt

3.2.7 IP Route

3.3 Secure Shell (SSH)

3.3.1 Adding a Host and Providing an SSH Key

3.3.2 Retrieving Return Codes when Executing Remote Commands

3.4 Commands

3.4.1 CLI Session

3.4.2 Banner

3.4.3 SSH

3.4.4 Remote Login

3.4.5 Web Interface

Chapter 4 System Management

4.1 Management Interface

4.1.1 Configuring Management Interfaces with Static IP Addresses

4.1.2 Configuring IPv6 Address on the Management Interface

4.1.3 Dynamic Host Configuration Protocol (DHCP)

4.1.4 Default Gateway

4.1.5 In-Band Management

4.1.6 Commands

4.2 NTP, Clock & Time Zones

4.2.1 Commands

4.3 Software Management

4.3.1 Upgrading MLNX-OS Software

4.3.2 Upgrading MLNX-OS HA Groups

4.3.3 Deleting Unused Images

4.3.4 Downgrading MLNX-OS Software

4.3.5 Upgrading System Firmware

4.3.6 Image Maintenance via Mellanox ONIE

4.3.7 Commands

4.4 Configuration Management

4.4.1 Saving a Configuration File

4.4.2 Loading a Configuration File

4.4.3 Restoring Factory Default Configuration

4.4.4 Managing Configuration Files

4.4.5 Commands

4.5 Logging

4.5.1 Monitor

4.5.2 Remote Logging

4.5.3 Commands

4.6 Debugging

4.6.1 Commands

4.7 Event Notifications

4.7.1 Supported Events

4.7.2 Terminal Notifications

4.7.3 Email Notifications

4.7.4 Commands

4.8 mDNS

4.8.1 Commands

4.9 User Management and Security

4.9.1 User Accounts

4.9.2 Authentication, Authorization and Accounting (AAA)

4.9.3 System Secure Mode

4.9.4 Commands

4.10 Cryptographic (X.509, IPSec)

4.10.1 Commands

4.11 Scheduled Jobs

4.11.1 Commands

4.12 Statistics and Alarms

4.12.1 Commands

4.13 Chassis Management

4.13.1 System Health Monitor

4.13.2 Power Management

4.13.3 Monitoring Environmental Conditions

4.13.4 USB Access

4.13.5 System Reboot

4.13.6 Commands

4.14 Network Management Interfaces

4.14.1 SNMP

4.14.2 XML API

4.14.3 Commands

4.15 Puppet Agent

4.15.1 Setting the Puppet Server

4.15.2 Accepting the Switch Request

4.15.3 Installing Modules on the Puppet Server

4.15.4 Writing Configuration Classes

4.15.5 Supported Configuration Capabilities

4.15.6 Supported Resources for Each Type

4.15.7 Troubleshooting

4.15.8 Commands

4.16 Virtual Machine

4.16.1 Virtual Machine Configuration

4.16.2 Commands

Chapter 5 Ethernet Switching

5.1 Interface

5.1.1 Break-Out Cables

5.1.2 56GbE Link Speed

5.1.3 Transceiver Information

5.1.4 High Power Transceivers

5.1.5 Commands

5.2 Link Aggregation Group (LAG)

5.2.1 Configuring Static Link Aggregation Group (LAG)

5.2.2 Configuring Link Aggregation Control Protocol (LACP)

5.2.3 Commands

5.3 MLAG

5.3.1 MLAG Keepalive and Failover

5.3.2 Unicast and Multicast Sync

5.3.3 MLAG Port Sync

5.3.4 MLAG Virtual System-MAC

5.3.5 Upgrading MLAG Pair

5.3.6 MLAG Configuration

5.3.7 Commands

5.4 VLANs

5.4.1 Configuring Access Mode and Assigning Port VLAN ID (PVID)

5.4.2 Configuring Hybrid Mode and Assigning Port VLAN ID (PVID)

5.4.3 Configuring Trunk Mode VLAN Membership

5.4.4 Configuring Hybrid Mode VLAN Membership

5.4.5 Commands

5.5 QinQ

5.5.1 QinQ Operation Modes

5.5.2 Configuring QinQ

5.5.3 Commands

5.6 MAC Address Table

5.6.1 Configuring Unicast Static MAC Address

5.6.2 MAC Learning Considerations

5.6.3 Commands

5.7 Spanning Tree

5.7.1 Port Priority and Cost

5.7.2 Port Type

5.7.3 BPDU Filter

5.7.4 BPDU Guard

5.7.5 Loop Guard

5.7.6 Root Guard

5.7.7 MSTP

5.7.8 RPVST

5.7.9 Commands

5.8 OpenFlow

5.8.1 Flow Table

5.8.2 Configuring OpenFlow

5.8.3 Commands

5.9 IGMP Snooping

5.9.1 Configuring IGMP Snooping

5.9.2 Defining a Multicast Router Port on a VLAN

5.9.3 IGMP Snooping Querier

5.9.4 Commands

5.10 Link Layer Discovery Protocol (LLDP)

5.10.1 Configuring LLDP

5.10.2 DCBX

5.10.3 Commands

5.11 Quality of Service (QoS)

5.11.1 Priority Flow Control and Link Level Flow Control

5.11.2 Enhanced Transmission Selection (ETS)

5.11.3 Commands

5.12 Access Control List

5.12.1 Configuring Access Control List

5.12.2 ACL Actions

5.12.3 Commands

5.13 Port Mirroring

5.13.1 Mirroring Sessions

5.13.2 Configuring Mirroring Sessions

5.13.3 Verifying Mirroring Sessions

5.13.4 Commands

5.14 sFlow

5.14.1 Flow Samples

5.14.2 Statistical Samples

5.14.3 sFlow Datagrams

5.14.4 Sampled Interfaces

5.14.5 Configuring sFlow

5.14.6 Verifying sFlow

5.14.7 Commands

5.15 Transport Applications

5.15.1 RDMA over Converged Ethernet (RoCE)

5.16 802.1x Protocol

5.16.1 802.1x Operating Modes

5.16.2 Configuring 802.1x

5.16.3 Commands

Chapter 6 IP Routing

6.1 General

6.1.1 IP Interfaces

6.1.2 Equal Cost Multi-Path Routing (ECMP)

6.1.3 Virtual Routing and Forwarding

6.1.4 IPv4 Routing Mode

6.1.5 Commands

6.2 IPv6

6.2.1 Neighbor Discovery Protocol

6.2.2 Configuring IPv6

6.2.3 Commands

6.3 OSPF

6.3.1 Router ID

6.3.2 ECMP

6.3.3 Configuring OSPF

6.3.4 Verifying OSPF

6.3.5 Commands

6.4 BGP

6.4.1 State Machine

6.4.2 Configuring BGP

6.4.3 Verifying BGP

6.4.4 Commands

6.4.5 IP AS-Path Access-List

6.4.6 IP Community-List

6.5 Policy Rules

6.5.1 Route Map

6.5.2 IP Prefix-List

6.6 Multicast (IGMP and PIM)

6.6.1 Basic PIM-SM

6.6.2 Bidirectional PIM

6.6.3 PIM Load-Sharing

6.6.4 Bootstrap Router

6.6.5 Configuring Multicast

6.6.6 Commands

6.7 VRRP

6.7.1 Load Balancing

6.7.2 Configuring VRRP

6.7.3 Verifying VRRP

6.7.4 Commands

6.8 MAGP

6.8.1 MAGP Configuration

6.8.2 Commands

6.9 DHCP Relay

6.9.1 Commands

Appendix A Enhancing System Security According to NIST SP 800-131A

A.1 Overview

A.2 Web Certificate

A.3 SNMP

A.4 SSH

A.5 HTTPS

A.6 LDAP

A.7 Password Hashing

Appendix B Security Vulnerabilities and Exposures

Appendix C UI Changes in Version 3.4.2008

C.1 Interface Addressing Change

C.2 CLI Change

C.3 MIB ifTable Change

C.4 WebUI Ports Page Change

C.5 Interface Speed Configuration Change

C.6 CLI Change

C.7 WebUI Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033

C.8 IB SM Link Speed Change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034

C.9 Multi-ASIC Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035

C.10 CLI Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035

C.11 MIB entPhysicalTable Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037

C.12 MGMT Module Display Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038

C.13 MLNX-OS Image Name Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039

C.14 CLI Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039

C.15 WebUI Status Page Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039

C.16 CPU Module Display Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040


C.17 CLI Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040

C.18 WebUI System Inventory Page Change . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041


List of Tables

Table 1 -Reference Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Table 2 -Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Table 3 -General System Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Table 4 -Ethernet Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 5 -Gateway Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 6 -Serial Terminal Program Configuration for x86 Based Systems . . . . . . . . . . . . . . 32

Table 7 -Serial Terminal Program Configuration for PPC Based Systems . . . . . . . . . . . . . 32

Table 8 -Configuration Wizard Session - IP Configuration by DHCP . . . . . . . . . . . . . . . . . 33

Table 9 -Configuration Wizard Session - IP Zeroconf Configuration . . . . . . . . . . . . . . . . . 35

Table 10 -Configuration Wizard Session - Static IP Configuration . . . . . . . . . . . . . . . . . . . 36

Table 11 -MLNX-OS Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Table 12 -CLI Modes and Config Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Table 13 -Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Table 14 -Angled Brackets Parameter Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Table 15 -WebUI Setup Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Table 16 -WebUI System Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Table 17 -WebUI Security Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 18 -WebUI Ports Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 19 -WebUI Status Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Table 20 -WebUI ETH Mgmt Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Table 21 -WebUI IP Route Submenus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Table 22 -Supported Event Notifications and MIB Mapping . . . . . . . . . . . . . . . . . . . . . . . 257

Table 23 -User Roles (Accounts) and Default Passwords . . . . . . . . . . . . . . . . . . . . . . . . . 282

Table 24 -Chassis Manager Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Table 25 -System Health Monitor Alerts Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Table 26 -LWR Configuration Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Table 27 -Standard MIBs – Textual Conventions and Conformance MIBs . . . . . . . . . . . . 403

Table 28 -Standard MIBs – Chassis and Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Table 29 -Private MIBs Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Table 30 -SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Table 31 -Supported SET OIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Table 32 -Ethernet, Port-Channel, and InfiniBand Interface Capabilities . . . . . . . . . . . . . 433

Table 33 -VLAN Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Table 34 -L2 Ethernet and Port-Channel Interface Capabilities . . . . . . . . . . . . . . . . . . . . . 434

Table 35 -LAG Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434


Table 36 -L3 Interface Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Table 37 -OSPF Interface Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Table 38 -OSPF Area Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Table 39 -Router OSPF Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Table 40 -Protocol Enable/Disable Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Table 41 -Fetched Image Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Table 42 -Installed Image Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

Table 43 -Fetched Image Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

Table 44 -Key for Port Splitting Figure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Table 45 -Port Splitting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Table 46 -Supported VLANs by RPVST per Switch System . . . . . . . . . . . . . . . . . . . . . . 563

Table 47 -Mirroring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669

Table 48 -List of Statistical Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683

Table 49 -Common Vulnerabilities and Exposures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014


List of Figures

Figure 1: Managing an Ethernet Fabric Using MLNX-OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 2: Console Ports SX10xx Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Figure 3: MLNX-OS Login Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 4: EULA Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 5: Welcome Popup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 6: Display After Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 7: No Licenses Installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Figure 8: Enter License Key(s) in Text Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 9: Installed License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 10: WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 11: SX65xx Downgrade Attention Sticker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Figure 12: Accepting an Agent Request through the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Figure 13: Break-Out Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Figure 14: Port Splitting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Figure 15: Basic MLAG Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

Figure 16: Basic MLAG Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Figure 17: MAC Learning Disable Example Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553

Figure 18: RPVST Network Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562

Figure 19: RPVST and RSTP Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

Figure 20: Overview of Mirroring Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Figure 21: Mirror to Analyzer Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Figure 22: Header Format Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671

Figure 23: Mirroring Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Figure 24: sFlow Functionality Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683

Figure 25: RoCEv2 and RoCE Frame Format Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698

Figure 26: RoCEv2 Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699

Figure 27: ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723

Figure 28: Multiple Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724

Figure 29: IPv6 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767

Figure 30: OSPF Basic Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797

Figure 31: Basic BGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836

Figure 32: Common VRRP Configuration with Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . 976

Figure 33: 1U MIB ifTable Before Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031

Figure 34: 1U MIB ifTable After Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031

Figure 35: Director Switch MIB ifTable Before Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032


Figure 36: Director Switch MIB ifTable After Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032

Figure 37: Ports WebUI Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034

Figure 38: MIB entPhysicalTable Before Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037

Figure 39: MIB entPhysicalTable After Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038

Figure 40: Status WebUI Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040

Figure 41: System Inventory WebUI Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041


Document Revision History

Rev 4.20 – August 16, 2015

Added:

Section 4.3.6, “Image Maintenance via Mellanox ONIE,” on page 175

Section 4.9.3, “System Secure Mode,” on page 284

• the command

“system secure-mode enable” on page 327

• the command

“show system secure-mode” on page 328

• the command

“switchport dot1q-tunnel qos-mode” on page 545

Section 5.5, “QinQ,” on page 549

• the command

“dot1x host-mode” on page 707

• the command

“show ip route” on page 754

• the command

“vlan-pop” on page 663

• the command

“vlan-push” on page 664

Updated:

Table 8, “Configuration Wizard Session - IP Configuration by DHCP,” on page 33

Section 2.4, “Licenses,” on page 40

• the command

“ssh server host-key” on page 77

• notes of the command

“aaa authorization” on page 300

Table 25, “System Health Monitor Alerts Scenarios,” on page 371

• the command

“show module” on page 389

• the command

“snmp-server user” on page 424

Section 5.1.2, “56GbE Link Speed,” on page 474

• the command

“switchport mode” on page 543

• the command

“ip ospf authentication-key” on page 824

• the command

“neighbor password” on page 866

• the command

“neighbor peer-group” on page 867

Appendix B, “Security Vulnerabilities and Exposures” on page 1014

Rev 4.10 – June 11, 2015

Added:

Section 2.1, “Configuring the Switch for the First Time,” on page 31 with MLNX-OS® Boot Menu step

• the command

“ssh server security strict” on page 82

• the command

“ssh server tcp-forwarding enable” on page 83

Section 4.1.5, “In-Band Management,” on page 110

This feature can now be enabled with IP Routing. Also updated the flow of setting an in-band management channel.


• the command

“show module” on page 389

Section 5.1.1, “Break-Out Cables,” on page 471

• the command

“ip address dhcp” on page 484

• the command

“ip address dhcp” on page 502

Section 5.3.4, “MLAG Virtual System-MAC,” on page 515

Section 5.3.5, “Upgrading MLAG Pair,” on page 515

Section 5.16, “802.1x Protocol,” on page 702

Section 6.1.3, “Virtual Routing and Forwarding,” on page 724

• the command

“ip l3” on page 726

• the command

“vrf definition” on page 727

• the command

“routing-context vrf” on page 728

• the command

“description” on page 730

• the command

“rd” on page 731

• the command

“vrf forwarding” on page 732

• the command

“show routing-context vrf” on page 734

• the command

“show vrf” on page 735

• the command

“ip address dhcp” on page 740

Section 6.2, “IPv6,” on page 766

commands by adding loopback interface configuration mode to the commands

Section 6.6.3, “PIM Load-Sharing,” on page 930

• the command

“ip pim multipath rp” on page 948

Appendix C,“UI Changes in Version 3.4.2008,” on page 1030

Updated:

• the command

“tcpdump” on page 158

Section 4.3.1, “Upgrading MLNX-OS Software,” on page 166 with HA group note

Section 4.3.2, “Upgrading MLNX-OS HA Groups,” on page 169

• the command

“show inventory” on page 388

• the command

“show asic-version” on page 391

Section 5.3.1, “MLAG Keepalive and Failover,” on page 515

Step 10 in Section 5.3.6, “MLAG Configuration,” on page 516

• the example of the command

“upgrade-timeout” on page 531

• the command

“ip routing” on page 729

• the command

“show ip routing” on page 733

• the command

“show ip interface” on page 747

• the command

“interface loopback” on page 748 “id” parameter range

• the command

“ip route” on page 752

• the command

“show ip route” on page 754

• the command

“clear ip arp” on page 759


• the command

“show ip arp” on page 760

• the command

“ping” on page 761

• the command

“traceroute” on page 762

• the command

“tcpdump” on page 764

Removed:

• the command “interface vlan create” from

Section 4.1.6, “Commands,” on page 112

• the command “ipv6 dhcp client”

• Section B.9, “Security Vulnerabilities and Exposures,” on page 1330 and added it to the

RN

Split:

• the command “ipv6 dhcp”

Rev 3.70 – March 19, 2015

Updated:

• the command “speed” on page 1065

• the command “show interfaces ib” on page 1071

• the command “show interfaces ib status” on page 1072

Rev 3.70 – March 19, 2015

No changes

Rev 3.60 – March 05, 2015

Added:

• MLAG configuration

Step 10

• the command

“system-mac” on page 530

• the command

“upgrade-timeout” on page 531

Section 5.7.4, “BPDU Guard,” on page 561

Updated:

• MLAG configuration verification

Step 1

with system MAC and upgrade timeout

• the command

“show mlag” on page 532

Table 46, “Supported VLANs by RPVST per Switch System,” on page 563

Rev 3.60 – March 05, 2015

No changes

Rev 3.50 – February 24, 2015

Added:

• the command

“show version concise” on page 385


Updated:

• the command

“show uboot” on page 386

Rev 3.40 – February 11, 2015

Added:

• “List of Tables” and “List of Figures” Sections

Updated Section 2.4, “Licenses,” on page 40

• the command

“license delete” on page 47

• the command

“license install” on page 48

• the command

“telnet” on page 91

• the command

“terminal” on page 68

• the command

“web cache-enable” on page 95

• the command

“ip default-gateway” on page 114

• the command

“boot system” on page 179

• the command

“configuration write” on page 214

• the command

“logging trap” on page 234

• the command

“email autosupport enable” on page 261

• the command

“email autosupport event” on page 262

• the command

“crypto ipsec ike” on page 330

• the command

“lacp-individual enable” on page 501

• the command

“show interfaces port-channel” on page 509

• the command

“show interfaces port-channel compatibility-parameters” on page 510

• the command

“show interfaces port-channel load-balance” on page 511

• the command

“show interfaces port-channel summary” on page 512

Section 5.7.8, “RPVST,” on page 562

• the command

“spanning-tree vlan forward-time” on page 584

• the command

“spanning-tree vlan hello-time” on page 585

• the command

“spanning-tree vlan max-age” on page 586

• the command

“spanning-tree vlan priority” on page 587

• the command

“show spanning-tree vlan” on page 593

Section 6.2, “IPv6,” on page 766

• the command

“auto-cost reference-bandwidth” on page 805

• the command “show ip multicast interface proxy-arp” on page 1326

Updated:

Section 2.3, “Starting the Web User Interface,” on page 38

• the command

“image options” on page 185

• the command

“reload” on page 195


Section 4.5.2, “Remote Logging,” on page 218

• the command

“logging debug-files” on page 221

Section 4.6.1, “Commands,” on page 238

Section 4.9.1, “User Accounts,” on page 282

• the command

“username” on page 286

• the command

“aaa authentication attempts track” on page 293

• the command

“radius-server host” on page 305

• the command

“tacacs-server host” on page 309

Table 25, “System Health Monitor Alerts Scenarios,” on page 371

• the command

“snmp-server auto-refresh” on page 414

• the command

“snmp-server user” on page 424

• the command

“show interfaces ethernet [<inf>] description” on page 489

• the command

“show interfaces ethernet [<inf>] status” on page 490

• the command

“show interfaces port-channel summary” on page 512

• the command

“show interfaces mlag-port-channel summary” on page 535

• the command

“spanning-tree mode” on page 566

• the command

“show spanning-tree” on page 588

• the command

“show spanning-tree detail” on page 589

• the command

“show spanning-tree interface” on page 590

• the command

“show spanning-tree mst” on page 591

• the command

“show spanning-tree root” on page 592

Section 5.9.2, “Defining a Multicast Router Port on a VLAN,” on page 603

• the command

“dcb application-priority” on page 631

• the command

“dcb priority-flow-control enable” on page 650

Section 5.14.1, “Flow Samples,” on page 683

• the command

“ip arp timeout” on page 758

• the command

“redistribute” on page 807

Rev 3.30 – November 19, 2014

Added:

Section 5.1.4, “High Power Transceivers,” on page 476

Updated:

the command “web https” on page 102

the command “show interfaces ethernet” on page 486

the command “show interfaces ethernet [<inf>] transceiver” on page 491

• the command

“dcb application-priority” on page 631

Section A.5, “HTTPS,” on page 1010

Section A.7, “Password Hashing,” on page 1013


Rev 3.20 – November 09, 2014

Added:

Section 4.16, “Virtual Machine,” on page 446

Section 5.6.2, “MAC Learning Considerations,” on page 553

• the command

“mac-learning disable” on page 556

Section 6.1.4, “IPv4 Routing Mode,” on page 725

Appendix A, “Enhancing System Security According to NIST SP 800-131A,” on page 1008

Updated:

Section 1.2, “Ethernet Features,” on page 29

Section 3.2, “Web Interface Overview,” on page 56

• the command

“reset factory” on page 196

Section 4.14.1.7, “SNMP SET Operations,” on page 408

• the command

“interface port-channel” on page 495

• the command

“show lacp interfaces neighbor” on page 505

Section 5.3, “MLAG,” on page 513

the command “mlag-channel-group mode” on page 527

the command “show mlag statistics” on page 536

• the command

“ip icmp redirect” on page 746

Section 6.4, “BGP,” on page 836

Section 6.7.2, “Configuring VRRP,” on page 977

Replaced:

• the command “show lacp interfaces port-channel” with the command

“show lacp” on page 507

the command “show lacp system-identifier” with the command “show lacp interfaces system-identifier” on page 508

Rev 3.10 – July 20, 2014

Added:

Section 5.15, “Transport Applications,” on page 698

Section 6.1.1, “IP Interfaces,” on page 720

Section 6.4, “BGP,” on page 836

• the command

“show ip pim upstream joins” on page 957

Updated:

Chapter 1, “Introduction” on page 28

Section 4.14.1.8, “IF-MIB and Interface Information,” on page 412

Section 4.14.2, “XML API,” on page 413

• MAC addresses note in

Section 5.3, “MLAG,” on page 513


Chapter 6, “IP Routing” on page 720

with the appropriate configuration modes for the new configuration contexts and commands added

• the command

“route-map” on page 897

• the command

“continue <sequence-number>” on page 898

• the command

“abort” on page 899

• the command

“exit” on page 900

Section 6.6, “Multicast (IGMP and PIM),” on page 929

• the command

“ip pim join-prune-interval” on page 945

• the command

“show ip pim bsr” on page 951

• the command

“show ip mroute” on page 961

Rev 3.00 – June 05, 2014

Updated:

Section 6.6, “Multicast (IGMP and PIM),” on page 929

Section 6.7.3, “Verifying VRRP,” on page 978

Rev 2.90 – 19 May, 2014

Added:

Section 6.6, “Multicast (IGMP and PIM),” on page 929

Updated:

• the command

“show configuration” on page 216

• the command

“show uboot” on page 386

• the command

“show voltage” on page 395

Section 5.3, “MLAG,” on page 513

• the command

“show mlag” on page 532

Section 6.1.5.2, “IP Interfaces,” on page 736

Section 6.1.5.4, “Loopback Interface,” on page 748

Rev 2.80 – May 08, 2014

Added:

supported versions note in Section 5.9, “IGMP Snooping,” on page 603

Section 6.7, “VRRP,” on page 976

Section 6.8, “MAGP,” on page 991

Section 6.9, “DHCP Relay,” on page 999

Rev 2.70 – April 30, 2014

Added:

Appendix A, “Enhancing System Security According to NIST SP 800-131A,” on page 1008


supported versions note in Section 5.9, “IGMP Snooping,” on page 603

Updated:

• the command

“show ssh server” on page 90

• the command

“web auto-logout” on page 94

• the command

“web https” on page 102

• the command

“show web” on page 108

• the command

“show usernames” on page 288

• the command

“ldap base-dn” on page 312

• the command

“ldap ssl” on page 322

Rev 2.60 – April 10, 2014

Updated:

Table 29, “Private MIBs Supported,” on page 405

Rev 2.50 – April 2014

Updated:

Section 3.1.7, “Command Output Filtering,” on page 55

• the command

“show protocols” on page 401

• the command

“show mac-address-table” on page 558

• the command

“deny/permit (MAC ACL rule)” on page 658

• the command

“show mac/ipv4 access-lists” on page 666

Added:

Section 5.3, “MLAG,” on page 513

• configuration mode Config Interface MLAG Port Channel to the following commands:

“flowcontrol” on page 478

“mtu” on page 479

“shutdown” on page 480

“description” on page 481

“speed” on page 482

“load-interval” on page 483

“clear counters” on page 485

“switchport mode” on page 543

“switchport access” on page 546

“spanning-tree port-priority” on page 570

“spanning-tree cost” on page 571

“spanning-tree port type” on page 572

“spanning-tree guard” on page 573

“ip igmp snooping fast-leave” on page 609


“dcb priority-flow-control mode on” on page 652

“ipv4/mac port access-group” on page 657

“sflow enable (interface)” on page 696

Rev 2.40 – February, 2014

Updated:

Section 4.3.5.2, “Importing Firmware and Changing the Default Firmware,” on page 174

– updated Step 1

• the command

“show running-config” on page 217

• the command

“show log” on page 236

Section 4.10, “Cryptographic (X.509, IPSec),” on page 329

Section 5.2.1, “Configuring Static Link Aggregation Group (LAG),” on page 493 – removed unnecessary step

• the command

“lldp tlv-select” on page 630

• the command

“show lldp interface” on page 633

Added:

Section 3.1.7, “Command Output Filtering,” on page 55

FCoE and SX1700 GW license in Section 2.4, “Licenses,” on page 40

Section 4.14.1.8, “IF-MIB and Interface Information,” on page 412

Rev 2.30 – January, 2014

Updated:

Section 4.15.4, “Writing Configuration Classes,” on page 431

• the command

“crypto certificate generation” on page 335

• the command

“crypto certificate name” on page 336

Rev 2.20 – January, 2014

Updated:

Section 4.15.5.11, “Installed Image Capabilities,” on page 437

Rev 2.10 – January, 2014

Added:

Section 4.13.2.1, “Width Reduction Power Saving,” on page 372

Updated:

Section 2.2, “Starting the Command Line (CLI),” on page 37

Section 2.3, “Starting the Web User Interface,” on page 38

Section 4.3.1, “Upgrading MLNX-OS Software,” on page 166 with EULA note

Section 4.15, “Puppet Agent,” on page 430

• the command

“load-interval” on page 483

with Config Interface Port Channel


• the command “spanning-tree port-priority” on page 570 with Config Interface Port Channel

Section 5.8, “OpenFlow,” on page 594

• the command

“openflow description” on page 597

• the command

“show openflow” on page 602

• the command “switchport {hybrid, trunk} allowed-vlan” on page 547 with Config Interface Port Channel

• the command

“spanning-tree cost” on page 571

with Config Interface Port Channel

• the command

“spanning-tree port type” on page 572

with Config Interface Port Channel

• the command

“spanning-tree guard” on page 573

with Config Interface Port Channel

• the command

“spanning-tree bpdufilter” on page 574

with Config Interface Port Channel

• the command

“deny/permit (IPv4 ACL rule)” on page 659

• the command

“sflow enable (interface)” on page 696

with Config Interface Port Channel

Section 6.3, “OSPF,” on page 796

• the command

“router-id” on page 803

Rev 2.00 – December 2013

Added:

Section 5.1.3, “Transceiver Information,” on page 476

• the command

“run-interval” on page 442

Updated:

Section 4.3.1, “Upgrading MLNX-OS Software,” on page 166

Section 4.3.3, “Deleting Unused Images,” on page 170

Section 4.6, “Debugging,” on page 237

the example of the command “show cpld” on page 387

• “Notification Indicator” column in Section 8.3.2, “Standalone Proxy-ARP Configuration,” on page 1271

• the command

“show puppet-agent” on page 444

• the command

“lldp tlv-select” on page 630

Moved:

Section 3.3, “Secure Shell (SSH),” on page 62

from 4.13.2

Removed:

• mention of the MLNX-OS Command Reference Guide

• the command “lldp tlv-select dcbx”


Rev 1.90 – November 2013

Added Appendix A,“MEX6200 System,” on page 1329

Rev 1.80 – October 2013

Added:

Section 4.15, “Puppet Agent,” on page 430

Section 5.7.7, “MSTP,” on page 562

Section 5.8, “OpenFlow,” on page 594

Section 5.9.3, “IGMP Snooping Querier,” on page 605

• the command

“ip igmp snooping querier”

• the command

“igmp snooping querier query-interval”

• the command

“show ip igmp snooping querier”

Section 5.10.2, “DCBX,” on page 622

• the command “lldp tlv-select dcbx”

• the command

“dcb application-priority”

• the command

“show dcb application-priority”

Updated:

• the command

“show lldp interface”

• the command

“show lldp interfaces ethernet <inf> remote”

Rev 1.7.0 – October 2013

Merged “MLNX-OS Command Reference Guide” Rev. 1.6.9 and “MLNX-OS User Manual” Rev. 1.6.9.


About this Manual

This manual provides general information concerning the scope and organization of this User’s Manual.

Intended Audience

This manual is intended for network administrators who are responsible for configuring and managing Mellanox Technologies’ SwitchX based Switch Platforms.

Related Documentation

The following table lists the documents referenced in this User’s Manual.

Table 1 - Reference Documents

Document Name | Description
InfiniBand Architecture Specification, Vol. 1, Release 1.2.1 | The InfiniBand Architecture Specification that is provided by IBTA.
Director switch Installation Guide | Each Mellanox Technologies' switch platform is shipped with an Installation Guide document to bring-up and initialize the switch platform.
System Hardware User Manual | This document contains hardware descriptions, LED assignments and hardware specifications among other things.
Switch Product Release Notes | Please look up the relevant SwitchX®-based switch system/series release note file
Mellanox Virtual Modular Switch Reference Guide | This reference architecture provides general information concerning Mellanox L2 and L3 Virtual Modular Switch (VMS) configuration and design.
Configuring Mellanox Hardware for VPI Operation Application Note | This manual provides information on basic configuration of the converged VPI networks.

All of these documents can be found on the Mellanox website. They are available either through the product pages or through the support page with a login and password.

Glossary

Table 2 - Glossary

AAA | Authentication, Authorization, and Accounting. Authentication - verifies user credentials (username and password). Authorization - grants or refuses privileges to a user/client for accessing specific services. Accounting - tracks network resources consumption by users.
ARP | Address Resolution Protocol. A protocol that translates IP addresses into MAC addresses for communication over a local area network (LAN).
CLI | Command Line Interface. A user interface in which you type commands at the prompt
DCB | Data Center Bridging
DCBX | DCBX protocol is an extension of the Link Layer Discovery Protocol (LLDP). DCBX end points exchange request and acknowledgment messages. For flexibility, parameters are coded in a type-length-value (TLV) format.
DHCP | The Dynamic Host Configuration Protocol (DHCP) is an automatic configuration protocol used on IP networks.
DNS | Domain Name System. A hierarchical naming system for devices in a computer network
ETS | ETS provides a common management framework for assignment of bandwidth to traffic classes.
FTP/TFTP/sFTP | File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet.
Gateway | A network node that interfaces with another network using a different network protocol
HA (High Availability) | A system design protocol that provides redundancy of system components, thus enables overcoming single or multiple failures in minimal downtime
Host | A computer platform executing an Operating System which may control one or more network adapters
LACP | Link Aggregation Control Protocol (LACP) provides a method to control the bundling of several physical ports together to form a single logical channel. LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer (directly connected device that also implements LACP).
LDAP | The Lightweight Directory Access Protocol is an application protocol for reading and editing directories over an IP network.
MAC | A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies including Ethernet.
MTU (Maximum Transfer Unit) | The maximum size of a packet payload (not including headers) that can be sent/received from a port
Network Adapter | A hardware device that allows for communication between computers in a network
PFC/FC | Priority Based Flow Control applies pause functionality to traffic classes OR classes of service on the Ethernet link.
RADIUS | Remote Authentication Dial In User Service. A networking protocol that enables AAA centralized management for computers to connect and use a network service.
RDMA (Remote Direct Memory Access) | Accessing memory in a remote side without involvement of the remote CPU
RSTP | Rapid Spanning Tree Protocol. A spanning-tree protocol used to prevent loops in bridge configurations. RSTP is not aware of VLANs and blocks ports at the physical level.
SA (Subnet Administrator) | The interface for querying and manipulating subnet management data
SCP | Secure Copy or SCP is a means of securely transferring computer files between a local and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.
SNMP | Simple Network Management Protocol. A network protocol for the management of a network and the monitoring of network devices and their functions
NTP | Network Time Protocol. A protocol for synchronizing computer clocks in a network
SSH | Secure Shell. A protocol (program) for securely logging in to and running programs on remote machines across a network. The program authenticates access to the remote machine and encrypts the transferred information through the connection.
syslog | A standard for forwarding log messages in an IP network
TACACS+ | Terminal Access Controller Access-Control System Plus. A networking protocol that enables access to a network of devices via one or more centralized servers. TACACS+ provides separate AAA services.
XML Gateway | Extensible Markup Language Gateway. Provides an XML request-response protocol for setting and retrieving HW management information.

1 Introduction

Mellanox® Operating System (MLNX-OS®) enables the management and configuration of Mellanox Technologies’ SwitchX® Family silicon based switch platforms. MLNX-OS supports the Virtual Protocol Interconnect (VPI) technology which enables it to be used for both Ethernet and InfiniBand technology providing the user with greater flexibility.

MLNX-OS provides a full suite of management options, including support for SNMPv1, 2, 3, and web user interface (WebUI). In addition, it incorporates a familiar industry-standard CLI, which enables administrators to easily configure and manage the system.

1.1 System Features

Table 3 - General System Features

Feature | Description
Software Management | Dual software image; Software and firmware updates
File management | FTP; TFTP; SCP
Logging | Event history log; SysLog support
Management Interface | DHCP/Zeroconf; IPv6
Chassis Management | Monitoring environmental controls; Power management; Auto-temperature control; High availability
Network Management Interfaces | SNMP v1,v2c,v3; interfaces (XML Gateway); Puppet Agent
Security | SSH; Telnet; RADIUS; TACACS+
Date and Time | NTP
Cables & Transceivers | Transceiver info
Unbreakable links | LLR
Virtual Port Interconnect® (VPI) | Ethernet; InfiniBand

1.2 Ethernet Features

Table 4 - Ethernet Features

Feature | Description
General | ACL – 24K rules (permit/deny); Breakout cables; Jumbo Frames (9K)
Ethernet support | 48K Unicast MAC addresses; DCBX; DHCP Relay; ETS (802.1Qaz); Flow control (802.3x); IGMP snooping v1,2; LAG/LACP (802.3ad), 16 links per LAG (64 LAGs); LLDP; MLAG; MSTP; OpenFlow; PFC (802.1Qbb); Rapid Spanning Tree (802.1w); sFlow; VLAN (802.1Q) - 4K
IP routing | BGP; DHCP Relay; ECMP; IGMP; IPv4; IPv6; OSPF; PIM; VLAN interface; Loopback interface; Router interface; VRRP

1.3 Gateway Features

Table 5 - Gateway Features

Feature | Description
Proxy-ARP | Proxy-ARP interface; Unicast; Multicast; High availability Proxy-ARP

Figure 1: Managing an Ethernet Fabric Using MLNX-OS

2 Getting Started

The procedures described in this chapter assume that you have already installed and powered on your switch according to the instructions in the Hardware Installation Guide, which was shipped with the product.

2.1 Configuring the Switch for the First Time

To configure the switch:

Step 1. Connect the host PC to the console (RJ-45) port of the switch system using the supplied cable.

The console ports for systems are shown below.

Figure 2: Console Ports SX10xx Systems

Make sure to connect to the console RJ-45 port of the switch and not to the MGT port.

DHCP is enabled by default over the MGT port. Therefore, if you have configured your DHCP server and connected an RJ-45 cable to the MGT port, simply log in using the designated IP address.

Step 2. Configure a serial terminal with the settings described below.

This step may be skipped if the DHCP option is used and an IP is already configured for the MGT port.

Table 6 - Serial Terminal Program Configuration for PPC Based Systems

Parameter | Setting
Baud Rate | 9600
Data bits | 8
Stop bits | 1
Parity | None
Flow Control | None

Table 7 - Serial Terminal Program Configuration for x86 Based Systems

Parameter | Setting
Baud Rate | 115200
Data bits | 8
Stop bits | 1
Parity | None
Flow Control | None

Step 3. You are prompted with the boot menu.

Mellanox MLNX-OS Boot Menu:
1: <image #1>
2: <image #2>
u: USB menu (if USB device is connected) (password required)
c: Command prompt (password required)
Choice:

Select “1” to boot with software version installed on partition #1.

Select “2” to boot with software version installed on partition #2.

Selecting “u” is not currently supported.

Select “c” to proceed to advanced booting options – available to Mellanox Support only.

The MLNX-OS Boot Menu features a countdown timer. It is recommended to allow the timer to run out by not selecting any of the options.

Step 4. Log in as admin and use admin as password.

If the machine is still initializing, you might not be able to access the CLI until initialization completes. As an indication that initialization is ongoing, a countdown of the number of remaining modules to be configured is displayed in the following format: “<no. of modules> Modules are being configured”.

Step 5. Go through the Mellanox configuration wizard.

The following table shows an example of a wizard session.

Table 8 - Configuration Wizard Session - IP Configuration by DHCP

Display:
Mellanox configuration wizard
Do you want to use the wizard for initial configuration? yes
Comments: You must perform this configuration the first time you operate the switch or after resetting the switch to the factory defaults. Type “y” and then press <Enter>.

Display:
Step1: Hostname? [switch-1]
Comments: If you wish to accept the default hostname, then press <Enter>. Otherwise, type a different hostname and press <Enter>.

Display:
Step 2: Use DHCP on mgmt0 interface? [yes]
Comments: Perform this step to obtain an IP address for the switch. (mgmt0 is the management port of the switch.) If you wish the DHCP server to assign the IP address, type “yes” and press <Enter>. If you type “no” (no DHCP), then you will be asked whether you wish to use the “zeroconf” configuration or not. If you enter “yes” (yes Zeroconf), the session will continue as shown in Table 9. If you enter “no” (no Zeroconf), then you need to enter a static IP, and the session will continue as shown in Table 10.

Display:
Step 3: Enable IPv6 [yes]
Comments: Perform this step to enable IPv6 on management ports. If you wish to enable IPv6, type “yes” and press <Enter>. If you enter “no” (no IPv6), then you will automatically be referred to Step 5.

Display:
Step 4: Enable IPv6 autoconfig (SLAAC) on mgmt0 interface
Comments: Perform this step to enable StateLess address autoconfig on external management port. If you wish to enable it, type “yes” and press <Enter>. If you wish to disable it, enter “no”.

Display:
Step 5: Use DHCPv6 on mgmt0 interface? [yes]
Comments: Perform this step to enable DHCPv6 on the MGMT0 interface.

Display:
Step 5: Admin password (Press <Enter> to leave unchanged)? <new_password>
Step 4: Confirm admin password? <new_password>
Comments: To avoid illegal access to the machine, please type a password and then press <Enter>. Then confirm the password by re-entering it. Note that password characters are not printed.

Display:
You have entered the following information:
1. Hostname: <switch name>
2. Use DHCP on mgmt0 interface: yes
3. Enable IPv6: yes
4. Enable IPv6 autoconfig (SLAAC) on mgmt0 interface: yes
5. Enable DHCPv6 on mgmt0 interface: no
6. Admin password (Enter to leave unchanged): (CHANGED)
To change an answer, enter the step number to return to.
Otherwise hit <enter> to save changes and exit.
Choice: <Enter>
Configuration changes saved.
To return to the wizard from the CLI, enter the “configuration jump-start” command from configuration mode. Launching CLI...
<switch name> [standalone: master] >
Comments: The wizard displays a summary of your choices and then asks you to confirm the choices or to re-edit them. Either press <Enter> to save changes and exit, or enter the configuration step number that you wish to return to.
Note: To run the command “configuration jumpstart” you must be in Config mode.

Table 9 - Configuration Wizard Session - IP Zeroconf Configuration

Wizard Session Display - IP Zeroconf Configuration (Example)

Mellanox configuration wizard

Do you want to use the wizard for initial configuration? y

Step 1: Hostname? [switch-112126]

Step 2: Use DHCP on mgmt0 interface? [no]

Step 3: Use zeroconf on mgmt0 interface? [no] yes

Step 4: Default gateway? [192.168.10.1]

Step 5: Primary DNS server?

Step 6: Domain name?

Step 7: Enable IPv6? [yes] yes

Step 8: Enable IPv6 autoconfig (SLAAC) on mgmt0 interface? [no] no

Step 9: Admin password (Enter to leave unchanged)?

You have entered the following information:

1. Hostname: switch-112126

2. Use DHCP on mgmt0 interface: no

3. Use zeroconf on mgmt0 interface: yes

4. Default gateway: 192.168.10.1

5. Primary DNS server:

6. Domain name:

7. Enable IPv6: yes

8. Enable IPv6 autoconfig (SLAAC) on mgmt0 interface: yes

9. Admin password (Enter to leave unchanged): (unchanged)

To change an answer, enter the step number to return to.

Otherwise hit <enter> to save changes and exit.

Choice:

Configuration changes saved.

To return to the wizard from the CLI, enter the “configuration jump-start” command from configure mode. Launching CLI...

<switch name> [standalone: master] >


Table 10 - Configuration Wizard Session - Static IP Configuration

Wizard Session Display - Static IP Configuration (Example)

Mellanox configuration wizard

Do you want to use the wizard for initial configuration? y

Step 1: Hostname? [switch-112126]

Step 2: Use DHCP on mgmt0 interface? [yes] n

Step 3: Use zeroconf on mgmt0 interface? [no]

Step 4: Primary IP address? 192.168.10.4

Mask length may not be zero if address is not zero (interface mgmt0)

Step 5: Netmask? [0.0.0.0] 255.255.255.0

Step 6: Default gateway? 192.168.10.1

Step 7: Primary DNS server?

Step 8: Domain name?

Step 9: Enable IPv6? [yes] yes

Step 10: Enable IPv6 autoconfig (SLAAC) on mgmt0 interface? [no] no

Step 11: Admin password (Enter to leave unchanged)?

You have entered the following information:

1. Hostname: switch-112126

2. Use DHCP on mgmt0 interface: no

3. Use zeroconf on mgmt0 interface: no

4. Primary IP address: 192.168.10.4

5. Netmask: 255.255.255.0

6. Default gateway: 192.168.10.1

7. Primary DNS server:

8. Domain name:

9. Enable IPv6: yes

10. Enable IPv6 autoconfig (SLAAC) on mgmt0 interface: no

11. Admin password (Enter to leave unchanged): (unchanged)

To change an answer, enter the step number to return to.

Otherwise hit <enter> to save changes and exit.

Choice:

Configuration changes saved.

To return to the wizard from the CLI, enter the “configuration jump-start” command from configure mode. Launching CLI...

<switch name>[standalone: master] >

Step 6. Check the mgmt0 interface configuration before attempting a remote (for example, SSH) connection to the switch. Specifically, verify the existence of an IP address.

switch # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 169.254.15.134

Netmask: 255.255.0.0

IPv6 enabled: yes

Autoconf enabled: yes

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe11:a1b2/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface source: physical

MTU: 1500

HW address: 00:02:C9:11:A1:B2

Comment:

RX bytes: 11700449 TX bytes: 15139846

RX packets: 55753 TX packets: 28452

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000
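The Step 6 check can be scripted when many switches are brought up at once. The following is an added example, not part of the manual: it parses the output shown above (abridged to single-field lines) and reports whether mgmt0 has a usable IPv4 address and whether that address is only a zeroconf link-local one. The function names and the two variant samples are this example's own.

```python
import ipaddress

# "show interfaces mgmt0" output from Step 6, abridged to the single-field lines.
ZEROCONF_SAMPLE = """\
Interface mgmt0 state
Admin up: yes
Link up: yes
IP address: 169.254.15.134
Netmask: 255.255.0.0
IPv6 enabled: yes
Autoconf enabled: yes
IPv6 addresses: 1
IPv6 address: fe80::202:c9ff:fe11:a1b2/64
Speed: 1000Mb/s (auto)
HW address: 00:02:C9:11:A1:B2
"""

# Constructed variant: the static address and netmask entered in Table 10.
STATIC_SAMPLE = ZEROCONF_SAMPLE.replace("169.254.15.134", "192.168.10.4").replace(
    "255.255.0.0", "255.255.255.0")

# Constructed variant: no address assigned (assumes the fields are printed empty).
UNSET_SAMPLE = ZEROCONF_SAMPLE.replace("169.254.15.134", "").replace("255.255.0.0", "")


def parse_fields(text):
    """Collect 'Name: value' lines; a name may repeat (several IPv6 addresses)."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so IPv6 and MAC values stay intact.
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_mgmt0(text):
    """Return the IPv4 address, its reachability scope and a list of findings."""
    fields = parse_fields(text)

    def first(name):
        return fields.get(name, [""])[0]

    findings = []
    if first("Admin up") != "yes":
        findings.append("mgmt0 is administratively down")
    if first("Link up") != "yes":
        findings.append("mgmt0 link is down")

    ipv4, scope = None, "none"
    try:
        iface = ipaddress.IPv4Interface(f"{first('IP address')}/{first('Netmask')}")
    except ValueError:
        findings.append("no valid IPv4 address on mgmt0")
    else:
        if iface.ip.is_unspecified:
            findings.append("IPv4 address is 0.0.0.0")
        else:
            ipv4 = iface.with_prefixlen
            if iface.ip.is_link_local:
                scope = "link-local"
                findings.append("zeroconf address: reachable only from the same segment")
            else:
                scope = "routable"

    # IPv6 addresses that are not fe80::/10 link-local.
    ipv6_routable = []
    for value in fields.get("IPv6 address", []):
        try:
            addr6 = ipaddress.IPv6Interface(value)
        except ValueError:
            continue
        if not addr6.ip.is_link_local:
            ipv6_routable.append(str(addr6))

    return {"ipv4": ipv4, "scope": scope,
            "ipv6_routable": ipv6_routable, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("zeroconf", ZEROCONF_SAMPLE), ("static", STATIC_SAMPLE),
                          ("unset", UNSET_SAMPLE)):
        print(label, check_mgmt0(sample))
```
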

2.1.1 Re-Running the Wizard

To rerun the wizard:

Step 1. Enter the config mode.

switch > enable
switch # config terminal

Step 2. Rerun the wizard.

switch (config) # configuration jump-start

2.2 Starting the Command Line (CLI)

Step 1. Set up an Ethernet connection between the switch and a local network machine using a standard RJ-45 connector.

Step 2. Start a remote secured shell (SSH) to the switch using the command “ssh -l <username> <switch ip address>.”

rem_mach1 > ssh -l <username> <ip address>

Step 3. Log in to the switch (default username is admin, password admin)

Step 4. Read and accept the EULA when prompted.

Step 5. Once you get the prompt, you are ready to use the system.

Mellanox MLNX-OS Switch Management

Password:

Last login: <time> from <ip-address>

Mellanox Switch

Please read and accept the Mellanox End User License Agreement located at: http://www.mellanox.com/related-docs/prod_management_software/MLNX-OS_EULA.pdf

switch >

2.3 Starting the Web User Interface

To start a WebUI connection to the switch platform:

Step 1. Set up an Ethernet connection between the switch and a local network machine using a standard RJ-45 connector.

Step 2. Open a web browser – Firefox 12, Chrome 18, IE 8, Safari 5 or higher.

Note: Make sure the screen resolution is set to 1024*768 or higher.

Step 3. Type in the IP address of the switch or its DNS name in the format: http://<switch_IP_address>.

Step 4. Log in to the switch (default user name is admin, password admin).

Figure 3: MLNX-OS Login Window

Step 5. Read and accept the EULA if prompted.

You are only prompted if you have not accessed the switch via CLI before.

Figure 4: EULA Prompt

Step 6. The Welcome popup appears. After reading through the content, click OK to continue.

You may click on the links under Documentation to reach the MLNX-OS documentation.

The link under What’s New takes you straight to the RN Changes and New Features section.

Figure 5: Welcome Popup

You may also tick the box to not show this popup again. But should you wish to see this window again, click “Product Documents” on the upper right corner of the WebUI.

Step 7. A default status summary is displayed as shown in Figure 6.

Figure 6: Display After Login

2.4 Licenses

Gateway is not supported in MLNX-OS® release 3.4.1110.

MLNX-OS software package can be extended with premium features. Installing a license allows you to access the specified premium features.

This section is relevant only to switch systems with an internal management capability.

The following licenses are offered with MLNX-OS software:

Table 11 - MLNX-OS Licenses

OPN | Valid on Product | Description
UPGR-6012-GW | SX6012 | Ethernet L2/L3, Gateway
UPGR-1012-GW | SX1012 | InfiniBand, Ethernet L3, Gateway
UPGR-6018-GW | SX6018 | Ethernet L2/L3, Gateway
UPGR-6036-GW | SX6036 | Ethernet L2/L3, Gateway
UPGR-1036-GW | SX1036 | InfiniBand, Ethernet L3, Gateway
UPGR-1710-GW | SX1710 | InfiniBand, Ethernet L3, Gateway
UPGR-6710-GW | SX6710 | InfiniBand, Ethernet L3, Gateway
LIC-fabric-inspector | SX6036F/T; 6012F/T; 6018F/T; SX65xx | InfiniBand fabric inspector monitoring and health
UPGR-xxxx-FCOE-J | All systems supporting Ethernet directly or via license. | Enables FCoE protocol

2.4.1 Installing MLNX-OS® License (CLI)

To install an MLNX-OS license via CLI:

Step 1. Log in as admin and change to Config mode.

switch > enable
switch # config terminal

Step 2. Install the license using the key. Run:

switch (config) # license install <license key>

Step 3. Display the installed license(s) using the following command.

switch (config) # show licenses
License 1: <license key>
Feature: EFM_SX
Valid: yes
Active: yes
switch (config) #

Make sure that the “Valid” and “Active” fields both indicate “yes”.

Step 4. Save the configuration to complete the license installation. Run:

switch (config) # configuration write

If you do not save the installation session, you will lose the license at the next system start up.

2.4.2 Installing MLNX-OS License (Web)

To install an MLNX-OS license via WebUI:

Step 1. Log in as admin.

Step 2. Click the Setup tab and then Licensing on the left side navigation pane.

Figure 7: No Licenses Installed

Step 3. Enter your license key(s) in the text box. If you have more than one license, please enter each license in a separate line. Click “Add Licenses” after entering the last license key to install them.

If you wish to add another license key in the future, you can simply enter it in the text box and click “Add Licenses” to install it.

Figure 8: Enter License Key(s) in Text Box

All installed licenses should now be displayed.

Figure 9: Installed License

Step 4. Save the configuration to complete the license installation.

If you do not save the installation session, you will lose the installed licenses at the next system boot.

2.4.3 Retrieving a Lost License Key

In case of a lost MLNX-OS® license key, contact your authorized Mellanox reseller and provide the switch’s chassis serial number.

To obtain the switch’s chassis serial number:

Step 1. Log in to the switch.

Step 2. Retrieve the switch’s chassis serial number using the command “show inventory”.

switch (config) # show inventory
================================================================================
Module Type Part number Serial Number
================================================================================
CHASSIS SX1035 MSX6036F-1BFR MT1121X02692
MGMT SX1035 MSX6036F-1BFR MT1121X02692
FAN SXX0XX_FAN MSX60-FF MT1121X02722
PS1 SXX0XX_PS N/A N/A
switch (config) #

Step 3. Send your Mellanox reseller the following information to obtain the license key:

• The chassis serial number

• The type of license you need to retrieve. Refer to “Licenses” on page 40.

Step 4. Once you receive the license key, you can install the license as described in the sections above.

2.4.4 Commands

file eula upload

file eula upload <filename> <URL>

Uploads the Mellanox End User License Agreement to a specified remote location.

Syntax Description:
filename - The Mellanox End User License Agreement
URL - URL or scp://username[:password]@hostname/path/filename

Default: N/A

Configuration Mode: Config

History: 3.4.1100

Role: monitor/admin

Example:
switch (config) # file help-docs upload Mellanox_End_User_License_Agreement.pdf <scp://username[:password]@hostname/path/filename>
switch (config) # license

Related Commands:

Note:

file help-docs upload

file help-docs upload <filename> <URL or scp://username[:password]@hostname/path/filename>

Uploads the MLNX-OS UM or RN to a specified remote location.

Syntax Description:
filename - The file to upload to a remote host
URL - URL or scp://username[:password]@hostname/path/filename

Default: N/A

Configuration Mode: Config

History: 3.4.1100

Role: admin

Example:
switch (config) # file help-docs upload MLNX-OS_ETH_User_Manual.pdf <scp://username[:password]@hostname/path/filename>
switch (config) #

Related Commands:

Note:

license delete

license delete <license-key>

Removes license keys by ID.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.4.1100

Role: admin

Example:
switch (config) # license delete <license-key>
switch (config) #

Related Commands:

Note:

license install

license install <license-key>

Installs a new license key.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.4.1100

Role: admin

Example:
switch (config) # license install <license-key>
switch (config) #

Related Commands:

Note:

show licenses

show licenses

Displays a list of all installed licenses. For each license, the following is displayed:

• a unique ID which is a small integer

• the text of the license key as it was added

• whether or not it is valid and active

• which feature(s) it is activating

• a list of all licensable features specifying whether or not it is currently activated by a license

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.4.1100

Role: admin

Example:
switch (config) # show licenses
License 1: <license key>
Feature: SX_CONFIG
Valid: yes
Active: yes
switch (config) #

Related Commands:

Note:

3 User Interfaces

3.1 Command Line Interface (CLI) Overview

MLNX-OS® is equipped with an industry-standard CLI. The CLI is accessed through SSH or Telnet sessions, or directly via the console port on the front panel (if it exists).

3.1.1 CLI Modes

The CLI can be in one of the following modes, and each mode makes available a certain group (or level) of commands for execution. The different CLI configuration modes are:

Table 12 - CLI Modes and Config Context

Configuration Mode | Description
Standard | When the CLI is launched, it begins in Standard mode. This is the most restrictive mode and only has commands to query a restricted set of state information. Users cannot take any actions that directly affect the system, nor can they change any configuration.
Enable | The enable command moves the user to Enable mode. This mode offers commands to view all state information and take actions like rebooting the system, but it does not allow any configurations to be changed. Its commands are a superset of those in Standard mode.
Config | The configure terminal command moves the user from Enable mode to Config mode. Config mode is allowed only for user accounts in the “admin” role (or capabilities). This mode has a full unrestricted set of commands to view anything, take any action, and change any configuration. Its commands are a superset of those in Enable mode. To return to Enable mode, enter exit or no configure. Note that moving directly from/to Standard mode to/from Config mode is not possible.
Config Interface Management | Configuration mode for management interface mgmt0, mgmt1 and loopback.
Config Interface Ethernet | Configuration mode for Ethernet interface.
Config Interface Port Channel | Configuration mode for Port channel (LAG).
Config VLAN | Configuration mode for VLAN.
Any Command Mode | Several commands such as “show” can be applied within any context.

3.1.2 Syntax Conventions

To help you identify the parts of a CLI command, this section explains conventions of presenting the syntax of commands.

Table 13 - Syntax Conventions

Syntax Convention: < > Angled brackets
Description: Indicate a value/variable that must be replaced.
Example: <1...65535> or <switch interface>

Syntax Convention: [ ] Square brackets
Description: Enclose optional parameters. However, only one parameter out of the list of parameters listed can be used. The user cannot have a combination of the parameters unless stated otherwise.
Example: [destination-ip | destination-port | destination-mac]

Syntax Convention: { } Braces
Description: Enclose alternatives or variables that are required for the parameter in square brackets.
Example: [mode {active | on | passive}]

Syntax Convention: | Vertical bars
Description: Identify mutually exclusive choices.
Example: active | on | passive

Do not type the angled or square brackets, vertical bar, or braces in command lines. This guide uses these symbols only to show the types of entries.

CLI commands and options are in lowercase and are case-sensitive.

For example, when you enter the enable command, enter it all in lowercase. It cannot be ENABLE or Enable. Text entries you create are also case-sensitive.

3.1.3 Getting Help

You may request context-sensitive help at any time by pressing “?” on the command line. This will show a list of choices for the word you are on, or a list of top-level commands if you have not typed anything yet.

For example, if you are in Standard mode and you type “?” at the command line, then you will get the following list of available commands.

switch > ?
cli Configure CLI shell options
enable Enter enable mode
exit Log out of the CLI
help View description of the interactive help system
no Negate or clear certain configuration options
show Display system configuration or statistics
slogin Log into another system securely using ssh
switch Configure switch on system
telnet Log into another system using telnet
terminal Set terminal parameters
traceroute Trace the route packets take to a destination
switch-11a596 [standalone: master] >

If you type a legal string and then press “?” without a space character before it, then you will either get a description of the command that you have typed so far or the possible command/parameter completions. If you press “?” after a space character and “<cr>” is shown, this means that what you have entered so far is a complete command, and that you may press Enter (carriage return) to execute it.

Try the following to get started:

?

show ?

show c?

show clock?

show clock ?

show interfaces ? (from enable mode)

You can also enter “help” to view a description of the interactive help system.

Note also that the CLI supports command and/or parameter tab-completions and their shortened forms. For example, you can enter “en” instead of the “enable” command, or “cli cl” instead of “cli clear-history”. In case of ambiguity (more than one completion option is available, that is), then you can hit double tabs to obtain the disambiguation options. Thus, if you are in Enable mode and wish to learn which commands start with the letter “c”, type “c” and click twice on the tab key to get the following:

switch # c<tab>
clear cli configure
switch # c

(There are three commands that start with the letter “c”: clear, cli and configure.)

3.1.4 Prompt and Response Conventions

The prompt always begins with the hostname of the system. What follows depends on what command mode the user is in. To demonstrate by example, assuming the machine name is “switch”, the prompts for each of the modes are:

switch > (Standard mode)
switch # (Enable mode)
switch (config) # (Config mode)

The following session shows how to move between command modes:

switch > (You start in Standard mode)
switch > enable (Move to Enable mode)
switch # (You are in Enable mode)
switch # configure terminal (Move to Config mode)
switch (config) # (You are in Config mode)
switch (config) # exit (Exit Config mode)
switch # (You are back in Enable mode)
switch # disable (Exit Enable mode)
switch > (You are back in Standard mode)

Commands entered do not print any response and simply show the command prompt after you press <Enter>.

If an error is encountered in executing a command, the response will begin with “%”, followed by some text describing the error.

3.1.5

Using the “no” Form

Several Config mode commands offer the negation form using the keyword “no”. This no form can be used to disable a function, to cancel certain command parameters or options, or to reset a parameter value to its default. To re-enable a function or to set cancelled command parameters or options, enter the command without the “no” keyword (with parameter values if necessary).

The following example performs the following:

1. Displays the current CLI session options.

2. Disables auto-logout.

3. Displays the new CLI session options (auto-logout is disabled).

4. Re-enables auto-logout (after 15 minutes).

5. Displays the final CLI session options (auto-logout is enabled)

// 1. Display the current CLI session options
switch (config) # show cli

CLI current session settings:

Maximum line size: 8192

Terminal width: 157 columns

Terminal length: 60 rows

Terminal type: xterm

Auto-logout: 15 minutes

Paging: enabled

Progress tracking: enabled

Prefix modes: enabled

...

// 2. Disable auto-logout
switch (config) # no cli session auto-logout

// 3. Display the new CLI session options
switch-1 [standalone: master] (config) # show cli

CLI current session settings:

Maximum line size: 8192

Terminal width: 157 columns

Terminal length: 60 rows

Terminal type: xterm

Auto-logout: disabled

Paging: enabled

Progress tracking: enabled

Prefix modes: enabled

...

// 4. Re-enable auto-logout after 15 minutes
switch (config) # cli session auto-logout 15

// 5. Display the final CLI session options
switch (config) # show cli

CLI current session settings:

Maximum line size: 8192

Terminal width: 157 columns

Terminal length: 60 rows

Terminal type: xterm

Auto-logout: 15 minutes

Paging: enabled

Progress tracking: enabled

Prefix modes: enabled

...

3.1.6

Parameter Key

This section provides a key to the meaning and format of all of the angle-bracketed parameters in all the commands that are listed in this document.

Table 14 - Angled Brackets Parameter Description

Parameter: Description

<domain>: A domain name, e.g. “mellanox.com”.

<hostname>: A hostname, e.g. “switch-1”.

<ifname>: An interface name, e.g. “mgmt0”, “mgmt1”, “lo” (loopback), etc.

<index>: A number to be associated with aliased (secondary) IP addresses.

<IP address>: An IPv4 address, e.g. “192.168.0.1”.

<log level>: A syslog logging severity level. Possible values, from least to most severe, are: “debug”, “info”, “notice”, “warning”, “error”, “crit”, “alert”, “emerg”.

<GUID>: Globally Unique Identifier. A number that uniquely identifies a device or component.

<MAC address>: A MAC address. The segments may be 8 bits or 16 bits at a time, and may be delimited by “:” or “.”. So you could say “11:22:33:44:55:66”, “1122:3344:5566”, “11.22.33.44.55.66”, or “1122.3344.5566”.

<netmask>: A netmask (e.g. “255.255.255.0”) or mask length prefixed with a slash (e.g. “/24”). These two express the same information in different formats.

<network prefix>: An IPv4 network prefix specifying a network. Used in conjunction with a netmask to determine which bits are significant, e.g. “192.168.0.0”.

<regular expression>: An extended regular expression as defined in the “grep” man page. (The value you provide here is passed on to “grep -E”.)

<node id>: ID of a node belonging to a cluster. This is a numerical value greater than zero.

<cluster id>: A string specifying the name of a cluster.

<port>: TCP/UDP port number.

<TCP port>: A TCP port number in the full allowable range [0...65535].

<URL>: A normal URL, using any protocol that wget supports, including http, https, ftp, sftp, and tftp; or a pseudo-URL specifying an scp file transfer. The scp pseudo-URL format is scp://username:password@hostname/path/filename.

Note that the path is an absolute path. Paths relative to the user's home directory are not currently supported. The implementation of ftp does not support authentication, so use scp or sftp for that.

Note also that if you omit the “:password” part, you may be prompted for the password in a follow up prompt, where you can type it securely (without the characters being echoed). This prompt will occur if the “cli default prompt empty-password” setting is true; otherwise, the CLI will assume you do not want any password. If you include the “:” character, this will be taken as an explicit declaration that the password is empty, and you will not be prompted in any case.

3.1.7

Command Output Filtering

The MLNX-OS CLI supports filtering “show” commands to display lines containing or excluding certain phrases or characters. To filter the outputs of the “show” commands use the following format:

switch (config) # <show command> | [include | exclude] <extended regular expression> [<ignore-case>] [next <lines>] [prev <lines>]

The filtering parameters are separated from the show command they filter by a pipe character (i.e. “|”). Quotation marks may be used to include or exclude a string including space, and multiple filters can be used simultaneously. For example:

switch (config) # <show command> | [include <extended regular expression> [<ignore-case>] [next <lines>] [prev <lines>] | exclude <extended regular expression> [<ignore-case>] [next <lines>] [prev <lines>]]

Examples:

switch (config) # show asic-version | include SX

MGMT SX 9.3.3150

arc-switch14 [standalone: master] (config) # show module | exclude PS

====================================================

Module Type Present Power Is Fatal

====================================================

MGMT SX1036 1 1 Not Fatal

FAN SXX0XX_FAN 1 1 Not Fatal

switch (config) # show interfaces | include "Eth|discard pac"

Eth1/1

0 discard packets

0 discard packets

Eth1/2

0 discard packets

0 discard packets


Eth1/3

0 discard packets

0 discard packets

Eth1/4

0 discard packets

0 discard packets

switch (config) # show interfaces | include "Tx" next 5 | exclude broad

Tx

0 packets

0 unicast packets

0 multicast packets

0 bytes

--

Tx

0 packets

0 unicast packets

0 multicast packets

0 bytes

3.2

Web Interface Overview

The MLNX-OS® package is equipped with a web interface, a web GUI that accepts input and provides output by generating web pages that the user views in a web browser.

The following web browsers are supported:

• Internet Explorer 8.0 or higher

• Chrome 18 or higher

• Mozilla Firefox 12 or higher

• Safari 5 or higher

The web interface makes available the following perspective tabs:

• Setup

• System

• Security

• Ports

• Status

• IB SM Management

• Fabric Inspector

• Ethernet Management

• IP Route

• Gateway

Make sure to save your changes before switching between menus or submenus. Click the “Save” button to the right of “Save Changes?”.

Figure 10: WebUI

3.2.1

Setup Menu

The Setup menu makes available the following submenus (listed in order of appearance from top to bottom):

Table 15 - WebUI Setup Submenus

Submenu Title: Description

Interfaces: Obtains the status of, configures, or disables interfaces to the InfiniBand fabric. Thus, you can: set or clear the IP address and netmask of an interface; enable DHCP to dynamically assign the IP address and netmask; and set interface attributes such as MTU, speed, duplex, etc.

HA: Creates, joins or modifies an InfiniBand subnet.

Routing: Configures, removes or displays the default gateway, and the static and dynamic routes.

Hostname: Configures or modifies the hostname. Configures or deletes static hosts.

DNS: Configures, removes, modifies or displays static and dynamic name servers.

Login Messages: Edits the login messages: Message of the Day (MOTD), Remote Login message, and Local Login message.

Address Resolution: Adds static and dynamic ARP entries, and clears the dynamic ARP cache.

IPSec: Configures IPSec.

Neighbors: Displays IPv6 neighbor discovery protocol.

Virtualization: Manages the virtualization and virtual machines.

Virtual Switch Mgmt: Configures the system profile.

Web: Configures web user interface and proxy settings.

SNMP: Configures SNMP attributes, SNMP admin user, and trap sinks.

Email Alerts: Configures the destination of email alerts and the recipients to be notified.

XML gateway: Provides an XML request-response protocol to get and set hardware management information.

Logs: Sets up system log files, remote log sinks, and log formats.

Configurations: Manages, activates, saves, and imports MLNX-OS SwitchX configuration files, and executes CLI commands.

Date and Time: Configures the date, time, and time zone of the switch system.

NTP: Configures NTP (Network Time Protocol) and NTP servers.

Licensing: Manages MLNX-OS licenses.

3.2.2

System Menu

The System menu makes available the following sub-menus (listed in order of appearance from top to bottom):

Table 16 - WebUI System Submenus

Submenu Title: Description

Modules: Displays a graphic illustration of the system modules. By moving the mouse over the ports in the front view, a pop-up caption is displayed to indicate the status of the port. The port state (active/down) is differentiated by a color scheme (green for active, gray/black for down). By moving the mouse over the rear view, a pop-up caption is displayed to indicate the leaf part information.

Inventory: Displays a table with the following information about the system modules: module name, type, serial number, ordering part number and Asic firmware version.

Power Management: Displays a table with the following information about the system power supplies: power supply name, power, voltage level, current consumption, and status. A total power summary table is also displayed providing the power used, the power capacity, and the power available.

MLNX-OS Upgrade: Displays the installed MLNX-OS images (and the active partition), uploads a new image, and installs a new image.

Reboot: Reboots the system. Make sure that you save your configuration prior to clicking reboot.

3.2.3

Security Menu

The Security menu makes available the following sub-menus (listed in order of appearance from top to bottom):

Table 17 - WebUI Security Submenus

Submenu Title: Description

Users: Manages (setting up, removing, modifying) user accounts.

Admin Password: Modifies the system administrator password.

SSH: Displays and generates host keys.

AAA: Configures AAA (Authentication, Authorization, and Accounting) security services such as authentication methods and authorization.

Login Attempts: Manages login attempts.

RADIUS: Manages Radius client.

TACACS+: Manages TACACS+ client.

LDAP: Manages LDAP client.

Certificate: Manages certificates.

3.2.4

Ports Menu

The Ports menu displays the port state and enables some configuration attributes of a selected port. It also enables modification of the port configuration. A graphical display of traffic over time (last hour or last day) through the port is also available.

Table 18 - WebUI Ports Submenus

Submenu Title: Description

Ports: Manages port attributes, counters, transceiver info and displays a graphical counters histogram.

Phy Profile: Provides the ability to manage phy profiles.

Monitor Session: Displays monitor session summary and enables configuration of a selected session.

3.2.5

Status Menu

The Status menu makes available the following sub-menus (listed in order of appearance from top to bottom):

Table 19 - WebUI Status Submenus

Submenu Title: Description

Summary: Displays general information about the switch system and the MLNX-OS image, including current date and time, hostname, uptime of system, system memory, CPU load averages, etc.

Profile and Capabilities: Displays general information about the switch system capabilities such as the enabled profiles (e.g IB/ETH) and their corresponding values.

Temperature: Provides a graphical display of the switch module sensors’ temperature levels over time (1 hour). It is possible to display either the temperature level of one module’s sensor or the temperature levels of all the module sensors’ together.

Power Supplies: Provides a graphical display of one of the switch’s power supplies voltage level over time (1 hour).

Fans: Provides a graphical display of fan speeds over time (1 hour). The display is per fan unit within a fan module.

CPU Load: Provides a graphical display of the management CPU load over time (1 hour).

Memory: Provides a graphical display of memory utilization over time (1 day).

Network: Provides a graphical display of network usage (transmitted and received packets) over time (1 day). It also provides per interface statistics.

Logs: Displays the system log messages. It is possible to display either the currently saved system log or a continuous system log.

Maintenance: Performs specific maintenance operations automatically on a predefined schedule.

Alerts: Displays a list of the recent health alerts and enables the user to configure health settings.

Virtualization: Displays the virtual machines, networks and volumes.

3.2.6

ETH Mgmt

The Eth Mgmt menu is not applicable when the switch profile is not Ethernet or VPI.

The ETH Mgmt menu makes available the following sub-menus (listed in order of appearance from top to bottom):

Table 20 - WebUI ETH Mgmt Submenus

Submenu Title: Description

Spanning Tree: Configures and monitors spanning tree protocol.

MAC Table: Configures static mac addresses in the switch, and displays the MAC address table.

Link Aggregation: Configures and monitors aggregated Ethernet links (LAG) and configures LACP.

VLAN: Manages the switch VLAN table.

IGMP Snooping: Manages IGMP snooping in the switch.

ACL: Manages Access Control in the switch.

Priority Flow Control: Manages priority flow control.

3.2.7

IP Route

The IP Route menu makes available the following sub-menus (listed in order of appearance from top to bottom):

Table 21 - WebUI IP Route Submenus

Submenu Title: Description

Router Global: Enables/disables IP Routing protocol on the machine.

IP Route: Not implemented.

IP Interface: Not implemented.

Address Resolution: Not implemented.

IP Diagnostic: Not implemented.

3.3

Secure Shell (SSH)

It is recommended not to use more than 100 concurrent SSH sessions to the switch.

3.3.1

Adding a Host and Providing an SSH Key

To add entries to the global known-hosts configuration file and its SSH value:

Step 1. Change to Config mode. Run:

switch [standalone: master] > enable
switch [standalone: master] # configure terminal
switch [standalone: master] (config) #

Step 2. Add an entry to the global known-hosts configuration file and its SSH value. Run:

switch [standalone: master] (config) # ssh client global known-host "myserver ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAsXeklqc8T0EN2mnMcVcfhueaRYzIVqt4rVsrERIjmlJh4mkYYIa8hGGikNa+ t5xw2dRrNxnHYLK51bUsSG1ZNwZT1Dpme3pAZeMY7G4ZMgGIW9xOuaXgAA3eBeoUjFdi6+1BqchWk0nTb+gMfI/
MK/heQNns7AtTrvqg/O5ryIc="
switch [standalone: master] (config) #

Step 3. Verify what keys exist in the host. Run:

switch [standalone: master] (config) # show ssh client

SSH client Strict Hostkey Checking: ask

SSH Global Known Hosts:

Entry 1: myserver

Finger Print: d5:d7:be:d7:6c:b1:e4:16:df:61:25:2f:b1:53:a1:06

No SSH user identities configured.

No SSH authorized keys configured.

switch [standalone: master] (config) #
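Before pinning a host key as a global known-host, the "Finger Print" that `show ssh client` reports can be recomputed from the key on the administrator's side and compared with a value obtained out of band. The following is an added example, not part of the manual: it assumes the 16-byte colon-separated value is the legacy OpenSSH-style MD5 fingerprint of the public key blob, and the key in it is constructed for the demonstration (function names are hypothetical).

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire-format string, rejecting truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_known_host(entry: str):
    """Split '<host> <key-type> <base64 key>' and cross-check the key type.

    The algorithm name is stored twice: once as text and once inside the
    blob. A mismatch means the entry was mangled or tampered with.
    """
    parts = entry.split()
    if len(parts) != 3:
        raise ValueError("expected '<host> <key-type> <base64 key>'")
    host, key_type, b64 = parts
    blob = base64.b64decode(b64, validate=True)  # raises ValueError subclass
    embedded, _ = read_ssh_string(blob)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match the key blob")
    return host, key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5 of the raw public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(entry: str, shown: str) -> bool:
    """Compare a known-host entry with the fingerprint the switch displays."""
    _, _, blob = parse_known_host(entry)
    return hmac.compare_digest(md5_fingerprint(blob), shown.strip().lower())


# Constructed sample key (not a real host key): type, exponent 35, dummy modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x23")
               + ssh_string(b"\x00" + bytes(range(0x80, 0xC0))))
SAMPLE_ENTRY = "myserver ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    print("Finger Print:", md5_fingerprint(parse_known_host(SAMPLE_ENTRY)[2]))
```
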

3.3.2

Retrieving Return Codes when Executing Remote Commands

To stop the CLI and set the system to send return errors if some commands fail:

Step 1. Connect to the system from the host SSH.

Step 2. Add the -h parameter after the cli (as shown in the example below) to notify the system to halt on failure and pass through the exit code.

ssh <username>@<hostname> cli -h '"enable" "show interfaces brief"'
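For automation that has to stop on the first failed command, the `cli -h` invocation above can be wrapped so that the exit code and any “%” error lines are checked together. This is an added example, not part of the manual: the function names, the set of rejected characters and the sample error text are assumptions made for the example, and `BatchMode=yes` and exit status 255 for connection failures are standard OpenSSH client behaviour.

```python
import subprocess
from dataclasses import dataclass, field

# Characters that could break out of the double-quoted CLI arguments on the
# remote side. Conservative choice for this example, not a list from the manual.
UNSAFE_CHARS = set('"\'`$\\\r\n')


@dataclass
class CliResult:
    returncode: int
    output: str
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.returncode == 0 and not self.errors

    @property
    def transport_failed(self) -> bool:
        # The OpenSSH client exits with 255 when the connection itself fails.
        return self.returncode == 255


def build_remote_command(cli_commands):
    """Return the remote string, e.g. cli -h "enable" "show interfaces brief"."""
    if not cli_commands:
        raise ValueError("at least one CLI command is required")
    quoted = []
    for command in cli_commands:
        command = command.strip()
        if not command or any(ch in UNSAFE_CHARS for ch in command):
            raise ValueError("refusing unsafe CLI command: %r" % command)
        quoted.append('"%s"' % command)
    return "cli -h " + " ".join(quoted)


def run_cli(target, cli_commands, runner=subprocess.run, timeout=30):
    """Run CLI commands over SSH; -h makes the CLI halt on failure and
    pass the exit code through to the caller."""
    if not target or target.startswith("-") or any(c.isspace() for c in target):
        raise ValueError("invalid SSH target: %r" % target)
    remote = build_remote_command(cli_commands)
    # argv list, so no local shell is involved and no single quotes are needed.
    argv = ["ssh", "-o", "BatchMode=yes", target, remote]
    proc = runner(argv, capture_output=True, text=True, timeout=timeout)
    # CLI error responses begin with "%" (see Prompt and Response Conventions).
    errors = [line for line in proc.stdout.splitlines() if line.startswith("%")]
    return CliResult(proc.returncode, proc.stdout, errors)


if __name__ == "__main__":
    # "admin@switch" is a placeholder target.
    result = run_cli("admin@switch", ["enable", "show interfaces brief"])
    print("ok" if result.ok else "failed with exit code %d" % result.returncode)
```
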


3.4

Commands

3.4.1

CLI Session

This chapter displays all the relevant commands used to manage CLI session terminal.

cli clear-history

cli clear-history

Clears the command history of the current user.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # cli clear-history
switch (config) #

Related Commands: N/A

Note:

cli default

cli default {auto-logout <minutes> | paging enable | prefix-modes {enable | show-config} | progress enable | prompt {confirm-reload | confirm-reset | confirm-unsaved | empty-password}}

no cli default {auto-logout | paging enable | prefix-modes {enable | show-config} | progress enable | prompt {confirm-reload | confirm-reset | confirm-unsaved | empty-password}}

Configures default CLI options for all future sessions.

The no form of the command deletes or disables the default CLI options.

Syntax Description:

minutes: Configures keyboard inactivity timeout for automatic logout. Range is 0-35791 minutes. Setting the value to 0 or using the no form of the command disables the auto-logout.

paging enable: Enables text viewing one screen at a time.

prefix-modes {enable | show-config}: Configures the prefix modes feature of CLI.

• “prefix-modes enable” enables prefix modes for current and all future sessions

• “prefix-modes show-config” uses prefix modes in “show configuration” output for current and all future sessions

progress enable: Enables progress updates.

prompt confirm-reload: Prompts for confirmation before rebooting.

prompt confirm-reset: Prompts for confirmation before resetting to factory state.

prompt confirm-unsaved: Confirms whether or not to save unsaved changes before rebooting.

prompt empty-password: Prompts for a password if none is specified in a pseudo-URL for SCP.

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # cli default prefix-modes enable
switch (config) # show cli

CLI current session settings:

Maximum line size: 8192

Terminal width: 171 columns

Terminal length: 38 rows

Terminal type: xterm

X display setting: (none)

Auto-logout: disabled

Paging: enabled

Progress tracking: enabled

Prefix modes: disabled

CLI defaults for future sessions:

Auto-logout: disabled

Paging: enabled

Progress tracking: enabled

Prefix modes: enabled (and use in 'show configuration')

Settings for both this session and future ones:

Show hidden config: yes

Confirm losing changes: yes

Confirm reboot/shutdown: no

Confirm factory reset: yes

Prompt on empty password: yes

switch (config) #

Related Commands: show cli

Note:

cli session

cli session {auto-logout <minutes> | paging enable | prefix-modes {enable | show-config} | progress enable | terminal {length <size> | resize | type <terminal-type> | width} | x-display full <display>}

no cli session {auto-logout | paging enable | prefix-modes {enable | show-config} | progress enable | terminal type | x-display}

Configures default CLI options for all future sessions.

The no form of the command deletes or disables the CLI sessions.

Syntax Description:

minutes: Configures keyboard inactivity timeout for automatic logout. Range is 0-35791 minutes. Setting the value to 0 or using the no form of the command disables the auto logout.

paging enable: Enables text viewing one screen at a time.

prefix-modes enable | show-config: Configures the prefix modes feature of CLI.

• “prefix-modes enable” enables prefix modes for current and all future sessions

• “prefix-modes show-config” uses prefix modes in “show configuration” output for current and all future sessions

progress enable: Enables progress updates.

terminal length: Sets the number of lines for the current terminal. Valid range is 5-999.

terminal resize: Resizes the CLI terminal settings (to match the actual terminal window).

terminal-type: Sets the terminal type. Valid options are:

• ansi

• console

• dumb

• linux

• unknown

• vt52

• vt100

• vt102

• vt220

• vt320

• xterm

terminal width: Sets the width of the terminal in characters. Valid range is 34-999.

x-display full <display>: Specifies the display as a raw string, e.g localhost:0.0.

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # cli session auto-logout
switch (config) #

Related Commands: show terminal

Note:

terminal

terminal {length <number of lines> | resize | type <terminal type> | width <number of characters>}

no terminal type

Configures default CLI options for all future sessions.

The no form of the command clears the terminal type.

Syntax Description:

length: Sets the number of lines for this terminal. Range: 5-999

resize: Resizes the CLI terminal settings (to match with real terminal)

type: Sets the terminal type. Possible values: ansi, console, dumb, linux, screen, vt52, vt100, vt102, vt220, xterm.

width: Sets the width of this terminal in characters. Range: 34-999

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # terminal length 500
switch (config) #

Related Commands: show terminal

Note:

terminal sysrq enable

terminal sysrq enable

no terminal sysrq enable

Enable SysRq over the serial connection (RS232 or Console port).

The no form of the command disables SysRq over the serial connection (RS232 or Console port).

Syntax Description: N/A

Default: Enabled

Configuration Mode: Config

History: 3.4.3000

Role: admin

Example:

switch (config) # terminal sysrq enable
switch (config) #

Related Commands: show terminal

Note:

show cli

show cli

Displays the CLI configuration and status.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.1.0000

Role: admin

Example:

switch (config) # show cli

CLI current session settings:

Maximum line size: 8192

Terminal width: 171 columns

Terminal length: 38 rows

Terminal type: xterm

X display setting: (none)

Auto-logout: disabled

Paging: enabled

Progress tracking: enabled

Prefix modes: disabled

CLI defaults for future sessions:

Auto-logout: disabled

Paging: enabled

Progress tracking: enabled

Prefix modes: enabled (and use in 'show configuration')

Settings for both this session and future ones:

Show hidden config: yes

Confirm losing changes: yes

Confirm reboot/shutdown: no

Confirm factory reset: yes

Prompt on empty password: yes

switch (config) #

Related Commands: cli default

Note:

3.4.2

Banner

banner login

banner {login | login-remote | login-local} <string>

no banner login

Sets the CLI welcome banner message. The login-remote refers to the SSH connections banner, while the login-local refers to the serial connection banner.

The no form of the command resets the system login banner to its default.

Syntax Description:

string: Text string.

Default: “Mellanox MLNX-OS Switch Management”

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # banner login example
switch (config) # show banner
Banners:
MOTD:
Mellanox Switch
Login: example
switch (config) #

Related Commands: show banner

Note: If more than one word is used (there is a space) quotation marks should be added (i.e. “xxxx xxxx”).

banner login-local

banner login-local <string>

no banner login-local

Sets system login local banner.

The no form of the command resets the banner.

Syntax Description:

string: Text string.

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # banner login-local Testing
switch (config) #

Related Commands: show banner

Note: If more than one word is used (there is a space) quotation marks should be added (i.e. “xxxx xxxx”).

banner login-remote

banner login-remote <string>

no banner login-remote

Sets system login remote banner.

The no form of the command resets the banner.

Syntax Description:

string: Text string.

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # banner login-remote Testing
switch (config) #

Related Commands: show banner

Note: If more than one word is used (there is a space) quotation marks should be added (i.e. “xxxx xxxx”).

banner motd

banner motd <string>

no banner motd

Sets the message of the day banner.

The no form of the command resets the system Message of the Day banner.

Syntax Description:

string: Text string.

Default: “Mellanox Switch”

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # banner motd "My Banner"
switch (config) # show banner
Banners:
MOTD: My-Banner
Login:
Mellanox MLNX-OS Switch Management
switch (config) #

Related Commands: show banner

Note:

• If more than one word is used (there is a space) quotation marks should be added (i.e. "xxxx xxxx").

• To insert a multi-line MotD, hit Ctrl-V (escape sequence) followed by Ctrl-J (new line sequence). The symbol “^J” should appear. Then, whatever is typed after it becomes the new line of the MotD. Remember to also include the string between quotation marks.

show banner

show banner

Displays configured banners.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.1.0000

Role: unpriv/monitor/admin

Example:

switch (config) # show banner
Banners:
MOTD: Testing
Login:
Mellanox MLNX-OS Switch Management
switch (config) #

Related Commands: banner login, banner motd

Note:

3.4.3

SSH

ssh server enable

ssh server enable

no ssh server enable

Enables the SSH server.

The no form of the command disables the SSH server.

Syntax Description: N/A

Default: SSH server is enabled

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # ssh server enable
switch (config) # show ssh server
SSH server configuration:
SSH server enabled: yes
Server security strict mode: no
Minimum protocol version: 2
TCP forwarding enabled: yes
X11 forwarding enabled: no
SSH server ports: 22
Interface listen enabled: yes
No Listen Interfaces.
Host Key Finger Prints:
RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8
RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6
DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68
switch (config) #

Related Commands: show ssh server

Note: Disabling SSH server does not terminate existing SSH sessions, it only prevents new ones from being established.

ssh server host-key

ssh server host-key {<key-type> {private-key <private-key> | public-key <public-key>} | generate}

Manipulates host keys for SSH.

Syntax Description:

key-type:

• rsa1 - RSAv1

• rsa2 - RSAv2

• dsa2 - DSAv2

private-key: Sets new private-key for the host keys of the specified type.

public-key: Sets new public-key for the host keys of the specified type.

generate: Generates new RSA and DSA host keys for SSH.

Default: SSH keys are locally generated

Configuration Mode: Config

History:

3.1.0000

3.4.2300: Added notes

Role: admin

Example:

switch (config) # ssh server host-key dsa2 private-key

Key: ***********************************************

Confirm: ***********************************************

switch (config) # show ssh server host-keys

SSH server configuration:

SSH server enabled: yes

Minimum protocol version: 2

X11 forwarding enabled: no

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints:

RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8

RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68

Host Keys:

switch (config) #

Related Commands: show ssh server, system secure-mode enable

Note: When working in secure mode, the commands “ssh server host-key rsa1” and “ssh server host-key generate” do not create RSAv1 key-type.

ssh server listen

ssh server listen {enable | interface <inf>}

no ssh server listen {enable | interface <inf>}

Enables the listen interface restricted list for SSH. If enabled, and at least one non-DHCP interface is specified in the list, the SSH connections are only accepted on those specified interfaces.

The no form of the command disables the listen interface restricted list for SSH. When disabled, SSH connections are not accepted on any interface.

Syntax Description:

enable: Enables SSH interface restrictions on access to this system.

interface <inf>: Adds interface to SSH server access restriction list. Possible interfaces are “lo”, and “mgmt0”.

Default: SSH listen is enabled

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

switch (config) # ssh server listen enable
switch (config) # show ssh server

SSH server configuration:

SSH server enabled: yes

Minimum protocol version: 2

X11 forwarding enabled: no

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints:

RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8

RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68

switch (config) #

Related Commands show ssh server

Note

ssh server min-version

ssh server min-version <version>

no ssh server min-version

Sets the minimum version of the SSH protocol that the server supports.

The no form of the command resets the minimum version of SSH protocol supported.

Syntax Description

version Possible versions are 1 and 2.

Default 2

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh server min-version 2

switch (config) # show ssh server

SSH server configuration:

SSH server enabled: yes

Minimum protocol version: 2

X11 forwarding enabled: no

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints:

RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8

RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68

switch (config) #

Related Commands show ssh server

Note

ssh server ports

ssh server ports {<port1> [<port2>...]}

Specifies which ports the SSH server listens on.

Syntax Description

port Port number in [1...65535].

Default 22

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh server ports 22

switch (config) # show ssh server

SSH server configuration:

SSH server enabled: yes

Minimum protocol version: 2

X11 forwarding enabled: no

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints:

RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8

RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68

switch (config) #

Related Commands show ssh server

Note • Multiple ports can be specified by repeating the <port> parameter

• The command will remove any previous ports if not listed in the command

ssh server security strict

ssh server security strict

Enables strict security settings.

The no form of the command disables strict security settings.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh server security strict

switch (config) #

Related Commands show ssh server

Note

ssh server tcp-forwarding enable

ssh server tcp-forwarding enable

Enables TCP port forwarding.

The no form of the command disables TCP port forwarding.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh server tcp-forwarding enable

switch (config) #

Related Commands show ssh server

Note

ssh server x11-forwarding

ssh server x11-forwarding enable

no ssh server x11-forwarding enable

Enables X11 forwarding on the SSH server.

The no form of the command disables X11 forwarding.

Syntax Description N/A

Default X11-forwarding is disabled.

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh server x11-forwarding enable

switch (config) # show ssh server

SSH server configuration:

SSH server enabled: yes

Minimum protocol version: 2

X11 forwarding enabled: yes

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints:

RSA v1 host key: a0:63:db:96:e2:95:5a:5a:fd:a8:d0:f4:ab:e3:5f:f8

RSA v2 host key: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

DSA v2 host key: 7c:4a:f7:72:51:67:b5:0b:cd:a2:d2:b9:f3:be:3e:68

switch (config) #

Related Commands N/A

Note

ssh client global

ssh client global {host-key-check <policy> | known-host <known-host-entry>}

no ssh client global {host-key-check | known-host localhost}

Configures global SSH client settings.

The no form of the command negates global SSH client settings.

Syntax Description

host-key-check <policy> Sets SSH client configuration to control how host key checking is performed. This parameter may be set in 3 ways.

• If set to “no” it always permits connection, and accepts any new or changed host keys without checking

• If set to “ask” it prompts user to accept new host keys, but does not permit a connection if there was already a known host entry that does not match the one presented by the host

• If set to “yes” it only permits connection if a matching host key is already in the known hosts file

known-host Adds an entry to the global known-hosts configuration file.

known-host-entry Adds/removes an entry to/from the global known-hosts configuration file. The entry consists of “<IP> <keytype> <key>”.

Default host-key-check - ask, no keys are configured by default

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh client global host-key-check no

switch (config) # ssh client global known-host "72.30.2.2 ssh-rsa

AAAAB3NzaC1yc2EAAAABIwAAAIEArB9i5OnukAHNUOkwpCmEl0m88kJgBzL22+F5tfaSn+S0pVYxrceZeyuzXsoZ1VtFTk2Fydwy0YvMS0Kcv2PuCrPZV/

GYd31QEnn22rEmrlPrKCrMl1XlUy6DFlr3OgwWm1baobmDlG/gSziWz/gc4Jgqf2CyX-

Fq4pzaR1jar1Vk="

switch (config) # show ssh client

SSH client Strict Hostkey Checking: ask

SSH Global Known Hosts:

Entry 1: 72.30.2.2

Finger Print: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

No SSH user identities configured.

No SSH authorized keys configured.

switch (config) #

Related Commands show ssh client

Note

ssh client user

ssh client user <username> {authorized-key sshv2 <public key> | identity <key type> {generate | private-key [<private key>] | public-key [<public key>]} | known-host <known host> remove}

no ssh client user admin {authorized-key sshv2 <public key ID> | identity <key type>}

Adds an entry to the global known-hosts configuration file, either by generating a new key, or by manually adding a public or private key.

The no form of the command removes a public key from the specified user's authorized key list, or changes the key type.

Syntax Description

username The specified user must be a valid account on the system. Possible values for this parameter are “admin”, “monitor”, “xmladmin”, and “xmluser”.

authorized-key sshv2 <public key> Adds the specified key to the list of authorized SSHv2 RSA or DSA public keys for this user account. These keys can be used to log into the user's account.

identity <key type> Sets certain SSH client identity settings for a user, dsa2 or rsa2.

generate Generates SSH client identity keys for specified user.

private-key Sets private key SSH client identity settings for the user.

public-key Sets public key SSH client identity settings for the user.

known-host <known host> remove Removes host from user's known host file.

Default No keys are created by default

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ssh client user admin known-host 172.30.1.116 remove

switch (config) #

Related Commands show ssh client

Note If a key is being pasted from a cut buffer and was displayed with a paging program, it is likely that newline characters have been inserted, even if the output was not long enough to require paging. One can specify “no cli session paging enable” before running the “show” command to prevent the newlines from being inserted.
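The three host-key-check policies, the “<IP> <keytype> <key>” entry format and the paging note above, as an added Python example (not MLNX-OS code): it parses known-host entries, tolerates newlines inserted into a pasted key, and returns the decision each policy makes. The sample keys are constructed, and treating the 16-byte “Finger Print” as the MD5 of the decoded key is an assumption of this example.

```python
import base64
import hashlib
import hmac
import struct


def parse_known_host(entry):
    """Parse '<IP> <keytype> <key>' and return (host, keytype, key_blob).

    Whitespace inside the key (newlines added by a paging program when the
    key was copied from "show" output) is dropped before decoding.
    """
    parts = entry.split()
    if len(parts) < 3:
        raise ValueError("expected '<IP> <keytype> <key>'")
    host, keytype = parts[0], parts[1]
    # validate=True rejects stray characters instead of silently skipping them
    blob = base64.b64decode("".join(parts[2:]), validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type does not match the key blob")
    return host, keytype, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob (assumed format of "Finger Print")."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def load_known_hosts(entries):
    """Index parsed entries by (host, keytype)."""
    known = {}
    for entry in entries:
        host, keytype, blob = parse_known_host(entry)
        known[(host, keytype)] = blob
    return known


def host_key_decision(policy, known, host, keytype, presented_blob):
    """Return 'connect', 'prompt' or 'refuse' for the three documented policies."""
    if policy not in ("no", "ask", "yes"):
        raise ValueError("policy must be 'no', 'ask' or 'yes'")
    if policy == "no":
        return "connect"            # any new or changed key is accepted unchecked
    stored = known.get((host, keytype))
    if stored is None:              # host is not in the known-hosts file
        return "prompt" if policy == "ask" else "refuse"
    # Known host: a mismatch is refused under both "ask" and "yes".
    return "connect" if hmac.compare_digest(stored, presented_blob) else "refuse"


def sample_blob(keytype, filler):
    """Constructed stand-in for a public key blob: type string plus filler bytes."""
    name = keytype.encode()
    return struct.pack(">I", len(name)) + name + filler


# Constructed sample data (not real keys); 192.0.2.x is a documentation range.
GOOD = sample_blob("ssh-rsa", bytes(range(64)))
CHANGED = sample_blob("ssh-rsa", bytes(range(1, 65)))
B64 = base64.b64encode(GOOD).decode()
CLEAN_ENTRY = f"192.0.2.10 ssh-rsa {B64}"
PASTED_ENTRY = f"192.0.2.10 ssh-rsa {B64[:40]}\n{B64[40:]}"   # newline from paging

KNOWN = load_known_hosts([PASTED_ENTRY])

if __name__ == "__main__":
    print("fingerprint:", md5_fingerprint(KNOWN[("192.0.2.10", "ssh-rsa")]))
    for policy in ("no", "ask", "yes"):
        for label, host, blob in (("match", "192.0.2.10", GOOD),
                                  ("changed", "192.0.2.10", CHANGED),
                                  ("unknown", "192.0.2.20", GOOD)):
            print(policy, label,
                  host_key_decision(policy, KNOWN, host, "ssh-rsa", blob))
```

Only “no” lets a changed key through, which is why it removes the protection the known-hosts file provides.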

slogin

slogin [<slogin options>] <hostname>

Invokes the SSH client. The user is returned to the CLI when SSH finishes.

Syntax Description

slogin options usage: slogin [-1246AaCfgkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] [-e escape_char] [-F configfile] [-i identity_file] [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] [-p port] [-R port:host:hostport] [user@]hostname [command]

Default N/A

Configuration Mode Config

History 3.1.0000

Role monitor/admin

Example

switch (config) # slogin 192.168.10.70

The authenticity of host '192.168.10.70 (192.168.10.70)' can't be established.

RSA key fingerprint is 2e:ad:2d:23:45:4e:47:e0:2c:ae:8c:34:f0:1a:88:cb.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.10.70' (RSA) to the list of known hosts.

Mellanox MLNX-OS Switch Management

Last login: Sat Feb 28 22:55:17 2009 from 10.208.0.121

Mellanox Switch

switch (config) #

Related Commands N/A

Note

show ssh client

show ssh client

Displays the client configuration of the SSH server.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show ssh client

SSH client Strict Hostkey Checking: ask

SSH Global Known Hosts:

Entry 1: 72.30.2.2

Finger Print: 1e:b7:8b:ec:ab:35:98:be:6b:d6:12:c2:18:72:12:d6

No SSH user identities configured.

No SSH authorized keys configured.

switch (config) #

Related Commands N/A

Note

show ssh server

show ssh server

Displays SSH server configuration.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # show ssh server

SSH server configuration:

SSH server enabled: yes

Server security strict mode: no

Minimum protocol version: 2

TCP forwarding enabled: yes

X11 forwarding enabled: no

SSH server ports: 22

Interface listen enabled: yes

No Listen Interfaces.

Host Key Finger Prints and Key Lengths:

RSA v1 host key: 5f:4e:5f:4a:81:bb:6a:b4:06:52:77:eb:d3:ad:78:92 (2048)

RSA v2 host key: 15:e2:a8:45:1c:58:1b:00:cc:29:ec:00:38:83:49:00 (2048)

DSA v2 host key: df:c0:ac:a6:3e:a5:52:a5:d1:f6:22:37:ef:f1:08:f9 (1024)

switch (config) #

Related Commands ssh server

Note

3.4.4 Remote Login

telnet

telnet

Logs into another system using telnet.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # telnet

telnet>

Related Commands telnet-server

Note

telnet-server enable

telnet-server enable

no telnet-server enable

Enables the telnet server.

The no form of the command disables the telnet server.

Syntax Description N/A

Default Telnet server is disabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # telnet-server enable

switch (config) # show telnet-server

Telnet server enabled: yes

Related Commands show telnet-server

Note

show telnet-server

show telnet-server

Displays telnet server settings.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show telnet-server

Telnet server enabled: yes

switch (config) #

Related Commands telnet-server enable

Note

3.4.5 Web Interface

web auto-logout

web auto-logout <number of minutes>

no web auto-logout <number of minutes>

Configures length of user inactivity before auto-logout of a web session.

The no form of the command disables the web auto-logout (web sessions will never be logged out due to inactivity).

Syntax Description

<number of minutes> The length of user inactivity in minutes. 0 will disable the inactivity timer (same as a “no web auto-logout” command).

Default 60 minutes

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # web auto-logout 60

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web

Note The no form of the command does not automatically log users out due to inactivity.

web cache-enable

web cache-enable

no web cache-enable

Enables web clients to cache webpages.

The no form of the command disables web clients from caching webpages.

Syntax Description N/A

Default Enabled

Configuration Mode Config

History 3.4.1100

Role admin

Example

switch (config) # no web cache-enable

Related Commands N/A

Note

web client cert-verify

web client cert-verify

no web client cert-verify

Enables verification of server certificates during HTTPS file transfers.

The no form of the command disables verification of server certificates during HTTPS file transfers.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # web client cert-verify

Related Commands N/A

Note

web client ca-list

web client ca-list {<ca-list-name> | default-ca-list | none}

no web client ca-list

Configures supplemental CA certificates for verification of server certificates during HTTPS file transfers.

The no form of the command uses no supplemental certificates.

Syntax Description

ca-list-name Specifies CA list to configure.

default-ca-list Configures default supplemental CA certificate list.

none Uses no supplemental certificates.

Default default-ca-list

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # web client ca-list default-ca-list

Related Commands N/A

Note

web enable

web enable

no web enable

Enables the web-based management console.

The no form of the command disables the web-based management console.

Syntax Description N/A

Default enable

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # web enable

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web

Note

web http

web http {enable | port <port number> | redirect}

no web http {enable | port | redirect}

Configures HTTP access to the web-based management console.

The no form of the command negates HTTP settings for the web-based management console.

Syntax Description

enable Enables HTTP access to the web-based management console.

port <port number> Sets a port for HTTP access.

redirect Enables redirection to HTTPS. If HTTP access is enabled, this specifies whether a redirect from the HTTP port to the HTTPS port should be issued to mandate secure HTTPS access.

Default HTTP is enabled

HTTP TCP port is 80

HTTP redirect to HTTPS is disabled

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # web http enable

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web, web enable

Note Enabling HTTP is meaningful if the WebUI as a whole is enabled.

web httpd

web httpd listen {enable | interface <ifName>}

no web httpd listen {enable | interface <ifName>}

Enables the listen interface restricted list for HTTP and HTTPS.

The no form of the command disables the HTTP server listen ability.

Syntax Description

enable Enables Web interface restrictions on access to this system.

interface <ifName> Adds interface to Web server access restriction list (i.e. mgmt0, mgmt1)

Default Listening is enabled. All interfaces are permitted.

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # web httpd listen enable

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands N/A

Note If enabled, and if at least one of the interfaces listed is eligible to be a listen interface, then HTTP/HTTPS requests will only be accepted on those interfaces. Otherwise, HTTP/HTTPS requests are accepted on any interface.

web https

web https {certificate {regenerate | name | default-cert} | enable | port <port number> | ssl ciphers {all | TLS | TLS1.2}}

no web https {enable | port <port number>}

Configures HTTPS access to the web-based management console.

The no form of the command negates HTTPS settings for the web-based management console.

Syntax Description

certificate regenerate Re-generates certificate to use for HTTPS connections.

certificate name Configure the named certificate to be used for HTTPS connections

certificate default-cert Configure HTTPS to use the configured default certificate

enable Enables HTTPS access to the web-based management console.

port Sets a TCP port for HTTPS access.

ssl ciphers {all | TLS | TLS1.2} Sets ciphers to be used for HTTPS.

Default HTTPS is enabled

Default port is 443

Configuration Mode Config

History 3.1.0000

3.4.0000 Added “ssl ciphers” parameter

3.4.0010 Added TLS parameter to “ssl ciphers”

Role admin

Example

switch (config) # web https enable

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web, web enable

Note • Enabling HTTPS is meaningful if the WebUI as a whole is enabled.

• See the command “crypto certificate default-cert name” for how to change the default certificate if inheriting the configured default certificate is preferred

web session

web session {renewal <minutes> | timeout <minutes>}

no web session {renewal | timeout}

Configures session settings.

The no form of the command resets session settings to default.

Syntax Description

renewal <minutes> Configures time before expiration to renew a session.

timeout <minutes> Configures time after which a session expires.

Default timeout - 2.5 hours

renewal - 30 min

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # web session renewal 60

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 60 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands N/A

Note

web proxy auth

web proxy auth {authtype <type> | basic [password <password> | username <username>]}

no web proxy auth {authtype | basic {password | username}}

Configures authentication settings for web proxy authentication.

The no form of the command resets the attributes to their default values.

Syntax Description

type Configures the type of authentication to use with web proxy. The possible values are:

• basic - HTTP basic authentication

• none - No authentication

basic Configures HTTP basic authentication settings for proxy. The password is accepted and stored in plaintext.

password A password used for HTTP basic authentication with the web proxy.

username A username used for HTTP basic authentication with the web proxy.

Default Web proxy is disabled.

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # web proxy auth authtype basic

switch (config) # web proxy auth basic username web-user

switch (config) # web proxy auth basic password web-password

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: yes

Proxy address: 10.10.10.11

Proxy port: 40

Authentication type: basic

Basic auth username: web-user

Basic auth password: web-password

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web, web proxy host

Note

web proxy host

web proxy host <IP address> [port <port number>]

no web proxy

Adds and enables a proxy to be used for any HTTP or FTP downloads.

The no form of the command disables the web proxy.

Syntax Description

<IP address> IPv4 or IPv6 address.

<port number> Sets the web proxy default port.

Default 1080

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # web proxy host 10.10.10.10 port 1080

switch (config) # show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: yes

Proxy address: 10.10.10.10

Proxy port: 1080

Authentication type: basic

Basic auth username: web-user

Basic auth password: web-password

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands web proxy auth

Note

show web

show web

Displays the web configuration.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

3.4.1100 Updated Example

Role admin

Example

switch (config) # show web

Web User Interface:

Web interface enabled: yes

Web caching enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: all

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: 1 hr

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: yes

Proxy address: 10.10.10.11

Proxy port: 40

Authentication type: basic

Basic auth username: web-user

Basic auth password: web-password

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config) #

Related Commands show web, web proxy auth

Note
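An added Python example (not part of the manual or of MLNX-OS) that parses the “show ssh server”, “show telnet-server” and “show web” outputs shown in this chapter and reports settings a reviewer would question. The finding names and the choice of what to flag are assumptions of this example, not Mellanox guidance; the sample text is copied from the examples above.

```python
import re

# Sample text copied from the "show ssh server", "show telnet-server" and
# "show web" examples in this chapter, including the fused trailing prompt.
SSH_OUTPUT = """\
SSH server configuration:
SSH server enabled: yes
Server security strict mode: no
Minimum protocol version: 2
TCP forwarding enabled: yes
X11 forwarding enabled: no
SSH server ports: 22
Interface listen enabled: yes
No Listen Interfaces.
Host Key Finger Prints and Key Lengths:
RSA v1 host key: 5f:4e:5f:4a:81:bb:6a:b4:06:52:77:eb:d3:ad:78:92 (2048)
RSA v2 host key: 15:e2:a8:45:1c:58:1b:00:cc:29:ec:00:38:83:49:00 (2048)
DSA v2 host key: df:c0:ac:a6:3e:a5:52:a5:d1:f6:22:37:ef:f1:08:f9 (1024) switch (config) #
"""
TELNET_OUTPUT = "Telnet server enabled: yes switch (config) #\n"
WEB_OUTPUT = """\
Web User Interface:
Web interface enabled: yes
HTTP enabled: yes
HTTP port: 80
HTTP redirect to HTTPS: no
HTTPS enabled: yes
HTTPS port: 443
HTTPS ssl-ciphers: all
Listen enabled: yes
No Listen Interfaces.
Web file transfer proxy:
Proxy enabled: yes
Authentication type: basic
Basic auth username: web-user
Basic auth password: web-password
Web file transfer certificate authority:
HTTPS server cert verify: yes
HTTPS supplemental CA list: default-ca-list switch (config) #
"""

PROMPT = re.compile(r"\s*\S+ \(config[^)]*\) #.*$")   # "switch (config) # ..."
KEY_BITS = re.compile(r"\((\d+)\)$")                   # "(1024)" after a fingerprint


def parse_show(text):
    """Return ({setting: value}, [lines without a value]) for one show output."""
    settings, bare = {}, []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()   # drop a prompt fused onto the line
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            bare.append(line)                # e.g. "No Listen Interfaces."
        elif value.strip():                  # section headers have no value
            settings[key.strip()] = value.strip()
    return settings, bare


def audit(text):
    """Return the sorted finding names for one show output."""
    s, bare = parse_show(text)
    yes = lambda key: s.get(key, "").lower() == "yes"
    no = lambda key: s.get(key, "").lower() == "no"
    found = set()
    if s.get("Minimum protocol version") == "1":
        found.add("ssh-protocol-1-allowed")
    if no("Server security strict mode"):
        found.add("ssh-strict-off")
    if yes("TCP forwarding enabled"):
        found.add("ssh-tcp-forwarding")
    if yes("X11 forwarding enabled"):
        found.add("ssh-x11-forwarding")
    if yes("Telnet server enabled"):
        found.add("telnet-enabled")
    if yes("HTTP enabled") and no("HTTP redirect to HTTPS"):
        found.add("http-no-redirect")
    if s.get("HTTPS ssl-ciphers", "").lower() == "all":
        found.add("https-ciphers-all")
    if no("HTTPS server cert verify"):
        found.add("cert-verify-off")
    if "Basic auth password" in s:           # shown in cleartext by "show web"
        found.add("proxy-password-displayed")
    # Listen list enabled but empty: no interface restriction is in effect.
    if (yes("Interface listen enabled") or yes("Listen enabled")) \
            and "No Listen Interfaces." in bare:
        found.add("listen-unrestricted")
    for key, value in s.items():
        bits = KEY_BITS.search(value)
        if key.endswith("host key") and bits and int(bits.group(1)) < 2048:
            found.add("short-host-key:" + key)
    return sorted(found)


if __name__ == "__main__":
    for name, text in (("ssh", SSH_OUTPUT), ("telnet", TELNET_OUTPUT), ("web", WEB_OUTPUT)):
        print(name, audit(text))
```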


4 System Management

4.1 Management Interface

4.1.1 Configuring Management Interfaces with Static IP Addresses

If your switch system was set during initialization to obtain dynamic IP addresses through DHCP and you wish to switch to static assignments, perform the following steps:

Step 1. Enter Config mode. Run:

switch >

switch > enable

switch # configure terminal

switch (config) #

Step 2. Disable setting IP addresses using DHCP with the following command:

switch (config) # no interface <ifname> dhcp

Step 3. Define your interfaces statically using the following command:

switch (config) # interface <ifname> ip address <IP address> <netmask>

4.1.2 Configuring IPv6 Address on the Management Interface

Step 1. Enable IPv6 on this interface.

switch (config) # interface mgmt0 ipv6 enable

Step 2. Set the IPv6 address to be configured automatically.

switch (config) # interface mgmt0 ipv6 address autoconfig

Step 3. Verify the IPv6 address is configured correctly.

switch (config) # show interfaces mgmt0 brief

4.1.3 Dynamic Host Configuration Protocol (DHCP)

DHCP is used for automatic retrieval of management IP addresses.

For all other systems (and software versions) DHCP is disabled by default.

If a user connects through SSH, runs the wizard and turns off DHCP, the connection is immediately terminated as the management interface loses its IP address.

<localhost># ssh admin@<ip-address>

Mellanox MLNX-OS Switch Management

Password:

Mellanox Switch

Mellanox configuration wizard

Do you want to use the wizard for initial configuration? yes

Step 1: Hostname? [my-switch]

Step 2: Use DHCP on mgmt0 interface? [yes] no

<localhost>#

In such a case the serial connection should be used.

4.1.4 Default Gateway

To manually configure the default gateway, use the “ip route” command, with “0.0.0.0” as prefix and mask. The next-hop address must be within the range of one of the IP interfaces on the system.

switch (config)# ip route 0.0.0.0 0.0.0.0 10.209.0.2

switch (config)# show ip route

Destination Mask Gateway Interface Source

default 0.0.0.0 10.209.0.2 mgmt0 static

10.209.0.0 255.255.254.0 0.0.0.0 mgmt0 direct

switch (config)#

4.1.5 In-Band Management

In-band management is a management path passing through the data ports. In-band management can be created over one of the VLANs in the system.

The in-band management feature does not require any license. However, it works only for system profiles VPI and Ethernet. It can be enabled with IP Routing but not with IP Proxy-ARP.

To set an in-band management channel:

Step 1. Create a VLAN. Run:

switch (config) # vlan 10

switch (config vlan 10) #

Step 2. Create a VLAN interface. Run:

switch (config) # interface vlan 10

Step 3. Enter the VLAN interface configuration mode and configure L3 attributes. Run:

switch (config) # interface vlan 10

switch (config interface vlan 10) # ip address 10.10.10.10 /24

Step 4. (Optional) Verify in-band management configuration. Run:

switch (config) # show interfaces vlan 10

Admin state: Enabled

Operational state: Up

Mac Address: f4:52:14:67:07:e8

Internet Address: 10.10.10.10/24

Broadcast address: 10.10.10.255

MTU: 1500 bytes

Arp timeout: 1500 seconds

Icmp redirect: Disabled

Description: N/A

VRF: default

Counters: Enabled

RX

0 Unicast packets

0 Multicast packets

0 Unicast bytes

0 Multicast bytes

0 Bad packets

0 Bad bytes

TX

0 Unicast packets

0 Multicast packets

0 Unicast bytes

0 Multicast bytes

switch (config) #

4.1.6 Commands

4.1.6.1 Interface

This chapter describes the commands that should be used to configure and monitor the management interface.

interface

interface {mgmt0 | mgmt1 | lo | vlan<id>}

Enters a management interface context.

Syntax Description

mgmt0 Management port 0 (out of band).

mgmt1 Management port 1 (out of band).

lo Loopback interface.

vlan<id> In-band management interface (e.g. vlan10).

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # interface mgmt0

switch (config interface mgmt0) #

Related Commands show interfaces <ifname>

Notes

ip address

ip address <IP address> <netmask>

no ip address

Sets the IP address and netmask of this interface.

The no form of the command clears the IP address and netmask of this interface.

Syntax Description

<IP address> IPv4 address

<netmask> Subnet mask of IP address

Default 0.0.0.0/0

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example

switch (config) # interface mgmt0

switch (config interface mgmt0) # ip address 10.10.10.10 255.255.255.0

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 10.10.10.10

Netmask: 255.255.255.0

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment:

RX bytes: 2946769856 TX bytes: 467577486

RX packets: 44866091 TX packets: 1385520

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #

Related Commands show interfaces <ifname>

Notes If DHCP is enabled on the specified interface, then the DHCP IP assignment will hold until DHCP is disabled.

ip default-gateway

ip default-gateway <next hop IP address or interface name>

no ip default-gateway

Configures a default route.

The no form of the command removes the current default route.

Syntax Description

<next hop IP address or interface name> IP address, lo, mgmt0, or mgmt1.

Default N/A

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example

switch (config) # ip default-gateway mgmt1

switch (config) #

Related Commands

Notes

alias

alias <index> ip address <IP address> <netmask>

no alias <index>

Adds an additional IP address to the specified interface. The secondary address will appear in the output of “show interface” under the data of the primary interface along with the alias.

The no form of the command removes the secondary address from the specified interface.

Syntax Description

index A number that is to be aliased to (associated with) the secondary IP.

<IP address> Additional IP address.

<netmask> Subnet mask of the IP address.

Default N/A

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example

switch (config interface mgmt0) # alias 2 ip address 9.9.9.9 255.255.255.255

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

Secondary address: 9.9.9.9/32 (alias: 'mgmt0:2')

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment:

RX bytes: 2970074221 TX bytes: 468579522

RX packets: 44983023 TX packets: 1390539

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #


Related Commands show interfaces <ifname>

Notes • If DHCP is enabled on the specified interface, then the DHCP IP assignment will hold until DHCP is disabled

• More than one additional IP address can be added to the interface


mtu

mtu <bytes>

no mtu <bytes>

Sets the Maximum Transmission Unit (MTU) of this interface.

The no form of the command resets the MTU to its default.

Syntax Description

bytes - The entry range is 68-1500.

Default 1500

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # mtu 1500

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

Secondary address: 9.9.9.9/32 (alias: 'mgmt0:2')

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment:

RX bytes: 2970074221 TX bytes: 468579522

RX packets: 44983023 TX packets: 1390539

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #

Related Commands show interfaces <ifname>

Notes


duplex

duplex <duplex>

no duplex

Sets the interface duplex.

The no form of the command resets the duplex setting for this interface to its default value.

Syntax Description

duplex - Sets the duplex mode of the interface. The following are the possible values:

• half - half duplex

• full - full duplex

• auto - auto duplex sensing (half or full)

Default auto

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # duplex auto

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

Secondary address: 9.9.9.9/32 (alias: 'mgmt0:2')

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment:

RX bytes: 2970074221 TX bytes: 468579522

RX packets: 44983023 TX packets: 1390539

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #


Related Commands show interfaces <ifname>

Notes • Setting the duplex to “auto” also sets the speed to “auto”

• Setting the duplex to one of the settings “half” or “full” also sets the speed to a manual setting which is determined by querying the interface to find out its current auto-detected state


speed

speed <speed>

no speed

Sets the interface speed.

The no form of the command resets the speed setting for this interface to its default value.

Syntax Description

speed - Sets the speed of the interface. The following are the possible values:

• 10 - fixed to 10Mbps

• 100 - fixed to 100Mbps

• 1000 - fixed to 1000Mbps

• auto - auto speed sensing (10/100/1000Mbps)

Default auto

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # speed auto

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

Secondary address: 9.9.9.9/32 (alias: 'mgmt0:2')

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment:

RX bytes: 2970074221 TX bytes: 468579522

RX packets: 44983023 TX packets: 1390539

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #


Related Commands show interfaces <ifname>

Notes • Setting the speed to “auto” also sets the duplex to “auto”

• Setting the speed to one of the manual settings (generally “10”, “100”, or “1000”) also sets the duplex to a manual setting which is determined by querying the interface to find out its current auto-detected state


dhcp

dhcp [renew]

no dhcp

Enables DHCP on the specified interface.

The no form of the command disables DHCP on the specified interface.

Syntax Description

renew - Forces a renewal of the IP address. A restart on the DHCP client for the specified interface will be issued.

Default Could be enabled or disabled (per part number) manufactured with 3.2.0500

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # dhcp

switch (config) # show interfaces mgmt0 configured

Interface mgmt0 configuration

Enabled: yes

DHCP: yes

Zeroconf: no

IP address:

Netmask:

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 0

Speed: auto

Duplex: auto

MTU: 1500

Comment:

Related Commands show interfaces <ifname> configured

Notes • When enabling DHCP, the IP address and netmask are received via DHCP; hence, the static IP address configuration is ignored

• Enabling DHCP disables zeroconf and vice versa

• Setting a static IP address and netmask does not disable DHCP. DHCP is disabled by using the “no” form of this command, or by enabling zeroconf.


shutdown

shutdown

no shutdown

Disables the specified interface.

The no form of the command enables the specified interface.

Syntax Description N/A

Default no shutdown

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # no shutdown

switch (config) # show interfaces mgmt0 configured

Interface mgmt0 configuration

Enabled: yes

DHCP: yes

Zeroconf: no

IP address:

Netmask:

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 0

Speed: auto

Duplex: auto

MTU: 1500

Comment:

switch (config) #

Related Commands show interfaces <ifname> configured

Notes


zeroconf

zeroconf

no zeroconf

Enables zeroconf on the specified interface. It randomly chooses a unique link-local IPv4 address from the 169.254.0.0/16 block. This command is an alternative to DHCP.

The no form of the command disables the use of zeroconf on the specified interface.

Syntax Description N/A

Default no zeroconf

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # zeroconf

switch (config) # show interfaces mgmt0 configured

Interface mgmt0 configuration

Enabled: yes

DHCP: no

Zeroconf: yes

IP address:

Netmask:

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 0

Speed: auto

Duplex: auto

MTU: 1500

Comment:

Related Commands show interfaces <ifname> configured

Notes Enabling zeroconf disables DHCP and vice versa.


comment

comment <comment>

no comment

Adds a comment for an interface.

The no form of the command removes a comment for an interface.

Syntax Description

comment - A free-form string that has no semantics other than being displayed when the interface records are listed.

Default no comment

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # comment my-interface

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment: my-interface

RX bytes: 962067812 TX bytes: 40658219

RX packets: 3738865 TX packets: 142345

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #

Related Commands N/A

Notes


ipv6 enable

ipv6 enable

no ipv6 enable

Enables all IPv6 addressing for this interface.

The no form of the command disables all IPv6 addressing for this interface.

Syntax Description N/A

Default IPv6 addressing is disabled

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # ipv6 enable

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment: my-interface

RX bytes: 962067812 TX bytes: 40658219

RX packets: 3738865 TX packets: 142345

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #


Related Commands ipv6 address show interface <ifname>

Notes • The interface identifier is a 64-bit long modified EUI-64, which is based on the MAC address of the interface

• If IPv6 is enabled on an interface, the system will automatically add a link-local address to the interface. Link-local addresses can only be used to communicate with other hosts on the same link, and packets with link-local addresses are never forwarded by a router.

• A link-local address, which may not be removed, is required for proper IPv6 operation. The link-local addresses start with “fe80::”, and are combined with the interface identifier to form the complete address.
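
The notes above say the link-local address is “fe80::” combined with a modified EUI-64 identifier built from the interface MAC. The following added example (not code from the manual or from Mellanox) derives that address from the “HW address” line of “show interfaces” output and compares it with the reported “IPv6 address” lines; the function names and the sample text are assumptions made for this example, and the sample values are the ones printed in the manual's example output.

```python
import ipaddress

# Constructed sample in the layout of "show interfaces mgmt0"; the values are
# the ones printed in the manual's example output.
SAMPLE_OK = """\
Interface mgmt0 state
Admin up: yes
IPv6 enabled: yes
Autoconf privacy: no
IPv6 addresses: 1
IPv6 address: fe80::202:c9ff:fe5e:a5d8/64
HW address: 00:02:C9:5E:A5:D8
"""
# Same text with one colon lost in transcription, to exercise the error path.
SAMPLE_DAMAGED = SAMPLE_OK.replace("fe80::202", "fe80:202")


def modified_eui64(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    # Invert the universal/local bit (0x02) of the first octet and insert
    # ff:fe between the two halves of the MAC address.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_for(mac):
    """Combine the fe80::/64 prefix with the modified EUI-64 identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def check_link_local(show_output):
    """Classify every reported IPv6 address against the MAC-derived link-local.

    matches_mac: address equals the derived link-local (the interface
                 identifier exposes the hardware address on the link)
    other:       valid address with a different value (static, SLAAC, privacy)
    malformed:   text that is not a valid IPv6 address/prefix
    """
    mac, reported = None, []
    for line in show_output.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key.strip() == "HW address":
            mac = value.strip()
        elif key.strip() == "IPv6 address":
            reported.append(value.strip())
    if mac is None:
        raise ValueError("no 'HW address' line in the output")

    expected = link_local_for(mac)
    result = {"expected": str(expected), "matches_mac": [], "other": [], "malformed": []}
    for text in reported:
        try:
            address = ipaddress.IPv6Interface(text).ip
        except ValueError:
            result["malformed"].append(text)
            continue
        result["matches_mac" if address == expected else "other"].append(text)
    return result


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("damaged", SAMPLE_DAMAGED)):
        print(label, check_link_local(sample))
```

Because the identifier is a reversible function of the MAC, a link-local address seen in logs or captures can be tied back to a specific management port in an asset inventory.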


ipv6 address

ipv6 address {<IPv6 address/netmask> | autoconfig [default | privacy]}

no ipv6 {<IPv6 address/netmask> | autoconfig [default | privacy]}

Configures an IPv6 address and netmask for this interface; static or autoconfig options are possible.

The no form of the command removes the given IPv6 address and netmask or disables the autoconfig options.

Syntax Description

IPv6 address/netmask - Configures a static IPv6 address and netmask. Format example: 2001:db8:1234::5678/64.

(SLAAC) for this interface. An address will be automatically added to the interface based on an IPv6 prefix learned from router advertisements, combined with an interface identifier.

autoconfig default - Enables default learning routes. The default route will be discovered automatically, if the autoconfig is enabled.

autoconfig privacy - Uses privacy extensions for SLAAC to construct the autoconfig address, if the autoconfig is enabled.

Default No IP address available, auto config is enabled

Configuration Mode Config Interface Management

History 3.1.0000

Role admin

Example switch (config interface mgmt0) # ipv6 fe80::202:c9ff:fe5e:a5d8/64

switch (config interface mgmt0) # show interfaces mgmt0

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment: my-interface

RX bytes: 962067812 TX bytes: 40658219

RX packets: 3738865 TX packets: 142345

RX mcast packets: 0 TX discards: 0

RX discards: 0 TX errors: 0

RX errors: 0 TX overruns: 0

RX overruns: 0 TX carrier: 0

RX frame: 0 TX collisions: 0

TX queue len: 1000

switch (config interface mgmt0) #

Related Commands ipv6 enable show interface <ifname>

Notes • Unlike IPv4, IPv6 can have multiple IPv6 addresses on a given interface

• For Ethernet, the default interface identifier is a 64-bit long modified EUI-64, which is based on the MAC address of the interface


ipv6 dhcp primary-intf

ipv6 dhcp primary-intf <if-name>

no ipv6 dhcp primary-intf

Sets the interface from which non-interface-specific (resolver) configuration is accepted via DHCPv6.

The no form of the command resets non-interface-specific (resolver) configuration.

Syntax Description

if-name - Interface name:

• lo

• mgmt0

• mgmt1

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ipv6 dhcp primary-intf mgmt0

switch (config) #

Related Commands ipv6 enable ipv6 address show interface <ifname>

Notes


ipv6 dhcp stateless

ipv6 dhcp stateless

no ipv6 dhcp stateless

Enables stateless DHCPv6 requests.

The no form of the command disables stateless DHCPv6 requests.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ipv6 dhcp stateless

switch (config) #

Related Commands ipv6 enable ipv6 address show interface <ifname>

Notes • This command only gets DNS configuration, not an IPv6 address

• The no form of the command requests all information, including an IPv6 address


show interface

show interface {<ifname> [configured | brief]}

Displays information about the specified interface, configuration status, and counters.

Syntax Description

ifname - The interface name e.g., “mgmt0”, “mgmt1”, “lo” (loopback), etc.

configured - Displays the interface configuration.

brief - Displays a brief info on the interface configuration and status.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show interfaces mgmt0 configured

Interface mgmt0 configuration

Enabled: yes

DHCP: yes

Zeroconf: no

IP address:

Netmask:

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 0

Speed: auto

Duplex: auto

MTU: 1500

Comment: my-interface

switch (config) # show interfaces mgmt0 brief

Interface mgmt0 state

Admin up: yes

Link up: yes

IP address: 172.30.2.2

Netmask: 255.255.0.0

IPv6 enabled: yes

Autoconf enabled: no

Autoconf route: yes

Autoconf privacy: no

IPv6 addresses: 1

IPv6 address: fe80::202:c9ff:fe5e:a5d8/64

Speed: 1000Mb/s (auto)

Duplex: full (auto)

Interface type: ethernet

Interface ifindex: 2

Interface source: physical

MTU: 1500

HW address: 00:02:C9:5E:A5:D8

Comment: my-interface

switch (config) #


Related Commands N/A

Notes


4.1.6.2 Hostname Resolution

hostname

hostname <hostname>

no hostname

Sets a static system hostname.

The no form of the command clears the system hostname.

Syntax Description

hostname - A free-form string.

Default Default hostname

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # hostname my-switch-hostname

my-switch-hostname (config) #

Related Commands show hosts

Notes • Hostname may contain letters, numbers, and hyphens ('-'), in any combination

• Hostname may not contain other characters, such as ‘%’, ‘_’, ‘.’, etc.

• Hostname may not begin with a hyphen

• Hostname may be 1-63 characters long

• Changing hostname stamps a new HTTPS certificate


ip name-server

ip name-server <IPv4/IPv6 address>

no name-server <IPv4/IPv6 address>

Sets the static name server.

The no form of the command clears the name server.

Syntax Description

IPv4/v6 address - IPv4 or IPv6 address.

Default No server name

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ip name-server 9.9.9.9

switch (config) # show hosts

Hostname: switch

Name server: 9.9.9.9 (configured)

Name server: 10.211.0.121 (dynamic)

Name server: 172.30.0.126 (dynamic)

Name server: 10.4.0.135 (dynamic)

Domain name: lab.mtl.com (dynamic)

Domain name: vmlab.mtl.com (dynamic)

Domain name: yok.mtl.com (dynamic)

Domain name: mtl.com (dynamic)

IP 127.0.0.1 maps to hostname localhost

IPv6 ::1 maps to hostname localhost6

Automatically map hostname to loopback address: yes

Automatically map hostname to IPv6 loopback address: no

switch (config) #

Related Commands show hosts

Notes


ip domain-list

ip domain-list <domain-name>

no ip domain-list <domain-name>

Sets the static domain name.

The no form of the command clears the domain name.

Syntax Description

domain-name - The domain name in a string form. A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS).

Default No static domain name

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ip domain-list mydomain.com

switch (config) # show hosts

Hostname: switch

Name server: 10.211.0.121 (dynamic)

Name server: 172.30.0.126 (dynamic)

Name server: 10.4.0.135 (dynamic)

Domain name: mydomain.com (configured)

Domain name: lab.mtl.com (dynamic)

Domain name: vmlab.mtl.com (dynamic)

Domain name: yok.mtl.com (dynamic)

Domain name: mtl.com (dynamic)

IP 1.1.1.1 maps to hostname p

IP 127.0.0.1 maps to hostname localhost

IPv6 ::1 maps to hostname localhost6

Automatically map hostname to loopback address: yes

Automatically map hostname to IPv6 loopback address: no

switch (config) #

Related Commands show hosts

Notes


ip/ipv6 host

{ip | ipv6} host <hostname> <IP Address>

no {ip | ipv6} host <hostname> <IP Address>

Configures the static hostname IPv4 or IPv6 address mappings.

The no form of the command clears the static mapping.

Syntax Description

hostname - The hostname in a string form.

IP Address - The IPv4 or IPv6 address.

Default No static domain name.

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ip host my-host 2.2.2.2

switch (config) # ipv6 host my-ipv6-host 2001::8f9

switch (config) # show hosts

Hostname: switch

Name server: 9.9.9.9 (configured)

Name server: 10.211.0.121 (dynamic)

Name server: 172.30.0.126 (dynamic)

Name server: 10.4.0.135 (dynamic)

Domain name: mydomain.com (configured)

Domain name: lab.mtl.com (dynamic)

Domain name: vmlab.mtl.com (dynamic)

Domain name: yok.mtl.com (dynamic)

Domain name: mtl.com (dynamic)

IP 1.1.1.1 maps to hostname p

IP 127.0.0.1 maps to hostname localhost

IP 2.2.2.2 maps to hostname my-host

IPv6 2001::8f9 maps to hostname my-ipv6-host

IPv6 ::1 maps to hostname localhost6

Automatically map hostname to loopback address: yes

Automatically map hostname to IPv6 loopback address: yes

switch (config) #

Related Commands show hosts

Notes


ip/ipv6 map-hostname

{ip | ipv6} map-hostname

no {ip | ipv6} map-hostname

Maps between the currently-configured hostname and the loopback address 127.0.0.1.

The no form of the command clears the mapping.

Syntax Description N/A

Default IPv4 mapping is enabled by default

IPv6 mapping is disabled by default

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ip map-hostname

switch (config) # show hosts

Hostname: switch

Name server: 9.9.9.9 (configured)

Name server: 10.211.0.121 (dynamic)

Name server: 172.30.0.126 (dynamic)

Name server: 10.4.0.135 (dynamic)

Domain name: mydomain.com (configured)

Domain name: lab.mtl.com (dynamic)

Domain name: vmlab.mtl.com (dynamic)

Domain name: yok.mtl.com (dynamic)

Domain name: mtl.com (dynamic)

IP 1.1.1.1 maps to hostname p

IP 127.0.0.1 maps to hostname localhost

IP 2.2.2.2 maps to hostname my-host

IPv6 2001::8f9 maps to hostname my-ipv6-host

IPv6 ::1 maps to hostname localhost6

Automatically map hostname to loopback address: yes

Automatically map hostname to IPv6 loopback address: yes

switch (config) #

switch (config) # ping my-host-name

PING localhost (127.0.0.1) 56(84) bytes of data.

64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.078 ms

64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.052 ms

64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.058 ms

Related Commands show hosts

Notes • If no mapping is configured, a mapping between the hostname and the IPv4 loopback address 127.0.0.1 will be added

• The no form of the command maps the hostname to the IPv6 loopback address if there is no statically configured mapping from the hostname to an IPv6 address (disabled by default)

• Static host mappings are preferred over DNS results. As a result, with this option set, you will not be able to look up your hostname on your configured DNS server; but without it set, some problems may arise if your hostname cannot be looked up in DNS.
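
Because static host mappings are preferred over DNS results and name servers can be either configured or learned dynamically, “show hosts” output is worth reviewing against a baseline. The following added example (not code from the manual or from Mellanox) parses text in the layout of the manual's “show hosts” output and reports resolvers outside an approved list and static mappings that override DNS; it also encodes the hostname rules from the hostname command notes. The function names, finding labels, approved-resolver list and sample text are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample in the layout of the manual's "show hosts" output.
SAMPLE_SHOW_HOSTS = """\
Hostname: my-switch-hostname
Name server: 9.9.9.9 (configured)
Name server: 10.211.0.121 (dynamic)
Domain name: mydomain.com (configured)
Domain name: lab.mtl.com (dynamic)
IP 127.0.0.1 maps to hostname localhost
IP 2.2.2.2 maps to hostname my-host
IPv6 2001::8f9 maps to hostname my-ipv6-host
IPv6 ::1 maps to hostname localhost6
Automatically map hostname to loopback address: yes
Automatically map hostname to IPv6 loopback address: no
"""

# Hostname rules from the hostname command notes: letters, digits and
# hyphens only, no leading hyphen, 1-63 characters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")
ENTRY_RE = re.compile(r"(Name server|Domain name): (\S+) \((configured|dynamic)\)")
MAPPING_RE = re.compile(r"(?:IP|IPv6) (\S+) maps to hostname (\S+)")


def valid_hostname(name):
    """True when the name satisfies the manual's hostname rules."""
    return HOSTNAME_RE.fullmatch(name) is not None


def parse_show_hosts(text):
    """Turn 'show hosts' text into hostname, resolvers, domains and mappings."""
    state = {"hostname": None, "name_servers": [], "domains": [], "static_hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.fullmatch(line)
        mapping = MAPPING_RE.fullmatch(line)
        if line.startswith("Hostname: "):
            state["hostname"] = line[len("Hostname: "):]
        elif entry:
            key = "name_servers" if entry.group(1) == "Name server" else "domains"
            state[key].append((entry.group(2), entry.group(3)))
        elif mapping:
            state["static_hosts"].append((mapping.group(1), mapping.group(2)))
    return state


def audit_show_hosts(text, approved_resolvers):
    """Return (label, detail) findings for review; an empty list means no drift."""
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    state = parse_show_hosts(text)
    findings = []
    if not valid_hostname(state["hostname"] or ""):
        findings.append(("invalid-hostname", state["hostname"]))
    # Resolvers not on the baseline, whether configured or learned dynamically.
    for addr, origin in state["name_servers"]:
        if ipaddress.ip_address(addr) not in approved:
            findings.append(("unapproved-resolver", "%s (%s)" % (addr, origin)))
    # Non-loopback static mappings win over DNS, so each one is listed.
    for addr, name in state["static_hosts"]:
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(("static-mapping-overrides-dns", "%s -> %s" % (name, addr)))
    return findings


if __name__ == "__main__":
    for finding in audit_show_hosts(SAMPLE_SHOW_HOSTS, ["9.9.9.9"]):
        print(finding)
```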


show hosts

show hosts

Displays hostname, DNS configuration, and static host mappings.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show hosts

Hostname: my-host-name

Name server: 9.9.9.9 (configured)

Name server: 10.211.0.121 (dynamic)

Name server: 172.30.0.126 (dynamic)

Name server: 10.4.0.135 (dynamic)

Domain name: mydomain.com (configured)

Domain name: lab.mtl.com (dynamic)

Domain name: vmlab.mtl.com (dynamic)

Domain name: yok.mtl.com (dynamic)

Domain name: mtl.com (dynamic)

IP 1.1.1.1 maps to hostname p

IP 127.0.0.1 maps to hostname localhost

IP 2.2.2.2 maps to hostname my-host

IPv6 ::1 maps to hostname localhost6

Automatically map hostname to loopback address: yes

Automatically map hostname to IPv6 loopback address: no

switch (config) #

Related Commands N/A

Notes


4.1.6.3 Routing

ip/ipv6 route

{ip | ipv6} route <network-prefix> <netmask> {<nexthop-address> | <ifname>}

no ip route <network-prefix> <netmask> {<nexthop-address> | <ifname>}

Sets a static route for a given IP.

The no form of the command deletes the static route.

Syntax Description

network-prefix - IPv4 or IPv6 network prefix.

netmask - IPv4 netmask formats are:

• /24

• 255.255.255.0

IPv6 netmask format is:

• /48 (as a part of the network prefix)

nexthop-address - The IPv4 or IPv6 address of the next hop router for this route.

ifname - The interface name (e.g., mgmt0, mgmt1).

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ip route 20.20.20.0 255.255.255.0 mgmt0

switch (config) # show ip route

Destination    Mask               Gateway       Interface   Source
default        0.0.0.0            172.30.0.1    mgmt0       DHCP
10.10.10.10    255.255.255.255    0.0.0.0       mgmt0       static
20.10.10.10    255.255.255.255    172.30.0.1    mgmt0       static
20.20.20.0     255.255.255.0      0.0.0.0       mgmt0       static
172.30.0.0     255.255.0.0        0.0.0.0       mgmt0       interface

Related Commands show ip route

Notes


ipv6 default-gateway

ipv6 default-gateway {<ip-address> | <ifname>}

no ipv6 default-gateway

Sets a static default gateway.

The no form of the command deletes the default gateway.

Syntax Description

ip address - The default gateway IP address (IPv4 or IPv6).

ifname - The interface name (e.g., mgmt0, mgmt1).

Default N/A

Configuration Mode Config

History 3.1.0000 - First version

3.2.0500 - removed IPv4 configuration option

Role admin

Example switch (config) # ip default-gateway ::1

switch (config) # show ip default-gateway static

Configured default gateways:

::1

switch (config) #

Related Commands show ip route

Notes • The configured default gateway will not be used if DHCP is enabled.

• To configure an IPv4 default gateway, use the ‘ip route’ command.


show ip/ipv6 route

show {ip | ipv6} route [static]

Displays the routing table in the system.

Syntax Description

static - Filters the table with the static route entries.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show ip route

Destination    Mask               Gateway       Interface   Source
default        0.0.0.0            172.30.0.1    mgmt0       DHCP
10.10.10.10    255.255.255.255    0.0.0.0       mgmt0       static
20.10.10.10    255.255.255.255    172.30.0.1    mgmt0       static
20.20.20.0     255.255.255.0      0.0.0.0       mgmt0       static
172.30.0.0     255.255.0.0        0.0.0.0       mgmt0       interface

switch (config) # show ipv6 route

Destination prefix     Gateway   Interface   Source
-----------------------------------------------------------------------
::/0                   ::        mgmt0       static
::1/128                ::        lo          local
2222:2222:2222::/64    ::        mgmt1       interface

switch (config) #

Related Commands show ip default-gateway

Notes


show ip/ipv6 default-gateway

show {ip | ipv6} default-gateway [static]

Displays the default gateway.

Syntax Description

static - Displays the static configuration of the default gateway.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # ip default-gateway 10.10.10.10

switch (config) # show ip default-gateway

Active default gateways:

172.30.0.1 (interface: mgmt0)

switch (config) # show ip default-gateway static

Configured default gateway: 10.10.10.10

Related Commands show ip default-gateway

Notes The configured IPv4 default gateway will not be used if DHCP is enabled.


4.1.6.4 Network to Media Resolution (ARP & NDP)

IPv4 networks use the Address Resolution Protocol (ARP) to resolve IP addresses to MAC addresses, while IPv6 networks use the Neighbor Discovery Protocol (NDP), which performs basically the same function as ARP.

ip arp

ip arp <IP address> <MAC address>

no ip arp <IP address> <MAC address>

Sets a static ARP entry.

The no form of the command deletes the static ARP.

Syntax Description

IP address - IPv4 address.

MAC address - MAC address.

Default N/A

Configuration Mode Config Interface Management

History 3.2.0500

Role admin

Example switch (config interface mgmt0) # ip arp 20.20.20.20 aa:aa:aa:aa:aa:aa

switch (config interface mgmt0) # show ip arp

Total number of entries: 6

Address         Type       MAC Address          Interface
10.209.1.103    Dynamic    00:02:C9:11:A1:78    mgmt0
10.209.1.168    Dynamic    00:02:C9:5E:C3:28    mgmt0
10.209.1.104    Dynamic    00:02:C9:11:A1:E6    mgmt0
10.209.1.153    Dynamic    00:02:C9:11:A1:86    mgmt0
10.209.1.105    Dynamic    00:02:C9:5E:0B:56    mgmt0
10.209.0.1      Dynamic    00:00:5E:00:01:01    mgmt0
20.20.20.20     Static     AA:AA:AA:AA:AA:AA    mgmt0

switch (config interface mgmt0) #

Related Commands show ip arp

ip route

Notes


ip arp timeout

ip arp timeout <timeout-value>

no ip arp timeout

Sets the dynamic ARP cache timeout.

The no form of the command sets the timeout to default.

Syntax Description

timeout-value - Time (in seconds) that an entry remains in the ARP cache. Range: 60-28800.

Default 1500 seconds

Configuration Mode Config

History 3.2.0230

Role admin

Example switch (config) # ip arp timeout 2000

switch (config) #

Related Commands ip arp show ip arp

Notes This value is used as the ARP timeout whenever a new IP interface is created.


show ip arp

show ip arp [interface <type> | <ip-address> | count]

Displays ARP table.

Syntax Description

interface type - Filters the table according to a specific interface (i.e. mgmt0)

ip-address - Filters the table to the specific ip-address

Default N/A

Configuration Mode Any Command Mode

History 3.3.3000

Role admin

Example switch-626a54 [standalone: master] (config) # show ip arp

Total number of entries: 3

Address         Type           Hardware Address     Interface
------------------------------------------------------------------------
10.209.0.1      Dynamic ETH    00:00:5E:00:01:01    mgmt0
10.209.1.120    Dynamic ETH    00:02:C9:62:E8:C2    mgmt0
10.209.1.121    Dynamic ETH    00:02:C9:62:E7:42    mgmt0

switch (config) # show ip arp count

ARP Table size: 3 (inband: 0, out of band: 3)

switch (config) #

Related Commands

Notes


ipv6 neighbor

ipv6 neighbor <IPv6 address> <ifname> <MAC address>

no ipv6 neighbor <IPv6 address> <ifname> <MAC address>

Adds a static neighbor entry.

The no form of the command deletes the static entry.

Syntax Description

IPv6 address - The IPv6 address.

ifname - The management interface (i.e. mgmt0, mgmt1).

MAC address - The MAC address.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # ipv6 neighbor 2001:db8:701f::8f9 mgmt0 00:11:22:33:44:55

switch (config) #

Related Commands show ipv6 neighbor ipv6 route arp clear ipv6 neighbors

Notes • ARP is used only with IPv4. In IPv6 networks, Neighbor Discovery Protocol (NDP) is used similarly.

• Use the no form of the command to remove static entries. Dynamic entries can be cleared via the “clear ipv6 neighbors” command.


clear ipv6 neighbors

clear ipv6 neighbors

Clears the dynamic neighbors cache.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # clear ipv6 neighbors

switch (config) #

Related Commands ipv6 neighbor show ipv6 neighbor arp

Notes • Clearing Neighbor Discovery Protocol (NDP) cache removes only the dynamic entries learned and not the static entries configured

• Use the no form of the command to remove static entries

See “clear ipv6 neighbors” on page 790 for the interface or VLAN specific command

Rev 4.20

Mellanox Technologies Confidential 148

Rev 4.20

show ipv6 neighbors

show ipv6 neighbors [static]

Displays the Neighbor Discovery Protocol (NDP) table.

Syntax Description
static    Filters only the table of the static entries.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show ipv6 neighbors
IPv6 Address Age MAC Address State Interf
------------------------------------- ----- ----------------- ---------- ---
2001::2 9428 AA:AA:AA:AA:AA:AA permanent mgmt0
switch (config) #

Related Commands
ipv6 neighbor
clear ipv6 neighbor
show ipv6

Notes

4.1.6.5 DHCP

ip dhcp

ip dhcp {default-gateway yield-to-static | hostname <hostname> | primary-intf <ifname> | send-hostname}
no ip dhcp {default-gateway yield-to-static | hostname | primary-intf | send-hostname}

Sets global DHCP configuration.

The no form of the command deletes the DHCP configuration.

Syntax Description
yield-to-static          Does not allow you to install a default gateway from DHCP if there is already a statically configured one.
hostname                 Specifies the hostname to be sent during DHCP client negotiation if send-hostname is enabled.
primary-intf <ifname>    Sets the interface from which a non-interface-specific configuration (resolver and routes) will be accepted via DHCP.
send-hostname            Enables the DHCP client to send a hostname during negotiation.

Default
no ip dhcp yield-to-static
no ip dhcp hostname
ip dhcp primary-intf mgmt0
no ip dhcp send-hostname

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ip dhcp default-gateway yield-to-static
switch (config) # show ip dhcp
           DHCP     DHCP     Valid
Interface  Enabled  Running  lease
------------------------------------
lo         no       no       no
mgmt0      yes      yes      yes
mgmt1      yes      yes      no
DHCP primary interface:
Configured: mgmt0
Active: mgmt0
DHCP default gateway yields to static configuration: yes
DHCP client options:
Send Hostname: no
Client Hostname: switch (using system hostname)
switch (config) #

Related Commands
show ip dhcp
dhcp [renew]

Notes DHCP is supported for IPv4 networks only.

show ip dhcp

show ip dhcp

Displays the DHCP configuration and status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show ip dhcp
DHCP primary interface:
Configured: mgmt0
Active: mgmt0
DHCP: yield default gateway to static configuration: yes
DHCP Client Options:
Send Hostname: no
Client Hostname: switch (using system hostname)
switch (config) #

Related Commands
ip dhcp
dhcp [renew]

Notes

4.1.6.6 General IPv6 Commands

ipv6 enable

ipv6 enable
no ipv6 enable

Enables IPv6 globally on the management interface.

The no form of the command disables IPv6 globally on the management interface.

Syntax Description N/A

Default IPv6 is disabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ipv6 enable
switch (config) # show ipv6
IPv6 summary
IPv6 supported: yes
IPv6 admin enabled: yes
IPv6 interface count: 2
switch (config) #

Related Commands
ipv6 default-gateway
ipv6 host
ipv6 map-hostname
ipv6 neighbor
ipv6 route
show ipv6
show ipv6 default-gateway
show ipv6 route

Notes

4.1.6.7 IP Diagnostic Tools

ping

ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [-T timestamp option] [-Q tos] [hop1 ...] destination

Sends ICMP echo requests to a specified host.

Syntax Description Linux Ping options http://linux.about.com/od/commands/l/blcmdl8_ping.htm

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ping 172.30.2.2
PING 172.30.2.2 (172.30.2.2) 56(84) bytes of data.
64 bytes from 172.30.2.2: icmp_seq=1 ttl=64 time=0.703 ms
64 bytes from 172.30.2.2: icmp_seq=2 ttl=64 time=0.187 ms
64 bytes from 172.30.2.2: icmp_seq=3 ttl=64 time=0.166 ms
64 bytes from 172.30.2.2: icmp_seq=4 ttl=64 time=0.161 ms
64 bytes from 172.30.2.2: icmp_seq=5 ttl=64 time=0.153 ms
64 bytes from 172.30.2.2: icmp_seq=6 ttl=64 time=0.144 ms
^C
--- 172.30.2.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 0.144/0.252/0.703/0.202 ms
switch (config) #

Related Commands traceroute

Notes

traceroute

traceroute [-46dFITUnrAV] [-f first_ttl] [-g gate,...] [-i device] [-m max_ttl] [-N squeries] [-p port] [-t tos] [-l flow_label] [-w waittime] [-q nqueries] [-s src_addr] [-z sendwait] host [packetlen]

Traces the route packets take to a destination.

Syntax Description
-4    Uses IPv4.
-6    Uses IPv6.
-d    Enables socket level debugging.
-F    Sets DF (do not fragment bit) on.
-I    Uses ICMP ECHO for tracerouting.
-T    Uses TCP SYN for tracerouting.
-U    Uses UDP datagram (default) for tracerouting.
-n    Does not resolve IP addresses to their domain names.
-r    Bypasses the normal routing and sends directly to a host on an attached network.
-A    Performs AS path lookups in routing registries and prints results directly after the corresponding addresses.
-V    Prints version info and exits.
-f    Starts from the first_ttl hop (instead of from 1).
-g    Routes packets through the specified gateway (maximum 8 for IPv4 and 127 for IPv6).
-i    Specifies a network interface to operate with.
-m    Sets the max number of hops (max TTL to be reached). Default is 30.
-N    Sets the number of probes to be tried simultaneously (default is 16).
-p    Uses destination port. It is an initial value for the UDP destination port (incremented by each probe, default is 33434), for the ICMP seq number (incremented as well, default from 1), and the constant destination port for TCP tries (default is 80).
-t    Sets the TOS (IPv4 type of service) or TC (IPv6 traffic class) value for outgoing packets.
-l    Uses specified flow_label for IPv6 packets.
-w    Sets the number of seconds to wait for response to a probe (default is 5.0). Non-integer (floating point) values are allowed too.
-q    Sets the number of probes per each hop. Default is 3.
-s    Uses source src_addr for outgoing packets.
-z    Sets minimal time interval between probes (default is 0). If the value is more than 10, then it specifies a number in milliseconds, else it is a number of seconds (floating point values are allowed too).

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # traceroute 192.168.10.70
traceroute to 192.168.10.70 (192.168.10.70), 30 hops max, 40 byte packets
1 172.30.0.1 (172.30.0.1) 3.632 ms 2.849 ms 3.544 ms
2 10.222.128.46 (10.222.128.46) 3.176 ms 3.289 ms 3.656 ms
3 10.158.128.30 (10.158.128.30) 15.331 ms 15.819 ms 16.388 ms
4 10.158.128.65 (10.158.128.65) 20.468 ms 7.893 ms 12.27 ms
5 10.7.34.115 (10.7.34.115) 16.405 ms 11.985 ms 12.264 ms
6 192.168.10.70 (192.168.10.70) 16.377 ms 16.091 ms 20.475 ms
switch (config) #

Related Commands

Notes

tcpdump

tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-C file_size] [-E algo:secret] [-F file] [-i interface] [-M secret] [-r file] [-s snaplen] [-T type] [-w file] [-W filecount] [-y datalinktype] [-Z user] [-D list possible interfaces] [expression]

Invokes standard binary, passing command line parameters straight through. Runs in foreground, printing packets as they arrive, until the user hits Ctrl+C.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # tcpdump
......
09:37:38.678812 IP 192.168.10.7.ssh > 192.168.10.1.54155: P 1494624:1494800(176) ack 625 win 90 <nop,nop,timestamp 5842763 858672398>
09:37:38.678860 IP 192.168.10.7.ssh > 192.168.10.1.54155: P 1494800:1495104(304) ack 625 win 90 <nop,nop,timestamp 5842763 858672398>
...
9141 packets captured
9142 packets received by filter
0 packets dropped by kernel
switch (config) #

Related Commands N/A

Notes

4.2 NTP, Clock & Time Zones

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC) and is designed to mitigate the effects of variable network latency. NTP can usually maintain time to within tens of milliseconds over the public Internet, and can achieve better than one millisecond accuracy in local area networks under ideal conditions.

4.2.1 Commands

clock set

clock set <hh:mm:ss> [<yyyy/mm/dd>]

Sets the time and date.

Syntax Description
hh:mm:ss      Time.
yyyy/mm/dd    Date.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # clock set 23:23:23 2010/08/19
switch (config) # show clock
Time: 23:23:26
Date: 2010/08/19
Time zone: UTC
(Etc/UTC)
UTC offset: same as UTC
switch (config) #

Related Commands show clock

Notes If not specified, the date will be left the same.

clock timezone

clock timezone [<zone word> [<zone word> [<zone word>] [<zone word>]]]

Sets the system time zone. The time zone may be specified in one of three ways:

• A nearby city whose time zone rules to follow. The system has a large list of cities which can be displayed by the help and completion system. They are organized hierarchically because there are too many of them to display in a flat list. A given city may be required to be specified in two, three, or four words, depending on the city.
• An offset from UTC. This will be in the form UTC-offset UTC, UTC-offset UTC+<0-14>, UTC-offset UTC-<1-12>.
• UTC (Universal Time, which is almost identical to GMT), and this is the default time zone.

The no form of the command resets time zone to its default (GMT).

Syntax Description
zone word    The possible forms this could take include: continent, city, continent, country, city, continent, region, country, city, ocean, and/or island.

Default GMT

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # clock timezone America North United_States Other New_York
switch (config) # show clock
Time: 04:21:44
Date: 2012/02/26
Time zone: America North United_States Other New_York
switch (config) #

Related Commands show clock

Notes

ntp

ntp {disable | enable | {peer | server} <IP address> [version <number> | disable]}
no ntp {disable | enable | {peer | server} <IP address> [disable]}

Configures NTP.

The no form of the command negates NTP options.

Syntax Description
disable             Disables NTP.
enable              Enables NTP.
peer or server      Configures an NTP peer or server node.
IP address          IPv4 or IPv6 address.
version <number>    Specifies the NTP version number of this peer. Possible values are 3 or 4.

Default
NTP is enabled.
NTP version number is 4.

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # no ntp peer 192.168.10.24 disable
switch (config) #

Related Commands N/A

Notes

ntpdate

ntpdate <IP address>

Sets the system clock using the specified SNTP server.

Syntax Description
IP address    IP.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # ntpdate 192.168.10.10
26 Feb 17:25:40 ntpdate[15206]: adjust time server 192.168.10.10 offset -0.000092 sec
switch (config) #

Related Commands N/A

Notes This is a one-time operation and does not cause the clock to be kept in sync on an ongoing basis. It will generate an error if SNTP is enabled since the socket it requires will already be in use.

show clock

show clock

Displays the current system time, date and time zone.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show clock
Time: 04:21:44
Date: 2012/02/26
Time zone: America North United_States Other New_York
switch (config) #

Related Commands N/A

Notes

show ntp

show ntp

Displays the current NTP settings.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show ntp
NTP is enabled.
Clock is unsynchronized.
No NTP peers or servers configured.
switch (config) #

Related Commands N/A

Notes

4.3 Software Management

4.3.1 Upgrading MLNX-OS Software

When upgrading from a software version older than 3.2.0100 to software version 3.3.0000 or higher, the upgrade procedure must be done in two steps. First update the software to 3.2.0300-100 (for InfiniBand platforms) or 3.2.0506 (for Ethernet platforms), then update to the desired software version.

The system being upgraded becomes indisposed throughout the upgrade procedure.

The upgrade procedure burns the software image as well as the firmware should there be a need.

To upgrade the MLNX-OS version on a gateway, SM, or MLAG cluster, please refer to Section 4.3.2, “Upgrading MLNX-OS HA Groups,” on page 169.

You have to read and accept the End-User License Agreement (EULA) after image upgrade in case the EULA is modified. The EULA link is only available upon first login to CLI.

To upgrade MLNX-OS software on your system, perform the following steps:

Step 1. Change to Config mode.

switch > enable
switch # configure terminal
switch (config) #

Step 2. Obtain the previously available image (.img file). You must delete this image in the next step to make room for fetching the new image.

switch (config) # show images
Installed images:
Partition 1:
SX_PPC_M460EX 3.3.3130 2013-03-20 21:32:25 ppc
Partition 2:
SX_PPC_M460EX 3.3.3130 2013-03-20 21:32:25 ppc
Images available to be installed:
image-PPC_M460EX-SX_3.3.3256.img
SX_PPC_M460EX 3.3.3256 2013-03-20 21:32:25 ppc
Serve image files via HTTP/HTTPS: no
No image install currently in progress.
Boot manager password is set.
No image install currently in progress.
Require trusted signature in image being installed: yes (default)
switch (config) #

Step 3. Delete the old image (if one exists) that is listed under Images available to be installed prior to fetching the new image. Use the command image delete for this purpose.

switch (config) # image delete image-PPC_M460EX-3.0.1224.img
switch (config) #

When deleting an image, you delete the file but not the partition. This is recommended so as to not overload system resources.

Step 4. Fetch the new software image.

switch (config) # image fetch scp://username:[email protected]/var/www/html/<image_name>
Password (if required): ******
100.0%[#################################################################]
switch (config) #

Step 5. Display the available images.

To recover from image corruption (e.g., due to power interruption), there are two installed images on the system. See the commands image boot next and image boot location.

switch (config) # show images
Installed images:
Partition 1:
SX <old ver> 2013-04-28 16:02:50
Partition 2:
SX <new ver> 2013-04-28 16:52:50
Images available to be installed:
new_image.img
SX <new ver> 2013-04-28 16:52:50
Serve image files via HTTP/HTTPS: no
No image install currently in progress.
Boot manager password is set.
No image install currently in progress.
Require trusted signature in image being installed: yes (default)
switch (config) #

Step 6. Install the new image.

switch (config) # image install <image_name>
Step 1 of 4: Verify Image
100.0% [#############################################################]
Step 2 of 4: Uncompress Image
100.0% [#############################################################]
Step 3 of 4: Create Filesystems
100.0% [#############################################################]
Step 4 of 4: Extract Image
100.0% [#############################################################]
switch (config) #

CPU utilization may go up to 100% during image upgrade.

Step 7. Have the new image activate during the next boot. Run:

switch (config) # image boot next

Step 8. Run show images to review your images. Run:

switch (config) # show images
Images available to be installed:
new_image.img
SX <new ver> 2011-04-28 16:52:50
Installed images:
Partition 1:
SX <old ver> 2011-04-28 16:02:50
Partition 2:
SX <new ver> 2011-04-28 16:52:50
Last boot partition: 1
Next boot partition: 2
No boot manager password is set.
switch (config) #

Step 9. Save current configuration. Run:

switch (config) # configuration write
switch (config)#

Step 10. Reboot the switch to run the new image. Run:

switch (config) # reload
Configuration has been modified; save first? [yes] yes
Configuration changes saved.
Rebooting...
switch (config)#

After software reboot, the software upgrade will also automatically upgrade the firmware version.

In order to upgrade the system on dual management system refer to Section 4.3.1, “Upgrading MLNX-OS Software,” on page 166.

When performing upgrade from the WebUI, make sure that the image you are trying to upgrade to is not located already in the system (i.e. fetched from the CLI).
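The following Python example is added here and is not part of the Mellanox manual or MLNX-OS: it applies the two-step version rule stated at the start of this section and parses show images output, as reviewed in Step 8, before the reload in Step 10. The function names, the constructed sample output, and the policy of treating a missing signature requirement, an unset boot manager password, or HTTP/HTTPS image serving as findings are assumptions of this example.

```python
import re

# Constructed sample, modelled on the `show images` output printed in this section.
SAMPLE = """\
Images available to be installed:
image-PPC_M460EX-SX_3.3.3256.img
SX_PPC_M460EX 3.3.3256 2013-03-20 21:32:25 ppc
Installed images:
Partition 1:
SX_PPC_M460EX 3.3.3130 2013-03-20 21:32:25 ppc
Partition 2:
SX_PPC_M460EX 3.3.3256 2013-03-20 21:32:25 ppc
Last boot partition: 1
Next boot partition: 2
Serve image files via HTTP/HTTPS: no
No boot manager password is set.
No image install currently in progress.
Require trusted signature in image being installed: yes (default)
"""

_VERSION = re.compile(r"^\d+\.\d+\.\d+")


def vkey(version):
    """Sort key from the first three numeric fields, e.g. 3.2.0300-100 -> (3, 2, 300)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def upgrade_path(current, target, platform="ethernet"):
    """Two-step rule: a version below 3.2.0100 cannot go straight to 3.3.0000 or higher."""
    bridge = {"ethernet": "3.2.0506", "infiniband": "3.2.0300-100"}[platform]
    if vkey(current) < vkey("3.2.0100") and vkey(target) >= vkey("3.3.0000"):
        return [bridge, target]
    return [target]


def parse_show_images(text):
    """Turn `show images` output into a dict; fields absent from the output stay None."""
    state = {"partitions": {}, "available": [], "serve_http": None, "last_boot": None,
             "next_boot": None, "boot_password": None, "require_signature": None}
    section = part = None
    for line in (raw.strip() for raw in text.splitlines()):
        boot = re.fullmatch(r"(Last|Next) boot partition: (\d+)", line)
        header = re.fullmatch(r"Partition (\d+):", line)
        if line == "Installed images:":
            section = "installed"
        elif line == "Images available to be installed:":
            section = "available"
        elif header:
            part = int(header.group(1))
        elif boot:
            state[boot.group(1).lower() + "_boot"] = int(boot.group(2))
        elif line.startswith("Serve image files via HTTP/HTTPS:"):
            state["serve_http"] = line.split(":", 1)[1].strip().startswith("yes")
        elif line.startswith("Require trusted signature"):
            state["require_signature"] = line.split(":", 1)[1].strip().startswith("yes")
        elif line in ("Boot manager password is set.", "No boot manager password is set."):
            state["boot_password"] = line.startswith("Boot")
        elif section == "available" and line.endswith(".img"):
            state["available"].append(line)
        elif section == "installed" and part is not None:
            # The version is the first token shaped like 3.3.3130 on the line after "Partition N:".
            found = [tok for tok in line.split() if _VERSION.match(tok)]
            if found:
                state["partitions"][part] = found[0]
                part = None
    return state


def audit(state, expected_version):
    """Findings to resolve before `reload`; the policy itself is this example's assumption."""
    findings = []
    if state["require_signature"] is not True:
        findings.append("trusted image signature is not required")
    if state["boot_password"] is not True:
        findings.append("boot manager password is not set")
    if state["serve_http"]:
        findings.append("image files are served over HTTP/HTTPS")
    staged = state["partitions"].get(state["next_boot"])
    if staged != expected_version:
        findings.append(f"next boot partition holds {staged}, expected {expected_version}")
    return findings


if __name__ == "__main__":
    print("upgrade path:", upgrade_path("3.1.0000", "3.3.3256"))
    for finding in audit(parse_show_images(SAMPLE), "3.3.3256"):
        print("FINDING:", finding)
```

Feed it the captured output of show images after Step 8; an empty findings list means the next boot partition holds the intended version and the image-handling settings match the defaults shown in Step 2.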

4.3.2 Upgrading MLNX-OS HA Groups

In case fallback is ever necessary in an HA group, all cluster nodes must have the same MLNX-OS version installed and they must be immediately reloaded.

To upgrade MLNX-OS version without affecting an HA group:

Step 1. Identify the HA group master. For MLAG, run:

switch (config)# show mlag-vip
MLAG VIP
========
MLAG group name: my-mlag-group
MLAG VIP address: 1.1.1.1/30
Active nodes: 2
Hostname VIP-State IP Address
----------------------------------------------------
SwitchA master 10.10.10.1
SwitchB standby 10.10.10.2

Step 2. Upgrade standby nodes in the HA group according to steps 1-8 in Section 4.3.1, on page 166.

Step 3. Wait until all standby nodes have rejoined the group.

Step 4. Upgrade the master node in the HA group according to steps 1-8 in Section 4.3.1, on page 166.

4.3.3 Deleting Unused Images

To delete unused images:

Step 1. Enter Config mode. Run:

switch >
switch > enable
switch # configure terminal

Step 2. Get a list of the unused images. Run:

switch (config) # show images
Images available to be installed:
image-PPC_M460EX-3.1.1224.img
SX-OS_PPC_M460EX 3.1.1224 2011-04-28 12:29:48 ppc
Installed images:
Partition 1:
SX-OS_PPC_M460EX 3.1.0000-dev-HA 2011-04-10 12:02:49 ppc
Partition 2:
SX-OS_PPC_M460EX 3.1.0000-dev-HA 2011-04-10 12:02:49 ppc
Last boot partition: 1
Next boot partition: 1
Boot manager password is set.
No image install currently in progress.
Require trusted signature in image being installed: yes
switch (config) #

Step 3. Delete the unused images. Run:

switch (config) # image delete image-PPC_M460EX-3.0.1224.img
switch (config) #

When deleting an image, you delete the file but not the partition. This is recommended so as to not overload system resources.

4.3.4 Downgrading MLNX-OS Software

IMPORTANT NOTE

If in possession of an SX65xx director switch with the notice presented in Figure 11, the lowest MLNX-OS version you can downgrade to is 3.3.5006; otherwise, the switch system will malfunction.

Figure 11: SX65xx Downgrade Attention Sticker

Prior to downgrading software, please make sure the following prerequisites are met:

Step 1. Log into your switch via the CLI using the console port.

Step 2. Backup your configuration according to the following steps:

1. Change to Config mode. Run:

switch-112094 [standalone: master] > enable
switch-112094 [standalone: master] # configure terminal
switch-112094 [standalone: master] (config) #

2. Disable paging of CLI output. Run:

switch-112094 [standalone: master] (config) # no cli default paging enable

3. Display commands to recreate current running configuration. Run:

switch-112094 [standalone: master] (config) # show running-config

4. Copy the output to a text file.

4.3.4.1 Downloading Image

Step 1. Log into the system to obtain the serial number. Run:

switch-112094 [standalone: master] (config) # show inventory

Step 2. Download the requested MLNX-OS version from the following link: http://support.mellanox.com/SupportWeb/

Step 3. Enter your username and password when prompted.

Step 4. Log into the switch via the CLI using the console port.

Step 5. Change to Config mode. Run:

switch > enable
switch # configure terminal
switch (config) #

Step 6. Delete all previous images from the Images available to be installed prior to fetching the new image. Run:

switch (config) # image delete image-EFM_PPC_M405EX-ppc-m405ex 20090531-190132.img

Step 7. Fetch the requested software image. Run:

switch (config) # image fetch scp://username:[email protected]/var/www/html/<image_name>
100.0%[#################################################################]

4.3.4.2 Downgrading Image

The procedure below assumes that booting and running is done from Partition 1 and the downgrade procedure is performed on Partition 2.

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

switch > enable
switch # configure terminal

Step 3. Show all image files on the system. Run:

switch (config) # show images
Images available to be installed:
new_image.img
<downgrade version> 2010-09-19 16:52:50
Installed images:
Partition 1:
<current version> 2010-09-19 03:46:25
Partition 2:
<current version> 2010-09-19 03:46:25
Last boot partition: 1
Next boot partition: 1
No boot manager password is set.
switch (config) #

Step 4. Install the MLNX-OS image. Run:

switch (config) # image install <image_name>
Step 1 of 4: Verify Image
100.0% [#################################################################]
Step 2 of 4: Uncompress Image
100.0% [#################################################################]
Step 3 of 4: Create Filesystems
100.0% [#################################################################]
Step 4 of 4: Extract Image
100.0% [#################################################################]
switch (config) #

Step 5. Show all image files on the system. Run:

switch (config) # show images
Images available to be installed:
new_image.img
<downgrade version> 2010-09-19 16:52:50
Installed images:
Partition 1:
<current version> 2010-09-19 03:46:25
Partition 2:
<downgrade version> 2010-09-19 16:52:50
Last boot partition: 1
Next boot partition: 2
No boot manager password is set.
switch (config) #

Step 6. Set the boot location to be the other partition (next). Run:

switch (config) # image boot next

There are two installed images on the system. Therefore, if one of the images gets corrupted (due to power interruption, for example), in the next reboot the image will go up from the second partition.

In case you are downgrading to an older software version which has never been run yet on the switch, use the following command sequence as well:

switch (config) # no boot next fallback-reboot enable
switch (config) # configuration write

Step 7. Reload the switch. Run:

switch (config) # reload

4.3.4.3 Switching to Partition with Older Software Version

The system saves a backup configuration file when upgrading from an older software version to a newer one. If the system returns to the older software partition, it uses this backup configuration file. Note that all configuration changes done with the new software are lost when returning to the older software version.

There are 2 instances where the backup configuration file does not exist:

• The user has run the “reset factory” command, which clears all configuration files in the system.
• The user has run “configuration switch-to” to a configuration file with a different name than the backup file.

Also note that the configuration file becomes empty if the switch is downgraded to a software version which has never been installed yet.

To allow switching partition to the older software version in the cases above, follow the steps below:

Step 1. Run the command:

switch (config)# no boot next fallback-reboot enable

Step 2. Set the boot partition. Run:

switch (config)# image boot next

Step 3. Save the configuration. Run:

switch (config)# configuration write

Step 4. Reload the system. Run:

switch (config)# reload

4.3.5 Upgrading System Firmware

Each MLNX-OS software package version has a default switch firmware version. When you update the MLNX-OS software to a new version, an automatic firmware update process will be attempted by MLNX-OS. This process is described below.

4.3.5.1 After Updating MLNX-OS Software

Upon rebooting your switch system after updating the MLNX-OS software, MLNX-OS compares its default firmware version with the currently programmed firmware versions on all the switch modules (leafs and spines on director-class switches, or simply the switch card on edge switch systems).

If one or more of the switch modules is programmed with a firmware version other than the default version, then MLNX-OS automatically attempts to burn the default firmware version instead.

If a firmware update takes place, then the login process is delayed a few minutes.

To verify that the firmware update was successful, log into MLNX-OS and run the command “show asic-version” (can be run in any mode). This command lists all of the switch modules along with their firmware versions. Make sure that all the firmware versions are the same and match the default firmware version. If the firmware update failed for one or more modules, then the following warning is displayed.

Some subsystems are not updated with a default firmware.

If you detect a mismatch in firmware version for one or more modules of the switch system, please contact your assigned Mellanox Technologies field application engineer.

4.3.5.2 Importing Firmware and Changing the Default Firmware

To perform an automatic firmware update by MLNX-OS for a different switch firmware version without changing the MLNX-OS version, import the firmware package as described below.

MLNX-OS sets it as the new default firmware and performs the firmware update automatically as described in the previous subsections.

Default Firmware Change on Standalone Systems

Step 1. Import the firmware image (.mfa file). Run:

switch (config) # image fetch scp://[email protected]:/tmp/fw-SX-rel-9_2_6440-FIT.tgz
Password (if required): *******
100.0% [###############################################################################]
switch (config) # image default-chip-fw fw-SX-rel-9_2_6440-FIT.mfa
Installing default firmware image. Please wait...
Default Firmware 9.2.6440 updated. Please save configuration and reboot for new FW to take effect.
switch (config) #

Step 2. Save the configuration. Run:

switch (config) # configuration write
switch (config) #

Step 3. Reboot the system to enable auto update.

4.3.6 Image Maintenance via Mellanox ONIE

Supported only on MSX1710-BS2F2O switch system.

The switch system MSX1710-BS2F2O allows booting ONIE and burning a different OS on the switch system.

When booting or rebooting the switch system an ONIE entry has been added to the boot loader options. For example:

GNU GRUB version 2.02~beta2
X86_64 3.4.1932 2015-04-24 18:04:12 x86_64 1
X86_64 3.4.1932 2015-04-24 18:04:12 x86_64 2
ONIE

While MLNX-OS is installed, editing grub entry and grub command line are restricted.

ONIE may be selected from this prompt to allow ONIE functionality over this system. To do so, the MLNX-OS image burned must be uninstalled from the system. Once MLNX-OS is uninstalled, ONIE boots and the user is presented with ONIE command prompt which allows regular ONIE functionality according to Mellanox SwitchX ONIE Switch User Manual.

To return to MLNX-OS mode, MLNX-OS must be reinstalled using the ONIE Network OS installer file according to the preferred ONIE Network OS installation flow.

The switch system then loads from factory set configurations (automatically saved configuration is not supported).

All previous MLNX-OS installation flows are supported, therefore, the command “image fetch” or “image install” may be used to save previous configuration.

4.3.7 Commands

This chapter displays all the relevant commands used to manage the system software image.

image boot

image boot {location <location ID> | next}

Specifies the default location where the system should be booted from.

Syntax Description
location ID    Specifies the default destination location. There can be up to 2 images on the system. The possible values are 1 or 2.
next           Sets the boot location to be the next one after the one currently booted from, thus avoiding a cycle through all the available locations.

Default N/A

Configuration Mode enable/config

History 3.1.0000

Role admin

Example

switch (config) # image boot location 2
switch (config) #

Related Commands show images

Notes

boot next

boot next fallback-reboot enable no boot next fallback-reboot enable

Syntax Description

Default

Sets the default setting for next boot. Normally, if the system fails to apply the configuration on startup (after attempting upgrades or downgrades, as appropriate), it will reboot to the other partition as a fallback.

The no form of the command tells the system not to do that, only for the next boot.

N/A

N/A

Configuration Mode Config

History 3.2.0506

Role

Example admin switch (config) # boot next fallback-reboot enable switch (config) #

Related Commands show images

Notes • Normally, if the system fails to apply the configuration on startup (after attempting upgrades or downgrades, as appropriate) it reboots to the other partition as a fallback.

• The no form of this command tells the system not to do that only for the next boot. In other words, this setting is not persistent, and goes back to enabled automatically after each boot.

• When downgrading to an older software version which has never been run yet on a system, the “fallback reboot” always happens, unless the command “no boot next fallback-reboot enable” is used. However, this also happens when the older software version has been run before, but the configuration file has been switched since upgrading. In general, a downgrade only works (without having the fallback reboot forcibly disabled) if the process can find a snapshot of the configuration file (by the same name as the currently active one) which was taken before upgrading from the older software version. If that is not found, a fallback reboot is performed in preference to falling back to the initial database because the latter generally involves a loss of network connectivity, and avoiding that is of paramount importance.


boot system

boot system {location | next}
no boot system next

Configures which system image to boot by default.

The no form of the command resets the next boot location to the current active one.

Syntax Description

location Specifies location from which to boot system

• 1 – installs to location 1

• 2 – installs to location 2

next Boots system from next location after one currently booted

Default N/A

Configuration Mode Config

History 3.2.0506

Role admin

Example
switch (config) # boot system location 2
switch (config) #

Related Commands show images

Notes


image default-chip-fw

image default-chip-fw <file name>

Sets the default firmware package to be installed.

Syntax Description

filename Specifies the firmware filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image default-chip-fw image-SX_PPC_M460EX-ppc-m460ex-20120122-084759.img
switch (config) #

Related Commands
image install-chip fw
show images

Notes


image delete

image delete <image name>

Deletes the specified image file.

Syntax Description

image name Specifies the image name.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image delete image-MLXNX-OS-201140526-010145.img
switch (config) #

Related Commands show images

Notes


image fetch

image fetch <URL> [<filename>]

Downloads an image from the specified URL or via SCP.

Syntax Description

URL HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported. Example: scp://username[:password]@hostname/path/filename.

filename Specifies a filename for this image to be stored as locally.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image fetch scp://<username>@192.168.10.125/var/www/html/<image_name>
Password ******
100.0%[############################################################]
switch (config) #

Related Commands show images

Notes • Please delete the previously available image prior to fetching the new image

• See section “Upgrading MLNX-OS SX Software,” in the Mellanox SwitchX® User Manual for a full upgrade example


image install

image install <image filename> [location <location ID>] | [progress <prog-options>] [verify <ver-options>]

Installs the specified image file.

Syntax Description

image filename Specifies the image name.

location ID Specifies the image destination location.

prog-options

• “no-track” overrides CLI default and does not track the installation progress

• “track” overrides CLI default and tracks the installation progress

ver-options

• “check-sig” requires an image to have either a valid signature or no signature

• “ignore-sig” allows unsigned or invalidly signed images to be installed

• “require-sig” requires the installed image to have a valid signature. If a valid signature is not found on the image, the image cannot be installed.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image install SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-22 08:47:59 ppc
Step 1 of 4: Verify Image
100.0% [################################################################]
Step 2 of 4: Uncompress Image
100.0% [################################################################]
Step 3 of 4: Create Filesystems
100.0% [################################################################]
Step 4 of 4: Extract Image
100.0% [################################################################]
switch (config) #

Related Commands show images

Notes • The image cannot be installed on the “active” location (the one which is currently being booted)

• On a two-location system, the location is chosen automatically if no location is specified


image move

image move <src image name> <dest image name>

Renames the specified image file.

Syntax Description

src image name Specifies the old image name.

dest image name Specifies the new image name.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image move image1.img image2.img
switch (config) #

Related Commands show images

Notes


image options

image options {require-sig | serve}
no image options {require-sig | serve all}

Configures options and defaults for image usage.

The no form of the command disables options and defaults for image usage.

Syntax Description

require-sig Requires images to be signed by a trusted signature

serve Configures options for serving image files from this appliance

all Makes all image files on this appliance available for HTTP and HTTPS download

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # image options require-sig
switch (config) #

Related Commands show images

Notes


show bootvar

show bootvar

Displays the installed system images and the boot parameters.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show bootvar
Installed images:
Partition 1:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-22 08:47:59 ppc
Last dobincp: 2012/01/23 14:54:23
Partition 2:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-18 09:52:41 ppc
Last dobincp: 2012/01/19 16:48:23
Last boot partition: 1
Next boot partition: 1
Boot manager password is set.
No image install currently in progress.
Image signing: trusted signature always required
Admin require signed images: yes
Settings for next boot only:
Fallback reboot on configuration failure: yes (default)
switch (config) #

Related Commands N/A

Notes


show images

show images

Displays information about the system images and boot parameters.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example
switch (config) # show images
Images available to be installed:
image-SX_PPC_M460EX-ppc-m460ex-20120122-084759.img
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-22 08:47:59 ppc
Installed images:
Partition 1:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-22 08:47:59 ppc
Last dobincp: 2012/01/23 14:54:23
Partition 2:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-18 09:52:41 ppc
Last dobincp: 2012/01/19 16:48:23
Last boot partition: 1
Next boot partition: 1
Boot manager password is set.
No image install currently in progress.
Image signing: trusted signature always required
Admin require signed images: yes
Settings for next boot only:
Fallback reboot on configuration failure: yes (default)
switch (config) #

Related Commands N/A

Notes
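The signing and boot fields printed by “show bootvar” and “show images” can be checked automatically after a change window. The following is an added example, not part of the Mellanox manual or of MLNX-OS: the function names are hypothetical, the sample text is constructed from the output printed above, and any wording other than the strings shown in this manual is reported as a finding.

```python
import re

# Constructed sample: the "show bootvar" output printed in this manual.
SAMPLE_BOOTVAR = """\
Installed images:
Partition 1:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-22 08:47:59 ppc
Last dobincp: 2012/01/23 14:54:23
Partition 2:
SX_PPC_M460EX 3.0.0000-dev-HA 2012-01-18 09:52:41 ppc
Last dobincp: 2012/01/19 16:48:23
Last boot partition: 1
Next boot partition: 1
Boot manager password is set.
No image install currently in progress.
Image signing: trusted signature always required
Admin require signed images: yes
Settings for next boot only:
Fallback reboot on configuration failure: yes (default)
"""

# Only these "key: value" lines are kept; every other line is ignored.
FIELDS = (
    "Last boot partition",
    "Next boot partition",
    "Image signing",
    "Admin require signed images",
    "Fallback reboot on configuration failure",
)


def parse_bootvar(text):
    """Parse captured "show bootvar" / "show images" output into a dict."""
    state = {"partitions": {}, "fields": {}, "boot_manager_password_set": False}
    pending = None  # partition number whose image line comes next
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        part = re.fullmatch(r"Partition (\d+):", line)
        if part:
            pending = part.group(1)
            continue
        if pending is not None:
            state["partitions"][pending] = line
            pending = None
            continue
        if line == "Boot manager password is set.":
            state["boot_manager_password_set"] = True
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            state["fields"][key] = value.strip()
    return state


def audit_bootvar(text):
    """Return a list of findings; an empty list means the expected posture."""
    state = parse_bootvar(text)
    fields = state["fields"]
    findings = []
    if not state["boot_manager_password_set"]:
        findings.append("boot manager password is not reported as set")
    signing = fields.get("Image signing")
    if signing != "trusted signature always required":
        findings.append(f"image signing policy is {signing!r}")
    admin_sig = fields.get("Admin require signed images")
    if admin_sig != "yes":
        findings.append(f"admin require signed images is {admin_sig!r}")
    fallback = fields.get("Fallback reboot on configuration failure", "")
    if not fallback.startswith("yes"):
        findings.append("fallback reboot is disabled or not reported for the next boot")
    last = fields.get("Last boot partition")
    nxt = fields.get("Next boot partition")
    if last is None or nxt is None:
        findings.append("boot partitions are not reported")
    elif last != nxt:
        image = state["partitions"].get(nxt, "unknown image")
        findings.append(
            f"next boot uses partition {nxt} ({image}); last boot used partition {last}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_bootvar(SAMPLE_BOOTVAR) or ["no findings"]:
        print(finding)
```

A pending switch to the other partition is reported together with the image installed there, so an unplanned “boot system” or “image install” change shows up in the same check.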


4.4 Configuration Management

4.4.1 Saving a Configuration File

To save the current configuration to the active configuration file, you can either use the configuration write command (requires running in Config mode) or the write memory command (requires running in Enable mode).

• To save the configuration to the active configuration file, run:
switch (config) # configuration write

• To save the configuration to a user-specified file without making the new file the active configuration file, run:
switch (config) # configuration write to myconf no-switch

• To save the configuration to a user-specified file and make the new file the active configuration file, run:
switch (config) # configuration write to myconf

• To display the available configuration files and the active file, run:
switch (config) # show configuration files
initial
myconf (active)
switch (config) #

4.4.2 Loading a Configuration File

By default, or after a system reset, the system loads the default “initial” configuration file.

To load a different configuration file and make it the active configuration:
switch [standalone: master] >
switch [standalone: master] > enable
switch [standalone: master] # configure terminal
switch [standalone: master] (config) # configuration switch-to myconfig
switch [standalone: master] (config) #

4.4.3 Restoring Factory Default Configuration

In cases where the system configuration becomes corrupted, it is suggested to restore the factory default configuration.

To restore factory default configuration on a single management module system:

Step 1. Run the command reset factory [reboot] [keep-basic] [keep-all-config]:
switch (config) # reset factory keep-basic

4.4.4 Managing Configuration Files

There are two types of configuration files that can be applied on the switch, BIN files (binary) and text-based configuration files.


4.4.4.1 BIN Configuration Files

BIN configuration files are not human readable and cannot be edited.

To create a new BIN configuration file:
switch (config) # configuration new my-filename

To upload a BIN configuration file from a switch to an external file server:
switch (config) # configuration upload my-filename scp://root@my-server/root/tmp/myfilename

To fetch a BIN configuration file:
switch (config) # configuration fetch scp://root@my-server/root/tmp/my-filename

To see the available configuration files:
switch (config) # show configuration files
initial (active)
my-filename
Active configuration: initial
Unsaved changes: no
switch (config) #

To load a BIN configuration file:
switch (config) # configuration switch-to my-filename

Applying a new BIN configuration file changes the whole switch’s configuration and requires a system reboot, which can be performed using the command reload.

4.4.4.2 Text Configuration Files

Text configuration files are text based and editable.

To create a new text-based configuration file:
switch (config) # configuration text generate active running save my-filename

To apply a text-based configuration file:
switch (config) # configuration text file my-filename apply

Applying a text-based configuration file to an existing/running data port configuration may result in unpredictable behavior. It is therefore suggested to first clear the switch’s configuration by applying a specific configuration file (following the procedure in Section 4.4.4.1) or by resetting the switch back to factory default.


To upload a text-based configuration file from a switch to an external file server:
switch (config) # configuration text file my-filename upload scp://root@my-server/root/tmp/my-filename

To fetch a text-based configuration file from an external file server to a switch:
switch (config) # configuration text fetch scp://root@my-server/root/tmp/my-filename

To apply a text-based configuration file:
switch (config) # configuration text file my-filename apply

When applying a text-based configuration file, the configuration is appended to the switch’s existing configuration. Reboot is not required.


4.4.5 Commands

4.4.5.1 File System

debug generate dump

debug generate dump

Generates a debug dump.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # debug generate dump
Generated dump sysdump-switch-112104-201140526-091707.tgz
switch (config) #

Related Commands file debug-dump

Notes The dump can then be manipulated using the “file debug-dump...” commands.


file debug-dump

file debug-dump {delete {<filename> | latest} | email {<filename> | latest} | upload {{<filename> | latest} <URL>}}

Manipulates debug dump files.

Syntax Description

delete {<filename> | latest} Deletes a debug dump file.

email {<filename> | latest} Emails a debug dump file to pre-configured recipients for “informational events”, regardless of whether they have requested to receive “detailed” notifications or not.

upload {{<filename> | latest} <URL>} Uploads a debug dump file to a remote host. The URL to the remote host: HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported. Example: scp://username[:password]@hostname/path/filename.

Default N/A

Configuration Mode Config

History
3.1.0000 Initial release
3.3.4000 Added “latest” parameter

Role admin

Example
switch (config) # file debug-dump email sysdump-switch-112104-20114052-091707.tgz
switch (config) #

Related Commands show files debug-dump

Notes


file stats

file stats {delete <filename> | move {<source filename> | <destination filename>} | upload <filename> <URL>}

Manipulates statistics report files.

Syntax Description

delete <filename> Deletes a stats report file.

move <source filename> <destination filename> Renames a stats report file.

upload <filename> <URL> Uploads a stats report file. URL - HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported. Example: scp://username[:password]@hostname/path/filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # file stats move memory-1.csv memory-2.csv
switch (config) #

Related Commands
show files stats
show files stats <filename>

Notes


file tcpdump

file tcpdump {delete <filename> | upload <filename> <URL>}

Manipulates tcpdump output files.

Syntax Description

delete <filename> Deletes the specified tcpdump output file.

upload <filename> <URL> Uploads the specified tcpdump output file to the specified URL. URL - HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported. Example: scp://username[:password]@hostname/path/filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # file tcpdump delete my-tcpdump-file.txt
switch (config) #

Related Commands show files stats tcpdump

Notes


reload

reload [force immediate | halt [noconfirm] | noconfirm]

Reboots or shuts down the system.

Syntax Description

force immediate Forces an immediate reboot of the system even if the system is busy.

halt Shuts down the system.

noconfirm Reboots the system without asking about unsaved changes.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # reload
Configuration has been modified; save first? [yes] yes
Configuration changes saved.
...
switch (config) #

Related Commands reset factory

Notes


reset factory

reset factory [keep-all-config | keep-basic | keep-virt-vols | only-config] [halt]

Clears the system and resets it entirely to its factory state.

Syntax Description

keep-all-config Preserves everything in the running configuration file. The user will be prompted for confirmation before honoring this command, unless confirmation is disabled with the command: “no cli default prompt confirmreset”.

keep-basic Preserves licenses in the running configuration file

keep-virt-vols Preserves all virtual disk volumes

only-config Resets only configuration

halt The system is halted after this process completes

Default N/A

Configuration Mode Config

History
3.1.0000
3.4.0000 Added notes and “keep-virt-vols” parameter

Role admin

Example
switch (config) # reset factory
Type 'YES' to confirm reset: YES
Resetting and rebooting the system -- please wait...
...

Related Commands reload

Notes • Effects of parameter “keep-all-config”: Licenses – not deleted; profile – no change; configuration – unchanged; management IP – unchanged

• Effects of parameter “keep-basic”: Licenses – not deleted; profile – reset; configuration – reset; management IP – reset

• Effects of parameter “keep-virt-vols”: Licenses – deleted; profile – reset; configuration – reset; management IP – unchanged

• Effects of parameter “only-config”: Licenses – deleted; profile – reset; configuration – reset; management IP – unchanged


show files debug-dump

show files debug-dump [<filename>]

Displays a list of debug dump files.

Syntax Description

filename Displays a summary of the contents of a particular debug dump file.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show files debug-dump sysdump-switch-112104-20114052-091707.tgz
System information:
Hostname: switch-112104
Version: SX_PPC 3.1.0000 2011-05-25 13:59:00 ppc
Date: 2012-01-26 09:17:07
Uptime: 0d 18h 47m 48s
==================================================
Output of 'uname -a':
Linux switch-112104 2.6.27-MELLANOXuni-m405ex SX_PPC 3.1.0000 #1 2012-01-25 13:59:00 ppc ppc ppc GNU/Linux
==================================================
..................................................
switch (config) #

Related Commands file debug-dump

Notes


show files stats

show files stats <filename>

Displays a list of statistics report files.

Syntax Description

filename Displays the contents of a particular statistics report file.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show files stats memory-201140524-111745.csv
switch (config) #

Related Commands file stats

Notes


show files system

show files system [detail]

Displays usage information of the file systems on the system.

Syntax Description

detail Displays more detailed information on the file system.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show files system
Statistics for /config filesystem:
Bytes Total 100 MB
Bytes Used 3 MB
Bytes Free 97 MB
Bytes Percent Free 97%
Bytes Available 97 MB
Inodes Total 0
Inodes Used 0
Inodes Free 0
Inodes Percent Free 0%
Statistics for /var filesystem:
Bytes Total 860 MB
Bytes Used 209 MB
Bytes Free 651 MB
Bytes Percent Free 75%
Bytes Available 651 MB
Inodes Total 0
Inodes Used 0
Inodes Free 0
Inodes Percent Free 0%
switch (config) #

Related Commands N/A

Notes


show files tcpdump

show files tcpdump

Displays a list of statistics report files.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show files stats test dump3
switch (config) #

Related Commands
file tcpdump
tcpdump

Notes


4.4.5.2 Configuration Files

configuration audit

configuration audit max-changes <number>

Chooses settings related to configuration change auditing.

Syntax Description

max-changes Sets the maximum number of audit messages to log per change.

Default 1000

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration audit max-changes 100
switch (config) # show configuration audit
Maximum number of changes to log: 100
switch (config) #

Related Commands show configuration

Notes N/A


configuration copy

configuration copy <source name> <dest name>

Copies a configuration file.

Syntax Description

source name Name of source file.

dest name Name of destination file. If a file with the specified filename does not exist, a new file will be created with said filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration copy initial.bak example
switch (config) #

Related Commands

Notes • This command does not affect the current running configuration

• The active configuration file may not be the target of a copy. However, it may be the source of a copy in which case the original remains active.


configuration delete

configuration delete <filename>

Deletes a configuration file.

Syntax Description

filename Name of file to delete.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show configuration files
example
initial
initial.bak
initial.prev
switch (config) # configuration delete example
switch (config) # show configuration files
initial
initial.bak
initial.prev
switch (config) #

Related Commands show configuration

Notes • This command does not affect the current running configuration

• The active configuration file may not be deleted


configuration fetch

configuration fetch <URL> [<name>]

Downloads a configuration file from a remote host.

Syntax Description

URL HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported. Example: scp://username[:password]@hostname/path/filename.

name The configuration file name.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration fetch scp://root:password@192.168.10.125/tmp/conf1
switch (config) #

Related Commands configuration switch-to

Notes • The downloaded file should not override the active configuration file, using the <name> parameter

• If no name is specified for a configuration fetch, it is given the same name as it had on the server

• No configuration file may have the name “active”


configuration jump-start

configuration jump-start

Runs the initial-configuration wizard.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration jump-start

Mellanox configuration wizard

Step 1: Hostname? [switch-3cc29c]

Step 2: Use DHCP on mgmt0 interface? y

Step 3: Admin password (Enter to leave unchanged)?

You have entered the following information:

1. Hostname: switch-3cc29c

2. Use DHCP on mgmt0 interface: yes

3. Enable IPv6: yes

4. Enable IPv6 autoconfig (SLAAC) on mgmt0 interface: yes

53. Admin password (Enter to leave unchanged): (unchanged)

To change an answer, enter the step number to return to.

Otherwise hit <enter> to save changes and exit.

Choice:

Configuration changes saved.

switch (config) #

Related Commands N/A

Notes • The wizard is automatically invoked whenever the CLI is launched when the active configuration file is fresh (i.e. not modified from its initial contents)

• This command invokes the wizard on demand – see chapter “Initializing the Switch for the First Time” in the Mellanox MLNX-OS SwitchX User Manual


configuration merge

configuration merge <filename>

Merges the “shared configuration” from one configuration file into the running configuration.

Syntax Description

filename Name of file from which to merge settings.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration merge new-config-file
switch (config) #

Related Commands

Notes • No configuration files are modified during this process

• The configuration name must be a non-active configuration file


configuration move

configuration move <source name> <dest name>

Moves a configuration file.

Syntax Description

source name Old name of file to move.

dest name New name for moved file.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show configuration files
example1
initial
initial.bak
initial.prev
switch (config) # configuration move example1 example2
switch (config) # show configuration files
example2
initial
initial.bak
initial.prev
switch (config) #

Related Commands show configuration

Notes • This command does not affect the current running configuration

• The active configuration file may not be the target of a move


configuration new

configuration new <filename> [factory [keep-basic] [keep-connect]]

Creates a new configuration file under the specified name. The parameters specify what configuration, if any, to carry forward from the current running configuration.

Syntax Description

filename Name for the new configuration file.

factory Creates new file with only factory defaults.

keep-basic Keeps licenses and host keys.

keep-connect Keeps configuration necessary for connectivity (interfaces, routes, and ARP).

Default Keeps licenses and host keys

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show configuration files
initial
initial.bak
initial.prev
switch (config) # configuration new example2
switch (config) # show configuration files
example2
initial
initial.bak
initial.prev
switch (config) #

Related Commands show configuration

Notes


configuration switch-to

configuration switch-to <filename>

Loads the configuration from the specified file and makes it the active configuration file.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # show configuration files
initial (active)
newcon
initial.prev
initial.bak
switch (config) # configuration switch-to newcon
switch (config) # show configuration files
initial
newcon (active)
initial.prev
initial.bak
switch (config) #

Related Commands show configuration files

Notes The current running configuration is lost and not automatically saved to the previous active configuration file.


configuration text fetch

configuration text fetch <URL> [apply [discard | fail-continue | filename | overwrite | verbose] | filename <filename> | overwrite [apply | filename <filename>]]

Fetches a text configuration file (list of CLI commands) from a specified URL.

Syntax Description

apply Applies the file to the running configuration (i.e. executes the commands in it). This option has the following parameters:

• discard: Does not keep downloaded configuration text file after applying it to the system

• fail-continue: If applying commands, continues execution even if one of them fails

• overwrite: If saving the file and the filename already exists, replaces the old file

• verbose: Displays all commands being executed and their output instead of just those that get errors

filename Specifies filename for saving downloaded text file.

overwrite Downloads the file and saves it using the same name it had on the server. This option has the following parameters:

• apply: Applies the downloaded configuration to the running system

• filename: Specifies filename for saving downloaded text file

Default N/A

Configuration Mode Config

History
3.2.1000 First version
3.2.3000 Updated command

Role admin

Example
switch (config) # configuration text fetch scp://username[:password]@hostname/path/filename

Related Commands N/A

Notes


configuration text file

configuration text file <filename> {apply [fail-continue] [verbose] | delete | rename <filename> | upload <URL>}

Performs operations on text-based configuration files.

Syntax Description

filename <file> Specifies the filename.

apply Applies the configuration on the system.

fail-continue Continues execution of the commands even if some commands fail.

verbose Displays all commands being executed and their output, instead of just those that get errors.

delete Deletes the file.

rename <filename> Renames the file.

upload <URL> Supported types are HTTP, HTTPS, FTP, TFTP, SCP and SFTP. For example: scp://username[:password]@hostname/path/filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration text file my-config-file delete
switch (config) #

Related Commands show configuration files

Notes


configuration text generate

configuration text generate {active {running | saved} | file <filename>} {save <filename> | upload <URL>}

Generates a new text-based configuration file from this system's configuration.

Syntax Description

active Generates from currently active configuration.

running Uses running configuration.

saved Uses saved configuration.

file <filename> Generates from inactive saved configuration.

save Saves new file to local persistent storage.

upload <URL> Supported types are HTTP, HTTPS, FTP, TFTP, SCP and SFTP. For example: scp://username[:password]@hostname/path/filename.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration text generate file initial.prev save example
switch (config) # show configuration files
initial (active)
initial.prev
initial.bak
Active configuration: initial
Unsaved changes: yes
switch (config) #

Related Commands show configuration files

Notes


configuration upload

configuration upload {active | <name>} <URL or scp or sftp://username:password@hostname[:port]/path/filename>

Uploads a configuration file to a remote host.

Syntax Description

active Uploads the active configuration file.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration upload active scp://root:password@192.168.10.125/tmp/conf1
switch (config) #

Related Commands N/A

Notes No configuration file may have the name “active”.
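The URL form used by the fetch and upload commands in this chapter (image fetch, configuration fetch, configuration text fetch, configuration upload, file debug-dump upload) permits a password inside the URL, and HTTP, FTP and TFTP carry the file without encryption. The following added example, which is not from the manual, scans a saved command transcript for both and masks the password before the transcript is stored or shared; the function names and finding labels are hypothetical, and the sample lines are constructed from the examples above.

```python
import re
from urllib.parse import urlsplit

# Schemes the manual lists as supported; the first three are unencrypted.
CLEARTEXT_SCHEMES = {"http", "ftp", "tftp"}
URL_RE = re.compile(r"\b(?:https?|s?ftp|tftp|scp)://\S+", re.IGNORECASE)

# Constructed sample transcript. Lines 1 and 2 are the manual's own examples;
# lines 3 and 4 are made up for illustration.
SAMPLE_COMMANDS = """\
configuration fetch scp://root:password@192.168.10.125/tmp/conf1
configuration upload active scp://root:password@192.168.10.125/tmp/conf1
image fetch scp://admin@192.168.10.125/var/www/html/image.img
configuration text fetch tftp://192.168.10.125/conf.txt apply
"""


def lint_line(line):
    """Return (redacted_line, findings) for one CLI line."""
    findings = []
    # "configuration text fetch <URL> apply" executes the fetched commands.
    applies_text = bool(
        re.search(r"\bconfiguration text fetch\b", line)
        and re.search(r"\bapply\b", line)
    )

    def check_and_redact(match):
        url = match.group(0)
        parts = urlsplit(url)
        if parts.scheme.lower() in CLEARTEXT_SCHEMES:
            findings.append("cleartext-transport")
            if applies_text:
                findings.append("cleartext-apply")
        # netloc looks like user[:password]@host[:port]
        userinfo, at, host = parts.netloc.rpartition("@")
        user, colon, password = userinfo.partition(":")
        if at and colon and password:
            findings.append("password-in-url")
            return url.replace(parts.netloc, f"{user}:****@{host}", 1)
        return url

    return URL_RE.sub(check_and_redact, line), findings


def lint_transcript(text):
    """Return (line_number, findings, redacted_line) for each flagged line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, findings = lint_line(line)
        if findings:
            report.append((number, findings, redacted))
    return report


if __name__ == "__main__":
    for number, findings, redacted in lint_transcript(SAMPLE_COMMANDS):
        print(number, ",".join(findings), redacted)
```

Omitting the password from the URL, as the image fetch example does, makes the switch prompt for it instead, so it never appears in the command line.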


configuration write

configuration write [local | to <filename> [no-switch]]

Saves the running configuration to the active configuration file.

Syntax Description

local Saves the running configuration locally (same as “write memory local”)

to <filename> Saves the running configuration to a new file under a different name and makes it the active file

no-switch Saves the running configuration to this file but keeps the current one active

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # configuration write
switch (config) #

Related Commands write

Notes


write

write {memory [local] | terminal}

Saves or displays the running configuration.

Syntax Description

memory Saves running configuration to the active configuration file. It is the same as “configuration write”.

local Saves the running configuration only on the local node. It is the same as “configuration write local”.

terminal Displays commands to recreate current running configuration. It is the same as “show running-config”.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # write terminal
##
## Running database "initial"
## Generated at 20114/05/27 10:05:16 +0000
## Hostname: switch
##
##
## Network interface configuration
##
interface mgmt0 comment ""
interface mgmt0 create
interface mgmt0 dhcp
interface mgmt0 display
interface mgmt0 duplex auto
interface mgmt0 mtu 1500
no interface mgmt0 shutdown
interface mgmt0 speed auto
no interface mgmt0 zeroconf
##
## Local user account configuration
##
username a** capability admin
no username a** disable
username a** disable password
......
switch (config) #

Related Commands
show running-config
configuration write

Notes


show configuration

show configuration [audit | files [<filename>] | running | text files]

Displays a list of CLI commands that will bring the state of a fresh system up to match the current persistent state of this system.

Syntax Description

audit Displays settings for configuration change auditing.

files [<filename>] Displays a list of configuration files in persistent storage if no filename is specified. If a filename is specified, it displays the commands to recreate the configuration in that file. In the latter case, only nondefault commands are shown, as for the normal “show configuration” command.

running Displays commands to recreate current running configuration. Same as “show configuration” except that it applies to the currently running configuration, rather than the current persisted configuration.

text files Displays names of available text-based configuration files.

Default N/A

Configuration Mode Config

History
3.1.0000
3.3.5006 Removed “running full” and “full” parameters

Role monitor/admin

Example
switch (config) # show configuration
##
## Active saved database "newcon"
## Generated at 20114/05/25 10:18:52 +0000
## Hostname: switch-3cc29c
##
##
## Network interface configuration
##
interface mgmt0 comment ""
interface mgmt0 create
interface mgmt0 dhcp
interface mgmt0 display
interface mgmt0 duplex auto
interface mgmt0 mtu 1500
no interface mgmt0 shutdown
interface mgmt0 speed auto
no interface mgmt0 zeroconf
switch (config) #

Related Commands

Notes


show running-config

show running-config

Displays commands to recreate current running configuration.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

3.3.4402 Removed “full” parameter

Role monitor/admin

Example

switch (config) # show running-config

##

## Running database "initial"

## Generated at 2012/02/28 14:59:02 +0000

## Hostname: switch-5ea5d8

##

##

## License keys

##

license install LK2-EFM_SX-5M11-5K11-5HGL-0KAL-64QK-8C2Q-60Q3-6C1G

##

## Network interface configuration

##

interface mgmt0 create

interface mgmt0 comment ""

interface mgmt0 dhcp

interface mgmt0 display

interface mgmt0 duplex auto

interface mgmt0 mtu 1500

no interface mgmt0 shutdown

...

switch (config) #

Related Commands

Notes


4.5 Logging

4.5.1 Monitor

To print logging events to the terminal:

Set the modules or events you wish to print to the terminal. For example, run:

switch (config) # logging monitor events notice

switch (config) # logging monitor sx-sdk warning

These commands print system events of severity “notice” and sx-sdk module notifications of severity “warning” to the screen. For example, in the case of an interface-down event, the following is printed to the screen:

switch (config) #

Wed Jul 10 11:30:42 2013: Interface IB1/17 changed state to DOWN

Wed Jul 10 11:30:43 2013: Interface IB1/18 changed state to DOWN

switch (config) #

To see a list of the events, refer to Table 22, “Supported Event Notifications and MIB Mapping,” on page 257.

4.5.2 Remote Logging

To configure remote syslog to send syslog messages to a remote syslog server:

Step 1. Enter Config mode. Run:

switch > enable

switch # configure terminal

Step 2. Set remote syslog server. Run:

switch (config) # logging <IP address>

Step 3. Set the minimum severity of the log level to info. Run:

switch (config) # logging <IP address> trap info

Step 4. Override the log levels on a per-class basis. Run:

switch (config) # logging <IP address> trap override class <class name> priority <level>


4.5.3 Commands

logging <syslog IP address>

logging <syslog IP address> [trap {<log-level> | override class <class> priority <log-level>}]

no logging <syslog IP address> [trap {<log-level> | override class <class> priority <log-level>}]

Enables (by setting the IP address) sending logging messages, with ability to filter the logging messages according to their classes.

The no form of the command stops sending messages to the remote syslog server.

Syntax Description

syslog IP address IPv4 address of the remote syslog server.

log-level

• alert - alert notification, action must be taken immediately

• crit - critical condition

• debug - debug level messages

• emerg - system is unusable (emergency)

• err - error condition

• info - informational condition

• none - disables the logging locally and remotely

• notice - normal, but significant condition

• warning - warning condition

class Sets or removes a per-class override on the logging level. All classes which do not have an override set will use the global logging level set with “logging local <log level>”. Classes that do have an override will do as the override specifies. If “none” is specified for the log level, MLNX-OS will not log anything from this class.

Classes available:

• iss-modules - protocol stack

• mgmt-back - system management back-end

• mgmt-core - system management core

• mgmt-front - system management front-end

• mlx-daemons - management daemons

• sx-sdk - switch SDK

log-level

• alert - alert notification, action must be taken immediately

• crit - critical condition

• debug - debug level messages

• emerg - system is unusable (emergency)

• err - error condition

• info - informational condition

• none - disables the logging locally and remotely

• notice - normal, but significant condition

• warning - warning condition

Default Remote logging is disabled

Configuration Mode Config

History 3.1.0000

Role admin


Example

switch (config) # logging local info

switch (config) # show logging

Local logging level: info

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: disabled

Levels at which messages are logged:

CLI commands: notice

Audit messages: notice

switch (config) #

Related Commands show logging logging local override

Notes


logging debug-files

logging debug-files {delete {current | oldest} | rotation {criteria | force | maxnum} | update {<number> | current} | upload <log-file> <upload URL>}

Configures settings for debug log files.

Syntax Description

delete {current | oldest} Deletes certain debug-log files.

• current: Deletes the current active debug-log file

• oldest: Deletes some of the oldest debug-log files

rotation {criteria {frequency {daily | weekly | monthly} | size <size> | size-pct <percentage>} | force | max-num} Configures automatic rotation of debug-logging files.

• criteria: Sets how the system decides when to rotate debug files.

• frequency: Rotate log files on a fixed time-based schedule

• size: Rotate log files when they pass a size threshold in megabytes

• size-pct: Rotate logs when they surpass a specified percentage of disk

• force: Forces an immediate rotation of the log files

• max-num: Specifies the maximum number of old log files to keep

update {<number> | current} Uploads a local debug-log file to a remote host.

• current: Uploads log file “messages” to a remote host

• number: Uploads compressed log file “debug.<number>.gz” to a remote host. Range is 1-10

upload Uploads debug log file to a remote host

log-file Possible values: 1-7, or current

upload URL HTTP, HTTPS, FTP, TFTP, SCP and SFTP are supported (e.g.: scp://username[:password]@hostname/path/filename)

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # logging debug-files delete current

switch (config) #

Related Commands

Notes


logging local override

logging local override [class <class> priority <log-level>]

no logging local override [class <class> priority <log-level>]

Enables class-specific overrides to the local log level.

The no form of the command disables all class-specific overrides to the local log level without deleting them from the configuration, so that the logging level for all classes is determined solely by the global setting.

Syntax Description

override Enables class-specific overrides to the local log level.

class Sets or removes a per-class override on the logging level. All classes which do not have an override set will use the global logging level set with “logging local <log level>”. Classes that do have an override will do as the override specifies. If “none” is specified for the log level, MLNX-OS will not log anything from this class.

Classes available:

• debug-module - debug module functionality

• protocol-stack - protocol stack modules functionality

• mgmt-back - system management back-end components

• mgmt-core - system management core

• mgmt-front - system management front-end components

• mlx-daemons - management daemons

• sx-sdk - switch SDK

log-level

• alert - alert notification, action must be taken immediately

• crit - critical condition

• debug - debug level messages

• emerg - system is unusable (emergency)

• err - error condition

• info - informational condition

• none - disables the logging locally and remotely

• notice - normal, but significant condition

• warning - warning condition

Default Override is disabled.

Configuration Mode Config

History 3.1.0000

3.3.4150 Added debug-module class

Changed iss-modules with protocol-stack

Role admin


Example

switch (config) # logging local override class mgmt-front priority warning

switch (config) # show logging

Local logging level: info

Override for class mgmt-front: warning

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: disabled

Levels at which messages are logged:

CLI commands: notice

Audit messages: notice

switch (config) #

Related Commands show logging logging local

Notes
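The override rules described for this command, as an added example (not MLNX-OS code): it parses “show logging” output like the example above and decides whether a message of a given class and severity is logged locally, then lists the classes whose override hides messages the global level would keep. The severity ranking is the standard syslog order; the function names and the overrides_enabled flag, which models the no form of the command, are assumptions.

```python
import re

# Standard syslog ranking: a lower number is more severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# "show logging" output as printed in the example for this command.
SAMPLE_SHOW_LOGGING = """\
Local logging level: info
Override for class mgmt-front: warning
Default remote logging level: notice
No remote syslog servers configured.
Allow receiving of messages from remote hosts: no
Number of archived log files to keep: 10
Log rotation size threshold: 5.000% of partition (43 megabytes)
Log format: standard
Subsecond timestamp field: disabled
Levels at which messages are logged:
CLI commands: notice
Audit messages: notice
"""

_LOCAL = re.compile(r"^Local logging level:\s*(\S+)$")
_OVERRIDE = re.compile(r"^Override for class (\S+):\s*(\S+)$")


def _level(name):
    """Validate a level name; 'none' is allowed and means log nothing."""
    name = name.lower()
    if name != "none" and name not in SEVERITY:
        raise ValueError("unknown log level: %r" % name)
    return name


def parse_show_logging(text):
    """Extract the global local level and the per-class overrides."""
    cfg = {"local": None, "overrides": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LOCAL.match(line)
        if m:
            cfg["local"] = _level(m.group(1))
            continue
        m = _OVERRIDE.match(line)
        if m:
            cfg["overrides"][m.group(1)] = _level(m.group(2))
    if cfg["local"] is None:
        raise ValueError("no 'Local logging level' line found")
    return cfg


def threshold_for(cfg, log_class, overrides_enabled=True):
    """A class uses its override if one is set and enabled, else the global level."""
    if overrides_enabled and log_class in cfg["overrides"]:
        return cfg["overrides"][log_class]
    return cfg["local"]


def is_logged(cfg, log_class, severity, overrides_enabled=True):
    """True if a message of this class and severity meets the threshold."""
    threshold = threshold_for(cfg, log_class, overrides_enabled)
    if threshold == "none":
        return False
    return SEVERITY[severity] <= SEVERITY[threshold]


def suppressed_classes(cfg, severity):
    """Classes whose override drops messages the global level would keep."""
    return sorted(c for c in cfg["overrides"]
                  if is_logged(cfg, c, severity, overrides_enabled=False)
                  and not is_logged(cfg, c, severity))


if __name__ == "__main__":
    cfg = parse_show_logging(SAMPLE_SHOW_LOGGING)
    for sev in ("err", "notice", "info"):
        print(sev, "suppressed for:", suppressed_classes(cfg, sev))
```
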


logging fields

logging fields seconds {enable | fractional-digits <f-digit> | whole-digits <w-digit>}

no logging fields seconds {enable | fractional-digits <f-digit> | whole-digits <w-digit>}

Specifies whether to include an additional field in each log message that shows the number of seconds since the Epoch or not.

The no form of the command disallows including an additional field in each log message that shows the number of seconds since the Epoch.

Syntax Description

enable Specifies whether to include an additional field in each log message that shows the number of seconds since the Epoch or not.

f-digit The fractional-digits parameter controls the number of digits to the right of the decimal point. Truncation is done from the right. Possible values are: 1, 2, 3, or 6.

w-digit The whole-digits parameter controls the number of digits to the left of the decimal point. Truncation is done from the left. Except for the year, all of these digits are redundant with syslog's own date and time. Possible values: 1, 6, or all.

Default disabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging fields seconds enable

switch (config) # logging fields seconds whole-digits 1

switch (config) # show logging

Local logging level: info

Override for class mgmt-front: warning

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: enabled

Subsecond timestamp precision: 1 whole digit; 3 fractional digits

Levels at which messages are logged:

CLI commands: notice

Audit messages: notice

switch (config) #


Related Commands show logging

Notes This is independent of the standard syslog date and time at the beginning of each message in the format of “July 15 18:00:00”. Aside from indicating the year at full precision, its main purpose is to provide subsecond precision.


logging files delete

logging files delete {current | oldest [<number of files>]}

Deletes the current or oldest log files.

Syntax Description

current Deletes current log file.

oldest Deletes oldest log file.

number of files Sets the number of files to be deleted.

Default CLI commands and audit message are set to notice logging level

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging files delete current

switch (config) #

Related Commands show logging show log files

Notes


logging files rotation

logging files rotation {criteria {frequency <freq> | size <size-mb> | size-pct <size-percentage>} | force | max-number <number-of-files>}

Sets the rotation criteria of the logging files.

Syntax Description

freq Sets rotation criteria according to time. Possible options are:

• Daily

• Weekly

• Monthly

size-mb Sets rotation criteria according to size in megabytes. The range is 1-9999.

size-percentage Sets rotation criteria according to size in percentage of the partition where the logging files are kept. The percentage given is truncated to three decimal points (thousandths of a percent).

force Forces an immediate rotation of the log files. This does not affect the schedule of auto-rotation if it was done based on time: the next automatic rotation will still occur at the same time for which it was previously scheduled. Naturally, if the auto-rotation was based on size, this will delay it somewhat as it reduces the size of the active log file to zero.

number-of-files The number of log files that will be kept. If the number of log files ever exceeds this number (either at rotation time, or when this setting is lowered), the system will delete as many files as necessary to bring it down to this number, starting with the oldest.

Default 10 files are kept by default with rotation criteria of 5% of the log partition size

Configuration Mode Config

History 3.1.0000

Role admin


Example

switch (config) # logging files rotation criteria size-pct 6

switch (config) # show logging

Local logging level: info

Override for class mgmt-front: warning

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 6.000% of partition (51.60 megabytes)

Log format: standard

Subsecond timestamp field: enabled

Subsecond timestamp precision: 1 whole digit; 3 fractional digits

Levels at which messages are logged:

CLI commands: info

Audit messages: notice

switch (config) #

Related Commands show logging show log files

Notes


logging files upload

logging files upload {current | <file-number>} <url>

Uploads a log file to a remote host.

Syntax Description

current The current log file. The current log file will have the name “messages” if you do not specify a new name for it in the upload URL.

file-number An archived log file. The archived log file will have the name “messages<n>.gz” (where “n” is the file number) if you do not specify a new name for it in the upload URL. The file will be compressed with gzip.

url Upload URL path. FTP, TFTP, SCP, and SFTP are supported. For example: scp://username[:password]@hostname/path/filename.

Default 10 files are kept by default with rotation criteria of 5% of the log partition size

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging files upload 1 scp://admin@scpserver

Related Commands show logging show log files

Notes


logging format

logging format {standard | welf [fw-name <hostname>]}

no logging format {standard | welf [fw-name <hostname>]}

Sets the format of the logging messages.

The no form of the command resets the format to its default.

Syntax Description

welf WebTrends Enhanced Log file (WELF) format.

hostname Specifies the firewall hostname that should be associated with each message logged in WELF format. If no firewall name is set, the hostname is used by default.

Default standard

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging format standard

switch (config) # show logging

Local logging level: info

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: yes

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: disabled

Levels at which messages are logged:

CLI commands: notice

Audit messages: notice

switch (config) #

Related Commands show logging

Notes


logging level

logging level {cli commands <log-level> | audit mgmt <log-level>}

Sets the severity level at which CLI commands or the management audit message that the user executes are logged. This includes auditing of both configuration changes and actions.

Syntax Description

cli commands Sets the severity level at which CLI commands which the user executes are logged.

audit mgmt Sets the severity level at which all network management audit messages are logged.

log-level

• alert - alert notification, action must be taken immediately

• crit - critical condition

• debug - debug level messages

• emerg - system is unusable (emergency)

• err - error condition

• info - informational condition

• none - disables the logging locally and remotely

• notice - normal, but significant condition

• warning - warning condition

Default CLI commands and audit message are set to notice logging level

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging level cli commands info

switch (config) # show logging

Local logging level: info

Override for class mgmt-front: warning

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: enabled

Subsecond timestamp precision: 1 whole digit; 3 fractional digits

Levels at which messages are logged:

CLI commands: info

Audit messages: notice

switch (config) #

Related Commands show logging

Notes


logging monitor

logging monitor <facility> <priority-level>

no logging monitor <facility> <priority-level>

Sets monitor log facility and level to print to the terminal.

The no form of the command disables printing logs of facilities to the terminal.

Syntax Description

facility

• mgmt-front

• mgmt-back

• mgmt-core

• events

• sx-sdk

• mlnx-daemons

• iss-modules

priority-level

• none

• emerg

• alert

• crit

• err

• warning

• notice

• info

• debug

Default no logging monitor

Configuration Mode Config

History 3.3.4000

Role admin

Example

switch (config) # logging monitor events notice

switch (config) #

Related Commands

Notes


logging receive

logging receive

no logging receive

Enables receiving logging messages from a remote host.

The no form of the command disables the option of receiving logging messages from a remote host.

Syntax Description N/A

Default Receiving logging is disabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging receive

switch (config) # show logging

Local logging level: info

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: yes

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: disabled

Levels at which messages are logged:

CLI commands: notice

Audit messages: notice

switch (config) #

Related Commands show logging logging local logging local override

Notes • This does not log to the console TTY port

• In-band management should be enabled in order to open a channel from the host to the CPU

• If enabled, only log messages matching or exceeding the minimum severity specified with the “logging local” command will be logged, regardless of what is sent from the remote host


logging trap

logging trap

no logging trap

Configures the minimum severity of log messages sent to syslog servers.

The no form of the command disables sending event log messages to syslog servers.

Syntax Description

severity level The minimum severity level for all configured syslog servers:

• none – disable logging

• emerg – emergency: system is unusable

• alert – action must be taken immediately

• crit – critical conditions

• err – error conditions

• warning – warning conditions

• notice – normal but significant condition

• info – informational messages

• debug – debug-level messages

Default Receiving logging is disabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # logging trap info

switch (config) #

Related Commands

Notes


show logging

show logging

Displays the logging configurations.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show logging

Local logging level: info

Override for class mgmt-front: warning

Default remote logging level: notice

No remote syslog servers configured.

Allow receiving of messages from remote hosts: no

Number of archived log files to keep: 10

Log rotation size threshold: 5.000% of partition (43 megabytes)

Log format: standard

Subsecond timestamp field: enabled

Subsecond timestamp precision: 1 whole digit; 3 fractional digits

Levels at which messages are logged:

CLI commands: info

Audit messages: notice

switch (config) #

Related Commands logging fields logging files rotation logging level logging local logging receive logging <syslog IP address>

Notes


show log

show log [continues | files [<file-number>]] [[not] matching <reg-exp>]

Displays the log file with optional filter criteria.

Syntax Description

continues Displays the last few lines of the current log file and then continues to display new lines as they come in until the user hits Ctrl+C, similar to LINUX “tail” utility.

files Displays the list of log files.

<file-number> Displays an archived log file, where the number may range from 1 up to the number of archived log files available.

[not] matching <reg-exp> The file is piped through a LINUX “grep” utility to only include lines either matching, or not matching, the provided regular expression.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.3.4402 Updated example and added note

Role admin

Example

switch (config) # show log matching "Executing|Action"

Jan 19 10:55:38 arc-switch14 cli28202: [cli.NOTICE]: user admin: Executing command: en

Jan 19 11:19:32 arc-switch14 cli28202: [cli.NOTICE]: user admin: Executing command: image install image-SX_PPC_M460EX-ppc-m460ex-20140119-115026.img

Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: requested by: user admin (System Administrator) via CLI

Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: descr: install system software image

Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: param: image filename: image-SX_PPC_M460EX-ppc-m460ex-20140119-115026.img, version: SX_PPC_M460EX

3.0.0000-dev-master-HA 2014-01-19 11:50:26 ppc

Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: param: switch next boot location after install: no

switch (config) #

Related Commands logging fields logging files rotation logging level logging local logging receive logging <syslog IP address> show logging

Notes When using a regular expression containing | (OR), the expression should be surrounded by quotes (“<expression>”), otherwise it is parsed as filter (PIPE) command.
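The output of show log matching "Executing|Action" can be turned into audit records for review, as in this added example (not part of the manual or of MLNX-OS). It groups the mgmtd lines by Action ID, pairs them with the CLI commands and the user who ran them, and folds a wrapped tail line back into the record it belongs to. The sample input is the example output above plus the trailing prompt; the function names and the regular expressions are assumptions fitted to those lines.

```python
import re

# Sample input: the lines printed in the example above, followed by the CLI
# prompt. The sixth line is the wrapped tail of the record before it.
SAMPLE_LOG = """\
Jan 19 10:55:38 arc-switch14 cli28202: [cli.NOTICE]: user admin: Executing command: en
Jan 19 11:19:32 arc-switch14 cli28202: [cli.NOTICE]: user admin: Executing command: image install image-SX_PPC_M460EX-ppc-m460ex-20140119-115026.img
Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: requested by: user admin (System Administrator) via CLI
Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: descr: install system software image
Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: param: image filename: image-SX_PPC_M460EX-ppc-m460ex-20140119-115026.img, version: SX_PPC_M460EX
3.0.0000-dev-master-HA 2014-01-19 11:50:26 ppc
Jan 19 11:19:32 arc-switch14 mgmtd4064: [mgmtd.NOTICE]: Action ID 326: param: switch next boot location after install: no
switch (config) #
"""

# timestamp, host, process name + pid (with or without brackets), [module.SEVERITY]
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z_-]+)\[?(?P<pid>\d+)\]?: "
    r"\[(?P<module>[\w-]+)\.(?P<severity>[A-Z]+)\]: (?P<msg>.*)$")
CLI_CMD = re.compile(r"^user (?P<user>[^:\s]+): Executing command: (?P<cmd>.*)$")
ACTION = re.compile(
    r"^Action ID (?P<id>\d+): (?P<key>requested by|descr|param): (?P<val>.*)$")
PROMPT = re.compile(r"^\S+( \(config[^)]*\))? [#>]\s*$")


def join_wrapped(lines):
    """Drop prompts and blanks; append lines without a header to the previous record."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        if not line.strip() or PROMPT.match(line):
            continue
        if HEADER.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_audit(text):
    """Return (commands, actions): CLI commands in order, actions keyed by Action ID."""
    commands, actions = [], {}
    for line in join_wrapped(text.splitlines()):
        head = HEADER.match(line)
        if not head:
            continue  # leading fragment with no header: nothing to attribute it to
        msg = head.group("msg")
        cli = CLI_CMD.match(msg)
        if cli:
            commands.append({"ts": head.group("ts"), "host": head.group("host"),
                             "user": cli.group("user"), "command": cli.group("cmd")})
            continue
        act = ACTION.match(msg)
        if act:
            rec = actions.setdefault(act.group("id"), {
                "ts": head.group("ts"), "host": head.group("host"),
                "requested_by": None, "descr": None, "params": []})
            if act.group("key") == "param":
                rec["params"].append(act.group("val"))
            elif act.group("key") == "descr":
                rec["descr"] = act.group("val")
            else:
                rec["requested_by"] = act.group("val")
    return commands, actions


if __name__ == "__main__":
    cmds, acts = parse_audit(SAMPLE_LOG)
    for c in cmds:
        print("%(ts)s %(host)s %(user)s ran: %(command)s" % c)
    for action_id, a in acts.items():
        print("action %s: %s (%s)" % (action_id, a["descr"], a["requested_by"]))
        for p in a["params"]:
            print("    " + p)
```
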


4.6 Debugging

To use the debugging logs feature:

Step 1. Enable debugging. Run:

switch (config) # debug ethernet all

Step 2. Display the debug level set. Run:

switch (config) # show debug ethernet

Step 3. Display the logs. Run:

switch (config) # show log debug {match|continue}


4.6.1 Commands

debug ethernet all

debug ethernet all

no debug ethernet all

Enables debug traces for Ethernet modules.

The no form of the command disables the debug traces for all Ethernet modules.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet all

switch (config) #

Related Commands

Notes


debug ethernet dcbx

debug ethernet dcbx {all | management | fail-all | control-panel | tlv}

Configures the trace level for DCBX.

The no form of the command disables the configured DCBX debug traces.

Syntax Description

all Enables all traces.

management Management messages.

fail-all All failure traces.

control-panel Control plane traces.

tlv TLV related trace configuration.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet dcbx all

switch (config) #

Related Commands

Notes


debug ethernet ip all

debug ethernet ip all

Enables debug traces for all routing modules.

The no form of the command disables debug traces for all routing modules.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip all

switch (config) #

Related Commands

Notes


debug ethernet ip arp all

debug ethernet ip arp all

no debug ethernet ip arp all

Enables the trace level for ARP.

The no form of the command disables the trace level for ARP.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip arp all

switch (config) #

Related Commands

Notes


debug ethernet ip bgp

debug ethernet ip bgp {all | control-path | dampening | graceful-restart | internal | keep-alive | receive | resources | rtm | transmit | update}

no debug ethernet ip bgp {all | control-path | dampening | graceful-restart | internal | keep-alive | receive | resources | rtm | transmit | update}

Enables the trace level for BGP.

The no form of the command disables tracking a specified level.

Syntax Description

all Enable track traces

control-path Control path dump trace

dampening Dampening information

graceful-restart Graceful-restart events

internal Internal events

keep-alive Keep-alive packets exchange

neighbor Peer connection/state changes traces

receive All received packets

resources OS Resource trace

rtm Route change notifications

transmit All transmitted packets

update Update packets exchange

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip arp all

switch (config) #

Related Commands

Notes


debug ethernet ip dhcp-relay

debug ethernet ip dhcp-relay {all | error}

no debug ethernet ip dhcp-relay {all | error}

Configures the trace level for DHCP.

The no form of the command disables tracking a specified level.

Syntax Description

all Enables track traces

error Error code debug messages

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip dhcp-relay all

switch (config) #

Related Commands

Notes


debug ethernet ip igmp-l3

debug ethernet ip igmp-l3 {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-path | resources}

no debug ethernet ip igmp-l3 {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-path | resources}

Configures the trace level for IGMP.

The no form of the command disables tracking a specified level.

Syntax Description

all Enable track traces

control-plane Control plane traces

data-path IP packet dump trace

fail-all All failures including Packet Validation Trace

init-shut Init and shutdown messages

management Management messages

memory Memory related messages

packet-dump Packet dump messages

resources OS resource trace

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip igmp-l3 all

switch (config) #

Related Commands

Notes


debug ethernet ip igmp-snooping

debug ethernet ip igmp-snooping {all | forward-db-messages | group-info | init-shut | packet-dump | query | source-info | system-resources-management | timer | vlan-info}

no debug ethernet ip igmp-snooping {all | forward-db-messages | group-info | init-shut | packet-dump | query | source-info | system-resources-management | timer | vlan-info}

Configures the trace level for IGMP snooping.

The no form of the command disables tracking a specified level.

Syntax Description

all Enable track traces

forward-db-messages Forwarding database messages

group-info Group information messages

init-shut Init and shutdown messages

packet-dump Packet dump messages

query Query related messages

source-info Source information messages

system-resources-management System resources management messages

timer Timer messages

vlan-info VLAN information messages

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip igmp-snooping all

switch (config) #

Related Commands

Notes


debug ethernet ip interface

debug ethernet ip interface {all | arp-packet-dump | buffer | enet-packet-dump | error | fail-all | filter | trace-error | trace-event}

no debug ethernet ip interface {all | arp-packet-dump | buffer | enet-packet-dump | error | fail-all | filter | trace-error | trace-event}

Configures the trace level for interface.

The no form of the command disables tracking a specified level.

Syntax Description

all Enable track traces

arp-packet-dump ARP packet dump trace

buffer Buffer trace

enet-packet-dump ENET packet dump trace

error Trace error messages

fail-all All failures including Packet Validation Trace

filter Lower layer traces

trace-error Trace error messages

trace-event Trace event messages

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip interface all

switch (config) #

Related Commands

Notes


debug ethernet ip ospf

debug ethernet ip ospf {adjacency | all | configuration | ddp-packet | helper | Interface | ism | lrq-packet | lsa_packet | lsu-packet}

Configures the trace level for OSPF.

The no form of the command disables tracking a specified level.

Syntax Description

adjacency Adjacency formation debug messages

all Enable track traces

configuration Configuration debug messages

ddp-packet DDP packet debug messages

helper Helper debug messages

Interface Interface debug messages

ism Interface State Machine debug messages

lrq-packet Link State Request Packet debug messages

lsa_packet Link State Acknowledge Packet debug messages

lsu-packet Link State Update Packet debug messages

nsm Neighbor State Machine debug messages

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet ip ospf all

switch (config) #

Related Commands

Notes

Rev 4.20

Mellanox Technologies Confidential 247

debug ethernet lacp

debug ethernet lacp {all | all-resource | data-path | fail-all | init-shut | management | memory | packet}
no debug ethernet lacp {all | all-resources | data-path | fail-all | init-shut | management | memory | packet}

Configures the trace level for LACP.

The no form of the command disables the configured LACP debug traces.

Syntax Description

all Enables all traces.
all-resource OS resource trace.
data-path IP packet dump trace.
fail-all All failure traces.
init-shut Init and shutdown traces.
management Management messages.
memory Memory related messages.
packet BPDU related messages.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet lacp all
switch (config) #

Related Commands

Notes

debug ethernet lldp

debug ethernet lldp {all | control-panel | critical-event | data-path | fail-all | init-shut | management | memory | neigh-add | neigh-age-out | neigh-del | neigh-drop | neigh-updt | tlv}
no debug ethernet lldp {all | control-panel | critical-event | data-path | fail-all | init-shut | management | memory | neigh-add | neigh-age-out | neigh-del | neigh-drop | neigh-updt | tlv}

Configures the trace level for LLDP.

The no form of the command disables the configured LLDP debug traces.

Syntax Description

all Enables all traces.
control-panel Control plane traces.
critical-event Critical traces.
data-path IP packet dump trace.
fail-all All failure traces.
init-shut Init and shutdown traces.
management Management messages.
memory Memory related messages.
neigh-add Neighbor add traces.
neigh-age-out Neighbor ageout traces.
neigh-del Neighbor delete traces.
neigh-drop Neighbor drop traces.
neigh-updt Neighbor update traces.
tlv TLV related trace configuration

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet lldp all
switch (config) #

Related Commands

Notes

debug ethernet port

debug ethernet port all

Configures the trace level for port.

The no form of the command disables the configured port debug traces.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet port all
switch (config) #

Related Commands

Notes

debug ethernet qos

debug ethernet qos {all | all-resource | control-panel | fail-all | filters | init-shut | management | memory | packet}
no debug ethernet qos {all | all-resource | control-panel | fail-all | filters | init-shut | management | memory | packet}

Configures the trace level for QoS.

The no form of the command disables the configured QoS debug traces.

Syntax Description

all Enables all traces.
all-resource OS resource traces.
control-panel Control plane traces.
fail-all All failure traces.
filters Lower layer traces.
init-shut Init and shutdown traces.
management Management messages.
memory Memory related messages.
packet BPDU related messages.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet port all
switch (config) #

Related Commands

Notes

debug ethernet spanning-tree

debug ethernet spanning-tree {all | error | event | filters | init-shut | management | memory | packet | port-info-state-machine | port-receive-state-machine | port-role-selection-state-machine | port-transit-state-machine | port-transmit-state-machine | protocol-migration-state-machine | timers}
no debug ethernet spanning-tree {all | error | event | filters | init-shut | management | memory | packet | port-info-state-machine | port-receive-state-machine | port-role-selection-state-machine | port-transit-state-machine | port-transmit-state-machine | protocol-migration-state-machine | timers}

Configures the trace level for spanning-tree.

The no form of the command disables the configured spanning-tree debug traces.

Syntax Description

all Enables all traces.
error Error messages trace.
event Events related messages.
filters Lower layer traces.
init-shut Init and shutdown traces.
management Management messages.
memory Memory related messages.
packet BPDU related messages.
port-info-state-machine Port information messages.
port-receive-state-machine Port received messages.
port-role-selection-state-machine Port role selection messages.
port-transit-state-machine Port transition messages.
port-transmit-state-machine Port transmission messages.
protocol-migration-state-machine Protocol migration messages.
timers Timer modules message.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet spanning-tree all
switch (config) #

Related Commands

Notes

debug ethernet vlan

debug ethernet vlan {all | fwd | priority | filters}
no debug ethernet vlan {all | fwd | priority | filters}

Configures the trace level for VLAN.

The no form of the command disables the configured VLAN debug traces.

Syntax Description

all Enables all traces
fwd Forward.
priority Priority.
filters Lower layer traces.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config) # debug ethernet vlan all
switch (config) #

Related Commands

Notes

show debug ethernet

show debug ethernet {dcbx | ip {arp | dhcp-relay | igmp-snooping | interface | ospf} | lacp | lldp | port | qos | spanning-tree | vlan}

Displays debug level configuration on a specific switch.

Syntax Description

dcbx Displays the trace level for spanning tree.

ip Displays debug trace level for ethernet routing module.

• arp

• dhcp-relay

• igmp-snooping

• interface

• ospf

lacp Displays the trace level for LACP.
lldp Displays the trace level for LLDP.
port Displays the trace level for port.
qos Displays the trace level for QoS.
spanning-tree Displays the trace level for spanning tree.
vlan Displays the trace level for VLAN.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example

switch (config) # show debug ethernet dcbx
dcbx protocol :
management is ON
fail-all is ON
control-panel is ON
tlv is ON
switch (config) #

Related Commands

Notes

show log debug

show log debug [continuous | files | matching | not]

Displays current event debug-log file in a scrollable pager.

Syntax Description

continuous Displays new event log messages as they arrive.
files Displays archived debug log files.
matching Displays event debug logs that match a given regular expression.
not Displays event debug logs that do not meet certain criteria.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example

switch (config) # show log debug

Jun 15 16:20:47 switch-627e4c last message repeated 7 times

Jun 15 16:20:47 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>QoSHwQueueDelete i4IfIndex[137]

Jun 15 16:20:47 switch-627e4c last message repeated 7 times

Jun 15 16:20:47 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>QoSHwQueueDelete i4IfIndex[141]

Jun 15 16:20:47 switch-627e4c last message repeated 7 times

Jun 15 16:20:48 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: ==FsHwSetSpeed sx_api_port_speed_admin_set = 0

Jun 15 16:20:48 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: ==FsHwGetSpeed sx_api_port_speed_oper_get = 0

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[89], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[33], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[73], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[121], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[133], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[13], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[81], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[117], u1ConfigOption[6]

Jun 15 16:20:49 switch-627e4c issd[6509]: TID 1274844336: [issd.DEBUG]: NPAPI: >>CfaGddConfigPort NS u4IfIndex[65], u1ConfigOption[6]

.

.

.

switch (config) #

Related Commands

Notes


4.7 Event Notifications

MLNX-OS supports a variety of events. Events are written to the system log file and can optionally be sent to the system administrator by email, as an SNMP trap, or printed directly to the terminal.

4.7.1 Supported Events

The following table presents the supported events and maps them to their relevant MIB OID.

Table 22 - Supported Event Notifications and MIB Mapping

Event Name asic-chip-down cpu-util-high disk-space-low health-module-status insufficient-fans insufficient-fans-recover insufficient-power interface-down interface-up internal-bus-error liveness-failure low-power low-power-recover

Event Description MIB OID Comments

ASIC (chip) down

CPU utilization has risen too high

File system free space has fallen too low

Health module status changed

Insufficient amount of fans in system

Insufficient amount of fans in system recovered

Insufficient power supply

An interface’s link state has changed to DOWN

An interface’s link state has changed to UP

Mellanox-EFM-MIB: asicChipDown

Mellanox-EFM-MIB: cpuUtilHigh

Mellanox-EFM-MIB: diskSpaceLow

Mellanox-EFM-MIB: systemHealthStatus

Mellanox-EFM-MIB: insufficientFans

Mellanox-EFM-MIB: insufficientFansRecover

Mellanox-EFM-MIB: insufficientPower

RFC1213: linkdown (SNMPv1)

RFC1213: linkup (SNMPv1)

Not supported

Supported for Ethernet, InfiniBand and management interfaces for 1U and blade systems

Supported for Ethernet, InfiniBand and management interfaces for 1U and blade systems

Internal bus (I2C) error

Mellanox-EFM-MIB: internalBusError

Not implemented A process in the system is detected as hung

Low power supply Mellanox-EFM-MIB: lowPower

Low power supply recover Mellanox-EFM-MIB: lowPowerRecover


Event Name Event Description new_root paging-high

Local bridge became a root bridge

Paging activity has risen too high power-redundancy-mismatch Power redundancy mismatch

MIB OID

Bridge-MIB: newRoot

N/A process-crash process-exit snmp-authtrap topology_change unexpected-shutdown

A process in the system has crashed

A process in the system unexpectedly exited

An SNMPv3 request has failed authentication

Topology change triggered by a local bridge

Unexpected system shutdown

Send a testing event

Comments

Supported for Ethernet

Not supported

Mellanox-EFM-MIB: powerRedundancyMismatch

Mellanox-EFM-MIB: procCrash

Mellanox-EFM-MIB: procUnexpectedExit

Not implemented

Supported for SX65xx only systems

Bridge-MIB: topologyChange

Mellanox-EFM-MIB: unexpectedShutdown testTrap

Supported for Ethernet

To send, use the CLI command: snmp-server notify send-test

N/A Not supported temperature-too-high

Reset occurred due to over-heating of ASIC

Temperature is too high

Mellanox-EFM-MIB: asicOverTempReset

Mellanox-EFM-MIB: asicOverTemp

4.7.2 Terminal Notifications

To print events to the terminal:

Set the events you wish to print to the terminal. Run:

switch (config) # logging monitor events notice

This command prints system events of severity “notice” to the screen. For example, an interface-down event prints the following:

switch (config) #
Wed Jul 10 11:30:42 2013: Interface IB1/17 changed state to DOWN
Wed Jul 10 11:30:43 2013: Interface IB1/18 changed state to DOWN
switch (config) #

4.7.3 Email Notifications

To configure MLNX-OS to send you emails for all configured events and failures:

Step 1. Enter Config mode. Run:

switch >
switch > enable
switch # configure terminal

Step 2. Set your mailhub to the IP address of your mail client’s server, for example, a Microsoft Outlook exchange server. Run:

switch (config) # email mailhub <IP address>

Step 3. Add your email address for notifications. Run:

switch (config) # email notify recipient <email address>

Step 4. Configure the system to send notifications for a specific event. Run:

switch (config) # email notify event <event name>

Step 5. Show the list of events for which an email is sent. Run:

switch (config) # show email events
Failure events for which emails will be sent:
process-crash: A process in the system has crashed
unexpected-shutdown: Unexpected system shutdown
Informational events for which emails will be sent:
asic-chip-down: ASIC (Chip) Down
cpu-util-high: CPU utilization has risen too high
cpu-util-ok: CPU utilization has fallen back to normal levels
disk-io-high: Disk I/O per second has risen too high
disk-io-ok: Disk I/O per second has fallen back to acceptable levels
disk-space-low: Filesystem free space has fallen too low
.
.
.
switch (config) #

Step 6. Have the system send you a test email. Run:

switch # email send-test

The last command should generate the following email:

-----Original Message-----
From: Admin User [mailto:do-not-reply@switch.]
Sent: Sunday, May 01, 2011 11:17 AM
To: <name>
Subject: System event on switch: Test email for event notification

==== System information:
Hostname: switch
Version: <version> 2011-05-01 14:56:31
...
Date: 2011/05/01 08:17:29
Uptime: 17h 8m 28.060s

This is a test email.

==== Done.

4.7.4 Commands

4.7.4.1 Email Notification

email autosupport enable

email autosupport enable
no email autosupport enable

Sends automatic support notifications via email.

The no form of the command stops sending automatic support notifications via email.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email autosupport enable

Related Commands N/A

Notes

email autosupport event

email autosupport event <event>
no email autosupport event

Specifies for which events to send auto-support notification emails.

The no form of the command resets auto-support email security mode to its default.

Syntax Description

event • process-crash – a process has crashed

• process-exit – a process unexpectedly exited

• liveness-failure – a process is detected as hung

• cpu-util-high – CPU utilization has risen too high

• cpu-util-ok – CPU utilization has fallen back to normal levels

• paging-high – paging activity has risen too high

• paging-ok – paging activity has fallen back to normal levels

• disk-space-low – filesystem free space has fallen too low

• disk-space-ok – filesystem free space is back in the normal range

• memusage-high – memory usage has risen too high

• memusage-ok – memory usage has fallen back to acceptable levels

• netusage-high – network utilization has risen too high

• netusage-ok – network utilization has fallen back to acceptable levels

• disk-io-high – disk I/O per second has risen too high

• disk-io-ok – disk I/O per second has fallen back to acceptable levels

• unexpected-cluster-join – node has unexpectedly joined the cluster

• unexpected-cluster-leave – node has unexpectedly left the cluster

• unexpected-cluster-size – the number of nodes in the cluster is unexpected

• unexpected-shutdown – unexpected system shutdown

• interface-up – an interface’s link state has changed to up

• interface-down – an interface's link state has changed to down

• user-login – a user has logged into the system

• user-logout – a user has logged out of the system

• health-module-status – health module Status

• temperature-too-high – temperature has risen too high

• low-power – low power supply

• low-power-recover – low power supply Recover

• insufficient-power – insufficient power supply

• power-redundancy-mismatch – power redundancy mismatch

• insufficient-fans – insufficient amount of fans in system

• insufficient-fans-recover – insufficient amount of fans in system recovered

• asic-chip-down – ASIC (Chip) Down

• internal-bus-error – internal bus (I2C) Error

• internal-link-speed-mismatch – internal links speed mismatch

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email autosupport event process-crash

Related Commands N/A

Notes

email autosupport ssl mode

email autosupport ssl mode {none | tls | tls-none}
no email autosupport ssl mode

Configures type of security to use for auto-support email.

The no form of the command resets auto-support email security mode to its default.

Syntax Description

none Does not use TLS to secure auto-support email.
tls Uses TLS over the default server port to secure auto-support email and does not send an email if TLS fails.
tls-none Attempts TLS over the default server port to secure auto-support email, and falls back on plaintext if this fails.

Default tls-none

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email autosupport ssl mode tls

Related Commands N/A

Notes

email autosupport ssl cert-verify

email autosupport ssl cert-verify
no email autosupport ssl cert-verify

Verifies server certificates.

The no form of the command does not verify server certificates.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email autosupport ssl cert-verify

Related Commands N/A

Notes

email autosupport ssl ca-list

email autosupport ssl ca-list {<ca-list-name> | default_ca_list | none}
no email autosupport ssl ca-list

Configures supplemental CA certificates for verification of server certificates.

The no form of the command removes supplemental CA certificate list.

Syntax Description

default_ca_list Default supplemental CA certificate list.
none No supplemental list; uses built-in list only.

Default default_ca_list

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email autosupport ssl ca-list default_ca_list

Related Commands N/A

Notes

email dead-letter

email dead-letter {cleanup max-age <duration> | enable}
no email dead-letter

Configures settings for saving undeliverable emails.

The no form of the command disables sending of emails to vendor auto-support upon certain failures.

Syntax Description

duration Example: “5d4h3m2s” for 5 days, 4 hours, 3 minutes, 2 seconds.
enable Saves dead-letter files for undeliverable emails.

Default Save dead letter is enabled. The default duration is 14 days.

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email dead-letter enable
switch (config) #

Related Commands show email

Notes

email domain

email domain <hostname or IP address>
no email domain

Sets the domain name from which emails appear to come (provided that the return address is not already fully-qualified). This is used in conjunction with the system hostname to form the full name of the host from which the email appears to come.

The no form of the command clears email domain override.

Syntax Description

hostname or IP address IP address.

Default No email domain

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email domain mellanox
switch (config) # show email
Mail hub: 10.0.8.11
Mail hub port: 125
Domain: mellanox
Return address: do-not-reply
Include hostname in return address: yes
...
switch (config) #

Related Commands show email

Notes

email mailhub

email mailhub <hostname or IP address>
no email mailhub

Sets the mail relay to be used to send notification emails.

The no form of the command clears the mail relay to be used to send notification emails.

Syntax Description

hostname or IP address Hostname or IP address.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email mailhub 10.0.8.11
switch (config) # show email
Mail hub: 10.0.8.11
Mail hub port: 25
Domain: (not specified)
Return address: do-not-reply
Include hostname in return address: yes
...
switch (config) #

Related Commands show email [events]

Notes

email mailhub-port

email mailhub-port <hostname or IP address>
no email mailhub-port

Sets the mail relay port to be used to send notification emails.

The no form of the command resets the port to its default.

Syntax Description

hostname or IP address hostname or IP address.

Default 25

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email mailhub-port 125
switch (config) # show email
Mail hub: 10.0.8.11
Mail hub port: 125
Domain: (system domain name)
Return address: do-not-reply
Include hostname in return address: yes
...
switch (config) #

Related Commands show email

Notes

email notify event

email notify event <event name>
no email notify event <event name>

Enables sending email notifications for the specified event type.

The no form of the command disables sending email notifications for the specified event type.

Syntax Description

event name Example event names would include “process-crash” and “cpu-util-high”.

Default No events are enabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email notify event process-crash
switch (config) # show email events
Failure events for which emails will be sent:
process-crash: A process in the system has crashed
unexpected-shutdown: Unexpected system shutdown
Informational events for which emails will be sent:
liveness-failure: A process in the system was detected as hung
process-exit: A process in the system unexpectedly exited
cpu-util-ok: CPU utilization has fallen back to normal levels
cpu-util-high: CPU utilization has risen too high
disk-io-ok: Disk I/O per second has fallen back to acceptable levels
...
temperature-too-high: Temperature has risen too high
All events for which autosupport emails will be sent:
process-crash: A process in the system has crashed
liveness-failure: A process in the system was detected as hung
switch (config) #
switch (config) #

Related Commands show email

Notes This does not affect auto-support emails. Auto-support can be disabled overall, but if it is enabled, all auto-support events are sent as emails.

email notify recipient

email notify recipient <email addr> [class {info | failure} | detail]
no email notify recipient <email addr> [class {info | failure} | detail]

Adds an email address to the list of addresses to which email notifications of events are sent.

The no form of the command removes an email address from the list of addresses to which to send email notifications of events.

Syntax Description

email addr Email address of intended recipient.
class Specifies which types of events are sent to this recipient.
info Sends informational events to this recipient.
failure Sends failure events to this recipient.
detail Sends detailed event emails to this recipient.

Default No recipients are added

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email notify recipient [email protected]

switch (config) # show email

Mail hub:

Mail hub port: 25

Domain: (not specified)

Return address: user1

Include hostname in return address: no

Dead letter settings:

Save dead.letter files: yes

Dead letter max age: (none)

Email notification recipients: [email protected] (all events, in detail)

Autosupport emails

Enabled: no

Recipient: [email protected]

Mail hub: autosupport.mellanox.com

switch (config) #

Related Commands show email

Notes


email return-addr

email return-addr <username>
no email domain

Sets the username or fully-qualified return address from which email notifications are sent.

• If the string provided contains an “@” character, it is considered to be fully-qualified and used as-is.

• Otherwise, it is considered to be just the username, and we append “@<hostname>.<domain>”. The default is “do-not-reply”, but this can be changed to “admin” or whatnot in case something along the line does not like fictitious addresses.

The no form of the command resets this attribute to its default.

Syntax Description

username Username.

Default do-not-reply

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email return-addr user1
switch (config) # show email

Mail hub:

Mail hub port: 25

Domain: (not specified)

Return address: user1

Include hostname in return address: yes

...

switch (config) #

Related Commands show email

Notes


email return-host

email return-host
no email return-host

Includes the hostname in the return address for emails.

The no form of the command does not include the hostname in the return address for emails.

Syntax Description N/A

Default No return host

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # no email return-host
switch (config) # show email

Mail hub:

Mail hub port: 25

Domain: (system domain name)

Return address: my-address

Include hostname in return address: no

Current reply address: host@localdomain

Dead letter settings:

Save dead.letter files: yes

Dead letter max age: 5 days

No recipients configured.

Autosupport emails

Enabled: no

Recipient: [email protected]

Mail hub: autosupport.mellanox.com

switch (config) #

Related Commands show email

Notes This only takes effect if the return address does not contain an “@” character.


email send-test

email send-test

Sends test-email to all configured event and failure recipients.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # email autosupport enable
switch (config) #

Related Commands show email [events]

Notes

email ssl mode

email ssl mode {none | tls | tls-none}
no email ssl mode

Sets the security mode(s) to try for sending email.

The no form of the command resets the email SSL mode to its default.

Syntax Description

none No security mode, operates in plaintext.
tls Attempts to use TLS on the regular mailhub port, with STARTTLS. If this fails, it gives up.
tls-none Attempts to use TLS on the regular mailhub port, with STARTTLS. If this fails, it falls back on plaintext.

Default default-cert

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email ssl mode tls-none

Related Commands N/A

Notes

email ssl cert-verify

email ssl cert-verify
no email ssl cert-verify

Enables verification of SSL/TLS server certificates for email.

The no form of the command disables verification of SSL/TLS server certificates for email.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email ssl cert-verify

Related Commands N/A

Notes This command has no impact unless TLS is used.

email ssl ca-list

email ssl ca-list {<ca-list-name> | default-ca-list | none}
no email ssl ca-list

Specifies the list of supplemental certificates of authority (CA) from the certificate configuration database that is to be used for verification of server certificates when sending email using TLS, if any.

The no form of the command uses no list of supplemental certificates.

Syntax Description

ca-list-name Specifies CA list name.
default-ca-list Uses default supplemental CA certificate list.
none Uses no list of supplemental certificates.

Default default-ca-list

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # email ssl ca-list none

Related Commands N/A

Notes This command has no impact unless TLS is used, and certificate verification is enabled.
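The notes on email ssl mode, email ssl cert-verify and their auto-support counterparts mean that the protection of notification mail depends on several settings together. The following Python check is an added example, not part of the Mellanox manual: it reads configuration commands in the syntax documented above and reports the combinations that leave email unprotected. The input format (one command per line, optionally behind the CLI prompt), the finding names, and the choice to report an unset cert-verify as unverified are assumptions of the example.

```python
import re

# One email TLS command from this section, with or without a CLI prompt
# such as "switch (config) # " in front of it.
CMD = re.compile(
    r"^(?:\S+ \(config\) # )?(?P<no>no )?"
    r"email (?P<auto>autosupport )?ssl "
    r"(?P<key>mode|cert-verify|ca-list)(?: (?P<val>\S+))?$"
)

# Only the auto-support default is taken from the page (tls-none); the
# default for regular notification email is treated as unknown (assumption).
DEFAULT_MODE = {"notify": None, "autosupport": "tls-none"}


def parse_email_tls(config_text):
    """Collect the effective email TLS settings; later commands win."""
    state = {scope: {"mode": None, "cert-verify": None, "ca-list": None}
             for scope in ("notify", "autosupport")}
    for raw in config_text.splitlines():
        m = CMD.match(" ".join(raw.split()))  # normalise whitespace
        if not m:
            continue
        scope = "autosupport" if m["auto"] else "notify"
        key, negated = m["key"], bool(m["no"])
        if key == "cert-verify":
            state[scope][key] = not negated   # flag: on, or off via "no"
        elif negated:
            state[scope][key] = None          # "no" form: back to default
        elif m["val"]:
            state[scope][key] = m["val"]
    return state


def audit_email_tls(config_text):
    """Return (scope, finding) pairs for settings that expose email."""
    findings = []
    for scope, cfg in parse_email_tls(config_text).items():
        mode = cfg["mode"] or DEFAULT_MODE[scope]
        if mode is None:
            findings.append((scope, "mode-not-set"))
        elif mode == "none":
            findings.append((scope, "plaintext"))
            if cfg["cert-verify"]:
                # cert-verify has no impact unless TLS is used
                findings.append((scope, "cert-verify-ineffective"))
        elif mode == "tls-none":
            # STARTTLS failure silently downgrades to plaintext
            findings.append((scope, "plaintext-fallback"))
        elif mode != "tls":
            findings.append((scope, "unknown-mode"))
        if mode in ("tls", "tls-none") and cfg["cert-verify"] is not True:
            # No default is documented for cert-verify, so an unset flag
            # is reported as unverified (conservative assumption).
            findings.append((scope, "cert-not-verified"))
    return findings


# Constructed sample configurations (not taken from a real switch).
WEAK = """
switch (config) # email mailhub 10.0.8.11
switch (config) # email ssl mode tls-none
switch (config) # no email ssl cert-verify
switch (config) # email autosupport enable
"""

HARDENED = """
email ssl mode tls
email ssl cert-verify
email ssl ca-list default-ca-list
email autosupport ssl mode tls
email autosupport ssl cert-verify
email autosupport ssl ca-list default_ca_list
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_email_tls(text) or "no findings")
```

In the WEAK sample the auto-support path is flagged even though no auto-support TLS command appears, because its documented default is tls-none.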


show email

show email [events]

Shows the email configuration, or the events for which email is sent.

Syntax Description

events show event list

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show email

Mail hub:

Mail hub port: 25

Domain: (system domain name)

Return address: my-address

Include hostname in return address: no

Current reply address: host@localdomain

Dead letter settings:

Save dead.letter files: yes

Dead letter max age: 5 days

No recipients configured.

Autosupport emails

Enabled: no

Recipient: [email protected]

Mail hub: autosupport.mellanox.com

switch (config) #

Related Commands show email

Notes


4.8 mDNS

The Multicast DNS (mDNS) protocol is used by the SM HA to deliver control information between the InfiniBand nodes via the management interface. To block mDNS traffic from being sent from the management interface, run the command no ha dns enable.

4.8.1 Commands

ha dns enable

ha dns enable
no ha dns enable

Allows mDNS traffic.

The no form of the command blocks mDNS traffic from being sent from mgmt0.

Syntax Description N/A

Default Enabled.

Configuration Mode Config

History 3.3.4000

Role admin

Example

switch (config) # no ha dns enable
switch (config) #

Related Commands

Notes

4.9 User Management and Security

4.9.1 User Accounts

There are two general user account types: admin and monitor. As admin, the user is privileged to execute all the available operations. As monitor, the user can execute operations that display system configuration and status, or set terminal settings.

Table 23 - User Roles (Accounts) and Default Passwords

User Role    Default Password
admin        admin
monitor      monitor
xmladmin     xmladmin
xmluser      xmluser

To remove passwords from the XML users, run the command username <username> nopassword.

4.9.2 Authentication, Authorization and Accounting (AAA)

AAA is a term describing a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

These combined processes are considered important for effective network management and security. The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing the MLNX-OS switch. The MLNX-OS switch supports Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols.

Authentication - authentication provides the initial method of identifying each individual user, typically by entering a valid username and password before access is granted.

The AAA server compares a user's authentication credentials with the user credentials stored in a database. If the credentials match, the user is granted access to the network or devices. If the credentials do not match, authentication fails and network access is denied.

Authorization - following the authentication, a user must gain authorization for performing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

Accounting - the last level is accounting, which measures the resources a user consumes during access. This includes the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information, and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.


Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. Network access servers interface with AAA servers using the Remote Authentication Dial-In User Service (RADIUS) protocol.

4.9.2.1 RADIUS

RADIUS (Remote Authentication Dial-In User Service), widely used in network environments, is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. It is commonly used for embedded network devices such as routers, modem servers, switches and so on. RADIUS is currently the de-facto standard for remote authentication. It is prevalent in both new and legacy systems.

It is used for several reasons:

• RADIUS facilitates centralized user administration

• RADIUS consistently provides some level of protection against an active attacker

4.9.2.2 TACACS+

TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. It is commonly used for providing NAS (Network Access Security). NAS ensures secure access from remotely connected users. TACACS implements the TACACS Client and provides the AAA (Authentication, Authorization and Accounting) functionalities.

TACACS is used for several reasons:

• Facilitates centralized user administration

• Uses TCP for transport to ensure reliable delivery

• Supports inbound authentication, outbound authentication and change password request for the authentication service

• Provides some level of protection against an active attacker

4.9.2.3 LDAP

LDAP (Lightweight Directory Access Protocol) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back-end server and database.

LDAP authentication consists of the following components:

• A protocol with a frame format that utilizes TCP over IP

• A centralized server that stores all the user authorization information

• A client: in this case, the switch

Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user-account name concatenated with the LDAP domain name. If the user-account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com


4.9.3

System Secure Mode

System secure mode is a state that configures the switch system to run secure algorithms in compliance with FIPS 140-2 requirements. In this mode, unsecure algorithms are disabled and unsecure feature configurations are disallowed.

In this mode the system supports Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, which is a NIST (National Institute of Standards and Technology) publication that specifies the requirements for system cipher functionality.

When this mode is activated, all the modules which are used by the system are verified to work in compliance with the secure mode.

Note that if the system fails to load in secure mode, it is loaded in non-secure mode.

Prerequisites:

Step 1. Disable SNMPv1 and v2. Run:
switch (config) # no snmp-server enable communities

Step 2. Only allow SNMPv3 users with sha and aes-128. Run:
switch (config) # snmp-server user <username> v3 auth sha <password1> priv aes-128 <password2>

Step 3. Only allow SNMPv3 traps with sha and aes-128. Run:
switch (config) # snmp-server host <ip-address> informs version 3 user <username> auth sha <password1> priv aes-128 <password2>

Step 4. Only allow SSHv2. Run:
switch (config) # ssh server min-version 2

Step 5. Enable SSH server strict security mode. Run:
switch (config) # ssh server security strict

Step 6. Disable HTTP access. Run:
switch (config) # no web http enable

Step 7. Enable HTTPS strict ciphers. Run:
switch (config) # web https ssl ciphers TLS1.2

Step 8. Disable router BGP neighbor password configuration. Run:
switch (config) # no router bgp <as-number> neighbor <ip-address> password

Step 9. Disable router BGP peer group password configuration. Run:
switch (config) # no router bgp <as-number> peer-group <peer-group-name> password

Step 10. Disable BGP password configuration. Run:
switch (config) # no neighbor <ip-address> password

Step 11. Disable MD5 password hashing for users. Run:
switch (config) # username <username> password <password>

If a necessary prerequisite is not fulfilled the system does not activate secure mode and issues an advisory message accordingly.
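A pre-check for the prerequisites above, as an added example that is not part of the manual: it scans a list of configuration commands and reports which of Steps 1-10 would keep secure mode from activating. It assumes the configuration text uses the command forms shown in the steps; the sample configuration, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample. Assumption: commands appear in the form the steps above
# give them; every secret is replaced by the placeholder word SECRET.
SAMPLE_CONFIG = """\
no snmp-server enable communities
snmp-server user ops v3 auth sha SECRET priv aes-128 SECRET
snmp-server user legacy v3 auth md5 SECRET priv des SECRET
snmp-server host 192.0.2.10 informs version 3 user ops auth sha SECRET priv aes-128 SECRET
ssh server min-version 2
no web http enable
web https ssl ciphers TLS1.2
router bgp 65001 neighbor 192.0.2.20 password SECRET
"""

# Steps whose command must be present verbatim.
REQUIRED = [
    (1, "no snmp-server enable communities"),
    (4, "ssh server min-version 2"),
    (5, "ssh server security strict"),
    (6, "no web http enable"),
    (7, "web https ssl ciphers TLS1.2"),
]

# Steps 8-10: a surviving BGP password line is a blocker.
FORBIDDEN = [
    (8, re.compile(r"^router bgp \S+ neighbor \S+ password\b")),
    (9, re.compile(r"^router bgp \S+ peer-group \S+ password\b")),
    (10, re.compile(r"^neighbor \S+ password\b")),
]
# Step 11 (MD5 user password hashes) is not checked: the steps do not show
# how the hash type appears in configuration text.


def _has_pair(tokens, key, value):
    """True if `key` is immediately followed by `value` in the token list."""
    return any(a == key and b == value for a, b in zip(tokens, tokens[1:]))


def audit(config_text):
    """Return a sorted list of (step, message) for unmet prerequisites."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    findings = []
    for step, cmd in REQUIRED:
        if cmd not in lines:
            findings.append((step, "missing: " + cmd))
    for line in lines:
        tok = line.split()
        strong = _has_pair(tok, "auth", "sha") and _has_pair(tok, "priv", "aes-128")
        # Messages name the user or host only, so secrets never reach the report.
        if tok[:2] == ["snmp-server", "user"] and not ("v3" in tok and strong):
            findings.append((2, "weak SNMP user: " + " ".join(tok[:3])))
        if tok[:2] == ["snmp-server", "host"] and not (
                _has_pair(tok, "version", "3") and strong):
            findings.append((3, "weak SNMP trap host: " + " ".join(tok[:3])))
        for step, pattern in FORBIDDEN:
            if pattern.match(line):
                findings.append((step, "password configured: " + line.split(" password")[0]))
    return sorted(findings)


if __name__ == "__main__":
    for step, message in audit(SAMPLE_CONFIG):
        print(f"Step {step}: {message}")
```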


Secure mode is not supported on director switch systems.

To activate secure mode:

switch (config) # system secure-mode enable
Warning! Configuration is about to be saved and the system will be reloaded.
Type 'YES' to confirm the change in secure mode: YES

To deactivate secure mode:

switch (config) # no system secure-mode enable
Warning! Configuration is about to be saved and the system will be reloaded.
Type 'YES' to confirm the change in secure mode: YES

To verify secure mode configuration and state:

switch (config)# show system secure-mode
Secure mode configured: yes
Secure mode enabled: yes
switch (config) #


4.9.4

Commands

4.9.4.1 User Accounts

username

username <username> [capability <cap> | disable [login | password] | full-name <name> | nopassword | password [0 | 7] <password>]
no username <username> [capability | disable [login | password] | full-name]

Creates a user and sets its capabilities, password and name.

The no form of the command deletes the user configuration.

Syntax Description

username Specifies a username and creates a user account. New users are created initially with admin privileges but are disabled.

capability <cap> Defines user capabilities.

• admin - full administrative capabilities

• monitor - read only capabilities, cannot change the running configuration

• unpriv – can only query the most basic information, and cannot take any actions or change any configuration

• v_admin – basic administrator capabilities

disable [login | password]

• Disable - disable this account

• Disable login - disable all logins to this account

• Disable password - disable login to this account using a local password

name Full name of the user.

nopassword The next login of the user will not require password.

0 | 7

• 0: specifies a login password in cleartext

• 7: specifies a login password in encrypted text

password Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext.

Default The following usernames are available by default:

• admin

• monitor

• xmladmin

• xmluser

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

3.4.1100 Updated Example

Role admin

Example

switch (config) # username monitor full-name smith
switch (config) # show usernames
USERNAME    FULL NAME               CAPABILITY  ACCOUNT STATUS
USERID      System Administrator    admin       Password set
admin       System Administrator    admin       Password set
monitor     smith                   monitor     Password set (SHA512)
xmladmin    XML Admin User          admin       Password set (SHA512)
xmluser     XML Monitor User        monitor     Password set (SHA512)
switch (config) #

Related Commands show usernames
show users

Notes • To enable a user account, just set a password on it (or use the command username <user> nopassword to enable it with no password required for login)

• Removing a user account does not terminate any current sessions that user has open; it just prevents new sessions from being established

• Encrypted password is useful for the command show configuration, since the cleartext password cannot be recovered after it is set


show usernames

show usernames

Displays list of users and their capabilities.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show usernames
USERNAME    FULL NAME               CAPABILITY  ACCOUNT STATUS
USERID      System Administrator    admin       Password set
admin       System Administrator    admin       Password set
monitor     smith                   monitor     Password set (SHA512)
xmladmin    XML Admin User          admin       No password required
xmluser     XML Monitor User        monitor     No password required
switch (config) #

Related Commands username
show users

Notes


show users

show users [history]

Displays logged in users and related information such as idle time and what host they have connected from.

Syntax Description

history Displays current and historical sessions.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show users
USERNAME  FULL NAME             LINE   HOST            IDLE
admin     System Administrator  pts/0  172.22.237.174  0d0h34m4s
admin     System Administrator  pts/1  172.30.0.127    1d3h30m49s
admin     System Administrator  pts/3  172.22.237.34   0d0h0m0s
switch (config) #show users history
admin pts/3 172.22.237.34 Wed Feb 1 11:56 still logged in
admin pts/3 172.22.237.34 Wed Feb 1 11:42 - 11:46 (00:04)
wtmp begins Wed Feb 1 11:38:10 2012
switch (config) #

Related Commands username
show usernames

Notes


show whoami

show whoami

Displays username and capabilities of user currently logged in.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show whoami
Current user: admin
Capabilities: admin
switch (config) #

Related Commands username
show usernames
show users

Notes


4.9.4.2 AAA Methods

aaa accounting

aaa accounting changes default stop-only tacacs+
no aaa accounting changes default stop-only tacacs+

Enables logging of system changes to an AAA accounting server.

The no form of the command disables the accounting.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000 First version

3.2.3000 Removed ‘time’ parameter from the command.

Role admin

Example

switch (config) # aaa accounting changes default stop-only tacacs+
switch (config) # show aaa
AAA authorization:
Default User: admin
Map Order: local-only
Authentication method(s):
local
radius
tacacs+
ldap
Accounting method(s):
tacacs+
switch (config) #

Related Commands show aaa

Notes • TACACS+ is presently the only accounting service method supported

• Change accounting covers both configuration changes and system actions that are visible under audit logging, however this feature operates independently of audit logging, so it is unaffected by the “logging level audit mgmt” or “configuration audit” commands

• Configured TACACS+ servers are contacted in the order in which they appear in the configuration until one accepts the accounting data, or the server list is exhausted

• Despite the name of the “stop-only” keyword, which indicates that this feature logs a TACACS+ accounting “stop” message, and in contrast to configuration change accounting, which happens after configuration database changes, system actions are logged when the action is started, not when the action has completed


aaa authentication login

aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
no aaa authentication login

Sets a sequence of authentication methods. Up to four methods can be configured.

The no form of the command resets the configuration to its default.

Syntax Description

auth-method • local

• radius

• tacacs+

• ldap

Default local

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # aaa authentication login default local radius tacacs+ ldap
switch (config) # show aaa
AAA authorization:
Default User: admin
Map Order: local-only
Authentication method(s):
local
radius
tacacs+
ldap
Accounting method(s):
tacacs+
switch (config) #

Related Commands show aaa

Notes The order in which the methods are specified is the order in which the authentication is attempted. It is required that “local” is one of the methods selected. It is recommended that “local” be listed first to avoid potential problems logging in to local accounts in the face of network or remote server issues.


aaa authentication attempts track

aaa authentication attempts track {downcase | enable}
no aaa authentication attempts track {downcase | enable}

Configure tracking for failed authentication attempts.

The no form of the command clears configuration for tracking authentication failures.

Syntax Description

downcase Does not convert all usernames to lowercase (for authentication failure tracking purposes only).

enable Disables tracking of failed authentication attempts

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example switch (config) # aaa authentication attempts track enable

Related Commands N/A

Notes • This is required for the lockout functionality described below, but can also be used on its own for informational purposes.

• Disabling tracking does not clear any records of past authentication failures, or the locks in the database. However, it does prevent any updates to this database from being made: no new failures are recorded. It also disables lockout, preventing new lockouts from being recorded and existing lockouts from being enforced.


aaa authentication attempts lockout

aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
no aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}

Configures lockout of accounts based on failed authentication attempts.

The no form of the command clears configuration for lockout of accounts based on failed authentication attempts.

Syntax Description

enable Enables locking out of user accounts based on authentication failures.

This both suspends enforcement of any existing lockouts, and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced; but accounts which have passed the max-fail limit in the meantime are NOT automatically locked at this time. They would be permitted one more attempt, and then locked, because of how the locking is done: lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time.

Lockouts only work if tracking is enabled. Enabling lockouts automatically enables tracking. Disabling tracking automatically disables lockouts.

lock-time Sets maximum permitted consecutive authentication failures before locking out users.

Unlike the “max-fail” setting, this does take effect immediately for all accounts

If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time

This is not based on the number of consecutive failures, and is therefore divorced from most of the rest of the tally feature, except for the tracking of the last login failure

max-fail Sets maximum permitted consecutive authentication failures before locking out users.

This setting only impacts what lockouts are imposed while the setting is active; it is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice-versa.

unlock-time Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt.

Unlike the “max-fail” setting, this does take effect immediately for all accounts.

If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.

Careful with disabling the unlock-time, particularly if you have max-fail set to something, and have not overridden the behavior for the admin (i.e. they are subject to lockouts also). If the admin account gets locked out, and there are no other administrators who can aid, the user may be forced to boot single-user and use the pam_tallybyname command-line utility to unlock your account manually. Even if one is careful not to incur this many authentication failures, it makes the system more subject to DOS attacks.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example switch (config) # aaa authentication attempts lockout enable

Related Commands N/A

Notes
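A small model of the tracking and lockout rules described for this command, written as an added example (it is not MLNX-OS code). It assumes a lock is set once the failure count reaches max-fail, that a successful login clears the tally, and that refused attempts do not update the record; the class and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    track: bool = True                 # aaa authentication attempts track enable
    lockout: bool = True               # aaa authentication attempts lockout enable
    max_fail: Optional[int] = 5        # consecutive failures before a lock
    unlock_time: Optional[int] = 15    # seconds until a locked account may retry
    lock_time: Optional[int] = None    # temporary lock after every failure
    admin_no_lockout: bool = False     # class-override admin no-lockout


@dataclass
class Tally:
    failures: int = 0
    locked: bool = False
    last_fail: Optional[float] = None


class LockoutModel:
    def __init__(self, policy):
        self.policy = policy
        self.tallies = {}

    def attempt(self, user, password_ok, now):
        """Return 'granted', 'denied' (bad password) or 'refused' (locked out)."""
        p = self.policy
        t = self.tallies.setdefault(user, Tally())
        exempt = p.admin_no_lockout and user == "admin"
        enforce = p.track and p.lockout and not exempt
        if enforce:
            since = None if t.last_fail is None else now - t.last_fail
            if p.lock_time is not None and since is not None and since < p.lock_time:
                return "refused"
            if t.locked and (p.unlock_time is None or since is None
                             or since < p.unlock_time):
                return "refused"
        if not p.track:
            # Tracking off: the failure database is neither read nor updated.
            return "granted" if password_ok else "denied"
        if password_ok:
            t.failures, t.locked = 0, False   # assumption: success clears the tally
            return "granted"
        t.failures += 1
        t.last_fail = now
        # The lock is applied only here, right after a failure.
        if enforce and p.max_fail is not None and t.failures >= p.max_fail:
            t.locked = True
        return "denied"

    def reset(self, user, clear_history=True, unlock=True):
        """Counterpart of 'aaa authentication attempts reset user <username>'."""
        t = self.tallies.setdefault(user, Tally())
        if clear_history:
            t.failures, t.last_fail = 0, None
        if unlock:
            t.locked = False


def reenable_scenario():
    """Failures pile up while lockout is off; the lock lands on the next failure."""
    policy = Policy(lockout=False, max_fail=3, unlock_time=None)
    model = LockoutModel(policy)
    for second in range(5):
        model.attempt("bob", False, second)
    policy.lockout = True                      # lockouts re-enabled
    locked_before = model.tallies["bob"].locked
    one_more = model.attempt("bob", False, 10)  # permitted, then locked
    after = model.attempt("bob", True, 11)      # refused: no unlock-time set
    return locked_before, one_more, after


if __name__ == "__main__":
    print(reenable_scenario())
```

With unlock-time unset, the locked account in the scenario stays refused until an administrator resets it, which is the situation the caution above describes.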


aaa authentication attempts class-override

aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}}
no aaa authentication attempts class-override {admin | unknown {no-track | hash-username}}

Overrides the global settings for tracking and lockouts for a type of account.

The no form of the command removes this override and lets the admin be handled according to the global settings.

Syntax Description

admin Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges.

no-lockout Prevents the admin user from being locked out, though the authentication failure history is still tracked (if tracking is enabled overall).

unknown Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:

• Real remote usernames which simply failed authentication

• Mis-typed remote usernames

• Passwords accidentally entered as usernames

• Bogus usernames made up as part of an attack on the system

hash-username Applies a hash function to the username, and stores the hashed result in lieu of the original.

no-track Does not track authentication for such users (which of course also implies no-lockout).

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example switch (config) # aaa authentication attempts class-override admin no-lockout

Related Commands N/A

Notes


aaa authentication attempts reset

aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}]

Clears the authentication history for and/or unlocks specified users.

Syntax Description

all Applies function to all users.

user Applies function to specified user.

no-clear-history Leaves the history of login failures but unlocks the account.

no-unlock Leaves the account locked but clears the history of login failures.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example switch (config) # aaa authentication attempts reset user admin all

Related Commands N/A

Notes


clear aaa authentication attempts

clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock]

Clears the authentication history for and/or unlocks specified users

Syntax Description

all Applies function to all users.

user Applies function to specified user.

no-clear-history Clears the history of login failures.

no-unlock Unlocks the account.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example switch (config) # aaa authentication attempts reset user admin no-clear-history

Related Commands N/A

Notes


aaa authorization

aaa authorization map [default-user <username> | order <policy>]
no aaa authorization map [default-user | order]

Sets the mapping permissions of a user in case a remote authentication is done.

The no form of the command resets the attributes to default.

Syntax Description

username Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+) and does not have a local account. If the username is local, this mapping is ignored.

order <policy> Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:

• remote-first – if a local-user mapping attribute is returned and it is a valid local username, it maps the authenticated user to the local user specified in the attribute. Otherwise, it uses the user specified by the default-user command.

• remote-only – maps a remote authenticated user if the authentication server sends a local-user mapping attribute. If the attribute does not specify a valid local user, no further mapping is tried.

• local-only – maps all remote users to the user specified by the “aaa authorization map default-user <user name>” command. Any vendor attributes received by an authentication server are ignored.

Default Default user - admin

Map order - remote-first

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # aaa authorization map default-user admin
switch (config) # show aaa
AAA authorization:
Default User: admin
Map Order: remote-first
Authentication method(s):
local
Accounting method(s):
tacacs+
switch (config) #

Related Commands show aaa
username

Notes • If, for example, the user is locally defined to have admin permission, but in a remote server such as RADIUS the user is authenticated as monitor and the order is remote-first, then the user is given monitor permissions.

• If AAA authorization order policy is configured to remote-only, then when upgrading to 3.4.3000 or later from an older MLNX-OS version, this policy is changed to remote-first.
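The three map orders in the syntax description, written as a decision function in an added illustration (not MLNX-OS code); it returns the local account a remotely authenticated user is logged on as. The function names and sample usernames are hypothetical, and the capability table is constructed from the default accounts this manual lists.

```python
# Constructed: local accounts and their capabilities, as "show usernames" lists them.
LOCAL_CAPABILITY = {
    "admin": "admin",
    "monitor": "monitor",
    "xmladmin": "admin",
    "xmluser": "monitor",
}
ORDERS = ("remote-first", "remote-only", "local-only")


def resolve_local_account(auth_user, order, default_user, mapped_attr=None,
                          local=LOCAL_CAPABILITY):
    """Return the local account a login runs as, or None if nothing maps.

    auth_user    username the RADIUS/TACACS+ server authenticated
    mapped_attr  local-user mapping attribute returned by the server, if any
    """
    if auth_user in local:
        return auth_user                       # valid locally: no mapping is performed
    attr_valid = mapped_attr is not None and mapped_attr in local
    if order == "local-only":
        return default_user                    # server attributes are ignored
    if order == "remote-first":
        return mapped_attr if attr_valid else default_user
    if order == "remote-only":
        return mapped_attr if attr_valid else None   # no further mapping is tried
    raise ValueError("unknown map order: " + order)


def fallback_capability(order, default_user, local=LOCAL_CAPABILITY):
    """Capability of a remote user with no local account and no mapping attribute."""
    account = resolve_local_account("remote-user", order, default_user, None, local)
    return None if account is None else local[account]


def outcome_table(default_user, local=LOCAL_CAPABILITY):
    """Per order: account for (no attribute, valid attribute, invalid attribute)."""
    cases = (None, "monitor", "nosuchuser")
    return {
        order: tuple(resolve_local_account("carol", order, default_user, attr, local)
                     for attr in cases)
        for order in ORDERS
    }


if __name__ == "__main__":
    # Defaults from this command: default user admin, map order remote-first.
    print("unmapped remote user gets:", fallback_capability("remote-first", "admin"))
    for order, row in outcome_table("admin").items():
        print(order, row)
```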


show aaa

show aaa

Displays the AAA configuration.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show aaa
AAA authorization:
Default User: admin
Map Order: remote-first
Authentication method(s):
local
Accounting method(s):
tacacs+
switch (config) #

Related Commands aaa accounting
aaa authentication
aaa authorization
show aaa
show usernames
username

Notes


show aaa authentication attempts

show aaa authentication attempts [configured | status user <username>]

Shows the current authentication, authorization and accounting settings.

Syntax Description

authentication attempts Displays configuration and history of authentication failures.

configured Displays configuration of authentication failure tracking.

status user Displays status of authentication failure tracking and lockouts for specific user.

Default N/A

Configuration Mode Any Command Mode

History 3.2.1000

Role admin

Example

switch (config) # show aaa authentication attempts
Configuration for authentication failure tracking and locking:
Track authentication failures: yes
Lock accounts based on authentication failures: yes
Override treatment of 'admin' user: (none)
Override treatment of unknown usernames: hash-usernames

Configuration for lockouts based on authentication failures:
Lock account after consecutive auth failures: 5
Allow retry on locked accounts (unlock time): after 15 second(s)
Temp lock after each auth failure (lock time): none

Username                                    Known  Locked  Failures  Last fail time       Last fail from
--------                                    -----  ------  --------  --------------       --------------
0Q72B43EHBKT8CB5AF5PGRX3U3B3TUL4CYJP93N(*)  no     no      1         2012/08/20 14:29:19  ttyS0

(*) Hashed for security reasons
switch-627d3c [standalone: master] (config) #
switch (config) #

Related Commands N/A

Notes


4.9.4.3 RADIUS

radius-server

radius-server {key <secret>| retransmit <retries> | timeout <seconds>}
no radius-server {key | retransmit | timeout}

Sets global RADIUS server attributes.

The no form of the command resets the attributes to their default values.

Syntax Description

secret Sets a secret key (shared hidden text string), known to the system and to the RADIUS server.

retries Number of retries (0-5) before exhausting from the authentication.

seconds Timeout in seconds between each retry (1-60).

Default 3 seconds, 1 retry

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) #radius-server retransmit 3
switch (config) # show radius
RADIUS defaults:
Key: 3333
Timeout: 3
Retransmit: 1
No RADIUS servers configured.
switch (config) #

Related Commands aaa authorization
radius-server host
show radius

Notes Each RADIUS server can override those global parameters using the command “radius-server host”.


radius-server host

radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>]
no radius-server host <IP address> [auth-port | enable]

Configures RADIUS server attributes.

The no form of the command resets the attributes to their default values and deletes the RADIUS server.

Syntax Description

IP address RADIUS server IP address

enable Administrative enable of the RADIUS server

auth-port Configures authentication port to use with this RADIUS server

port RADIUS server UDP port number

key Configures shared secret to use with this RADIUS server

prompt-key Prompt for key, rather than entering on command line

retransmit Configures retransmit count to use with this RADIUS server

retries Number of retries (0-5) before exhausting from the authentication

timeout Configures timeout between each try

seconds Timeout in seconds between each retry (1-60)

Default 3 seconds, 1 retry

Default UDP port is 1812

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # radius-server host 40.40.40.40
switch (config) # show radius
RADIUS defaults:
Key: 3333
Timeout: 3
Retransmit: 1
RADIUS servers:
40.40.40.40:1812
Enabled: yes
Key: 3333 (default)
Timeout: 3 (default)
Retransmit: 1 (default)
switch (config) #

Related Commands aaa authorization
radius-server
show radius

Notes • RADIUS servers are tried in the order they are configured

• If you do not specify a parameter for this configured RADIUS server, the configuration will be taken from the global RADIUS server configuration. Refer to “radius-server” command.


show radius

show radius

Displays RADIUS configurations.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show radius
RADIUS defaults:
Key: 3333
Timeout: 3
Retransmit: 1
RADIUS servers:
40.40.40.40:1812
Enabled: yes
Key: 3333 (default)
Timeout: 3 (default)
Retransmit: 1 (default)
switch (config) #

Related Commands aaa authorization
radius-server
radius-server host

Notes


4.9.4.4 TACACS+

tacacs-server

tacacs-server {key <secret>| retransmit <retries> | timeout <seconds>}
no tacacs-server {key | retransmit | timeout}

Sets global TACACS+ server attributes.

The no form of the command resets the attributes to default values.

Syntax Description

secret Set a secret key (shared hidden text string), known to the system and to the TACACS+ server.

retries Number of retries (0-5) before exhausting from the authentication.

seconds Timeout in seconds between each retry (1-60).

Default 3 seconds, 1 retry

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) #tacacs-server retransmit 3
switch (config) # show tacacs
TACACS+ defaults:
Key: 3333
Timeout: 3
Retransmit: 1
No TACACS+ servers configured.
switch (config) #

Related Commands aaa authorization
show radius
show tacacs
tacacs-server host

Notes Each TACACS+ server can override those global parameters using the command “tacacs-server host”.


tacacs-server host

tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>} no tacacs-server host <IP address> {enable | auth-port}

Syntax Description

Configures TACACS+ server attributes.

The no form of the command resets the attributes to their default values and deletes the TACACS+ server.

IP address enable auth-port

TACACS+ server IP address

Administrative enable for the TACACS+ server port auth-type

Configures authentication port to use with this

TACACS+ server

TACACS+ server UDP port number type

Configures authentication type to use with this

TACACS+ server

Authentication type. Possible values are:

• ASCII

• PAP (Password Authentication Protocol) key secret prompt-key retransmit

Configures shared secret to use with this TACACS+ server

Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server

Prompts for key, rather than entering key on command line

Configures retransmit count to use with this TACACS+ server retries Number of retries (0-5) before exhausting from the authentication

Configures timeout to use with this TACACS+ server

Timeout in seconds between each retry (1-60)

Default timeout seconds

3 seconds, 1 retry

Default TCP port is 49

Default auth-type is PAP

Configuration Mode Config

History 3.1.0000

Role admin

Mellanox Technologies Confidential 309

Rev 4.20

Example switch (config) # tacacs-server host 40.40.40.40

switch (config) # show tacacs

TACACS+ defaults:

Key: 3333

Timeout: 3

Retransmit: 1

TACACS+ servers:

40.40.40.40:49

Enabled: yes

Auth-type PAP

Key: 3333 (default)

Timeout: 3 (default)

Retransmit: 1 (default)

switch (config) #

Related Commands aaa authorization show tacacs tacacs-server

Notes • TACACS+ servers are tried in the order they are configured

• A PAP auth-type is similar to an ASCII login, except that the username and password arrive at the network access server in a PAP protocol packet instead of being typed in by the user, so the user is not prompted

• If the user does not specify a parameter for this configured TACACS+ server, the configuration will be taken from the global TACACS+ server configuration. Refer to “tacacs-server” command.


show tacacs

show tacacs

Displays TACACS+ configurations.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show tacacs

TACACS+ defaults:

Key: 3333

Timeout: 3

Retransmit: 1

TACACS+ servers:

40.40.40.40:49

Enabled: yes

Auth-type PAP

Key: 3333 (default)

Timeout: 3 (default)

Retransmit: 1 (default)

switch (config) #

Related Commands aaa authorization tacacs-server tacacs-server host

Notes


4.9.4.5 LDAP

ldap base-dn

ldap base-dn <string>

no ldap base-dn

Sets the base distinguished name (location) of the user information in the schema of the LDAP server.

The no form of the command resets the attribute to its default values.

Syntax Description

string - A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.

For example: “ou=users,dc=example,dc=com”, with no spaces, where:

ou - Organizational unit

dc - Domain component

cn - Common name

sn - Surname

Default ou=users,dc=example,dc=com

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap base-dn ou=department,dc=example,dc=com

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : sAMAccountName

Bind DN :

Bind password :

Group base DN :

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #


Related Commands show ldap

Notes


ldap bind-dn/bind-password

ldap {bind-dn | bind-password} <string>

no ldap {bind-dn | bind-password}

Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default).

The no form of the command resets the attribute to its default values.

Syntax Description

string - A case-sensitive string that specifies distinguished name or password to bind to on the LDAP server.

Default “”

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap bind-dn my-dn

switch (config) # ldap bind-password my-password

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : sAMAccountName

Bind DN : my-dn

Bind password : my-password

Group base DN :

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show ldap

Notes For anonymous login, bind-dn and bind-password should be empty strings “”.


ldap group-attribute/group-dn

ldap {group-attribute {<group-att> | member | uniqueMember} | group-dn <group-dn>}

no ldap {group-attribute | group-dn}

Sets the distinguished name or attribute name of a group on the LDAP server.

The no form of the command resets the attribute to its default values.

Syntax Description

group-att - Specifies a custom attribute name.

member - groupOfNames or group membership attribute.

uniqueMember - groupOfUniqueNames membership attribute.

group-dn - DN of group required for authorization.

Default group-att: member

group-dn: “”

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap group-attribute member

switch (config) # ldap group-dn my-group-dn

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : sAMAccountName

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #


Related Commands show ldap

Notes • The user’s distinguished name must be listed as one of the values of this attribute, or the user will not be authorized to log in

• After login authentication, if the group-dn is set, a user must be a member of this group or the user will not be authorized to log in. If the group is not set (“” - the default) no authorization checks are done.


ldap host

ldap host <IP Address> [order <number> last]

no ldap host <IP Address>

Adds an LDAP server to the set of servers used for authentication.

The no form of the command deletes the LDAP host.

Syntax Description

IP Address - IPv4 or IPv6 address.

number - The order of the LDAP server.

last - The LDAP server will be added in the last location.

Default No hosts configured

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap host 10.10.10.10

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : sAMAccountName

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes • The system will select the LDAP host to try according to its order

• New servers are by default added at the end of the list of servers


ldap login-attribute

ldap login-attribute {<string> | uid | sAMAccountName}

no ldap login-attribute

Sets the attribute name which contains the login name of the user.

The no form of the command resets this attribute to its default.

Syntax Description

string - Custom attribute name.

uid - LDAP login name is taken from the user login username.

sAMAccountName - SAM Account name, active directory login name.

Default sAMAccountName

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap login-attribute uid

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes


ldap port

ldap port <port>

no ldap port

Sets the TCP port on the LDAP server to connect to for authentication.

The no form of the command resets this attribute to its default value.

Syntax Description

port - TCP port number.

Default 389

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap port 1111

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 1111

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes


ldap referrals

ldap referrals

no ldap referrals

Enables LDAP referrals.

The no form of the command disables LDAP referrals.

Syntax Description N/A

Default LDAP referrals are enabled

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # no ldap referrals

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes Referral is the process by which an LDAP server, instead of returning a result, will return a referral (a reference) to another LDAP server which may contain further information.


ldap scope

ldap scope <scope>

no ldap scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

The no form of the command resets the attribute to its default value.

Syntax Description

scope

• one-level - searches the immediate children of the base DN

• subtree - searches at the base DN and all its children

Default subtree

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap scope subtree

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 5

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes


ldap ssl

ldap ssl {ca-list <options> | cert-verify | ciphers {all | TLS1.2} | mode <mode> | port <port-number>}

no ldap ssl {cert-verify | ciphers | mode | port}

Sets SSL parameter for LDAP.

The no form of the command resets the attribute to its default value.

Syntax Description

options - This command specifies the list of supplemental certificates of authority (CAs) from the certificate configuration database that is to be used by LDAP for authentication of servers when in TLS or SSL mode.

The options are:

• default-ca-list - uses default supplemental CA certificate list

• none - no supplemental list, uses the built-in one only

CA certificates are ignored if “ldap ssl mode” is not configured as either “tls” or “ssl”, or if “no ldap ssl cert-verify” is configured.

The default-ca-list is empty in the factory default configuration. Use the command: “crypto certificate ca-list default-ca-list name” to add trusted certificates to that list.

The “default-ca-list” option requires LDAP to consult the system’s configured global default CA-list for supplemental certificates.

cert-verify - Enables verification of SSL/TLS server certificates.

This may be required if the server's certificate is self-signed, or does not match the name of the server.

ciphers {all | TLS1.2} - Sets SSL mode to be used.

mode - Sets the security mode for connections to the LDAP server.

• none – requests no encryption for the LDAP connection

• ssl – the SSL-port configuration is used, an SSL connection is made before LDAP requests are sent (LDAP over SSL)

• start-tls – the normal LDAP port is used, an LDAP connection is initiated, and then TLS is started on this existing connection

port-number - Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL).

Default cert-verify: enabled

mode: none (LDAP SSL is not activated)

port-number: 636

ciphers: all

Configuration Mode Config

History 3.1.0000 First version

3.2.3000 Added ca-list argument.

3.4.0000 Added “ssl ciphers” parameter

Updated Example

Role admin

Example

switch (config) # ldap ssl mode ssl

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 5

SSL mode : ssl

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes • If available, the TLS mode is recommended, as it is standardized, and may also be of higher security

• The port number is used only for SSL mode. In case the mode is TLS, the LDAP port number will be used.


ldap timeout

ldap {timeout-bind | timeout-search} <seconds>

no ldap {timeout-bind | timeout-search}

Sets a global communication timeout in seconds for all LDAP servers to specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

The no form of the command resets the attribute to its default value.

Syntax Description

timeout-bind - Sets the global LDAP bind timeout for all LDAP servers.

timeout-search - Sets the global LDAP search timeout for all LDAP servers.

seconds - Range: 1-60 seconds.

Default 5 seconds

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap timeout-bind 10

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 10

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes


ldap version

ldap version <version>

no ldap version

Sets the LDAP version.

The no form of the command resets the attribute to its default value.

Syntax Description

version - Sets the LDAP version. Values: 2 and 3.

Default 3

Configuration Mode Config

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # ldap version 3

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 10

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes


show ldap

show ldap

Displays LDAP configurations.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.4.0000 Updated Example

Role admin

Example

switch (config) # show ldap

User base DN : ou=department,dc=example,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : my-dn

Bind password : my-password

Group base DN : my-group-dn

Group attribute : member

LDAP version : 3

Referrals : no

Server port : 1111

Search Timeout : 5

Bind Timeout : 10

SSL mode : none

Server SSL port : 636 (not active)

SSL ciphers : TLS1.2 (not active)

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.10.10.10

2: 10.10.10.12

switch (config) #

Related Commands show aaa show ldap

Notes

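The following is an added example, not part of the manual: it parses a captured “show ldap” listing and flags the settings that the LDAP entries above tie to weaker login security (SSL mode none, certificate verification off, cipher setting all, empty group-dn, referrals, a visible bind password). The sample capture, the severities and the finding names are constructed for illustration, and treating a password shown as asterisks as masked is an assumption.

```python
import re

# Constructed sample in the "show ldap" layout printed in this manual.
SAMPLE_SHOW_LDAP = """\
User base DN : ou=department,dc=example,dc=com
User search scope : subtree
Login attribute : uid
Bind DN : my-dn
Bind password : my-password
Group base DN :
Group attribute : member
LDAP version : 3
Referrals : yes
Server port : 389
Search Timeout : 5
Bind Timeout : 5
SSL mode : none
Server SSL port : 636 (not active)
SSL ciphers : TLS1.2 (not active)
SSL cert verify : yes
SSL ca-list : default-ca-list
LDAP servers:
1: 10.10.10.10
2: 10.10.10.12
switch (config) #
"""


def parse_show_ldap(text):
    """Return (settings, servers): lower-cased labels -> values, ordered hosts."""
    settings, servers, in_servers = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("switch ("):
            continue  # blank line or CLI prompt
        if line.lower().startswith("ldap servers"):
            in_servers = True
            continue
        if in_servers:
            m = re.match(r"\d+:\s*(\S+)$", line)  # "1: 10.10.10.10"; IPv6 fits too
            if m:
                servers.append(m.group(1))
            continue
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip().lower()] = value.strip()
    return settings, servers


def audit_ldap(settings, servers):
    """Return (severity, id, message) tuples for settings worth reviewing."""
    found = []
    mode = settings.get("ssl mode", "none").lower()
    if mode == "none":
        found.append(("high", "ssl-mode-none",
                      "no encryption requested; bind and login passwords are "
                      "sent to the LDAP server in clear text"))
    else:
        if settings.get("ssl cert verify", "").lower() != "yes":
            found.append(("high", "cert-verify-off",
                          "server certificate is not verified, so the switch "
                          "cannot tell the real LDAP server from an impostor"))
        if settings.get("ssl ciphers", "").lower().startswith("all"):
            found.append(("medium", "ciphers-all",
                          "cipher setting is 'all' rather than 'TLS1.2'"))
    if not settings.get("group base dn"):
        found.append(("medium", "no-group-dn",
                      "group-dn is empty: no authorization check, every user "
                      "who authenticates may log in"))
    if settings.get("referrals", "").lower() == "yes":
        found.append(("low", "referrals-on",
                      "referrals can redirect lookups to LDAP servers that are "
                      "not in the configured server list"))
    password = settings.get("bind password", "")
    if password and set(password) != {"*"}:
        found.append(("medium", "bind-password-visible",
                      "output shows the bind password; store this capture as "
                      "a secret"))
    if not settings.get("bind dn"):
        found.append(("info", "anonymous-bind", "bind-dn is empty (anonymous)"))
    if not servers:
        found.append(("info", "no-servers", "no LDAP servers are configured"))
    return found


def finding_ids(text):
    """Parse a capture and return only the finding ids, in report order."""
    return [fid for _sev, fid, _msg in audit_ldap(*parse_show_ldap(text))]


if __name__ == "__main__":
    for severity, fid, message in audit_ldap(*parse_show_ldap(SAMPLE_SHOW_LDAP)):
        print(f"[{severity}] {fid}: {message}")
```
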

4.9.4.6 System Secure Mode

system secure-mode enable

system secure-mode enable

no system secure-mode enable

Enables secure mode on the switch.

The no form of the command disables secure mode.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.4.2300

Role admin

Example

switch (config) # system secure-mode enable

Warning! Configuration is about to be saved and the system will be reloaded.

Type 'YES' to confirm the change in secure mode: YES

Related Commands user <username> password <password> ssh server min-version ssh server security strict snmp-server user no neighbor <ip-address> password router bgp neighbor password router bgp peer-group password

Notes

Before enabling secure mode, the command performs the following configuration checks:

• SSH min-version cannot be 1 when enabling secure mode

• SSH security must be set to strict security

• SNMPv3 user auth cannot be md5 when enabling secure mode

• SNMPv3 user priv cannot be des when enabling secure mode

• SNMPv3 trap auth cannot be md5 when enabling secure mode

• SNMPv3 trap priv cannot be des when enabling secure mode

• Router BGP neighbor password cannot be set when enabling secure mode

• Router BGP peer-group password cannot be set when enabling secure mode

• User password hash cannot be MD5 when secure mode is enabled

Secure mode is enabled on the switch system only if the check passes.


show system secure-mode

show system secure-mode

Displays the security mode of the switch system.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.4.2300

Role admin

Example

switch (config) # show system secure-mode

Secure mode configured: yes

Secure mode enabled : yes

switch (config) #

Related Commands system secure-mode enable

Notes “Secure mode configuration” describes the user configuration

“Secure mode enabled” describes the system state


4.10 Cryptographic (X.509, IPSec)

This chapter contains commands for configuring, generating and modifying X.509 certificates used in the system. Certificates are used for creating a trusted SSL connection to the system.

Crypto commands also cover IPSec configuration commands used for establishing a secure connection between hosts over the IP layer, which is useful for transferring sensitive information.


4.10.1 Commands

crypto ipsec ike

crypto ipsec ike {clear sa [peer {any | <IPv4 or IPv6 address>} local <IPv4 or IPv6 address>] | restart}

Manage the IKE (ISAKMP) process or database state

Syntax Description

clear - Clears IKE (ISAKMP) peering state

sa - Clears IKE generated ISAKMP and IPSec security associations (remote peers are affected)

peer - Clears security associations for the specified IKE peer (remote peers are affected)

• all – clears security associations for all IKE peerings with a specific local address (remote peers are affected)

• IPv4 or IPv6 address – clears security associations for specific IKE peering with a specific local address (remote peers are affected)

IPv4 or IPv6 address - Clears security associations for the specified IKE peering (remote peer is affected)

local - Clear security associations for the specified/all IKE peering (remote peer is affected)

restart - Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected)

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config)# crypto ipsec ike restart

switch (config)#

Related Commands N/A

Notes


crypto ipsec peer local

crypto ipsec peer <IPv4 or IPv6 address> local <IPv4 or IPv6 address> {enable | keying {ike [auth {hmac-md5 | hmac-sha1 | hmac-sha256 | null} | dh-group | disable | encrypt | exchange-mode | lifetime | local | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}

Configures IPSec in the system.

Syntax Description

enable - Enables IPSec peering.

ike - Configures IPSec peering using IKE ISAKMP to manage SA keys. It has the following optional parameters:

• auth: Configures the authentication algorithm for IPSec peering

• dh-group: Configures the phase1 Diffie-Hellman group proposed for secure IKE key exchange

• disable: Configures this IPSec peering administratively disabled

• encrypt: Configures the encryption algorithm for IPSec peering

• exchange-mode: Configures the IKE key exchange mode to propose for peering

• lifetime: Configures the SA lifetime to propose for this IPSec peering

• local-identity: Configures the ISAKMP payload identification value to send as local endpoint's identity

• mode: Configures the peering mode for this IPSec peering

• peer-identity: Configures the identification value to match against the peer's ISAKMP payload identification

• pfs-group: Configures the phase2 PFS (Perfect Forward Secrecy) group to propose for Diffie-Hellman exchange for this IPSec peering

• preshared-key: Configures the IKE pre-shared key for the IPSec peering

• prompt-preshared-key: Prompts for the pre-shared key, rather than entering it on the command line

• transform-set: Configures transform proposal parameters

keying - Configures key management for this IPSec peering:

• auth: Configures the authentication algorithm for this IPSec peering

• disable: Configures this IPSec peering administratively disabled

• encrypt: Configures the encryption algorithm for this IPSec peering

• local-spi: Configures the local SPI for this manual IPSec peering

• mode: Configures the peering mode for this IPSec peering

• remote-spi: Configures the remote SPI for this manual IPSec peering

manual - Configures IPSec peering using manual keys.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config)# crypto ipsec peer 10.10.10.10 local 10.7.34.139 enable

switch (config)#

Related Commands N/A

Notes


crypto certificate ca-list

crypto certificate ca-list [default-ca-list name {<cert-name> | system-self-signed}]

no crypto certificate ca-list [default-ca-list name {<cert-name> | system-self-signed}]

Adds the specified CA certificate to the default CA certificate list.

The no form of the command removes the certificate from the default CA certificate list.

Syntax Description

cert-name - The name of the certificate.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # crypto certificate default-cert name test

Related Commands N/A

Notes • Two certificates with the same subject and issuer fields cannot both be placed onto the CA list

• The no form of the command does not delete the certificate from the certificate database

• Unless specified otherwise, applications that use CA certificates will still consult the well-known certificate bundle before looking at the default-ca-list


crypto certificate default-cert

crypto certificate default-cert name {<cert-name> | system-self-signed}

no crypto certificate default-cert name {<cert-name> | system-self-signed}

Designates the named certificate as the global default certificate role for authentication of this system to clients.

The no form of the command reverts the default-cert name to “system-self-signed” (the “cert-name” value is optional and ignored).

Syntax Description

cert-name - The name of the certificate.

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example

switch (config) # crypto certificate default-cert name test

Related Commands N/A

Notes • A certificate must already be defined before it can be configured in the default-cert role

• If the named default-cert is deleted from the database, the default-cert automatically becomes reconfigured to the factory default, the “system-self-signed” certificate


crypto certificate generation

crypto certificate generation default {country-code | days-valid | email-addr | hash-algorithm {sha1 | sha256} | key-size-bits | locality | org-unit | organization | state-or-prov}

Configures default values for certificate generation.

Syntax Description

country-code - Configures the default certificate value for country code with a two-alphanumeric-character code or -- for none.

days-valid - Configures the default certificate value for days valid.

email-addr - Configures the default certificate value for email address.

hash-algorithm {sha1 | sha256} - Configures the default certificate hashing algorithm.

key-size-bits - Configures the default certificate value for private key size. (Private key length in bits – at least 1024, but 2048 is strongly recommended.)

locality - Configures the default certificate value for locality.

org-unit - Configures the default certificate value for organizational unit.

organization - Configures the default certificate value for the organization name.

state-or-prov - Configures the default certificate value for state or province.

Default N/A

Configuration Mode Config

History 3.2.1000 First version

3.3.4350 Added “hash-algorithm” parameter

Role admin

Example

switch (config) # crypto certificate generation default hash-algorithm sha256

Related Commands N/A

Notes The default hashing algorithm used is sha1.


crypto certificate name

crypto certificate name {<cert-name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | email-addr <address> | hash-algorithm {sha1 | sha256} | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>]} | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate days-valid <days> | rename <new name>}

no crypto certificate name <cert-name>

Configures default values for certificate generation.

The no form of the command clears/deletes certain certificate settings.

Syntax Description

cert-name - Unique name by which the certificate is identified.

comment - Specifies a certificate comment.

generate self-signed - Generates certificates. This option has the following parameters which may be entered sequentially in any order:

• comment: Specifies a certificate comment (free string)

• common-name: Specifies the common name of the issuer and subject (e.g. a domain name)

• country-code: Specifies the country code (two-alphanumeric-character country code, or “--” for none)

• days-valid: Specifies the number of days the certificate is valid

• email-addr: Specifies the email address

• hash-algorithm: Specifies the hashing function used for signature algorithm

• key-size-bits: Specifies the size of the private key in bits (private key length in bits - at least 1024 but 2048 is strongly recommended)

• locality: Specifies the locality name

• org-unit: Specifies the organizational unit name

• organization: Specifies the organization name

• serial-num: Specifies the serial number for the certificate (a lower-case hexadecimal serial number prefixed with “0x”)

• state-or-prov: Specifies the state or province name

private-key pem - Specifies certificate contents in PEM format.

prompt-private-key - Prompts for certificate private key with secure echo.

public-cert - Installs a certificate.

regenerate - Regenerates the named certificate using configured certificate generation default values for the specified validity period

rename - Renames the certificate.

Default N/A

Configuration Mode Config

History 3.2.3000 First version

3.3.4402 Added “hash-algorithm” parameter

Role admin

Example

switch (config) # crypto certificate name system-self-signed generate self-signed hash-algorithm sha256

Related Commands N/A

Notes


crypto certificate system-self-signed

crypto certificate system-self-signed regenerate [days-valid <days>]

Configures default values for certificate generation.

Syntax Description

days-valid - Specifies the number of days the certificate is valid

Default N/A

Configuration Mode Config

History 3.2.1000

Role admin

Example

switch (config) # crypto certificate system-self-signed regenerate days-valid 3

Related Commands N/A

Notes


show crypto certificate

show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | [name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]

Displays information about all certificates in the certificate database.

Syntax Description

ca-list - Displays the list of supplemental certificates configured for the global default system CA certificate role.

default-ca-list - Displays information about the currently configured default certificates of the CA list.

default-cert - Displays information about the currently configured default certificate.

detail - Displays all attributes related to the certificate.

name - Displays information about the certificate specified.

public-pem - Displays the uninterpreted public certificate as a PEM formatted data string

Default N/A

Configuration Mode Config

History 3.2.1000

Role admin

Example

switch (config)# show crypto certificate

Certificate with name 'system-self-signed' (default-cert)

Comment: system-generated self-signed certificate

Private Key: present

Serial Number: 0x546c935511bcafc21ac0e8249fbe0844

SHA-1 Fingerprint: fe6df38dd26801971cb2d44f62dbe492b6063c5f

Validity:

Starts: 2012/12/02 13:45:05

Expires: 2013/12/02 13:45:05

Subject:

Common Name: IBM-DEV-Bay4

Country: IS

State or Province:

Locality:

Organization:

Organizational Unit:

E-mail Address:

Issuer:

Common Name: IBM-DEV-Bay4

Country: IS

State or Province:

Locality:

Organization:

Organizational Unit:

E-mail Address:

switch (config)#

Related Commands N/A

Notes
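A check that can be run over captured `show crypto certificate` output, added here as an example and not part of the MLNX-OS manual: it parses the fields shown above, reports the validity window, and compares the displayed fingerprint with a value recorded out of band, which is how a self-signed certificate has to be trusted. The sample text is constructed from the output above; `parse_certificates`, `assess` and the 30-day warning threshold are assumptions.

```python
from datetime import datetime

# Constructed sample that follows the `show crypto certificate` layout above.
SAMPLE = """\
Certificate with name 'system-self-signed' (default-cert)
Comment: system-generated self-signed certificate
Private Key: present
Serial Number: 0x546c935511bcafc21ac0e8249fbe0844
SHA-1 Fingerprint: fe6df38dd26801971cb2d44f62dbe492b6063c5f
Validity:
Starts: 2012/12/02 13:45:05
Expires: 2013/12/02 13:45:05
Subject:
Common Name: IBM-DEV-Bay4
Country: IS
Issuer:
Common Name: IBM-DEV-Bay4
Country: IS
switch (config)#
"""

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
SECTIONS = ("Validity", "Subject", "Issuer")


def parse_certificates(text):
    """Split CLI output into one dict per certificate."""
    certs, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate with name"):
            current = {"name": line.split("'")[1], "fields": {}}
            current.update({s: {} for s in SECTIONS})
            certs.append(current)
            section = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key in SECTIONS and not value:
                section = key  # following lines belong to this block
            elif section:
                current[section][key] = value
            else:
                current["fields"][key] = value
    return certs


def normalize_fingerprint(value):
    """Accept 'FE:6D:..' or 'fe6d..' and return bare lowercase hex."""
    return value.replace(":", "").replace(" ", "").lower()


def assess(cert, now, pinned_fingerprint=None, warn_days=30):
    """Return validity and trust findings for one parsed certificate.

    `now` is a naive datetime in the same clock as the switch output,
    which carries no time zone (assumption of this example).
    """
    starts = datetime.strptime(cert["Validity"]["Starts"], TIME_FORMAT)
    expires = datetime.strptime(cert["Validity"]["Expires"], TIME_FORMAT)
    findings = []
    # Heuristic: identical Subject and Issuer blocks indicate a self-signed
    # certificate. This compares names only and verifies no signature.
    if cert["Subject"] and cert["Subject"] == cert["Issuer"]:
        findings.append("self-signed")
    if now < starts:
        findings.append("not-yet-valid")
    elif now >= expires:
        findings.append("expired")
    elif (expires - now).days < warn_days:
        findings.append("expires-soon")
    if pinned_fingerprint is not None:
        shown = cert["fields"].get("SHA-1 Fingerprint", "")
        if normalize_fingerprint(shown) != normalize_fingerprint(pinned_fingerprint):
            findings.append("fingerprint-mismatch")
    return {
        "name": cert["name"],
        "validity_days": (expires - starts).days,
        "days_left": (expires - now).days,
        "findings": findings,
    }


if __name__ == "__main__":
    for cert in parse_certificates(SAMPLE):
        print(assess(cert, datetime(2013, 11, 20)))
```
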


show crypto ipsec

show crypto ipsec [brief | configured | ike | policy | sa]

Displays information about the IPsec configuration.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.2.1000

Role admin

Example

switch (config)# show crypto ipsec

IPSec Summary

-------------

Crypto IKE is using pluto (Openswan) daemon.

Daemon process state is stopped.

No IPSec peers configured.

IPSec IKE Peering State

-----------------------

Crypto IKE is using pluto (Openswan) daemon.

Daemon process state is stopped.

No active IPSec IKE peers.

IPSec Policy State

------------------

No active IPSec policies.

IPSec Security Association State

--------------------------------

No active IPSec security associations.

switch (config)#

Related Commands N/A

Notes


4.11 Scheduled Jobs

Use the commands in this section to manage and schedule the execution of jobs.

4.11.1 Commands

job

job <job ID>

no job <job ID>

Creates a job.

The no form of the command deletes the job.

Syntax Description

job ID An integer.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # job 100

switch (config job 100) #

Related Commands show jobs

Notes Job state is lost on reboot.


command

command <sequence #> | <command>

no command <sequence #>

Adds a CLI command to the job.

The no form of the command deletes the command from the job.

Syntax Description

sequence # An integer that controls the order the command is executed relative to other commands in this job. The commands are executed in an ascending order.

command A CLI command.

Default N/A

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # command 10 “show power”

switch (config job 100) #

Related Commands show jobs

Notes

• The command must be defined with inverted commas (“”)

• The command must be added as if it were executed from the “config” mode. For example, in order to change the interface description you need to add the command: “interface <type> <number> description my-description”.


comment

comment <comment>

no comment

Adds a comment to the job.

The no form of the command deletes the comment.

Syntax Description

comment The comment to be added (string).

Default “”

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # comment Job_for_example

switch (config job 100) #

Related Commands show jobs

Notes


enable

enable

no enable

Enables the specified job.

The no form of the command disables the specified job.

Syntax Description N/A

Default N/A

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # enable

switch (config job 100) #

Related Commands show jobs

Notes If a job is disabled, it will not be executed automatically according to its schedule; nor can it be executed manually.


execute

execute

Forces an immediate execution of the job.

Syntax Description N/A

Default N/A

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # execute

switch (config job 100) #

Related Commands show jobs

Notes • The job timer (if set) is not canceled and the job state is not changed: i.e. the time of the next automatic execution is not affected

• The job will not be run if not currently enabled


fail-continue

fail-continue

no fail-continue

Continues the job execution regardless of any job failures.

The no form of the command returns fail-continue to its default.

Syntax Description N/A

Default A job will halt execution as soon as any of its commands fails

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # fail-continue

switch (config job 100) #

Related Commands show jobs

Notes


name

name <job name>

no name

Configures a name for this job.

The no form of the command resets the name to its default.

Syntax Description

name Specifies a name for the job (string).

Default “”

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # name my-job

switch (config job 100) #

Related Commands show jobs

Notes


schedule type

schedule type <recurrence type>

no schedule type

Sets the type of schedule the job will automatically execute on.

The no form of the command resets the schedule type to its default.

Syntax Description

recurrence type The available schedule types are:

• daily - the job is executed every day at a specified time

• weekly - the job is executed on a weekly basis

• monthly - the job is executed every month on a specified day of the month

• once - the job is executed once at a single specified date and time

• periodic - the job is executed on a specified fixed time interval, starting from a fixed point in time.

Default once

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # schedule type once

switch (config job 100) #

Related Commands show jobs

Notes A schedule type is essentially a structure for specifying one or more future dates and times for a job to execute.


schedule <recurrence type>

schedule <recurrence type> <interval and date>

no schedule

Sets the type of schedule the job will automatically execute on.

The no form of the command resets the schedule type to its default.

Syntax Description

recurrence type The available schedule types are:

• daily - the job is executed every day at a specified time

• weekly - the job is executed on a weekly basis

• monthly - the job is executed every month on a specified day of the month

• once - the job is executed once at a single specified date and time

• periodic - the job is executed on a specified fixed time interval, starting from a fixed point in time.

interval and date Interval and date, per recurrence type.

Default once

Configuration Mode Config job

History 3.1.0000

Role admin

Example

switch (config)# job 100

switch (config job 100) # schedule monthly interval 10

switch (config job 100) #

Related Commands show jobs

Notes A schedule type is essentially a structure for specifying one or more future dates and times for a job to execute.


show jobs

show jobs [<job-id>]

Displays configuration and state (including results of last execution, if any exist) of all jobs, or of one job if a job ID is specified.

Syntax Description

job-id Job ID.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show jobs 10

Job 10:

Status: inactive

Enabled: yes

Continue on failure: no

Schedule Type: once

Time and date: 1970/01/01 00:00:00 +0000

Last Exec Time: Thu 2012/04/05 13:11:42 +0000

Next Exec Time: N/A

Commands:

Command 10: show power

Last Output:

=====================

Module Status

=====================

PS1 OK

PS2 NOT PRESENT

switch (config) #

Related Commands show jobs

Notes
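A review script for captured `show jobs` output, added here as an example and not part of the MLNX-OS manual: because a job replays CLI commands as if they were typed in config mode, it lists enabled jobs that contain anything other than `show` commands, along with whether they recur and whether they continue past failures. Job 10 in the sample follows the output above; job 20, the back-to-back multi-job layout, and the names `parse_jobs` and `audit` are assumptions.

```python
import re

# Job 10 follows the `show jobs 10` output above; job 20 and the back-to-back
# multi-job layout are constructed for this example.
SAMPLE = """\
Job 10:
Status: inactive
Enabled: yes
Continue on failure: no
Schedule Type: once
Time and date: 1970/01/01 00:00:00 +0000
Last Exec Time: Thu 2012/04/05 13:11:42 +0000
Next Exec Time: N/A
Commands:
Command 10: show power
Last Output:
=====================
Module Status
=====================
PS1 OK
PS2 NOT PRESENT
Job 20:
Status: inactive
Enabled: yes
Continue on failure: yes
Schedule Type: daily
Commands:
Command 20: show power
Command 10: interface ethernet 1/1 description my-description
"""

JOB_RE = re.compile(r"^Job (\d+):$")
CMD_RE = re.compile(r"^Command (\d+): (.+)$")
RECURRING = {"daily", "weekly", "monthly", "periodic"}


def parse_jobs(text):
    """Return one dict per job: id, settings, and (sequence, command) pairs."""
    jobs, job, in_output = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = JOB_RE.match(line)
        if header:
            job = {"id": int(header.group(1)), "settings": {}, "commands": []}
            jobs.append(job)
            in_output = False
        elif job is None or in_output or not line:
            continue  # skip prompts, blank lines and captured command output
        elif line == "Last Output:":
            in_output = True  # free-form text until the next "Job N:" header
        else:
            cmd = CMD_RE.match(line)
            if cmd:
                job["commands"].append((int(cmd.group(1)), cmd.group(2)))
            elif ":" in line:
                key, _, value = line.partition(":")
                job["settings"][key.strip()] = value.strip()
    return jobs


def audit(jobs, read_only_prefixes=("show ",)):
    """List enabled jobs that run anything other than read-only commands."""
    findings = []
    for job in jobs:
        settings = job["settings"]
        if settings.get("Enabled") != "yes":
            continue  # a disabled job runs neither on schedule nor manually
        # Commands execute in ascending sequence order, so report them that way.
        ordered = [cmd for _, cmd in sorted(job["commands"])]
        changing = [c for c in ordered if not c.startswith(read_only_prefixes)]
        if changing:
            findings.append({
                "job": job["id"],
                "commands": changing,
                "recurring": settings.get("Schedule Type") in RECURRING,
                "continues_on_failure":
                    settings.get("Continue on failure") == "yes",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_jobs(SAMPLE)):
        print(finding)
```

Since job state is lost on reboot, a review like this reflects only the jobs defined at the time the output was captured.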


4.12 Statistics and Alarms

4.12.1 Commands

stats alarm <alarm-id> clear

stats alarm <alarm ID> clear

Clears alarm state.

Syntax Description

alarm ID Alarms supported by the system, for example:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats alarm cpu_util_indiv clear

switch (config) #

Related Commands show stats alarm

Notes


stats alarm <alarm-id> enable

stats alarm <alarm-id> enable

no stats alarm <alarm-id> enable

Enables the alarm.

The no form of the command disables the alarm; notifications will not be received.

Syntax Description

alarm ID Alarms supported by the system, for example:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

Default The default is different per alarm-id

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats alarm cpu_util_indiv enable

switch (config) #

Related Commands show stats alarm

Notes


stats alarm <alarm-id> event-repeat

stats alarm <alarm ID> event-repeat {single | while-not-cleared}

no stats alarm <alarm ID> event-repeat

Configures repetition of events from this alarm.

Syntax Description

alarm ID Alarms supported by the system, for example:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

single Does not repeat events: only sends one event whenever the alarm changes state.

while-not-cleared Repeats error events until the alarm clears.

Default single

Configuration Mode Config

History 3.1.0000

Role monitor/admin

Example

switch (config) # stats alarm cpu_util_indiv event-repeat single

switch (config) #

Related Commands show stats alarm

Notes


stats alarm <alarm-id> {rising | falling}

stats alarm <alarm ID> {rising | falling} {clear-threshold | error-threshold} <threshold-value>

Configures alarm thresholds.

Syntax Description

alarm ID Alarms supported by the system, for example:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

falling Configures alarm for when the statistic falls too low.

rising Configures alarm for when the statistic rises too high.

error-threshold Sets threshold to trigger falling or rising alarm.

threshold-value The desired threshold value, different per alarm.

Default Different per alarm-id

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats alarm cpu_util_indiv falling clear-threshold 10

switch (config) #

Related Commands show stats alarm

Notes Not all alarms support all four thresholds.


stats alarm <alarm-id> rate-limit

stats alarm <alarm ID> rate-limit {count <count-type> <count> | reset | window <window-type> <duration>}

Configures the alarm rate limit.

Syntax Description

alarm ID Alarms supported by the system, for example:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

count-type Long, medium, or short count (number of alarms).

reset Set the count and window durations to default values for this alarm.

window-type Long, medium, or short count, in seconds.

Default

Short window: 5 alarms in 1 hour

Medium window: 20 alarms in 1 day

Long window: 50 alarms in 7 days

Configuration Mode Config

History 3.1.0000

Role monitor/admin

Example

switch (config) # stats alarm paging rate-limit window long 2000

switch (config) #

Related Commands show stats alarm

Notes


stats chd <chd-id> clear

stats chd <CHD ID> clear

Clears CHD counters.

Syntax Description

CHD ID CHD supported by the system, for example:

• cpu_util - CPU utilization: percentage of time spent

• cpu_util_ave - CPU utilization average: percentage of time spent

• cpu_util_day - CPU utilization average: percentage of time spent

• disk_device_io_hour - Storage device I/O read/write statistics for the last hour: bytes

• disk_io - Operating system aggregate disk I/O average (KB/sec)

• eth_day

• eth_hour

• eth_ip_day

• eth_ip_hour

• fs_mnt_day - Filesystem system usage average: bytes

• fs_mnt_month - Filesystem system usage average: bytes

• fs_mnt_week - Filesystem system usage average: bytes

• ib_day

• ib_hour

• intf_day - Network interface statistics aggregation: bytes

• intf_hour - Network interface statistics (same as “interface” sample)

• intf_util - Aggregate network utilization across all interfaces

• memory_day - Average physical memory usage: bytes

• memory_pct - Average physical memory usage

• paging - Paging activity: page faults

• paging_day - Paging activity: page faults

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats chd memory_day clear

switch (config) #

Related Commands show stats chd

Notes


stats chd <chd-id> enable

stats chd <chd-id> enable

no stats chd <chd-id> enable

Enables the CHD.

The no form of the command disables the CHD.

Syntax Description

chd-id CHD supported by the system, for example:

• cpu_util - CPU utilization: percentage of time spent

• cpu_util_ave - CPU utilization average: percentage of time spent

• cpu_util_day - CPU utilization average: percentage of time spent

• disk_device_io_hour - Storage device I/O read/write statistics for the last hour: bytes

• disk_io - Operating system aggregate disk I/O average: KB/sec

• eth_day

• eth_hour

• fs_mnt_day - Filesystem system usage average: bytes

• fs_mnt_month - Filesystem system usage average: bytes

• fs_mnt_week - Filesystem system usage average: bytes

• ib_day

• ib_hour

• intf_day - Network interface statistics aggregation: bytes

• intf_hour - Network interface statistics (same as “interface” sample)

• intf_util - Aggregate network utilization across all interfaces

• memory_day - Average physical memory usage: bytes

• memory_pct - Average physical memory usage

• paging - Paging activity: page faults

• paging_day - Paging activity: page faults

Default Enabled

Configuration Mode Config

History 3.1.0000

Role monitor/admin

Example

switch (config) # stats chd memory_day enable

switch (config) #

Related Commands show stats chd

Notes


stats chd <chd-id> compute time

stats chd <CHD ID> compute time {interval | range} <number of seconds>

Sets parameters for when this CHD is computed.

Syntax Description

CHD ID Possible IDs:

• cpu_util - CPU utilization: percentage of time spent

• cpu_util_ave - CPU utilization average: percentage of time spent

• cpu_util_day - CPU utilization average: percentage of time spent

• disk_device_io_hour - Storage device I/O read/write statistics for the last hour: bytes

• disk_io - Operating system aggregate disk I/O average: KB/sec

• eth_day

• eth_hour

• fs_mnt_day - Filesystem system usage average: bytes

• fs_mnt_month - Filesystem system usage average: bytes

• fs_mnt_week - Filesystem system usage average: bytes

• ib_day

• ib_hour

• intf_day - Network interface statistics aggregation: bytes

• intf_hour - Network interface statistics (same as “interface” sample)

• intf_util - Aggregate network utilization across all interfaces

• memory_day - Average physical memory usage: bytes

• memory_pct - Average physical memory usage

• paging - Paging activity: page faults

• paging_day - Paging activity: page faults

interval Specifies calculation interval (how often to do a new calculation) in number of seconds.

range Specifies calculation range, in number of seconds.

number of seconds Number of seconds.

Default Different per CHD

Configuration Mode Config

History 3.1.0000

Role monitor/admin

Example

switch (config) # stats chd memory_day compute time interval 120

switch (config) # show stats chd memory_day

CHD "memory_day" (Average physical memory usage: bytes):

Source dataset: sample "memory"

Computation basis: time

Interval: 120 second(s)

Range: 1800 second(s)

switch (config) #

Related Commands show stats chd

Notes


stats sample <sample-id> clear

stats sample <sample ID> clear

Clears sample history.

Syntax Description

sample ID Possible sample IDs are:

• congested

• cpu_util - CPU utilization: milliseconds of time spent

• disk_device_io - Storage device I/O statistics

• disk_io - Operating system aggregate disk I/O: KB/sec

• eth

• eth-abs

• eth_ip

• fan - Fan speed

• fs_mnt_bytes - Filesystem usage: bytes

• fs_mnt_inodes - Filesystem usage: inodes

• ib

• interface - Network interface statistics

• intf_util - Network interface utilization: bytes

• memory - System memory utilization: bytes

• paging - Paging activity: page faults

• power - Power supply usage

• power-consumption

• temperature - Modules temperature

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats sample temperature clear

switch (config) #

Related Commands show stats sample

Notes


stats sample <sample-id> enable

stats sample <sample-id> enable

no stats sample <sample-id> enable

Enables the sample.

The no form of the command disables the sample.

Syntax Description

sample-id Possible sample IDs are:

• congested

• cpu_util - CPU utilization: milliseconds of time spent

• disk_device_io - Storage device I/O statistics

• disk_io - Operating system aggregate disk I/O: KB/sec

• eth

• fan - Fan speed

• fs_mnt_bytes - Filesystem usage: bytes

• fs_mnt_inodes - Filesystem usage: inodes

• ib

• interface - Network interface statistics

• intf_util - Network interface utilization: bytes

• memory - System memory utilization: bytes

• paging - Paging activity: page faults

• power - Power supply usage

• power-consumption

• temperature - Modules temperature

Default Enabled

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats sample temperature enable

switch (config) #

Related Commands show stats sample

Notes


stats sample <sample-id> interval

stats sample <sample ID> interval <number of seconds>

Sets the amount of time between samples for the specified group of sample data.

Syntax Description

sample ID Possible sample IDs are:

• congested

• cpu_util - CPU utilization: milliseconds of time spent

• disk_device_io - Storage device I/O statistics

• disk_io - Operating system aggregate disk I/O: KB/sec

• eth

• fan - Fan speed

• fs_mnt_bytes - Filesystem usage: bytes

• fs_mnt_inodes - Filesystem usage: inodes

• ib

• interface - Network interface statistics

• intf_util - Network interface utilization: bytes

• memory - System memory utilization: bytes

• paging - Paging activity: page faults

• power - Power supply usage

• power-consumption

• temperature - Modules temperature

number of seconds Interval in seconds.

Default Different per sample

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats sample temperature interval 1

switch (config) # show stats sample temperature

Sample "temperature" (Modules temperature):

Enabled: yes

Sampling interval: 1 second

switch (config) #

Related Commands show stats sample

Notes


stats clear-all

stats clear-all

Clears data for all samples, CHDs, and status for all alarms.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats clear-all

switch (config) #

Related Commands N/A

Notes


stats export

stats export <format> <report name> [{after | before} <yyyy/mm/dd> <hh:mm:ss>] [filename <filename>]

Exports statistics to a file.

Syntax Description

format Currently the only supported value for <format> is “csv” (comma-separated value).

report name Determines dataset to be exported. Possible report names are:

• memory - Memory utilization

• paging - Paging I/O

• cpu_util - CPU utilization

after | before Only includes stats collected after or before a specific time.

yyyy/mm/dd Date: It must be between 1970/01/01 and 2038/01/19.

hh:mm:ss Time: It must be between 00:00:00 and 03:14:07 UTC and is treated as local time.

filename Specifies filename to give new report. If a filename is specified, the stats will be exported to a file of that name; otherwise a name will be chosen automatically and will contain the name of the report and the time and date of the export. Any automatically-chosen name will be given a .csv extension.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # stats export csv memory filename mellanoxexample before 2000/08/14 15:59:50 after 2000/08/14 15:01:50

Generated report file: mellanoxexample.csv

switch (config) # show files stats mellanoxexample.csv

switch (config) #

Related Commands show files stats

Notes


show stats alarm

show stats alarm [<Alarm ID> [rate-limit]]

Displays status of all alarms or the specified alarm.

Syntax Description

Alarm ID May be:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

rate-limit Displays rate limit parameters.

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show stats alarm

Alarm cpu_util_indiv (Average CPU utilization too high): ok

Alarm disk_io (Operating System Disk I/O per second too high): (disabled)

Alarm fs_mnt (Free filesystem space too low): ok

Alarm intf_util (Network utilization too high): (disabled)

Alarm memory_pct_used (Too much memory in use): (disabled)

Alarm paging (Paging activity too high): ok

Alarm temperature (Temperature is too high): ok

switch (config) #

Related Commands stats alarm

Notes


show stats chd

show stats chd [<CHD ID>]

Displays configuration of all statistics CHDs.

Syntax Description

CHD ID May be:

• cpu_util_indiv - Average CPU utilization too high: percent utilization

• disk_io - Operating System Disk I/O per second too high: kilobytes per second

• fs_mnt - Free filesystem space too low: percent of disk space free

• intf_util - Network utilization too high: bytes per second

• memory_pct_used - Too much memory in use: percent of physical memory used

• paging - Paging activity too high: page faults

• temperature - Temperature is too high: degrees

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show stats chd disk_device_io_hour

CHD "disk_device_io_hour" (Storage device I/O read/write statistics for the last hour: bytes):

Enabled: yes

Source dataset: sample "disk_device_io"

Computation basis: data points

Interval: 1 data point(s)

Range: 1 data point(s)

switch (config) #

Related Commands stats chd

Notes


show stats cpu

show stats cpu

Displays some basic stats about CPU utilization:

• the current level

• the peak over the past hour

• the average over the past hour

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show stats cpu

CPU 0

Utilization: 6%

Peak Utilization Last Hour: 16% at 2012/02/28 08:47:32

Avg. Utilization Last Hour: 8%

switch (config) #

Related Commands N/A

Notes


show stats sample

show stats sample [<sample ID>]

Displays sampling interval for all samples, or the specified one.

Syntax Description

sample ID Possible sample IDs are:

• congested

• cpu_util - CPU utilization: milliseconds of time spent

• disk_device_io - Storage device I/O statistics

• disk_io - Operating system aggregate disk I/O: KB/sec

• eth

• fan - Fan speed

• fs_mnt_bytes - Filesystem usage: bytes

• fs_mnt_inodes - Filesystem usage: inodes

• ib

• interface - Network interface statistics

• intf_util - Network interface utilization: bytes

• memory - System memory utilization: bytes

• paging - Paging activity: page faults

• power - Power supply usage

• power-consumption

• temperature - Modules temperature

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example

switch (config) # show stats sample fan

Sample "fan" (Fan speed):

Enabled: yes

Sampling interval: 1 minute 11 seconds

switch (config) #

Related Commands N/A

Notes


4.13 Chassis Management

The Chassis Manager provides the user access to the following information:

Table 24 - Chassis Manager Information

Accessible Parameters - Description

• switch temperatures - Displays system’s temperature

• power supply voltages - Displays power supplies’ voltage levels

• fan unit - Displays system fans’ status

• power unit - Displays system power consumers

• Flash memory - Displays information about system memory utilization.

Additionally, it monitors:

• AC power to the PSUs

• DC power out from the PSUs

• Chassis failures

4.13.1 System Health Monitor

The system health monitor scans the system to decide whether or not the system is healthy. When the monitor discovers that one of the system's modules (leaf, spine, fan, or power supply) is in an unhealthy state or returned from an unhealthy state, it notifies the users through the following methods:

• System logs – accessible to the user at any time as they are saved permanently on the system

• Status LEDs – changed by the system health monitor when an error is found in the system and is resolved

• email/SNMP traps – notification on any error found in the system and resolved

4.13.1.1 Re-Notification on Errors

When the system is in an unhealthy state, the system health monitor notifies the user about the current unresolved issue every X seconds. The user can configure the re-notification gap by running the “health notif-cntr <counter>” command.


4.13.1.2 System Health Monitor Alerts Scenarios

• System Health Monitor sends notification alerts in the following cases:

Table 25 - System Health Monitor Alerts Scenarios

Alert Message: Fan <fan_number> speed is below minimal range
Scenario: A chassis fan speed is below minimal threshold: 15% of maximum speed
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP.
Recovery Action: Check the fan and replace it if required
Recovery Message: “Fan <fan_number> has been restored to its normal state”

Alert Message: Fan <fan_number> speed in spine number <spine_number> is below minimal range
Scenario: A spine fan speed is below minimal threshold: 30% of maximum speed
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Check the fan and replace it if required
Recovery Message: “Fan speed <fan_number> in spine number <spine_number> has been restored to its normal state”

Alert Message: Fan <fan_number> is unresponsive
Scenario: A chassis fan is not responsive on MLNX-OS systems
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Check fan connectivity and replace it if required
Recovery Message: “Fan <fan_number> has been restored to its normal state”

Alert Message: Fan <fan_number> in spine number <spine_number> is unresponsive
Scenario: A spine fan is not responsive on MLNX-OS systems
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Check fan connectivity and replace it if required
Recovery Message: “Fan <fan_number> in spine number <spine_number> has been restored to its normal state”

Alert Message: Fan <fan_number> is not present
Scenario: A chassis fan is missing
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Insert a fan unit
Recovery Message: “Fan <fan_number> has been restored to its normal state”

Alert Message: Fan <fan_number> in spine number <spine_number> is not present.
Scenario: A spine fan is missing
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Insert a fan unit
Recovery Message: “Fan <fan_number> in spine number <spine_number> has been restored to its normal state”

Alert Message: Insufficient number of working fans in the system
Scenario: Insufficient number of working fans in the system
Notification Indicator: Email, fan LED and system status LED set red, log alert, SNMP
Recovery Action: Plug in additional fans or change faulty fans
Recovery Message: “The system currently has sufficient number of working fans”

Alert Message: Power supply <ps_number> is unresponsive
Scenario: A power supply unit is not responsive, or the power supplied to the PS unit is below 10V on MLNX-OS systems
Notification Indicator: Email, power supply LED and system status LED set red, log alert, SNMP
Recovery Action: Check the PS module
Recovery Message: “Power supply <ps_number> has been restored to its normal state”

Alert Message: Power supply <ps_number> temperature is too hot
Scenario: A power supply unit temperature is higher than the maximum threshold of 70 Celsius on MLNX-OS systems
Notification Indicator: Email, power supply LED and system status LED set red, log alert, SNMP
Recovery Action: Check chassis fans connections. On MLNX-OS systems, check system fan connections.
Recovery Message: “Power supply <ps_number> temperature is back to normal”

Alert Message: Unit/leaf/spine <leaf/spine number> is unresponsive
Scenario: A leaf/spine is not responsive
Notification Indicator: Email, system status LED set red, log alert, SNMP
Recovery Action: Check leaf/spine connectivity and replace it if required
Recovery Message: “Leaf/spine number <leaf/spine number> has been restored to its normal state”

Alert Message: Unit/leaf/spine voltage is out of range
Scenario: One of the voltages in a MLNX-OS unit is below minimal threshold or higher than the maximum threshold - both thresholds are 15% of the expected voltage
Notification Indicator: Email, system status LED set red, log alert, SNMP
Recovery Action: Check leaf connectivity
Recovery Message: “Unit voltage is in range”

Alert Message: ASIC temperature is too hot
Scenario: A SwitchX unit temperature is higher than the maximum threshold of 105 Celsius on MLNX-OS systems
Notification Indicator: Email, system status LED set red, log alert, SNMP
Recovery Action: Check the fans system
Recovery Message: “SwitchX temperature is back to normal”

Alert Message: Power Supply <number> is unresponsive
Scenario: A power supply is malfunctioning or disconnected
Notification Indicator: Email, system status LED set red, log alert, SNMP
Recovery Action: Connect power cable or replace malfunctioning PS
Recovery Message: “Power supply has been removed” or “PS has been restored to its normal state”

4.13.2 Power Management

4.13.2.1 Width Reduction Power Saving

Link width reduction (LWR) is a Mellanox proprietary power-saving feature that reduces the power usage of the fabric. LWR can be configured, manually or automatically, to lower the width of a link between Mellanox switch systems from 4X operation to 1X based on the traffic flow.

LWR is relevant only for 40GbE and InfiniBand FDR speeds in which the links are operational at a 4X width.

When “show interfaces” is used, a port’s speed appears unchanged even when only one lane is active.


LWR has three operating modes per interface:

• Disabled – LWR does not operate and the link remains in 4X under all circumstances.

• Automatic – the link automatically alternates between 4X and 1X based on traffic flow.

• Force – a port is forced to operate in 1X mode lowering the throughput capability of the port. This mode should be chosen in cases where constant low throughput is expected on the port for a certain time period – after which the port should be configured to one of the other two modes, to allow higher throughput to pass through the port.

See command “power-management width” on page 381.

Table 26 - LWR Configuration Behavior

Switch-A Configuration  Switch-B Configuration  Behavior
Disable                 Disable                 LWR is disabled.
Disable                 Force                   Transmission from Switch-B to Switch-A operates at 1X. In the opposite direction, LWR is disabled.
Disable                 Auto                    Depending on traffic flow, transmission from Switch-B to Switch-A may operate at 1X. In the opposite direction, LWR is disabled.
Auto                    Force                   Transmission from Switch-B to Switch-A operates at 1 lane. Transmission from Switch-A to Switch-B may operate at 1X depending on the traffic.
Auto                    Auto                    Width of the connection depends on the traffic flow.
Force                   Force                   Connection between the switches operates at 1X.


4.13.3 Monitoring Environmental Conditions

Step 1. Display module’s temperature. Run:

switch (config) # show temperature

============================================

Module Sensor CurTemp Status

(Celsius)

============================================

MGMT CPU_BOARD_MONITOR 40.00 OK

L01 BOARD_MONITOR 27.00 OK

L01 QSFP_TEMP1 24.00 OK

L01 QSFP_TEMP2 22.00 OK

L01 QSFP_TEMP3 21.00 OK

L01 SX 38.00 OK

L02 BOARD_MONITOR 27.00 OK

L02 QSFP_TEMP1 24.50 OK

L02 QSFP_TEMP2 22.50 OK

L02 QSFP_TEMP3 21.50 OK

L02 SX 32.00 OK

PS2 PS_MONITOR 24.66 OK

PS3 PS_MONITOR 31.04 OK

PS4 PS_MONITOR 28.06 OK

S01 BOARD_MONITOR 23.00 OK

S01 SX 34.00 OK

S01 SX_AMBIENT_TEMP 22.50 OK

S02 BOARD_MONITOR 24.00 OK

S02 SX 49.00 OK

S02 SX_AMBIENT_TEMP 24.00 OK

switch (config) #


Step 2. Display measured voltage levels of power supplies. Run:

switch (config) # show voltage

======================================================

Module Power Meter Reg Expected Actual Status

Voltage Voltage

======================================================

PS2 PS_MONITOR V1 48.00 46.88 OK

PS3 PS_MONITOR V1 48.00 48.29 OK

PS4 PS_MONITOR V1 48.00 48.29 OK

MGMT CPU_BOARD_MONITOR V1 12.00 11.92 OK

MGMT CPU_BOARD_MONITOR V2 2.50 2.48 OK

MGMT CPU_BOARD_MONITOR V3 3.30 3.31 OK

MGMT CPU_BOARD_MONITOR V4 3.30 3.30 OK

MGMT CPU_BOARD_MONITOR V5 1.80 1.81 OK

MGMT CPU_BOARD_MONITOR V6 1.20 1.26 OK

S01 BOARD_MONITOR V1 3.30 3.33 OK

S01 BOARD_MONITOR V2 2.27 2.15 OK

S01 BOARD_MONITOR V3 1.80 1.76 OK

S01 BOARD_MONITOR V4 3.30 3.30 OK

S01 BOARD_MONITOR V5 0.90 0.93 OK

S01 BOARD_MONITOR V6 1.20 1.19 OK

S02 BOARD_MONITOR V1 3.30 3.26 OK

S02 BOARD_MONITOR V2 2.27 2.16 OK

S02 BOARD_MONITOR V3 1.80 1.79 OK

S02 BOARD_MONITOR V4 3.30 3.31 OK

S02 BOARD_MONITOR V5 0.90 0.95 OK

S02 BOARD_MONITOR V6 1.20 1.20 OK

L01 BOARD_MONITOR V1 3.30 3.33 OK

L01 BOARD_MONITOR V2 2.27 2.16 OK

L01 BOARD_MONITOR V3 1.80 1.76 OK

L01 BOARD_MONITOR V4 3.30 3.30 OK

L01 BOARD_MONITOR V5 0.90 0.93 OK

L01 BOARD_MONITOR V6 1.20 1.19 OK

L02 BOARD_MONITOR V1 3.30 3.26 OK

L02 BOARD_MONITOR V2 2.27 2.17 OK

L02 BOARD_MONITOR V3 1.80 1.79 OK

L02 BOARD_MONITOR V4 3.30 3.30 OK

L02 BOARD_MONITOR V5 0.90 0.89 OK

L02 BOARD_MONITOR V6 1.20 1.19 OK

switch (config) #


Step 3. Display the fan speed and status. Run:

switch (config) # show fan

=====================================================

Module Device Fan Speed Status

(RPM)

=====================================================

FAN1 FAN F1 6994.00 OK

FAN2 FAN F1 6792.00 OK

FAN3 FAN F1 6870.00 OK

FAN4 FAN F1 6818.00 OK

S01 FAN F1 7800.00 OK

S01 FAN F2 8130.00 OK

S02 FAN F1 8130.00 OK

S02 FAN F2 8490.00 OK

S03 FAN - - NOT PRESENT

S04 FAN - - NOT PRESENT

S05 FAN - - NOT PRESENT

S06 FAN - - NOT PRESENT

switch (config) #

Step 4. Display the voltage, current and status of each module in the system. Run:

switch (config) # show power consumers

================================================

Module Power Voltage Current Status

(Watts) (Amp)

================================================

FAN1 15.55 48.00 0.32 OK

FAN2 16.26 48.00 0.34 OK

FAN3 15.30 48.00 0.32 OK

FAN4 14.98 48.00 0.31 OK

L01 32.45 48.00 0.68 OK

L02 28.75 48.00 0.60 OK

MGMT 16.08 48.00 0.34 OK

S01 37.34 48.00 0.78 OK

S02 35.09 48.00 0.73 OK

Total power used : 211.79 W

Max power : 686.00 W

switch (config) #

4.13.4 USB Access

MLNX-OS can access USB devices attached to switch systems. USB devices are automatically recognized and mounted upon insertion. To access a USB device for reading or writing a file, provide the path to the file on the mounted USB device in the following format:

scp://username:password@hostname/var/mnt/usb1/<file name>

where username and password are the admin username and password, and hostname is the IP of the switch.


Examples:

To fetch an image from a USB device, run the command:

switch (config) # image fetch scp://admin:[email protected]/var/mnt/usb1/image.img

To save log file ‘my-logfile’ to a USB device under the name test_logfile using the logging files command, run (in Enable or Config mode):

switch (config) # logging files upload my-logfile scp://username:password@hostname/var/mnt/usb1/test_logfile
switch (config) #

To safely remove the USB and to flush the cache after writing (log files, for example) to a USB, use the usb eject command (in Enable or Config mode).

switch (config) # usb eject
switch (config) #

4.13.5 System Reboot

4.13.5.1 Rebooting 1U Switches

To reboot a 1U switch system:

Step 1.

Enter Config mode. Run:

switch >
switch > enable
switch # configure terminal

Step 2.

Reboot the system. Run:

switch (config) # reload


4.13.6 Commands

4.13.6.1 Chassis Management

clear counters

clear counters [all | interface <type> <number>]

Clears switch counters.

Syntax Description

all: Clears all switch counters.

type: A specific interface type

number: The interface number.

Default N/A

Configuration Mode Config Interface Port Channel

History 3.2.3000

Role admin

Example switch (config) # clear counters

Related Commands

Notes


health

health {max-report-len <length> | re-notif-cntr <counter> | report-clear}

Configures health daemon settings.

Syntax Description

max-report-len <length>: Sets the length of the health report - number of line entries. Possible values: 10-2048.

re-notif-cntr <counter>: Health control changes notification counter, in seconds. Possible values: 120-7200 seconds.

report-clear: Clears the health report.

Default max-report-len: 50

re-notif-cntr:

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # health re-notif-cntr 125

switch (config) #

Related Commands show health-report

Notes


power enable

power enable <module name>

no power enable <module name>

Powers on the module.

The no form of the command shuts down the module.

Syntax Description

module name: Enables power for selected module.

Default Power is enabled on all modules.

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # power enable L01

switch (config) #

Related Commands show power

show power consumers

Notes This command is not applicable for 1U systems.


power-management width

power-management width {auto | force}

no power-management width

Sets the width of the interface to be automatically adjusted.

The no form of the command disables power-saving.

Syntax Description

auto: Allows the system to automatically decide whether to work in power-saving mode or not.

force: Forces power-saving mode on the port.

Default Disabled

Configuration Mode Config Interface Ethernet

History 3.3.4000

Role admin

Example switch (config interface ib 1/1) # power-management width auto

switch (config) #

Related Commands show interface

Notes


usb eject

usb eject

Gracefully turns off the USB interface.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example switch (config) # usb eject

switch (config) #

Related Commands N/A

Notes Applicable only for systems with USB interface.


show fan

show fan

Displays fans status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show fan

switch (config) # show fan

=====================================================

Module Device Fan Speed Status

(RPM)

=====================================================

FAN FAN F1 5340.00 OK

FAN FAN F2 5340.00 OK

FAN FAN F3 5640.00 OK

FAN FAN F4 5640.00 OK

PS1 FAN F1 5730.00 OK

PS2 FAN - - NOT PRESENT

switch (config) #

Related Commands N/A

Notes


show version

show version

Displays version information for the currently running system image.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show version

Product name: MLNX-OS

Product release: 3.1.0000

Build ID: #1-dev

Build date: 2012-02-26 08:47:51

Target arch: ppc

Target hw: m460ex

Built by: root@r-fit16

Uptime: 1d 3h 32m 24.656s

Product model: ppc

Host ID: 0002c911a15e

System memory: 110 MB used / 1917 MB free / 2027 MB total

Swap: 0 MB used / 0 MB free / 0 MB total

Number of CPUs: 1

CPU load averages: 0.18 / 0.19 / 0.16

switch (config) #

Related Commands N/A

Notes


show version concise

show version concise

Displays concise version information for the currently running system image.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show version concise

SX_PPC_M460EX SX_3.4.0000 2014-10-14 20:26:41 ppc

switch (config) #

Related Commands N/A

Notes


show uboot

show uboot

Displays u-boot version.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

3.4.1110 Updated output

Role admin

Example switch (config) # show uboot

UBOOT version : U-Boot 2009.01 SX_PPC_M460EX SX_3.2.0330-82 ppc (Dec 20 2012 - 17:53:54)

switch (config) #

Related Commands N/A

Notes


show cpld

show cpld

Displays status of all CPLDs in the system.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.3.4302 Updated example

Role admin

Example switch (config) # show cpld

=====================================

Name Type Version

=====================================

Cpld1 CPLD_TOR 4

Cpld2 CPLD_PORT1 2

Cpld3 CPLD_PORT2 2

Cpld4 CPLD_MEZZ 3

switch (config) #

Related Commands N/A

Notes


show inventory

show inventory

Displays system inventory.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.4.1604 Removed CPU module output from Example

Role admin

Example switch (config) # show inventory

===================================================================================

Module Type Part number Serial Number Asic revision

===================================================================================

CHASSIS SX1036 MSX1036B-1SFR MT1205X01549 N/A

MGMT SX1036 MSX1036B-1SFR MT1205X01549 0

FAN SXX0XX_FAN MSX60-FF MT1206X07209 N/A

PS1 SXX0XX_PS MSX60-PF MT1206X06697 N/A

switch (config) #

Related Commands N/A

Notes


show module

show module

Displays modules status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000 First version

3.3.0000 Added “Is Fatal” column

3.4.2008 Updated command output

3.4.3000 Updated command output and added note

Role admin

Example switch (config) # show module

======================

Module Status

======================

MGMT ready

FAN1 ready

FAN2 ready

PS1 ready

PS2 not-present

switch (config) #

Related Commands N/A

Notes The Status column may have one of the following values: error, fatal, not-present, powered-off, powered-on, ready.


show memory

show memory

Displays memory status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show memory

Total Used Free Used+B/C Free-B/C

Physical 2027 MB 761 MB 1266 MB 1214 MB 813 MB

Swap 0 MB 0 MB 0 MB

Physical Memory Borrowed for System Buffers and Cache:

Buffers: 0 MB

Cache: 452 MB

Total Buffers/Cache: 452 MB

switch (config) #

Related Commands N/A

Notes


show asic-version

show asic-version

Displays firmware ASIC version.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.4.2008 Updated Example

Role admin

Example switch (config) # show asic-version

================================================

Module Device Version

================================================

MGMT SX 9.2.9160

switch (config) #

Related Commands N/A

Notes


show power

show power

Displays power supplies and power usage.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show power

==================================================================

Module Power Voltage Current Capacity Grid Status

(Watts) (Amp) (Watts) Group

==================================================================

PS1 0.00 47.11 0.00 1008 A OK

PS2 248.82 48.05 5.18 1008 A OK

PS3 0.00 46.88 0.00 1008 A OK

PS4 - - - NOT PRESENT

PS5 46.72 47.82 0.98 1008 A OK

PS6 - - - NOT PRESENT

PS7 - - - NOT PRESENT

PS8 - - - NOT PRESENT

PS9 - - - NOT PRESENT

PS10 - - - NOT PRESENT

Total power used : 295.54 W

Total power capacity : 4032.00 W

Total power budget : 4032.00 W

Total power available : 3736.46 W

Redundancy mode: combined

Redundancy status: OK

switch (config) #

Related Commands N/A

Notes


show power consumers

show power consumers

Displays power consumers.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show power consumers

================================================

Module Power Voltage Current Status

(Watts) (Amp)

================================================

MGMT 17.47 48.00 0.36 OK

S01 33.26 48.00 0.69 OK

S02 33.50 48.00 0.70 OK

L01 31.73 48.00 0.66 OK

L02 29.76 48.00 0.62 OK

L30 28.61 48.00 0.60 OK

FAN5 14.91 48.00 0.31 OK

FAN2 13.70 48.00 0.29 OK

FAN1 14.21 48.00 0.30 OK

FAN6 15.10 48.00 0.31 OK

FAN4 14.53 48.00 0.30 OK

FAN7 15.04 48.00 0.31 OK

FAN3 15.17 48.00 0.32 OK

FAN8 14.98 48.00 0.31 OK

Total power used : 291.97 W

Max power : 1636.00 W

switch (config) #

Related Commands N/A

Notes


show temperature

show temperature

Displays the system's temperature sensors status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show temperature

===================================================

Module Component Reg CurTemp Status

(Celsius)

===================================================

MGMT BOARD_MONITOR T1 25.00 OK

MGMT CPU_BOARD_MONITOR T1 26.00 OK

MGMT CPU_BOARD_MONITOR T2 41.00 OK

MGMT QSFP_TEMP1 T1 23.00 OK

MGMT QSFP_TEMP2 T1 22.50 OK

MGMT QSFP_TEMP3 T1 23.00 OK

MGMT SX T1 37.00 OK

switch (config) #

Related Commands N/A

Notes


show voltage

show voltage

Displays power supplies voltage level.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

3.3.5006 Updated Example

Role admin

Example switch (config) # show voltage

===========================================================================================

Module Power Meter Reg Expected Actual Status High Low

Voltage Voltage Range Range

===========================================================================================

MGMT BOARD_MONITOR USB 5V sensor 5.00 5.15 OK 5.55 4.45

MGMT BOARD_MONITOR Asic I/O sensor 2.27 2.11 OK 2.55 1.99

MGMT BOARD_MONITOR 1.8V sensor 1.80 1.79 OK 2.03 1.57

MGMT BOARD_MONITOR SYS 3.3V sensor 3.30 3.28 OK 3.68 2.92

MGMT BOARD_MONITOR CPU 0.9V sensor 0.90 0.93 OK 1.04 0.76

MGMT BOARD_MONITOR 1.2V sensor 1.20 1.19 OK 1.37 1.03

MGMT CPU_BOARD_MONITOR 12V sensor 12.00 11.67 OK 13.25 10.75

MGMT CPU_BOARD_MONITOR 12V sensor 2.50 2.46 OK 2.80 2.20

MGMT CPU_BOARD_MONITOR 2.5V sensor 3.30 3.26 OK 3.68 2.92

MGMT CPU_BOARD_MONITOR SYS 3.3V sensor 3.30 3.24 OK 3.68 2.92

MGMT CPU_BOARD_MONITOR SYS 3.3V sensor 1.80 1.79 OK 2.03 1.57

MGMT CPU_BOARD_MONITOR 1.8V sensor 1.20 1.24 OK 1.37 1.03

switch (config) #

Related Commands N/A

Notes


show health-report

show health-report

Displays health report.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000 First version

3.3.0000 Output update

Role admin

Example switch (config) # show health-report

========================

| ALERTS CONFIGURATION |

========================

Re-notification counter (sec):[3600]

Report max counter: [50]

========================

| HEALTH REPORT |

========================

No Health issues file

switch (config) #

Related Commands N/A

Notes Problems with the power supply cannot be monitored on SX1016 switch systems.


show resources

show resources

Displays system resources.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show resources

Total Used Free

Physical 2027 MB 761 MB 1266 MB

Swap 0 MB 0 MB 0 MB

Number of CPUs: 1

CPU load averages: 0.11 / 0.23 / 0.23

CPU 1

Utilization: 5%

Peak Utilization Last Hour: 19% at 2012/02/15 13:26:19

Avg. Utilization Last Hour: 7%

switch (config) #

Related Commands N/A

Notes


show system profile

show system profile

Displays system profile.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.2.0000

Role admin

Example switch (config) # show system profile

eth-single-switch

switch (config) #

Related Commands system profile

Notes


show system capabilities

show system capabilities

Displays system capabilities.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000 First version

3.3.0000 Added gateway support

Role admin

Example switch (config) # show system capabilities

IB: Supported

Ethernet: Supported, Full L2

GW: Supported

Max number of GW ports: 0

Max SM nodes: 648

IB Max licensed speed: FDR

Ethernet Max licensed speed: 56Gb

switch (config) #

Related Commands show system profile

Notes


show system mac

show system mac

Displays system MAC address.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example switch (config) # show system mac

00:02:C9:5E:AF:18

switch (config) #

Related Commands N/A

Notes


show protocols

show protocols

Displays all protocols enabled in the system.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.2.3000

3.3.4550 Updated Example

Role admin

Example switch (config) # show protocols

Ethernet enabled
  spanning-tree rstp
  lacp disabled
  lldp enabled
  igmp-snooping disabled
  ets enabled
  priority-flow-control disabled
  sflow disabled
  openflow enabled

IP routing disabled
  ospf disabled
  dhcp-relay disabled

MLAG enabled

Infiniband enabled
  sm enabled

switch (config) #

Related Commands N/A

Notes


show bios

show bios

Displays the bios version information.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example switch (config) # show bios

BIOS version : 4.6.5

BIOS subversion : Official AMI Release

BIOS release date : 07/02/2013

switch (config) #

Related Commands

Notes The command is available only on X86 systems (not on PPC).


4.14 Network Management Interfaces

4.14.1 SNMP

Simple Network Management Protocol (SNMP) is a network protocol for managing a network and monitoring network devices and their functions. SNMP supports asynchronous event (trap) notifications and queries.

MLNX-OS supports:

• SNMP versions v1, v2c and v3

• SNMP trap notifications

• Standard MIBs

• Mellanox private MIBs

4.14.1.1 Standard MIBs

Table 27 - Standard MIBs – Textual Conventions and Conformance MIBs

MIB                               Standard
INET-ADDRESS-MIB                  RFC-4001
SNMPV2-CONF
SNMPV2-TC                         RFC 2579
SNMPV2-TM                         RFC 3417
SNMP-USM-AES-MIB                  RFC 3826
IANA-LANGUAGE-MIB                 RFC 2591
IANA-RTPROTO-MIB                  RFC 2932
IANAifType-MIB
IANA-ADDRESS-FAMILY-NUMBERS-MIB

Comments


Starting from version 3.4.1600, IB interfaces in interfaces tables (i.e. ifTable, ifxTable) have changed from SX<if>/<port> to IB/port.

Table 28 - Standard MIBs – Chassis and Switch

MIB: RFC1213-MIB
Standard: RFC 1213

MIB: IF-MIB
Standard: RFC 2863
Comments: ifXTable only supported.

MIB: ENTITY-MIB
Standard: RFC 4133

MIB: ENTITY-SENSOR-MIB
Standard: RFC 3433
Comments: Fan and temperature sensors

MIB: ENTITY-STATE-MIB
Standard: RFC 4268
Comments: Fan and temperature states

MIB: Bridge MIB
Standard: RFC 4188
Comments: dot1dTpFdbGroup and dot1dStaticGroup are not supported in this MIB; they are supported as part of Q-Bridge-MIB. This MIB is not relevant to InfiniBand.

MIB: Q-Bridge MIB
Standard: RFC 4363
Comments: The following SNMP groups are not supported:
• qBridgeVlanStatisticsGroup
• qBridgeVlanStatisticsOverflowGroup
• qBridgeVlanHCStatisticsGroup
• qBridgeLearningConstraintsGroup
The following SNMP tables are not supported:
• dot1qTpFdbTable (dynamic UC MAC addresses)
• dot1qTpGroupTable (dynamic MC MAC addresses)
• dot1qForwardAllTable (GMRP)
• dot1qForwardUnregisteredTable (GMRP)
• dot1qVlanCurrentTable (GVRP)
This MIB is not relevant to InfiniBand.

MIB: RSTP-MIB
Standard: RFC 4318
Comments: This MIB is not relevant to InfiniBand.

MIB: LLDP-MIB
Standard: 802.1AB-2005
Comments: This MIB is not relevant to InfiniBand.


4.14.1.2 Private MIB

Table 29 - Private MIBs Supported

MIB                      Description
MELLANOX-SMI-MIB         Mellanox Private MIB main structure (no objects)
MELLANOX-PRODUCTS-MIB    List of OID – per managed system (sysObjID)
MELLANOX-IF-VPI-MIB      IfTable extensions
MELLANOX-EFM-MIB         Partially deprecated MIB (based on Mellanox-MIB). Traps definitions and test trap set scalar are supported.
MELLANOX-ENTITY-MIB      Enhances the standard ENTITY-MIB (contains GUID and ASIC revision).
MELLANOX-POWER-CYCLE     Allows rebooting the switch system
MELLANOX-SW-UPDATE-MIB   Allows viewing what SW images are installed, uploading and installing new SW images
MELLANOX-CONFIG-DB       Allows loading, uploading, or deleting configuration files

Mellanox private MIBs can be downloaded from the Mellanox Support webpage.

4.14.1.3 Mellanox Private Traps

The following private traps are supported by MLNX-OS.

Table 30 - SNMP Traps

Trap                      Action Required
asicChipDown              Reboot the system.
asicOverTempReset         Check fans and environmental temperature.
asicOverTemp              Check fans and environmental temperature.
lowPower                  Add/connect power supplies.
internalBusError          N/A
procCrash                 Generate SysDump and contact Mellanox support.
cpuUtilHigh               N/A
procUnexpectedExit        Generate SysDump and contact Mellanox support.
diskSpaceLow              Clean images and sysDump files using the commands “image delete” and “file debug-dump delete”.
systemHealthStatus        Refer to Health Status table.
lowPowerRecover           N/A
insufficientFans          Check Fans and environmental conditions.
insufficientFansRecover   N/A
insufficientPower         Add/connect power supplies, or change power mode using the command “power redundancy mode”.
insufficientPowerRecover  N/A

For additional information refer to MELLANOX-EFM-MIB.

For event-to-MIB mapping, please refer to Table 22, “Supported Event Notifications and MIB Mapping,” on page 257.

4.14.1.4 Configuring SNMP

To set up the SNMP:

Step 1.

Activate the SNMP server on the MLNX-OS switch (in configure mode) using the following commands:

switch (config) # snmp-server enable
switch (config) # snmp-server enable notify
switch (config) # snmp-server community public ro
switch (config) # snmp-server contact "contact name"
switch (config) # snmp-server host <host IP address> traps version 2c public
switch (config) # snmp-server location "location name"
switch (config) # snmp-server user admin v3 enable
switch (config) # snmp-server user admin v3 prompt auth md5 priv des

Community strings are case sensitive.

Director switches (SX65xx systems) require SNMP timeout configuration on the agent of 60 seconds.

4.14.1.5 Configuring an SNMPv3 User

To configure SNMPv3 user:

Step 1.

Configure the user using the command:

switch (config) # snmp-server user [role] v3 prompt auth <hash type> priv <privacy type>

where

• user role – admin

• auth type – md5 or sha

• priv type – des or aes-128

Step 2.

Enter authentication password and its confirmation.

Step 3.

Enter privacy password and its confirmation.

switch (config) # snmp-server user admin v3 prompt auth md5 priv des

Auth password: ********

Confirm: ********

Privacy password: ********

Confirm: ********

switch (config) #

To retrieve the system table, run the following SNMP command:

snmpwalk -v3 -l authPriv -a MD5 -u admin -A "<Authentication password>" -x DES -X "<privacy password>" <system ip> SNMPv2-MIB::system

4.14.1.6 Configuring an SNMP Notification

To set up the SNMP Notification (traps or informs):

Step 1.

Make sure SNMP and SNMP notification are enabled. Run:

switch (config) # snmp-server enable
switch (config) # snmp-server enable notify
switch (config) #

Step 2.

Configure SNMP host with the desired arguments (IP address, SNMP version, authentication methods). More than one host can be configured. Each host may have different attributes. Run:

switch (config) # snmp-server host 10.134.47.3 traps version 3 user my-username auth sha my-password
switch (config) #

Step 3.

Verify the SNMP host configuration. Run:

switch (config) # show snmp host

Notifications enabled: yes

Default notification community: public

Default notification port: 162

Notification sinks:

10.134.47.3

Enabled: yes

Port: 162 (default)

Notification type: SNMP v3 trap

Username: my-username

Authentication type: sha

Privacy type: aes-128

Authentication password: (set)

Privacy password: (set)

switch (config) #


Step 4.

Configure the desired event to be sent via SNMP. Run:

switch (config) # snmp-server notify event interface-up
switch (config) #

This particular event is used as an example only.

Step 5.

Verify the list of traps and informs being sent out of the system. Run:

switch (config) # show snmp events

Events for which traps will be sent:

asic-chip-down: ASIC (Chip) Down

cpu-util-high: CPU utilization has risen too high

disk-space-low: Filesystem free space has fallen too low

health-module-status: Health module Status

insufficient-fans: Insufficient amount of fans in system

insufficient-fans-recover: Insufficient amount of fans in system recovered

insufficient-power: Insufficient power supply

interface-down: An interface's link state has changed to down

interface-up: An interface's link state has changed to up

internal-bus-error: Internal bus (I2C) Error

liveness-failure: A process in the system was detected as hung

low-power: Low power supply

low-power-recover: Low power supply Recover

new_root: local bridge became a root bridge

paging-high: Paging activity has risen too high

power-redundancy-mismatch: Power redundancy mismatch

process-crash: A process in the system has crashed

process-exit: A process in the system unexpectedly exited

snmp-authtrap: An SNMP v3 request has failed authentication

topology_change: local bridge trigerred a topology change

unexpected-shutdown: Unexpected system shutdown

switch (config) #

To print event notifications to the terminal (SSH or CONSOLE) refer to Section 4.5.1, “Monitor,” on page 218.

4.14.1.7 SNMP SET Operations

MLNX-OS allows the user to use SET operations via the SNMP interface. This requires configuring a user/community that supports SET operations.

Enabling SNMP SET

To allow SNMP SET operations using SNMPv1/v2:

Step 1.

Enable SNMP communities. Run:

switch (config) # snmp-server enable communities


Step 2.

Configure a read-write community. Run:

switch (config) # snmp-server community my-community-name rw

Step 3.

Make sure SNMP communities are enabled (enabled by default). Make sure “(DISABLED)” does not appear beside “Read-only communities” / “Read-write communities”. Run:

switch (config) # show snmp

SNMP enabled: yes

SNMP port: 161

System contact:

System location:

Read-only communities:

public

Read-write communities:

my-community-name

switch (config) # show snmp

No Listen Interfaces.

Step 4.

Configure this RW community in your MIB browser.

To allow SNMP SET operations using SNMPv3:

Step 1.

Create an SNMPv3 user. Run:

switch (config) # snmp-server user myuser v3 auth sha <password1> priv aes-128 <password2>

It is possible to use other configuration options not specified in the example above.

Please refer to the command “snmp-server user” on page 424 for more information.

Step 2.

Make sure the username is enabled for SET access and has admin capability level. Run: switch (config) # show snmp user

User name: myuser

Enabled overall: yes

Authentication type: sha

Privacy type: aes-128

Authentication password: (set)

Privacy password: (set)

Require privacy: yes

SET access:

Enabled: yes

Capability level: admin

MLNX-OS supports the OIDs for SET operation listed in Table 31 which are expanded upon in the following subsections.

Table 31 - Supported SET OIDs

MIB Name              OID Name                            OID
--------------------  ----------------------------------  ------------------------------
MELLANOX-EFM-MIB      sendTestTrapSet                     1.3.6.1.4.1.33049.2.1.1.1.6.0
SNMPv2-MIB            sysName                             1.3.6.1.2.1.1.5.0
MELLANOX-CONFIG-DB    mellanoxConfigDBCmdExecute          1.3.6.1.4.1.33049.12.1.1.2.3.0
MELLANOX-CONFIG-DB    mellanoxConfigDBCmdFilename         1.3.6.1.4.1.33049.12.1.1.2.2.0
MELLANOX-CONFIG-DB    mellanoxConfigDBCmdStatus           1.3.6.1.4.1.33049.12.1.1.2.4.0
MELLANOX-CONFIG-DB    mellanoxConfigDBCmdStatusString     1.3.6.1.4.1.33049.12.1.1.2.5.0
MELLANOX-CONFIG-DB    mellanoxConfigDBCmdUri              1.3.6.1.4.1.33049.12.1.1.2.1.0
MELLANOX-POWER-CYCLE  mellanoxPowerCycleCmdExecute        1.3.6.1.4.1.33049.10.1.1.2.1.0
MELLANOX-POWER-CYCLE  mellanoxPowerCycleCmdStatus         1.3.6.1.4.1.33049.10.1.1.2.2.0
MELLANOX-POWER-CYCLE  mellanoxPowerCycleCmdStatusString   1.3.6.1.4.1.33049.10.1.1.2.3.0
MELLANOX-SW-UPDATE    mellanoxSWUpdateCmdSetNext          1.3.6.1.4.1.33049.11.1.1.2.1.0
MELLANOX-SW-UPDATE    mellanoxSWUpdateCmdUri              1.3.6.1.4.1.33049.11.1.1.2.2.0
MELLANOX-SW-UPDATE    mellanoxSWUpdateCmdExecute          1.3.6.1.4.1.33049.11.1.1.2.3.0
MELLANOX-SW-UPDATE    mellanoxSWUpdateCmdStatus           1.3.6.1.4.1.33049.11.1.1.2.4.0
MELLANOX-SW-UPDATE    mellanoxSWUpdateCmdStatusString     1.3.6.1.4.1.33049.11.1.1.2.5.0
MELLANOX-SW-UPDATE    mellanoxSWActivePartition           1.3.6.1.4.1.33049.11.1.1.3.0.0
MELLANOX-SW-UPDATE    mellanoxSWNextBootPartition         1.3.6.1.4.1.33049.11.1.1.4.0.0
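Because the SET OIDs in Table 31 include power cycling, configuration replacement and software update, it is worth checking who is able to issue SET requests. The following Python audit of “show snmp” and “show snmp user” output is an added example, not part of the Mellanox manual; the sample outputs are constructed, and the finding codes, the tolerated position of the “(DISABLED)” marker and the treatment of a missing “No Listen Interfaces.” line as "listen list configured" are assumptions.

```python
import re

# Constructed samples in the layout of the `show snmp` and `show snmp user`
# output printed in this section (not captured from a real switch).
SHOW_SNMP = """\
SNMP enabled: yes
SNMP port: 161
Read-only communities:
  public
Read-write communities:
  my-community-name
Interface listen enabled: yes
No Listen Interfaces.
"""
SHOW_SNMP_USER = """\
User name: myuser
Enabled overall: yes
Authentication type: sha
Privacy type: des
Authentication password: (set)
Privacy password: (set)
Require privacy: no
SET access:
  Enabled: yes
  Capability level: admin
"""
WELL_KNOWN = {"public", "private"}  # community strings used in the manual's examples
COMMUNITY_RE = re.compile(r"Read-(only|write) communit(?:y|ies)([^:]*):\s*(.*)$")


def parse_show_snmp(text):
    """Parse both layouts: 'Read-only community: x' and a 'communities:' list."""
    cfg = {"ro": [], "rw": [], "communities_disabled": False, "no_listen": False}
    current = None  # community list being filled in the multi-community layout
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or re.search(r"\(config\)\s*#", line):
            continue  # blank line or CLI prompt
        if line == "No Listen Interfaces.":
            cfg["no_listen"], current = True, None
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            # Assumption: "(DISABLED)" may sit before or after the colon.
            if "(DISABLED)" in line:
                cfg["communities_disabled"] = True
            current = cfg["ro" if m.group(1) == "only" else "rw"]
            value = m.group(3).replace("(DISABLED)", "").strip()
            if value:  # single-community layout: value is on the same line
                current.append(value)
                current = None
        elif ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()], current = value.strip(), None
        elif current is not None and line != "(none)":
            current.append(line)
    return cfg


def audit_show_snmp(text):
    """Return finding codes for settings that widen SNMPv1/v2c SET exposure."""
    cfg, findings = parse_show_snmp(text), []
    if cfg.get("SNMP enabled") != "yes":
        return findings
    if not cfg["communities_disabled"]:
        if cfg["rw"]:  # SET OIDs reachable with a cleartext community string
            findings.append("RW_COMMUNITY")
        if WELL_KNOWN & set(cfg["ro"] + cfg["rw"]):
            findings.append("WELL_KNOWN_COMMUNITY")
    # Per the snmp-server listen notes: without an eligible listen interface,
    # SNMP requests are accepted on any interface.
    if cfg.get("Interface listen enabled") != "yes" or cfg["no_listen"]:
        findings.append("LISTEN_UNRESTRICTED")
    return findings


def parse_show_snmp_user(text):
    """Return one dict per 'User name:' block."""
    users, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if ":" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "User name":
            cur = {key: value}
            users.append(cur)
        elif cur is not None:
            cur[key] = value
    return users


def audit_snmp_users(text):
    """Flag SNMPv3 users that can SET without mandatory or strong encryption."""
    findings = []
    for user in parse_show_snmp_user(text):
        usable = (user.get("Enabled overall") == "yes"
                  and "NOT SET" not in user.get("Authentication password", ""))
        if not usable or user.get("Enabled") != "yes":  # "Enabled" = SET access
            continue
        if user.get("Require privacy") != "yes":
            findings.append((user["User name"], "SET_WITHOUT_REQUIRED_PRIVACY"))
        if user.get("Privacy type") == "des":
            findings.append((user["User name"], "WEAK_PRIVACY_DES"))
    return findings


if __name__ == "__main__":
    print(audit_show_snmp(SHOW_SNMP))
    print(audit_snmp_users(SHOW_SNMP_USER))
```

Paste the text of both commands from a switch into the two functions; an empty result means none of these specific conditions was found, not that the SNMP configuration is otherwise sound.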

Sending a Test Trap SET Request

MLNX-OS allows the user to test the notification mechanism via SNMP SET. Sending a SET request with the designated OID triggers a test trap.

Prerequisites:

1. Enable SET operations by following the instructions in “Enabling SNMP SET” on page 408.

2. Configure host to which to send SNMP notifications.

3. Set a trap receiver in the MIB browser.

To send a test trap:

Step 1. Send a SET request to the switch IP with the OID 1.3.6.1.4.1.33049.2.1.1.1.6.0.

Step 2. Make sure the test trap is received by the aforementioned trap receiver (OID: 1.3.6.1.4.1.33049.2.1.2.13).

Setting Hostname with SNMP

Mellanox supports setting system hostname using an SNMP SET request as described in SNMPv2-MIB (sysName, OID: 1.3.6.1.2.1.1.5.0).

The restrictions on setting a hostname via CLI also apply to setting a hostname through SNMP. Refer to the command “hostname” on page 134 for more information.

Power Cycle with SNMP

Mellanox supports power cycling its systems using an SNMP SET request as described in MELLANOX-POWER-CYCLE MIB.

The power cycle command is issued via the OID mellanoxPowerCycleCmdExecute. The following options are available:

• Reload – saves any unsaved configuration and reloads the switch

• Reload discard – reboots the system and discards any unsaved changes

• Reload force – forces an expedited reload on the system even if it is busy without saving unsaved configuration (equals the CLI command reload force)

• Reload slave – reloads the slave management on dual management systems (must be executed from the master management module)

On dual management systems it is advised to connect via the BIP to make sure commands are executed from the master management.

Changing Configuration with SNMP

Mellanox supports making configuration changes on its systems using SNMP SET requests.

Configuration requests are performed by setting several values (arguments) and then executing a command by setting the value for the relevant operation.

It is possible to set the parameters and execute the commands on the same SNMP request or separate them to several SET operations. Upon executing a command, the values of its arguments remain and can be read using GET commands.

Once a command is executed there may be two types of errors:

• Immediate: This error results in a failure of the SNMP request. This means a critical error in the SNMP request has occurred or that a previous SET request is being executed.

• Delayed: The SET request has been accepted by the switch but an error occurred during its execution.

For example, when performing a fetch (download) operation, an immediate error can occur when the given URL is invalid. A delayed error can occur if the download process fails due to network connectivity issues.

The following arguments are supported:

• Command URI – URI to fetch the configuration file from or upload the file to (for supported URI format please refer to the CLI command “configuration fetch” for more details)

• Config file name – filename to save the configuration file to or to upload to remote location

The following commands are supported:

• BinarySwitchTo – replaces the configuration file with a new binary configuration file. This option fetches the configuration file from the URI provided in the mellanoxConfigDBCmdUri and switches to that configuration file. This command should be preceded by a reload command in order for the new configuration to apply.

• TextApply – fetches a configuration file in human-readable format and applies its configuration upon the current configuration.

• BinaryUpload – uploads a binary format configuration file of the current running configuration or an existing configuration file on the switch to the URI in the mellanoxConfigDBCmdUri command. The filename parameter indicates what configuration file on the switch to upload.


• TextUpload – uploads a human-readable configuration file of the current running configuration or an existing configuration file on the switch to the URI in the mellanoxConfigDBCmdUri command. The filename parameter indicates what configuration file on the switch to upload.

• ConfigWrite – saves active configuration to a filename on the switch as given in the filename parameter. In case filename is “active”, active configuration is saved to the current saved configuration (same as the CLI command configuration write).

Upgrading MLNX-OS Software with SNMP

Mellanox supports upgrading MLNX-OS software using an SNMP SET request as described in MELLANOX-SW-UPDATE MIB.

The software upgrade command is issued via the OID mellanoxSWUpdateCmdExecute. The following options are available:

• Update – fetches the image from a specified URI (equivalent to the command “image fetch” followed by “image install”)

The image to update from is defined by the OID mellanoxSWUpdateCmdUri. The restrictions on the URI are identical to what is supported in the CLI command “image fetch” on page 182.

• Set-Next – changes the image for the next boot (equivalent to the CLI command “image boot”)

The partition from which to boot is defined by the OID mellanoxSWUpdateCmdSetNext. The parameters for this OID are as follows:

• 0 – no change

• 1 – partition 1

• 2 – partition 2

• 3 – next partition (default)

Using the OIDs mellanoxSWUpdateCmdStatus and mellanoxSWUpdateCmdStatusString, you may view the status of the latest of the aforementioned operations as an integer value or in human-readable form, respectively. The integer values may be as follows:

• 0 – no operation

• 1-100 – progress%

• 101 – success

• 200 – failure

4.14.1.8 IF-MIB and Interface Information

MLNX-OS supports displaying information of switch ports, LAG ports, MLAG ports and VLAN interfaces on all systems via the SNMP interface. This feature is enabled by default. The interface information is available in the ifTable, ifXTable and mellanoxIfVPITable. Additionally, traps for interface up/down and internal link suboptimal speed are enabled. The user has the ability to enable one or both of these traps.

Interface up/down traps are sent whenever there is a change in the interface’s operational state. These traps are suppressed for internal links when the internal link’s speed does not match the configured speed of the link (mismatch condition).


4.14.2 XML API

MLNX-OS XML API is currently under development. For further information please contact Mellanox support.


4.14.3 Commands

4.14.3.1 SNMP

The commands in this section are used to manage the SNMP server.

snmp-server auto-refresh

snmp-server auto-refresh {enable | interval <time>}
no snmp-server auto-refresh enable

Configures SNMPD refresh settings.
The no form of the command disables SNMPD refresh mechanism.

Syntax Description
  enable - Enables SNMPD refresh mechanism.
  interval - Sets SNMPD refresh interval.
  time - In seconds. Range: 20-500.

Default
  Enabled.
  Interval: 60 secs

Configuration Mode
  Config

History
  3.2.3000
  3.4.1100 - Added time parameter and updated notes

Role
  admin

Example
  switch (config) # snmp-server auto-refresh interval 120

Related Commands
  show snmp

Notes
  • When configuring an interval lower than 60 seconds, the following warning message appears asking for confirmation: “Warning: this configuration may increase CPU utilization, Type 'YES' to confirm: YES”.
  • When disabling SNMP auto-refresh, information is retrieved no more than once every 60 seconds just like SNMP tables that do not have an auto-refresh mechanism.


snmp-server community

snmp-server community <community> [ ro | rw]
no snmp-server community <community>

Sets a community name for either read-only or read-write SNMP requests.
The no form of the command sets the community string to default.

Syntax Description
  community - Community name.
  ro - Sets the read-only community string.
  rw - Sets the read-write community string.

Default
  Read-only community: “public”
  Read-write community: “”

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch(config) # snmp-server community private rw
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact:
  System location:
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch(config) #

Related Commands
  show snmp

Notes
  • If neither the “ro” nor the “rw” parameter is specified, the read-only community is set as the default community
  • If the read-only community is specified, only queries can be performed
  • If the read-write community is specified, both queries and sets can be performed


snmp-server contact

snmp-server contact <contact name>
no snmp-server contact

Sets a value for the sysContact variable in MIB-II.
The no form of the command resets the parameter to its default value.

Syntax Description
  contact name - Contact name.

Default
  “”

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # snmp-server contact my-name
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact: my-name
  System location:
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch (config) #

Related Commands
  show snmp

Notes


snmp-server enable

snmp-server enable [communities | mult-communities | notify]
no snmp-server enable [communities | mult-communities | notify]

Enables SNMP-related functionality.
The no form of the command disables the SNMP server.

Syntax Description
  enable - Enables SNMP-related functionality:
    • SNMP engine
    • SNMP traps
  communities - Enables community-based authentication on this system.
  mult-communities - Enables multiple communities to be configured.
  notify - Enables sending of SNMP traps and informs from this system.

Default
  SNMP is enabled by default
  SNMP server communities are enabled by default
  SNMP notifies are enabled by default
  SNMP server multi-communities are disabled by default

Configuration Mode
  Config

History
  3.1.0000 - First version
  3.2.1050 - Change traps to notify

Role
  admin

Example
  switch (config) # snmp-server enable
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact: my-name
  System location:
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch (config) #

Related Commands
  show snmp

Notes
  SNMP traps are only sent if there are trap sinks configured with the “snmp-server host...” command, and if these trap sinks are themselves enabled.


snmp-server host

snmp-server host <IP address> {disable | {traps | informs} [<community> | <port> | version <snmp version>]}
no snmp-server host <IPv4 or IPv6 address> {disable | {traps| informs} [<community> | <port>]}

Configures hosts to which to send SNMP traps.
The no form of the commands removes a host from which SNMP traps should be sent.

Syntax Description
  IP address - IPv4 or IPv6 address.
  disable - Temporarily disables sending of traps to this host.
  community - Specifies trap community string.
  port - Overrides default UDP port for this trap sink.
  snmp version - Specifies the SNMP version of traps to send to this host.

Default
  No hosts are configured
  Default community is “public”
  Default UDP port is 162
  Default SNMP version is 2c

Configuration Mode
  Config

History
  3.1.0000 - First version
  3.2.1050 - Add inform option

Role
  admin

Example
  switch (config) # snmp-server host 10.10.10.10 traps version 1
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact:
  System location:
  Read-only communities:
    public
  Read-write communities:
    (none)
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  Trap sinks:
    10.10.10.10
      Enabled: yes
      Type: traps version 1
      Port: 162 (default)
      Community: public (default)
  switch (config) #

Related Commands
  show snmp
  snmp-server enable

Notes
  This setting is only meaningful if traps are enabled, though the list of hosts may still be edited if traps are disabled. Refer to “snmp-server enable” command.


snmp-server listen

snmp-server listen {enable | interface <ifName>}
no snmp-server listen {enable | interface <ifName> }

Configures SNMP server interface access restrictions.
The no form of the command disables the listen interface restricted list for SNMP server.

Syntax Description
  enable - Enables SNMP interface restrictions on access to this system.
  ifName - Adds an interface to the “listen” list for SNMP server. For example: “mgmt0”, “mgmt1”.

Default
  N/A

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # snmp listen enable
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact:
  System location:
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  Trap sinks:
    10.10.10.10
      Enabled: yes
      Type: traps version 1
      Port: 3
      Community: public (default)
  switch (config) #

Related Commands
  show snmp

Notes
  If enabled, and if at least one of the interfaces listed is eligible to be a listen interface, then SNMP requests will only be accepted on those interfaces. Otherwise, SNMP requests are accepted on any interface.


snmp-server location

snmp-server location <system location>
no snmp-server location

Sets a value for the sysLocation variable in MIB-II.
The no form of the command clears the contents of the sysLocation variable.

Syntax Description
  system location - String.

Default
  “”

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # snmp-server location lab
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 161
  System contact: my-name
  System location: lab
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch (config) #

Related Commands
  show snmp

Notes


snmp-server notify

snmp-server notify {community <community> | event <event name> | port <port> | send-test}
no snmp-server notify {community | event <event name> | port}

Configures SNMP notifications (traps and informs).
The no form of the commands negate the SNMP notifications.

Syntax Description
  community - Sets the default community for traps sent to hosts which do not have a custom community string set.
  event - Specifies which events will be sent as traps.
  port - Sets the default port to which traps are sent.
  send-test - Sends a test trap.

Default
  Community: public
  All informs and traps are enabled
  Port: 162

Configuration Mode
  Config

History
  3.1.0000 - First version
  3.2.1050 - Changed traps to notify

Role
  admin

Example
  switch (config) # snmp-server community public
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 1000
  System contact: my-name
  System location: lab
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch (config) #

Related Commands
  show snmp
  show snmp events

Notes
  • This setting is only meaningful if traps are enabled, though the list of hosts may still be edited if traps are disabled
  • Refer to Mellanox MIB file for the list of supported traps


snmp-server port

snmp-server port <port>
no snmp-server port

Sets the UDP listening port for the SNMP agent.
The no form of the command resets the parameter to its default value.

Syntax Description
  port - UDP port.

Default
  161

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # snmp-server port 1000
  switch (config) # show snmp
  SNMP enabled: yes
  SNMP port: 1000
  System contact: my-name
  System location: lab
  Read-only community: public
  Read-write community: private
  Interface listen enabled: yes
  No Listen Interfaces.
  Traps enabled: yes
  Default trap community: public
  Default trap port: 162
  No trap sinks configured.
  switch (config) #

Related Commands
  show snmp

Notes


snmp-server user

snmp-server user {admin | <username>} v3 {[encrypted] auth <hash-type> <password> [priv <privacy-type> [<password>]] | capability <cap> | enable <sets> | prompt auth <hash-type> [priv <privacy-type>] | require-privacy}
no snmp-server user {admin | <username> } v3 {[encrypted] auth <hash-type> <password> [priv <privacy-type> [<password>]] | capability <cap> | enable <sets> | prompt auth <hash-type> [priv <privacy-type>]}

Specifies an existing username, or a new one to be added.
The no form of the command disables access via SNMP v3 for the specified user.

Syntax Description
  v3 - Configures SNMP v3 users
  auth - Configures SNMP v3 security parameters, specifying passwords in plaintext on the command line (note: passwords are always stored encrypted)
  capability - Sets capability level for SET requests
  enable - Enables SNMP v3 access for this user
  encrypted - Configures SNMP v3 security parameters, specifying passwords in encrypted form
  prompt - Configures SNMP v3 security parameters, specifying passwords securely in follow-up prompts, rather than on the command line
  require-privacy - Requires privacy (encryption) for requests from this user

Default
  No SNMP v3 users defined

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # snmp-server user admin v3 enable
  switch (config) # show snmp user
  User name: admin
  Enabled overall: yes
  Authentication type: sha
  Privacy type: aes-128
  Authentication password: (NOT SET; user disabled)
  Privacy password: (NOT SET; user disabled)
  SET access:
    Enabled: yes
    Capability level: admin
  switch (config) #

Related Commands
  show snmp user

Notes
  • The username chosen here may be anything that is valid as a local UNIX username (alphanumeric, plus '-', '_', and '.'), but these usernames are unrelated to, and independent of, local user accounts. That is, they need not have the same capability level as a local user account of the same name. Note that these usernames should not be longer than 31 characters, or they will not work.
  • The hash algorithm specified is used both to create digests of the authentication and privacy passwords for storage in configuration, and also in HMAC form for the authentication protocol itself.
  • If the command ends after the auth password, the privacy algorithm is set to its default, which is AES-128, and the privacy password is set to whatever was specified for the authentication password. You may also specify the privacy algorithm while still not specifying a separate password.
  • There are three variants of the command, which branch out after the “v3” keyword. If “auth” is used next, the passwords are specified in plaintext on the command line. If “encrypted” is used next, the passwords are specified encrypted (hashed) on the command line. If “prompt-pass” is used, the passwords are not specified on the command line; the user is prompted for them when the command is executing. If “priv” is not specified, only the auth password is prompted for. If “priv” is specified, the privacy password is prompted for; entering an empty string for this prompt will result in using the same password specified for authentication.


show snmp

show snmp [auto-refresh | engineID | events | host | user]

Displays SNMP-server configuration and status.

Syntax Description
  auto-refresh - SNMP refreshed mechanism status.
  engineID - SNMP Engine ID.
  events - SNMP events.
  host - List of notification sinks.
  user - SNMP users.

Default
  N/A

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # show snmp user
  User name: Hendrix
  Enabled overall: yes
  Authentication type: sha
  Privacy type: des
  Authentication password: (set)
  Privacy password: (set)
  Require privacy: yes
  SET access:
    Enabled: yes
    Capability level: admin
  switch (config) #

Related Commands
  show snmp

Notes


show snmp auto-refresh

show snmp auto-refresh

Displays SNMPD refresh mechanism status.

Syntax Description
  N/A

Default
  N/A

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch(config) # show snmp auto-refresh
  =================
  SNMP auto refresh
  =================
  Auto-refresh enabled: yes
  Refresh interval (sec): 60
  =====================
  Auto-Refreshed tables
  =====================
  entPhysicalTable
  ifTable
  ifXTable
  switch(config) #

Related Commands
  snmp-server auto-refresh

Notes


4.14.3.2 XML API

xml-gw enable

xml-gw enable
no xml-gw enable

Enables the XML gateway.
The no form of the command disables the XML gateway.

Syntax Description
  N/A

Default
  XML Gateway is enabled

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # xml-gw enable
  switch (config) # show xml-gw
  XML Gateway enabled: yes
  switch (config) #

Related Commands
  show xml-gw

Notes


show xml-gw

show xml-gw

Displays the XML gateway setting.

Syntax Description
  N/A

Default
  N/A

Configuration Mode
  Config

History
  3.1.0000

Role
  admin

Example
  switch (config) # show xml-gw
  XML Gateway enabled: yes
  switch (config) #

Related Commands
  xml-gw enable

Notes


4.15 Puppet Agent

Puppet is software that allows network administrators to automate repetitive tasks. MLNX-OS includes a built-in agent for the open-source “Puppet” configuration change management system.

The Puppet agent enables configuring Mellanox switches in accordance with the standard “puppet-netdev-stdlib” type library and with the “Mellanox-netdev-stdlib-mlnxos” and “Mellanox-netdev-ospf-stdlib” type libraries provided by Mellanox Technologies to the Puppet community.

For more information, please refer to the CLI commands, to the NetDev documentation at https://github.com/puppetlabs/puppet-netdev-stdlib and to Mellanox’s Puppet modules GitHub page at https://github.com/Mellanox.

4.15.1 Setting the Puppet Server

To set the puppet server:

Step 1. Define the Puppet server (the name must be a DNS name, not an IP address). Run:

switch (config) # puppet-agent master-hostname <please_type_your_hostname_DNS_here>
switch (config) #

Step 2. Enable the Puppet agent. Run:

switch (config) # puppet-agent enable
switch (config) #

Step 3. (Optional) Verify there are no errors in the Puppet agent log. Run:

switch (config) # show puppet-agent log continuous
switch (config) #

4.15.2 Accepting the Switch Request


This is to be performed on the first run only.

To accept the switch’s request:

Option 1 – using Puppet CLI commands:

Step 1. Make sure the certificate request is listed. Run:

# puppet cert list
"<switch>" (F4:B4:20:3B:2B:11:76:37:14:34:D0:D1:03:ED:3D:B5)

Step 2. Sign the certificate request if the cert_name parameter (e.g. switch1.domain) is in the list. Run:

# puppet cert sign <full_domain_name>

Step 3. Verify the request is removed from the Puppet certification list. Run:

# puppet cert list

Option 2 – accept certificate requests in the puppet server console:

Step 1. Go to the “nodes requests” page (the button is at the top right), wait for a certificate request for the switch, and then accept it.


Figure 12: Accepting an Agent Request through the Console


4.15.3 Installing Modules on the Puppet Server

Mellanox uses netdev-stdlib types and provides a package of Mellanox providers for those types which have to be installed at the Puppet server prior to the first Puppet configuration run (before configuring resources on the Mellanox switch).

To install those modules, run the following commands in the Puppet server:

# puppet module install netdevops-netdev_stdlib

# puppet module install mellanox-netdev_ospf_stdlib

# puppet module install mellanox-netdev_stdlib_mlnxos

In case of an already installed module, please use the command “puppet module upgrade <module_name>” or “puppet module install <module_name> --force” instead of “puppet module install <module_name>” to reinstall the modules.

For more information please refer to the Network Automation Tools document or Puppet category in the Mellanox community site at: http://community.mellanox.com/community/support/solutions.

4.15.4 Writing Configuration Classes

To write configuration classes:

Step 1. Assigning Configuration Classes to a Node

Configuration files can be written and changed in the puppet server machine in the directory “/etc/puppetlabs/puppet/manifests/” (or “/etc/puppet/manifests” in case of an open source puppet server).

The file “/etc/puppetlabs/puppet/manifests/site.pp” is the main file for Puppet-classes-to-nodes association. To associate a configuration to a Puppet agent node, just append association lines as below:

import "netdev_vlan_example"
import "netdev_l2_interface_example"  # matches netdev_l2_interface_example.pp in Step 3
import "netdev_lag_example"
node 'switch-6375dc.mtr.labs.mlnx'{
    netdev_device { $hostname: }
    include vlan_example # Asserts a class vlan_example in one of the files
    include l2_interface_example
    include lag_example
}

If you have a puppet console, you may assign classes of configuration in the following way:

• Add the relevant classes (using the console add class button on the “nodes” page).

• Assign the classes to the relevant nodes/groups in the puppet server console (in the console node/group page -> edit -> Classes).

Step 2. Update VLAN

Manifest example (located in “/etc/puppetlabs/puppet/manifests/netdev_vlan_example.pp”):

class vlan_example{
    $vlans = {
        'Vlan244' => {vlan_id => 244, ensure => present},
        'Vlan245' => {vlan_id => 245, ensure => present},
    }
    create_resources( netdev_vlan, $vlans )
}

Step 3. Update Layer 2 Interface.

Manifest example (located in “/etc/puppetlabs/puppet/manifests/netdev_l2_interface_example.pp”):

class vlans_ensure_example{
    $vlans = {
        'Vlan347' => {vlan_id => 347, ensure => present},
        'Vlan348' => {vlan_id => 348, ensure => present},
        'Vlan349' => {vlan_id => 349, ensure => present},
    }
    create_resources( netdev_vlan, $vlans )
}
class l2_interface_example{
    include vlans_ensure_example #class to Ensure VLANs before assigning
    $l2_interfaces = {
        'ethernet 1/3' => {ensure => absent, vlan_tagging => disable}, #default
        'ethernet 1/4' => {ensure => present, vlan_tagging => enable, tagged_vlans => [Vlan348,Vlan347], untagged_vlan => Vlan349} #hybrid
    }
    create_resources( netdev_l2_interface, $l2_interfaces )
}

Step 4. Update LAG.

Manifest example (located in “/etc/puppetlabs/puppet/manifests/netdev_lag_example.pp”):

class lag_example{
    $lags = {
        'port-channel 101' => {ensure => present, links => ['ethernet 1/12', 'ethernet 1/13'], lacp => active},
        'port-channel 102' => {ensure => present, links => ['ethernet 1/6','ethernet 1/5'], lacp => disabled},
    }
    create_resources( netdev_lag, $lags )
}

You may add classes to ensure that all assigned links have the same layer 1 and layer 2 configurations (similarly to the vlans_ensure_example class in the Update Layer 2 Interface step).

4.15.5 Supported Configuration Capabilities

4.15.5.1 Ethernet, Port-Channel, and InfiniBand Interface Capabilities

Table 32 - Ethernet, Port-Channel, and InfiniBand Interface Capabilities

ensure
  Description: Sets the given values or restores the interface to default
  Values: absent, present
  Example: ensure => present

speed
  Description: Sets the speed of the interface.
  Values: auto*|10m|100m|1g|10g|40g|56g
  Example: speed => 1g

admin
  Description: Disables/enables interface admin state.
  Values: up, down
  Example: admin => up

mtu
  Description: Configures the maximum transmission unit frame size for the interface.
  Values: Ethernet: 1518-9216
  Example: mtu => 1520

description
  Description: Sets the Ethernet, LAG and InfiniBand description.
  Values: Text
  Example: description => “changed_by_puppet”


4.15.5.2 VLAN Capabilities

Table 33 - VLAN Capabilities

ensure
  Description: Creates or destroys the VLAN given as a resource ID
  Values: absent, present
  Example: ensure => present

vlan_id
  Description: The VLAN ID
  Values: 1-4094 (integer)
  Example: vlan_id => 245

4.15.5.3 Layer 2 Ethernet Interface Capabilities

Table 34 - L2 Ethernet and Port-Channel Interface Capabilities

ensure
  Description: Sets the given values or restores the Layer 2 interface to default.
  Values: absent, present
  Example: ensure => present

vlan_tagging
  Description: VLAN tagging mode
  Values: enable, disable
  Example: vlan_tagging => enable

tagged_vlans
  Description: List of tagged (trunked) VLANs
  Values: 2-4994 (range)
  Example: tagged_vlans => [Vlan348,Vlan347]

untagged_vlan
  Description: Untag (access) VLAN
  Values: <VLAN name>
  Example: untagged_vlan => Vlan349

4.15.5.4 LAG (Port-Channel) Capabilities

Table 35 - LAG Capabilities

ensure
  Description: creates or destroys the port-channel given as a resource ID
  Values: absent, present
  Example: ensure => present

lacp
  Description: The LACP mode of the LAG
  Values: passive | active | on
  Example: lacp => on

links
  Description: List of ports assigned to the LAG
  Values: List of link names
  Example: links => ['ethernet 1/6','ethernet 1/5']

4.15.5.5 Layer 3 Interface Capabilities

Table 36 - L3 Interface Capabilities

ensure
  Description: Creates or destroys the interface VLAN specified in the resource ID.
  Values: present, absent
  Example: ensure => present

ipaddress
  Description: Sets IP address on the Layer 3 interface (requires netmask).
  Values: A valid IP address
  Example: ipaddress => ‘192.168.4.2’

netmask
  Description: Sets netmask for the IP address.
  Values: A valid netmask (of the form X1.X2.X3.X4), which creates a valid combination with the given IP address
  Example: netmask => ‘255.255.255.0’

method
  Description: Configures the method of the L3 interface (currently supports only static method).
  Values: static
  Example: method => static

4.15.5.6 OSPF Interface Capabilities

Table 37 - OSPF Interface Capabilities

Field: ensure
Description: Creates or destroys the OSPF interface of the associated interface of the VLAN specified in the resource ID
Values: present, absent
Example: ensure => present

Field: area_id
Description: The associated area ID
Values: Integer representing an IP
Example: area_id => '7200'

Field: type
Description: The network type
Values: broadcast, point_to_point
Example: type => 'point_to_point'

4.15.5.7 OSPF Area Capabilities

Table 38 - OSPF Area Capabilities

Field: ensure
Description: Creates or destroys the OSPF area specified in the resource ID
Values: present, absent
Example: ensure => present

Field: router_id
Description: The OSPF area associated router ID (currently supports only default router)
Values: default
Example: router_id => 'default'

Field: ospf_area_mode
Description: The OSPF area mode
Values: normal, stub, nssa
Example: ospf_area_mode => 'stub'

Field: subnets
Description: A list of associated subnets
Values: List of subnets
Example: subnets => ["192.168.4.0/24", "192.168.5.0/24"]

4.15.5.8 Router OSPF Capabilities

Table 39 - Router OSPF Capabilities

Field: ensure
Description: Enables/disables the router ID specified in the resource ID
Values: present, absent
Example: ensure => present

4.15.5.9 Protocol LLDP, SNMP, IP Routing and Spanning Tree Capabilities

Table 40 - Protocol Enable/Disable Capabilities

Field: ensure
Description: Enables/disables the protocol specified in the resource ID
Values: present, absent
Example: ensure => present

4.15.5.10 Fetched Image Capabilities

Table 41 - Fetched Image Capabilities

Field: ensure
Description: Enables/disables the protocol specified in the resource ID
Values: present, absent
Example: ensure => present

Field: protocol
Description: Specifies the protocol for fetch method
Values: http, https, ftp, tftp, scp, sftp
Example: protocol => scp

Field: host
Description: The host where the file is located
Values: DNS/IP
Example: host => my_DNS

Field: user
Description: The username for fetching the image
Values: Username
Example: user => my_username

Field: password
Description: The password for fetching the image
Values: Password
Example: password => my_pass

Field: location
Description: The location of the file name in the host file system
Values: Directory full path
Example: location => '/tmp'

Field: force_delete
Description: Remove all the images or only the ones which are not installed on any partition, before fetching
Values: yes, no
Example: force_delete => no

4.15.5.11 Installed Image Capabilities

Table 42 - Installed Image Capabilities

Field: ensure
Description: Specifies if the image version given as resource ID is ensured to be installed or not
Values: present, absent
Example: ensure => present

Field: is_next_boot
Description: Ensures that the installed image is the next boot partition
Values: yes, no
Example: is_next_boot => yes

Field: configuration_write
Description: Writes configurations to database.
Values: yes, no
Example: configuration_write => yes

Field: force_reload
Description: Reload if image is in other partition.
Values: yes, no
Example: force_reload => no
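A pre-flight check of resource parameters against the value columns of Tables 32-41, as an added example that is not part of the Mellanox Puppet module. The helper names validate and check_l3 are hypothetical, the reading of "valid combination" as "a host address inside the subnet" is an assumption, and the warning about passwords on unencrypted fetch protocols is an added check.

```python
import ipaddress

# Allowed values transcribed from Tables 32-41 of this section.
ENUMS = {
    ("netdev_interface", "speed"): {"auto", "10m", "100m", "1g", "10g", "40g", "56g"},
    ("netdev_interface", "admin"): {"up", "down"},
    ("netdev_l2_interface", "vlan_tagging"): {"enable", "disable"},
    ("netdev_lag", "lacp"): {"passive", "active", "on"},
    ("netdev_l3_interface", "method"): {"static"},
    ("netdev_ospf_interface", "type"): {"broadcast", "point_to_point"},
    ("netdev_ospf_area", "ospf_area_mode"): {"normal", "stub", "nssa"},
    ("mlnx_fetched_img", "protocol"): {"http", "https", "ftp", "tftp", "scp", "sftp"},
}
# Inclusive integer ranges from Tables 32 and 33.
RANGES = {
    ("netdev_interface", "mtu"): (1518, 9216),  # the table states this for Ethernet
    ("netdev_vlan", "vlan_id"): (1, 4094),
}
# Fetch protocols that carry the password without transport encryption.
CLEARTEXT = {"http", "ftp", "tftp"}


def check_l3(params):
    """Check that ipaddress and netmask form a usable host address."""
    if "netmask" not in params:
        return ["ipaddress requires netmask"]
    try:
        iface = ipaddress.IPv4Interface(f"{params['ipaddress']}/{params['netmask']}")
    except ValueError as exc:  # bad address or non-contiguous mask
        return [f"invalid ipaddress/netmask: {exc}"]
    if str(iface.netmask) != params["netmask"]:
        # ipaddress also accepts prefix lengths and host masks; the table does not.
        return ["netmask must be a dotted-quad network mask"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return [f"{iface.ip} is the network or broadcast address of {net}"]
    return []


def validate(rtype, title, params):
    """Return a list of problems for one resource declaration (empty if clean)."""
    problems = []
    if params.get("ensure", "present") not in ("present", "absent"):
        problems.append(f"ensure={params['ensure']!r}: expected present or absent")
    for name, value in params.items():
        allowed = ENUMS.get((rtype, name))
        if allowed is not None and not (isinstance(value, str) and value in allowed):
            problems.append(f"{name}={value!r}: expected one of {sorted(allowed)}")
        bounds = RANGES.get((rtype, name))
        if name == "mtu" and not title.startswith("ethernet"):
            bounds = None  # no MTU range is given for other interface kinds
        if bounds and not (type(value) is int and bounds[0] <= value <= bounds[1]):
            problems.append(f"{name}={value!r}: expected integer {bounds[0]}-{bounds[1]}")
    if rtype == "netdev_l3_interface" and "ipaddress" in params:
        problems += check_l3(params)
    if (rtype == "mlnx_fetched_img" and params.get("protocol") in CLEARTEXT
            and params.get("password")):
        problems.append("password would cross the network unencrypted; use scp, sftp or https")
    return problems


if __name__ == "__main__":
    # Constructed declarations mirroring the examples in the tables above.
    samples = [
        ("netdev_interface", "ethernet 1/3", {"speed": "1g", "admin": "up", "mtu": 1500}),
        ("netdev_l3_interface", "vlan 4", {"ipaddress": "192.168.4.255",
                                           "netmask": "255.255.255.0"}),
        ("mlnx_fetched_img", "image.img", {"protocol": "ftp", "host": "my_DNS",
                                           "user": "my_username", "password": "my_pass"}),
    ]
    for rtype, title, params in samples:
        for problem in validate(rtype, title, params):
            print(f"{rtype}[{title}]: {problem}")
```

Running the check over the node definitions before the agent's next run interval catches out-of-range values on the server instead of in the switch's puppet-agent log.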

4.15.6 Supported Resources for Each Type

Table 43 - Fetched Image Capabilities

Resource Type: Network device
Puppet Type Name: netdev_device
Supported Resource IDs: $hostname
Example: netdev_device { $hostname: }

Resource Type: Layer 1 interface
Puppet Type Name: netdev_interface
Supported Resource IDs: 'ethernet <#ID>', 'portchannel <#id>', 'ib <#ID>'
Example: netdev_interface{'ethernet 1/3': ensure => absent}

Resource Type: Layer 2 interface
Puppet Type Name: netdev_l2_interface
Supported Resource IDs: 'ethernet <#ID>', 'portchannel <#id>'
Example: netdev_l2_interface{'ethernet 1/3': ensure => absent}

Resource Type: VLAN
Puppet Type Name: netdev_vlan
Supported Resource IDs: VLAN name string
Example: netdev_vlan {'Vlan244': vlan_id => 244, ensure => present }

Resource Type: LAG
Puppet Type Name: netdev_lag
Supported Resource IDs: 'port-channel <#id>'
Example: netdev_lag {'port-channel 101': ensure => present }

Resource Type: Layer 3 interface
Puppet Type Name: netdev_l3_interface
Supported Resource IDs: 'vlan <#ID>'
Example: netdev_l3_interface{ 'vlan 4': ipaddress => '192.168.4.2', netmask => '255.255.255.0'}

Resource Type: OSPF interface
Puppet Type Name: netdev_ospf_interface
Supported Resource IDs: 'vlan <#ID>'
Example: netdev_ospf_interface{ 'vlan 4': ensure => present, area_id => '10' }

Resource Type: OSPF area
Puppet Type Name: netdev_ospf_area
Supported Resource IDs: Valid area ID (representing an IP)
Example: netdev_ospf_area{ '10': ensure => present, ospf_area_mode=>'stub'}

Resource Type: OSPF router
Puppet Type Name: netdev_router_ospf
Supported Resource IDs: Currently only supports 'default'
Example: netdev_router_ospf {'default': ensure => present }

Resource Type: Protocol
Puppet Type Name: mlnx_protocol
Supported Resource IDs: ip_routing, lldp, snmp, spanning_tree
Example: mlnx_protocol { 'ip_routing': ensure => present}

Resource Type: Fetched image
Puppet Type Name: mlnx_fetched_img
Supported Resource IDs: The image file name
Example: mlnx_fetched_image { 'image-PPC_M460EX-3.3.4300.img': ensure => present}

Resource Type: Installed image
Puppet Type Name: mlnx_installed_img
Supported Resource IDs: The image version name
Example: mlnx_installed_img { '3.3.4300': ensure => present}

4.15.7 Troubleshooting

This section presents common issues that may prevent the switch from connecting to the puppet server.

4.15.7.1 Switch and Server Clocks are not Synchronized

This can be fixed by using NTP to synchronize the clocks at the switch (using the CLI command ntp ) and at the server (e.g. using ntpdate).

4.15.7.2 Outdated or Invalid SSL Certificates Either on the Switch or the Server

This can be fixed on the switch using the CLI command puppet-agent clear-certificates (requires puppet-agent restart to take effect).

On the server it can be fixed by running puppet cert clean <switch_fqdn> (FQDN is the Fully Qualified Domain Name which consists of a hostname and a domain suffix).

4.15.7.3 Communications Issue

Make sure it is possible to ping the puppet server hostname from the switch (using the CLI command ping).

If the hostname is not reachable (e.g. no DNS server) it can be statically added to the switch local hosts lookup (using the CLI command ip host).

Make sure that port 8140 is open (using the command tracepath {<hostname> | <ip>}/8140).

4.15.8 Commands

puppet-agent

puppet-agent

Enters puppet agent configuration mode.

Syntax Description: N/A
Default: None
Configuration Mode: Config
History: 3.3.4200
Role: admin
Example:
switch (config) # puppet-agent
switch (config puppet-agent) #
Related Commands:
Notes:

master-hostname

master-hostname <hostname>
no master-hostname

Sets the puppet server hostname.
The no form of the command resets the parameter to its default.

Syntax Description:
  hostname: Puppet server hostname. Free string may be entered.
Default: puppet
Configuration Mode: Config Puppet
History: 3.3.4200
Role: admin
Example:
switch (config puppet-agent) # master-hostname my-puppet-server-hostname
switch (config puppet-agent) #
Related Commands:
Notes:

enable

enable
no enable

Enables the puppet server on the switch.
The no form of the command disables the puppet server.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config Puppet
History: 3.3.4200
Role: admin
Example:
switch (config puppet-agent) # enable
switch (config puppet-agent) #
Related Commands:
Notes:

run-interval

run-interval <time>

Configures the time interval in which the puppet agent reports to the puppet server.

Syntax Description:
  time: Can be in seconds ("30" or "30s"), minutes ("30m"), hours ("6h"), days ("2d"), or years ("5y").
Default: 30m
Configuration Mode: Config Puppet
History: 3.3.4302
Role: admin
Example:
switch (config puppet-agent) # run-interval 40m
switch (config puppet-agent) #
Related Commands: show puppet-agent
Notes:

restart

puppet-agent restart

Restarts the puppet agent.

Syntax Description: N/A
Default: N/A
Configuration Mode: Config Puppet
History: 3.3.4200
Role: admin
Example:
switch (config puppet-agent) # restart
switch (config puppet-agent) #
Related Commands:
Notes:

show puppet-agent

show puppet-agent

Displays Puppet agent status and configuration.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History:
  3.3.4200
  3.3.4302: Updated output with run interval
Role: admin
Example:
switch (config puppet-agent) # show puppet-agent
Puppet agent is disabled
Puppet master hostname: puppet
Run interval: 40m
switch (config puppet-agent) #
Related Commands:
Notes:

show puppet-agent log

show puppet-agent log [[not] [matching | continuous] <string> | files [[not] matching] <string>]

Displays the Puppet agent’s log file.

Syntax Description:
  continuous: Puppet agent log messages as they arrive.
  files: Displays archived Puppet agent log files.
  matching: Displays Puppet agent log that match a given string.
  not: Displays Puppet agent log that do not meet a certain string.
  string: Free string.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.3.4200
Role: admin
Example:
switch (config puppet-agent) # show puppet-agent log
Mon Nov 04 11:52:42 +0000 2013 Puppet (notice): Starting Puppet client version 3.2.3
Mon Nov 04 11:52:44 +0000 2013 Puppet (warning): Unable to fetch my node definition, but the agent run will continue:
Mon Nov 04 11:52:44 +0000 2013 Puppet (warning): Could not intern from pson: source '"#<Puppet::Node:0x7f' not in PSON!
Mon Nov 04 11:53:21 +0000 2013 /Netdev_vlan[Vlan104]/ensure (notice): created
Mon Nov 04 11:53:22 +0000 2013 /Netdev_vlan[Vlan101]/ensure (notice): created
Mon Nov 04 11:53:23 +0000 2013 /Netdev_vlan[Vlan102]/ensure (notice): created
Mon Nov 04 11:53:24 +0000 2013 /Netdev_vlan[Vlan103]/ensure (notice): created
Mon Nov 04 11:53:40 +0000 2013 /Netdev_l2_interface[ethernet 1/6]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan103'
Mon Nov 04 11:53:43 +0000 2013 /Netdev_l2_interface[ethernet 1/7]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan103'
Mon Nov 04 11:53:48 +0000 2013 /Netdev_vlan[Vlan100]/ensure (notice): created
Mon Nov 04 11:53:48 +0000 2013 /Netdev_l2_interface[ethernet 1/5]/vlan_tagging (notice): vlan_tagging changed 'enable' to 'disable'
Mon Nov 04 11:53:48 +0000 2013 /Netdev_l2_interface[ethernet 1/5]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan100,Vlan101,Vlan102]'
Mon Nov 04 11:53:51 +0000 2013 /Netdev_l2_interface[ethernet 1/1]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan101,Vlan104]'
Mon Nov 04 11:53:51 +0000 2013 /Netdev_l2_interface[ethernet 1/1]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan100'
Mon Nov 04 11:53:54 +0000 2013 /Netdev_l2_interface[ethernet 1/3]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan101,Vlan104]'
Mon Nov 04 11:53:54 +0000 2013 /Netdev_l2_interface[ethernet 1/3]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan100'
Mon Nov 04 11:53:58 +0000 2013 /Netdev_l2_interface[ethernet 1/4]/vlan_tagging (notice): vlan_tagging changed 'enable' to 'disable'
Mon Nov 04 11:53:58 +0000 2013 /Netdev_l2_interface[ethernet 1/4]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan100,Vlan101,Vlan102]'
Mon Nov 04 11:54:03 +0000 2013 /Netdev_l2_interface[ethernet 1/2]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan101,Vlan104]'
Mon Nov 04 11:54:03 +0000 2013 /Netdev_l2_interface[ethernet 1/2]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan100'
Mon Nov 04 11:54:06 +0000 2013 Puppet (notice): Finished catalog run in 47.90 seconds
switch (config puppet-agent) #
Related Commands:
Notes:
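The log format shown in the show puppet-agent log example can be turned into a change audit. The following is an added example, not part of MLNX-OS or Puppet: it parses that line format, extracts each resource change, and flags changes to resources outside an operator-supplied set. The function names and the "expected" set are hypothetical, and the sample lines are an excerpt of the output above.

```python
import re
from datetime import datetime

# Excerpt of the example output above, embedded so the block runs offline.
SAMPLE_LOG = """\
Mon Nov 04 11:52:42 +0000 2013 Puppet (notice): Starting Puppet client version 3.2.3
Mon Nov 04 11:52:44 +0000 2013 Puppet (warning): Unable to fetch my node definition, but the agent run will continue:
Mon Nov 04 11:53:21 +0000 2013 /Netdev_vlan[Vlan104]/ensure (notice): created
Mon Nov 04 11:53:40 +0000 2013 /Netdev_l2_interface[ethernet 1/6]/untagged_vlan (notice): untagged_vlan changed 'default' to 'Vlan103'
Mon Nov 04 11:53:48 +0000 2013 /Netdev_l2_interface[ethernet 1/5]/vlan_tagging (notice): vlan_tagging changed 'enable' to 'disable'
Mon Nov 04 11:53:48 +0000 2013 /Netdev_l2_interface[ethernet 1/5]/tagged_vlans (notice): tagged_vlans changed '[]' to '[Vlan100,Vlan101,Vlan102]'
Mon Nov 04 11:54:06 +0000 2013 Puppet (notice): Finished catalog run in 47.90 seconds
"""

# <timestamp> <source> (<level>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} \d{4}) "
    r"(?P<source>.+?) \((?P<level>\w+)\): (?P<msg>.*)$"
)
# /Type[title]/property, e.g. /Netdev_l2_interface[ethernet 1/6]/untagged_vlan
RESOURCE_RE = re.compile(r"^/(?P<type>\w+)\[(?P<title>[^\]]+)\]/(?P<prop>\w+)$")
CHANGE_RE = re.compile(r"changed '(?P<old>.*)' to '(?P<new>.*)'$")
ROUTINE_LEVELS = {"debug", "info", "notice"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %z %Y"),
        "level": m["level"],
        "message": m["msg"],
        "resource": None,
    }
    res = RESOURCE_RE.match(m["source"])
    if res:
        change = CHANGE_RE.search(m["msg"])
        event["resource"] = (res["type"], res["title"])
        event["property"] = res["prop"]
        event["old"] = change["old"] if change else None
        # Lines such as "created" carry no old/new pair; keep the action word.
        event["new"] = change["new"] if change else m["msg"]
    return event


def audit(log_text, expected):
    """Split a log into resource changes, non-routine messages, and changes
    to resources that are not in `expected` (a set of (type, title) pairs)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    changes = [e for e in events if e["resource"]]
    return {
        "changes": changes,
        "warnings": [e for e in events if e["level"] not in ROUTINE_LEVELS],
        "unexpected": [e for e in changes if e["resource"] not in expected],
    }


if __name__ == "__main__":
    # Hypothetical change ticket: only these resources were meant to change.
    approved = {("Netdev_vlan", "Vlan104"), ("Netdev_l2_interface", "ethernet 1/5")}
    report = audit(SAMPLE_LOG, approved)
    for e in report["unexpected"]:
        print(f"{e['time'].isoformat()} {e['resource']} "
              f"{e['property']}: {e['old']!r} -> {e['new']!r}")
```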

4.16 Virtual Machine

A virtual machine (VM) can be added to a switch to allow an additional OS to run on top of the switch.

The VM OS can connect through the mgmt0 interface to the switch system’s management interface.

In addition, the VM is also connected to the out-of-band network. This allows it to communicate through the network and to control the switch management software.

The number of VMs that may run on a system is user-configurable and also relies on resource availability.

The number of configurable VMs is limited to 4.

Each VM consumes the following resources:

• Memory

• Processing power which is not policed (the user may determine the core to be used)

• MACs which are required for each vNIC (user configurable)

4.16.1 Virtual Machine Configuration

To configure a VM:

The example below installs Ubuntu 14 and defines 3GB storage with 512MB memory (default) using the first core of the switch system (default) through mgmt0 interface (default) with an auto-generated MAC (default).

Step 1. Enable the VM feature. Run:
switch (config) # virtual-machine enable

Step 2. Create a VM. Run:
switch (config) # virtual-machine host my-vm
switch (config virtual-machine host my-vm) #

Step 3. Define storage for the VM. Run:
switch (config virtual-machine host my-vm) # storage create disk size-max 3000
100.0% [#################################################################]
Created empty virtual disk volume 'vdisk001.img' in pool 'default'
Device attached to drive number 1.
switch (config virtual-machine host my-vm) #

Step 4. Display the VM parameters (notice boldface). Run:
switch (config virtual-machine host my-vm) # show virtual-machine host my-vm
VM 'my-vm'
Status: shut off Architecture: x86_64
VCPU used: 0 sec Number of VCPUs: 1
Boot order: hd, cdrom Memory size: 512 MB
Consoles: text, graphics
Storage:
IDE bus, drive 1: default/vdisk001.img (3000 MB capacity)
Interfaces:
1: on bridge 'mgmt0' address unknown (MAC 52:54:00:2F:89:69)
switch (config virtual-machine host my-vm) # exit
switch (config) #

Step 5. Import the VM image. Run:
switch (config) # virtual-machine volume fetch url scp://root@<ip>/.../ubuntu-14.04-server-amd64.iso
Password (if required): *************
100.0% [#################################################################]

Step 6. Install the imported image. Run:
switch (config) # virtual-machine host my-vm
switch (config virtual-machine host my-vm) # install cdrom file ubuntu-14.04-server-amd64.iso

Step 7. Switch to a different terminal, and run the following command to connect VNC viewer to the VM:
$ vncviewer -via admin@<switch IP> 127.0.0.1:0
...
Mellanox MLNX-OS Switch Management
Password: ************

Continue VM installation from the VNC prompt.

The switch prompt is unresponsive pending a successful VM installation. Successful VM installation is indicated by the reboot of the VM.

VM IP is determined by DHCP configuration according to the MAC address in Step 4.

To verify VM configuration, run:
switch (config virtual-machine host my-vm) # show virtual-machine host my-vm
VM 'my-vm'
Status: running Architecture: x86_64
VCPU used: 12 min 27.440 sec Number of VCPUs: 1
Boot order: cdrom, hd Memory size: 512 MB
Consoles: text, graphics
Storage:
IDE bus, drive 1: default/vdisk001.img (3000 MB capacity)
IDE bus, drive 2: default/ubuntu-14.04-server-amd64.iso (564 MB capacity) READ-ONLY
Interfaces:
1: on bridge 'mgmt0' address unknown (MAC 52:54:00:2F:89:69)

To remove a storage assigned to a VM:

Step 1. Remove the VM assigned the disk space. Run:
switch (config) # no virtual-machine host my-vm

Step 2. Remove the disk space assigned to that VM. Run:
switch (config) # no virtual-machine volume file mydisk.img

4.16.2 Commands

4.16.2.1 Config

virtual-machine enable

virtual-machine enable
no virtual-machine enable

Enables VM feature on the switch.
The no form of the command disables VM feature on the switch.

Syntax Description: N/A
Default: no virtual-machine enable
Configuration Mode: Config
History: 3.4.0000
Role: admin
Example:
switch (config) # virtual-machine enable
Related Commands:
Notes:

virtual-machine host

virtual-machine host <vm-name>
no virtual-machine host <vm-name>

Creates a VM, or enters its configuration context if it already exists.
The no form of the command removes the VM of the specified name.

Syntax Description:
  vm-name: Configures a name for the VM.
Default: N/A
Configuration Mode: Config
History: 3.4.0000
Role: admin
Example:
switch (config)# virtual-machine host my-vm
switch (config virtual-machine host my-vm)#
Related Commands:
Notes:

arch

arch {i386 | x86_64}

Configures VM CPU architecture.

Syntax Description:
  i386: 32-bit x86 CPU architecture
  x86_64: 64-bit x86 CPU architecture
Default: x86_64
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# arch i386
Related Commands: virtual-machine
Notes:

comment

comment <string>
no comment

Configures a comment describing the VM.
The no form of the command deletes the configured comment.

Syntax Description:
  string: Free string
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# comment "example VM"
Related Commands: virtual-machine
Notes: To configure a multi-word string, the string must be placed within quotation marks.

console

console {connect [graphics | text [force]] | graphics vnc | text tty}
no console {graphics vnc | text tty}

Configures or connects to a text or graphical console.
The no form of the command clears console settings.

Syntax Description:
  connect: Connects to the text console unless specified otherwise:
    • graphics – connects to the X11 graphical (VNC) console
    • text – connects to the text console
  graphics vnc: Enables graphical (VNC) console access
  text tty: Enables TTY text console access
Default: Graphical and textual consoles are enabled
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# console connect text
Related Commands:
  virtual-machine
  ssh server x11-forwarding enable
Notes:
• To exit the text console press Ctrl-6 (or Ctrl-Shift-6)
• If the guest OS is not configured to receive input from a serial console (ttyS0), the VM console becomes unresponsive when connected to.
• To view the graphical console, X display must be enabled. There are two options to activate it: the command vncviewer -via admin@<switchIP> 127.0.0.1:<VNC display num> (which is run from an external Linux host) and the command ssh server x11-forwarding enable (which is run from within the switch and requires that you log out and log back in again using ssh -X). The latter command weakens the switch security; therefore, it is recommended to opt for the first option. The VNC display num parameter may be obtained by running the command show virtual-machine <vm-name> detail.

install

install {cancel | cdrom [pool <pool-name>] {file <volume-name> [connect-console <console-type> | disk-overwrite | timeout {<minutes> | none}]}}

Installs an operating system onto this VM (temporarily attach a CD and boot from it).

Syntax Description:
  cancel: Cancels an install already in progress
  cdrom: Installs an operating system from a CD-ROM (ISO) image
  pool <pool-name>: Configures storage pool in which to find image to install:
    • default
    • usb
  file <volume-name>: Specifies CD-ROM (ISO) image from which to install
  connect-console <console-type>: Connects to the console during installation. The types may be:
    • text – text console
    • graphics – graphical console
  disk-overwrite: Installs even if primary target volume is not empty
  timeout {<minutes> | none}: Configures a timeout for installation in minutes (default is no timeout).
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# install cdrom pool usb file <image>
Related Commands: virtual-machine
Notes: The default pool from which the system installs the ISO image is the /var/ partition in the switch.

interface

interface <id> {bridge <bridge> | macaddr <mac> | model <model> | name <name>}

Configures virtual interfaces.

Syntax Description:
  <id>: Interface ID number (1-8 permitted)
  bridge <bridge>: Configures bridge for this interface (i.e. mgmt0 or mgmt1)
  macaddr <mac>: Configures MAC address (e.g. ff:ee:dd:cc:bb:aa)
  model <model>: Configures virtual interface model:
    • realtek-8139 – Realtek 8139 (default)
    • virtio – Virtual IO
  name <name>: Configures virtual interface name. The name must begin with "vif".
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# interface 1 model virtio
Related Commands: virtual-machine
Notes:

memory

memory <MB>

Configures memory allowance.

Syntax Description:
  MB: Size in megabytes.
Default: 512MB
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# memory 1024
Related Commands: virtual-machine
Notes: It is recommended not to allocate more than 1GB of memory per VM.

power

power {cycle [force | connect-console {graphics | text}] | off [force] | on [connect-console {graphics | text}]}

Turns the VM on or off, or other related options.

Syntax Description:
  cycle: Powers the VM down and then on again immediately
  force: Forces an action on the system.
  connect-console <console-type>: Connects to the console after power-on. The types may be:
    • text – text console
    • graphics – graphical console
  off: Powers down the VM
  on: Powers on VM
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# power cycle force
Related Commands: virtual-machine
Notes:

storage create

storage create disk [drive-number <number> | file <filename> | mode {read-only | read-write} | pool <pool-name> | size-max <MB>]

Creates a new storage device for the VM, with an automatically assigned name.

Syntax Description:
  create disk: Creates a new virtual disk image for this VM.
  drive-number <number>: Specifies the drive number to be assigned to the volume. Insert "new" to assign a new drive number to the volume.
  file <filename>: Specifies filename for new volume to be created
  mode {read-only | read-write}: Specifies initial device mode
  pool <pool-name>: Specifies storage pool in which to create new volume
  size-max <MB>: Specifies maximum disk capacity in megabytes
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# storage create disk size-max 2000
Related Commands: virtual-machine
Notes:

storage device

storage device [bus ide] drive-number <number> [mode {read-only | read-write}] source {[pool <pool-name>] file <filename>}
no storage device [bus ide] drive-number <id>

Modifies existing storage device, or creates a new one with a specific name.
The no form of the command removes a storage device from the VM.

Syntax Description:
  device: Modifies existing storage device, or creates a new one with a specific name
  bus ide: Configures bus type to IDE
  drive-number <number>: Selects device to configure by drive number
  mode {read-only | read-write}: Configures the device mode:
    • read-only – sets the read-only attribute of the volume
    • read-write – sets the read-write attribute of the volume
  source: Specifies where the data for this volume resides
  file <filename>: Specifies the filename for this volume
  pool <pool-name> file <filename>: Specifies the storage pool for this volume
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# storage create disk bus ide
Related Commands: virtual-machine
Notes:

vcpus

vcpus {count <count> | vcpu <vcpu> pin <cpu-list> [<cpu-list>]}
no vcpus {pin | vcpu <vcpu> pin}

Specifies virtual CPUs.
The no form of the command removes certain CPU configuration.

Syntax Description:
  count <count>: Specifies the number of virtual CPUs
  vcpu <vcpu>: Specifies options for a particular virtual CPU
  pin <cpu-list>: Specifies physical CPUs to pin to this vCPU
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config virtual-machine host my-vm)# vcpus count 1
Related Commands:
Notes:

virtual-machine volume fetch url

virt volume fetch url <download-url> [filename <filename> | pool <pool-name> filename <filename>]

Fetches volume image from a remote host.

Syntax Description:
  download-url: Specifies URL from which to fetch a volume. Format: http, https, ftp, tftp, scp and sftp are supported (e.g. scp://username[:password]@hostname/path/filename)
  filename <filename>: Specifies new filename for fetched volume image
  pool-name <pool-name>: Specifies storage pool for fetched volume image
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config) # virtual-machine volume fetch scp://admin[:adminpass]@<hostname/path/filename>
Related Commands:
Notes:

virt volume file

virt volume file <name> {create disk size-max <MB> | move {new-name <new-name> | pool <pool-name> new-name <new-name>} | upload <upload-url>}
no virt volume file <volume-name>

Specifies name of volume file to manage.
The no form of the command deletes the volume file.

Syntax Description:
  file <name>: Specifies name of volume file to manage
  create: Creates a new volume file under this name
  disk size-max <MB>: Specifies maximum capacity of virtual disk to create
  move: Moves or renames this volume
  new-name <filename>: Specifies a name for the destination file
  pool <pool-name> new-name <filename>: Specifies a storage pool for the copy
  upload <upload-url>: Uploads this volume file to a remote host. Format: ftp, tftp, scp and sftp are supported (e.g. scp://username[:password]@hostname/path/filename)
Default: N/A
Configuration Mode: Config Virtual Machine Host
History: 3.4.0000
Role: admin
Example:
switch (config) # virt volume file my-vm_file create cdrom extract cdrom1
Related Commands:
Notes:

4.16.2.2 Show

show virtual-machine configured

show virtual-machine configured

Displays global virtualization configuration.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine configured
Virtualization enabled: yes
Virtual machines: 2 configured
Virtual networks: 0 configured
switch (config) #
Related Commands:
Notes:

show virtual-machine host

show virtual-machine host [<vm-name>]

Displays status for this VM.

Syntax Description:
  vm-name: The name of the VM.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine host my-vm
VM 'my-vm'
Status: shut off Architecture: x86_64
VCPU used: 0 sec Number of VCPUs: 1
Boot order: hd, cdrom Memory size: 512 MB
Consoles: text, graphics
Storage:
IDE bus, drive 1: default/vdisk001.img (3000 MB capacity)
Interfaces:
1: on bridge 'mgmt0' address unknown (MAC 52:54:00:2F:89:69)
switch (config) #
Related Commands:
Notes: If the command is run in the middle of an installation, the following banner appears:
*** INSTALL IN PROGRESS: begun <time> ago ***

show virtual-machine host configured

show virtual-machine host <vm-name> configured [detail]

Displays configuration for this VM.

Syntax Description:
  vm-name: The name of the VM.
  detail: Displays detailed configuration for this VM.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine host my-vm configured detail
VM 'my-vm'
UUID: 0a177a99-f780-5951-877a-bd660e12e5db
Text console: enabled
Graphics console: enabled
Auto-power: last
Boot order: hd, cdrom
Architecture: x86_64
Memory size: 512 MB
Features: ACPI, APIC
Number of VCPUs: 1
(No VCPUs pinned)
Storage:
IDE bus, drive 1
Source pool: default
Source file: vdisk001.img (3000 MB capacity)
Mode: read-write
Interfaces:
Interface 1
Name: vif1
MAC address: 52:54:00:2F:89:69
Model: realtek-8139
Bound to: bridge 'mgmt0'
switch (config) #
Related Commands:
Notes:

show virtual-machine host detail

show virtual-machine host <vm-name> detail

Displays detailed status for this VM.

Syntax Description:
  vm-name: The name of the VM.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine host my-vm detail
VM 'my-vm'
Status: shut off
UUID: 0a177a99-f780-5951-877a-bd660e12e5db
Text console: enabled
Device: N/A
Graphics console: enabled
VNC display num: N/A
Boot order: hd, cdrom
Architecture: x86_64
Memory size: 512 MB
Features: ACPI, APIC
Number of VCPUs: 1
(State of individual VCPUs unavailable when VM is powered off)
Storage:
IDE bus, drive 1
Source pool: default
Source file: vdisk001.img (3000 MB capacity)
Mode: read-write
Device type: disk
Read requests: N/A
Read bytes: N/A
Write requests: N/A
Write bytes: N/A
Interfaces:
Interface 1
Name: vif1
MAC address: 52:54:00:2F:89:69
Model: realtek-8139
Bound to: bridge 'mgmt0'
IP address:
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX errors: 0 TX errors: 0
RX drop: 0 TX drop: 0
switch (config) #
Related Commands:
Notes:

show virtual-machine install

show virtual-machine host <vm-name> install

Displays status of installation of guest OS.

Syntax Description:
  vm-name: The name of the VM.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine host my-vm install
Install status for VM 'my-vm'
Install in progress, begun 2 minutes 28 seconds ago.
No previous install information available.
switch (config) #
Related Commands:
Notes:

show virtual-machine interface

show virtual-machine host <vm-name> interface [brief | configure]

Displays full status of all interfaces for this VM.

Syntax Description:
  vm-name: The name of the VM.
  brief: Displays brief status of all interfaces for this VM.
  configure: Displays configuration of all interfaces for this VM.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.0000
Role: admin
Example:
switch (config) # show virtual-machine host my-vm interface
Interface 1
Name: vif1
MAC address: 52:54:00:2F:89:69
Model: realtek-8139
Bound to: bridge 'mgmt0'
IP address:
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX errors: 0 TX errors: 0
RX drop: 0 TX drop: 0
switch (config) #
Related Commands:
Notes:

show virtual-machine storage

show virtual-machine host <vm-name> storage

Displays statistics for attached storage.

Syntax Description

vm-name The name of the VM.

Default N/A

Configuration Mode Any Command Mode

History 3.4.0000

Role admin

Example

switch (config) # show virtual-machine host my-vm storage
Storage for VM 'my-vm'
IDE bus, drive 1
Source pool: default
Source file: vdisk001.img (3000 MB capacity)
Mode: read-write
Device type: disk
Read requests: N/A
Read bytes: N/A
Write requests: N/A
Write bytes: N/A
switch (config) #

Related Commands

Notes

5 Ethernet Switching

5.1 Interface

Ethernet interfaces have the following set of configurable physical parameters:

• Admin state – enabling or disabling the interface

• Flow control – admin state per direction (send or receive)

• MTU (Maximum Transmission Unit) – 1500-9216 bytes

• Speed – 1/10/40/56GbE (depends on the interface type and system)

• Description – user defined string

• Module-type – the type of the module plugged in the interface

To use 40GbE QSFP interfaces as 10GbE (via QSA adapter), the speed must be manually set with the command “speed 10000” under the interface configuration mode.

5.1.1 Break-Out Cables

The break-out cable is a unique Mellanox capability, where a single physical 40Gbps port is divided into 2x10Gbps or 4x10Gbps ports. It maximizes the flexibility of the end user to use the Mellanox switch with a combination of 10Gbps and 40Gbps interfaces according to the specific requirements of its network. Certain ports cannot be split at all and there are ports which can be split into 2 ports only. Splitting a port changes the notation of that port from x/y to x/y/z with “x/y” indicating the previous notation of the port prior to the split and “z” indicating the number of the resulting 10G port (1,2 or 1,2,3,4). Each sub-physical port is then handled as an individual port. For example: splitting port 10 into 4 will give the following new ports: 1/10/1, 1/10/2, 1/10/3, 1/10/4.

Figure 13: Break-Out Cable


A split-4 operation results in blocking a 40G port in addition to the one being split. A set of hardware restrictions determine which of the ports can be split.


Specific ports can be split by using a QSFP 1X4 breakout cable to split one 40 Gb/s port into 4 lanes (4 SFP+ connectors), with one lane going to each of the 4 SFP+ connectors.

Some ports can be split into 2 10 Gb/s ports, using lanes 1 and 2 only. When a QSFP port is split into 2 10Gb/s ports then only SFP+ connectors #1 and #2 are used. Connectors #3 and #4 are left unconnected.

Splitting the interface deletes all configuration on that interface.

When splitting an interface’s traffic into 4 10Gb/s data streams (four lanes) one of the other ports on the switch must be disabled (unmapped).

• some ports can be split into 4

• some ports can be split into 2

• some ports become unmapped due to a 1X4 split

Figure 14: Port Splitting Options

Table 44 - Key for Port Splitting Figure

Color Description

Dark green This port can be split into 4 10Gb/s SFP+

Light green This port can be split into 2 10Gb/s SFP+

Red X This port is unmapped by the neighboring split 4 port

The maximum number of 10Gb/s Ethernet ports configurable with this switch is 34.

Table 45 - Port Splitting Options

Columns: Port #, Can be split to 4, Turns off port #, Can be split to 2

To see the exact splitting options available per system, refer to each specific system’s hardware user manual (Cabling chapter) located on the Mellanox website.

5.1.1.1 Changing the Module Type to a Split Mode

To split an interface:

Step 1. Shut down all the ports related to the interface. Run:

• in case of split-2, shut down the current interface only

• in case of split-4, shut down the current interface and the other interface according to the table above

switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # shutdown
switch (config interface ethernet 1/1) # exit
switch (config) # interface ethernet 1/4
switch (config interface ethernet 1/4) # shutdown

Step 2. Split the ports as desired. Run:

switch (config interface ethernet 1/4) # module-type qsfp-split-4
switch (config interface ethernet 1/4) #

Step 3. The following warning will be displayed:

the following interfaces will be unmapped: 1/4 1/1 .

Type “yes” when prompted “Type 'yes' to confirm split”.

The <ports> field in the warning refers to the affected ports from splitting port <inf> in the applied command.

Please beware that splitting a port into 4 prevents you from accessing the splittable port, and an additional one. For example, in the procedure above, ports 3 and 4 become inaccessible.

5.1.1.2 Unsplitting a Split Port

To unsplit a split port:

Step 1. Shut down all of the split ports. Run:

switch (config interface ethernet 1/4/4) # shutdown
switch (config interface ethernet 1/4/4) # exit
switch (config) # interface ethernet 1/4/3
switch (config interface ethernet 1/4/3) # shutdown
switch (config interface ethernet 1/4/3) # exit
switch (config) # interface ethernet 1/4/2
switch (config interface ethernet 1/4/2) # shutdown
switch (config interface ethernet 1/4/2) # exit
switch (config) # interface ethernet 1/4/1
switch (config interface ethernet 1/4/1) # shutdown

Step 2. From the first member of the split (1/4/1), change the module-type back to QSFP. Run:

switch (config interface ethernet 1/4/1) # module-type qsfp

The module-type can be changed only from the first member of the split and not from the interface that was split.

Step 3. The following warning will be displayed:

The following interfaces will be unmapped: 1/4/1 1/4/2 1/4/3 1/4/4.

Type “yes” when prompted “Type 'yes' to confirm unsplit.”

5.1.2 56GbE Link Speed

Mellanox offers a proprietary speed of 56Gb/s per Ethernet interface.

The following OPNs support 56GbE:

• MSX6036F-xxxx

• MSX1036x-xxxS

• MSX1024x-xxxS

• MSX1012x-xxxx

• MSX6012F-xxxx

• MSX6018F-xxxx

The following OPNs do not support 56GbE:

• MSX6036T-xxxx

• MSX1036x-xxxR

• MSX6012T-xxxx

• MSX6018T-xxxx

56Gb/s speed is not supported on SwitchX® (A1) ASIC based switch systems.


To achieve 56GbE link speed:

Step 1. Make sure your system is 56Gb/s capable (i.e. SX6036F, SX1024, and SX1036).

56GbE can only be achieved on 1U FDR capable systems.

Step 2. Install Ethernet license. Run:

switch (config) # license install <license key>

For a list of the available licenses see Section 2.4, “Licenses,” on page 40.

Step 3. Set the system profile to be eth-single-switch, and reset the system:

switch (config) # system profile eth-single-switch

Step 4. Set the speed for the desired interface to 56GbE as follows. Run:

switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # speed 56000
switch (config interface ethernet 1/1) #

Step 5. Verify the speed is 56GbE:

switch (config) # show interface ethernet 1/1
Eth1/1
Admin state: Enabled
Operational state: Down
Description: N\A
Mac address: 00:02:c9:5d:e0:26
MTU: 1522 bytes
Flow-control: receive off send off
Actual speed: 56 Gbps
Switchport mode: access
Rx
0 frames
0 unicast frames
0 multicast frames
0 broadcast frames
0 octets
0 error frames
0 discard frames
Tx
0 frames
0 unicast frames
0 multicast frames
0 broadcast frames
0 octets
0 discard frames
switch (config) #

5.1.3 Transceiver Information

MLNX-OS offers the option of viewing the transceiver information of a module or cable connected to a specific interface. The information is a set of read-only parameters burned onto the EEPROM of the transceiver by the manufacturer. The parameters include identifier (connector type), cable type, speed and additional inventory attributes.

To display transceiver information of a specific interface, run:

switch (config) # show interfaces ethernet 1/60 transceiver
Port 1/60 state
identifier : QSFP+
cable/ module type : Passive copper, unequalized
ethernet speed and type: 56GigE
vendor : Mellanox
cable length : 1m
part number : MC2207130-001
revision : A3
serial number : MT1238VS04936
switch (config) #

The indicated cable length is rounded up to the nearest natural number.
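An inventory check built on this output, as an added example (not MLNX-OS or Mellanox code): it parses the transceiver fields and reports any port whose vendor, part number, revision or serial number differs from a recorded baseline. The baseline and all function names are assumptions made for the illustration.

```python
import re

# Sample input: the transceiver output shown in this section, with the
# surrounding prompt lines as they appear in a captured CLI session.
SAMPLE_OUTPUT = """\
switch (config) # show interfaces ethernet 1/60 transceiver
Port 1/60 state
identifier : QSFP+
cable/ module type : Passive copper, unequalized
ethernet speed and type: 56GigE
vendor : Mellanox
cable length : 1m
part number : MC2207130-001
revision : A3
serial number : MT1238VS04936
switch (config) #
"""

# Constructed baseline, as an asset inventory might record it (assumption).
BASELINE = {
    "1/60": {
        "vendor": "Mellanox",
        "part number": "MC2207130-001",
        "revision": "A3",
        "serial number": "MT1238VS04936",
    },
}

# Fields compared against the baseline.
TRACKED_FIELDS = ("vendor", "part number", "revision", "serial number")

# "Port 1/60 state" or, for a split port, "Port 1/4/2 state".
PORT_HEADER = re.compile(r"^Port\s+(\d+/\d+(?:/\d+)?)\s+state$")


def normalize_key(key):
    """Lower-case a field name and fold spacing, '/' and '_' variants.

    The manual prints both "cable length" and "cable_length", and
    "cable/ module type" as well as "cable/module type".
    """
    key = key.strip().lower().replace("_", " ")
    key = re.sub(r"\s*/\s*", "/", key)
    return re.sub(r"\s+", " ", key)


def parse_transceivers(text):
    """Return {port: {field: value}} parsed from transceiver output."""
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PORT_HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {})
            continue
        # Skip prompts and anything before the first "Port ... state" line.
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[normalize_key(key)] = value.strip()
    return ports


def diff_inventory(baseline, observed):
    """Return (port, field, expected, seen) tuples for every mismatch."""
    findings = []
    for port in sorted(set(baseline) | set(observed)):
        expected = baseline.get(port)
        seen = observed.get(port)
        if expected is None:
            findings.append((port, "module", "absent", "present"))
        elif seen is None:
            findings.append((port, "module", "present", "absent"))
        else:
            for field in TRACKED_FIELDS:
                if expected.get(field) != seen.get(field):
                    findings.append(
                        (port, field, expected.get(field), seen.get(field))
                    )
    return findings


if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, parse_transceivers(SAMPLE_OUTPUT)):
        print(finding)
```

The EEPROM fields are reported by the module itself, so a match against the baseline confirms consistency with the inventory record rather than authenticity of the part.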

5.1.4 High Power Transceivers

Mellanox switch systems offer high power transceiver (LR4) support in the following ports:

• SX1036/SX1700 – ports 1, 3, 33, 35

• SX1024/SX1400 – ports 50, 52, 54, 56, 58, 60

• SX1012/SX1710 – all ports

If a high power transceiver (e.g. LR4) is inserted into a port that does not support it, the link does not go up, and the warning message “Warning: High power transceiver is not supported” is displayed when the command “show interfaces ethernet” is run.

5.1.5 Commands

interface ethernet

interface ethernet <slot>/<port>[/<subport>]-[<slot>/<port>[/<subport>]]

Enters the Ethernet interface or Ethernet interface range configuration mode.

Syntax Description

<slot>/<port> Ethernet port number.

subport Ethernet subport number, to be used in case of split port.

Default N/A

Configuration Mode Config

History

3.1.0000 First version

3.2.1100 Added range support

Role admin

Example

switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # exit
switch (config) # interface ethernet 1/1-1/10
switch (config interface ethernet 1/1-1/10) #

Related Commands show interfaces ethernet

Note

flowcontrol

flowcontrol {receive | send} {off | on} [force]

Enables or disables IEEE 802.3x link-level flow control per direction for the specified interface.

Syntax Description

receive | send
receive - ingress direction
send - egress direction

off | on
on - enables IEEE 802.3x link-level flow control for the specified interface on receive or send.
off - disables IEEE 802.3x link-level flow control for the specified interface on receive or send.

force Forces command implementation.

Default receive off, send off

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

Config Interface MLAG Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # flowcontrol receive off
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note N/A

mtu

mtu <frame-size>

Configures the Maximum Transmission Unit (MTU) frame size for the interface.

Syntax Description

frame-size This value may be 1500-9216 bytes.

Default 1522 bytes

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

Config Interface MLAG Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # mtu 9216
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note

shutdown

shutdown
no shutdown

Disables the interface.

The no form of the command enables the interface.

Syntax Description N/A

Default The interface is enabled.

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

Config Interface MLAG Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # shutdown
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note

description

description <string>
no description

Sets an interface description.

The no form of the command returns the interface description to its default value.

Syntax Description

string 40 bytes

Default “”

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

Config Interface MLAG Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # description my-interface
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note

speed

speed <port speed> [force]
no speed

Sets the speed of the interface.

The no form of the command sets the speed of the interface to its default value.

Syntax Description

port speed
1000 - 1GbE
10000 - 10GbE
40000 - 40GbE
56000 - 56GbE

force Forces speed change configuration

Default Depends on the port module type, see the “Notes” section below.

Configuration Mode Config Interface Ethernet

Config Interface MLAG Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # speed 40000
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note

• 56Gbps port speed requires a license (LIC-6036F-56GE)

• The default speed depends on the interface capabilities; an interface capable of 40Gbps has 40Gbps speed by default

• Not all interfaces support all speed options

load-interval

load-interval <time>
no load-interval

Sets the interface counter interval.

The no form of the command resets the interval to its default value.

Syntax Description

time In seconds.

Default 300 seconds.

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

Config Interface MLAG Port Channel

History

3.3.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # load-interval 30
switch (config interface ethernet 1/1) #

Related Commands show interfaces ethernet

Note This interval is used for the ingress rate and egress rate counters.

ip address dhcp

ip address dhcp
no ip address dhcp

Enables DHCP on this Ethernet interface.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface Ethernet set as router interface

Config Interface Port Channel set as router interface

History 3.4.2008

Role admin

Example

switch (config interface ethernet 1/1) # ip address dhcp
switch (config interface ethernet 1/1) #

Related Commands interface ethernet

show interfaces ethernet

Note

clear counters

clear counters

Clears the interface counters.

Syntax Description N/A

Default N/A

Configuration Mode Config Interface Ethernet

Config Interface Port Channel

History

3.1.0000

3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example

switch (config interface ethernet 1/1) # clear counters

Related Commands show interfaces ethernet

Note

show interfaces ethernet

show interfaces ethernet <inf> [counters [priority]]

Displays the configuration and status for the interface.

Syntax Description

inf Interface number: <slot>/<port>.

counters Displays interface extended counters.

priority Displays interface extended counters per priority (0-7).

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show interfaces ethernet 1/1
Eth1/1
Admin state: Enabled
Operational state: Up
Description: N\A
Mac address: 00:02:c9:71:ed:2d
MTU: 1500 bytes(Maximum packet size 1522 bytes)
Flow-control: receive off send off
Actual speed: 40 Gbps
Width reduction mode: Not supported
Switchport mode: access
Last clearing of "show interface" counters 00:20:39
60 seconds Ingress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec
60 seconds Egress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec
Rx
0 packets
0 unicast packets
0 multicast packets
0 broadcast packets
0 bytes
0 error packets
0 discard packets
Tx
63 packets
0 unicast packets
63 multicast packets
0 broadcast packets
4032 bytes
0 discard packets
switch (config) #

Related Commands

Note If a high power transceiver (e.g. LR4) is inserted into a port that does not support it, the link does not go up, and the warning message “Warning: High power transceiver is not supported” is displayed when the command “show interfaces ethernet” is run. For more information, please refer to Section 5.1.4, “High Power Transceivers,” on page 476.

show interfaces ethernet [<inf>] capabilities

show interfaces ethernet [<inf>] capabilities

Displays the interface capabilities.

Syntax Description

inf Interface number: <slot>/<port>. Shows only one interface capabilities.

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show interfaces ethernet 1/1 capabilities
Eth1/1
Speed : 10000,40000
FlowControl : Send, Receive
switch (config) #

Related Commands

Note

show interfaces ethernet [<inf>] description

show interfaces ethernet [<inf>] description

Displays the admin status and protocol status for the specified interface.

Syntax Description

inf Interface number: <slot>/<port>.

Default N/A

Configuration Mode Any Command Mode

History

3.1.0000

3.4.1100 Updated Example

Role admin

Example

switch (config) # show interfaces ethernet description
Interface Admin state Operational state
--------- ----------- -----------------
Eth1/58 Enabled Down
Eth1/59 Enabled Up
Eth1/60 Enabled Down (Suspend)
switch (config) # show interfaces ethernet 1/60
Eth1/60
Admin state: Enabled
Operational state: Down (Suspend)
switch (config) #

Related Commands

Note

show interfaces ethernet [<inf>] status

show interfaces ethernet [<inf>] status

Displays the status, speed and negotiation mode of the specified interface.

Syntax Description

inf Interface number: <slot>/<port>.

Default N/A

Configuration Mode Any Command Mode

History

3.1.0000

3.4.1100 Updated Example

Role admin

Example

switch (config) # show interfaces ethernet status
Port Operational state Speed Negotiation
---- ----------------- ----- -----------
Eth1/58 Down 40 Gbps No-Negotiation
Eth1/59 Up 40 Gbps No-Negotiation
Eth1/60 Down (Suspend) 40 Gbps No-Negotiation
switch (config) #

Related Commands

Note

show interfaces ethernet [<inf>] transceiver

show interfaces ethernet [<inf>] transceiver

Displays the transceiver info.

Syntax Description

inf Interface number: <slot>/<port>

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example

switch (config) # show interfaces ethernet 1/1 transceiver
Port 1/1 state
identifier : QSFP+
cable/module type : Optical cable/module
ethernet speed and type: 40GBASE - SR4
vendor : Mellanox
cable_length : 50 m
part number : MC2210411-SR4
revision : A1
serial number : TT1151-00006
switch (config) #

Related Commands

Note

• For a full list of the supported cables and transceivers, please refer to the LinkX™ Cables and Transceivers webpage in Mellanox.com: http://www.mellanox.com/page/cables?mtag=cable_overview.

• If a high power transceiver (e.g. LR4) is used, it will be indicated in the field “cable/module type”.

module-type

module-type <type> [force]

Splits or un-splits the interface, as desired.

Syntax Description

type
qsfp - Port runs at 40000/56000Mbps.
qsfp-split-2 - Port is split and runs at 2X10000Mbps.
qsfp-split-4 - Port is split and runs at 4X10000Mbps.

force Forces the split operation without asking for user confirmation.

Default Interface module type is qsfp (if the interface supports 40Gbps speed)

Configuration Mode Config Interface Ethernet

History 3.1.1400

Role admin

Example

switch (config interface ethernet 1/4) # module-type qsfp-split-4
the following interfaces will be unmapped: 1/4 1/1
Type 'yes' to confirm split: yes
switch (config interface ethernet 1/4) #

Related Commands switchport mode

switchport [trunk | hybrid] allowed-vlan

show vlan

Note

• The affected interfaces should be disabled prior to the operation

• To un-split the interface, use the command with “qsfp” (“module-type qsfp”); the speed is set to 40Gbps.

• This command is applicable only on 40Gbps Ethernet ports

5.2 Link Aggregation Group (LAG)

The Link Aggregation protocol describes a network operation in which several same speed links are combined into a single logical entity with the accumulated bandwidth of the originating ports.

LAG groups exchange Link Aggregation Control Protocol (LACP) packets in order to align the functionality between both endpoints of the LAG. To send traffic equally on all LAG links, the switch uses a hash function which can use a set of attributes as the key to the hash function.

As many as 16 physical ports can be aggregated on a single LAG.
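Why the choice of hash attributes matters, as an added example (not the switch's code): the model below builds the hash key from the load-balance methods listed for port-channel load-balance ethernet in this manual and picks a member link from it. SHA-256 is a stand-in, since the manual does not describe the switch's actual hash function, and the flow field names, member list and traffic are constructed.

```python
import hashlib
from collections import Counter

# Flow fields that each documented load-balance method contributes to the
# hash key. The field names (src_mac, dst_ip, ...) are this example's own.
METHOD_FIELDS = {
    "destination-ip": ("dst_ip",),
    "destination-mac": ("dst_mac",),
    "destination-port": ("dst_port",),
    "source-destination-ip": ("src_ip", "dst_ip"),
    "source-destination-mac": ("src_mac", "dst_mac"),
    "source-destination-port": ("src_port", "dst_port"),
    "source-ip": ("src_ip",),
    "source-mac": ("src_mac",),
    "source-port": ("src_port",),
}

# Constructed LAG with four member ports.
MEMBERS = ["1/1", "1/2", "1/3", "1/4"]


def hash_key(flow, methods):
    """Build the hash key from the fields the configured methods select."""
    fields = sorted({f for m in methods for f in METHOD_FIELDS[m]})
    return "|".join(f"{name}={flow[name]}" for name in fields)


def select_member(flow, methods, members):
    """Pick the member link for a flow (SHA-256 is a stand-in hash only)."""
    digest = hashlib.sha256(hash_key(flow, methods).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(flows, methods, members):
    """Count how many flows land on each member link."""
    return Counter(select_member(f, methods, members) for f in flows)


def constructed_flows(count=64):
    """Constructed traffic: many clients behind one router, one server.

    Every frame carries the same MAC pair (router to server); only the
    source IP address and source port differ between flows.
    """
    return [
        {
            "src_mac": "00:00:5e:00:53:01",
            "dst_mac": "00:00:5e:00:53:02",
            "src_ip": f"192.0.2.{10 + i}",
            "dst_ip": "198.51.100.20",
            "src_port": 40000 + i,
            "dst_port": 443,
        }
        for i in range(count)
    ]


if __name__ == "__main__":
    flows = constructed_flows()
    # Default method: every flow has the same key, so one link carries all.
    print(dict(distribution(flows, ["source-destination-mac"], MEMBERS)))
    # Adding IP and port fields gives the hash something that varies.
    print(dict(distribution(
        flows, ["source-destination-ip", "source-port"], MEMBERS)))
```

A key made only of fields that are identical across flows sends all of them to one member, so the LAG's accumulated bandwidth is not available to that traffic.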

5.2.1 Configuring Static Link Aggregation Group (LAG)

To configure a static LAG:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

switch > enable
switch # configure terminal

Step 3. Create a port-channel entity. Run:

switch (config) # interface port-channel 1
switch (config interface port-channel 1) #

Step 4. Change back to config mode.

switch (config interface port-channel 1) # exit
switch (config) #

Step 5. Add a physical port to the port-channel. Run:

switch (config interface ethernet 1/4) # channel-group 1 mode on
switch (config interface ethernet 1/4) #

If the physical port is operationally up, this port becomes an active member of the aggregation. Consequently, it becomes able to convey traffic.

5.2.2 Configuring Link Aggregation Control Protocol (LACP)

To configure LACP:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

switch > enable
switch # configure terminal

Step 3. Create a port-channel entity. Run:

switch (config) # interface port-channel 1
switch (config interface port-channel 1) #

Step 4. Change back to config mode. Run:

switch (config interface port-channel 1) # exit
switch (config) #

Step 5. Enable LACP in the switch. Run:

switch (config) # lacp
switch (config) #

Step 6. Add a physical port to the port-channel. Run:

switch (config interface ethernet 1/4) # channel-group 1 mode active/passive
switch (config interface ethernet 1/4) #

5.2.3 Commands

interface port-channel

interface port-channel <1-4096>[-<2-4096>]
no interface port-channel <1-4096>[-<2-4096>]

Creates a LAG and enters the LAG configuration mode. There is an option to create a range of LAG interfaces.

The no form of the command deletes the LAG, or range of LAGs.

Syntax Description

1-4096 / 2-4096 LAG number

Default N/A

Configuration Mode Config

History

3.1.1400 First version

3.2.1100 Added range support

3.4.0000 Added note

Role admin

Example

switch (config)# interface port-channel 1
switch (config interface port-channel 1) # exit
switch (config)# interface port-channel 1-10
switch (config interface port-channel 1-10) #

Related Commands

Note If a LAG is also an IPL, attempting to delete it without first deleting the IPL is rejected by the management.

lacp

lacp
no lacp

Enables LACP in the switch.

The no form of the command disables LACP in the switch.

Syntax Description N/A

Default LACP is disabled.

Configuration Mode Config

History 3.1.1400

Role admin

Example

switch (config)# lacp
switch (config)#

Related Commands

Note

lacp system-priority

lacp system-priority <1-65535>
no lacp system-priority

Configures the LACP system priority.

The no form of the command sets the LACP system-priority to default.

Syntax Description

1-65535 LACP system-priority.

Default 32768

Configuration Mode Config

History 3.1.1400

Role admin

Example

switch (config)# lacp system-priority 1
switch (config)# show lacp interfaces port-channel
Port-channel Module Admin Status is enabled
Port-channel System Identifier is 00:02:c9:5c:61:70
LACP System Priority: 3
switch (config)#

Related Commands

Note

lacp (interface)

lacp {rate fast | port-priority <1-65535>}
no lacp {rate fast | port-priority}

Configures the LACP interface parameters.

The no form of the command sets the LACP interface configuration to default.

Syntax Description

rate fast Sets LACP PDUs on the port to be in fast (1 second) or slow rate (30 seconds).

Default rate - slow (30 seconds)

port-priority 32768

Configuration Mode Config

History 3.1.1400

Role admin

Example

switch (config interface ethernet 1/7)# lacp rate fast
switch (config interface ethernet 1/7)# show lacp interfaces ethernet 1/7
Port : 1/7
-------------
Port State = Down
Channel Group : 1
Pseudo port-channel = Po1
LACP port-priority = 32768
LACP Rate = Slow
LACP Activity : Passive
LACP Timeout : Short
Aggregation State : Aggregation, Defaulted,
LACP Port Admin Oper Port Port
Port State Priority Key Key Number State
-------------------------------------------------------------------
1/7 Down 128 1 1 0x7 0x0
switch (config)#

Related Commands

Note Configuring LACP rate (fast or slow) will configure the peer port to send (fast or slow); it has no effect on the local port LACP rate.

port-channel load-balance ethernet

port-channel load-balance ethernet <method>
no port-channel load-balance ethernet <method>

Configures the port-channel load balancing distribution function method.

The no form of the command sets the distribution function method to default.

Syntax Description

method Possible load balance methods:

• destination-ip

• destination-mac

• destination-port

• source-destination-ip

• source-destination-mac

• source-destination-port

• source-ip

• source-mac

• source-port

Default source-destination-mac

Configuration Mode Config

History 3.1.1400

Role admin

Example

switch (config)# port-channel load-balance ethernet destination-ip source-port source-mac
switch (config)# show interfaces port-channel load-balance
destination-ip,source-mac,source-port
switch (config)#

Related Commands

Note Several load balance methods can be configured (refer to the example)

channel-group

channel-group <1-4096> [mode {on | active | passive}]
no channel-group

Assigns and configures a physical interface to a port channel.

The no form of the command removes a physical interface from the port-channel.

Syntax Description

1-4096 The port channel number.

mode on Static assignment of the port to LAG. LACP will not be enabled on this port.

mode active/passive Dynamic assignment of the port to LAG. LACP will be enabled in either passive or active mode.

Default N/A

Configuration Mode Config Interface Ethernet

History

3.1.1400

3.4.0008 Added a note

Role admin

Example

switch (config interface ethernet 1/7)# channel-group 1 mode active

Related Commands show interfaces port-channel summary

show interfaces port-channel compatibility-parameters

show lacp interfaces ethernet

Note

• Setting the mode to active/passive is possible only if LACP is enabled.

• The first port in the LAG decides if the LAG will be static (“on”) or LACP (“active”, “passive”).

• All the ports in the LAG must have the same configuration, determined by the first port added to the LAG. A port with a different configuration will be rejected. For the list of dependencies refer to ‘show interfaces port-channel compatibility-parameters’

• A physical port may only be part of one channel-group

lacp-individual enable

lacp-individual enable [force]
no lacp-individual enable [force]

Configures the LAG to act with LACP-individual capabilities.

The no form of the command disables the LACP-individual capability.

Syntax Description

force Toggles the interface after enabling LACP-individual.

Default N/A

Configuration Mode Config Interface Port Channel

History 3.4.1100

Role admin

Example

switch (config interface port-channel 10)# lacp-individual enable force

Related Commands

Note If a switch is connected via LAG to a host without LACP capability, running this command on that LAG allows a member port (with the lowest numerical priority value), acting as an individual, to communicate with the host.

ip address dhcp

ip address dhcp
no ip address dhcp

Enables DHCP on this LAG interface.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface Port Channel set as router interface

History 3.4.2008

Role admin

Example

switch (config interface port channel 10) # ip address dhcp
switch (config interface port channel 10) #

Related Commands interface port-channel

show interface port-channel

Note

show lacp counters

show lacp counters

Displays the LACP PDUs counters.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.1400

Role admin

Example

switch (config)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Illegal Unknown
----------------------------------------------------------------------
Port-channel: 1
------------------
1/7 0 0 0 0 0 0 0 0
switch (config) #
switch (config)#

Related Commands

Note

show lacp interfaces ethernet

show lacp interface ethernet <inf>

Displays the LACP interface configuration and status.

Syntax Description

inf Interface number, for example “1/1”.

Default N/A

Configuration Mode Any Command Mode

History 3.1.1400

Role admin

Example

switch (config) # show lacp interfaces ethernet 1/4
Port : 1/4
-------------
Port State = Down
Channel Group : 1
Pseudo port-channel = Po1
LACP port-priority = 128
LACP Rate = Slow
LACP Activity : Passive
LACP Timeout : Short
Aggregation State : Aggregation, Defaulted,
LACP Port Admin Oper Port Port
Port State Priority Key Key Number State
-------------------------------------------------------------------
1/4 Down 128 1 1 0x4 0x0
switch (config) #

Related Commands

Note

show lacp interfaces neighbor

show lacp interfaces neighbor

Syntax Description

Default

N/A

N/A

Configuration Mode Any Command Mode

History

Role

Displays the LACP interface neighbor status.

3.1.1400

3.4.0000

admin

First version

Updated output

Rev 4.20

Mellanox Technologies Confidential 505

Example

Related Commands

Note switch (config) # show lacp interfaces neighbor

Flags:

A - Device is in Active mode

P - Device is in Passive mode

Channel group 1 neighbors

Port 1/4

----------

Partner System ID : 00:00:00:00:00:00

Flags : A

LACP Partner Port Priority : 0

LACP Partner Oper Key : 0

LACP Partner Port State : 0x0

Port State Flags Decode

------------------------

Activity : Active

Aggregation State : Aggregation, Sync, Collecting, Distributing

MLAG channel group 25 neighbors

Port 1/49

----------

Partner System ID : 00:02:c9:fa:c4:c0

Flags : A

LACP Partner Port Priority : 255

LACP Partner Oper Key : 33

LACP Partner Port State : 0xbc

Port State Flags Decode

------------------------

Activity : Active

Aggregation State : Aggregation, Sync, Collecting, Distributing,

MLAG channel group 28 neighbors

Port 1/51

----------

Partner System ID : f4:52:14:10:d8:f1

Flags : A

LACP Partner Port Priority : 255

LACP Partner Oper Key : 33

LACP Partner Port State : 0xbc

Port State Flags Decode

------------------------

Activity : Active

Aggregation State : Aggregation, Sync, Collecting, Distributing,

switch (config) #


show lacp

show lacp

Displays the LACP global parameters.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.4.0000

Role: admin

Example:

switch (config) # show lacp

Port-channel Module Admin Status is enabled

switch (config) #

Related Commands

Note


show lacp interfaces system-identifier

show lacp interfaces {mlag-port-channel | port-channel} <instance> system-identifier

Displays the system identifier of LACP.

Syntax Description: instance - LAG or MLAG instance.

Default: N/A

Configuration Mode: Any Command Mode

History: 3.4.0000

Role: admin

Example:

switch (config)# show lacp interfaces port-channel 2 system-identifier

Priority: 12345

MAC: 00:02:C9:AC:2A:60

switch (config)#

Related Commands

Note


show interfaces port-channel

show interfaces port-channel <port-channel>

Displays port-channel configuration properties.

Syntax Description: port-channel - LAG interface whose properties to display

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4000

3.4.1100 - Update Example

Role: admin

Example:

switch (config) # show interfaces port-channel 2

Po2

Admin state: Enabled

Operational state: Up

Description: N\A

Mac address: 00:00:00:00:00:00

MTU: 9216 bytes (Maximum packet size 9238 bytes)

lacp-individual mode: Enabled

Flow-control: receive off send off

Actual speed: 2 X 40 Gbps

Width reduction mode: Not supported

Switchport mode: trunk

MAC learning mode: Enabled

Last clearing of "show interface" counters : Never

60 seconds ingress rate: 2440 bits/sec, 305 bytes/sec, 5 packets/sec

60 seconds egress rate: 2440 bits/sec, 305 bytes/sec, 5 packets/sec

Rx

24060 packets

23447 unicast packets

598 multicast packets

15 broadcast packets

1796876 bytes

0 error packets

0 discard packets

Tx

23961 packets

23454 unicast packets

496 multicast packets

11 broadcast packets

1805778 bytes

4 discard packets

switch (config) #

Related Commands

Note


show interfaces port-channel compatibility-parameters

show interfaces port-channel compatibility-parameters

Displays port-channel parameters.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4000

Role: admin

Example:

switch (config) # show interfaces port-channel compatibility-parameters

* Port-mode

* Speed

* MTU

* Flow Control

* Access VLAN

* Allowed VLAN list

* Flowcontrol & PFC

* Channel-group mode

* CoS parameters

* MAC learning disable

Static configuration on the port should be removed:

* ACL port binding

* Static mrouter

* sflow

* OpenFlow

* port mirroring local analyzer port

* Static mac address

switch (config) #

Related Commands

Note


show interfaces port-channel load-balance

show interfaces port-channel load-balance

Displays the type of load-balancing in use for port-channels.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

N/A

History: 3.3.4000

Role: admin

Example:

switch (config) # show interfaces port-channel load-balance

source-destination-mac

switch (config) #

Related Commands

Note


show interfaces port-channel summary

show interfaces port-channel summary

Displays a summary for the port-channel interfaces.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.1.1400

3.4.1100 - Updated Example

Role: admin

Example:

switch (config) # show interfaces port-channel summary

Flags: D - Down, U - Up, P - Up in port-channel (members)

S - Suspend in port-channel (members), I - Individual

-----------------------------------------------------------------------

Group  Port-     Type   Member Ports
       Channel
-----------------------------------------------------------------------
1      Po2(U)    LACP   Eth1/58(D) Eth1/59(I) Eth1/60(S)
2      Po5(D)    LACP   Eth1/1(S) Eth1/33(I)
3      Po10(U)   LACP   Eth1/49(P) Eth1/50(P) Eth1/51(S) Eth1/52(S)

switch (config) #

Related Commands

Note


5.3 MLAG

Figure 15: Basic MLAG Setup


All nodes in an MLAG must be of the same CPU type (i.e. PPC or x86).

Each switch is configured independently, and it is the user's responsibility to configure both switches consistently with respect to MLAG (e.g. MLAG port-channel VLAN membership, static MAC, ACL, etc.).

A link aggregation group (LAG) is used to extend the bandwidth from a single link to multiple links and to provide redundancy in case of link failure. Extending the implementation of the LAG to more than a single device provides yet another level of redundancy that extends from the link level to the node level. This extension of the LAG from a single switch to multiple switches is referred to as multi-chassis link aggregation (MLAG).

MLAG is currently supported for 2 switches only.

The VIP address must be on the same management IP subnet.


A peered device (host or switch) connecting to switches running an MLAG runs a standard LAG and is unaware of the fact that the LAG connects to two separate switches.

MLAG links currently require the xSTP control protocol to be disabled. However, interfaces that are not part of an MLAG can run any protocol independently.

The MLAG switches share an inter-peer link (IPL) between them for carrying control messages in a steady state or data packets in failure scenarios. Thus, the bandwidth of the IPL should be defined accordingly. The IPL itself can be a LAG and be constructed of either 10GbE or 40GbE links. In such a case, PFC must be configured on this IPL. Figure 16, “Basic MLAG Topology,” on page 516 illustrates this. The IPL serves the following purposes:

• MLAG protocol control – keepalive messages, MAC sync, MLAG port sync, etc.

• MLAG port failure – serves redundancy in case of a fallen link on one of the MLAG switches.

• Layer-3 failure – serves redundancy in case of a failed connection between the MLAG switches and the rest of the L3 network should there be one.

The MLAG protocol is made up of the following components, each described later in this section:

• Keepalive

• Unicast and multicast sync

• MLAG port sync

When positioned at the top of rack (ToR) and connecting with a Layer-3 uplink, the MLAG pair acts as the L3 border for the hosts connected to it. To allow default gateway redundancy, both MLAG switches should be addressed by the host via the same default gateway address.

MLAG uses an IP address (VIP) that is always directed to the MLAG-VIP master node.

When running MLAG with L3, VRRP or MAGP must be deployed. For more information, refer to Section 6.7, “VRRP,” on page 976 or Section 6.8, “MAGP,” on page 991 respectively.

When MLAG is connected through a Layer-2 based uplink, there is no need to apply default gateway redundancy towards hosts since this function is implemented on the L2/L3 border points of the network.

The two peer switches need to carry the exact same configuration of the MLAG attributes for guaranteeing proper functionality of the MLAG.

Ensuring that both switches are configured identically is the responsibility of the user and is not monitored by the MLNX-OS software.

When working with MLAG the maximum number of MAC addresses is limited to 47,970. Without it, the number of MAC addresses would be 55,872.

When transitioning from standalone into a group or vice versa, a few seconds are required for the node state to stabilize. During that time, group features such as Gateway HA, SM HA, and MLAG commands should not be executed. To run group features, wait for the CLI prompt to turn into [standalone:master], [<group>:master] or [<group>:standby] instead of [standalone:*unknown*] or [<group>:*unknown*].

5.3.1 MLAG Keepalive and Failover

Master election in MLAG is based on the IP addresses of the nodes taking part in the MLAG. The elected master is the node with the highest IPL VLAN interface local IP address.

MLAG master/slave roles take effect in fault scenarios such as split-brain, peer faults, and during software upgrades.

The MLAG pair of switches periodically exchanges a keepalive message at a user-configurable interval. If the keepalive message fails to arrive for three consecutive intervals, the switches break into two standalone switches. In such a case, the remaining active switch begins to act as a standalone switch and assumes that its previously peering MLAG switch has failed.

To avoid a scenario where failure on the IPL causes both MLAG peers to assume that their peer has failed, a safety mechanism based on UDP packets running via the management plane is maintained and alerts both peers of IPL failure. In such a case of IPL failure, the slave shuts down its interfaces to avoid a split brain scenario and the master becomes a standalone switch.

5.3.2 Unicast and Multicast Sync

Unicast and multicast sync is a mechanism which syncs the unicast and multicast FDBs of the MLAG peers. It prevents unicast asymmetric traffic from loading the network with flood traffic and multicast traffic from being processed.

5.3.3 MLAG Port Sync

Under normal circumstances, traffic from the IPL cannot pass through the MLAG ports (the IPL is isolated from the MLAG ports). If one of the MLAG links breaks, the other MLAG switch opens that isolation and allows traffic from its peer through the IPL to flow via the MLAG port which accesses the destination of the fallen link.

5.3.4 MLAG Virtual System-MAC

A pair of MLAG switches uses a single virtual system MAC for L2 protocols (such as LACP) operating on the MLAG ports.

The virtual system MAC is automatically computed based on the MLAG VIP name, but can be manually set using the command “system-mac”.

MLAG relies on systems to have the same virtual system MAC. Therefore, if a system MAC mismatch is detected, the slave shuts down its interfaces.

5.3.5 Upgrading MLAG Pair

Switches in the same MLAG group must have the same MLNX-OS version.

When peers identify having different versions, they enter an upgrading state in which the slave peer waits for a specific period of time (according to the command “upgrade-timeout” on page 531) before closing its ports.

For more information on MLAG upgrade, please see Section 4.3.2, “Upgrading MLNX-OS HA Groups,” on page 169.

5.3.6 MLAG Configuration

This section provides an example of how to configure two switches and a server in an MLAG setup.

Figure 16: Basic MLAG Topology


To configure L2 MLAG:

Prerequisites:

Step 1. Enable IP routing. Run:

switch (config)# ip routing

Step 2. (Recommended) Enable LACP in the switch. Run:

switch (config)# lacp

Step 3. Enable QoS on the switch to avoid congestion on the IPL port. Run:

switch (config)# dcb priority-flow-control enable force

Step 4. Enable the MLAG protocol commands. Run:

switch (config)# protocol mlag

Configuring the IPL:

Step 1. Create a VLAN for the inter-peer link (IPL) to run on. Run:

switch (config)# vlan 4000

switch (config vlan 4000)#

Step 2. Create a LAG. Run:

switch (config)# interface port-channel 1

switch (config interface port-channel 1)#

Step 3. Map a physical port to the LAG in active mode (LACP). Run:

switch (config)# interface ethernet 1/1 channel-group 1 mode active

Step 4. Set this LAG as an IPL. Run:

switch (config interface port-channel 1)# ipl 1

Step 5. Enable QoS on this specific interface. Run:

switch (config interface port-channel 1)# dcb priority-flow-control mode on force

Step 6. Create a VLAN interface. Run:

switch (config)# interface vlan 4000

switch (config interface vlan 4000)#

Step 7. Set an IP address and netmask for the VLAN interface.

On SwitchA, run:

switch (config interface vlan 4000)# ip address 10.10.10.1 /30

On SwitchB, run:

switch (config interface vlan 4000)# ip address 10.10.10.2 /30

Step 8. Map the VLAN interface to be used on the IPL and set the peer IP address (the IP address of the IPL port on the second switch) of the IPL peer port. IPL peer ports must be configured on the same netmask.

On SwitchA, run:

switch (config interface vlan 4000)# ipl 1 peer-address 10.10.10.2

On SwitchB, run:

switch (config interface vlan 4000)# ipl 1 peer-address 10.10.10.1

Step 9. Configure a virtual IP (VIP) for the MLAG.

On SwitchA, run:

switch (config)# mlag-vip my-vip ip 10.10.10.254 /24 //mask may also be 255.255.255.0

On SwitchB, run:

switch (config)# mlag-vip my-vip

Step 10. (Optional) Configure a virtual system MAC for the MLAG. Run:

switch (config)# mlag system-mac 00:00:5E:00:01:5D

Creating an MLAG interface:

Step 1. Create an MLAG interface for the host. Run:

switch (config)# interface mlag-port-channel 1

switch (config interface mlag-port-channel 1)#

Step 2. Disable STP. Run:

switch (config interface mlag-port-channel 1)# spanning-tree port type edge

switch (config interface mlag-port-channel 1)# spanning-tree bpdufilter enable

Step 3. Bind an Ethernet port to the MLAG group. Run:

switch (config interface ethernet 1/2)# mlag-channel-group 1 mode on

Step 4. Create and enable the MLAG interface. Run:

switch (config interface mlag-port-channel 1)# no shutdown

STP must be disabled (no spanning-tree) on the MLAG switches when there is at least 1 MLAG port-channel connected to a switch and not to a host.

Enabling MLAG:

Step 1. Enable MLAG. Run:

switch [my-vip: master] (config mlag)# no shutdown

When running MLAG with L3, VRRP or MAGP must be deployed. For more information, refer to Section 6.7, “VRRP,” on page 976 or Section 6.8, “MAGP,” on page 991 respectively.

To verify MLAG configuration:

Step 1. Examine MLAG configuration and status. Run:

SX2 [mellanox: master] (config)# show mlag

Admin status: Enabled

Operational status: Up

Reload-delay: 1 sec

Keepalive-interval: 30 sec

Upgrade-timeout: 60 min

System-mac: 00:00:5E:00:01:5D

MLAG Ports Configuration Summary:

Configured: 1

Disabled: 0

Enabled: 1

MLAG Ports Status Summary:

Inactive: 0

Active-partial: 0

Active-full: 1


MLAG IPLs Summary:

ID   Group          Vlan        Operational   Local        Peer
     Port-Channel   Interface   State         IP address   IP address
---------------------------------------------------------------------
1    Po1            1           Up            10.10.10.1   10.10.10.2

Peers state Summary:

System-id           State   Hostname
-----------------------------------
F4:52:14:2D:9B:88   Up      <SX2>
F4:52:14:2D:9B:08   Up      SX1

switch [mellanox: master] (config)#

Step 2. Examine the MLAG summary table. Run:

switch [my-vip: master] (config)# show interfaces mlag-port-channel summary

MLAG Port-Channel Flags: D-Down, U-Up

P-Partial UP, S - suspended by MLAG

Port Flags: D - Down, P - Up in port-channel (members)

S - Suspend in port-channel (members), I - Individual

Group
Port-Channel    Type      Local Ports    Peer Ports
(D/P/S/I)                 (D/P/S/I)      (D/P/S/I)
----------------------------------------------------------------------
1 Mpo2(U)       Static    Eth1/2(P)      Eth1/2(P)

switch (config)#

Step 3. Examine the MLAG statistics. Run:

switch [my-vip: master] (config)# show mlag statistics

IPL 1:

Rx Heartbeat : 516

Tx Heartbeat : 516

Rx IGMP tunnel : 0

Tx IGMP tunnel : 0

RX mlag-notification: 0

TX mlag-notification: 0

Rx port-notification : 0

Tx port-notification : 0

Rx FDB sync : 0

Tx FDB sync : 0

RX LACP manager: 1

TX LACP manager: 0

switch (config)#

5.3.7 Commands

protocol mlag

protocol mlag

no protocol mlag

Enables MLAG functionality and unhides the MLAG commands.

The no form of the command hides the MLAG commands and deletes its database.

Syntax Description

Default: no protocol mlag

Configuration Mode: Config

History: 3.3.4500

Role: admin

Example:

switch (config) # protocol mlag

switch (config) #

Related Commands

Note • Running the no form of this command hides MLAG commands.

• MLAG may be enabled without IP routing, but without IP routing an IPL VLAN interface cannot be configured and thus MLAG does not function.

• MLAG may be enabled without IGMP snooping, but if IGMP snooping is disabled, multicast FDBs do not sync.


mlag

mlag

Enters MLAG configuration mode.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.3.4500

Role: admin

Example:

switch (config) # mlag

switch (config mlag) #

Related Commands

Note


shutdown

shutdown

no shutdown

Enables MLAG.

The no form of the command disables MLAG.

Syntax Description: N/A

Default: Disabled

Configuration Mode: Config MLAG

History: 3.3.4500

Role: admin

Example:

switch (config mlag) # no shutdown

switch (config mlag) #

Related Commands

Note This parameter must be similar in all MLAG peers.


interface mlag-port-channel

interface mlag-port-channel <if-number>

no interface mlag-port-channel <if-number>

Creates an MLAG interface.

The no form of the command deletes the MLAG interface.

Syntax Description: if-number - Integer. Interface number range: 1-1000.

Default: N/A

Configuration Mode: Config

History: 3.3.4500

Role: admin

Example:

switch (config) # interface mlag-port-channel 1

switch (config interface mlag-port-channel 1) #

Related Commands

Note • The maximum number of interfaces is 64.

• The default Admin state is disabled.

• Range configuration is possible on this interface.

• This interface number must be the same in all the MLAG switches.


ipl

ipl <ipl-id>

no ipl <ipl-id>

Sets this LAG as an IPL port.

The no form of the command resets this LAG as regular LAG.

Syntax Description: ipl-id - IPL ID. Only “1” IPL port is supported.

Default: no ipl

Configuration Mode: Config Interface Port Channel

History: 3.3.4500

Role: admin

Example:

switch (config interface port-channel 1)# ipl 1

Related Commands

Note

• If a LAG is set as IPL, only the commands “[no] shutdown”, “no ipl” and “no interface port-channel” become applicable.

• A LAG interface set as IPL must have default LAG configuration, otherwise the set is rejected. Force option can be used.


ipl peer-address

ipl <ipl-id> peer-address <IP-Address>

no ipl <ipl-id>

Maps a VLAN interface to be used for an IPL LAG and sets the peer IP address of the IPL peer port.

The no form of the command deletes a peer IPL LAG and unbinds this VLAN interface from the IPL function.

Syntax Description: ipl-id - IPL ID. Only “1” IPL port is supported.

IP-Address - IPv4 address.

Default: N/A

Configuration Mode: Config Interface VLAN

History: 3.3.4500

Role: admin

Example:

switch (config interface vlan 1)# ipl 1 peer-address 10.10.10.10

switch (config interface vlan 1)#

Related Commands

Note • The subnet mask is the same subnet mask of the VLAN interface.

• This VLAN interface should be used for IPL only.


keep-alive-interval

keep-alive-interval <value>

no keep-alive-interval

Configures the interval during which keep-alive messages are issued between the MLAG switches.

The no form of the command resets this parameter to its default value.

Syntax Description: value - Time in seconds. Range: 1-300.

Default: 1 second

Configuration Mode: Config MLAG

History: 3.3.4500

Role: admin

Example:

switch (config mlag) # keep-alive-interval 1

switch (config mlag) #

Related Commands

Note This parameter must be similar in all MLAG peers.


mlag-channel-group mode

mlag-channel-group <if-number> mode {on | active | passive}

no mlag-channel-group

Binds an Ethernet port to the MLAG LAG.

The no form of the command deletes the binding.

Syntax Description: if-number - Integer. Interface number range: 1-1000.

on - Binds to static MLAG.

active - Sets MLAG LAG in LACP active mode.

passive - Sets MLAG LAG in LACP passive mode.

Default: N/A

Configuration Mode: Config Interface Ethernet

History: 3.3.4500

Role: admin

Example:

switch (config interface ethernet 1/1)# mlag-channel-group 1 mode on

switch (config interface ethernet 1/1)#

Related Commands

Note


mlag-vip

mlag-vip <domain-name> ip [<ip-address> {<masklen> | <netmask>} [force]]

no mlag-vip

Sets the VIP domain and IP address for MLAG.

The no form of the command deletes the VIP domain and IP address.

Syntax Description: domain-name - MLAG group name

<masklen> - Format example: /24. Note that a space is required between the IP address and the mask.

<netmask> - Format example: 255.255.255.0. Note that a space is required between the IP address and the mask.

force - Forces the IP address if another IP is already configured.

Default: N/A

Configuration Mode: Config

History: 3.3.4500

Role: admin

Example:

switch (config)# mlag-vip my-mlag-domain ip 10.10.10.254 /24

switch (config)#

Related Commands

Note • This IP address must be configured in one of the MLAG switches and must be in the box management subnet.

• Other switches in the MLAG must join the same domain name.


reload-delay

reload-delay <value>

no reload-delay

Specifies the amount of time that MLAG ports are disabled after system reboot.

The no form of the command resets this parameter to its default value.

Syntax Description: value - Time in seconds. Range: 0-300.

Default: 30 seconds

Configuration Mode: Config MLAG

History: 3.3.4500

Role: admin

Example:

switch (config mlag) # reload-delay 30

switch (config mlag) #

Related Commands

Note • This interval allows the switch to learn the IPL topology to identify the master and sync the MAC address before opening the MLAG ports.

• This parameter must be similar in all MLAG peers.


system-mac

system-mac <virtual-mac>

no system-mac <virtual-mac>

Configures virtual system MAC.

The no form of the command resets this value to its default value.

Syntax Description: virtual-mac - MAC address

Default: Default is calculated according to the MLAG-VIP name, using the base MAC as VRRP MAC prefix (00:00:5E:00:01:xx) with the suffix hashed from the mlag-vip name 0...255.

Configuration Mode: Config MLAG

History: 3.4.2008

Role: admin

Example:

switch (config mlag) # system-mac 00:00:5E:00:01:5D

switch (config mlag) #

Related Commands

Note This parameter must be configured the same in all MLAG peers.


upgrade-timeout

upgrade-timeout <time>

no upgrade-timeout

Configures the time period during which an MLAG slave keeps its ports active while in upgrading state.

The no form of the command resets the parameter value to its default.

Syntax Description: time - Time in minutes. Range: 0-120 minutes.

Default: 60

Configuration Mode: Config MLAG

History: 3.4.2008

Role: admin

Example:

switch (config mlag) # upgrade-timeout 60

switch (config mlag) #

Related Commands

Note This parameter must be configured the same in all MLAG peers.


show mlag

show mlag

Displays MLAG configuration and status.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4500

3.3.5006 - Updated example

3.4.2008 - Updated example with system MAC and upgrade timeout

Role: admin

Example:

SX2 [mellanox: master] (config)# show mlag

Admin status: Enabled

Operational status: Up

Reload-delay: 1 sec

Keepalive-interval: 30 sec

Upgrade-timeout: 60 min

System-mac: 00:00:5E:00:01:5D

MLAG Ports Configuration Summary:

Configured: 1

Disabled: 0

Enabled: 1

MLAG Ports Status Summary:

Inactive: 0

Active-partial: 0

Active-full: 1

MLAG IPLs Summary:

ID   Group          Vlan        Operational   Local        Peer
     Port-Channel   Interface   State         IP address   IP address
---------------------------------------------------------------------
1    Po1            1           Up            10.10.10.1   10.10.10.2

MLAG Members Summary:

System-id           State   Hostname
-----------------------------------
F4:52:14:2D:9B:88   Up      <SX2>
F4:52:14:2D:9B:08   Up      SX1

SX2 [mellanox: master] (config)#

Related Commands

Note
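Section 5.3 states that keeping the MLAG settings identical on both peers is the user's responsibility and is not monitored by MLNX-OS. The following added example (not part of the manual or of MLNX-OS) compares "show mlag" captures from two peers for the settings whose command notes require them to match, and applies the master-election and three-missed-keepalive rules of Section 5.3.1. The names switch-a and switch-b and the second capture are constructed; the first capture uses the values of the example above.

```python
import ipaddress

# Settings the command notes say must be the same on all MLAG peers.
MUST_MATCH = ("Admin status", "Reload-delay", "Keepalive-interval",
              "Upgrade-timeout", "System-mac")

# Capture using the values of the manual's "show mlag" example.
SWITCH_A = """\
Admin status: Enabled
Operational status: Up
Reload-delay: 1 sec
Keepalive-interval: 30 sec
Upgrade-timeout: 60 min
System-mac: 00:00:5E:00:01:5D
MLAG IPLs Summary:
ID Group Vlan Operational Local Peer
Port-Channel Interface State IP address IP address
---------------------------------------------------------------------
1 Po1 1 Up 10.10.10.1 10.10.10.2
"""

# Constructed capture for the peer, with two deliberate mismatches
# (Reload-delay and System-mac).
SWITCH_B = """\
Admin status: Enabled
Operational status: Up
Reload-delay: 30 sec
Keepalive-interval: 30 sec
Upgrade-timeout: 60 min
System-mac: 00:00:5E:00:01:5E
MLAG IPLs Summary:
ID Group Vlan Operational Local Peer
Port-Channel Interface State IP address IP address
---------------------------------------------------------------------
1 Po1 1 Up 10.10.10.2 10.10.10.1
"""


def parse_show_mlag(text):
    """Return {'params': {...}, 'ipl': (local_ip, peer_ip) or None}."""
    params, ipl = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if sep and key.strip() in MUST_MATCH:
            # Lower-case so MAC addresses compare case-insensitively.
            params[key.strip()] = value.strip().lower()
            continue
        fields = line.split()
        # IPL row: ID, port-channel, VLAN interface, state, local IP, peer IP.
        if len(fields) == 6 and fields[0].isdigit():
            try:
                ipl = (ipaddress.IPv4Address(fields[4]),
                       ipaddress.IPv4Address(fields[5]))
            except ipaddress.AddressValueError:
                pass  # six fields, but not an IPL row
    return {"params": params, "ipl": ipl}


def compare_peers(a, b):
    """List findings; an empty list means the two captures agree."""
    findings = []
    for key in MUST_MATCH:
        va, vb = a["params"].get(key), b["params"].get(key)
        if va is None or vb is None:
            findings.append(f"{key}: missing from one capture")
        elif va != vb:
            findings.append(f"{key}: mismatch ({va} vs {vb})")
    if a["ipl"] is None or b["ipl"] is None:
        findings.append("IPL: no IPL row found in one capture")
    elif a["ipl"] != (b["ipl"][1], b["ipl"][0]):
        # Each side's peer address must be the other side's local address.
        findings.append("IPL: local/peer addresses are not mirror images")
    return findings


def expected_master(named):
    """Section 5.3.1: the node with the highest IPL VLAN interface
    local IP address is elected master."""
    return max(named, key=lambda name: named[name]["ipl"][0])


def peer_loss_seconds(parsed):
    """Section 5.3.1: the peer is considered failed after three
    consecutive missed keepalive intervals."""
    interval = int(parsed["params"]["Keepalive-interval"].split()[0])
    return 3 * interval


if __name__ == "__main__":
    a, b = parse_show_mlag(SWITCH_A), parse_show_mlag(SWITCH_B)
    for finding in compare_peers(a, b):
        print("MISMATCH", finding)
    print("expected master:", expected_master({"switch-a": a, "switch-b": b}))
    print("peer declared failed after", peer_loss_seconds(a), "seconds")
```

An empty findings list is the state to aim for before enabling MLAG; any mismatch reported here is one the switches themselves will not flag.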


show mlag-vip

show mlag-vip

Displays MLAG VIP configuration and status.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4500

Role: admin

Example:

switch (config)# show mlag-vip

MLAG VIP

========

MLAG group name: my-mlag-group

MLAG VIP address: 1.1.1.1/30

Active nodes: 2

Hostname VIP-State IP Address

----------------------------------------------------

SwitchA master 10.10.10.1

SwitchB standby 10.10.10.2

switch (config)#

Related Commands

Note


show interfaces mlag-port-channel

show interfaces mlag-port-channel <if-number>

Displays the MLAG LAG configuration and status.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4500

Role: admin

Example:

switch (config)# show interfaces mlag-port-channel 1

Mpo1

Admin state: Enabled

Operational state: Down

Description: N\A

Mac address: 00:00:00:00:00:00

MTU: 1500 bytes (Maximum packet size 1522 bytes)

Flow-control: receive off send off

Actual speed: 0 Gbps

Width reduction mode: Not supported

Switchport mode: access

Last clearing of "show interface" counters : Never

60 seconds ingress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec

60 seconds egress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec

Rx

0 packets

0 unicast packets

0 multicast packets

0 broadcast packets

0 bytes

0 error packets

0 discard packets

Tx

0 packets

0 unicast packets

0 multicast packets

0 broadcast packets

0 bytes

0 discard packets

switch (config)#

Related Commands

Note


show interfaces mlag-port-channel summary

show interfaces mlag-port-channel summary

Displays MLAG summary table.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4500 - First version

3.4.0000 - Added notes and updated example

3.4.1100 - Updated Example

Role: admin

Example:

switch [my-vip: standby] (config)# show interfaces mlag-port-channel summary

MLAG Port-Channel Flags: D-Down, U-Up

P-Partial UP, S - Suspended by MLAG

Port Flags: D - Down, P - Up in port-channel (members)

S - Suspend in port-channel (members), I - Individual

Group
Port-Channel    Type      Local Ports    Peer Ports
(D/U/P/S)                 (D/P/S/I)      (D/P/S/I)
----------------------------------------------------------------------
1 Mpo2(U)       Static    Eth1/2(P)      Eth1/2(P)
2 Mpo3(U)       Static    Eth1/4(P)      Eth1/8(P)
3 Mpo4(U)       LACP      Eth1/5(P)      Eth1/5(P)

switch (config)#

Related Commands

Note • If a cluster is not available, the column “Peer Ports” shows “N/A”. If the cluster is available but is not configured on the peer, the “Peer Ports” column shows nothing.

• If the system happens to be busy, peer ports may be unavailable and the following prompt may appear in the output: “System busy and partial information is presented – please try again later”.

• The “I” flag indicates an interface which is part of a port-channel and in individual state

• The “S” flag indicates an interface which is part of a port-channel and in suspended state


show mlag statistics

show mlag statistics

Displays the MLAG IPL counters.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.3.4500

3.4.0000 - Updated example

Role: admin

Example:

switch (config)# show mlag statistics

IPL 1:

RX Heartbeat: 439908

TX Heartbeat: 439951

RX IGMP tunnel: 0

TX IGMP tunnel: 1

RX mlag-notification: 0

TX mlag-notification: 12

RX port-notification: 56

TX port-notification: 73

RX FDB sync: 424

TX FDB sync: 778

RX LACP manager: 38

TX LACP manager: 21

Related Commands

Note


5.4 VLANs

A Virtual Local Area Network (VLAN) is an L2 segment of the network which defines a broadcast domain and is identified by a tag added to all Ethernet frames running within the domain. This tag is called a VLAN ID (VID) and can take a value of 1-4094.

Each port can have a switch mode of either:

• Access – An Access port is a port connected to a host. It can accept only untagged frames, and assigns them a default configured VLAN (Port VLAN ID). On egress, traffic sent from the access port is untagged.

• Access-dcb – A Mellanox-specific mode that receives untagged ingress traffic but sends egress traffic with a priority tag (VLAN ID = 0).

• Hybrid – A Hybrid port is a port connected to either switches or hosts. It can receive both tagged and untagged frames and assigns untagged frames a default configured VLAN (Port VLAN ID). It receives tagged frames with VLANs of which the port is a member (these VLANs’ names are allowed). On egress, traffic of allowed VLANs sent from the Hybrid port is sent tagged, while traffic sent with PVID is untagged.

• Trunk – A Trunk port is a port connecting 2 switches. It accepts only tagged frames with VLANs of which the port is a member. On egress, traffic sent from the Trunk port is tagged.

By default, a Trunk port is automatically a member of all current VLANs.
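The per-mode ingress and egress rules listed above, as an added example that is not part of the manual and is not switch code. It is a small model for reasoning about which frames a port accepts and how they leave; the Port class, the forward function and the sample ports are hypothetical, and VLAN membership for tagged frames is assumed to be exactly the "allowed" set.

```python
from dataclasses import dataclass, field

UNTAGGED = None  # marks a frame that carries no VLAN tag


@dataclass
class Port:
    mode: str                                  # access | access-dcb | hybrid | trunk
    pvid: int = 1                              # Port VLAN ID (not used by trunk)
    allowed: set = field(default_factory=set)  # VLANs accepted and sent tagged

    def ingress(self, tag):
        """VLAN the frame is classified into, or None when it is dropped."""
        if tag is UNTAGGED:
            # Trunk accepts only tagged frames; other modes assign the PVID.
            return None if self.mode == "trunk" else self.pvid
        if self.mode in ("access", "access-dcb"):
            return None  # these modes accept only untagged frames
        # Assumption of this model: membership is the allowed set.
        return tag if tag in self.allowed else None

    def egress(self, vlan):
        """How a frame classified into `vlan` leaves this port."""
        if self.mode in ("access", "access-dcb"):
            if vlan != self.pvid:
                return "drop"
            # access-dcb sends a priority tag (VLAN ID = 0).
            return "untagged" if self.mode == "access" else "tagged 0"
        if self.mode == "hybrid" and vlan == self.pvid:
            return "untagged"
        return f"tagged {vlan}" if vlan in self.allowed else "drop"


def forward(in_port, tag, out_port):
    """Result of sending a frame in on one port and out of another."""
    vlan = in_port.ingress(tag)
    return "drop" if vlan is None else out_port.egress(vlan)


if __name__ == "__main__":
    host = Port("access", pvid=6)
    dcb = Port("access-dcb", pvid=6)
    hybrid = Port("hybrid", pvid=6, allowed={10})
    trunk = Port("trunk", allowed={6, 10})
    cases = [
        ("untagged host frame to trunk", host, UNTAGGED, trunk),
        ("tagged frame on access port", host, 6, trunk),
        ("VLAN 10 from trunk to hybrid", trunk, 10, hybrid),
        ("VLAN 6 (PVID) from trunk to hybrid", trunk, 6, hybrid),
        ("untagged frame on trunk", trunk, UNTAGGED, hybrid),
        ("VLAN 6 from trunk to access-dcb", trunk, 6, dcb),
    ]
    for label, src, tag, dst in cases:
        print(f"{label}: {forward(src, tag, dst)}")
```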

5.4.1 Configuring Access Mode and Assigning Port VLAN ID (PVID)

To configure Access mode and assign PVID to interfaces:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

switch > enable

switch # configure terminal

Step 3. Create a VLAN. Run:

switch (config) # vlan 6

switch (config vlan 6) #

Step 4. Change back to config mode. Run:

switch (config vlan 6) # exit

switch (config) #

Step 5. Enter the interface context. Run:

switch (config) # interface ethernet 1/36

switch (config interface ethernet 1/36) #

Step 6. From within the interface context, configure the interface mode to Access. Run:

switch (config interface ethernet 1/36) # switchport mode access

switch (config interface ethernet 1/36) #

Step 7. From within the interface context, configure the Access VLAN membership. Run:

switch (config interface ethernet 1/36) # switchport access vlan 6

switch (config interface ethernet 1/36) #

Step 8. Change back to config mode. Run:

switch (config interface ethernet 1/36) # exit

switch (config) #

5.4.2 Configuring Hybrid Mode and Assigning Port VLAN ID (PVID)

To configure Hybrid mode and assign PVID to interfaces:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

switch > enable

switch # configure terminal

Step 3. Create a VLAN. Run:

switch (config) # vlan 6

switch (config vlan 6) #

Step 4. Change back to config mode. Run:

switch (config vlan 6) # exit

switch (config) #

Step 5. Enter the interface context. Run:

switch (config) # interface ethernet 1/36

switch (config interface ethernet 1/36) #

Step 6. From within the interface context, configure the interface mode to Hybrid. Run:

switch (config interface ethernet 1/36) # switchport mode hybrid

switch (config interface ethernet 1/36) #

Step 7. From within the interface context, configure the Access VLAN membership. Run:

switch (config interface ethernet 1/36) # switchport hybrid vlan 6

switch (config interface ethernet 1/36) #

Step 8. Change to config mode again. Run:

switch (config interface ethernet 1/36) # exit

switch (config) #

5.4.3 Configuring Trunk Mode VLAN Membership

To configure Trunk mode VLAN membership:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

    switch > enable
    switch # configure terminal

Step 3. Create a VLAN. Run:

    switch (config) # vlan 10
    switch (config vlan 10) #

Step 4. Change back to config mode. Run:

    switch (config vlan 10) # exit
    switch (config) #

Step 5. Enter the interface context. Run:

    switch [standalone: master] (config) # interface ethernet 1/35
    switch [standalone: master] (config interface ethernet 1/35) #

Step 6. From within the interface context, configure the interface mode to Trunk. Run:

    switch [standalone: master] (config interface ethernet 1/35) # switchport mode trunk
    switch [standalone: master] (config interface ethernet 1/35) #

5.4.4 Configuring Hybrid Mode VLAN Membership

To configure Hybrid mode VLAN membership:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

    switch > enable
    switch # configure terminal

Step 3. Create a VLAN. Run:

    switch (config) # vlan 10
    switch (config vlan 10) #

Step 4. Change back to config mode. Run:

    switch (config vlan 10) # exit
    switch (config) #

Step 5. Enter the interface context. Run:

    switch (config) # interface ethernet 1/35
    switch (config interface ethernet 1/35) #

Step 6. From within the interface context, configure the interface mode to Hybrid. Run:

    switch (config interface ethernet 1/35) # switchport mode hybrid
    switch (config interface ethernet 1/35) #

Step 7. From within the interface context, configure the allowed VLAN membership. Run:

    switch (config interface ethernet 1/35) # switchport hybrid allowed-vlan add 10
    switch (config interface ethernet 1/35) #

Step 8. Change to config mode again. Run:

    switch (config interface ethernet 1/35) # exit
    switch (config) #

5.4.5 Commands

vlan

    vlan {<vlan-id> | <vlan-range>}
    no vlan {<vlan-id> | <vlan-range>}

Creates a VLAN or range of VLANs, and enters a VLAN context.

The no form of the command deletes the VLAN or VLAN range.

Syntax Description:

    vlan-id       1-4094.
    vlan-range    Any range of VLANs.

Default: VLAN 1 is enabled by default.

Configuration Mode: Config

History: 3.1.1400

Role: admin

Example:

    switch (config) # vlan 10
    switch (config vlan 10) # show vlan
    VLAN  Name         Ports
    ----  -----------  --------------------------------------
    1     default      Eth1/2, Eth1/3, Eth1/4/1, Eth1/4/2 ...
    10
    switch (config vlan 10) #

Related Commands: show vlan, switchport mode, switchport [trunk | hybrid] allowed-vlan

Note: Interfaces are not added automatically to VLAN unless configured with trunk or hybrid mode with “all” option turned on.

name

    name <vlan-name>
    no name

Adds VLAN name.

The no form of the command deletes the VLAN name.

Syntax Description:

    vlan-name    40-character long string.

Default: No name available.

Configuration Mode: Config VLAN

History: 3.1.1400

Role: admin

Example:

    switch (config) # vlan 10
    switch (config vlan 10) # name my-vlan-name
    switch (config vlan 10) # show vlan
    VLAN  Name          Ports
    ----  -----------   --------------------------------------
    1     default       Eth1/2, Eth1/3, Eth1/4/1, Eth1/4/2, Eth1/5,
                        Eth1/6, Eth1/7, Eth1/8, Eth1/9, Eth1/10,
                        Eth1/11, Eth1/12, Eth1/13, Eth1/14, Eth1/15,
                        Eth1/16, Eth1/17, Eth1/18, Eth1/19, Eth1/20,
                        Eth1/21, Eth1/22, Eth1/23, Eth1/24, Eth1/25,
                        Eth1/26, Eth1/27, Eth1/28, Eth1/29, Eth1/30,
                        Eth1/31, Eth1/32, Eth1/33, Eth1/34, Eth1/35,
                        Eth1/36, Po34, Po4096
    10    my-vlan-name

Related Commands: show vlan, switchport mode, switchport [trunk | hybrid] allowed-vlan

Note: Name can not be added to a range of VLANs.

show vlan

    show vlan [id <vlan-id>]

Displays the VLAN table.

Syntax Description:

    vlan-id    1-4094.

Default: N/A

Configuration Mode: Any Command Mode

History: 3.1.1400

Role: admin

Example:

    switch (config vlan 10) # show vlan
    VLAN  Name          Ports
    ----  -----------   --------------------------------------
    1     default       Eth1/2, Eth1/3, Eth1/4/1, Eth1/4/2 ...
    10    my-vlan-name

Related Commands: show vlan, switchport mode, switchport [trunk | hybrid] allowed-vlan, vlan

switchport mode

    switchport mode {access | dot1q-tunnel | trunk | hybrid | access-dcb}
    no switchport mode

Sets the switch port mode.

The no form of the command sets the switch port mode to access.

Syntax Description:

    access          Untagged port. 802.1q tagged traffic is filtered. Egress traffic is untagged.
    dot1q-tunnel    Allows both tagged and untagged ingress Ethernet packets. Egress packets are tagged with a second VLAN (802.1Q) header.
    trunk           802.1q tagged port, untagged traffic is filtered.
    hybrid          Both 802.1q tagged and untagged traffic is allowed on the port.
    access-dcb      Untagged port, egress traffic is priority tagged.

Default: access

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel, Config Interface MLAG Port Channel

History:

    3.1.1400
    3.3.4500    Added MLAG port-channel configuration mode
    3.4.3000    Added dot1q-tunnel parameter

Role: admin

Example:

    switch (config) # interface ethernet 1/7
    switch (config interface ethernet 1/7) # switchport mode access
    switch (config interface ethernet 1/7) # show interfaces switchport
    Interface  | Mode       | Access vlan | Allowed vlans
    -----------|------------|-------------|---------------------------
    Eth1/2       access       1
    Eth1/3       access       1
    Eth1/4/1     access       1
    Eth1/4/2     access       1
    Eth1/5       access       1
    Eth1/6       access       1
    ....
    Po34         access       1
    Po4096       access       1
    switch (config interface ethernet 1/7) #

Related Commands: show vlan, show interfaces switchport, switchport access vlan, switchport [trunk | hybrid] allowed-vlan, switchport dot1q-tunnel qos-mode, vlan

switchport dot1q-tunnel qos-mode

    switchport dot1q-tunnel qos-mode {pipe | uniform}
    no switchport dot1q-tunnel qos-mode

Assigns QoS to the service provider’s traffic.

The no form of the command resets the parameter value to its default.

Syntax Description:

    pipe       Gives the service provider’s traffic QoS 0
    uniform    Gives the service provider’s traffic the same QoS as the customer’s traffic

Default: pipe

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel, Config Interface MLAG Port Channel

History: 3.4.3000

Role: admin

Example:

    switch (config interface ethernet 1/1) # switchport dot1q-tunnel qos-mode uniform
    switch (config interface ethernet 1/1) #

Related Commands: show vlan, show interfaces switchport, switchport access vlan, switchport [trunk | hybrid] allowed-vlan, vlan

switchport access

    switchport access vlan <vlan-id>
    no switchport access vlan

Sets the port access VLAN.

The no form of the command sets the port access VLAN to 1.

Syntax Description:

    vlan-id    1-4094.

Default: 1

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel, Config Interface MLAG Port Channel

History:

    3.1.1400    First version
    3.2.0500    Format change (removed hybrid and access-dcb options). Previous command format was: “switchport {hybrid | access-dcb | access} vlan <vlan-id>”
    3.3.4500    Added MLAG port-channel configuration mode

Role: admin

Example:

    switch (config) # interface ethernet 1/7
    switch (config interface ethernet 1/7) # switchport access vlan 10
    switch (config interface ethernet 1/7) # show interfaces switchport
    Interface  | Mode       | Access vlan | Allowed vlans
    -----------|------------|-------------|---------------------------
    Eth1/2       access       1
    Eth1/3       access       1
    Eth1/4/1     access       1
    Eth1/4/2     access       1
    Eth1/5       access       1
    Eth1/6       access       1
    Eth1/7       access       10
    ....
    Po4096       access       1
    switch (config interface ethernet 1/7) #

Related Commands: show vlan, show interfaces switchport, switchport mode, switchport [trunk | hybrid] allowed-vlan, vlan

Note: This command is not applicable for interfaces with port mode trunk.

Only one option (“access”, “access-dcb” or “hybrid”) can be configured on the port, depending on the switchport mode of the port.

switchport {hybrid, trunk} allowed-vlan

    switchport {hybrid, trunk} allowed-vlan {<vlan> | add <vlan> | remove <vlan> | all | except <vlan> | none}

Sets the port allowed VLANs.

Syntax Description:

    vlan      VLAN ID (1-4094) or VLAN range.
    add       Adds VLAN or range of VLANs.
    remove    Removes VLANs or range of VLANs.
    all       Adds all VLANs available in the VLAN table. New VLANs added to the VLAN table are added automatically.
    except    Adds all VLANs except this VLAN or VLAN range.
    none      Removes all VLANs.

Default: N/A

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel, Config Interface MLAG Port Channel

History: 3.1.1400

Role: admin

Example:

    switch (config) # interface ethernet 1/7
    switch (config interface ethernet 1/7) # switchport hybrid allowed-vlan all
    switch (config interface ethernet 1/7) # show interfaces switchport
    Interface  | Mode       | Access vlan | Allowed vlans
    -----------|------------|-------------|---------------------------
    Eth1/2       access       1
    Eth1/3       access       1
    Eth1/4/1     access       1
    Eth1/4/2     access       1
    Eth1/5       access       1
    Eth1/6       access       1
    Eth1/7       hybrid       1             1, 10
    ....
    Po34         access       1
    Po4096       access       1
    switch (config interface ethernet 1/7) #

Related Commands: show vlan, show interfaces switchport, switchport access vlan, switchport mode, vlan

Note: This command is not applicable for interfaces with port mode access or access-dcb.

show interface switchport

    show interface switchport

Displays all interface switch port configurations.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.1.1400

Role: admin

Example:

    switch (config) # show interfaces switchport
    Interface  | Mode       | Access vlan | Allowed vlans
    -----------|------------|-------------|---------------------------
    Eth1/2       access       1
    Eth1/3       access       1
    Eth1/4/1     access       1
    Eth1/4/2     access       1
    Eth1/5       access       1
    Eth1/6       access       1
    Eth1/7       hybrid       1             1, 10
    ....
    Po34         access       1
    Po4096       access       1
    switch (config) #

Related Commands: show vlan, switchport access vlan, switchport mode, vlan

5.5 QinQ

A QinQ VLAN tunnel enables a service provider (SP) to segregate the traffic of different customers in their infrastructure, while still giving the customer a full range of VLANs for their internal use by adding a second 802.1Q VLAN tag to an already tagged frame.

For example, assume an SP needs to offer L2 connectivity to two corporations, “X” and “Y”, that have campuses located in both “A” and “B”. All campuses run Ethernet LANs, and the customers intend to connect through the SP’s L2 VPN network so that their campuses are in the same LAN (L2 network). Hence, it would be desirable for “X” and “Y” to have a single LAN each in both “A” and “B”, which could easily exceed the VLAN limit of 4096 of the 802.1Q specification.

5.5.1 QinQ Operation Modes

QinQ can be enabled on a port or according to predefined conditions.

C-VLAN is the VLAN tag assigned to the ingress traffic of a QinQ-enabled interface.

S-VLAN is the VLAN tag assigned to the egress traffic of a QinQ-enabled interface.

• ACL-mode: Adding and removing S-VLAN is determined by an ACL-dependent action

• Port-mode: All ingress traffic to a specific QinQ-enabled interface is tagged with an additional VLAN 802.1Q tag (also known as S-VLAN). The S-VLAN ID is equal to that interface’s PVID (access VLAN).

The S-VLAN tag is added regardless of whether the traffic is tagged or untagged. Traffic coming out from this port has the S-VLAN stripped from it.
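The port-mode behaviour described above, shown at the frame level as an added example (not taken from the manual or from MLNX-OS): the S-VLAN tag is pushed in front of whatever the customer sent and removed again on the way out, leaving the customer frame byte-identical. The function names, the sample frames, the use of TPID 0x8100 for the outer tag and the rejection of frames with an unexpected outer tag are assumptions of this sketch.

```python
import struct

# Assumption: the outer tag uses the 802.1Q TPID, because the section
# describes the S-VLAN as "a second 802.1Q VLAN tag".
TPID_8021Q = 0x8100


def build_tag(vid, pcp=0):
    """Return the 4-byte 802.1Q tag (TPID + TCI) for a VLAN ID and priority."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be in 0-7")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def parse_vlan_stack(frame):
    """Return (tags, ethertype, payload); tags are listed outermost first."""
    tags, offset = [], 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"vid": tci & 0x0FFF, "pcp": tci >> 13})
        offset += 4


def tunnel_ingress(frame, pvid):
    """Port-mode ingress: push S-VLAN = PVID, whether or not a tag is present."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    return frame[:12] + build_tag(pvid) + frame[12:]


def tunnel_egress(frame, pvid):
    """Egress on the tunnel port: strip the outer (S-VLAN) tag.

    Modelling assumption: a frame whose outer tag is not the port's PVID is
    rejected instead of being forwarded.
    """
    tags, _, _ = parse_vlan_stack(frame)
    if not tags or tags[0]["vid"] != pvid:
        raise ValueError("frame does not carry the expected S-VLAN")
    return frame[:12] + frame[16:]


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("00aabbccddee")
PAYLOAD = b"constructed payload"
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
C_TAGGED = DST + SRC + build_tag(30, pcp=5) + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("C-VLAN 30", C_TAGGED)):
        tunnelled = tunnel_ingress(frame, pvid=200)
        stack = [tag["vid"] for tag in parse_vlan_stack(tunnelled)[0]]
        restored = tunnel_egress(tunnelled, pvid=200) == frame
        print(f"{name}: stack inside the SP network {stack}, restored={restored}")
```

Each pushed tag adds 4 bytes to the frame, which is worth keeping in mind when comparing tunnelled traffic against the maximum packet size reported by `show interface`.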

5.5.2 Configuring QinQ

To configure QinQ:

Step 1. Create the C-VLAN. Run:

    switch (config) # vlan 200
    switch (config vlan 200) # exit

Step 2. Enter the configuration mode of an Ethernet, LAG, or MLAG interface. Run:

    switch (config) # interface port-channel 100

Step 3. Change the switchport mode of the interface to enable QinQ. Run:

    switch (config interface port-channel 100) # switchport mode dot1q-tunnel

Step 4. Change its port VLAN ID (PVID). This configures the S-VLAN. Run:

    switch (config interface port-channel 100) # switchport access vlan 200

Step 5. Verify the configuration. Run:

    switch (config interface port-channel 100) # show interface port-channel 100
    Po100
      Admin state: Enabled
      Operational state: Up
      Description: N\A
      Mac address: 00:00:00:00:00:00
      MTU: 1500 bytes(Maximum packet size 1522 bytes)
      lacp-individual mode: Disabled
      Flow-control: receive off send off
      Actual speed: 1 X 40 Gbps
      Width reduction mode: Not supported
      Switchport mode: dot1q-tunnel
      QoS mode: uniform
      MAC learning mode: Enabled
      Last clearing of "show interface" counters : Never
      60 seconds ingress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec
      60 seconds egress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec
    Rx
      0 packets
      0 unicast packets
      0 multicast packets
      0 broadcast packets
      0 bytes
      0 error packets
      0 discard packets
    Tx
      0 packets
      0 unicast packets
      0 multicast packets
      0 broadcast packets
      0 bytes
      0 discard packets
    switch (config interface port-channel 100) #

Step 6. Verify the configuration. Run:

    switch (config interface port-channel 100) # show interfaces switchport
    Interface    Mode           Access vlan    Allowed vlans
    -------------------------------------------------------------------------
    Eth1/1       access         1
    Eth1/2       access         1
    Eth1/3       access         1
    Eth1/4       access         1
    Eth1/5       access         1
    Eth1/6       access         1
    ...
    Eth1/27      access         1
    Eth1/33      access         1
    Eth1/34      access         1
    Eth1/35      access         1
    Eth1/36      access         1
    Po400        dot1q-tunnel   200
    switch (config interface port-channel 100) #

5.5.3 Commands

switchport dot1q-tunnel qos-mode

    switchport dot1q-tunnel qos-mode {pipe | uniform}
    no switchport dot1q-tunnel qos-mode

Assigns QoS to the service provider’s traffic.

The no form of the command resets the parameter value to its default.

Syntax Description:

    pipe       Gives the service provider’s traffic the same QoS as the customer’s traffic
    uniform    Gives the service provider’s traffic QoS 0

Default: pipe

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel, Config Interface MLAG Port Channel

History: 3.4.3000

Role: admin

Example:

    switch (config interface ethernet 1/1) # switchport dot1q-tunnel qos-mode uniform
    switch (config interface ethernet 1/1) #

Related Commands: show vlan, show interfaces switchport, switchport access vlan, switchport [trunk | hybrid] allowed-vlan, vlan

5.6 MAC Address Table

5.6.1 Configuring Unicast Static MAC Address

You can configure static MAC addresses for unicast traffic. This feature improves security and reduces unknown unicast flooding.

To configure Unicast Static MAC address:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:

    switch > enable
    switch # configure terminal

Step 3. Run the command mac-address-table static unicast <destination mac address> vlan <vlan identifier(1-4094)> interface ethernet <slot>/<port>.

    switch (config) # mac-address-table static unicast 00:11:22:33:44:55 vlan 1 interface ethernet 0/1

5.6.2 MAC Learning Considerations

MAC learning may be disabled using the command mac-learning disable, which is beneficial in the following situations:

• To prevent denial-of-service attacks

• To manage the available MAC address table space by controlling which interfaces can learn MAC addresses

• To duplicate to a dedicated server (port7) all the packets that one host (host1; port1) sends to another (host2; port2), like in port mirroring. To accomplish this, MAC learning is disabled on port2. In this case the FDB does not obtain the MAC address of host2. Also, to prevent broadcast to every port, it is possible to configure a VLAN (VLAN 80) which ports 1, 2 and 7 are members of.

Figure 17: MAC Learning Disable Example Case (diagram: switch SX with host1 on port 1, host2 on port 2 and the server on port 7, all in VLAN 80; host1 sends frames with SA=1; DA=2)

5.6.3 Commands

mac-address-table aging-time

    mac-address-table aging-time <age>
    no mac-address-table aging-time

Sets the maximum age of a dynamically learnt entry in the MAC address table.

The no form of the command resets the aging time of the MAC address table to its default.

Syntax Description:

    age    10-1000000 seconds.

Default: 300

Configuration Mode: Config

History: 3.1.0600

Role: admin

Example:

    switch (config) # mac-address-table aging-time 50
    switch (config) # show mac-address-table aging-time
    Mac Address Aging Time: 50
    switch (config) #

Related Commands: show mac-address-table, show mac-address-table aging-time

mac-address-table static

    mac-address-table static <mac address> vlan <vlan> interface <if-type> <if-number>
    no mac-address-table static <mac address> vlan <vlan> interface <if-type> <if-number>

Configures a static MAC address in the forwarding database.

The no form of the command deletes a configured static MAC address from the forwarding database.

Syntax Description:

    mac address    Destination MAC address.
    vlan           VLAN ID or VLAN range.
    if-type        Ethernet or port-channel interface type.
    if-number      The interface number (i.e. 1/1, 3).

Default: No static MAC addresses available in default.

Configuration Mode: Config

History: 3.1.0600

Role: admin

Example:

    switch (config) # mac-address-table static aa:aa:aa:aa:aa:aa vlan 1 interface ethernet 1/7
    switch (config) # show mac-address-table
    Switch ethernet-default
    Vlan  Mac Address        Type    Interface
    ----  -----------        ----    ------------
    1     aa:aa:aa:aa:aa:aa  static  Eth1/7
    Number of unicast: 1
    Number of multicast: 0
    switch (config) #

Related Commands: show mac-address-table, mac-address-table aging-time

Note: The no form of the command will not clear a dynamic MAC address. Dynamic MAC addresses are cleared using the “clear mac-address-table dynamic” command.

mac-learning disable

    mac-learning disable
    no mac-learning disable

Disables MAC-address learning.

The no form of the command enables MAC-address learning.

Syntax Description: N/A

Default: Enabled

Configuration Mode: Config Interface Ethernet, Config Interface Port Channel

History: 3.1.0600

Role: admin

Example:

    switch (config interface ethernet 1/1) # mac-learning disable

Note:

• When adding a port to a LAG, the port needs to be aligned with the LAG’s configuration

• When removing a port from a LAG, the port remains in whichever configuration the LAG is in

• Disabling MAC learning is not supported on a local analyzer port.

• Disabling MAC learning is not supported on an IPL LAG.

clear mac-address-table dynamic

    clear mac-address-table dynamic

Clear the dynamic entries in the MAC address table.

Syntax Description: N/A

Default: N/A

Configuration Mode: Config

History: 3.1.0600

Role: admin

Example:

    switch (config) # clear mac-address-table dynamic
    switch (config) #

Related Commands: mac-address-table aging-time, mac-address-table static, show mac-address-table

Note: This command does not clear the MAC addresses learned on the mgmt0 port. Static entries are deleted using the “no mac-address-table static” command.

show mac-address-table

    show mac-address-table [address <mac-address> | interface ethernet <if-number> | vlan [<vlan> | range <range>] | unicast | multicast]

Displays the static and dynamic unicast and multicast MAC addresses for the switch.

Various filter options are available.

Syntax Description:

    mac-address    Filter the table to a specific MAC address.
    if-number      Filter the table to a specific interface.
    vlan           Filter the table to a specific VLAN number (1-4094).
    range          Filter the table to a range of VLANs.
    unicast        Filter the table to unicast addresses only.
    multicast      Filter the table to multicast addresses only.

Default: N/A

Configuration Mode: Any Command Mode

History:

    3.1.0600
    3.3.4500    Updated Example

Role: admin

Example:

    switch (config) # show mac-address-table
    Switch ethernet-default
    Vlan  Mac Address        Type     Interface
    ----  -----------        ----     ------------
    1     00:00:00:00:00:01  Static   Po5
    1     00:00:3D:5C:FE:16  Dynamic  Eth1/1
    1     00:00:3D:5D:FE:1B  Dynamic  Eth1/2
    Number of unicast: 2
    Number of multicast: 0
    switch (config) #

Related Commands: mac-address-table static, clear mac-address-table

show mac-address-table aging-time

    show mac-address-table aging-time

Displays the MAC address table aging time.

Syntax Description: N/A

Default: N/A

Configuration Mode: Any Command Mode

History: 3.1.0600

Role: admin

Example:

    switch (config) # mac-address-table aging-time 300
    switch (config) # show mac-address-table aging-time
    Mac Address Aging Time: 300
    switch (config) #

Related Commands: mac-address-table aging-time, mac-address-table static, clear mac-address-table

Note: MAC addresses learned on the mgmt0 port are not shown by this command.

5.7 Spanning Tree

The operation of Rapid Spanning Tree Protocol (RSTP) provides for rapid recovery of connectivity following the failure of a bridge/bridge port or a LAN. The RSTP component avoids this delay by calculating an alternate root port, and immediately switching over to the alternate port if the root port becomes unavailable. Thus, using RSTP, the switch immediately brings the alternate port to forwarding state, without the delays caused by the listening and learning states. The RSTP component conforms to IEEE standard 802.1D 2004.

RSTP enhancements are a set of functions added to increase the volume of RSTP in Mellanox switches. They add a set of capabilities related to the behavior of ports in different segments of the network. For example: the required behavior of a port connected to a non-switch entity, such as a host, is to converge quickly, while the required behavior of a port connected to a switch entity is to converge based on the RSTP parameters.

Additionally, they add security capabilities on a port and switch basis, allowing the operator to determine the state and role of a port or the entire switch should an abnormal event occur. For example: if a port is configured to be root-guard, the operator will not allow it to become a root port under any circumstances, regardless of any BPDU received on the port.

5.7.1 Port Priority and Cost

When two ports on a switch are part of a loop, the STP port priority and port path cost configuration determine which port on the switch is put in the forwarding state and which port is put in the blocking state.

To configure port priority use the following command:

    switch (config interface ethernet <inf>)# spanning-tree port-priority <0-240>

To configure port path cost use the following command:

    switch (config interface ethernet <inf>)# spanning-tree cost <1-200000000>

5.7.2 Port Type

Port type has the following configuration options:

edge – is not assumed to be converged by the RSTP learning/forwarding mechanism. It converges to forwarding quickly.

It is recommended to configure the port type for all ports connected to hosts as edge ports.

normal – is assumed to be connected to a switch, thus it tries to be converged by the RSTP learning/forwarding. However, if it does not receive any BPDUs, it is operationally moved to be edge.

network – is assumed to be connected to a switch. If it does not receive any BPDUs, it is moved to discarding state.

These configuration options are mutually exclusive.

Port type is configured using the command spanning-tree port type. It may be applied globally on the switch (Config) level, which configures all switch interfaces. Another option is to configure ports individually by entering the interface’s configuration mode.

• Global configuration:

    switch (config)# spanning-tree port type {edge , normal , network} default

• Interface configuration:

    switch (config interface ethernet <inf>)# spanning-tree port type {edge , normal, network}

5.7.3 BPDU Filter

Using BPDU filter prevents the CPU from sending/receiving BPDUs on specific ports.

BPDU filtering is configured per interface. When configured, the port does not send any BPDUs and drops all BPDUs that it receives. To configure BPDU filter, use the following command:

    switch (config interface ethernet <inf>)# spanning-tree bpdufilter {enable , disable}

Configuring BPDU filtering on a port connected to a switch can cause bridging loops because the port filters any BPDU it receives and goes to forwarding state.

5.7.4 BPDU Guard

BPDU guard is a security feature which, when enabled, shuts down the port in case it receives BPDU packets. This feature becomes useful when connecting to an unauthorized switch.

To configure BPDU guard use the following command:

    switch (config interface ethernet <inf>)# spanning-tree port type <type> bpduguard

5.7.5 Loop Guard

Loop guard is a feature that prevents loops in the network.

When a blocking port in a redundant topology transitions to the forwarding state (accidentally), an STP loop occurs. This happens when BPDUs are no longer received by one of the ports in a physically redundant topology.

Loop guard is useful in switched networks where devices are connected point-to-point. A designated bridge cannot disappear unless it sends an inferior BPDU or brings the link down on a point-to-point connection.

The loop guard configuration is only allowed on “network” port type.

If loop guard is enabled and the port does not receive BPDUs, the port is put into an inconsistent state (blocking) until the port starts to receive BPDUs again. A port in the inconsistent state does not transmit BPDUs. If BPDUs are received again, loop guard alters its inconsistent state condition. STP converges to a stable topology without the failed link or bridge after loop guard isolates the failure.

Disabling loop guard moves all loop-inconsistent ports to listening state.

To configure loop guard use the following command:

    switch (config interface ethernet <inf>)# spanning-tree guard loop

5.7.6 Root Guard

Configuring root guard on a port prevents that port from becoming a root port. A port is put in root-inconsistent (blocked) state if an STP convergence is triggered by a BPDU that makes that port a root port. The port is unblocked after the port stops sending BPDUs.

To configure root guard use the following command:

    switch (config interface ethernet <inf>)# spanning-tree guard root
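The constraints stated in sections 5.7.2 to 5.7.5 can be checked mechanically before a change is pushed to a switch. The following added example (not part of the manual or of MLNX-OS) reads a list of CLI commands in the form shown above and reports per-port combinations the text warns about. The input layout, the finding codes, the treatment of an unconfigured port as type normal, and the rule that each port type command also sets the BPDU guard state are assumptions of this sketch.

```python
import re

IFACE_RE = re.compile(r"^interface (ethernet \S+)$")
TYPE_RE = re.compile(r"^spanning-tree port type (edge|normal|network)( bpduguard)?$")
FILTER_RE = re.compile(r"^spanning-tree bpdufilter (enable|disable)$")
GUARD_RE = re.compile(r"^spanning-tree guard (loop|root)$")


def parse_commands(lines):
    """Collect the spanning-tree settings entered in each interface context."""
    ports, current = {}, None
    for raw in lines:
        line = " ".join(raw.split())
        match = IFACE_RE.match(line)
        if match:
            # Assumption: a port with no explicit type is "normal".
            current = ports.setdefault(match.group(1), {
                "type": "normal", "bpduguard": False,
                "bpdufilter": False, "guards": set()})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        match = TYPE_RE.match(line)
        if match:
            current["type"] = match.group(1)
            current["bpduguard"] = bool(match.group(2))
            continue
        match = FILTER_RE.match(line)
        if match:
            current["bpdufilter"] = match.group(1) == "enable"
            continue
        match = GUARD_RE.match(line)
        if match:
            current["guards"].add(match.group(1))
    return ports


def audit(ports):
    """Return (port, finding) pairs for combinations the text warns about."""
    findings = []
    for name, cfg in ports.items():
        # 5.7.5: loop guard is only allowed on the "network" port type.
        if "loop" in cfg["guards"] and cfg["type"] != "network":
            findings.append((name, "LOOP_GUARD_NOT_NETWORK"))
        # 5.7.3: BPDU filter on a switch-facing port can cause bridging loops;
        # "normal" and "network" ports are assumed to be connected to a switch.
        if cfg["bpdufilter"] and cfg["type"] in ("normal", "network"):
            findings.append((name, "BPDUFILTER_ON_SWITCH_PORT"))
        # 5.7.4: without BPDU guard an edge port stays up when it receives BPDUs.
        if cfg["type"] == "edge" and not cfg["bpduguard"]:
            findings.append((name, "EDGE_WITHOUT_BPDUGUARD"))
    return findings


# Constructed command list (not taken from a real switch).
SAMPLE = """
interface ethernet 1/1
spanning-tree port type edge bpduguard
exit
interface ethernet 1/2
spanning-tree port type edge
exit
interface ethernet 1/34
spanning-tree guard loop
exit
interface ethernet 1/35
spanning-tree port type network
spanning-tree guard loop
exit
interface ethernet 1/36
spanning-tree port type network
spanning-tree bpdufilter enable
exit
""".strip().splitlines()

if __name__ == "__main__":
    for port, finding in audit(parse_commands(SAMPLE)):
        print(f"{port}: {finding}")
```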

5.7.7 MSTP

Spanning Tree Protocol (STP) is a mandatory protocol to run on L2 Ethernet networks to eliminate network loops and the resulting broadcast storm caused by these loops. Multiple STP (MSTP) enables the virtualization of the L2 domain into several VLANs, each governed by a separate instance of a spanning tree which results in a network with higher utilization of physical links while still keeping the loop free topology on a logical level.

Up to 64 MSTP instances can be defined in the switch. Up to 64 VLANs can be mapped to a single MSTP instance. MSTP instance 0 (the default instance) may have all possible VLANs (1-4094) mapped to it.

For MSTP network design over Mellanox L2 VMS, please refer to Mellanox Virtual Modular Switch Reference Guide.

5.7.8 RPVST

The Rapid Per-VLAN Spanning Tree (RPVST) flavor of STP provides finer-grained control of traffic by building a spanning-tree instance for each configured VLAN. Like MSTP, it allows better utilization of the network links compared to RSTP.

Figure 18 exhibits a typical RPVST network configuration to get a better utilization on the inter-switch trunk ports.

Figure 18: RPVST Network Config (diagram labels: Root VLAN 10, Root VLAN 20, VLAN 20,30, Root VLAN 30)

5.7.8.1 RPVST and VLAN Limitations

When the STP of the switch is set to RPVST, spanning tree is set on each of the configured VLANs in the system by default. To enable the spanning tree mode, the command “spanning-tree” must be run.

Each VLAN runs an STP state machine and an RPVST instance. There is a global limitation on the number of active state machines that can operate in MLNX-OS. Enforcement of this limitation is done through the maximum number of VLANs allowed in the system. On x86 switch systems the limitation is 128 VLANs and on PPC systems it ranges from 13-18 VLANs depending on the switch system. The more ports the switch system has, the fewer VLANs it can support.

Table 46 - Supported VLANs by RPVST per Switch System

    Switch System Model    Number of Supported VLANs
    x86 systems            128
    SX1012                 17
    SX1016                 13
    SX1024                 13
    SX1035                 13
    SX1036                 13

The state machine takes attributes like forward time, hello time, max age and priority, etc.

When configuring priority on a VLAN in RPVST, the operational priority given to the VLAN is a summation of what the user configured and the value of the VLAN itself.

For example, running “spanning-tree vlan 10 priority 32768” yields a priority of 32778 for VLAN 10.

5.7.8.2 RPVST and RSTP Interoperability

Figure 19: RPVST and RSTP Cluster (diagram: one RSTP Domain interconnecting three RPVST Domains)

RPVST domains can be interconnected by a standard 802.1Q domain that runs RSTP protocol. While the RSTP domain builds a single common instance spanning tree, the RPVST domains at the edge continue to build a tree per VLAN while exchanging tagged RPVST multicast BPDUs. (This exchange may happen on untagged RPVST BPDUs as well.) The switch devices that are in the boundary between the RPVST and the RSTP domains should be configured as RPVST mode.

When set to RPVST mode, the switch continues to run the common instance spanning tree (CIST) state machine on VLAN 1 by exchanging IEEE BPDUs with the legacy RSTP switches.

To successfully connect RSTP and RPVST domains, the system administrator must align the native VLAN configuration across all network switches, or in other words, the internal identification of untagged packets to VLAN.

5.7.9 Commands

spanning-tree

    spanning-tree
    no spanning-tree

Globally enables the spanning tree feature.

The no form disables the spanning tree feature.

Syntax Description: N/A

Default: Spanning tree is enabled.

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

    switch (config) # no spanning-tree
    switch (config) #

Related Commands: show spanning-tree

spanning-tree mode

    spanning-tree mode {rst | mst | rpvst}
    no spanning-tree mode

Changes the spanning tree mode.

The no form of the command sets the parameter to its default value.

Syntax Description:

    mst      Multiple spanning tree.
    rst      Rapid spanning tree.
    rpvst    Rapid per-VLAN spanning tree.

Default: rst

Configuration Mode: Config

History: 3.3.4150

Role: admin

Example:

    switch (config)# spanning-tree mode mst

Note:

• On x86 switch systems, the number of VLANs supported by RPVST are 128

• On PPC switch systems, the number of VLANs supported by RPVST are between 13-18

spanning-tree (timers)

    spanning-tree [forward-time <time in secs> | hello-time <time in secs> | max-age <time in secs>]
    no spanning-tree [forward-time | hello-time | max-age | priority]

Sets the spanning tree timers.

The no form of the command sets the timer to default.

Syntax Description:

    forward-time    Controls how fast a port changes its spanning tree state from Blocking state to Forwarding state. Parameter range: 4-30 seconds.
    hello-time      Determines how often the switch broadcasts its hello message to other switches when it is the root of the spanning tree. Parameter range: 1-2 seconds.
    max-age         Sets the maximum age allowed for the Spanning Tree Protocol information learnt from the network on any port before it is discarded. Parameter range: 6-40 seconds.

Default: forward-time: 15 seconds, hello-time: 2 seconds, max-age: 20 seconds

Configuration Mode: Config

History: 3.1.0000

Role: admin

Example:

    switch (config) # spanning-tree forward-time
    switch (config) #

Related Commands: show spanning-tree

Note: The following formula applies on the spanning tree timers:

    2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1)

Mellanox Technologies Confidential 567

Rev 4.20

spanning-tree port type (default global)

spanning-tree port type {edge [bpdufilter | bpduguard] | network [bpduguard] | normal [bpduguard]} default
no spanning-tree port type default

Configures all switch interfaces as edge/network/normal ports. These ports can be connected to any type of device.
The no form of the command disables the spanning tree operation.

Syntax Description
edge Assumes all ports are connected to hosts/servers.
bpdufilter Enables the spanning tree BPDU filter.
bpduguard Enables the spanning tree BPDU guard.
network Assumes all ports are connected to switches and bridges.
normal The port type (edge or network) is determined according to the spanning tree operational mode.

Default Normal

Configuration Mode Config

History 3.1.0000
3.4.0008 Updated command syntax

Role admin

Example
switch (config) # spanning-tree port type edge default
switch (config) #

Related Commands show spanning-tree

Note

spanning-tree priority

spanning-tree priority <bridge-priority>
no spanning-tree priority

Sets the spanning tree bridge priority.
The no form of the command sets the bridge priority to default.

Syntax Description
bridge-priority Sets the bridge priority for the spanning tree. Its value must be in steps of 4096, starting from 0. Only the following values are applicable: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440.

Default 32786

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # spanning-tree priority 4096
switch (config) #

Related Commands show spanning-tree

Note

spanning-tree port-priority

spanning-tree port-priority <priority>
no spanning-tree port-priority

Configures the spanning-tree interface priority.
The no form of the command returns configuration to its default.

Syntax Description
priority Spanning tree interface priority. The possible values are: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240.

Default 128

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel

History 3.1.0000
3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # spanning-tree port-priority 16
switch (config interface ethernet 1/1) #

Related Commands show spanning-tree

Note

spanning-tree cost

spanning-tree cost <port cost>
no spanning-tree cost

Configures the interface cost of the spanning tree.
The no form of the command returns configuration to its default.

Syntax Description
port cost Sets the spanning tree cost of an interface. Value range is 0-200000000.

Default The default cost is derived from the speed.
1Gbps 20000
10Gbps 2000
40Gbps 500
56Gbps 357

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel

History 3.1.0000
3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # spanning-tree cost 1000
switch (config interface ethernet 1/1) #

Related Commands show spanning-tree

Note
• LAG default cost is calculated by dividing the port speed by the number of active links in UP state. For example: if there were 4 links in the LAG out of which only two are in UP state, assuming the port speed is 10Gbps, the LAG cost will be 2000/2 = 1000.
• When configuring the cost for a LAG, the cost will be fixed to this configuration, no matter what the number of active links (UP state) in the LAG is
• An unstable network may cause the LAG cost to change dynamically, assuming the cost parameter is not configured for anything other than the default

spanning-tree port type

spanning-tree port type <port type>
no spanning-tree port type

Configures spanning-tree port type.
The no form of the command returns configuration to default.

Syntax Description
default According to global configuration.
edge Assumes all ports are connected to hosts/servers.
normal The port type (edge or network) is determined according to the spanning tree operational mode.
network Assumes all ports are connected to switches and bridges.
bpdufilter Enables the spanning tree BPDU filter.
bpduguard Enables the spanning tree BPDU guard.

Default Globally defined by the command “spanning-tree port type <port-type> default”

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel

History 3.1.0000
3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # spanning-tree port type edge
switch (config interface ethernet 1/1) #

Related Commands show spanning-tree

Note

spanning-tree guard

spanning-tree guard {loop | root}
no spanning-tree guard {loop | root}

Configures spanning-tree guard.
The no form of the command returns configuration to default.

Syntax Description
loop Enables loop-guard on the interface. If loop-guard is enabled and the interface fails to receive BPDUs, the switch will not egress data traffic on this interface.
root Enables root-guard on the interface. If root-guard is enabled on the interface, the interface will never be selected as root port.

Default loop-guard and root-guard are disabled.

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel

History 3.1.0000
3.3.4500 Added MLAG port-channel configuration mode

Role admin

Example
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # spanning-tree guard root
switch (config interface ethernet 1/1) #

Related Commands show spanning-tree

Note

spanning-tree bpdufilter

spanning-tree bpdufilter {disable | enable}
no spanning-tree bpdufilter

Configures spanning-tree BPDU filter on the interface. The interface will ignore any BPDU that it receives and will not send BPDUs. The STP state on the port will move to the forwarding state.
The no form of the command returns the configuration to default.

Syntax Description
disable Disables the BPDU filter on this port.
enable Enables the BPDU filter on this port.

Default BPDU filter is disabled.

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel

History 3.1.0000

Role admin

Example
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # spanning-tree bpdufilter enable

Related Commands show spanning-tree

Note This command can be used when the switch is connected to hosts.

clear spanning-tree counters

clear spanning-tree counters

Clears the spanning-tree counters.

Syntax Description N/A

Default N/A

Configuration Mode Config

History 3.1.0000

Role admin

Example
switch (config) # clear spanning-tree counters
switch (config) #

Related Commands show spanning-tree

Note

spanning-tree mst max-hops

spanning-tree mst max-hops <max-hops>
no spanning-tree mst max-hops

Specifies the max hop value inserted into BPDUs that are sent out as the root bridge.
The no form of the command sets the parameter to its default value.

Syntax Description
max-hops Max hop value. The range is 6-40.

Default 20

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst max-hops 20
switch (config)#

Related Commands

Note
• The max hop setting determines the number of bridges in an MST region that a BPDU can traverse before it is discarded
• This command is available when global STP mode is set to MST

spanning-tree mst priority

spanning-tree mst <mst-instance> priority <priority>
no spanning-tree mst <mst-instance> priority

Configures the specified instance’s priority number.
The no form of the command sets the parameter to its default value.

Syntax Description
mst-instance MST instance. Range is 1-64.
priority MST instance port priority. Possible values are: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440

Default 32768

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst 1 priority 32768
switch (config)#

Related Commands

Note
• The bridge priority is the four most significant digits of the bridge ID, which is used by spanning tree algorithms to select the root bridge and choose among redundant links. Bridge ID numbers range from 0-65535 (16 bits); bridges with smaller bridge IDs are elected over other bridges.
• This command is available when global STP mode is set to MST

spanning-tree mst vlan

spanning-tree mst <mst-instance> vlan <vlan-range>
no spanning-tree mst <mst-instance> vlan <vlan-range>

Maps a VLAN or a range of VLANs into an MSTP instance.
The no form of the command unmaps a VLAN or a range of VLANs from MSTP instances.

Syntax Description
mst-instance MST instance. Range is 1-64.
vlan <vlan-range> A single VLAN or a range of VLANs. The format is <vlan> or <from-vlan>-<to-vlan>.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst 1 vlan 10-20
switch (config)#

Related Commands

Note This command is available when global STP mode is set to MST

spanning-tree mst revision

spanning-tree mst revision <number>
no spanning-tree mst revision

Configures the MSTP revision number.
The no form of the command sets the parameter to its default value.

Syntax Description
number The MST revision number. Range is 0-65535.

Default 0

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst revision 1
switch (config)#

Related Commands

Note
• The revision number is one of three parameters, along with the MST name and VLAN-to-instance map, that identify the switch’s MST region
• This command is available when global STP mode is set to MST

spanning-tree mst name

spanning-tree mst name <name>
no spanning-tree mst name

Configures the MSTP name.
The no form of the command sets the parameter to its default value.

Syntax Description
name MST name: Up to 32 characters.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst name my-mst
switch (config)#

Related Commands

Note
• The name is one of three parameters, along with the MST revision number and VLAN-to-instance map, that identify the switch’s MST region
• This command is available when global STP mode is set to MST

spanning-tree mst root

spanning-tree mst <mst-instance> root <role>
no spanning-tree mst <mst-instance> root

Changes the bridge priority for the specified MST instance to the following values:
• Primary – 8192
• Secondary – 16384
The no form of the command sets the parameter to its default value.

Syntax Description
mst-instance MSTP instance. Possible range is 1-64.
role Values: “primary” or “secondary”.

Default primary

Configuration Mode Config

History 3.3.4150

Role admin

Example
switch (config)# spanning-tree mst name my-mst
switch (config)#

Related Commands

Note
• The root command automates configuration of the priority field. The granularity of the priority field may be finer than needed when only 2 levels of priority (primary and secondary) are wanted. By default all the switches get the same priority; the root option assigns the master and backup roles by setting the priority field to a predefined value.
• This command is available when global STP mode is set to MST.

spanning-tree mst port-priority

spanning-tree mst {mst-instance} port-priority <priority>
no spanning-tree mode

Changes the spanning tree mode.
The no form of the command sets the parameter to its default value.

Syntax Description
mst-instance MST instance. Range is 0-4094.
priority MST instance port priority. Valid values are: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224 and 240.

Default rst

Configuration Mode
Config Interface Ethernet
Config Interface Port Channel

History 3.3.4150

Role admin

Example
switch (config interface ethernet 1/1)# spanning-tree mst 1 port-priority 32768
switch (config interface port-channel 1)# spanning-tree mst 1 port-priority 32768

Related Commands

Note This command is available when global STP mode is set to MST.

spanning-tree mst cost

spanning-tree mst {mst-instance} cost <cost-value>
no spanning-tree mode

Configures the cost per MSTP instance.
The no form of the command sets the parameter to its default value.

Syntax Description
mst-instance MST instance. Range is 1-64.
cost-value MST instance port cost. Range is 0-200000000.

Default 2000 for 10Gb/s, 500 for 40Gb/s, 20000 for 1Gb/s, 357 for 56Gb/s

Configuration Mode Config Interface Port Channel

History 3.3.4150

Role admin

Example
switch (config interface ethernet 1/1)# spanning-tree mst 1 cost 4000
switch (config interface port-channel 1)# spanning-tree mst 1 cost 4000
switch (config)#

Related Commands

Note This command is available when global STP mode is set to MST.

spanning-tree vlan forward-time

spanning-tree vlan <vid> forward-time <secs>
no spanning-tree vlan <vid> forward-time

Configures how fast an interface changes its spanning tree state from Blocking to Forwarding.
The no form of the command resets the parameter value to its default.

Syntax Description
secs Parameter range: 4-30 seconds.

Default 15 seconds

Configuration Mode Config

History 3.4.1100

Role admin

Example
switch (config) # spanning-tree vlan 10 forward-time 15

Related Commands show spanning-tree

Note
• The following formula applies on the spanning tree timers:
2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1)
• This command is available when global STP mode is set to RPVST

spanning-tree vlan hello-time

spanning-tree vlan <vid> hello-time <secs>
no spanning-tree vlan <vid> hello-time

Configures how often the switch broadcasts its hello message to other switches when it is the root of the spanning tree.
The no form of the command resets the parameter value to its default.

Syntax Description
secs Parameter range: 1-2 seconds.

Default 2 seconds

Configuration Mode Config

History 3.4.1100

Role admin

Example
switch (config) # spanning-tree vlan 10 hello-time 2

Related Commands show spanning-tree

Note
• The following formula applies on the spanning tree timers:
2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1)
• This command is available when global STP mode is set to RPVST

spanning-tree vlan max-age

spanning-tree vlan <vid> max-age <secs>
no spanning-tree vlan <vid> max-age

Sets the maximum age allowed for the Spanning Tree Protocol information learned from the network on any port before it is discarded.
The no form of the command resets the parameter value to its default.

Syntax Description
secs Parameter range: 6-40 seconds.

Default 20 seconds

Configuration Mode Config

History 3.4.1100

Role admin

Example
switch (config) # spanning-tree vlan 10 max-age 20

Related Commands show spanning-tree

Note
• The following formula applies on the spanning tree timers:
2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1)
• This command is available when global STP mode is set to RPVST

spanning-tree vlan priority

spanning-tree vlan <vid> priority <priority>
no spanning-tree vlan <vid> priority

Configures RPVST instance port priority.
The no form of the command resets the parameter value to its default.

Syntax Description
priority Possible values are: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440.

Default 32768

Configuration Mode Config

History 3.4.1100

Role admin

Example
switch (config) # spanning-tree vlan 10 priority 32768

Related Commands show spanning-tree

Note
• The following formula applies on the spanning tree timers:
2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1)
• This command is available when global STP mode is set to RPVST
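
The timer formula, timer ranges and 4096-step priority values documented for the global and per-VLAN commands above can be checked before a configuration is pushed to a switch. The following Python lint is an added example, not part of the manual or of MLNX-OS; the function name and the sample configuration are constructed, and it assumes that timers not set in a scope take the documented defaults (15/2/20 seconds).

```python
import re

# Ranges and defaults (seconds) as documented on this page.
TIMER_RANGE = {"forward-time": (4, 30), "hello-time": (1, 2), "max-age": (6, 40)}
TIMER_DEFAULT = {"forward-time": 15, "hello-time": 2, "max-age": 20}

# Matches the global and per-VLAN timer/priority commands from this page.
LINE_RE = re.compile(
    r"^spanning-tree(?: vlan (?P<vid>\d+))? "
    r"(?P<key>forward-time|hello-time|max-age|priority) (?P<val>\d+)$"
)

# Constructed sample input, not taken from a real switch.
SAMPLE_CONFIG = """\
spanning-tree mode rpvst
spanning-tree forward-time 10
spanning-tree max-age 20
spanning-tree priority 32786
spanning-tree vlan 10 hello-time 2
spanning-tree vlan 10 max-age 6
spanning-tree vlan 20 max-age 40
"""


def audit_stp_config(lines):
    """Return (scope, message) findings for spanning-tree config lines.

    scope is "global" or "vlan <vid>". Timers that a scope does not set
    are assumed to be at the documented defaults.
    """
    timers = {}    # scope -> effective timer values
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timer/priority command
        scope = f"vlan {m['vid']}" if m["vid"] else "global"
        key, val = m["key"], int(m["val"])
        if key == "priority":
            # Bridge priority must be one of 0, 4096, ..., 61440.
            if val % 4096 != 0 or not 0 <= val <= 61440:
                findings.append(
                    (scope, f"priority {val} is not a multiple of 4096 in 0-61440"))
            continue
        lo, hi = TIMER_RANGE[key]
        if not lo <= val <= hi:
            findings.append((scope, f"{key} {val} is outside {lo}-{hi} seconds"))
        timers.setdefault(scope, dict(TIMER_DEFAULT))[key] = val

    # 2*(ForwardTime - 1) >= MaxAgeTime >= 2*(HelloTime + 1), per scope.
    for scope, t in timers.items():
        fwd, hello, age = t["forward-time"], t["hello-time"], t["max-age"]
        if 2 * (fwd - 1) < age:
            findings.append(
                (scope, f"max-age {age} exceeds 2*(forward-time - 1) = {2 * (fwd - 1)}"))
        if age < 2 * (hello + 1):
            findings.append(
                (scope, f"max-age {age} is below 2*(hello-time + 1) = {2 * (hello + 1)}"))
    return findings


if __name__ == "__main__":
    for scope, message in audit_stp_config(SAMPLE_CONFIG.splitlines()):
        print(f"{scope}: {message}")
```
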


show spanning-tree

show spanning-tree

Displays spanning tree information.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000
3.4.1100 Updated Example with R and G flags

Role admin

Example
switch (config) # show spanning-tree
Switch ethernet-default
Spanning tree protocol is enabled rst
Spanning tree force version:2
Root ID
  Priority 32768
  Address 00:02:c9:7a:e9:40
  Cost 1000
  Port Eth1/32
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
  Priority 32768
  Address 00:02:c9:96:c6:d0
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
L - Loop Inconsistent
R - Root Inconsistent
G - BPDU Guard Inconsistent
Interface  Role        Sts            Cost  Prio  Type
----       ----        -----          ----  ----  ----
Eth1/9     Designated  Forwarding     500   128   normal
Eth1/22    Designated  Discarding(R)  500   128   normal
Eth1/32    Root        Forwarding     500   128   normal
Eth1/39    Disabled    Discarding(G)  2000  128   normal
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note
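
The L, R and G flags in the interface table mark ports that loop guard, root guard or BPDU guard has put into an inconsistent state, and the Root ID block shows which bridge currently holds the root role. The following Python parser is an added example, not part of the manual or of MLNX-OS: it reads the example output shown above and reports flagged ports and an unexpected root bridge. The function names and the `expected_root` baseline are hypothetical, and the `Learning` and `Blocking` state names are an assumption because only Forwarding and Discarding appear on this page.

```python
import re

FLAG_MEANING = {
    "L": "Loop Inconsistent",
    "R": "Root Inconsistent",
    "G": "BPDU Guard Inconsistent",
}

# One row of the interface table: name, role (may contain a space, e.g.
# "Back Up"), state with an optional (L|R|G) flag, cost, priority, type.
ROW_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<role>.+?)\s+"
    r"(?P<state>Forwarding|Discarding|Learning|Blocking)"
    r"(?:\((?P<flag>[LRG])\))?\s+"
    r"(?P<cost>\d+)\s+(?P<prio>\d+)\s+(?P<ptype>\S+)$"
)
ROOT_FIELD_RE = re.compile(r"^(Priority|Address|Cost|Port)\s+(\S+)$")

# The example output of "show spanning-tree" from this page.
SAMPLE_OUTPUT = """\
Switch ethernet-default
Spanning tree protocol is enabled rst
Spanning tree force version:2
Root ID
  Priority 32768
  Address 00:02:c9:7a:e9:40
  Cost 1000
  Port Eth1/32
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
  Priority 32768
  Address 00:02:c9:96:c6:d0
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
L - Loop Inconsistent
R - Root Inconsistent
G - BPDU Guard Inconsistent
Interface  Role        Sts            Cost  Prio  Type
----       ----        -----          ----  ----  ----
Eth1/9     Designated  Forwarding     500   128   normal
Eth1/22    Designated  Discarding(R)  500   128   normal
Eth1/32    Root        Forwarding     500   128   normal
Eth1/39    Disabled    Discarding(G)  2000  128   normal
"""


def parse_show_spanning_tree(output):
    """Return (root, ports): the Root ID fields and one dict per table row."""
    root, ports, section = {}, [], None
    for line in output.splitlines():
        line = line.strip()
        if line in ("Root ID", "Bridge ID"):
            section = line
            continue
        if section == "Root ID":
            m = ROOT_FIELD_RE.match(line)
            if m:
                root[m.group(1).lower()] = m.group(2)
        row = ROW_RE.match(line)
        if row:
            ports.append(row.groupdict())
    return root, ports


def stp_findings(output, expected_root):
    """List an unexpected root bridge and every port carrying a guard flag."""
    root, ports = parse_show_spanning_tree(output)
    findings = []
    if root.get("address") != expected_root:
        findings.append(
            f"root bridge is {root.get('address')}, expected {expected_root}")
    for p in ports:
        if p["flag"]:
            findings.append(
                f"{p['ifname']}: {FLAG_MEANING[p['flag']]} ({p['role']}, {p['state']})")
    return findings


if __name__ == "__main__":
    for finding in stp_findings(SAMPLE_OUTPUT, "00:02:c9:7a:e9:40"):
        print(finding)
```
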


show spanning-tree detail

show spanning-tree detail

Displays detailed spanning-tree configuration and statistics.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.1.0000

Role admin

Example
switch (config) # show spanning-tree detail
Switch ethernet-default
Spanning tree protocol is enabled
Bridge is executing the rst compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 00:02:c9:96:c6:d0
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 00:02:c9:7a:e9:40
Root port is Eth1/32( Ethernet1/32),cost of root path is 1000
Number of topology changes 21,last change occurred 00:00:03 ago
Timers: hold 6 hello 2, max age 20, forward delay 15
default port type: normal, default bpdu filter: disabled, default bpdu guard: disabled
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note

show spanning-tree interface

show spanning-tree interface {ethernet <slot>/<port> | port-channel <port-channel> | mlag-port-channel <mlag-port-channel>}

Displays running state for specific interfaces.

Syntax Description
ethernet Ethernet interface.
port-channel LAG instance.
mlag-port-channel MLAG instance.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example
switch (config) # show spanning-tree interface ethernet 1/2
Eth1/2 is Disabled Discarding
Port path cost 500, Port priority 128, Port Identifier 128.5
Designated root has priority 0, address unknown
Designated bridge has priority 0, address unknown
Designated port id 0.0, designated path cost 0
Number of transitions to forwarding state: 0
Port type: normal
PortFast is: off
Bpdu filter: disabled
Bpdu guard: disabled
Loop guard: disabled
Root guard: disabled
Link type: point-to-point
BPDU: sent: 0 received: 0
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note

show spanning-tree mst

show spanning-tree mst [details | <instance> interface {ethernet <slot>/<port> | port-channel <port-channel> | mlag-port-channel <mlag-port-channel>}]

Displays basic multi-spanning-tree information.

Syntax Description
details Displays detailed multi-spanning-tree configuration and statistics.
ethernet Ethernet interface.
port-channel LAG instance.
mlag-port-channel MLAG instance.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example
switch (config) # show spanning-tree mst
MST0 vlans mapped: 1-1023,1025-2047,2049-3071,3073-4094
Interface  Role        Sts         Cost  Prio    Type
----       ----        -----       ----  ----    ----
Eth1/9     Designated  Forwarding  500   128.9   point-to-point
Eth1/10    Designated  Forwarding  500   128.10  point-to-point
Eth1/11    Back Up     Discarding  500   128.22  point-to-point
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note

show spanning-tree root

show spanning-tree root

Displays root multi-spanning-tree information.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example
switch (config) # show spanning-tree root
Instance  Priority  MAC addr           Root Cost  Hello Time  Max Age  FWD Dly  Root Port
-------   ------    --------           ---------  --------    -------- -------  ---------
MST0      32768     00:02:c9:71:ed:40  500        2           20       15       Eth1/20
MST1      32768     00:02:c9:71:f0:c0  0          2           20       15       -
MST2      0         00:02:c9:71:f0:c0  0          2           20       15       -
MST3      32768     00:02:c9:71:f0:c0  0          2           20       15
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note

show spanning-tree vlan

show spanning-tree vlan <vid> [detail | interface {ethernet <slot>/<port> | port-channel <port-channel> | mlag-port-channel <mlag-port-channel>}]

Displays spanning tree information.

Syntax Description
vid VLAN ID. Range is also supported. Format: <vid1>[-<vid2>]
detail Displays detailed RPVST configuration and statistics.
ethernet Ethernet interface.
port-channel LAG instance.
mlag-port-channel MLAG instance.

Default N/A

Configuration Mode Any Command Mode

History 3.4.1100

Role admin

Example
switch (config) # show spanning-tree vlan 10
Switch ethernet-default
Spanning tree protocol is enabled rpvst
Spanning tree force version:2
Vlan 10
Root ID
  Priority 10
  Address 00:02:c9:96:c6:d0
  This bridge is the root
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
  Priority 10
  Address 00:02:c9:96:c6:d0
  Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
L - Loop Inconsistent
Interface  Role        Sts         Cost  Prio  Type
----       ----        -----       ----  ----  ----
Mpo21      Designated  Forwarding  500   128   normal
Mpo20      Back Up     Discarding  500   128   normal
switch (config) #

Related Commands
clear spanning-tree counters
spanning-tree

Note

5.8 OpenFlow

MLNX-OS supports OpenFlow 1.0. OpenFlow is a network protocol that facilitates direct communication between network systems via Ethernet. Software Defined Networks (SDN) allow centralized management of network equipment. OpenFlow allows the SDN controller to manage SDN equipment. The OpenFlow protocol allows communication between the OpenFlow controller and the OpenFlow agent.

OpenFlow is useful for managing switches and allows applications running on the OpenFlow controller to access the switch’s datapath and provide functionality such as flow steering, security enhancement, traffic monitoring and more.

The OpenFlow controller communicates with the OpenFlow switch over a secured channel using the OpenFlow protocol.

An OpenFlow switch contains a flow table, which holds flows inserted by the OpenFlow controller. The OpenFlow switch performs packet lookup and forwarding according to those rules.

Mellanox OpenFlow switch implementation is based on the hybrid model, allowing the coexistence of an OpenFlow pipeline and a normal pipeline. In this model, a packet is forwarded according to OpenFlow configuration, if such configuration is matched with the packet parameters. Otherwise, the packet is handled by the normal (regular forwarding/routing) pipeline.

The OpenFlow specification defines:

“OpenFlow-hybrid switches support both OpenFlow operation and normal Ethernet switching operation, i.e. traditional L2 Ethernet switching, VLAN isolation, L3 routing (IPv4 routing, IPv6 routing...), ACL and QoS processing. Those switches must provide a classification mechanism outside of OpenFlow that routes traffic to either the OpenFlow pipeline or the normal pipeline. For example, a switch may use the VLAN tag or input port of the packet to decide whether to process the packet using one pipeline or the other, or it may direct all packets to the OpenFlow pipeline.”

Utilizing the built-in capabilities of the hybrid switch/router is the main benefit of the hybrid mode. It increases network performance and efficiency – faster processing of new flows as well as lower load on the controllers. The hybrid switch processes non-OpenFlow data through its local management plane and achieves better efficiency and use of resources, compared to the pure OpenFlow switch.

5.8.1 Flow Table

The flow table contains flows which are used to perform packet lookup, modification and forwarding. Each flow has a 12-tuple key. The key is used to classify a packet into a certain flow. The key contains the following fields: ingress port, source MAC, destination MAC, EtherType, VLAN ID, PCP, source IP, destination IP, IP protocol, IP ToS bits, TCP/UDP source port and TCP/UDP destination port.

The flow key can have a specific value for each field, or a wildcard which signals the switch to ignore this part of the key.

Each packet passes through the flow table. Once a match is found, the switch performs the actions configured for the specific flow by the OpenFlow controller.

Maintaining a flow table enables the switch to forward incoming traffic with a simple lookup on its flow table entries. OpenFlow switches check specific fields of the ingress traffic for matching entries, or ignore them using a wildcard. If the entry exists, the switch performs the action associated with that flow entry. Packets without a flow entry match are forwarded according to the normal pipeline (hybrid switch).

Every flow entry contains one of the following parameters:

1. Header fields for matching purposes with each entry containing a specific value or a wildcard which could match all entries.

2. Matching packet counters which are useful for statistical purposes, in order to keep track of the number of packets.

3. Actions which specify the manner in which to handle the packets of a flow, which can be any of the following:
a. Forwarding the packet
b. Dropping the packet
c. Forwarding the packet to the OpenFlow controller
d. Modifying the VLAN, VLAN priority (PCP), and/or stripping the VLAN header

The flow table supports up to 1000 flows.
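
The lookup described in this section (12-tuple key, per-field wildcards, per-flow packet counters, fall-through to the normal pipeline, 1000-entry limit) can be modelled in a few lines. The following Python model is an added example, not Mellanox or controller code; the class, field and action names are hypothetical labels, and the ordering rule (exact-match entries first, then higher priority first) is the OpenFlow 1.0 matching rule rather than something this section states.

```python
# The 12 key fields listed in this section, under hypothetical short names.
FIELDS = ("in_port", "eth_src", "eth_dst", "eth_type", "vlan_id", "pcp",
          "ip_src", "ip_dst", "ip_proto", "ip_tos", "tp_src", "tp_dst")
WILDCARD = None       # a field left unset in a flow matches any value
TABLE_SIZE = 1000     # flow table capacity stated on this page


class FlowTable:
    def __init__(self, size=TABLE_SIZE):
        self.size = size
        self.flows = []

    def add(self, match, actions, priority=0):
        """Install a flow; fields missing from `match` are wildcards."""
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        if len(self.flows) >= self.size:
            raise OverflowError("flow table full")
        key = tuple(match.get(f, WILDCARD) for f in FIELDS)
        self.flows.append({"key": key, "actions": list(actions),
                           "priority": priority, "packets": 0})
        # Exact-match entries first, then wildcard entries by priority.
        self.flows.sort(key=lambda f: (WILDCARD in f["key"], -f["priority"]))

    def lookup(self, packet):
        """Return the actions of the first matching flow and count the packet.

        A packet that matches no flow is handed to the normal pipeline,
        which is the hybrid-mode behaviour described above.
        """
        values = tuple(packet.get(f) for f in FIELDS)
        for flow in self.flows:
            if all(k is WILDCARD or k == v for k, v in zip(flow["key"], values)):
                flow["packets"] += 1
                return flow["actions"]
        return ["normal"]


def demo():
    """Constructed flows and packets; returns the action chosen for each."""
    table = FlowTable()
    # Send every ARP frame to the controller (low priority, mostly wildcard).
    table.add({"eth_type": 0x0806}, ["controller"], priority=0)
    # Drop everything from one source MAC on one ingress port.
    table.add({"in_port": "Eth1/18", "eth_src": "11:22:33:44:55:66"},
              ["drop"], priority=1)
    packets = [
        {"in_port": "Eth1/18", "eth_src": "11:22:33:44:55:66", "eth_type": 0x0806},
        {"in_port": "Eth1/2", "eth_src": "aa:bb:cc:00:00:01", "eth_type": 0x0806},
        {"in_port": "Eth1/2", "eth_src": "aa:bb:cc:00:00:01", "eth_type": 0x0800},
    ]
    return [table.lookup(p) for p in packets], table


if __name__ == "__main__":
    results, table = demo()
    print(results)
    print([(f["priority"], f["packets"]) for f in table.flows])
```

The first packet matches both flows and is dropped because the higher-priority entry is consulted first, which is why overlapping wildcard flows need deliberate priorities.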

5.8.2 Configuring OpenFlow

To run OpenFlow on a switch:

Step 1. Unlock the OpenFlow CLI commands. Run:
switch (config) # protocol openflow

Step 2. Configure interfaces to be managed by OpenFlow. Run:
switch (config) # interface ethernet 1/1-1/4 openflow mode hybrid

Step 3. Configure the OpenFlow controller IP and TCP port. Run:
switch (config) # openflow controller-ip 10.209.0.205 tcp-port 6633

Step 4. (Optional) Verify the OpenFlow configuration. Run:
switch (config) # show openflow
OpenFlow version: OF VERSION 1.0
Table size: 1000, 0 in use
Active controller ip: 10.209.0.205 port: 6633
Connection status: HANDSHAKE_COMPLETE (CONNECTED)
Forward-to-controller: ospf lldp arp-unicast arp-broadcast (all)
Enabled ports: Eth1/1 Eth1/2 Eth1/3 Eth1/4
switch (config) #

To be able to configure the switch using the controller, you should see the following line in the output:

Connection status must be: HANDSHAKE_COMPLETE (CONNECTED).

5.8.3 Commands

protocol openflow

protocol openflow
no protocol openflow

Unhides the OpenFlow commands.
The no form of the command hides the OpenFlow commands.

Syntax Description N/A

Default no protocol openflow

Configuration Mode Config

History 3.3.4200

Role admin

Example
switch (config) # protocol openflow
switch (config) #

Related Commands

Note

openflow description

openflow description <string>

Sets the OpenFlow description.

Syntax Description
string Free string.

Default N/A

Configuration Mode Config

History 3.3.4302

Role admin

Example
switch (config) # openflow description OF-switch-104
switch (config) # show openflow detail
OpenFlow version: OF VERSION 1.0
Table size: 1000, 0 in use
Active controller ip: 10.209.1.39 port: 6633
Connection status: HANDSHAKE_COMPLETE (CONNECTED)
Forward-to-controller: ospf lldp arp-unicast arp-broadcast (all)
Enabled ports: Eth1/10 Eth1/11 Eth1/13 Eth1/19
Echo period: 10 sec
Keep alive period: 30 sec
Messages in (last session): 86290
Messages out (last session): 47984
Disconnect count: 0
Openflow description: OF-switch-104
Datapath ID: 00:00:00:02:c9:a8:e3:50
Not supporting buffering
Not supporting emergency flows
Not supporting port statistics
Not supporting IP reassemble
Supporting spanning tree
Not supporting queue statistics
switch (config) #

Related Commands

Note

openflow mode hybrid

openflow mode hybrid
no openflow mode

Enables OpenFlow on the port.
The no form of the command returns the port to its default state.

Syntax Description N/A

Default no openflow mode

Configuration Mode Config Interface Ethernet

History 3.3.4200

Role admin

Example
switch (config interface ethernet 1/1)# openflow mode hybrid
switch (config interface ethernet 1/1)#

Related Commands

Note

controller-ip

controller-ip <ip-address> [tcp-port <port-number>]
no controller-ip <ip-address> tcp-port

Sets the OpenFlow controller’s IP & TCP port.
The no form of the command sets the parameter to its default.

Syntax Description
ip-address The IPv4 address of the OpenFlow controller.
tcp-port <port-number> Sets the TCP port number of the OpenFlow controller.

Default 0.0.0.0; TCP port 6633

Configuration Mode Config OpenFlow

History 3.3.4200

Role admin

Example
switch (config openflow) # controller-ip 10.10.10.10 tcp-port 6633
switch (config openflow) #

Related Commands

Note

datapath-id

datapath-id <value>
no datapath-id

Sets a specific identifier for the switch with which the controller is communicating.
The no form of the command resets the parameter to its default value.

Syntax Description
value The most significant 16 bits of the agent data-path ID. Range is 0x0000-0xFFFF in hexadecimal.

Default 0x0000

Configuration Mode Config OpenFlow

History 3.3.4200

Role admin

Example
switch (config openflow) # datapath-id 0x1234
switch (config openflow) #

Related Commands

Note

forward-to-controller

forward-to-controller {[ospf] [lldp] [arp-unicast] [arp-broadcast] all | none}

Forwards the selected traffic types to the controller from all the ports on which OpenFlow is enabled.

Syntax Description:
  ospf: Forwards OSPF traffic to the controller.
  lldp: Forwards LLDP traffic to the controller.
  arp-unicast: Forwards ARP-unicast traffic to the controller.
  arp-broadcast: Forwards ARP-broadcast traffic to the controller.
  all: Forwards all traffic types to the controller.
  none: Forwards no traffic to the controller.
Default: None
Configuration Mode: Config OpenFlow
History: 3.3.4200
Role: admin

Example:
switch (config openflow) # forward-to-controller all
switch (config openflow) #

Related Commands

Note

show openflow

show openflow [detail | tables | flows <id>]

Displays general information about the OpenFlow protocol configuration.

Syntax Description:
  detail: Displays detailed information about the OpenFlow protocol.
  tables: Displays information about the OpenFlow tables (size, type, etc.).
  flows <id>: Displays specific flows inside the OpenFlow tables. ID may be a range (e.g. 1-10).
  statistics: Displays OpenFlow statistics.
Default: None
Configuration Mode: Any Command Mode
History: 3.3.4200, 3.3.4302
  Removed flow-id parameter
  Added “flows” and “statistics” parameters
Role: admin

Example:
switch (config openflow) # show openflow flows 2
Flow id: 2 priority: 1 hard timeout: infinite idle timeout: 0 sec
match:
  ingress interface: Eth1/18
  source Ethernet address: 11:22:33:44:55:66
  destination Ethernet address: 77:88:aa:bb:cc:fe
  Ethernet type: 0x800
  VLAN ID: 308
  PCP: 4
  SIP: 1.1.1.1
  DIP: 2.2.2.2
  Dport: 1790
  Protocol: 86
  TOS: 120
actions:
  output controller
statistics:
  0 packets, 0 bytes
switch (config openflow) #

Related Commands

Note

5.9 IGMP Snooping

Only IGMP Snooping v1 and v2 are supported.

The Internet Group Multicast Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. The host joins a multicast-group by sending a join request message towards the network router, and responds to queries sent from the network router by dispatching a join report.

A port can either be manually configured as a router-port or be learned dynamically as one when it receives a query, which indicates that the network router is connected to it. All IGMP snooping control packets received from hosts (joins/leaves) are forwarded to the router-port, and the router-port updates its multicast-group database accordingly. Each dynamically learnt multicast group will be added to all of the router-ports on the switch.

As many as 5K multicast groups can be created on the switch.

5.9.1 Configuring IGMP Snooping

You can configure IGMP snooping to establish multicast group memberships.

To configure IGMP snooping:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable IGMP snooping globally. Run:
switch (config) # ip igmp snooping
switch (config) #

Step 4. Enable IGMP snooping on a VLAN. Run:
switch (config) # vlan 2
switch (config vlan 2) # ip igmp snooping

5.9.2 Defining a Multicast Router Port on a VLAN

You can define a Multicast Router (MRouter) port on a VLAN in one of the following methods:

To change the interface switchport to trunk:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable IGMP snooping globally. Run:
switch (config) # ip igmp snooping
switch (config) #

Step 4. Change the interface switchport mode of the port (the interface is a member of VLAN 1 by default). Run:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # switchport mode trunk

Step 5. Change back to config mode. Run:
switch (config interface ethernet 1/1) # exit
switch (config) #

Step 6. Define the MRouter port on the VLAN. Run:
switch (config) # vlan 2
switch (config vlan 2) # ip igmp snooping mrouter interface ethernet 1/1
switch (config vlan 2) #

To change the interface switchport to hybrid:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable IGMP snooping globally. Run:
switch (config) # ip igmp snooping
switch (config) #

Step 4. Create a VLAN. Run:
switch (config) # vlan 200
switch (config vlan 200) #

Step 5. Change back to config mode. Run:
switch (config vlan 200) # exit
switch (config) #

Step 6. Change the interface switchport mode of the port (the interface is a member of VLAN 1 by default). Run:
switch (config) # interface ethernet 1/36
switch (config interface ethernet 1/36) # switchport mode hybrid

Step 7. Attach the VLAN to the port’s interface. Run:
switch (config interface ethernet 1/36) # switchport mode hybrid allowed-vlan 200
switch (config interface ethernet 1/36) #

Step 8. Change to config mode again. Run:
switch (config interface ethernet 1/36) # exit
switch (config) #

Step 9. Define the MRouter port on the VLAN. Run:
switch (config) # vlan 200
switch (config vlan 200) # ip igmp snooping mrouter interface ethernet 1/36
switch (config vlan 200) #

5.9.3 IGMP Snooping Querier

IGMP Snooping Querier complements the IGMP snooping functionality. IGMP Snooping Querier is used to support IGMP snooping in a VLAN where PIM and IGMP are not configured because the multicast traffic does not need to be routed. When IGMP Snooping Querier is enabled, the switch periodically sends IGMP queries through all ports in the VLAN, and hosts that wish to receive IP multicast traffic respond with IGMP report messages. IGMP Snooping Querier must be used in conjunction with IGMP snooping, because IGMP snooping listens to these IGMP reports to establish appropriate forwarding.

To configure IGMP Snooping Querier:

Step 1. Enable the IGMP snooping on the switch. Run:
switch (config) # ip igmp snooping

Step 2. Enable the IGMP snooping querier on a specific VLAN. Run:
switch (config) # vlan 10
switch (config vlan 10)# ip igmp snooping querier

Step 3. Set the query interval time. Run:
switch (config vlan 10)# igmp snooping querier query-interval 25

Step 4. (Optional) Verify the IGMP snooping querier configuration. Run:
switch (config vlan 10)# show ip igmp snooping querier
VLAN 10 IGMP Querier Present query-interval: 125 address: 1.1.1.2 version: 2
switch (config vlan 10)#

5.9.4 Commands

ip igmp snooping (admin)

ip igmp snooping
no ip igmp snooping

Enables IGMP snooping globally or per VLAN.
The no form of the command disables IGMP snooping globally or per VLAN.

Syntax Description: N/A
Default: IGMP snooping is disabled, globally and per VLAN.
Configuration Mode: Config
  Config VLAN
History: 3.1.1400
Role: admin

Example:
switch (config) # ip igmp snooping
switch (config) # vlan 10
switch (config vlan 10) # ip igmp snooping
switch (config vlan 10) # exit
switch (config) # show ip igmp snooping
IGMP snooping global configuration:
IGMP snooping globally enabled
IGMP snooping operationally enabled
Proxy-reporting globally disabled
Last member query interval is 1 seconds
Mrouter timeout is 125 seconds
Port purge timeout is 260 seconds
Report suppression interval is 5 seconds
switch (config vlan 10) # show ip igmp snooping vlan 10
Vlan 10 configuration parameters:
IGMP snooping is enabled
IGMP version is V2
Snooping switch is acting as Non-Querier
mrouter static port list: none
mrouter dynamic port list: none
switch (config vlan 10) # vlan 10
switch (config vlan 10) # show ip igmp snooping

Related Commands

Note: IGMP snooping has a global admin state and a per-VLAN admin state. Both states need to be enabled in order to enable IGMP snooping on a specific VLAN.

ip igmp snooping (config)

ip igmp snooping {last-member-query-interval <1-25> | proxy reporting | mrouter-timeout <60-600> | port-purge-timeout <130-1225> | report-suppression-interval <1-25>}
no ip igmp snooping {last-member-query-interval | proxy reporting | mrouter-timeout | report-suppression-interval}

Configures IGMP global parameters.
The no form of the command resets the IGMP global parameters to default.

Syntax Description:
  last-member-query-interval <1-25>: Sets the time period (in seconds) with which the general queries are sent by the IGMP querier. After timeout expiration the port will be removed from the multicast group.
  proxy reporting: Enables proxy reporting.
  mrouter-timeout <60-600>: Sets the IGMP snooping router port purge time-out after which the port gets deleted if no IGMP router control packets are received. The default value is 125 seconds.
  port-purge-timeout <130-1225>: Sets the IGMP snooping port purge time interval after which the port gets deleted if no IGMP reports are received.
  report-suppression-interval <1-25>: Sets the IGMP snooping report-suppression time interval for which the IGMPv2 report messages for the same group will not get forwarded onto the router ports. The default value is 5 seconds.
Default:
  last-member-query-interval: 1 second
  proxy reporting is disabled
  mrouter-timeout: 125
  port-purge-timeout: 260 seconds
  report-suppression-interval: 5 seconds
Configuration Mode: Config
History: 3.1.1400
Role: admin

Example:
switch (config) # ip igmp snooping report-suppression-interval 3
switch (config) # show ip igmp snooping
IGMP snooping global configuration:
IGMP snooping globally enabled
IGMP snooping operationally enabled
Proxy-reporting globally disabled
Last member query interval is 1 seconds
Mrouter timeout is 125 seconds
Port purge timeout is 260 seconds
Report suppression interval is 3 seconds
switch (config) #

Related Commands: ip igmp snooping (admin)
  show ip igmp snooping

Note

ip igmp snooping fast-leave

ip igmp snooping fast-leave
no ip igmp snooping fast-leave

Enables fast leave processing on a specific interface.
The no form of the command disables fast leave processing on a specific interface.

Syntax Description: N/A
Default: Normal-leave is enabled.
Configuration Mode: Config Interface Ethernet
  Config Interface Port Channel
  Config Interface MLAG Port Channel
History:
  3.1.1400
  3.3.4500: Added MLAG port-channel configuration mode
Role: admin

Example:
switch (config interface ethernet 1/1) # ip igmp snooping fast-leave
switch (config interface ethernet 1/1) # show ip igmp snooping interfaces
interface    leave-mode
-----------  ------------
Eth1/1       Fast
Eth1/2       Normal
Eth1/3       Normal
...
switch (config interface ethernet 1/1) #

Related Commands: show ip igmp snooping interfaces

Note

ip igmp snooping static-group

ip igmp snooping static-group <IP address> interface <type> <number>
no ip igmp snooping static-group <IP address> interface <type> <number>

Creates a static multicast group and attaches a port to a specified group.
The no form of the command deletes the interface from the multicast group.

Syntax Description:
  IP address: Multicast IP address <224.x.x.x - 239.255.255.255>
  interface <type> <number>: Attach the group to a specific interface. type - ethernet or port-channel
Default: No static groups are configured.
Configuration Mode: Config VLAN
History: 3.1.1400
Role: admin

Example:
switch (config)# vlan 1
switch (config vlan 1) # ip igmp snooping static-group 230.0.0.1 interface ethernet 1/1
switch (config vlan 1) # show ip igmp snooping groups
Vlan ID   Group         St/Dyn   Ports
--------  ------------  -------  -------
1         230.0.0.1     St       Eth1/1
Total Num of Dynamic Group Addresses 0
Total Num of Static Group Addresses 1
switch (config vlan 1) #

Related Commands: show ip igmp snooping groups

Note: If the deleted interface is the last port, it deletes the entire multicast group.

ip igmp snooping mrouter

ip igmp snooping mrouter interface <type> <number>
no ip igmp snooping mrouter interface <type> <number>

Creates a static multicast router port on a specific VLAN, on a specific interface.
The no form of the command removes the static multicast router port from a specific VLAN.

Syntax Description:
  interface <type> <number>: Attaches the group to a specific interface. type - ethernet or port-channel.
Default: No static mrouters are configured.
Configuration Mode: Config VLAN
History: 3.1.1400
Role: admin

Example:
switch (config)# vlan 1
switch (config vlan 1) # ip igmp snooping mrouter interface ethernet 1/1
switch (config vlan 1) # show ip igmp snooping mrouter
Vlan      Ports
--------  ------------
1         Eth1/1(static)
switch (config vlan 1) #

Related Commands: show ip igmp snooping mrouter

Note: The multicast router port can be created only if IGMP snooping is enabled both globally and on the VLAN.

ip igmp snooping unregistered multicast

ip igmp snooping unregistered multicast <options>
no ip igmp snooping unregistered multicast

Sets the behavior of the snooping switch for unregistered multicast traffic.
The no form of the command sets it to its default.

Syntax Description:
  options:
    • flood
    • forward-to-mrouter-ports
Default: flood
Configuration Mode: Config
History: 3.2.0500
Role: admin

Example:
switch (config) # ip igmp snooping unregistered multicast flood
switch (config) # show ip igmp snooping
IGMP snooping global configuration:
IGMP snooping globally enabled
IGMP snooping operationally enabled
Proxy-reporting globally disabled
Last member query interval is 1 seconds
Mrouter timeout is 125 seconds
Port purge timeout is 260 seconds
Report suppression interval is 5 seconds
IGMP snooping unregistered multicast: flood
switch (config) #

Related Commands: show ip igmp snooping

Note
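The two admin states described in the note to ip igmp snooping (admin) and the unregistered-multicast setting above can be checked from saved command output. The following Python is an added example, not Mellanox code; it assumes the output layouts shown in this manual's examples, and the "disabled" and "acting as Querier" wordings and the VLAN 20 sample are assumptions.

```python
import re

# Output of "show ip igmp snooping", copied from the example on this page.
GLOBAL_SAMPLE = """\
IGMP snooping global configuration:
IGMP snooping globally enabled
IGMP snooping operationally enabled
Proxy-reporting globally disabled
Last member query interval is 1 seconds
Mrouter timeout is 125 seconds
Port purge timeout is 260 seconds
Report suppression interval is 5 seconds
IGMP snooping unregistered multicast: flood
"""

# "show ip igmp snooping vlan" output: VLANs 1 and 10 follow this page's
# examples; VLAN 20 is constructed, and its "disabled" wording is assumed.
VLAN_SAMPLE = """\
Vlan 1 configuration parameters:
IGMP snooping is enabled
Snooping switch is acting as Non-Querier
mrouter static port list: Eth1/1
mrouter dynamic port list: none
Vlan 10 configuration parameters:
IGMP snooping is enabled
Snooping switch is acting as Non-Querier
mrouter static port list: none
mrouter dynamic port list: none
Vlan 20 configuration parameters:
IGMP snooping is disabled
Snooping switch is acting as Non-Querier
mrouter static port list: none
mrouter dynamic port list: none
"""


def parse_global(text):
    """Extract the global admin state, unregistered-multicast mode and timers."""
    state = re.search(r"IGMP snooping globally (enabled|disabled)", text)
    unreg = re.search(r"unregistered multicast:\s*(\S+)", text)
    timers = {name.lower(): int(value) for name, value in
              re.findall(r"^\s*(\S.*?) is (\d+) seconds", text, re.M)}
    return {
        "enabled": state is not None and state.group(1) == "enabled",
        "unregistered": unreg.group(1) if unreg else None,
        "timers": timers,
    }


def parse_vlans(text):
    """Return {vlan_id: {"enabled", "querier", "mrouter_ports"}}."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Vlan (\d+) configuration parameters:", line)
        if header:
            current = vlans.setdefault(int(header.group(1)), {
                "enabled": False, "querier": False, "mrouter_ports": []})
        elif current is None or not line:
            continue
        elif line.startswith("IGMP snooping is "):
            current["enabled"] = line.split()[-1] == "enabled"
        elif line.startswith("Snooping switch is acting as "):
            # Assumed wording when the switch is the querier: "acting as Querier".
            current["querier"] = line.split()[-1] == "Querier"
        elif line.startswith("mrouter ") and "port list:" in line:
            ports = re.split(r"[,\s]+", line.split(":", 1)[1].strip())
            current["mrouter_ports"] += [p for p in ports if p and p != "none"]
    return vlans


def audit(global_cfg, vlans):
    """Return (scope, message) findings; scope is "global" or a VLAN ID."""
    findings = []
    if global_cfg["unregistered"] == "flood":
        findings.append(("global", "unregistered multicast is flooded, not "
                                   "limited to mrouter ports"))
    for vid, vlan in sorted(vlans.items()):
        if vlan["enabled"] and not global_cfg["enabled"]:
            findings.append((vid, "enabled on the VLAN but disabled globally: "
                                  "snooping is not in effect"))
        elif not vlan["enabled"]:
            findings.append((vid, "snooping is disabled on this VLAN"))
        elif not vlan["querier"] and not vlan["mrouter_ports"]:
            findings.append((vid, "no mrouter port and the switch is "
                                  "Non-Querier (see 5.9.3)"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(parse_global(GLOBAL_SAMPLE),
                                parse_vlans(VLAN_SAMPLE)):
        print(scope, "-", message)
```
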

ip igmp snooping querier

ip igmp snooping querier
no ip igmp snooping querier

Enables the IGMP Snooping Querier on a VLAN.
The no form of the command disables the IGMP Snooping Querier on a VLAN.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config VLAN
History: 3.3.4200
Role: admin

Example:
switch (config vlan 1)# ip igmp snooping querier
switch (config vlan 1)#

Related Commands: igmp snooping querier query-interval
  show ip igmp snooping querier

Note

igmp snooping querier query-interval

igmp snooping querier query-interval <time>
no igmp snooping querier query-interval

Configures the query interval.
The no form of the command resets the parameter to its default.

Syntax Description:
  time: Time interval between queries (in seconds).
Default: 125 seconds
Configuration Mode: Config VLAN
History: 3.3.4200
Role: admin

Example:
switch (config vlan 1)# igmp snooping querier query-interval 20
switch (config vlan 1)#

Related Commands: igmp snooping querier query-interval
  show ip igmp snooping querier

Note

show ip igmp snooping

show ip igmp snooping

Displays IGMP snooping information for all VLANs or a specific VLAN.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping
IGMP snooping global configuration:
IGMP snooping globally enabled
IGMP snooping operationally enabled
Proxy-reporting globally disabled
Last member query interval is 1 seconds
Mrouter timeout is 125 seconds
Port purge timeout is 260 seconds
Report suppression interval is 3 seconds
IGMP snooping unregistered multicast: flood
switch (config) #

Related Commands

Note

show ip igmp snooping groups

show ip igmp snooping groups

Displays, per VLAN, the list of multicast groups (statically or dynamically allocated) attached to each port.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping groups
Vlan ID   Group         St/Dyn   Ports
--------  ------------  -------  -------
1         230.0.0.1     St       Eth1/1
Total Num of Dynamic Group Addresses 0
Total Num of Static Group Addresses 1
switch (config) #

Related Commands

Note

show ip igmp snooping vlan

show ip igmp snooping vlan {<vlan/vlan-range> | all}

Displays IGMP configuration per VLAN or VLAN range.

Syntax Description:
  vlan/vlan range: Displays IGMP VLAN configuration per specific VLAN or VLAN range.
  all: Displays IGMP VLAN configuration on all VLANs.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping vlan 1
Vlan 1 configuration parameters:
IGMP snooping is enabled
IGMP version is V2
Snooping switch is acting as Non-Querier
mrouter static port list: Eth1/1
mrouter dynamic port list: none
switch (config) #

Related Commands

Note

show ip igmp snooping mrouter

show ip igmp snooping mrouter

Displays IGMP snooping multicast router information.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping mrouter
Vlan      Ports
--------  ------------
1         Eth1/1(static)
switch (config) #

Related Commands

Note

show ip igmp snooping interfaces

show ip igmp snooping interfaces

Displays IGMP snooping interface information.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping interfaces
interface    leave-mode
-----------  ------------
1/1          Normal
1/2          Normal
1/3          Normal
1/4          Fast
...
switch (config) #

Related Commands

Note

show ip igmp snooping statistics

show ip igmp snooping statistics

Displays IGMP snooping statistical counters.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.1.1400
Role: admin

Example:
switch (config) # show ip igmp snooping statistics
Snooping Statistics for VLAN 1
General queries received : 0
Group specific queries received : 0
V1/V2 reports received : 0
V1/V2 reports transmitted : 0
Leave messages received : 0
Group specific queries transmitted: 0
Leave messages transmitted: 0
Unsuccessful joins received count Per Vlan: 0
Active/Successful joins received count Per Vlan: 0
Active Groups count: 0
Packets dropped: 0
switch (config) #

Related Commands

Note

show ip igmp snooping querier

show ip igmp snooping querier [vlan <num>]

Displays running IGMP snooping querier configuration on the VLANs.

Syntax Description:
  vlan <num>: Displays the IGMP snooping querier configuration running on the specified VLAN.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.3.4200
Role: admin

Example:
switch (config) # show ip igmp snooping querier vlan 10
Vlan 1 IGMP Querier Present query-interval: 20 address: 1.1.1.2 version: 2
switch (config) #

Related Commands

Note

5.10 Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 LAN. The protocol is formally defined in IEEE 802.1AB.

5.10.1 Configuring LLDP

To configure the LLDP on the switch:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable LLDP globally on the switch. Run:
switch (config) # lldp
switch (config) #

Step 4. Enable LLDP per interface. Run:
switch (config interface ethernet 1/1) # lldp receive
switch (config interface ethernet 1/1) # lldp transmit

Step 5. Show LLDP local information. Run:
switch (config) # show lldp local
LLDP is Enabled
Local global configuration
Chassis sub type: macAddress (4)
Chassis id: 00:11:22:33:44:55
System Name: "switch-111111"
System Description: my-system-description
Supported capabilities: B
Supported capabilities enabled: B

Step 6. Show LLDP remote information. Run:
switch (config)# show lldp interfaces ethernet 1/1 remote
Ethernet 1/1
Remote Index: 1
Remote chassis id: 00:11:22:33:44:55 ; chassis id subtype: mac
Remote port-id: ethernet 1/2; port id subtype: local
Remote port description: ethernet 1/2
Remote system name: remote-system
Remote system description: remote-system-description
Remote system capabilities supported: B ; B

5.10.2 DCBX

Data Center Bridging (DCB) is an enabler for running the Ethernet network with lossless connectivity using priority-based flow control and enhanced transmission selection. DCBX (exchange) complements the DCB implementation by offering a dynamic protocol that communicates DCB attributes between peering endpoints.

5.10.3 Commands

lldp

lldp
no lldp

Enables LLDP globally.
The no form of the command disables the LLDP.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config
History: 3.2.0300
Role: admin

Example:
switch (config)# lldp
switch (config)# show lldp local

Related Commands

Note

lldp reinit

lldp reinit <seconds>
no lldp reinit

Sets the delay in seconds from enabling the LLDP on the port until re-initialization will be attempted.
The no form of the command sets the parameter to default.

Syntax Description:
  seconds: 1-10
Default: 2
Configuration Mode: Config
History: 3.2.0300
Role: admin

Example:
switch (config)# lldp reinit 10
switch (config)#

Related Commands: show lldp timers

Note

lldp timer

lldp timer <seconds>
no lldp timer

Sets the interval at which LLDP frames are transmitted (lldpMessageTxInterval).
The no form of the command sets the parameter to default.

Syntax Description:
  seconds: 5-32768
Default: 30
Configuration Mode: Config
History: 3.2.0300
Role: admin

Example:
switch (config)# lldp timer 10
switch (config)#

Related Commands: show lldp timers

Note

lldp tx-delay

lldp tx-delay <seconds>
no lldp tx-delay

Indicates the delay in seconds between successive LLDP frame transmissions.
The no form of the command sets the parameter to default.

Syntax Description:
  seconds: 1-8192
Default: 2
Configuration Mode: Config
History: 3.2.0300
Role: admin

Example:
switch (config)# lldp tx-delay 10
switch (config)#

Related Commands: show lldp timers

Note: The recommended value for the tx-delay is set by the following formula:
1 <= lldp tx-delay <= (0.25 * lldp timer)

lldp tx-hold-multiplier

lldp tx-hold-multiplier <seconds>
no lldp tx-hold-multiplier

The time-to-live value expressed as a multiple of the lldpMessageTxInterval object.
The no form of the command sets the parameter to default.

Syntax Description:
  seconds: 1-8192
Default: 2
Configuration Mode: Config
History: 3.2.0300
Role: admin

Example:
switch (config)# lldp tx-hold-multiplier 10
switch (config)#

Related Commands: show lldp timers

Note: The actual time-to-live value used in LLDP frames can be expressed by the following formula:
TTL = min(65535, (lldpMessageTxInterval * lldpMessageTxHoldMultiplier))
For example, if the value of lldpMessageTxInterval is '30', and the value of lldpMessageTxHoldMultiplier is '4', then the value '120' is encoded in the TTL field in the LLDP header.
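The tx-delay recommendation and the TTL formula in the notes above can be checked against the output of show lldp timers. The following Python is an added example, not part of the manual or of MLNX-OS; it assumes the key:value layout shown in this manual's show lldp timers example and uses the ranges documented on this page, and the second sample line is constructed.

```python
import re

# Ranges as documented on this page for each command.
RANGES = {
    "msg-tx-interval": (5, 32768),  # lldp timer
    "tx-delay": (1, 8192),          # lldp tx-delay
    "tx-hold": (1, 8192),           # lldp tx-hold-multiplier
    "tx-reinit-delay": (1, 10),     # lldp reinit
}
TTL_MAX = 65535  # ceiling in the TTL formula from the note above

# Output line from this manual's "show lldp timers" example.
PAGE_SAMPLE = "msg-tx-interval:30 tx-delay:2 tx-hold:4 tx-reinit-delay:2"
# Constructed sample: every value is inside its documented range.
CONSTRUCTED_SAMPLE = "msg-tx-interval:10 tx-delay:10 tx-hold:8192 tx-reinit-delay:10"

_TIMER_RE = re.compile(
    r"\b(msg-tx-interval|tx-delay|tx-hold|tx-reinit-delay)\s*:\s*(\d+)")


def parse_lldp_timers(text):
    """Parse timer pairs given on one line or one per line into {name: int}."""
    found = {name: int(value) for name, value in _TIMER_RE.findall(text)}
    missing = sorted(set(RANGES) - set(found))
    if missing:
        raise ValueError("missing timer(s): " + ", ".join(missing))
    return found


def ttl_seconds(timers):
    """TTL carried in LLDP frames: min(65535, interval * hold multiplier)."""
    return min(TTL_MAX, timers["msg-tx-interval"] * timers["tx-hold"])


def check_lldp_timers(timers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = timers[name]
        if not low <= value <= high:
            findings.append(
                f"{name}={value} is outside the documented range {low}-{high}")
    # Recommended: 1 <= lldp tx-delay <= (0.25 * lldp timer)
    limit = 0.25 * timers["msg-tx-interval"]
    if not 1 <= timers["tx-delay"] <= limit:
        findings.append(
            f"tx-delay={timers['tx-delay']} is outside the recommended "
            f"range 1-{limit:g}")
    if timers["msg-tx-interval"] * timers["tx-hold"] > TTL_MAX:
        findings.append(
            f"interval * multiplier exceeds {TTL_MAX}; the TTL is capped")
    return findings


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        timers = parse_lldp_timers(sample)
        print(sample)
        print("  TTL:", ttl_seconds(timers))
        for finding in check_lldp_timers(timers):
            print("  finding:", finding)
```
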

lldp {receive | transmit}

lldp {receive | transmit}
no lldp {receive | transmit}

Enables LLDP to be received or transmitted on this port.
The no form of the command disables the LLDP to be received or transmitted on this port.

Syntax Description: N/A
Default: Enabled for receive and transmit.
Configuration Mode: Config Interface Ethernet
History: 3.2.0300
Role: admin

Example:
switch (config interface ethernet 1/1)# lldp receive
switch (config interface ethernet 1/1)# lldp transmit
switch (config interface ethernet 1/1)#

Related Commands: show lldp interface

Note: The LLDP is disabled by default (globally).

lldp tlv-select

lldp tlv-select {[dcbx] [dcbx-cee] [port-description] [sys-name] [sys-description] [sys-capabilities] [management-address] [none] all}

Sets the LLDP basic TLVs to be transmitted on this port.

Syntax Description:
  dcbx: Enables LLDP-DCBX TLVs.
  dcbx-cee: Enables LLDP-DCBX CEE TLVs.
  port-description: LLDP port description TLV.
  sys-name: LLDP system name TLV.
  sys-description: LLDP system description TLV.
  sys-capabilities: LLDP system capabilities TLV.
  management-address: LLDP management address TLV.
  all: All of the above TLVs.
  none: None of the above TLVs.
Default: all
Configuration Mode: Config Interface Ethernet
History:
  3.2.0300: Initial revision
  3.3.0000: Added “none” parameter
  3.3.4302: Added “dcbx” parameter
  3.3.4402: Added “dcbx-cee” parameter
Role: admin

Example:
switch (config interface ethernet 1/1)# lldp tlv-select port-description sys-name
switch (config interface ethernet 1/1)#

Related Commands: show lldp interface

Note

dcb application-priority

dcb application-priority <selector> <protocol> <priority>

Adds an application to the application priority table.

Syntax Description:
  selector: Protocol type: ethertype
  protocol: Protocol field in hexadecimal notation (e.g. ‘0x8906’ for FCoE, ‘0x8914’ for FIP).
  priority: Range: 0-7.
Default: No applications are available. The table is empty.
Configuration Mode: Config
History: 3.3.4200
  3.4.0008
Role: admin

Example:
switch (config-if)# dcb application-priority ethertype 0x8906
switch (config-if)#

Related Commands: show lldp interface

Note

show lldp local

show lldp local

Shows LLDP local information.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.2.0300
Role: admin

Example:
switch (config)# show lldp local
LLDP is Enabled
Local global configuration
Chassis sub type: macAddress (4)
Chassis id: 0002C9030046AF00
System Name: my-switch
System Description: SX1036
Supported capabilities: B,R
Supported capabilities enabled: B
switch (config)#

Related Commands

Note

show lldp interface

show lldp interface [ethernet <inf>]

Shows LLDP local interface table information.

Syntax Description:
  inf: Interface number (e.g. 1/1).
Default: N/A
Configuration Mode: Any Command Mode
History:
  3.2.0300: First version
  3.3.4200: Updated example
  3.3.4402: Updated example
Role: admin

Example:
switch (config)# show lldp interface ethernet 1/1
TLV flags:
PD: port-description, SN: sys-name, SD: sys-description, SC: sys-capabilities, MA: management-address, ETS-C: ETS-Configuration, ETS-R: ETS-Recommendation, AP: Application Priority, PFC: Priority Flow Control, CEE: Converged Enhanced Ethernet DCBX version
Interface  Receive  Transmit  Notification  TLVs
--------------------------------------------------------------------------
eth1/1     Enable   Enable    Enable        PD,SN,SD,SC,MA,PFC,CEE
eth1/2     Disable  Disable   Enable        PD,SN,SD,MA,AP
eth1/3     Enable   Disable   Disable       PD,SD,SC,ETS-R,AP,PFC
...
switch (config)#

Related Commands

Note

show lldp interfaces ethernet <inf> remote

show lldp interfaces ethernet <inf> remote

Shows LLDP remote interface table information.

Syntax Description:
  inf: Local interface number (e.g. 1/1).
Default: N/A
Configuration Mode: Any Command Mode
History:
  3.2.0300: First version
  3.3.4200: Updated output
Role: admin

Related Commands

Note

Example:
switch (config)# show lldp interfaces ethernet <number>
Ethernet <port-number> // example "Ethernet 1/1"

Latest LLDPDU received on <date> // e.g. date: "Thu Feb 14 12:08:29 2013" - new field

Remote Index:

Remote chassis id: <byte array> ; chassis id subtype: <sub-type>

Remote port-id: <byte array> ; port id subtype: <sub-type>

Remote port description: <byte array>

Remote system name: <byte array>

Remote system description: < byte array>

Remote system capabilities supported: <enum parsed as defined in the MIB> ; enable <enum parsed as defined in the MIB>

Management Table // theoretically remote can send more than one management address (Future)
RemoteIndex  Subtype  Address      ifSubtype   ifId      OID
1            ipV4(1)  10.10.10.10  ifIndex(2)  1(mgmt0)  <Oid>
1            ipV4(1)  10.10.10.11  ifIndex(3)  2(mgmt1)  <Oid>

Unknown TLVs Table // (Future)
Type       Info
-------------------------------
<integer>  <byte-array>
<integer>  <byte-array>

Organizationally-Defined Information Table // (Future)
OUI           subtype    Index      DefInfo
-------------------------------------------------------------
<byte-array>  <integer>  <integer>  <byte-array>
<byte-array>  <integer>  <integer>  <byte-array>

Remote PFC configuration // new section
Willing: {enabled, disabled}
MACsec: {enabled, disabled}
Number of supported traffic classes: 4 // range is 1-8
PFC enabled on priorities: 5 7 // it could be "0 1 2 3 4 5 6 7" or " 1 3 7" or "None"
WARNING: peer PFC configuration does not match the local PFC configuration // This warning should appear only if the local and remote PFC configuration don't match!

Remote ETS configuration // new section
Willing: {enabled, disabled}
CBS: {enabled, disabled}
Number of supported traffic classes: 3 // range is 1-8
WARNING: peer ETS configuration does not match the local ETS configuration // This warning should appear only if the local and remote ETS configuration don't match!

Priority assignment table: Priority TC

1

3

0

2

0

1

---------------

0

3

7

2

6

2

5

1

4

3

Traffic class bandwidth table // (No need to have the recommended TC - ETS-Recommended TLV)

TC Bandwidth TSA

-----------------------------


0 25% tsaStrictPriority(0) // we are expecting either 0 or 2 as answers.


show lldp timers

show lldp timers

Shows LLDP timers configuration.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.2.0300
Role: admin

Example:
switch (config)# show lldp timers
msg-tx-interval:30 tx-delay:2 tx-hold:4 tx-reinit-delay:2
switch (config)#

Related Commands

Note

show lldp statistics global

show lldp statistics global

Shows LLDP global statistics.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.2.0300
Role: admin

Example:
switch (config)# show lldp statistics global
Remote Table Last Change Time : 10300
Remote Table Inserts : 5
Remote Table Deletes : 0
Remote Table Drops : 0
Remote Table Ageouts : 0
switch (config)#

Related Commands

Note

show lldp statistics [interface ethernet <inf>]

show lldp statistics [interface ethernet <inf>]

Shows LLDP interface statistics.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.2.0300
Role: admin

Example:
switch (config)# show lldp statistics ethernet 1/1
Interface  Frames     In      In     TLVs       TLVs         Ageout  Out
           Discarded  Errors  Total  Discarded  Unrecognize          Frames
-----------------------------------------------------------------------
Eth 1/1    0          0       10     0          0            0       0
switch (config)#

Related Commands

Note

show dcb application-priority

show dcb application-priority

Displays application priority admin table.

Syntax Description  N/A
Default             N/A
Configuration Mode  Any Command Mode
History             3.3.4200
Role                admin
Example
    switch (config)# show dcb application-priority
    Application priority configuration
    Selector   Protocol  Priority
    ------------------------------
    Ethertype  0x8906    3
    Ethertype  0x8914    3
    switch (config)#
Related Commands
Note

5.11 Quality of Service (QoS)

5.11.1 Priority Flow Control and Link Level Flow Control

Priority Flow Control (PFC) provides an enhancement to the existing pause mechanism in Ethernet. The current Ethernet pause option stops all traffic on a link. PFC creates eight separate virtual links on the physical link and allows any of these links to be paused and restarted independently, enabling the network to create a no-drop class of service for an individual virtual link. PFC has 8 possible priorities (3 bits in VLAN header). Each priority can be mapped to one of 4 possible queues in the ingress.

The PFC software offers the following features:

• Provides per-priority enabling or disabling of flow control

• Transmits PFC-PAUSE frames when the receive threshold for a particular traffic class is reached

• Provides the management capability for an administrator to configure the flow control properties on each port of the switch

• Keeps flow control disabled for all priorities on all ports by default

• Allows an administrator to enable or disable flow control per port and per priority level

• Supports flow control only on physical ports, not on logical interfaces such as tunnels or interfaces defined by sharing a physical port in multiple virtual switch contexts

• Uses the configured threshold values to set up the queue buffer spaces accordingly in the datapath

• Provides hardware abstraction layer callouts for the following:

• Enabling or disabling of flow control on each port for each priority

• Configuring the queue depth for each priority on each port

• Provides trace logs for execution upon error conditions and for any event notifications from the hardware or datapath. These trace logs are a useful aid in troubleshooting.

• Allows the administrator to configure the minimum and maximum threshold values for flow control. These configurations are applied globally on all ports and priorities.

Priority Based Flow Control (PFC) provides an enhancement to the existing pause flow control mechanism as described in 802.1x.

To enable PFC globally:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable PFC globally on the switch. Run:
switch (config) # dcb priority-flow-control enable
This action might cause traffic loss while shutting down a port with priority-flow-control mode on
Type 'yes' to confirm enable pfc globally: yes

To enable PFC per priority:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable PFC globally on the switch. Run:
switch (config) # dcb priority-flow-control enable
This action might cause traffic loss while shutting down a port with priority-flow-control mode on
Type 'yes' to confirm enable pfc globally: yes
switch (config) #

Step 4. Choose the priority you want to enable using the command dcb priority-flow-control priority <pri[0..7]> enable.
switch (config) # dcb priority-flow-control priority 5 enable

To enable PFC per interface:

Step 1. Log in as admin.

Step 2. Change to config mode. Run:
switch > enable
switch # configure terminal

Step 3. Enable PFC globally on the switch. Run:
switch (config) # dcb priority-flow-control enable

Step 4. Choose the priority you want to enable using the command dcb priority-flow-control priority <pri[0..7]> enable.
switch (config) # dcb priority-flow-control priority 5 enable

Step 5. Change to Interface mode. Run:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) #

Step 6. Enable PFC for the specific interface:
switch (config interface ethernet 1/1) # dcb priority-flow-control mode on

5.11.2 Enhanced Transmission Selection (ETS)

Enhanced Transmission Selection (ETS) provides a common management framework for assignment of bandwidth to traffic classes, for weighted round robin (WRR) scheduling. If a traffic class does not use all the bandwidth allocated to it, other traffic classes can use that available bandwidth. This allows optimal utilization of the network capacity while prioritizing and providing the necessary resources.

The ETS feature has the following attributes:

• ETS global admin:

• Enable (default) – scheduling mode is WRR according to the configured bandwidth per traffic class

• Disable – scheduling mode is Strict Priority (SP)

• Bandwidth percentage for each traffic class: By default each traffic class gets an equal share

The default mapping of priority to traffic classes (per interface) is as follows:

• Priority 0,1 mapped to TC 0

• Priority 2,3 mapped to TC 1

• Priority 4,5 mapped to TC 2

• Priority 6,7 mapped to TC 3

TC0 and TC3 are lossy TCs, while TC1 and TC2 can be lossless as well as lossy. It is possible, but not recommended, to map PFC-enabled priorities (lossless traffic) to TC0 or TC3.

ETS is enabled by default (scheduling is WRR).

To set the scheduling mode to Strict Priority:

Step 1. Run the command no dcb ets enable.
switch (config) # no dcb ets enable

To configure the WRR bandwidth percentage:

Step 1. Make sure the ETS feature is enabled. Run:
switch (config) # dcb ets enable

Step 2. Choose the WRR bandwidth rate and distribution.

By default, the WRR distribution function is an equal 25% per TC. Changing the WRR bandwidth rate changes the distribution function. For example, to schedule more traffic on TC-0, TC-1 and TC-2 while reducing the amount of traffic sent on TC-3, run the command dcb ets tc bandwidth:
switch (config) # dcb ets tc bandwidth 30 30 30 10
switch (config) # show dcb ets
ETS enabled
TC    Bandwidth
--------------------------
0     30%
1     30%
2     30%
3     10%
Number of Traffic Class: 4
switch (config) #

Traffic class priorities are <0-3>, where 0 is the lowest and 3 is the highest.

The sum of all traffic class bandwidth values (in percentage) should be 100, otherwise the command fails.

Step 3. Run the command show dcb ets to verify the configuration.
switch (config) # show dcb ets
ETS enabled
TC    Bandwidth
--------------------------
0     30%
1     30%
2     10%
3     30%
Number of Traffic Class: 4
switch (config) #
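An offline check of two rules stated above, as an added example that is not part of the manual or of MLNX-OS: the TC bandwidth values must sum to 100, and PFC-enabled priorities should not map to the lossy TC0 or TC3. The function names and the sample show output are constructed; only the output layout, the default priority mapping and the lossy/lossless TC split are taken from the page.

```python
import re
from typing import Dict, List

# From the manual: TC0 and TC3 are lossy; TC1 and TC2 can be lossless.
LOSSLESS_CAPABLE_TCS = {1, 2}
# Default priority-to-TC mapping from the manual.
DEFAULT_PRIO_TO_TC = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}

# Constructed sample output, laid out like the manual's examples.
SHOW_PFC = """\
PFC enabled
Priority Enabled List : 0 5
Priority Disabled List : 1 2 3 4 6 7
Interface PFC admin PFC oper
------------ -------------- -------------
1/1 On Enabled
1/2 Disabled Disabled
"""

SHOW_ETS_INTERFACE = """\
TC Bandwidth RecomBandwidth
0 30% 30%
1 30% 30%
2 30% 30%
3 10% 10%
priority assignment table
Priority TC
0 0
1 0
2 1
3 1
4 2
5 2
6 3
7 3
"""


def pfc_priorities(show_pfc: str) -> List[int]:
    """Priorities on the 'Priority Enabled List' line (may be empty)."""
    match = re.search(r"^Priority Enabled List[ \t]*:(.*)$", show_pfc, re.M)
    if match is None:
        raise ValueError("no 'Priority Enabled List' line in input")
    return [int(p) for p in match.group(1).split()]


def pfc_ports(show_pfc: str) -> List[str]:
    """Interfaces whose 'PFC admin' column reads On."""
    return re.findall(r"^(\d+/\d+)[ \t]+On[ \t]+\S+[ \t]*$", show_pfc, re.M)


def tc_bandwidth(show_ets: str) -> Dict[int, int]:
    """TC -> configured bandwidth percentage (first % column)."""
    return {int(tc): int(bw)
            for tc, bw in re.findall(r"^(\d+)[ \t]+(\d+)%", show_ets, re.M)}


def priority_map(show_ets: str) -> Dict[int, int]:
    """Priority -> TC rows, layered over the documented default mapping."""
    rows = re.findall(r"^([0-7])[ \t]+([0-3])[ \t]*$", show_ets, re.M)
    return {**DEFAULT_PRIO_TO_TC, **{int(p): int(tc) for p, tc in rows}}


def audit(show_pfc: str, show_ets: str) -> List[str]:
    """Return one finding per violated rule; an empty list means clean."""
    findings = []
    total = sum(tc_bandwidth(show_ets).values())
    if total != 100:
        findings.append(f"TC bandwidth sums to {total}%, not 100%")
    mapping = priority_map(show_ets)
    ports = ", ".join(pfc_ports(show_pfc)) or "none"
    for prio in pfc_priorities(show_pfc):
        tc = mapping[prio]
        if tc not in LOSSLESS_CAPABLE_TCS:
            findings.append(
                f"priority {prio} is PFC-enabled but maps to lossy TC{tc} "
                f"(ports with PFC on: {ports})")
    return findings


if __name__ == "__main__":
    for line in audit(SHOW_PFC, SHOW_ETS_INTERFACE):
        print(line)
```

With the sample input, priority 5 passes because it maps to TC2, while priority 0 is flagged because its default mapping is TC0.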

5.11.3 Commands

5.11.3.1 Enhanced Transmission Selection (ETS)

dcb ets enable

dcb ets enable
no dcb ets enable

Sets the switch egress scheduling mode to be weighted round robin.
The no form of the command sets the switch egress scheduling mode to be strict priority.

Syntax Description  N/A
Default             ETS is enabled.
Configuration Mode  Config
History             3.1.0000
Role                admin
Example
    switch (config)# dcb ets enable
    switch (config)# show dcb ets
    ETS enabled
    TC    Bandwidth
    --------------------------
    0     25%
    1     25%
    2     25%
    3     25%
    Number of Traffic Class: 4
    switch (config) #
Related Commands    show dcb ets
Note

dcb ets tc bandwidth

dcb ets tc bandwidth <tc-0> <tc-1> <tc-2> <tc-3>
no dcb ets tc bandwidth

Configures the bandwidth limit of the traffic class.
The no form of the command sets the bandwidths per traffic class back to its default.

Syntax Description  tc-i    0-100.
Default             25% per traffic class.
Configuration Mode  Config
History             3.1.0000
Role                admin
Example
    switch (config)# dcb ets tc bandwidth 20 20 30 30
    switch (config) # show dcb ets
    ETS enabled
    TC    Bandwidth
    --------------------------
    0     20%
    1     20%
    2     30%
    3     30%
    Number of Traffic Class: 4
    switch (config) #
Related Commands    show dcb ets
Note                The sum of all traffic class bandwidth must be equal to 100.

vlan map-priority

vlan map-priority <priority> traffic-class <tc>
no vlan map-priority <priority>

Maps a VLAN user priority to a traffic class.
The no form of the command sets the mapping back to default.

Syntax Description  N/A
Default             Priority 0,1 mapped to tc 0.
                    Priority 2,3 mapped to tc 1.
                    Priority 4,5 mapped to tc 2.
                    Priority 6,7 mapped to tc 3.
Configuration Mode  Config Interface Ethernet
History             3.1.0000
Role                admin
Example
    switch (config interface ethernet 1/1) # vlan map-priority 1 traffic-class 2
    switch (config interface ethernet 1/1) #
Related Commands    show dcb ets interface
Note

show dcb ets

show dcb ets

Displays ETS configuration and operational data.

Syntax Description
Default             ETS is enabled.
Configuration Mode  Any Command Mode
History             3.1.0000
Role                admin
Example
    switch (config)# show dcb ets
    ETS enabled
    TC    Bandwidth
    --------------------------
    0     25%
    1     25%
    2     25%
    3     25%
    Number of Traffic Class: 4
    switch (config) #
Related Commands
Note

show dcb ets interface

show dcb ets interface <type> <number>

Displays ETS configuration and operational data, per interface.

Syntax Description  type      ethernet or port-channel
                    number    interface number, i.e. 1/1
Default             ETS is enabled.
Configuration Mode  Any Command Mode
History             3.1.0000
Role                admin
Example
    switch (config)# show dcb ets interface ethernet 1/1
    ETS Port Mode :ON MODE
    ETS Oper State :INIT STATE
    ETS State Machine Type :Assymetric
    -----------------------------------------------
    ETS Local Port Info
    -----------------------------------------------
    TC bandwidth table
    -----------------------------------------------
    TC    Bandwidth    RecomBandwidth
    -----------------------------------------------
    0     25%          25%
    1     25%          25%
    2     25%          25%
    3     25%          25%
    priority assignment table
    --------------------------------------
    Priority    TC
    --------------------------------------
    0           0
    1           0
    2           1
    3           1
    4           2
    5           2
    6           3
    7           3
    Number of Traffic Class: 4
    Willing Status: Disable
    -----------------------------------------------
    ETS Admin Port Info
    -----------------------------------------------
    TC    Bandwidth    RecomBandwidth
    -----------------------------------------------
    0     30%          30%
    1     30%          30%
    2     30%          30%
    3     10%          10%
    -----------------------------------------------
    ETS Remote Port Info
    -----------------------------------------------
    No Remote Entry is Present
    ----------------------------------------------
    switch (config) #
Related Commands
Note

5.11.3.2 Priority Flow Control (PFC)

dcb priority-flow-control enable

dcb priority-flow-control enable [force]
no dcb priority-flow-control enable [force]

Enables PFC globally on the switch.
The no form of the command globally disables PFC on the switch.

Syntax Description  force    Forces operation
Default             PFC is disabled.
Configuration Mode  Config
History             3.1.0000
                    3.3.0000    Updated Example
Role                admin
Example
    switch (config)# dcb priority-flow-control enable
    This action might cause traffic loss while shutting down a port with priority-flow-control mode on
    Type 'yes' to confirm enable pfc globally: yes
    switch (config)# show dcb priority-flow-control
    PFC enabled
    Priority Enabled List :
    Priority Disabled List :0 1 2 3 4 5 6 7
    TC    Lossless
    ---   ----------
    0     N
    1     Y
    2     Y
    3     N
    Interface     PFC admin       PFC oper
    ------------  --------------  -------------
    1/1           Disabled        Disabled
    1/2           Disabled        Disabled
    1/3           Disabled        Disabled
    1/4           Disabled        Disabled
    ...
    switch (config) #
Related Commands    show dcb priority-flow-control
Note                This command asks the user to approve traffic loss because some interfaces with DCB mode activated might get shut down.

dcb priority-flow-control priority

dcb priority-flow-control priority <prio> enable
no dcb priority-flow-control priority <prio> enable

Enables PFC per priority on the switch.
The no form of the command disables PFC per priority on the switch.

Syntax Description  prio    0-7.
Default             PFC is disabled for all priorities.
Configuration Mode  Config
History             3.1.0000
Role                admin
Example
    switch (config)# dcb priority-flow-control priority 0 enable
    switch (config)# show dcb priority-flow-control
    PFC enabled
    Priority Enabled List : 0
    Priority Disabled List : 1 2 3 4 5 6 7
    TC    Lossless
    ---   ----------
    0     N
    1     Y
    2     Y
    3     N
    Interface     PFC admin       PFC oper
    ------------  --------------  -------------
    1/1           Disabled        Disabled
    1/2           Disabled        Disabled
    1/3           Disabled        Disabled
    1/4           Disabled        Disabled
    ...
    switch (config) #
Related Commands    show dcb priority-flow-control
Note

dcb priority-flow-control mode on

dcb priority-flow-control mode on [force]
no dcb priority-flow-control mode

Enables PFC per interface.
The no form of the command disables PFC per interface.

Syntax Description  force    Force command implementation.
Default             PFC is disabled for all interfaces.
Configuration Mode  Config Interface Ethernet
                    Config Interface Port Channel
                    Config Interface MLAG Port Channel
History             3.1.0000
                    3.3.4500    Added MLAG port-channel configuration mode
Role                admin
Example
    switch (config interface ethernet 1/1) # dcb priority-flow-control mode on
    switch (config interface ethernet 1/1) # show dcb priority-flow-control
    PFC enabled
    Priority Enabled List : 0
    Priority Disabled List : 1 2 3 4 5 6 7
    TC    Lossless
    ---   ----------
    0     N
    1     Y
    2     Y
    3     N
    Interface     PFC admin       PFC oper
    ------------  --------------  -------------
    1/1           On              Enabled
    1/2           Disabled        Disabled
    1/3           Disabled        Disabled
    1/4           Disabled        Disabled
    ...
    switch (config) #
Related Commands    show dcb priority-flow-control
Note

show dcb priority-flow-control

show dcb priority-flow-control [interface <type> <inf>] [detail]

Displays DCB priority flow control configuration and status.

Syntax Description  type      • ethernet
                              • port-channel
                    inf       The interface number.
                    detail    Adds detailed information to the show output.
Default             N/A
Configuration Mode  Any Command Mode
History             3.1.0000
Role                admin
Example
    switch (config interface ethernet 1/1) # show dcb priority-flow-control
    PFC enabled
    Priority Enabled List : 0
    Priority Disabled List : 1 2 3 4 5 6 7
    TC    Lossless
    ---   ----------
    0     N
    1     Y
    2     Y
    3     N
    Interface     PFC admin       PFC oper
    ------------  --------------  -------------
    1/1           On              Enabled
    1/2           Disabled        Disabled
    1/3           Disabled        Disabled
    1/4           Disabled        Disabled
    ...
    switch (config) #
Related Commands
Note

5.12 Access Control List

An Access Control List (ACL) is a list of permissions attached to an object, used to filter or match packets on the switch. When the pattern is matched at the hardware lookup engine, a specified action (e.g. permit/deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.

ACL support currently allows actions of permit or deny rules, and supports only ingress direction. ACL search pattern can be taken from either L2 or L3 fields, e.g. L2/L3 source and destination addresses, protocol, VLAN ID and priority or TCP port.

5.12.1 Configuring Access Control List

Access Control List (ACL) is configured by the user and is applied to a port once the ACL search engine matches search criteria with a received packet.

To configure ACL:

Step 1. Log in as admin.

Step 2. Enter config mode. Run:
switch > enable
switch # configure terminal

Step 3. Create a MAC / IPv4 ACL (access-list) entity.
switch (config) # mac access-list mac-acl
switch (config mac access-list mac-acl) #

Step 4. Add MAC / IP rules to the appropriate access-list.
switch (config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
switch (config mac access-list mac-acl) #

Step 5. Bind the created access-list to an interface (slot/port or port-channel).
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # mac port access-group mac-acl
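The rule added in Step 4, modelled offline so a rule list can be reviewed before it is bound to a port; this is an added example, not part of the manual or of MLNX-OS, and it also reports rules that an earlier, broader rule makes unreachable. Assumptions not stated on this page: rules are tried in ascending seq-number order and the first hit decides, a mask bit of 1 means the bit is compared, the protocol value is hexadecimal, and the verdict for a frame that hits no rule is supplied by the caller; vlan-mask and action are not modelled, and rules 20 and 30 and both frames are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MAC = (1 << 48) - 1
RANGES = {"protocol": (0x0000, 0xFFFF), "cos": (0, 7), "vlan": (0, 4095)}  # ranges from the manual


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)  # expects two hex digits per octet


@dataclass(frozen=True)
class MacMatch:
    value: int = 0
    mask: int = 0  # mask 0 models the CLI keyword "any"

    def hits(self, mac: int) -> bool:
        # Assumption: a mask bit of 1 means "compare this bit".
        return ((mac ^ self.value) & self.mask) == 0

    def covers(self, other: "MacMatch") -> bool:
        # True when every address `other` accepts is also accepted here.
        return (self.mask & ~other.mask) == 0 and self.hits(other.value)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    src: MacMatch
    dst: MacMatch
    protocol: Optional[int] = None  # None: field is not checked
    cos: Optional[int] = None
    vlan: Optional[int] = None

    def hits(self, src: str, dst: str, ethertype: int, vlan: int, cos: int) -> bool:
        return (self.src.hits(mac_to_int(src)) and self.dst.hits(mac_to_int(dst))
                and self.protocol in (None, ethertype)
                and self.vlan in (None, vlan) and self.cos in (None, cos))

    def covers(self, later: "Rule") -> bool:
        return (self.src.covers(later.src) and self.dst.covers(later.dst)
                and all(getattr(self, f) in (None, getattr(later, f))
                        for f in ("protocol", "cos", "vlan")))


def _mac_field(tokens: List[str]) -> MacMatch:
    first = tokens.pop(0)
    if first == "any":
        return MacMatch()
    has_mask = tokens[:1] == ["mask"]
    mask = mac_to_int(tokens[1]) if has_mask else FULL_MAC
    del tokens[:2 if has_mask else 0]
    return MacMatch(mac_to_int(first), mask)


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    try:
        if (tokens[0] != "seq-number" or tokens[2] not in ("deny", "permit")
                or not 1 <= int(tokens[1]) <= 500):
            raise ValueError("expected: seq-number <1-500> {deny|permit} ...")
        seq, rest, fields = int(tokens[1]), tokens[3:], {}
        src, dst = _mac_field(rest), _mac_field(rest)
        while rest:
            key, raw = rest.pop(0), rest.pop(0)
            low, high = RANGES[key]  # KeyError: option not modelled here
            # Assumption: protocol (Ethertype) is written in hexadecimal.
            fields[key] = int(raw, 16 if key == "protocol" else 10)
            if not low <= fields[key] <= high:
                raise ValueError(f"{key} {raw} outside {low}-{high}")
    except (IndexError, KeyError) as exc:
        raise ValueError(f"cannot parse rule {line!r}") from exc
    return Rule(seq, tokens[2], src, dst, **fields)


def evaluate(rules: List[Rule], frame: tuple, no_match: str) -> Tuple[str, Optional[int]]:
    # Assumption: lowest seq-number first, first hit decides.
    hit = next((r for r in sorted(rules, key=lambda r: r.seq) if r.hits(*frame)), None)
    return (hit.action, hit.seq) if hit else (no_match, None)


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    # (later seq, earlier seq) pairs: the later rule can never be hit.
    ordered = sorted(rules, key=lambda r: r.seq)
    return [(late.seq, early.seq) for i, late in enumerate(ordered)
            for early in ordered[:i] if early.covers(late)]


# Rule 10 is the manual's example; rules 20, 30 and both frames are constructed.
ACL = [parse_rule(line) for line in (
    "seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80",
    "seq-number 20 deny 0a:0a:0a:00:00:00 mask ff:ff:ff:00:00:00 any vlan 6",
    "seq-number 30 permit 0a:0a:0a:0a:0a:0b any vlan 6",
)]
# Frame layout: (source MAC, destination MAC, Ethertype, VLAN ID, CoS).
FRAME_A = ("0a:0a:0a:0a:0a:0a", "00:11:22:33:44:55", 0x80, 6, 2)
FRAME_B = ("0a:0a:0a:0a:0a:0b", "00:11:22:33:44:55", 0x0800, 6, 0)
```

Under these assumptions FRAME_B is denied by rule 20 although rule 30 was written to permit it, which is the ordering mistake that shadowed() reports as (30, 20).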

5.12.2 ACL Actions

An ACL action is a set of actions that can be activated when a packet hits the ACL rule.

To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:

Step 1. Create an access-list action profile:
a. Create an action access-list profile using the command access-list action <action-profile-name>
b. Add a rule to map a VLAN using the command vlan-map <vlan-id> within the action profile configuration mode

Step 2. Create an access-list and bind the action rule:
a. Create an access-list profile using the command ipv4/mac access-list
b. Add an access list rule using the command deny/permit (action <action profile name>)

Step 3. Bind the access-list to an interface using the command ipv4/mac port access-group

Create an action profile and add vlan mapping action:
switch (config)# access-list action my-action
switch (config access-list action my-action) # vlan-map 20
switch (config access-list action my-action) # exit

Create an access list and bind rules:
switch (config)# mac access-list my-list
switch (config mac access-list my-list)# permit any any action my-action
switch (config mac access-list my-list)# exit

Bind an access-list to a port:
Switch (config)# interface ethernet 1/1
Switch (config interface ethernet 1/1)# mac port access-group my-list

5.12.3 Commands

ipv4/mac access-list

{ipv4 | mac} access-list <acl-name>
no {ipv4 | mac} access-list <acl-name>

Creates a MAC or IPv4 ACL and enters the ACL configuration mode.
The no form of the command deletes the ACL.

Syntax Description  ipv4 | mac    IPv4 or MAC – access list.
                    acl-name      User defined string for the ACL.
Default             No ACL available by default.
Configuration Mode  Config
History             3.1.1400
Role                admin
Example
    switch (config)# mac access-list my-mac-list
    switch (config mac access-list my-mac-list)#
Related Commands    ipv4/port access-group
Note

ipv4/mac port access-group

{ipv4 | mac} port access-group <acl-name>
no {ipv4 | mac} port access-group <acl-name>

Binds an ACL to the interface.
The no form of the command unbinds the ACL from the interface.

Syntax Description  ipv4 | mac    IPv4 or MAC – access list.
                    acl-name      ACL name.
Default             No ACL is bound by default.
Configuration Mode  Config Interface Ethernet
                    Config Interface Port Channel
                    Config Interface MLAG Port Channel
History             3.1.1400
                    3.3.4500    Added MLAG port-channel configuration mode
Role                admin
Example
    switch (config interface ethernet 1/1) # mac port access-group my-list
    switch (config interface ethernet 1/1) #
Related Commands    ipv4/mac access-list
Note                The access control list should be defined prior to the binding action.

deny/permit (MAC ACL rule)

[seq-number <sequence-number>] {deny|permit} {any | <source-mac> [mask <mac>]} {any |<destination-mac> [mask <mac>]} [protocol <protocol>] [cos <cos-value>] [vlan <vlan-id> | vlan-mask <vlan-mask>] [action <action-id>]
no <sequence-number>

Creates a rule for MAC ACL.
The no form of the command deletes a rule from the MAC ACL.

Syntax Description
    sequence-number
        Optional parameter to set a specific sequence number for the rule. The range is: 1-500.
    deny | permit
        Determines the type of the rule, denies or permits action.
    {any | <source-mac> [mask <mac>]}
        Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
    {any | <destination-mac> [mask <mac>]}
        Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
    protocol
        Sets the Ethertype field value from the MAC address. Possible range is: 0x0000-0xffff.
    cos-value
        Sets the COS (priority bits) field, possible range is: 0-7.
    vlan-id
        Sets the VLAN ID field, possible range is 0-4095.
    vlan-mask <vlan-mask>
        Sets VLAN group. Range: 0x0000-0x0FFF.
    action
        Action name (free string).
Default             No rule is added by default to access control list.
                    Default sequence number is in multiple of 10.
Configuration Mode  Config MAC ACL
History             3.1.1400
                    3.3.4500    Added vlan-mask parameter
Role                admin
Example
    switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
    switch (config mac access-list my-list) #
Related Commands    ipv4/mac access-list
                    ipv4/mac port access-group
Note

deny/permit (IPv4 ACL rule)

[seq-number <sequence-number>] {permit | deny} ip {<source-ip> [mask <ip>] | [any]} {<dest-ip> [mask <ip>] | [any]} [action <action-id>]
no <sequence-number>

Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.

Syntax Description
    sequence-number
        Optional parameter to set a specific sequence number for the rule. The range is: 1-500.
    deny | permit
        Determines the type of the rule, deny or permit action.
    {any | <source-ip> [mask <ip>]}
        Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Valid mask values fall in the range 0-255.
    {any | <destination-ip> [mask <ip>]}
        Sets destination IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the destination IP. Valid mask values fall in the range 0-255.
Default             No rule is added by default to access control list.
                    Default sequence number is in multiple of 10.
Configuration Mode  Config IPv4 ACL
History             3.1.1400    First version
                    3.3.4302    Updated syntax description of mask <ip> parameter
Role                admin
Example
    switch (config ipv4 access-list my-list) # seq-number 51 deny ip 1.1.1.1 mask 123.12.13.53 45.45.45.0 mask 123.132.21.123
    switch (config ipv4 access-list my-list) #
Related Commands    ipv4/mac access-list
                    ipv4/mac port access-group
Note

deny/permit (IPv4 TCP/UDP ACL rule)

[seq-number <sequence-number>] {permit | deny} {tcp | udp} {<source-ip> [mask <ip>] | [any]} {<dest-ip> [mask <ip>]| [any]} [eq-source <port-number>] [eq-destination <port-number>] [action <action-id>]
no <sequence-number>

Creates a rule for IPv4 UDP/TCP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description
    sequence-number
        Optional parameter to set a specific sequence number for the rule. The range is: 1-500.
    deny | permit
        Determines the type of the rule, deny or permit action.
    tcp | udp
        UDP or TCP rule transport type.
    {any | <source-ip> [mask <ip>]}
        Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
    {any | <destination-ip> [mask <ip>]}
        Sets destination IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the destination IP.
    [eq-source <port-number>]
        TCP/UDP source port number. Range is 0-65535.
    [eq-destination <port-number>]
        TCP/UDP destination port number. Range is 0-65535.
Default             No rule is added by default to access control list.
                    Default sequence number is in multiple of 10.
Configuration Mode  Config IPv4 ACL
History             3.1.1400
Role                admin
Example
    switch (config ipv4 access-list my-list) # seq-number 10 deny tcp any any eq-source 1200
    switch (config ipv4 access-list my-list) #
Related Commands    ipv4/mac access-list
                    ipv4/mac port access-group
Note

access-list action

access-list action <action-profile-name>
no access-list action <action-profile-name>

Creates an access-list action profile and enters the action profile configuration mode.
The no form of the command deletes the action profile.

Syntax Description  action-profile-name    given name for the profile.
Default             N/A
Configuration Mode  Config
History             3.2.0230
Role                admin
Example
    switch (config)# access-list action my-action
    switch (config access-list action my-action)# show access-list action my-action
    Access-list Action my-action
    Mapped_Vlan_ID |Mapped_port |Counter_set |Policer_ID |
    ================================================================
    N/A            |N/A         |N/A         |N/A        |
    switch (config access-list action my-action)#
Related Commands
Note

vlan-map

vlan-map <vlan-id>
no vlan-map

Adds action to map a new VLAN to the packet (in the ingress port or VLAN).
The no form of the command removes the action to map a new VLAN.

Syntax Description  vlan-id    0-4095.
Default             N/A
Configuration Mode  Config ACL Action
History             3.2.0230
Role                admin
Example
    switch (config access-list action my-action)# vlan-map 10
    switch (config access-list action my-action)# show access-list action my-action
    Access-list Action my-action
    Mapped_Vlan_ID |Mapped_port |Counter_set |Policer_ID |
    ================================================================
    10             |N/A         |N/A         |N/A        |
    switch (config access-list action my-action)#
Related Commands
Note

vlan-pop

vlan-pop

Pops VLAN frames from traffic.

Syntax Description  vlan-id    VLAN ID: 0-4095.
Default             N/A
Configuration Mode  Config ACL Action
History             3.4.3000
Role                admin
Example
    switch (config access-list action my-action)# vlan-pop
    switch (config access-list action my-action)# show access-list action my-action
    Access-list Action my-action
    Popped_Vlan_ID |Mapped_port |Counter_set |Policer_ID |
    =====================================================================
    N/A            |N/A         |N/A         |N/A        |
    switch (config access-list action my-action) #
Related Commands
Note

vlan-push

vlan-push <vlan-id>

Pushes (or adds) VLAN frames to traffic.

Syntax Description  vlan-id    VLAN ID: 0-4095
Default             N/A
Configuration Mode  Config ACL Action
History             3.4.3000
Role                admin
Example
    switch (config access-list action my-action)# vlan-push 10
    switch (config access-list action my-action)# show access-list action my-action
    Access-list Action my-action
    Mapped_Vlan_ID |Mapped_port |Counter_set |Policer_ID |
    =========================================================
    10             |N/A         |N/A         |N/A        |
    switch (config access-list action my-action)#
Related Commands
Note

show access-list action

show access-list action {<action-profile-name> | summary}

Displays the access-list action profiles summary.

Syntax Description  action-profile-name    Filter the table according to the action profile name.
                    summary                Display summary of the action list.
Default             N/A
Configuration Mode  Any Command Mode
History             3.2.0230
Role                admin
Example
    switch (config)# show access-list action my-action
    Access-list Action my-action
    Mapped_Vlan_ID |Mapped_port |Counter_set |Policer_ID |
    ================================================================
    10             |N/A         |N/A         |N/A        |
    switch (config)#
Related Commands
Note

show mac/ipv4 access-lists

show [mac |ipv4 |] access-lists <access-list-name>

Displays the list of rules for the MAC/IPv4 ACL.

Syntax Description  ipv4 | mac          IPv4 or MAC - access list.
                    access-list-name    ACL name.
Default             N/A
Configuration Mode  Any Command Mode
History             3.1.1400
                    3.3.4500    Updated output
Role                admin
Example
    switch (config mac access-list my-list) # show mac access-lists my-list
    mac access-list my-list
    seq-number|p/d  |smac |dmac |protocol|cos |vlan |vlan-mask|action|
    ====================================================================
    10        |deny |any  |any  |0800    |3   |3    |0x0FFF   |none  |
    20        |deny |any  |any  |80      |2   |6    |0x0000   |none  |
    30        |deny |any  |any  |any     |any |any  |0x0ACB   |none  |
    40        |deny |any  |any  |any     |any |any  |N/A      |none  |
    switch (config mac access-list my-list) #
Related Commands    deny/permit (MAC ACL rule)
                    deny/permit (IPv4 ACL rule)
                    deny/permit (IPv4 TCP/UDP ACL rule)
                    ipv4/mac access-list
                    ipv4/mac port access-group
Note

show mac/ipv4 access-lists summary

show [mac |ipv4 |] access-lists summary

Displays the summary of number of rules per ACL, and the interfaces attached.

Syntax Description  ipv4 | mac          IPv4 or MAC - Access list
                    access-list-name    ACL name
Default             N/A
Configuration Mode  Any Command Mode
History             3.1.1400
Role                admin
Example
    switch (config) # show mac access-lists summary
    mac access-list my-list
    Total ACEs Configured: 2
    Configured on interfaces:
    Ethernet 1/1
    Ethernet 1/2
    switch (config) #
Related Commands    deny/permit (MAC ACL rule)
                    deny/permit (IPv4 ACL rule)
                    deny/permit (IPv4 TCP/UDP ACL rule)
                    ipv4/mac access-list
                    ipv4/mac port access-group
Note

5.13 Port Mirroring

Port mirroring enables data plane monitoring functionality which allows the user to send an entire traffic stream for testing. Port mirroring sends a copy of packets of a port’s traffic stream, called “mirrored port”, into an analyzer port. Port mirroring is used for network monitoring. It can be used for intrusion detection, security breaches, latency analysis, capacity and performance matters, and protocol analysis.

Figure 20 provides an overview of the mirroring functionality.

Figure 20: Overview of Mirroring Functionality

There is no limitation on the number of mirroring sources and more than a single source can be mapped to a single analyzer destination.

5.13.1 Mirroring Sessions

Port mirroring is performed by configuring mirroring sessions. A session is an association of a mirror port (or more) and an analyzer port.

Figure 21: Mirror to Analyzer Mapping [diagram: Mirror Port (M1 ... Mn; ACL, Port, LAG), Session (S1 ... S7), Analyzer Port (A1 ... Am)]

A mirroring session is a monitoring configuration mode that has the following parameters:

Table 47 - Mirroring Parameters

Parameter              Description                                                                     Access
Source interface(s)    List of source interfaces to be mirrored.                                       RW
Destination interface  A single analyzer port through which all mirrored traffic egress.               RW
Header format          The format and encapsulation of the mirrored traffic when sent to analyzer.     RW
Truncation             Enabling truncation segments each mirrored packet to 64 bytes.                  RW
Congestion control     Controls the behavior of the source port when destination port is congested.    RW
Admin state            Administrative state of the monitoring session.                                 RW

5.13.1.1 Source Interface

The source interface (mirror port) refers to the interface from which the traffic is monitored. Port mirroring does not affect the switching of the original traffic. The traffic is simply duplicated and sent to the analyzer port. Traffic in any direction (either ingress, egress or both) can be mirrored.

There is no limitation on the number of the source interfaces mapped to a mirroring session.

Ingress and egress traffic flows of a specific source interface can be mapped to two different sessions.

LAG

The source interface can be a physical interface or a LAG.

Port mirroring can be configured on a LAG interface but not on a LAG member. When a port is added to a mirrored LAG it inherits the LAG’s mirror configuration. However, if port mirroring configuration is set on a port, that configuration must be removed prior to adding the port to a LAG interface.

When a port is removed from a LAG, the mirror property is switched off for that port.

Control Protocols

All control protocols captured on the mirror port are forwarded to the analyzer port in addition to their normal treatment. For example LACP, STP, and LLDP are forwarded to the analyzer port in addition to their normal treatment by the CPU.

Exceptions to the behavior above are the packets that are being handled by the MAC layer, such as pause frames.

5.13.1.2 Destination Interface

The destination interface is an analyzer port, that is, the port to which mirrored traffic is sent. The mirrored packets are duplicated, optionally modified, and sent to the analyzer port. The SwitchX® platform supports up to 7 analyzer ports where any mirror port can be mapped to any analyzer port and more than a single mirror port can be mapped to a single analyzer port.

Packets can be forwarded to any destination using the command destination interface.

The analyzer port supports status and statistics as any other port.

LAG

The destination interface cannot be a member of LAG when the header format is local.

Control Protocols

The destination interface may also operate in part as a standard port, receiving and sending out non-mirrored traffic. When the header format is configured as a local port, ingress control protocol packets that are received by the local analyzer port get discarded.

Advanced MTU Considerations

The analyzer port, like its counterparts, is subject to MTU configuration. It does not send packets longer than configured.

When the analyzer port sends encapsulated traffic, the analyzer traffic has additional headers and therefore a longer frame. The MTU must be configured to support the additional length; otherwise, the packet is truncated to the configured MTU.

The system on the receiving end of the analyzer port must be set to handle the egress traffic. If it is not, it might discard it and indicate this in its statistics (packet too long).

5.13.1.3 Header Format

Ingress traffic from the source interface can be manipulated in several ways depending on the network layout using the command header-format.

If the analyzer system is directly connected to the destination interface, then the only parameters that can be configured on the port are the MTU, speed and port based flow control. Priority flow control is not supported in this case. However, if the analyzer system is indirectly connected to the destination interface, there are two options for switching the mirrored data to the analyzer system:

• A VLAN tag may be added to the Ethernet header of the mirrored traffic

• An Ethernet header may be added that includes a new destination address and VLAN tag

It must be taken into account that adding headers increases packet size.

Figure 22: Header Format Options

Source frame (all options): DA | SA | Type/Len | Data

Mirror frame, by header format:

local:                        DA | SA | Type/Len | Data
add-vlan:                     DA | SA | 0x8100 | VLAN | Type/Len | Data
add-ethernet-header:          DA | SA | 0x8949 | DA | SA | Type/Len | Data
add-ethernet-header (+vlan):  DA | SA | 0x8100 | VLAN | 0x8949 | DA | SA | Type/Len | Data
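The four header formats of Figure 22 can be undone on the analyzer host so that detection tooling sees the source frame again, and the same step shows how many bytes each format adds, which is the length the analyzer port MTU has to absorb. The following is an added example, not code from the manual or from Mellanox; the function names and the sample frames (including the switch source MAC) are constructed for illustration, and the layouts are taken from Figure 22 only.

```python
import struct
from typing import Optional

ETH_P_8021Q = 0x8100   # 802.1Q tag, used by add-vlan
ETH_P_MIRROR = 0x8949  # EtherType of the added Ethernet header in Figure 22

# Extra bytes each header format adds to the source frame.
OVERHEAD = {"local": 0, "add-vlan": 4,
            "add-ethernet-header": 14, "add-ethernet-header+vlan": 18}


def decapsulate(frame: bytes, mirror_vlan: Optional[int] = None) -> dict:
    """Recover the source frame from a frame received from the analyzer port.

    mirror_vlan is the VLAN ID configured with 'header-format add-vlan'. It is
    required for that format because an added tag looks exactly like a tag the
    source frame already carried.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"format": "local", "vlan": None, "priority": None,
            "outer_dst": None, "inner": frame}

    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("frame ends inside the VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, 14)
        vid, pcp = tci & 0x0FFF, tci >> 13
        if next_type == ETH_P_MIRROR:
            # Outer DA/SA + VLAN tag + 0x8949, then the untouched source frame.
            info.update(format="add-ethernet-header+vlan", vlan=vid,
                        priority=pcp, outer_dst=frame[:6], inner=frame[18:])
        elif mirror_vlan is not None and vid == mirror_vlan:
            # Tag was inserted after the source addresses: cut it back out.
            info.update(format="add-vlan", vlan=vid, priority=pcp,
                        inner=frame[:12] + frame[16:])
        # Any other tag belongs to the source frame itself: leave as local.
    elif ethertype == ETH_P_MIRROR:
        info.update(format="add-ethernet-header", outer_dst=frame[:6],
                    inner=frame[14:])

    info["overhead"] = len(frame) - len(info["inner"])
    return info


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample frames (not captured traffic).
SOURCE = (mac_bytes("00:11:22:33:44:55") + mac_bytes("66:77:88:99:aa:bb")
          + b"\x08\x00" + bytes(46))
ANALYZER = mac_bytes("00:0d:ec:f1:a9:c8")   # destination-mac from the manual's example
SWITCH = mac_bytes("02:00:00:00:00:01")     # constructed switch source MAC
TAG = struct.pack("!HH", ETH_P_8021Q, (5 << 13) | 10)  # priority 5, VLAN 10
SAMPLES = {
    "local": SOURCE,
    "add-vlan": SOURCE[:12] + TAG + SOURCE[12:],
    "add-ethernet-header": ANALYZER + SWITCH + b"\x89\x49" + SOURCE,
    "add-ethernet-header+vlan": ANALYZER + SWITCH + TAG + b"\x89\x49" + SOURCE,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        info = decapsulate(frame, mirror_vlan=10)
        ok = info["inner"] == SOURCE and info["overhead"] == OVERHEAD[name]
        print(f"{name:26} detected={info['format']:26} "
              f"+{info['overhead']:2} bytes recovered={ok}")
```

With truncate enabled on the session, the recovered frame is cut short, so only its leading headers should be parsed.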

5.13.1.4 Congestion Control

The destination ports might receive pause frames that lead to congestion in the switch port. In addition, too much traffic directed to the analyzer port (for example 40GbE mirror port is directed into 10G analyzer port) might also lead to congestion.

In case of congestion:

• When best effort mode is enabled on the analyzer port, SwitchX drops excessive traffic headed to the analyzer port using tail drop mechanism, however, the regular data (mirrored data heading to its original port) does not suffer from a delay or drops due to the analyzer port congestion.

• When the best effort mode on the analyzer port is disabled, the SwitchX does not drop the excessive traffic. This might lead to buffer exhaustion and data path packet loss.

The default behavior in congestion situations is to drop any excessive frames that may clog the system.

ETS, PFC and FC configurations do not apply to the destination port.

5.13.1.5 Truncation

When enabled, the system can truncate the mirrored packets into smaller 64-byte packets (default) which is enough to capture the packets’ L2 and L3 headers.

5.13.2 Configuring Mirroring Sessions

Figure 23 presents two network scenarios with direct and remote connectivity to the analyzer equipment. Direct connectivity is when the analyzer is connected to the analyzer port of the switch. In this case there is no need for adding an L2 header to the mirrored traffic. Remote connectivity is when the analyzer is indirectly connected to the analyzer port of the switch. In this situation, adding an L2 header may be necessary depending on the network’s setup.

Figure 23: Mirroring Session

To configure a mirroring session:

Step 1. Create a session. Run:

switch (config) # monitor session 1

This command enters a monitor session configuration mode. Upon first implementation the command also creates the session.

Step 2. Add source interface(s). Run:

switch (config monitor session 1) # add source interface ethernet 1/1 direction both

Step 3. Add destination interface. Run:

switch (config monitor session 1) # destination interface ethernet 1/2

Step 4. (Optional) Set header format. Run:

switch (config monitor session 1) # header-format add-ethernet-header destination-mac 00:0d:ec:f1:a9:c8 add-vlan 10 priority 5 traffic-class 2

For remote connectivity use the header formats add-vlan or add-ethernet-header. For local connectivity, use local.

Step 5. (Optional) Truncate the mirrored traffic to 64-byte packets. Run:

switch (config monitor session 1) # truncate

Step 6. (Optional) Set congestion control. Run:

switch (config monitor session 1) # congestion pause-excessive-frames

The default for this command is to drop excessive frames. The pause-excessive-frames option uses flow control to regulate the traffic from the source interfaces.

If the option pause-excessive-frames is selected, make sure that flow control is enabled on all source interfaces on the ingress direction of the monitoring session using the command flowcontrol in the interface configuration mode.

Step 7. Enable the session. Run:

switch (config monitor session 1) # no shutdown

5.13.3 Verifying Mirroring Sessions

To verify the attributes of a specific mirroring session:

switch (config) # show monitor session 1
Admin: Enable
Status: Up
Truncate: Enable
Destination interface: eth1/2
Congestion type: pause-excessive-frames
Header format: add-ethernet-header
- traffic class 2
- vlan 10
- priority 5
- destination-mac 00:0d:ec:f1:a9:c8
Source interfaces
Interface   direction
------------------------
eth1/1      both

To verify the attributes of running mirroring sessions:

switch (config) # show monitor session summary
Session  Admin    Status  Mode      Destination  Source
1        Enable   Up      add-eth   eth1/2       eth1/1(b)
2        Disable  Down    add-vlan  eth1/2       eth1/8(i), po1(e)
3        Enable   Up      add-eth   eth1/5       eth1/18(e)
7        Disable  Down    local

5.13.4 Commands

5.13.4.1 Config

monitor session

monitor session <session-id>
no monitor session <session-id>

Creates session and enters monitor session configuration mode upon using this command for the first time.

The no form of the command deletes the session.

Syntax Description:
session-id: The monitor session ID. The range is 1-7.
Default: N/A
Configuration Mode: Config
History: 3.3.3500
Role: admin
Example:
switch (config)# monitor session 1
switch (config monitor session 1)#
Related Commands:
Note:

5.13.4.2 Config Monitor Session

destination interface

destination interface <type> <number> [force]
no destination interface

Sets the egress interface number.

The no form of the command deletes the destination interface.

Syntax Description:
interface <type> <number>: Sets the interface type and number (e.g. ethernet 1/2)
force: The user does not need to shutdown the port prior to the operation.
Default: no destination interface
Configuration Mode: Config Monitor Session
History:
3.3.3500: First version
3.3.4100: Added force argument
Role: admin
Example:
switch (config monitor session 1) # destination interface ethernet 1/2
switch (config monitor session 1)#
Related Commands:
Note:

shutdown

shutdown
no shutdown

Disables the session.

The no form of the command enables the session.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config Monitor Session
History: 3.3.3500
Role: admin
Example:
switch (config monitor session 1) # no shutdown
switch (config monitor session 1)#
Related Commands:
Note:

add source interface

add source interface <type> <number> direction <d-type>
no source interface <type> <number>

Adds a source interface to the mirrored session.

The no form of the command deletes the source interface.

Syntax Description:
interface <type> <number>: Configures interface as “ethernet” or “port-channel”.
direction <d-type>: Configures the direction of the mirrored traffic. The options are as follows:
• egress – sets the egress traffic to be monitored
• ingress – sets the ingress traffic to be monitored
• both – sets egress and ingress traffic to be monitored
Default: N/A
Configuration Mode: Config Monitor Session
History: 3.3.3500
Role: admin
Example:
switch (config monitor session 1) # add source interface ethernet 1/1 direction both
switch (config monitor session 1)#
Related Commands:
Note: If mirroring is configured in one direction (e.g. ingress) on an interface and then is configured in the other direction (e.g. egress), then the ultimate setting is “both”.

header-format

header-format {local [traffic-class <tc>] | add-vlan <vlan-id> [priority <prio>] [traffic-class <tc>] | add-ethernet-header destination-mac <mac-address> [add-vlan <vlan-id> [priority <prio>]] [traffic-class <tc>]}
no header-format

Sets the header format of the mirrored traffic.

The no form of the command resets the parameter values back to default.

Syntax Description:
local: The mirrored header of the frame is not changed.
traffic-class <tc>: Changes the egress traffic class of the frame. Range is 0-3.
add-vlan <vlan-id>: An 802.1q VLAN tag is added to the frame.
priority <prio>: The priority to be added to the Ethernet header. Range is 0-7.
add-ethernet-header: Adds an Ethernet header to the mirrored frame.
destination-mac: The destination MAC address of the added Ethernet frame.
Default: no-change, vlan 1, priority 0, traffic-class 0
Configuration Mode: Config Monitor Session
History: 3.3.3500
Role: admin
Example:
switch (config monitor session 1) # header-format add-ethernet-header destination-mac 00:0d:ec:f1:a9:c8 add-vlan 10 priority 5 traffic-class 2
switch (config monitor session 1)#
Related Commands:
Note: If add-ethernet-header is used, the source MAC address is the one attached to the switch.

truncate

truncate
no truncate

Truncates the mirrored frames to 64-byte packets.

The no form of the command disables truncation.

Syntax Description: N/A
Default: no truncate
Configuration Mode: Config Monitor Session
History: 3.3.3500
Role: admin
Example:
switch (config monitor session 1) # truncate
switch (config monitor session 1)#
Related Commands:
Note: This command applies for all sessions on the same analyzer port.

congestion

congestion [drop-excessive-frames | pause-excessive-frames]
no congestion

Sets the system’s behavior when congested.

The no form of the command disables truncation.

Syntax Description:
drop-excessive-frames: Drops excessive frames.
pause-excessive-frames: Pauses excessive frames.
Default: drop-excessive-frames
Configuration Mode: Config Monitor Session
History:
3.3.3500
3.3.4000: Added Syntax Description.
Role: admin
Example:
switch (config monitor session 1) # congestion pause-excessive-frames
switch (config monitor session 1)#
Related Commands:
Note: This command applies for all sessions on the same analyzer port.

5.13.4.3 Show

show monitor session

show monitor session <session-id>

Displays monitor session configuration and status.

Syntax Description:
session-id: The monitor session ID. Range is 1-7.
Default: N/A
Configuration Mode: Any Command Mode
History: 3.3.3500
Role: admin
Example:
switch (config) # show monitor session 1
Admin: Enable
Status: Up
Truncate: Enable
Destination interface: eth1/2
Congestion type: pause-excessive-frames
Header format: add-ethernet-header
- traffic class 2
- vlan 10
- priority 5
- destination-mac 00:0d:ec:f1:a9:c8
Source interfaces
Interface   direction
------------------------
eth1/1      both
switch (config) #
Related Commands:
Note:

show monitor session summary

show monitor session summary

Displays monitor session configuration and status summary.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.3.3500
Role: admin
Example:
switch (config) # show monitor session summary
Session  Admin    Status  Mode      Destination  Source
1        Enable   Up      add-eth   eth1/2       eth1/1(b)
2        Disable  Down    add-vlan  eth1/2       eth1/8(i), po1(e)
3        Enable   Up      add-eth   eth1/5       eth1/18(e)
7        Disable  Down    local
switch (config) #
Related Commands:
Note:

5.14 sFlow

sFlow (ver. 5) is a procedure for statistical monitoring of traffic in networks. MLNX-OS supports an sFlow sampling mechanism (agent), which includes collecting traffic samples and data from counters. The sFlow datagrams are then sent to a central collector.

The sampling mechanism must ensure that any packet going into the system has an equal chance of being sampled, irrespective of the flow to which it belongs. The sampling mechanism provides the collector with periodical information on the amount (and load) of traffic per interface by loading the counter samples into sFlow datagrams.

The sFlow packets are encapsulated and sent in UDP over IP. The UDP port number that is used is the standard 6343 by default.

Figure 24: sFlow Functionality Overview


5.14.1 Flow Samples

The sFlow agent samples the data path based on packets.

Truncation and sampling rate are the two parameters that influence the flow samples. In case of congestion, the flow samples can be truncated to a predefined size before they are assigned to the CPU. The truncation can be set to any value between 64 and 256 bytes, with the default being 128 bytes.

The sampling rate can be adjusted by setting an average rate. The system assures that a random number of packets is sampled; however, the sample rate on average converges to the configured rate. Valid values range from 4000 to 16777215 packets.

5.14.2 Statistical Samples

The sFlow agent samples interface counters on a time basis. The polling interval is configurable to any value between 5 and 3600 seconds, with the default being 20 seconds.

The following statistics are gathered by the CPU:

Table 48 - List of Statistical Counters

| Counter | Description |
|---|---|
| Total packets | The number of packets that pass through sFlow-enabled ports. |
| Number of flow samples | The number of packets that are captured by the sampling mechanism. |
| Number of statistic samples | The number of statistical samples. |
| Number of discarded samples | The number of samples that were discarded. |
| Number of datagrams | The number of datagrams that were sent to the collector. |

5.14.3 sFlow Datagrams

The sFlow datagrams contain flow samples and statistical samples.

The sFlow mechanism uses IP protocol, therefore if the packet length is more than the interface MTU, it becomes fragmented by the IP stack. The MTU may also be set manually to anything in the range of 200-9216 bytes. The default is 1400 bytes.
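On the collector side, the datagram header carries the agent-ip and a datagram sequence number, and each flow sample carries the sampling rate in force, so a collector can confirm that datagrams come from the expected agent, notice lost datagrams, and compare the rate with the configured one. The following is an added example, not code from the manual or from Mellanox; the field layout follows the sFlow version 5 specification, and the function names and the datagrams built by build_datagram are constructed for illustration.

```python
import ipaddress
import struct

FLOW, COUNTER, EXP_FLOW, EXP_COUNTER = 1, 2, 3, 4  # sFlow v5 sample formats


def parse_datagram(data: bytes) -> dict:
    """Parse the sFlow v5 datagram header and walk its sample records."""
    try:
        version, addr_type = struct.unpack_from("!II", data, 0)
        if version != 5:
            raise ValueError(f"not sFlow v5 (version field {version})")
        addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
        if addr_len is None:
            raise ValueError("unknown agent address type")
        off = 8
        agent = ipaddress.ip_address(data[off:off + addr_len])
        off += addr_len
        _sub_agent, seq, uptime_ms, count = struct.unpack_from("!IIII", data, off)
        off += 16
        out = {"agent_ip": str(agent), "sequence": seq, "uptime_ms": uptime_ms,
               "flow_samples": 0, "counter_samples": 0,
               "sampling_rates": set(), "estimated_packets": 0}
        for _ in range(count):
            tag, length = struct.unpack_from("!II", data, off)
            off += 8
            body = data[off:off + length]
            if len(body) != length:
                raise ValueError("sample record runs past the end of the datagram")
            enterprise, fmt = tag >> 12, tag & 0xFFF
            if enterprise == 0 and fmt in (FLOW, EXP_FLOW):
                # sampling_rate follows sequence_number and source_id
                # (source_id takes two words in the expanded form).
                (rate,) = struct.unpack_from("!I", body, 8 if fmt == FLOW else 12)
                out["flow_samples"] += 1
                out["sampling_rates"].add(rate)
                out["estimated_packets"] += rate  # one sample stands for `rate` packets
            elif enterprise == 0 and fmt in (COUNTER, EXP_COUNTER):
                out["counter_samples"] += 1
            off += length
        return out
    except struct.error as exc:
        raise ValueError(f"truncated datagram: {exc}") from None


def check(datagrams, expected_agent: str, expected_rate: int) -> list:
    """Return findings for raw datagrams received, in order, from one agent."""
    findings, last_seq = [], None
    for raw in datagrams:
        d = parse_datagram(raw)
        if d["agent_ip"] != expected_agent:
            findings.append(f"unexpected agent-ip {d['agent_ip']}")
            continue
        if last_seq is not None:
            gap = d["sequence"] - last_seq - 1
            if gap < 0:
                findings.append(f"sequence went backwards at #{d['sequence']}")
            elif gap > 0:
                findings.append(f"lost {gap} datagram(s) before #{d['sequence']}")
        last_seq = d["sequence"]
        for rate in sorted(d["sampling_rates"] - {expected_rate}):
            findings.append(
                f"sampling-rate {rate} differs from configured {expected_rate}")
    return findings


def build_datagram(agent: str, seq: int, rates) -> bytes:
    """Build a constructed IPv4 datagram with one empty flow sample per rate."""
    samples = b""
    for i, rate in enumerate(rates):
        # sequence, source_id, sampling_rate, sample_pool, drops, input, output, 0 records
        body = struct.pack("!8I", i, 1, rate, rate * (i + 1), 0, 1, 2, 0)
        samples += struct.pack("!II", FLOW, len(body)) + body
    header = struct.pack("!II", 5, 1) + ipaddress.ip_address(agent).packed
    return header + struct.pack("!IIII", 0, seq, 1000 * seq, len(rates)) + samples


if __name__ == "__main__":
    stream = [build_datagram("20.20.20.20", 1, [16000]),
              build_datagram("20.20.20.20", 4, [16000]),
              build_datagram("10.9.9.9", 5, [16000]),
              build_datagram("20.20.20.20", 5, [4000])]
    for finding in check(stream, "20.20.20.20", 16000):
        print(finding)
```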

5.14.4 Sampled Interfaces

sFlow must be enabled on physical or LAG interfaces that require sampling. When adding a port to a LAG, sFlow must be disabled on the port. If a port with enabled sFlow is configured to be added to a LAG, the configuration is rejected. Removing a port from a LAG disables sFlow on the port regardless of the LAG’s sFlow status.

5.14.5 Configuring sFlow

To configure the sFlow agent:

Step 1. Unlock the sFlow commands. Run:

switch (config) # protocol sflow

Step 2. Enable sFlow on the system. Run:

switch (config) # sflow enable

Step 3. Enter sFlow configuration mode. Run:

switch (config) # sflow
switch (config sflow) #

Step 4. Set the central collector’s IP. Run:

switch (config sflow) # collector-ip 10.10.10.10

Step 5. Set the agent-ip used in the sFlow header. Run:

switch (config sflow) # agent-ip 20.20.20.20

Step 6. (Optional) Set the sampling rate of the mechanism. Run:

switch (config sflow) # sampling-rate 16000

This means that one in every 16000 packets is collected for sampling.

Step 7. (Optional) Set the maximum size of the data path sample. Run:

switch (config sflow) # max-sample-size 156

Step 8. (Optional) Set the frequency in which counters are polled. Run:

switch (config sflow) # counter-poll-interval 19

Step 9. (Optional) Set the maximum size of the datagrams sent to the central collector. Run:

switch (config sflow) # max-datagram-size 1500

Step 10. Enable the sFlow agent on the desired interfaces. Run:

switch (config interface ethernet 1/1)# sflow enable
switch (config interface port-channel 1)# sflow enable

5.14.6 Verifying sFlow

To verify the attributes of the sFlow agent:

switch (config)# show sflow
sflow protocol enabled
sflow enabled
sampling-rate 16000
max-sampled-size 156
counter-poll-interval 19
max-datagram-size 1500
collector-ip 10.10.10.10
collector-port 6343
agent-ip 20.20.20.20
Interfaces
Ethernet: eth1/1
Port-channel: po1
Statistics:
Total Packets: 2000
Number of flow samples: 1200
Number of samples discarded: 0
Number of statistic samples: 800
Number of datagrams: 300

5.14.7 Commands

5.14.7.1 Config

protocol sflow

protocol sflow
no protocol sflow

Unhides the sFlow commands.

The no form of the command deletes sFlow configuration and hides the sFlow commands.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config
History: 3.3.3500
Role: admin
Example:
switch (config) # protocol sflow
switch (config) #
Related Commands:
Note:

sflow enable (global)

sflow enable
no sflow enable

Enables sFlow in the system.

The no form of the command disables sFlow without deleting the configuration.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config
History: 3.3.3500
Role: admin
Example:
switch (config) # sflow enable
switch (config) #
Related Commands:
Note:

sflow

sflow

Enters sFlow configuration mode.

Syntax Description: N/A
Default: N/A
Configuration Mode: Config
History: 3.3.3500
Role: admin
Example:
switch (config) # sflow
switch (config sflow) #
Related Commands:
Note:

5.14.7.2 Config sFlow

sampling-rate

sampling-rate <rate>
no sampling-rate

Sets sFlow sampling ratio.

The no form of the command resets this parameter to its default value.

Syntax Description:
rate: Sets the number of packets passed before selecting one for sampling. The range is 4000-16777215. Zero disables sampling.
Default: 16000
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # sampling-rate 16111
switch (config sflow) #
Related Commands:
Note:

max-sample-size

max-sample-size <packet-size>
no max-sample-size

Sets the maximum size of sampled packets by sFlow.

The no form of the command resets the parameter to its default value.

Syntax Description:
packet-size: The sampled packet size. The range is 64-256 bytes.
Default: 128 bytes
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # max-sample-size 165
switch (config sflow) #
Related Commands:
Note: Sampled payload beyond the configured size is discarded.

counter-poll-interval

counter-poll-interval <seconds>
no counter-poll-interval

Sets the sFlow statistics polling interval.

The no form of the command resets the parameter to its default value.

Syntax Description:
seconds: The sFlow statistics polling interval in seconds. Range is 5-3600 seconds. Zero disables the statistic polling.
Default: 20 seconds
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # counter-poll-interval 30
switch (config sflow) #
Related Commands:
Note:

max-datagram-size

max-datagram-size <packet-size>
no max-datagram-size

Sets the maximum sFlow packet size to be sent to the collector.

The no form of the command resets the parameter to its default value.

Syntax Description:
packet-size: The packet size of the packet being sent to the collector. The range is 200-9216 bytes.
Default: 1400 bytes
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # max-datagram-size 9216
switch (config sflow) #
Related Commands:
Note: This packet contains the data sample as well as the statistical counter data.

collector-ip

collector-ip <ip-address> [udp-port <udp-port-number>]
no collector-ip [<ip-address> udp-port]

Sets the collector’s IP.

The no form of the command resets the parameters to their default values.

Syntax Description:
ip-address: The collector IP address.
udp-port <udp-port-number>: Sets the collector UDP port number.
Default:
ip-address: 0.0.0.0
udp-port-number: 6343
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # collector-ip 10.10.10.10
switch (config sflow) #
Related Commands:
Note:

agent-ip

agent-ip {<ip-address> | interface [ethernet <slot/port> | port-channel <channelgroup>] | <if-name> | loopback <number> | vlan <id>}
no agent-ip

Sets the IP address associated with this agent.

The no form of the command resets the parameters to their default values.

Syntax Description:
interface: Configures a specific ethernet/port-channel interface’s agent IP.
if-name: Interface name (e.g. mgmt0, mgmt1).
ip-address: The sFlow agent’s IP address (i.e. the source IP of the packet).
loopback <number>: Loopback interface number. Range: 1-32.
vlan <id>: Interface VLAN. Range: 1-4094.
Default: ip-address: 0.0.0.0
Configuration Mode: Config sFlow
History:
3.3.3500
3.3.5200: Updated “interface” parameters
Role: admin
Example:
switch (config sflow) # agent-ip 20.20.20.20
switch (config sflow) #
Related Commands:
Note: The IP address here is used in the sFlow header.

clear counters

clear counters

Clears sFlow counters.

Syntax Description: N/A
Default: N/A
Configuration Mode: Config sFlow
History: 3.3.3500
Role: admin
Example:
switch (config sflow) # clear counters
switch (config sflow) #
Related Commands:
Note:

sflow enable (interface)

sflow enable
no sflow enable

Enables sFlow on this interface.

The no form of the command disables sFlow on the interface.

Syntax Description: N/A
Default: disable
no view-port-channel member
Configuration Mode:
Config Interface Ethernet
Config Interface Port Channel
Config Interface MLAG Port Channel
History:
3.3.3500
3.3.4500: Added MLAG port-channel configuration mode
Role: admin
Example:
switch(config interface ethernet 1/1)# sflow enable
...
switch(config interface port-channel 1)# sflow enable
Related Commands:
Note:

5.14.7.3 Show

show sflow

show sflow

Displays sFlow configuration and counters.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.3.3500
Role: admin
Example:
switch (config)# show sflow
sflow protocol enabled
sflow enabled
sampling-rate 16000
max-sampled-size 156
counter-poll-interval 19
max-datagram-size 1500
collector-ip 10.10.10.10
collector-port 6343
agent-ip 20.20.20.20
Interfaces
Ethernet: eth1/1
Port-channel: po1
Statistics:
Total Packets: 2000
Number of flow samples: 1200
Number of samples discarded: 0
Number of statistic samples: 800
Number of datagrams: 300
Related Commands:
Note:

5.15 Transport Applications

5.15.1 RDMA over Converged Ethernet (RoCE)

5.15.1.1 RoCE Overview

Remote Direct Memory Access (RDMA) is the remote memory management capability that allows server to server data movement directly between application memory without any CPU involvement. RDMA over Converged Ethernet (RoCE) is a mechanism to provide this efficient data transfer with very low latencies on loss-less Ethernet networks. With advances in data center convergence over reliable Ethernet, ConnectX® EN with RoCE uses the proven and efficient RDMA transport to provide the platform for deploying RDMA technology in mainstream data center application at 10GigE and 40GigE link-speed. ConnectX® EN with its hardware offload support takes advantage of this efficient RDMA transport (InfiniBand) services over Ethernet to deliver ultra-low latency for performance-critical and transaction intensive applications such as financial, database, storage, and content delivery networks. RoCE encapsulates IB transport and GRH headers in Ethernet packets bearing a dedicated ether type. While the use of GRH is optional within InfiniBand subnets, it is mandatory when using RoCE. Applications written over IB verbs should work seamlessly, but they require provisioning of GRH information when creating address vectors. The library and driver are modified to provide mapping from GID to MAC addresses required by the hardware.

5.15.1.1.1 IP Routable (RoCEv2)

A straightforward extension of the RoCE protocol enables traffic to operate in layer 3 environments. This capability is obtained via a simple modification of the RoCE packet format. Instead of the GRH used in RoCE, routable RoCE packets carry an IP header which allows traversal of IP L3 Routers and a UDP header that serves as a stateless encapsulation layer for the RDMA Transport Protocol Packets over IP.

Figure 25: RoCEv2 and RoCE Frame Format Differences


The proposed RoCEv2 packets use a well-known UDP destination port value that unequivocally distinguishes the datagram. Similar to other protocols that use UDP encapsulation, the UDP source port field is used to carry an opaque flow-identifier that allows network devices to implement packet forwarding optimizations (e.g. ECMP) while staying agnostic to the specifics of the protocol header format.

Furthermore, since this change exclusively affects the packet format on the wire, and due to the fact that with RDMA semantics packets are generated and consumed below the API, applications can seamlessly operate over any form of RDMA service (including the routable version of RoCE as shown in Figure 2), in a completely transparent way (see footnote 1).

Figure 26: RoCEv2 Protocol Stack

5.15.1.2 RoCE Configuration

In order to function reliably, RoCE requires a form of flow control. While it is possible to use global flow control, this is normally undesirable, for performance reasons.

The normal and optimal way to use RoCE is to use Priority Flow Control (PFC). To use PFC, it must be enabled on all endpoints and switches in the flow path.

In the following section we present instructions to configure PFC on Mellanox ConnectX™ cards. There are multiple configuration steps required, all of which may be performed via PowerShell. Therefore, although we present each step individually, you may ultimately choose to write a PowerShell script to do them all in one step. Note that administrator privileges are required for these steps.

For further information, please refer to the following URL: http://blogs.technet.com/b/josebda/archive/2012/07/31/deploying-windows-server-2012-withsmb-direct-smb-over-rdma-and-the-mellanox-connectx-3-using-10gbe-40gbe-roce-step-bystep.aspx

Footnote 1: Standard RDMA APIs are IP based already for all existing RDMA technologies

5.15.1.2.1 Prerequisites

The following are the driver’s prerequisites in order to set or configure RoCE:

• ConnectX®-3 and ConnectX®-3 Pro firmware version 2.30.3000 or higher

• All InfiniBand verbs applications which run over InfiniBand verbs should work on RoCE links if they use GRH headers.

• Set HCA to use Ethernet protocol:

Display the Device Manager and expand “System Devices”.

5.15.1.2.2 Configuring Windows Host

Since PFC is responsible for flow controlling at the granularity of traffic priority, it is necessary to assign different priorities to different types of network traffic.

As per RoCE configuration, all ND/NDK traffic is assigned to one or more chosen priorities, where PFC is enabled on those priorities.

Configuring Windows host requires configuring QoS.

5.15.1.2.2.1 Using Global Pause Flow Control (GFC)

To use Global Pause Flow Control (GFC) mode, disable QoS and Priority:

PS $ Disable-NetQosFlowControl

PS $ Disable-NetAdapterQos

5.15.1.3 Configuring SwitchX® Based Switch System

To enable RoCE, the SwitchX should be configured as follows:

• Ports facing the host should be configured as access ports, and either use global pause or Port Control Protocol (PCP) for priority flow control

• Ports facing the network should be configured as trunk ports, and use Port Control Protocol (PCP) for priority flow control

For further information on how to configure SwitchX, please refer to SwitchX User Manual.

5.15.1.4 Configuring Router (PFC only)

The router uses L3's DSCP value to mark the egress traffic of L2 PCP. The required mapping maps the three most significant bits of the DSCP into the PCP. This is the default behavior, and no additional configuration is required.

5.15.1.4.1 Copying Port Control Protocol (PCP) Between Subnets

The captured PCP option from the Ethernet header of the incoming packet can be used to set the PCP bits on the outgoing Ethernet header.

5.15.1.5 Configuring the RoCE Mode

Configuring the RoCE mode requires the following:

• RoCE mode is configured per-driver and is enforced on all the devices in the system

The supported RoCE modes depend on the firmware installed. If the firmware does not support the needed mode, the fallback mode would be the maximum supported RoCE mode of the installed NIC.

RoCE mode can be enabled and disabled via PowerShell.


To enable RoCE using the PowerShell:

• Open the PowerShell and run:

Set-MlnxDriverCoreSetting -RoceMode 1

To enable RoCEv2 using the PowerShell:

• Open the PowerShell and run:

Set-MlnxDriverCoreSetting -RoceMode 2

To disable any version of RoCE using the PowerShell:

• Open the PowerShell and run:

Set-MlnxDriverCoreSetting -RoceMode 0

To check the current version of RoCE using the PowerShell:

Step 1. Open the PowerShell and run:

Get-MlnxDriverCoreSetting

Step 2. Example output:

Caption : DriverCoreSettingData 'mlx4_bus'
Description : Mellanox Driver Option Settings
.
.
.
RoceMode : 0


5.16 802.1x Protocol

The 802.1x standard describes a way to authenticate hosts (or supplicants) and to allow connection only to a list of allowed hosts pre-configured on an authentication server. The authentication is performed by the switch (authenticator), which negotiates the authentication with a RADIUS server (authentication server). This makes it possible to block traffic from non-authenticated sources.

The 802.1x protocol defines the following roles:

• Supplicant – the host. It provides the authentication credentials to the authenticator and awaits approval.

• Authenticator – the device that connects the supplicant to the network, and checks the authentication with the authentication server. The authenticator is also in charge of blocking and isolating a new client until it is authenticated, and of allowing communication once the client has passed the authentication. The Mellanox switch acts as an authenticator.

• Authentication server – a RADIUS server which can authenticate the user.


The 802.1x is available only on access physical ports. It is not available on LAG and MLAG ports.

A local analyzer port cannot support 802.1x protocol.

802.1x cannot be activated on router ports.

802.1x cannot run on a port configured to switchport trunk or hybrid.

Management interfaces cannot be configured as 802.1x port access entity (PAE) authenticators.

5.16.1 802.1x Operating Modes

The following operating modes are supported in 802.1x:

• Single host – only one supplicant can communicate through the port.

Once authentication of the supplicant is accepted by the authentication server, the switch allows it access. If the supplicant logs off or the port state is changed, the port becomes unauthenticated. And if a different supplicant tries to access through this port, its bidirectional traffic is discarded (including authentication traffic).


An exception to this is multicast and broadcast traffic which do get transmitted over the interface once authenticated and are exposed to an unauthorized supplicant if it exists.

• Multi-host mode – allows connection of multiple hosts over a single port. Only the first supplicant is authenticated. Subsequent hosts have network access without the need to authenticate.
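An added example (not part of the Mellanox manual): a small Python audit that parses `show dot1x` output and flags ports whose settings, per the mode and port-control descriptions in this section, pass traffic without per-host authentication. The sample output is constructed in the layout of the manual's `show dot1x` example; the finding names, the `exempt` parameter, the `authorized` status value and treating any banner other than "System authentication is enabled" as disabled are assumptions.

```python
import re

# Constructed sample, laid out like the manual's "show dot1x" example output.
SAMPLE_SHOW_DOT1X = """\
System authentication is enabled
---------------------------------------------------------------------
Port    Pae       Host-mode    Port-control        Status
---------------------------------------------------------------------
Eth1/1  Enabled   multi-host   auto                unauthorized
Eth1/2  Disabled  multi-host   force-authorized    down
Eth1/3  Enabled   single-host  auto                authorized
Eth1/4  Enabled   single-host  force-authorized    authorized
Eth1/5  Enabled   single-host  force-unauthorized  unauthorized
"""

ROW = re.compile(
    r"^(?P<port>Eth\S+)\s+(?P<pae>Enabled|Disabled)\s+"
    r"(?P<host_mode>multi-host|single-host)\s+"
    r"(?P<port_control>auto|force-authorized|force-unauthorized)\s+"
    r"(?P<status>\S+)$"
)

# Finding codes (assumed names) and the behaviour the manual gives for each.
FINDINGS = {
    "system-auth-control-off": "the system is not enabled as authenticator",
    "pae-disabled": "the port is not a PAE authenticator",
    "force-authorized": "traffic is allowed regardless of supplicant authorization",
    "multi-host": "only the first supplicant is authenticated; "
                  "subsequent hosts get access without authenticating",
}


def parse_show_dot1x(text):
    """Return (system_auth_enabled, [row dicts]) parsed from 'show dot1x'."""
    system_auth = False
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "system authentication is enabled":
            system_auth = True
            continue
        match = ROW.match(line)  # separator and header lines do not match
        if match:
            rows.append(match.groupdict())
    return system_auth, rows


def audit_port(row, system_auth):
    """List the finding codes that apply to one port row."""
    findings = []
    if not system_auth:
        findings.append("system-auth-control-off")
    if row["pae"] != "Enabled":
        findings.append("pae-disabled")
    if row["port_control"] == "force-authorized":
        findings.append("force-authorized")
    # force-unauthorized blocks the port, so multi-host exposes nothing there.
    if row["host_mode"] == "multi-host" and row["port_control"] != "force-unauthorized":
        findings.append("multi-host")
    return findings


def audit(text, exempt=()):
    """Map port -> finding codes, skipping ports listed in 'exempt'
    (for example trunk or router ports, where 802.1x cannot run)."""
    system_auth, rows = parse_show_dot1x(text)
    report = {}
    for row in rows:
        if row["port"] in exempt:
            continue
        findings = audit_port(row, system_auth)
        if findings:
            report[row["port"]] = findings
    return report


if __name__ == "__main__":
    for port, codes in audit(SAMPLE_SHOW_DOT1X).items():
        for code in codes:
            print(f"{port}: {code} ({FINDINGS[code]})")
```

Ports that are meant to stay open, such as uplinks, go in `exempt` so that the remaining findings are the access ports that need attention.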

5.16.2 Configuring 802.1x

To configure 802.1x on the switch:

Step 1. Enable 802.1x protocol. Run:
switch (config) # protocol dot1x

Step 2. Enable the system as authenticator. Run:
switch (config) # dot1x system-auth-control

Step 3. Configure RADIUS server parameters. Run:
switch (config) # dot1x radius-server host 10.10.10.10 key my4uth3nt1c4t10nk3y retransmit 2 timeout 3

Step 4. Enter the configuration mode of an Ethernet interface. Run:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) #

Step 5. Configure the interface as a port access entity authenticator. Run:
switch (config interface ethernet 1/1) # dot1x pae authenticator

Step 6. Configure the interface to perform authentication on ingress traffic. Run:
switch (config interface ethernet 1/1) # dot1x port-control auto

Step 7. Verify 802.1x configuration. Run:
switch (config interface ethernet 1/1) # show dot1x interfaces ethernet 1/1
Eth1/1
PAE Status: Enabled
Configured host mode: Multi-host
Configured port-control: Auto
Authentication status: Unauthorized
Re-Authentication: Disabled
Re-Authentication period (sec): -
Tx wait period (sec): 30
Quiet period (sec): 60
Max request retry: 2
Last EAPOL RX source MAC: 00:00:00:00:00:00
switch (config interface ethernet 1/1)#


5.16.3 Commands

protocol dot1x

protocol dot1x
no protocol dot1x

Enables 802.1x EAPOL protocol.
The no form of the command disables 802.1x EAPOL protocol.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config
History: 3.4.2008
Role: admin
Example: switch (config)# protocol dot1x
Related Commands:
Note:


dot1x clear-statistics

dot1x clear-statistics

Resets the 802.1x counters on all or a specific port.

Syntax Description: N/A
Default: N/A
Configuration Mode:
  Config
  Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config)# dot1x clear-statistics
Related Commands:
Note:


dot1x pae authenticator

dot1x pae authenticator
no dot1x pae authenticator

Configures the port as a 802.1x port access entity (PAE) authenticator.
The no form of the command disables the port from being a 802.1x PAE authenticator.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x pae authenticator
Related Commands:
Note:


dot1x host-mode

dot1x host-mode [multi-host | single-host]
no dot1x host-mode

Configures the authentication mode to either multi-host or single-host.
The no form of the command resets the parameter to its default.

Syntax Description:
  multi-host    Sets the interface to operate in a port-based mode
  single-host   Sets the interface to operate in a MAC-based mode with support of a single supplicant per interface
Default: single-host
Configuration Mode: Config Interface Ethernet
History:
  3.4.2008
  3.4.2300   Added “single-host” option
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x host-mode single-host
Related Commands:
Note:


dot1x port-control

dot1x port-control [auto | force-authorized | force-unauthorized]
no dot1x port-control

Configures 802.1x port access entity (PAE) port-control.
The no form of the command resets the parameter to its default.

Syntax Description:
  auto                 The authenticator uses PAE authentication services to allow or block the port traffic
  force-authorized     Allows traffic on this port regardless of supplicant authorization
  force-unauthorized   Blocks traffic on this port regardless of supplicant authorization
Default: Force-authorized
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x port-control auto
Related Commands:
Note:


dot1x radius-server host

dot1x radius-server host <IP address> [enable | auth-port <port> | key <password> | prompt-key | retransmit <retries> | timeout <seconds>]
no dot1x radius-server host <IP address> enable

Configure 802.1x RADIUS server IP address.
The no form of the command disables 802.1x RADIUS server.

Syntax Description:
  auth-port    Sets 802.1x RADIUS port to use with this server. Range: 1-65535.
  enable       Sets 802.1x RADIUS as administratively enabled
  key          Configures 802.1x global RADIUS shared secret for servers.
  prompt-key   Prompts for key, rather than entering on command line
  retransmit   Configure 802.1x global RADIUS retransmit count for servers. The time configured is in seconds. Range: 0-5.
  timeout      Configures 802.1x global RADIUS timeout value for servers. The time configured is in seconds. Range: 1-60.
Default:
  auth-port: 1812
  key: empty string
  retransmit: 1
  timeout: 3
Configuration Mode: Config
History: 3.4.2008
Role: admin
Example: switch (config)# dot1x radius-server host 10.10.10.10 auth-port 65535 prompt-key enable
Related Commands:
Note:
• The no form of the various parameters resets them to their default values as indicated in the Default section above
• It is possible to configure up to 5 RADIUS servers
• It is possible to configure only 1 authentication port per RADIUS server IP


dot1x reauthenticate

dot1x reauthenticate
no dot1x reauthenticate

Enables supplicant re-authentication according to the configuration of command “dot1x timeout reauthentication”.
The no form of the command disables supplicant re-authentication.

Syntax Description: N/A
Default: No re-authentication
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x reauthenticate
Related Commands:
Note:


dot1x system-auth-control

dot1x system-auth-control
no dot1x system-auth-control

Enables the system as authenticator.
The no form of the command disables the system as authenticator.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config
History: 3.4.2008
Role: admin
Example: switch (config)# dot1x system-auth-control
Related Commands:
Note:


dot1x timeout reauthentication

dot1x timeout reauthentication <period>
no dot1x timeout reauthentication

Configures the number of seconds between re-authentication attempts.
The no form of the command resets the parameter to its default.

Syntax Description:
  period   Time in seconds. Range: 1-65535 seconds.
Default: 3600 seconds
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x timeout reauthentication 3600
Related Commands:
Note:


dot1x timeout quiet-period

dot1x timeout quiet-period <period>
no dot1x timeout quiet-period

Configures the number of seconds that the authenticator remains quiet following a failed authentication exchange with the supplicant.
The no form of the command resets the parameter to its default.

Syntax Description:
  period   Time in seconds. Range: 1-65535 seconds.
Default: 60 seconds
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x timeout quiet-period 60
Related Commands:
Note:


dot1x timeout tx-period

dot1x timeout tx-period <period>
no dot1x timeout tx-period

Configures the maximum number of seconds that the authenticator waits for supplicant response of EAP-request/identify frame before retransmitting the request.
The no form of the command resets the parameter to its default.

Syntax Description:
  period   Time in seconds. Range: 1-65535 seconds.
Default: 30 seconds
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x timeout tx-period 30
Related Commands:
Note:


dot1x max-req

dot1x max-req <retries>
no dot1x max-req

Configures the maximum amount of retries for the authenticator to communicate with the supplicant over EAP.
The no form of the command resets the parameter to its default.

Syntax Description:
  retries   The number of request retries. Range: 1-10.
Default: 2
Configuration Mode: Config Interface Ethernet
History: 3.4.2008
Role: admin
Example: switch (config interface ethernet 1/2)# dot1x max-req 2
Related Commands:
Note:


show dot1x

show dot1x

Displays 802.1x information on all interfaces.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config)# show dot1x
System authentication is enabled
---------------------------------------------------------------------
Port     Pae        Host-mode    Port-control       Status
---------------------------------------------------------------------
Eth1/1   Enabled    multi-host   auto               unauthorized
Eth1/2   Disabled   multi-host   force-authorized   down
Eth1/3   Disabled   multi-host   force-authorized   down
Eth1/4   Disabled   multi-host   force-authorized   down
Eth1/5   Disabled   multi-host   force-authorized   down
Eth1/6   Disabled   multi-host   force-authorized   down
Eth1/7   Disabled   multi-host   force-authorized   down
Eth1/8   Disabled   multi-host   force-authorized   down
Eth1/9   Disabled   multi-host   force-authorized   down
...
switch (config)#
Related Commands:
Note:


show dot1x interfaces ethernet

show dot1x interfaces ethernet <slot>/<port>

Displays 802.1x interface information.

Syntax Description:
  <slot>/<port>   Ethernet interface
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config)# show dot1x interfaces ethernet 1/2
Eth1/2
PAE Status: Enabled
Configured host mode: Multi-host
Configured port-control: Auto
Authentication status: Unauthorized
Re-Authentication: Enabled
Re-Authentication period (sec): 3600
Tx wait period (sec): 30
Quiet period (sec): 60
Max request retry: 2
Last EAPOL RX source MAC: 00:00:00:00:00:00
switch (config interface ethernet 1/2)#
Related Commands:
Note:


show dot1x interfaces ethernet statistics

show dot1x interfaces ethernet <slot>/<port> statistics

Displays 802.1x interface information.

Syntax Description:
  <slot>/<port>   Ethernet interface
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config)# show dot1x interfaces ethernet 1/2 statistics
Eth1/2
EAPOL frames received: 3
EAPOL frames transmitted: 2
EAPOL Start frames received: 1
EAPOL Logoff frames received: 0
EAP Response-ID frames received: 2
EAP Response frames received: 0
EAP Request-ID frames transmitted: 2
EAP Request frames transmitted: 0
Invalid EAPOL frames received: 0
EAP length error frames received: 0
Last EAPOL frame version: 1
Last EAPOL frame source: 00:1A:A0:02:E9:8E
switch (config)#
Related Commands:
Note:


show dot1x radius

show dot1x radius

Displays 802.1x RADIUS settings.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config)# show dot1x radius
802.1x RADIUS defaults:
Key: ********
Timeout: 3
Retransmit: 1
No 802.1x RADIUS servers configured.
switch (config)#
Related Commands:
Note:


6 IP Routing

6.1 General

6.1.1 IP Interfaces

MLNX-OS supports 3 types of IP interfaces.

• VLAN interface

• Loopback interface

• Router ports

Router ports are not supported on SX10xx-xxxR and SX60xx-xxxR systems.

VLAN interface is a logical IPv4 interface created per subnet over a specific 802.1Q VLAN ID.

If two hosts from two different subnets need to communicate (via the IP layer), the network administrator needs to configure two interface VLANs, one for each of the subnets. The user may configure up to 64 VLAN interfaces.

Each interface VLAN has the following attributes:

• Admin state

• Operational state

• MAC address

• IP address and mask

• MTU

• Description

• Set of counters

Loopback interface is a logical software entity where traffic transmitted to this interface is immediately received on the sending end.

Router port is a regular switch port configured to operate as an L3 interface. Router ports are assigned an IP address and all L3 commands become applicable to them.

Once configured, router ports no longer partake in the bridging activities of the switch and VLANs configured on them are separate from the pool allocated for the switch ports.

6.1.1.1 Configuring a VLAN Interface

To configure a VLAN interface:

Step 1. Create a VLAN. Run:
switch (config)# vlan 10
switch (config vlan 10)# exit

Step 2. Assign a physical interface to this VLAN. Run:
switch (config)# interface ethernet 1/1
switch (config interface ethernet 1/1)# switchport mode access
switch (config interface ethernet 1/1)# exit

Step 3. There must be at least one interface in the operational state “UP”.
switch (config)# show interface ethernet 1/1 status
Port     Operational state   Speed     Negotiation
----     -----------------   -----     -----------
Eth1/1   Up                  40 Gbps   No-Negotiation

Step 4. Create a VLAN interface that matches the VLAN. Run:
switch (config)# interface vlan 10
switch (config interface vlan 10)#

Step 5. Configure an IP address and a network mask to the interface. Run:
switch (config interface vlan 10)# ip address 10.10.10.10 /24

Step 6. Verify VLAN interface configuration. Run:
switch (config interface vlan 10)# show interface vlan 10
Vlan 10
Admin state: Enabled
Operational state: UP
Mac Address: 00:02:c9:5d:e0:f0
Internet Address: 10.10.10.10/24
Broadcast address: 10.10.10.255
MTU: 1500 bytes
Description: my-ip-interface
Counters: disabled

6.1.1.2 Configuring a Loopback Interface

To configure a loopback interface:

Step 1. Create a loopback interface. Run:
switch (config)# interface loopback 2
switch (config interface loopback 2)#

Step 2. Configure an IP address on the loopback interface. Run:
switch (config interface loopback 2)# ip address 20.20.20.20 /32

Step 3. Verify loopback interface configuration. Run:
switch (config interface loopback 2)# show interfaces loopback 2
Loopback 2
Internet Address: 20.20.20.20/32
Broadcast address: 20.20.20.20
MTU: 1500 bytes
Description: my-loopback
switch (config) #


6.1.1.3 Configuring a Router Port

Step 1. Enter an Ethernet interface’s configuration context. Run:
switch (config)# interface ethernet 1/10
switch (config interface ethernet 1/10)#

Step 2. Configure the Ethernet interface to become an L3 router port. Run:
switch (config interface ethernet 1/10)# no switchport force

Step 3. Configure an IP address on the router port. Run:
switch (config interface ethernet 1/10)# ip address 100.100.100.100 /24

Step 4. Verify router port configuration. Run:
switch (config interface ethernet 1/10)# show interfaces ethernet 1/10

Eth1/10

Admin state: Enabled

Operational state: Down

Description: N\A

Mac address: 00:02:c9:96:c6:d8

MTU: 1500 bytes(Maximum packet size 1522 bytes)

Flow-control: receive off send off

Actual speed: 40 Gbps

Width reduction mode: Unknown

DHCP client: Disabled

IP Address: 100.100.100.100 /24

Broadcast address: 100.100.100.255

Arp timeout: 1500 seconds

VRF: default

MAC learning mode: Enabled

Last clearing of "show interface" counters : 00:00:01

60 seconds ingress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec

60 seconds egress rate: 0 bits/sec, 0 bytes/sec, 0 packets/sec

Rx

0 packets

0 unicast packets

0 multicast packets

0 broadcast packets

0 bytes

0 error packets

0 discard packets

Tx

0 packets

0 unicast packets

0 multicast packets

0 broadcast packets

0 bytes

0 discard packets


6.1.2 Equal Cost Multi-Path Routing (ECMP)

Equal-cost multi-path routing (ECMP) is a routing strategy where next-hop packet forwarding to a single destination can occur over multiple paths.

In Figure 27, routers R1 and R2 can both access each of their router peer networks. Router R1 routing table for 10.0.40/24 will contain the following routes:

• 10.0.10.2

• 10.0.20.2

• 10.0.30.2

Figure 27: ECMP


The load balancing function of the ECMP is configured globally on the system.

The hash algorithm can be symmetric or asymmetric. With a symmetric hash function, bidirectional flows between routes follow the same path, while with an asymmetric hash function, bidirectional traffic can follow different paths in the two directions.

The following load balancing types are supported:

• Source IP & Port – source IP (SIP) and source UDP/TCP port: If the packet is not UDP/TCP, only SIP is used for the hash calculation. This is an asymmetric hash function.

• Destination IP & Port – destination IP (DIP) and destination UDP/TCP port: If the packet is not UDP/TCP, only DIP is used for the hash calculation. This is an asymmetric hash function.

• Source and Destination IP & Port – destination and source IP, as well as destination and source UDP/TCP port: If the packet is not UDP/TCP, only SIP/DIP are used for the hash calculation. This is a symmetric hash function.

• Traffic Class: Load balance based on the traffic class assigned to the packet. This is an asymmetric hash function.

• All (default): all above fields are part of the hash calculations. This is a symmetric hash function.

6.1.2.1 Hash Functions

It is advised that the LAG and ECMP hash function configuration differ from one hop to the next. If the same hash function is used over two hops, all the traffic sorted from one hop to the following one will arrive already having the same characteristics, which renders the next hash function useless. For example, configure load-balancing on the first hop based on source IP while on the next hop based on destination IP.

Figure 28: Multiple Hash Functions (labels in the figure: Spine, Leaf, ToR, Hash)
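The behaviour described in 6.1.2 and 6.1.2.1, as an added Python example that is not taken from the manual: it checks which load-balancing types hash both directions of a flow to the same path, and shows that re-using the first hop's hash on the next hop leaves only one of that hop's equal-cost paths in use. CRC-32 stands in for the switch's hash, which the manual does not specify; the flow set, the four-path fan-out, the mode names and the sorted-endpoint construction of the symmetric hash are assumptions.

```python
import ipaddress
import zlib
from collections import Counter
from itertools import product

N_PATHS = 4  # equal-cost next hops per router (assumed)

# Constructed flows: 32 sources x 32 destinations, fixed L4 ports.
FLOWS = [(f"10.0.0.{s}", 40000, f"10.1.0.{d}", 443)
         for s, d in product(range(1, 33), repeat=2)]


def _endpoint(ip, port):
    """Serialize one endpoint as a 2-byte port followed by the IPv4 address."""
    return port.to_bytes(2, "big") + ipaddress.IPv4Address(ip).packed


def ecmp_path(flow, mode, n_paths=N_PATHS):
    """Pick a next-hop index for flow = (src_ip, src_port, dst_ip, dst_port)."""
    src = _endpoint(flow[0], flow[1])
    dst = _endpoint(flow[2], flow[3])
    if mode == "src":        # Source IP & Port
        key = src
    elif mode == "dst":      # Destination IP & Port
        key = dst
    elif mode == "src-dst":  # Source and Destination IP & Port
        # Sorting makes the key independent of direction (symmetric hash).
        key = b"".join(sorted((src, dst)))
    else:
        raise ValueError(f"unknown load-balancing mode: {mode}")
    return zlib.crc32(key) % n_paths


def reverse(flow):
    """Return the same conversation seen in the opposite direction."""
    src_ip, src_port, dst_ip, dst_port = flow
    return (dst_ip, dst_port, src_ip, src_port)


def direction_mismatches(flows, mode):
    """Flows whose two directions are hashed to different path indexes."""
    return [f for f in flows
            if ecmp_path(f, mode) != ecmp_path(reverse(f), mode)]


def second_hop_usage(flows, first_mode, second_mode):
    """Hash all flows at hop 1, then re-hash the flows that reached the
    busiest hop-2 router; return a Counter of path index -> flow count."""
    by_next_hop = {}
    for f in flows:
        by_next_hop.setdefault(ecmp_path(f, first_mode), []).append(f)
    busiest = max(by_next_hop.values(), key=len)
    return Counter(ecmp_path(f, second_mode) for f in busiest)


if __name__ == "__main__":
    for mode in ("src", "dst", "src-dst"):
        n = len(direction_mismatches(FLOWS, mode))
        print(f"{mode}: {n} of {len(FLOWS)} flows differ by direction")
    print("same hash on both hops:", dict(second_hop_usage(FLOWS, "src", "src")))
    print("different hash per hop:", dict(second_hop_usage(FLOWS, "src", "dst")))
```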

6.1.3 Virtual Routing and Forwarding

Only static IPv4 and ECMP are supported with VRF.

Virtual routing and forwarding (VRF) allows multiple routing table instances to coexist within the same router simultaneously. Since the routing instances are independent, IP addresses on each routing table may overlap without conflicting with each other.

VRF can be used for the following purposes:

• Ensure customer privacy and security

• Separate between management and user data

• Support customers with the same address space

• Support VPN

Multiple routing instances defined in the router can have different purposes and can be configured in different manners:

• Different IP interfaces can be attached to different VRFs (only one IP interface can be in a single VRF)

• Routing in VRF can be enabled or disabled

• Each VRF component can run its own routing protocol independently from other instances

• Differently configured IPv4 and IPv6 services

The first VRF in the system is created automatically and it is called “default” VRF. It cannot be deleted or configured.


6.1.4 IPv4 Routing Mode

The resources available for IPv4 routing are as follows:

• number of IPv4 neighbors – 2048

• number of IPv4 unicast routes – 4096

• number of IPv4 multicast routes – 672

Prior to upgrading to this software release, the user must align the number of configured multicast routes to the number defined above.


6.1.5 Commands

6.1.5.1 General

ip l3

ip l3 [force]
no ip l3 [force]

Enables IP routing capabilities.
The no form of the command disables IP routing and removes its configuration.

Syntax Description: N/A
Default: If operating with Ethernet system profile: L3
Configuration Mode: Config
History: 3.4.1802
Role: admin
Example:
switch (config) # ip l3 force
switch (config) #
Related Commands: N/A
Note:


vrf definition

vrf definition <vrf-name>

Creates the VRF.

Syntax Description:
  vrf-name   VRF session name
Default: N/A
Configuration Mode: Config
History: 3.4.2008
Role: admin
Example:
switch (config) # vrf definition my-vrf
switch (config vrf definition my-vrf) #
Related Commands: N/A
Notes: Only 1 VRF is supported aside from the default VRF


routing-context vrf

routing-context vrf <vrf-name>

Enters the active-context of the specified session.

Syntax Description:
  vrf-name   VRF session name
Default: N/A
Configuration Mode: Config
History: 3.4.2008
Role: admin
Example:
switch (config) # routing-context vrf my-vrf
switch (config) #
Related Commands: N/A
Notes:
• If a routing-context is configured, the user does not have to explicitly specify the VRF name parameter in this or any other VRF command
• If no routing-context is configured and the user does not specify the VRF name, default VRF is used


ip routing

ip routing [vrf <vrf-name>]

Enables L3 forwarding between high speed interfaces.

Syntax Description:
  vrf-name   VRF session name
Default: N/A
Configuration Mode: Config
History:
  3.4.1802
  3.4.2008   Added VRF parameter
Role: admin
Example:
switch (config) # ip routing vrf my-vrf
switch (config) #
Related Commands: N/A
Notes:
• RD must be configured to enable IP routing on the VRF
• If no routing-context is specified, the “routing-context” VRF is automatically configured.


description

description <description>
no description force

Creates the VRF.

Syntax Description:
  description   Text string
  force         Forces deletion (no confirmation needed if configuration exists inside the VRF)
Default: N/A
Configuration Mode: Config VRF Definition
History: 3.4.2008
Role: admin
Example:
switch (config vrf definition my-vrf) # description vrf-description
switch (config vrf definition my-vrf) #
Related Commands: N/A
Notes:


rd

rd [<ip addr>:<0-65,535> | <AS Number>:<0-4,294,967,295> | <AS Number>:<ip addr>]

Adds a route distinguisher (RD) to the VRF configuration mode.

Syntax Description:
  ip-addr     IPv4 address
  AS Number   Asynchronous machine number
Default: N/A
Configuration Mode: Config VRF Definition
History: 3.4.2008
Role: admin
Example:
switch (config vrf definition my-vrf) # rd 10.10.10.10:2
switch (config vrf definition my-vrf) #
Related Commands: N/A
Notes:
• RDs internally identify routes belonging to a VRF to distinguish overlapping or duplicate IP address ranges. This allows the creation of distinct routes to the same IP address for different VPNs. The RD is a 64-bit number made up of an AS number or IPv4 address followed by a user-selected ID number. Once an RD has been assigned to a VRF it cannot be changed. To change the RD, remove the VRF then create it again. VRF is not active until an RD is defined.
• An RD must be defined to enable IP routing on the VRF


vrf forwarding

vrf forwarding <vrf-name>

Maps an interface to VRF.

Syntax Description:
  vrf-name   VRF session name
Default: N/A
Configuration Mode:
  Config Interface Ethernet set as router port
  Config Interface VLAN
  Config Interface Loopback
History: 3.4.2008
Role: admin
Example:
switch (config interface ethernet 1/2) # vrf forwarding my-vrf
switch (config interface ethernet 1/2) #
Related Commands: N/A
Notes:


show ip routing

show ip routing [vrf <vrf-name> | all]

Displays IP routing information per VRF.

Syntax Description:
  vrf   Displays information for specific VRF
  all   Displays information on all VRFs
Default: N/A
Configuration Mode: Any Command Mode
History:
  3.2.0230
  3.4.2008   Added VRF parameter
Role: admin
Example:
switch (config) # show ip routing vrf all
VRF Name: my-vrf
-----------------------------
IP routing: disabled
VRF Name: default
-----------------------------
IP routing: enabled
switch (config) #
Related Commands: N/A
Notes: If no routing-context is specified, the “routing-context” VRF is automatically displayed.


show routing-context vrf

show routing-context vrf

Displays VRF active context.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config) # show routing-context vrf
VRF active context: my-vrf
switch (config) #
Related Commands: N/A
Notes:


show vrf

show vrf [<vrf-name> | all]

Displays VRF information.

Syntax Description:
  all        Displays information for all VRF instances
  vrf-name   Name of VRF instance
Default: N/A
Configuration Mode: Any Command Mode
History: 3.4.2008
Role: admin
Example:
switch (config) # show vrf my-vrf
VRF Info
Name: my-vrf
RD: 10.10.10.10:2
Description: Test VRF
IP routing state: Enabled
Protocols: IPv4
Interfaces: Eth1/2
switch (config) #
Related Commands: N/A
Notes: If no routing-context is specified, the “routing-context” VRF is automatically displayed.


6.1.5.2 IP Interfaces

switchport

switchport [force]
no switchport [force]

Configures the Ethernet interface as a regular switchport.
The no form of the command configures the Ethernet interface as a router port.

Syntax Description:
  force   Forces configuration even if the interface’s admin state is enabled.
Default: N/A
Configuration Mode:
  Config Interface Ethernet
  Config Interface Port Channel
History: 3.3.5200
Role: admin
Example: switch (config interface ethernet 1/10)# no switchport force
Related Commands:
Note:


encapsulation dot1q vlan

encapsulation dot1q vlan <vlan-id> [force]
no encapsulation dot1q vlan [force]

Enables L2 802.1Q encapsulation of traffic on a specified router port in a VLAN.
The no form of the command disables L2 802.1Q encapsulation of traffic on a specified router port in a VLAN.

Syntax Description:
  vlan-id   Enables L2 802.1Q encapsulation of traffic on a router port in a VLAN.
  force     Forces admin state down.
Default: N/A
Configuration Mode: Config Interface Ethernet
History: 3.3.5200
Role: admin
Example: switch (config interface ethernet 1/10)# encapsulation dot1q vlan 10
Related Commands:
Note:


6.1.5.3 Interface VLAN

interface vlan

interface vlan <vlan-id>
no interface vlan <vlan-id>

Creates a VLAN interface and enters the interface VLAN configuration mode.
The no form of the command deletes the VLAN interface.

Syntax Description:
  vlan-id   A numeric range of 1-4094
Default: N/A
Configuration Mode: Config
History: 3.2.0230
Role: admin
Example:
switch (config) # interface vlan 10
switch (config interface vlan 10) #
Related Commands:
  ip routing
  vlan <vlan-id>
  switchport mode
  switchport access
  show interfaces vlan
Note:
• Make sure the VLAN was created, using the command “vlan <vlan-id>” in the global configuration mode
• The VLAN must be assigned to one of the L2 interfaces. To do so, run the command “switchport ...”
• At least one interface belonging to that VLAN must be in UP state


ip address

ip address <ip-address> <mask>
no ip address <ip-address> <mask>

Enters user-defined description for the interface.

Syntax Description:
  ip-address   IPv4 address
  mask         There are two possible ways to specify the mask:
               • /length (i.e. /24)
               • Network address (i.e. 255.255.255.0)
Default: 0.0.0.0/0
Configuration Mode: Config Interface VLAN
History: 3.2.0230
Role: admin
Example:
switch (config interface vlan 10) # ip address 10.10.10.10 /24
switch (config interface vlan 10) #
Related Commands:
  interface vlan
  show interfaces vlan
Note:


ip address dhcp

ip address dhcp
no ip address dhcp

Enables DHCP on this VLAN interface.

Syntax Description: N/A
Default: Disabled
Configuration Mode: Config Interface VLAN
History: 3.4.2008
Role: admin
Example:
switch (config interface vlan 10) # ip address dhcp
switch (config interface vlan 10) #
Related Commands:
  interface vlan
  show interfaces vlan
Note:


counters

counters
no counters

Enables counters on the IP interface.
The no form of the command disables counters gathering on the IP interface.

Syntax Description: N/A
Default: counters are disabled.
Configuration Mode: Config Interface VLAN
History: 3.2.0230
Role: admin
Example:
switch (config interface vlan 10) # counters
switch (config interface vlan 10) #
Related Commands:
  counters
  interface vlan
  show interfaces vlan
Note:
• Enabling counters for the router interface adds delay to the traffic stream
• There are maximum of 16 counter sets


description

description <string>
no description

Enters a description for the interface.
The no form of the command sets the description to default.

Syntax Description
string    User defined string

Default “”

Configuration Mode Config Interface VLAN

History 3.2.0230

Role admin

Example
switch (config interface vlan 10) # description my-ip-interface
switch (config interface vlan 10) #

Related Commands
interface vlan
show interfaces vlan

Note


mtu

mtu <size> [force]
no mtu

Sets the MTU for the interface.
The no form of the command sets the MTU to default.

Syntax Description
size     1500-9216.
force    Forces command implementation.

Default 1522

Configuration Mode Config Interface VLAN

History 3.2.0230

Role admin

Example
switch (config interface vlan 10) # mtu 9216
switch (config interface vlan 10) #

Related Commands
interface vlan
show interfaces vlan

Note


shutdown

shutdown
no shutdown

Disables the interface.
The no form of the command enables the interface.

Syntax Description N/A

Default The interface is enabled.

Configuration Mode Config Interface VLAN

History 3.1.0000

Role admin

Example
switch (config interface vlan 20) # shutdown
switch (config interface vlan 20) #

Related Commands
interface vlan

Note


clear counters

clear counters

Clears the interface counters.

Syntax Description N/A

Default N/A

Configuration Mode Config Interface VLAN

History 3.2.0230

Role admin

Example
switch (config interface vlan 10) # clear counters
switch (config interface vlan 10) #

Related Commands
interface vlan
counters

Note


ip icmp redirect

ip icmp redirect
no ip icmp redirect

Enables ICMP redirect.
The no form of the command disables ICMP redirect.

Syntax Description N/A

Default Enabled

Configuration Mode Config Interface VLAN

History 3.4.0010

Role admin

Example
switch (config interface vlan 10) # no ip icmp redirect

Related Commands
interface vlan
counters

Note
• ICMP redirect transmits messages to hosts alerting them about the existence of more efficient routes to a specific destination


show ip interface

show ip interface [vrf <vrf-name> | all] [brief]

Displays IP interfaces information per VRF.

Syntax Description
all      Displays information on all VRFs
brief    Displays IP interfaces information in a shortened form

Default N/A

Configuration Mode Any Command Mode

History 3.4.2008

Role admin

Example
switch (config) # show ip interface vrf all brief
Interface     Address/Mask      Admin-state  Oper-state  MTU   VRF
mgmt0         10.224.22.27/24   Enabled      Up          1500  default
mgmt1         0.0.0.0/0         Enabled      Down        1500  default
Vlan 20       20.20.20.1/24     Enabled      Down        1500  my-vrf
Eth1/1        1.1.1.1/24        Enabled      Down        1500  my-vrf
Loopback 10   10.10.10.1/32     Enabled      Up          1500  my-vrf
Vlan 30       30.30.30.1/24     Enabled      Down        1500  default
Eth1/2        2.2.2.2/24        Enabled      Down        1500  default
Loopback 11   11.11.11.1/32     Enabled      Up          1500  default

switch (config) # show ip interface vrf my-vrf brief
Interface     Address/Mask      Admin-state  Oper-state  MTU   VRF
Vlan 20       20.20.20.1/24     Enabled      Down        1500  my-vrf
Eth1/1        1.1.1.1/24        Enabled      Down        1500  my-vrf
Loopback 10   10.10.10.1/32     Enabled      Up          1500  my-vrf

switch (config) # show ip interface vrf default brief
Interface     Address/Mask      Admin-state  Oper-state  MTU   VRF
mgmt0         10.224.22.27/24   Enabled      Up          1500  default
mgmt1         0.0.0.0/0         Enabled      Down        1500  default
Vlan 30       30.30.30.1/24     Enabled      Down        1500  default
Eth1/2        2.2.2.2/24        Enabled      Down        1500  default
Loopback 11   11.11.11.1/32     Enabled      Up          1500  default
switch (config) #

Related Commands N/A

Notes If no routing-context is specified, the “routing-context” VRF is automatically displayed.


6.1.5.4 Loopback Interface

interface loopback

interface loopback <id>
no interface loopback <id>

Creates a loopback interface and enters the interface configuration mode.
The no form of the command deletes the interface.

Syntax Description
id    A numeric range of 0-31

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example
switch (config) # interface loopback 10
switch (config interface loopback 10) #

Related Commands

Note
• Up to 32 loopback interfaces can be configured
• Within the loopback configuration mode, you can configure description and ip-address
• MTU cannot be configured on the loopback interface


ip address

ip address <ip-address> <mask>
no ip address <ip-address> <mask>

Enters user-defined description for the interface.

Syntax Description
ip-address    IPv4 address.
mask          There are two possible ways to specify the mask:
              • /length – only /32 is possible
              • Network address (i.e. 255.255.255.0)

Default 0.0.0.0/0

Configuration Mode Config Interface Loopback

History 3.3.5006

Role admin

Example
switch (config interface loopback 10) # ip address 10.10.10.10 /32

Related Commands
interface loopback

Note


description

description <string>
no description

Enters a description for the interface.
The no form of the command sets the description to default.

Syntax Description
string    User defined string.

Default “”

Configuration Mode Config Interface Loopback

History 3.3.5006

Role admin

Example
switch (config interface loopback 10) # description my-ip-interface

Related Commands
interface loopback

Note


show interfaces loopback

show interface loopback <id>

Shows the attributes of the loopback interface.

Syntax Description
id    A numeric range of 1-32

Default N/A

Configuration Mode Config

History 3.2.3000

Role admin

Example
switch (config) # show interfaces loopback 2
Loopback 2
Internet Address: 2.2.2.2/32
Broadcast address: 2.2.2.2
MTU: 1500 bytes
Description: my-loopback
switch (config) #

Related Commands

Note


6.1.5.5 Routing and ECMP

ip route

ip route [vrf <vrf-name>] <IP prefix> <netmask> <next hop IP address>
no ip route [vrf <vrf-name>] <IP prefix> <netmask> <next hop IP address>

Configures a static route inside VRF.
The no form of the command removes the static route configured.

Syntax Description
vrf-name               VRF session name
ip prefix              IP address
netmask                There are two possible ways to specify the mask:
                       • /length (e.g. /24)
                       • Network address (e.g. 255.255.255.0)
next hop IP address    IP address of the next hop.

Default N/A

Configuration Mode Config

History
3.1.0000
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # ip route vrf my-vrf 80.80.80.0 /24 20.20.20.2

Related Commands N/A

Notes If no routing-context is specified, the “routing-context” VRF is automatically configured.


ip load-sharing

ip load-sharing <type>
no ip load-sharing

This command sets the ECMP load sharing mode.
The no form of the command sets the load-sharing to default.

Syntax Description
type    • source-ip-port
        • destination-ip-port
        • source-destination-ip-port
        • traffic-class
        • all

Default all

Configuration Mode Config

History 3.2.0230

Role admin

Example
switch (config) # ip load-sharing all
switch (config) # show ip load-sharing
Load sharing: all
switch (config) #

Related Commands
ip route

Note


show ip route

show ip route [vrf [<vrf-name> | all]] [-a | static | summary]

Displays routing table of VRF instance.

Syntax Description
all        Displays routing tables for all VRF instances
-a         Displays static routes currently inactive due to the interface being down
static     Displays static route
summary    Displays route summary

Default N/A

Configuration Mode Any Command Mode

History
3.1.0000    First version
3.3.3500    Added Distance/Metric column
3.4.0000    Added -a parameter
3.4.2008    Added VRF parameter
3.4.3000    Updated Notes section

Role admin

Example
switch (config) # show ip route vrf my-vrf
VRF Name: my-vrf
-----------------------------
Destination   Mask              Gateway      Interface    Source   Distance/Metric
10.10.10.1    255.255.255.255   0.0.0.0      loopback10   direct   0/0
20.20.20.0    255.255.255.0     0.0.0.0      vlan20       direct   0/0
80.80.80.0    255.255.255.0     20.20.20.2   vlan20       static   1/0

switch (config) # show ip route vrf my-vrf static
VRF Name: my-vrf
-----------------------------
Destination   Mask              Gateway      Interface    Source   Distance/Metric
80.80.80.0    255.255.255.0     20.20.20.2   vlan20       static   1/0

switch (config) # show ip route vrf my-vrf summary
VRF Name: my-vrf
-----------------------------
Route Source   Routes
direct         2
static         1
ospf           0
bgp            0
DHCP           0
Total          3

switch (config) # show ip route vrf my-vrf -a
VRF Name: my-vrf
-----------------------------
Destination   Mask              Gateway      Interface    Source   Distance/Metric
90.90.90.0    255.255.255.0     1.1.1.2      NA           static   1/0
switch (config) #

Related Commands
ip route

Notes
• If no routing-context is specified, the “routing-context” VRF is automatically displayed
• If no default route exists, then the message “Route not found” is printed


show ip load-sharing

show ip load-sharing

Displays ECMP hash attribute.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.2.0230

Role admin

Example
switch (config) # show ip load-sharing
Load sharing: all
switch (config) #

Related Commands
ip load-sharing

Note


6.1.5.6 Network to Media Resolution (ARP)

ip arp

ip arp [vrf <vrf-name>] <ip-address> <mac-address>
no ip arp <ip-address>

Configures IP ARP properties of VRF.
The no form of the command deletes the static ARP configuration.

Syntax Description
vrf-name       VRF session name
IP address     IPv4 address
mac-address    MAC address (format XX:XX:XX:XX:XX:XX)

Default N/A

Configuration Mode Config

History 3.4.2008

Role admin

Example
switch (config) # ip arp vrf my-vrf 20.20.20.2 aa:bb:cc:dd:ee:ff

Related Commands N/A

Notes If no routing-context is specified, the “routing-context” VRF is automatically configured.


ip arp timeout

ip arp timeout <timeout-value>
no ip arp timeout

Sets the dynamic ARP cache timeout.
The no form of the command sets the timeout to default.

Syntax Description
timeout-value    Time (in seconds) that an entry remains in the ARP cache. Range: 60-28800.

Default 1500 seconds

Configuration Mode Config Interface VLAN

History 3.2.0230

Role admin

Example
switch (config) # ip arp timeout 2000
switch (config) # show ip arp
ARP Timeout: 2000
Total number of entries: 55
IP Address   MAC Address         Interface
1.0.0.2      00:02:c9:5c:30:40   Vlan11
1.0.0.3      00:11:22:33:44:55   Vlan11
2.0.0.2      00:02:c9:5c:30:40   Vlan12
3.0.0.2      00:02:c9:5c:30:40   Vlan13
4.0.0.2      00:02:c9:5c:30:40   Vlan14
switch (config) #

Related Commands
ip arp
show ip arp

Note This value is used as the ARP timeout whenever a new IP interface is created.


clear ip arp

clear ip arp [vrf <vrf-name>] [interface <type> | <IP-address>]

Clears the dynamic ARP cache for the specific VRF session.

Syntax Description
vrf-name      VRF session name
interface     Clears dynamic ARP entries for an interface
ip-address    Clears dynamic ARP entries for a specific IP address

Default N/A

Configuration Mode Config

History
3.2.0230
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # clear ip arp vrf my-vrf
switch (config) #

Related Commands
ip arp
show ip arp

Notes If no routing-context is specified, the “routing-context” VRF is automatically configured.


show ip arp

show ip arp [vrf [<vrf-name> | all]] [interface <type> | count]

Displays all ARP information for VRF instance.

Syntax Description
all          Displays all ARP information for all VRF
interface    Displays all ARP information for specific interface
count        Displays number of ARPs for specific VRF

Default N/A

Configuration Mode Any Command Mode

History
3.3.3000
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # show ip arp vrf my-vrf
VRF Name: my-vrf
-----------------------------
Total number of entries: 2
Address      Type         Hardware Address    Interface
------------------------------------------------------------------------
20.20.20.2   Static ETH   AA:AA:AA:BB:BB:BB   vlan 20
1.1.1.2      Static ETH   00:11:22:33:44:55   eth 1/1

switch (config) # show ip arp vrf my-vrf interface ethernet 1/1
VRF Name: my-vrf
-----------------------------
Total number of entries: 1
Address      Type         Hardware Address    Interface
------------------------------------------------------------------------
1.1.1.2      Static ETH   00:11:22:33:44:55   eth 1/1

switch (config) # show ip arp vrf my-vrf interface vlan 20
VRF Name: mmm
-----------------------------
Total number of entries: 1
Address      Type         Hardware Address    Interface
------------------------------------------------------------------------
20.20.20.2   Static ETH   AA:AA:AA:BB:BB:BB   vlan 20
switch (config) #

Related Commands
ip arp

Notes If no routing-context is specified, the “routing-context” VRF is automatically displayed.


6.1.5.7 IP Diagnostic Tools

ping

ping [vrf <vrf-name>] [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [-T timestamp option ] [-Q tos ] [hop1 ...] destination

Sends ICMP echo requests to a specified host.

Syntax Description
Linux Ping options
vrf    Specifies VRF instance name

Default N/A

Configuration Mode Config

History
3.1.0000
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # ping 172.30.2.2
PING 172.30.2.2 (172.30.2.2) 56(84) bytes of data.
64 bytes from 172.30.2.2: icmp_seq=1 ttl=64 time=0.703 ms
64 bytes from 172.30.2.2: icmp_seq=2 ttl=64 time=0.187 ms
64 bytes from 172.30.2.2: icmp_seq=3 ttl=64 time=0.166 ms
64 bytes from 172.30.2.2: icmp_seq=4 ttl=64 time=0.161 ms
64 bytes from 172.30.2.2: icmp_seq=5 ttl=64 time=0.153 ms
64 bytes from 172.30.2.2: icmp_seq=6 ttl=64 time=0.144 ms
^C
--- 172.30.2.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 0.144/0.252/0.703/0.202 ms
switch (config) #

Related Commands
traceroute

Note When using the -I option, use the interface name + interface number, for example “ping -I vlan10”


traceroute

traceroute [vrf <vrf-name>] [-46dFITUnrAV] [-f first_ttl] [-g gate,...] [-i device] [-m max_ttl] [-N squeries] [-p port] [-t tos] [-l flow_label] [-w waittime] [-q nqueries] [-s src_addr] [-z sendwait] host [packetlen]

Traces the route packets take to a destination.

Syntax Description
vrf    Specifies VRF instance name
-4     Uses IPv4.
-6     Uses IPv6
-d     Enables socket level debugging.
-F     Sets DF (“do not fragment” bit) on.
-I     Uses ICMP ECHO for tracerouting.
-T     Uses TCP SYN for tracerouting.
-U     Uses UDP datagram (default) for tracerouting.
-n     Does not resolve IP addresses to their domain names.
-r     Bypasses the normal routing and sends directly to a host on an attached network.
-A     Performs AS path lookups in routing registries and prints results directly after the corresponding addresses.
-V     Prints version info and exits.
-f     Starts from the first_ttl hop (instead of from 1).
-g     Routes packets through the specified gateway (maximum 8 for IPv4 and 127 for IPv6).
-i     Specifies a network interface to operate with.
-m     Sets the max number of hops (max TTL to be reached). Default is 30.
-N     Sets the number of probes to be tried simultaneously (default is 16).
-p     Uses destination port. It is an initial value for the UDP destination port (incremented by each probe, default is 33434), for the ICMP seq number (incremented as well, default from 1), and the constant destination port for TCP tries (default is 80).
-t     Sets the TOS (IPv4 type of service) or TC (IPv6 traffic class) value for outgoing packets.
-l     Uses specified flow_label for IPv6 packets.
-w     Sets the number of seconds to wait for response to a probe (default is 5.0). Non-integer (float point) values allowed too.
-q     Sets the number of probes per each hop. Default is 3.
-s     Uses source src_addr for outgoing packets.
-z     Sets minimal time interval between probes (default is 0). If the value is more than 10, then it specifies a number in milliseconds, else it is a number of seconds (float point values allowed too).

Default N/A

Configuration Mode Config

History
3.1.0000
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # traceroute 192.168.10.70
traceroute to 192.168.10.70 (192.168.10.70), 30 hops max, 40 byte packets
1 172.30.0.1 (172.30.0.1) 3.632 ms 2.849 ms 3.544 ms
2 10.222.128.46 (10.222.128.46) 3.176 ms 3.289 ms 3.656 ms
3 10.158.128.30 (10.158.128.30) 15.331 ms 15.819 ms 16.388 ms
4 10.158.128.65 (10.158.128.65) 20.468 ms 7.893 ms 12.27 ms
5 10.7.34.115 (10.7.34.115) 16.405 ms 11.985 ms 12.264 ms
6 192.168.10.70 (192.168.10.70) 16.377 ms 16.091 ms 20.475 ms
switch (config) #

Related Commands

Note
• The following flags are not supported: -6, -l, -A
• When using the -i option, use the interface name + interface number, for example “traceroute -i vlan10”


tcpdump

tcpdump [vrf <vrf-name>] [-aAdeflLnNOpqRStuUvxX] [-c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -Z user ] [ expression ]

Invokes standard binary, passing command line parameters straight through. Runs in foreground, printing packets as they arrive, until the user hits Ctrl+C.

Syntax Description
vrf    Specifies VRF instance name

Default N/A

Configuration Mode Config

History
3.1.0000
3.4.2008    Added VRF parameter

Role admin

Example
switch (config) # tcpdump
......
09:37:38.678812 IP 192.168.10.7.ssh > 192.168.10.1.54155: P 1494624:1494800(176) ack 625 win 90 <nop,nop,timestamp 5842763 858672398>
09:37:38.678860 IP 192.168.10.7.ssh > 192.168.10.1.54155: P 1494800:1495104(304) ack 625 win 90 <nop,nop,timestamp 5842763 858672398>
...
9141 packets captured
9142 packets received by filter
0 packets dropped by kernel
switch (config) #

Related Commands N/A

Note
• When using the -i option, use the interface name + interface number, for example “tcpdump -i vlan10”
• For all flag options of this command, refer to the Linux man page of tcpdump.


6.1.5.8 QoS

qos map dscp-to-pcp preserve-pcp

qos map dscp-to-pcp preserve-pcp
no qos map dscp-to-pcp preserve-pcp

Configures the router to copy PCP bits when transferring data from one subnet to another.
The no form of the command disables this ability.

Syntax Description N/A

Default Disabled.

Configuration Mode Config

History 3.3.4000

Role admin

Example
switch (config) # qos map dscp-to-pcp preserve-pcp
switch (config) #

Related Commands

Note
• This command applies the configuration for all router interfaces
• As part of its function, the router performs DSCP to PCP bits mapping (fixed mapping). By activating the command the router preserves the PCP bits from one subnet to another subnet (PCP bits are copied).


6.2 IPv6

To activate this feature please contact your Mellanox support representative.

IP version 6 (IPv6) is a routing protocol which succeeds IPv4. With the expansion of the Internet and databases, IPv6 addresses consist of 128 bits, whose purpose is to allow networks to include a significantly higher number of nodes by increasing the pool of available unique IP addresses.

IPv6 packets alleviate overhead and allow for future customizability.

Textual representations of IPv6 addresses consist of eight 16-bit hexadecimal numbers (128 bits in total) separated by colons. IPv6 addresses may be abbreviated as follows:

• You may omit leading zeros in each 16-bit sequence

• You may replace an entire sequence with a double colon if it equals zero

For example, these addresses represent the same IPv6 address:

• af23:0000:0000:0000:1284:037d:35ce:2401

• af23:0:0:0:1284:37d:35ce:2401

• af23::1284:37d:35ce:2401
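Because one address has several valid spellings, configuration audits and log searches should compare addresses in a single canonical form rather than as raw strings. The following is an added example, not part of the original manual: the function names are hypothetical, and `compress` picks the longest run of zero groups (first run on a tie, runs of one group left alone), which is a convention assumed here rather than stated on this page.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

# The three spellings listed above for the same address.
PAGE_FORMS = [
    "af23:0000:0000:0000:1284:037d:35ce:2401",
    "af23:0:0:0:1284:37d:35ce:2401",
    "af23::1284:37d:35ce:2401",
]


def expand(text):
    """Undo both abbreviation rules: return eight zero-padded 16-bit groups."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: " + text)
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: " + text)
        groups = head + ["0"] * missing + tail
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight 16-bit groups: " + text)
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError("bad group %r in %s" % (group, text))
    return ":".join(group.lower().zfill(4) for group in groups)


def compress(text):
    """Apply both rules: drop leading zeros, then replace one zero run with '::'."""
    groups = [format(int(g, 16), "x") for g in expand(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer, so the first run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a single zero group is written as "0"
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def same_address(a, b):
    """True when two textual forms denote the same 128-bit address."""
    return expand(a) == expand(b)
```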

IPv6 addresses typically denote a 64-bit network prefix and a 64-bit host address.

Only static IPv6 and ECMP are supported.


The number of static IPv6 addresses supported is 64.

6.2.1 Neighbor Discovery Protocol

Neighbor Discovery (ND) determines relationships between neighbors and replaces ARP, ICMP, and ICMP redirect in IPv4.

Five kinds of ICMPv6 packets are defined by ND:

• Neighbor advertisement

• Router advertisement

• Neighbor solicitation

• Router solicitation

• Redirect

ND checks whether a neighboring node’s address has changed, whether the neighbor is still reachable, and also resolves the address of the neighbor which a packet is being forwarded to.

ND is also useful for network nodes for discovering other nodes and performing basic link-layer configuration.


6.2.2 Configuring IPv6

Figure 29: IPv6 Network

To configure Router1:

Step 1. Enable IP routing. Run:
switch (config)# ip routing

Step 2. Enable forwarding IPv6 unicast packets. Run:
switch (config)# ipv6 routing

Step 3. Configure the VLAN interfaces. Run:
switch (config)# interface vlan 10
switch (config interface vlan 10) # exit
switch (config)# interface vlan 30
switch (config interface vlan 30) # exit
switch (config)# interface vlan 50
switch (config interface vlan 50) # exit

Step 4. Enable IPv6 on the VLAN interfaces. Run:
switch (config)# interface vlan 10 ipv6 enable
switch (config)# interface vlan 30 ipv6 enable
switch (config)# interface vlan 50 ipv6 enable

Step 5. Configure IPv6 addresses for each one of the VLAN interfaces. Run:
switch (config)# interface vlan 10 ipv6 address 2101:db01::1 /64
switch (config)# interface vlan 30 ipv6 address 2103:db01::2 /64
switch (config)# interface vlan 50 ipv6 address 2105:db01::1 /64

Step 6. Configure IPv6 unicast. Run:
switch (config)# ipv6 route 2002:db01:: /64 2101:db01::2

Step 7. Configure IPv6 unicast. Run:
switch (config)# ipv6 route 2002:db01:: /64 2105:db01::2

To configure Router2:

Step 1. Disable prefix mode on the CLI. Run:
switch (config)# no cli default prefix-mode enable

Step 2. Enable the VLANs on the system. Run:
switch (config)# vlan 10
switch (config vlan 10) # exit
switch (config)# vlan 20
switch (config vlan 20) # exit
switch (config)# vlan 50
switch (config vlan 50) # exit

Step 3. Configure the switch ports to accept only the VLANs of which they are part. Run:
switch (config)# interface ethernet 1/1 switchport access vlan 10 // port2
switch (config)# interface ethernet 1/2 switchport access vlan 50 // port8
switch (config)# interface ethernet 1/36 switchport access vlan 20 // port5

Step 4. Disable spanning tree. Run:
switch (config)# no spanning-tree

Step 5. Enable IP routing. Run:
switch (config)# ip routing

Step 6. Enable forwarding IPv6 unicast packets. Run:
switch (config)# ipv6 routing

Step 7. Configure the VLAN interfaces. Run:
switch (config)# interface vlan 10
switch (config interface vlan 10) # exit
switch (config)# interface vlan 20
switch (config interface vlan 20) # exit
switch (config)# interface vlan 50
switch (config interface vlan 50) # exit

Step 8. Enable IPv6 on the VLAN interfaces. Run:
switch (config)# interface vlan 10 ipv6 enable
switch (config)# interface vlan 20 ipv6 enable
switch (config)# interface vlan 50 ipv6 enable

Step 9. Configure IPv6 addresses for each one of the VLAN interfaces. Run:
switch (config)# interface vlan 10 ipv6 address 2101:db01::2 /64
switch (config)# interface vlan 20 ipv6 address 2102:db01::1 /64
switch (config)# interface vlan 50 ipv6 address 2105:db01::2 /64

Step 10. Configure IPv6 unicast. Run:
switch (config)# ipv6 route 2103:db01:: /64 2101:db01::1

Step 11. Configure IPv6 unicast. Run:
switch (config)# ipv6 route 2103:db01:: /64 2105:db01::1


Ping neighbor to verify IPv6 configuration:

switch (config)# ping6 2101:db01::2

PING 2101:db01::2(2101:db01::2) 56 data bytes

64 bytes from 2101:db01::2: icmp_seq=1 ttl=64 time=0.371 ms

64 bytes from 2101:db01::2: icmp_seq=2 ttl=64 time=0.620 ms

64 bytes from 2101:db01::2: icmp_seq=3 ttl=64 time=0.192 ms

64 bytes from 2101:db01::2: icmp_seq=4 ttl=64 time=0.277 ms

64 bytes from 2101:db01::2: icmp_seq=5 ttl=64 time=0.231 ms


6.2.3 Commands

ipv6 enable

ipv6 enable
no ipv6 enable

Assigns automatic local IPv6 address to the interface.
The no form of the command deassigns that automatic local address and disables IPv6 if no static IPv6 address has been assigned to the interface.

Syntax Description N/A

Default Unassigned

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 enable

Related Commands

Note
• Assigning an IPv6 address to an interface also enables IPv6 processing on the interface
• IPv6 must be enabled globally before running this command per interface. The command “ipv6 enable” on page 153 must be configured.


ipv6 address

ipv6 address <ipv6-address> /<length>
no ipv6 address <ipv6-address> [/<length>]

Enables IPv6 processing and assigns an IPv6 address to the interface.
The no form of the command removes the specified IPv6 address.

Syntax Description
ipv6-address    IPv6 address. Format: a:b:c:d:e:f:g:h.
length          Mask length for the associated address space. Range: 1-128.

Default N/A

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 address fe80:ac10::fa01:0202 /120
switch (config vlan 10) # ipv6 address fe80:ac10::fa01:0202/120

Related Commands

Note
• An interface can have up to 16 IPv6 address assignments
• If the no command does not include a specific address, all address assignments are removed from the interface
• The mask length may be configured without a space (i.e. <ipv6-address>/<length>)


ipv6 nd managed-config-flag

ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag

Sets the managed address configuration flag in IPv6 router advertisements.
The no form of the command restores the default setting.

Syntax Description N/A

Default Managed address configuration flag is not set

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd managed-config-flag

Related Commands

Note


ipv6 nd ns-interval

ipv6 nd ns-interval <period>
no ipv6 nd ns-interval

Configures the interval between IPv6 neighbor solicitation (NS) transmissions.
The no form of the command restores the default value.

Syntax Description
period    In milliseconds. Range: 1000-4294967295.

Default 1000 milliseconds

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd ns-interval 1500

Related Commands

Note


ipv6 nd other-config-flag

ipv6 nd other-config-flag
no ipv6 nd other-config-flag

Indicates that other configuration information is available via DHCPv6.
The no form of the command removes the other configuration flag.

Syntax Description N/A

Default Not set

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd other-config-flag

Related Commands

Note


ipv6 nd prefix

ipv6 nd prefix <ipv6-address> /<length> [no-advertise] [no-autoconfig] [no-onlink] [valid-time {<time> | infinite}] [preferred-time {<time> | infinite}]
no ipv6 nd prefix <prefix>

Configures inclusion for router advertisements (RAs) for neighbor.
The no form of the command removes the corresponding IPv6 nd prefix.

Syntax Description
ipv6-address      IPv6 address. Format: a:b:c:d:e:f:g:h.
length            Prefix length for the associated address space. Range: 1-128.
no-advertise      Prevents advertising of the specified prefix.
valid-time        Time in seconds. Range: 0-4294967295. The value “infinite” is the same as the maximum value possible.
preferred-time    Time in seconds. Range: 0-4294967295. The value “infinite” is the same as the maximum value possible.
no-autoconfig     Indicates that this prefix can be used for stateless address configuration
no-onlink         Indicates that this prefix can be used for on-link determination

Default
valid-time: 2592000 seconds
preferred-time: 604800 seconds
no-autoconfig: autoconfig enabled
no-onlink: Set

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd prefix fe80:ac10::fa01:0202 /120

Related Commands

Note Valid time must be larger than preferred time


ipv6 nd ra dns-servers lifetime

ipv6 nd ra dns-servers lifetime {<time> | infinite}
no ipv6 nd ra dns-servers lifetime

Sets the default value for the lifetime of any recursive DNS server (RDNSS) configured on the interface.
The no form of the command removes the lifetime value.

Syntax Description
time        Possible values:
            • 0 – RDNSS configured on the command mode interface without a custom lifetime value must not be used
            • 1-4294967295 – in seconds
infinite    Equivalent to 4294967295.

Default If no lifetime period is configured on the interface, the default value is 1.5 times the maximum RA interval set by the command “ipv6 nd ra interval”.

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd ra dns-servers lifetime infinite

Related Commands

Note
• A lifetime value set for an individual RDNSS overrides this value.
• The lifetime value is the maximum amount of time after a router advertisement packet is sent that the RDNSS referenced in the packet may be used for name resolution.


ipv6 nd ra dns-server

ipv6 nd ra dns-server <ip-address> [lifetime [<time> | infinite]]
no ipv6 nd ra dns-server [<ip-address>]

Configures the IPv6 address of a preferred recursive DNS server (RDNSS) to include in the neighbor-discovery router advertisements (RAs).
The no form of the command removes the RDNSS from the configuration.

Syntax Description
ip-address    IP address of RDNSS
lifetime      Maximum lifetime value for the specified RDNSS entry. Possible values:
              • 0 – RDNSS address must no longer be used
              • 1-4294967295 in seconds
infinite      Equivalent to 4294967295 seconds.

Default If no lifetime period is configured on the interface, the default value is 1.5 times the maximum RA interval set by the command “ipv6 nd ra interval”.

Configuration Mode
Config Interface VLAN
Config Interface Loopback
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example
switch (config vlan 10) # ipv6 nd ra dns-server fe80:ac10::fa01:0202 lifetime infinite

Related Commands

Note
• Including RDNSS information in RAs provides DNS server configuration for connected IPv6 hosts without requiring DHCPv6
• Multiple servers can be configured on the interface by using the command repeatedly
• A lifetime value for the RDNSS can optionally be specified with this command, and overrides any default value configured for the interface using the ipv6 nd ra dns-servers lifetime command
• Lifetime must be configured according to the following:
  MaxRtrAdvInterval <= lifetime <= 2*MaxRtrAdvInterval; where MaxRtrAdvInterval is the maximum RA interval

Mellanox Technologies Confidential 777

Rev 4.20

ipv6 nd ra dns-suffix

ipv6 nd ra dns-suffix <domain-name> [lifetime {<time> | infinite}]

no ipv6 nd ra dns-suffix [<domain-name>]

Creates a DNS search list (DNSSL), as defined in RFC 6106, to include in the neighbor-discovery router advertisements (RAs).

The no form of the command resets the value of this parameter to its default.

Syntax Description

domain-name Domain suffix for IPv6 hosts to append to short unqualified domain names for DNS queries.

The suffix must contain only alphanumeric characters, “.” (periods), “-” (hyphens), and must begin and end with an alphanumeric character.

lifetime time Sets the maximum time, in seconds (relative to the time the packet is sent), over which this DNSSL domain name MAY be used for name resolution.

Lifetime must be bounded as follows:

MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval

Possible values:

• 0 – DNSSL must not be used for name resolution

• 1-4294967295 – in seconds

infinite A value of all one bits (0xffffffff) equivalent to 4294967295.

Default The value configured in the command “ipv6 nd ra dns-server”.

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra dns-suffix example lifetime infinite

Related Commands

Note • The DNSSL contains the domain names of DNS suffixes for IPv6 hosts to append to short, unqualified domain names for DNS queries

• Multiple DNS domain names can be added to the DNSSL by reusing the command

• A lifetime value for the DNSSL can optionally be specified with this command which overrides any default value configured for the interface using the command “ipv6 nd ra dns-suffixes lifetime”

ipv6 nd ra dns-suffixes lifetime

ipv6 nd ra dns-suffixes lifetime {<time> | infinite}

no ipv6 nd ra dns-suffixes lifetime

Creates a DNS search list (DNSSL), as defined in RFC 6106, to include in the neighbor-discovery router advertisements (RAs).

The no form of the command resets the value of this parameter to its default.

Syntax Description

domain-name Domain suffix for IPv6 hosts to append to short unqualified domain names for DNS queries.

The suffix must contain only alphanumeric characters, “.” (periods), “-” (hyphens), and must begin and end with an alphanumeric character.

time Possible values:

• 0 – DNSSL must not be used for name resolution if no custom value is configured

• 1-4294967295 – in seconds

infinite Equivalent to 4294967295.

Default 1.5 times the RA interval configured on the interface

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra dns-suffix example lifetime infinite

Related Commands

Note • The DNSSL contains the domain names of DNS suffixes for IPv6 hosts to append to short, unqualified domain names for DNS queries

• Multiple DNS domain names can be added to the DNSSL by reusing the command

ipv6 nd ra hop-limit

ipv6 nd ra hop-limit <limit>

no ipv6 nd ra hop-limit

Sets a suggested hop-limit value to be included in router advertisement (RA) packets.

The no form of the command resets the parameter to its default value.

Syntax Description

limit The hop-limit value to be included by attached hosts in outgoing packets.

• 0 – unspecified (by this router)

• 1-255 – number of hops

Default Limit value is 64

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra hop-limit 70

Related Commands

Note

ipv6 nd ra interval max-period

ipv6 nd ra interval max-period <time> [min-period <time>]

no ipv6 nd ra interval

Configures the interval between IPv6 router advertisement (RA) transmissions.

The no form of the command resets the parameter to its default value.

Syntax Description

time Maximum interval between successive IPv6 router advertisement transmissions. Range: 4-1800 seconds.

min-period Minimum interval between successive IPv6 router advertisement transmissions.

• No parameter: Default is used

• 4-1800: Valid range when scale is set to seconds.

Default max-period: 600 seconds

min-period: See Note

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra interval max-period 600

Related Commands

Note • The min-period must be 0.33 * <max-period> if <max-period> is >= 9 seconds; otherwise, the default is MaxRtrAdvInterval

• The parameter min-period must be no less than 3 seconds and no greater than 0.75*max-period

ipv6 nd ra lifetime

ipv6 nd ra lifetime <time>

no ipv6 nd ra lifetime

Configures the value that the switch places in the router lifetime field of IPv6 router advertisements (RAs).

The no form of the command resets the parameter to its default value.

Syntax Description

time The router lifetime specifies the period that the router can be considered as a default router by RA recipients in seconds.

• 0 – the router should not be considered a default router on this interface

• 1-9000 – lifetime period advertised in RAs should not be less than the max router advertisement interval

Default 3*<max router advertisement interval>

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra lifetime 300

Related Commands

Note

ipv6 nd ra mtu suppress

ipv6 nd ra mtu suppress

no ipv6 nd ra mtu suppress

Suppresses the router advertisement (RA) MTU option to ensure that all nodes on a link use the same MTU value.

The no form of the command restores the MTU option to enabled.

Syntax Description N/A

Default Suppressed

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra mtu suppress

Related Commands

Note If not suppressed, MTU of the interface is advertised.

ipv6 nd ra suppress

ipv6 nd ra suppress [all]

no ipv6 nd ra suppress

Suppresses periodic IPv6 router advertisement (RA) transmissions.

The no form of the command restores the transmission of RAs.

Syntax Description

all Configures the switch to suppress all RAs, including those responding to a router solicitation.

Default Only unsolicited RAs transmitted periodically are suppressed

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd ra suppress all

Related Commands

Note

ipv6 nd reachable-time

ipv6 nd reachable-time <time>

no ipv6 nd reachable-time

Sets the time period the switch includes in the reachable time field of out-going advertisements (RAs).

The no form of the command resets the parameter to its default value.

Syntax Description

time In milliseconds; the reachable time defines the period that a node assumes a neighbor is reachable after having received a reachability confirmation. Range: 0-3600000 where “0” means unspecified by this router.

Default 0 (unspecified)

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd reachable-time 30000

Related Commands

Note • RAs that advertise zero seconds indicate that the router does not specify a reachable time

• The default value to use for calculating neighbor reachability time is 30 seconds

ipv6 nd router-preference

ipv6 nd router-preference {high | medium | low}

no ipv6 nd router-preference

Sets the value the switch enters in the default router preference (DRP) field of router advertisements (RAs) it sends.

The no form of the command resets the parameter to its default value.

Syntax Description N/A

Default Medium

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd router-preference high

Related Commands

Note • IPv6 hosts maintain a default router list from which to select a router for traffic to off-link destinations. The router’s address is then saved in the destination cache. The neighbor discovery protocol (NDP) prefers routers that are reachable or probably reachable over routers whose reachability is unknown or suspect. For reachable or probably reachable routers, NDP can either select the same router every time or cycle through the router list. DRP values specify a host’s preferred router.

• If router lifetime is zero, preference value must be medium
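The RA commands above state several cross-parameter bounds (min-period against max-period, router lifetime against the RA interval, RDNSS/DNSSL lifetime between MaxRtrAdvInterval and 2*MaxRtrAdvInterval, medium preference when the router lifetime is zero, and the DNS suffix character rule). The following is an added example, not part of the manual or of MLNX-OS: a small offline checker that applies those stated bounds to one interface's command lines before they are pushed to a switch. The function and rule names are hypothetical and the sample commands are constructed.

```python
import re

INFINITE = 4294967295      # value the manual gives for the "infinite" keyword
DEFAULT_MAX_PERIOD = 600   # manual default for max-period, in seconds
SUFFIX_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")

# Constructed sample: one interface's commands, several of them out of bounds.
SAMPLE = [
    "switch (config vlan 10) # ipv6 nd ra interval max-period 600 min-period 500",
    "switch (config vlan 10) # ipv6 nd ra lifetime 0",
    "switch (config vlan 10) # ipv6 nd router-preference high",
    "switch (config vlan 10) # ipv6 nd ra dns-server fe80:ac10::fa01:0202 lifetime infinite",
    "switch (config vlan 10) # ipv6 nd ra dns-server 2001:db8::53 lifetime 900",
    "switch (config vlan 10) # ipv6 nd ra dns-suffix -corp.example lifetime 1200",
    "switch (config vlan 10) # ipv6 nd ra hop-limit 70",
]


def _secs(token):
    return INFINITE if token == "infinite" else int(token)


def lint_ra_config(lines):
    """Check one interface's 'ipv6 nd' commands; return [(rule, message), ...]."""
    max_p, min_p, router_life, pref, hop = DEFAULT_MAX_PERIOD, None, None, "medium", None
    dns_items, suffixes = [], []

    # Pass 1: collect settings first, so command order does not matter.
    for raw in lines:
        t = raw.split("#", 1)[-1].split()      # drop a "switch (...) #" prompt
        if t[:2] != ["ipv6", "nd"]:
            continue
        if t[2:3] == ["router-preference"] and len(t) == 4:
            pref = t[3]
            continue
        if t[2:3] != ["ra"] or len(t) < 5:
            continue
        cmd, args = t[3], t[4:]
        if cmd == "interval" and args[0] == "max-period" and len(args) >= 2:
            max_p = int(args[1])
            if "min-period" in args[2:-1]:
                min_p = int(args[args.index("min-period") + 1])
        elif cmd == "lifetime":
            router_life = int(args[0])
        elif cmd == "hop-limit":
            hop = int(args[0])
        elif cmd in ("dns-server", "dns-suffix"):
            explicit = args[1:2] == ["lifetime"] and len(args) > 2
            dns_items.append((f"{cmd} {args[0]}", _secs(args[2]) if explicit else None))
            if cmd == "dns-suffix":
                suffixes.append(args[0])

    # Pass 2: apply the bounds stated in the command descriptions and notes.
    out = []
    if not 4 <= max_p <= 1800:
        out.append(("max-period", f"max-period {max_p} is outside 4-1800 s"))
    if min_p is not None and not 3 <= min_p <= 0.75 * max_p:
        out.append(("min-period", f"min-period {min_p} must be 3..{0.75 * max_p:g} s"))
    life = 3 * max_p if router_life is None else router_life   # manual default
    if life != 0 and not max_p <= life <= 9000:
        out.append(("router-lifetime", f"router lifetime {life} must be {max_p}..9000 s"))
    if life == 0 and pref != "medium":
        out.append(("router-preference", f"lifetime 0 requires medium, found {pref}"))
    if hop is not None and not 0 <= hop <= 255:
        out.append(("hop-limit", f"hop-limit {hop} is outside 0-255"))
    for label, lifetime in dns_items:
        # 0 withdraws the entry; None means the interface default applies.
        if lifetime not in (None, 0) and not max_p <= lifetime <= 2 * max_p:
            out.append(("dns-lifetime",
                        f"{label}: lifetime {lifetime} must be {max_p}..{2 * max_p} s"))
    for name in suffixes:
        if not SUFFIX_RE.fullmatch(name):
            out.append(("dns-suffix", f"suffix {name!r} has an invalid character or edge"))
    return out


if __name__ == "__main__":
    for rule, message in lint_ra_config(SAMPLE):
        print(f"{rule}: {message}")
```

Note that "lifetime infinite", as used in the manual's own examples, falls outside the stated MaxRtrAdvInterval..2*MaxRtrAdvInterval bound and is reported.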


ipv6 nd retrans-timer

ipv6 nd retrans-timer <time>

no ipv6 nd retrans-timer

Advertises the time between neighbor solicitation (NS) messages in ICMPv6 router advertisement messages.

The no form of the command resets the parameter to its default value.

Syntax Description

time In milliseconds; the time between retransmitted neighbor solicitation messages. Possible values:

• 0 – unspecified

• Range – 1000-4294967295

Default 0 (unspecified)

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd retrans-timer

Related Commands

Note

ipv6 nd dad attempts

ipv6 nd dad attempts <number>

no ipv6 nd dad attempts

Sets the number of consecutive neighbor solicitation messages sent for duplicate address detection (DAD) validation.

The no form of the command resets the value to its default.

Syntax Description

number Number of attempts:

• 0 – DAD is not performed

• Valid range: 1-1000

Default 1

Configuration Mode Config Interface VLAN

Config Interface Loopback

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 nd dad attempts 10

Related Commands

Note

ipv6 neighbor

ipv6 neighbor <ipv6-addr> {ethernet <port> | port-channel <port-channel> | vlan <vlan-id>} <mac_addr>

no ipv6 neighbor <ipv6-addr> [{ethernet <port> | port-channel <port-channel> | vlan <vlan-id>}]

Creates an IPv6 neighbor discovery cache static entry.

The no form of the command removes the specified static entry from the IPv6 neighbor discovery cache.

Syntax Description

ipv6-addr IPv6 address

ethernet <port> Ethernet port. Format <slot>/<port>.

vlan <vlan-id> VLAN ID

Default N/A

Configuration Mode Config

History 3.4.1100

Role admin

Example switch (config vlan 10) # ipv6 neighbor 2001:db01::1 vlan 10 4:4:4:4:4:4

Related Commands

Note This command does not affect any dynamic entries in the cache.

clear ipv6 neighbors

clear ipv6 neighbors [ethernet <port> | port-channel <port-channel> | vlan <vlan-id>] [<ipv6-addr>]

Removes the specified dynamic IPv6 neighbor discovery cache entries.

Syntax Description

ethernet Ethernet port. Format: <slot>/<port>.

vlan VLAN interface

ipv6-addr IPv6 address

Default N/A

Configuration Mode Config

History 3.4.1100

Role admin

Example switch (config) # clear ipv6 neighbors ethernet 1/4

Related Commands

Note • Commands that do not specify an IPv6 address remove all dynamic entries for the listed interface

• Commands that do not specify an interface remove all dynamic entries

See the command “clear ipv6 neighbors” on page 148

ipv6 route

ipv6 route <ipv6-address> /<length> <next-hop> [<distance>]

no ipv6 route <ipv6-address> /<length> [next-hop]

Creates an IPv6 static route.

The no form of the command deletes static routes.

Syntax Description

ipv6-address IPv6 address. Format: a:b:c:d:e:f:g:h.

length Prefix length for the associated address space. Range: 1-128.

next-hop IPv6 address of the next-hop

distance Administrative distance assigned to route. Options include:

• No parameter – route is assigned a default administrative distance of 1

• 1-255 – the administrative distance assigned to route

Default No distance parameter indicated: Administrative distance of 1

Configuration Mode Config

History 3.4.1100

Role admin

Example switch (config) # ipv6 route 3003:db01:: /64 2001:db01::1

switch (config) #

Related Commands

Note • Static routes have a default administrative distance of 1

• Assigning a higher administrative distance to a static route configures it to be overridden by dynamic routing data.

• Multiple routes which are configured to the same destination with the same administrative distance comprise an Equal Cost Multi-Path (ECMP) route

• A no command not including a source deletes all statements to the destination

ipv6 routing

ipv6 routing

no ipv6 routing

Enables forwarding IPv6 unicast packets.

The no form of the command disables IPv6 unicast routing.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.4.1100

Role admin

Example switch (config) # ipv6 routing

Related Commands

Note • When routing is enabled, the switch attempts to deliver inbound packets to destination addresses by forwarding them to interfaces or next hop addresses specified by the IPv6 routing table

show ipv6 interface

show ipv6 interface [{{ethernet <port> | port-channel <port-channel> | vlan <vlan-id>}}| brief]

Displays the status of specified routed interfaces that are configured for IPv6.

Syntax Description

ethernet <port> Displays output pertaining to the specified Ethernet interface

port-channel <port-channel> Displays output pertaining to the specified LAG interface

vlan <vlan-id> Displays output pertaining to the specified VLAN interface

brief Shows basic IPv6 information regarding all IPv6 interfaces

Default N/A

Configuration Mode Any Command Mode

History 3.4.1100

Role admin

Example switch (config) # show ipv6 interface

Vlan10 is Enabled , line protocol is UP

IPv6 : Enabled

Link-local address : fe80::f652:14ff:fe2d:9808

Global Unicast Addresses :

2001:db01::2 /64

Joined Group Addresses :

ff02::1

ff02::2

ff02::1:ff2d:9808

MTU : 1500 bytes

ICMP error messages limited to every milliseconds : 100

ICMP redirects : enabled

ND DAD : enabled

Number of DAD attempts : 1

ND reachable time (milliseconds) : 30000

ND advertised retransmit interval (milliseconds) : 0

ND router advertisements maximum interval (seconds) : 600

ND router advertisements minimum interval (seconds) : 198

ND router advertisements managed configuration flag : unset

ND router advertisements other configuration flag : unset

ND solicited router advertisement : suppressed

ND router advertisements lifetime (seconds) : 1800

ND advertised default router preference : medium

ND router advertisements hop-limit : 64

switch (config) #

Related Commands

Note

show ipv6 neighbors

show ipv6 neighbors [{ethernet <port> | port-channel <port-channel> | vlan <vlan-id>} | <ipv6-addr> | summary]

Displays IPv6 neighbor discovery (ND) cache information.

Syntax Description

ethernet <port> Shows output pertaining to the specified Ethernet interface.

vlan <vlan-id> Shows output pertaining to the specified VLAN interface.

ipv6-addr IPv6 address of individual neighbor

Default N/A

Configuration Mode Any Command Mode

History 3.4.1100

Role admin

Example switch (config) # show ipv6 route

IPv6 Address             MAC Address       State      Interf

------------------------ ----------------- ---------- ------

2001:db01::1             f4:52:14:2d:98:88 Reachable  vlan10

switch (config) #

Related Commands

Note

show ipv6 route

show ipv6 route [<ipv6-addr> <prefix>] [connected | static | summary]

Displays IPv6 neighbor discovery (ND) cache information.

Syntax Description

ipv6-addr Filters routes by IPv6 address or prefix

longer-prefixes Displays output for longer prefix entries

connected Displays entries for routes to networks directly connected to the switch

static Displays entries added through CLI commands

summary Displays the current contents of the IPv6 routing table in summary format

Default N/A

Configuration Mode Any Command Mode

History 3.4.1100

Role admin

Example switch (config) # show ipv6 route

Destination  Mask  Gateway       Interface  Source     Distance/Metric

fe80::       64    ::            mgmt0      Connected  256/1

fe80::       64    ::            mgmt1      Connected  256/1

2001:db01::  64    ::            vlan10     Connected  1/1

3003:db01::  64    2001:db01::1  vlan10     Static     1/20

switch (config) #

Related Commands

Note

6.3 OSPF

Open Shortest Path First (OSPF) is a link-state routing protocol for IP networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS).

OSPF-speaking routers send Hello packets to all OSPF-enabled IP interfaces. If two routers sharing a common data link agree on certain parameters specified in their respective Hello packets, they become neighbors.

Adjacencies, which can be thought of as virtual point-to-point links, are formed between some neighbors. OSPF defines several network types and several router types. The establishment of an adjacency is determined by the types of routers exchanging Hellos and the type of network over which the Hello packets are exchanged.

Each router sends link-state advertisements (LSAs) over all adjacencies. The LSAs describe all of the router’s links, or interfaces, the router's neighbors, and the state of the links. These links might be to stub networks (those without another router attached), to other OSPF routers, to networks in other areas, or to external networks (those learned from another routing process).

Because of the varying types of link-state information, OSPF defines multiple LSA types.

Each router receiving an LSA from a neighbor records the LSA in its link-state database and sends a copy of the LSA to all of its other neighbors. By flooding LSAs throughout an area, all routers will build identical link-state databases.

When the databases are complete, each router uses the SPF algorithm to calculate a loop-free graph describing the shortest (lowest cost) path to every known destination, with itself as the root.

When all link-state information has been flooded to all routers in an area, and neighbors have verified that their databases are identical, it means the link-state databases have been synchronized and the route tables have been built. Hello packets are exchanged between neighbors as keepalives, and LSAs are retransmitted. If the network topology is stable, no other activity should occur.

For OSPF network design over Mellanox L2 VMS, please refer to Mellanox Virtual Modular Switch Reference Guide.

6.3.1 Router ID

The router ID is a 32-bit number assigned to the router running the OSPF protocol. This number uniquely identifies the router within an Autonomous System.

The router ID can be configured statically. If it is not configured, the default election is as follows:

• If a loopback interface already exists, the router ID takes the loopback IP address;

• Otherwise, the lowest IP address is elected as router ID

6.3.2 ECMP

Equal-cost multi-path (ECMP) routing is a routing strategy where next-hop packet forwarding to a single destination can occur over multiple paths. The OSPF link-state routing algorithm can find multiple routes to the same destination; all of them are added to the routing table only if they are equal-cost routes.

In case there are several routes with different cost, only the route with the lowest cost is selected.

In case there are multiple routes with the same lowest cost, all of them are used (up to a maximum of 64 ECMP routes).

ECMP is not configurable but is enabled by default for OSPF.

6.3.3 Configuring OSPF

Figure 30: OSPF Basic Topology

The following configuration example refers to Router 2 in Figure 30. The remainder of the routers in the figure are configured similarly.

It is recommended to disable STP before enabling OSPF. Use the command no spanning-tree.

Precondition steps:

Step 1. Make sure an L3 license is installed. For a list of the available licenses see Section 2.4, “Licenses,” on page 40.

Step 2. Enable IP routing functionality. Run:

switch (config)# ip routing

Step 3. Enable the desired VLAN. Run:

switch (config)# vlan 10

switch (config)# vlan 20

Step 4. Add this VLAN to the desired interface. Run:

switch (config)# interface ethernet 1/1

switch (config ethernet 1/1)# switchport access vlan 10

switch (config ethernet 1/1)# exit

switch (config)# interface ethernet 1/2

switch (config ethernet 1/2)# switchport access vlan 20

Step 5. Create a VLAN interface. Run:

switch (config)# interface vlan 10

Step 6. Apply IP address to the VLAN interface. Run:

switch (config interface vlan 10)# ip address 10.10.10.2 /16

Step 7. Enable the interface. Run:

switch (config interface vlan 10)# no shutdown

Step 8. Create a second VLAN interface. Run:

switch (config)# interface vlan 20

Step 9. Apply IP address to the second VLAN interface. Run:

switch (config interface vlan 20)# ip address 10.10.20.2 /16

Step 10. Enable the second interface. Run:

switch (config interface vlan 20)# no shutdown

Basic OSPF Configuration:

Step 1. To enable OSPF configuration run:

switch (config)# protocol ospf

Step 2. To create a router OSPF instance run:

switch (config)# router ospf

Only one instance of OSPF is supported.

Step 3. Associate the VLAN interfaces to the OSPF area. Area 0 is the backbone area. Run:

switch (config interface vlan 10)# ip ospf area 0

switch (config interface vlan 10)# exit

switch (config)# interface vlan 20

switch (config interface vlan 20)# ip ospf area 0

6.3.4 Verifying OSPF

To verify OSPF configuration and status:

Step 1. Verify OSPF configuration and status. Run:

switch (config) # show ip ospf

Routing Process 1 with ID 10.10.10.10 vrf-default

Stateful High Availability disabled

Graceful-restart is not supported

Supports only single TOS (TOS 0) route

Opaque LSA not supported

OSPF Admin State is enabled


Redistributing External Routes: Disabled

Administrative distance 110

Reference Bandwidth is 40Gb

Initial SPF schedule delay 1 msecs

SPF Hold time 10 msecs

Maximum paths to destination 64

Router is not originating router LSA with maximum metric

Condition: Always

Number of external LSAs 0, checksum sum 0

Number of opaque AS LSAs 0,checksum sum 0

Number of areas is 1, 1 normal, 0 stub, 0 nssa

Number of active areas is 1, 1 normal, 0 stub, 0 nssa

Area (0.0.0.0) (Active)

Interfaces in this area: 2 Active Interfaces: 2

Passive Interfaces: 0

SPF Calculation has run 5 times

This area is Normal area

Number of LSAs: 1, checksum sum 7700

switch (config) #

Step 2. Verify the OSPF neighbors status. Make sure that each neighbor reaches FULL state with its peer to enable it to take part in all dynamic routing changes in the network. Run:

switch (config) # show ip ospf neighbors

Neighbor 10.10.10.1, interface address 10.10.10.2

In the area 0.0.0.0 via interface Vlan 10

Neighbor priority is 1, State is FULL

BDR is 10.10.10.1

Options 0

Dead timer due in 35

Neighbor 10.10.20.1, interface address 10.10.20.2

In the area 0.0.0.0 via interface Vlan 20

Neighbor priority is 1, State is FULL

BDR is 10.10.20.1

Options 0

Dead timer due in 35

switch (config) #

Step 3. Verify the OSPF interface configuration and status. Run:

switch (config) # show ip ospf interface

Interface Vlan is 10 Enabled, line protocol is Down

IP address 10.10.10.2, Mask 255.255.0.0

Process ID 1 VRF Default, Area 0.0.0.0

OSPF Interface Admin State is enabled

State DOWN, Network Type BROADCAST, Cost 1

Transmit delay 1 sec, Router Priority 1

No designated router on this network

No backup designated router on this network

Timer intervals (sec's): Hello 10, Dead 40, Wait 40, Retransmit 5

No authentication

Number of opaque link LSAs: 0, checksum sum 0

Interface Vlan is 20 Enabled, line protocol is Up

IP address 10.10.20.2, Mask 255.255.0.0

Process ID 1 VRF Default, Area 0.0.0.0

OSPF Interface Admin State is enabled

State DESIGNATED ROUTER, Network Type BROADCAST, Cost 1

Transmit delay 1 sec, Router Priority 1

No designated router on this network

No backup designated router on this network

Timer intervals (sec's): Hello 10, Dead 40, Wait 40, Retransmit 5

No authentication

Number of opaque link LSAs: 0, checksum sum 0

switch (config) #
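The verification steps above are read by eye. The following is an added example, not part of the manual or of MLNX-OS, that turns them into a repeatable check: it parses the output of show ip ospf interface and show ip ospf neighbors as laid out in this section and reports interfaces that print "No authentication" (an OSPF interface without authentication accepts Hellos and LSAs from any device on the segment), interfaces that are down, and neighbors that have not reached FULL. The function names are hypothetical; the interface text is trimmed from the output above, and the INIT state of the second neighbor is constructed to show a failing case.

```python
import re

# Trimmed from the "show ip ospf interface" example output in this section.
IFACE_OUT = """\
Interface Vlan is 10 Enabled, line protocol is Down
IP address 10.10.10.2, Mask 255.255.0.0
State DOWN, Network Type BROADCAST, Cost 1
Timer intervals (sec's): Hello 10, Dead 40, Wait 40, Retransmit 5
No authentication
Interface Vlan is 20 Enabled, line protocol is Up
IP address 10.10.20.2, Mask 255.255.0.0
State DESIGNATED ROUTER, Network Type BROADCAST, Cost 1
Timer intervals (sec's): Hello 10, Dead 40, Wait 40, Retransmit 5
No authentication
"""

# Based on the "show ip ospf neighbors" example; the INIT state is constructed.
NEIGH_OUT = """\
Neighbor 10.10.10.1, interface address 10.10.10.2
In the area 0.0.0.0 via interface Vlan 10
Neighbor priority is 1, State is FULL
Neighbor 10.10.20.1, interface address 10.10.20.2
In the area 0.0.0.0 via interface Vlan 20
Neighbor priority is 1, State is INIT
"""


def parse_interfaces(text):
    """Split 'show ip ospf interface' output into one dict per interface."""
    ifaces, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Interface\s+(.+?),\s*line protocol is (\w+)", line)
        if m:
            # Header reads "Vlan is 10 Enabled" in the manual; keep "Vlan 10".
            name = " ".join(w for w in m.group(1).split() if w not in ("is", "Enabled"))
            cur = {"name": name, "line": m.group(2).upper(), "ip": None,
                   "state": None, "hello": None, "dead": None, "auth": None}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        if (m := re.match(r"IP address (\S+),", line)):
            cur["ip"] = m.group(1)
        elif (m := re.match(r"State (.+?), Network Type", line)):
            cur["state"] = m.group(1)
        elif (m := re.match(r"Timer intervals.*?Hello (\d+), Dead (\d+)", line)):
            cur["hello"], cur["dead"] = int(m.group(1)), int(m.group(2))
        elif line == "No authentication":
            cur["auth"] = False      # None stays "line not seen", not "secured"
    return ifaces


def parse_neighbors(text):
    """Split 'show ip ospf neighbors' output into one dict per neighbor."""
    neighbors, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.match(r"Neighbor (\S+), interface address (\S+)", line)):
            cur = {"id": m.group(1), "local": m.group(2), "state": None}
            neighbors.append(cur)
        elif cur is not None and (m := re.search(r"State is (\w+)", line)):
            cur["state"] = m.group(1)
    return neighbors


def audit(iface_text, neigh_text):
    """Return [(subject, finding), ...] for the three checks described above."""
    findings = []
    for i in parse_interfaces(iface_text):
        if i["auth"] is False:
            findings.append((i["name"], "no-auth"))
        if i["line"] != "UP" or i["state"] == "DOWN":
            findings.append((i["name"], "iface-down"))
    for n in parse_neighbors(neigh_text):
        if n["state"] != "FULL":
            findings.append((n["id"], "neighbor-not-full"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(IFACE_OUT, NEIGH_OUT):
        print(f"{subject}: {finding}")
```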


6.3.5 Commands

6.3.5.1 Config

protocol ospf

protocol ospf

no protocol ospf

Enables Open Shortest Path First Protocol (OSPF), and unhides the related OSPF commands.

The no form of the command deletes the OSPF configuration and hides the OSPF related commands.

Syntax Description N/A

Default OSPF feature is disabled.

Configuration Mode Config

History 3.3.3500

Role admin

Example switch (config)# protocol ospf

Related Commands ip routing

Note

router ospf

router ospf

no router ospf

Enters router OSPF configuration mode, and creates the default OSPF instance if it does not exist.

The no form of the command deletes the OSPF instance.

Syntax Description N/A

Default No router OSPF is created.

Configuration Mode Config

History 3.3.3500

Role admin

Example switch (config)# router ospf

switch (config router ospf)#

Related Commands N/A

Note Only one OSPF instance is supported.

6.3.5.2 Config Router

router-id

router-id <ip-address>

no router-id

Sets Router ID for the OSPF instance.

The no form of the command causes automatic election of router ID by the router.

Syntax Description

ip-address The Router id in IP address format.

Default The router ID is a 32-bit number assigned to the router running the OSPF protocol.

This number uniquely identifies the router within an Autonomous System.

The router ID can be configured statically. If it is not configured, the default election is as follows:

• If a loopback interface already exists, the router ID takes the loopback IP address;

• Otherwise, the lowest IP address is elected as router ID.

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# router-id 10.10.10.10

Related Commands N/A

Note

shutdown

shutdown

no shutdown

Disables the OSPF instance.

The no form of the command enables the OSPF instance.

Syntax Description N/A

Default Enable (no shutdown)

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# shutdown

Related Commands N/A

Note

auto-cost reference-bandwidth

auto-cost reference-bandwidth <ref-bw>

no auto-cost reference-bandwidth

Configures reference-bandwidth in Gb/s (Default) or Mb/s.

The no form of the command resets this parameter to its default value.

Syntax Description

value Range: 1-4294

Default Gb/s

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# auto-cost reference-bandwidth

Related Commands N/A

Note

distance

distance <value>

no distance

Configures the OSPF route administrative distance.

The no form of the command resets this parameter to default.

Syntax Description

value OSPF administrative distance. Range is 1-255.

Default 110

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# distance 100

Related Commands N/A

Note

redistribute

redistribute {bgp | direct | static}

no redistribute {bgp | direct | static}

Imports routes from other routing protocols, as well as any statically configured routes, into OSPF.

The no form of the command disables the importing of the routes.

Syntax Description

direct Redistribute directly connected routes.

bgp Redistribute routes from BGP protocol.

static Redistribute static configured routes.

Default Disable (no redistribution)

Configuration Mode Config OSPF Router

History 3.2.1000

Role admin

Example switch (config router ospf)# redistribute direct

Related Commands N/A

Note Routes from multiple protocols can be imported in parallel.

timers throttle spf

timers throttle spf <spf-delay> <spf-hold>

no timers throttle spf

Sets the OSPF throttle SPF timers.

The no form of the command resets the timers to default.

Syntax Description

spf-delay The interval by which SPF calculations are delayed after a topology change reception. Range is 0-100 milliseconds.

spf-hold The minimum delay between two consecutive delay calculations. Range is 0-1000 milliseconds.

Default spf-delay: 1 millisecond

spf-hold: 10 milliseconds

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# timers throttle spf 100 1000

Related Commands N/A

Note

area default-cost

area <area-id> default-cost <cost>

no area <area-id> default-cost

Specifies cost for the default summary route sent into an OSPF stub or not-so-stubby area (NSSA).

The no form of the command sets the cost to the default value.

Syntax Description

area-id: OSPF area-id. Range is 0-4294967295.

cost: The cost for the default summary route. Range is 1-16777215.

Default The summary route cost is based on the area border router that generated the summary route.

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# area 0 default-cost 100

Related Commands N/A

Note Base cost for all calculation is 56GbE.

area range

area <area-id> range <ip-address> <prefix> [not-advertise]

no area <area-id> range <ip-address> <prefix> [not-advertise]

Consolidates and summarizes routes at an OSPF area boundary.

The no form of the command removes the ip-prefix range from summarization.

Syntax Description

area-id: OSPF area-ID. Range is 0-4294967295.

ip-address: IP Address.

not-advertise: Suppresses routes that match the specified IP address.

prefix: Network prefix (in the format of /24, or 255.255.255.0 for example).

Default Disabled

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# area 0 range 10.10.10.10 /24

Related Commands N/A

area stub

area <area-id> stub [no-summary]

no area <area-id> [stub [no-summary]]

Configures an area as an OSPF stub area (an area is created if non-existent).

The no form of the command removes the stub area configuration and changes the area to normal, or deletes the area (if stub is not used).

Syntax Description

area-id: OSPF area-ID. Range is 0-4294967295.

no-summary: Summary route will not be advertised into the stub area.

Default Summary route will be advertised.

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# area 0 stub

Related Commands N/A

area nssa

area <area-id> nssa [default-information-originate [metric <m-value>] [metric-type <m-type>]] [no-summary] [translate type7 always]

no area <area-id> nssa [default-information-originate] [no-summary] [translate type7 always]

Configures an area as an OSPF not-so-stubby (NSSA) area.

The no form of the command removes the NSSA area configuration and changes the area to default.

Syntax Description

area-id: OSPF area ID. Range is 0-4294967295.

default-information-originate: A default type7 LSA (Link State Advertisement) is generated into the NSSA area.

m-type: Metric type for OSPF. Range is 1-2.

m-value: Metric value for OSPF. Range is 1-65535.

no-summary: Summary route will not be advertised into the NSSA area.

translate type7 always: Type7 LSAs are translated to type5 LSAs (Link State Advertisements).

Default Default m-type: 2

Default m-value: 10

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# area 0 nssa

Related Commands N/A

Note An area can be either stub, NSSA or normal.

summary-address

summary-address <ip-address> <prefix> [not-advertise]

no summary-address <ip-address> <prefix> [not-advertise]

Creates aggregate addresses for the OSPF protocol.

The no form of the command disables the aggregation of the ip-address.

Syntax Description

ip-address: The summary IP address.

not-advertise: Suppresses routes that match the specified ip-address.

prefix: Network prefix (in the format of /24 or 255.255.255.0, for example).

Default N/A

Configuration Mode Config OSPF Router

History 3.3.3500

Role admin

Example switch (config router ospf)# summary-address 10.10.10.10 /24

Related Commands N/A

Note Maximum of 1500 summarized IP addresses can be configured.

6.3.5.3 Interface

ip ospf cost

ip ospf cost <cost>

no ip ospf cost <cost>

Sets the OSPF cost of sending a packet on this interface.

The no form of the command resets this parameter to default.

Syntax Description

cost: The Interface cost used by the OSPF. Range is 1-65535.

Default 1

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf cost 100

Related Commands N/A

ip ospf dead-interval

ip ospf dead-interval <seconds>

no ip ospf dead-interval

Configures the interval during which at least one Hello packet must be received from a neighbor before the router declares that neighbor as down.

The no form of the command resets this parameter to its default.

Syntax Description

seconds: The dead-interval timer, in seconds. Range is 1-65535.

Default 40

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf dead-interval 10

Related Commands N/A

Note The value must be the same for all nodes on the network.

ip ospf hello-interval

ip ospf hello-interval <seconds>

no ip ospf hello-interval

Configures the interval between Hello packets that OSPF sends on the interface.

The no form of the command resets this parameter to default.

Syntax Description

seconds: The Hello interval timer, in seconds. Range is 1-65535.

Default 10

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf hello-interval 20

Related Commands N/A

Note The value must be the same for all nodes on the network.

ip ospf priority

ip ospf priority <number>

no ip ospf priority

Configures the priority for this OSPF interface.

The no form of the command resets this parameter to default.

Syntax Description

number: The Interface priority used by the OSPF protocol. Range is 0-255.

Default 1

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf priority 100

Related Commands N/A

Note • Use the “ip ospf priority” command to set the router priority, which determines the designated router for this network. When two routers are attached to a network, both attempt to become the designated router.

• The router with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero cannot become the designated router or backup designated router.

ip ospf network

ip ospf network <type>

no ip ospf network

Sets the OSPF interface network type.

The no form of the command resets the interface network type to its default.

Syntax Description

type: The network type on this interface. The options are ‘broadcast’ or ‘point-to-point’.

Default broadcast

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf network point-to-point

Related Commands N/A

Note • The network type influences the behavior of the OSPF interface. An OSPF network type is usually broadcast, which uses OSPF multicasting capabilities. Under this network type, a designated router and backup designated router are elected. For point-to-point networks, there are only two neighbors and multicast is not required.

• All routers on the same network should have the same network type.

ip ospf retransmit-interval

ip ospf retransmit-interval <seconds>

no ip ospf retransmit-interval

Configures the time between OSPF link-state advertisement (LSA) retransmissions for adjacencies that belong to the interface.

The no form of the command resets this parameter to its default.

Syntax Description

seconds: The retransmit interval in seconds. Range is 0-3600.

Default 5

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf retransmit-interval 10

Related Commands N/A

ip ospf passive-interface

ip ospf passive-interface

no ip ospf passive-interface

Suppresses flooding of OSPF routing updates on an interface.

The no form of the command reverts the status to active OSPF interface.

Syntax Description N/A

Default Active interface (no ip ospf passive-interface)

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf passive-interface

Related Commands N/A

ip ospf transmit-delay

ip ospf transmit-delay <seconds>

no ip ospf transmit-delay

Sets the estimated time required to send an OSPF link-state update packet.

The no form of the command resets this parameter to its default.

Syntax Description

seconds: The transmit-delay interval in seconds. Range is 0-3600.

Default 1

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf transmit-delay 2

Related Commands N/A

ip ospf shutdown

ip ospf shutdown

no ip ospf shutdown

Disables the OSPF instance on the interface.

The no form of the command enables the OSPF on this interface.

Syntax Description N/A

Default Enabled (no shutdown)

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf shutdown

Related Commands N/A

ip ospf authentication

ip ospf authentication [message-digest]

no ip ospf authentication

Specifies the authentication type for OSPF.

The no form of the command disables the authentication.

Syntax Description

message-digest: Specifies that message-digest authentication (MD5) is used.

Default Disabled (no)

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf authentication

Related Commands N/A

Note • Without message-digest option, a simple password authentication will be used.

• Message-digest authentication can be enabled only if a key is configured.

ip ospf authentication-key

ip ospf authentication-key [<auth-type>] <password>

no ip ospf authentication-key

Assigns a password for simple password authentication for OSPF.

The no form of the command deletes the simple password authentication key.

Syntax Description

auth-type: The authentication type:

0 – unencrypted password

7 – MD5 key

password: Authentication password, an alphanumeric string of up to 8 characters.

Default Unencrypted password

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf authentication-key 0 mycleartextpassword

Related Commands N/A

Note • When selecting an encrypted password “7”, the user must input a password encrypted with an MD5 key.

• When selecting an unencrypted password “0”, the user must input a cleartext password. When the running-config is then examined, it shows the encrypted password.

ip ospf message-digest-key

ip ospf message-digest-key <key-id> md5 [auth-type] <key>

no ip ospf message-digest-key <key-id>

Sets the message digest key for MD5 authentication.

The no form of the command deletes the key for MD5 authentication.

Syntax Description

auth-type: The authentication type:

0 - Unencrypted password

7 - MD5 key

key: Authentication password, up to 8 alphanumeric string.

key-id: Alphanumeric password of up to 16 bytes.

Default Unencrypted (no)

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf message-digest-key mykeyid md5 7 mykey

Related Commands N/A

Note The user cannot delete the last key until authentication is disabled.
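The three authentication commands above combine into a small number of per-interface outcomes, which the following added example (not part of the manual) audits in Python. The configuration text is constructed for illustration; its one-command-per-line layout under an `interface` line, the key-id `1`, and the key placeholders are assumptions, not captured MLNX-OS running-config output.

```python
import re

# Constructed sample: interface-mode commands from this section, one per line
# under their "interface" line. The layout is an assumption of this example.
SAMPLE_CONFIG = """\
interface vlan 10
  ip ospf area 0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 <encrypted-key-placeholder>
interface vlan 20
  ip ospf area 0
  ip ospf authentication
  ip ospf authentication-key 7 <encrypted-key-placeholder>
interface vlan 30
  ip ospf area 1
interface vlan 40
  ip ospf area 1
  ip ospf authentication message-digest
interface vlan 50
  ip ospf area 1
  ip ospf shutdown
interface vlan 60
  ip address 10.60.0.1 /24
"""


def parse_interfaces(text):
    """Group each command under the 'interface ...' line that precedes it."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def classify(cmds):
    """Return the OSPF authentication posture of one interface, or None."""
    if not any(c.startswith("ip ospf area ") for c in cmds):
        return None                       # interface is not placed in an OSPF area
    if "ip ospf shutdown" in cmds:
        return "OSPF_SHUTDOWN"            # OSPF instance disabled on the interface
    md5_key = any(re.match(r"ip ospf message-digest-key \S+ md5 ", c) for c in cmds)
    simple_key = any(c.startswith("ip ospf authentication-key ") for c in cmds)
    if "ip ospf authentication message-digest" in cmds:
        # The manual notes message-digest needs a configured key.
        return "OK_MD5" if md5_key else "MD5_WITHOUT_KEY"
    if "ip ospf authentication" in cmds:
        # Without message-digest, simple password authentication is used.
        return "SIMPLE_PASSWORD" if simple_key else "SIMPLE_WITHOUT_KEY"
    return "NO_AUTHENTICATION"            # default: authentication disabled


def audit(text):
    """Map every OSPF-enabled interface to its posture."""
    result = {}
    for name, cmds in parse_interfaces(text).items():
        status = classify(cmds)
        if status is not None:
            result[name] = status
    return result


def needs_attention(text):
    """Interfaces running OSPF without working message-digest authentication."""
    accepted = {"OK_MD5", "OSPF_SHUTDOWN"}
    return sorted(n for n, s in audit(text).items() if s not in accepted)


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"{name:10} {status}")
    print("review:", ", ".join(needs_attention(SAMPLE_CONFIG)))
```
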

ip ospf area

ip ospf area <area-id>

no ip ospf area

Sets OSPF area of this interface (and creates the area if non-existent).

The no form of the command removes the interface from the area.

Syntax Description

area-id: OSPF area ID. Range is 0-4294967295.

Default N/A

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

Config Interface Loopback

History 3.3.3500

Role admin

Example switch (config interface vlan 10)# ip ospf area 0

Related Commands N/A

6.3.5.4 Show

show ip ospf

show ip ospf

Displays general OSPF configuration and status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

switch (config)# show ip ospf

Routing Process 201 with ID 192.0.2.1 VRF default

Admin Status is Enabled

Stateful High Availability enabled

Graceful-restart is configured

Related Commands N/A

show ip ospf border-routers

show ip ospf border-routers

Displays routing table entries to Area Border Routers.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

switch# show ip ospf border-routers

OSPF Process ID p1, vrf default Internal Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 40.40.40.40 [10], ABR, Area 0.0.0.0, SPF 71 via 192.0.2.1, Ethernet2/1

i 60.60.60.60 [20], ABR, Area 0.0.0.0, SPF 71 via 192.0.2.1, Ethernet2/1

i 40.40.40.40 [10], ABR, Area 0.0.0.1, SPF 71 via 192.0.2.1, Ethernet2/2

i 60.60.60.60 [20], ABR, Area 0.0.0.1, SPF 71 via 192.0.2.1, Ethernet2/2

Related Commands N/A

show ip ospf database

show ip ospf database [summary] [<area-id> [<link-state-id>]] [adv-router <ip-address> | self-originated]

Displays the OSPF database.

Syntax Description

adv-router <ip-address>: Filters per advertising router.

area-id: Filters the command per OSPF area-id. Range is 0-4294967295.

link-state-id: The link state ID

self-originated: Self Originate

summary: Summarizes the output of the OSPF database.

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

Router# show ip ospf database

OSPF Router with ID (50.50.50.50) (Process ID p1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link Count

40.40.40.40 40.40.40.40 930 0x80000004 0x2ea1 3

50.50.50.50 50.50.50.50 935 0x80000002 0x8b52 1

60.60.60.60 60.60.60.60 943 0x800003c5 0x9854 2

Network Link States (Area 0)

Link ID ADV Router Age Seq# Checksum

209.165.201.3 60.60.60.60 944 0x80000001 0x7179

192.0.2.1 50.50.50.50 935 0x80000001 0x516a

Summary Network Link States (Area 0)

Link ID ADV Router Age Seq# Checksum

209.165.201.1 40.40.40.40 929 0x80000001 0x2498

209.165.201.1 50.50.50.50 928 0x80000001 0x5b2f

209.165.201.1 60.60.60.60 1265 0x800003c3 0xf49b

192.0.2.0 40.40.40.40 943 0x80000001 0x53f3

192.0.2.0 50.50.50.50 935 0x80000001 0x26f8

192.0.2.0 60.60.60.60 930 0x80000001 0x7b51

Related Commands N/A

show ip ospf interface

show ip ospf interface [vlan <vlan-id>] [brief]

Displays the OSPF related interface configuration.

Syntax Description

brief: Gives a brief summary of the output.

vlan <vlan-id>: Displays OSPF interface configuration and status per VLAN interface.

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

switch# show ip ospf interface ethernet 1/5

Ethernet1/5 is up, line protocol is down

IP address 192.0.2.1, Process ID 201 VRF RemoteOfficeVRF, area 0.0.0.10

Enabled by interface configuration

State DOWN, Network type BROADCAST, cost 4

Index 1, Transmit delay 1 sec, Router Priority 1

No designated router on this network

No backup designated router on this network

0 Neighbors, flooding to 0, adjacent with 0

Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5

No authentication

Number of opaque link LSAs: 0, checksum sum 0

switch#

This example shows how to display OSPF information in a brief format:

switch# show ip ospf interface brief

OSPF Process ID 201 VRF default

Total number of interface: 1

Interface ID Area Cost State Neighbors Status

VL1 2 0.0.0.0 65535 DOWN 0 down

switch#

Related Commands N/A

show ip ospf neighbors

show ip ospf neighbors [vlan <vlan-id>] [<neighbor-id>]

Displays the OSPF related interface neighbor configuration.

Syntax Description

vlan <vlan-id>: Displays OSPF interface configuration and status per VLAN interface.

neighbor-id: Filters the output per a specific OSPF neighbor.

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

Router# show ip ospf neighbors 10.199.199.137

Neighbor 10.199.199.137, interface address 192.0.2.37

In the area 0.0.0.0 via interface Ethernet2/1

Neighbor priority is 1, State is FULL

Options 2

Dead timer due in 0:00:32

Link State retransmission due in 0:00:04

Neighbor 10.199.199.137, interface address 209.165.201.189

In the area 0.0.0.0 via interface Ethernet4/3

Neighbor priority is 5, State is FULL

Options 2

Dead timer due in 0:00:32

Link State retransmission due in 0:00:03

This example shows how to display the neighbors that match the neighbor ID on an interface:

Router# show ip ospf neighbors ethernet 2/1 10.199.199.137

Neighbor 10.199.199.137, interface address 192.0.2.37

In the area 0.0.0.0 via interface Ethernet2/1

Neighbor priority is 1, State is FULL

Options 2

Dead timer due in 0:00:37

Link State retransmission due in 0:00:04

This example shows how to display detailed information about OSPF neighbors:

Router# show ip ospf neighbors detail

Neighbor 192.168.5.2, interface address 10.225.200.28

In the area 0 via interface GigabitEthernet1/0/0

Neighbor priority is 1, State is FULL, 6 state changes

DR is 10.225.200.28 BDR is 10.225.200.30

Options is 0x42

LLS Options is 0x1 (LR), last OOB-Resync 00:03:08 ago

Dead timer due in 00:00:36

Neighbor is up for 00:09:46

Index 1/1, retransmission queue length 0, number of retransmission 1

First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)

Last retransmission scan length is 1, maximum is 1

Last retransmission scan time is 0 msec, maximum is 0 msec

Related Commands N/A

show ip ospf request-list

show ip ospf request-list <neighbor-id> vlan <vlan-id>

Displays the OSPF list of all link-state advertisements (LSAs) requested by a router.

Syntax Description

neighbor-id: Filters the output per a specific OSPF neighbor.

vlan-id: Filters the output per a specific VLAN ID.

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

Router# show ip ospf request-list 40.40.40 ethernet 2/1

OSPF Process ID p1

Neighbor 40.40.40.40, interface Ethernet2/1, address 192.0.2.1

1 LSAs on request-list

Type LS ID ADV RTR Seq NO Age Checksum

1 192.0.2.12 192.0.2.12 0x8000020D 8 0x6572

Related Commands N/A

show ip ospf retransmission-list

show ip ospf retransmission-list <neighbor-id> vlan <vlan-id>

Displays the OSPF list of all link-state advertisements (LSAs) waiting to be resent to neighbors.

Syntax Description

neighbor-id: Filters the output per a specific OSPF neighbor.

vlan-id: Filters the output per a specific VLAN ID.

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

Router# show ip ospf retransmission-list 192.0.2.11 ethernet 2/1

OSPF Router with ID (192.0.2.12) (Process ID 1)

Neighbor 192.0.2.11, interface Ethernet2/1 address 209.165.201.11

Link state retransmission due in 3764 msec, Queue length 2

Type LS ID ADV RTR Seq NO Age Checksum

1 192.0.2.12 192.0.2.12 0x80000210 0 0xB196

Related Commands N/A

show ip ospf summary-address

show ip ospf summary-address

Displays a list of all summary address redistribution information configured on the OSPF.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.3500

Role admin

Example

switch (config)# show ip ospf summary-address

Display of Summary addresses for External Routes and area ranges for the summary LSAs

OSPF Process default

OSPF External Summary Address and area-range Configuration Information

-------------------------------------------------------

Network Mask Area Advertise LSA type Metric Tag

--------------------------------------------------------------

1.1.1.1 255.255.255.0 NA Advertise Type5 10 0

2.2.2.0 255.255.255.0 10.10.10.10 Not Advertise Type3 10 0

Related Commands N/A

6.4 BGP

Border Gateway Protocol (BGP) is an exterior gateway protocol designed to transfer routing information between routers. It maintains and propagates a table of routes that designates network reachability among autonomous systems (ASs).

BGP neighbors, or peers, are routers configured manually to converse using the BGP protocol on top of a TCP session on port 179. A BGP speaker periodically sends keep-alive messages to maintain the connection. Network reachability includes such information as forwarding destinations (IPv4 or IPv6) together with a list of ASs that this information traverses and other attributes, so it becomes possible to construct a graph of AS connectivity without routing loops. BGP makes it possible to apply policy rules to enforce the connectivity graph.

BGP routers communicate through a TCP connection on port 179. A connection between BGP neighbors is configured manually or can be established dynamically by configuring dynamic listen groups. When BGP runs between two peers in the same AS, it is referred to as Internal BGP (iBGP, or Interior Border Gateway Protocol). When it runs between separate ASs, it is called External BGP (eBGP, or Exterior Border Gateway Protocol). Both sides can initiate a connection. After the initial connectivity is created, the BGP state machine drives both sides into the ESTABLISHED state, where they can exchange UPDATE messages with reachability information.

6.4.1 State Machine

In order to make decisions in its operations with peers, a BGP peer uses a simple finite state machine (FSM) that consists of six states: Idle; Connect; Active; OpenSent; OpenConfirm; and Established. For each peer-to-peer session, a BGP implementation maintains a state variable that tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another.

The first state is the “Idle” state. In “Idle” state, BGP initializes all resources, refuses all inbound BGP connection attempts and initiates a TCP connection to the peer. The second state is “Connect”. In the “Connect” state, the router awaits the TCP connection to complete and transitions to the “OpenSent” state if successful. If unsuccessful, it initializes the ConnectRetry timer and transitions to the “Active” state upon expiration. In the “Active” state, the router resets the ConnectRetry timer to zero and returns to the “Connect” state. In the “OpenSent” state, the router sends an Open message and waits for one in return in order to transition to the “OpenConfirm” state. KeepAlive messages are exchanged and, upon successful receipt, the router is placed into the “Established” state. In the “Established” state, the router can send/receive: KeepAlive; Update; and Notification messages to/from its peer.
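The transitions described above, written as a table-driven state machine in Python (an added example, not MLNX-OS code). It encodes only the transitions this section names, plus the shutdown-to-Idle behavior mentioned under Verifying BGP; the event names, the retry-cycle counter and its threshold are assumptions of the example, and a complete FSM is specified in RFC 4271.

```python
# (state, event) -> next state, following the description in section 6.4.1.
# Event names are hypothetical labels chosen for this example.
TRANSITIONS = {
    ("Idle", "start"): "Connect",                      # initiates TCP to the peer
    ("Connect", "tcp_established"): "OpenSent",        # TCP connection completed
    ("Connect", "connect_retry_expired"): "Active",    # TCP failed, timer expired
    ("Active", "retry"): "Connect",                    # timer reset, try again
    ("OpenSent", "open_received"): "OpenConfirm",      # Open sent and one received
    ("OpenConfirm", "keepalive_received"): "Established",
    ("Established", "keepalive_received"): "Established",
    ("Established", "update_received"): "Established",
}


class UnexpectedEvent(Exception):
    """Raised when an event is not defined for the current state."""


def step(state, event):
    """Apply one event to a session state and return the new state."""
    if event == "admin_shutdown":
        return "Idle"          # a disabled (shutdown) neighbor is shown as IDLE
    try:
        return TRANSITIONS[(state, event)]
    except KeyError:
        raise UnexpectedEvent(f"{event!r} is not valid in state {state}") from None


def replay(events, state="Idle"):
    """Return the full list of states visited while applying the events."""
    path = [state]
    for event in events:
        state = step(state, event)
        path.append(state)
    return path


def retry_cycles(path):
    """Count Connect -> Active transitions, i.e. failed TCP attempts."""
    return sum(1 for a, b in zip(path, path[1:]) if (a, b) == ("Connect", "Active"))


def diagnose(path, max_retry_cycles=3):
    """Summarize a session history for an operator."""
    if path[-1] == "Established":
        return "established"
    if "OpenSent" not in path and retry_cycles(path) >= max_retry_cycles:
        # The session never got past TCP setup: check reachability of the
        # peer address and whether TCP port 179 is filtered on the path.
        return "tcp-never-completes"
    return "in-progress"


# Constructed event sequences for illustration.
HAPPY_PATH = ["start", "tcp_established", "open_received",
              "keepalive_received", "update_received"]
FLAPPING = ["start"] + ["connect_retry_expired", "retry"] * 3

if __name__ == "__main__":
    for name, events in (("happy", HAPPY_PATH), ("flapping", FLAPPING)):
        path = replay(events)
        print(name, " -> ".join(path), "=>", diagnose(path))
```
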

6.4.2 Configuring BGP

Figure 31: Basic BGP Configuration

Follow these steps for basic BGP configuration on two switches (Router 1 and Router 2):

Preconditions:

Step 1. Make sure the license installed supports L3.

Step 2. Enable IP routing functionality. Run:

switch (config)# ip routing

Step 3. Enable the desired VLAN. Run:

switch (config)# vlan 10

The same VLAN must be configured on both switches.

Step 4. Add this VLAN to the desired interface. Run:

switch (config)# interface ethernet 1/1

switch (config ethernet 1/1)# switchport access vlan 10

Step 5. Create a VLAN interface. Run:

switch (config)# interface vlan 10

Step 6. Apply IP address to the VLAN interface on Router 1. Run:

switch (config interface vlan 10)# ip address 10.10.10.1 /24

Step 7. Apply IP address to the VLAN interface on Router 2. Run:

switch (config interface vlan 10)# ip address 10.10.10.2 /24

Step 8. Enable the interface. Run:

switch (config interface vlan 10)# no shutdown

Configure BGP:

Step 1. Enable BGP. Run:

switch (config)# protocol bgp

Step 2. Configure an AS number that identifies the BGP router. Run:

switch (config)# router bgp 100

To run iBGP, the AS number of all remote neighbors should be the same as the local AS number of the configured router.

Step 3. Configure BGP Router 1 neighbor. Run:

switch (config router bgp 100)# neighbor 10.10.10.2 remote-as 100

Step 4. Configure BGP Router 2 neighbor. Run:

switch (config router bgp 100)# neighbor 10.10.10.1 remote-as 100

6.4.3 Verifying BGP

Step 1. Check the general status of BGP. Run:

switch (config)# show ip bgp summary

BGP summary information for VRF default, address family IPv4

BGP router identifier 10.10.10.1, local AS number 100

BGP table version is 100, main routing table version 100

0 network entries using 0 bytes of memory

0 path entries using 0 bytes of memory

0 BGP AS-PATH entries using 0 bytes of memory

0 BGP community entries using 0 bytes of memory

0 BGP extended community entries using 0 bytes of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.10.10.2 0 100 100 76 3 0 0 00:0:10:19 ESTABLISHED

switch (config)#

• Verify that each BGP neighbor has reached the ESTABLISHED state.

• If the neighbor is disabled (shutdown), the state of the neighbor will be IDLE.

• BGP incoming and outgoing messages should be incremented.

• The AS number of each neighbor is the correct one.

Step 2. Check the status of the neighbors. Run:

switch (config)# show ip bgp neighbors

BGP neighbor is 10.10.10.2, remote AS 100, external link

BGP version 0, remote router ID 0.0.0.0

BGP State = ESTABLISHED

Last read 0:00:00:00, last write 0:00:00:00, hold time is 180, keepalive interval is 60 seconds

Configured hold time is 180, keepalive interval is 60 seconds

Minimum holdtime from neighbor is 0 seconds

switch (config)#

You should be able to see running BGP counters and ESTABLISHED state per active neighbor.
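The checks listed under Step 1, automated as an added example (not part of the manual): a Python parser for the neighbor table of `show ip bgp summary` that compares two polls against a list of expected peers. The column layout is taken from the output above; the second poll, the 10.10.10.3 and 10.10.10.9 rows, and the expected-peer list are constructed for illustration.

```python
import ipaddress

# First poll: the 10.10.10.2 row is the one shown in the manual's output.
POLL_1 = """\
BGP router identifier 10.10.10.1, local AS number 100
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 0 100 100 76 3 0 0 00:0:10:19 ESTABLISHED
10.10.10.3 0 200 0 12 0 0 0 00:0:00:00 IDLE
switch (config)#
"""

# Second poll, constructed: counters for 10.10.10.2 advanced, 10.10.10.3 is
# still idle, and a neighbor nobody configured has appeared.
POLL_2 = """\
BGP router identifier 10.10.10.1, local AS number 100
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 0 100 102 78 3 0 0 00:0:11:19 ESTABLISHED
10.10.10.3 0 200 0 13 0 0 0 00:0:00:00 IDLE
10.10.10.9 0 100 5 5 1 0 0 00:0:00:40 ESTABLISHED
switch (config)#
"""

EXPECTED_AS = {"10.10.10.2": 100, "10.10.10.3": 100}   # constructed inventory


def parse_summary(text):
    """Return {neighbor: {column: value}} from the neighbor table."""
    columns, rows = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Neighbor":
            columns = fields
            continue
        if columns is None or len(fields) != len(columns):
            continue                      # banner lines, prompts, wrapped text
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        rows[fields[0]] = dict(zip(columns, fields))
    return rows


def is_established(state_field):
    """True for ESTABLISHED; a bare prefix count is also accepted.

    Accepting digits is an assumption based on the column name State/PfxRcd.
    """
    return state_field.upper() == "ESTABLISHED" or state_field.isdigit()


def check_neighbors(prev_text, now_text, expected_as):
    """List (neighbor, problem) pairs for the four checks in Step 1."""
    prev, now = parse_summary(prev_text), parse_summary(now_text)
    problems = []
    for neighbor, want_as in expected_as.items():
        row = now.get(neighbor)
        if row is None:
            problems.append((neighbor, "missing from summary"))
            continue
        if not is_established(row["State/PfxRcd"]):
            problems.append((neighbor, "state " + row["State/PfxRcd"]))
        if int(row["AS"]) != want_as:
            problems.append(
                (neighbor, f"unexpected AS {row['AS']} (expected {want_as})"))
        before = prev.get(neighbor)
        if before and int(row["MsgRcvd"]) <= int(before["MsgRcvd"]):
            problems.append((neighbor, "MsgRcvd not incrementing"))
    for neighbor in now:
        if neighbor not in expected_as:
            problems.append((neighbor, "neighbor not in expected list"))
    return problems


if __name__ == "__main__":
    for neighbor, problem in check_neighbors(POLL_1, POLL_2, EXPECTED_AS):
        print(f"{neighbor}: {problem}")
```
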

6.4.4 Commands

6.4.4.1 Config

protocol bgp

protocol bgp

no protocol bgp

Enables the BGP feature and unhides BGP-related commands.

The no form of the command deletes all BGP configuration and hides BGP-related commands.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.5006

Role admin

Example

switch (config)# protocol bgp

switch (config)#

Related Commands ip routing

clear ip bgp

clear ip bgp [{<ip-address> | all} [soft] [in | out]]

Clears BGP learned routes from the BGP table and resets the connection to the neighbor.

Syntax Description

ip-address: A BGP peer IP address. Only the specified neighbor is reset.

all: All BGP peers. All BGP neighbors are reset.

soft: Clears BGP learned routes from the BGP table without resetting the connection to the neighbor.

in: Inbound routes are reset.

out: Outbound routes are reset.

Default N/A

Configuration Mode Config

History 3.3.5006 First release

3.3.5200 Updated description

Role admin

Example

switch (config)# clear ip bgp all

switch (config)#

Related Commands N/A

Note This command removes BGP IPv4 learned routes from the routing table, reads all routes from designated peers, and sends routes to those peers as required.

router bgp

router bgp <as-number>

no router bgp <as-number>

Creates and enters a BGP instance with the specified AS number.

The no form of the command deletes all router BGP instance configuration.

Syntax Description

as-number: Autonomous system number: A unique number to be used to identify the AS. The AS is a number which identifies the BGP router to other routers and tags the routing information passed along. Range: 1-65535.

Default N/A

Configuration Mode Config

History 3.3.5006 First version

3.3.5200 Updated syntax description

Role admin

Example

switch (config)# router bgp 100

switch (config router bgp 100)#

Related Commands ip routing

6.4.4.2 Config Router

shutdown

shutdown

no shutdown

Gracefully disables BGP protocol without removing existing configuration.

The no form of the command enables BGP.

Syntax Description N/A

Default Enabled

Configuration Mode Config Router BGP

History 3.3.5006

Role admin

Example switch (config router bgp 100)# no shutdown

aggregate-address

aggregate-address <prefix> [summary-only] [as-set] [attribute-map]

no aggregate-address <prefix> [summary-only] [as-set] [attribute-map]

Creates an aggregate route in the BGP database.

The no form of the command disables ECMP across AS paths.

Syntax Description

prefix Destination to aggregate

summary-only Contributor routes are not advertised.

as-set Includes AS_PATH information from contributor routes as AS_SET attributes

attribute-map Assigns attribute values in set commands of the map’s permit clauses. Deny clauses and match commands in permit clauses are ignored.

Default Disabled

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch-e07c04 [standalone: master] (config router bgp 4) # aggregate-address 3.5.3.7 /32

Related Commands

Note • Aggregate routes combine the characteristics of multiple routes into a single route that the switch advertises

• Aggregation can reduce the amount of information that a BGP speaker is required to store and transmit when advertising routes to other BGP speakers

• Aggregate routes are advertised only after they are redistributed


bestpath as-path multipath-relax

bestpath as-path multipath-relax

no bestpath as-path multipath-relax

Enables ECMP across AS paths.

The no form of the command disables ECMP across AS paths.

Syntax Description N/A

Default Disabled

Configuration Mode Config Router BGP

History 3.3.5006

3.3.5200 Updated description and notes

Role admin

Example switch (config router bgp 100)# bestpath as-path multipath-relax

Related Commands maximum-paths

Note • With this option disabled, only routes with exactly the same AS path as the best route to a destination are considered for ECMP.

• With this option enabled, all routes with similar length AS path as the best route are considered for ECMP.


bgp fast-external-fallover

bgp fast-external-fallover

no bgp fast-external-fallover

Terminates eBGP sessions of any directly adjacent peer without waiting for the hold-down timer to expire if the link used to reach the peer goes down.

The no form of the command waits for the hold-down timer to expire before terminating eBGP sessions.

Syntax Description N/A

Default no bgp fast-external-fallover

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# bgp fast-external-fallover

Related Commands maximum-paths

Note Although this feature improves BGP convergence time, it may cause instability in your BGP table due to a flapping interface.


bgp listen limit

bgp listen limit <maximum>

no bgp listen limit

Limits the number of dynamic BGP peers allowed on the switch.

The no form of the command resets to the default value.

Syntax Description

maximum The maximum number of dynamic BGP peers to be allowed on the switch. Range: 1-128.

Default 100

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# bgp listen limit 101

Related Commands

Note


bgp listen range

bgp listen range <ip-prefix> <length> peer-group <peer-group-name> remote-as <as-number>

no bgp listen range <ip-prefix> <length>

Identifies a range of IP addresses from which the switch will accept incoming dynamic BGP peering requests.

After applying the no form of the command, the switch will no longer accept dynamic peering requests on the range.

Syntax Description

ip-prefix IP address

length Mask length (e.g. /24 or 255.255.255.254)

peer-group-name Peer group name

remote-as <as-number> Remote peer’s number.

Default 100

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# bgp listen range 10.10.10.10 /24 peer-group my-group remote-as 13

Related Commands

Note • To create a static peer group, use the command neighbor peer-group

• Neighbors in a dynamic peer group are configured as a group and cannot be configured individually.


bgp redistribute-internal

bgp redistribute-internal

no bgp redistribute-internal

Enables iBGP redistribution into an interior gateway protocol (IGP).

The no form of the command disables iBGP redistribution into an interior gateway protocol (IGP).

Syntax Description

ip-prefix IP address

length Mask length (e.g. /24 or 255.255.255.254)

peer-group-name Peer group name

remote-as <as-number> Remote peer’s number.

Default Disabled

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# bgp redistribute-internal

Related Commands

Note


cluster-id

cluster-id <ip-address>

no cluster-id <ip-address>

Configures the cluster ID in a cluster with multiple route reflectors.

The no form of the command resets the cluster ID for route reflector.

Syntax Description

ip-address The route reflector cluster ID

• 0.0.0.1 to 255.255.255.255 Valid cluster ID number

• 0.0.0.0 removes the cluster-ID from the switch (similar to “no cluster-id”)

Default Cluster ID is the same as Router ID

Configuration Mode Config Router BGP

History 3.2.1000 First version

3.4.0000 Updated syntax description

Role admin

Example switch (config router bgp 100)# cluster-id 10.10.10.10

Related Commands N/A

Note


client-to-client reflection

client-to-client reflection

no client-to-client reflection

The switch will be configured as a route reflector.

The no form of the command stops the switch from being a route reflector.

Syntax Description N/A

Default client-to-client reflection is enabled

Configuration Mode Config Router BGP

History 3.2.1000

Role admin

Example switch (config router bgp 100)# client-to-client reflection

Related Commands N/A

Note


distance

distance <external> <internal> <local>

no distance

Sets the administrative distance of the routes learned through BGP.

The no form of the command resets the administrative distance to its default.

Syntax Description

external Administrative distance for external BGP routes. Range: 1-255.

internal Administrative distance for internal BGP routes. Range: 1-255.

local Administrative distance for local BGP routes. Range: 1-255.

Default external: 200

internal: 200

local: 200

Configuration Mode Config Router BGP

History 3.3.5006

Role admin

Example switch (config router bgp 100)# distance 10 20 30

Related Commands N/A

Note • Routers use administrative distances to decide on a route when two protocols provide routing information to the same destination.

• Lower distance values correspond to higher reliability.

• Routes are external when learned from an external autonomous system.

• Routes are internal when learned from a peer in the local autonomous system.

• Local routes are those networks listed with a network router configuration command, often as back doors, for the router or for the networks being redistributed from another process.

• BGP routing tables do not include routes with a distance of 255.


graceful-restart stalepath-time

graceful-restart stalepath-time <interval>

no graceful-restart stalepath-time

Configures the maximum time that stale routes from a restarting BGP neighbor are retained after a BGP session is reestablished with that peer.

The no form of the command resets to the default value.

Syntax Description

interval Time in seconds. Range: 1-3600.

Default 300 seconds

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# graceful-restart stalepath-time 350

Related Commands N/A

Note


graceful-restart helper

graceful-restart helper

no graceful-restart helper

Enables BGP graceful restart helper mode on the switch for all BGP neighbors.

The no form of the command disables BGP graceful restart helper mode on the switch for all BGP neighbors.

Syntax Description N/A

Default Graceful restart is enabled

Configuration Mode Config Router BGP

History 3.4.0000

Role admin

Example switch (config router bgp 100)# graceful-restart helper

Related Commands N/A

Note • When graceful restart helper mode is enabled, the switch retains routes from neighbors capable of graceful restart while those neighbors are restarting BGP

• Individual neighbor configuration takes precedence over the global configuration


maximum-paths

maximum-paths [ibgp] <maximum-path>

Configures the maximum number of parallel eBGP/iBGP routes that the switch installs in the routing table.

Syntax Description

ibgp Sets the configuration on the internal BGP.

maximum-path The number of routes to install to the routing table.

Default 1

Configuration Mode Config Router BGP

History 3.3.5006

3.3.5200 Updated description and notes

Role admin

Example switch (config router bgp 100)# maximum-paths ibgp 10

switch (config router bgp 100)#

Related Commands N/A

Note • This command provides an ECMP parameter that controls the number of equal-cost paths that the switch installs in the routing table for each destination.

• The action is effective after BGP restart.

• If the parameter “ibgp” is not used, the setting is applied on routes learned from peers from other ASs; if “ibgp” is used, the setting is applied to routes learned from peers of the same AS.


neighbor advertisement-interval

neighbor {<ip-address> | <peer-group-name>} advertisement-interval <delay>

no neighbor {<ip-address> | <peer-group-name>} advertisement-interval

Sets the minimum route advertisement interval (MRAI) between the sending of BGP routing updates.

The no form of the command disables this function.

Syntax Description

ip-address A BGP peer IP address

peer-group-name Peer group name

delay Time (in seconds) is specified by an integer. Range: 0-600.

Default 30 seconds

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 advertisement-interval 90

Related Commands

Note


neighbor allowas-in

neighbor {<ip-address> | <peer-group-name>} allowas-in [number]

no neighbor {<ip-address> | <peer-group-name>} allowas-in

Configures the switch to permit the advertisement of prefixes containing duplicate autonomous system numbers (ASNs).

The no form of the command disables this function.

Syntax Description

ip-address A BGP peer IP address

peer-group-name Peer group name

number Number of the switch’s ASN allowed in path. Range: 1-10.

Default N/A

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 allowas-in 2

Related Commands ip routing

router bgp <as-number>

Note Neighbors from the same AS as the router are considered as iBGP peers, and neighbors from other ASs are considered eBGP peers.


neighbor description

neighbor {<ip-address> | <peer-group-name>} description <string>

no neighbor {<ip-address> | <peer-group-name>} description

Associates descriptive text with the specified peer or peer group.

The no form of the command removes the description from the peer.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

string Free string, up to 80 characters in length.

Default No description

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated example

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 description The next door neighbor

Related Commands N/A

Note The peer description only appears in the show commands.


neighbor ebgp-multihop

neighbor {<ip-address> | <peer-group-name>} ebgp-multihop [<ttl>]

no neighbor {<ip-address> | <peer-group-name>} ebgp-multihop

Enables BGP to connect to external peers that are not directly connected to the switch.

The no form of the command disables connecting to external peers that are not directly connected to the switch.

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

ttl Time-to-live. Range: 1-255 hops.

Default ttl: 1

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated default

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 ebgp-multihop 5

Related Commands ip routing

neighbor <ip-address> remote-as <as-number>

Note The command does not establish the multi-hop if the only route to the peer is the default route (0.0.0.0).


neighbor export-localpref

neighbor {<ip-address> | <peer-group-name>} export-localpref <value>

no neighbor {<ip-address> | <peer-group-name>} export-localpref

Configures the local preference value sent to the specified peer or peer group.

The no form of the command resets the local preference to its default value.

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

value Preference value. Range: 0-2147483647.

Default 100

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 export-localpref 100

Related Commands

Note


neighbor graceful-restart helper

neighbor {<ip-address> | <peer-group-name>} graceful-restart helper

no neighbor {<ip-address> | <peer-group-name>} graceful-restart helper

Enables BGP graceful restart helper mode for the specified BGP neighbor or peer group.

The no form of the command

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

Default Graceful restart is enabled

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor graceful-restart helper

Related Commands

Note • When graceful restart helper mode is enabled, the switch retains routes from neighbors capable of graceful restart while those neighbors are restarting BGP

• Individual neighbor configuration takes precedence over the global configuration


neighbor import-localpref

neighbor {<ip-address> | <peer-group-name>} import-localpref <value>

no neighbor {<ip-address> | <peer-group-name>} import-localpref

Configures the local preference value assigned to routes received from the specified peer or peer group.

The no form of the command resets the local preference to its default value.

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

value Preference value. Range: 0-2147483647.

Default 100

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 import-localpref 100

Related Commands

Note


neighbor local-as

neighbor {<ip-address> | <peer-group-name>} local-as <as-id> [no-prepend | replace-as]

no neighbor {<ip-address> | <peer-group-name>} local-as

Enables the modification of the AS path attribute for routes received from an eBGP neighbor.

The no form of the command disables AS path modification for the specified peer or peer group.

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

no-prepend local-as number is not prepended to the routes received from external neighbors

replace-as Prepends only the local autonomous system number (as configured with the IP address argument) to the AS path attribute.

Default 12000

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch-e07c04 [standalone: master] (config router bgp 4) # neighbor 100.100.100.100 local-as 123

Related Commands ip routing

neighbor <ip-address> remote-as <as-number>

Note • This function allows the switch to appear as a member of a different autonomous system (AS) to external peers.

• To disable peering with the neighbor run the command clear ip bgp


neighbor maximum-prefix

neighbor {<ip-address> | <peer-group-name>} maximum-prefix <maximum> [warning-only]

no neighbor {<ip-address> | <peer-group-name>} maximum-prefix

Configures the number of BGP routes the switch accepts from a specified neighbor and defines an action when the limit is exceeded.

The no form of the command removes the limitation.

Syntax Description

ip-address IP address of the BGP-speaking neighbor

peer-group-name Peer group name

maximum Number of BGP routes the switch accepts from a specified neighbor. Range: 1-2147483647.

warning-only Only generates a warning rather than disconnecting the neighbor

Default 12000

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 maximum-prefix 12000 warning-only

Related Commands ip routing

neighbor <ip-address> remote-as <as-number>

Note


neighbor next-hop-peer

neighbor {<ip-address> | <peer-group-name>} next-hop-peer

no neighbor {<ip-address> | <peer-group-name>} next-hop-peer

Configures the switch to list the peer address as the next hop in routes that it receives from the specified peer BGP-speaking neighbor or members of the specified peer group.

The no form of the command disables this function.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default no next-hop-peer

Configuration Mode Config Router BGP

History 3.3.5006

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 next-hop-peer

Related Commands

Note This command overrides the next hop for all routes received from this neighbor or peer group


neighbor next-hop-self

neighbor {<ip-address> | <peer-group-name>} next-hop-self

no neighbor {<ip-address> | <peer-group-name>} next-hop-self

Configures the IP address of the router as the next hop address in routes advertised to the specified neighbor.

The no form of the command resets this parameter to its default.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default no next-hop-self

Configuration Mode Config Router BGP

History 3.3.5006

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 next-hop-self

Related Commands neighbor <ip-address> remote-as <as-number>

Note • This function is used in networks where BGP neighbors do not directly access all other neighbors on the same subnet.

• In the default state, the next hop is generated based on the IP address and the present next hop in the route information.


neighbor password

neighbor {<ip-address> | <peer-group-name>} password [<encryption>] <string>

no neighbor {<ip-address> | <peer-group-name>} password

Enables authentication on a TCP connection with a BGP peer.

The no form of the command resets the value to its default.

Syntax Description

ip-address IP address of the neighbor

peer-group-name Peer group name

encryption Possible values:

• no parameter – clear text

• 0 – clear text

• 7 – obfuscated

string Up to 8 bytes in length

Default N/A

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 password 7 admin123

Related Commands

Note • Peers must use the same password to ensure communication.

• 'neighbor <ip-address> password 7 <password>' can only accept data that was created using 'show config'.

• 'show config' will never show the clear-text password; it will always be obfuscated (and thus displayed using the 'password 7' syntax).

• Router BGP neighbor password cannot be set when enabling secure mode

• Router BGP peer-group password cannot be set when enabling secure mode


neighbor peer-group

1. neighbor {<ip-address>} peer-group <peer-group-name>

2. neighbor {<peer-group-name>} peer-group

3. no neighbor {<ip-address>} peer-group <peer-group-name>

4. no neighbor {<peer-group-name>} peer-group <peer-group-name>

1. Assigns BGP neighbors to an existing peer group.

2. Creates a peer-group

3. Unassigns BGP neighbors from an existing peer group.

4. Removes a specified neighbor from the peer group

Syntax Description

ip-address IP address of the neighbor

peer-group-name Peer group name

Default N/A

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor groupA peer-group

switch (config router bgp 100)# neighbor 1.2.3.4 peer-group groupA

Related Commands

Note • Once a peer group is created, the group name can be used as a parameter in neighbor configuration commands, and the configuration will be applied to all members of the group.

• Settings applied to an individual neighbor in the peer group override group settings.

• A neighbor can only belong to one peer group, so issuing this command for a neighbor that is already a member of another group removes it from that group.

• When a neighbor is removed from a peer group, the neighbor retains the configuration inherited from the peer group.

• Router BGP peer-group password cannot be set when enabling secure mode


neighbor remote-as

neighbor {<ip-address>} remote-as <as-number>

no neighbor {<ip-address>} remote-as <as-number>

Configures a neighbor.

The no form of the command removes the neighbor, dropping the connection and all routes if already connected.

Syntax Description

ip-address A BGP peer IP address

peer-group-name Peer group name

as-number The BGP peer as-number. Range: 1-65535.

Default N/A

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated description and note

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 remote-as 200

switch (config router bgp 100)#

Related Commands ip routing

router bgp <as-number>

Note Neighbors from the same AS as the router are considered as iBGP peers, and neighbors from other ASs are considered eBGP peers.


neighbor remove-private-as

neighbor {<ip-address> | <peer-group-name>} remove-private-as

no neighbor {<ip-address> | <peer-group-name>} remove-private-as

Removes private autonomous system numbers from outbound routing updates for external BGP (eBGP) neighbors.

The no form of the command preserves private AS numbers for the specified peer.

Syntax Description

ip-address A BGP peer IP address

peer-group-name Peer group name

Default N/A

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 remove-private-as

switch (config router bgp 100)#

Related Commands ip routing

router bgp <as-number>

Note • This can only be used with external BGP (eBGP) peers.

• If the update has only private AS numbers in the AS path, BGP removes these numbers.

• If the AS path includes both private and public AS numbers, BGP does not remove the private AS numbers. This situation is considered a configuration error.

• If the AS path contains the AS number of the eBGP neighbor, BGP does not remove the private AS number.

• If the AS path contains confederations, BGP removes the private AS numbers only if they come after the confederation portion of the AS path.
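The remove-private-as notes above amount to a small decision procedure. The following Python model is an added example, not MLNX-OS code: the function name, the reason strings and the `confed_len` parameter are hypothetical, the 16-bit private-use range 64512-65534 comes from RFC 6996 rather than from this manual, and it assumes the confederation portion is a prefix of the AS path.

```python
# Added illustration of the remove-private-as notes; not vendor code.
PRIVATE_ASNS = range(64512, 65535)  # 64512-65534, 16-bit private-use ASNs (RFC 6996)


def is_private(asn):
    """True if asn falls in the 16-bit private-use range."""
    return asn in PRIVATE_ASNS


def remove_private_as(as_path, local_as, neighbor_as, confed_len=0):
    """Model the documented rules for one outbound AS path.

    as_path     list of AS numbers, leftmost first
    confed_len  number of leading entries forming the confederation portion
                (assumption: that portion is a prefix of the path)
    Returns (new_path, reason).
    """
    path = list(as_path)
    if neighbor_as == local_as:
        return path, "ibgp-peer"              # rule applies to eBGP peers only
    if neighbor_as in path:
        return path, "neighbor-as-in-path"    # private ASNs are kept
    confed, rest = path[:confed_len], path[confed_len:]
    if not any(is_private(a) for a in rest):
        return path, "no-private-as"
    if all(is_private(a) for a in rest):
        return confed, "removed"              # only private ASNs after the confed part
    return path, "mixed-private-public"       # documented as a configuration error


# Constructed sample paths: (as_path, local_as, neighbor_as, confed_len)
CASES = [
    ([64512, 64513], 100, 200, 0),
    ([64512, 3356], 100, 200, 0),
    ([64512, 200], 100, 200, 0),
    ([64512], 100, 100, 0),
    ([65010, 65020, 64512], 100, 200, 2),
    ([3356, 1299], 100, 200, 0),
]

if __name__ == "__main__":
    for as_path, local_as, neighbor_as, confed_len in CASES:
        new_path, reason = remove_private_as(as_path, local_as, neighbor_as, confed_len)
        print(f"{as_path} -> {new_path} ({reason})")
```

A "mixed-private-public" result is the case worth alerting on, since the private AS numbers then leave the switch unmodified toward the external peer.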


neighbor route-map

neighbor {<ip-address> | <peer-group-name>} route-map <route-map-name> [in | out]

no neighbor {<ip-address> | <peer-group-name>} route-map <route-map-name> [in | out]

Configures a route map to inbound BGP routes.

The no form of the command undoes the configuration.

Syntax Description

ip-address IP address of the neighbor

peer-group-name Peer group name

route-map-name String. The name of the route-map

in Applies route map to inbound routes

out Applies route map to out-bound routes

Default N/A

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated notes and default

3.4.1100 Added “out” parameter

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 route-map MyRoute-Map in

Related Commands neighbor <ip-address> remote-as <as-number>

route-map <map-name> [deny | permit] [sequence-number]

clear ip bgp {<ip-address> | all}

Note • Only one inbound route-map can be applied to a given neighbor.

• If a new route-map is applied to a neighbor, it replaces the previous route map.

• Changing a route-map only takes effect on routes received or sent after the change.


neighbor route-reflector-client

neighbor {<ip-address> | <peer-group-name>} route-reflector-client

no neighbor {<ip-address> | <peer-group-name>} route-reflector-client

Sets the neighbor as a client but does not set up the reflection itself.

The no form of the command disables route reflection for the specific peer.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default N/A

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated notes and default

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 route-reflector-client

Related Commands

Note


neighbor send-community

neighbor {<ip-address> | <peer-group-name>} send-community

no neighbor {<ip-address> | <peer-group-name>} send-community

Configures the switch to send community attributes to the specified BGP neighbor.

The no form of the command disables sending community attributes for the specified peer.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default Enabled

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 send-community

Related Commands N/A

Note


neighbor shutdown

neighbor {<ip-address> | <peer-group-name>} shutdown

no neighbor {<ip-address> | <peer-group-name>} shutdown

Disables BGP neighbor gracefully.

The no form of the command enables BGP neighbor.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default Enabled

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated note

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 shutdown

Related Commands N/A

Note Disabling a neighbor terminates all its active sessions and removes associated routing information.


neighbor soft-reconfiguration inbound

neighbor {<ip-address> | <peer-group-name>} soft-reconfiguration inbound

no neighbor {<ip-address> | <peer-group-name>} soft-reconfiguration inbound

Disables BGP neighbor gracefully.

The no form of the command restores the system default behavior (retaining all routes from the specified neighbor or group).

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default N/A

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 soft-reconfiguration inbound

Related Commands N/A

Note • This command also allows the switch to display all advertised routes when the command show ip bgp neighbor advertised-routes is issued.

• The no form of the command configures the switch to discard information about routes received from the specified neighbor or group that fail the import policy.


neighbor timers

neighbor {<ip-address> | <peer-group-name>} timers <keep-alive> <hold-time>

no neighbor {<ip-address> | <peer-group-name>} timers

Configures the keepalive and hold times for a specified peer.

The no form of the command resets the parameters to their default values.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

keep-alive The period between the transmission of consecutive keep-alive messages. Range: 1-3600 seconds. “0” means that keepalive is not sent and the connection does not expire.

hold-time The period the switch waits for a keepalive or update message before it disables peering. Range: 3-7200 seconds. “0” means that keepalive is not sent and the connection does not expire.

Default keep-alive: 60 seconds

hold-time: 180 seconds

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated description

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 timers 65 195

Related Commands neighbor <ip-address> remote-as <as-number>

Note Hold time must be at least 3 seconds and should be three times longer than the keepalive setting.


neighbor transport connection-mode passive

neighbor {<ip-address> | <peer-group-name>} transport connection-mode passive

no neighbor {<ip-address> | <peer-group-name>} transport connection-mode passive

Sets the TCP connection for the specified BGP neighbor or peer group to passive mode.

The no form of the command sets the specified BGP neighbor or peer group to active connection mode.

Syntax Description

ip-address IP address of the neighbor.

peer-group-name Peer group name

Default TCP sessions initiated

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 transport connection-mode passive

Related Commands

Note • When the peer’s transport connection mode is set to passive, it accepts TCP connections for BGP, but does not initiate them.

• BGP peers in active mode can both accept and initiate TCP connections for BGP.


neighbor update-source

neighbor <ip-address> update-source {ethernet <slot/port> | loopback <number> | port-channel <number> | vlan <vlan-id>}

no neighbor <ip-address> update-source

Configures the source-address for routing updates and to establish TCP connections with peers.

The no form of the command disables configured source-address for routing updates and for TCP connection establishment with a peer.

Syntax Description

ip-address IP address of the neighbor.

ethernet <slot/port> Ethernet interface.

loopback <number> Loopback interface number.

vlan <vlan-id> VLAN interface. Range: 1-4094.

port-channel <number> LAG interface. Range is 1-4094.

Default BGP uses best local address

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated example

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.2 update-source vlan 10

Related Commands N/A

Note


neighbor weight

neighbor {<ip-address> | <peer-group-name>} weight <value>

no neighbor {<ip-address> | <peer-group-name>} weight

Assigns a weight attribute to paths from the specified neighbor.

The no form of the command resets to default values.

Syntax Description

ip-address IP address of the neighbor

peer-group-name Peer group name

value Weight value. Range: 1-65535.

Default Value is 32768 for router-originated paths and 0 for routes received through BGP

Configuration Mode Config Router BGP

History 3.4.0000 First version

Role admin

Example switch (config router bgp 100)# neighbor 10.10.10.10 weight 100

Related Commands N/A

Note • Weight values set through route map commands have precedence over neighbor weight command values.

• Other attributes are used only when all paths to the prefix have the same weight.

• A path’s BGP weight is also configurable through route maps.

• When multiple paths to a destination prefix exist, the best-path selection algorithm prefers the path with the highest weight.

• Weight is the first parameter that the BGP best-path selection algorithm considers.


network

network <ip-prefix> <length> [<route-map-name>]

no network <ip-prefix> <length> [<route-map-name>]

Configures a route for advertisement to BGP peers.

The no form of the command removes the route from the BGP routes table, preventing its advertisement. The route is only advertised if the router has a gateway to the destination.

Syntax Description

ip-prefix A string that specific route map is assigned to the network.

length /24 or 255.255.255.0 format.

route-map-name The name of a route-map which is used to set the route’s attributes when it is advertised.

Default N/A

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated description, syntax description and notes

Role admin

Example switch (config router bgp 100)# network 10.10.10.0 /24 routemap

Related Commands

Note • The parameters “ip-prefix” and “length” specify the route destination.

• The configuration zeros the host portion of the specified network address. For example, 192.0.2.4/24 is stored as 192.0.2.0/24.


redistribute

redistribute {connected | static | ospf | ospf-internal | ospf-external} [<routemap>]

no redistribute {connected | static | ospf}

Enables redistribution of specified routes to the BGP domain.

The no form of the command disables route redistribution from the specified source.

Syntax Description

connected Redistributes the direct routes

static Redistributes the user-defined (static) route

ospf Redistributes all routes learned by ospf protocol

ospf-internal Redistributes all ospf-learned routes which are marked as internal

ospf-external Redistributes all ospf-learned routes which are marked as external

Default No redistribution

Configuration Mode Config Router BGP

History 3.2.1000

Role admin

Example switch (config router bgp 100)# redistribute ospf

Related Commands N/A

Note Multiple redistribution options can be applied.


router-id

router-id <ip-address>

no router-id

Configures a fixed router ID for BGP.

The no form of the command removes the fixed router ID and restores the system default.

Syntax Description

ip-address IP address that identifies the router ID

Default The Router ID is dynamically elected (no router-id).

• If a loopback interface is configured, the router ID is set to the IP address of the loopback interface.

• If multiple loopback interfaces are configured, the router ID is set to the IP address of the loopback interface with the highest IP address.

• If no loopback interface is configured, the router ID is set to the highest IP address on a physical interface.

Configuration Mode Config Router BGP

History 3.3.5006

Role admin

Example switch (config router bgp 100)# router-id 10.10.10.10

Related Commands

Note The IP address configured identifies the BGP speaker. The command triggers an automatic notification and session reset for the BGP neighbors.


timers bgp

timers bgp <keep-alive> <hold>

no timers bgp

Configures the BGP keepalive and hold times.

The no form of the command resets the parameters to their default settings.

Syntax Description

keep-alive Frequency (in seconds) with which keepalive messages are sent to its peer. Range: 1-3600 seconds; 0 – no keep-alive messages are sent.

hold Interval (in seconds) after not receiving a keepalive message that a peer is declared dead. 3-7200 seconds; 0 – peer is held indefinitely regardless of keep-alive messages.

Default Keepalive time: 60 secs

Hold time: 180 secs

Configuration Mode Config Router BGP

History 3.3.5006 First version

3.3.5200 Updated syntax description, related commands and notes

Role admin

Example switch (config router bgp 100)# timers bgp 61 181
switch (config router bgp 100)#

Related Commands ip routing
neighbor timers
router bgp <as-number>
show ip bgp

Note • Timer settings apply to every peer connection.

• The command “neighbor timers” configures the times on a specified peer connection.

• Hold time should be three times longer than the keepalive setting.


6.4.4.3 Show

show ip bgp

show ip bgp [<ip-address> <mask> [detail | longer-prefixes [detail]]]

Displays information about the BGP routes table (RIB).

Syntax Description

ip-address IP address (e.g. 172.3.12.4).

mask Netmask (e.g. /24 or 255.255.255.0).

detail Displays detailed information about a subset of the bgp learned routes.

longer-prefixes Displays the routes to the specified destination and any routes to a more specific destination.

Example: If “10.20.30.0 /24 longer-prefixes” is run, all routes starting with 10.20.30 regardless of the prefix length (10.20.30.X /24, 10.20.30.X /25, etc.) are displayed – providing there are any such routes received/sent from/to that neighbor.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

switch (config) # show ip bgp
BGP table version is 100, local router ID is 16.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
100.100.100.0/24 2.2.2.2 0 2 50 100 e
100.100.100.0/24 2.2.2.12 0 12 50 100 e
20.20.20.0/24 2.2.2.2 0 2 20 e
40.40.40.0/24 4.4.4.4 0 4 40 i
100.100.90.32/28 2.2.2.2 0 2 100 i
100.100.100.0/24 4.4.4.4 0 4 50 i
switch (config) #

Related Commands N/A

Note


show ip bgp community

show ip bgp community <comm_1> <comm_2> … <comm_n> [exact] [detail]

Displays information about the BGP routes (RIB) filtered according to communities.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.4.0000

Role admin

Example

switch (config) # show ip bgp community 100:1
BGP table version is 8, local router ID is 3.5.7.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.4.3.11/32 0.0.0.0 0 0 32768 i
*> 3.5.7.88/32 0.0.0.0 0 0 32768 i
*> 3.5.7.99/32 0.0.0.0 0 0 32768 i
switch (config) # show ip bgp community 100:1 exact
BGP table version is 8, local router ID is 3.5.7.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.4.3.11/32 0.0.0.0 0 0 32768 i
*> 3.5.7.99/32 0.0.0.0 0 0 32768 i

Related Commands N/A

Note


show ip bgp neighbors

show ip bgp neighbors

Displays summary information about all BGP neighbors.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

switch (config) # show ip bgp neighbors <ip> received
switch-e07c04 [standalone: master] (config) # show ip bgp neighbors 3.5.7.5 received
BGP table version is 66, local router ID is 3.5.7.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 100.0.20.0/24 3.5.7.5 10 100 0 5 i
*> 3.5.7.128/32 3.5.7.5 7 100 0 5 i
*> 100.0.30.0/24 3.5.7.5 0 100 0 5 i
*> 10.20.30.0/24 3.5.7.5 0 100 0 5 12 i
switch-e07c04 [standalone: master] (config) #

Related Commands N/A

Note


show ip bgp neighbors <ip>

show ip bgp neighbors <ip-address>

Displays BGP summary information.

Syntax Description

ip-address Neighbor IP address.

advertised Displays routes advertised to the specified neighbor.

received Displays routes received and accepted from specified neighbor.

both Displays routes received from specified neighbor.

longer-prefixes Displays the routes to the specified destination and any routes to a more specific destination.

Example: If “10.20.30.0 /24 longer-prefixes” is run, all routes starting with 10.20.30 regardless of the prefix length (10.20.30.X /24, 10.20.30.X /25, etc.) are displayed – providing there are any such routes received/sent from/to that neighbor.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

switch-e07c04 [standalone: master] (config) # show ip bgp neighbors 3.5.7.5 received
BGP table version is 66, local router ID is 3.5.7.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 100.0.20.0/24 3.5.7.5 10 100 0 5 i
*> 3.5.7.128/32 3.5.7.5 7 100 0 5 i
*> 100.0.30.0/24 3.5.7.5 0 100 0 5 i
*> 10.20.30.0/24 3.5.7.5 0 100 0 5 12 i
switch-e07c04 [standalone: master] (config) #

Related Commands N/A

Note


show ip bgp neighbors <ip> received

show ip bgp neighbors <ip-address> received [<ip-address> [<mask>] [longer-prefixes]]

Displays BGP summary information.

Syntax Description

ip-address Neighbor IP address.

received Displays routes received and accepted from specified neighbor.

longer-prefixes Displays the routes to the specified destination and any routes to a more specific destination.

Example: If “10.20.30.0 /24 longer-prefixes” is run, all routes starting with 10.20.30 regardless of the prefix length (10.20.30.X /24, 10.20.30.X /25, etc.) are displayed – providing there are any such routes received/sent from/to that neighbor.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

Related Commands N/A

Note


show ip bgp paths

show ip bgp paths

Displays summary of all AS paths.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

switch (config) # show ip bgp paths
Refcount Metric Path
1 0 4 50 100
1 0 2 50 100
1 0 4 40
1 0 12 50 100
1 0 2
1 0 2 20
switch (config) #

Related Commands N/A

Note


show ip bgp peer-group

show ip bgp peer-group [<peer-group-name>]

Displays information about peer groups.

Syntax Description

peer-group-name Displays information about a specific peer-group.

Default N/A

Configuration Mode Any Command Mode

History 3.4.0000

Role admin

Example

switch (config) # show ip bgp peer-group
BGP Peer-group [grpA]:
Hold time: 1, Keep-alive: 60
Allow as-in: 0
Weight: 32768
Max prefix: 12000
Export local preferences: 100, Import local preferences: 100
Soft reconfiguration: set
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.5.7.5 0 5 0 0 0 0 0 0:00:00:42 CONNECT
100.100.100.100 0 100 0 0 0 0 0 Never IDLE
BGP Peer-group [grpB]:
Hold time: 1, Keep-alive: 60
Allow as-in: 0
Weight: 32768
Max prefix: 12000
Export local preferences: 100, Import local preferences: 100
Soft reconfiguration: set
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.4.3.7 0 7 0 0 0 0 0 0:00:00:17 ACTIVE
BGP Peer-group [tomer_group]:
Hold time: 1, Keep-alive: 60
Allow as-in: 0
Weight: 32768
Max prefix: 12000
Export local preferences: 100, Import local preferences: 100
Soft reconfiguration: set
Peer-groups count: 3
switch-e07c04 [standalone: master] (config) #

Related Commands N/A

Note


show ip bgp summary

show ip bgp summary

Displays BGP summary information.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example

switch (config) # show ip bgp summary
BGP router identifier 3.5.7.4, local AS number 4
BGP table version is 70, main routing table version 70
8 network entries using 2176 bytes of memory
4 path entries using 1088 bytes of memory
4 BGP path attribute entries using 256 bytes of memory
0 multipath network entries and 0 multipath paths
4 BGP community entries using 64 bytes of memory
0 received paths for inbound soft reconfiguration
BGP using 26308 total bytes of memory
Dampening disabled. 0 history paths, 0 dampened paths
BGP activity 37/8 prefixes, 37/4 paths
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.4.3.7 4 7 3 9 70 0 0 0:00:00:48 ESTABLISHED
3.5.7.5 0 5 0 0 0 0 0 0:00:01:54 CONNECT
100.100.100.100 0 100 0 0 0 0 0 Never IDLE
switch-e07c04 [standalone: master] (config) #

Related Commands N/A

Note


6.4.5 IP AS-Path Access-List

6.4.5.1 Commands

ip as-path access-list

ip as-path access-list <list-name> {permit | deny} <reg-exp> [any | egp | igp | incomplete]

no ip as-path access-list <list-name>

Creates an access list to filter BGP route updates.

The no ip as-path access-list command deletes the named access list.

Syntax Description

list-name The name for the access list

permit Permits access for a matching condition

deny Denies access for a matching condition

reg-exp Regular expression that is used to specify a pattern to match against an input string.

any Any route type

egp External BGP routes

igp Internal BGP routes

incomplete Routes marked as “Incomplete”

Default N/A

Configuration Mode Config

History 3.4.0000

Role admin

Example switch (config)# ip as-path access-list mylist permit
switch (config)#

Related Commands N/A

Note If the access list <list-name> does not exist, this command creates it. If it already exists, this command appends statements to the list.


show ip as-path access-list

show ip as-path access-list [list-name]

Presents defined as-path access lists

Syntax Description

list-name Displays a specific prefix-list.

Default N/A

Configuration Mode Config

History 3.4.0000

Role admin

Example switch (config)# show ip as-path access-list mylist

Related Commands N/A

Note


6.4.6 IP Community-List

6.4.6.1 Commands

ip community-list standard

ip community-list standard <list-name> {deny | permit} <list-of-communities>

no ip community-list standard <list-name>

Adds a standard entry to a community-list.

The no form of the command deletes the specified community list.

Syntax Description

list-name The name for the community list

permit Permits access for a matching condition.

deny Denies access for a matching condition.

list-of-communities List of standard communities:

• <aa:nn>

• <number>

• internet

• local-AS

• no-advertise

• no-export

Default N/A

Configuration Mode Config

History 3.4.0000

Role admin

Example switch (config)# ip community-list standard mycommunity permit 1:2 3:4

Related Commands N/A

Note A BGP community access list filters route maps that are configured as BGP communities. The command uses regular expressions to name the communities specified by the list.


ip community-list expanded

ip community-list expanded <list-name> {deny | permit} <reg-exp>

no ip community-list expanded <list-name>

Adds a regular expression entry to a community-list

The no form of the command deletes the specified community list.

Syntax Description

list-name Configures a named standard community list.

permit Permits access for a matching condition.

deny Denies access for a matching condition.

reg-exp Regular expression that is used to specify a pattern to match against an input string.

Default N/A

Configuration Mode Config

History 3.4.0000

Role admin

Example switch (config)# ip community-list expanded mycommunity permit 1:[0-9]+

Related Commands N/A

Note A BGP community access list filters route maps that are configured as BGP communities. The command uses regular expressions to name the communities specified by the list.


show ip community-list

show ip community-list [community-list-name]

Displays the defined community lists

Syntax Description

community-list-name An optional parameter to display only the specified list

Default N/A

Configuration Mode Config

History 3.4.0000

Role admin

Example switch (config)# show ip community-list mycommunity

Related Commands N/A

Note A BGP community access list filters route maps that are configured as BGP communities. The command uses regular expressions to name the communities specified by the list.


6.5 Policy Rules

6.5.1 Route Map

Route maps define conditions for redistributing routes between routing protocols. A route map clause is identified by a name, filter type (permit or deny) and a sequence number. Clauses with the same name are components of a single route map; the sequence number determines the order in which the clauses are compared to a route.


6.5.1.1 Commands

route-map

route-map <map-name> [deny | permit] [sequence-number]

no route-map <map-tag> {deny | permit} [<sequence-number>]

Creates a route map that can be used for importing, exporting routes and applying local policies.

Syntax Description

name Name of the route-map.

deny | permit Configures the rule to be used.

sequence-number Sequence number for a route-map specific record.

Default N/A

Configuration Mode Config

History 3.3.5006

3.3.5200 Updated notes

Role admin

Example switch (config) # route-map mymap permit 1200
switch (config route-map mymap permit 1200)#

Related Commands N/A

Note • All changes made in the route map configuration mode remain pending until the end of the route-map session.

• If not configured, deny | permit is configured as permit.

• If not configured, sequence-number default value is 10.


continue <sequence-number>

continue <sequence-number>

no continue

Enables additional route map evaluation of routes whose parameters meet the clause’s matching criteria.

The no form of the command removes this configuration from the route map clause.

Syntax Description

prefix-list-name

Default N/A

Configuration Mode Config Route Map

History 3.3.5006 First version

3.3.5200 Updated example

Role admin

Example

switch (config route-map mymap permit 10)# match as-number 40
switch (config route-map mymap permit 10)# set weight 7
switch (config route-map mymap permit 10)# continue 1200
switch (config route-map mymap permit 10)# exit
switch (config)# show route-map test
route-map test, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
continue 1200
switch (config route-map mymap permit 10)# route-map test permit 10 no continue
switch (config route-map mymap permit 10)# show route-map test
route-map test, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
switch (config route-map mymap permit 10)#

Related Commands route-map <map-name> [deny | permit] [sequence-number]

Note • A clause typically contains a match (route-map) and a set (route-map) statement. Evaluation of a route whose settings are the same as the match statement parameters normally ends, and the clause’s set statements are applied to the route. Routes that match a clause containing a continue statement are evaluated against the clause specified by the continue statement.

• When a route matches multiple route-map clauses, the filter action (deny or permit) is determined by the last clause that the route matches. The set statements in all clauses matching the route are applied to the route after the route map evaluation is complete. Multiple set statements are applied in the same order in which the route was evaluated against the clauses containing them.

• Continue cannot be set to go back to a previous clause; <sequence-number> of the continue must always be higher than the current clause’s sequence number.


abort

abort

Discards pending changes and returns to global configuration mode.

Syntax Description N/A

Default N/A

Configuration Mode Config Route Map

History 3.3.5006 First version

3.3.5200 Updated example

Role admin

Example

switch (config)# route-map mymap permit 10 match as-number 40
switch (config)# route-map mymap permit 10 set weight 7
switch (config)# show route-map test
route-map test, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
switch (config)# route-map mymap permit 1200
switch (config route-map mymap permit 1200)# set weight 11
switch (config route-map mymap permit 1200)# abort
switch (config)# show route-map mymap
route-map mymap, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
switch (config)#

Related Commands N/A

Note


exit

exit

Saves pending route map clause changes to running-config and returns to global configuration mode.

Syntax Description N/A

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example

switch (config)# route-map mymap permit 10 match as-number 40
switch (config)# route-map mymap permit 10 set weight 7
switch (config)# show route-map test
route-map test, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
switch (config)# route-map mymap permit 1200
switch (config route-map mymap permit 1200)# set weight 11
switch (config route-map mymap permit 1200)# exit
switch (config)# show route-map test
route-map mymap, permit, sequence 10
Match clauses:
as-number 40
Set clauses:
weight 7
route-map mymap, permit, sequence 1200
Set clauses:
weight 11
switch (config)#

Related Commands N/A

Note


match as-number

match as-number <number>

no match as-number

Filters according to one of the AS numbers in the AS path of the route.

The no form of the command removes this configuration from the route map clause.

Syntax Description

number Autonomous system number to check.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match as-number 40
switch (config route-map mymap permit 10)#

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.
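The evaluation rules stated in the continue and match notes above (every match statement in a clause must agree, continue only jumps forward, the last matching clause decides permit or deny, set statements run after evaluation, unmatched routes are denied) can be checked offline with a small model. This is an added example, not MLNX-OS code: the Route and Clause classes, the evaluate function and the sample clauses are constructed for illustration, and it assumes that a route failing the continue target is then tried against the clauses that follow it.

```python
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple = ()
    communities: frozenset = frozenset()
    weight: int = 0


@dataclass
class Clause:
    seq: int
    action: str = "permit"                       # page: defaults to permit
    match: dict = field(default_factory=dict)    # every entry must match (AND)
    sets: list = field(default_factory=list)     # (kind, argument) pairs
    cont: Optional[int] = None                   # "continue <sequence-number>"


MATCHERS = {
    "as-number": lambda r, n: n in r.as_path,
    "community": lambda r, c: frozenset(c) <= r.communities,
    "community exact-match": lambda r, c: frozenset(c) == r.communities,
}

SETTERS = {
    "weight": lambda r, w: replace(r, weight=w),
    "as-path prepend": lambda r, a: replace(r, as_path=tuple(a) + r.as_path),
    "community": lambda r, c: replace(r, communities=frozenset(c)),
    "community additive": lambda r, c: replace(r, communities=r.communities | frozenset(c)),
    "community none": lambda r, _: replace(r, communities=frozenset()),
}


def clause_matches(clause, route):
    """A clause with no match statements matches every route."""
    return all(MATCHERS[kind](route, arg) for kind, arg in clause.match.items())


def evaluate(clauses, route):
    """Return (action, route) after walking the clauses in sequence order."""
    ordered = sorted(clauses, key=lambda c: c.seq)
    for c in ordered:
        if c.cont is not None and c.cont <= c.seq:
            raise ValueError(f"clause {c.seq}: continue must point to a higher sequence")

    action, pending, i = "deny", [], 0           # no clause matched -> route denied
    while i < len(ordered):
        clause = ordered[i]
        if not clause_matches(clause, route):    # matched against the unmodified route
            i += 1
            continue
        action = clause.action                   # last matching clause decides
        pending.extend(clause.sets)
        if clause.cont is None:
            break                                # normal case: evaluation ends here
        # Assumption: a continue target that is not configured resolves to the
        # next configured clause at or above that number.
        i = next((j for j, t in enumerate(ordered) if t.seq >= clause.cont), len(ordered))

    if action == "deny":
        return "deny", route
    for kind, arg in pending:                    # sets applied after evaluation, in order
        route = SETTERS[kind](route, arg)
    return "permit", route


# Constructed route map: clauses 10 and 1200 follow the page's mymap example
# (with a community match added to 1200); clauses 20 and 1300 are made up.
MYMAP = [
    Clause(10, "permit", {"as-number": 40}, [("weight", 7)], cont=1200),
    Clause(20, "deny", {"community": ["no-export"]}),
    Clause(1200, "permit", {"community": ["1:100"]},
           [("weight", 11), ("community additive", ["3:52"])]),
    Clause(1300, "deny", {"community": ["9:9"]}),
]
```

In this sample a route from AS 40 that carries no-export is permitted, because continue 1200 skips the deny in clause 20; ordering effects of that kind are worth checking before a route map is committed with exit.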


match as-path

match as-path <as-path-list name>

no match as-path

Creates a route map clause entry that matches the route’s AS path using an as-path access-list.

The no form of the command removes the match statement from the configuration mode route map clause.

Syntax Description

number Autonomous system number to check.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match as-path my-list

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match community

match community <list-of-communities> [exact-match]

no match community <list-of-communities>

Creates a route map clause entry that matches a route if it contains at least the specified communities.

The no form of the command removes the match clause.

Syntax Description

list of communities List of standard communities:

• <aa:nn>

• <number>

• internet

• local-AS

• no-advertise

• no-export

exact-match Creates a route map clause entry that matches the route’s communities exactly.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match community 1:100 3:52

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match community-list

match community <communities-list-name> exact-match

no match community <communities-list-name> exact-match

Creates a route map clause entry that specifies one route filtering condition

The no form of the command removes the match clause.

Syntax Description

communities-list-name A name of an IP community list

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match community-list COM_LIST exact-match

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match interface

match interface <interface-type> <number>

no match interface

Matches the route’s interface

The no form of the command removes the match clause.

Syntax Description

prefix-list-name Prefix-list name.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match interface ethernet 1/1

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match ip address

match ip address <prefix-list-name>

no match ip address

Filters according to IPv4 prefix list.

The no form of the command removes this configuration from the route map clause.

Syntax Description

prefix-list-name Prefix-list name.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006

Role admin

Example switch (config route-map mymap permit 10)# match ip address listSmallRoutes

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.

• The prefix-list-name should point to an existing IP prefix-list. If it is not found, no route is considered as a match for this clause.


match ip next-hop

match ip next-hop <value>

no match ip next-hop

Configures a route’s entry next-hop match.

The no form of the command removes a route-map’s entry next-hop match.

Syntax Description

value Next hop IP address: A.B.C.D (e.g. 10.0.13.86).

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# match ip next-hop 10.10.10.10

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match local-preference

match local-preference <value>

no match local-preference

Configures a route’s entry local-preference match.

The no form of the command removes a route-map’s entry local-preference match.

Syntax Description

value Range: 1-2147483647.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200 First version

3.4.0000 Updated value range

Role admin

Example switch (config route-map mymap permit 10)# match local-preference 10

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


match metric

match metric <value>

no match metric

Configures a route’s entry metric match.

The no form of the command removes a route-map’s entry metric match.

Syntax Description

value Range: 1-2147483647.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200 First version

3.4.0000 Updated value range

Role admin

Example switch (config route-map mymap permit 10)# match metric 10

Related Commands N/A

Note • When a clause contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to corresponding parameters in each match statement.

• When a route’s properties do not equal the statement parameters, the route is evaluated against the next clause in the route map, as determined by sequence number.

• If all clauses fail to permit or deny the route, the route is denied.


set as-path prepend

set as-path prepend <value_1> <value_2> ... <value_n>

no set as-path prepend

Modifies as-path on affected routes

The no form of the command removes the set statement from the route map.

Syntax Description

value BGP AS number that is prepended to as-path. Range: 1-4294967295.

Default N/A

Configuration Mode Config Route Map

History 3.4.0000

Role admin

Example switch (config route-map mymap permit 10)# set as-path prepend 5 10

Related Commands N/A

Note


set as-path tag

set as-path tag <value>

no set as-path tag

Configures a route’s entry AS-path tag parameter.

The no form of the command removes a route-map’s entry AS path tag setting.

Syntax Description

value Range: 1-2147483648.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set as-path tag 1

Related Commands N/A

Note

set community

set community {<list of communities> | none}

no set community {<list of communities> | none}

Sets the community attribute of a distributed route.

The no form of the command removes the set statement from the clause.

Syntax Description

list of communities List of standard communities:

• <aa:nn>

• <number>

• internet

• local-AS

• no-advertise

• no-export

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community 1:2 3:4

Related Commands N/A

Note

set community additive

set community <list-of-communities> additive

no set community <list-of-communities> additive

Adds the matching communities.

The no form of the command removes the set statement from the clause.

Syntax Description

list-of-communities List of standard communities:

• <aa:nn>

• <number>

• internet

• local-AS

• no-advertise

• no-export

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community none

Related Commands N/A

Note

set community none

set community none

no set community none

Sets the community attribute of a distributed route to be empty.

The no form of the command removes the set statement from the clause.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community none

Related Commands N/A

Note

set community delete

set community <list of communities> delete

no set community <list of communities> delete

Deletes matching communities.

The no form of the command removes the set statement from the clause.

Syntax Description

list of communities List of standard communities:

• <aa:nn>

• <number>

• internet

• local-AS

• no-advertise

• no-export

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch-e07c04 [standalone: master] (config) # route-map test_route_map

switch-e07c04 [standalone: master] (config route-map test_route_map permit 10) # set community 400:1 delete

Related Commands N/A

Note

set community-list

set community-list <community-list-name>

no set community <list of communities>

Configures a named standard community list.

The no form of the command removes the set statement from the clause.

Syntax Description

<community-list-name> Name of community list

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community internet 1:3 additive

Related Commands N/A

Note

set community-list additive

set community-list <community-list-name> additive

no set community <list of communities> additive

Adds to existing communities using the communities found in the community list.

The no form of the command removes the set statement from the clause.

Syntax Description

<community-list-name> Name of community list

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community-list mycommunity additive

Related Commands N/A

Note

set community-list delete

set community-list <community-list-name> delete

no set community-list

Deletes the matching community list permit entries from the route community list.

The no form of the command removes the set statement from the clause.

Syntax Description

community-list-name Name of community list

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set community-list mycommunity delete

Related Commands N/A

Note

set ip next-hop

set ip next-hop <value>

no set ip next-hop

Configures a route’s entry next-hop parameter.

The no form of the command removes a route-map’s entry next-hop setting.

Syntax Description

value Route next-hop IP: A.B.C.D (e.g. 10.0.13.86).

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set ip next-hop 10.10.10.10

Related Commands N/A

Note

set local-preference

set local-preference <value>

no set local-preference

Configures a route’s entry local-preference parameter.

The no form of the command removes a route-map’s entry local-pref setting.

Syntax Description

value Route local-pref: 1-2147483648.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set local-preference 10

Related Commands N/A

Note

set metric

set metric <value>

no set metric

Configures a route’s entry metric parameter.

The no form of the command removes a route-map’s entry metric setting.

Syntax Description

value Route metric: 1-2147483647.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set metric 10

Related Commands N/A

Note

set origin

set origin {egp | igp | incomplete}

no set origin

Configures a route’s entry origin parameter.

The no form of the command removes a route-map’s entry origin setting.

Syntax Description

egp Set a route’s entry origin parameter to external.

igp Set a route’s entry origin parameter to internal.

incomplete Set a route’s entry origin parameter to incomplete.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

Role admin

Example switch (config route-map mymap permit 10)# set origin egp

Related Commands N/A

Note

set tag

set tag <value>

no set tag

Configures a route’s entry tag parameter.

The no form of the command removes a route-map’s entry tag setting.

Syntax Description

value Range: 1-2147483647.

Default N/A

Configuration Mode Config Route Map

History 3.3.5200

3.4.0000 Updated parameter range

Role admin

Example switch (config route-map mymap permit 10)# set tag 10

Related Commands N/A

Note

set weight

set weight <number>

no set weight

Configures modifications to redistributed routes.

The no form of the command removes this configuration from the route map clause.

Syntax Description

number Value of the weight to set. Range: 1-65535.

Default N/A

Configuration Mode Config Route Map

History 3.3.5006 First version

3.4.0000 Updated parameter range

Role admin

Example switch (config route-map mymap permit 10)# set weight 7

Related Commands route-map <map-name> [deny | permit] [sequence-number]

Note

show route-map

show route-map [<name>]

Displays route map configuration.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch (config)# show route-map mymap

route-map mymap, permit, sequence 1200

Set clauses:

continue 1800

switch (config)#

Related Commands N/A

Note

6.5.2 IP Prefix-List

A prefix-list is a list of entries, each of which can match one or more IP prefixes. A prefix-list is usually used to match a specific IP prefix, mostly in relation to IP route destinations.

The prefix is considered to match the list if one of the entries matches the prefix; the entry itself can be marked as a “permit” entry or a “deny” entry, which can be used by the matching code to decide if the route is to be accepted or not.

The prefix is matched to the prefix-list entries in the order of the sequence number of the entries in the list.
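The ordered, first-match lookup described above, together with the eq/ge/le length operators of the `ip prefix-list` command documented below, as an added example (not code from the manual or from MLNX-OS). The sample entries are constructed in the style of the `show ip prefix-list` output; treating an entry without an operator as an exact-length match is an assumption taken from common prefix-list behaviour.

```python
"""Parse prefix-list entries and evaluate candidate prefixes against them."""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^seq\s+(\d+)\s+(permit|deny)\s+(\S+)\s+/(\d+)"
    r"((?:\s+(?:eq|ge|le)\s+\d+)*)$"
)


def parse_entry(line):
    """Turn 'seq N permit|deny A.B.C.D /L [eq|ge|le N]' into a tuple
    (seq, action, base network, lowest length, highest length)."""
    text = line.split("(")[0].strip()      # drop "(hit count: ..., refcount: ...)"
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"unparsable entry: {line!r}")
    seq, action, ip, length, ops_text = m.groups()
    base = ipaddress.ip_network(f"{ip}/{length}", strict=True)
    ops = {k: int(v) for k, v in re.findall(r"(eq|ge|le)\s+(\d+)", ops_text)}
    if "eq" in ops:
        if len(ops) > 1:
            raise ValueError("eq cannot be combined with ge/le")
        lo = hi = ops["eq"]
    elif ops:
        lo = ops.get("ge", base.prefixlen)        # le alone: base length .. le
        hi = ops.get("le", base.max_prefixlen)    # ge alone: ge .. 32
    else:
        lo = hi = base.prefixlen                  # assumption: exact length only
    if not base.prefixlen <= lo <= hi <= base.max_prefixlen:
        raise ValueError(f"inconsistent length range in {line!r}")
    return int(seq), action, base, lo, hi


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry in sequence order,
    or (None, None) when no entry matches the prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    for seq, action, base, lo, hi in sorted(entries, key=lambda e: e[0]):
        if (net.version == base.version and net.subnet_of(base)
                and lo <= net.prefixlen <= hi):
            return action, seq
    return None, None


# Constructed sample list, deliberately out of sequence order.
SAMPLE = [parse_entry(line) for line in (
    "seq 20 permit 10.20.0.0 /16 ge 24 (hit count: 0, refcount: 0)",
    "seq 10 deny 10.20.30.0 /24 ge 25",
    "seq 40 permit 192.168.0.0 /16 eq 24",
    "seq 30 permit 10.10.0.0 /16 le 24",
)]

if __name__ == "__main__":
    for candidate in ("10.20.30.128/25", "10.20.30.0/24", "10.20.0.0/16",
                      "10.10.0.0/16", "10.10.1.0/25", "192.168.5.0/24"):
        print(candidate, evaluate(SAMPLE, candidate))
```

The 10.20.0.0/16 result is the one to check when auditing a filter: `ge 24` on a /16 entry matches only the more-specific prefixes, not the /16 itself.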

6.5.2.1 Commands

ip prefix-list

ip prefix-list <list-name> [seq <number>] {permit | deny} <ip> [eq <length> | <prefix> [eq <length> | le <length> | ge <length> [le <length>]]]

no ip prefix-list <list-name> [seq <number>]

Creates or updates a prefix-list.

The no form of the command deletes a prefix-list or a prefix-list entry.

Syntax Description

list-name String

seq <number> Sequence number assigned to entry. Range: 0-65535.

permit Permits access for a matching condition.

deny Denies access for a matching condition.

ip IP address

eq | ge | le <mask>

• eq: Equal to a specified prefix length

• ge: Greater than or equal to a specified prefix length

• le: Less than or equal to a specified prefix length

Default Sequence value = 10

Configuration Mode Config

History 3.3.5200

Role admin

Example switch (config)# ip prefix-list a-list permit 10.20.0.0 /16 eq 24

switch (config)#

Related Commands N/A

Note

show ip prefix-list

show ip prefix-list [<name>]

Displays prefix-lists.

Syntax Description

name Displays a specific prefix-list.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example switch (config)# show ip prefix-list

prefix-list: a-list

count: 1, range entries: 1, sequences: 10 - 10

seq 10 permit 10.20.0.0 /16 ge 24 (hit count: 0, refcount: 0)

prefix-list: b-list

count: 2, range entries: 2, sequences: 10 - 20

seq 10 deny 10.10.0.0 /16 le 24 (hit count: 0, refcount: 0)

seq 20 deny 10.20.0.0 /16 le 24 (hit count: 0, refcount: 0)

switch (config)#

Related Commands N/A

Note

6.6 Multicast (IGMP and PIM)

Protocol independent multicast (PIM) is a collection of protocols that deal with efficient delivery of IP multicast (MC) data. These protocols are published in a series of RFCs and define different ways and aspects of multicast data distribution. The PIM protocol family includes PIM dense mode (PIM-DM), PIM sparse mode (PIM-SM), Bidirectional PIM (PIM-BIDIR) and the Bootstrap router (BSR) protocol.

PIM builds and maintains multicast routing tables based on the unicast routing information provided by unicast routing tables that can be maintained statically or dynamically by IP routing protocols like OSPF and BGP.

6.6.1 Basic PIM-SM

PIM relies on the underlying topology-gathering protocols that collect unicast routing information and build the multicast routing information base (MRIB). The primary role of the MRIB is to determine the next hop for PIM messages. MC data flows along the reverse path of the PIM control traffic.

MC tree construction contains three phases:

1. Construction of a shared distribution tree. This tree is built around a special designated router (DR) called the rendezvous point (RP).

2. Establishing a native forwarding path from MC sources to the RP.

3. Building an optimized MC distribution tree from each MC source to all MC targets, bypassing the RP.

The first stage of the multicast tree establishment starts when an MC receiver expresses a desire to start receiving MC data. This can happen as a result of using one of the L2 protocols such as MLD or IGMP, or by static configuration. When such a request is received by the last hop router (a designated router), this router starts to build a distribution path from the RP. It starts to send periodic “Join” messages to the nearest PIM neighbor router towards the RP. The next router continues to do the same. Eventually the process converges when Join messages reach the RP or a router that has already created that distribution tree. Usually that tree is called a shared tree because it is created for any source for a specific MC group G and is noted as (*,G).

At that stage, MC senders can start sending MC data. The DR next to the MC source extracts the packets from the data flow and tunnels them to the RP. The RP decapsulates the packets and distributes them to all MC receivers along the shared tree.

In the second stage, the RP switches from tunneling multicast packets from MC sources to forwarding native traffic. When the RP identifies that a new MC source has started to send packets, it initiates the establishment of a native forwarding path from the DR of that source to itself. For this purpose it starts to send Join messages towards the MC source, to the nearest neighbor to that source according to the MRIB. This is a source-specific Join and is noted as (S,G). When the data path is established up to the DR, the DR switches from tunneling MC packets to forwarding them natively, so the RP no longer needs to decapsulate MC packets, but it still continues to distribute the packets along the shared tree.

In the third phase, multicast receivers try to switch from the shared tree to a source-specific tree by creating a direct distribution path from a multicast source. When the last hop router of the multicast receiver identifies multicast traffic coming from a multicast source, it starts to send Join messages towards the source in order to create a direct source-specific path to that source. Once such a path is established and the designated router attached to the source L2 network starts to distribute the multicast traffic directly, bypassing the shared tree, the last hop router detaches its receivers from the shared tree for that data and switches to shortest path tree distribution.

6.6.2 Bidirectional PIM

Bidirectional PIM (PIM-BIDIR) is a variant of PIM-SM that builds bidirectional distribution trees that connect multicast senders and receivers. It differs from PIM-SM by eliminating the need to tunnel multicast packets to the RP and to keep state for each (S,G) pair. It also eliminates the need for data-driven protocol events. PIM-BIDIR achieves this by defining a new role, Designated Forwarder (DF), and by defining new forwarding rules while keeping all other PIM-SM mechanisms intact.

The DF is the PIM-enabled router that is closest to the RP among all PIM routers residing on a specific L2 network. It is dynamically elected by all PIM routers on that network. A DF is required on each L2 multicast-capable network for each RP. The DF serves all multicast groups that share the same RP and has the following duties:

• It is the only router responsible for receiving and forwarding upstream multicast packets on that L2 segment.

• It is the router that should collect all Join requests from the routers on that L2 segment.

• It is the only router that distributes downstream multicast packets on that segment.

Once designated forwarders are elected and forwarding rules are established, PIM routers can start to issue (*,G) Join messages and build shared distribution trees. When the shared tree is created, multicast sources can start to exchange data with receivers, and no additional maintenance of the multicast states is required.

Compared to PIM-SM, in bidirectional PIM:

• Each router keeps only (*,G) state, and not both (*,G) and (S,G) as in PIM-SM

• Multicast traffic is forwarded naturally from the beginning - there is no need to tunnel data to the RP

• The resulting multicast tree is not shortest-path optimal and converges around the selected rendezvous point, but is shared among all participants in that multicast group

In BIDIR-PIM, the packet forwarding rules have been improved over PIM-SM, allowing traffic to be passed up the shared tree toward the RP. To avoid multicast packet looping, bidir-PIM introduces a new mechanism called designated forwarder (DF) election, which establishes a loop-free SPT rooted at the RP.

6.6.3 PIM Load-Sharing

PIM load-sharing improves network efficiency in IP multicast applications, especially when there are multiple equal-cost paths to the same destination. There are two methods which enhance IP multicast bandwidth capacity consumption: rendezvous point load sharing and next hop load sharing.

Routers should be connected via a router port and not a VLAN interface. Connecting two routers via a VLAN interface with PIM load-sharing causes loops in the network.

6.6.3.1 Rendezvous Point Load-Sharing

IP multicast routing is facilitated by use of rendezvous points (RPs) which are anchors in IP multicast distribution trees, and, in case of PIM-BIDIR, are central points that perform IP multicast packet forwarding. Therefore, they can get heavily loaded.

When multiple RPs serve the same multicast IP addresses and are located at an equal distance from a traffic source or receiver, data streams can be shared between those RPs. This enhances switching performance, improves network bandwidth consumption and increases reliability. Data packets based on the packet flow parameters are equally shared between all RPs located at an equal-distance.

6.6.3.2 Next Hop Load-Sharing

Another way to improve network capacity consumption and increase the amount of IP multicast data carried by the network, is to utilize multiple equal-cost paths from RPs to IP multicast receivers. A network usually selects a single path to carry specific multicast group data packets from a source to a specific multicast destination. But when enabling next hop load-sharing, multiple paths between RP and multicast group receivers may be utilized, and based on traffic flow parameters, the data stream may be split to multiple flows that go through several equal-cost paths to the same destination.

6.6.4 Bootstrap Router

For correct operation, each PIM router must be able to map a multicast group that it needs to serve to a rendezvous point for that group. This mapping can be done manually or it can be distributed dynamically in the network. The BSR protocol serves this purpose.

This protocol introduces a new role in the multicast network: the bootstrap router. That router is responsible for flooding the multicast group to RP mapping through the multicast routing domain. The bootstrap router is elected dynamically among bootstrap router candidates (C-BSR) and, once elected, collects mapping information from rendezvous point candidates (C-RP) and distributes it in the domain.

Bootstrap activity contains 4 steps. First, each C-BSR configured in the network floods bootstrap messages into the network that express the router’s desire to become the BSR and also its BSR priority. Any C-BSR that receives that information and has a lower priority suspends itself, so eventually only one router sends BSR messages and becomes the BSR.

When the BSR is elected, all RP candidates start to advertise to the BSR a list of groups that each RP can serve. In the next step, after the BSR learns the group mapping proposals, it forms a final group to RP mapping in the domain and starts to distribute it among PIM routers in the multicast routing domain. When a PIM router receives a BSR message with the group to RP mapping, it installs that mapping in the router’s local cache and uses that information to create multicast distribution trees.

6.6.5 Configuring Multicast

Precondition steps:

Step 1. Enable IP routing functionality. Run:

switch (config)# ip routing

Step 2. Enable the desired VLAN. Run:

switch (config)# vlan 10

Step 3. Add this VLAN to the desired interface. Run:

switch (config)# interface ethernet 1/1

switch (config ethernet 1/1)# switchport access vlan 10

Step 4. Create a VLAN interface. Run:

switch (config)# interface vlan 10

Step 5. Apply IP address to the VLAN interface. Run:

switch (config interface vlan 10)# ip address 10.10.10.10 /24

Step 6. Enable the interface. Run:

switch (config interface vlan 10)# no shutdown

6.6.5.1 Configuring IGMP

IGMP is enabled when IP multicast is enabled and static multicast or PIM is enabled on the interface.

6.6.5.2 Verifying IGMP

Step 1. Display a brief IGMP interface status. Run:

switch (config)# show ip igmp interface brief
IGMP Interfaces for VRF "default", Count: 1
Interface  IP Address  IGMP Querier  Membership  Version
VLAN10     10.10.10.1  10.10.10.1    5           v2

Step 2. Display detailed IGMP interface status. Run:

switch (config)# show ip igmp interface vlan 10
IGMP Interfaces for VRF "default"
VLAN10
Interface status: protocol-up/admin-up/link-up
IP address: 10.10.10.1, IP Subnet: 10.10.10.0/24
Active Querier: 10.10.10.1
Membership count: 5
Route-queue depth: 0
IGMP Version: 2
IGMP query interval: 125 secs, configured value: 125 secs
IGMP max response time: 10 secs, configured value: 10 secs
IGMP startup query interval: 125 secs, configured value: 125 secs
IGMP startup query count: 2
IGMP group timeout: 260 secs, configured value: 260 secs
IGMP querier timeout: 260 secs configured value: 260 secs
IGMP last member mrt: 25 secs configured value: 25
IGMP robustness variable: 2
IGMP interface immediate leave: Disabled
IGMP interface statistics:
General (sent/received):
v1/v2-reports: 0/10
v2-queries: 271/0,v2-leaves: 0/0
v3-queries: 0/0,
v3-reports: 0/0
switch (config)#

Step 3. Display the list of IGMP groups and their status. Run:

switch (config)# show ip igmp groups
IGMP Connected Group Membership for VRF "default", - 2 total entries
Type: S - Static, D - Dynamic, L - Local, T - SSM Translated
Group Address  Type  Interface  Uptime            Expires           Last Reporter
226.0.1.0      D     vlan10     [0d 00:00:07.46]  [0d 00:04:05.08]  10.10.10.2
226.0.1.1      D     vlan10     [0d 00:00:07.47]  [0d 00:04:05.08]  10.10.10.2
switch (config)#

6.6.5.3 Configuring PIM

Prerequisites:

Step 1. If not enabled, enable IP routing. Run:

switch (config)# ip routing

Step 2. Globally enable multicast routing. Run:

switch (config)# ip multicast-routing

To configure PIM:

Step 1. Enable PIM. Run:

switch (config)# protocol pim

Step 2. Globally enable Bidirectional PIM (BIDIR mode). Run:

switch (config)# no ip pim bidir shutdown

6.6.6 Commands

6.6.6.1 PIM

protocol pim

protocol pim

no protocol pim

Enables protocol independent multicast (PIM).

The no form of the command hides all PIM commands and deletes all PIM configurations.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.5006

Role admin

Example switch (config) # protocol pim

Related Commands N/A

Note

ip pim bidir shutdown

ip pim bidir shutdown

no ip pim bidir shutdown

Disables PIM bidir.

The no form of the command enables PIM bidir.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.5006

Role admin

Example switch (config) # no ip pim bidir shutdown

Related Commands N/A

Note

ip pim rp-address

ip pim rp-address <rp-address> [group-list <ip-address> <prefix>] [override] bidir

no ip pim rp-address <rp-address> [group-list <ip-address> <prefix>]

Configures a static IP address of a rendezvous point for a multicast group range or adds new multicast range to existing RP.

The no form of the command removes the rendezvous point for a multicast group range or removes all configuration of the RP.

Syntax Description

rp-address The static IP address of rendezvous point.

ip-address IP address of the group-range (coupled with the prefix parameter).

prefix Network prefix (in the format of /24, or 255.255.255.0 for example) of group range.

override Specifies that this configuration overrides dynamic configuration learned by BSR.

bidir Specifies that the group range uses a bidirectional PIM.

Default N/A

Configuration Mode Config

History 3.3.5006

Role admin

Example switch (config) # ip pim rp-address 10.10.10.10 bidir

Related Commands N/A

Note

ip pim bsr-candidate

ip pim bsr-candidate {vlan <vlan-id> | loopback <number> | ethernet <port>} [hash-len <hash-length>] [priority <priority>] [interval <interval>]

no ip pim bsr-candidate {vlan <vlan-id> | loopback <number> | ethernet <port>} [hash-len <hash-length>] [priority <priority>] [interval <interval>]

Configures the switch as a candidate BSR router (C-BSR).

The no form of the command removes BSR-candidate configuration or restores default parameters values.

Syntax Description

vlan <vlan-id> The VLAN ID. Range is 1-4094.

loopback <number> Loopback interface number.

ethernet <port> Ethernet interface.

hash-len Specifies the hash mask length used in BSR messages. Range: 0-32.

priority BSR priority rating. Larger numbers denote higher priority. Range: 0-255.

interval Period between the transmission of BSMs (seconds). Range: 10-536870906.

Default The interface is not BSR candidate by default.

priority: 64

interval: 60

hash-len: 30

Configuration Mode Config

Config Interface Ethernet configured as a router port

Config Interface Loopback

Config Interface Port Channel configured as a router port

Config Interface VLAN

History 3.3.5006

Role admin

Example switch (config) # ip pim bsr-candidate vlan 10 priority 100

Related Commands ip pim sparse-mode

Note • IP PIM sparse-mode must be enabled on the interface.

• A BSR is a PIM router within the PIM domain through which dynamic RP selection is implemented. The BSR selects RPs from a list of candidate RPs and exchanges bootstrap messages (BSM) with all routers in the domain. The BSR is elected from one of the C-BSRs through an exchange of BSMs. A subset of PIM routers within the domain are configured as candidate Bootstrap routers (C-BSRs). Through the exchange of Bootstrap messages (BSMs), the C-BSRs elect the BSR, which then uses BSMs to inform all domain routers of its status.

• Command parameters specify the switch’s BSR address, the interval between BSM transmissions, hash length used for RP calculations and the priority assigned to the switch when electing a BSR.

• Entering an ip pim bsr-candidate command replaces any previously configured bsr-candidate command. If the new command does not specify a priority or interval, the previously configured values persist in running-config.

ip pim bsr-holdtime

ip pim bsr-holdtime <period>

no ip pim bsr-holdtime

Configures the timeout period an elected BSR remains valid after receiving a BSM.

The no form of the command resets the parameters to their default.

Syntax Description

period In seconds. Range: 12-1073741823 (1.073 billion).

Default period = 2*(BSR candidate interval) + 10

Configuration Mode Config

History 3.3.5006

Role admin

Example switch (config) # ip pim bsr-holdtime 30

Related Commands

Note

ip pim rp-candidate

ip pim rp-candidate {vlan <vlan-id> | loopback <number> | ethernet <slot/port>} group-list <ip-address> <prefix> [bidir] [priority <priority>] [interval <interval>]

no ip pim rp-candidate {vlan <vlan-id> | loopback <number> | ethernet <slot/port>} group-list <ip-address> <prefix> [bidir] [priority <priority>] [interval <interval>]

Configures the switch as a candidate rendezvous point (C-RP).

The no form of the command removes the ip pim rp-candidate command from running-config for the specified multicast group.

Syntax Description

ethernet <slot/port> Ethernet interface.

port-channel <number> LAG interface.

vlan <vlan-id> VLAN ID. Range: 1-4094.

loopback <number> Loopback interface number.

ip-address The group IP address.

prefix Network prefix (for example /24, or 255.255.255.0).

priority RP priority rating. Range: 0-255, where smaller numbers mean higher priority.

interval RP-advertisements message transmission interval. Range: 0-16383.

Default The RP priority is 192.

The BSR message interval is 60 seconds.

Configuration Mode Config

Config Interface Ethernet configured as a router port

Config Interface Loopback

Config Interface Port Channel configured as a router port

Config Interface VLAN

History 3.3.5006

Role admin

Example switch (config) # ip pim rp-candidate vlan 19 group-list 225.6.5.0 /25 priority 20 interval 30 bidir

Related Commands N/A

Note • The BSR selects a multicast group’s dynamic RP set from the list of C-RPs in the PIM domain. The command specifies the interface (used to derive the RP address), C-RP advertisement interval, and priority rating. The BSR selects the RP set by comparing C-RP priority ratings. The C-RP advertisement interval specifies the period between successive C-RP advertisement message transmissions to the BSR.

• Running-config supports multiple multicast groups through multiple ip pim rp-candidate statements:

• All commands must specify the same interface. Issuing a command with an interface that differs from existing commands removes all existing commands from running-config.

• Running-config stores the interval and priority setting in a separate statement that applies to all rp-candidate statements. When a command specifies an interval that differs from the previously configured value, the new value replaces the old value and applies to all configured rp-candidate statements. The default interval value is 60 seconds.

• When the no commands do not specify a multicast group, all rp-candidate statements are removed from running-config. The no ip pim rp-candidate interval commands restore the interval setting to the default value of 60 seconds.

• When setting a priority, all previous rp-candidates within all interfaces and groups are configured to this priority.

ip pim sparse-mode

ip pim sparse-mode

no ip pim sparse-mode

Sets PIM sparse mode on this interface.

The no form of the command disables the sparse-mode on the interface and deletes all interfaces configuration.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10) # ip pim sparse-mode

Related Commands N/A

Note

ip pim dr-priority

ip pim dr-priority <priority>

no ip pim dr-priority

Configures the designated router (DR) priority of PIM Hello messages.

The no form of the command resets this parameter to its default.

Syntax Description

priority The designated router priority of the PIM Hello messages. Range is 1-4294967295.

Default 1

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10) # ip pim dr-priority 5

Related Commands ip pim sparse-mode

Note The command “ip pim sparse-mode” must be run prior to using this command.

ip pim hello-interval

ip pim hello-interval <interval>

no ip pim hello-interval

Configures PIM Hello interval in milliseconds.

The no form of the command resets this parameter to its default.

Syntax Description

interval PIM Hello interval in milliseconds. Range: 1000-65535000.

Default 30,000 milliseconds

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10) # ip pim hello-interval 70000

Related Commands ip pim sparse-mode

Note The command “ip pim sparse-mode” must be run prior to using this command.

ip pim join-prune-interval

ip pim join-prune-interval <period>

no ip pim join-prune-interval

Configures the period between Join/Prune messages that the configuration mode interface originates and sends to the upstream RPF neighbor.

The no form of the command resets this parameter to its default.

Syntax Description

period Range: 1-1000000 seconds.

Default 60 seconds

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History

Role

Example

Related Commands

Note

3.3.5200

admin switch (config interface vlan 10) # ip pim join-prune-interval 60

Rev 4.20

Mellanox Technologies Confidential 945

ip pim border

ip pim border

no ip pim border

Configures an interface on an IPv4 PIM border.

The no form of the command removes the interface from being a PIM border.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10) # ip pim border

Related Commands

Note PIM border blocks PIM control traffic, but sends and receives all multicast traffic.

ip pim bsr-border

ip pim bsr-border

no ip pim bsr-border

Prevents the switch from sending bootstrap router messages (BSMs) over the configuration mode interface.

The no form of the command resets the parameter to its default value.

Syntax Description N/A

Default no pim bsr-border

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5200

Role admin

Example switch (config interface vlan 10) # ip pim bsr-border

Related Commands

Note

ip pim multipath rp

ip pim multipath rp

no ip pim multipath rp

Enables PIM load-sharing for Rendezvous Points (RPs).

The no form of the command disables PIM load-sharing for RPs.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.4.2008

Role admin

Example switch (config) # ip pim multipath rp

Related Commands N/A

Note

debug ethernet ip pim

debug ethernet ip pim {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-dump | resources}

no debug ethernet ip pim {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-dump | resources}

Configures the trace level for PIM.

The no form of the command removes the trace level for PIM.

Syntax Description

control-plane Control plane traces.

data-path IP packet dump trace.

fail-all All failures including Packet Validation Trace.

init-shut Init and shutdown messages.

memory Memory related messages.

packet-dump Packet dump messages.

Default N/A

Configuration Mode Config

History 3.3.5200

Role admin

Example switch (config)# debug ethernet ip pim all

Related Commands

Note

show ip pim protocol

show ip pim protocol

Displays PIM protocol information (counters).

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5200

Role admin

Example switch (config) # show ip pim protocol

PIM Control Counters

Received Sent Invalid

Assert 0 0 0

Bootstrap Router 0 0 0

CRP Advertisement 0 0 0

Graft 0 0 0

Grapt Ack 0 0 0

Hello 0 0 0

J/P 0 0 0

Register 0 0 0

Register Stop 0 0 0

State Refresh 0 0 0

switch (config) #

Related Commands

Note

show ip pim bsr

show ip pim bsr

Displays PIM BSR information.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example arc-switch14 [standalone: master] (config) # show ip pim bsr

PIMv2 Bootstrap information

BSR address: 4.4.4.14

Uptime: 00:00:30, BSR Priority: 0, Hash mask length: 30

Expires: 00:00:57

This system is a candidate BSR

Candidate BSR address: 4.4.4.14, priority: 0, hash mask length: 30

interval: 60, holdtime: 130

Related Commands

Note


show ip pim neighbor

show ip pim neighbor [vlan <vlan-id> | <other interfaces> | <ip-addr>]

Displays information about IPv4 PIM neighbors.

Syntax Description

vlan <vlan-id> Filters the output per specific VLAN ID.

neighbor-addr Filters the output per specific neighbor IP address.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch (config) # show ip pim neighbor

PIM Neighbor Status for VRF "default"

Neighbor Interface Uptime Expires Ver DR Prio Mode

5.5.5.1 VLAN5 10:36:45 00:01:43 1

9.9.9.1 VLAN9 10:36:42 00:01:43 1

switch (config) #

Related Commands

Note

show ip pim rp

show ip pim rp <rp-address>

Displays information about the rendezvous points (RPs) for PIM.

Syntax Description

rp-address A rendezvous point address.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch(config)# show ip pim rp

PIM RP Status Information for VRF "default"

BSR: 10.10.10.10, expires: 00:01:16,

priority: 255, hash-length: 0

RP: 11.11.11.11, expires: 00:01:36

priority: 0, RP-source: 10.10.10.10, group ranges:

225.10.0.0/24

RP: 8.8.8.2, expires: 00:01:36

priority: 0, RP-source: 10.10.10.10, group ranges:

225.12.0.0/24

switch(config)#

Related Commands

Note

show ip pim rp-hash

show ip pim rp-hash <group>

Displays the hashed value of the group (RP address according to the group address).

Syntax Description

group Filters the output per a specific IP Multicast group address.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch (config) # show ip pim rp-hash 225.7.6.2

RP 20.20.20.49, v2

Info Source: 20.20.20.49, via bootstrap, priority 60, holdtime 57

Expires: 00:00:53

PIMv2 Hash Value (mask 255.255.255.252)

switch (config)#

Related Commands

Note

show ip pim rp-candidate

show ip pim rp-candidate

Displays information about RP candidate status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch (config)# show ip pim rp-candidate

Next Candidate-RP-Advertisement in 00:11:22/00:60:00

RP: 10.10.10.10

group prefixes priority

224.0.0.0/4 190

225.0.0.0/4 191

switch (config)#

Related Commands

Note

show ip pim interface

show ip pim interface {[vlan <vlan id> | ethernet <port>] [df] | brief}

Displays information about the enabled interfaces for PIM.

Syntax Description

vlan <vlan-id> Filters the output for specific interface.

ethernet <port> Ethernet interface.

df Displays information about elected designated forwarders.

brief Displays a summary of information for all interfaces.

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example arc-switch55 [standalone: master] (config) # show ip pim interface vlan 2919

Interface Vlan2919 address is 70.28.23.80

PIM: enabled

PIM version: 2, mode: sparse

PIM DR: 70.28.23.80 (this system)

PIM DR Priority: 1

PIM configured DR priority:

PIM neighbor count: 1

PIM neighbor holdtime: 105 secs

PIM Hello Interval: 30 seconds, next hello sent in: 00:00:28

PIM Hello Generation ID: 61345

PIM Join-Prune Interval: 60 seconds

PIM domain border: no

PIM Interface Statistics:

General (sent/received):

Hellos: 36/37, JPs: 0/0, Asserts: 0/0

Grafts: 0/0, Graft-Acks: 0/0

DF-Offers: 0/0, DF-Winners: 0/0, DF-Backoffs: 0/0, DF-Passes: 0/0

Errors:

Checksum errors: 0, Invalid packet types/DF subtypes: 0/0

Authentication failed: 0

Packets from non-neighbors: 1

JPs received on RPF-interface: 0

(*,G) Joins received with no/wrong RP: 0/0

(*,G)/(S,G) JPs received for SSM/Bidir groups: 0/0

Related Commands

Note


show ip pim upstream joins

show ip pim upstream joins

Displays information about any PIM joins/prunes which are currently being sent to upstream PIM routers.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.5006

Role admin

Example switch (config) # show ip pim upstream joins

Neighbor address: 159.135.45.26

via interface: 159.135.45.34

next message in 43 seconds

Group: 224.0.10.0

Joins:

22.74.49.25

Prunes:

No prunes included

switch (config) #

Related Commands

Note Should contain the following information: neighbor address, interface address, group range, Joins, Prunes.


6.6.6.2 Multicast

ip multicast-routing

ip multicast-routing

no ip multicast-routing

Allows the switch to forward multicast packets.

The no form of the command disables multicast routing.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.5006

Role admin

Example switch (config)# ip multicast-routing

Related Commands N/A

Note

ip mroute

ip mroute {<ip-addr> <ip-mask> <next-hop>} [pref]

no ip mroute {<ip-addr> <ip-mask>}

Configures multicast reverse path forwarding (RPF) static routes.

The no form of the command deletes the static multicast route.

Syntax Description

ip-addr Unicast IP address.

ip-mask Network mask in a dotted format (e.g. 255.255.255.0) or /24 format.

next-hop Next hop IP address.

preference Route preference. Range: 1-255.

Default Preference is 1

Configuration Mode Config

History 3.3.5006

Role admin

Example arc-switch14 [standalone: master] (config) # ip mroute 16.16.0.0 /16 3.3.3.1

Related Commands N/A

Note

ip multicast ttl-threshold

ip multicast ttl-threshold <ttl-value>

no ip multicast ttl-threshold

Configures the time-to-live (TTL) threshold of packets being forwarded out of an interface.

The no form of the command removes RPF static routes.

Syntax Description

ttl-value Range: 0-225.

Default 0 – all packets are forwarded

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip multicast ttl-threshold 10

Related Commands N/A

Note

show ip mroute

show ip mroute [summary | <group> [<prefix> [<source>]]]

Displays information about IPv4 multicast routes.

Syntax Description

source Source IP address.

group IP address of multicast group.

prefix Network prefix of multicast group (in the format of /24, or 255.255.255.0 for example).

summary Displays a summary of the multicast routes.

Default N/A

Configuration Mode Any Command Mode

History 3.2.1000

Role admin

Example arc-switch14 [standalone: master] (config) # show ip mroute

IP Multicast Routing Table

Flags: B - Bidir Group, L - Local, P - Pruned, R - RP-bit set, T - SPTbit set

J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State/Mode

(*, 225.0.0.0/24), 00D 00:14:49, RP 18.18.18.14, flags: BR

Bidir-Upstream: Lo7

Outgoing interface list:

Related Commands N/A

Note


6.6.6.3 IGMP

ip igmp immediate-leave

ip igmp immediate-leave

no ip igmp immediate-leave

Enables the device to remove the group entry from the multicast routing table immediately upon receiving a leave message for the group.

The no form of the command disables immediate-leave.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp immediate-leave

Related Commands N/A

Note

ip igmp last-member-query-count

ip igmp last-member-query-count <count>

no ip igmp last-member-query-count

Configures the number of query messages the switch sends in response to a group-specific or group-source-specific leave message.

The no form of the command resets this parameter to its default.

Syntax Description

count Range: 1-7.

Default 2

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp last-member-query-count 7

Related Commands N/A

Note This parameter reflects expected packet loss on a congested network.

ip igmp last-member-query-response-time

ip igmp last-member-query-response-time <interval>

no ip igmp last-member-query-response-time

Configures the IGMP last member query response time in seconds.

The no form of the command resets this parameter to its default.

Syntax Description

interval IGMP last member query response time. Range: 1-25 seconds.

Default 1

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp last-member-query-response-time 10

Related Commands N/A

Note

ip igmp startup-query-count

ip igmp startup-query-count <count>

no ip startup-query-count

Configures the number of query messages an interface sends during startup.

The no form of the command resets this parameter to its default.

Syntax Description

count Range: 1-65535.

Default 2

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp startup-query-count 10

Related Commands N/A

Note

ip igmp startup-query-interval

ip igmp startup-query-interval <interval>

no ip startup-query-interval

Configures the IGMP startup query interval in seconds.

The no form of the command resets this parameter to its default.

Syntax Description

interval Range: 1-1800 seconds.

Default 30

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp startup-query-interval 10

Related Commands N/A

Note

ip igmp query-interval

ip igmp query-interval <interval>

no ip igmp query-interval

Configures the IGMP query interval in seconds.

The no form of the command resets this parameter to its default.

Syntax Description

interval The IGMP query interval. Range: 1-1800 seconds.

Default 125

Configuration Mode Config Interface VLAN

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp query-interval 60

Related Commands N/A

Note

ip igmp query-max-response-time

ip igmp query-max-response-time <time>

no ip igmp query-max-response-time

Configures the IGMP max response time in seconds.

The no form of the command resets this parameter to its default.

Syntax Description

time The IGMP max response time. Range: 1-25 seconds.

Default 10

Configuration Mode Config Interface VLAN

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp query-max-response-time 20

Related Commands N/A

Note

ip igmp robustness-variable

ip igmp robustness-variable <count>

no ip igmp robustness-variable

Configures the IGMP robustness variable.

The no form of the command resets this parameter to its default.

Syntax Description

count IGMP robustness variable. Range: 1-7.

Default 2

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp robustness-variable 4

Related Commands N/A

Note • The robustness variable can be increased to increase the number of times that packets are resent.

• This parameter reflects expected packet loss on a congested network.

ip igmp static-oif

ip igmp static-oif <group>

no ip igmp static-oif

Statically binds an IP interface to a multicast group.

The no form of the command deletes the static multicast address from the interface.

Syntax Description

group Multicast IP address.

Default no ip igmp static-oif

Configuration Mode Config Interface VLAN

Config Interface Ethernet configured as a router port

Config Interface Port Channel configured as a router port

History 3.3.5006

Role admin

Example switch (config interface vlan 10)# ip igmp static-oif 10.10.10.5

Related Commands N/A

Note PIM must be enabled in order to configure the route in the hardware.

clear ip igmp groups

clear ip igmp groups {all | <group-address> <mask>}

Clears IGMP group information.

Syntax Description

all Clears all IGMP groups.

group-address Clears a specific group.

Default no ip igmp static-oif

Configuration Mode Config

History 3.3.5200

Role admin

Example switch (config)# clear ip igmp groups all

switch (config)#

Related Commands N/A

Note

debug ethernet ip igmp-l3

debug ethernet ip igmp-l3 {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-dump | resources}

no debug ethernet ip igmp-l3 {all | control-plane | data-path | fail-all | init-shut | management | memory | packet-dump | resources}

Configures the trace level for IGMP.

The no form of the command removes the trace level for IGMP.

Syntax Description

control-plane Control plane traces.

data-path IP packet dump trace.

fail-all All failures including Packet Validation Trace.

init-shut Init and shutdown messages.

memory Memory related messages.

packet-dump Packet dump messages.

Default N/A

Configuration Mode Config

History 3.3.5200

Role admin

Example switch (config)# debug ethernet ip igmp-l3 all

Related Commands

Note

show ip igmp groups

show ip igmp groups [<group>] [vlan <vlan-id>]

Displays information about IGMP-attached group membership.

Syntax Description

group Filters the output to a specific IP multicast group address.

vlan <vlan-id> Filters the output to a specific VLAN ID.

Default N/A

Configuration Mode Any Command Mode

History

Role admin

Example switch (config)# show ip igmp groups

IGMP Connected Group Membership for VRF "default"

Type: S - Static, D - Dynamic, L - Local, T - SSM Translated

Group Address Type Interface Uptime Expires Last Reporter

225.7.6.0 S vlan19 [0d 00:12:12.14] [0d 00:00:00.00] 0.0.0.0

225.7.10.1 D vlan19 [0d 00:00:01.18] [0d 00:04:08.81] 19.19.19.1

225.7.7.7 S vlan19 [0d 00:12:12.15] [0d 00:00:00.00] 0.0.0.0

225.7.7.7 S vlan21 [0d 00:12:12.15] [0d 00:00:00.00] 0.0.0.0

Related Commands N/A

Note


show ip igmp interface

show ip igmp interface [vlan <vlan-id> | brief]

Displays IGMP brief configuration and status.

Syntax Description

brief Displays brief output information.

vlan <vlan-id> Filters the output to a specific VLAN ID.

Default N/A

Configuration Mode Any Command Mode

History

Role admin

Example switch(config)#show ip igmp interface

IGMP Interfaces for VRF "default"

VLAN5

Interface status: protocol-down/admin-up/link-down

IP address: 5.5.5.49, IP Subnet: 5.5.5.0/24

Active Querier: 5.5.5.48

Membership count: 0

Route-queue depth: 0

IGMP Version: 2

IGMP query interval: 125 secs, configured value: 125 secs

IGMP max response time: 100 secs, configured value: 100 secs

IGMP startup query interval: 125 secs, configured value: 125 secs

IGMP startup query count: 2

IGMP group timeout: 350 secs, configured value: 350 secs

IGMP querier timeout: 350 secs configured value: 350 secs

IGMP last member mrt: 10 secs configured value: 10

IGMP robustness variable: 2

IGMP interface immediate leave: Disabled

IGMP interface statistics:

General (sent/received): v1/v2-reports: 0/0 v2-queries: 3/1,v2-leaves: 0/0 v3-queries: 0/0, v3-reports: 0/0

VLAN19

Interface status: protocol-up/admin-up/link-up

IP address: 19.19.19.49, IP Subnet: 19.19.19.0/24

Active Querier: 19.19.19.49

Membership count: 3

Route-queue depth: 0

IGMP Version: 2

IGMP query interval: 125 secs, configured value: 125 secs

IGMP max response time: 10 secs, configured value: 10 secs

IGMP startup query interval: 125 secs, configured value: 125 secs

IGMP startup query count: 2

IGMP group timeout: 260 secs, configured value: 260 secs

IGMP querier timeout: 260 secs configured value: 260 secs

IGMP last member mrt: 1 secs configured value: 1

IGMP robustness variable: 2

IGMP interface immediate leave: Disabled

IGMP interface statistics:

General (sent/received): v1/v2-reports: 0/5 v2-queries: 14/0,v2-leaves: 0/1 v3-queries: 0/0, v3-reports: 0/0

Related Commands N/A

Note


6.7 VRRP

The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available IP routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork.

The protocol achieves this by creating virtual routers, which are an abstract representation of multiple routers (that is, a master and backup routers, acting as a group). The default gateway of a participating host is assigned to the virtual router instead of a physical router. If the physical router that is routing packets on behalf of the virtual router fails, another physical router is selected to automatically replace it. The physical router that is forwarding packets at any given time is called the master router.

VRRP provides information on the state of a router, not the routes processed and exchanged by that router. Each VRRP instance is limited, in scope, to a single subnet. It does not advertise IP routes beyond that subnet or affect the routing table in any way.

Routers have a priority between 1 and 255, and the router with the highest priority becomes the master. The configurable priority value ranges from 1 to 254; the router that owns the interface IP address as one of its associated IP addresses has the priority value 255. When a planned withdrawal of a master router is to take place, its priority can be lowered, so that a backup router preempts the master router status rather than having to wait for the hold time to expire.

6.7.1 Load Balancing

To create load balancing between routers participating in the same VR, it is recommended to create 2 (or more) VRs. Each router will be a master in one of the VRs, and a backup to the other VR(s). A group of hosts should be configured with Router 1’s virtual address as the default gateway, while the second group should be configured with Router 2’s virtual address.

Figure 32: Common VRRP Configuration with Load Balancing

6.7.2 Configuring VRRP

To configure VRRP:

Precondition steps:

Step 1. Enable IP routing functionality. Run:

switch (config)# ip routing

Step 2. Enable the desired VLAN. Run:

switch (config)# vlan 20

The VLAN cannot be the same one configured for the MLAG IPL, if MLAG is used.

Step 3. Add this VLAN to the desired interface. Run:

switch (config)# interface ethernet 1/1

switch (config ethernet 1/1)# switchport access vlan 20

Step 4. Create a VLAN interface. Run:

switch (config)# interface vlan 20

Step 5. Apply IP address to the VLAN interface.

On one of the switches, run:

switch (config interface vlan 20)# ip address 20.20.20.20 /24

On the other switch, run:

switch (config interface vlan 20)# ip address 20.20.20.30 /24

Step 6. Enable the interface. Run:

switch (config interface vlan 20)# no shutdown

Configure VRRP:

This is the same configuration on both switches.

Step 1. Enable VRRP protocol globally. Run:

switch (config)# protocol vrrp

Step 2. Create a virtual router group for an IP interface. Up to 255 VRRP IDs are supported. Run:

switch (config interface vlan 20)# vrrp 100

Step 3. Set the VIP address. Run:

switch (config interface vlan 20 vrrp 100)# address 20.20.20.40

Step 4. To influence the election of the master in the VR cluster, make sure that the priority of the desired master is the highest. Note that the higher IP address is selected in case the priority of the routers in the VR are the same. Select the priority. Run:

switch (config interface vlan 20 vrrp 100)# priority 200

Step 5. The advertisement interval should be the same for all the routers within the VR. Modify the interval. Run:

switch (config interface vlan 20 vrrp 100)# advertisement-interval 2

Step 6. The authentication text should be the same for all the routers within the VR. Configure the authentication text. Run:

switch (config interface vlan 20 vrrp 100)# authentication text my-password

Step 7. Use the preempt command to enable a high-priority backup virtual router to preempt the low-priority master virtual router. Run:

switch (config interface vlan 20 vrrp 100)# preempt

Step 8. Disable VRRP. Run:

switch (config interface vlan 20 vrrp 100)# shutdown

The configuration will not be deleted, only the VRRP state machine will be stopped.
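The election and consistency rules of this section (highest priority wins, the higher IP address breaks a tie, the owner of the virtual IP gets 255, advertisement interval and authentication text identical on every router) are modelled below as an added Python example; it is not part of the Mellanox manual or of MLNX-OS. The class, function and router names are hypothetical, and the value ranges checked (priority 1-254, interval 1-255, text of up to 8 alphanumeric characters) are the ones given in the command reference of this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OWNER_PRIORITY = 255     # page: the router that owns the virtual IP has priority 255
DEFAULT_PRIORITY = 100   # page: default of the "priority" command


@dataclass
class VrrpRouter:
    name: str                          # label used only by this example
    interface_ip: str                  # "ip address" of the VLAN interface
    vip: str                           # "address" of the VRRP instance
    priority: int = DEFAULT_PRIORITY   # "priority", configurable range 1-254
    advertisement_interval: int = 1    # "advertisement-interval", seconds
    auth_text: Optional[str] = None    # "authentication text"
    preempt: bool = True               # "preempt" (enabled by default)
    shutdown: bool = False             # "shutdown" stops the VRRP state machine

    def effective_priority(self) -> int:
        """Configured priority, or 255 when the interface IP is the virtual IP."""
        if ipaddress.ip_address(self.interface_ip) == ipaddress.ip_address(self.vip):
            return OWNER_PRIORITY
        return self.priority


def audit(routers: List[VrrpRouter]) -> List[str]:
    """Findings for out-of-range values and for settings that must match on
    every router of the virtual router. The secret itself is never echoed."""
    findings = []
    for r in routers:
        if not 1 <= r.priority <= 254:
            findings.append(f"{r.name}: priority {r.priority} is outside 1-254")
        if not 1 <= r.advertisement_interval <= 255:
            findings.append(f"{r.name}: advertisement-interval is outside 1-255")
        text = r.auth_text
        if text is not None and not (text.isascii() and text.isalnum() and len(text) <= 8):
            findings.append(f"{r.name}: authentication text is not 1-8 alphanumeric characters")
    for field in ("vip", "advertisement_interval", "auth_text"):
        if len({getattr(r, field) for r in routers}) > 1:
            findings.append(f"{field} differs between routers")
    return findings


def elect_master(routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Highest effective priority wins; on a tie the higher interface IP wins."""
    active = [r for r in routers if not r.shutdown]
    if not active:
        return None
    return max(active, key=lambda r: (r.effective_priority(),
                                      int(ipaddress.ip_address(r.interface_ip))))


def will_preempt(master: VrrpRouter, backup: VrrpRouter) -> bool:
    """True when a running backup with preempt enabled outranks the master."""
    return (not backup.shutdown and backup.preempt
            and backup.effective_priority() > master.effective_priority())


# Constructed sample: the two switches of section 6.7.2. Interface IPs, VIP,
# priority 200 and interval 2 are the page's values; the text is made up.
SWITCH_A = VrrpRouter("switch-A", "20.20.20.20", "20.20.20.40", 200, 2, "vrrpPw01")
SWITCH_B = VrrpRouter("switch-B", "20.20.20.30", "20.20.20.40", 200, 2, "vrrpPw01")

if __name__ == "__main__":
    print(audit([SWITCH_A, SWITCH_B]))
    print(elect_master([SWITCH_A, SWITCH_B]).name)
```

With the identical priority of 200 that the procedure applies to both switches, the tie-break selects the switch with interface address 20.20.20.30; giving the intended master a distinct, higher priority makes the outcome explicit.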

6.7.3 Verifying VRRP

Step 1. Display VRRP brief status. Run:

switch(config)# show vrrp

Interface VR Pri Time Pre State VR IP addr

------------------------------------------------------

Vlan20 1 200 2s Y Init 20.20.20.20

…

switch(config)#

Step 2. Display VRRP detailed status. Run:

switch (config)# show vrrp detail

VRRP Admin State : Enabled

Vlan20 - Group 1 (IPV4)

Instance Admin State : Enabled

State : Backup

Virtual IP Address : 20.20.20.40

Priority : 200

Advertisement interval (sec) : 2

Preemption : Enabled

Virtual MAC address : AA:BB:CC:DD:EE:FF

switch (config)#

Step 3. Display VRRP statistic counters. Run:

switch (config)# show vrrp statistics

Ethernet1/5 - Group 1 (IPV4)

Invalid packets: 0

Too short: 0

Transitions to Master 6

Total received: 155

Bad TTL: 0

Failed authentication: 0

Unknown authentication: 0

Conflicting authentication: 0

Conflicting Advertise time: 0

Conflicting Addresses: 0

Received with zero priority: 3

Sent with zero priority: 3

switch (config)#
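A check that a monitoring job can run on two successive captures of the show vrrp statistics output above, reporting growth in the authentication, conflict and malformed-packet counters and in the number of mastership transitions. This is an added Python example, not part of the manual: the first capture is the manual's sample output, the second capture is constructed, and the function names are hypothetical.

```python
import re

GROUP_RE = re.compile(r"^(?P<iface>\S+) - Group (?P<vr>\d+) \((?P<family>\w+)\)$")
# "Transitions to Master 6" is printed without a colon, so the colon is optional.
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?):?\s+(?P<value>\d+)$")

# Error counters (all zero in the manual's sample output) plus the mastership
# transition count, which rises each time this router takes over as master.
WATCHED = (
    "Invalid packets", "Too short", "Bad TTL",
    "Failed authentication", "Unknown authentication",
    "Conflicting authentication", "Conflicting Advertise time",
    "Conflicting Addresses", "Transitions to Master",
)


def parse_vrrp_statistics(text):
    """Return {(interface, vr_id): {counter_name: value}}; prompts are ignored."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = GROUP_RE.match(line)
        if header:
            current = groups.setdefault((header["iface"], int(header["vr"])), {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            current[counter["name"]] = int(counter["value"])
    return groups


def new_alerts(before, after):
    """List (interface, vr_id, counter, increase) for watched counters that grew.
    A value lower than the previous one is treated as a counter reset."""
    alerts = []
    for key in sorted(after):
        old = before.get(key, {})
        for name in WATCHED:
            now, prev = after[key].get(name, 0), old.get(name, 0)
            increase = now if now < prev else now - prev
            if increase > 0:
                alerts.append((key[0], key[1], name, increase))
    return alerts


# First capture: the sample output shown in Step 3 of this section.
BASELINE = """\
switch (config)# show vrrp statistics
Ethernet1/5 - Group 1 (IPV4)
Invalid packets: 0
Too short: 0
Transitions to Master 6
Total received: 155
Bad TTL: 0
Failed authentication: 0
Unknown authentication: 0
Conflicting authentication: 0
Conflicting Advertise time: 0
Conflicting Addresses: 0
Received with zero priority: 3
Sent with zero priority: 3
switch (config)#
"""

# Second capture: constructed for this example by editing three counters.
LATER = (BASELINE
         .replace("Failed authentication: 0", "Failed authentication: 4")
         .replace("Transitions to Master 6", "Transitions to Master 8")
         .replace("Total received: 155", "Total received: 310"))

if __name__ == "__main__":
    for alert in new_alerts(parse_vrrp_statistics(BASELINE), parse_vrrp_statistics(LATER)):
        print("%s VR %d: %s increased by %d" % alert)
```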

6.7.4 Commands

protocol vrrp

protocol vrrp

no protocol vrrp

Enables VRRP globally and unhides VRRP related commands.

The no form of the command deletes all the VRRP configuration and hides VRRP related commands.

Syntax Description N/A

Default no feature vrrp

Configuration Mode Config

History 3.3.4500

Role admin

Example switch (config)# protocol vrrp

Related Commands

Note

vrrp

vrrp <number>

no vrrp <number>

Creates a virtual router group on this interface and enters a new configuration mode.

The no form of the command deletes the VRRP instance and the related configuration.

Syntax Description

number A VRRP instance number. Range is 1-255.

Default N/A

Configuration Mode Config Interface VLAN

History 3.3.4500

Role admin

Example switch (config interface vlan 10)#

switch (config interface vlan 10 vrrp 10)#

Related Commands

Note Maximum of 10 VRRP instances are supported.

address

address <ip-address> [secondary]

no address [<ip-address> [secondary]]

Sets virtual router IP address (primary and secondary).

The no form of the command deletes the IP address from the VRRP interface.

Syntax Description

ip-address The virtual IP address.

secondary A secondary IP address for the virtual router.

Default N/A

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# address 10.10.10.10

switch (config vrrp 100)# address 10.10.10.11 secondary

switch (config vrrp 100)# address 10.10.10.12 secondary

Related Commands

Note • This command is the enabler of the protocol. Therefore, set all the protocol parameters initially and only then set the ip-address.

• There are up to 10 IP addresses associated with the VRRP instance. One primary and up to 10 secondary ip-addresses.

• If the configured IP address is the same as the interface IP address, this switch automatically owns the IP address (priority 255).

shutdown

shutdown

no shutdown

Disables the virtual router.

The no form of the command enables the virtual router (stops the VRRP state machine).

Syntax Description N/A

Default Enabled (no shutdown)

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# shutdown

Related Commands

Note

priority

priority <level>

no priority

Sets the priority of the virtual router.

The no form of the command resets the priority to its default.

Syntax Description

level The virtual router priority level. Range is 1-254.

Default 100

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# priority 200

Related Commands

Note • The higher IP address will be selected as master, in case the priority of the routers in the VR are the same.

• To influence the election of the master in the VR cluster, make sure that the priority of the desired master is the highest.

preempt

preempt

no preempt

Sets virtual router preemption mode.

The no form of the command disables the virtual router preemption.

Syntax Description N/A

Default Enabled (preempt)

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# preempt

Related Commands

Note To set this router as backup for the current virtual router master, preempt must be enabled.

authentication text

authentication text <password>

no authentication text

Sets virtual router authentication password and enables authentication.

The no form of the command disables the authentication mechanism.

Syntax Description

password The virtual router authentication password. The password string must be up to 8 alphanumeric characters.

Default Disabled

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# authentication text mypassword

Related Commands

Note

advertisement-interval

advertisement-interval <seconds>

no advertisement-interval

Sets the virtual router advertisement-interval.

The no form of the command resets the parameter to its default.

Syntax Description

seconds The virtual router advertisement-interval in seconds. Range: 1-255.

Default 1

Configuration Mode Config VRRP Interface

History 3.3.4500

Role admin

Example switch (config vrrp 100)# advertisement-interval 10

Related Commands

Note

show vrrp

show vrrp [interface <type> <number>] [vr <id>]

Displays VRRP brief configuration and status.

Syntax Description

interface <type> <number> Filters the output to a specific interface type and number.

vr <id> Filters the output to a specific virtual router. Range: 1-10.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4500

Role admin

Example switch(config)# show vrrp

Interface VR Pri Time Pre State VR IP addr

------------------------------------------------------

Eth1/5 1 200 2s Y Init 192.0.1.10

… switch(config)#

Related Commands

Note


show vrrp detail

show vrrp detail [interface <type> <number>] [vr <id>]

Displays detailed VRRP configuration and status.

Syntax Description

interface <type> <number> Filters the output to a specific interface type and number.

vr <id> Filters the output to a specific virtual router. Range: 1-255.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4500

Role admin

Example

switch (config)# show vrrp detail
VRRP Admin State : Enabled
Vlan20 - Group 1 (IPV4)
Instance Admin State : Enabled
State : Backup
Virtual IP Address : 20.20.20.40
Priority : 200
Advertisement interval (sec) : 2
Preemption : Enabled
Virtual MAC address : AA:BB:CC:DD:EE:FF
switch (config)#

Related Commands

Note


show vrrp statistics

show vrrp statistics [interface <type> <number>] [vr <id>]

Displays VRRP counters.

Syntax Description

interface <type> <number> Filters the output to a specific interface type and number.

vr <id> Filters the output to a specific virtual router. Range: 1-255.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4500

Role admin

Example

switch (config)# show vrrp statistics
Ethernet1/5 - Group 1 (IPV4)
Invalid packets: 0
Too short: 0
Transitions to Master 6
Total received: 155
Bad TTL: 0
Failed authentication: 0
Unknown authentication: 0
Conflicting authentication: 0
Conflicting Advertise time: 0
Conflicting Addresses: 0
Received with zero priority: 3
Sent with zero priority: 3
switch (config)#

Related Commands

Note


6.8 MAGP

Multi-active gateway protocol (MAGP) is designed to solve the default gateway problem when a host is connected to a set of switch routers (SRs) via MLAG.

The network functionality in that case requires that each SR is an active default gateway router to the host, thus reducing hops between the SRs and directly forwarding IP traffic to the L3 cloud regardless of which SR the traffic comes through.

Designated traffic, such as ping to the MAGP interface, is not supported. One of the two switches will be able to ping, so a ping from one switch can be done.

6.8.1 MAGP Configuration

Prerequisite steps:

Step 1. Enable IP routing functionality. Run:
switch (config)# ip routing

Step 2. Enable the desired VLAN. Run:
switch (config)# vlan 20
switch (config vlan 20)#

The VLAN cannot be the same one configured for the MLAG IPL, if MLAG is used.

Step 3. Add this VLAN to the desired interface. Run:
switch (config)# interface ethernet 1/1
switch (config interface ethernet 1/1)# switchport access vlan 20

Step 4. Create a VLAN interface. Run:
switch (config)# interface vlan 20
switch (config interface vlan 20)#

Step 5. Set an IP address to the VLAN interface. Run:
switch (config interface vlan 20)# ip address 11.11.11.11 /8

Step 6. Enable the interface. Run:
switch (config interface vlan 20)# no shutdown

To configure MAGP:

Step 1. Enable MAGP protocol globally. Run:
switch (config)# protocol magp

Step 2. Create a virtual router group for an IP interface. Run:
switch (config interface vlan 20)# magp 100

Up to 255 MAGP IDs are supported.

Step 3. Set a virtual router primary IP address. Run:
switch (config interface vlan 20 magp 100)# ip virtual-router address 11.11.11.254

The IP address must be in the same subnet as the VLAN interface. This IP address is the default gateway for this MAGP instance. This should become the default gateway configured on the hosts connected to the relevant MLAG.

Step 4. Set a virtual router primary MAC address. Run:
switch (config interface vlan 20 magp 100)# ip virtual-router mac-address AA:BB:CC:DD:EE:FF

To verify the MAGP configuration, run:

switch (config)# show magp 1
MAGP 1
Interface vlan:1
MAGP state:Master
MAGP virtual IP: 11.11.11.254
MAGP virtual MAC: AA:BB:CC:DD:EE:FF
switch (config)#

This output is to be expected in both MAGP switches.

6.8.2 Commands

protocol magp

protocol magp
no protocol magp

Enables MAGP globally and unhides MAGP commands.

The no form of the command deletes all the MAGP configuration and hides MAGP commands.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.4500

Role admin

Example

switch (config)# protocol magp
switch (config)#

Related Commands

Note IP routing must be enabled to enable MAGP.


magp

magp <instance>
no magp <instance>

Creates an MAGP instance on this interface and enters a new configuration mode.

The no form of the command deletes the MAGP instance.

Syntax Description instance MAGP instance number. Range: 1-255.

Default Disabled

Configuration Mode Config Interface VLAN

History 3.3.4500

Role admin

Example

switch (config interface vlan 10)# magp 1
switch (config interface vlan 10 magp 1)#

Related Commands

Note

• Only one MAGP instance can be created on an interface

• Different interfaces cannot share an MAGP instance

• MAGP and VRRP are mutually exclusive


shutdown

shutdown
no shutdown

Enables MAGP instance.

The no form of the command disables the MAGP instance.

Syntax Description N/A

Default Disabled

Configuration Mode Config Interface VLAN MAGP

History 3.3.4500

Role admin

Example

switch (config interface vlan 10 magp 1)# protocol magp
switch (config interface vlan 10 magp 1)#

Related Commands

Note


ip virtual-router address

ip virtual-router address <ip-address>
no ip virtual-router address

Sets MAGP virtual IP address.

The no form of the command resets this parameter to its default.

Syntax Description ip-address The virtual router IP address.

Default N/A

Configuration Mode Config Interface VLAN MAGP

History 3.3.4500

Role admin

Example

switch (config interface vlan 10 magp 1)# ip virtual-router address 10.10.10.10
switch (config interface vlan 10 magp 1)#

Related Commands

Note The MAGP virtual IP address must be different from the interface IP address


ip virtual-router mac-address

ip virtual-router mac-address <mac-address>
no ip virtual-router mac-address

Sets MAGP virtual MAC address.

The no form of the command resets the MAC address to its default.

Syntax Description mac-address MAC address. Format: AA:BB:CC:DD:EE:FF.

Default 00:00:5E:00:01-<magp instance>

Configuration Mode Config Interface VLAN MAGP

History 3.3.4500

Role admin

Example

switch (config interface vlan 10 magp 1)# ip virtual-router mac-address AA:BB:CC:DD:EE:FF
switch (config interface vlan 10 magp 1)#

Related Commands

Note


show magp

show magp [<instance> | interface vlan <id>]

Displays the configuration of a specific MAGP instance.

Syntax Description instance MAGP instance number. Range: 1-255.

Default N/A

Configuration Mode Any Command Mode

History 3.3.4500

Role admin

Example

switch (config)# show magp 3
Magp instance id: 3
Interface : vlan 10
Magp state: Active
Magp virtual ip :192.168.1.1
Magp virtual MAC : 00:11:22:22:44:55
switch (config)#

Related Commands

Note


6.9 DHCP Relay

DHCP Relay is not supported on SX10xx-xxxR and SX60xx-xxxR systems.

Since Dynamic Host Configuration Protocol must work correctly even before DHCP clients have been configured, the DHCP server and DHCP client need to be connected to the same network.

In larger networks, this is not always practical because each network link contains one or more DHCP relay agents. These DHCP relay agents receive messages from DHCP clients and forward them to DHCP servers, thus extending the reach of DHCP beyond the local network.

6.9.1 Commands

ip dhcp relay address

ip dhcp relay address <ip-address>
no ip dhcp relay address <ip-address>

Configures IP address of the DHCP server to forward DHCP requests.

The no form of the command deletes the DHCP server IP address.

Syntax Description ip-address Valid IP unicast address of DHCP server.

Default N/A

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config)# ip dhcp relay address 10.10.10.10
switch (config)#

Related Commands N/A

Note

• Up to 16 IP addresses may be configured

• To enable DHCP relay, at least one IP address should be configured, or always-on parameter should be turned on using the command “ip dhcp relay always-on”


ip dhcp relay information option

ip dhcp relay information option
no ip dhcp relay information option

Enables the DHCP relay agent to insert option 82 info on the packets.

The no form of the command removes option 82 from the packets.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config)# ip dhcp relay information option
switch (config)#

Related Commands N/A

Note


ip dhcp relay always-on

ip dhcp relay always-on
no ip dhcp relay always-on

Broadcasts DHCP requests to all interfaces with the DHCP relay agent.

The no form of the command disables the “always-on” mode.

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config)# ip dhcp relay always-on
switch (config)#

Related Commands N/A

Note

• In order to enable DHCP relay, at least one IP address should be configured, or always-on parameter should be turned on using the command “ip dhcp relay always-on”

• When DHCP servers are configured, requests are forwarded only to configured servers


clear ip dhcp relay counters

clear ip dhcp relay counters

Clears all DHCP relay counters (all interfaces).

Syntax Description N/A

Default Disabled

Configuration Mode Config

History 3.3.4150

Role admin

Example

switch (config)# clear ip dhcp relay counters
switch (config)#

Related Commands N/A

Note

• In order to enable DHCP relay, at least one IP address should be configured, or always-on parameter should be turned on using the command “ip dhcp relay always-on”

• When DHCP servers are configured, requests are forwarded only to configured servers


6.9.1.1 Interface

ip dhcp relay information option circuit-id

ip dhcp relay information option circuit-id <label>
no ip dhcp relay information option circuit-id

Specifies the content of tags that the switch attaches to DHCP requests before they are forwarded.

The no form of the command removes the label assigned.

Syntax Description label Specifies the label attached to packets. The string may be up to 15 characters.

Default The label is taken from the IP interface name (e.g. “vlan1”)

Configuration Mode
Config Interface VLAN
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.3.4150

Role admin

Example

switch (config interface vlan 10)# ip dhcp relay information option circuit-id my-label
switch (config interface vlan 10)#

Related Commands N/A

Note


clear ip dhcp relay counters

ip dhcp relay counters
no ip dhcp relay counters

Clears all DHCP relay counters on the interface.

Syntax Description N/A

Default N/A

Configuration Mode
Config Interface VLAN
Config Interface Ethernet configured as a router port
Config Interface Port Channel configured as a router port

History 3.3.4150

Role admin

Example

switch (config interface vlan 10)# clear ip dhcp relay counters
switch (config interface vlan 10)#

Related Commands N/A

Note


6.9.1.2 Show

show ip dhcp relay

show ip dhcp relay

Displays DHCP relay configuration and status.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example

switch (config)# show ip dhcp relay
DHCP servers: 172.22.22.11, 172.33.33.33, … (or N/A)
DHCP clients requests are processed on all interfaces
DHCP server responses are processed on all interfaces
DHCP relay agent information option is {enabled, disabled}
DHCP relay agent always-on is {enabled, disabled}

Interface Label
--------- --------
Vlan10    my-label
switch (config)#

Related Commands N/A

Note


show ip dhcp relay counters

show ip dhcp relay counters

Displays the DHCP relay counters.

Syntax Description N/A

Default N/A

Configuration Mode Any Command Mode

History 3.3.4150

Role admin

Example

switch (config)# show ip dhcp relay counters

Interface Received Forwarded Dropped
--------- -------- --------- --------
All Req   376      376       0
All Resp  277      277       0

Interface Received Forwarded Dropped Last cleared
--------- -------- --------- ------- ------------
vlan1000  1000     1000      0       <Date>
vlan1020  2000     2000      0       <Date>

// <Date> == <DD-MM-YY, Hour-Minutes-Seconds> - something like: “20-07-13, 22:34:36”
switch (config)#

Related Commands N/A

Note


Appendix A: Enhancing System Security According to NIST SP 800-131A

A.1 Overview

This appendix describes how to enhance the security of a system in order to comply with the NIST SP 800-131A standard. This standard defines which cryptographic technologies are considered “acceptable”. This appendix explains how to protect against possible cryptographic vulnerabilities in the system by using secure methods. Because of compatibility issues, this security state is not the default of the system and it should be manually set.

Some protocols, however, cannot be operated in a manner that complies with the NIST SP 800-131A standard.

A.2 Web Certificate

Mellanox supports generating self-signed certificates with sha256WithRSAEncryption or sha1WithRSAEncryption signatures, and importing certificates as text in PEM format.

To configure a default certificate:

Step 1. Create a new sha256 certificate. Run:
switch (config) # crypto certificate name <cert name> generate self-signed hash-algorithm sha256

For more details and parameters refer to the command crypto certificate name in the MLNX-OS User Manual.

Step 2. Show crypto certificate detail. Run:
switch (config) # show crypto certificate detail

Search for “signature algorithm” in the output.

Step 3. Set this certificate as the default certificate. Run:
switch (config) # crypto certificate default-cert name <cert name>

To configure default parameters and create a new certificate:

Step 1. Define the default hash algorithm. Run:
switch (config) # crypto certificate generation default hash-algorithm sha256

Step 2. Generate a new certificate with default values. Run:
switch (config) # crypto certificate name <cert name> generate self-signed

When no options are selected, the generated certificate uses the default values for each field.

To test strict mode, connect to the WebUI using HTTPS and get the certificate. Search for “signature algorithm”.

There are other ways to configure the certificate to sha256. For example, it is possible to use certificate generation default hash-algorithm and then regenerate the certificate using these default values. Please refer to the MLNX-OS User Manual for further details.

It is recommended to delete browsing data and previous certificates before retrying to connect to the WebUI.

Make sure not to confuse “signature algorithm” with “Thumbprint algorithm”.

A.3 SNMP

SNMPv3 supports configuring username, authentication keys and privacy keys. For authentication keys it is possible to use MD5 or SHA. For privacy keys AES or DES are to be used.

To configure strict mode, create a new user with HMAC-SHA1-96 and AES-128. Run:
switch (config) # snmp-server user <username> v3 auth sha <password1> priv aes-128 <password2>

To verify the user in the CLI, run:
switch (config) # show snmp user

To test strict mode, configure users and check them using the CLI, then run an SNMP request with the new users.

For more information please refer to the MLNX-OS User Manual.

SNMPv1 and SNMPv2 are not considered to be secure. To run in strict mode, only use SNMPv3.

A.4 SSH

By default, the SSH server on the switch uses both secure and insecure ciphers, message authentication codes (MACs), key exchange methods, and public key algorithms. When the SSH server is configured to strict mode, these security methods use only approved algorithms as detailed in the NIST 800-131A specification, and the user can connect to the switch via SSH in strict mode only.

To enable strict security mode, run:
switch (config) # ssh server security strict

The no form of the command disables strict security mode.

Make sure to configure the SSH server to work with minimum version 2, since version 1 is vulnerable to security breaches.

To configure min-version to strict mode, run:
switch (config) # ssh server min-version 2

Once this is done, the user cannot revert back to minimum version 1.

A.5 HTTPS

By default, Mellanox switch supports HTTPS encryption using TLS1.0 up to TLS1.2. To work in strict mode you must configure the system to use TLS1.2. Working in TLS1.2 mode also bans MD5 ciphers, which are not allowed per NIST 800-131a. In strict mode, the switch supports encryption with TLS1.2 only with the following supported ciphers:

• RSA_WITH_AES_128_CBC_SHA256

• RSA_WITH_AES_256_CBC_SHA256

• DHE_RSA_WITH_AES_128_CBC_SHA256

• DHE_RSA_WITH_AES_256_CBC_SHA256

• TLS_RSA_WITH_AES_128_GCM_SHA256

• TLS_RSA_WITH_AES_256_GCM_SHA384

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

To enable all encryption methods, run:
switch (config) # web https ssl ciphers all

To enable only TLS ciphers (enabled by default), run:
switch (config) # web https ssl ciphers TLS

To enable HTTPS strict mode, run:
switch (config) # web https ssl ciphers TLS1.2

To verify which encryption methods are used, run:
switch (config)# show web

Web User Interface:

Web interface enabled: yes

HTTP enabled: yes

HTTP port: 80

HTTP redirect to HTTPS: no

HTTPS enabled: yes

HTTPS port: 443

HTTPS ssl-ciphers: TLS1.2

HTTPS certificate name: default-cert

Listen enabled: yes

No Listen Interfaces.

Inactivity timeout: disabled

Session timeout: 2 hr 30 min

Session renewal: 30 min

Web file transfer proxy:

Proxy enabled: no

Web file transfer certificate authority:

HTTPS server cert verify: yes

HTTPS supplemental CA list: default-ca-list

switch (config)#

On top of enabling HTTPS, to prevent security breaches HTTP must be disabled.

To disable HTTP, run:
switch (config)# no web http enable

A.6 LDAP

By default, Mellanox switch supports LDAP encryption SSL version 3 or TLS1.0 up to TLS1.2.

The only banned algorithm is MD5 which is not allowed per NIST 800-131a. In strict mode, the switch supports encryption with TLS1.2 only with the following supported ciphers:

• DHE-DSS-AES128-SHA256

• DHE-RSA-AES128-SHA256

• DHE-DSS-AES128-GCM-SHA256

• DHE-RSA-AES128-GCM-SHA256

• DHE-DSS-AES256-SHA256

• DHE-RSA-AES256-SHA256

• DHE-DSS-AES256-GCM-SHA384

• DHE-RSA-AES256-GCM-SHA384

• ECDH-ECDSA-AES128-SHA256

• ECDH-RSA-AES128-SHA256

• ECDH-ECDSA-AES128-GCM-SHA256


• ECDH-RSA-AES128-GCM-SHA256

• ECDH-ECDSA-AES256-SHA384

• ECDH-RSA-AES256-SHA384

• ECDH-ECDSA-AES256-GCM-SHA384

• ECDH-RSA-AES256-GCM-SHA384

• ECDHE-ECDSA-AES128-SHA256

• ECDHE-RSA-AES128-SHA256

• ECDHE-ECDSA-AES128-GCM-SHA256

• ECDHE-RSA-AES128-GCM-SHA256

• ECDHE-ECDSA-AES256-SHA384

• ECDHE-RSA-AES256-SHA384

• ECDHE-ECDSA-AES256-GCM-SHA384

• ECDHE-RSA-AES256-GCM-SHA384

• AES128-SHA256

• AES128-GCM-SHA256

• AES256-SHA256

• AES256-GCM-SHA384

To enable LDAP strict mode, run:
switch (config) # ldap ssl mode {start-tls | ssl}

Both modes operate using SSL. The difference lies in the connection initialization and the port used.

To enable all encryption methods (enabled by default), run:
switch (config) # ldap ssl ciphers TLS1.2

To verify which encryption methods are used, run:
switch (config)# show ldap

User base DN : ou=People,dc=test,dc=com

User search scope : subtree

Login attribute : uid

Bind DN : cn=manager,dc=test,dc=com

Bind password : ********

Group base DN :

Group attribute : member

LDAP version : 3

Referrals : yes

Server port : 389 (not active)

Search Timeout : 5


Bind Timeout : 5

SSL mode : ssl

Server SSL port : 636

SSL ciphers : TLS1.2

SSL cert verify : yes

SSL ca-list : default-ca-list

LDAP servers:

1: 10.134.47.5

switch (config)#

Please make sure that “(not active)” does not appear adjacent to the line “SSL ciphers”.
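The verification steps in A.5 and A.6 can be automated over captured CLI output. The following is an added example, not part of the manual or of MLNX-OS: the function names are hypothetical, the sample text is constructed from the outputs shown above, and it assumes `show ldap` prints the same mode keyword that the `ldap ssl mode` command takes.

```python
# Added example: audits captured `show web` and `show ldap` output against
# the strict-mode expectations described in sections A.5 and A.6.

# Constructed sample input, abridged from the outputs shown in the manual.
SHOW_WEB = """\
Web User Interface:
Web interface enabled: yes
HTTP enabled: yes
HTTP port: 80
HTTP redirect to HTTPS: no
HTTPS enabled: yes
HTTPS port: 443
HTTPS ssl-ciphers: TLS1.2
HTTPS certificate name: default-cert
"""

SHOW_LDAP = """\
LDAP version : 3
Server port : 389 (not active)
SSL mode : ssl
Server SSL port : 636
SSL ciphers : TLS1.2
SSL cert verify : yes
"""


def parse_fields(text):
    """Return {key: value} for every 'key : value' line that has a value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Section headers such as 'Web User Interface:' have no value; skip them.
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_web(text):
    """List deviations from the HTTPS strict-mode settings in section A.5."""
    f = parse_fields(text)
    findings = []
    if f.get("HTTPS enabled") != "yes":
        findings.append("HTTPS is not enabled")
    ciphers = f.get("HTTPS ssl-ciphers", "<missing>")
    if ciphers != "TLS1.2":
        findings.append("HTTPS ssl-ciphers is %s, expected TLS1.2" % ciphers)
    # A.5: plain HTTP must be disabled in addition to enabling HTTPS.
    if f.get("HTTP enabled") != "no":
        findings.append("HTTP is not confirmed disabled; run 'no web http enable'")
    return findings


def audit_ldap(text):
    """List deviations from the LDAP strict-mode settings in section A.6."""
    f = parse_fields(text)
    findings = []
    # Assumption: the output shows the keyword used in 'ldap ssl mode {start-tls | ssl}'.
    mode = f.get("SSL mode", "<missing>")
    if mode not in ("ssl", "start-tls"):
        findings.append("LDAP SSL mode is %s, expected ssl or start-tls" % mode)
    ciphers = f.get("SSL ciphers", "<missing>")
    # A.6: "(not active)" must not appear next to the SSL ciphers line.
    if "(not active)" in ciphers:
        findings.append("LDAP SSL ciphers setting is not active")
    elif ciphers != "TLS1.2":
        findings.append("LDAP SSL ciphers is %s, expected TLS1.2" % ciphers)
    return findings


if __name__ == "__main__":
    for name, findings in (("web", audit_web(SHOW_WEB)), ("ldap", audit_ldap(SHOW_LDAP))):
        print(name, "OK" if not findings else findings)
```

The sample `show web` output from A.5 still has HTTP enabled, so the audit reports it until `no web http enable` has been run.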

A.7 Password Hashing

To comply with NIST 800-131a, Mellanox switches support password encryption with the SHA512 algorithm.

To see the password encryption used, run:

switch (config)# show usernames
USERNAME  FULL NAME             CAPABILITY  ACCOUNT STATUS
admin     System Administrator  admin       No password required for login
monitor   System Monitor        monitor     Password set (SHA512)
xmladmin  XML Admin User        admin       No password required for login
xmluser   XML Monitor User      monitor     No password required for login

Using default usernames and passwords or using usernames without passwords is strongly discouraged.

When moving to strict mode, the password of each user must be reconfigured to a non-default value using the CLI command username.

For example, if you have a user ID “myuser” whose password is hashed with MD5, this user must be recreated manually using the command “username myuser password mypassword”. The password is then automatically hashed using SHA512.

The following output demonstrates the example above:

switch (config)# show usernames
USERNAME  FULL NAME             CAPABILITY  ACCOUNT STATUS
admin     System Administrator  admin       No password required for login
myuser    System Monitor        monitor     Password set (MD5)
switch (config)# username myuser password mypassword
switch (config)# show usernames
USERNAME  FULL NAME             CAPABILITY  ACCOUNT STATUS
admin     System Administrator  admin       No password required for login
myuser    System Monitor        monitor     Password set (SHA512)
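To find every account that still needs attention before moving to strict mode, the `show usernames` table from A.7 can be parsed and checked. This is an added example, not code from the manual or from MLNX-OS: the function names are hypothetical, the sample is constructed from the outputs above, and it assumes usernames never contain `#`.

```python
import re

# Constructed sample, laid out like the `show usernames` output in section A.7.
SHOW_USERNAMES = """\
USERNAME  FULL NAME             CAPABILITY  ACCOUNT STATUS
admin     System Administrator  admin       No password required for login
monitor   System Monitor        monitor     Password set (SHA512)
myuser    System Monitor        monitor     Password set (MD5)
xmladmin  XML Admin User        admin       No password required for login
"""

# FULL NAME may contain spaces, so rows cannot be split on whitespace alone.
# The account status is matched at the end of the line first; what remains is
# username (first token), capability (last token) and full name (the rest).
STATUS_RE = re.compile(
    r"\s(No password required for login|Password set \(([^)]+)\))\s*$"
)


def parse_usernames(text):
    """Return a list of (username, full_name, capability, status, hash_alg)."""
    rows = []
    for line in text.splitlines():
        # Skip blanks, the header row and CLI prompt lines (assumed to contain '#').
        if not line.strip() or line.startswith("USERNAME") or "#" in line:
            continue
        m = STATUS_RE.search(line)
        head = line[: m.start()].split() if m else []
        if len(head) < 2:
            # Status wording not shown in the manual: keep the row for review.
            rows.append((line.split()[0], None, None, "unrecognised", None))
            continue
        rows.append((head[0], " ".join(head[1:-1]), head[-1], m.group(1), m.group(2)))
    return rows


def audit_accounts(text):
    """Return (username, issue) for every account that violates section A.7."""
    findings = []
    for user, _full_name, _capability, status, alg in parse_usernames(text):
        if status == "unrecognised":
            findings.append((user, "review manually"))
        elif alg is None:
            # "No password required for login"
            findings.append((user, "no password"))
        elif alg.upper() != "SHA512":
            # Re-running 'username <user> password <password>' rehashes with SHA512.
            findings.append((user, "rehash from %s" % alg))
    return findings


if __name__ == "__main__":
    for user, issue in audit_accounts(SHOW_USERNAMES):
        print("%-10s %s" % (user, issue))
```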


Appendix B: Security Vulnerabilities and Exposures

Table 49 presents the status of common vulnerabilities and security exposures that may affect MLNX-OS.

Table 49 - Common Vulnerabilities and Exposures

CVE-1999-0517
Vulnerability: Not vulnerable: Requires strict mode
Description: An SNMP community name is the default (e.g. public), null, or missing.
Fixed in Version: 3.4.0000

CVE-2006-0175
Vulnerability: Not vulnerable
Description: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
Fixed in Version: 3.3.3500

CVE-2006-1653
Vulnerability: N/A
Description: The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.
Fixed in Version: N/A

CVE-2006-2760
Vulnerability: N/A
Description: sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Fixed in Version: N/A

CVE-2005-2797
Vulnerability: N/A
Description: OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.
Fixed in Version: N/A

CVE-2005-2798
Vulnerability: Not vulnerable
Description: sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
Fixed in Version: 3.3.3500

CVE-2006-0225
Vulnerability: N/A
Description: scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Fixed in Version: N/A

CVE-2006-4924
Vulnerability: Not vulnerable
Description: sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
Fixed in Version: 3.4.0000

CVE-2006-4925
Vulnerability: N/A
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
Fixed in Version: N/A

CVE-2006-5051
Vulnerability: N/A
Description: Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Fixed in Version: N/A

CVE-2006-5052
Vulnerability: N/A
Description: Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
Fixed in Version: N/A

CVE-2006-5229
Vulnerability: N/A
Description: OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
Fixed in Version: N/A

CVE-2006-5794
Vulnerability: Not vulnerable
Description: Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
Fixed in Version: 3.4.0000

CVE-2007-0726
Vulnerability: N/A
Description: The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys.
Fixed in Version: N/A

CVE-2007-2243
Vulnerability: N/A
Description: OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Fixed in Version: N/A

CVE-2007-2768
Vulnerability: N/A
Description: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
Fixed in Version: N/A

CVE-2007-3102
Vulnerability: N/A
Description: Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
Fixed in Version: N/A

CVE-2007-4654
Vulnerability: N/A
Description: Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.
Fixed in Version: N/A

CVE-2007-4752
Vulnerability: Not vulnerable
Description: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Fixed in Version: 3.4.0000

CVE-2007-5715
Vulnerability: N/A
Description: DenyHosts 2.6 processes OpenSSH sshd "not listed in AllowUsers" log messages with an incorrect regular expression that does not match an IP address, which might allow remote attackers to avoid detection and blocking when making invalid login attempts with a username not present in AllowUsers, as demonstrated by the root username, a different vulnerability than CVE-2007-4323.
Fixed in Version: N/A

CVE-2007-6415
Vulnerability: N/A
Description: scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute arbitrary code by invoking scp, as implemented by OpenSSH, with the -F and -o options.
Fixed in Version: N/A

CVE-2008-1483
Vulnerability: Not vulnerable
Description: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Fixed in Version: 3.4.0000

CVE-2008-1657
Vulnerability: N/A
Description: OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
Fixed in Version: N/A

CVE-2008-3234
Vulnerability: Only affects OpenSSH version 4.x. MLNX-OS uses 3.8.1p1.
Description: sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
Fixed in Version: N/A

CVE-2008-3259
Vulnerability: N/A
Description: OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.
Fixed in Version: N/A

CVE-2008-3844
Vulnerability: N/A
Description: Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
Fixed in Version: N/A

CVE-2008-4109
Vulnerability: Not vulnerable
Description: A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
Fixed in Version: 3.4.0000

CVE-2008-5161
Vulnerability: Not vulnerable
Description: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Fixed in Version: 3.4.0000

| CVE-2009-2904 | N/A | A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. | N/A |
| CVE-2010-4478 | N/A | OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. | N/A |
| CVE-2010-4755 | N/A | The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. | N/A |
| CVE-2010-5298 | Not vulnerable | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. | 3.4.0008 |
| CVE-2011-0539 | N/A | The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. | N/A |
| CVE-2011-3389 | Not vulnerable | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. | 3.3.3500 |
| CVE-2011-3607 | Not vulnerable | Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. | 3.3.3500 |
| CVE-2011-4317 | Not vulnerable | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. | 3.3.3500 |
| CVE-2011-4327 | N/A | ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call. | N/A |
| CVE-2011-5000 | N/A | The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. | N/A |
| CVE-2012-0031 | Not vulnerable | scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function. | 3.3.3500 |
| CVE-2012-0053 | Not vulnerable | protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. | 3.3.3500 |
| CVE-2012-0814 | Not vulnerable | The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. | 3.3.3500 |
| CVE-2012-2687 | N/A | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | N/A |
| CVE-2012-4929 | Not vulnerable | The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. | 3.3.3500 |
| CVE-2012-4930 | Not vulnerable | The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. | 3.3.3500 |
| CVE-2013-7423 | Not vulnerable | The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. | 3.4.3000 |
| CVE-2014-0195 | Not vulnerable | The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. | 3.4.0008 |
| CVE-2014-0198 | Not vulnerable | The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition. | 3.4.0008 |
| CVE-2014-0221 | Not vulnerable | The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake. | 3.4.0008 |
| CVE-2014-0224 | Not vulnerable | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. | 3.4.1000 |
| CVE-2014-0475 | Not vulnerable | Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable. | 3.4.3000 |
| CVE-2014-1692 | N/A | The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition. | N/A |
| CVE-2014-2532 | N/A | sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. | N/A |
| CVE-2014-3470 | Not vulnerable | The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. | 3.4.0008 |
| CVE-2014-3505 | Not vulnerable | Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. | 3.4.1000 |
| CVE-2014-3506 | Not vulnerable | d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. | 3.4.1000 |
| CVE-2014-3507 | Not vulnerable | Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. | 3.4.1000 |
| CVE-2014-3508 | Not vulnerable | The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. | 3.4.1000 |
| CVE-2014-3509 | Not vulnerable | Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. | 3.4.1000 |
| CVE-2014-3510 | Not vulnerable | The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. | 3.4.1000 |
| CVE-2014-3511 | Not vulnerable | The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. | 3.4.1000 |
| CVE-2014-3513 | Not vulnerable | Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. | 3.4.1000 |
| CVE-2014-3566 | Not vulnerable | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. | 3.4.1000 |
| CVE-2014-3567 | Not vulnerable | Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. | 3.4.1000 |
| CVE-2014-3569 | N/A | The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. | N/A |
| CVE-2014-3570 | Not vulnerable | The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. | 3.4.3000 |
| CVE-2014-3571 | Not vulnerable | OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. | 3.4.3000 |
| CVE-2014-3572 | Not vulnerable | The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. | 3.4.3000 |
| CVE-2014-6040 | Not vulnerable | GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8. | 3.4.2300 |
| CVE-2014-6271 | Not vulnerable | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. | 3.4.0008 |
| CVE-2014-7817 | Not vulnerable | The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))". | 3.4.3000 |
| CVE-2014-8176 | Not vulnerable | The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data. | 3.4.3000 |
| CVE-2014-8275 | Not vulnerable | OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. | 3.4.3000 |
| CVE-2014-9293 | Not vulnerable | The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. | 3.4.1000 |
| CVE-2014-9294 | Not vulnerable | util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. | 3.4.1000 |
| CVE-2014-9295 | Not vulnerable | Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. | 3.4.1000 |
| CVE-2014-9296 | Not vulnerable | The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. | 3.4.1000 |
| CVE-2014-9297 | N/A | This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | 3.4.3000 |
| CVE-2015-0204 | Not vulnerable | The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations. | 3.4.3000 |
| CVE-2015-0205 | Not vulnerable | The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. | 3.4.3000 |
| CVE-2015-0206 | Not vulnerable | Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. | 3.4.3000 |
| CVE-2015-0207 | Not vulnerable | The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server. | 3.4.2008 |
| CVE-2015-0208 | Not vulnerable | The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature. | 3.4.2008 |
| CVE-2015-0209 | N/A | Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import. | 3.4.3000 |
| CVE-2015-0235 | Not vulnerable | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." | 3.4.2002 |
| CVE-2015-0285 | N/A | The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack. | 3.4.3000 |
| CVE-2015-0286 | Not vulnerable | The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature. | 3.4.3000 |
| CVE-2015-0287 | Not vulnerable | The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse. | 3.4.3000 |
| CVE-2015-0288 | Not vulnerable | The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key. | 3.4.3000 |
| CVE-2015-0289 | Not vulnerable | The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c. | 3.4.3000 |
| CVE-2015-0290 | Not vulnerable | The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors. | 3.4.2008 |
| CVE-2015-0291 | Not vulnerable | The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation. | 3.4.2008 |
| CVE-2015-0292 | Not vulnerable | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. | 3.4.3000 |
| CVE-2015-0293 | Not vulnerable | The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message. | 3.4.3000 |
| CVE-2015-1787 | Not vulnerable | The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero. | 3.4.2008 |
| CVE-2015-1789 | Not vulnerable | The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback. | 3.4.3000 |
| CVE-2015-1790 | Not vulnerable | The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. | 3.4.3000 |
| CVE-2015-1791 | Not vulnerable | Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier. | 3.4.3000 |
| CVE-2015-1792 | Not vulnerable | The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function. | 3.4.3000 |
| CVE-2015-1798 | N/A | The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. | 3.4.3000 |
| CVE-2015-1799 | N/A | The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. | 3.4.3000 |
| CVE-2015-2808 | Not vulnerable: Requires strict mode | The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue. | 3.4.1120 |
| CVE-2015-3456 | Not vulnerable | The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker's malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM. | 3.4.3000 |
| CVE-2015-4000 | Not vulnerable | The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. | 3.4.3000 |
| CVE-2015-5119 | Not vulnerable | This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | 3.4.3000 |

1. Vulnerability may take the following three values:

N/A – not relevant to MLNX-OS

Not vulnerable – Mellanox products are protected against this vulnerability

Not vulnerable: Requires strict mode – working in strict mode protects against this vulnerability


Appendix C: UI Changes in Version 3.4.2008

Relevant changes in the CLI in this section are marked in boldface.

In order to improve the user interface and unify the look and feel across all Mellanox switch platforms, MLNX-OS® versions 3.4.2008 and above introduce some changes in the user interface.

C.1 Interface Addressing Change

Interface addressing in interface-specific commands has changed in order to align the InfiniBand interface schema with that of Ethernet, and to support the EDR director switch system, which has 2 ASICs per leaf.

C.1.1 CLI Change

Interface referencing for director switches has become <slot/module/port> and their show command output text displays IB<slot/module/port>.

Before: switch (config) # show interfaces ib L01/1

Slot L01 port 1 state

Logical port state : Initialize

Physical port state : LinkUp

Current line rate : 40.0 Gbps

Supported speeds : 2.5, 5.0, 10.0(QDR), 10.0(FDR10) or 14.0 Gbos rate

...

After: switch (config) # show interfaces ib 1/1/1

IB1/1/1 state:

Logical port state : Initialize

Physical port state : LinkUp

Current line rate : 40.0 Gbps

Supported speeds : sdr, ddr, qdr, fdr10

...

Internal interface referencing for director switch systems has become as follows:

Before: switch (config) # show interfaces ib internal S01/1

Slot S01 port 1 state

Connected to slot/chip : 1/1

Connected to port : 19

Connected device active: -

Error state : 0

Logical port state : Initialize

Physical port state : LinkUp

Current line rate : 40.0 Gbps

Supported speeds : .5, 5.0, 10.0(QDR),

10.0(FDR10) or 14.0 Gbos rate

...

After: switch (config) # show interfaces ib internal spine 1/1/1

IB1/1/1 state:

Connected to slot/chip : 1/1

Connected to port : 19

Connected device active: -

Error state : 0

Logical port state : Initialize

Physical port state : LinkUp

Current line rate : 40.0 Gbps

Supported speeds : sdr, ddr, qdr, fdr10

...


Interface show command output text on 1U switches has become IB<slot/port>.

Before: switch (config) # show interfaces ib 1/1

Slot 1 port 1 state

Logical port state : Down

Physical port state : Polling

Current line rate :

Supported speeds : 2.5, 5.0, 10.0(QDR), 10.0(FDR10) or 14.0 Gbos rate

...

After: switch (config) # show interfaces ib 1/1

IB1/1 state:

Logical port state : Down

Physical port state : Polling

Current line rate : -

Supported speeds : sdr, ddr, qdr, fdr10, fdr

...

C.1.2 MIB ifTable Change

The ifDescr column now displays interfaces in the syntax IB<slot/port>.

Figure 33: 1U MIB ifTable Before Screenshot

Figure 34: 1U MIB ifTable After Screenshot

For director switches the ifDescr column displays interfaces in the syntax IB<slot/module/port>.


Figure 35: Director Switch MIB ifTable Before Screenshot


Figure 36: Director Switch MIB ifTable After Screenshot

C.1.3 WebUI Ports Page Change

In the “Ports” page of the MLNX-OS® WebUI, the “Port number” field has been modified to reflect the change in the CLI. “Port number” now displays interfaces in the following syntax for director switches: <slot>/<module>/<port>.

C.2 Interface Speed Configuration Change

Interface speed configuration has changed in order to improve user experience when configuring InfiniBand speeds and to support additional permutations for setting allowed speeds.

C.2.1 CLI Change

Interface speed configuration commands accept any of the following speed name combinations: SDR; DDR; QDR; FDR10; FDR; EDR.

Commands with the old syntax, however, are still supported.


Before: switch (config interface ib 1/1) # speed ?

1 2.5 Gbps

3 2.5 or 5.0 Gbps

5 2.5 or 10.0(QDR) Gbps

7 2.5, 5.0 or 10.0(QDR) Gbps

8 10.0(FDR10) Gbps

13 2.5, 10.0(QDR) or 10(FDR10) Gbps

15 2.5, 5.0, 10.0(QDR) or 10.0(FDR10) Gbps

After: switch (config interface ib 1/1) # speed ?

sdr 10.0 Gbps rate on 4 lane width

ddr 20.0 Gbps rate on 4 lane width

qdr 40.0 Gbps rate on 4 lane width

fdr10 40.0 Gbps rate on 4 lane width

fdr 56.0 Gbps rate on 4 lane width

force Force a speed vector without the sdr bit

Before: switch (config interface ib 1/1) # speed ?

10 10.0 Gbps rate on 4 lane width

100 20.0 Gbps rate on 4 lane width

1000 40.0 Gbps rate on 4 lane width

10000 40.0 Gbps rate on 4 lane width

auto 56.0 Gbps rate on 4 lane width

After: switch (config interface ib 1/1) # speed ?

sdr 10.0 Gbps rate on 4 lane width

ddr 20.0 Gbps rate on 4 lane width

qdr 40.0 Gbps rate on 4 lane width

fdr10 40.0 Gbps rate on 4 lane width

fdr 56.0 Gbps rate on 4 lane width

force Force a speed vector without the sdr bit

switch (config interface ib 1/1) # speed ddr fdr fdr10 force qdr sdr

switch (config interface ib 1/1) # speed sdr fdr qdr

switch (config interface ib 1/1) #

Show interface commands display speed names instead of the speed figures.

Before: switch (config) # show interfaces ib L01/1

Slot L01 port 1 state:

Logical port state : Down

Physical port state : Polling

Current line rate :

Supported speeds : 2.5, 5.0, 10.0(QDR), 10.0(FDR10) or 14.0 Gbps

...

After: switch (config) # show interfaces ib 1/1

IB1/1 state:

Logical port state : Down

Physical port state : Polling

Current line rate : -

Supported speeds : sdr, ddr, qdr, fdr10, fdr

...

C.2.2 WebUI Change

In the Ports page of the MLNX-OS WebUI, the “Supported speeds” and “Speed” fields have been modified to reflect the change in the CLI. “Supported speeds” and “Speed” now display speed names instead of the speed figures.


Figure 37: Ports WebUI Page


C.3 IB SM Link Speed Change

IB SM link speed has changed to improve user experience when configuring InfiniBand interface speeds, to support additional permutations for setting allowed speeds, and to display clear default values and negotiation outputs.

IB SM link speed commands accept any of the following speed name combinations: SDR; DDR; QDR; FDR10; FDR; EDR.

Commands with the old syntax, however, are still supported.

Before: switch (config) # ib sm force-link-speed ?

0 Do not modify switch assigned default value

1 Negotiate only 2.5 Gbps rate

3 Negotiate 2.5 or 5.0 Gbps rate

5 Negotiate 2.5 or 10.0 Gbps rate

7 Negotiate 2.5, 5.0, or 10.0 Gbps rate

13 Negotiate 2.5, 10.0(QDR) or 10.0(FDR19) Gbps

15 Negotiate 2.5, 5.0, 10.0(QDR) or 10.0(FDR10) Gbps

21 Negotiate 2.5, 10.0(QDR) or 14.0 Gbps

23 Negotiate 2.5, 5.0, 10.0(QDR) or 14.0 Gbps

29 Negotiate 2.5, 10.0(QDR), 10.0(FDR10) or 14.0 Gbps

31 Negotiate 2.5, 5.0, 10.0(QDR), 10.0(FDR10) or 14.0 Gbps

After: switch (config) # ib sm force-link-speed ?

sdr 10.0 Gbps rate on 4 lane width

ddr 20.0 Gbps rate on 4 lane width

qdr 40.0 Gbps rate on 4 lane width

fdr10 40.0 Gbps rate on 4 lane width

fdr 56.0 Gbps rate on 4 lane width

edr 100.0 Gbps rate on 4 lane width


The command “no ib sm force-link-speed” configures default speed.

Before: switch (config) # no ib sm force-link-speed

switch (config) # show ib sm force-link-speed

15 (Negotiate 2.5, 5.0, 10.0(QDR) or 10.0(FDR10) Gbps)

After: switch (config) # no ib sm force-link-speed

switch (config) # show ib sm force-link-speed

Default: set to PortInfo:LinkSpeedSupported

Show IB SM speed command displays negotiation as well as speed names.

Before: switch (config) # show ib sm force-link-speed

5 (Negotiate 2.5 or 10.0 Gbps rate)

After: switch (config) # show ib sm force-link-speed

Negotiate: sdr, qdr

The output of the command “show ib sm force-link-speed-ext”:

Before: switch (config) # show ib sm force-link-speed-ext

1 (Allow extended negotiation speeds with 14.0 Gbps rate)

After: switch (config) # show ib sm force-link-speed-ext

Negotiate: fdr
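A monitoring or configuration-audit script that reads “show ib sm force-link-speed” has to accept both output forms while switches on old and new releases coexist. The following is an added example, not code from the manual: it normalizes either form to a set of speed names. The function names are hypothetical, and the bit-to-name mapping is an assumption inferred from the numeric values listed in the “Before” output above. It does not cover “force-link-speed-ext”, whose legacy value uses a different encoding.

```python
import re

# Legacy bit values inferred from the "Before" listing in this section
# (1 = 2.5, 2 = 5.0, 4 = 10.0(QDR), 8 = 10.0(FDR10), 16 = 14.0 Gbps per lane).
# Assumption drawn from the listed values 1, 3, 5, 7, 13, 15, 21, 23, 29, 31.
LEGACY_BITS = [(1, "sdr"), (2, "ddr"), (4, "qdr"), (8, "fdr10"), (16, "fdr")]
KNOWN_NAMES = {"sdr", "ddr", "qdr", "fdr10", "fdr", "edr"}


def parse_force_link_speed(line):
    """Return the set of negotiated speed names, or None for the switch default.

    Accepts one output line of "show ib sm force-link-speed" in the legacy
    form ("5 (Negotiate 2.5 or 10.0 Gbps rate)") or in the new form
    ("Negotiate: sdr, qdr" / "Default: set to PortInfo:LinkSpeedSupported").
    """
    text = line.strip()
    if text.lower().startswith("default:"):
        return None
    new_form = re.match(r"negotiate:\s*(.+)$", text, re.IGNORECASE)
    if new_form:
        names = {n.strip().lower() for n in new_form.group(1).split(",") if n.strip()}
        unknown = names - KNOWN_NAMES
        if unknown or not names:
            raise ValueError(f"unrecognised speed names: {sorted(unknown)}")
        return names
    legacy = re.match(r"(\d+)\b", text)
    if not legacy:
        raise ValueError(f"unrecognised output line: {line!r}")
    value = int(legacy.group(1))
    if value == 0:  # "Do not modify switch assigned default value"
        return None
    leftover = value & ~sum(bit for bit, _ in LEGACY_BITS)
    if leftover:
        # Fail closed: an unknown bit means the mapping above is incomplete.
        raise ValueError(f"legacy value {value} has unknown bits {leftover:#x}")
    return {name for bit, name in LEGACY_BITS if value & bit}


def same_policy(old_line, new_line):
    """True when a pre-upgrade and a post-upgrade line describe the same speeds."""
    return parse_force_link_speed(old_line) == parse_force_link_speed(new_line)
```

The default case does not compare equal across releases: per the outputs above, the old release prints 15 after “no ib sm force-link-speed” while the new one prints “Default”, so a drift check has to treat that pair separately.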

C.4 Multi-ASIC Support

Multi-ASIC support has been added to MLNX-OS in order to support the new EDR director switch systems whose leafs feature two ASICs per leaf, to improve MIB module indexing and better represent module hierarchy, to add an additional hierarchy level with an ASIC device to support more than one ASIC per module, and to add support to all sensors.

C.4.1 CLI Change

Added a new “Device” column to the output of the command “show guids”.

Before: switch (config) # show guids

==============================================

SX module GUID

==============================================

SYSTEM 00:05:C9:03:00:42:D8:00

S01 00:02:C9:03:00:84:3B:60

L17 00:02:C9:03:00:84:3B:40

L18 00:02:C9:03:00:84:3A:F0

S05 00:02:C9:03:00:84:3B:70

L01 00:02:C9:03:00:84:3B:80

L03 00:02:C9:03:00:84:3B:90

L04 00:02:C9:03:00:61:ED:00

L06 00:02:C9:03:00:84:3B:A0

L09 00:02:C9:03:00:84:3B:50

L11 00:02:C9:03:00:84:3B:10

L13 00:02:C9:03:00:61:EC:B0

L15 00:02:C9:03:00:66:C9:B0

L16 00:02:C9:03:00:66:C9:60

...

After: switch (config) # show guids

==============================================

Module Device GUID

==============================================

SYSTEM - 00:05:C9:03:00:42:D8:00

S01 SX 00:02:C9:03:00:84:3B:60

S02 SX 00:02:C9:03:00:84:3B:40

S03 SX 00:02:C9:03:00:84:3A:F0

S04 SX 00:02:C9:03:00:84:3B:70

S05 SX 00:02:C9:03:00:84:3B:80

S06 SX 00:02:C9:03:00:84:3B:90

S07 SX 00:02:C9:03:00:61:ED:00

S08 SX 00:02:C9:03:00:84:3B:A0

S09 SX 00:02:C9:03:00:84:3B:50

S10 SX 00:02:C9:03:00:84:3B:10

S11 SX 00:02:C9:03:00:61:EC:B0

S12 SX 00:02:C9:03:00:66:C9:B0

S13 SX 00:02:C9:03:00:66:C9:60

...


The output of the command “show guids” on an EDR director switch:

switch (config) # show guids

==============================================

Module Device GUID

==============================================

SYSTEM - 00:05:C9:03:00:42:D8:00

S01 SIB 00:02:C9:03:00:84:3B:60

S02 SIB 00:02:C9:03:00:84:3B:40

S03 SIB 00:02:C9:03:00:84:3A:F0

S04 SIB 00:02:C9:03:00:84:3B:70

S05 SIB 00:02:C9:03:00:84:3B:80

S06 SIB 00:02:C9:03:00:84:3B:90

S07 SIB 00:02:C9:03:00:61:ED:00

S08 SIB 00:02:C9:03:00:84:3B:A0

S09 SIB 00:02:C9:03:00:84:3B:50

S10 SIB 00:02:C9:03:00:84:3B:10

S11 SIB 00:02:C9:03:00:61:EC:B0

S12 SIB 00:02:C9:03:00:66:C9:B0

S13 SIB 00:02:C9:03:00:66:C9:60

S14 SIB 00:02:C9:03:00:66:C9:50

S15 SIB 00:02:C9:03:00:66:C9:50

S16 SIB 00:02:C9:03:00:66:C9:50

l01 SIB1 00:02:C9:03:00:31:81:80

l01 SIB2 00:02:C9:03:00:31:81:81

...

On 1U switches, the command “show guids” displays “MGMT” under the “Module” column instead of “1”.

Before: switch (config) # show guids

============================================

SX module GUID

============================================

SYSTEM 00:02:C9:03:00:A8:EA:10

1 00:02:C9:03:00:A8:EA:12

After: switch (config) # show guids

=============================================

Module Device GUID

=============================================

SYSTEM - F4:52:14:03:00:11:E4:F0

MGMT SX F4:52:14:03:00:11:E4:F2

Added a “Device” column to the command “show asic-version”.

Before: switch (config) # show asic-version

==============================

Module Version

==============================

MGMT 9.3.3150

After: switch (config) # show asic-version

================================================

Module Device Version

================================================

MGMT SX 9.3.3150


The output of the command “show asic-version” on an EDR director switch system:

switch (config) # show guids

================================================

Module Device Version

================================================

l01 SIB1 11.0.1296

l01 SIB2 11.0.1296

l02 SIB1 11.0.1296

l02 SIB2 11.0.1296

l03 SIB1 11.0.1296

l03 SIB2 11.0.1296

l04 SIB1 11.0.1296

l04 SIB2 11.0.1296

l05 SIB1 11.0.1296

l05 SIB2 11.0.1296

l06 SIB1 11.0.1296

l06 SIB2 11.0.1296

...

C.4.2 MIB entPhysicalTable Change

The entPhysicalIndex and entPhysicalDescr columns now display and convey module hierarchy.

• entPhysicalDescr in entPhysicalTable has been revamped and now represents the ASIC module hierarchy

• entPhysicalIndex in entPhysicalTable now represents a legend and not just a running number. For example (line 9 in Figure 39), “S01/BOARD_MONITOR/T1” has the index 301030011 which indicates the following: 3=Spine, 1=index, 3=BOARD_MONITOR, 1=T, 1=T1.

Figure 38: MIB entPhysicalTable Before Screenshot


Figure 39: MIB entPhysicalTable After Screenshot


C.5 MGMT Module Display Change

The MGMT module display is improved to better represent the actual structure of modules within the system. The commands “show power consumers” and “show temperature” now display information from the MGMT module.

The output of the command “show power consumers” on a 1U PPC switch system:

Before: switch (config) # show power consumers

==================================================================

Module Device Power Voltage Current Status

(Watts) (Amp)

==================================================================

CURR_MONITOR MONITOR 33.31 11.72 2.84 OK

Total power used : 33.31 W

Max power : 235.00 W

After: switch (config) # show power consumers

==================================================================

Module Device Power Voltage Current Status

(Watts) (Amp)

==================================================================

MGMT CURR 33.31 11.72 2.84 OK

Total power used : 33.31 W

Max power : 235.00 W

The output of the command “show temperature” on a 1U PPC switch system:

Before: switch (config) # show temperature

========================================================

Module Component Reg CurTemp Status

(Celsius)

========================================================

MGMT BOARD_MONITOR T1 26.50 OK

MGMT CPU_MEZZ_TEMP T1 27.00 OK

CPU_X86 CPU Core Sensor T1 28.00 OK

CPU_X86 CPU Core Sensor T2 30.00 OK

CPU_X86 CPU Core Sensor T3 56.00 OK

CPU_X86 CPU Core Sensor T4 26.00 OK

CPU_X86 CPU package Sensor T4 38.00 OK

MGMT QSFP_TEMP1 T1 27.00 OK

...

After: switch (config) # show temperature

========================================================

Module Component Reg CurTemp Status

(Celsius)

========================================================

MGMT CPU Core Sensor T1 28.00 OK

MGMT CPU Core Sensor T2 30.00 OK

MGMT CPU Core Sensor T3 56.00 OK

MGMT CPU Core Sensor T4 26.00 OK

MGMT CPU package Sensor T4 40.00 OK

MGMT BOARD_MONITOR T1 26.50 OK

MGMT CPU_MEZZ_TEMP T1 27.00 OK

MGMT QSFP_TEMP1 T1 27.00 OK

...


C.6 MLNX-OS Image Name Change

The “SX_” prefix has been removed from the name of the MLNX-OS image.

C.6.1 CLI Change

The output of the command “show version”:

Before: switch (config) # show version

Product name: SX_X86_64

Product release: SX_3.4.0008

Build ID: #1-dev

Build date: 2014-11-10 20:07:51

Target arch: x86_64

Target hw: x86_64

Built by: jenkins@fit74

Version summary: SX_X86_64 SX_3.4.0008 2014-11-10 20:07:51 X86_64

...

After: switch (config) # show version

Product name: MLNX-OS

Product release: 3.4.2000

Build ID: #1-dev

Build date: 2015-05-06 02:16:39

Target arch: x86_64

Target hw: m460ex

Built by: jenkins@fit74

Version summary: X86_64 3.4.2000 2015-04-12 20:06:05 X86_64

...

The output of the command “show images”:

switch (config) # show images

Installed images:

Partition 1:

PPC_M460EX 3.4.2000 2015-05-06 02:16:39 ppc

Partition 2:

SX_PPC_M460EX SX_3.4.0000 2014-10-14 20:26:41 ppc //older version with “SX_” prefix

Last boot partition: 1

Next boot partition: 1

...

C.6.2 WebUI Status Page Change

In the “Status” page of the MLNX-OS WebUI, the “Software Version” field has been modified to reflect the change in the image file name so now it appears without the prefix “SX_” (Figure 40).


Figure 40: Status WebUI Page


C.7 CPU Module Display Change

The CPU module has been removed from the outputs of the CLI commands “show inventory” and “show modules”.

C.7.1 CLI Change

The command “show inventory” does not list CPU under the “Module” column.

Before switch (config) # show inventory

=================================================================================================

Module Type Part number Serial Number Asic revision HW Revision

=================================================================================================

CHASSIS SX6036 MSX6036F-1SFS MT1343X02004 N/A A3

MGMT SX6036 MSX6036F-1SFS MT1343X02004 2 A3

FAN SXX0XX_FAN MSX60-FF MT1342X03954 N/A A1

PS1 SXX0XX_PS MSX60-PF MT1342X03824 N/A A1

CPU CPU SA000203-B MT1140X00201 N/A A1

After switch (config) # show inventory

=================================================================================================

Module Type Part number Serial Number Asic revision HW Revision

=================================================================================================

CHASSIS SX6036 MSX6036F-1SFS MT1343X02004 N/A A3

MGMT SX6036 MSX6036F-1SFS MT1343X02004 2 A3

FAN SXX0XX_FAN MSX60-FF MT1342X03954 N/A A1

PS1 SXX0XX_PS MSX60-PF MT1342X03824 N/A A1


The command “show module” does not list CPU under the “Module” column.

Before: switch (config) # show module

====================================================

Module Type Present Power Is Fatal

====================================================

MGMT SX6036 1 1 Not Fatal

FAN SXX0XX_FAN 1 1 Not Fatal

PS1 SXX0XX_PS 1 1 Not Fatal

PS2 SXX0XX_PS 0 0 Not Fatal

CPU CPU 1 1 Not Fatal

After: switch (config) # show module

====================================================

Module Type Present Power Is Fatal

====================================================

MGMT SX6036 1 1 Not Fatal

FAN SXX0XX_FAN 1 1 Not Fatal

PS1 SXX0XX_PS 1 1 Not Fatal

PS2 SXX0XX_PS 0 0 Not Fatal

C.7.2 WebUI System Inventory Page Change

In the “System > Inventory” page of the MLNX-OS WebUI, the “Module” column does not display the CPU module anymore (Figure 41).

Figure 41: System Inventory WebUI Page
