Dell C7004 C150 Aggregation Core Chassis Switch Configuration Manual Networking OS 8.4.6.0 Guide For The E Series TeraScale, C Series, S (S50/S25)
2015-01-05
Page Count: 1320
Dell Networking OS
Configuration Guide
Dell Networking OS 8.4.6.0
E-Series TeraScale, C-Series,
S-Series (S50/S25)
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this publication is subject to change without notice.
© 2014 Dell Force10. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
© 2014 Dell Inc.
Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective
companies.
April 2014
1 About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Information Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
2 Configuration Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Access the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Navigate CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
The do Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Undo Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Obtain Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Enter and Edit Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Filter show Command Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Multiple Users in Configuration mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Configure a Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Access the System Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Access the C-Series and E-Series Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Access the S-Series Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configure the Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Configuration File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Copy Files to and from the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Save the Running-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
View Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
File System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
View command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Upgrade and Downgrade Dell Networking OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
4 System Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configure Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Create a Custom Privilege Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Apply a Privilege Level to a Username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Apply a Privilege Level to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Log Messages in the Logging Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Configuration Task List for System Log Management . . . . . . . . . . . . . . . . . . . . . . . .62
Disable System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Send System Messages to a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Configure a Unix System as a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
| 3
www.dell.com | support.dell.com
Change System Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Display the Logging Buffer and the Logging Configuration . . . . . . . . . . . . . . . . . . . . . . .64
Configure a UNIX Logging Facility Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Synchronize Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Enable Timestamp on Syslog Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Configuration Task List for File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Deny and Permit Access to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Configure Login Authentication for Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . .70
Time out of EXEC Privilege Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Telnet to Another Network Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Lock CONFIGURATION mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
View the Configuration Lock Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Recovering from a Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Recovering from a Forgotten Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Recovering from a Forgotten Password on S-Series . . . . . . . . . . . . . . . . . . . . . . . .76
Recovering from a Failed Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
5 802.1ag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Maintenance Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Maintenance End Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Configure CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Enable Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Create a Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Create a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Create Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Create a Maintenance End Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Create a Maintenance Intermediate Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
MP Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Continuity Check Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Enable CCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Enable Cross-checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Loopback Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Linktrace Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Link Trace Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Enable CFM SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Display Ethernet CFM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
6 802.3ah . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Link Layer OAM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Link Layer OAMPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Link Layer OAM Operational Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Link Layer OAM Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Link Layer OAM Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Remote Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configuring Link Layer OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Enable Link Layer OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Adjust the OAMPDU Transmission Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Link Performance Event Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Enable Error Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Set Threshold Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Execute an Action upon Exceeding the High Threshold . . . . . . . . . . . . . . . . . . . . .102
Remote Failure Indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Remote Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Display Link Layer OAM Configuration and Statistics . . . . . . . . . . . . . . . . . . . . . . . . . .104
Manage Link Layer OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Enable MIB Retrieval Support/Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Adjust the Size of the Link OAM Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
7 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
The Port-authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
EAP over RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Enabling 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configuring Request Identity Re-transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring a Quiet Period after a Failed Authentication . . . . . . . . . . . . . . . . . . . . 114
Forcibly Authorize or Unauthorize a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Re-Authenticating a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Periodic Re-Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Dynamic VLAN Assignment with Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Guest and Authentication-Fail VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Configure a Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Configure an Authentication-Fail VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Multi-Host Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Multi-Supplicant Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
MAC Authentication Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
MAB in Single-host and Multi-Host Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
MAB in Multi-Supplicant Authentication Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Dynamic CoS with 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
8 IP Access Control Lists (ACL), Prefix Lists, and Route-maps . . . . . . . . . . . . . . . 133
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
IP Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
CAM Profiling, CAM Allocation, and CAM Optimization . . . . . . . . . . . . . . . . . . . . .134
Implement ACLs on Dell Networking OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
IP Fragment Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Configure a standard IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configure an extended IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Established Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Configure Layer 2 and Layer 3 ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . .146
Assign an IP ACL to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Counting ACL Hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Configure Ingress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Configure Egress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Egress Layer 3 ACL Lookup for Control-plane IP Traffic . . . . . . . . . . . . . . . . . . . .150
Configure ACLs to Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Applying an ACL on Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
IP Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Configuration Task List for Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
ACL Resequencing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Resequence an ACL or Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Configuration Task List for Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
9 Bidirectional Forwarding Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
How BFD Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Configure Bidirectional Forwarding Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Configuring BFD for Physical Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Configuring BFD for Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Configuring BFD for OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Configuring BFD for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Configuring BFD for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Configuring BFD for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Configuring BFD for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Configuring BFD for Port-Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Configuring Protocol Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Troubleshoot BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
10 Border Gateway Protocol IPv4 (BGPv4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Autonomous Systems (AS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Sessions and Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Route Reflectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
BGP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Best Path Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Local Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Multi-Exit Discriminators (MEDs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
AS Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Multiprotocol BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Implement BGP with Dell Networking OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
4-Byte AS Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
AS4 Number Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
AS Number Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
BGP4 Management Information Base (MIB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
BGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Configuration Task List for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
MBGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
BGP Regular Expression Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Retain NH in BGP Advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Debug BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Store Last and Bad PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Capture PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
PDU Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
11 Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Microcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
CAM Profiling for ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Boot Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
When to Use CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Select CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
CAM Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Test CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
View CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
View CAM-ACL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
View CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Configuring IPv4Flow Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Configuring Ingress Layer 2 ACL Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Return to the Default CAM Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
CAM Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Applications for CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
LAG Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
LAG Hashing based on Bidirectional Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
CAM profile for the VLAN ACL group feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Troubleshoot CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
CAM Profile Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
QoS CAM Region Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
12 Configuration Replace and Rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Archived Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Configuring Configuration Replace and Rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Enable the Archive Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Archive a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
View the Archive Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Replace the Current Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Roll Back to the Previous Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Configure an Archive File Maximum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Configure Auto-archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Copy and Delete an Archive File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
View and Edit the Contents of an Archive File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
View the Difference between Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . .310
13 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
DHCP Packet Format and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Assign an IP Address using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configure the System to be a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Configure the Server for Automatic Address Allocation . . . . . . . . . . . . . . . . . . . . . .317
Specify a Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Enabling DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Configuring a Method of Hostname Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Allocate Addresses to BOOTP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Creating Manual Binding Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Check for Address Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
DHCP Clear Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Configure the System to be a Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Configure Secure DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Drop DHCP packets on snooped VLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Dynamic ARP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Source Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
14 Equal Cost Multi-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
ECMP for Flow-based Affinity (E-Series) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Configurable Hash Algorithm (E-Series) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Deterministic ECMP Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Configurable Hash Algorithm Seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Configurable ECMP Hash Algorithm (C- and S-Series) . . . . . . . . . . . . . . . . . . . . . . . . .336
15 Force10 Resilient Ring Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Ring Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Multiple FRRP Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Important FRRP Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Important FRRP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Implement FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
FRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Troubleshoot FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Configuration Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Sample Configuration and Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
16 Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Configure Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Enable Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Specify an SMTP Server for FTSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Providing an Administrator E-mail Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
FTSA Messaging Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Enable the FTSA Messaging Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Add Additional Recipients of FTSA E-mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Encrypting FTSA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Provide Administrator Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Set the Frequency of FTSA Type 3 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Generating FTSA Type 4 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Set Parameters for FTSA Type 5 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
FTSA Message Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
FTSA Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Create an FTSA Policy Test List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Create a Policy Action List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Creating a Policy and Assigning a Test and Action List . . . . . . . . . . . . . . . . . . . . . .365
Additional Policy Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
FTSA Policy Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Debug FTSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
17 GARP VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Configuring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Enabling GVRP Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Enabling GVRP on a Layer 2 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configuring GVRP Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configuring a GARP Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
18 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Component Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
RPM Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
RPM Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Line Card Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Hitless Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Software Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Runtime System Health Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
SFM Channel Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Software Component Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
System Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Failure and Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Hot-lock Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Warm Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Configure Cache Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
In-Service Modular Hot-Fixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Process Restartability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
19 Internet Group Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
IGMP Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
IGMP Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
IGMP version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
IGMP version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Viewing IGMP Enabled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Selecting an IGMP Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Viewing IGMP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Adjusting Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Adjusting Query and Response Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Adjusting the IGMP Querier Timeout Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Configuring a Static IGMP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
IGMP Snooping Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Configuring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Disabling Multicast Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Specifying a Port as Connected to a Multicast Router . . . . . . . . . . . . . . . . . . . . . .417
Configuring the Switch as Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Fast Convergence after MSTP Topology Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Designating a Multicast Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
20 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Interface Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
View Basic Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Enable a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Configuration Task List for Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Overview of Layer Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
Configure Layer 2 (Data Link) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
Configure Layer 3 (Network) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Configure Management Interfaces on the E-Series and C-Series . . . . . . . . . . . . .427
Configure Management Interfaces on the S-Series . . . . . . . . . . . . . . . . . . . . . . . .428
Displaying Information on a Management Interface . . . . . . . . . . . . . . . . . . . . . . . .429
VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Null Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Port Channel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Bulk Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Bulk Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Interface Range Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Define the Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Choose an Interface-range Macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Monitor and Maintain Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Maintenance using TDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Link Debounce Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Important Points to Remember about Link Debounce Timer . . . . . . . . . . . . . . . . .450
Assign a debounce time to an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Show debounce times on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Disable ports when only one SFM is available (E300 only) . . . . . . . . . . . . . . . . . .451
Disable port on one SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
Splitting QSFP Ports to SFP+ Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Enable Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Ethernet Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Threshold Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Enable Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
Configure MTU Size on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Port-pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Auto-Negotiation on Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
View Advanced Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Display Only Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Configure Interface Sampling Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Dynamic Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
21 IPv4 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Configuration Task List for IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Resolution of Host Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Configuration Task List for ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
ARP Learning via Gratuitous ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
ARP Learning via ARP Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Configurable ARP Retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuration Task List for ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuring UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Important Points to Remember about UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Enabling UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Configuring a Broadcast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Configurations Using UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
UDP Helper with Broadcast-all Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483
UDP Helper with Subnet Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . .483
UDP Helper with Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . .484
UDP Helper with No Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . .485
Troubleshooting UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485
22 IPv6 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487
Extended Address Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Stateless Autoconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
IPv6 Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Extension Header fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Implementing IPv6 with Dell Networking OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
IPv6 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
IPv6 Neighbor Discovery of MTU packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
Advertise Neighbor Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
QoS for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
IPv6 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
SSH over an IPv6 Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Configuration Task List for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Change your CAM-Profile on an E-Series system . . . . . . . . . . . . . . . . . . . . . . . . .500
Adjust your CAM-Profile on a C-Series or S-Series . . . . . . . . . . . . . . . . . . . . . . . .501
Assign an IPv6 Address to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Assign a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Telnet with IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
SNMP over IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Show IPv6 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Show an IPv6 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Show IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Show the Running-Configuration for an Interface . . . . . . . . . . . . . . . . . . . . . . . . . .509
Clear IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
23 Intermediate System to Intermediate System . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
IS-IS Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Multi-Topology IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Transition Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Interface support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Adjacencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Configuration Task List for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Configuring the distance of a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Change the IS-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
IS-IS Metric Styles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Configure Metric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Maximum Values in the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Changing the IS-IS Metric Style in One Level Only . . . . . . . . . . . . . . . . . . . . . . . .536
Leaking from One Level to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .538
Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
24 Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Introduction to Dynamic LAGs and LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
LACP modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
LACP Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
LACP Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .548
Monitoring and Debugging LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Configure Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Important Points about Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . .552
Configure LACP as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
LACP Basic Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
25 Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Managing the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Clear the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Set the Aging Time for Dynamic Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Set the Aging Time for Dynamic Entries on a VLAN . . . . . . . . . . . . . . . . . . . . . . . .564
Configure a Static MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Display the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
mac learning-limit dynamic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
mac learning-limit station-move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
mac learning-limit no-station-move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
mac learning-limit sticky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Displaying MAC Learning-Limited Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Learning Limit Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Station Move Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Recovering from Learning Limit and Station Move Violations . . . . . . . . . . . . . . . . .571
Per-VLAN MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
MAC Move Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Microsoft Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Configuring the Switch for Microsoft Server Clustering . . . . . . . . . . . . . . . . . . . . . .575
Enable and Disable VLAN Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .576
Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Important Points about Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . .578
Restricting Layer 2 Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .580
Far-end Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581
FEFD state changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .582
Configuring FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .582
Debugging FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
26 Link Layer Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
802.1AB (LLDP) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Protocol Data Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Optional TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Management TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
TIA-1057 (LLDP-MED) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
TIA Organizationally Specific TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
802.3AT (Power-via-MDI) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
IEEE 802.3 Organizationally Specific TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Power-Via-MDI TLV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Configuring LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
LLDP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
CONFIGURATION versus INTERFACE Configurations . . . . . . . . . . . . . . . . . . . . . . . .598
Enabling LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Disabling and Undoing LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Advertising TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
| 15
www.dell.com | support.dell.com
Viewing the LLDP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Viewing Information Advertised by Adjacent LLDP Agents . . . . . . . . . . . . . . . . . . . . . .601
Configuring LLDPDU Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
Configuring Transmit and Receive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Configuring a Time to Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .604
Debugging LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
Relevant Management Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .606
27 Multicast Listener Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613
MLD Version 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613
MLD Querier Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614
Joining a Multicast Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614
Leaving a Multicast Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
MLD Version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .616
Enabling MLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Related MLD Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .616
Change MLD Timer Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .617
Reduce Host Response Burstiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .617
Reduce Leave Latency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .617
Last Member Query Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Explicit Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Configure a Static Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Display the MLD Group Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Clear MLD Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Change the MLD Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Debug MLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
MLD Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Enable MLD Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Disable MLD Snooping on a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Configure the Switch as a Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Disable Multicast Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Specify a Port as Connected to a Multicast Router . . . . . . . . . . . . . . . . . . . . . . . . .620
Enable Snooping Explicit Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Display the MLD Snooping Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
MLDv2 Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Port Inheritance on Mixed MLD Mode VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
28 Multicast Source Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .623
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
Configuring Multicast Source Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Enable MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Manage the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .630
View the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Limit the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Clear the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Enable the Rejected Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Accept Source-active Messages that fail the RPF Check . . . . . . . . . . . . . . . . . . . . . . .632
Limit the Source-active Messages from a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634
Prevent MSDP from Caching a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Prevent MSDP from Caching a Remote Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Prevent MSDP from Advertising a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .637
Log Changes in Peership States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638
Terminate a Peership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638
Clear Peer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Debug MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
MSDP with Anycast RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Reducing Source-active Message Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .642
Specify the RP Address Used in SA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . .642
MSDP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646
29 Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Configure Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Enable Multiple Spanning Tree Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Create Multiple Spanning Tree Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Influence MSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Interoperate with Non-Dell Networking OS Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .658
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .659
Configure a Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
Configure a Loop Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661
Flush MAC Addresses after a Topology Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Displaying STP Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
MSTP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
Debugging and Verifying MSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
30 Multicast Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Enable IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Multicast with ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .672
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
IPv4 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
IPv6 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .681
Multicast Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Multicast Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Optimize the E-Series for Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Allocate More Buffer Memory for Multicast WRED . . . . . . . . . . . . . . . . . . . . . . . . .684
Allocate More Bandwidth to Multicast using Egress WFQ . . . . . . . . . . . . . . . . . . .684
Tune the Central Scheduler for Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .684
31 Object Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Object Tracking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .685
Tracking Layer 2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .686
Tracking Layer 3 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Tracking IPv4 and IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Setting Tracking Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
VRRP Object Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Object Tracking Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .689
Tracking a Layer 2 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .689
Tracking a Layer 3 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .690
Tracking an IPv4/IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .692
Displaying Tracked Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .696
32 Open Shortest Path First (OSPFv2 and OSPFv3) . . . . . . . . . . . . . . . . . . . . . . . 699
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700
Autonomous System (AS) Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700
Area Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Networks and Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .702
Router Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .702
Designated and Backup Designated Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .704
Link-State Advertisements (LSAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .705
Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Router Priority and Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .706
Implementing OSPF with Dell Networking OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .707
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .708
Fast Convergence (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .709
Multi-Process OSPF (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .709
Processing SNMP and Sending SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . .710
RFC-2328 Compliant OSPF Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .710
OSPF ACK Packing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
OSPF Adjacency with Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .712
Configuration Task List for OSPFv2 (OSPF for IPv4) . . . . . . . . . . . . . . . . . . . . . . . . . .712
Enable OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .713
Enable Multi-Process OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .715
Assign an OSPFv2 area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .716
Enable OSPFv2 on interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .717
Configure stub areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .719
Configure OSPF Stub-Router Advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .720
Enable passive interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .721
Enable fast-convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .722
Change OSPFv2 parameters on interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .723
Enable OSPFv2 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .725
Enable OSPFv2 graceful restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .725
Configure virtual links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .727
Filter routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Redistribute routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .729
Troubleshooting OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .730
Sample Configurations for OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .733
Basic OSPFv2 Router Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .733
Configuration Task List for OSPFv3 (OSPF for IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . .734
Enable IPv6 Unicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .735
Assign IPv6 addresses on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .735
Assign Area ID on interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .735
Assign OSPFv3 Process ID and Router ID Globally . . . . . . . . . . . . . . . . . . . . . . . .736
Configure stub areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .736
Configure Passive-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .737
Redistribute routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .738
Configure a default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .738
Enable OSPFv3 graceful restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739
OSPFv3 Authentication Using IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .742
Troubleshooting OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .752
33 PIM Dense-Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Refusing Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .756
Requesting Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .757
Configure PIM-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758
Enable PIM-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
34 PIM Sparse-Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .763
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .764
Requesting Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .764
Refusing Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .764
Sending Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .765
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .765
Configure PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .765
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .766
Enable PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Configurable S,G Expiry Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .767
Configure a Static Rendezvous Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .768
Override Bootstrap Router Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .769
Elect an RP using the BSR Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .770
Configure a Designated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771
Create Multicast Boundaries and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771
Set a Threshold for Switching to the SPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772
PIM-SM Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772
First Packet Forwarding for Lossless Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .773
Monitoring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
PIM-SM and IGMP Snooping: Usage Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .774
PIM-SM Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Configuration Notes and Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
PIM-SM Snooping Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .778
PIM-SM Snooping Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
35 PIM Source-Specific Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Configure PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Enable PIM-SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .788
Use PIM-SSM with IGMP version 2 Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .788
36 Power over Ethernet and Power over Ethernet Plus . . . . . . . . . . . . . . . . . . . . . . 793
Configuring PoE/PoE+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .796
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .796
Enabling PoE/PoE+ on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .797
Upgrade the PoE Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .800
Manage Ports using Power Priority and the Power Budget . . . . . . . . . . . . . . . . . . . . . .801
Determine the Power Priority for a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .801
Determine the Effect of a Port on the Power Budget . . . . . . . . . . . . . . . . . . . . . . .803
Monitor the Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804
Manage Power Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .805
Recover from a Failed Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .806
Insertion and Removal of Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .807
Power Additional PoE Ports on the S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .807
Deploying VOIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Create VLANs for an Office VOIP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Configure LLDP-MED for an Office VOIP Deployment . . . . . . . . . . . . . . . . . . . . . .809
Configure Quality of Service for an Office VOIP Deployment . . . . . . . . . . . . . . . . .810
37 Policy-based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Implementing Policy-based Routing with Dell Networking OS . . . . . . . . . . . . . . . . . . .815
Non-contiguous bitmasks for PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .815
Hot-Lock PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .815
Configuration Task List for Policy-based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . .816
Create a Redirect List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .816
Create a Rule for a Redirect-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .817
Apply a Redirect-list to an Interface using a Redirect-group . . . . . . . . . . . . . . . . . .820
Show Redirect List Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .821
Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .822
38 Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .825
Port Monitoring on E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .826
E-Series TeraScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .827
E-Series ExaScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .827
Port Monitoring on C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .828
Configuring Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .831
Flow-based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .832
Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .833
Remote Port Mirroring Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .834
Configuring Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .834
Displaying Remote-Port Mirroring Configurations . . . . . . . . . . . . . . . . . . . . . . . . . .841
Sample Configuration: Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . .842
39 Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .846
Configure Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .847
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .847
Configure PVLAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .847
Place PVLAN Ports in a Secondary VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .847
Place the Secondary VLANs in a Primary VLAN . . . . . . . . . . . . . . . . . . . . . . . . . .848
Private VLAN show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .848
40 Per-VLAN Spanning Tree Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .851
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Configure Per-VLAN Spanning Tree Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Enable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
Disable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .853
Influence PVST+ Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .853
Modify Global PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .856
Modify Interface PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .856
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .857
Configure a Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .859
Configure a Loop Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .860
PVST+ in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861
PVST+ Extended System ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861
Displaying STP Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .862
PVST+ Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
41 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .867
Port-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .868
Set dot1p Priorities for Incoming Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .868
Honor dot1p Priorities on Ingress Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .869
Configure Port-based Rate Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .870
Configure Port-based Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .871
Configure Port-based Rate Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .872
Policy-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .873
Classify Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .873
Create a QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .877
Create Policy Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .880
QoS Rate Adjustment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .885
Strict-priority Queueing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .886
Weighted Random Early Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .886
Create WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .887
Apply a WRED profile to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .887
Configure WRED for Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .887
Display Default and Configured WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . .888
Display WRED Drop Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .888
Allocating Bandwidth to Multicast Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .889
22
|
Pre-calculating Available QoS CAM Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .890
Viewing QoS CAM Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .891
42 Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .893
RIPv1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .894
Configuration Task List for RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .895
RIP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .902
43 Remote Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Fault Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
44 Rapid Spanning Tree Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .915
Configuring Rapid Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .915
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .915
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .916
RSTP and VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .916
Configure Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .917
Enable Rapid Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .918
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .921
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .921
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .923
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .923
Influence RSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .925
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . . .925
Fast Hellos for Link State Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926
Configure a Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .927
Configure a Loop Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .928
Displaying STP Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .929
45 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Configuration Task List for AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .932
AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .934
Configuration Task List for AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .934
AAA Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .937
Privilege Levels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .937
| 23
www.dell.com | support.dell.com
Configuration Task List for Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
RADIUS Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .943
Configuration Task List for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .945
TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
Configuration Task List for TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .948
TACACS+ Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . .950
Command Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .952
Protection from TCP Tiny and Overlapping Fragment Attacks . . . . . . . . . . . . . . . . . . .952
SCP and SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952
Using SCP with SSH to copy a software image . . . . . . . . . . . . . . . . . . . . . . . . . . .954
Secure Shell Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .955
Troubleshooting SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .958
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 959
Configuration Tasks for Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .959
VTY Line and Access-Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .965
VTY Line Local Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . .965
VTY Line Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . .966
VTY MAC-SA Filter Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .966
46 Service Provider Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .970
Configure VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .971
Create Access and Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .971
Enable VLAN-Stacking for a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .972
Configure the Protocol Type Value for the Outer VLAN Tag . . . . . . . . . . . . . . . . . .972
Dell Networking OS Options for Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .973
VLAN Stacking in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .974
VLAN Stacking Packet Drop Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .980
Enable Drop Eligibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .981
Honor the Incoming DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .981
Mark Egress Packets with a DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .982
Dynamic Mode CoS for VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .983
Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .985
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .987
Enable Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .988
Specify a Destination MAC Address for BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . .988
Rate-limit BPDUs on the E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .988
Rate-limit BPDUs on the C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . .989
Debug Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .989
Provider Backbone Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .989
24
|
47 sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .992
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .992
Enable and Disable sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
Enable and Disable on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
sFlow Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .994
Show sFlow Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .994
Show sFlow on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .994
Show sFlow on a Line Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .995
Configure Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .996
Polling Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .996
Sampling Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
Sub-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .997
Back-off Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .998
sFlow on LAG ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .998
Extended sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1000
48 Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Configure Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1002
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1002
Create a Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1002
Read Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1003
Write Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1004
Configure Contact and Location Information using SNMP . . . . . . . . . . . . . . . . . . . . .1005
Subscribe to Managed Object Value Updates using SNMP . . . . . . . . . . . . . . . . . . . .1006
Copy Configuration Files Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1009
Manage VLANs using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1014
Create a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1014
Assign a VLAN Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1014
Display the Ports in a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1015
Add Tagged and Untagged Ports to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1017
Enable and Disable a Port using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1018
Fetch Dynamic MAC Entries using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1018
Deriving Interface Indices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1020
Monitor Port-channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1022
Troubleshooting SNMP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1023
49 SONET/SDH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1025
Packet Over SONET (POS) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1025
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1025
Configuring POS Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1026
10GE WAN Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1027
SONET Alarm Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1028
SONET TRAP Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1031
SONET Syslog Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1031
Events that Bring Down a SONET Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1031
SONET Port Recovery Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1032
SONET MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
SONET Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
50 Stacking S-Series Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037
S-Series Stacking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1037
High Availability on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1037
MAC Addressing on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1039
Management Access on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1043
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1044
S-Series Stacking Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1044
Create an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1044
Add a Unit to an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1047
Remove a Unit from an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1050
Merge Two S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1052
Split an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1053
S-Series Stacking Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1053
Assign Unit Numbers to Units in an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . .1053
Create a Virtual Stack Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . .1054
Display Information about an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . .1054
Influence Management Unit Selection on an S-Series Stack . . . . . . . . . . . . . . . .1057
Manage Redundancy on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1057
Reset a Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1057
Monitor an S-Series Stack with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1058
Troubleshoot an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1058
Recover from Stack Link Flaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1058
Recover from a Card Problem State on an S-Series Stack . . . . . . . . . . . . . . . . .1059
Recover from a Card Mismatch State on an S-Series Stack . . . . . . . . . . . . . . . .1059
51 Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
Storm Control Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1061
Situations that Can Lead to Packet Storms . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1061
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1062
Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1062
Layer 3 Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1062
Layer 2 Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1063
Multicast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1064
Storm Control Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1064
52 Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1067
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1067
Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1067
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1068
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1068
Configuring Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1069
Enabling Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1070
Adding an Interface to the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . . . . . .1072
Removing an Interface from the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . .1072
Modifying Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1073
Modifying Interface STP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1074
Enabling PortFast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1074
Preventing Network Disruptions with BPDU Guard . . . . . . . . . . . . . . . . . . . . . . . . . . .1075
STP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1077
STP Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1078
Root Guard Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1078
Root Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1081
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . .1081
Configuring Spanning Trees as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1082
STP Loop Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1082
Loop Guard Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1082
Loop Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1085
Displaying STP Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1086
53 System Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1087
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1087
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1088
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1089
Configuring Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1089
Enable NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1090
Set the Hardware Clock with the Time Derived from NTP . . . . . . . . . . . . . . . . . .1091
Configure NTP broadcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1091
Disable NTP on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1091
Configure a source IP address for NTP packets . . . . . . . . . . . . . . . . . . . . . . . . . .1092
Configure NTP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1093
Dell Networking OS Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1095
Configuring time and date settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1095
Set daylight savings time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1098
54 Uplink Failure Detection (UFD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
Feature Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
How Uplink Failure Detection Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
UFD and NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106
Configuring Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
Clearing a UFD-Disabled Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Displaying Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110
Sample Configuration: Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
55 Upgrade Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
Find the upgrade procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
Get Help with upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
56 VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1117
Virtual LAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1117
Port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1118
VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1119
Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1120
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1120
Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1120
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1120
Related Protocols and Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1121
Create a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1121
Assign Interfaces to VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1122
Enable Routing between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123
Use a Native VLAN on Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
Change the Default VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1125
Set the Null VLAN as the Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1125
Enable VLAN Interface Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126
57 Virtual Routing and Forwarding (VRF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1127
VRF Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128
CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130
DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
VRF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Load the VRF CAM Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133
Enable VRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133
Assign an Interface to a VRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134
View VRF instance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135
Connect an OSPF process to a VRF instance . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Configure VRRP on a VRF Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Sample VRF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
57 Virtual Link Trunking (VLT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1145
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1145
VLT on Core Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Enhanced VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1147
VLT Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148
Configure Virtual Link Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148
RSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
58 Virtual Router Redundancy Protocol (VRRP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1193
VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193
VRRP Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1195
VRRP Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1195
VRRP version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196
VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197
Create a Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197
Assign Virtual IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1198
Set VRRP Group (Virtual Router) Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1201
Configure VRRP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1202
Disable Preempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1203
Change the Advertisement interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1204
Track an Interface or Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1205
VRRP on a VRF Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1208
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1210
VRRP for IPv4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1210
VRRP for IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1212
VRRP in VRF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1215
59 Dell Networking OS XML Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1221
XML Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1221
The Form of XML Requests and Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1222
The Configuration Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1223
The “Show” Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1224
Configuration Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1224
XML Error Conditions and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1228
Summary of XML Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1228
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1228
Examples of Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1229
| 29
www.dell.com | support.dell.com
Using display xml as a Pipe Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1231
60 C-Series Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233
Switch Fabric overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1234
Switch Fabric link monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1234
Runtime hardware status monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1236
Inter-CPU timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1238
Bootup diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1239
Recognizing bootup failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1239
Troubleshoot bootup failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1239
Environmental monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1239
Recognize an overtemperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1240
Troubleshoot an overtemperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1240
Recognize an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1241
Troubleshoot an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1241
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1241
Automatic trace log updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1242
Save a hardware log to a file on the flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1242
Manual reload messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1243
CP software exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1244
Command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1244
Advanced debugging commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1245
debug commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1245
show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1246
Monitoring hardware components with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1248
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1249
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1250
Configuration task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1250
Important points to remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1250
Take the line card offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1251
Run offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1251
View offline diagnostic test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1251
Bring the line card online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1254
Buffer tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1255
When to tune buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1256
Buffer tuning commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1257
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1260
61 E-Series TeraScale Debugging and Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . 1263
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1264
System health checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1264
Runtime dataplane loopback check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1264
Disable RPM-SFM walk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1266
RPM-SFM bring down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1267
Manual loopback test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1267
Power the SFM on/off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1268
Reset the SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1270
SFM channel monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1270
Respond to PCDFO events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1271
Inter-CPU timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1272
Debug commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1274
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1274
Show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1275
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1275
Important points to remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1276
Offline configuration task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1276
Parity error detection and correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1277
Enable parity error correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1277
Recognize a transient parity error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1278
Recognize a non-recoverable parity error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1279
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1280
Buffer full condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1280
Manual reload condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1281
CP software exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1281
View trace buffer content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1281
Write the contents of the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1282
Clear the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1282
Recognize a high CPU condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1283
Configure an action upon a hardware error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1283
Buffer traffic manager hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1283
Flexible packet classifier hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1284
Line card MAC hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1284
Core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
RPM core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1284
Line card core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1285
62 S-Series Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1287
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1288
Running Offline Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1288
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1291
Auto Save on Crash or Rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1292
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1292
Buffer tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1292
Deciding to tune buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1294
Buffer tuning commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1295
Sample buffer profile configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1297
Troubleshooting packet loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1298
Displaying Drop Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1298
Dataplane Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1300
Displaying Stack Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1302
Displaying Stack Member Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1302
Application core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1303
Mini core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1303
A Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305
IEEE Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1305
RFC and I-D Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1306
MIB Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1317
1 About this Guide
Objectives
This guide describes the protocols and features supported by the Dell Networking OS and provides
configuration instructions and examples for implementing them. It supports the system platforms E-Series,
C-Series, and S-Series.
The E-Series ExaScale platform is supported with Dell Networking OS version 8.1.1.0 and later.
Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Dell Networking systems. For complete information on
protocols, refer to other documentation including IETF Requests for Comment (RFCs). The instructions in
this guide cite relevant RFCs, and Appendix A, Standards Compliance contains a complete list of the
supported RFCs and Management Information Base files (MIBs).
Audience
This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.
Conventions
This document uses the following conventions to describe command syntax:
Convention   Description
keyword      Keywords are in bold and should be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
x|y          Keywords and parameters separated by a bar require you to choose one.
Information Symbols
Table 1-1 describes the symbols contained in this guide.
Table 1-1. Information Symbols
Symbol                   Warning                              Description
(symbol not reproduced)  Dell Networking OS Behavior          This symbol informs you of a Dell Networking OS behavior. These behaviors are inherent to the Dell Networking system or Dell Networking OS feature and are non-configurable.
ces                      Platform Specific Feature            This symbol informs you of a feature that is supported on one or two platforms only: e is for E-Series, c is for C-Series, s is for S-Series.
et ex                    E-Series Specific Feature/Command    If a feature or command applies to only one of the E-Series platforms, a separate symbol calls this to attention: et for the TeraScale or ex for the ExaScale.
*                        Exception                            This symbol is a note associated with some other text on the page that is marked with an asterisk.
Related Documents
For more information about the Dell Networking E-Series, C-Series, and S-Series refer to the following documents:
• Dell Networking OS Command Reference
• Installing and Maintaining the System
• Dell Networking OS Release Notes
2 Configuration Fundamentals
The Dell Networking OS Command Line Interface (CLI) is a text-based interface through which you can
configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series
with the exception of some commands and command outputs. The CLI is structured in modes for security
and management purposes. Different sets of commands are available in each mode, and you can limit user
access to modes using privilege levels.
In Dell Networking OS, after a command is enabled, it is entered into the running configuration file. You
can view the current configuration for the whole system or for a particular CLI mode. To save the current
configuration copy the running configuration to another location.
Note: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. These differences are identified by the information symbols shown in Table 1-1.
Access the Command Line
Access the command line through a serial console port or a Telnet session (Figure 2-1). When the system
successfully boots, you enter the command line in the EXEC mode.
Note: You must have a password configured on a virtual terminal line before you can Telnet into the
system. Therefore, you must use a console connection when connecting to the system for the first time.
Figure 2-1. Log into the System using Telnet
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
FTOS>                                  <-- EXEC mode prompt
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be
executed from another mode (with the exception of EXEC mode commands preceded by the command do;
see The do Command). You can set user access rights to commands and command modes using privilege
levels; for more information on privilege levels and security options, refer to Chapter 45, Security.
The Dell Networking OS CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably show commands, which allow you to view system information.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; see Configure the Enable Password.
• CONFIGURATION mode enables you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are sub-modes that apply to interfaces, protocols, and features. Figure 2-2 illustrates this sub-mode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
• INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1-Gigabit Ethernet, 10-Gigabit Ethernet, or SONET) or logical (Loopback, Null, port channel, or VLAN).
• LINE sub-mode is the mode in which you configure the console and virtual terminal lines.
Note: At any time, entering a question mark (?) will display the available command options. For example,
when you are in CONFIGURATION mode, entering the question mark first will list all available commands,
including the possible sub-modes.
Figure 2-2. CLI Modes in Dell Networking OS
EXEC
  EXEC Privilege
    CONFIGURATION
      ARCHIVE
      AS-PATH ACL
      INTERFACE
        GIGABIT ETHERNET
        10 GIGABIT ETHERNET
        INTERFACE RANGE
        LOOPBACK
        MANAGEMENT ETHERNET
        NULL
        PORT-CHANNEL
        SONET
        VLAN
        VRRP
          IP
          IPv6
      IP COMMUNITY-LIST
      IP ACCESS-LIST
        STANDARD ACCESS-LIST
        EXTENDED ACCESS-LIST
      LINE
        AUXILIARY
        CONSOLE
        VIRTUAL TERMINAL
      MAC ACCESS-LIST
      MONITOR SESSION
      MULTIPLE SPANNING TREE
      Per-VLAN SPANNING TREE
      PREFIX-LIST
      RAPID SPANNING TREE
      REDIRECT
      ROUTE-MAP
      ROUTER BGP
      ROUTER ISIS
      ROUTER OSPF
      ROUTER RIP
      SPANNING TREE
      TRACE-LIST
      VLT DOMAIN
Navigate CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode. Table 2-1 lists the CLI mode, its
prompt, and information on how to access and exit this CLI mode. You must move linearly through the
command modes, with the exception of the end command which takes you directly to EXEC Privilege
mode; the exit command moves you up one command mode level.
Note: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with additional modifiers to
identify the mode and slot/port information. These are shown in Table 2-1.
Table 2-1. Dell Networking OS Command Modes
CLI Command Mode             Prompt                          Access Command
EXEC                         FTOS>                           Access the router through the console or Telnet.
EXEC Privilege               FTOS#                           • From EXEC mode, enter the command enable.
                                                             • From any other mode, use the command end.
CONFIGURATION                FTOS(conf)#                     • From EXEC Privilege mode, enter the command configure.
                                                             • From every mode except EXEC and EXEC Privilege, enter the command exit.
Note: Access all of the following modes from CONFIGURATION mode.
ARCHIVE                      FTOS(conf-archive)              archive
AS-PATH ACL                  FTOS(config-as-path)#           ip as-path access-list
INTERFACE modes:
  Gigabit Ethernet Interface     FTOS(conf-if-gi-0/0)#       interface
  10 Gigabit Ethernet Interface  FTOS(conf-if-te-0/0)#       interface
  Interface Range                FTOS(conf-if-range)#        interface
  Loopback Interface             FTOS(conf-if-lo-0)#         interface
  Management Ethernet Interface  FTOS(conf-if-ma-0/0)#       interface
  Null Interface                 FTOS(conf-if-nu-0)#         interface
  Port-channel Interface         FTOS(conf-if-po-0)#         interface
  SONET Interface                FTOS(conf-if-so-0/0)#       interface
  VLAN Interface                 FTOS(conf-if-vl-0)#         interface
IP ACCESS-LIST modes:
  STANDARD ACCESS-LIST           FTOS(config-std-nacl)#      ip access-list standard
  EXTENDED ACCESS-LIST           FTOS(config-ext-nacl)#      ip access-list extended
IP COMMUNITY-LIST            FTOS(config-community-list)#    ip community-list
LINE modes:
  AUXILIARY                      FTOS(config-line-aux)#      line
  CONSOLE                        FTOS(config-line-console)#  line
  VIRTUAL TERMINAL               FTOS(config-line-vty)#      line
MAC ACCESS-LIST modes:
  STANDARD ACCESS-LIST           FTOS(config-std-macl)#      mac access-list standard
  EXTENDED ACCESS-LIST           FTOS(config-ext-macl)#      mac access-list extended
MULTIPLE SPANNING TREE       FTOS(config-mstp)#              protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus  FTOS(config-pvst)#              protocol spanning-tree pvst
PREFIX-LIST                  FTOS(conf-nprefixl)#            ip prefix-list
RAPID SPANNING TREE          FTOS(config-rstp)#              protocol spanning-tree rstp
REDIRECT                     FTOS(conf-redirect-list)#       ip redirect-list
ROUTE-MAP                    FTOS(config-route-map)#         route-map
ROUTER BGP                   FTOS(conf-router_bgp)#          router bgp
ROUTER ISIS                  FTOS(conf-router_isis)#         router isis
ROUTER OSPF                  FTOS(conf-router_ospf)#         router ospf
ROUTER RIP                   FTOS(conf-router_rip)#          router rip
SPANNING TREE                FTOS(config-span)#              protocol spanning-tree 0
TRACE-LIST                   FTOS(conf-trace-acl)#           ip trace-list
VLT DOMAIN                   FTOS(conf-vlt-domain)#          vlt domain
Figure 2-3 illustrates how to change the command mode from CONFIGURATION mode to PROTOCOL
SPANNING TREE.
Figure 2-3. Changing CLI Modes
FTOS(conf)#protocol spanning-tree 0
FTOS(config-span)#                     <-- new command prompt
The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE,
SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with
the command do. Figure 2-4 illustrates the do command.
Note: The following commands cannot be modified by the do command: enable, disable, exit, and
configure.
Figure 2-4. Using the do Command
FTOS(conf)#do show linecard all        <-- "do" form of show command
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
--------------------------------------------------------------------------
 0    not present
 1    not present
 2    online       online   E48TB   E48TB   1-1-463  48
 3    not present
 4    not present
 5    online       online   E48VB   E48VB   1-1-463  48
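The mode rules above (enable and configure each descend one level, exit moves up exactly one level, end returns directly to EXEC Privilege from any depth, and do runs an EXEC command from any CONFIGURATION mode except for enable, disable, exit and configure) can be checked against a small model. The following Python script is an added example and is not code from this guide or from Dell Networking OS. It models only a subset of the modes in Table 2-1 (interface, router, protocol spanning-tree and line), renders the prompts the table lists, and treats do typed in EXEC or EXEC Privilege mode as an error, which is a modelling choice rather than documented switch behaviour.

```python
"""Mode-navigation model for the Dell Networking OS CLI (added example)."""

# Interface keyword -> abbreviation shown in the prompt (Table 2-1).
IF_ABBREV = {"gigabitethernet": "gi", "tengigabitethernet": "te",
             "loopback": "lo", "managementethernet": "ma", "null": "nu",
             "port-channel": "po", "sonet": "so", "vlan": "vl"}
ROUTER_MODES = {"bgp": "conf-router_bgp", "isis": "conf-router_isis",
                "ospf": "conf-router_ospf", "rip": "conf-router_rip"}
STP_MODES = {"0": "config-span", "mstp": "config-mstp",
             "rstp": "config-rstp", "pvst": "config-pvst"}
LINE_MODES = {"aux": "config-line-aux", "console": "config-line-console",
              "vty": "config-line-vty"}
# The guide's note: these four commands have no `do` form.
NO_DO = {"enable", "disable", "exit", "configure"}


class CliSession:
    """Tracks the mode stack and renders the prompt the guide shows for it."""

    def __init__(self, host="FTOS"):
        self.host = host
        self.stack = ["EXEC"]          # innermost (current) mode is last

    @property
    def mode(self):
        return self.stack[-1]

    def prompt(self):
        fixed = {"EXEC": ">", "EXEC Privilege": "#", "CONFIGURATION": "(conf)#"}
        if self.mode in fixed:
            return self.host + fixed[self.mode]
        return "%s(%s)#" % (self.host, self.mode)   # sub-mode name is the modifier

    def _submode(self, cmd, args):
        """Sub-mode opened by a CONFIGURATION-mode command, or None."""
        if cmd == "interface" and len(args) == 2 and args[0] in IF_ABBREV:
            return "conf-if-%s-%s" % (IF_ABBREV[args[0]], args[1])
        if cmd == "router" and args and args[0] in ROUTER_MODES:
            return ROUTER_MODES[args[0]]
        if cmd == "protocol" and len(args) == 2 and args[0] == "spanning-tree":
            return STP_MODES.get(args[1])
        if cmd == "line" and args and args[0] in LINE_MODES:
            return LINE_MODES[args[0]]
        return None

    def run(self, line):
        """Apply one command line and return the resulting prompt.

        Raises ValueError for a transition the guide does not allow."""
        words = line.split()           # the CLI is not case sensitive
        if not words:
            return self.prompt()
        cmd, args = words[0].lower(), [w.lower() for w in words[1:]]

        if cmd == "do":                # EXEC command from inside CONFIGURATION modes
            if not args or args[0] in NO_DO:
                raise ValueError("no do form for: " + " ".join(args))
            if "CONFIGURATION" not in self.stack:   # modelling choice, see lead-in
                raise ValueError("do is only accepted in CONFIGURATION modes")
            return self.prompt()       # the EXEC command runs; mode is unchanged
        if cmd == "enable":
            if self.mode != "EXEC":
                raise ValueError("enable is entered from EXEC mode")
            self.stack.append("EXEC Privilege")
        elif cmd == "configure":
            if self.mode != "EXEC Privilege":
                raise ValueError("configure is entered from EXEC Privilege mode")
            self.stack.append("CONFIGURATION")
        elif cmd == "end":             # straight to EXEC Privilege from any depth
            if "CONFIGURATION" not in self.stack:
                raise ValueError("end is only valid in CONFIGURATION modes")
            del self.stack[2:]
        elif cmd == "exit":            # up exactly one level
            if len(self.stack) == 1:
                raise ValueError("exit from EXEC closes the session (not modelled)")
            self.stack.pop()
        else:
            sub = self._submode(cmd, args) if self.mode == "CONFIGURATION" else None
            if sub is not None:
                self.stack.append(sub)
            # any other line is an ordinary command in the current mode
        return self.prompt()


def rejects(session, line):
    """True if the session refuses the line; the mode is left unchanged."""
    try:
        session.run(line)
    except ValueError:
        return True
    return False


def demo():
    """Constructed session: the prompt after each line, in the style of Figure 2-3."""
    s = CliSession()
    script = ["enable", "configure", "interface GigabitEthernet 4/17",
              "do show linecard all", "exit", "protocol spanning-tree 0", "end"]
    return [s.run(cmd) for cmd in script]
```

Running demo() walks from EXEC down to an interface sub-mode and back; the rejects() helper shows that configure is refused in EXEC mode (the modes must be entered linearly) and that do enable or do exit is refused anywhere.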
Undo Commands
When you enter a command, the command line is added to the running configuration file. Disable a
command and remove it from the running-config by entering the original command preceded by the
command no. For example, to delete an ip address configured on an interface, use the no ip address
ip-address command, as shown in Figure 2-5.
Note: Use the help or ? command as discussed in Obtain Help command to help you construct the “no”
form of a command.
Figure 2-5. Undo a command with the no Command
FTOS(conf)#interface gigabitethernet 4/17
FTOS(conf-if-gi-4/17)#ip address 192.168.10.1/24
FTOS(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 ip address 192.168.10.1/24            <-- IP address assigned
 no shutdown
FTOS(conf-if-gi-4/17)#no ip address    <-- "no" form of IP address command
FTOS(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 no ip address                         <-- IP address removed
Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in
PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Obtain Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords. The output of this command is the same as for the help command.
Figure 2-6. ? Command Example
FTOS#?                                 <-- "?" at prompt for list of commands
calendar      Manage the hardware calendar
cd            Change current directory
change        Change subcommands
clear         Reset functions
clock         Manage the system clock
configure     Configuring from terminal
copy          Copy from one file to another
debug         Debug functions
--More--
• ? after a partial keyword lists all of the keywords that begin with the specified letters.
Figure 2-7. Keyword? Command Example
FTOS(conf)#cl?                         <-- partial keyword plus "?" for matching keywords
class-map
clock
FTOS(conf)#cl
• A keyword followed by [space]? lists all of the keywords that can follow the specified keyword.
Figure 2-8. Keyword ? Command Example
FTOS(conf)#clock ?                     <-- keyword plus "[space]?" for compatible keywords
summer-time   Configure summer (daylight savings) time
timezone      Configure time zone
FTOS(conf)#clock
Enter and Edit Commands
When entering commands:
• The CLI is not case sensitive.
• You can enter partial CLI keywords.
  • You must enter the minimum number of letters to uniquely identify a command. For example, cl cannot be entered as a partial keyword because both the clock and class-map commands begin with the letters "cl." clo, however, can be entered as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. You must enter the minimum number of letters to uniquely identify a command.
• The UP and DOWN arrow keys display previously entered commands (see Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line, as described in Table 2-2.
Table 2-2. Short-Cut Keys and their Actions
Key Combination   Action
CNTL-A            Moves the cursor to the beginning of the command line.
CNTL-B            Moves the cursor back one character.
CNTL-D            Deletes the character at the cursor.
CNTL-E            Moves the cursor to the end of the line.
CNTL-F            Moves the cursor forward one character.
CNTL-I            Completes a keyword.
CNTL-K            Deletes all characters from the cursor to the end of the command line.
CNTL-L            Re-enters the previous command.
CNTL-N            Returns to more recent commands in the history buffer after recalling commands with CNTL-P or the UP arrow key.
CNTL-P            Recalls commands, beginning with the last command.
CNTL-R            Re-enters the previous command.
CNTL-U            Deletes the line.
CNTL-W            Deletes the previous word.
CNTL-X            Deletes the line.
CNTL-Z            Ends continuous scrolling of command outputs.
Esc B             Moves the cursor back one word.
Esc F             Moves the cursor forward one word.
Esc D             Deletes all characters from the cursor to the end of the word.
Command History
Dell Networking OS maintains a history of previously-entered commands for each mode. For example:
• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.
Filter show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep |
no-more | save] specified_text after the command. The variable specified_text is the text for which you are
filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
Starting with Dell Networking OS 7.8.1.0, the grep command accepts an ignore-case sub-option that forces
the search to case-insensitive. For example, the commands:
• show run | grep Ethernet returns a search result with instances containing a capitalized "Ethernet," such as interface GigabitEthernet 0/0.
• show run | grep ethernet would not return that search result because it only searches for instances containing a non-capitalized "ethernet."
Executing the command show run | grep Ethernet ignore-case would return instances containing both "Ethernet" and "ethernet."
• grep displays only the lines containing the specified text. Figure 2-9 shows this command used in combination with the command show linecard all.
Figure 2-9. Filter Command Outputs with the grep Command
FTOS(conf)#do show linecard all | grep 0
 0    not present
Note: Dell Networking OS accepts a space or no space before and after the pipe. To filter on a phrase
with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
• except displays text that does not match the specified text. Figure 2-10 shows this command used in combination with the command show linecard all.
Figure 2-10. Filter Command Outputs with the except Command
FTOS#show linecard all | except 0
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
--------------------------------------------------------------------------
 2    not present
 3    not present
 4    not present
 5    not present
 6    not present
• find displays the output of the show command beginning from the first occurrence of the specified text. Figure 2-11 shows this command used in combination with the command show linecard all.
Figure 2-11. Filtering Command Outputs with the find Command
FTOS(conf)#do show linecard all | find 0
 0    not present
 1    not present
 2    online       online   E48TB   E48TB   1-1-463  48
 3    not present
 4    not present
 5    online       online   E48VB   E48VB   1-1-463  48
 6    not present
 7    not present
• display displays additional configuration information.
• no-more displays the output all at once rather than one screen at a time. This is similar to the command terminal length except that the no-more option affects the output of the specified command only.
• save copies the output to a file for future reference.
Note: You can filter a single command output multiple times. The save option should be the last option
entered. For example:
FTOS# command | grep regular-expression | except regular-expression
| grep other-regular-expression | find regular-expression | save
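The filter semantics described above (grep keeps matching lines, except drops them, find starts the output at the first match, the pattern is a regular expression that is case sensitive unless ignore-case is given, spaces around the pipe are optional, a double-quoted phrase keeps its spaces, filters chain left to right, and save comes last) are reproduced here as an added Python example. It is not code from this guide or from the switch. It runs against a constructed copy of the show linecard all output from Figure 2-4; the save target lc.txt is a placeholder file name, and the display option is not modelled.

```python
import re

# Constructed sample of `show linecard all` output, laid out like Figure 2-4.
SHOW_LINECARD = """\
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
--------------------------------------------------------------------------
 0    not present
 1    not present
 2    online       online   E48TB   E48TB   1-1-463  48
 3    not present
 4    not present
 5    online       online   E48VB   E48VB   1-1-463  48
"""


def _matcher(pattern, ignore_case):
    """Regular-expression match; case sensitive unless ignore-case was given."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda line: rx.search(line) is not None


def filter_grep(lines, pattern, ignore_case=False):
    """grep: keep only the lines that contain the pattern."""
    hit = _matcher(pattern, ignore_case)
    return [l for l in lines if hit(l)]


def filter_except(lines, pattern, ignore_case=False):
    """except: keep only the lines that do not contain the pattern."""
    hit = _matcher(pattern, ignore_case)
    return [l for l in lines if not hit(l)]


def filter_find(lines, pattern, ignore_case=False):
    """find: everything from the first matching line to the end of the output."""
    hit = _matcher(pattern, ignore_case)
    for i, l in enumerate(lines):
        if hit(l):
            return lines[i:]
    return []


FILTERS = {"grep": filter_grep, "except": filter_except, "find": filter_find}


def parse_pipeline(command):
    """Split 'show ... | grep a ignore-case | except "b c" | save f' into stages.

    Returns (base_command, [(filter_name, pattern, ignore_case), ...], save_target).
    Splitting on "|" assumes there is no pipe inside a quoted pattern; that is a
    limitation of this model, not a statement about the switch.
    """
    parts = [p.strip() for p in command.split("|")]
    base, stages, save_to = parts[0], [], None
    for stage in parts[1:]:
        name, _, rest = stage.partition(" ")
        rest = rest.strip()
        if name == "no-more":          # paging only; the lines are unchanged
            continue
        if name == "save":             # should be the last option; target is a file name
            save_to = rest
            continue
        if name not in FILTERS:
            raise ValueError("unsupported filter: " + name)
        ignore_case = rest.endswith(" ignore-case")
        if ignore_case:
            rest = rest[: -len(" ignore-case")].rstrip()
        if len(rest) >= 2 and rest[0] == rest[-1] == '"':
            rest = rest[1:-1]          # quoted phrase keeps its spaces
        stages.append((name, rest, ignore_case))
    return base, stages, save_to


def run_pipeline(command, output=SHOW_LINECARD):
    """Apply the command's filters, left to right, to the captured output."""
    _, stages, _ = parse_pipeline(command)
    lines = output.splitlines()
    for name, pattern, ignore_case in stages:
        lines = FILTERS[name](lines, pattern, ignore_case)
    return lines
```

run_pipeline("show linecard all | grep 0") returns only the slot 0 row, matching Figure 2-9, and grep e48tb returns nothing until ignore-case is appended; chaining find 0 with except "not present" leaves just the two online line cards.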
Multiple Users in Configuration mode
Dell Networking OS notifies all users in the event that there are multiple users logged into
CONFIGURATION mode. A warning message indicates the username, type of connection (console or
vty), and in the case of a vty connection, the IP address of the terminal on which the connection was
established. For example:
• On the system that telnets into the switch, Message 1 appears:
Message 1 Multiple Users in Configuration mode Telnet Message
% Warning: The following users are currently configuring the system:
User "" on line console0
• On the system that is connected over the console, Message 2 appears:
Message 2 Multiple Users in Configuration mode Console Message
% Warning: User "" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Networking recommends that you coordinate with the users listed
in the message so that you do not unintentionally overwrite each other’s configuration changes.
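Because the warning reveals who else is changing the configuration and where they connected from, it is worth extracting that information from a captured session log rather than relying on an operator noticing it at the prompt. The following Python snippet is an added example, not code from this guide or from the switch: it parses both message formats shown above and flags sessions whose origin is not on an allow-list. The transcript, the user names and the 10.11.130.7 address are constructed for the example (the guide's own messages show an empty user name).

```python
import re

# Constructed session transcript containing both warning formats from the guide.
# The guide's own examples show an empty user name (User ""); the names and the
# 10.11.130.7 address are filled in here for illustration only.
TRANSCRIPT = """\
FTOS#configure
% Warning: The following users are currently configuring the system:
User "admin" on line console0
User "ops" on line vty1 "10.11.130.7"
FTOS(conf)#
FTOS(conf)#hostname R1
% Warning: User "admin" on line vty0 "10.11.130.2" is in configuration mode
R1(conf)#
"""

# Both message formats carry: User "<name>" on line <console|vty|aux><n> ["<ip>"]
USER_LINE = re.compile(
    r'User "(?P<user>[^"]*)" on line (?P<line>(?:console|vty|aux)\d+)'
    r'(?: "(?P<ip>[^"]+)")?'
)


def concurrent_sessions(transcript):
    """One record per user the switch reports as being in CONFIGURATION mode."""
    found = []
    for text in transcript.splitlines():
        m = USER_LINE.search(text)
        if m is None:
            continue
        line = m.group("line")
        found.append({
            "user": m.group("user"),
            "line": line,
            "ip": m.group("ip"),        # None for a console session
            "source": "console" if line.startswith("console") else m.group("ip"),
        })
    return found


def unexpected(transcript, allowed_sources):
    """Sessions whose origin is not in the allow-list of "console" and vty IPs.

    A vty session that reports no address has source None and is flagged too.
    """
    return [s for s in concurrent_sessions(transcript)
            if s["source"] not in allowed_sources]
```

With an allow-list of {"console", "10.11.130.2"}, unexpected() returns only the ops session from 10.11.130.7, which is the one an operator would want to confirm before continuing to change the configuration.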
3 Getting Started
This chapter contains the following major sections:
• Default Configuration
• Configure a Host Name
• Access the System Remotely
• Configure the Enable Password
• Configuration File Management
• File System Management
When you power up the chassis, the system performs a Power-On Self Test (POST) during which Route Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green. The system then loads Dell Networking OS, and boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process is complete, the RPM and line card status LEDs remain online (green), and the console monitor displays the EXEC mode prompt.
For details on using the Command Line Interface (CLI), see the Access the Command Line section in
Chapter 2, Configuration Fundamentals.
Default Configuration
A version of Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured
when you power up for the first time (except for the default hostname, which is Dell Networking OS). You
must configure the system using the CLI.
Configure a Host Name
The host name appears in the prompt. The default host name is Dell Networking OS.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
To configure a host name:
Step  Task                     Command Syntax   Command Mode
1     Create a new host name.  hostname name    CONFIGURATION
Figure 3-1 illustrates the hostname command.
Figure 3-1. Configuring a Hostname
FTOS(conf)#hostname R1      <-- FTOS is the default hostname
R1(conf)#                   <-- R1 is the new hostname
Access the System Remotely
You can configure the system to access it remotely by Telnet. The method for configuring the C-Series and
E-Series for Telnet access is different from S-Series.
• The C-Series and E-Series have a dedicated management port and a management routing table that is
separate from the IP routing table.
• The S-Series does not have a dedicated management port, but is managed from any port. It does not
have a separate management routing table.
Access the C-Series and E-Series Remotely
Note: Use this process for the S60 system.
Configuring the system for Telnet is a three-step process:
1. Configure an IP address for the management port. See Configure the Management Port IP Address.
2. Configure a management route with a default gateway. See Configure a Management Route.
3. Configure a username and password. See Configure a Username and Password.
Configure the Management Port IP Address
Assign IP addresses to the management ports in order to access the system remotely.
Note: Assign different IP addresses to each RPM’s management port.
To configure the management port IP address:
Step  Task                                                Command Syntax                                   Command Mode
1     Enter INTERFACE mode for the Management port.       interface ManagementEthernet slot/port           CONFIGURATION
        • slot range: 0 to 1
        • port range: 0
2     Assign an IPv4 or IPv6 address to the interface.    ip address {ipv4-address | ipv6-address}/mask    INTERFACE
        • ipv4-address: an address in dotted-decimal format (A.B.C.D).
        • ipv6-address: an address in hexadecimal format (X:X:X:X::X).
        • mask: a subnet mask in /prefix-length format (/xx).
3     Enable the interface.                               no shutdown                                      INTERFACE
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the system through the
management port.
To configure a management route:
Step  Task                                                Command Syntax                                                Command Mode
1     Configure an IPv4 or IPv6 management route to the    management route {ipv4-address | ipv6-address}/mask gateway    CONFIGURATION
      network from which you are accessing the system.
        • ip-address: the network address in dotted-decimal format (A.B.C.D).
        • mask: a subnet mask in /prefix-length format (/xx).
        • gateway: the next hop for network traffic originating from the management port.
Configure a Username and Password
Configure a system username and password to access the system remotely.
To configure a username and password:
Step  Task                                                Command Syntax                                            Command Mode
1     Configure a username and password to access the      username username password [encryption-type] password    CONFIGURATION
      system remotely.
      encryption-type specifies how you are inputting the password, is 0 by default, and is not required.
        • 0 is for inputting the password in clear text.
        • 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted
          password from the configuration of another Dell Networking system.
Access the S-Series Remotely
The S-Series does not have a dedicated management port nor a separate management routing table.
Configure any port on the S-Series to be the port through which you manage the system and configure an
IP route to that gateway.
Note: The S60 system uses management ports and should be configured similar to the C-Series and
E-Series systems. Refer to Access the C-Series and E-Series Remotely.
Configuring the system for Telnet access is a three-step process:
1. Configure an IP address for the port through which you will manage the system using the command ip
address from INTERFACE mode, as shown in Figure 3-2.
2. Configure an IP route with a default gateway using the command ip route from CONFIGURATION
mode, as shown in Figure 3-2.
3. Configure a username and password using the command username from CONFIGURATION mode, as
shown in Figure 3-2.
Figure 3-2. Configure the S-Series for Remote Access
R5(conf)#int gig 0/48
R5(conf-if-gi-0/48)#ip address 10.11.131.240
R5(conf-if-gi-0/48)#show config
!
interface GigabitEthernet 0/48
ip address 10.11.131.240/24
no shutdown
R5(conf-if-gi-0/48)#exit
R5(conf)#ip route 10.11.32.0/23 10.11.131.254
R5(conf)#username admin pass FTOS
Configure the Enable Password
The EXEC Privilege mode is accessed by the enable command. Configure a password as a basic security
measure. When using a console connection, EXEC Privilege mode is unrestricted by default; it cannot be
reached by a VTY connection if no password is configured. There are two types of enable passwords:
• enable password stores the password in the running/startup configuration using a DES encryption
method.
• enable secret is stored in the running/startup configuration using a stronger, MD5 encryption
method.
Dell Networking recommends using the enable secret password.
To configure an enable password:
Task                                               Command Syntax                                                        Command Mode
Create a password to access EXEC Privilege mode.   enable [password | secret] [level level] [encryption-type] password   CONFIGURATION
level is the privilege level, is 15 by default, and is not required.
encryption-type specifies how you are inputting the password, is 0 by default, and is not required.
  • 0 is for inputting the password in clear text.
  • 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted
    password from the configuration file of another Dell Networking system.
  • 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted
    password from the configuration file of another Dell Networking system.
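The hostname rules above and the encryption-type semantics of the username and enable commands can be checked offline against a saved configuration. The following audit script is an added example, not Dell code; the function names, the finding texts and the sample configuration lines are constructed for this illustration.

```python
import re

# Hostname rules from "Configure a Host Name": starts with a letter, ends with a
# letter or digit, and contains only letters, digits, and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# username <name> password [encryption-type] <password>
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:([057])\s+)?(\S+)\s*$")
# enable {password | secret} [level <n>] [encryption-type] <password>
ENABLE_RE = re.compile(
    r"^enable\s+(password|secret)\s+(?:level\s+(\d+)\s+)?(?:([057])\s+)?(\S+)\s*$")


def is_valid_hostname(name):
    """True when name satisfies the manual's hostname rules."""
    return HOSTNAME_RE.match(name) is not None


def audit_config(config_text):
    """Return a list of (severity, message) findings for one configuration text.

    Severity is "error", "warning", or "info". The checks encode only what the
    manual states: encryption-type 0 is clear text, 7 is the reversible
    Type 7/DES form, 5 is MD5 (enable secret), and enable secret is recommended.
    """
    findings = []
    enable_lines = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            name = line.split(None, 1)[1].strip()
            if not is_valid_hostname(name):
                findings.append(("error", f"hostname {name!r} breaks the naming rules"))
            continue
        m = USERNAME_RE.match(line)
        if m:
            user, enc, _secret = m.groups()
            enc = enc or "0"  # encryption-type is 0 (clear text) when omitted
            if enc == "0":
                findings.append(("warning", f"user {user}: password given in clear text"))
            elif enc == "7":
                findings.append(("info", f"user {user}: Type 7 hash is reversible; protect the config file"))
            continue
        m = ENABLE_RE.match(line)
        if m:
            kind, level, enc, _secret = m.groups()
            enable_lines += 1
            enc = enc or "0"
            lvl = int(level) if level else 15  # level defaults to 15
            if kind == "password":
                findings.append(("warning",
                                 f"enable password (level {lvl}) uses DES storage; use enable secret instead"))
            if enc == "0":
                findings.append(("info", f"enable {kind} (level {lvl}) entered in clear text"))
    if enable_lines == 0:
        # Without an enable password, EXEC Privilege mode is reachable only from the console.
        findings.append(("warning", "no enable password: EXEC Privilege mode is unreachable over VTY"))
    return findings


# Constructed sample configuration fragment (not taken from the manual).
SAMPLE_CONFIG = """\
hostname R1
username admin password FTOS
username ops password 7 0a1b2c3d4e5f
enable password 7 0a1b2c3d
"""

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"{severity:8} {message}")
```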
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from the EXEC Privilege mode.
The E-Series TeraScale and ExaScale platform architectures use Compact Flash for the internal and
external Flash memory. It has a space limitation but does not limit the number of files it can contain.
Note: Using flash memory cards in the system that have not been approved by Dell Networking can
cause unexpected system behavior, including a reboot.
Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.
Note: See the Dell Networking OS Command Reference for a detailed description of the copy command.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the
file-destination syntax for a remote file location shown in Table 3-1.
• To copy a remote file to the Dell Networking system, combine the file-origin syntax for a remote file
location with the file-destination syntax for a local file location shown in Table 3-1.
Table 3-1. Form a copy Command
Location                                       source-file-url Syntax                                               destination-file-url Syntax
Local File Location
  Internal flash: primary RPM                  copy flash://filename                                                flash://filename
  Internal flash: standby RPM                  copy rpm{0|1}flash://filename                                        rpm{0|1}flash://filename
  External flash: primary RPM                  copy rpm{0|1}slot0://filename                                        rpm{0|1}slot0://filename
  External flash: standby RPM                  copy rpm{0|1}slot0://filename                                        rpm{0|1}slot0://filename
  USB drive on RPM0 (E-Series ExaScale only)   copy rpm0usbflash://filepath                                         rpm0usbflash://filename
  External USB drive (E-Series ExaScale only)  copy usbflash://filepath                                             usbflash://filename
Remote File Location
  FTP server                                   copy ftp://username:password@{hostip | hostname}/filepath/filename   ftp://username:password@{hostip | hostname}/filepath/filename
  TFTP server                                  copy tftp://{hostip | hostname}/filepath/filename                    tftp://{hostip | hostname}/filepath/filename
  SCP server                                   copy scp://{hostip | hostname}/filepath/filename                     scp://{hostip | hostname}/filepath/filename
Note: Dell Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• The internal flash memories on the RPMs are synchronized whenever there is a change, but only if
both RPMs are running the same version of Dell Networking OS.
• When copying to a server, a hostname can only be used if a DNS server is configured.
• The usbflash and rpm0usbflash commands are supported on the E-Series ExaScale platform only. Refer
to the Dell Networking OS Release Notes for a list of approved USB vendors.
Figure 3-3 shows an example of using the copy command to save a file to an FTP server.
Figure 3-3. Saving a file to a Remote System
FTOS#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
(The figure callouts mark flash://FTOS-EF-8.2.1.0.bin as the local location and the ftp:// URL as the remote location.)
Figure 3-4 shows an example of using the copy command to import a file to the Dell Networking system
from an FTP server.
Figure 3-4. Saving a file to a Remote System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0.bin flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
(Here the figure callouts mark the ftp:// URL as the remote location and flash:// as the local location.)
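The URL forms in Table 3-1 and the restrictions under "Important Points to Remember" can be checked before a copy is issued. The parser and validator below are an added example, not Dell code; they perform no file transfer, and the FileUrl type, the function names and the platform and dns_configured flags are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_SCHEMES = {"flash", "slot0", "usbflash", "rpm0usbflash"}
REMOTE_SCHEMES = {"ftp", "tftp", "scp"}
EXASCALE_ONLY = {"usbflash", "rpm0usbflash"}
RPM_PREFIX_RE = re.compile(r"^rpm([01])(flash|slot0)$")   # rpm{0|1}flash:, rpm{0|1}slot0:
# [username:password@]{hostip | hostname}[/filepath/filename]
REMOTE_RE = re.compile(r"^(?:(?P<user>[^:@/]+):(?P<pw>[^@/]*)@)?(?P<host>[^/]+)(?P<path>/.*)?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class FileUrl:
    scheme: str
    rpm: Optional[str]   # "0" or "1" when the local path names a specific RPM
    host: Optional[str]  # remote locations only
    path: str
    remote: bool


def parse_file_url(url: str) -> FileUrl:
    """Split a source-file-url or destination-file-url into its parts."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"not a file URL: {url!r}")
    rpm = None
    m = RPM_PREFIX_RE.match(scheme)
    if m:
        rpm, scheme = m.group(1), m.group(2)
    if scheme in REMOTE_SCHEMES:
        r = REMOTE_RE.match(rest)
        if not r:
            raise ValueError(f"remote URL needs a host: {url!r}")
        if scheme == "ftp" and r.group("user") is None:
            raise ValueError("ftp:// URLs carry username:password@ before the host")
        return FileUrl(scheme, None, r.group("host"), r.group("path") or "/", True)
    if scheme in LOCAL_SCHEMES:
        return FileUrl(scheme, rpm, None, rest, False)
    raise ValueError(f"unknown file system {scheme}:")


def looks_like_ip(host: str) -> bool:
    """IPv4 dotted-decimal or an IPv6 literal; anything else is a hostname."""
    return IPV4_RE.match(host) is not None or ":" in host


def validate_copy(source, destination, platform="E-Series ExaScale", dns_configured=False):
    """Return the rule violations for `copy source destination` (empty list = allowed)."""
    src, dst = parse_file_url(source), parse_file_url(destination)
    problems: List[str] = []
    if src.remote and dst.remote:
        problems.append("cannot copy a file from one remote system to another")
    if (not src.remote and not dst.remote
            and (src.scheme, src.rpm, src.path) == (dst.scheme, dst.rpm, dst.path)):
        problems.append("cannot copy a file from one location to the same location")
    for url in (src, dst):
        if url.scheme in EXASCALE_ONLY and platform != "E-Series ExaScale":
            problems.append(f"{url.scheme}: is supported on E-Series ExaScale only")
        # A hostname can only be used when a DNS server is configured.
        if url.remote and not looks_like_ip(url.host) and not dns_configured:
            problems.append(f"hostname {url.host!r} needs a configured DNS server")
    return problems


if __name__ == "__main__":
    # The two commands from Figures 3-3 and 3-4 both pass every rule.
    print(validate_copy("flash://FTOS-EF-8.2.1.0.bin",
                        "ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0"))
    print(validate_copy("ftp://u:p@10.10.10.10/a.bin", "tftp://10.10.10.11/a.bin"))
```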
Save the Running-configuration
The running-configuration contains the current system configuration. Dell Networking recommends that
you copy your running-configuration to the startup-configuration. The system uses the
startup-configuration during boot-up to configure the system. The startup-configuration is stored in the
internal flash on the primary RPM by default, but it can be saved onto an external flash (on an RPM) or a
remote server.
To save the running-configuration:
Note: The commands in this section follow the same format as those in Copy Files to and from the
System but use the filenames startup-configuration and running-configuration. These commands assume
that current directory is the internal flash, which is the system default.
Task                                                           Command Syntax                                                                 Command Mode
Save the running-configuration to:                                                                                                            EXEC Privilege
  the startup-configuration on the internal flash of the       copy running-config startup-config
  primary RPM
  the internal flash on an RPM                                 copy running-config rpm{0|1}flash://filename
    Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only
    if the RPMs are running the same version of Dell Networking OS.
  the external flash of an RPM                                 copy running-config rpm{0|1}slot0://filename
  an FTP server                                                copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
  a TFTP server                                                copy running-config tftp://{hostip | hostname}/filepath/filename
  an SCP server                                                copy running-config scp://{hostip | hostname}/filepath/filename
    Note: Dell Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
    Note: When copying to a server, a hostname can only be used if a DNS server is configured.
Save the running-configuration to the startup-configuration    copy running-config startup-config duplicate                                   EXEC Privilege
on the internal flash of the primary RPM. Then copy the new
startup-config file to the external flash of the primary RPM.
Dell Networking OS Behavior: If you create a startup-configuration on an RPM and then move the
RPM to another chassis, the startup-configuration is stored as a backup file (with the extension .bak),
and a new, empty startup-configuration file is created. To restore your original startup-configuration in
this situation, overwrite the new startup-configuration with the original one using the command copy
startup-config.bak startup-config.
View Files
File information and content can only be viewed on local file systems.
To view a list of files on the internal or external Flash:
Step  Task                                  Command Syntax    Command Mode
1     View a list of files on:                                EXEC Privilege
        the internal flash of an RPM        dir flash:
        the external flash of an RPM        dir slot:
The output of the command dir also shows the read/write privileges, size (in bytes), and date of
modification for each file, as shown in Figure 3-5.
Figure 3-5. Viewing a List of Files in the Internal Flash
To view the contents of a file:
Step  Task                                                    Command Syntax                        Command Mode
1     View the:                                                                                     EXEC Privilege
        contents of a file in the internal flash of an RPM    show file rpm{0|1}flash://filename
        contents of a file in the external flash of an RPM    show file rpm{0|1}slot0://filename
        running-configuration                                 show running-config
        startup-configuration                                 show startup-config
View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in Figure 3-6, to help
you track the last time any user made a change to the file, which user made the changes, and when the file
was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration
change,” and “Startup-config last updated,” then you have made changes that have not been saved and will
not be preserved upon a system reboot.
Figure 3-6. Track Changes with Configuration Comments
FTOS#show running-config
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system rpm0 primary flash://FTOS-EF-8.2.1.0.bin
boot system rpm0 secondary flash://FTOS-EF-7.8.1.0.bin
boot system rpm0 default flash://FTOS-EF-7.7.1.1.bin
boot system rpm1 primary flash://FTOS-EF-7.8.1.0.bin
boot system gateway 10.10.10.100
--More--
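The two timestamps in the header comments are enough to detect unsaved changes automatically, for example from a configuration-backup job. The parser below is an added example, not Dell code; the function names are constructed, and the sample text repeats the header lines of Figure 3-6.

```python
import re
from datetime import datetime

# "! Last configuration change at Thu Apr 3 23:06:28 2008 by admin"
HEADER_RE = re.compile(
    r"^!\s*(Last configuration change|Startup-config last updated)\s+at\s+(.+?)\s+by\s+(\S+)\s*$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"   # timestamp form used in the header comments


def parse_config_header(config_text):
    """Return the version, last change, and last save recorded in the header comments.

    last_change and startup_saved are (datetime, username) tuples or None.
    """
    info = {"version": None, "last_change": None, "startup_saved": None}
    for line in config_text.splitlines()[:10]:   # the comments sit at the top of the file
        line = line.strip()
        if line.startswith("! Version "):
            info["version"] = line[len("! Version "):].strip()
            continue
        m = HEADER_RE.match(line)
        if m:
            key = "last_change" if m.group(1).startswith("Last") else "startup_saved"
            when = datetime.strptime(" ".join(m.group(2).split()), TIME_FMT)
            info[key] = (when, m.group(3))
    return info


def unsaved_changes(config_text):
    """True when the running-config carries changes newer than the last save."""
    info = parse_config_header(config_text)
    if info["last_change"] is None:
        return False          # no change recorded
    if info["startup_saved"] is None:
        return True           # changed but never written to the startup-configuration
    return info["last_change"][0] > info["startup_saved"][0]


# Header lines as shown in Figure 3-6: the save (23:06:55) is later than the change (23:06:28).
SAVED = """\
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system rpm0 primary flash://FTOS-EF-8.2.1.0.bin
"""

if __name__ == "__main__":
    print(parse_config_header(SAVED))
    print("unsaved changes:", unsaved_changes(SAVED))
```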
File System Management
The Dell Networking system can use the internal Flash, external Flash, or remote devices to store files. It
stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information:
Task                                       Command Syntax      Command Mode
View information about each file system.   show file-systems   EXEC Privilege
The output of the command show file-systems (Figure 3-7) shows the total capacity, amount of free
memory, file structure, media type, and read/write privileges for each storage device in use.
Figure 3-7. show file-systems Command Example
FTOS#show file-systems
  Size(b)     Free(b)     Feature    Type       Flags  Prefixes
  520962048   213778432   dosFs2.0   USERFLASH  rw     flash:
  127772672   21936128    dosFs2.0   USERFLASH  rw     slot0:
                                     network    rw     ftp:
                                     network    rw     tftp:
                                     network    rw     scp:
You can change the default file system so that file management commands apply to a particular device or
memory.
To change the default storage location:
Task                           Command Syntax   Command Mode
Change the default directory.  cd directory     EXEC Privilege
In Figure 3-8, the default storage location is changed to the external Flash of the primary RPM. File
management commands then apply to the external Flash rather than the internal Flash.
Figure 3-8. Alternative Storage Location
FTOS#cd slot0:
FTOS#copy running-config test
FTOS#copy run test                    <-- No File System Specified
!
7419 bytes successfully copied
FTOS#dir
Directory of slot0:
  1  drw     32768   Jan 01 1980 00:00:00  .
  2  drwx      512   Jul 23 2007 00:38:44  ..
  3  ----        0   Jan 01 1970 00:00:00  DCIM
  4  rw       7419   Jul 23 2007 20:44:40  test          <-- File Saved to External Flash
  5  ----        0   Jan 01 1970 00:00:00  BT
  6  ----        0   Jan 01 1970 00:00:00  200702~1VSN
  7  ----        0   Jan 01 1970 00:00:00  G
  8  ----        0   Jan 01 1970 00:00:00  F
  9  ----        0   Jan 01 1970 00:00:00  F
slot0: 127772672 bytes total (21927936 bytes free)
View command history
The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for
each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command, as shown in Figure 3-9.
Figure 3-9. show command-history Command Example
FTOS#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname FTOS
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin
Upgrade and Downgrade Dell Networking OS
Note: To upgrade or downgrade Dell Networking OS, see the release notes for the version you want to
load on the system.
4 System Management
System Management is supported on platforms: C-Series, E-Series, S-Series
This chapter explains the different protocols or services used to manage the Dell Networking system
including:
• Configure Privilege Levels
• Configure Logging
• File Transfer Services
• Terminal Lines
• Lock CONFIGURATION mode
• Recovering from a Forgotten Password
• Recovering from a Forgotten Password on S-Series
• Recovering from a Failed Start
Configure Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of
which three are pre-defined. The default privilege level is 1.
• Level 0—Access to the system begins at EXEC mode, and EXEC mode commands are limited to
enable, disable, and exit.
• Level 1—Access to the system begins at EXEC mode, and all commands are available.
• Level 15—Access to the system begins at EXEC Privilege mode, and all commands are available.
Create a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege
levels 2-14 by:
• restricting access to an EXEC mode command
• moving commands from EXEC Privilege to EXEC mode
• restricting access
A user can access all commands at his privilege level and below.
Remove a command from EXEC mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level
using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater
than the level given to a user or terminal line, followed by the first keyword of each command to be
restricted.
Move a command from EXEC Privilege mode to EXEC mode
Move a command from EXEC Privilege to EXEC mode for a privilege level using the command privilege
exec from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal
line, and specify all keywords in the command to which you want to allow access.
Allow Access to CONFIGURATION mode commands
Allow access to CONFIGURATION mode using the command privilege exec level level configure from
CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level, and
has access to only two commands, end and exit. You must individually specify each CONFIGURATION
mode command to which you want to allow access using the command privilege configure level level. In the
command, specify the privilege level of the user or terminal line, and specify all keywords in the command
to which you want to allow access.
Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode
1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE,
ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into
the mode. For example, allow a user to enter INTERFACE mode using the command privilege
configure level level interface gigabitethernet.
2. Then, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which
you want to allow access using the command privilege {interface | line | route-map | router} level level.
In the command, specify the privilege level of the user or terminal line, and specify all keywords in the
command to which you want to allow access.
The following table lists the configuration tasks you can use to customize a privilege level:
Task                                                      Command Syntax                                                         Command Mode
Remove a command from the list of available commands      privilege exec level level {command ||...|| command}                   CONFIGURATION
in EXEC mode.
Move a command from EXEC Privilege to EXEC mode.          privilege exec level level {command ||...|| command}                   CONFIGURATION
Allow access to CONFIGURATION mode.                       privilege exec level level configure                                   CONFIGURATION
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or        privilege configure level level {interface | line | route-map |        CONFIGURATION
ROUTER mode. Specify all keywords in the command.         router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE,         privilege {configure | interface | line | route-map | router} level    CONFIGURATION
ROUTE-MAP, and/or ROUTER mode command.                    level {command ||...|| command}
The configuration in Figure 4-1 creates privilege level 3. This level:
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4,
• moves the command capture bgp-pdu max-buffer-size from EXEC Privilege to EXEC mode by
requiring a minimum privilege level of 3, which is the configured level for VTY 0,
• allows access to CONFIGURATION mode with the banner command, and
• allows access to INTERFACE and LINE modes with no commands.
Figure 4-1. Create a Custom Privilege Level
FTOS(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
FTOS(conf)#do telnet 10.11.80.201
[telnet output omitted]
FTOS#show priv
Current privilege level is 3.
FTOS#?
capture              Capture packet
configure            Configuring from terminal
disable              Turn off privileged commands
enable               Turn on privileged commands
exit                 Exit from the EXEC
ip                   Global IP subcommands
monitor              Monitoring feature
mtrace               Trace reverse multicast path from destination to source
ping                 Send echo messages
quit                 Exit from the EXEC
show                 Show running system information
[output omitted]
FTOS#config
[output omitted]
FTOS(conf)#do show priv
Current privilege level is 3.
FTOS(conf)#?
end                  Exit from configuration mode
exit                 Exit from configuration mode
interface            Select an interface to configure
line                 Configure a terminal line
linecard             Set line card type
FTOS(conf)#interface ?
fastethernet         Fast Ethernet interface
gigabitethernet      Gigabit Ethernet interface
loopback             Loopback interface
managementethernet   Management Ethernet interface
null                 Null interface
port-channel         Port-channel interface
range                Configure interface range
sonet                SONET interface
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN interface
FTOS(conf)#interface gigabitethernet 1/1
FTOS(conf-if-gi-1/1)#?
end                  Exit from configuration mode
exit                 Exit from interface configuration mode
FTOS(conf-if-gi-1/1)#exit
FTOS(conf)#line ?
aux                  Auxiliary line
console              Primary terminal line
vty                  Virtual terminal
FTOS(conf)#line vty 0
FTOS(config-line-vty)#?
exit                 Exit from line configuration mode
FTOS(config-line-vty)#
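The effect of a set of privilege lines on what a user can run can be worked out before it is applied. The model below is an added example, not Dell code: it reproduces the "?" output of Figure 4-1 for a level 3 user from the same seven privilege lines. The default command sets are a constructed subset taken from the figure's help output, and the resolution rule (an explicit entry for the full command wins, otherwise a higher level on a prefix restricts it) is this example's simplification of the behaviour the text describes.

```python
import re
from typing import Dict, List, Tuple

Cmd = Tuple[str, ...]

# Default command sets, constructed from the help output in Figure 4-1:
# level 1 = EXEC, level 15 = EXEC Privilege. Only the keywords the figure
# shows are modelled (reload is added as a typical EXEC Privilege command).
DEFAULTS: Dict[str, Dict[Cmd, int]] = {
    "exec": {
        ("disable",): 1, ("enable",): 1, ("exit",): 1, ("ip",): 1, ("monitor",): 1,
        ("mtrace",): 1, ("ping",): 1, ("quit",): 1, ("show",): 1, ("resequence",): 1,
        ("configure",): 15, ("capture", "bgp-pdu", "max-buffer-size"): 15,
        ("reload",): 15,
    },
    # A user entering CONFIGURATION mode keeps his level and gets only end and exit.
    "configure": {("end",): 1, ("exit",): 1, ("interface",): 15, ("line",): 15,
                  ("hostname",): 15, ("banner",): 15},
}

PRIV_RE = re.compile(
    r"^privilege\s+(exec|configure|interface|line|route-map|router)\s+level\s+(\d+)\s+(.+)$")


class PrivilegeModel:
    def __init__(self):
        self.configured: Dict[str, Dict[Cmd, int]] = {m: {} for m in DEFAULTS}

    def apply(self, line: str) -> None:
        """Apply one `privilege <mode> level <n> <keywords>` configuration line."""
        m = PRIV_RE.match(line.strip())
        if not m:
            return                                   # ignore "!" and unrelated lines
        mode, level, words = m.group(1), int(m.group(2)), tuple(m.group(3).split())
        table = self.configured.setdefault(mode, {})
        # The system also records every prefix of a granted command so that the
        # keywords appear in "?" help at that level (Figure 4-1 shows these lines).
        for i in range(1, len(words) + 1):
            table.setdefault(words[:i], level)
        table[words] = level

    def min_level(self, mode: str, words: Cmd) -> int:
        """Lowest privilege level that may run the fully specified command."""
        base = DEFAULTS[mode][words]
        conf = self.configured.get(mode, {})
        if words in conf:
            return conf[words]                       # explicit entry for the full command wins
        level = base
        for i in range(1, len(words)):
            lvl = conf.get(words[:i])
            if lvl is not None and lvl > base:       # a higher level on a prefix restricts it
                level = max(level, lvl)
        return level

    def available(self, mode: str, user_level: int) -> List[str]:
        """First keywords a user at user_level sees in "?" for the given mode."""
        seen = {words[0] for words in DEFAULTS[mode]
                if self.min_level(mode, words) <= user_level}
        return sorted(seen)


def model_from_config(text: str) -> PrivilegeModel:
    model = PrivilegeModel()
    for line in text.splitlines():
        model.apply(line)
    return model


# The privilege lines from Figure 4-1.
FIGURE_4_1 = """\
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
"""

if __name__ == "__main__":
    m = model_from_config(FIGURE_4_1)
    print("EXEC at level 3:", m.available("exec", 3))
    print("CONFIGURATION at level 3:", m.available("configure", 3))
```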
Apply a Privilege Level to a Username
To set a privilege level for a user:
Task                                     Command Syntax                      Command Mode
Configure a privilege level for a user.  username username privilege level   CONFIGURATION
Apply a Privilege Level to a Terminal Line
To set a privilege level for a terminal line:
Task                                              Command Syntax         Command Mode
Configure a privilege level for a terminal line.  privilege level level  LINE
Note: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode,
but the prompt is hostname#, rather than hostname>.
Configure Logging
Dell Networking OS tracks changes in the system using event and error messages. By default, Dell
Networking OS logs these messages on:
• the internal buffer
• console and terminal lines, and
• any configured syslog servers
Disable Logging
To disable logging:
Task                                        Command Syntax       Command Mode
Disable all logging except on the console.  no logging on        CONFIGURATION
Disable logging to the logging buffer.      no logging buffer    CONFIGURATION
Disable logging to terminal lines.          no logging monitor   CONFIGURATION
Disable console logging.                    no logging console   CONFIGURATION
Log Messages in the Logging Buffer
All error messages, except those beginning with %BOOTUP (Message 1), are logged in the internal buffer.
Message 1 BootUp Events
%BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
The following list includes the configuration tasks for system log management:
• Disable System Logging
• Send System Messages to a Syslog Server
Disable System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console,
and syslog servers.
Enable and disable system logging using the following commands:
Task                                        Command Syntax       Command Mode
Disable all logging except on the console.  no logging on        CONFIGURATION
Disable logging to the logging buffer.      no logging buffer    CONFIGURATION
Disable logging to terminal lines.          no logging monitor   CONFIGURATION
Disable console logging.                    no logging console   CONFIGURATION
Send System Messages to a Syslog Server
Send system messages to a syslog server by specifying a server:
Task                                                       Command Syntax                                   Command Mode
Specify the server to which you want to send system        logging {ip-address | ipv6-address | hostname}   CONFIGURATION
messages. You can configure up to eight syslog servers,
which may be IPv4 and/or IPv6 addressed.
Configure a Unix System as a Syslog Server
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the Unix
system and assigning write permissions to the file.
• on a 4.1 BSD UNIX system, add the line: local7.debugging /var/log/force10.log
• on a 5.7 SunOS UNIX system, add the line: local7.debugging /var/adm/force10.log
In the lines above, local7 is the logging facility level and debugging is the severity level.
Change System Logging Settings
You can change the default system logging settings (severity level and the storage location). The default is
to log all messages up to debug level.
Task                                                       Command Syntax              Command Mode
Specify the minimum severity level for logging to the      logging buffered level      CONFIGURATION
logging buffer.
Specify the minimum severity level for logging to the      logging console level       CONFIGURATION
console.
Specify the minimum severity level for logging to          logging monitor level       CONFIGURATION
terminal lines.
Specify the minimum severity level for logging to a        logging trap level          CONFIGURATION
syslog server.
Specify the minimum severity level for logging to the      logging history level       CONFIGURATION
syslog history table.
Specify the size of the logging buffer.                    logging buffered size       CONFIGURATION
  Note: When you decrease the buffer size, Dell Networking OS deletes all messages stored in the buffer.
  Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that Dell Networking OS     logging history size size   CONFIGURATION
saves to its logging history table.
Display the logging buffer and configuration using the show logging command from EXEC Privilege
mode, as shown in Figure 4-2.
Display the logging configuration using the show running-config logging command from EXEC
Privilege mode, as shown in Figure 4-3.
Display the Logging Buffer and the Logging Configuration
Display the current contents of the logging buffer and the logging settings for the system using the show
logging command from EXEC Privilege mode, as shown in Figure 4-2.
Figure 4-2. show logging Command Example
FTOS#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
Configure a UNIX Logging Facility Level
Facility is a message tag used to describe the application or process that submitted the log message. You
can save system log messages with a UNIX system logging facility:
Command Syntax                     Command Mode    Purpose
logging facility [facility-type]   CONFIGURATION   Specify one of the following parameters.
• auth (for authorization messages)
• cron (for system scheduler messages)
• daemon (for system daemons)
• kern (for kernel messages)
• local0 (for local use)
• local1 (for local use)
• local2 (for local use)
• local3 (for local use)
• local4 (for local use)
• local5 (for local use)
• local6 (for local use)
• local7 (for local use). This is the default.
• lpr (for line printer system messages)
• mail (for mail system messages)
• news (for USENET news messages)
• sys9 (system use)
• sys10 (system use)
• sys11 (system use)
• sys12 (system use)
• sys13 (system use)
• sys14 (system use)
• syslog (for syslog messages)
• user (for user programs)
• uucp (UNIX to UNIX copy protocol)
The default is local7.
Display non-default settings using the show running-config logging command from EXEC mode, as
shown in Figure 4-3.
Figure 4-3. show running-config logging Command Example
FTOS#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
FTOS#
Synchronize Log Messages
You can configure a terminal line to hold all logs until all command inputs and outputs are complete, so that log printing does not interfere while you are performing management tasks. Log synchronization also filters system messages for a specific line based on severity level and limits the number of messages that are printed at once.
Step 1. Enter LINE mode. Configure the following parameters for the virtual terminal lines:
• number range: zero (0) to 8.
• end-number range: 1 to 8.
You can configure multiple virtual terminals at one time by entering a number followed by an end-number.
Command Syntax: line {console 0 | vty number [end-number] | aux 0}
Command Mode: CONFIGURATION

Step 2. Set a level and the maximum number of messages to be printed. The following parameters are optional:
• level severity-level range: 0 to 7. Default is 2. Use the all keyword to include all messages.
• limit range: 20 to 300. Default is 20.
Command Syntax: logging synchronous [level severity-level | all] [limit]
Command Mode: LINE
Display the logging synchronous configuration using the show config command from LINE mode.
Enable Timestamp on Syslog Messages
Syslog messages, by default, do not include a time/date stamp stating when the error or message was
created. To have Dell Networking OS include a timestamp with the syslog message:
Purpose: Add a timestamp to syslog messages. Specify the following optional parameters:
• datetime: You can add the keyword localtime to include the local time, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
• uptime: To view the time since the last boot.
Command Syntax: service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Default: uptime
Command Mode: CONFIGURATION
Display your configuration using the command show running-config logging from EXEC Privilege
mode, as shown in Figure 4-3.
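As an added example (not code from the Dell guide), the following Python decodes what a syslog collector receives from the switch: the PRI value, which packs the facility set with logging facility and the severity set with logging trap, and the %PROCESS-SEVERITY-MNEMONIC tag seen in the log output above. The facility numbers assumed for sys9 to sys14 and cron, and the sample lines, are labelled as assumptions in the code.

```python
"""Decode what a syslog collector receives from a Dell Networking OS switch.

Added example, not code from the Dell guide. The PRI field <N> at the start
of every syslog message packs N = facility * 8 + severity, where the facility
is the keyword set with `logging facility` and the severity is at most the
level set with `logging trap`. The body carries a %PROCESS-SEVERITY-MNEMONIC
tag. The sample lines at the bottom are constructed for this example.
"""
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Facility keyword -> syslog facility code. Codes 0-8 and 16-23 are the
# standard BSD values; mapping sys9..sys14 to 9..14 and cron to 15 is an
# assumption made here, since the guide lists keywords only.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                  "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 15}
FACILITY_CODES.update({f"sys{n}": n for n in range(9, 15)})
FACILITY_CODES.update({f"local{n}": 16 + n for n in range(8)})  # local7 = 23
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
TAG_RE = re.compile(
    r"%(?P<proc>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def decode_pri(pri):
    """Split a PRI value into (facility keyword, severity keyword)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_switch_syslog(line):
    """Parse one received line; returns None if it carries no PRI field."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    record = {"facility": facility, "severity": severity,
              "proc": None, "mnemonic": None, "text": m.group("rest")}
    tag = TAG_RE.search(m.group("rest"))
    if tag:  # the digit in the tag is the same severity level as in the PRI
        record.update(proc=tag.group("proc"), mnemonic=tag.group("mnemonic"),
                      text=tag.group("text"))
    return record


def unexpected_facility(lines, expected="local7"):
    """Mnemonics of messages that arrived under a facility other than the one
    the collector's routing rules expect, e.g. after `logging facility` was
    changed on the switch without updating the collector."""
    return [r["mnemonic"] for r in map(parse_switch_syslog, lines)
            if r is not None and r["facility"] != expected]


# Constructed sample lines. With the guide's default facility local7 (23):
# 23 * 8 + 5 = 189 and 23 * 8 + 6 = 190. After `logging facility user` (1),
# the same severity-5 message arrives as 1 * 8 + 5 = 13.
SAMPLE_LINES = [
    "<189>%CHMGR-5-LINECARDUP: Line card 12 is up",
    "<190>%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK",
    "<13>3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_switch_syslog(line))
    print(unexpected_facility(SAMPLE_LINES))  # ['CONFIG_I']
```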
File Transfer Services
You can configure the system to transfer files over the network using File Transfer Protocol (FTP).
Configuration Task List for File Transfer Services
The following list includes the configuration tasks for file transfer services:
• Enable FTP server
• Configure FTP server parameters
• Configure FTP client parameters
Enable FTP server
To make the system an FTP server:
Task: Make the system an FTP server.
Command Syntax: ftp-server enable
Command Mode: CONFIGURATION
Display your FTP configuration using the command show running-config ftp from EXEC Privilege mode,
as shown in Figure 4-4.
Figure 4-4. show running-config ftp Command Example
FTOS#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
FTOS#
Configure FTP server parameters
To configure FTP server parameters:
Task: Specify the directory for users using FTP to reach the system. The default is the internal flash.
Command Syntax: ftp-server topdir dir
Command Mode: CONFIGURATION

Task: Specify a user name for all FTP users and configure either a plain text or encrypted password. Configure the following optional and required parameters:
• username: Enter a text string.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a text string.
Command Syntax: ftp-server username username password [encryption-type] password
Command Mode: CONFIGURATION
Note: You cannot use the change directory (cd) command until ftp-server topdir is configured.
Display your FTP configuration using the command show running-config ftp from EXEC Privilege mode,
as shown in Figure 4-4.
Configure FTP client parameters
When the system will be an FTP client, configure FTP client parameters:
Task: Specify a source interface.
Command Syntax: ip ftp source-interface interface
Command Mode: CONFIGURATION

Task: Configure a password.
Command Syntax: ip ftp password password
Command Mode: CONFIGURATION

Task: Enter the username to use on the FTP client.
Command Syntax: ip ftp username name
Command Mode: CONFIGURATION
Display the FTP configuration using the command show running-config ftp from EXEC Privilege mode, as shown in Figure 4-4.
Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles. The terminal
lines on the system provide different means of accessing the system. The console line (console) connects
you through the Console port in the RPMs. The virtual terminal lines (VTY) connect you through Telnet to
the system. The auxiliary line (aux) connects secondary devices such as modems.
Deny and Permit Access to a Terminal Line
Dell recommends applying only standard ACLs to deny and permit access to VTY lines.
• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny any traffic.
• You cannot use show ip accounting access-list to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line:
Task: Apply an ACL to a VTY line.
Command Syntax: ip access-class access-list
Command Mode: LINE
To view the configuration, enter the show config command in the LINE mode, as shown in Figure 4-5.
Figure 4-5. Applying an Access List to a VTY Line
FTOS(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
FTOS(config-std-nacl)#line vty 0
FTOS(config-line-vty)#show config
line vty 0
access-class myvtyacl
Dell Networking OS Behavior: Prior to Dell Networking OS version 7.4.2.0, in order to deny access on a VTY line, you had to apply both an ACL and AAA authentication to the line, so users were denied access only after they entered a username and password. Beginning in Dell Networking OS version 7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username and password.
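The empty-ACL behavior above is easy to overlook when reviewing who can reach a VTY line, so here is an added example (not code from the Dell guide) that evaluates a standard ACL against candidate source addresses with the rules the guide states: entries in sequence order, an implicit deny at the end, and no denial at all when the ACL has no entries. The ACL text and addresses are constructed; the wildcard and deny-any entries beyond Figure 4-5 are assumed for illustration.

```python
"""Evaluate a standard ACL the way it gates a VTY line.

Added example, not code from the Dell guide. It parses the `show config`
output of a standard ACL (the format of Figure 4-5), walks the entries in
sequence order with the usual implicit deny at the end, and applies the
VTY-line exception the guide states: an ACL with no rules denies nothing.
The ACL text and candidate source addresses below are constructed.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^\s*ip access-list standard (?P<name>\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s*seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<any>any)|(?P<net>\S+)\s+(?P<wild>\S+))\s*$")


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(text):
    """Return (acl_name, entries) with entries sorted by sequence number.

    Each entry is (seq, action, network_int, wildcard_int); the wildcard has a
    1 bit for every address bit that is ignored, so `host` is wildcard 0 and
    `any` is all ones.
    """
    name, entries = None, []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # blank lines, comments, other output
        if m.group("host"):
            net, wild = _addr(m.group("host")), 0
        elif m.group("any"):
            net, wild = 0, 0xFFFFFFFF
        else:
            net, wild = _addr(m.group("net")), _addr(m.group("wild"))
        entries.append((int(m.group("seq")), m.group("action"), net, wild))
    entries.sort(key=lambda e: e[0])
    return name, entries


def vty_access(entries, source):
    """Decide whether `source` may open a session on the line.

    Returns (decision, matching_seq); matching_seq is None when the decision
    came from the empty-ACL rule or from the implicit deny.
    """
    if not entries:
        return "permit", None             # guide: no rules => nothing is denied
    src = _addr(source)
    for seq, action, net, wild in entries:
        if (src | wild) == (net | wild):  # bits under the wildcard are ignored
            return action, seq
    return "deny", None                   # implicit deny of a non-empty ACL


def audit_vty_sources(acl_text, candidates):
    """Map each candidate source address to its decision, for a quick review
    of which networks can reach the management plane through this line."""
    _, entries = parse_standard_acl(acl_text)
    return {src: vty_access(entries, src)[0] for src in candidates}


# Constructed `show config` output in the format of Figure 4-5, with two
# assumed extra entries to show sequence ordering and wildcard matching.
MYVTYACL = """\
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
 seq 10 permit 10.11.0.0 0.0.0.255
 seq 20 deny any
"""
# An ACL that exists but has no entries: applied to a VTY line, it permits all.
EMPTY_ACL = "ip access-list standard emptyacl\n"

if __name__ == "__main__":
    print(audit_vty_sources(MYVTYACL, ["10.11.0.1", "10.11.0.77", "192.0.2.9"]))
    print(audit_vty_sources(EMPTY_ACL, ["192.0.2.9"]))  # {'192.0.2.9': 'permit'}
```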
Configure Login Authentication for Terminal Lines
You can use any combination of up to 6 authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
• enable—Prompt for the enable password.
• line—Prompt for the password you assigned to the terminal line. You must configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the command password from LINE mode.
• local—Prompt for the system username and password.
• none—Do not authenticate the user.
• radius—Prompt for a username and password and use a RADIUS server to authenticate.
• tacacs+—Prompt for a username and password and use a TACACS+ server to authenticate.
To configure authentication for a terminal line:
Step 1. Create an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local, and the default method list is empty.
Command Syntax: aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
Command Mode: CONFIGURATION

Step 2. Apply the method list from Step 1 to a terminal line.
Command Syntax: login authentication {method-list-name | default}
Command Mode: CONFIGURATION

Step 3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
Command Syntax: password
Command Mode: LINE
In Figure 4-6, VTY lines 0-2 use a single authentication method, line.
Figure 4-6. Configuring Login Authentication on a Terminal Line
FTOS(conf)#aaa authentication login myvtymethodlist line
FTOS(conf)#line vty 0 2
FTOS(config-line-vty)#login authentication myvtymethodlist
FTOS(config-line-vty)#password myvtypassword
FTOS(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
FTOS(config-line-vty)#
Time out of EXEC Privilege Mode
EXEC timeout is a basic security feature that returns Dell Networking OS to the EXEC mode after a period
of inactivity on terminal lines.
To change the timeout period or disable EXEC timeout:
Task: Set the number of minutes and seconds. Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0.
Command Syntax: exec-timeout minutes [seconds]
Command Mode: LINE

Task: Return to the default timeout values.
Command Syntax: no exec-timeout
Command Mode: LINE
View the configuration using the command show config from LINE mode.
Figure 4-7. Configuring EXEC Timeout
FTOS(conf)#line con 0
FTOS(config-line-console)#exec-timeout 0
FTOS(config-line-console)#show config
line console 0
exec-timeout 0 0
FTOS(config-line-console)#
Telnet to Another Network Device
To telnet to another device:
Task: Telnet to the peer RPM. You do not need to configure the management port on the peer RPM to be able to telnet to it.
Command Syntax: telnet-peer-rpm
Command Mode: EXEC Privilege

Task: Telnet to a device with an IPv4 or IPv6 address. If you do not enter an IP address, Dell Networking OS enters a Telnet dialog that prompts you for one.
• Enter an IPv4 address in dotted decimal format (A.B.C.D).
• Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Note: Telnet to link-local addresses is not supported.
Command Syntax: telnet [ipv4-address | ipv6-address]
Command Mode: EXEC Privilege
Figure 4-8. Telnet to Another Network Device
FTOS# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
FTOS>exit
FTOS#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
FTOS#
Lock CONFIGURATION mode
Dell Networking OS allows multiple users to make configurations at the same time. You can lock
CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time
(Message 2).
Two types of locks can be set: auto and manual.
• Set an auto-lock using the command configuration mode exclusive auto from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access. This means that you can exit to EXEC Privilege mode and re-enter CONFIGURATION mode without having to set the lock again.
• Set a manual lock using the command configure terminal lock from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Figure 4-9. Lock CONFIGURATION mode
R1(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by
console
R1#config
! Locks configuration mode exclusively.
R1(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, Message 1 appears on
their terminal.
Message 1 CONFIGURATION mode Locked Error
% Error: User "" on line console0 is in exclusive configuration mode
If any user is already in CONFIGURATION mode while a lock is in place, Message 2 appears on their terminal.
Message 2 Cannot Lock CONFIGURATION mode Error
% Error: Can't lock configuration mode exclusively since the following users are currently
configuring the system:
User "admin" on line vty1 ( 10.1.1.1 )
Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you
are the one that configured the lock.
Note: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.
View the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the command show configuration lock from EXEC
Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively
you can clear any line using the command clear from EXEC Privilege mode. If you clear a console session,
the user is returned to EXEC mode.
Recovering from a Forgotten Password
If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password:
Step 1. Log onto the system via console.
Step 2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
Step 3. Abort bootup by sending the break signal when prompted. See Figure 4-10.
Command Syntax: Ctrl+Shift+6
Figure 4-10. Enter BOOT_USER mode
Type "go 0x00040004" to enter the Dell Networking OS BLI shell
You can use U-boot native networking facilities
============================================================
Hit any key to stop autoboot: 0
Starting F10 BLI Shell ...
BOOT_USER # enable admin
Password : XXXXXXXXX
RPM0-CP BOOT_ADMIN #
Step 4. Enter BOOT_ADMIN mode using the command enable admin. Enter ncorerulz when prompted for a password. See Figure 4-11.
Command Syntax: enable admin
Command Mode: BOOT_USER
Figure 4-11. Enter BOOT_ADMIN mode
***** Welcome to FTOS Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER # enable admin
Password : XXXXXXXXX
RPM0-CP BOOT_ADMIN #
Step 5. Rename the startup-config so it does not load on the next system reload.
Command Syntax: rename :flash://startup-config flash://startup-config.bak
Command Mode: BOOT_ADMIN
Step 6. Verify that startup-config is renamed. See Figure 4-12.
Command Syntax: dir flash:
Command Mode: BOOT_ADMIN
Figure 4-12. Rename the startup-config
RPM0-CP BOOT_ADMIN # dir flash:
Directory of flash:
1 -rwx 11407411 Jun 09 2004 09:38:40 FTOS-EE3-5.3.1.1.bin
2 -rwx 4977 Jun 09 2004 09:38:38 startup-config.bak
Step 7. Reload the system.
Command Syntax: reload
Command Mode: BOOT_ADMIN
Step 8. Copy startup-config.bak to the running config.
Command Syntax: copy flash://startup-config.bak running-config
Command Mode: EXEC Privilege
Step 9. Remove all authentication statements you might have for the console.
Command Syntax: no authentication login
no password
Command Mode: LINE
Step 10. Save the running-config.
Command Syntax: copy running-config startup-config
Command Mode: EXEC Privilege
Recovering from a Forgotten Enable Password
If you forget the enable password:
Step 1. Log onto the system via console.
Step 2. Eject the secondary RPM if there is one.
Step 3. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
Step 4. Abort bootup by sending the break signal when prompted. See Figure 4-10.
Command Syntax: Ctrl+Shift+6
Step 5. Configure the system to ignore the enable password on bootup. See Figure 4-13.
Note: This command only bypasses the enable password once. You must repeat this procedure to bypass it again.
Command Syntax: ignore enable-password
Command Mode: BOOT_USER
Figure 4-13. Ignore the Enable Password
***** Welcome to FTOS Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER # ignore enable-password
Step 6. Reload the system.
Command Syntax: reload
Command Mode: BOOT_USER
Step 7. Configure a new enable password.
Command Syntax: enable {secret | password}
Command Mode: CONFIGURATION
Step 8. Insert the secondary RPM.
Step 9. Save the running-config to the startup-config. The startup-config files on both RPMs will be synchronized.
Command Syntax: copy running-config startup-config
Command Mode: EXEC Privilege
Recovering from a Forgotten Password on S-Series
If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password:
Step 1. Log onto the system via console.
Step 2. Power-cycle the chassis by unplugging the power cord.
Step 3. Abort bootup by sending the break signal when prompted. See Figure 4-14.
Command Syntax: (any key)
Figure 4-14. Enter BOOT_USER mode
Type "go 0x00040004" to enter the Dell Networking OS BLI shell
You can use U-boot native networking facilities
============================================================
***** Welcome to FTOS Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER #
Step 4. Configure the system to ignore the startup-config, which prevents the system from prompting you for a password to enter EXEC mode.
Note: This command only bypasses the password once. You must repeat this procedure to bypass it again.
Command Syntax: ignore startup-config
Command Mode: BOOT_USER
Step 5. Remove all authentication statements you might have for the console.
Command Syntax: no authentication login
Command Mode: CONFIGURATION
Step 6. Reload the system.
Command Syntax: reload
Command Mode: BOOT_USER
Recovering from a Failed Start
A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from an incorrect location. To resolve the problem, you can restart the system and interrupt the boot process to point the system to another boot location by using the boot change command, as described below. For details on the boot change command, its supporting commands, and other commands that can help recover from a failed start, refer to the BOOT_USER chapter in the Dell Networking OS Command Reference.
Step 1. Power-cycle the chassis (pull the power cord and reinsert it).
Step 2. Abort bootup by sending the break signal when prompted (during bootup).
Command Syntax: Ctrl-Shift 6 (Ctrl-^) on the C-Series and E-Series; on the S-Series, hit any key.
Step 3. Tell the system where to access the Dell Networking OS image used to boot the system:
• Enter primary to configure the boot parameters used in the first attempt to boot the system.
• Enter secondary for when the primary operating system boot selection is not available.
• Enter default to configure boot parameters used if the secondary operating system boot parameter selection is not available. The default location should always be the internal flash device (flash:), and a verified image should be stored there.
Command Syntax: boot change {primary | secondary | default}
After entering the keywords and desired option, press Enter. The software prompts you to enter the following:
• boot device (ftp, tftp, flash, slot0)
Note: S-Series can only use a TFTP location.
• image file name
• IP address of the server with the image
• username and password (only for FTP)
Command Mode: BOOT_USER
Step 4. On S-Series systems only, assign a port to be the Management Ethernet interface.
Command Syntax: interface management ethernet port portID
Command Mode: BOOT_USER
Step 5. Assign an IP address to the Management Ethernet interface.
Command Syntax: [no] interface management ethernet ip address ip-address mask
Command Mode: BOOT_USER
Step 6. (OPTIONAL) On C- and E-Series systems only, configure speed, duplex, and negotiation settings for the management interface.
Command Syntax: interface management port config {half-duplex | full-duplex | 10m | 100m | auto-negotiation | no auto-negotiation | show}
Command Mode: BOOT_USER
Step 7. Assign an IP address as the default gateway for the system.
Command Syntax: [no] default-gateway ip-address
Command Mode: BOOT_USER
Step 8. Reload the system.
Command Syntax: reload
Command Mode: BOOT_USER
Very similar to the options of the boot change command, the boot system command is available in
CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the
startup configuration file, are stored in NVRAM and are then used routinely:
Task: Configure the system to routinely boot from the designated location. After entering rpm0 or rpm1, enter one of the three keywords and then the file-url. You can use the command for each of the combinations of RPM and option.
Command Syntax: boot system {rpm0 | rpm1} {default | primary | secondary} file-url
For file-url, to boot from a file:
• on the internal Flash, enter flash:// followed by the filename.
• on an FTP server, enter ftp://user:password@hostip/filepath
• on the external Flash, enter slot0:// followed by the filename.
• on a TFTP server, enter tftp://hostip/filepath
Command Mode: CONFIGURATION
Also, because the C-Series and E-Series can boot from an external flash, you can recover from a failed
boot image on the flash by simply fixing that source. For details on boot code and Dell Networking OS
setup, see the Dell Networking OS Release Notes for the specific Dell Networking OS versions that you
want to use.
The network boot facility has only become available on the S-Series with Dell Networking OS 7.8.1.0 and
its accompanying boot code. In addition to installing Dell Networking OS 7.8.1.0, you must separately
install that new boot code. For installation details, see the S-Series and Dell Networking OS Release Notes
for Version 7.8.1.0.
5 802.1ag
802.1ag is available only on platform: S
Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor,
troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah OAM
3. Ethernet Local Management Interface (MEF-16 E-LMI)
Ethernet CFM
Ethernet CFM is an end-to-end, per-service-instance Ethernet OAM scheme which enables: proactive
connectivity monitoring, fault verification, and fault isolation.
The service-instance in the OAM for Metro/Carrier Ethernet context is a VLAN. This service is sold to an
end-customer by a network service provider. Typically the service provider contracts with multiple
network operators to provide end-to-end service between customers. For end-to-end service between
customer switches, connectivity must be present across the service provider through multiple network
operators.
Layer 2 Ethernet networks usually cannot be managed with IP tools such as ICMP Ping and IP Traceroute.
Traditional IP tools often fail because:
• there are complex interactions between various Layer 2 and Layer 3 protocols such as STP, LAG, VRRP and ECMP configurations.
• Ping and traceroute are not designed to verify data connectivity in the network and within each node in the network (such as in the switching fabric and hardware forwarding tables).
• when networks are built from different operational domains, access controls impose restrictions that cannot be overcome at the IP level, resulting in poor fault visibility. There is a need for hierarchical domains that can be monitored and maintained independently by each provider or operator.
• routing protocols choose a subset of the total network topology for forwarding, making it hard to detect faults in links and nodes that are not included in the active routing topology. This is made more complex when using some form of Traffic Engineering (TE) based routing.
• network and element discovery and cataloging is not clearly defined using IP troubleshooting tools.
There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With
these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of
running the network. OAM also increases availability and reduces mean time to recovery, which allows for
tighter service level agreements, resulting in increased revenue for the service provider.
In addition to providing end-to-end OAM in native Layer 2 Ethernet Service Provider/Metro networks,
you can also use CFM to manage and troubleshoot any Layer 2 network including enterprise, datacenter,
and cluster networks.
Maintenance Domains
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in Figure 5-1.
A CFM maintenance domain is a management space on a network that is owned and operated by a single
management entity. The network administrator assigns a unique maintenance level (0 to 7) to each domain
to define the hierarchical relationship between domains. Domains can touch or nest but cannot overlap or
intersect as that would require management by multiple entities.
Figure 5-1. OAM Domains (figure: Customer Network, Ethernet Access, MPLS Access, MPLS Core and Service Provider Network, with the Customer Domain (7), Provider Domain (6), three Operator Domains (5) and MPLS Domain (4) nested by level)
Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface demarcation that confines CFM frames to a domain. There are two types of maintenance points:
• Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain.
• Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that is an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two MEPs within a single domain. MIPs are internal to a domain, not at the boundary, and respond to CFM only when triggered by linktrace and loopback messages. MIPs can be configured to snoop Continuity Check Messages (CCMs) to build a MIP CCM database.
These roles define the relationships between all devices so that each device can monitor the layers under its
responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames.
Figure 5-2. Maintenance Points (figure: the domains of Figure 5-1, Customer Domain (7), Provider Domain (6), Operator Domains (5) and MPLS Domain (4), with the MEP and MIP positions marked)
Maintenance End Points
A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two types of MEPs defined in 802.1ag for an 802.1 bridge:
• Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Networking systems the internal forwarding path is effectively the switch fabric and forwarding engine.
• Down-MEP: monitors the forwarding path external to another bridge.
Configure Up-MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure Down-MEPs on egress ports, ports that send traffic away from the bridge relay.
Figure 5-3. Up-MEP versus Down-MEP (figure: Customer Network and Service Provider Ethernet Access; the Up-MEP faces towards the relay, the Down-MEP away from the relay)
Implementation Information
• Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level).
Configure CFM
Configuring CFM involves the following steps:
1. Configure the ecfmacl CAM region using the cam-acl command. See Configuring Ingress Layer 2 ACL Sub-partitions.
2. Enable Ethernet CFM.
3. Create a Maintenance Domain.
4. Create a Maintenance Association.
5. Create Maintenance Points.
6. Use CFM tools:
   a. Continuity Check Messages
   b. Loopback Message and Response
   c. Linktrace Message and Response
Related Configuration Tasks
• Enable CFM SNMP Traps
• Display Ethernet CFM Statistics
Enable Ethernet CFM
Task: Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned.
Command Syntax: ethernet cfm
Command Mode: CONFIGURATION

Task: Disable Ethernet CFM without stopping the CFM process.
Command Syntax: disable
Command Mode: ETHERNET CFM
Create a Maintenance Domain
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in Figure 5-1.
Step 1. Create maintenance domain.
Command Syntax: domain name md-level number
Range: 0-7
Command Mode: ETHERNET CFM

Step 2. Display maintenance domain information.
Command Syntax: show ethernet cfm domain [name | brief]
Command Mode: EXEC Privilege

FTOS# show ethernet cfm domain
Domain Name: customer
Level: 7
Total Service: 1
Services
MA-Name    VLAN    CC-Int    X-CHK Status
My_MA      200     10s       enabled

Domain Name: praveen
Level: 6
Total Service: 1
Services
MA-Name    VLAN    CC-Int    X-CHK Status
Your_MA    100     10s       enabled
Create a Maintenance Association
A Maintenance Association (MA) is a subdivision of an MD that contains all managed entities corresponding to a single end-to-end service, typically a VLAN. An MA is associated with a VLAN ID.
Task: Create maintenance association.
Command Syntax: service name vlan vlan-id
Command Mode: ECFM DOMAIN
Create Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface demarcation that confines CFM frames to a domain. There are two types of maintenance points:
• Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain.
• Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that constitutes an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two MEPs within a single domain.
These roles define the relationships between all devices so that each device can monitor the layers under its responsibility.
Create a Maintenance End Point
A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two types of MEPs defined in 802.1ag for an 802.1 bridge:
• Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Networking systems the internal forwarding path is effectively the switch fabric and forwarding engine.
• Down-MEP: monitors the forwarding path external to another bridge.
Configure Up-MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure Down-MEPs on egress ports, ports that send traffic away from the bridge relay.
Task: Create an MEP.
Command Syntax: ethernet cfm mep {up-mep | down-mep} domain {name | level} ma-name name mepid mep-id
Range: 1-8191
Command Mode: INTERFACE

Task: Display configured MEPs and MIPs.
Command Syntax: show ethernet cfm maintenance-points local [mep | mip]
Command Mode: EXEC Privilege

FTOS#show ethernet cfm maintenance-points local mep
-------------------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port     CCM-Status  MA Name  VLAN  Dir   MAC
-------------------------------------------------------------------------------------------
100   cfm0         7      MEP   Gi 4/10  Enabled     test0    10    DOWN  00:01:e8:59:23:45
200   cfm1         6      MEP   Gi 4/10  Enabled     test1    20    DOWN  00:01:e8:59:23:45
300   cfm2         5      MEP   Gi 4/10  Enabled     test2    30    DOWN  00:01:e8:59:23:45
Create a Maintenance Intermediate Point
A Maintenance Intermediate Point (MIP) is a logical entity configured at a port of a switch that constitutes an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two MEPs within a single domain. An MIP is not associated with any MA or service instance; it belongs to the entire MD.
Task: Create an MIP.
Command Syntax: ethernet cfm mip domain {name | level} ma-name name
Command Mode: INTERFACE

Task: Display configured MEPs and MIPs.
Command Syntax: show ethernet cfm maintenance-points local [mep | mip]
Command Mode: EXEC Privilege

FTOS#show ethernet cfm maintenance-points local mip
-------------------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port    CCM-Status  MA Name  VLAN  Dir   MAC
-------------------------------------------------------------------------------------------
0     service1     4      MIP   Gi 0/5  Disabled    My_MA    3333  DOWN  00:01:e8:0b:c6:36
0     service1     4      MIP   Gi 0/5  Disabled    Your_MA  3333  UP    00:01:e8:0b:c6:36
MP Databases
CFM maintains two MP databases:
• MEP Database (MEP-DB): Every MEP must maintain a database of all other MEPs in the MA that have announced their presence via CCM.
• MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM.
Task: Display the MEP Database.
Command Syntax: show ethernet cfm maintenance-points remote detail [active | domain {level | name} | expired | waiting]
Command Mode: EXEC Privilege
FTOS#show ethernet cfm maintenance-points remote detail
MAC Address: 00:01:e8:58:68:78
Domain Name: cfm0
MA Name: test0
Level: 7
VLAN: 10
MP ID: 900
Sender Chassis ID: FTOS
MEP Interface status: Up
MEP Port status: Forwarding
Receive RDI: FALSE
MP Status: Active
Display the MIP Database.
show ethernet cfm mipdb
EXEC Privilege
MP Database Persistence
Task: Set the amount of time that data from a missing MEP is kept in the Continuity Check Database.
Command Syntax: database hold-time minutes
Command Mode: ECFM DOMAIN
Default: 100 minutes
Range: 100-65535 minutes
Continuity Check Messages
Continuity Check Messages (CCM) are periodic hellos used to:
• discover MEPs and MIPs within a maintenance domain
• detect loss of connectivity between MEPs
• detect misconfiguration, such as a VLAN ID mismatch between MEPs
• detect unauthorized MEPs in a maintenance domain
Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
They have a destination address based on the MD level (01:80:C2:00:00:3X where X is the MD level of
the transmitting MEP from 0 to 7). All MEPs must listen to these multicast MAC addresses and process
these messages. MIPs may optionally process the CCM messages originated by MEPs and construct a
MIP CCM database.
MEPs and MIPs filter CCMs from higher and lower domain levels as described in Table 5-1.
Table 5-1. Continuity Check Message Processing
Frames at              Frames from                     UP-MEP Action  Down-MEP Action  MIP Action
Less than my level     Bridge-relay side or Wire side  Drop           Drop             Drop
My level               Bridge-relay side               Consume        Drop             Add to MIP-DB and forward
My level               Wire side                       Drop           Consume          Add to MIP-DB and forward
Greater than my level  Bridge-relay side or Wire side  Forward        Forward          Forward
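The following Python is an added example and is not code from the Dell guide or from Dell Networking OS. It decodes the 802.1ag group destination MAC described above into a message class and MD level, and applies the filtering rules of Table 5-1 for an Up-MEP, a Down-MEP and a MIP. It also decodes the 01:80:C2:00:00:3[8-F] Linktrace group addresses that the Linktrace section of this chapter describes, since both classes share the same address block. All function and parameter names are this example's own.

```python
# Added example, not from the Dell guide: decode the 802.1ag group destination
# MAC into a message class and MD level, then apply the CCM filtering rules of
# Table 5-1. Function and parameter names are this example's own.

CFM_GROUP_PREFIX = bytes.fromhex("0180c20000")   # 01:80:C2:00:00:xx


def cfm_level_from_dmac(dmac: bytes):
    """Return ("CCM", level) for 01:80:C2:00:00:30-37, ("LTM", level) for
    01:80:C2:00:00:38-3F (the Linktrace group addresses described later in
    this chapter), or None for any other destination."""
    if len(dmac) != 6 or dmac[:5] != CFM_GROUP_PREFIX:
        return None
    last = dmac[5]
    if 0x30 <= last <= 0x37:
        return ("CCM", last - 0x30)
    if 0x38 <= last <= 0x3F:
        return ("LTM", last - 0x38)
    return None


def ccm_action(my_level: int, mp_type: str, frame_level: int, side: str) -> str:
    """Table 5-1 for one received CCM.
    mp_type: "up-mep", "down-mep" or "mip"; side: "bridge-relay" or "wire"."""
    if frame_level < my_level:          # lower-level CCMs never cross an MP
        return "drop"
    if frame_level > my_level:          # higher-level CCMs pass through transparently
        return "forward"
    if mp_type == "mip":                # own level: a MIP learns the MEP and relays
        return "add-to-mip-db-and-forward"
    if mp_type == "up-mep":             # Up-MEP faces the relay: consume only from that side
        return "consume" if side == "bridge-relay" else "drop"
    if mp_type == "down-mep":           # Down-MEP faces the wire: consume only from that side
        return "consume" if side == "wire" else "drop"
    raise ValueError(f"unknown MP type {mp_type!r}")


def process_ccm(my_level: int, mp_type: str, dmac: bytes, side: str) -> str:
    """Combine both steps: classify the frame by its destination, then filter."""
    decoded = cfm_level_from_dmac(dmac)
    if decoded is None or decoded[0] != "CCM":
        return "not-a-ccm"
    return ccm_action(my_level, mp_type, decoded[1], side)


if __name__ == "__main__":
    # constructed sample: a level-7 CCM arriving at a level-7 Up-MEP from the relay side
    print(process_ccm(7, "up-mep", bytes.fromhex("0180c2000037"), "bridge-relay"))
```

The level comparison is done before the MP type is examined, which is why a MIP at level 5 simply forwards a level-7 CCM and drops a level-4 one without ever consulting its MIP-DB.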
All the remote MEPs in the maintenance domain are defined on each MEP. Each MEP then expects a
periodic CCM from the configured list of MEPs. A connectivity failure is then defined as:
1. Loss of 3 consecutive CCMs from any of the remote MEPs, which indicates a network failure.
2. Reception of a CCM with an incorrect CCM transmission interval, which indicates a configuration
error.
3. Reception of a CCM with an incorrect MEP ID or MAID, which indicates a configuration or
cross-connect error. This can happen when different VLANs are cross-connected due to a
configuration error.
4. Reception of a CCM with an MD level lower than that of the receiving MEP, which indicates a
configuration or cross-connect error.
5. Reception of a CCM containing a port status/interface status TLV, which indicates a failed bridge or
aggregated port.
The Continuity Check protocol sends fault notifications (Syslogs, and SNMP traps if enabled) whenever
any of the above errors are encountered.
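As an added example that is not part of the Dell guide, the following Python models a MEP's view of its configured remote MEPs and raises the five defects listed above (plus RDI, which appears in the show output and trap table of this chapter). Time is passed in explicitly so the logic runs offline; the alarm message names reuse the %ECFM-5-* mnemonics shown later in Table 5-2, but the text after each mnemonic, the class and method names, and the scenario values are constructed here.

```python
# Added example, not part of the Dell guide: a minimal monitor for the CCM
# defects listed above. Timestamps are supplied by the caller so the logic can
# be exercised offline. Alarm mnemonics follow the guide's %ECFM-5-* messages;
# the wording after them is constructed for this example.


class RemoteMepMonitor:
    """Watches the CCMs expected from the configured remote MEPs of one MA."""

    def __init__(self, maid, md_level, interval_s, remote_mep_ids, start_time=0.0):
        self.maid = maid                  # MA identifier this MEP belongs to
        self.md_level = md_level          # MD level of this MEP
        self.interval_s = interval_s      # configured CCM transmit interval
        # last time a valid CCM arrived from each configured remote MEP
        self.last_seen = {mep_id: start_time for mep_id in remote_mep_ids}
        self.alarms = []                  # every alarm raised, in order

    def _alarm(self, name, detail):
        text = f"%ECFM-5-{name}: {detail}"
        self.alarms.append(text)
        return text

    def receive_ccm(self, now, mep_id, maid, md_level, interval_s,
                    port_status="up", rdi=False):
        """Validate one received CCM; return the alarm raised, or None."""
        # A CCM from a lower MD level should have been filtered (Table 5-1);
        # seeing one means a cross-connect or configuration error (item 4).
        if md_level < self.md_level:
            return self._alarm("ECFM_XCON_ALARM",
                               f"CCM at lower MD level {md_level} from MEP {mep_id}")
        # Wrong MAID or an unconfigured MEP ID: two MAs are cross-connected (item 3).
        if maid != self.maid or mep_id not in self.last_seen:
            return self._alarm("ECFM_XCON_ALARM",
                               f"unexpected MEP {mep_id} in MA {maid}")
        # Interval mismatch is a configuration error on the peer (item 2).
        if interval_s != self.interval_s:
            return self._alarm("ECFM_ERROR_ALARM",
                               f"MEP {mep_id} sends every {interval_s}s, "
                               f"expected {self.interval_s}s")
        self.last_seen[mep_id] = now
        # Port/interface status TLV reporting a non-forwarding port (item 5).
        if port_status != "up":
            return self._alarm("ECFM_MAC_STATUS_ALARM",
                               f"MEP {mep_id} reports port status {port_status}")
        # Remote Defect Indication: the peer itself currently sees a defect.
        if rdi:
            return self._alarm("ECFM_RDI_ALARM", f"RDI set by MEP {mep_id}")
        return None

    def check_timeouts(self, now):
        """Item 1: raise a remote-CCM alarm for each MEP silent for more than
        three CCM intervals (three consecutive CCMs lost)."""
        raised = []
        for mep_id, seen in self.last_seen.items():
            if now - seen > 3 * self.interval_s:
                raised.append(self._alarm("ECFM_REMOTE_ALARM",
                                          f"no CCM from MEP {mep_id} for {now - seen:.0f}s"))
        return raised


def demo():
    """Constructed scenario: MEP 900 keeps talking, MEP 901 goes silent,
    and an unconfigured MEP 950 shows up in the MA."""
    mon = RemoteMepMonitor("test0", md_level=7, interval_s=10, remote_mep_ids=[900, 901])
    for t in (10, 20, 30):
        assert mon.receive_ccm(t, 900, "test0", 7, 10) is None
    bad = mon.receive_ccm(31, 950, "test0", 7, 10)   # unconfigured MEP ID
    lost = mon.check_timeouts(35)                    # 901 silent for 35 s > 30 s
    return bad, lost, len(mon.alarms)


if __name__ == "__main__":
    for line in demo()[:2]:
        print(line)
```

The timeout check is driven by the receiver's own configured interval, which is why an interval mismatch is reported as a separate error rather than silently shortening or lengthening the loss window.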
Enable CCM
Step 1
Task: Enable CCM.
Command Syntax: no ccm disable
Command Mode: ECFM DOMAIN
Default: Disabled

Step 2
Task: Configure the transmit interval (mandatory). The interval specified applies to all MEPs in the domain.
Command Syntax: ccm transmit-interval seconds
Command Mode: ECFM DOMAIN
Default: 10 seconds
Enable Cross-checking
Task: Enable cross-checking.
Command Syntax: mep cross-check enable
Command Mode: ETHERNET CFM
Default: Disabled

Task: Start the cross-check operation for an MEP.
Command Syntax: mep cross-check mep-id
Command Mode: ETHERNET CFM

Task: Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started.
Command Syntax: mep cross-check start-delay number
Command Mode: ETHERNET CFM
Loopback Message and Response
Loopback Message and Response (LBM, LBR), also called Layer 2 Ping, is an administrative echo
transmitted by MEPs to verify reachability to another MEP or MIP within the maintenance domain. LBM
and LBR are unicast frames.
Task: Send a Loopback message.
Command Syntax: ping ethernet domain name ma-name ma-name remote {mep-id | mac-addr mac-address} source {mep-id | port interface}
Command Mode: EXEC Privilege
Linktrace Message and Response
Linktrace Message and Response (LTM, LTR), also called Layer 2 Traceroute, are administratively sent
multicast frames transmitted by MEPs to track, hop-by-hop, the path to another MEP or MIP within the
maintenance domain. All MEPs and MIPs in the same domain respond to an LTM with a unicast LTR.
Intermediate MIPs forward the LTM toward the target MEP.
Figure 5-4. Linktrace Message and Response
(figure: a Linktrace Message sent by a MEP is relayed by successive MIPs across an MPLS Core toward the target MEP; each MIP returns a Linktrace Response)
Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast
frame. The destination group address is based on the MD level of the transmitting MEP
(01:80:C2:00:00:3[8 to F]). The MPs on the path to the target MAC address reply to the LTM with an LTR
and relay the LTM towards the target MAC until the target MAC is reached or the TTL equals 0.
Task: Send a Linktrace message. Since the LTM is a Multicast message sent to the entire ME, there is no need to specify a destination.
Command Syntax: traceroute ethernet domain
Command Mode: EXEC Privilege
Link Trace Cache
After a Link Trace command is executed, the trace information can be cached so that you can view it later
without retracing.
Task: Enable Link Trace caching.
Command Syntax: traceroute cache
Command Mode: CONFIGURATION

Task: Set the amount of time a trace result is cached.
Command Syntax: traceroute cache hold-time minutes
Command Mode: ETHERNET CFM
Default: 100 minutes
Range: 10-65535 minutes

Task: Set the size of the Link Trace Cache.
Command Syntax: traceroute cache size entries
Command Mode: ETHERNET CFM
Default: 100
Range: 1 - 4095 entries

Task: Display the Link Trace Cache.
Command Syntax: show ethernet cfm traceroute-cache
Command Mode: EXEC Privilege

FTOS#show ethernet cfm traceroute-cache
Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2
-----------------------------------------------------------------------------
Hops Host                    IngressMAC        Ingr Action Relay Action Next Host
     Egress MAC              Egress Action     FWD Status
-----------------------------------------------------------------------------
4    00:00:00:01:e8:53:4a:f8 00:01:e8:52:4a:f8 IngOK       RlyHit       00:00:00:01:e8:52:4a:f8
                                               Terminal MEP

Task: Delete all Link Trace Cache entries.
Command Syntax: clear ethernet cfm traceroute-cache
Command Mode: EXEC Privilege
Enable CFM SNMP Traps
Task: Enable SNMP trap messages for Ethernet CFM.
Command Syntax: snmp-server enable traps ecfm
Command Mode: CONFIGURATION
A Trap is sent only when one of the five highest priority defects occur, as shown in Table 5-2.
Table 5-2. ECFM SNMP Traps
Cross-connect defect: %ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
Error-CCM defect: %ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
MAC Status defect: %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000
Remote CCM defect: %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
RDI defect: %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference
these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points
local mep.
FTOS#show ethernet cfm maintenance-points local mep
-------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port     CCM-Status  MA Name  VLAN  Dir   MAC
-------------------------------------------------------------------------------
100   cfm0         7      MEP   Gi 4/10  Enabled     test0    10    DOWN  00:01:e8:59:23:45

FTOS(conf-if-gi-0/6)#do show ethernet cfm domain
Domain Name: My_Name
MD Index: 1
Level: 0
Total Service: 1
Services
MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
1         test     0     1s      enabled

Domain Name: Your_Name
MD Index: 2
Level: 2
Total Service: 1
Services
MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
1         test     100   1s      enabled
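The following Python is an added example, not code from the Dell guide: it parses the five ECFM alarm messages of Table 5-2 from a syslog feed into structured records and reports, per maintenance association (domain, level, VLAN), the highest-priority defect currently raised, using the order in which Table 5-2 lists them. The log lines it runs on are constructed from the message formats shown in the table; the timestamp prefix and the function names are this example's own.

```python
# Added example, not from the Dell guide: parse the ECFM alarm messages of
# Table 5-2 into structured records and report, per maintenance association,
# the highest-priority defect seen. Sample log lines are constructed from the
# message formats in the table; the timestamp prefix is invented here.

import re

ECFM_ALARM_RE = re.compile(
    r"%ECFM-(?P<severity>\d)-(?P<mnemonic>ECFM_[A-Z_]+): (?P<summary>.+?) "
    r"detected by MEP (?P<mpid>\d+) in Domain (?P<domain>\S+) "
    r"at Level (?P<level>\d) VLAN (?P<vlan>\d+)"
)

# Table 5-2 lists the trap-generating defects from highest to lowest priority.
DEFECT_PRIORITY = {
    "ECFM_XCON_ALARM": 1,
    "ECFM_ERROR_ALARM": 2,
    "ECFM_MAC_STATUS_ALARM": 3,
    "ECFM_REMOTE_ALARM": 4,
    "ECFM_RDI_ALARM": 5,
}

# Constructed sample feed (timestamps are this example's own format).
SAMPLE_LOG = [
    "2015-01-05T10:00:01 sw1 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 "
    "in Domain customer1 at Level 7 VLAN 1000",
    "2015-01-05T10:00:02 sw1 %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 "
    "in Domain customer1 at Level 7 VLAN 1000",
    "2015-01-05T10:00:03 sw1 %EXAMPLE-5-UNRELATED: constructed line the parser must ignore",
    "2015-01-05T10:00:04 sw1 %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 "
    "in Domain provider at Level 4 VLAN 3000",
    "2015-01-05T10:00:05 sw1 %ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 "
    "in Domain customer1 at Level 7 VLAN 1000",
]


def parse_ecfm_alarm(line):
    """Return a dict with severity, mnemonic, summary, mpid, domain, level,
    vlan and priority for an ECFM alarm line, or None for any other line."""
    match = ECFM_ALARM_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    for key in ("severity", "mpid", "level", "vlan"):
        rec[key] = int(rec[key])
    rec["priority"] = DEFECT_PRIORITY.get(rec["mnemonic"])
    return rec


def worst_defect_per_ma(lines):
    """Map (domain, level, vlan) -> the highest-priority alarm record seen,
    so an operator sees one defect per MA instead of a burst of traps."""
    worst = {}
    for line in lines:
        rec = parse_ecfm_alarm(line)
        if rec is None or rec["priority"] is None:
            continue
        key = (rec["domain"], rec["level"], rec["vlan"])
        if key not in worst or rec["priority"] < worst[key]["priority"]:
            worst[key] = rec
    return worst


if __name__ == "__main__":
    for key, rec in worst_defect_per_ma(SAMPLE_LOG).items():
        print(key, rec["mnemonic"], "MEP", rec["mpid"])
```

The (domain, level, VLAN) key is what the trap text carries; to map it back to MD Index and MA Index, compare it with the show ethernet cfm domain output above.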
Display Ethernet CFM Statistics
Task: Display MEP CCM statistics.
Command Syntax: show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid]
Command Mode: EXEC Privilege

FTOS#show ethernet cfm statistics
Domain Name: Customer
Domain Level: 7
MA Name: My_MA
MPID: 300
CCMs:
  Transmitted:       1503    RcvdSeqErrors:      0
LTRs:
  Unexpected Rcvd:   0
LBRs:
  Received:          0       Rcvd Out Of Order:  0
  Received Bad MSDU: 0
  Transmitted:       0
Task: Display CFM statistics by port.
Command Syntax: show ethernet cfm port-statistics [interface]
Command Mode: EXEC Privilege
FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5
Port statistics for port: Gi 0/5
==================================
RX Statistics
=============
Total CFM Pkts 75394 CCM Pkts 75394
LBM Pkts 0 LTM Pkts 0
LBR Pkts 0 LTR Pkts 0
Bad CFM Pkts 0 CFM Pkts Discarded 0
CFM Pkts forwarded 102417
TX Statistics
=============
Total CFM Pkts 10303 CCM Pkts 0
LBM Pkts 0 LTM Pkts 3
LBR Pkts 0 LTR Pkts 0
6 802.3ah
802.3ah is available only on platform: S-Series
A metropolitan area network (MAN) is a set of LANs, geographically separated but managed by a single
entity. If the distance is large—across a city, for example—connectivity between LANs is managed by a
service provider. While LANs use Ethernet, service provider networks use an array of protocols (PPP and
ATM) and a variety of access technologies. Implementing Ethernet from end to end, across the service
provider network, simplifies design and management, increases scalability and bandwidth, and reduces
costs.
Ethernet in a service provider environment introduces the concept of Carrier-class Ethernet and requires
some basic management and diagnostic tools. Ethernet Operations, Administration, and Maintenance
(OAM) is that toolset, which can be used to install, monitor, troubleshoot, and manage Ethernet
infrastructure deployments. It consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag, Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah, Ethernet in the First Mile (EFM) OAM
3. Ethernet Local management Interface (MEF-16 E-LMI)
Link Layer OAM Overview
Link Layer OAM introduces the toolset required to effectively monitor the link between the customer and
service provider, which is called the first mile. Currently, service providers use a variety of access
technologies including ISDN, DSL, and coax cable in the first mile. Implementing Ethernet here reduces
the types of equipment in the subscriber access network, simplifying installation and management, and
increasing bandwidth.
Link Layer OAM performs four primary operations for the purposes of link status, performance
monitoring, and fault detection and isolation for Ethernet in the First Mile:
• OAM Discovery—detects whether the remote system is OAM capable, and negotiates OAM parameters.
• Link Event Monitoring—defines a set of events that may impact link operation, and monitors the link for those events.
• Remote Loopback—directs the remote system to reflect back frames that the local system transmits so that an administrator can isolate a fault.
• Remote Failure Indication—notifies a peer of a critical link event.
Link Layer OAMPDUs
Link Layer OAM is conducted using OAMPDUs, shown in Figure 6-1. OAM is a slow protocol and by
requirement may transmit no more than 10 frames per second, transmits to a multicast destination MAC,
and uses an Ethernet subtype.
Figure 6-1. OAMPDU Frame Format
(figure: frame fields, left to right)
Destination MAC (01-80-c2-00-00-02, the Slow Protocol multicast address) | Source MAC | Length/Type (0x8809; Slow Protocols use a subtype) | Sub-type (0x03) | Flags | Code | Payload (TLVs) | Padding | FCS
Code values: 00: Information, 01: Event Notification, 02: Variable Request, 03: Variable Response, 04: Loopback Control, 05-FD: Reserved, FE: Organization Specific, FF: Reserved
Flag bits: 0: Link Fault, 1: Dying Gasp, 2: Critical Event, 3: Local Evaluating, 4: Local Stable, 5: Remote Evaluating, 6: Remote Stable, 7-15: Reserved
There are six OAMPDU types, identified by the Code field:
• Information—carries state information and Local Information and/or Remote Information TLVs. Information OAMPDUs are used in discovery, and as keepalives.
  • Local Information TLVs—indicate support for variable retrieval, link performance events, remote loopback, unidirectional support, and OAM mode.
  • Remote Information TLVs—a copy of the peer’s Local Information TLV.
• Event Notification—carries TLVs for each concurrent link fault.
• Variable Request—carries MIB object descriptors for which the remote peer should return values.
• Variable Response—carries the requested MIB object values.
• Loopback Control—carries the loopback control command (enable and disable).
• Organization Specific—contains an OUI followed by data, the format and function of which is defined by the organization.
OAMPDU Flags
1-bit flags are used to indicate OAM state and link state. During discovery, flags 3-6 are used to indicate the
state of peership establishment. Flags 0-2 are used to indicate a local critical link event to the remote peer.
Link Layer OAM Operational Modes
When participating in EFM OAM, a system may operate in active or passive mode.
• Active mode—Active mode systems initiate discovery. Once the Discovery process completes, they can send any OAMPDU while connected to a peer in Active mode, and a subset of OAMPDUs if the peer is in Passive mode (see Table 6-1).
• Passive mode—Passive mode systems wait for an active mode system to initiate discovery, and do not send Variable Request or Loopback Control OAMPDUs.
Taken from IEEE 802.3ah, Table 6-1 summarizes the permitted actions in each role.
Table 6-1. Active Mode and Passive Mode Behaviors
Capability                                                                     Active  Passive
Initiates OAM Discovery process                                                Yes     No
Reacts to OAM Discovery process initiation                                     Yes     Yes
Required to send Information OAMPDUs                                           Yes     Yes
Permitted to send Event Notification OAMPDUs                                   Yes     Yes
Permitted to send Variable Request OAMPDUs                                     Yes     No
Permitted to send Variable Response OAMPDUs (the peer must be in Active mode)  Yes     Yes
Permitted to send Loopback Control OAMPDUs                                     Yes     No
Reacts to Loopback Control OAMPDUs (the peer must be in Active mode)           Yes     Yes
Permitted to send Organization Specific OAMPDUs                                Yes     Yes
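As an added example that is not part of the Dell guide, the following Python parses the OAMPDU header of Figure 6-1 (slow-protocol destination MAC, Length/Type 0x8809, subtype 0x03, Flags and Code), decodes the flag bits listed under OAMPDU Flags, and checks against Table 6-1 whether a station in a given mode may transmit a given OAMPDU type. The frame bytes, the source MAC and the function names are constructed for the example.

```python
# Added example, not from the Dell guide: parse the OAMPDU header fields of
# Figure 6-1, decode the flag bits, and apply the transmit permissions of
# Table 6-1. The sample frame and all function names are this example's own.

import struct

SLOW_PROTOCOL_DMAC = bytes.fromhex("0180c2000002")   # Slow Protocol multicast address
SLOW_PROTOCOL_ETHERTYPE = 0x8809
OAM_SUBTYPE = 0x03

OAM_CODES = {0x00: "Information", 0x01: "Event Notification",
             0x02: "Variable Request", 0x03: "Variable Response",
             0x04: "Loopback Control", 0xFE: "Organization Specific"}

# Flag bit positions, least significant bit first (bits 7-15 are reserved).
FLAG_BITS = ["Link Fault", "Dying Gasp", "Critical Event", "Local Evaluating",
             "Local Stable", "Remote Evaluating", "Remote Stable"]

# Table 6-1: OAMPDU types each mode is permitted to transmit.
PERMITTED = {
    "active": {"Information", "Event Notification", "Variable Request",
               "Variable Response", "Loopback Control", "Organization Specific"},
    "passive": {"Information", "Event Notification", "Variable Response",
                "Organization Specific"},
}


def parse_oampdu(frame: bytes) -> dict:
    """Decode the 18-byte header; raise ValueError for anything that is not a
    well-formed Link OAM slow-protocol frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an OAMPDU header")
    dmac, smac, ethertype, subtype, flags, code = struct.unpack("!6s6sHBHB", frame[:18])
    if dmac != SLOW_PROTOCOL_DMAC or ethertype != SLOW_PROTOCOL_ETHERTYPE or subtype != OAM_SUBTYPE:
        raise ValueError("not a Link OAM slow-protocol frame")
    if code not in OAM_CODES:
        raise ValueError(f"reserved OAMPDU code 0x{code:02x}")
    return {
        "source": smac.hex(":"),
        "code": OAM_CODES[code],
        "flags": [name for bit, name in enumerate(FLAG_BITS) if flags & (1 << bit)],
        "payload": frame[18:],
    }


def is_valid_oampdu(frame: bytes) -> bool:
    try:
        parse_oampdu(frame)
        return True
    except ValueError:
        return False


def may_send(mode: str, code_name: str, peer_mode: str) -> bool:
    """Table 6-1 transmit rule. A Variable Response is only sent in reply to a
    Variable Request, which only an Active peer can have issued."""
    if code_name not in PERMITTED[mode]:
        return False
    if code_name == "Variable Response" and peer_mode != "active":
        return False
    return True


def build_oampdu(smac: bytes, code: int, flags: int, payload: bytes = b"") -> bytes:
    """Construct a frame with the Figure 6-1 header (FCS omitted)."""
    header = struct.pack("!6s6sHBHB", SLOW_PROTOCOL_DMAC, smac,
                         SLOW_PROTOCOL_ETHERTYPE, OAM_SUBTYPE, flags, code)
    return header + payload


if __name__ == "__main__":
    sample_mac = bytes.fromhex("002384acb800")        # constructed source address
    info = build_oampdu(sample_mac, 0x00, (1 << 4) | (1 << 6))  # Local Stable, Remote Stable
    print(parse_oampdu(info))
    print(may_send("passive", "Loopback Control", "active"))   # passive never sends this
```

The permission check is the piece a defender cares about: a passive-mode port that emits a Loopback Control or Variable Request OAMPDU is misbehaving by definition, so such frames can be treated as an anomaly rather than acted on.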
Link Layer OAM Discovery
OAM Discovery is the mechanism a Link Layer OAM-capable system uses to determine if the remote
system on the link has OAM functionality enabled. OAM Discovery ascertains OAM parameters, such as
maximum allowable OAMPDU size, and supported functions such as OAM remote loopback.
The discovery process is as follows:
1. If the link is not in Fault state, Active mode systems send Information OAMPDUs that contain (only)
the Local Information TLV.
2. Once a system receives an Information OAMPDU, it responds with an Information OAMPDU that
contains the Local and Remote Information TLVs. Negotiation is complete when both systems have
received their peer’s information and are satisfied with it; to be satisfied, both peers on the link must
have link performance event monitoring enabled.
3. When negotiation is complete, both peers may send any type of OAMPDU.
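The following Python is an added example and is not code from the Dell guide; it is a deliberately simplified model of the three discovery steps above. Each station carries a Local Information record (mode, link monitoring, maximum PDU size), echoes the peer's record back as Remote Information, and marks itself stable only when both sides have link performance monitoring enabled, which is the satisfaction rule stated in step 2 and in the Implementation Information below. Information OAMPDUs are represented as dicts rather than bytes; the class, field and method names are this example's own.

```python
# Added example, not from the Dell guide: a simplified model of Link OAM
# discovery between two stations. Information OAMPDUs are dicts, not frames;
# the station/field names are this example's own.


class OamStation:
    def __init__(self, name, mode, link_monitor=True, max_pdu=1500):
        self.name = name
        self.mode = mode                      # "active" or "passive"
        # contents of our Local Information TLV
        self.local = {"mode": mode, "link_monitor": link_monitor, "max_pdu": max_pdu}
        self.remote = None                    # peer's Local Information, once learned
        self.local_stable = False             # we are satisfied with the peer's settings
        self.remote_stable = False            # the peer told us it is satisfied with ours

    def _satisfied(self):
        # Both peers must run link performance monitoring, or discovery
        # does not complete (step 2 / Implementation Information).
        return bool(self.local["link_monitor"] and self.remote["link_monitor"])

    def information_oampdu(self):
        """Next Information OAMPDU to send, or None if this station must stay
        quiet (a passive station waits until it has heard the active peer)."""
        if self.mode == "passive" and self.remote is None:
            return None
        pdu = {"local": dict(self.local),
               "flags": {"local_stable": self.local_stable,
                         "remote_stable": self.remote_stable}}
        if self.remote is not None:           # step 2: echo the peer's TLV back
            pdu["remote"] = dict(self.remote)
        return pdu

    def receive(self, pdu):
        self.remote = dict(pdu["local"])
        self.local_stable = self._satisfied()
        # The peer is stable with us once it has evaluated our TLV (it echoes
        # it back) and reports its own Local Stable flag.
        self.remote_stable = bool(pdu["flags"]["local_stable"] and "remote" in pdu)

    def discovered(self):
        """Step 3: both sides satisfied, any OAMPDU type may now be sent."""
        return self.local_stable and self.remote_stable


def run_discovery(a, b, rounds=4):
    """Exchange Information OAMPDUs alternately; return True once both sides
    report discovery complete."""
    for _ in range(rounds):
        for sender, receiver in ((a, b), (b, a)):
            pdu = sender.information_oampdu()
            if pdu is not None:
                receiver.receive(pdu)
    return a.discovered() and b.discovered()


if __name__ == "__main__":
    print(run_discovery(OamStation("A", "active"), OamStation("B", "passive")))
    print(run_discovery(OamStation("A", "active"),
                        OamStation("B", "passive", link_monitor=False)))
```

Two passive stations never complete discovery because neither sends the first Information OAMPDU, and a peer with link monitoring disabled leaves both sides permanently in the evaluating state; both outcomes match the behaviour the guide describes.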
Link Layer OAM Events
Link Layer OAM defines a set of events that may impact link operation, and monitors the link for those
events. If an event occurs, the detecting system notifies its peer. There are two types of events:
• Critical Link Events—There are three critical events; each has an associated flag which can be set in the OAMPDU when the event occurs. Critical link events are communicated to the peer using Remote Failure Indication.
  • Link Fault—A fault occurred in the receive direction of the local peer.
  • Dying Gasp—An unrecoverable local failure condition occurred. Dying Gasp notification is not supported on S-Series.
  • Critical Event—An unspecified critical event occurred. Critical Event notification is not supported on S-Series.
• Link Performance Events—Link events are either symbol errors or frame errors, and are communicated using Link Event TLVs.
  • Symbol Errors—a symbol is an (electrical or optical) pulse on the physical medium that represents one or more bits. A symbol error occurs when a symbol degrades in transit so that the receiver is not able to decode it. Gigabit and 10-Gigabit Ethernet have an expected symbol rate, also called baud.
  • Frame Errors—frame errors are frames with a bad CRC.
Remote Loopback
An active-mode device can place a passive peer into loopback mode by sending a Loopback Control
OAMPDU. When in loopback mode:
• the remote peer returns unaltered all non-OAMPDU frames sent by the local peer, and
• all outbound data frames are discarded (control frames are still forwarded).
Implementation Information
• Critical Link Events Dying Gasp and Critical Event are not supported.
• MIB retrieval is not supported.
• Both peers on a link must have Link Performance Monitoring enabled, or else discovery does not complete.
• Control frames are still forwarded when an interface is in loopback mode.
Configuring Link Layer OAM
Configuring Link Layer OAM is a two-step process:
1. Enable Link Layer OAM.
2. Enable any or all of the following:
   a. Link Performance Event Monitoring
   b. Remote Failure Indication
   c. Remote Loopback
Related Configuration Tasks
• Adjust the OAMPDU Transmission Parameters
• Display Link Layer OAM Configuration and Statistics
• Manage Link Layer OAM
Enable Link Layer OAM
Link Layer OAM is disabled by default. Enabling it places the system in Active mode and initiates OAM
discovery. Both peers on the link must have link performance event monitoring enabled for discovery to
complete.
Task: Enable Ethernet OAM.
Command Syntax: ethernet oam
Command Mode: INTERFACE
Default: Disabled

Task: Display the OAM discovery status.
Command Syntax: show ethernet oam discovery interface interface
Command Mode: EXEC Privilege

FTOS# show ethernet oam discovery interface
Output format:
Local client
__________
Administrative configurations:
Mode:active
Unidirection:not supported
Link monitor:supported (on)
Remote loopback:not supported
MIB retrieval:not supported
Mtu size:1500
Operational status:
Port status:operational
Loopback status:no loopback
PDU permission:any
PDU revision:1
Remote client
___________
MAC address:0030.88fe.87de
Vendor(OUI):0x00 0x00 0x0C
Administrative configurations:
Mode:active
Unidirection:not supported
Link monitor:supported
Remote loopback:not supported
MIB retrieval:not supported
Mtu size:1500
Task: Display Link Layer OAM sessions.
Command Syntax: show ethernet oam summary
Command Mode: EXEC Privilege

FTOS# show ethernet oam summary
Output format :
Symbols:* - Master Loopback State, # - Slave Loopback State
Capability codes:L - Link Monitor, R - Remote Loopback
U - Unidirection,V - Variable Retrieval
Local      Remote
Interface  MAC Address     OUI    Mode    Capability
Gi6/1/1    0023.84ac.b800  0000D  active  L R
Adjust the OAMPDU Transmission Parameters
Task: Specify the maximum or minimum number of OAMPDUs to be sent per second.
Command Syntax: ethernet oam [max-rate value | min-rate value]
Command Mode: INTERFACE
Range: 1-10
Default: 10

Task: Set the transmission mode to active or passive.
Command Syntax: ethernet oam mode {active | passive}
Command Mode: INTERFACE
Default: Active

Task: Specify the amount of time that the system waits to receive an OAMPDU from a peer before considering it non-operational.
Command Syntax: ethernet oam timeout value
Command Mode: INTERFACE
Range: 2-30 seconds
Default: 5 seconds
Link Performance Event Monitoring
Link Performance Event Monitoring OAM monitors the receive side of a link for a set of pre-defined
errors and executes an action when a threshold is exceeded; it is enabled by default. Both peers on the link
must have link performance event monitoring enabled for discovery to complete.
There is a high and a low threshold for each pre-defined error; an event occurs when any threshold is
exceeded. Dell Networking OS periodically polls hardware registers for the current frame and symbol
error count. If an interface exceeds a threshold, a notification is sent to the peer and the interface is placed
in error-disabled state.
• Enable Error Monitoring
• Execute an Action upon Exceeding the High Threshold
Enable Error Monitoring
The polling interval for Link Performance Monitoring is 100 milliseconds.
Task: Start (or stop) Link Performance Monitoring on an interface.
Command Syntax: ethernet oam link-monitor on
                no ethernet oam link-monitor on
Command Mode: INTERFACE
Default: Enabled

Task: Enable (or disable) support for Link Performance Monitoring on an interface.
Command Syntax: ethernet oam link-monitor supported
                no ethernet oam link-monitor supported
Command Mode: INTERFACE
Default: Enabled
Set Threshold Values
The available pre-defined errors fall under two categories:
• Symbol Errors—a symbol is an (electrical or optical) pulse on the physical medium that represents one or more bits. A symbol error occurs when a symbol degrades in transit so that the receiver is not able to decode it. Gigabit and 10-Gigabit Ethernet have an expected symbol rate, also called baud.
• Frame Errors—frame errors are frames with a bad CRC.
The available pre-defined errors are:
• Symbol Errors per Second—the number of symbol errors during a specified period exceeds a threshold.
• Frame Errors per Second—the number of frame errors during a specified period exceeds a threshold.
• Frame Errors per Frame Period—the number of frame errors within the last N frames exceeds a threshold.
• Frame Error Seconds per Time Period—an error second is a 1-second period with at least one frame error. The Frame Error Seconds per Time Period error occurs when the number of error seconds within the last M seconds exceeds a threshold.
Symbol Errors per Second
Task: Specify the high threshold value for symbol errors, or disable the high threshold.
Command Syntax: ethernet oam link-monitor symbol-period threshold high {symbols | none}
Command Mode: INTERFACE
Range: 1-65535
Default: None

Task: Specify the low threshold for symbol errors.
Command Syntax: ethernet oam link-monitor symbol-period threshold low symbols
Command Mode: INTERFACE
Range: 0-65535
Default: 10

Task: Specify the time period for the symbol errors per second condition.
Command Syntax: ethernet oam link-monitor symbol-period window symbols
Command Mode: INTERFACE
Range: 1-65535 (times 1,000,000 symbols)
Default: 10 (10,000,000 symbols)
Frame Errors per Second
Task: Specify the high threshold value for frame errors, or disable the high threshold.
Command Syntax: ethernet oam link-monitor frame threshold high {frames | none}
Command Mode: INTERFACE
Range: 1-65535
Default: None

Task: Specify the low threshold for frame errors.
Command Syntax: ethernet oam link-monitor frame threshold low frames
Command Mode: INTERFACE
Range: 0-65535
Default: 1

Task: Specify the time period for the frame errors per second condition.
Command Syntax: ethernet oam link-monitor frame window milliseconds
Command Mode: INTERFACE
Range: 10-600 milliseconds
Default: 100 milliseconds
Frame Errors per Frame Period
Task: Specify the high threshold value for frame errors per frame period, or disable the high threshold.
Command Syntax: ethernet oam link-monitor frame-period threshold high {frames | none}
Command Mode: INTERFACE
Range: 1-65535
Default: None

Task: Specify the low threshold for frame errors per frame period.
Command Syntax: ethernet oam link-monitor frame-period threshold low frames
Command Mode: INTERFACE
Range: 0-65535
Default: 1

Task: Specify the frame period for the frame errors per frame period condition.
Command Syntax: ethernet oam link-monitor frame-period window milliseconds
Command Mode: INTERFACE
Range: 1-65535 (times 10,000 frames)
Default: 1000 (10 million frames)
Error Seconds per Time Period
Task: Specify the high threshold value for frame error seconds per time period, or disable the high threshold.
Command Syntax: ethernet oam link-monitor frame-seconds threshold high {milliseconds | none}
Command Mode: INTERFACE
Range: 1-900
Default: None

Task: Specify the low threshold for frame error seconds per time period.
Command Syntax: ethernet oam link-monitor frame-seconds threshold low milliseconds
Command Mode: INTERFACE
Range: 1-900
Default: 1

Task: Specify the time period for the error seconds per time period condition.
Command Syntax: ethernet oam link-monitor frame-seconds window milliseconds
Command Mode: INTERFACE
Range: 100-900, in multiples of 100
Default: 1000 milliseconds
Execute an Action upon Exceeding the High Threshold
When an error exceeds the low threshold, an event notification is sent to the peer. When an error exceeds
the high threshold, a pre-defined action is triggered such as disabling the interface.
Task: Disable an interface when the high threshold is exceeded for any of the monitored error conditions.
Command Syntax: ethernet oam link-monitor high-threshold action error-disable-interface
Command Mode: INTERFACE
Default: Enabled
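The following Python is an added example, not code from the Dell guide or from Dell Networking OS. It models the window/low/high threshold semantics of the four Set Threshold Values tables above together with the high-threshold action: each error type accumulates over a window measured in its own unit (symbols, milliseconds, frames, or seconds), the low threshold produces an Event Notification to the peer, and the high threshold triggers the configured action. The guide's defaults are noted in comments, but the high thresholds, the frame-seconds window and all class, method and state names are chosen for this example.

```python
# Added example, not from the Dell guide: a model of link performance event
# monitoring with the window/low/high semantics of the threshold tables above
# and the high-threshold action. Guide defaults are noted in comments; the
# high thresholds, the frame-seconds window and all names are this example's own.


class ErrorWindow:
    """Counts one error type over a window measured in that error's own unit
    (symbols, milliseconds, frames or seconds) and evaluates the thresholds
    each time the window closes."""

    def __init__(self, name, window, low, high=None):
        self.name, self.window, self.low, self.high = name, window, low, high
        self.count = 0      # errors seen in the current window
        self.elapsed = 0    # units of the window consumed so far

    def add(self, errors, span):
        """Account `errors` observed over `span` units; return the events raised
        (a list of (level, name, count) tuples, usually empty)."""
        self.count += errors
        self.elapsed += span
        events = []
        if self.elapsed >= self.window:
            if self.high is not None and self.count > self.high:
                events.append(("high", self.name, self.count))
            elif self.count > self.low:
                events.append(("low", self.name, self.count))
            self.count, self.elapsed = 0, 0
        return events


class LinkMonitor:
    """Per-interface monitor: exceeding the low threshold queues an Event
    Notification to the peer; exceeding the high threshold also runs the
    configured action (default error-disable-interface)."""

    def __init__(self, high_action="error-disable-interface"):
        self.windows = {
            # guide defaults: window 10 x 1,000,000 symbols, low 10, high none
            "symbol-period": ErrorWindow("symbol-period", 10_000_000, low=10),
            # guide defaults: window 100 ms, low 1, high none (high=5 chosen here)
            "frame": ErrorWindow("frame", 100, low=1, high=5),
            # guide defaults: window 1000 x 10,000 frames, low 1, high none
            "frame-period": ErrorWindow("frame-period", 10_000_000, low=1),
            # errored seconds over a 10 s window (constructed), low 1, high 3
            "frame-seconds": ErrorWindow("frame-seconds", 10, low=1, high=3),
        }
        self.high_action = high_action
        self.notifications = []         # Event Notification OAMPDUs queued to the peer
        self.interface_state = "up"

    def _apply(self, events):
        for level, name, count in events:
            self.notifications.append((name, count))
            if level == "high" and self.high_action == "error-disable-interface":
                self.interface_state = "error-disabled"
        return self.interface_state

    def report(self, kind, errors, span):
        """Feed a hardware counter delta: `errors` seen over `span` symbols,
        milliseconds or frames, depending on `kind`. Returns the interface state."""
        return self._apply(self.windows[kind].add(errors, span))

    def record_second(self, frame_errors):
        """One second elapsed with `frame_errors` CRC errors; an errored second
        is any second with at least one frame error."""
        errored = 1 if frame_errors > 0 else 0
        return self._apply(self.windows["frame-seconds"].add(errored, 1))


if __name__ == "__main__":
    lm = LinkMonitor()
    print(lm.report("frame", 2, 100), lm.notifications)     # low threshold crossed
    print(lm.report("frame", 6, 100), lm.notifications)     # high threshold: error-disabled
```

The windows close on their own unit, so a symbol-period window of 10,000,000 symbols is not evaluated until that many symbols have been observed, however many 100 ms polls that takes; this is why the frame-seconds window is fed per second rather than per poll.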
Remote Failure Indication
Remote Failure Indication is the mechanism a system uses to notify its peer of a local critical link event.
There are three critical events; each has an associated flag which can be set in the OAMPDU when the
event occurs.
• Link Fault—A fault occurred in the receive direction of the local peer.
• Dying Gasp—An unrecoverable local failure condition occurred. Dying Gasp notification is not supported on S-Series.
• Critical Event—An unspecified critical event occurred. Critical Event notification is not supported on S-Series.
When a link fault, dying gasp, or critical event occurs, the system sets an associated bit in subsequent
OAMPDUs until the error is resolved (polling occurs every 100ms), and you can configure the system to
take an additional action.
Task: Block or disable an interface when a particular critical link event occurs.
Command Syntax: ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action {error-block-interface | error-disable-interface}
Command Mode: INTERFACE
Default: Disabled
Remote Loopback
An active-mode device can place a passive peer into loopback mode by sending a Loopback Control
OAMPDU. When in loopback mode:
• the remote peer returns unaltered all non-OAMPDU frames sent by the local peer, and
• all outbound data frames are discarded.
Note: Control traffic egresses from the loopback initiator and from the interface in loopback mode. You must
explicitly disable L2/L3 protocols to stop control traffic.
Task: Enable support for the OAM loopback capability on an interface so that it can exchange information with a remote peer.
Command Syntax: ethernet oam remote-loopback supported
Command Mode: INTERFACE
Default: Enabled

Task: Configure the maximum amount of time the local peer waits for a frame to be returned before considering the remote peer to be non-operational.
Command Syntax: ethernet oam remote-loopback timeout seconds
Command Mode: INTERFACE

Task: Start or stop loopback operation on a local interface with a remote peer.
Command Syntax: ethernet oam remote-loopback {start | stop} interface interface
Command Mode: EXEC Privilege
Display Link Layer OAM Configuration and Statistics
Task: Display Link Layer OAM status per interface.
Command Syntax: show ethernet oam status interface interface
Command Mode: EXEC Privilege
FTOS# show ethernet oam status interface
Output Format :
General
______
Mode:active
PDU max rate:10 packets per second
PDU min rate:1 packet per second
Link timeout:5 seconds
High threshold action:no action
Link Monitoring
____________
Status supported (on)
Symbol Period Error
Window:1 million symbols
Low threshold:1 error symbol(s)
High threshold:none
Frame Error
Window:1 million symbols
Low threshold:1 error symbol(s)
High threshold:none
Frame Period Error
Window:1 x 100,000 frames
Low threshold:1 error symbol(s)
High threshold:none
Frame Seconds Error
Window:600 x 100 milliseconds
Low threshold:1 error second(s)
High threshold:none
Task: Display Link Layer OAM statistics per interface.
Command Syntax: show ethernet oam statistics interface interface
Command Mode: EXEC Privilege
FTOS# show ethernet oam statistics interface
Counters:
_________
Information OAMPDU Tx: 3439489
Information OAMPDU Rx: 9489
Unique Event Notification OAMPDU Tx: 0
Unique Event Notification OAMPDU x: 0
Duplicate Event Notification OAMPDU Tx: 0
Duplicate Event Notification OAMPDU Rx: 0
Loopback Control OAMPDU Tx: 0
Loopback Control OAMPDU Rx: 2
Variable Request OAMPDU Tx: 0
Variable Request OAMPDU Rx: 0
Variable Response OAMPDU Tx: 0
Variable Response OAMPDU Rx: 0
FTOS OAMPDU Tx:: 10
FTOS OAMPDU Rx:: 21
Unsupported OAMPDU Tx:: 0
Unsupported OAMPDU Rx:0
Frame Lost due to OAM:0
Local Faults:
0 Link Fault Records
0 Dying Gasp Records
Total dying Gasps:: 2
Time Stamp: 00:40:23
Total dying Gasps:: 1
Time Stamp: 00:41:23
0 Critical Event Records
Remote Faults:
_________
0 Link Fault Records
0 Dying Gasp Records
0 Critical Event Records
Local Event Logs:
_____________
0 Errored Symbol Period Records
0 Errored Frame Records
0 Errored Frame Period Records
0 Errored Frame Second Records
Remote Event Logs:
_____________
0 Errored Symbol Period Records
0 Errored Frame Records
0 Errored Frame Period Records
0 Errored Frame Second Records
Task: Clear Link Layer OAM statistics.
Command Syntax: clear ethernet oam statistics interface interface
Command Mode: EXEC Privilege
Manage Link Layer OAM
Enable MIB Retrieval Support/Function
IEEE 802.3ah defines the Link OAM MIB in Sec 30A.20, “OAM entity managed object class”; all of the
objects described there are supported. Note that 802.3ah does not include the ability to set/write remote
MIB variables.
You must enable MIB retrieval support and the MIB retrieval function.
Task: Enable MIB retrieval support and/or the MIB retrieval function.
Command Syntax: ethernet oam mib-retrieval {supported | on}
Command Mode: INTERFACE
Default: Disabled
Adjust the Size of the Link OAM Event Log
Task: Configure the size of the OAM event log.
Command Syntax: ethernet oam event-log size entries
Command Mode: CONFIGURATION
Range: 0 to 200. Default: 50.
7 802.1X
802.1X is supported on platforms: C-Series, E-Series, S-Series
This chapter has the following sections:
• Protocol Overview
• Configuring 802.1X
• Important Points to Remember
• Enabling 802.1X
• Configuring Request Identity Re-transmissions
• Forcibly Authorize or Unauthorize a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Dynamic VLAN Assignment with Port Authentication
• Guest and Authentication-Fail VLANs
• Multi-Host Authentication
• Multi-Supplicant Authentication
• MAC Authentication Bypass
• Dynamic CoS with 802.1X
Protocol Overview
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed
from sending or receiving traffic on the network until its identity can be verified (through a username and
password, for example); all ingress frames, except those used for 802.1X authentication, are dropped. This
feature is named for its IEEE specification.
802.1X employs Extensible Authentication Protocol (EAP)* to transfer a device’s credentials to an
authentication server (typically RADIUS) via a mandatory intermediary network access device, in this
case, a Dell Networking switch. The network access device mediates all communication between the
end-user device and the authentication server so that the network remains secure. The network access
device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over
RADIUS to communicate with the server.
(figure: End-user Device <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server)
Figure 7-1 and Figure show how EAP frames are encapsulated in Ethernet and Radius frames.
* Note: Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
Figure 7-1. EAPOL Frame Format
(figure: frame fields, left to right)
Ethernet frame: Preamble | Start Frame Delimiter | Destination MAC (1:80:c2:00:00:03) | Source MAC (Auth Port MAC) | Ethernet Type (0x888e) | EAPOL Frame | Padding | FCS
EAPOL frame: Protocol Version (1) | Packet Type (Range: 0-4) | Length | EAP Frame
  Packet Type: 0: EAP Packet, 1: EAPOL Start, 2: EAPOL Logoff, 3: EAPOL Key, 4: EAPOL Encapsulated-ASF-Alert
EAP frame: Code (Range: 1-4) | ID (Seq Number, Range: 1-255) | Length | EAP-Method Frame
  Codes: 1: Request, 2: Response, 3: Success, 4: Failure
EAP-Method frame: EAP-Method Code (0-255) | Length | EAP-Method Data (Supplicant Requested Credentials)
  Codes: 1: Identity, 2: Notification, 3: NAK, 4: MD-5 Challenge, 5: One-Time Challenge, 6: Generic Token Card
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the port is authorized by the authenticator. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
• The authentication server selects the authentication method, verifies the information provided by the supplicant, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
Note: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by default.
The Port-authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down
to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Request Identity frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is a request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if the method is acceptable, the supplicant provides the requested challenge information in an EAP Response, which is translated and forwarded to the authentication server as another Access-Request.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. The port state remains unauthorized, and the authenticator forwards an EAP Failure frame.
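The following is an added example and is not code from the Dell guide or from Dell Networking OS. It encodes and decodes EAPOL/EAP frames laid out as in Figure 7-1 (EtherType 0x888e, the 01:80:c2:00:00:03 group address, the EAPOL and EAP headers) and walks through steps 1 and 2 of the process above, the Request Identity and Response Identity exchange. The two MAC addresses and the user name are constructed sample values; the parser rejects a length field that claims more bytes than the frame carries, which is the check an authenticator must make before trusting the inner EAP header.

```python
# Added example (not from the Dell guide): encode/decode EAPOL and EAP frames per
# Figure 7-1 and run the Request/Response Identity exchange that starts
# port authentication. MAC addresses and the identity are constructed sample values.
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 01:80:c2:00:00:03, destination of EAPOL frames

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
               5: "One-Time-Password", 6: "Generic-Token-Card"}


def build_eap(code, ident, method=None, data=b""):
    """EAP packet: Code(1) ID(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = bytes([method]) + data if code in (1, 2) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(src_mac, eapol_type, payload=b"", version=1):
    """Ethernet header (dst, src, EtherType 0x888e) followed by EAPOL Version, Type, Length."""
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", version, eapol_type, len(payload)) + payload)


def parse_eapol(frame):
    """Decode an EAPOL frame; reject a wrong EtherType or a length that overruns the frame."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame: EtherType 0x%04x" % ethertype)
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL length %d exceeds %d bytes present" % (length, len(frame) - 18))
    out = {"src": frame[6:12].hex(":"), "version": version,
           "eapol_type": EAPOL_TYPES.get(etype, etype)}
    if etype == 0:  # EAP-Packet: decode the inner EAP header as well
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length %d inconsistent with EAPOL length %d" % (eap_len, length))
        out.update(code=EAP_CODES.get(code, code), id=ident)
        if code in (1, 2) and eap_len >= 5:
            out["method"] = EAP_METHODS.get(body[4], body[4])
            out["data"] = body[5:eap_len]
    return out


def identity_exchange(auth_port_mac, supplicant_mac, identity):
    """Steps 1-2: authenticator sends Request/Identity, supplicant answers Response/Identity."""
    request = build_eapol(auth_port_mac, 0, build_eap(1, 1, method=1))
    decoded_request = parse_eapol(request)
    # the reply reuses the request's EAP ID so the authenticator can match it to its request
    response = build_eapol(supplicant_mac, 0,
                           build_eap(2, decoded_request["id"], method=1, data=identity.encode()))
    return decoded_request, parse_eapol(response)


if __name__ == "__main__":
    req, resp = identity_exchange(bytes.fromhex("0001e9aabb01"),   # constructed port MAC
                                  bytes.fromhex("001122334455"),   # constructed supplicant MAC
                                  "user@example.com")
    print(req)
    print(resp)
```

The supplicant's Response/Identity carries the identity in clear text; every later EAP exchange on the port is matched to its request by the one-byte ID field shown here.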
Figure 7-2. 802.1X Authentication Process
Supplicant <-- EAP over LAN (EAPOL) --> Authenticator <-- EAP over RADIUS --> Authentication Server
  Supplicant <-- Request Identity -------- Authenticator
  Supplicant --- Response Identity ------> Authenticator --- Access Request -----------> Authentication Server
  Supplicant <-- EAP Request ------------- Authenticator <-- Access Challenge ---------- Authentication Server
  Supplicant --- EAP Response -----------> Authenticator --- Access Request -----------> Authentication Server
  Supplicant <-- EAP {Success | Failure} - Authenticator <-- Access {Accept | Reject} -- Authentication Server
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as
defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type,
Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 7-3. RADIUS Frame Format
RADIUS frame:
  Code (Range: 1-4) | Identifier | Length | Message-Authenticator | Attribute ...
  Codes: 1: Access-Request, 2: Access-Accept, 3: Access-Reject, 11: Access-Challenge
EAP-Message Attribute:
  Type (79) | Length | EAP-Method Data (Supplicant Requested Credentials)
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Table 7-1. 802.1X Supported RADIUS Attributes
Attribute  Name                     Description
1          User-Name                the name of the supplicant to be authenticated.
4          NAS-IP-Address
5          NAS-Port                 the physical port number by which the authenticator is connected to the supplicant.
24         State
30         Called-Station-Id
31         Calling-Station-Id       relays the supplicant MAC address to the authentication server.
61         NAS-Port-Type            NAS-port physical port type. 5 indicates Ethernet.
64         Tunnel-Type
65         Tunnel-Medium-Type
79         EAP-Message              encapsulates EAP packets.
80         Message-Authenticator    a calculated value included in Access-Requests to prevent spoofing.
81         Tunnel-Private-Group-ID  associates a tunneled session with a particular group of users.
Configuring 802.1X
Configuring 802.1X on a port is a two-step process:
1. Enable 802.1X globally.
2. Enable 802.1X on an interface.
Related Configuration Tasks
• Configuring Request Identity Re-transmissions
• Configure Port-control
• Re-Authenticating a Port
• Configuring Timeouts
• Configure a Guest VLAN
• Configure an Authentication-Fail VLAN
Important Points to Remember
• Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
• On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.
• On the C-Series and S-Series platforms:
  • Traffic may be forwarded on an 802.1X-enabled port that is in an unauthorized state and interoperates with a device through a MAC-authentication bypass (MAB) or the guest VLAN. 802.1X authentication on the port returns to normal operation only after a port flap or if you disable and then re-enable 802.1X authentication on the port.
  • If you enable multi-supplicant authorization on a port, configure a maximum number of supplicants that can be authenticated, and enable periodic re-authentication, and some of the supplicants fail re-authentication, these unauthorized supplicants are still counted in the total number of supplicants that can access the port.
  • Traffic may be transmitted on an 802.1X-enabled port before the port changes to an authorized state.
  • A MAB-authenticated port becomes unauthorized after an RPM failover.
Enabling 802.1X
802.1X must be enabled globally and at interface level.
Figure 7-4. Enabling 802.1X
[Figure: Supplicant -- 2/1 -- Authenticator -- 2/2 -- Authentication Server]
Force10(conf)#dot1x authentication
Force10(conf)#interface range gigabitethernet 2/1 - 2
Force10(conf-if-range-gi-2/1-2)#dot1x authentication
Force10(conf-if-range-gi-2/1-2)#show config
!
interface GigabitEthernet 2/1
 ip address 2.2.2.2/24
 dot1x authentication
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 1.0.0.1/24
 dot1x authentication
 no shutdown
To enable 802.1X:
Step 1: Enable 802.1X globally.
  Command Syntax: dot1x authentication
  Command Mode: CONFIGURATION
Step 2: Enter INTERFACE mode on an interface or a range of interfaces.
  Command Syntax: interface [range]
  Command Mode: INTERFACE
Step 3: Enable 802.1X on an interface or a range of interfaces.
  Command Syntax: dot1x authentication
  Command Mode: INTERFACE
Verify that 802.1X is enabled globally and at interface level using the command show running-config | find dot1x from EXEC Privilege mode, as shown in Figure 7-5.
Figure 7-5. Verify 802.1X Global Configuration
FTOS#show running-config | find dot1x
dot1x authentication                  <-- 802.1X Enabled (globally)
!
[output omitted]
!
interface GigabitEthernet 2/1
 ip address 2.2.2.2/24
 dot1x authentication                 <-- 802.1X Enabled on interface
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 1.0.0.1/24
 dot1x authentication                 <-- 802.1X Enabled on interface
 no shutdown
--More--
View 802.1X configuration information for an interface using the command show dot1x interface, as shown in Figure 7-6.
Figure 7-6. Verify 802.1X Interface Configuration
FTOS#show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:        Enable           <-- 802.1X Enabled on Interface
Port Control:        AUTO
Port Auth Status:    UNAUTHORIZED     <-- All ports unauthorized by default
Re-Authentication:   Disable
Untagged VLAN id:    None
Tx Period:           30 seconds
Quiet Period:        60 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         2
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize
Configuring Request Identity Re-transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator
waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before
re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Note: There are several reasons why the supplicant might fail to respond; the supplicant might have been
booting when the request arrived, there might be a physical layer problem, or the supplicant might not be
802.1x capable.
To configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame:
Step 1: Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
  Command Syntax: dot1x tx-period number
  Command Mode: INTERFACE
  Range: 1-31536000 (1 year)
  Default: 30
To configure a maximum number of Request Identity re-transmissions:
Step 1: Configure a maximum number of times that a Request Identity frame can be re-transmitted by the authenticator.
  Command Syntax: dot1x max-eap-req number
  Command Mode: INTERFACE
  Range: 1-10
  Default: 2
Figure 7-7 shows configuration information for a port for which the authenticator re-transmits an EAP
Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame
after 30 seconds by default, but this period can be configured.
Note: The quiet period (dot1x quiet-period) is the re-transmit interval that applies after a failed authentication, whereas the Request Identity re-transmit interval (dot1x tx-period) applies to an unresponsive supplicant.
To configure the quiet period after a failed authentication:
Step 1: Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.
  Command Syntax: dot1x quiet-period seconds
  Command Mode: INTERFACE
  Range: 1-65535
  Default: 60
Figure 7-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
• After 90 seconds, and a maximum of 10 times, for an unresponsive supplicant
• After a quiet period of 120 seconds following a failed authentication
Figure 7-7. Configure Request Identity Re-transmissions
FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90
FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10
FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120
FTOS#show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:        Enable
Port Control:        AUTO
Port Auth Status:    UNAUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    None
Tx Period:           90 seconds       <-- New Re-transmit Interval
Quiet Period:        120 seconds      <-- New Quiet Period
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         10               <-- New Maximum Re-transmissions
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize
Forcibly Authorize or Unauthorize a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized is an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized is an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Note: On the C-Series, traffic may continue to be transmitted after an 802.1x-enabled port is configured as force-unauthorized.
• Auto is an unauthorized state by default. A device connected to a port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the auto state by default.
To place a port in one of these three states:
Step 1: Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
  Command Syntax: dot1x port-control {force-authorized | force-unauthorized | auto}
  Command Mode: INTERFACE
  Default: auto
Figure 7-8 shows configuration information for a port that has been force-authorized.
Figure 7-8. Configure Port-control
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:        Enable
Port Control:        FORCE_AUTHORIZED   <-- New Port-control State
Port Auth Status:    UNAUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    None
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize
Re-Authenticating a Port
Periodic Re-Authentication
After the supplicant has been authenticated and the port has been authorized, the authenticator can be
configured to re-authenticate the supplicant periodically. If re-authentication is enabled, the supplicant is
required to re-authenticate every 3600 seconds, but this interval can be configured. A maximum number of
re-authentications can be configured as well.
To configure a re-authentication or a re-authentication period:
Step 1: Configure the authenticator to periodically re-authenticate the supplicant.
  Command Syntax: dot1x reauthentication [interval] seconds
  Command Mode: INTERFACE
  Range: 1-65535
  Default: 60
To configure a maximum number of re-authentications:
Step 1: Configure the maximum number of times that the supplicant can be reauthenticated.
  Command Syntax: dot1x reauth-max number
  Command Mode: INTERFACE
  Range: 1-10
  Default: 2
Figure 7-9. Configure a Reauthentication Period
FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200
FTOS(conf-if-gi-2/1)#dot1x reauth-max 10
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:        Enable
Port Control:        FORCE_AUTHORIZED
Port Auth Status:    UNAUTHORIZED
Re-Authentication:   Enable             <-- Re-authentication Enabled
Untagged VLAN id:    None
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          10                 <-- New Maximum Re-authentications
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    7200 seconds       <-- New Re-authentication Period
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the
authentication process after 30 seconds by default. The amount of time that the authenticator waits for a
response can be configured. The timeout for the supplicant applies to all EAP frames except for Request
Identity frames which are governed by the tx-period and max-eap-req configurations.
To terminate the authentication process due to an unresponsive supplicant:
Step 1: Terminate the authentication process due to an unresponsive supplicant.
  Command Syntax: dot1x supplicant-timeout seconds
  Command Mode: INTERFACE
  Range: 1-300. Default: 30
To terminate the authentication process due to an unresponsive authentication server:
Step 1: Terminate the authentication process due to an unresponsive authentication server.
  Command Syntax: dot1x server-timeout seconds
  Command Mode: INTERFACE
  Range: 1-300. Default: 30
Note: When you configure the dot1x server-timeout value, you must take into account the communication medium used to
communicate with an authentication server and the number of RADIUS servers configured. Ideally, the dot1x
server-timeout value (in seconds) is based on the configured RADIUS-server timeout and retransmit values and calculated
according to the following formula:
dot1x server-timeout seconds > (radius-server retransmit seconds + 1) * radius-server timeout seconds
Where the default values are as follows: dot1x server-timeout (30 seconds), radius-server retransmit
(3 seconds), and radius-server timeout (5 seconds).
For example:
FTOS(conf)#radius-server host 10.11.197.105 timeout 6
FTOS(conf)#radius-server host 10.11.197.105 retransmit 4
FTOS(conf)#interface gigabitethernet 2/23
FTOS(conf-if-gi-2/23)#dot1x server-timeout 40
Figure 7-10 shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
Figure 7-10. Configure a Timeout
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:            Enable
Port Control:            FORCE_AUTHORIZED
Port Auth Status:        UNAUTHORIZED
Re-Authentication:       Disable
Untagged VLAN id:        None
Guest VLAN:              Disable
Guest VLAN id:           NONE
Auth-Fail VLAN:          Disable
Auth-Fail VLAN id:       NONE
Auth-Fail Max-Attempts:  NONE
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds     <-- New Supplicant Timeout
Server Timeout:          15 seconds     <-- New Server Timeout
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Auth Type:               SINGLE_HOST
Auth PAE State:          Initialize
Backend State:           Initialize
Dynamic VLAN Assignment with Port Authentication
Dynamic VLAN Assignment with Port Authentication is supported on platforms: C-Series, S-Series, E-Series TeraScale
Dell Networking OS supports dynamic VLAN assignment when using 802.1X. During 802.1x authentication, the existing VLAN configuration of a port assigned to a non-default VLAN is overwritten and the port is assigned to a specified VLAN.
• If 802.1x authentication is disabled on the port, the port is re-assigned to the previously-configured VLAN.
• If 802.1x authentication fails and if the authentication-fail VLAN is enabled for the port (see Configure an Authentication-Fail VLAN), the port is assigned to the authentication-fail VLAN.
The dynamic VLAN assignment is based on RADIUS attribute 81, Tunnel-Private-Group-ID, and uses the
following standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port
number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the
VLAN assignment using Tunnel-Private-Group-ID.
The dynamic VLAN assignment from the RADIUS server always overrides the configuration on the
switch for the given port. This applies to ports already configured with a non-default VLAN.
Note: For the C-Series, S-Series, and E-Series TeraScale platforms, the dynamic VLAN assignment fails
if a port is assigned to a non-default VLAN and if the non-default VLAN assignment was configured on an
Dell Networking OS version earlier than 8.4.2.3.
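The following is an added example, not code from the Dell guide or from Dell Networking OS, covering both the RADIUS side of the exchange (Figure 7-3 and the attributes of Table 7-1) and the dynamic VLAN assignment just described. It builds the 802.1X-triggered Access-Request an authenticator sends, computes attribute 80 (Message-Authenticator) as HMAC-MD5 over the packet per RFC 3579 so a server can verify it, and then extracts the VLAN from an Access-Accept by checking attributes 64, 65 and 81 together: the assignment is honoured only when Tunnel-Type is VLAN (13), Tunnel-Medium-Type is IEEE 802 (6), the RFC 2868 tags agree, and the VLAN is a valid, non-default ID (the guide notes that ports cannot be dynamically assigned to the default VLAN). The shared secret, addresses, identity and the sample Access-Accept are constructed; validation of the Response Authenticator on the Accept is not shown.

```python
# Added example (not from the Dell guide): RADIUS Access-Request with Table 7-1
# attributes and an RFC 3579 Message-Authenticator, plus VLAN extraction from an
# Access-Accept (attributes 64/65/81). All values below are constructed samples.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE = 64, 65, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 2868 / RFC 3580 values


def attr(atype, value):
    """RADIUS attribute in Type-Length-Value form; Length counts its two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def radius_packet(code, ident, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def parse_attributes(pkt):
    """Return [(type, value), ...]; a length that overruns the packet is an error, not ignored."""
    out, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("attribute header truncated")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_request(secret, ident, user, nas_ip, nas_port, supplicant_mac, eap_response):
    """Access-Request carrying the EAP Response; Message-Authenticator is HMAC-MD5 over the
    whole packet with its own 16-byte value zeroed (RFC 3579 section 3.2)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(CALLING_STATION_ID, supplicant_mac.encode())
             + attr(EAP_MESSAGE, eap_response)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, filled in below
    pkt = radius_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)  # random Request Authenticator
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # attribute 80 is last, so its value is the packet tail


def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute with attribute 80 zeroed; absent or mismatched means discard."""
    pos = 20
    for atype, value in parse_attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def split_tunnel_tag(value):
    """RFC 2868 tagging: the first octet is a Tag only when it is in the range 0x00-0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(pkt, default_vlan=1):
    """VLAN assigned by an Access-Accept, or None when the tunnel attributes are missing,
    describe something other than an IEEE 802 VLAN, or name an invalid or default VLAN."""
    if pkt[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: value}
    for atype, value in parse_attributes(pkt):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, v = split_tunnel_tag(value)
            groups.setdefault(tag, {})[atype] = v
    for a in groups.values():
        if {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} <= set(a):
            if (int.from_bytes(a[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                    or int.from_bytes(a[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802):
                continue
            try:
                vid = int(a[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
            except ValueError:
                continue
            if 1 <= vid <= 4094 and vid != default_vlan:
                return vid
    return None


def sample_access_accept(ident, vlan_text=b"400", tunnel_type=TUNNEL_TYPE_VLAN):
    """Constructed Access-Accept such as a server returns for dynamic VLAN assignment."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + tunnel_type.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, vlan_text))
    return radius_packet(ACCESS_ACCEPT, ident, bytes(16), attrs)
```

The Message-Authenticator is what stops a forged Access-Request from being accepted on the strength of the shared secret alone; an Access-Accept whose Tunnel-Private-Group-ID does not parse as a VLAN number, or which arrives without the matching Tunnel-Type and Tunnel-Medium-Type, is treated as no assignment rather than as an error.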
To configure dynamic VLAN assignment with 802.1x port authentication:
Step 1: Configure 802.1x globally and at interface level (see Enabling 802.1X) along with relevant RADIUS server configurations.
Step 2: Make the interface a switchport so that it can be assigned to a VLAN.
Step 3: Create the VLAN to which the interface will be assigned.
Step 4: Connect the supplicant to the port configured for 802.1X.
Step 5: Verify that the port has been authorized and placed in the desired VLAN by entering the show dot1x interface and show vlan commands (red text in Figure 7-11).
Figure 7-11 shows the configuration on a Dell Networking switch that uses dynamic VLAN assignment
with 802.1X before you connect the end-user device (black and blue text), and after you connect the device
(red text).
The blue text corresponds to the numbered steps on page 119. Note that the GigabitEthernet 1/11 port, on
which dynamic VLAN assignment with 802.1X is configured, is initially an untagged member of VLAN
300. After a successful 802.1x authentication with dynamic VLAN configuration, the port becomes an
untagged member of VLAN 400 (assigned by the RADIUS server during authentication).
Figure 7-11. Dynamic VLAN Assignment with 802.1X
[Figure: End-user Device -- 1/11 -- Force10 switch -- RADIUS Server]
Force10(conf-if-gi-1/11)#show config
interface GigabitEthernet 1/11
 no ip address
 switchport                        <-- step 2
 dot1x authentication              <-- step 1
 no shutdown

Force10(conf-if-vl-300)#show config
interface Vlan 300
 no ip address
 untagged GigabitEthernet 1/11
 shutdown

Force10(conf-if-vl-400)#show config
interface Vlan 400                 <-- step 3
 no ip address
 shutdown

radius-server host 10.11.197.169 auth-port 1645 key 7 387a7f2df5969da4   <-- step 1

Force10#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status    Description    Q Ports
*   1      Inactive
    300    Inactive                 U Gi 1/11
    400    Inactive

***After authentication***        <-- step 4
Force10#show dot1x interface gigabitethernet 1/11
802.1x information on Gi 1/11:
-----------------------------
Dot1x Status:        Enable
Port Control:        AUTO
Port Auth Status:    AUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    400
Tx Period:           30 seconds
Quiet Period:        60 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         2
Auth Type:           SINGLE_HOST
Auth PAE State:      Authenticated
Backend State:       Idle

***After authentication***
Force10#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status    Description    Q Ports
*   1      Inactive
    300    Inactive
    400    Active                   x Gi 1/11

***After disconnecting the end-user device, the GigabitEthernet 1/11 port is re-assigned to VLAN 300.
Note: In the show vlan command output, if the statically-configured VLAN and the 802.1X dynamically-assigned VLAN are the same, the 802.1x-authorized port is displayed with U for Untagged. If the two VLANs are not the same, the 802.1x-authorized port is displayed with x for Dot1X untagged.
Guest and Authentication-Fail VLANs
Typically, the authenticator (Dell Networking system) denies the supplicant access to the network until the
supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places
it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates
in the authentication data.
Note: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb terminals such as network printers do not have 802.1X capability and therefore cannot authenticate themselves. To connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices, and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, then the port is moved out of the Guest VLAN, and the authentication process begins.
Configure a Guest VLAN
If the supplicant does not respond to a Request Identity frame within a determined amount of time
([reauth-max + 1] * tx-period, see Configuring Request Identity Re-transmissions) the system assumes that
the host does not have 802.1X capability, and the port is placed in the Guest VLAN.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the command dot1x guest-vlan from INTERFACE mode, as shown in Figure 7-12.
Figure 7-12.
Configure a Guest VLAN
FTOS(conf-if-gi-1/2)#dot1x guest-vlan 200
FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-gi-1/2)#
View your configuration using the command show config from INTERFACE mode, as shown in
Figure 7-12, or using the command show dot1x interface command from EXEC Privilege mode as shown
in Figure 7-14.
Configure an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of
time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication). You can
configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by
default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the command dot1x auth-fail-vlan from INTERFACE mode, as shown in Figure 7-13. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Figure 7-13.
Configure an Authentication-fail VLAN
FTOS(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5
FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
Figure 7-14. View Guest and Authentication-fail VLAN Configurations
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:            Enable
Port Control:            FORCE_AUTHORIZED
Port Auth Status:        UNAUTHORIZED
Re-Authentication:       Disable
Untagged VLAN id:        None
Guest VLAN:              Enable
Guest VLAN id:           200
Auth-Fail VLAN:          Enable
Auth-Fail VLAN id:       100
Auth-Fail Max-Attempts:  5
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds
Server Timeout:          15 seconds
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Auth Type:               SINGLE_HOST
Auth PAE State:          Initialize
Backend State:           Initialize
Multi-Host Authentication
Multi-Host Authentication is available on platforms: C-Series, E-Series TeraScale, S-Series
802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 7-15;
this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to
the same port, a many-to-one configuration, only the first end-user to respond to the identity request is
authenticated. Subsequent responses are ignored, and a system log is generated to indicate reception of
unexpected 802.1x frames. When a port is authorized, the authenticated supplicant MAC address is
associated with the port, and traffic from any other source MACs is dropped.
Figure 7-15. Single-host Authentication Mode
[Figure: End-user Device <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server]
When multiple end-users are connected to a single authenticator port, Single-host mode authentication
does not authenticate all end-users, and all but one are denied access to the network. For these cases
(Figure 7-16), Dell Networking OS offers Multi-host mode authentication.
Figure 7-16. Multi-host Authentication Mode
[Figure: End-user Devices (several, on one port) <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server]
When Multi-host mode authentication is configured, the first client to respond to an identity request is
authenticated, and subsequent responses are still ignored, but since the authenticator expects the possibility
of multiple responses, no system log is generated. After the first supplicant is authenticated, all end-users
attached to the authorized port are allowed to access the network.
If the authorized port becomes unauthorized due to re-authentication failure or the supplicant sends an
EAPOL logoff frame, all attached end-users are denied access to the network.
When the host mode is changed on a port that is already authenticated:
• Single-host to Multi-host: all devices attached to the port that were previously blocked may access the network; the supplicant does not re-authenticate.
• Multi-host to Single-host: the port restarts the authentication process, and the first end-user to respond is authenticated and allowed access.
Task: Configure Multi-host Authentication mode on a port. Enter no dot1x host-mode to return to Single-host mode.
  Command Syntax: dot1x host-mode multi-host
  Command Mode: INTERFACE
  Default: Single-host mode
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:            Enable
Port Control:            FORCE_AUTHORIZED
Port Auth Status:        UNAUTHORIZED
Re-Authentication:       Disable
Untagged VLAN id:        None
Guest VLAN:              Enable
Guest VLAN id:           200
Auth-Fail VLAN:          Enable
Auth-Fail VLAN id:       100
Auth-Fail Max-Attempts:  5
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds
Server Timeout:          15 seconds
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Host Mode:               MULTI_HOST
Auth PAE State:          Initialize
Backend State:           Initialize
Task: Configure Single-host Authentication mode on a port.
  Command Syntax: dot1x host-mode single-host
  Command Mode: INTERFACE
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:            Enable
Port Control:            FORCE_AUTHORIZED
Port Auth Status:        UNAUTHORIZED
Re-Authentication:       Disable
Untagged VLAN id:        None
Guest VLAN:              Enable
Guest VLAN id:           200
Auth-Fail VLAN:          Enable
Auth-Fail VLAN id:       100
Auth-Fail Max-Attempts:  5
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds
Server Timeout:          15 seconds
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Host Mode:               SINGLE_HOST
Auth PAE State:          Initialize
Backend State:           Initialize
Multi-Supplicant Authentication
Multi-Supplicant Authentication is available on platforms: C-Series, S-Series
The 802.1X Multi-supplicant Authentication enables multiple devices on a single authenticator port to
access the network by authenticating each device. In addition, Multi-supplicant Authentication uses
dynamic MAC-based VLAN assignment to place devices on different VLANs. This feature is different
from Multi-host Authentication in which multiple devices connected to a single authenticator port can
access the network after only the one device is authenticated, and all hosts are placed in the same VLAN as
the authenticated device.
Multi-supplicant authentication is needed, for example, in the case of a workstation at which a VOIP phone and a PC are connected to a single authenticator port. Multi-host authentication could authenticate the first device to respond, and then both devices could access the network. However, if you wanted to place them in different VLANs (a VOIP VLAN and a data VLAN), you would need to authenticate the devices separately so that the RADIUS server can send each device's VLAN assignment during that device's authentication process.
802.1X | 125
www.dell.com | support.dell.com
During the authentication process, the Dell Networking system learns the MAC address of the device from its EAPoL frames and the VLAN assignment from the RADIUS server. With this information it builds an authorized-MAC to VLAN mapping table per port, and then tags all incoming untagged frames with the VLAN ID that the table gives for the source MAC.

Task                                                     Command Syntax               Command Mode
Enable Multi-Supplicant Authentication mode on a port.   dot1x host-mode multi-auth   INTERFACE
Default: Single-host mode
FTOS#show dot1x interface gigabitethernet 1/3 details
802.1x information on Gi 1/3:
----------------------------
Dot1x Status:              Enable
Port Control:              AUTO
Port Auth Status:          MULTI-AUTH
Re-Authentication:         Disable
Untagged VLAN id:          None
Guest VLAN:                Disable
Guest VLAN id:             NONE
Auth-Fail VLAN:            Disable
Auth-Fail VLAN id:         NONE
Auth-Fail Max-Attempts:    NONE
Tx Period:                 30 seconds
Quiet Period:              60 seconds
ReAuth Max:                2
Supplicant Timeout:        30 seconds
Server Timeout:            30 seconds
Re-Auth Interval:          3600 seconds
Max-EAP-Req:               2
Host Mode:                 MULTI-AUTH
Auth PAE State:            Initialize
Backend State:             Initialize
Supplicants on Gi 1/3:
---------------------
00:01:e9:45:00:03    AUTHENTICATED
00:01:e9:55:00:10    AUTHENTICATING
00:01:e9:B5:00:03    UNAUTHENTICATED

Task                                                                                           Command Syntax                 Command Mode
Restrict the number of supplicants that can be authenticated on the port in multi-auth mode.   dot1x max-supplicants number   INTERFACE
Default: 128
Note: On the C-Series, during multi-supplicant authentication, devices that fail authentication may still be counted toward the maximum number of supplicants that 802.1X allows on the port, which can prevent the full number of supplicants from being authenticated.
MAC Authentication Bypass
MAC Authentication Bypass is supported on platforms: C-Series, S-Series
MAC Authentication Bypass (MAB) provides MAC-based admission control: only MAC addresses known to a RADIUS server are allowed onto the network.
802.1X-capable clients authenticate themselves using the 802.1X protocol. Devices that do not speak 802.1X, such as IP phones, printers, and IP fax machines, still need connectivity to the network. The guest VLAN is one way to give it to them, but placing trusted devices on a quarantine VLAN is not good practice. MAB instead authenticates devices that have known static MAC addresses by their MAC address, and places them in a VLAN different from the one in which unknown devices are placed. Because a MAC address is visible on the wire and easily changed by the sender, MAB identifies a device rather than proving its identity; size the privileges of a MAB VLAN accordingly.
For an 802.1X-incapable device, 802.1X times out when the device does not respond to the Request Identity frame. If MAB is enabled, the port is then put into the learning state and waits indefinitely until the device sends a packet. Once its MAC is learned, the MAC is sent to the RADIUS server for authentication, as both the username and the password, in hexadecimal format without any colons. If the server authenticates it successfully, the port is dynamically assigned to a MAB VLAN using RADIUS attribute 81, or is assigned to the untagged VLAN of the port. Afterwards, packets from any other MAC address are dropped. If authentication fails, the authenticator waits the quiet period and then restarts the authentication process.
MAC authentication bypass works in conjunction and in competition with the guest VLAN and the authentication-fail VLAN. When both features are enabled:
1. If authentication fails, the port is placed into the authentication-fail VLAN.
2. If the host does not respond to the Request Identity frame, the port transitions to the MAB initiation state.
3. If MAB times out or MAC authentication fails, the port is placed into the guest VLAN.
If both MAB and re-authentication are enabled, 802.1X authentication is tried first when the re-auth interval expires, regardless of whether the previous authentication was through MAB or 802.1X. If 802.1X times out, MAB authentication is tried. The port remains authorized throughout the re-authentication process. Once a port has been enabled or disabled through 802.1X authentication, changes to the MAB configuration do not take effect until the MAC is asked to re-authenticate or the port status is toggled.
Note: On the C-Series and S-Series, a MAB-authenticated port becomes unauthorized after an RPM
failover.
MAB in Single-host and Multi-Host Mode
In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If
802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is
enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for
single-host mode, traffic from all other MACs is dropped; for multi-host mode, all traffic from all other
MACs is accepted.
After a port is authenticated by MAB, if the switch detects an 802.1X EAPoL start message from the
authenticated MAC, the switch re-authenticates using 802.1X first, while keeping the port authorized.
Note: On the C-Series and S-Series, if the switch is in multi-host mode, a MAC address that was
MAB-authenticated but later was disabled from MAB authentication, is not denied access but moved to
the guest VLAN. If the switch is in single-host mode, the MAC address is disallowed access.
MAB in Multi-Supplicant Authentication Mode
Multi-supplicant authentication (multi-auth) mode is like the other modes in that the switch first attempts
to authenticate the supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to
the Request Identity frame and MAB authentication is enabled, the switch attempts to authenticate every
MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants 802.1X can
authenticate on a single port in multi-authentication mode.
If any supplicant that has been authenticated using MAB starts to speak EAPoL, the switch
re-authenticates that supplicant using 802.1X first, while keeping the MAC authorized through the
re-authentication process.
Step   Task                                                                 Command Syntax               Command Mode
1      Configure the following attributes on the RADIUS server:
       • Attribute 1 (User-Name): the supplicant MAC address in hex format without any colons. For example, enter 10:34:AA:33:44:F8 as 1034AA3344F8.
       • Attribute 2 (User-Password): the same MAC address string; on the wire it is hidden with the MD5-based User-Password scheme that RADIUS uses for every password.
       • Attribute 4 (NAS-IP-Address): IPv4 address of the switch that is used to communicate with the RADIUS server.
       • Attribute 5 (NAS-Port): the port number of the interface being authorized, entered as an integer.
       • Attribute 30 (Called-Station-Id): MAC address of the ingress interface of the authenticator.
       • Attribute 31 (Calling-Station-Id): MAC address of the 802.1X supplicant.
       • Attribute 87 (NAS-Port-Id): the name of the interface being authorized, entered as a string.
       Note: Only attributes 1 and 2 are used for MAB; attributes 30 and 31 are not mandatory in the MAB method.
2      Enable MAB.                                                          dot1x mac-auth-bypass        INTERFACE
3      (Optional) Use MAB authentication only; do not attempt 802.1X        dot1x auth-type mab-only     INTERFACE
       authentication first. If MAB fails or the MAC address is blocked,
       the port is placed in the guest VLAN (if configured). 802.1X
       authentication is not attempted at all. Re-authentication is
       performed using the 802.1X timers.
4      Display the 802.1X and MAB configuration.                            show dot1x interface         EXEC Privilege
FTOS#show dot1x int Gi 2/32
802.1X information on Gi 2/32:
----------------------------
Dot1x Status:              Enable
Port Control:              AUTO
Port Auth Status:          UNAUTHORIZED
Re-Authentication:         Disable
Untagged VLAN id:          None
Guest VLAN:                Enable
Guest VLAN id:             10
Auth-Fail VLAN:            Enable
Auth-Fail VLAN id:         11
Auth-Fail Max-Attempts:    3
Mac-Auth-Bypass:           Enable
Tx Period:                 30 seconds
Quiet Period:              60 seconds
ReAuth Max:                2
Supplicant Timeout:        30 seconds
Server Timeout:            30 seconds
Re-Auth Interval:          3600 seconds
Max-EAP-Req:               2
Auth Type:                 SINGLE_HOST
Auth PAE State:            Initialize
Backend State:             Initialize
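As an added worked example (not from this guide or from Dell), the Python below builds the RADIUS Access-Request an authenticator sends for a MAC it learned on a MAB-enabled port, using the attribute numbers from the step table above, and then parses it the way the server does. It makes the "MAC as both username and password" point concrete: the User-Password attribute hides the MAC with the RFC 2865 MD5 scheme, but what the server recovers is just the MAC again, so any host that presents that MAC passes MAB. The shared secret, NAS address, port number, interface name and MAC addresses are constructed values.

```python
"""MAB credential on the wire: the Access-Request for a learned MAC and what the server recovers.

Added example, not Dell code. Secret, NAS address, port and MACs below are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types from the step table (RFC 2865 / RFC 2869 numbering)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_ID = 30, 31, 87


def mab_username(mac: str) -> str:
    """MAB User-Name form of a MAC: 12 hex digits, upper case, no separators (10:34:AA:33:44:F8 -> 1034AA3344F8)."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(digits) != 12 or set(digits) - set("0123456789ABCDEF"):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_user_password and strip the zero padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, total length, value (value is at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_mab_access_request(mac: str, secret: bytes, nas_ip: str, nas_port: int,
                             port_name: str, port_mac: str, ident: int = 1) -> bytes:
    """Access-Request for a MAC learned on a MAB port: attributes 1 and 2 both carry the MAC."""
    authenticator = os.urandom(16)          # Request Authenticator, fresh for every request
    user = mab_username(mac).encode()
    attrs = b"".join([
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_user_password(user, secret, authenticator)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(CALLED_STATION_ID, port_mac.encode()),     # optional for MAB
        attr(CALLING_STATION_ID, mac.encode()),         # optional for MAB
        attr(NAS_PORT_ID, port_name.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Server side: walk the TLVs after the 20-octet header into {type: value}."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def credential_seen_by_server(packet: bytes, secret: bytes) -> tuple:
    """(User-Name, recovered User-Password): for MAB both are the bare MAC, so the MAC is the secret."""
    attrs = parse_attributes(packet)
    password = reveal_user_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return attrs[USER_NAME].decode(), password.decode()


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"   # constructed, not from the guide
    pkt = build_mab_access_request("10:34:AA:33:44:F8", SECRET, "192.0.2.10", 2032,
                                   "GigabitEthernet 2/32", "00:01:e8:8b:10:20")
    print(credential_seen_by_server(pkt, SECRET))   # ('1034AA3344F8', '1034AA3344F8')
```

The RADIUS secret only protects the password from a third party on the path between switch and server; it does not make the credential itself secret, because the credential is the source MAC that every station on the segment can observe. Keep MAB-admitted devices on a VLAN with the minimum access they need, and use 802.1X wherever the device supports it.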
Dynamic CoS with 802.1X
Dynamic CoS with 802.1X is supported on platforms: C-Series, S-Series
Class of Service (CoS) is a method of traffic management that groups similar types of traffic so that they
are serviced differently. One way of classifying traffic is 802.1p, which uses the 3-bit Priority field in the
VLAN tag to mark frames (other classification methods include ToS, ACL, and DSCP). Once traffic is
classified, you can use Quality of Service (QoS) traffic management to control the level of service for a
class in terms of bandwidth and delivery time.
For incoming traffic, Dell Networking OS allows you to set a static priority value on a per-port basis or
dynamically set a priority on a per-port basis by leveraging 802.1X.
Note: When a port has both a static dot1p priority configured on the switch and a priority assigned dynamically through Dynamic CoS with 802.1X, the dynamic configuration takes precedence.
One use for Dynamic CoS with 802.1X is when the traffic from a server should be classified based on the
application that it is running. Static dot1p priority configuration done from the switch is not sufficient in
this case, as the server application might change. You would instead need to push the CoS configuration to
the switches based on the application the server is running.
Dynamic CoS uses RADIUS attribute 59, called User-Priority-Table, to specify the priority value for
incoming frames. Attribute 59 has an 8-octet field that maps the incoming dot1p values to new values; it is
essentially a dot1p re-mapping table. The position of each octet corresponds to a priority value: the first
octet maps to incoming priority 0, the second octet maps to incoming priority 1, etc. The value in each
octet represents the corresponding new priority.
To use the Dynamic CoS with 802.1X authentication, no configuration command is required. You must
only configure the supplicant records on the RADIUS server, including VLAN assignment and CoS
priority re-mapping table. VLAN and priority values are automatically applied to incoming packets. The
RADIUS server finds the appropriate record based on the supplicant’s credentials and sends the priority
re-mapping table to the Dell Networking system by including Attribute 59 in the AUTH-ACCEPT packet.
Dell Networking OS Behavior: The following conditions apply to the use of dynamic CoS with 802.1X authentication on C-Series and S-Series platforms:
• In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6. If the RADIUS server returns any other dot1p value (1, 3, 5, or 7), the value is not used and frames are forwarded on egress queue 0 without changing the incoming dot1p value. The following example shows how dynamic CoS remaps (or does not remap) the dot1p priority in 802.1X-authenticated traffic and how the frames are forwarded:

  Incoming Frame    RADIUS-based       Outgoing Frame    Egress
  Tagged dot1p      CoS Remap Table    Tagged dot1p      Queue
  --------------    ---------------    --------------    ------
  0                 7                  0                 0
  1                 5                  1                 0
  2                 4                  4                 2
  3                 6                  6                 3
  4                 3                  4                 0
  5                 1                  5                 0
  6                 2                  2                 0
  7                 4                  4                 2
• The priority of untagged packets is assigned according to the remapped value of priority 0 traffic in the RADIUS-based table. For example, with the following remapping table, untagged packets are tagged with priority 2:

  FTOS#show dot1x cos-mapping interface Gigabitethernet 2/32
  802.1Xp CoS remap table on Gi 2/32:
  ----------------------------
  Dot1p    Remapped Dot1p
  0        2
  1        6
  2        5
  3        4
  4        3
  5        2
  6        1
  7        0

• After being re-tagged by dynamic CoS for 802.1X, packets are forwarded in the switch according to their new CoS priority.
• When a supplicant logs off from an 802.1X authentication session, the dynamic CoS table is deleted or reset.
• When an 802.1X session is re-authenticated, the previously assigned CoS table is retained through the re-authentication process. If the re-authentication fails, the CoS table is deleted. If the re-authentication succeeds and the authentication server does not include a CoS table in the AUTH-ACCEPT packet, the previously assigned CoS table is deleted. If the re-authentication succeeds and the server sends a CoS table, the old CoS table is overwritten with the new one.
• If multi-supplicant authentication mode is enabled on a port, you can configure a CoS mapping table for specified MAC addresses on the RADIUS server. Dell Networking OS then maintains a per-MAC CoS table for each port and marks the priority of all traffic originating from a configured MAC address with the corresponding table value.
To display the CoS priority-mapping table provided by the RADIUS server and applied to authenticated supplicants on an 802.1X-enabled port, enter the show dot1x cos-mapping interface command.
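As an added worked example (not from this guide or from Dell), the Python below reads an attribute 59 value and applies it under the rules listed above: only remapped values 0, 2, 4 and 6 are honoured and any other value leaves the frame's dot1p unchanged, untagged frames take the entry for priority 0, tables are kept per MAC as in multi-supplicant mode, and a table survives only as long as the session that delivered it. Fed the guide's own remap table (7 5 4 6 3 1 2 4) it reproduces the Outgoing Frame column of the table above. The egress queue column is not modelled. Behaviour for a port with no table installed, and for untagged frames whose priority 0 entry is not one the platform honours, is not stated in the guide and is an assumption here.

```python
"""Dynamic CoS with 802.1X: reading and applying the attribute 59 (User-Priority-Table) remap table.

Added example, not Dell code. Implements the C-Series/S-Series rules stated in the guide;
egress queue selection is not modelled.
"""
from typing import Dict, List, Optional

USER_PRIORITY_TABLE = 59         # RADIUS attribute carrying the 8-octet dot1p remap table
ACCEPTED_REMAPS = {0, 2, 4, 6}   # the only remapped dot1p values the platform applies


def parse_user_priority_table(value: bytes) -> List[int]:
    """Attribute 59 value -> list where index i is the new dot1p for incoming priority i."""
    if len(value) != 8:
        raise ValueError("User-Priority-Table carries exactly 8 octets")
    table = list(value)
    if any(p > 7 for p in table):
        raise ValueError("dot1p priorities are 0..7")
    return table


def remap_dot1p(table: List[int], incoming: int) -> int:
    """Remapped value if the platform honours it; otherwise the frame keeps its incoming dot1p."""
    new = table[incoming]
    return new if new in ACCEPTED_REMAPS else incoming


def egress_dot1p(table: Optional[List[int]], incoming: Optional[int]) -> int:
    """dot1p a frame leaves with. incoming=None is an untagged frame, which uses the table
    entry for priority 0. Assumption (not stated in the guide): with no table installed,
    tagged frames pass unchanged and untagged frames get priority 0; an entry for
    priority 0 that the platform does not honour also leaves untagged frames at 0."""
    if table is None:
        return 0 if incoming is None else incoming
    return remap_dot1p(table, 0 if incoming is None else incoming)


class PortCosState:
    """Per-port CoS tables keyed by supplicant MAC (a single entry per port outside multi-auth mode)."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[int]] = {}

    def on_access_accept(self, mac: str, attrs: Dict[int, bytes]) -> None:
        """Initial authentication or successful re-authentication: install the table that
        was sent, or delete the previously assigned one if the server sent none."""
        if USER_PRIORITY_TABLE in attrs:
            self.tables[mac] = parse_user_priority_table(attrs[USER_PRIORITY_TABLE])
        else:
            self.tables.pop(mac, None)

    def on_reauth_failure(self, mac: str) -> None:
        """A failed re-authentication deletes the table."""
        self.tables.pop(mac, None)

    def on_logoff(self, mac: str) -> None:
        """EAPoL-Logoff deletes the table."""
        self.tables.pop(mac, None)

    def classify(self, mac: str, incoming: Optional[int]) -> int:
        """Priority for a frame from this MAC (None = untagged)."""
        return egress_dot1p(self.tables.get(mac), incoming)


# The guide's worked remap table, constructed as the 8 octets of an attribute 59 value
GUIDE_REMAP = bytes([7, 5, 4, 6, 3, 1, 2, 4])

if __name__ == "__main__":
    table = parse_user_priority_table(GUIDE_REMAP)
    print([remap_dot1p(table, p) for p in range(8)])   # [0, 1, 4, 6, 4, 5, 2, 4], as in the guide's table
```

When auditing a RADIUS policy for these platforms, check that every octet in the table is 0, 2, 4 or 6; any other value is silently ignored per priority rather than rejected, so a mistyped table can leave some classes of traffic unprioritised without any error on the server or the switch.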
8  IP Access Control Lists (ACL), Prefix Lists, and Route-maps
IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: C-Series, E-Series, S-Series
Ingress IP ACLs are supported on platforms: C-Series, E-Series, S-Series
Egress IP ACLs are supported on platform: E-Series
Overview
At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based
on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists and
Route-maps. For MAC ACLS, refer to the Access Control Lists (ACLs) chapter in the Dell Networking OS
Command Line Reference Guide.
An ACL is essentially a filter containing criteria to match (examining IP, TCP, or UDP packets) and an action to take (permit or deny). ACLs are processed in sequence: if a packet does not match the criterion in the first filter, the second filter (if configured) is applied, and so on. When a packet matches a filter, the switch drops or forwards the packet based on the filter's specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your CAM size. See CAM Profiling, CAM
Allocation, and CAM Optimization in this chapter for more information. Refer to Chapter 11, Content
Addressable Memory for complete CAM profiling information.
This chapter covers the following topics:
• IP Access Control Lists (ACLs)
  • CAM Profiling, CAM Allocation, and CAM Optimization
  • Implement ACLs on Dell Networking OS
• IP Fragment Handling
• Configure a standard IP ACL
• Configure an extended IP ACL
• Configure Layer 2 and Layer 3 ACLs on an Interface
• Assign an IP ACL to an Interface
• Configure Ingress ACLs
• Configure Egress ACLs
• Configure ACLs to Loopback
  • Applying an ACL on Loopback Interfaces
• IP Prefix Lists
• ACL Resequencing
• Route Maps
IP Access Control Lists (ACLs)
In Dell Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address only. An extended ACL filters traffic based on the following criteria (for more information on supported ACL options, see the Dell Networking OS Command Reference):
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For extended ACL TCP and UDP filters, you can match on specific TCP or UDP ports or on port ranges. For extended ACL TCP filters, you can also match on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning
sequence numbers to the filters as you enter them, or Dell Networking OS will assign numbers in the order
the filters are created. The sequence numbers, whether configured or assigned by Dell Networking OS, are
listed in the show config and show ip accounting access-list command display output.
Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already
written into CAM) without disrupting traffic flow. Existing entries in CAM are shuffled to accommodate
the new entries. Hot Lock ACLs are enabled by default and support both standard and extended ACLs on
all platforms.
Note: Hot Lock ACLs are supported on Ingress ACLs only.
CAM Profiling, CAM Allocation, and CAM Optimization
CAM Profiling is supported on platform: E-Series
User Configurable CAM Allocation is supported on platform: C-Series
CAM optimization is supported on platforms: C-Series, S-Series
CAM Profiling
CAM Profiling is supported on platform: E-Series TeraScale
CAM profiling for ACLs is supported on E-Series TeraScale only. For complete information regarding
E-Series TeraScale CAM profiles and configuration, refer to Chapter 11, Content Addressable Memory.
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2
ingress ACLs, select the profile l2-ipv4-inacl.
When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS
rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP
rules with port range options might require more than one CAM entry.
The Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 8-1 lists the
sub-partition and the percentage of the Layer 2 ACL CAM partition that Dell Networking OS allocates to
each by default.
Table 8-1. Layer 2 ACL CAM Sub-partition Sizes
Partition    % Allocated
Sysflow      6
L2ACL        14
*PVST        50
QoS          12
L2PT         13
FRRP         5
You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the
IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or
CONFIGURATION mode.
The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that
the selected CAM profile allocates to the Layer 2 ACL partition. Dell Networking OS requires that you
specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. Dell
Networking OS displays the following message if the total allocated space is not correct:
% Error: Sum of all regions does not total to 100%.
User Configurable CAM Allocation
User Configurable CAM Allocation is supported on platform: C-Series
Allocate space for IPV6 ACLs on the C-Series by using the cam-acl command in CONFIGURATION
mode.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks in all, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM allocation settings on a C-Series are:
• L3 ACL (ipv4acl): 4
• L2 ACL (l2acl): 6
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 2
• L2 QoS (l2qos): 1
The l2acl value must be at least 1, because l2acl must always have profile space allocated. The ipv6acl value cannot be 1; ipv6acl must have CAM space allocated in multiples of 4. One of the modules must have a CAM-space value of 1. All other profile allocations can use either even or odd numbered values.
You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the
system for the new settings to take effect.
CAM optimization
CAM optimization is supported on platforms: C-Series, S-Series
When CAM optimization is enabled and a Policy Map containing classification rules (ACL and/or dscp/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written to CAM (only one FP entry is used). When it is disabled, the system behaves as described elsewhere in this chapter.
Test CAM Usage
The test cam-usage command is supported on platforms: C-Series, E-Series, S-Series
This command applies to both IPv4 and IPv6 CAM profiles, but is most useful when verifying QoS optimization for IPv6 ACLs.
Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in EXEC Privilege mode to verify the actual CAM space required. Figure 8-1 shows sample output. The Status column indicates whether or not the policy can be enabled.
Figure 8-1. Command Example: test cam-usage (C-Series)
FTOS#test cam-usage service-policy input TestPolicy linecard all
Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
-----------------------------------------------------------------------------------
   2     |    1     | IPv4Flow      |      232      |           0            | Allowed
   2     |    1     | IPv6Flow      |        0      |           0            | Allowed
   4     |    0     | IPv4Flow      |      232      |           0            | Allowed
   4     |    0     | IPv6Flow      |        0      |           0            | Allowed
FTOS#
Implement ACLs on Dell Networking OS
One IP ACL can be assigned per interface with Dell Networking OS. If an IP ACL is not assigned to an
interface, it is not used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for
detailed specification on entries allowed per ACL.
If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This applies to the following features:
• L2 Ingress Access list
• L2 Egress Access list
• L3 Egress Access list
Note: IP ACLs are supported over VLANs in Version 6.2.1.1 and higher.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port. For example,
when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries would get
installed in the ACL CAM on the port-pipe. The entry would look for the incoming VLAN in the packet.
Whereas if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries would be
installed for each port belonging to a port-pipe.
When you use the log keyword, the CP processor has to log details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP might become busy logging these packets' details; the other processors (RP1 and RP2) should be unaffected. This option is typically useful when debugging a problem related to control traffic. We have used this option numerous times in the field and have not encountered any problems with it so far.
ACL Optimization
If an access list contains duplicate entries, Dell Networking OS deletes one entry to conserve CAM space.
Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM
entries whether it is identified as a Standard or Extended ACL.
Determine the order in which ACLs are used to classify traffic
When you link class-maps to queues using the command service-queue, Dell Networking OS matches the class-maps in order of queue priority (queue numbers closer to 0 have lower priority), so by default the class-map attached to queue 7 is checked before the one attached to queue 4. In Figure 8-2, the order keyword reverses this so that class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, without the order keyword, packets within the range 20.1.1.0/24 match cmap1 and are buffered in queue 7, although you intended these packets to match cmap2 and be buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want ACL rules applied, as shown in Figure 8-2. The order can range from 0 to 254. Dell Networking OS writes ACL rules with lower order numbers (order numbers closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended. By default, all ACL rules have an order of 254.
Figure 8-2.
Use the Order Keyword in ACLs
FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(config-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface gig 1/0
FTOS(conf-if-gi-1/0)#service-policy input pmap
IP Fragment Handling
Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent fragments. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules (permit/deny ip/tcp/udp/icmp).
• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed by default because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment is denied and hence the packet as a whole cannot be reassembled.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For IP ACLs, Dell Networking OS always applies an implicit deny. You do not have to configure it.
• For IP ACLs, Dell Networking OS applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
• If an explicit deny that matches them is configured, second and subsequent fragments hit that deny and never reach the implicit permit rule for fragments.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM.
IP fragments ACL examples
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule is never hit.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
FTOS(conf-ext-nacl)#
To deny second and subsequent fragments, use the same rules in the opposite order. This ACL denies all second and subsequent fragments with destination IP 10.1.1.1 but permits the first fragment and non-fragmented packets with destination IP 10.1.1.1.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
FTOS(conf-ext-nacl)#
Layer 4 ACL rules examples
In the following scenario, first fragments and non-fragmented TCP packets from 10.1.1.1 with TCP destination port 24 are permitted. All other fragments are denied.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)#
In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP
destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are
permitted. All other IP packets that are non-first fragments are denied.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)
To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/
UDP fragments, use a configuration similar to the following.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp any any fragment
FTOS(conf-ext-nacl)#permit udp any any fragment
FTOS(conf-ext-nacl)#deny ip any any log
FTOS(conf-ext-nacl)
Note the following when configuring ACLs with the fragments keyword.
When an ACL filters packets, it looks at the Fragment Offset (FO) to determine whether or not a packet is a fragment:
  FO = 0 means the packet is either the first fragment or a non-fragmented packet.
  FO > 0 means the packet is a later fragment of the original packet.
Permit ACL line with L3 information only, and the fragments keyword present:
  If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
  • If the packet's FO > 0, the packet is permitted.
  • If the packet's FO = 0, the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword present:
  If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
  • If the packet's FO > 0, the packet is denied.
  • If the packet's FO = 0, the next ACL line is processed.
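As an added worked example (not from this guide or from Dell), the Python below is a small ACL evaluator that implements the FO rules above together with the implicit permit for non-initial fragments and the implicit deny, and reproduces the outcomes described for each of the example ACLs in this section: an L3-only line matches first and later fragments alike, a line with the fragments keyword matches only FO > 0, a Layer 4 line can only match an FO = 0 packet, and an explicit L3-only deny reached before the end of the list overrides the implicit fragment permit. The ACL syntax it parses is the subset used in those examples; the packets are constructed.

```python
"""ACL evaluation with the fragments keyword, following the matching rules stated in this section.

Added example, not Dell code. parse_rule() accepts the subset of extended-ACL syntax used in the
examples above (permit/deny, ip/tcp/udp/icmp, any / host A / A/len, eq port, fragments, log).
A non-initial fragment (FO > 0) carries no Layer 4 header, so it has no port to match.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str                        # "any" or a CIDR
    dst: str
    dst_port: Optional[int] = None  # Layer 4 match; only an FO = 0 packet has the header to check
    fragments: bool = False         # the fragments keyword: match only FO > 0
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0            # FO = 0: first fragment or unfragmented; FO > 0: later fragment
    dst_port: Optional[int] = None  # present only when frag_offset == 0


def parse_rule(line: str) -> Rule:
    """Parse one ACL line such as 'permit tcp host 10.1.1.1 any eq 24' or 'deny ip any any fragments log'."""
    toks = line.split()
    action, proto, pos = toks[0], toks[1], 2
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported rule: {line!r}")

    def take_addr() -> str:
        nonlocal pos
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1] + "/32"
        pos += 1
        return toks[pos - 1]

    rule = Rule(action, proto, take_addr(), take_addr())
    while pos < len(toks):
        tok = toks[pos]
        if tok == "eq":
            rule.dst_port, pos = int(toks[pos + 1]), pos + 2
        elif tok in ("fragment", "fragments"):
            rule.fragments, pos = True, pos + 1
        elif tok == "log":
            rule.log, pos = True, pos + 1
        else:
            raise ValueError(f"unsupported keyword {tok!r} in {line!r}")
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """One ACL line against one packet, applying the FO rules from the text."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.fragments:                  # L3 match + fragments keyword: FO > 0 hits, FO = 0 moves to the next line
        return pkt.frag_offset > 0
    if rule.dst_port is not None:       # Layer 4 rule: cannot be applied to a non-initial fragment
        return pkt.frag_offset == 0 and pkt.dst_port == rule.dst_port
    return True                         # L3-only line: matches first and later fragments alike


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the list in sequence; at the end apply the implicit permit for non-initial fragments,
    then the implicit deny. An explicit L3-only deny earlier in the list is reached first and so
    overrides the implicit fragment permit."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit" if pkt.frag_offset > 0 else "deny"


def build_acl(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


if __name__ == "__main__":
    acl = build_acl(["deny ip any 10.1.1.1/32 fragments", "permit ip any 10.1.1.1/32"])
    print(evaluate(acl, Packet("tcp", "10.9.9.9", "10.1.1.1", frag_offset=0, dst_port=80)),   # permit
          evaluate(acl, Packet("tcp", "10.9.9.9", "10.1.1.1", frag_offset=185)))              # deny
```

The evaluator makes the practical hazard visible: an ACL that ends with only Layer 4 permits lets every non-initial fragment through on the implicit fragment permit, so a filter meant to admit a single TCP port must either add an explicit deny with the fragments keyword or end with an L3-only deny, exactly as the examples above do.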
Configure a standard IP ACL
To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The
following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the Dell Networking OS Command
Line Interface Reference document.
Refer to Configure an extended IP ACL to set up extended ACLs.
A standard IP ACL uses the source IP address as its match criterion.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs
with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered
with a TCP filter included.
FTOS(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq 8 of
list test as individual TCP flags are not supported on linecard 0
To configure a standard IP ACL, use these commands in the following sequence:
Step   Command Syntax                                              Command Mode       Purpose
1      ip access-list standard access-list-name                    CONFIGURATION      Enter IP ACCESS LIST mode by naming a standard IP access list.
2      seq sequence-number {deny | permit}                         CONFIG-STD-NACL    Configure a drop or forward filter. The log and monitor options are supported on E-Series only.
       {source [mask] | any | host ip-address}
       [count [byte] | log] [order] [monitor] [fragments]
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command (Figure 8-3) in EXEC Privilege mode.
Figure 8-3.
Command Example: show ip accounting access-list
FTOS#show ip accounting access ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
FTOS#
Figure 8-4 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 25 was configured before filter 15, but the show config command displays the filters
in the correct order.
Figure 8-4. Command example: seq
FTOS(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
FTOS(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any
FTOS(config-std-nacl)#show config
!
ip access-list standard dilling
seq 15 permit tcp 10.3.0.0/16 any
seq 25 deny ip host 10.5.0.0 any log
FTOS(config-std-nacl)#
To delete a filter, use the no seq sequence-number command in the IP ACCESS LIST mode.
If you are creating a standard ACL with only one or two filters, you can let Dell Networking OS assign a
sequence number based on the order in which the filters are configured. The software assigns filters in
multiples of 5.
To configure a filter without a specified sequence number, use these commands in the following sequence,
starting in the CONFIGURATION mode:
Step 1
  Command Syntax: ip access-list standard access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create a standard IP ACL and assign it a unique name.
Step 2
  Command Syntax: {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-STD-NACL
  Purpose: Configure a drop or forward IP ACL filter.
  • log and monitor options are supported on E-Series only.
When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy because it has to log these packets'
details.
Figure 8-5 illustrates a standard IP ACL in which the sequence numbers were assigned by the Dell
Networking OS. The filters were assigned sequence numbers based on the order in which they were
configured (for example, the first filter was given the lowest sequence number). The show config
command in the IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 8-5. Standard IP ACL
FTOS(config-route-map)#ip access standard kigali
FTOS(config-std-nacl)#permit 10.1.0.0/16
FTOS(config-std-nacl)#show config
!
ip access-list standard kigali
seq 5 permit 10.1.0.0/16
FTOS(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command (Figure 8-6) in the
EXEC Privilege mode.
Figure 8-6. Command Example: show ip accounting access-list
FTOS#show ip accounting access example interface gig 4/12
Extended IP access list example
seq 10 deny tcp any any eq 111
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in the IP ACCESS LIST mode and locate the sequence
number of the filter you want to delete. Then use the no seq sequence-number command in the IP ACCESS
LIST mode.
Configure an extended IP ACL
Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP
host addresses, UDP addresses, and UDP host addresses.
Since traffic passes through the filter in the order of the filter’s sequence, you can configure the extended
IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs
with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered
with a TCP filter included.
FTOS(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq 8 of
list test as individual TCP flags are not supported on linecard 0
Configure filters with sequence number
To create a filter for packets with a specified sequence number, use these commands in the following
sequence, starting in the CONFIGURATION mode:
Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Enter the IP ACCESS LIST mode by creating an extended IP ACL.
Step 2
  Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a drop or forward filter.
  • log and monitor options are supported on E-Series only.
When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy because it has to log these packets'
details.
TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in
the following sequence, starting in the CONFIGURATION mode:
Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create an extended IP ACL and assign it a unique name.
Step 2
  Command Syntax: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure an extended IP ACL filter for TCP packets.
  • log and monitor options are supported on E-Series only.
When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy because it has to log these packets'
details.
UDP packets: To create a filter for UDP packets with a specified sequence number, use these commands
in the following sequence, starting in the CONFIGURATION mode:
Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create an extended IP ACL and assign it a unique name.
Step 2
  Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure an extended IP ACL filter for UDP packets.
  • log and monitor options are supported on E-Series only.
When you create the filters with a specific sequence number, you can create the filters in any order and the
filters are placed in the correct order.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or
another number.
Figure 8-7 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 15 was configured before filter 5, but the show config command displays the filters
in the correct order.
Figure 8-7. Command Example: seq
FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
FTOS(config-ext-nacl)#show confi
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 0.0.255.255 any
seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#
Configure filters without sequence number
If you are creating an extended ACL with only one or two filters, you can let Dell Networking OS assign a
sequence number based on the order in which the filters are configured. Dell Networking OS assigns filters
in multiples of 5.
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the
following commands in the IP ACCESS LIST mode:
Command Syntax: {deny | permit} {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine IP packets.
  • log and monitor options are supported on E-Series only.
Command Syntax: {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine TCP packets.
  • log and monitor options are supported on E-Series only.
Command Syntax: {deny | permit} udp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine UDP packets.
  • log and monitor options are supported on E-Series only.
When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy because it has to log these packets'
details.
Figure 8-8 illustrates an extended IP ACL in which the sequence numbers were assigned by the software.
The filters were assigned sequence numbers based on the order in which they were configured (for
example, the first filter was given the lowest sequence number). The show config command in the IP
ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 8-8. Extended IP ACL
FTOS(config-ext-nacl)#deny tcp host 123.55.34.0 any
FTOS(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
FTOS(config-ext-nacl)#show config
!
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
FTOS(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip
accounting access-list command (Figure 232) in the EXEC Privilege mode.
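The following Python model is added here as an illustration; it is not part of the Dell Networking OS guide or software. It puts the behaviour described above for standard and extended IP ACLs into runnable form: filters are kept in sequence-number order whatever order they were typed in, a filter entered without a sequence number receives the next multiple of 5, the first matching filter decides, and no seq removes a filter. It also models the counter reset described later in this chapter for rules inserted ahead of existing ones, and the implicit deny at the end of the list. The class and function names, the normalized show config output, and the handling of wildcard masks (contiguous masks only) are the example's own assumptions; the sample rules in the usage notes are taken from the figures above.

```python
"""Model of Dell Networking OS IP ACL ordering and evaluation (constructed example, not Dell code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
KEYWORDS = {"count", "byte", "log", "order", "monitor", "fragments"}   # trailing options
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Rule:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # destination port window from eq/range, else None
    count: bool                       # rule was given the count option
    hits: int = 0


def _parse_addr(tok):
    """Consume one address term: any | host A.B.C.D | A.B.C.D/X | A.B.C.D /X | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    if "/" in t:
        return ipaddress.IPv4Network(t, strict=False)
    if tok and tok[0].startswith("/"):                   # '10.2.0.0 /16' as typed on the CLI
        return ipaddress.IPv4Network(t + tok.pop(0), strict=False)
    if tok and tok[0][0].isdigit() and "." in tok[0]:     # contiguous wildcard mask, e.g. 0.0.255.255
        wild = int(ipaddress.IPv4Address(tok.pop(0)))
        return ipaddress.IPv4Network(f"{t}/{32 - wild.bit_length()}", strict=False)
    return ipaddress.IPv4Network(t + "/32")              # bare address such as 'permit 1.1.1.2'


def _fmt(net):
    if net == ANY:
        return "any"
    return f"host {net.network_address}" if net.prefixlen == 32 else str(net)


class AccessList:
    def __init__(self, name, kind="extended"):
        self.name, self.kind = name, kind
        self.rules = {}                                   # seq -> Rule

    def add(self, line):
        """Add one filter written in CLI syntax; returns the sequence number it received."""
        tok = line.split()
        seq = None
        if tok[0] == "seq":
            seq, tok = int(tok[1]), tok[2:]
        action = tok.pop(0)
        proto = tok.pop(0) if tok[0] in PROTOCOLS else "ip"   # standard ACL: IP only, no destination
        src = _parse_addr(tok)
        dst = _parse_addr(tok) if tok and tok[0] not in KEYWORDS else ANY
        ports = None
        if tok and tok[0] == "eq":
            ports, tok = (int(tok[1]), int(tok[1])), tok[2:]
        elif tok and tok[0] == "range":
            ports, tok = (int(tok[1]), int(tok[2])), tok[3:]
        if seq is None:                                   # software assigns the next multiple of 5
            seq = (max(self.rules, default=0) // 5 + 1) * 5
        inserted = bool(self.rules) and seq < max(self.rules)
        self.rules[seq] = Rule(seq, action, proto, src, dst, ports, "count" in tok)
        if inserted:                                      # inserting or prepending resets counters
            for r in self.rules.values():
                r.hits = 0
        return seq

    def delete(self, seq):
        """Equivalent of 'no seq sequence-number'."""
        del self.rules[seq]

    def ordered(self):
        return [self.rules[s] for s in sorted(self.rules)]

    def show_config(self):
        """Filters in sequence order, whatever order they were entered in."""
        out = ["!", f"ip access-list {self.kind} {self.name}"]
        for r in self.ordered():
            line = f"seq {r.seq} {r.action} {r.proto} {_fmt(r.src)} {_fmt(r.dst)}"
            if r.ports:
                lo, hi = r.ports
                line += f" eq {lo}" if lo == hi else f" range {lo} {hi}"
            out.append(line + (" count" if r.count else ""))
        return out

    def evaluate(self, proto, src_ip, dst_ip, dst_port=None):
        """Return (action, seq) of the first matching filter; no match falls to the implicit deny."""
        s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for r in self.ordered():
            if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
                continue
            if r.ports and (dst_port is None or not r.ports[0] <= dst_port <= r.ports[1]):
                continue
            if r.count:
                r.hits += 1
            return r.action, r.seq
        return "deny", None
```

Feeding the two lines of Figure 8-7 in the order shown (seq 25 first, then seq 15) and calling show_config() returns them with seq 15 first, as the switch does; adding the two lines of Figure 8-8 without sequence numbers yields 5 and 10. Against the rules of Figure 8-6, a UDP packet from 10.8.3.4 to 10.50.188.119 port 1813 is permitted by seq 45, while the same packet to port 1814 matches nothing and is dropped.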
Established Flag
The est (established) flag is deprecated for Terascale series line cards. Employ the ack and rst flags to
achieve the same functionality.
To obtain the functionality of est, use the following ACLs:
• permit tcp any any rst
• permit tcp any any ack
Configure Layer 2 and Layer 3 ACLs on an Interface
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3
ACLs are applied to an interface, the following rules apply:
• The packets routed by Dell Networking OS are governed by the L3 ACL only, since they are not
filtered against an L2 ACL.
• The packets switched by Dell Networking OS are first filtered by the L3 ACL, then by the L2 ACL.
• When packets are switched by Dell Networking OS, the egress L3 ACL does not filter the packet.
For the following features, if counters are enabled on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters will be reset:
• L2 Ingress Access list
• L3 Egress Access list
• L2 Egress Access list
If a rule is simply appended, existing counters are not affected.
Table 8-2. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              Denied by L3 ACL
Deny              Permit            Permitted by L3 ACL
Permit            Deny              Denied by L2 ACL
Permit            Permit            Permitted by L2 ACL
Note: If an interface is configured as a “vlan-stack access” port, the packets are filtered by an
L2 ACL only. The L3 ACL applied to such a port does not affect traffic. That is, existing rules
for other features (such as trace-list, PBR, and QoS) are applied accordingly to the permitted
traffic.
For information on MAC ACLs, refer to the Access Control Lists (ACLs) chapter in the Dell Networking
OS Command Line Reference Guide.
Assign an IP ACL to an Interface
Ingress and Egress IP ACLs are supported on platform: e
Ingress IP ACLs are supported on platforms: c and s
To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL "ABCD", and apply it using the in keyword and it becomes an ingress access list. If you
apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to
the loopback interface, it becomes a loopback access list.
This chapter covers the following topics:
• Configure Ingress ACLs
• Configure Egress ACLs
• Configure ACLs to Loopback
For more information on Layer-3 interfaces, refer to Chapter 20, Interfaces.
To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in
the following sequence in the INTERFACE mode:
Step 1
  Command Syntax: interface interface slot/port
  Command Mode: CONFIGURATION
  Purpose: Enter the interface number.
Step 2
  Command Syntax: ip address ip-address
  Command Mode: INTERFACE
  Purpose: Configure an IP address for the interface, placing it in Layer-3 mode.
Step 3
  Command Syntax: ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
  Command Mode: INTERFACE
  Purpose: Apply an IP ACL to traffic entering or exiting an interface.
  • out: configure the ACL to filter outgoing traffic. This keyword is supported only on E-Series.
  Note: The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL.
Step 4
  Command Syntax: ip access-list [standard | extended] name
  Command Mode: INTERFACE
  Purpose: Apply rules to the new ACL.
To view which IP ACL is applied to an interface, use the show config command (Figure 8-9) in the
INTERFACE mode or the show running-config command in the EXEC mode.
Figure 8-9. Command example: show config in the INTERFACE Mode
FTOS(conf-if)#show conf
!
interface GigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
FTOS(conf-if)#
Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL
entries. E-Series supports packet and byte counts simultaneously. C-Series and S-Series support only one
at any given time.
To view the number of packets matching an ACL that is applied to an interface:
Step 1: Create an ACL that uses rules with the count option. See Configure a standard IP ACL.
Step 2: Apply the ACL as an inbound or outbound ACL on an interface. See Assign an IP ACL to an Interface.
Step 3: View the number of packets matching the ACL using the show ip accounting access-list command from EXEC
Privilege mode.
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target
traffic, it is a simpler implementation.
To create an ingress ACL, use the ip access-group command (Figure 8-10) in the EXEC Privilege mode.
This example also shows applying the ACL, applying rules to the newly created access group, and viewing
the access list:
Figure 8-10. Create an Ingress ACL
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd in
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2
Callouts in the figure: the “in” keyword specifies ingress; the ip access-list extended abcd block begins applying rules to the ACL named “abcd”; show ip accounting access-list views the access-list.
Configure Egress ACLs
Layer 2 and Layer 3 ACLs are supported on platform: e
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack, malicious and incidental, by
explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieve the same results. By localizing target traffic, it is a simpler
implementation.
An egress ACL is used when you want to restrict egress traffic. For example, when DoS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
To create an egress ACL, use the ip access-group command (Figure 8-11) in the EXEC Privilege mode.
This example also shows viewing the configuration, applying rules to the newly created access group, and
viewing the access list:
Figure 8-11. Create an Egress ACL
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd out
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2
Callouts in the figure: the “out” keyword specifies egress; the ip access-list extended abcd block begins applying rules to the ACL named “abcd”; show ip accounting access-list views the access-list.
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping
session from the system, for example, and apply an egress ACL to block this type of traffic on the
interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature
enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
Task: Apply Egress ACLs to IPv4 system traffic.
  Command Syntax: ip control-plane [egress filter]
  Command Mode: CONFIGURATION
Task: Apply Egress ACLs to IPv6 system traffic.
  Command Syntax: ipv6 control-plane [egress filter]
  Command Mode: CONFIGURATION
Task: Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
  Command Syntax: permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count
  Command Mode: CONFIG-NACL
Dell Networking OS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL
filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP
virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
Configure ACLs to Loopback
ACLs can be supplied on Loopback interfaces supported on platform: e
Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack,
malicious and incidental, by explicitly allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to
apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it
is a simpler implementation.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing
protocols, remote access, SNMP, ICMP, and so on. Effective filtering of Layer 3 traffic from Layer 3 routers
reduces the risk of attack.
Note: Loopback ACLs are supported only on ingress traffic.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the
fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is
not actually installed in CAM.
See also Loopback Interfaces in the Interfaces chapter.
Applying an ACL on Loopback Interfaces
ACLs can be applied on Loopback interfaces supported on platform: e
To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:
Step 1
  Command Syntax: interface loopback 0
  Command Mode: CONFIGURATION
  Purpose: Only loopback 0 is supported for the loopback ACL.
Step 2
  Command Syntax: [seq number] permit loopback-logging any any
  Command Mode: CONFIGURATION
  Purpose: If you are applying an extended ACL, and it has a deny ip any any entry, this entry denies internally generated packets as well as packets received from external devices. To prevent internally generated packets from being dropped, make sure that the ACL you intend to apply has the following entry: [seq number] permit loopback-logging any any. This line may be anywhere in the ACL.
Step 3
  Command Syntax: ip access-list [standard | extended] name
  Command Mode: CONFIGURATION
  Purpose: Apply rules to the new ACL.
Step 4
  Command Syntax: ip access-group name in
  Command Mode: INTERFACE
  Purpose: Apply an ACL to traffic entering loopback.
  • in: configure the ACL to filter incoming traffic
  Note: ACLs for loopback can only be applied to incoming traffic.
To apply ACLs on loopback, use the ip access-group command (Figure 8-12) in the INTERFACE mode.
This example also shows the interface configuration status, adding rules to the access group, and
displaying the list of rules in the ACL:
Figure 8-12. Apply an ACL to the Loopback Interface
FTOS(conf)#interface loopback 0
FTOS(conf-if-lo-0)#ip access-group abcd in
FTOS(conf-if-lo-0)#show config
!
interface Loopback 0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-lo-0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on Loopback 0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 10 deny icmp any any
Callouts in the figure: the in keyword is used; the ip access-list extended abcd block adds rules to the ACL named “abcd”; show ip accounting access-list displays the ACL.
Note: See also the section VTY Line Local Authentication and Authorization.
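Because a loopback ACL is accepted even when it would silently drop the system's own packets (a deny ip any any without the permit loopback-logging any any entry) or contain a rule that is never installed in CAM (the fragments option), a pre-apply check is worth running against the entries you intend to bind to loopback 0. The following Python lint is an added example, not part of the guide or of Dell Networking OS; the function name, the form of its input (ACL lines as show config prints them) and the sample entries, which reuse the host address from Figure 8-9, are constructed for the illustration.

```python
"""Pre-apply lint for an ACL that will be bound to 'interface loopback 0' (constructed example,
not Dell code). It flags the failure modes the guide describes: a 'deny ip any any' entry without
'permit loopback-logging any any', entries using the unsupported fragments option, and an
access-group line that does not use the in keyword."""


def _body(entry):
    """Strip a leading 'seq N ' so entries with and without sequence numbers compare alike."""
    tok = entry.split()
    return " ".join(tok[2:] if tok[:1] == ["seq"] else tok)


def check_loopback_acl(entries, access_group="ip access-group acl in"):
    """entries: ACL lines as 'show config' prints them. Returns a list of problems (empty means OK)."""
    problems = []
    bodies = [_body(e) for e in entries]
    denies_all = any(b.startswith("deny ip any any") for b in bodies)
    if denies_all and "permit loopback-logging any any" not in bodies:
        problems.append("deny ip any any is present but 'permit loopback-logging any any' is missing: "
                        "internally generated packets would be dropped")
    for entry, body in zip(entries, bodies):
        if "fragments" in body.split():          # accepted by the CLI, never installed in CAM
            problems.append(f"'{entry.strip()}' uses fragments, which loopback interfaces do not support")
    if access_group.split()[-1] != "in":          # loopback ACLs filter incoming traffic only
        problems.append("loopback ACLs can only be applied to incoming traffic (use the in keyword)")
    return problems
```

An ACL that carries permit loopback-logging any any anywhere in the list, no fragments option, and is applied with in produces an empty list; the sample below with the permit missing and one fragments rule produces two findings, and three when applied with out.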
IP Prefix Lists
Prefix Lists are supported on platforms: c, e, s
IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching
criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are
processed in sequence so that if a route prefix does not match the criterion in the first filter, the second
filter (if configured) is applied. When the route prefix matches a filter, Dell Networking OS drops or
forwards the packet based on the filter’s designated action. If the route prefix does not match any of the
filters in the prefix list, the route is dropped (that is, implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route
prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be
matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address
112.24.0.0 match all addresses between 112.24.0.0 and 112.24.255.255.
Below are some examples that permit or deny filters for specific routes using the le and ge parameters,
where x.x.x.x/x represents a route prefix:
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a
permit or deny filter in a configured prefix list.
• Once a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
Implementation Information
In Dell Networking OS, prefix lists are used in processing routes for routing protocols (for example, RIP,
OSPF, and BGP).
Note: The S-Series platform does not support all protocols. It is important to know which protocol you are
supporting prior to implementing Prefix-Lists.
Configuration Task List for Prefix Lists
To configure a prefix list, you must use commands in the PREFIX LIST, the ROUTER RIP, ROUTER
OSPF, and ROUTER BGP modes. Basically, you create the prefix list in the PREFIX LIST mode, and
assign that list to commands in the ROUTER RIP, ROUTER OSPF and ROUTER BGP modes.
The following list includes the configuration tasks for prefix lists:
• Configuring a prefix list
• Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line
Interface Reference document.
Configuring a prefix list
To configure a prefix list, use these commands in the following sequence, starting in the
CONFIGURATION mode:
Step 1
  Command Syntax: ip prefix-list prefix-name
  Command Mode: CONFIGURATION
  Purpose: Create a prefix list and assign it a unique name. You are in the PREFIX LIST mode.
Step 2
  Command Syntax: seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  Command Mode: CONFIG-NPREFIXL
  Purpose: Create a prefix list with a sequence number and a deny or permit action. The optional parameters are:
  • ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
  • le max-prefix-length: is the maximum prefix length to be matched (0 to 32).
If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list
filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter should be the last filter in your
prefix list. To permit the default route only, enter permit 0.0.0.0/0.
Figure 8-13 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 20 was configured before filter 15 and 12, but the show config command displays
the filters in the correct order.
Figure 8-13. Command Example: seq
FTOS(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
FTOS(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
FTOS(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#
Note that the last line in the prefix list juba contains a “permit all” statement. By including this line in a prefix
list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in the PREFIX LIST mode.
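The following Python model is added here as an illustration; it is not part of the Dell Networking OS guide or software. It puts the prefix-list rules stated above into runnable form: filters are evaluated in sequence-number order, a filter entered without a sequence number receives the next multiple of 5, the ge and le parameters define the window of prefix lengths a filter accepts (an exact length when neither is given, ge up to 32 when only ge is given, and the filter's own length up to le when only le is given), a list with no filters allows every route, and a route that matches no filter is dropped by the implicit deny. Host bits are masked off the way Figure 8-13 shows (120.23.14.0 /8 becomes 120.0.0.0/8). The class and method names are the example's own; the sample filters in the usage notes are the ones from Figure 8-13 and from the ge/le bullets above.

```python
"""Model of Dell Networking OS IP prefix-list matching (constructed example, not Dell code)."""
import ipaddress


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.filters = {}                      # seq -> (action, network, ge, le)

    def add(self, line):
        """Accept '[seq N] {permit|deny} A.B.C.D/X [ge MIN] [le MAX]'; returns the sequence number."""
        tok = line.split()
        seq = None
        if tok[0] == "seq":
            seq, tok = int(tok[1]), tok[2:]
        action, prefix, tok = tok[0], tok[1], tok[2:]
        if tok and tok[0].startswith("/"):     # '134.23.0.0 /16' as typed on the CLI
            prefix += tok.pop(0)
        net = ipaddress.IPv4Network(prefix, strict=False)   # host bits dropped, as show config displays
        ge = le = None
        while tok:
            key, val, tok = tok[0], int(tok[1]), tok[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        if seq is None:                        # software assigns the next multiple of 5
            seq = (max(self.filters, default=0) // 5 + 1) * 5
        self.filters[seq] = (action, net, ge, le)
        return seq

    def delete(self, seq):
        """Equivalent of 'no seq sequence-number'."""
        del self.filters[seq]

    @staticmethod
    def _length_window(net, ge, le):
        """Prefix lengths a filter accepts: exact length by default, ge..32, L..le, or ge..le."""
        lower = ge if ge is not None else net.prefixlen
        upper = le if le is not None else (32 if ge is not None else net.prefixlen)
        return lower, upper

    def evaluate(self, route):
        """Return (action, seq) for a route prefix: first match wins, an empty list permits
        everything, and no match is the implicit deny."""
        if not self.filters:
            return "permit", None
        r = ipaddress.IPv4Network(route, strict=False)
        for seq in sorted(self.filters):
            action, net, ge, le = self.filters[seq]
            lower, upper = self._length_window(net, ge, le)
            if r.network_address in net and lower <= r.prefixlen <= upper:
                return action, seq
        return "deny", None

    def show_config(self):
        """Filters in sequence order, whatever order they were entered in."""
        out = ["!", f"ip prefix-list {self.name}"]
        for seq in sorted(self.filters):
            action, net, ge, le = self.filters[seq]
            line = f"seq {seq} {action} {net}"
            line += f" ge {ge}" if ge is not None else ""
            line += f" le {le}" if le is not None else ""
            out.append(line)
        return out
```

Entering the three lines of Figure 8-13 in the order shown reproduces its show config output. Against that list, 134.23.0.0/16 is denied by seq 12, 134.23.1.0/24 is not (seq 12 accepts only a /16) and falls through to the permit-all filter, 120.5.0.0/16 is denied by seq 15, and 120.5.6.0/24 is longer than le 16 and is permitted by seq 20. With a single permit 10.0.0.0/8 ge 8 le 12 filter, 10.16.0.0/12 is permitted while 10.1.0.0/16 hits the implicit deny.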
If you are creating a standard prefix list with only one or two filters, you can let Dell Networking OS
assign a sequence number based on the order in which the filters are configured. The Dell Networking OS
assigns filters in multiples of five.
To configure a filter without a specified sequence number, use these commands in the following sequence
starting in the CONFIGURATION mode:
Step 1
  Command Syntax: ip prefix-list prefix-name
  Command Mode: CONFIGURATION
  Purpose: Create a prefix list and assign it a unique name.
Step 2
  Command Syntax: {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  Command Mode: CONFIG-NPREFIXL
  Purpose: Create a prefix list filter with a deny or permit action. The optional parameters are:
  • ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
  • le max-prefix-length: is the maximum prefix length to be matched (0 to 32).
Figure 8-14 illustrates a prefix list in which the sequence numbers were assigned by the software. The
filters were assigned sequence numbers based on the order in which they were configured (for example,
the first filter was given the lowest sequence number). The show config command in the PREFIX LIST
mode displays the two filters with the sequence numbers 5 and 10.
Figure 8-14. Prefix List
FTOS(conf-nprefixl)#permit 123.23.0.0 /16
FTOS(conf-nprefixl)#deny 133.24.56.0 /8
FTOS(conf-nprefixl)#show conf
!
ip prefix-list awe
seq 5 permit 123.23.0.0/16
seq 10 deny 133.0.0.0/8
FTOS(conf-nprefixl)#
To delete a filter, enter the show config command in the PREFIX LIST mode and locate the sequence
number of the filter you want to delete; then use the no seq sequence-number command in the PREFIX
LIST mode.
To view all configured prefix lists, use either of the following commands in the EXEC mode:
Command Syntax: show ip prefix-list detail [prefix-name]
  Command Mode: EXEC Privilege
  Purpose: Show detailed information about configured Prefix lists.
Command Syntax: show ip prefix-list summary [prefix-name]
  Command Mode: EXEC Privilege
  Purpose: Show a table of summarized information about configured Prefix lists.
Figure 8-15. Command example: show ip prefix-list detail
FTOS>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
FTOS>
Figure 8-16. Command Example: show ip prefix-list summary
FTOS>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
FTOS>
Use a prefix list for route redistribution
To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution
command. The prefix list is applied to all traffic redistributed into the routing process and the traffic is
either forwarded or dropped depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP (RIP is supported on C and E-Series.), use either of the following
commands in the ROUTER RIP mode:
Command Syntax: router rip
  Command Mode: CONFIGURATION
  Purpose: Enter RIP mode.
Command Syntax: distribute-list prefix-list-name in [interface]
  Command Mode: CONFIG-ROUTER-RIP
  Purpose: Apply a prefix list to filter the network prefixes in incoming route updates. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded.
Command Syntax: distribute-list prefix-list-name out [interface | connected | static | ospf]
  Command Mode: CONFIG-ROUTER-RIP
  Purpose: Apply a prefix list to filter network prefixes advertised in outgoing route updates. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
To view the configuration, use the show config command in the ROUTER RIP mode (Figure 8-17) or the
show running-config rip command in the EXEC mode.
Figure 8-17. Command Example: show config in the ROUTER RIP Mode
FTOS(conf-router_rip)#show config
!
router rip
distribute-list prefix juba out
network 10.0.0.0
FTOS(conf-router_rip)#router ospf 34
To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode:
Command Syntax: router ospf
  Command Mode: CONFIGURATION
  Purpose: Enter OSPF mode.
Command Syntax: distribute-list prefix-list-name in [interface]
  Command Mode: CONFIG-ROUTER-OSPF
  Purpose: Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
Command Syntax: distribute-list prefix-list-name out [connected | rip | static]
  Command Mode: CONFIG-ROUTER-OSPF
  Purpose: Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded.
To view the configuration, use the show config command in the ROUTER OSPF mode (Figure 8-18) or the
show running-config ospf command in the EXEC mode.
Figure 8-18.
Command Example: show config in ROUTER OSPF Mode
FTOS(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
FTOS(conf-router_ospf)#
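As an added example, not code from the Dell Networking OS guide, the following Python model shows what a distribute-list prefix-list filter does to a batch of route updates. The prefix list, its entries and the route prefixes are constructed here; the sequence-ordered, first-match, implicit-deny evaluation and the optional ge/le mask-length window are the standard prefix-list rules and are assumptions of the model (this page does not define them), while the nonexistent-list fallback is exactly the behaviour the command tables above state.

```python
"""Added example (not Dell's code): a prefix list used as a distribute-list
filter on a batch of route updates.  Entries are tried in sequence order,
the first matching entry decides, and an unmatched route is implicitly denied.
A nonexistent prefix-list name forwards every route, as the command tables
above state."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None    # optional mask-length window (assumed standard
    le: Optional[int] = None    # prefix-list semantics; not shown on this page)

    def matches(self, route: IPv4Network) -> bool:
        # The route must lie inside the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its mask length must be in the window.  Without ge/le only an
        # exact length matches; ge alone opens the window up to /32.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else route.max_prefixlen
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, name: str, entries: List[PrefixEntry]) -> None:
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)  # evaluated in seq order

    def permits(self, route: IPv4Network) -> bool:
        for entry in self.entries:
            if entry.matches(route):
                return entry.action == "permit"   # first match wins
        return False                               # implicit deny


def distribute_list(prefix_lists: Dict[str, PrefixList], name: str,
                    routes: List[IPv4Network]) -> List[IPv4Network]:
    """Model of 'distribute-list <name> in|out' applied to a route update."""
    plist = prefix_lists.get(name)
    if plist is None:
        return list(routes)    # nonexistent prefix list: all routes are forwarded
    return [r for r in routes if plist.permits(r)]


# Constructed sample data: a prefix list whose ordering matters (the deny for
# 10.1.0.0/16 must come before the broader permit) and a batch of updates.
FILTER_OSPF = PrefixList("filter_ospf", [
    PrefixEntry(5, "deny", ip_network("10.1.0.0/16")),
    PrefixEntry(10, "permit", ip_network("10.0.0.0/8"), le=16),
    PrefixEntry(15, "permit", ip_network("192.168.0.0/16"), ge=24, le=24),
])
UPDATE = [ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/8",
                                   "10.3.4.0/24", "192.168.7.0/24", "172.16.0.0/12")]


def permits_route(cidr: str) -> bool:
    """Decision of filter_ospf for one prefix given in CIDR notation."""
    return FILTER_OSPF.permits(ip_network(cidr))


def filtered_update() -> List[str]:
    """Routes that survive 'distribute-list filter_ospf in'."""
    kept = distribute_list({"filter_ospf": FILTER_OSPF}, "filter_ospf", UPDATE)
    return [str(r) for r in kept]


def update_with_missing_list() -> List[str]:
    """The same update through a name that is not configured: nothing is filtered."""
    kept = distribute_list({"filter_ospf": FILTER_OSPF}, "nosuchlist", UPDATE)
    return [str(r) for r in kept]
```

The second function is the practical check: a typo in the list name referenced by distribute-list does not fail closed, it forwards everything, so the name in show config should be compared against show ip prefix-list summary after any change.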
ACL Resequencing
Resequencing an ACL or Prefix List is supported on platform: E-Series.
ACL Resequencing allows you to re-number the rules and remarks in an access or prefix list. The
placement of rules within the list is critical because packets are matched against rules in sequential order.
Use Resequencing whenever there is no longer an opportunity to order new rules as desired using the
current numbering scheme.
For example, Table 8-3 contains some rules that are numbered in increments of 1. No new rules can be
placed between these, so apply resequencing to create numbering space, as shown in Table 8-4. In the same
example, apply resequencing if more than two rules must be placed between rules 7 and 10.
IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result
of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs.
Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It
merely renumbers them so that new rules can be placed within the list as desired.
Table 8-3.
ACL Resequencing Example (Insert New Rules)
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Table 8-4.
ACL Resequencing Example (Resequenced)
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequence an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs. To resequence an
ACL or prefix list use the appropriate command in Table 8-5. You must specify the list name, starting
number, and increment when using these commands.
Table 8-5.
Resequencing ACLs and Prefix Lists
List / Command / Command Mode
IPv4, IPv6, or MAC ACL
  Command: resequence access-list {ipv4 | ipv6 | mac} {access-list-name StartingSeqNum Step-to-Increment}
  Mode: Exec
IPv4 or IPv6 prefix-list
  Command: resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
  Mode: Exec
Figure 8-19 shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing
by 2.
Figure 8-19.
Resequence ACLs
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
FTOS# end
FTOS# resequence access-list ipv4 test 2 2
FTOS# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
Remarks and rules that originally have the same sequence number have the same sequence number after
the resequence command is applied. Remarks that do not have a corresponding rule are incremented as if
they were a rule. These two mechanisms allow remarks to retain their original position in the list.
For example, in Figure 8-20, remark 10 corresponds to rule 10 and as such they have the same number
before and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained
their original positions.
Figure 8-20.
Resequence Remarks
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
FTOS# end
FTOS# resequence access-list ipv4 test 2 2
FTOS# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
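As an added example, not code from the Dell Networking OS guide, the following Python reproduces the renumbering that resequence access-list performs on the list of Figure 8-20 (start 2, step 2). The parser and the renumbering rules are a model written for this page: rules take start, start+step, and so on; a remark whose old number equals a rule's number takes that rule's new number; every other remark consumes a number of its own. Remark text is carried through unchanged, so the output differs from the figure only in the wording of remark 6.

```python
"""Added example (not Dell's code): the renumbering that 'resequence
access-list' performs, reproduced on the access list of Figure 8-20."""
from typing import Dict, List, Tuple

Entry = Tuple[str, int, str]   # ("remark" | "seq", sequence number, rest of line)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Read 'remark N text' / 'seq N rule' lines from 'show config' output."""
    entries = []
    for line in lines:
        words = line.split(None, 2)
        if len(words) >= 2 and words[0] in ("remark", "seq"):
            entries.append((words[0], int(words[1]), words[2] if len(words) > 2 else ""))
    return entries


def resequence(entries: List[Entry], start: int, step: int) -> List[Entry]:
    """Renumber rules start, start+step, ...; remarks keep their position."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    rule_numbers = {seq for kind, seq, _ in entries if kind == "seq"}
    new_number: Dict[int, int] = {}        # old rule number -> new number
    out, nxt = [], start
    for kind, seq, text in entries:
        if seq in rule_numbers:
            # A rule, or a remark that belongs to a rule: both share one new number.
            if seq not in new_number:
                new_number[seq], nxt = nxt, nxt + step
            out.append((kind, new_number[seq], text))
        else:
            # A remark with no corresponding rule is numbered like a rule of its own.
            out.append((kind, nxt, text))
            nxt += step
    return out


def render(entries: List[Entry]) -> List[str]:
    return [f"{kind} {seq} {text}".rstrip() for kind, seq, text in entries]


# The list from Figure 8-20 before 'resequence access-list ipv4 test 2 2'.
BEFORE = [
    "remark 4 XYZ",
    "remark 5 this remark corresponds to permit any host 1.1.1.1",
    "seq 5 permit ip any host 1.1.1.1",
    "remark 9 ABC",
    "remark 10 this remark corresponds to permit ip any host 1.1.1.2",
    "seq 10 permit ip any host 1.1.1.2",
    "seq 15 permit ip any host 1.1.1.3",
    "seq 20 permit ip any host 1.1.1.4",
]


def resequenced_test_acl() -> List[str]:
    """The list after 'resequence access-list ipv4 test 2 2'."""
    return render(resequence(parse_acl(BEFORE), start=2, step=2))


def numbers(lines: List[str]) -> List[int]:
    """Sequence numbers of an ACL listing, in order of appearance."""
    return [seq for _, seq, _ in parse_acl(lines)]
```

Because the rule order is preserved and only the numbers change, the same function also serves as a quick audit: comparing the rule text before and after a resequence confirms that no permit or deny moved relative to its neighbours.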
Route Maps
Route-maps are supported on platforms: C-Series, E-Series, S-Series.
Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching
criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists
can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For
example, a route map can be called to filter only specific routes and to add a metric.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists, however, where the packet or
traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not
redistributed.
Implementation Information
The Dell Networking OS implementation of route maps allows route maps with no match command or no
set command. When there is no match command, all traffic matches the route map and the set command
applies.
Important Points to Remember
• For route-maps with more than one match clause:
  • Two or more match clauses within the same route-map sequence have the same match commands
    (though the values are different): matching a packet against these clauses is a logical OR operation.
  • Two or more match clauses within the same route-map sequence have different match commands:
    matching a packet against these clauses is a logical AND operation.
• If no match is found in a route-map sequence, the process moves to the next route-map sequence until
  a match is found, or there are no more sequences.
• When a match is found, the packet is forwarded; no more route-map sequences are processed.
  • If a continue clause is included in the route-map sequence, the next or a specified route-map
    sequence is processed after a match is found.
Configuration Task List for Route Maps
You configure route maps in the ROUTE-MAP mode and apply them in various commands in the
ROUTER RIP and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps:
• Create a route map (mandatory)
• Configure route map filters (optional)
• Configure a route map for route redistribution (optional)
• Configure a route map for route tagging (optional)
Create a route map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route
map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters
match certain routes and set or specify values.
To create a route map and enter the ROUTE-MAP mode, use the following command in the
CONFIGURATION mode:
Command Syntax / Command Mode / Purpose
route-map map-name [permit | deny] [sequence-number]
  Mode: CONFIGURATION
  Purpose: Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map. The default is permit. The optional parameter seq allows you to assign a sequence number to the route map instance.
The default action is permit and the default sequence number starts at 10. When the keyword deny is used
in configuring a route map, routes that meet the match filters are not redistributed.
To view the configuration, use the show config command in the ROUTE-MAP mode (Figure 8-21).
Figure 8-21.
Command Example: show config in the ROUTE-MAP Mode
FTOS(config-route-map)#show config
!
route-map dilling permit 10
FTOS(config-route-map)#
You can create multiple instances of this route map by using the sequence number option to place the route
maps in the correct order. Dell Networking OS processes the route maps with the lowest sequence number
first. When a configured route map is applied to a command, like redistribute, traffic passes through all
instances of that route map until a match is found. Figure 8-22 shows an example with two instances of a
route map.
Figure 8-22.
Command Example: show route-map with Multiple Instances of a Route Map
FTOS#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
FTOS#
Route map zakho has two instances
To delete all instances of that route map, use the no route-map map-name command. To delete just one
instance, add the sequence number to the command syntax (Figure 8-23).
Figure 8-23.
Delete one Instance of a Route Map
FTOS(conf)#no route-map zakho 10
FTOS(conf)#end
FTOS#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
FTOS#
Figure 8-24 shows an example of a route map with multiple instances. The show config command
displays only the configuration of the current route map instance. To view all instances of a specific route
map, use the show route-map command.
Figure 8-24.
Command Example: show route-map
FTOS#show route-map dilling
route-map dilling, permit, sequence 10
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
interface Loopback 23
Set clauses:
tag 3444
FTOS#
To delete a route map, use the no route-map map-name command in the CONFIGURATION mode.
Configure route map filters
Within the ROUTE-MAP mode, there are match and set commands. Basically, match commands search
for a certain criterion in the routes and the set commands change the characteristics of those routes, either
adding something or specifying a level.
When there are multiple match commands of the same parameter under one instance of a route-map,
Dell Networking OS matches a route if any one of those match commands matches. If there are multiple
match commands of different parameters, then Dell Networking OS matches a route ONLY if ALL of the
match commands match. The following examples illustrate this:
Example 1
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(config-route-map)#match tag 2000
FTOS(config-route-map)#match tag 3000
In the above route-map, if a route has any of the tag values specified in the match commands, then there is a
match.
Example 2
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(config-route-map)#match metric 2000
In the above route-map, a route is matched only if it has both of the characteristics mentioned in the
route-map: the route must have a tag value of 1000 and a metric value of 2000. Only then is there a match.
Also, if there are different instances of the same route-map, it is sufficient if a permit match happens in
any instance of that route-map. As an example:
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(conf)#route-map force deny 20
FTOS(config-route-map)#match tag 1000
FTOS(conf)#route-map force deny 30
FTOS(config-route-map)#match tag 1000
In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 and 30
deny the route having a tag value of 1000. In this scenario, Dell Networking OS scans all the
instances of the route-map for any permit statement. If there is a match anywhere, the route is permitted,
even though other instances of the route-map deny it.
To configure match criterion for a route map, use any or all of the following commands in the
ROUTE-MAP mode:
Command Syntax / Command Mode / Purpose
match as-path as-path-name
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes with the same AS-PATH numbers.
match community community-list-name [exact]
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes with COMMUNITY list attributes in their path.
match interface interface
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes whose next hop is a specific interface. The parameters are:
  • For a Fast Ethernet interface, enter the keyword FastEthernet followed by the slot/port information.
  • For a 1-Gigabit Ethernet interface, enter the keyword gigabitEthernet followed by the slot/port information.
  • For a loopback interface, enter the keyword loopback followed by a number between zero (0) and 16383.
  • For a port channel interface, enter the keyword port-channel followed by a number from 1 to 255 for TeraScale and ExaScale.
  • For a SONET interface, enter the keyword sonet followed by the slot/port information.
  • For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet followed by the slot/port information.
  • For a VLAN, enter the keyword vlan followed by a number from 1 to 4094.
    E-Series ExaScale platforms support 4094 VLANs with Dell Networking OS version 8.2.1.0 and later. Earlier ExaScale supports 2094 VLANS.
match ip address prefix-list-name
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match destination routes specified in a prefix list (IPv4).
match ipv6 address prefix-list-name
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match destination routes specified in a prefix list (IPv6).
match ip next-hop {access-list-name | prefix-list prefix-list-name}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match next-hop routes specified in a prefix list (IPv4).
match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match next-hop routes specified in a prefix list (IPv6).
match ip route-source {access-list-name | prefix-list prefix-list-name}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match source routes specified in a prefix list (IPv4).
match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match source routes specified in a prefix list (IPv6).
match metric metric-value
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes with a specific value.
match origin {egp | igp | incomplete}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match BGP routes based on the ORIGIN attribute.
match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated.
match tag tag-value
  Mode: CONFIG-ROUTE-MAP
  Purpose: Match routes with a specific tag.
To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode:
Command Syntax / Command Mode / Purpose
set as-path prepend as-number [... as-number]
  Mode: CONFIG-ROUTE-MAP
  Purpose: Add an AS-PATH number to the beginning of the AS-PATH.
set automatic-tag
  Mode: CONFIG-ROUTE-MAP
  Purpose: Generate a tag to be added to redistributed routes.
set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify an OSPF area or ISIS level for redistributed routes.
set local-preference value
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify a value for the BGP route’s LOCAL_PREF attribute.
set metric {+ | - | metric-value}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify a value for redistributed routes.
set metric-type {external | internal | type-1 | type-2}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify an OSPF or ISIS type for redistributed routes.
set next-hop ip-address
  Mode: CONFIG-ROUTE-MAP
  Purpose: Assign an IP address as the route’s next hop.
set ipv6 next-hop ip-address
  Mode: CONFIG-ROUTE-MAP
  Purpose: Assign an IPv6 address as the route’s next hop.
set origin {egp | igp | incomplete}
  Mode: CONFIG-ROUTE-MAP
  Purpose: Assign an ORIGIN attribute.
set tag tag-value
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify a tag for the redistributed routes.
set weight value
  Mode: CONFIG-ROUTE-MAP
  Purpose: Specify a value as the route’s weight.
Use these commands to create route map instances. There is no limit to the number of set and match
commands per route map, but the convention is to keep the number of match and set filters in a route map
low. Set commands do not require a corresponding match command.
Configure a route map for route redistribution
Route maps on their own cannot affect traffic and must be included in different commands to affect routing
traffic. To apply a route map to traffic on the E-Series, you must call or include that route map in a
command such as the redistribute or default-information originate commands in OSPF, ISIS, and BGP.
Route redistribution occurs when Dell Networking OS learns the advertising routes from static or directly
connected routes or another routing protocol. Different protocols assign different values to redistributed
routes to identify the routes and their origins. The metric value is the most common attribute that is
changed to properly redistribute other routes into a routing protocol. Other attributes that can be changed
include the metric type (for example, external and internal route types in OSPF) and route tag. Use the
redistribute command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes that are
redistributed into those protocols.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change
more attributes when redistributing those routes.
In Figure 8-25, the redistribute command calls the route map staticospf to redistribute only certain
static routes into OSPF. According to the route map staticospf, only routes that have a next hop of
GigabitEthernet interface 0/0 and that have a metric of 255 will be redistributed into the OSPF backbone
area.
Note: When re-distributing routes using route-maps, the user must take care to create the
route-map defined in the redistribute command under the routing protocol. If no route-map is
created, then NO routes are redistributed.
Figure 8-25.
Route Redistribution into OSPF
router ospf 34
default-information originate metric-type 1
redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
!
route-map staticospf permit 10
match interface GigabitEthernet 0/0
match metric 255
set level backbone
Configure a route map for route tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that
protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the
route as it passes through different routing protocols. This tag can then be used when the route leaves a
routing domain to redistribute those routes again.
In Figure 8-26, the redistribute ospf command with a route map is used in the ROUTER RIP mode to
apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.
Figure 8-26.
Tagging OSPF Routes Entering a RIP Routing Domain
!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!
Continue clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more
route-map modules are processed. If the continue command is configured at the end of a module, the next
module (or a specified module) is processed even after a match is found. Figure 8-27 shows a continue
clause at the end of a route-map module. In this example, if a match is found in the route-map “test”
module 10, module 30 will be processed.
Note: If the continue clause is configured without specifying a module, the next sequential module is
processed.
Figure 8-27.
Command Example: continue
!
route-map test permit 10
match commu comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30
!
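As an added example, not code from the Dell Networking OS guide, the following Python is a small model of route-map evaluation that serves both the matching rules given under "Configure route map filters" (same parameter: OR; different parameters: AND; instances walked in sequence order, first match wins, implicit deny) and the continue clause above. It replays Examples 1 and 2, the permit 10 / deny 20 / deny 30 route-map, the staticospf route map of Figure 8-25 and the continue example of Figure 8-27. Community-list evaluation is abstracted to a list name carried by the route, and sequence 30 of route-map test, which the figure does not show, is an assumed instance with no match command and a constructed set tag 99.

```python
"""Added example (not code from the Dell Networking OS guide): a model of
route-map evaluation following the rules stated in this chapter.  Within one
instance, match commands of the same parameter are OR'ed and different
parameters are AND'ed; instances are walked in sequence order and the first
matching instance decides; a matched deny instance, or no match at all
(implicit deny), means the route is not redistributed; a continue clause
re-enters processing at the next or the named sequence after a match."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NEXT_SEQ = -1   # 'continue' with no sequence number: go on with the next sequence


@dataclass
class Route:
    attrs: Dict[str, object]   # e.g. {"tag": 1000, "metric": 2000}


@dataclass
class Instance:
    seq: int
    action: str = "permit"
    # parameter -> the values named in one or more 'match <parameter>' commands
    matches: Dict[str, Set[object]] = field(default_factory=dict)
    sets: Dict[str, object] = field(default_factory=dict)
    continue_to: Optional[int] = None

    def match(self, route: Route) -> bool:
        # No match command at all: every route matches and the sets apply.
        return all(route.attrs.get(param) in values
                   for param, values in self.matches.items())


def apply_sets(route: Route, sets: Dict[str, object]) -> Route:
    attrs = dict(route.attrs)
    for name, value in sets.items():
        if name == "as-path prepend":          # prepend in front of the existing AS-PATH
            attrs["as-path"] = list(value) + list(attrs.get("as-path", []))
        else:
            attrs[name] = value
    return Route(attrs)


def evaluate(route_map: List[Instance], route: Route) -> Tuple[bool, Route]:
    """Return (route is redistributed?, route after the applied set clauses)."""
    instances = sorted(route_map, key=lambda i: i.seq)
    seqs = [i.seq for i in instances]
    idx, permitted = 0, False
    while idx < len(instances):
        inst = instances[idx]
        if not inst.match(route):
            idx += 1
            continue
        if inst.action == "deny":
            return False, route                 # matched a deny instance
        permitted = True
        route = apply_sets(route, inst.sets)
        if inst.continue_to is None:
            break                               # match found, stop processing
        if inst.continue_to == NEXT_SEQ:
            idx += 1
        elif inst.continue_to > inst.seq:
            idx = seqs.index(inst.continue_to)  # ValueError if no such sequence
        else:
            raise ValueError("continue must name a later sequence")
    return permitted, route                     # no match anywhere: implicit deny


# Example 1: same parameter, several values (OR).
FORCE_OR = [Instance(10, matches={"tag": {1000, 2000, 3000}})]
# Example 2: different parameters (AND).
FORCE_AND = [Instance(10, matches={"tag": {1000}, "metric": {2000}})]
# permit 10 / deny 20 / deny 30, all matching tag 1000.
FORCE_DENY = [Instance(10, matches={"tag": {1000}}),
              Instance(20, "deny", {"tag": {1000}}),
              Instance(30, "deny", {"tag": {1000}})]
# Figure 8-25: route-map staticospf.
STATICOSPF = [Instance(10, matches={"interface": {"GigabitEthernet 0/0"}, "metric": {255}},
                       sets={"level": "backbone"})]
# Figure 8-27 plus an assumed sequence 30 (not shown on the page).
TEST_CONT = [Instance(10, matches={"community": {"comm-list1"}},
                      sets={"community": ["1:1", "1:2", "1:3"],
                            "as-path prepend": [1, 2, 3, 4, 5]},
                      continue_to=30),
             Instance(30, sets={"tag": 99})]   # assumed: no match command


def example_results() -> Dict[str, object]:
    r: Dict[str, object] = {}
    r["or_tag_2000"] = evaluate(FORCE_OR, Route({"tag": 2000}))[0]
    r["or_tag_4000"] = evaluate(FORCE_OR, Route({"tag": 4000}))[0]
    r["and_both"] = evaluate(FORCE_AND, Route({"tag": 1000, "metric": 2000}))[0]
    r["and_metric_only"] = evaluate(FORCE_AND, Route({"tag": 1, "metric": 2000}))[0]
    r["permit_before_deny"] = evaluate(FORCE_DENY, Route({"tag": 1000}))[0]
    ok, out = evaluate(STATICOSPF, Route({"interface": "GigabitEthernet 0/0", "metric": 255}))
    r["staticospf_level"] = out.attrs.get("level") if ok else None
    r["staticospf_wrong_metric"] = evaluate(
        STATICOSPF, Route({"interface": "GigabitEthernet 0/0", "metric": 20}))[0]
    ok, out = evaluate(TEST_CONT, Route({"community": "comm-list1", "as-path": [65000]}))
    r["continue_route"] = out.attrs if ok else None
    return r
```

The staticospf_wrong_metric result is the one to keep in mind when a redistribution silently produces nothing: every match line of an instance must hold, and with no other instance the route falls to the implicit deny.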
9
Bidirectional Forwarding Detection
Bidirectional Forwarding Detection is supported only on platforms: C-Series, E-Series.
BFD is supported on E-Series ExaScale with Dell Networking OS 8.2.1.0 and later.
Protocol Overview
Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication
failures between two adjacent systems. It is a simple and lightweight replacement for existing routing
protocol link state detection mechanisms. It also provides a failure detection solution for links on which no
routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a
three-way handshake. After the session has been established, the systems exchange periodic control
packets at sub-second intervals. If a system does not receive a hello packet within a specified amount of
time, routing protocols are notified that the forwarding path is down.
BFD provides forwarding path failure detection times on the order of milliseconds rather than seconds as
with conventional routing protocol hellos. It is independent of routing protocols, and as such provides a
consistent method of failure detection when used across a network. Networks converge faster because BFD
triggers link state changes in the routing protocol sooner and more consistently, because BFD can
eliminate the use of multiple protocol-dependent timers and methods.
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be
encapsulated in any form that is convenient, and, on Dell Networking routers, sessions are maintained by
BFD Agents that reside on the line card, which frees resources on the RPM. Only session state changes are
reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered
with it.
BFD is an independent and generic protocol, which all media, topologies, and routing protocols can
support using any encapsulation. Dell Networking has implemented BFD at Layer 3 and with UDP
encapsulation. BFD functionality will be implemented in phases. OSPF, IS-IS (not on C-Series), VRRP,
VLANs, LAGs, static routes, and physical ports support BFD, based on the IETF internet draft
draft-ietf-bfd-base-03.
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake. After the session
has been established, the systems exchange control packets at agreed upon intervals. In addition, systems
send a control packet anytime there is a state change or change in a session parameter; these control
packets are sent without regard to transmit and receive intervals.
Note: Dell Networking OS does not support multi-hop BFD sessions.
If a system does not receive a control packet within an agreed-upon amount of time, the BFD Agent
changes the session state to Down. It then notifies the BFD Manager of the change, and sends a control
packet to the neighbor that indicates the state change (though it might not be received if the link or
receiving interface is faulty). The BFD Manager notifies the routing protocols that are registered with it
(clients) that the forwarding path is down, and a link state change is triggered in all protocols.
Note: A session state change from Up to Down is the only state change that triggers a link state change in
the routing protocol client.
BFD packet format
Control packets are encapsulated in UDP packets. Figure 9-1 shows the complete encapsulation of a BFD
control packet inside an IPv4 packet.
[Figure: encapsulation layers and field annotations as shown in the figure]
Ethernet frame: Preamble, Start Frame Delimiter, Destination MAC, Source MAC, Ethernet Type (0x0800), Padding, FCS.
IP packet: Version (4), IHL, TOS, Total Length, Flags, Frag Offset, TTL (255), Protocol, Header Checksum, Src IP Addr, Dest IP Addr.
UDP packet: Source Port, Destination Port (Control: 3784, Echo: 3785), Length, Checksum.
BFD Control Packet:
  Version (1)
  Diag Code (range 0-31): 0: No Diagnostic, 1: Control Detection Time Expired, 2: Echo Function Failed, 3: Neighbor Signaled Session Down, 4: Forwarding Plane Reset, 5: Path Down, 6: Concatenated Path Down, 7: Administratively Down, 8: Reverse Concatenated Path Down, 9-31: Reserved for Future Use
  State: 0: AdminDown, 1: Down, 2: Init, 3: Up
  Flags: P: Poll, F: Final, C: Control Plane Independent, A: Authentication Present, D: Demand (final bit reserved)
  Detect Mult: the number of packets that must be missed in a row in order to declare a session down
  Length
  My Discriminator: random number generated by the local system to identify a session
  Your Discriminator: random number generated by the remote system to identify a session
  Desired Min TX Interval: the interval at which the local system would like to transmit control packets
  Required Min RX Interval: the minimum interval between control packets that the local system is capable of supporting
  Required Min Echo RX Interval: the minimum interval between echo packets that the local system is capable of supporting
  Auth Type, Auth Length, Auth Data
Figure 9-1.
BFD in IPv4 Packet Format
Table 9-1.
BFD Packet Fields
Field / Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. See BFD sessions.
Flag: A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and Demand mode (see BFD sessions).
  Note: Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear.
Detection Multiplier: The number of packets that must be missed in order to declare a session down.
Length: The entire length of the BFD packet.
My Discriminator: A random number generated by the local system to identify the session.
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs since there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
Required Min RX Interval: The minimum rate at which the local system would like to receive control packets from the remote system.
Required Min Echo RX: The minimum rate at which the local system would like to receive echo packets.
  Note: Dell Networking OS does not currently support the echo function.
Authentication Type, Authentication Length, Authentication Data: An optional method for authenticating control packets.
  Note: Dell Networking OS does not currently support the BFD authentication function.
Two important parameters are calculated using the values contained in the control packet.
• Transmit interval — Transmit interval is the agreed-upon rate at which a system sends control
  packets. Each system has its own transmit interval, which is the greater of the last received remote
  Desired TX Interval and the local Required Min RX Interval.
• Detection time — Detection time is the amount of time that a system does not receive a control
  packet, after which the system determines that the session has failed. Each system has its own
  detection time.
  • In Asynchronous mode: Detection time is the remote Detection Multiplier multiplied by the greater of
    the remote Desired TX Interval and the local Required Min RX Interval.
  • In Demand mode: Detection time is the local Detection Multiplier multiplied by the greater of the
    local Desired Min TX and the remote Required Min RX Interval.
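As an added example, not code from the Dell Networking OS guide, the following Python builds and validates the 24-byte mandatory section of a BFD control packet laid out as in Figure 9-1 (version 1 bit layout of the BFD base specification) and then derives the transmit interval and the asynchronous-mode detection time with the two formulas stated above. The receive-side checks (version, non-zero Detect Mult and My Discriminator, Length consistent with the datagram, Your Discriminator 0 accepted only while Down) are the discard rules of the specification; all packet values and interval settings are constructed.

```python
"""Added example (not Dell's code): encode, validate and decode a BFD control
packet and compute the transmit interval and asynchronous-mode detection time
from local and remote values, as described in the text above."""
import struct
from typing import Dict

BFD_CONTROL_PORT = 3784
MANDATORY_LEN = 24                       # 26 with the A bit set (Auth Type + Auth Len)
STATE = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG = {0: "No Diagnostic", 1: "Control Detection Time Expired",
        2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
        4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
        7: "Administratively Down", 8: "Reverse Concatenated Path Down"}
FLAG_BITS = {"P": 0x20, "F": 0x10, "C": 0x08, "A": 0x04, "D": 0x02}
HEADER = "!BBBBIIIII"                    # vers/diag, sta/flags, mult, len, 5 x 32-bit


def build_control(state: int, diag: int, flags: str, detect_mult: int,
                  my_disc: int, your_disc: int, desired_min_tx: int,
                  required_min_rx: int, required_min_echo_rx: int = 0) -> bytes:
    """Encode a version-1 control packet; intervals are in microseconds."""
    sta_flags = (state << 6) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack(HEADER, (1 << 5) | (diag & 0x1F), sta_flags, detect_mult,
                       MANDATORY_LEN, my_disc, your_disc, desired_min_tx,
                       required_min_rx, required_min_echo_rx)


def parse_control(payload: bytes) -> Dict[str, object]:
    """Decode a received control packet, raising on anything a receiver must
    discard before it is allowed to influence session state."""
    if len(payload) < MANDATORY_LEN:
        raise ValueError("truncated BFD control packet")
    (vers_diag, sta_flags, detect_mult, length, my_disc, your_disc,
     desired_min_tx, required_min_rx, required_min_echo_rx) = struct.unpack(
        HEADER, payload[:MANDATORY_LEN])
    flags = {name: bool(sta_flags & bit) for name, bit in FLAG_BITS.items()}
    if vers_diag >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length != len(payload) or length < (26 if flags["A"] else MANDATORY_LEN):
        raise ValueError("Length field inconsistent with the datagram")
    if detect_mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    state = STATE[sta_flags >> 6]
    if your_disc == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator may be 0 only while Down")
    return {"diag": DIAG.get(vers_diag & 0x1F, "Reserved"), "state": state,
            "flags": flags, "detect_mult": detect_mult, "my_disc": my_disc,
            "your_disc": your_disc, "desired_min_tx": desired_min_tx,
            "required_min_rx": required_min_rx,
            "required_min_echo_rx": required_min_echo_rx}


def transmit_interval(remote_desired_min_tx: int, local_required_min_rx: int) -> int:
    """As stated above: the greater of the last received remote Desired TX
    Interval and the local Required Min RX Interval."""
    return max(remote_desired_min_tx, local_required_min_rx)


def detection_time_async(remote: Dict[str, object], local_required_min_rx: int) -> int:
    """Asynchronous mode: remote Detect Mult x max(remote Desired TX, local Required RX)."""
    return int(remote["detect_mult"]) * max(int(remote["desired_min_tx"]),
                                            local_required_min_rx)


# Constructed sample: the remote advertises Detect Mult 3 and wants to send
# every 300 ms; the local side can accept packets no faster than every 250 ms.
LOCAL_REQUIRED_MIN_RX = 250_000
REMOTE_PACKET = build_control(state=3, diag=0, flags="", detect_mult=3,
                              my_disc=0x1234, your_disc=0x5678,
                              desired_min_tx=300_000, required_min_rx=200_000)


def sample_timers() -> Dict[str, int]:
    """Timers the local side derives from REMOTE_PACKET, in microseconds."""
    remote = parse_control(REMOTE_PACKET)
    return {"transmit_interval": transmit_interval(int(remote["desired_min_tx"]),
                                                   LOCAL_REQUIRED_MIN_RX),
            "detection_time": detection_time_async(remote, LOCAL_REQUIRED_MIN_RX)}
```

The detection time of 900 ms in the sample is what the timer on the local side is actually armed with; a neighbour that lowers its Desired Min TX Interval without the local Required Min RX Interval allowing it gains nothing, because the larger of the two values wins.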
BFD sessions
BFD must be enabled on both sides of a link in order to establish a session. The two participating systems
can assume either of two roles:
• Active—The active system initiates the BFD session. Both systems can be active for the same session.
• Passive—The passive system does not initiate a session. It only responds to a request for session
  initialization from the active system.
A BFD session has two modes:
• Asynchronous mode—In Asynchronous mode, both systems send periodic control messages at an
  agreed upon interval to indicate that their session status is Up.
• Demand mode—If one system requests Demand mode, the other system stops sending periodic
  control packets; it only sends a response to status inquiries from the Demand mode initiator. Either
  system (but not both) can request Demand mode at any time.
Note: Dell Networking OS supports asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
• Administratively Down—The local system will not participate in a particular session.
• Down—The remote system is not sending any control packets or at least not within the detection time
  for a particular session.
• Init—The local system is communicating.
• Up—Both systems are exchanging control packets.
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.
BFD three-way handshake
A three-way handshake must take place between the systems that will participate in the BFD session. The
handshake shown in Figure 9-2 assumes that there is one active and one passive system, and that this is the
first session established on this link. The default session state on both ports is Down.
1. The active system sends a steady stream of control packets that indicates that its session state is Down,
until the passive system responds. These packets are sent at the desired transmit interval of the Active
system, and the Your Discriminator field is set to zero.
2. When the passive system receives any of these control packets, it changes its session state to Init, and
sends a response that indicates its state change. The response includes its session ID in the My
Discriminator field, and the session ID of the remote system in the Your Discriminator field.
3. The active system receives the response from the passive system, and changes its session state to Up. It
then sends a control packet indicating this state change. This is the third and final part of the
handshake. At this point, the discriminator values have been exchanged, and the transmit intervals
have been negotiated.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that a
session has been established. However, since both members must send a control packet—that requires
a response—anytime there is a state change or change in a session parameter, the passive system sends
a final response indicating the state change. After this, periodic control packets are exchanged.
Figure 9-2.
BFD Three-way Handshake
[Figure: packet sequence between the ACTIVE and PASSIVE systems, as shown in the figure]
Both systems start in the default session state Down. The transmit interval, Detect Multiplier, Desired Min TX Interval, Required Min RX Interval and Required Min Echo RX Interval are user-configurable; every packet carries Version: 1 and Diag Code: 0 (assumes no previous session).
1. ACTIVE system, steady rate of control packets: State: Down, Flag: P: 1, My Discriminator: X (Active System Session ID), Your Discriminator: 0.
2. PASSIVE system, Init state change: State: Init, Flag: F: 1, My Discriminator: Y (Passive System Session ID), Your Discriminator: X.
3. ACTIVE system, Up state change: State: Up, Flag: P: 1, My Discriminator: X, Your Discriminator: Y.
4. PASSIVE system, Up state change: State: Up, Flag: F: 1, My Discriminator: Y, Your Discriminator: X.
5. ACTIVE system, periodic control packet: State: Up, Flag: P: Clear, My Discriminator: X, Your Discriminator: Y.
Session state changes
Figure 9-3 shows how the session state on a system changes based on the status notification it receives
from the remote system. For example, if a session on a system is down, and it receives a Down status
notification from the remote system, the session state on the local system changes to Init.
Figure 9-3. BFD State Machine
(Figure: transition table. Rows give the current session state, columns the state carried in the packet received
or the local event (Admin Down, detection Timer expiry), cells the resulting session state.)
Current state   Received Down   Received Init   Received Up   Admin Down, Timer
Down            Init            Up              Down          Down
Init            Init            Up              Up            Down
Up              Down            Up              Up            Down
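The handshake of Figure 9-2 and the transition table of Figure 9-3 as a runnable simulation. This is an added example, not code from the Dell guide or Dell Networking OS; the discriminator values (1 and 2), the interval and multiplier values, and the rule that a poll (P) is answered with a final (F) packet while a state change is sent as a poll are modelled on the figures above, and the discard of a packet whose Your Discriminator is neither 0 nor the local session ID is an assumption taken from the BFD specification rather than from this page.

```python
"""BFD three-way handshake and session state machine, as a simulation.

Added example, not code from the Dell Networking OS guide. It models the
packet exchange of Figure 9-2 and the transition table of Figure 9-3, plus
the interval/multiplier negotiation behind the 'Actual parameters' output.
Discriminator values (1, 2) and timer values are constructed samples.
"""
from dataclasses import dataclass, field

DOWN, INIT, UP, ADMIN_DOWN = "Down", "Init", "Up", "AdminDown"
TIMER = "Timer"  # local detection timer expired: no packet within detection time

# Figure 9-3 as a lookup: (current state, received state or event) -> new state.
TRANSITIONS = {
    (DOWN, DOWN): INIT, (DOWN, INIT): UP, (DOWN, UP): DOWN,
    (DOWN, ADMIN_DOWN): DOWN, (DOWN, TIMER): DOWN,
    (INIT, DOWN): INIT, (INIT, INIT): UP, (INIT, UP): UP,
    (INIT, ADMIN_DOWN): DOWN, (INIT, TIMER): DOWN,
    (UP, DOWN): DOWN, (UP, INIT): UP, (UP, UP): UP,
    (UP, ADMIN_DOWN): DOWN, (UP, TIMER): DOWN,
}

@dataclass
class ControlPacket:
    state: str
    my_disc: int          # My Discriminator: sender's session ID
    your_disc: int        # Your Discriminator: peer's session ID, 0 until learned
    desired_min_tx: int   # Desired Min TX Interval, ms
    required_min_rx: int  # Required Min RX Interval, ms
    detect_mult: int      # Detect Multiplier
    poll: bool = False    # P flag: a response is required
    final: bool = False   # F flag: this packet answers a poll

@dataclass
class Session:
    name: str
    my_disc: int
    desired_min_tx: int
    required_min_rx: int
    detect_mult: int
    state: str = DOWN
    remote_disc: int = 0
    remote_min_tx: int = 0
    remote_min_rx: int = 0
    remote_mult: int = 0
    changes: list = field(default_factory=list)

    def packet(self, poll=False, final=False):
        return ControlPacket(self.state, self.my_disc, self.remote_disc,
                             self.desired_min_tx, self.required_min_rx,
                             self.detect_mult, poll, final)

    def _transition(self, event):
        old, self.state = self.state, TRANSITIONS[(self.state, event)]
        if self.state != old:
            self.changes.append((old, self.state))
        return self.state != old

    def receive(self, pkt):
        """Apply an incoming control packet; return the reply packet, if any."""
        # Assumption (BFD spec, not this page): a Your Discriminator that is
        # neither 0 nor ours belongs to another session and is discarded.
        if pkt.your_disc not in (0, self.my_disc):
            return None
        self.remote_disc = pkt.my_disc
        self.remote_min_tx, self.remote_min_rx = pkt.desired_min_tx, pkt.required_min_rx
        self.remote_mult = pkt.detect_mult
        changed = self._transition(pkt.state)
        if pkt.poll:                # every poll is answered with F set
            return self.packet(final=True)
        if changed:                 # a state change is itself sent as a poll
            return self.packet(poll=True)
        return None

    def timer_expired(self):
        """Detection time passed without a packet: the session goes Down."""
        return self._transition(TIMER)

    def actual_tx_interval(self):
        # We may not send faster than the peer is willing to receive.
        return max(self.desired_min_tx, self.remote_min_rx)

    def detection_time(self):
        # Peer's multiplier times the interval at which the peer sends to us.
        return self.remote_mult * max(self.required_min_rx, self.remote_min_tx)

def handshake(active, passive):
    """Run Figure 9-2: the active side polls with Down until both sides are Up.
    Returns the trace as (sender, state, my_disc, your_disc, flag) tuples."""
    trace, sender, receiver = [], active, passive
    pkt = active.packet(poll=True)   # step 1: Down, Your Discriminator = 0
    while pkt is not None and len(trace) < 8:
        trace.append((sender.name, pkt.state, pkt.my_disc, pkt.your_disc,
                      "P" if pkt.poll else "F" if pkt.final else "-"))
        pkt = receiver.receive(pkt)
        sender, receiver = receiver, sender
    return trace

if __name__ == "__main__":
    r1 = Session("R1", 1, 100, 100, 4)   # like Figure 9-8: local multiplier 4
    r2 = Session("R2", 2, 100, 100, 3)   # neighbor keeps the default 3
    for step in handshake(r1, r2):
        print(step)
    print(r1.state, r2.state, "detection time on R1:", r1.detection_time(), "ms")
```

The trace reproduces the four packets of the figure, and the detection time on R1 (300 ms) shows that the neighbor's multiplier, not the local one, governs how quickly a silent peer is declared Down.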
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• BFD is supported on C-Series and E-Series only.
• Dell Networking OS supports a maximum of 100 sessions per BFD agent. Each linecard processor has
  a BFD Agent, so the limit translates to 100 BFD sessions per linecard (plus, on the E-Series, 100 BFD
  sessions on RP2, which handles LAG and VLANs).
• BFD must be enabled on both ends of a link.
• Demand mode, authentication, and the Echo function are not supported.
• BFD is not supported on multi-hop and virtual links.
• Protocol Liveness is supported for routing protocols only.
• Dell Networking OS supports only OSPF, ISIS (E-Series only), and VRRP protocols as BFD clients.
Configure Bidirectional Forwarding Detection
The remainder of this chapter is divided into the following sections:
• Configuring BFD for Physical Ports
• Configuring BFD for Static Routes
• Configuring BFD for OSPF
• Configuring BFD for BGP
• Configuring BFD for IS-IS
• Configuring BFD for VRRP
• Configuring BFD for VLANs
• Configuring BFD for Port-Channels
• Configuring Protocol Liveness
• Troubleshoot BFD
Configuring BFD for Physical Ports
BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system
fails, the local system does not remove the connected route until the first failed attempt to send a packet.
When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control
packets from the remote system.
Configuring BFD for a physical port is a two-step process:
1. Enable BFD globally.
2. Establish a session with a next-hop neighbor.
Related configuration tasks
• Change session parameters. See Changing physical port session parameters.
• Disable or re-enable BFD on an interface. See Disabling and re-enabling BFD.
Enabling BFD globally
BFD must be enabled globally on both routers, as shown in Figure 9-5.
To enable BFD globally:
Step  Task                  Command Syntax  Command Mode
1     Enable BFD globally.  bfd enable      CONFIGURATION
Verify that BFD is enabled globally using the command show running bfd, as shown in Figure 9-4.
Figure 9-4. Enable BFD Globally
R1(conf)#bfd ?
enable               Enable BFD protocol
protocol-liveness    Enable BFD protocol-liveness
R1(conf)#bfd enable
R1(conf)#do show running-config bfd
!
bfd enable
R1(conf)#
Establishing a session on physical ports
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 9-5. The configuration parameters do not need to match.
Figure 9-5. Establishing a BFD Session for Physical Ports
(Figure: R1 Gi 4/24 (2.2.2.1/24) is linked to R2 Gi 2/1 (2.2.2.2/24); both routers take the ACTIVE role.)

R1: ACTIVE Role
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 4/24
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# bfd neighbor 2.2.2.2

R2: ACTIVE Role
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
To establish a session:
Step  Task                                                        Command Syntax          Command Mode
1     Enter interface mode.                                       interface               CONFIGURATION
2     Assign an IP address to the interface if one is not         ip address ip-address   INTERFACE
      already assigned.
3     Identify the neighbor with which the interface will         bfd neighbor ip-address INTERFACE
      participate in the BFD session.
Verify that the session is established using the command show bfd neighbors, as shown in Figure 9-6.
Figure 9-6. View Established Sessions for Physical Ports
R1(conf-if-gi-4/24)#do show bfd neighbors
*       - Active session role
Ad Dn   - Admin Down
C       - CLI
I       - ISIS
O       - OSPF
R       - Static Route (RTM)

LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.1   2.2.2.2      Gi 4/24     Up      100      100      3      C
The command show bfd neighbors detail shows more specific information about BFD sessions
(Figure 9-7).
Figure 9-7. View Session Details
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
When both interfaces are configured for BFD, log messages are displayed indicating state changes, as
shown in Message 1.
Message 1 BFD Session State Changes
R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for
neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on
interface Gi 4/24 (diag: 0)
Changing physical port session parameters
BFD sessions are configured with default intervals and a default role (active). The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if you change a parameter, the change affects all physical
port sessions on that interface. Dell Networking recommends maintaining the default values.
To change session parameters on an interface:
Step  Task                                    Command Syntax                                   Command Mode
1     Change session parameters for all       bfd interval milliseconds min_rx milliseconds    INTERFACE
      sessions on an interface.               multiplier value role [active | passive]
View session parameters using the show bfd neighbors detail command.
Figure 9-8. Change Session Parameters for Physical Ports
R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7
Disabling and re-enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If
BFD is disabled, all of the sessions on that interface are placed in an Administratively Down state
(Message 2), and the remote systems are notified of the session state change (Message 3).
To disable BFD on an interface:
Step  Task                          Command Syntax   Command Mode
1     Disable BFD on an interface.  no bfd enable    INTERFACE
Message 2 Disable BFD on a Local Interface
R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for
neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
Message 3 Remote System State Change due to Local State Admin Down
R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.1
on interface Gi 2/1 (diag: 7)
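A small monitor for the BFDMGR-1-BFD_STATE_CHANGE messages shown in Messages 1 to 3, as an added example that is not part of the guide. The sample log lines are constructed in the format of those messages; the diagnostic-code names are an assumption taken from the BFD specification (RFC 5880), since the guide itself only shows codes 0 and 7, and the diag 1 line is constructed to illustrate a detection-timer expiry.

```python
"""Parse Dell Networking OS BFD_STATE_CHANGE log messages and flag failures.

Added example, not code from the guide. SAMPLE_LOG is constructed in the
format of Messages 1 to 3; DIAG names are assumed from RFC 5880 section 4.1.
"""
import re

LOG_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d): %RPM\d-P:RP\d %BFDMGR-1-BFD_STATE_CHANGE: "
    r"Changed session state to (?P<state>Up|Down|Init|Ad Dn) for neighbor "
    r"(?P<neighbor>\S+) on interface (?P<iface>\S+ \S+) \(diag: (?P<diag>\d+)\)")

# Assumed RFC 5880 diagnostic names; the guide shows only 0 and 7.
DIAG = {0: "No Diagnostic", 1: "Control Detection Time Expired",
        3: "Neighbor Signaled Session Down", 7: "Administratively Down"}

SAMPLE_LOG = [  # constructed sample, one router's log feed
    "R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: "
    "Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: "
    "Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "00:40:00: %RPM0-P:RP2 %EXAMPLE-5-NOTE: constructed non-BFD line, must be ignored",
    "00:52:13: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: "
    "Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 1)",
    "00:52:14: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: "
    "Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: "
    "Changed session state to Ad Dn for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
]

def parse_bfd_log(lines):
    """Return one dict per BFD_STATE_CHANGE line, in order; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)   # search, not match: a CLI prompt may precede the timestamp
        if m:
            ev = m.groupdict()
            ev["diag"] = int(ev["diag"])
            events.append(ev)
    return events

def audit_sessions(events):
    """Track each (neighbor, interface) session; return its final state and an
    alert for every transition out of Up. The initial Down seen when a session
    is first configured (Message 1) is not an alert, because nothing was Up yet."""
    state, alerts = {}, []
    for ev in events:
        key = (ev["neighbor"], ev["iface"])
        if state.get(key, "Down") == "Up" and ev["state"] != "Up":
            alerts.append({
                "time": ev["time"], "neighbor": ev["neighbor"], "interface": ev["iface"],
                "reason": DIAG.get(ev["diag"], "diag %d" % ev["diag"]),
                # 'Ad Dn' is a local operator action (Message 2); a remote peer
                # sees the same event as Down with diag 7 (Message 3).
                "local_admin": ev["state"] == "Ad Dn",
            })
        state[key] = ev["state"]
    return state, alerts

if __name__ == "__main__":
    final, found = audit_sessions(parse_bfd_log(SAMPLE_LOG))
    print(final)
    for a in found:
        print(a)
```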
To re-enable BFD on an interface:
Step  Task                         Command Syntax   Command Mode
1     Enable BFD on an interface.  bfd enable       INTERFACE
Configuring BFD for Static Routes
BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to
remove static routes from the routing table as soon as the link state change occurs, rather than having to
wait until packets fail to reach their next hop.
Configuring BFD for static routes is a three-step process:
1. Enable BFD globally. See Enabling BFD globally.
2. On the local system, establish a session with the next hop of a static route. See page 180.
3. On the remote system, establish a session with the physical port that is the origin of the static route.
See Establishing a session on physical ports.
Related configuration tasks
• Change session parameters. See page 181.
• Disable BFD for all static routes. See page 181.
Establishing sessions for static routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 9-9. Enabling BFD for Static Routes
(Figure: R1 Gi 4/24 (2.2.2.1/24) is linked to R2 Gi 2/1 (2.2.2.2/24); R2 Gi 2/2 (2.2.3.1/24) is linked to
R3 Gi 6/0 (2.2.3.2/24). R1 reaches 2.2.3.0/24 through a static route via R2.)

R1:
Force10(config)# interface gigabitethernet 4/24
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# no shutdown
Force10(config)# ip route 2.2.3.0/24 2.2.2.2
Force10(config)# ip route bfd

R2:
Force10(config)# interface gigabitethernet 2/2
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(conf-if-gi-2/2)# no shutdown
Force10(config)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# no shutdown
Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1

R3:
Force10(config)# interface gigabitethernet 6/0
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(conf-if-gi-6/0)# no shutdown
To establish a BFD session:
Step  Task                                                     Command Syntax   Command Mode
1     Establish BFD sessions for all neighbors that are the    ip route bfd     CONFIGURATION
      next hop of a static route.
Verify that sessions have been created for static routes using the command show bfd neighbors, as shown in
Figure 9-10. View detailed session information using the command show bfd neighbors detail, as shown in
Figure 9-8.
Figure 9-10. View Established Sessions for Static Routes
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
*       - Active session role
Ad Dn   - Admin Down
C       - CLI
I       - ISIS
O       - OSPF
R       - Static Route (RTM)

LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
2.2.2.1     2.2.2.2      Gi 4/24     Up      100      100      4      R
Changing static route session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all static routes; if you change a parameter, the change affects all
sessions for static routes.
To change parameters for static route sessions:
Step  Task                                    Command Syntax                                          Command Mode
1     Change parameters for all static route  ip route bfd interval milliseconds min_rx milliseconds  CONFIGURATION
      sessions.                               multiplier value role [active | passive]
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for static routes
If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all
neighbors on the remote systems, and those neighbors change to the Down state (Message 3).
To disable BFD for static routes:
Step  Task                            Command Syntax    Command Mode
1     Disable BFD for static routes.  no ip route bfd   CONFIGURATION
Configuring BFD for OSPF
When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol
that a link state change occurred.
Configuring BFD for OSPF is a two-step process:
1. Enable BFD globally. See Enabling BFD globally.
2. Establish sessions for all or particular OSPF neighbors. See Establishing sessions with OSPF
neighbors.
Related configuration tasks
• Change session parameters. See Changing OSPF session parameters.
• Disable BFD sessions for OSPF. See Disabling BFD for OSPF.
Establishing sessions with OSPF neighbors
BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all
neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the full
state.
Figure 9-11. Establishing Sessions with OSPF Neighbors
(Figure: AREA 0 contains R1 Gi 4/24 (2.2.2.1/24) linked to R2 Gi 2/1 (2.2.2.2/24). AREA 1 contains R2 Gi 2/2
(2.2.3.1/24) linked to R3 Gi 6/0 (2.2.3.2/24), and R3 Gi 6/1 (2.2.4.1/24) linked to R4 Gi 1/1 (2.2.4.2/24).)

R1:
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# no shutdown
Force10(conf-if-gi-4/24)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.2.0/24 area 0
Force10(config-router_ospf)# bfd all-neighbors

R2:
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# no shutdown
Force10(conf-if-gi-2/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.2.0/24 area 0
Force10(config-router_ospf)# bfd all-neighbors
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(conf-if-gi-2/2)# no shutdown
Force10(conf-if-gi-2/2)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.3.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors

R3:
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(conf-if-gi-6/0)# no shutdown
Force10(conf-if-gi-6/0)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.3.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors
Force10(conf-if-gi-6/1)# ip address 2.2.4.1/24
Force10(conf-if-gi-6/1)# no shutdown
Force10(conf-if-gi-6/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.4.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors

R4:
Force10(conf-if-gi-1/1)# ip address 2.2.4.2/24
Force10(conf-if-gi-1/1)# no shutdown
Force10(conf-if-gi-1/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.4.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors
To establish BFD with all OSPF neighbors:
Step  Task                                        Command Syntax      Command Mode
1     Establish sessions with all OSPF neighbors.  bfd all-neighbors   ROUTER-OSPF

To establish BFD for all OSPF neighbors on a single interface:
Step  Task                                             Command Syntax              Command Mode
1     Establish sessions with all OSPF neighbors on a  ip ospf bfd all-neighbors   INTERFACE
      single interface.
View the established sessions using the command show bfd neighbors, as shown in Figure 9-12.
Figure 9-12. View Established Sessions for OSPF Neighbors
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*       - Active session role
Ad Dn   - Admin Down
C       - CLI
I       - ISIS
O       - OSPF
R       - Static Route (RTM)

LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Gi 2/1      Up      100      100      3      O
Changing OSPF session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all OSPF sessions or for all OSPF sessions on a particular interface; if
you change a parameter globally, the change affects all OSPF neighbor sessions. If you change a
parameter at interface level, the change affects all OSPF sessions on that interface.
To change parameters for all OSPF sessions:
Step  Task                             Command Syntax                                              Command Mode
1     Change parameters for OSPF       bfd all-neighbors interval milliseconds min_rx milliseconds  ROUTER-OSPF
      sessions.                        multiplier value role [active | passive]

To change parameters for OSPF sessions on an interface:
Step  Task                             Command Syntax                                              Command Mode
1     Change parameters for all OSPF   ip ospf bfd all-neighbors interval milliseconds min_rx       INTERFACE
      sessions on an interface.        milliseconds multiplier value role [active | passive]
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for OSPF
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD
clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions with all OSPF neighbors:
Step  Task                                  Command Syntax         Command Mode
1     Disable BFD sessions with all OSPF    no bfd all-neighbors   ROUTER-OSPF
      neighbors.

To disable BFD sessions with all OSPF neighbors out of an interface:
Step  Task                                  Command Syntax                      Command Mode
1     Disable BFD sessions with all OSPF    ip ospf bfd all-neighbors disable   INTERFACE
      neighbors out of an interface.
Configuring BFD for BGP
BFD for BGP is only supported on platforms: e c (E-Series and C-Series).
In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding
paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does
not support IPv6 or the BGP multihop feature.
Prerequisites
Before configuring BFD for BGP, you must first perform the following tasks:
1. Configure BGP on the routers that you want to interconnect as described in BGP Configuration.
2. Enable fast fall-over for BGP neighbors to reduce convergence time (neighbor fall-over command) as
described in BGP fast fall-over.
Establishing sessions with BGP neighbors
Figure 9-13 shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit
network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as
with iBGP routers to maintain connectivity and accessibility within each autonomous system.
Figure 9-13. BFD Session Between BGP Neighbors
(Figure: Router 1 in AS 1, interface 2/2 (2.2.4.2), peers over Exterior BGP with Router 2 in AS 2, interface 1/1
(2.2.4.3). Each router also runs Interior BGP within its own AS.)

Router 1 (AS 1):
Force10(conf)# bfd enable
Force10(conf)# router bgp 1
Force10(conf-router-bgp)# neighbor 2.2.4.3 remote-as 2
Force10(conf-router-bgp)# neighbor 2.2.4.3 no shutdown
Force10(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active
OR
Force10(conf-router-bgp)# neighbor 2.2.4.3 bfd

Router 2 (AS 2):
Force10(conf)# bfd enable
Force10(conf)# router bgp 2
Force10(conf-router-bgp)# neighbor 2.2.4.2 remote-as 1
Force10(conf-router-bgp)# neighbor 2.2.4.2 no shutdown
Force10(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active
OR
Force10(conf-router-bgp)# neighbor 2.2.4.2 bfd
Note that the sample configuration shows alternative ways to establish a BFD session with a BGP
neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (bfd all-neighbors command)
• By establishing a BFD session with a specified BGP neighbor (neighbor {ip-address | peer-group-name}
  bfd command)
BFD packets originating from a router are assigned to the highest priority egress queue to minimize
transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the
highest priority queue within the Control Plane Policing (COPP) framework to avoid BFD packets drops
due to queue congestion.
BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by
BGP.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks.
• On an E-Series TeraScale or C-Series router, up to 100 simultaneous BFD sessions are supported per
  line card.
• On an S4810 router, up to 64 simultaneous BFD sessions are supported.
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval
for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP
neighbor does not receive a control packet within the detection interval, the router informs any clients of
the BFD session (other routing protocols) about the failure. It is then up to the individual routing
protocols that use the BGP link to determine the appropriate response to the failure condition. The typical
response is to terminate the peering session for the routing protocol and reconverge by bypassing
the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
You can configure BFD for BGP on the following types of interfaces: physical port (10GE or 40GE), port
channel, and VLAN.
To establish a BFD session with one or all BGP neighbors, follow these steps:
Step  Task                                               Command Syntax                                        Command Mode
1     Enable BFD globally.                               bfd enable                                            CONFIGURATION
2     Specify the AS number and enter ROUTER BGP         router bgp as-number                                  CONFIGURATION
      configuration mode.
3     Add a BGP neighbor or peer group in a remote AS.   neighbor {ip-address | peer-group-name}               CONFIG-ROUTERBGP
                                                         remote-as as-number
4     Enable the BGP neighbor.                           neighbor {ip-address | peer-group-name}               CONFIG-ROUTERBGP
                                                         no shutdown
5     Configure parameters for a BFD session             bfd all-neighbors [interval millisecs                 CONFIG-ROUTERBGP
      established with all neighbors discovered by       min_rx millisecs multiplier value role
      BGP.                                               {active | passive}]
      OR                                                 OR
      Establish a BFD session with a specified BGP       neighbor {ip-address | peer-group-name} bfd
      neighbor or peer group using the default BFD
      session parameters.
6     Repeat Steps 1 to 5 on each BGP peer participating in a BFD session.
Notes:
- When you establish a BFD session with a specified BGP neighbor or peer group using the neighbor bfd
  command, the default BFD session parameters are used (interval: 100 milliseconds, min_rx: 100 milliseconds,
  multiplier: 3 packets, and role: active).
- When you explicitly enable or disable a BGP neighbor for a BFD session with the neighbor bfd or neighbor
  bfd disable commands:
  - The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors command
    or configured for the peer group to which the neighbor belongs.
  - The neighbor only inherits the global timer values configured with the bfd all-neighbors command (interval,
    min_rx, and multiplier).
Disabling BFD for BGP
To disable a BFD for BGP session with a specified neighbor, enter the neighbor {ip-address |
peer-group-name} bfd disable command in ROUTER BGP configuration mode.
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor
{ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link
with the neighbor returns to normal operation and uses the BFD session parameters globally configured
with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
Use BFD in a BGP Peer Group
If you establish a BFD session for the members of a peer group (neighbor peer-group-name bfd command
in ROUTER BGP configuration mode), members of the peer group may have BFD:
• Explicitly enabled (neighbor ip-address bfd command)
• Explicitly disabled (neighbor ip-address bfd disable command)
• Inherited (neither explicitly enabled nor disabled) according to the current BFD configuration of the
  peer group. For information on BGP peer groups, see Configure Peer Groups.
If you explicitly enable (or disable) a BGP neighbor for BFD that belongs to a peer group:
• The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors
  command or configured for the peer group to which the neighbor belongs.
• The neighbor inherits only the global timer values that are configured with the bfd all-neighbors
  command (interval, min_rx, and multiplier).
If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (e.g.
advertisement interval) using the neighbor peer-group-name bfd command, the peer group inherits any
BFD settings configured with the bfd all-neighbors command.
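The precedence rules from the step-table notes and from this peer-group section, encoded as a resolver that reports the same mode names as the "Neighbor is using BGP ... mode BFD configuration" line of show ip bgp neighbors. This is an added example, not code from the guide or from Dell Networking OS; the configuration object, the SAMPLE_CONFIG values (peer group pg1 and the neighbor addresses are modelled on Figure 9-19) and the default timer values (100 ms, 100 ms, 3, active) are taken from this section, and the choice that an explicitly enabled neighbor keeps the default active role follows from the note that only timers are inherited.

```python
"""Resolve the effective BFD setting of each BGP neighbor.

Added example, not code from the guide. Encodes the precedence rules of
this section: explicit neighbor setting > peer-group setting > bfd
all-neighbors; timers are always inherited from bfd all-neighbors.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TIMERS = {"interval": 100, "min_rx": 100, "multiplier": 3}

@dataclass
class BgpBfdConfig:
    # 'bfd all-neighbors [...]' under router bgp: None if absent, else its parameters
    all_neighbors: Optional[dict] = None
    # peer-group name -> "bfd" / "bfd disable" (neighbor <peer-group-name> bfd ...)
    peer_groups: dict = field(default_factory=dict)
    # neighbor ip -> peer-group name it belongs to
    membership: dict = field(default_factory=dict)
    # neighbor ip -> "bfd" / "bfd disable" (neighbor <ip> bfd ...)
    neighbors: dict = field(default_factory=dict)

def effective_bfd(cfg, ip):
    """Return (enabled, mode, params) for one neighbor; mode is 'neighbor',
    'peer-group', 'global' or None, as in show ip bgp neighbors."""
    global_params = dict(DEFAULT_TIMERS, role="active")
    if cfg.all_neighbors:
        global_params.update(cfg.all_neighbors)
    # Timers a neighbor inherits from 'bfd all-neighbors' (never the role).
    timers = {k: global_params[k] for k in DEFAULT_TIMERS}

    explicit = cfg.neighbors.get(ip)
    if explicit is not None:
        # neighbor <ip> bfd / bfd disable overrides both the peer group and the
        # global enable/disable; only global timers are inherited, role stays active.
        enabled = explicit == "bfd"
        return enabled, "neighbor", dict(timers, role="active") if enabled else None

    group = cfg.membership.get(ip)
    group_setting = cfg.peer_groups.get(group) if group else None
    if group_setting is not None:
        # A peer group enabled without BFD parameters of its own inherits the
        # settings configured with bfd all-neighbors.
        enabled = group_setting == "bfd"
        return enabled, "peer-group", dict(global_params) if enabled else None

    if cfg.all_neighbors is not None:
        return True, "global", dict(global_params)
    return False, None, None

# Constructed sample: timers as in Figure 9-13, peer group pg1 as in Figure 9-19.
SAMPLE_CONFIG = BgpBfdConfig(
    all_neighbors={"interval": 200, "min_rx": 200, "multiplier": 6, "role": "active"},
    peer_groups={"pg1": "bfd"},
    membership={"2.2.2.3": "pg1", "2.2.2.4": "pg1"},
    neighbors={"2.2.2.3": "bfd", "3.3.3.2": "bfd disable"},
)

if __name__ == "__main__":
    for ip in ("2.2.2.2", "2.2.2.3", "2.2.2.4", "3.3.3.2"):
        print(ip, effective_bfd(SAMPLE_CONFIG, ip))
```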
Display BFD for BGP Information
To display information about BFD for BGP sessions on a router, enter one of the following show
commands:
Task                                                   Command                                Command Mode     Example
Verify a BFD for BGP configuration.                    show running-config bgp                EXEC Privilege   Figure 9-14
Verify that a BFD for BGP session has been             show bfd neighbors [interface] [detail] EXEC Privilege  Figure 9-15 and
successfully established with a BGP neighbor. A                                                                Figure 9-16
line-by-line listing of established BFD
adjacencies is displayed.
Display BFD packet counters for sessions with          show bfd counters bgp [interface]      EXEC Privilege   Figure 9-17
BGP neighbors.
Check to see if BFD is enabled for BGP                 show ip bgp summary                    EXEC Privilege   Figure 9-18
connections.
Display routing information exchanged with             show ip bgp neighbors [ip-address]     EXEC Privilege   Figure 9-19
BGP neighbors, including BFD for BGP
sessions.
The following examples show the BFD for BGP output displayed for these show commands.
Figure 9-14. Verify a BFD for BGP Configuration: show running-config bgp Command
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
Figure 9-15. Verify BFD Sessions with BGP Neighbors: show bfd neighbors Command
R2# show bfd neighbors
*       - Active session role
Ad Dn   - Admin Down
B       - BGP
C       - CLI
I       - ISIS
O       - OSPF
R       - Static Route (RTM)
M       - MPLS
V       - VRRP

LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 1.1.1.3   1.1.1.2      Te 6/0      Up      100      100      3      B
* 2.2.2.3   2.2.2.2      Te 6/1      Up      100      100      3      B
* 3.3.3.3   3.3.3.2      Te 6/2      Up      100      100      3      B
Figure 9-16. Verify BFD Sessions with BGP Neighbors: show bfd neighbors detail Command
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/0
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
(Callout: BFD session parameters are TX (packet transmission), RX (packet reception), and multiplier
(maximum number of missed packets).)
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
Number of packets received from neighbor: 4762
Number of packets sent to neighbor: 4490
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/1
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Figure 9-17. Display BFD Packet Counters: show bfd counters bgp Command
R2# show bfd counters bgp
Interface TenGigabitEthernet 6/0
Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2
Interface TenGigabitEthernet 6/1
Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2
Interface TenGigabitEthernet 6/2
Protocol BGP
Messages:
Registration    : 1
De-registration : 0
Init            : 0
Up              : 1
Down            : 0
Admin Down      : 2
Figure 9-18. Display BFD for BGP Status: show ip bgp summary Command
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
(Callout: message displayed when BFD is enabled for BGP connections.)
3 neighbor(s) using 24168 bytes of memory
Neighbor   AS   MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down    State/Pfx
1.1.1.2    1    282       281       0        0     0      00:38:12   0
2.2.2.2    1    273       273       0        0     (0)    04:32:26   0
3.3.3.2    1    282       281       0        0     0      00:38:12   0
Figure 9-19. Display Routing Sessions with BGP Neighbors: show ip bgp neighbors Command
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
1 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
2 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Neighbor is using BGP global mode BFD configuration
(Callout: message displayed when a BFD session is enabled with a BGP neighbor that inherits the global BFD
session settings configured with the global bfd all-neighbors command.)
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0
Prefixes advertised 0, denied 0, withdrawn 0 from peer
Connections established 1; dropped 0
Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#

R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP neighbor mode BFD configuration
(Callout: message displayed when a BFD session with a BGP neighbor has been explicitly enabled using the
neighbor ip-address bfd command.)
Peer active in peer-group outbound optimization
...

R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
(Callout: message displayed when a BGP neighbor is in a peer group for which a BFD session has been
explicitly enabled using the neighbor peer-group-name bfd command.)
Peer active in peer-group outbound optimization
...
Configuring BFD for IS-IS
BFD for IS-IS is supported on platform: E-Series.
When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD
sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring
interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS
protocol that a link state change occurred.
Configuring BFD for IS-IS is a two-step process:
1. Enable BFD globally. See Enabling BFD globally.
2. Establish sessions for all or particular IS-IS neighbors. See page 193.
Related configuration tasks
• Change session parameters. See page 194.
• Disable BFD sessions for IS-IS. See page 195.
Establishing sessions with IS-IS neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all
neighbors out of a specific interface.
Figure 9-20. Establishing Sessions with IS-IS Neighbors
[Figure: R1 (Level 1-2, AREA 1) Gi 4/24 -- Gi 2/1 R2 (Level 2, AREA 2) Gi 2/2 -- Gi 6/0 R3 (Level 1-2, AREA 3); R3 Gi 6/1 connects to a non-IS-IS participating system]

R1:
Force10(conf)# router isis
Force10(conf-router_isis)# net 01.1921.6800.1001.00
Force10(conf-router_isis)# interface gigabitethernet 4/24
Force10(config-if-gi-4/24)# ip address 2.2.2.1/24
Force10(config-if-gi-4/24)# ip router isis
Force10(config-if-gi-4/24)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors

R2:
Force10(conf)# router isis
Force10(conf-router_isis)# net 02.1921.6800.2002.00
Force10(conf-router_isis)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(config-if-gi-2/1)# ip router isis
Force10(config-if-gi-2/1)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors
Force10(conf-router_isis)# interface gigabitethernet 2/2
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(config-if-gi-2/2)# ip router isis
Force10(config-if-gi-2/2)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors

R3:
Force10(conf)# router isis
Force10(conf-router_isis)# net 03.1921.6800.3003.00
Force10(conf-router_isis)# interface gigabitethernet 6/0
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(config-if-gi-6/0)# ip router isis
Force10(config-if-gi-6/0)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors
Force10(conf-router_isis)# interface gigabitethernet 6/1
Force10(conf-if-gi-6/1)# ip address 2.2.4.1/24
To establish BFD with all IS-IS neighbors:
Step 1. Establish sessions with all IS-IS neighbors.
  Command Syntax: bfd all-neighbors
  Command Mode: ROUTER-ISIS
To establish BFD with all IS-IS neighbors out of a single interface:
Step 1. Establish sessions with all IS-IS neighbors out of an interface.
  Command Syntax: isis bfd all-neighbors
  Command Mode: INTERFACE
View the established sessions using the command show bfd neighbors, as shown in Figure 9-21.
Figure 9-21. View Established Sessions for IS-IS Neighbors
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
  *     - Active session role
  Ad Dn - Admin Down
  C     - CLI
  I     - ISIS
  O     - OSPF
  R     - Static Route (RTM)

  LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2     2.2.2.1      Gi 2/1      Up      100      100      3      I
* 2.2.3.1     2.2.3.2      Gi 2/2      Up      100      100      3      I
(Callout: IS-IS BFD Sessions Enabled)
Changing IS-IS session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all IS-IS sessions or for all IS-IS sessions out of an interface; if you
change a parameter globally, the change affects all IS-IS neighbor sessions. If you change a parameter at
interface level, the change affects all IS-IS sessions on that interface.
To change parameters for all IS-IS sessions:
Step 1. Change parameters for all IS-IS sessions.
  Command Syntax: bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: ROUTER-ISIS
To change parameters for IS-IS sessions on an interface:
Step 1. Change parameters for all IS-IS sessions out of an interface.
  Command Syntax: isis bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: INTERFACE
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for IS-IS
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD
clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions with all IS-IS neighbors:
Step 1. Disable BFD sessions with all IS-IS neighbors.
  Command Syntax: no bfd all-neighbors
  Command Mode: ROUTER-ISIS
To disable BFD sessions with all IS-IS neighbors out of an interface:
Step 1. Disable BFD sessions with all IS-IS neighbors out of an interface.
  Command Syntax: isis bfd all-neighbors disable
  Command Mode: INTERFACE
Configuring BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol
that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. See Enabling BFD globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors.
3. On the master router, establish VRRP BFD sessions with the backup routers. See page 195.
Related configuration tasks
• Change session parameters. See page 197.
• Disable or re-enable BFD on an interface. See page 182.
Establishing sessions with all VRRP neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a
particular neighbor.
Figure 9-22. Establish Sessions with VRRP Neighbors
[Figure: R1 (BACKUP) on Gi 4/25 and R2 (MASTER) on Gi 2/3 share the virtual IP address 2.2.5.4; a host with IP address 2.2.5.3 uses gateway 2.2.5.1]

R1 (BACKUP), Gi 4/25:
Force10(config-if-range-gi-4/25)# ip address 2.2.5.1/24
Force10(config-if-range-gi-4/25)# no shutdown
Force10(config-if-range-gi-4/25)# vrrp-group 1
Force10(config-if-range-gi-4/25)# virtual-address 2.2.5.4
Force10(config-if-range-gi-4/25)# vrrp bfd all-neighbors
Force10(config-if-range-gi-4/25)# vrrp bfd neighbor 2.2.5.2

R2 (MASTER), Gi 2/3:
Force10(conf-if-gi-2/3)# ip address 2.2.5.2/24
Force10(config-if-gi-2/3)# no shutdown
Force10(config-if-gi-2/3)# vrrp-group 1
Force10(config-if-gi-2/3)# virtual-address 2.2.5.4
Force10(config-if-gi-2/3)# vrrp bfd all-neighbors
Force10(config-if-gi-2/3)# vrrp bfd neighbor 2.2.5.1
To establish sessions with all VRRP neighbors:
Step 1. Establish sessions with all VRRP neighbors.
  Command Syntax: vrrp bfd all-neighbors
  Command Mode: INTERFACE
Establishing VRRP sessions on VRRP neighbors
The master router does not track the state of the backup router, so by default it does not participate in any VRRP
BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state until the
master router is configured to establish an individual VRRP session with the backup router.
To establish a session with a particular VRRP neighbor:
Step 1. Establish a session with a particular VRRP neighbor.
  Command Syntax: vrrp bfd neighbor ip-address
  Command Mode: INTERFACE
View the established sessions using the command show bfd neighbors, as shown in Figure 9-23.
Figure 9-23. View Established Sessions for VRRP Neighbors
R1(conf-if-gi-4/25)#vrrp bfd all-neighbors
R1(conf-if-gi-4/25)#do show bfd neighbor
  *     - Active session role
  Ad Dn - Admin Down
  C     - CLI
  I     - ISIS
  O     - OSPF
  R     - Static Route (RTM)
  V     - VRRP

  LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.5.1     2.2.5.2      Gi 4/25     Down    1000     1000     3      V
(Callout: VRRP BFD Sessions Enabled)
Session state information is also shown in the show vrrp command output, as shown in Figure 9-24.
Figure 9-24. View Established Sessions for VRRP Neighbors
R1(conf-if-gi-4/25)#do show vrrp
------------------
GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address:
  00:00:5e:00:01:01
Virtual IP address:
  2.2.5.4
Authentication: (none)
BFD Neighbors:
  RemoteAddr   State
  2.2.5.2      Up
(Callout: VRRP BFD Session State)
Changing VRRP session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
You can change parameters for all VRRP sessions on an interface or for the session with a particular neighbor.
To change parameters for all VRRP sessions:
Step 1. Change parameters for all VRRP sessions.
  Command Syntax: vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: INTERFACE
To change parameters for a particular VRRP session:
Step 1. Change parameters for a particular VRRP session.
  Command Syntax: vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: INTERFACE
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for VRRP
If any or all VRRP sessions are disabled, the sessions are torn down. A final Admin Down control packet
is sent to all neighbors and sessions on the remote system change to the Down state (Message 3).
To disable all VRRP sessions on an interface:
Step 1. Disable all VRRP sessions on an interface.
  Command Syntax: no vrrp bfd all-neighbors
  Command Mode: INTERFACE
To disable all VRRP sessions in a particular VRRP group:
Step 1. Disable all VRRP sessions in a VRRP group.
  Command Syntax: bfd disable
  Command Mode: VRRP
To disable a particular VRRP session:
Step 1. Disable a particular VRRP session on an interface.
  Command Syntax: no vrrp bfd neighbor ip-address
  Command Mode: INTERFACE
Configuring BFD for VLANs
BFD on Dell Networking systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD
on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system
fails, the local system does not remove the connected route until the first failed attempt to send a packet. If
BFD is enabled, the local system removes the route when it stops receiving periodic control packets from
the remote system.
There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is
shared for VLANs and port-channels.
Configuring BFD for VLANs is a two-step process:
1. Enable BFD globally on all participating routers. See Enabling BFD globally.
2. Establish sessions with VLAN neighbors. See page 199.
Related configuration tasks
• Change session parameters. See page 200.
• Disable BFD for VLANs. See page 182.
Establishing sessions with VLAN neighbors
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 9-25. The session parameters do not need to match.
Figure 9-25. Establish Sessions with VLAN Neighbors
[Figure: R1 Gi 4/25 -- VLAN 200 -- Gi 2/3 R2]

R1:
Force10(config-if-gi-4/25)# switchport
Force10(config-if-gi-4/25)# no shutdown
Force10(config-if-gi-4/25)# interface vlan 200
Force10(config-if-vl-200)# ip address 2.2.3.1/24
Force10(config-if-vl-200)# untagged gigabitethernet 4/25
Force10(config-if-vl-200)# no shutdown
Force10(config-if-vl-200)# bfd neighbor 2.2.3.2

R2:
Force10(config-if-gi-2/3)# switchport
Force10(config-if-gi-2/3)# no shutdown
Force10(config-if-gi-2/3)# interface vlan 200
Force10(config-if-vl-200)# ip address 2.2.3.2/24
Force10(config-if-vl-200)# untagged gigabitethernet 2/3
Force10(config-if-vl-200)# no shutdown
Force10(config-if-vl-200)# bfd neighbor 2.2.3.1
To establish a BFD session with a VLAN neighbor:
Step 1. Establish sessions with a VLAN neighbor.
  Command Syntax: bfd neighbor ip-address
  Command Mode: INTERFACE VLAN
View the established sessions using the command show bfd neighbors, as shown in Figure 9-26.
Figure 9-26. View Established Sessions for VLAN Neighbors
R2(conf-if-vl-200)#bfd neighbor 2.2.3.1
R2(conf-if-vl-200)#do show bfd neighbors
  *     - Active session role
  Ad Dn - Admin Down
  C     - CLI
  I     - ISIS
  O     - OSPF
  R     - Static Route (RTM)
  V     - VRRP

  LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.3.2     2.2.3.1      Vl 200      Up      100      100      3      C
(Callout: VLAN BFD Sessions Enabled)
Changing session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if a configuration change is made, the change affects all
sessions on that interface.
Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Networking
recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which
yields a final detection time of 1500 milliseconds (500 ms x 3).
To change session parameters on an interface:
Step 1. Change session parameters for all sessions on an interface.
  Command Syntax: bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: INTERFACE VLAN
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for VLANs
If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system change to the Down state (Message 3).
To disable BFD on a VLAN interface:
Step 1. Disable all sessions on a VLAN interface.
  Command Syntax: no bfd enable
  Command Mode: INTERFACE VLAN
Configuring BFD for Port-Channels
BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a
remote system fails, the local system does not remove the connected route until the first failed attempt to
send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic
control packets from the remote system.
There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is
shared for VLANs and port-channels.
Configuring BFD for port-channels is a two-step process:
1. Enable BFD globally on all participating routers. See Enabling BFD globally.
2. Enable BFD at interface level at both ends of the port-channel. See page 201.
Related configuration tasks
• Change session parameters. See page 202.
• Disable BFD on a port-channel. See page 202.
Establishing sessions on port-channels
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 9-27. The session parameters do not need to match.
Figure 9-27. Establish Sessions on Port-Channels
[Figure: R1 Gi 4/24 and Gi 4/25 -- Port Channel 1 -- Gi 2/1 and Gi 2/2 R2]

R1:
Force10(config-if-range-gi-4/24-5)# port-channel-protocol lacp
Force10(config-if-range-gi-4/24-5)# port-channel 1 mode active
Force10(config-if-range-gi-4/24-5)# no shutdown
Force10(config-if-range-gi-4/24-5)# interface port-channel 1
Force10(config-if-po-1)# ip address 2.2.2.1/24
Force10(config-if-po-1)# no shutdown
Force10(config-if-po-1)# bfd neighbor 2.2.2.2

R2:
Force10(config-if-range-gi-2/1-2)# port-channel-protocol lacp
Force10(config-if-range-gi-2/1-2)# port-channel 1 mode active
Force10(config-if-range-gi-2/1-2)# no shutdown
Force10(config-if-range-gi-2/1-2)# interface port-channel 1
Force10(config-if-po-1)# ip address 2.2.2.2/24
Force10(config-if-po-1)# no shutdown
Force10(config-if-po-1)# bfd neighbor 2.2.2.1
To establish a session on a port-channel:
Step 1. Establish a session on a port-channel.
  Command Syntax: bfd neighbor ip-address
  Command Mode: INTERFACE PORT-CHANNEL
View the established sessions using the command show bfd neighbors, as shown in Figure 9-28.
Figure 9-28. View Established Sessions for Port-Channel Neighbors
R2(conf-if-po-1)#bfd neighbor 2.2.2.1
R2(conf-if-po-1)#do show bfd neighbors
  *     - Active session role
  Ad Dn - Admin Down
  C     - CLI
  I     - ISIS
  O     - OSPF
  R     - Static Route (RTM)
  V     - VRRP

  LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2     2.2.2.1      Po 1        Up      100      100      3      C
(Callout: Port-channel BFD Sessions Enabled)
Changing port-channel session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if you change a parameter, the change affects all sessions on
that interface.
Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Networking
recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which
yields a final detection time of 1500 milliseconds (500 ms x 3).
To change session parameters on an interface:
Step 1. Change session parameters for all sessions on a port-channel interface.
  Command Syntax: bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
  Command Mode: INTERFACE PORT-CHANNEL
View session parameters using the command show bfd neighbors detail, as shown in Figure 9-8.
Disabling BFD for port-channels
If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system are placed in a Down state (Message 3).
To disable BFD for a port-channel:
Step 1. Disable BFD for a port-channel.
  Command Syntax: no bfd enable
  Command Mode: INTERFACE PORT-CHANNEL
Configuring Protocol Liveness
Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a
client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system
receive an Admin Down control packet and are placed in the Down state (Message 3).
To enable Protocol Liveness:
Step 1. Enable Protocol Liveness.
  Command Syntax: bfd protocol-liveness
  Command Mode: CONFIGURATION
Troubleshoot BFD
Examine control packet field values using the command debug bfd detail. Figure 9-29 shows a three-way
handshake using this command.
Figure 9-29. debug bfd detail Command Output
R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
  Version:1, Diag code:0, State:Down, Poll bit:0, Final bit:0, Demand bit:0
  myDiscrim:4, yourDiscrim:0, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
  Version:1, Diag code:0, State:Init, Poll bit:0, Final bit:0, Demand bit:0
  myDiscrim:6, yourDiscrim:4, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
Examine control packets in hexadecimal format using the command debug bfd packet.
Figure 9-30. debug bfd packet Command Output
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
The output for the command debug bfd event is the same as the log messages that appear on the console by
default.
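The raw dumps that debug bfd packet prints are RFC 5880 control packets, and the decoder below, added here as an example and not part of Dell Networking OS, turns them into the same fields that debug bfd detail shows. The two hex strings are constructed from Figure 9-30 (R1's side of the session with neighbor 2.2.2.2 on Gi 4/24), and detection_time_ms applies the RFC 5880 formula behind the C-Series caution of 500 ms x 3 = 1500 ms.

```python
"""Decode BFD control packets (RFC 5880 wire format) such as the hex dumps that
debug bfd packet prints, and compute the resulting detection time.

Added example for this page; it is not Dell Networking OS code. The hex dumps
below are constructed from Figure 9-30; the field layout is RFC 5880 section 4.1.
"""
import struct
from dataclasses import dataclass

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODES = {name: code for code, name in STATE_NAMES.items()}
BFD_CTRL_LEN = 24  # mandatory section; longer only when authentication is present

# Constructed from Figure 9-30: the received (RX) and sent (TX) packets of an Up session.
RX_DUMP = "20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0\n00 01 86 a0 00 00 00 00"
TX_DUMP = "20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0\n00 01 86 a0 00 00 00 00"


@dataclass
class BfdControl:
    version: int
    diag: int
    state: str
    poll: bool
    final: bool
    demand: bool
    auth_present: bool
    multiplier: int
    length: int
    my_discrim: int
    your_discrim: int
    min_tx_us: int       # Desired Min TX Interval, microseconds
    min_rx_us: int       # Required Min RX Interval, microseconds
    min_echo_rx_us: int  # Required Min Echo RX Interval, microseconds


def parse_hex_dump(dump: str) -> bytes:
    """Turn the space/newline separated hex bytes of a packet dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_bfd_control(raw: bytes) -> BfdControl:
    """Decode the mandatory section of a BFD control packet; reject malformed input."""
    if len(raw) < BFD_CTRL_LEN:
        raise ValueError(f"packet too short: {len(raw)} bytes")
    vers_diag, sta_flags, mult, length = struct.unpack("!BBBB", raw[:4])
    version = vers_diag >> 5
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < BFD_CTRL_LEN or length > len(raw):
        raise ValueError(f"length field {length} inconsistent with {len(raw)} bytes received")
    if mult == 0:
        raise ValueError("detect multiplier must be non-zero")
    my_d, your_d, min_tx, min_rx, min_echo = struct.unpack("!IIIII", raw[4:24])
    return BfdControl(
        version=version,
        diag=vers_diag & 0x1F,
        state=STATE_NAMES[sta_flags >> 6],
        poll=bool(sta_flags & 0x20),
        final=bool(sta_flags & 0x10),
        demand=bool(sta_flags & 0x02),
        auth_present=bool(sta_flags & 0x04),
        multiplier=mult,
        length=length,
        my_discrim=my_d,
        your_discrim=your_d,
        min_tx_us=min_tx,
        min_rx_us=min_rx,
        min_echo_rx_us=min_echo,
    )


def build_bfd_control(state: str, my_discrim: int, your_discrim: int,
                      min_tx_us: int, min_rx_us: int, multiplier: int = 3,
                      diag: int = 0) -> bytes:
    """Encode a plain control packet (no poll/final/demand flags, no authentication)."""
    return struct.pack("!BBBBIIIII", (1 << 5) | diag, STATE_CODES[state] << 6,
                       multiplier, BFD_CTRL_LEN, my_discrim, your_discrim,
                       min_tx_us, min_rx_us, 0)


def discriminators_match(rx: BfdControl, tx: BfdControl) -> bool:
    """True when both sides name each other's session, as an Up session must."""
    return rx.your_discrim == tx.my_discrim and tx.your_discrim == rx.my_discrim


def detection_time_ms(local_min_rx_us: int, remote_min_tx_us: int,
                      remote_multiplier: int) -> float:
    """RFC 5880 detection time in asynchronous mode, as seen by the local system."""
    return remote_multiplier * max(local_min_rx_us, remote_min_tx_us) / 1000.0


if __name__ == "__main__":
    rx = parse_bfd_control(parse_hex_dump(RX_DUMP))
    tx = parse_bfd_control(parse_hex_dump(TX_DUMP))
    print(rx)
    print("discriminators consistent:", discriminators_match(rx, tx))
    # The C-Series caution: 500 ms TX and min RX with multiplier 3 gives 1500 ms.
    print("detection time (ms):", detection_time_ms(500_000, 500_000, 3))
```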
10 Border Gateway Protocol IPv4 (BGPv4)
Border Gateway Protocol version 4 (BGPv4) is supported on platforms: C-Series, E-Series, S-Series.
Platforms support BGP according to the following table:

Dell Networking OS version   Platform support
8.1.1.0                      E-Series ExaScale
7.8.1.0                      S-Series
7.7.1.0                      C-Series
pre-7.7.1.0                  E-Series TeraScale
This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as
it is supported in the Dell Networking OS.
This chapter includes the following topics:
• Protocol Overview
  • Autonomous Systems (AS)
  • Sessions and Peers
  • Route Reflectors
  • Confederations
• BGP Attributes
  • Best Path Selection Criteria
  • Weight
  • Local Preference
  • Multi-Exit Discriminators (MEDs)
  • AS Path
  • Next Hop
• Multiprotocol BGP
• Implement BGP with Dell Networking OS
  • Advertise IGP cost as MED for redistributed routes
  • Ignore Router-ID for some best-path calculations
  • 4-Byte AS Numbers
  • AS4 Number Representation
  • AS Number Migration
  • BGP4 Management Information Base (MIB)
  • Important Points to Remember
• Configuration Information
  • Configuration Task List for BGP
  • MBGP Configuration
  • Store Last and Bad PDUs
  • Capture PDUs
  • PDU Counters
• Sample Configurations
BGP protocol standards are listed in the Appendix A, Standards Compliance chapter.
Protocol Overview
Border Gateway Protocol (BGP) is an external gateway protocol that transmits interdomain routing
information within and between Autonomous Systems (AS). Its primary function is to exchange network
reachability information with other BGP systems. BGP generally operates with an Interior Gateway
Protocol (IGP) such as OSPF or RIP, allowing you to communicate with external ASs smoothly. BGP adds
reliability to network connections by having multiple paths from one router to another.
Autonomous Systems (AS)
BGP Autonomous Systems (ASs) are a collection of nodes under common administration, with common
network routing policies. Each AS has a number, already assigned by an internet authority. You do not
assign the BGP number.
AS Numbers (ASNs) are important because the ASN uniquely identifies each network on the Internet. The
IANA has reserved AS numbers 64512 through 65534 to be used for private purposes. The ASNs 0 and
65535 are reserved by the IANA and should not be used in a live environment.
Autonomous Systems can be grouped into three categories, defined by their connections and operation.
A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to
remain connected to the internet in the event of a complete failure of one of their connections. However,
this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple
example of this is seen in Figure 10-1.
A stub AS is one that is connected to only one other AS.
A transit AS is one that provides connections through itself to separate networks. For example, as seen in
Figure 10-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs,
because they provide connections from one network to another. The ISP is considered to be "selling transit
service" to the customer network, hence the term Transit AS.
When BGP operates inside an Autonomous System (AS1 or AS2 as seen in Figure 10-1), it is
referred to as Internal BGP (IBGP Interior Border Gateway Protocol). When BGP operates
between Autonomous Systems (AS1 and AS2), it is called External BGP (EBGP Exterior Border
Gateway Protocol). IBGP provides routers inside the AS with the knowledge to reach routers external to
the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain
connectivity and accessibility.
Figure 10-1. BGP Autonomous Zones
[Figure: Routers 1 through 7 in two autonomous systems, AS 1 and AS 2; Interior BGP runs between routers within each AS and Exterior BGP runs between the two ASs]
BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP
is a path vector protocol: BGP maintains the path that update information takes as it propagates
through the network. Updates traveling through the network and returning to the same node are easily
detected and discarded.
BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based
on path, network policies and/or rulesets. Unlike most protocols, BGP uses TCP as its transport protocol.
Since each pair of BGP routers talking to each other forms a session, a BGP network needs to be in "full mesh".
This is a topology that has every router directly connected to every other router. For example, as seen in
Figure 10-2, four routers connected in a full mesh have three peers each, six routers have five peers each, and
eight routers in full mesh have seven peers each.
Figure 10-2. Full Mesh Examples
[Figure: full-mesh topologies of 4 routers, 6 routers, and 8 routers]
The number of BGP speakers each BGP peer must maintain increases exponentially. Network
management quickly becomes impossible.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of
that session are Peers. A Peer is also called a Neighbor.
Establish a session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic
routing policies.
In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state
machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For
each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The
BGP protocol defines the messages that each peer should exchange in order to change the session from one
state to another.
The first state is the Idle mode. BGP initializes all resources, refuses all inbound BGP connection attempts,
and initiates a TCP connection to the peer.
The next state is Connect. In this state the router waits for the TCP connection to complete, transitioning
to the OpenSent state if successful.
If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state
when the timer expires.
In the Active state, the router resets the ConnectRetry timer to zero, and returns to the Connect state.
Upon successful OpenSent transition, the router sends an Open message and waits for one in return.
Keepalive messages are exchanged next, and upon successful receipt, the router is placed in the
Established state. Keepalive messages continue to be sent at regular periods (established by the Keepalive
timer) to verify connections.
Once established, the router can now send/receive Keepalive, Update, and Notification messages to/from
its peer.
Peer Groups
Peer Groups are neighbors grouped according to common routing policies. They enable easier system
configuration and management by allowing groups of routers to share and inherit policies.
Peer groups also aid in convergence speed. When a BGP process needs to send the same information to a
large number of peers, it needs to set up a long output queue to get that information to all the proper peers.
If they are members of a peer group, however, the information can be sent to one place then passed onto
the peers within the group.
Route Reflectors
Route Reflectors reorganize the iBGP core into a hierarchy and add some route advertisement rules.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and
its client peers form a route reflection cluster. Since BGP speakers announce only the best route for a given
prefix, route reflector rules are applied after the router makes its best path decision.
• If a route was received from a nonclient peer, reflect the route to all client peers.
• If the route was received from a client peer, reflect the route to all nonclient and all client peers.
Figure 10-3. Route Reflection Example
[Figure: Router A sends an eBGP route to Router B; Routers B and C exchange iBGP routes with Router D, the Route Reflector; Router D's client peers are Routers E and G, which pass the iBGP route on to their eBGP peers, Routers F and H]
To illustrate how these rules affect routing, see Figure 10-3 and the following steps. Routers B, C, D, E, and
G are members of the same AS, AS100. These routers are also in the same Route Reflection Cluster,
where Router D is the Route Reflector. Routers E and G are client peers of Router D; Routers B and C are
nonclient peers of Router D.
1. Router B receives an advertisement from Router A through eBGP. Since the route is learned through
eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is
Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3. Router D does not advertise the route to Router C because Router C is a nonclient peer and the route
advertisement came from Router B who is also a non-client peer.
4. Router D does reflect the advertisement to Routers E and G because they are client peers of Router D.
5. Routers E and G then advertise this iBGP learned route to their eBGP peers Routers F and H.
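The following Python model is an added example and is not part of the Dell guide or Dell Networking OS. It applies the two reflection rules above, together with the ordinary rule that a plain iBGP speaker does not re-advertise iBGP-learned routes to other iBGP peers, to the Figure 10-3 topology and reports which router learns the route from which peer. The AS numbers of Routers A, F and H and the exact session list are assumptions; the figure gives only the cluster membership.

```python
from collections import deque

# Constructed Figure 10-3 topology. AS numbers for A, F and H are assumptions
# (the figure only shows that they are eBGP peers of B, E and G respectively).
ROUTER_AS = {"A": 65001, "B": 100, "C": 100, "D": 100,
             "E": 100, "G": 100, "F": 65002, "H": 65003}
PEERS = {                        # BGP sessions, listed per router
    "A": ["B"],
    "B": ["A", "C", "D"],
    "C": ["B", "D"],
    "D": ["B", "C", "E", "G"],   # D is the route reflector
    "E": ["D", "F"],
    "G": ["D", "H"],
    "F": ["E"],
    "H": ["G"],
}
RR_CLIENTS = {"D": {"E", "G"}}   # reflector -> its client peers; B and C are nonclients


def is_ebgp(a, b):
    """True when the session between a and b crosses an AS boundary."""
    return ROUTER_AS[a] != ROUTER_AS[b]


def advertise_to(router, learned_from):
    """Peers that `router` sends a route to, given which peer it learned the route from."""
    out = []
    learned_via_ebgp = is_ebgp(router, learned_from)
    clients = RR_CLIENTS.get(router, set())
    for peer in PEERS[router]:
        if peer == learned_from:
            continue                  # never send a route back to the peer it came from
        if is_ebgp(router, peer):
            out.append(peer)          # eBGP peers receive the route regardless of its source
        elif learned_via_ebgp:
            out.append(peer)          # eBGP-learned routes go to every iBGP peer
        elif learned_from in clients:
            out.append(peer)          # RR rule: from a client, reflect to all clients and nonclients
        elif peer in clients:
            out.append(peer)          # RR rule: from a nonclient, reflect to client peers only
        # otherwise: a plain iBGP speaker does not re-advertise iBGP-learned routes to iBGP peers
    return out


def propagate(origin):
    """Flood one prefix originated at `origin`; return {router: [peers it received the route from]}."""
    received = {}
    queue = deque((peer, origin) for peer in PEERS[origin])
    while queue:
        router, sender = queue.popleft()
        received.setdefault(router, []).append(sender)
        if len(received[router]) > 1:
            continue                  # already installed: only the first copy is re-advertised here
        for peer in advertise_to(router, sender):
            queue.append((peer, router))
    return received


if __name__ == "__main__":
    for router, senders in sorted(propagate("A").items()):
        print(f"{router} learned the route from {', '.join(senders)}")
```

Running propagate("A") reproduces steps 1 to 5: C and D learn the route from B, D reflects it only to its clients E and G, and C never receives a second copy from D. Running propagate("H") shows the other rule: G learns the route via eBGP and passes it to D, and because G is a client, D reflects it to B, C and E.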
Confederations
Communities
BGP communities are sets of routes with one or more common attributes. This is a way to assign
common attributes to multiple routes at the same time.
BGP Attributes
Routes learned via BGP have associated properties that are used to determine the best route to a destination
when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and
an understanding of how BGP attributes influence route selection is required for the design of robust
networks. This section describes the attributes that BGP uses in the route selection process:
• Weight
• Local Preference
• Multi-Exit Discriminators (MEDs)
• Origin
• AS Path
• Next Hop
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS number
(BGP best path selection is deterministic by default, which means the bgp non-deterministic-med
command is NOT applied).
The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time.
If any of the criteria results in more than one path, BGP moves on to the next option in the list. For
example, two paths may have the same weights, but different local preferences. BGP sees that the Weight
criterion results in two potential “best paths” and moves to local preference to reduce the options. Once a
best path has been determined for each group, the same selection criteria are applied to the group winners
to determine the ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in
the order in which they arrive. This method can lead to Dell Networking OS choosing different best paths
from a set of paths, depending on the order in which they were received from the neighbors, since MED
may or may not get compared between adjacent paths. In deterministic mode, Dell Networking OS
compares MED between adjacent paths within an AS group since all paths in the AS group are from the
same AS.
Figure 10-4 illustrates the decisions BGP goes through to select the best path. The list following the
illustration details the path selection criteria.
Figure 10-4. BGP Best Path Selection (flowchart: each test is applied in turn, moving to the next whenever it does not result in a single route: Highest Weight; Highest Local Pref; Locally Originated Path; Shortest AS Path; Lowest Origin Code; Lowest MED; Learned via EBGP; Lowest NEXT-HOP Cost; then the tie breakers Lowest Cluster ID List, from Lowest Router ID, from Lowest Neighbor Addr; finally a single route is selected and installed in the routing table)
Best Path selection details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command or
aggregate-address command.
• Routes originated with the network or redistribute commands are preferred over routes originated
with the aggregate-address command.
4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command is
configured, then AS_PATH is not considered). The following criteria apply:
• An AS_SET has a path length of 1, no matter how many ASs are in the set.
• A path with no AS_PATH configured has a path length of 0.
• AS_CONFED_SET is not included in the AS_PATH length.
• AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the
AS_CONFED_SEQUENCE.
5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than
INCOMPLETE).
6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply:
• This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs
are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
• If the bgp always-compare-med command is entered, MEDs are compared for all paths.
• Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7. Prefer external (EBGP) paths to internal (IBGP) paths and to confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next-hop.
9. Dell Networking OS deems the paths equal and does not perform the remaining tie-breaking steps listed
below if all of the following criteria are met:
• IBGP multipath or EBGP multipath is configured (maximum-paths command)
• the paths being compared were received from the same AS with the same number of ASs in the AS
Path but with different next hops
• the paths were received from IBGP or EBGP neighbors respectively
10. If the bgp bestpath router-id ignore command is enabled:
• If the Router-ID is the same for multiple paths (because the routes were received from the same
router), skip this step.
• If the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the
best path. The path selection algorithm then returns without performing any of the checks
outlined below.
11. Prefer the path originated from the BGP router with the lowest router ID. For paths containing a Route
Reflector (RR) attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a
cluster ID length are set to a 0 cluster ID length.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in
the BGP neighbor configuration, and corresponds to the remote peer used in the TCP connection with
the local router.)
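The following Python code is an added example, not Dell Networking OS code: it encodes the selection criteria above as a pairwise comparison and runs it in deterministic mode, first inside each neighboring-AS group (where MEDs are comparable) and then across the group winners (where MEDs are compared only when bgp always-compare-med is set). Steps 9 (multipath) and 10 (bgp bestpath router-id ignore) are left out, and the sample paths, addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

NO_MED = 4294967295                                    # step 6: a missing MED counts as worst
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}    # step 5: lower is better
LOCAL_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, "learned": 2}   # step 3


@dataclass
class Path:
    neighbor: str                      # peer address the path came from (step 13 tie breaker)
    as_path: Tuple[Tuple[str, Tuple[int, ...]], ...] = ()   # ("seq"|"set"|"confed_seq"|"confed_set", ASNs)
    weight: int = 0
    local_pref: int = 100
    origin_kind: str = "learned"       # "network", "redistribute", "aggregate" or "learned"
    origin: str = "igp"
    med: Optional[int] = None
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"
    originator_id: Optional[str] = None    # set on reflected paths; replaces router_id (step 11)
    cluster_list: Tuple[str, ...] = ()


def as_path_length(p):
    """Step 4: AS_SET and AS_CONFED_SEQUENCE count as 1, AS_CONFED_SET as 0."""
    total = 0
    for kind, asns in p.as_path:
        if kind == "seq":
            total += len(asns)
        elif kind in ("set", "confed_seq"):
            total += 1
    return total


def neighbor_as(p):
    """First AS of the first AS_SEQUENCE; None for locally originated paths."""
    for kind, asns in p.as_path:
        if kind == "seq" and asns:
            return asns[0]
    return None


def better(a, b, compare_med):
    """Return the preferred of two paths, applying the criteria in the order listed above."""
    if a.weight != b.weight:                                   # 1 highest weight
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                           # 2 highest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    ra, rb = LOCAL_RANK[a.origin_kind], LOCAL_RANK[b.origin_kind]
    if ra != rb:                                               # 3 locally originated first
        return a if ra < rb else b
    la, lb = as_path_length(a), as_path_length(b)
    if la != lb:                                               # 4 shortest AS_PATH
        return a if la < lb else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:         # 5 lowest ORIGIN
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if compare_med:                                            # 6 lowest MED, only when comparable
        ma = NO_MED if a.med is None else a.med
        mb = NO_MED if b.med is None else b.med
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:                                       # 7 eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:                           # 8 lowest IGP metric to next hop
        return a if a.igp_metric < b.igp_metric else b
    ida = ip_address(a.originator_id or a.router_id)           # 11 lowest router ID / originator ID
    idb = ip_address(b.originator_id or b.router_id)
    if ida != idb:
        return a if ida < idb else b
    if len(a.cluster_list) != len(b.cluster_list):             # 12 shortest cluster list
        return a if len(a.cluster_list) < len(b.cluster_list) else b
    return a if ip_address(a.neighbor) <= ip_address(b.neighbor) else b   # 13 lowest neighbor address


def select_best(paths, always_compare_med=False):
    """Deterministic selection: pick a winner per neighboring-AS group, then compare the winners."""
    groups = {}
    for p in paths:
        groups.setdefault(neighbor_as(p), []).append(p)
    winners = []
    for key in sorted(groups, key=lambda k: (k is None, k or 0)):   # ascending neighboring AS
        best = groups[key][0]
        for p in groups[key][1:]:
            best = better(best, p, compare_med=True)     # same first AS: MEDs are comparable
        winners.append(best)
    best = winners[0]
    for p in winners[1:]:
        best = better(best, p, compare_med=always_compare_med)   # bgp always-compare-med
    return best


# Constructed sample paths for one prefix (illustrative values, not taken from the guide).
SAMPLE = [
    Path(neighbor="10.1.1.1", as_path=(("seq", (701,)),), med=50, router_id="10.0.0.1"),
    Path(neighbor="10.1.1.2", as_path=(("seq", (701,)),), med=20, router_id="10.0.0.5"),
    Path(neighbor="10.1.1.3", as_path=(("seq", (209,)),), med=10, router_id="10.0.0.9"),
    Path(neighbor="10.1.1.4", as_path=(("seq", (701,)),), med=None, router_id="10.0.0.2"),
]

if __name__ == "__main__":
    print("deterministic:", select_best(SAMPLE).neighbor)                               # 10.1.1.2
    print("always-compare-med:", select_best(SAMPLE, always_compare_med=True).neighbor)  # 10.1.1.3
```

With the sample RIB the AS 701 group is won by the MED 20 path (the path without a MED loses as MED 4294967295), and the two group winners then tie down to router ID, so the AS 701 path is installed even though the AS 209 path carries the lower MED of 10. Enabling always-compare-med changes the answer to the AS 209 path, which is the behaviour the bgp always-compare-med command selects.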
Weight
The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns
about more than one route to the same destination, the route with the highest weight will be preferred. The
route with the highest weight is installed in the IP routing table.
Local Preference
Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the
number, the greater the preference for the route.
The Local Preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in
mind that other criteria may impact selection, as shown in Figure 10-4. For this example, assume that
LOCAL_PREF is the only attribute applied. In Figure 10-5, AS100 has two possible paths to AS 200.
Although the path through Router A is shorter (one hop instead of two), the LOCAL_PREF settings
have the preferred path go through Router B and AS300. This is advertised to all routers within AS100,
causing all BGP speakers to prefer the path through Router B.
Figure 10-5. LOCAL_PREF Example (figure: AS 100 reaches AS 200 either directly from Router A over a T1 link to Router C with Local Preference set to 100, or from Router B over an OC3 link through Router D in AS 300 with Local Preference set to 200)
Multi-Exit Discriminators (MEDs)
If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can
be used to assign a preference to a preferred path. The MED is one of the criteria used to determine the best
path, so keep in mind that other criteria may impact selection, as shown in Figure 10-4.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this
example, assume the MED is the only attribute applied. In Figure 10-6, AS100 and AS200 connect in two
places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED
for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised
to AS100 routers so they know which is the preferred path.
A MED is a non-transitive attribute. If AS100 sends a MED to AS200, AS200 does not pass it on to
AS300 or AS400. The MED is a locally relevant attribute to the two participating Autonomous Systems
(AS100 and AS200).
Note that the MEDs are advertised across both links, so that if a link goes down AS100 still has connectivity
to AS300 and AS400.
Figure 10-6. MED Route Example (figure: AS 100 and AS 200 connect over a T1 link between Router A and Router C, on which AS 200 sets MED to 100, and over an OC3 link between Router B and Router D, on which AS 200 sets MED to 50; Router E is inside AS 200)
Note: With Dell Networking OS Release 8.3.1.0, configuring the set metric-type internal command in a
route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The
configured set metric value overwrites the default IGP cost.
Origin
The Origin indicates the origin of the prefix, or how the prefix came into BGP. There are three Origin
codes: IGP, EGP, INCOMPLETE.
• IGP indicates the prefix originated from information learned through an interior gateway protocol.
• EGP indicates the prefix originated from information learned from the Exterior Gateway Protocol (EGP),
which BGP replaced.
• INCOMPLETE indicates that the prefix originated from an unknown source.
Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally
means that a route was learned from an external gateway protocol. An INCOMPLETE origin code
generally results from aggregation, redistribution or other indirect ways of installing routes into BGP.
In Dell Networking OS, these origin codes appear as shown in Figure 10-7. The question mark (?)
indicates an Origin code of INCOMPLETE. The lower case letter (i) indicates an Origin code of IGP.
Figure 10-7. Origin attribute reported
FTOS#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop         Metric LocPrf Weight Path
*>   7.0.0.0/29       10.114.8.33           0      0  18508 ?
*>   7.0.0.0/30       10.114.8.33           0      0  18508 ?
*>   9.2.0.0/16       10.114.8.33          10      0  18508 701 i
AS Path
The AS Path is the list of all Autonomous Systems that the prefixes listed in the update have passed
through. The local AS number is added by the BGP speaker when advertising to an eBGP neighbor.
In Dell Networking OS the AS Path is shown in Figure 10-8. Note that the Origin attribute is shown
following the AS Path information.
Figure 10-8. AS Path attribute reported
FTOS#show ip bgp paths
Total 30655 Paths
Address    Hash  Refcount  Metric  Path
0x4014154  0     3         18508   701 3549 19421 i
0x4013914  0     3         18508   701 7018 14990 i
0x5166d6c  0     3         18508   209 4637 1221 9249 9249 i
0x5e62df4  0     2         18508   701 17302 i
0x3a1814c  0     26        18508   209 22291 i
0x567ea9c  0     75        18508   209 3356 2529 i
0x6cc1294  0     2         18508   209 1239 19265 i
0x6cc18d4  0     1         18508   701 2914 4713 17935 i
0x5982e44  0     162       18508   209 i
0x67d4a14  0     2         18508   701 19878 ?
0x559972c  0     31        18508   209 18756 i
0x59cd3b4  0     2         18508   209 7018 15227 i
0x7128114  0     10        18508   209 3356 13845 i
0x536a914  0     3         18508   209 701 6347 7781 i
0x2ffe884  0     1         18508   701 3561 9116 21350 i
Next Hop
The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop
address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address
is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another
BGP speaker outside its local AS. It can also be set when advertising routes within an AS. The Next Hop
attribute also serves as a way to direct traffic to another BGP speaker, rather than waiting for a speaker to
advertise.
Dell Networking OS allows you to set the Next Hop attribute in the CLI. Setting the Next Hop attribute lets
you determine a router as the next hop for a BGP neighbor.
Multiprotocol BGP
MBGP for IPv4 Multicast is supported on platforms c, e, and s.
MBGP for IPv6 unicast is supported on platforms e and c.
Multiprotocol Extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of
address families to be distributed in parallel. This allows information about the topology of IP
Multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast
routers. It allows a multicast routing topology different from the unicast routing topology.
Note: It is possible to configure BGP peers that exchange both unicast and multicast network layer
reachability information (NLRI), but you cannot connect Multiprotocol BGP with BGP. Therefore, you
cannot redistribute Multiprotocol BGP routes into BGP.
Implement BGP with Dell Networking OS
Advertise IGP cost as MED for redistributed routes
When using multipath connectivity to an external AS, you can advertise the MED value selectively to each
peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting
others to a constant pre-defined metric as MED value.
Dell Networking OS 8.3.1.0 and later support configuring the set metric-type internal command in a
route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes. The
configured set metric value overwrites the default IGP cost.
By using the redistribute command in conjunction with the route-map command, you can specify whether a
peer advertises the standard MED or uses the IGP cost as the MED.
Note the following when configuring this functionality:
• If the redistribute command does not have any metric configured and the BGP peer outbound route-map
does have metric-type internal configured, BGP advertises the IGP cost as MED.
• If the redistribute command has a metric configured (route-map set metric or redistribute route-type
metric) and the BGP peer outbound route-map has metric-type internal configured, BGP advertises the
metric configured in the redistribute command as MED.
• If the BGP peer outbound route-map has a metric configured, then all other metrics are overwritten by it.
Note: When redistributing static, connected or OSPF routes, there is no metric option. Simply assign the
appropriate route-map to the redistributed route.
Table 10-1 gives some examples of these rules.
Table 10-1. Example MED advertisement

Command Settings                    BGP Local Routing      MED Advertised to Peer
                                    Information Base       WITH route-map           WITHOUT route-map
                                                           metric-type internal     metric-type internal
redistribute isis (IGP cost = 20)   MED: IGP cost 20       MED = 20                 MED = 0
redistribute isis route-map         MED: IGP cost 50       MED = 50                 MED = 50
  set metric 50
redistribute isis metric 100        MED: IGP cost 100      MED = 100                MED = 100
Ignore Router-ID for some best-path calculations
Dell Networking OS 8.3.1.0 and later allow you to avoid unnecessary BGP best-path transitions between
external paths under certain conditions. The bgp bestpath router-id ignore command reduces network
disruption caused by routing and forwarding plane changes and allows for faster convergence.
4-Byte AS Numbers
Dell Networking OS Version 7.7.1 and later support 4-Byte (32-bit) format when configuring Autonomous
System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the
OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the
messages will be 4-octet. The behavior of a 4-Byte BGP speaker will be different with the peer depending
on whether the peer is 4-Byte or 2-Byte BGP speaker.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS Numbers using the
traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip bgp
commands. For example, an ASN entered as 3183856184 will appear in the show commands as
48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN
in traditional format, use the integer quotient ASN/65536 for the part before the dot and the remainder
ASN%65536 for the part after it (ASN/65536.ASN%65536); for 3183856184 this gives 48581 and 51768.
Table 10-2. 4-Byte ASN Dot Format Examples

Traditional Format    Dot Format
65001                 0.65001
65536                 1.0
100000                1.34464
4294967295            65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified
routers. You cannot mix them.
Enable 4-byte AS number support with the bgp four-octet-as-support command in ROUTER BGP mode.
AS4 Number Representation
Dell Networking OS version 8.2.1.0 supports multiple representations of 4-byte AS numbers: asplain,
asdot+, and asdot.
Note: The ASDOT and ASDOT+ representations are supported only in conjunction with the 4-Byte AS
Numbers feature. If 4-Byte AS Numbers are not implemented, only ASPLAIN representation is supported.
ASPLAIN is the method Dell Networking OS has used for all previous Dell Networking OS versions. It
remains the default method with Dell Networking OS 8.2.1.0 and later. With the ASPLAIN notation, a 32
bit binary AS number is translated into a decimal value.
• All AS Numbers between 0-65535 are represented as a decimal number when entered in the CLI as
well as when displayed in the show command outputs.
• AS Numbers larger than 65535 are represented using ASPLAIN notation as well. 65546 is
represented as 65546.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a
decimal point (.): the high-order 16 bits, then the low-order 16 bits. Some examples are shown in
Table 10-2.
• All AS Numbers, including those between 0-65535, are written as two words when entered in the CLI as
well as when displayed in the show command outputs. For example, AS 65001 is written as 0.65001.
• AS Numbers larger than 65535 are represented in the same way. For example, AS 65546 is represented
as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than
65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear in dot
notation (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number
65546 appears as 1.10.
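The following Python helpers are an added example, not Dell Networking OS code: they convert any 4-byte ASN between asplain, asdot+ and asdot using the ASN/65536 and ASN%65536 rule described with Table 10-2, parse an ASN typed in any of the three notations, and reject dot-format words outside 0-65535. The function names are assumptions made for illustration.

```python
AS_MAX = 4294967295          # largest 4-byte ASN
WORD = 65536                 # 2**16: the split point between the two 16-bit words


def check_asn(asn):
    """Raise if the value is outside the 32-bit ASN range; return it unchanged otherwise."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN {asn} is outside the 32-bit range")
    return asn


def to_asplain(asn):
    """asplain: the whole 32-bit number in decimal (the CLI input format and the default)."""
    return str(check_asn(asn))


def to_asdot_plus(asn):
    """asdot+: always <high 16 bits>.<low 16 bits>, so 65001 becomes 0.65001 and 65536 becomes 1.0."""
    check_asn(asn)
    return f"{asn // WORD}.{asn % WORD}"


def to_asdot(asn):
    """asdot: asplain below 65536, asdot+ from 65536 up (what the show commands print)."""
    check_asn(asn)
    return str(asn) if asn < WORD else to_asdot_plus(asn)


def parse_asn(text):
    """Accept an ASN in asplain, asdot or asdot+ notation and return the integer value."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high < WORD and 0 <= low < WORD):
            raise ValueError(f"{text!r}: each word of a dot-format ASN must be 0-65535")
        return high * WORD + low
    return check_asn(int(text))


def fits_two_byte(asn):
    """True if the ASN can be carried by a peer that lacks the 4-BYTE-AS capability."""
    return 1 <= check_asn(asn) <= WORD - 1


def render_all(asn):
    """The same ASN in the three notations the guide describes."""
    return {"asplain": to_asplain(asn), "asdot": to_asdot(asn), "asdot+": to_asdot_plus(asn)}


if __name__ == "__main__":
    for asn in (65001, 65536, 100000, 3183856184, AS_MAX):
        print(asn, render_all(asn))
```

Note that a dot-format string such as 1.10 is the same value (65546) whether it was produced by asdot or asdot+, so parsing does not need to know which notation the running-config was displayed in; only values below 65536 look different between the two.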
Dynamic AS Number Notation application
Dell Networking OS 8.3.1.0 applies the ASN Notation type change dynamically to the running-config
statements. When you apply or change an asnotation, the type selected is reflected immediately in the
running-configuration and the show commands (Figure 10-9 and Figure 10-10).
Figure 10-9.
Dynamic changes of the bgp asnotation command in the show running config
ASDOT
FTOS(conf-router_bgp)#bgp asnotation asdot
FTOS(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057