Dell Networking Z9500 Configuration Manual 9.5(0.1) Guide For The Switch
2015-01-05
Page Count: 920
Dell Networking Configuration Guide for the
Z9500 Switch
Version 9.5(0.1)
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you
how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc. in the United States and/or other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
2014 - 07
Rev. A01
Contents
1 About this Guide................................................................................................. 30
Audience..............................................................................................................................................30
Conventions........................................................................................................................................ 30
Related Documents............................................................................................................................ 30
2 Configuration Fundamentals............................................................................31
Accessing the Command Line............................................................................................................ 31
CLI Modes............................................................................................................................................ 31
Navigating CLI Modes................................................................................................................... 34
The do Command............................................................................................................................... 37
Undoing Commands...........................................................................................................................38
Obtaining Help.................................................................................................................................... 39
Entering and Editing Commands....................................................................................................... 39
Command History.............................................................................................................................. 40
Filtering show Command Outputs.....................................................................................................40
Multiple Users in Configuration Mode............................................................................................... 42
3 Getting Started....................................................................................................43
Console Access................................................................................................................................... 43
Serial Console................................................................................................................................43
Default Configuration......................................................................................................................... 44
Configuring a Host Name...................................................................................................................44
Accessing the System Remotely.........................................................................................................45
Accessing the Z9500 Remotely....................................................................................................45
Configure the Management Port IP Address............................................................................... 45
Configure a Management Route.................................................................................................. 46
Configuring a Username and Password.......................................................................................46
Configuring the Enable Password......................................................................................................46
Manage Configuration Files................................................................................................................ 47
File Storage.................................................................................................................................... 47
Copy Files to and from the System.............................................................................................. 47
Save the Running-Configuration..................................................................................................49
Configure the Overload Bit for a Startup Scenario......................................................................49
Viewing Files.................................................................................................................................. 49
Changes in Configuration Files.................................................................................................... 50
View Command History...................................................................................................................... 51
Upgrading the Dell Networking OS.................................................................................................... 51
Using Hashes to Validate Software Images........................................................................................ 51
4 Switch Management.......................................................................................... 53
Configuring Privilege Levels................................................................................................................53
Creating a Custom Privilege Level................................................................................................53
Removing a Command from EXEC Mode....................................................................................53
Moving a Command from EXEC Privilege Mode to EXEC Mode................................................ 53
Allowing Access to CONFIGURATION Mode Commands.......................................................... 54
Allowing Access to the Following Modes.................................................................................... 54
Applying a Privilege Level to a Username.................................................................................... 56
Applying a Privilege Level to a Terminal Line...............................................................................56
Configuring Logging........................................................................................................................... 56
Audit and Security Logs.................................................................................................................57
Configuring Logging Format ........................................................................................................ 58
Setting Up a Secure Connection to a Syslog Server....................................................................59
Log Messages in the Internal Buffer...................................................................................................60
Configuration Task List for System Log Management................................................................ 60
Disabling System Logging.................................................................................................................. 60
Sending System Messages to a Syslog Server.................................................................................... 61
Configuring a UNIX System as a Syslog Server............................................................................ 61
Display the Logging Buffer and the Logging Configuration..............................................................61
Changing System Logging Settings....................................................................................................62
Configuring a UNIX Logging Facility Level.........................................................................................63
Synchronizing Log Messages............................................................................................................. 64
Enabling Timestamp on Syslog Messages......................................................................................... 64
File Transfer Services...........................................................................................................................65
Configuration Task List for File Transfer Services........................................................................ 65
Enabling the FTP Server................................................................................................................ 65
Configuring FTP Server Parameters............................................................................................. 66
Configuring FTP Client Parameters..............................................................................................66
Terminal Lines..................................................................................................................................... 67
Denying and Permitting Access to a Terminal Line..................................................................... 67
Configuring Login Authentication for Terminal Lines................................................................. 67
Setting Time Out of EXEC Privilege Mode......................................................................................... 68
Using Telnet to Access Another Network Device............................................................................. 69
Lock CONFIGURATION Mode............................................................................................................70
Viewing the Configuration Lock Status........................................................................................ 70
Recovering from a Forgotten Password on the Z9500..................................................................... 71
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration.............71
Recovering from a Failed Start on the Z9500.................................................................................... 72
Restoring Factory-Default Settings.................................................................................................... 72
Important Points to Remember.................................................................................................... 72
Restoring Factory-Default Boot Environment Variables..............................................................73
5 802.1X................................................................................................................... 75
The Port-Authentication Process....................................................................................................... 76
EAP over RADIUS........................................................................................................................... 77
Configuring 802.1X............................................................................................................................. 78
Related Configuration Tasks......................................................................................................... 78
Important Points to Remember..........................................................................................................78
Enabling 802.1X...................................................................................................................................79
Configuring Request Identity Re-Transmissions............................................................................... 80
Configuring a Quiet Period after a Failed Authentication............................................................81
Forcibly Authorizing or Unauthorizing a Port.................................................................................... 82
Re-Authenticating a Port.................................................................................................................... 83
Configuring Timeouts.........................................................................................................................84
Configuring Dynamic VLAN Assignment with Port Authentication..................................................85
Guest and Authentication-Fail VLANs................................................................................................86
Configuring a Guest VLAN............................................................................................................ 87
Configuring an Authentication-Fail VLAN.................................................................................... 87
6 Access Control Lists (ACLs).............................................................................. 89
IP Access Control Lists (ACLs)............................................................................................................ 89
CAM Usage.................................................................................................................................... 90
Implementing ACLs ....................................................................................................................... 91
IP Fragment Handling......................................................................................................................... 92
IP Fragments ACL Examples......................................................................................................... 92
Layer 4 ACL Rules Examples......................................................................................................... 93
Configure a Standard IP ACL.............................................................................................................. 94
Configuring a Standard IP ACL Filter............................................................................................ 95
Configure an Extended IP ACL........................................................................................................... 96
Configuring Filters with a Sequence Number..............................................................................96
Configuring Filters Without a Sequence Number........................................................................ 97
Configure Layer 2 and Layer 3 ACLs.................................................................................................. 98
Using ACL VLAN Groups.....................................................................................................................99
Guidelines for Configuring ACL VLAN Groups............................................................................ 99
Configuring an ACL VLAN Group...............................................................................................100
Allocating ACL VLAN CAM.......................................................................................................... 101
Applying an IP ACL to an Interface................................................................................................... 101
Configure Ingress ACLs...............................................................................................................102
Configure Egress ACLs................................................................................................................103
Applying Egress Layer 3 ACLs (Control-Plane).......................................................................... 103
Counting ACL Hits.......................................................................................................................104
IP Prefix Lists......................................................................................................................................104
Implementation Information...................................................................................................... 105
Configuration Task List for Prefix Lists....................................................................................... 105
ACL Resequencing............................................................................................................................109
Resequencing an ACL or Prefix List............................................................................................109
Route Maps.........................................................................................................................................111
Implementation Information....................................................................................................... 111
Important Points to Remember.........................................................................................................111
Configuration Task List for Route Maps...................................................................................... 111
Configuring Match Routes.......................................................................................................... 114
Configuring Set Conditions......................................................................................................... 115
Configure a Route Map for Route Redistribution.......................................................................116
Configure a Route Map for Route Tagging.................................................................................117
Continue Clause...........................................................................................................................117
7 Bare Metal Provisioning (BMP)....................................................................... 119
Enhanced Behavior of the stop bmp Command............................................................................. 119
Removal of User-Defined String Parameter in the reload-type Command................................... 119
Service Tag Information in the Option 60 String............................................................................. 119
8 Bidirectional Forwarding Detection (BFD).................................................. 120
How BFD Works................................................................................................................................ 120
BFD Packet Format...................................................................................................................... 121
BFD Sessions................................................................................................................................122
BFD Three-Way Handshake........................................................................................................ 123
Session State Changes................................................................................................................ 124
Important Points to Remember........................................................................................................125
Configure BFD................................................................................................................................... 125
Configure BFD for Static Routes.................................................................................................126
Configure BFD for OSPF..............................................................................................................127
Configure BFD for OSPFv3.......................................................................................................... 131
Configure BFD for IS-IS...............................................................................................................132
Configure BFD for BGP............................................................................................................... 135
Configure BFD for VRRP............................................................................................................. 142
Configuring Protocol Liveness....................................................................................................145
9 Border Gateway Protocol IPv4 (BGPv4).......................................................146
Autonomous Systems (AS)................................................................................................................146
Sessions and Peers............................................................................................................................148
Establish a Session.......................................................................................................................149
Route Reflectors................................................................................................................................149
Communities............................................................................................................................... 150
BGP Attributes................................................................................................................................... 150
Best Path Selection Criteria......................................................................................................... 151
Weight.......................................................................................................................................... 153
Local Preference..........................................................................................................................153
Multi-Exit Discriminators (MEDs)................................................................................................ 154
Origin........................................................................................................................................... 155
AS Path......................................................................................................................................... 156
Next Hop......................................................................................................................................156
Multiprotocol BGP.............................................................................................................................156
Implement BGP ................................................................................................................................. 157
Additional Path (Add-Path) Support............................................................................................157
Advertise IGP Cost as MED for Redistributed Routes.................................................................157
Ignore Router-ID for Some Best-Path Calculations..................................................................158
Four-Byte AS Numbers............................................................................................................... 158
AS4 Number Representation...................................................................................................... 158
AS Number Migration..................................................................................................................160
BGP4 Management Information Base (MIB).............................................................................. 162
Important Points to Remember..................................................................................................162
Configuration Information................................................................................................................163
BGP Configuration............................................................................................................................ 163
Enabling BGP............................................................................................................................... 164
Configuring AS4 Number Representations................................................................................168
Configuring Peer Groups............................................................................................................ 169
Configuring BGP Fast Fail-Over.................................................................................................. 172
Configuring Passive Peering....................................................................................................... 174
Maintaining Existing AS Numbers During an AS Migration........................................................ 175
Allowing an AS Number to Appear in its Own AS Path.............................................................. 176
Enabling Neighbor Graceful Restart........................................................................................... 176
Filtering on an AS-Path Attribute.................................................................................................177
Regular Expressions as Filters..................................................................................................... 179
Redistributing Routes..................................................................................................................180
Enabling Additional Paths............................................................................................................ 181
Configuring IP Community Lists................................................................................................. 181
Configuring an IP Extended Community List.............................................................................183
Filtering Routes with Community Lists.......................................................................................184
Manipulating the COMMUNITY Attribute...................................................................................184
Changing MED Attributes........................................................................................................... 186
Changing the LOCAL_PREFERENCE Attribute.......................................................................... 186
Changing the NEXT_HOP Attribute............................................................................................187
Changing the WEIGHT Attribute................................................................................................ 188
Enabling Multipath...................................................................................................................... 188
Filtering BGP Routes................................................................................................................... 188
Filtering BGP Routes Using Route Maps.................................................................................... 190
Filtering BGP Routes Using AS-PATH Information.................................................................... 190
Configuring BGP Route Reflectors............................................................................................. 191
Aggregating Routes.....................................................................................................................192
Configuring BGP Confederations...............................................................................................192
Enabling Route Flap Dampening................................................................................................ 193
Changing BGP Timers.................................................................................................................196
Enabling BGP Neighbor Soft-Reconfiguration.......................................................................... 196
Route Map Continue................................................................................................................... 197
Enabling MBGP Configurations........................................................................................................ 198
BGP Regular Expression Optimization............................................................................................. 199
Debugging BGP.................................................................................................................................199
Storing Last and Bad PDUs.........................................................................................................200
Capturing PDUs...........................................................................................................................201
PDU Counters............................................................................................................................. 202
Sample Configurations..................................................................................................................... 202
10 Content Addressable Memory (CAM)......................................................... 212
CAM Allocation..................................................................................................................................212
Test CAM Usage................................................................................................................................ 214
View CAM-ACL Settings....................................................................................................................214
View CAM Usage............................................................................................................................... 215
Return to the Default CAM Configuration....................................................................................... 216
CAM Optimization.............................................................................................................................216
Applications for CAM Profiling.......................................................................................................... 217
LAG Hashing..................................................................................................................................217
LAG Hashing Based on Bidirectional Flow.................................................................................. 217
11 Control Plane Policing (CoPP)......................................................................218
Z9500 CoPP Implementation...........................................................................................................218
Protocol-based Control Plane Policing..................................................................................... 218
Queue-based Control Plane Policing........................................................................................ 219
CoPP Example.................................................................................................................................. 220
Configure Control Plane Policing.....................................................................................................221
Configuring CoPP for Protocols................................................................................................. 221
Examples of Configuring CoPP for Protocols........................................................................... 222
Configuring CoPP for CPU Queues........................................................................................... 224
Examples of Configuring CoPP for CPU Queues......................................................................224
Displaying CoPP Configuration.................................................................................................. 225
Troubleshooting CoPP Operation................................................................................................... 229
Enabling CPU Traffic Statistics................................................................................................... 229
Viewing CPU Traffic Statistics.....................................................................................................229
Troubleshooting CPU Packet Loss.............................................................................................229
Viewing Per-Protocol CoPP Counters.......................................................................................232
Viewing Per-Queue CoPP Counters..........................................................................................234
12 Debugging and Diagnostics......................................................................... 236
Offline Diagnostics........................................................................................................................... 236
Important Points to Remember................................................................................................. 236
Running Offline Diagnostics.......................................................................................................236
Examples of Running Offline Diagnostics.................................................................................. 237
TRACE Logs.......................................................................................................................................245
Auto Save on Reload, Crash, or Rollover................................................................................... 245
Last Restart Reason.......................................................................................................................... 246
Line Card Restart Causes and Reasons......................................................................................246
show hardware Commands.............................................................................................................246
Environmental Monitoring............................................................................................................... 248
Display Power Supply Status...................................................................................................... 248
Display Fan Status....................................................................................................................... 249
Display Transceiver Type............................................................................................................ 249
Recognize an Over-Temperature Condition............................................................................. 251
Troubleshoot an Over-Temperature Condition........................................................................252
Troubleshooting Packet Loss........................................................................................................... 254
Displaying Drop Counters.......................................................................................................... 254
Displaying Dataplane Statistics................................................................................................... 256
Displaying Line-Card Counters.................................................................................................. 257
Accessing Application Core Dumps.................................................................................................258
Mini Core Dumps.............................................................................................................................. 259
Full Kernel Core Dumps....................................................................................................................259
Enabling TCP Dumps........................................................................................................................260
13 Dynamic Host Configuration Protocol (DHCP)........................................ 261
DHCP Packet Format and Options...................................................................................................261
Assign an IP Address using DHCP.................................................................................................... 263
Implementation Information............................................................................................................264
Configure the System to be a DHCP Server.................................................................................... 265
Configuring the Server for Automatic Address Allocation........................................................ 265
Specifying a Default Gateway.....................................................................................................267
Configure a Method of Hostname Resolution...........................................................................267
Using DNS for Address Resolution............................................................................................. 267
Using NetBIOS WINS for Address Resolution............................................................................ 267
Creating Manual Binding Entries................................................................................................ 268
Debugging the DHCP Server......................................................................................................268
Using DHCP Clear Commands.................................................................................................. 268
Configure the System to be a Relay Agent......................................................................................269
Configure the System to be a DHCP Client..................................................................................... 271
DHCP Client on a Management Interface..................................................................................271
DHCP Client Operation with Other Features.............................................................................272
Configure Secure DHCP................................................................................................................... 272
Option 82.....................................................................................................................................273
DHCP Snooping.......................................................................................................................... 273
Drop DHCP Packets on Snooped VLANs Only.......................................................................... 275
Dynamic ARP Inspection............................................................................................................ 276
Configuring Dynamic ARP Inspection........................................................................................ 277
Source Address Validation................................................................................................................ 278
Enabling IP Source Address Validation.......................................................................................278
DHCP MAC Source Address Validation...................................................................................... 279
Enabling IP+MAC Source Address Validation............................................................................ 279
14 Equal Cost Multi-Path (ECMP).....................................................................280
ECMP for Flow-Based Affinity..........................................................................................................280
Enabling Deterministic ECMP Next Hop....................................................................................280
Configuring the Hash Algorithm Seed.......................................................................................280
Link Bundle Monitoring.....................................................................................................................281
Managing ECMP Group Paths.....................................................................................................281
Creating an ECMP Group Bundle...............................................................................................282
Modifying the ECMP Group Threshold...................................................................................... 282
ECMP Support in L3 Host and LPM Tables...................................................................................... 283
15 Enabling FIPS Cryptography........................................................................ 285
Configuration Tasks..........................................................................................................................285
Preparing the System........................................................................................................................285
Enabling FIPS Mode.......................................................................................................................... 286
Generating Host-Keys...................................................................................................................... 286
Monitoring FIPS Mode Status........................................................................................................... 287
Disabling FIPS Mode......................................................................................................................... 287
16 Force10 Resilient Ring Protocol (FRRP).....................................................289
Protocol Overview............................................................................................................................289
Ring Status.................................................................................................................................. 290
Multiple FRRP Rings.....................................................................................................................291
Important FRRP Points................................................................................................................ 291
Important FRRP Concepts.......................................................................................................... 291
Implementing FRRP.......................................................................................................................... 293
FRRP Configuration.......................................................................................................................... 293
Creating the FRRP Group........................................................................................................... 293
Configuring the Control VLAN................................................................................................... 294
Configuring and Adding the Member VLANs.............................................................................295
Setting the FRRP Timers............................................................................................................. 296
Clearing the FRRP Counters.......................................................................................................296
Viewing the FRRP Configuration................................................................................................ 297
Viewing the FRRP Information....................................................................................................297
Troubleshooting FRRP...................................................................................................................... 297
Configuration Checks................................................................................................................. 297
Sample Configuration and Topology...............................................................................................297
17 GARP VLAN Registration Protocol (GVRP)................................................ 300
Important Points to Remember....................................................................................................... 300
Configure GVRP................................................................................................................................ 301
Related Configuration Tasks.......................................................................................................301
Enabling GVRP Globally....................................................................................................................302
Enabling GVRP on a Layer 2 Interface............................................................................................. 302
Configure GVRP Registration........................................................................................................... 302
Configure a GARP Timer.................................................................................................................. 303
18 Internet Group Management Protocol (IGMP).........................................305
IGMP Implementation Information..................................................................................................305
IGMP Protocol Overview..................................................................................................................305
IGMP Version 2............................................................................................................................305
IGMP Version 3............................................................................................................................307
Configure IGMP.................................................................................................................................310
Related Configuration Tasks.......................................................................................................310
Viewing IGMP Enabled Interfaces..................................................................................................... 311
Selecting an IGMP Version................................................................................................................ 311
Viewing IGMP Groups....................................................................................................................... 312
Adjusting Timers................................................................................................................................ 312
Adjusting Query and Response Timers.......................................................................................312
Adjusting the IGMP Querier Timeout Value............................................................................... 313
Configuring a Static IGMP Group..................................................................................................... 313
Enabling IGMP Immediate-Leave.....................................................................................................314
IGMP Snooping................................................................................................................................. 314
IGMP Snooping Implementation Information............................................................................314
Configuring IGMP Snooping.......................................................................................................314
Removing a Group-Port Association..........................................................................................315
Disabling Multicast Flooding....................................................................................................... 315
Specifying a Port as Connected to a Multicast Router.............................................................. 316
Configuring the Switch as Querier............................................................................................. 316
Fast Convergence after MSTP Topology Changes.......................................................................... 317
Designating a Multicast Router Interface......................................................................................... 317
19 Interfaces......................................................................................................... 318
Basic Interface Configuration........................................................................................................... 318
Advanced Interface Configuration................................................................................................... 318
Port Numbering Convention............................................................................................................ 318
Interface Types.................................................................................................................................. 319
View Basic Interface Information..................................................................................................... 319
Enabling a Physical Interface............................................................................................................ 321
Physical Interfaces............................................................................................................................ 322
Port Pipes.....................................................................................................................................322
Network Processing Units (NPUs).............................................................................................. 322
Configuration Task List for Physical Interfaces..........................................................................322
Overview of Layer Modes........................................................................................................... 323
Configuring Layer 2 (Data Link) Mode........................................................................................323
Configuring Layer 2 (Interface) Mode........................................................................................ 324
Configuring Layer 3 (Network) Mode.........................................................................................324
Configuring Layer 3 (Interface) Mode........................................................................................ 325
Egress Interface Selection (EIS)........................................................................................................ 325
Important Points to Remember................................................................................................. 326
Configuring EIS........................................................................................................................... 326
Management Interfaces....................................................................................................................326
Configuring a Dedicated Management Interface...................................................................... 326
Configuring a Management Interface on an Ethernet Port...................................................... 328
VLAN Interfaces.................................................................................................................................329
Loopback Interfaces......................................................................................................................... 330
Null Interfaces...................................................................................................................................330
Port Channel Interfaces....................................................................................................................330
Port Channel Definition and Standards...................................................................................... 331
Port Channel Benefits..................................................................................................................331
Port Channel Implementation.................................................................................................... 331
10/40 Gbps Interfaces in Port Channels.................................................................................... 332
Configuration Tasks for Port Channel Interfaces...................................................................... 332
Creating a Port Channel............................................................................................................. 332
Adding a Physical Interface to a Port Channel.......................................................................... 333
Reassigning an Interface to a New Port Channel...................................................................... 335
Configuring the Minimum Oper Up Links in a Port Channel.................................................... 336
Adding or Removing a Port Channel from a VLAN................................................................... 336
Assigning an IP Address to a Port Channel................................................................................ 337
Deleting or Disabling a Port Channel......................................................................................... 337
Load Balancing Through Port Channels.................................................................................... 337
Load-Balancing Methods............................................................................................................337
Changing the Hash Algorithm....................................................................................................338
Bulk Configuration............................................................................................................................339
Interface Range........................................................................................................................... 339
Bulk Configuration Examples..................................................................................................... 339
Defining Interface Range Macros..................................................................................................... 341
Define the Interface Range.........................................................................................................342
Choosing an Interface-Range Macro........................................................................................ 342
Monitoring and Maintaining Interfaces............................................................................................342
Displaying Traffic Statistics on HiGig Ports......................................................................................343
Link Bundle Monitoring.................................................................................................................... 344
Monitoring HiGig Link Bundles........................................................................................................ 344
Guidelines for Monitoring HiGig Link-Bundles..........................................................................345
Enabling HiGig Link-Bundle Monitoring.................................................................................... 346
Splitting QSFP Ports to SFP+ Ports...................................................................................................347
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port...................................................... 347
Link Dampening................................................................................................................................ 352
Important Points to Remember..................................................................................................353
Enabling Link Dampening........................................................................................................... 353
Using Ethernet Pause Frames for Flow Control.............................................................................. 355
Threshold Settings...................................................................................................................... 355
Enabling Pause Frames............................................................................................................... 356
Configure the MTU Size on an Interface......................................................................................... 356
Auto-Negotiation on Ethernet Interfaces........................................................................................ 357
Set Auto-Negotiation Options................................................................................................... 358
View Advanced Interface Information............................................................................................. 358
Configuring the Interface Sampling Size................................................................................... 359
Dynamic Counters............................................................................................................................360
Clearing Interface Counters........................................................................................................361
20 Internet Protocol Security (IPSec).............................................................. 362
Configuring IPSec..................................................................................................................................... 363
21 IPv4 Routing....................................................................................................364
IP Addresses...................................................................................................................................... 364
Implementation Information...................................................................................................... 364
Configuration Tasks for IP Addresses.............................................................................................. 364
Assigning IP Addresses to an Interface............................................................................................ 365
Configuring Static Routes................................................................................................................ 366
Configure Static Routes for the Management Interface................................................................. 367
Enabling Directed Broadcast............................................................................................................ 367
Resolution of Host Names............................................................................................................... 368
Enabling Dynamic Resolution of Host Names................................................................................ 368
Specifying the Local System Domain and a List of Domains..........................................................369
Configuring DNS with Traceroute................................................................................................... 369
ARP.................................................................................................................................................... 370
Configuration Tasks for ARP.............................................................................................................370
Configuring Static ARP Entries..........................................................................................................371
Enabling Proxy ARP........................................................................................................................... 371
Clearing ARP Cache.......................................................................................................................... 371
ARP Learning via Gratuitous ARP......................................................................................................372
Enabling ARP Learning via Gratuitous ARP...................................................................................... 372
ARP Learning via ARP Request..........................................................................................................372
Configuring ARP Retries....................................................................................................................373
ICMP.................................................................................................................................................. 374
Configuration Tasks for ICMP.......................................................................................................... 374
Enabling ICMP Unreachable Messages............................................................................................374
UDP Helper........................................................................................................................................375
Configure UDP Helper................................................................................................................ 375
Important Points to Remember..................................................................................................375
Enabling UDP Helper........................................................................................................................ 375
Configuring a Broadcast Address.....................................................................................................376
Configurations Using UDP Helper....................................................................................................376
UDP Helper with Broadcast-All Addresses...................................................................................... 376
UDP Helper with Subnet Broadcast Addresses................................................................................377
UDP Helper with Configured Broadcast Addresses........................................................................ 378
UDP Helper with No Configured Broadcast Addresses.................................................................. 378
Troubleshooting UDP Helper........................................................................................................... 379
22 IPv6 Routing................................................................................................... 380
Protocol Overview............................................................................................................................380
Extended Address Space............................................................................................................ 380
Stateless Autoconfiguration....................................................................................................... 380
IPv6 Headers................................................................................................................................381
IPv6 Header Fields.......................................................................................................................382
Extension Header Fields..............................................................................................................383
IPv6 Addressing...........................................................................................................................384
IPv6 Implementation on the Dell Networking OS...........................................................................386
Configuring the LPM Table for IPv6 Extended Prefixes.................................................................. 388
ICMPv6.............................................................................................................................................. 388
Path MTU Discovery......................................................................................................................... 388
IPv6 Neighbor Discovery..................................................................................................................389
IPv6 Neighbor Discovery of MTU Packets................................................................................. 390
Configuring the IPv6 Recursive DNS Server.............................................................................. 390
Secure Shell (SSH) Over an IPv6 Transport......................................................................................392
Configuration Tasks for IPv6............................................................................................................ 392
Adjusting Your CAM Profile........................................................................................................ 393
Assigning an IPv6 Address to an Interface................................................................................. 393
Assigning a Static IPv6 Route..................................................................................................... 394
Configuring Telnet with IPv6......................................................................................................395
SNMP over IPv6...........................................................................................................................395
Displaying IPv6 Information....................................................................................................... 395
Displaying an IPv6 Configuration...............................................................................................396
Displaying IPv6 Routes............................................................................................................... 396
Displaying the Running Configuration for an Interface............................................................ 398
Clearing IPv6 Routes...................................................................................................................398
23 Intermediate System to Intermediate System.......................................... 399
IS-IS Protocol Overview................................................................................................................... 399
IS-IS Addressing................................................................................................................................ 399
Multi-Topology IS-IS........................................................................................................................400
Transition Mode..........................................................................................................................400
Interface Support........................................................................................................................ 401
Adjacencies..................................................................................................................................401
Graceful Restart................................................................................................................................ 401
Timers.......................................................................................................................................... 401
Implementation Information............................................................................................................402
Configuration Information............................................................................................................... 403
Configuration Tasks for IS-IS..................................................................................................... 403
Configuring the Distance of a Route..........................................................................................412
Changing the IS-Type................................................................................................................. 412
Redistributing IPv4 Routes.......................................................................................................... 415
Redistributing IPv6 Routes..........................................................................................................416
Configuring Authentication Passwords...................................................................................... 417
Setting the Overload Bit.............................................................................................................. 417
Debugging IS-IS.......................................................................................................................... 418
IS-IS Metric Styles..............................................................................................................................419
Configure Metric Values................................................................................................................... 419
Maximum Values in the Routing Table...................................................................................... 420
Change the IS-IS Metric Style in One Level Only......................................................................420
Leaks from One Level to Another.............................................................................................. 422
Sample Configurations..................................................................................................................... 422
24 Link Aggregation Control Protocol (LACP)...............................................425
Introduction to Dynamic LAGs and LACP....................................................................................... 425
Important Points to Remember................................................................................................. 425
LACP Modes................................................................................................................................ 426
Configuring LACP Commands...................................................................................................426
LACP Configuration Tasks................................................................................................................ 427
Creating a LAG............................................................................................................................ 427
Configuring the LAG Interfaces as Dynamic..............................................................................427
Setting the LACP Long Timeout.................................................................................................428
Monitoring and Debugging LACP.............................................................................................. 429
Shared LAG State Tracking............................................................................................................... 429
Configuring Shared LAG State Tracking.................................................................................... 430
Important Points about Shared LAG State Tracking.................................................................. 431
LACP Basic Configuration Example................................................................................................. 432
Configure a LAG on ALPHA........................................................................................................ 432
25 Layer 2..............................................................................................................440
Manage the MAC Address Table......................................................................................................440
Clearing the MAC Address Table............................................................................................... 440
Setting the Aging Time for Dynamic Entries............................................................................. 440
Configuring a Static MAC Address..............................................................................................441
Displaying the MAC Address Table.............................................................................................441
MAC Learning Limit...........................................................................................................................441
Setting the MAC Learning Limit..................................................................................................442
mac learning-limit Dynamic.......................................................................................................442
mac learning-limit mac-address-sticky.....................................................................................442
mac learning-limit station-move............................................................................................... 443
mac learning-limit no-station-move.........................................................................................443
Learning Limit Violation Actions................................................................................................ 444
Setting Station Move Violation Actions......................................................................................444
Recovering from Learning Limit and Station Move Violations................................................. 444
NIC Teaming..................................................................................................................................... 445
Configure Redundant Pairs.............................................................................................................. 446
Important Points about Configuring Redundant Pairs..............................................................448
Far-End Failure Detection................................................................................................................ 449
FEFD State Changes....................................................................................................................450
Configuring FEFD........................................................................................................................ 451
Enabling FEFD on an Interface................................................................................................... 452
Debugging FEFD......................................................................................................................... 453
26 Link Layer Discovery Protocol (LLDP)........................................................ 455
802.1AB (LLDP) Overview................................................................................................................. 455
Protocol Data Units.....................................................................................................................455
Optional TLVs....................................................................................................................................456
Management TLVs...................................................................................................................... 456
TIA-1057 (LLDP-MED) Overview......................................................................................................458
TIA Organizationally Specific TLVs.............................................................................................459
Configure LLDP.................................................................................................................................463
Related Configuration Tasks...................................................................................................... 463
Important Points to Remember................................................................................................. 464
LLDP Compatibility..................................................................................................................... 464
CONFIGURATION versus INTERFACE Configurations................................................................... 464
Enabling LLDP................................................................................................................................... 465
Disabling and Undoing LLDP......................................................................................................465
Enabling LLDP on Management Ports............................................................................................. 465
Disabling and Undoing LLDP on Management Ports................................................................465
Advertising TLVs................................................................................................................................466
Viewing the LLDP Configuration......................................................................................................467
Viewing Information Advertised by Adjacent LLDP Agents............................................................ 468
Configuring LLDPDU Intervals......................................................................................................... 469
Configuring Transmit and Receive Mode........................................................................................469
Configuring a Time to Live............................................................................................................... 470
Debugging LLDP................................................................................................................................471
Relevant Management Objects........................................................................................................ 472
27 Microsoft Network Load Balancing............................................................ 478
NLB Unicast and Multicast Modes................................................................................................... 478
NLB Unicast Mode Example....................................................................................................... 478
NLB Multicast Mode Example.....................................................................................................479
NLB Benefits......................................................................................................................................479
NLB Restrictions................................................................................................................................479
NLB VLAN Flooding.......................................................................................................................... 480
Configuring NLB on a Switch...........................................................................................................480
28 Multicast Source Discovery Protocol (MSDP)...........................................481
Protocol Overview............................................................................................................................ 481
Anycast RP........................................................................................................................................ 483
Implementation Information............................................................................................................483
Configure Multicast Source Discovery Protocol.............................................................................483
Related Configuration Tasks...................................................................................................... 483
Enable MSDP.....................................................................................................................................487
Manage the Source-Active Cache...................................................................................................488
Viewing the Source-Active Cache............................................................................................. 488
Limiting the Source-Active Cache............................................................................................. 489
Clearing the Source-Active Cache............................................................................................ 489
Enabling the Rejected Source-Active Cache............................................................................ 489
Accept Source-Active Messages that Fail the RPF Check.............................................................. 489
Specifying Source-Active Messages................................................................................................ 493
Limiting the Source-Active Messages from a Peer......................................................................... 494
Preventing MSDP from Caching a Local Source.............................................................................494
Preventing MSDP from Caching a Remote Source.........................................................................495
Preventing MSDP from Advertising a Local Source........................................................................ 496
Logging Changes in Peership States................................................................................................497
Terminating a Peership.....................................................................................................................497
Clearing Peer Statistics..................................................................................................................... 497
Debugging MSDP............................................................................................................................. 498
MSDP with Anycast RP..................................................................................................................... 498
Configuring Anycast RP................................................................................................................... 500
Reducing Source-Active Message Flooding..............................................................................500
Specifying the RP Address Used in SA Messages...................................................................... 500
MSDP Sample Configurations.......................................................................................................... 503
29 Multiple Spanning Tree Protocol (MSTP).................................................. 506
Protocol Overview............................................................................................................................506
Spanning Tree Variations..................................................................................................................507
Implementation Information...................................................................................................... 507
Configure Multiple Spanning Tree Protocol....................................................................................507
Related Configuration Tasks.......................................................................................................507
Enable Multiple Spanning Tree Globally..........................................................................................508
Adding and Removing Interfaces.....................................................................................................508
Creating Multiple Spanning Tree Instances.....................................................................................508
Influencing MSTP Root Selection.....................................................................................................510
Interoperate with Non-Dell Bridges.................................................................................................510
Changing the Region Name or Revision.......................................................................................... 511
Modifying Global Parameters............................................................................................................511
Modifying the Interface Parameters................................................................................................. 512
Configuring an EdgePort.................................................................................................................. 513
Flush MAC Addresses after a Topology Change..............................................................................514
MSTP Sample Configurations........................................................................................................... 514
Router 1 Running-Configuration, Router 2 Running-Configuration, Router 3 Running-Configuration, Example Running-Configuration.........................................................................515
Debugging and Verifying MSTP Configurations.............................................................................. 518
30 Multicast Features.......................................................................................... 521
Enabling IP Multicast......................................................................................................................... 521
Multicast with ECMP......................................................................................................................... 521
Implementation Information............................................................................................................ 522
First Packet Forwarding for Lossless Multicast................................................................................ 523
Multicast Policies...............................................................................................................................523
IPv4 Multicast Policies.................................................................................................................523
31 Open Shortest Path First (OSPFv2 and OSPFv3)....................................... 531
Protocol Overview.............................................................................................................................531
Autonomous System (AS) Areas..................................................................................................531
Area Types................................................................................................................................... 532
Networks and Neighbors............................................................................................................ 533
Router Types............................................................................................................................... 533
Designated and Backup Designated Routers.............................................................................535
Link-State Advertisements (LSAs)............................................................................................... 535
Virtual Links..................................................................................................................................537
Router Priority and Cost..............................................................................................................537
OSPF Implementation...................................................................................................................... 538
Fast Convergence (OSPFv2, IPv4 Only)..................................................................................... 538
Multi-Process OSPFv2 (IPv4 only).............................................................................................. 538
RFC-2328 Compliant OSPF Flooding........................................................................................ 539
OSPF ACK Packing......................................................................................................................540
Setting OSPF Adjacency with Cisco Routers............................................................................. 540
Configuration Information................................................................................................................541
Configuration Task List for OSPFv2 (OSPF for IPv4).................................................................. 541
Sample Configurations for OSPFv2..................................................................................................556
Basic OSPFv2 Router Topology..................................................................................................556
OSPF Area 0 — Te 1/1 and 1/2.................................................................................................... 556
OSPF Area 0 — Te 3/1 and 3/2....................................................................................................557
OSPF Area 0 — Te 2/1 and 2/2....................................................................................................557
Configuration Task List for OSPFv3 (OSPF for IPv6)........................................................................557
Enabling IPv6 Unicast Routing................................................................................................... 558
Assigning IPv6 Addresses on an Interface................................................................................. 558
Assigning Area ID on an Interface.............................................................................................. 558
Assigning OSPFv3 Process ID and Router ID Globally.............................................................. 559
Configuring Stub Areas............................................................................................................... 559
Configuring Passive-Interface.................................................................................................... 559
Redistributing Routes................................................................................................................. 560
Configuring a Default Route...................................................................................................... 560
OSPFv3 Authentication Using IPsec........................................................................................... 561
Troubleshooting OSPFv3............................................................................................................568
32 Pay As You Grow............................................................................................ 570
Installing a License............................................................................................................................570
Displaying License Information........................................................................................................ 573
33 PIM Sparse-Mode (PIM-SM)..........................................................................575
Implementation Information............................................................................................................ 575
Protocol Overview............................................................................................................................ 575
Requesting Multicast Traffic........................................................................................................575
Refuse Multicast Traffic...............................................................................................................576
Send Multicast Traffic..................................................................................................................576
Configuring PIM-SM..........................................................................................................................577
Related Configuration Tasks....................................................................................................... 577
Enable PIM-SM.................................................................................................................................. 577
Configuring S,G Expiry Timers..........................................................................................................578
Configuring a Static Rendezvous Point............................................................................................579
Overriding Bootstrap Router Updates....................................................................................... 580
Configuring a Designated Router.................................................................................................... 580
Creating Multicast Boundaries and Domains...................................................................................581
Enabling PIM-SM Graceful Restart................................................................................................... 581
34 PIM Source-Specific Mode (PIM-SSM)....................................................... 582
Implementation Information............................................................................................................582
Important Points to Remember................................................................................................. 582
Configure PIM-SSM......................................................................................................... 583
Related Configuration Tasks.......................................................................................................583
Enabling PIM-SSM.............................................................................................................................583
Use PIM-SSM with IGMP Version 2 Hosts........................................................................................583
Configuring PIM-SSM with IGMPv2........................................................................................... 584
35 Policy-based Routing (PBR)......................................................................... 586
Overview........................................................................................................................................... 586
Implementing Policy-based Routing with Dell Networking OS..................................................... 588
Configuration Task List for Policy-based Routing.......................................................................... 588
PBR Exceptions (Permit)..............................................................................................................591
Sample Configuration.......................................................................................................................593
Create the Redirect-List GOLD, Assign Redirect-List GOLD to Interface 2/11, View Redirect-List GOLD.....................................................................................................594
36 Port Monitoring..............................................................................................596
Local Port Monitoring.......................................................................................................................596
Important Points to Remember................................................................................................. 596
Examples of Port Monitoring......................................................................................................596
Configuring Port Monitoring...................................................................................................... 598
Remote Port Mirroring......................................................................................................................599
Remote Port Mirroring Example.................................................................................................599
Configuring Remote Port Mirroring...........................................................................................600
Displaying a Remote-Port Mirroring Configuration..................................................................602
Configuring Remote Port Monitoring........................................................................................602
Encapsulated Remote-Port Monitoring.......................................................................................... 606
37 Private VLANs (PVLAN)..................................................................................608
Private VLAN Concepts.................................................................................................................... 608
Using the Private VLAN Commands................................................................................................ 609
Configuration Task List..................................................................................................................... 610
Creating PVLAN ports................................................................................................................. 610
Creating a Primary VLAN............................................................................................................. 611
Creating a Community VLAN......................................................................................................612
Creating an Isolated VLAN.......................................................................................................... 613
Private VLAN Configuration Example...............................................................................................614
Inspecting the Private VLAN Configuration..................................................................................... 615
38 Per-VLAN Spanning Tree Plus (PVST+)...................................................... 618
Protocol Overview............................................................................................................................ 618
Implementation Information............................................................................................................ 619
Configure Per-VLAN Spanning Tree Plus.........................................................................................619
Related Configuration Tasks.......................................................................................................619
Enabling PVST+................................................................................................................................. 619
Disabling PVST+............................................................................................................................... 620
Influencing PVST+ Root Selection...................................................................................................620
Modifying Global PVST+ Parameters...............................................................................................622
Modifying Interface PVST+ Parameters........................................................................................... 623
Configuring an EdgePort..................................................................................................................624
PVST+ in Multi-Vendor Networks.................................................................................................... 625
Enabling PVST+ Extend System ID...................................................................................................625
PVST+ Sample Configurations......................................................................................................... 626
39 Quality of Service (QoS)................................................................................628
Implementation Information............................................................................................................628
Port-Based QoS Configurations...................................................................................................... 629
Setting dot1p Priorities for Incoming Traffic..............................................................................629
Honoring dot1p Priorities on Ingress Traffic..............................................................................630
Configuring Port-Based Rate Policing.......................................................................................630
Configuring Port-Based Rate Shaping....................................................................................... 631
Policy-Based QoS Configurations................................................................................................... 632
Classify Traffic............................................................................................................................. 632
Create a QoS Policy....................................................................................................................638
Create Policy Maps......................................................................................................................641
DSCP Color Maps............................................................................................................................. 645
Creating a DSCP Color Map....................................................................................................... 645
Displaying DSCP Color Maps..................................................................................................... 646
Displaying a DSCP Color Policy Configuration......................................................................646
Enabling QoS Rate Adjustment........................................................................................................ 647
Enabling Strict-Priority Queueing....................................................................................................648
Weighted Random Early Detection................................................................................................. 648
Creating WRED Profiles.............................................................................................................. 649
Applying a WRED Profile to Traffic.............................................................................................650
Displaying Default and Configured WRED Profiles................................................................... 650
Displaying WRED Drop Statistics................................................................................................650
Explicit Congestion Notification.......................................................................................................651
ECN Packet Classification........................................................................................................... 651
Example: Color-marking non-ECN Packets in One Traffic Class............................................ 652
Example: Color-marking non-ECN Packets in Different Traffic Classes................................. 652
Using A Configurable Weight for WRED and ECN.......................................................................... 653
Benefits of Using a Configurable Weight for WRED with ECN................................................. 654
Setting Average Queue Size using a Weight..............................................................................654
Global Service-Pools for WRED with ECN.................................................................................655
Configuring a Weight for WRED and ECN Operation............................................................... 656
Pre-Calculating Available QoS CAM Space..................................................................................... 657
SNMP Support for Buffer Statistics Tracking................................................................................... 658
40 Routing Information Protocol (RIP)........................................................... 659
Protocol Overview............................................................................................................................659
RIPv1............................................................................................................................................ 659
RIPv2............................................................................................................................................659
Implementation Information............................................................................................................660
Configuration Information............................................................................................................... 660
Configuration Task List...............................................................................................................660
RIP Configuration Example.........................................................................................................667
41 Remote Monitoring (RMON)........................................................................ 673
Implementation Information............................................................................................................ 673
Fault Recovery...................................................................................................................................673
Setting the RMON Alarm............................................................................................................ 674
Configuring an RMON Event...................................................................................................... 675
Configuring RMON Collection Statistics....................................................................................675
Configuring the RMON Collection History................................................................................ 676
42 Rapid Spanning Tree Protocol (RSTP)........................................................ 677
Protocol Overview............................................................................................................................ 677
Configuring Rapid Spanning Tree.................................................................................................... 677
Related Configuration Tasks....................................................................................................... 677
Important Points to Remember........................................................................................................677
RSTP and VLT.............................................................................................................................. 678
Configuring Interfaces for Layer 2 Mode.........................................................................................678
Enabling Rapid Spanning Tree Protocol Globally............................................................................679
Adding and Removing Interfaces..................................................................................................... 681
Modifying Global Parameters...........................................................................................................682
Enabling SNMP Traps for Root Elections and Topology Changes........................................... 683
Modifying Interface Parameters.......................................................................................................683
Influencing RSTP Root Selection..................................................................................................... 684
Configuring an EdgePort..................................................................................................................684
Configuring Fast Hellos for Link State Detection............................................................................ 685
43 Security............................................................................................................ 687
Role-Based Access Control..............................................................................................................687
Overview of RBAC.......................................................................................................................687
User Roles................................................................................................................................... 690
AAA Authentication and Authorization for Roles.......................................................................693
Role Accounting......................................................................................................................... 696
Display Information About User Roles....................................................................................... 697
AAA Accounting................................................................................................................................699
Configuration Task List for AAA Accounting............................................................................. 699
AAA Authentication........................................................................................................................... 701
Configuration Task List for AAA Authentication.........................................................................701
AAA Authorization.............................................................................................................................704
Privilege Levels Overview........................................................................................................... 704
Configuration Task List for Privilege Levels............................................................................... 705
RADIUS.............................................................................................................................................. 709
RADIUS Authentication and Authorization................................................................................ 709
Configuration Task List for RADIUS............................................................................................ 710
TACACS+........................................................................................................................................... 713
Configuration Task List for TACACS+.........................................................................................713
TACACS+ Remote Authentication and Authorization............................................................... 715
Command Authorization.............................................................................................................716
Protection from TCP Tiny and Overlapping Fragment Attacks....................................................... 717
Enabling SCP and SSH....................................................................................................................... 717
Using SCP with SSH to Copy a Software Image.........................................................................718
Removing the RSA Host Keys and Zeroizing Storage.............................................................719
Configuring When to Re-generate an SSH Key......................................................................719
Configuring the SSH Server Cipher List..................................................................................... 720
Configuring the HMAC Algorithm for the SSH Server...............................................................720
Configuring the SSH Server Cipher List...................................................................................... 721
Secure Shell Authentication........................................................................................................ 721
Troubleshooting SSH.................................................................................................................. 724
Telnet.................................................................................................................................................724
VTY Line and Access-Class Configuration.......................................................................................725
VTY Line Local Authentication and Authorization..................................................................... 725
VTY Line Remote Authentication and Authorization.................................................................726
VTY MAC-SA Filter Support.........................................................................................................726
44 Service Provider Bridging.............................................................................728
VLAN Stacking................................................................................................................................... 728
Important Points to Remember..................................................................................................729
Configure VLAN Stacking........................................................................................................... 730
Creating Access and Trunk Ports............................................................................................... 730
Enable VLAN-Stacking for a VLAN.............................................................................................. 731
Configuring the Protocol Type Value for the Outer VLAN Tag................................................. 731
Configuring Options for Trunk Ports.......................................................................................... 731
Debugging VLAN Stacking.......................................................................................................... 732
VLAN Stacking in Multi-Vendor Networks................................................................................. 733
VLAN Stacking Packet Drop Precedence.........................................................................................736
Enabling Drop Eligibility.............................................................................................................. 736
Honoring the Incoming DEI Value..............................................................................................737
Marking Egress Packets with a DEI Value...................................................................................738
Dynamic Mode CoS for VLAN Stacking........................................................................................... 738
Mapping C-Tag to S-Tag dot1p Values..................................................................................... 740
Layer 2 Protocol Tunneling.............................................................................................................. 740
Implementation Information...................................................................................................... 742
Enabling Layer 2 Protocol Tunneling......................................................................................... 742
Specifying a Destination MAC Address for BPDUs.................................................................... 743
Setting Rate-Limit BPDUs........................................................................................................... 743
Debugging Layer 2 Protocol Tunneling.....................................................................................744
Provider Backbone Bridging.............................................................................................................744
45 sFlow.................................................................................................................745
Overview............................................................................................................................................745
Implementation Information............................................................................................................ 745
Important Points to Remember................................................................................................. 746
Enabling and Disabling sFlow...........................................................................................................746
Enabling and Disabling sFlow on an Interface.................................................................................746
sFlow Show Commands................................................................................................................... 747
Displaying Show sFlow Global....................................................................................................747
Displaying Show sFlow on an Interface..................................................................................... 747
Displaying Show sFlow on a Line Card...................................................................................... 748
Configuring Specify Collectors........................................................................................................ 748
Changing the Polling Intervals......................................................................................................... 748
Back-Off Mechanism........................................................................................................................749
sFlow on LAG ports...........................................................................................................................749
Enabling Extended sFlow..................................................................................................................749
Important Points to Remember..................................................................................................750
46 Simple Network Management Protocol (SNMP)......................................752
Protocol Overview............................................................................................................................ 752
Implementation Information............................................................................................................ 752
Configuration Task List for SNMP.....................................................................................................752
Related Configuration Tasks....................................................................................................... 753
Important Points to Remember........................................................................................................753
Set up SNMP......................................................................................................................................753
Creating a Community................................................................................................................753
Setting Up User-Based Security (SNMPv3).................................................................................754
Reading Managed Object Values......................................................................................................755
Writing Managed Object Values....................................................................................................... 756
Configuring Contact and Location Information using SNMP.........................................................756
Subscribing to Managed Object Value Updates using SNMP..........................................................757
Enabling a Subset of SNMP Traps.................................................................................................... 758
Copy Configuration Files Using SNMP............................................................................................ 760
Copying a Configuration File......................................................................................................762
Copying Configuration Files via SNMP.......................................................................................763
Copying the Startup-Config Files to the Running-Config........................................................ 763
Copying the Startup-Config Files to the Server via FTP............................................................764
Copying the Startup-Config Files to the Server via TFTP..........................................................764
Copy a Binary File to the Startup-Configuration....................................................................... 765
Additional MIB Objects to View Copy Statistics.........................................................................765
Obtaining a Value for MIB Objects.............................................................................................766
Manage VLANs using SNMP..............................................................................................................767
Creating a VLAN.......................................................................................................................... 767
Assigning a VLAN Alias................................................................................................................ 767
Displaying the Ports in a VLAN....................................................................................................767
Add Tagged and Untagged Ports to a VLAN.............................................................................. 767
Managing Overload on Startup........................................................................................................ 768
Enabling and Disabling a Port using SNMP......................................................................................769
Fetch Dynamic MAC Entries using SNMP........................................................................................ 770
Deriving Interface Indices..................................................................................................................771
Monitor Port-Channels..................................................................................................................... 772
Troubleshooting SNMP Operation................................................................................................... 774
47 Storm Control................................................................................................. 775
Configure Storm Control.................................................................................................................. 775
Configuring Storm Control from INTERFACE Mode................................................................. 775
Configuring Storm Control from CONFIGURATION Mode...................................................... 775
48 Spanning Tree Protocol (STP)......................................................................776
Protocol Overview............................................................................................................................ 776
Configure Spanning Tree..................................................................................................................776
Related Configuration Tasks....................................................................................................... 776
Important Points to Remember........................................................................................................776
Configuring Interfaces for Layer 2 Mode......................................................................................... 777
Enabling Spanning Tree Protocol Globally...................................................................................... 778
Adding an Interface to the Spanning Tree Group........................................................................... 780
Modifying Global Parameters........................................................................................................... 781
Modifying Interface STP Parameters................................................................................................782
Enabling PortFast.............................................................................................................................. 782
Preventing Network Disruptions with BPDU Guard........................................................................ 783
Selecting STP Root............................................................................................................................785
STP Root Guard................................................................................................................................ 786
Root Guard Scenario.................................................................................................................. 786
Configuring Root Guard............................................................................................................. 787
Enabling SNMP Traps for Root Elections and Topology Changes................................................. 788
STP Loop Guard................................................................................................................................ 788
Configuring Loop Guard.............................................................................................................789
Displaying STP Guard Configuration............................................................................................... 790
49 System Time and Date...................................................................................792
Network Time Protocol.................................................................................................................... 792
Protocol Overview...................................................................................................................... 793
Configure the Network Time Protocol...................................................................................... 793
Enabling NTP...............................................................................................................................794
Setting the Hardware Clock with the Time Derived from NTP.................................................794
Configuring NTP Broadcasts...................................................................................................... 795
Disabling NTP on an Interface....................................................................................................795
Configuring a Source IP Address for NTP Packets.................................................................... 795
Configuring NTP Authentication................................................................................................ 796
Time and Date...................................................................................................................................799
Configuration Task List.......................................................................................................799
Setting the Time and Date for the Switch Hardware Clock...................................................... 799
Setting the Time and Date for the Switch Software Clock....................................................... 799
Setting the Timezone................................................................................................................. 800
Set Daylight Saving Time............................................................................................................800
Setting Daylight Saving Time Once........................................................................................... 800
Setting Recurring Daylight Saving Time.....................................................................................801
50 Tunneling......................................................................................................... 803
Configuring a Tunnel........................................................................................................................803
Configuring Tunnel Keepalive Settings........................................................................................... 804
Configuring a Tunnel Interface........................................................................................................805
Configuring Tunnel allow-remote Decapsulation..........................................................................805
Configuring Tunnel source anylocal Decapsulation...................................................................... 806
Multipoint Receive-Only Tunnels.................................................................................................... 806
Guidelines for Configuring Multipoint Receive-Only Tunnels................................................. 806
51 Upgrade Procedures......................................................................................808
Upgrade Overview.................................................................................................................................808
Get Help with Upgrades........................................................................................................................ 808
Z9500 Bootup and Upgrades.......................................................................................................... 808
52 Uplink Failure Detection (UFD)....................................................................810
Feature Description...........................................................................................................................810
How Uplink Failure Detection Works................................................................................................811
UFD and NIC Teaming...................................................................................................................... 812
Important Points to Remember........................................................................................................812
Configuring Uplink Failure Detection...............................................................................................813
Clearing a UFD-Disabled Interface...................................................................................................815
Displaying Uplink Failure Detection................................................................................................. 816
Sample Configuration: Uplink Failure Detection............................................................................. 818
53 Virtual LANs (VLANs)..................................................................................... 820
Default VLAN.....................................................................................................................................820
Port-Based VLANs............................................................................................................................. 821
VLANs and Port Tagging................................................................................................................... 821
Configuration Task List.....................................................................................................................822
Creating a Port-Based VLAN...................................................................................................... 822
Assigning Interfaces to a VLAN...................................................................................................823
Moving Untagged Interfaces...................................................................................................... 824
Assigning an IP Address to a VLAN.............................................................................................826
Configuring Native VLANs................................................................................................................826
Enabling Null VLAN as the Default VLAN......................................................................................... 827
54 Virtual Link Trunking (VLT).......................................................................... 828
Overview........................................................................................................................................... 828
VLT on Core Switches................................................................................................................ 829
Enhanced VLT............................................................................................................................. 829
VLT Terminology.............................................................................................................................. 830
Configure Virtual Link Trunking........................................................................................................831
Important Points to Remember..................................................................................................831
Configuration Notes................................................................................................................... 832
Primary and Secondary VLT Peers............................................................................................. 835
RSTP and VLT.............................................................................................................................. 836
VLT Bandwidth Monitoring.........................................................................................................836
VLT and Stacking.........................................................................................................................836
VLT and IGMP Snooping............................................................................................................. 837
VLT IPv6....................................................................................................................................... 837
VLT Port Delayed Restoration.....................................................................................................837
PIM-Sparse Mode Support on VLT............................................................................................. 837
VLT Routing ................................................................................................................................839
Non-VLT ARP Sync......................................................................................................................841
RSTP Configuration.......................................................................................................................... 842
Preventing Forwarding Loops in a VLT Domain........................................................................ 842
Sample RSTP Configuration....................................................................................................... 842
Configuring VLT.......................................................................................................................... 843
eVLT Configuration Example........................................................................................................... 854
eVLT Configuration Step Examples............................................................................................855
PIM-Sparse Mode Configuration Example...................................................................................... 857
Verifying a VLT Configuration.......................................................................................................... 857
Additional VLT Sample Configurations............................................................................................ 861
Configuring Virtual Link Trunking (VLT Peer 1)...................................................................................... 861
Configuring Virtual Link Trunking (VLT Peer 2)...................................................................................... 861
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch).................. 861
Troubleshooting VLT........................................................................................................................ 863
Reconfiguring Stacked Switches as VLT.......................................................................................... 865
Specifying VLT Nodes in a PVLAN....................................................................................................865
Association of VLTi as a Member of a PVLAN............................................................................866
MAC Synchronization for VLT Nodes in a PVLAN..................................................................... 867
PVLAN Operations When One VLT Peer is Down..................................................................... 867
PVLAN Operations When a VLT Peer is Restarted..................................................................... 867
Interoperation of VLT Nodes in a PVLAN with ARP Requests...................................................868
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN....... 868
Configuring a VLT VLAN or LAG in a PVLAN................................................................................... 870
Creating a VLT LAG or a VLT VLAN............................................................................................ 870
Associating the VLT LAG or VLT VLAN in a PVLAN.................................................................... 871
Proxy ARP Capability on VLT Peer Nodes........................................................................................872
Working of Proxy ARP for VLT Peer Nodes................................................................................872
VLT Nodes as Rendezvous Points for Multicast Resiliency............................................................. 873
55 VLT Proxy Gateway........................................................................................ 875
Proxy Gateway in VLT Domains....................................................................................................... 875
LLDP organizational TLV for proxy gateway.............................................................................. 877
Sample Configuration Scenario for VLT Proxy Gateway...........................................................878
Configuring an LLDP VLT Proxy Gateway....................................................................................... 880
56 Virtual Router Redundancy Protocol (VRRP)............................................881
VRRP Overview..................................................................................................................................881
VRRP Benefits................................................................................................................................... 882
VRRP Implementation...................................................................................................................... 882
VRRP Configuration..........................................................................................................................883
Configuration Task List............................................................................................................... 883
Setting VRRP Initialization Delay................................................................................................ 893
Sample Configurations.....................................................................................................................894
VRRP for an IPv4 Configuration................................................................................................. 894
VRRP in a VRF Configuration......................................................................................................899
57 Standards Compliance.................................................................................. 905
IEEE Compliance.............................................................................................................................. 905
RFC and I-D Compliance................................................................................................................. 906
General Internet Protocols.........................................................................................................906
Border Gateway Protocol (BGP).................................................................................................907
General IPv4 Protocols...............................................................................................................908
General IPv6 Protocols...............................................................................................................909
Intermediate System to Intermediate System (IS-IS).................................................................910
Network Management................................................................................................................ 912
Multicast...................................................................................................................................... 918
Open Shortest Path First (OSPF)................................................................................................. 919
Routing Information Protocol (RIP)........................................................................................... 920
MIB Location.....................................................................................................................................920
1 About this Guide
This guide describes the protocols and features that the Dell Networking Operating Software (OS)
supports on the Z9500 system and provides configuration instructions and examples for implementing
them.
Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Dell Networking systems. For complete information
about protocols, refer to related documentation, including IETF requests for comments (RFCs). The
instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list
of the supported RFCs and management information base files (MIBs).
Audience
This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes knowledge in Layer 2 and Layer 3 networking technologies.
Conventions
This guide uses the following conventions to describe command syntax.
Keyword      Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
x|y          Keywords and parameters separated by a bar require you to choose one option.
x||y         Keywords and parameters separated by a double bar allow you to choose any or all of the options.
Related Documents
For more information about the Dell Networking Z9500 system, refer to the following documents:
• Dell Networking Z9500 Getting Started Guide
• Dell Networking Z9500 Installation Guide
• Dell Networking Z9500 Command Line Reference Guide
• Dell Networking Z9500 Release Notes
2 Configuration Fundamentals
The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure
interfaces and protocols.
The CLI is structured in modes for security and management purposes. Different sets of commands are
available in each mode, and you can limit user access to modes using privilege levels.
After you enter a command, the command is added to the running configuration file. You can view the
current configuration for the whole system or for a particular CLI mode. To save the current
configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features
may occasionally differ between the platforms. Differences are noted in each CLI description and
related documentation.
Accessing the Command Line
Access the CLI through a serial console port or a Telnet session.
When the system successfully boots, enter the command line in EXEC mode.
NOTE: You must have a password configured on a virtual terminal line before you can Telnet into
the system. Therefore, you must use a console connection when connecting to the system for the
first time.
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
Dell>
CLI Modes
Different sets of commands are available in each mode.
A command found in one mode cannot be executed from another mode (except for EXEC mode
commands preceded by the do command; refer to the do Command section).
You can set user access rights to commands and command modes using privilege levels; for more
information about privilege levels and security options, refer to the Privilege Levels Overview section in
the Security chapter.
The CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
• CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The
following example shows the submode command structure. Two sub-CONFIGURATION modes are
important when configuring the chassis for the first time:
• INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 10 Gigabit Ethernet, or 40 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
• LINE submode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For
example, when you are in CONFIGURATION mode, entering the question mark first lists all available
commands, including the possible submodes.
The CLI modes are:
EXEC
EXEC Privilege
  CONFIGURATION
    AS-PATH ACL
    CONTROL-PLANE
    CLASS-MAP
    DCB POLICY
    DHCP
      DHCP POOL
    ECMP-GROUP
    EXTENDED COMMUNITY
    FRRP
    INTERFACE
      GIGABIT ETHERNET
      10 GIGABIT ETHERNET
      40 GIGABIT ETHERNET
      INTERFACE RANGE
      LOOPBACK
      MANAGEMENT ETHERNET
      NULL
      PORT-CHANNEL
      TUNNEL
      VLAN
      VRRP
    IP
    IPv6
    IP COMMUNITY-LIST
    IP ACCESS-LIST
      STANDARD ACCESS-LIST
      EXTENDED ACCESS-LIST
    MAC ACCESS-LIST
    LINE
      AUXILIARY
      CONSOLE
      VIRTUAL TERMINAL
    LLDP
      LLDP MANAGEMENT INTERFACE
    MONITOR SESSION
    MULTIPLE SPANNING TREE
    OPENFLOW INSTANCE
    PVST
    PORT-CHANNEL FAILOVER-GROUP
    PREFIX-LIST
    PRIORITY-GROUP
    PROTOCOL GVRP
    QOS POLICY
    RSTP
    ROUTE-MAP
    ROUTER BGP
      BGP ADDRESS-FAMILY
    ROUTER ISIS
      ISIS ADDRESS-FAMILY
    ROUTER OSPF
    ROUTER OSPFV3
    ROUTER RIP
    SPANNING TREE
    TRACE-LIST
    VLT DOMAIN
    VRRP
    UPLINK STATE GROUP
uBoot
GRUB
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI
mode. Move linearly through the command modes, except for the end command which takes you
directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers
to identify the mode and slot/port information.
Table 1. Command Modes
CLI Command Mode | Prompt | Access Command
EXEC | Dell> | Access the router through the console or Telnet.
EXEC Privilege | Dell# | From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION | Dell(conf)# | From EXEC Privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.
NOTE: Access all of the following modes from CONFIGURATION mode.
AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list
10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | Dell(conf-if-fo-0/0)# | interface (INTERFACE modes)
Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFACE modes)
Management Ethernet Interface | Dell(conf-if-ma-0/0)# | interface (INTERFACE modes)
Null Interface | Dell(conf-if-nu-0)# | interface (INTERFACE modes)
Port-channel Interface | Dell(conf-if-po-0)# | interface (INTERFACE modes)
Tunnel Interface | Dell(conf-if-tu-0)# | interface (INTERFACE modes)
VLAN Interface | Dell(conf-if-vl-0)# | interface (INTERFACE modes)
STANDARD ACCESS-LIST | Dell(config-std-nacl)# | ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | Dell(config-ext-nacl)# | ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST | Dell(config-community-list)# | ip community-list
AUXILIARY | Dell(config-line-aux)# | line (LINE Modes)
CONSOLE | Dell(config-line-console)# | line (LINE Modes)
VIRTUAL TERMINAL | Dell(config-line-vty)# | line (LINE Modes)
STANDARD ACCESS-LIST | Dell(config-std-macl)# | mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | Dell(config-ext-macl)# | mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE | Dell(config-mstp)# | protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus | Dell(config-pvst)# | protocol spanning-tree pvst
PREFIX-LIST | Dell(conf-nprefixl)# | ip prefix-list
RAPID SPANNING TREE | Dell(config-rstp)# | protocol spanning-tree rstp
REDIRECT | Dell(conf-redirect-list)# | ip redirect-list
ROUTE-MAP | Dell(config-route-map)# | route-map
ROUTER BGP | Dell(conf-router_bgp)# | router bgp
BGP ADDRESS-FAMILY | Dell(conf-router_bgp_af)# (for IPv4); Dell(conf-router_bgpv6_af)# (for IPv6) | address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP Mode)
ROUTER ISIS | Dell(conf-router_isis)# | router isis
ISIS ADDRESS-FAMILY | Dell(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF | Dell(conf-router_ospf)# | router ospf
ROUTER OSPFV3 | Dell(conf-ipv6-router_ospf)# | ipv6 router ospf
ROUTER RIP | Dell(conf-router_rip)# | router rip
SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0
TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list
CLASS-MAP | Dell(config-class-map)# | class-map
CONTROL-PLANE | Dell(conf-control-cpuqos)# | control-plane-cpuqos
DCB POLICY | Dell(conf-dcb-in)# (for input policy); Dell(conf-dcb-out)# (for output policy) | dcb-input for input policy; dcb-output for output policy
DHCP | Dell(config-dhcp)# | ip dhcp server
DHCP POOL | Dell(config-dhcp-pool-name)# | pool (DHCP Mode)
ECMP | Dell(conf-ecmp-group-ecmp-group-id)# | ecmp-group
EIS | Dell(conf-mgmt-eis)# | management egress-interface-selection
FRRP | Dell(conf-frrp-ring-id)# | protocol frrp
LLDP | Dell(conf-lldp)# or Dell(conf-if-interface-lldp)# | protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE | Dell(conf-lldp-mgmtIf)# | management-interface (LLDP Mode)
LINE | Dell(config-line-console)# or Dell(config-line-vty)# | line console or line vty
MONITOR SESSION | Dell(conf-mon-sess-sessionID)# | monitor session
OPENFLOW INSTANCE | Dell(conf-of-instance-of-id)# | openflow of-instance
PORT-CHANNEL FAILOVER-GROUP | Dell(conf-po-failover-grp)# | port-channel failover-group
PRIORITY GROUP | Dell(conf-pg)# | priority-group
PROTOCOL GVRP | Dell(config-gvrp)# | protocol gvrp
QOS POLICY | Dell(conf-qos-policy-out-ets)# | qos-policy-output
VLT DOMAIN | Dell(conf-vlt-domain)# | vlt domain
VRRP | Dell(conf-if-interface-type-slot/port-vrid-vrrp-group-id)# | vrrp-group
u-Boot | Dell(=>)# | Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
UPLINK STATE GROUP | Dell(conf-uplink-state-group-groupID)# | uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to
PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#
The do Command
Use the do command to enter an EXEC mode command from any CONFIGURATION mode
(CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode.
The following examples show how to use the do command in CONFIGURATION mode.
Rainier(conf)# do show ip interface brief
Interface                IP-Address      OK   Method  Status  Protocol
TenGigabitEthernet 0/0   unassigned      NO   Manual  up      down
TenGigabitEthernet 0/1   unassigned      NO   Manual  up      down
TenGigabitEthernet 0/2   unassigned      NO   Manual  up      down
TenGigabitEthernet 0/3   unassigned      NO   Manual  up      down
TenGigabitEthernet 0/4   unassigned      YES  Manual  up      up
TenGigabitEthernet 0/5   unassigned      YES  Manual  up      up
TenGigabitEthernet 0/6   unassigned      YES  Manual  up      up
TenGigabitEthernet 0/7   unassigned      YES  Manual  up      up
TenGigabitEthernet 0/8   unassigned      YES  Manual  up      up
TenGigabitEthernet 0/9   unassigned      YES  Manual  up      up
Rainier(conf)# do show version
Dell Real Time Operating System Software
Dell Operating System Version: 2.0
Dell Application Software Version: 9-5
Copyright (c) 1999-2014 by Dell Inc. All Rights Reserved.
Build Time: Wed Jul 2 11:24:04 2014
Build Path: /sites/eqx/work/swbuild01_1/build16/MERCED-MR-9-5-0/SW/SRC
Dell Networking OS uptime is 2 hour(s), 20 minute(s)
System image file is "rith-rainier"
System Type: Z9500
Control Processor: Intel Centerton with 3 Gbytes (3203928064 bytes) of memory, cores(s) 2.
16G bytes of boot flash memory.
  1 36-port TE/FG (ZC)
  2 48-port TE/FG (ZC)
520 Ten GigabitEthernet/IEEE 802.3 interface(s)
  2 Forty GigabitEthernet/IEEE 802.3 interface(s)
Rainier(conf)# do show running-config interface tengigabitethernet 0/0
!
interface TenGigabitEthernet 0/0
no ip address
no shutdown
Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original
command. For example, to delete an IP address configured on an interface, use the no ip address
ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
Dell(conf)#interface tengigabitethernet 4/17
Dell(conf-if-te-4/17)#ip address 192.168.10.1/24
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
ip address 192.168.10.1/24
no shutdown
Dell(conf-if-te-4/17)#no ip address
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
no ip address
no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command.
For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using
the ? or help command:
• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
• Entering ? after a command prompt lists all of the available keywords. The output of this command is the same as the help command.
Dell#?
calendar      Manage the hardware calendar
cd            Change current directory
change        Change subcommands
clear         Reset functions
clock         Manage the system clock
configure     Configuring from terminal
copy          Copy from one file to another
debug         Debug functions
--More--
• Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map
clock
Dell(conf)#cl
• Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time     Configure summer (daylight savings) time
timezone        Configure time zone
Dell(conf)#clock
Entering and Editing Commands
Notes for entering commands.
• The CLI is not case-sensitive.
• You can enter partial CLI keywords.
  – Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
• The UP and DOWN arrow keys display previously entered commands (refer to Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key Combination   Action
CNTL-A                      Moves the cursor to the beginning of the command line.
CNTL-B                      Moves the cursor back one character.
CNTL-D                      Deletes character at cursor.
CNTL-E                      Moves the cursor to the end of the line.
CNTL-F                      Moves the cursor forward one character.
CNTL-I                      Completes a keyword.
CNTL-K                      Deletes all characters from the cursor to the end of the command line.
CNTL-L                      Re-enters the previous command.
CNTL-N                      Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P                      Recalls commands, beginning with the last command.
CNTL-R                      Re-enters the previous command.
CNTL-U                      Deletes the line.
CNTL-W                      Deletes the previous word.
CNTL-X                      Deletes the line.
CNTL-Z                      Ends continuous scrolling of command outputs.
Esc B                       Moves the cursor back one word.
Esc F                       Moves the cursor forward one word.
Esc D                       Deletes all characters from the cursor to the end of the word.
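As an added illustration, not code from the Dell guide or from Dell Networking OS, the following Python models the partial-keyword rule above (cl is ambiguous in CONFIGURATION mode, clo is not), TAB completion and the ? listing from Obtaining Help, using the keyword subsets this section shows; the keyword tables and the two CONFIGURATION mode descriptions are constructed for the example.

```python
"""Partial-keyword resolution and `?` listing (example code, not Dell's).

Models the rule from "Entering and Editing Commands": a partial keyword is
accepted only when it identifies exactly one command, so `cl` is rejected in
CONFIGURATION mode (clock and class-map both match) while `clo` is accepted.
Keyword tables are the subsets this section shows; descriptions marked
'constructed' are not from the guide.
"""
from typing import Dict, List, Optional

# From the Dell#? listing in "Obtaining Help".
EXEC_PRIV_KEYWORDS: Dict[str, str] = {
    "calendar": "Manage the hardware calendar",
    "cd": "Change current directory",
    "change": "Change subcommands",
    "clear": "Reset functions",
    "clock": "Manage the system clock",
    "configure": "Configuring from terminal",
    "copy": "Copy from one file to another",
    "debug": "Debug functions",
}

# From the Dell(conf)#cl? listing; descriptions constructed for this example.
CONF_KEYWORDS: Dict[str, str] = {
    "class-map": "Configure a class map (constructed)",
    "clock": "Configure the system clock (constructed)",
}


def candidates(partial: str, table: Dict[str, str]) -> List[str]:
    """Keywords beginning with `partial`; the CLI is not case-sensitive."""
    prefix = partial.lower()
    return sorted(k for k in table if k.startswith(prefix))


def resolve(partial: str, table: Dict[str, str]) -> Optional[str]:
    """The unique keyword `partial` abbreviates, or None when it is
    ambiguous or matches nothing (the CLI rejects it either way)."""
    found = candidates(partial, table)
    return found[0] if len(found) == 1 else None


def tab_complete(partial: str, table: Dict[str, str]) -> str:
    """TAB extends the typed text as far as all remaining candidates agree."""
    found = candidates(partial, table)
    if not found:
        return partial
    common = found[0]
    for k in found[1:]:
        n = 0
        while n < min(len(common), len(k)) and common[n] == k[n]:
            n += 1
        common = common[:n]
    return common


def question_mark(partial: str, table: Dict[str, str]) -> List[str]:
    """`?` output: a bare `?` lists every keyword with its description
    (like Dell#?), while `cl?` lists only the matching keywords."""
    if partial == "":
        return [f"{k:<12}{desc}" for k, desc in sorted(table.items())]
    return candidates(partial, table)


if __name__ == "__main__":
    print("Dell(conf)#cl?  ->", question_mark("cl", CONF_KEYWORDS))
    print("Dell(conf)#cl   ->", resolve("cl", CONF_KEYWORDS))    # None: ambiguous
    print("Dell(conf)#clo  ->", resolve("clo", CONF_KEYWORDS))   # clock
    print("Dell#co<TAB>    ->", tab_complete("co", EXEC_PRIV_KEYWORDS))
```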
Command History
The Dell Networking OS maintains a history of previously-entered commands for each mode. For
example:
• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find |
grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you
use the ignore-case sub-option.
The grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For
example, the commands:
• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TengigabitEthernet 0/0.
• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this
command used in combination with the show processes command.
Dell#show processes cpu cp | grep system
0     72000        7200     10000  17.97%  17.81%  17.96%  0    system
NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase
with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
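As an added example, not code from the Dell guide or from Dell Networking OS, the following Python re-implements the | except, find, grep (with ignore-case) and no-more output filters described in this section, including the optional space around the pipe and double-quoted phrases, and runs them over constructed sample output; the sample text and the handling of save (returned unfiltered, no file written) are assumptions of this example.

```python
"""FTOS-style `show ... | <filter>` output filters (example code, not Dell's).

Models the except / find / grep [ignore-case] / no-more keywords described in
"Filtering show Command Outputs" so their semantics can be checked on captured
output offline.  All sample output below is constructed for this example.
"""
import shlex
from typing import List, Tuple

# Constructed sample in the shape of `show running-config` output.
SAMPLE_SHOW_RUN = """\
!
interface TenGigabitEthernet 0/0
 no ip address
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 172.31.1.53/24
 no shutdown
!
line vty 0
 login authentication default
"""

# Constructed sample in the shape of `show processes cpu cp` output.
SAMPLE_SHOW_PROCESSES = """\
CPU utilization for five seconds: 28%/1%; one minute: 28%; five minutes: 28%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
0 72000 7200 10000 17.97% 17.81% 17.96% 0 system
538 43770 4377 10000 6.50% 7.59% 8.68% 0 sysd
535 51140 5114 10000 3.54% 3.53% 3.83% 0 sysdlp
"""

FILTER_KEYWORDS = ("except", "find", "grep", "no-more", "save")


def parse_filter(filter_expr: str) -> Tuple[str, str, bool]:
    """Parse '| keyword [specified_text] [ignore-case]' into its parts.

    A space before or after the pipe is optional, and a phrase containing
    spaces, underscores or ranges must be enclosed in double quotes (which
    shlex strips), as the NOTE in this section says.
    """
    body = filter_expr.strip()
    if not body.startswith("|"):
        raise ValueError("a filter expression must start with '|'")
    tokens = shlex.split(body[1:])
    if not tokens or tokens[0] not in FILTER_KEYWORDS:
        raise ValueError(f"unknown filter keyword in {filter_expr!r}")
    keyword, args = tokens[0], tokens[1:]
    ignore_case = False
    # Only grep accepts the ignore-case sub-option, and it comes last.
    if keyword == "grep" and args and args[-1] == "ignore-case":
        ignore_case, args = True, args[:-1]
    if keyword == "no-more":
        if args:
            raise ValueError("no-more takes no argument")
        return keyword, "", False
    if len(args) != 1:
        raise ValueError(f"{keyword} expects exactly one argument")
    return keyword, args[0], ignore_case


def apply_filter(output: str, filter_expr: str) -> List[str]:
    """Return the lines of `output` that the filter would display."""
    keyword, text, ignore_case = parse_filter(filter_expr)
    lines = output.splitlines()
    if keyword == "no-more":
        return lines            # paging is disabled; content is unchanged
    if keyword == "save":
        # On the switch this writes the unfiltered output to the file named
        # by `text`; the file system is not modelled here (assumption).
        return lines

    # Matching is a plain substring test and IS case sensitive unless the
    # ignore-case sub-option was given.
    def matches(line: str) -> bool:
        return (text.lower() in line.lower()) if ignore_case else (text in line)

    if keyword == "grep":
        return [ln for ln in lines if matches(ln)]
    if keyword == "except":
        return [ln for ln in lines if not matches(ln)]
    # find: everything from the first matching line to the end of the output.
    for i, ln in enumerate(lines):
        if matches(ln):
            return lines[i:]
    return []


if __name__ == "__main__":
    for expr in ("| grep Ethernet", "|grep ethernet", "| grep Ethernet ignore-case"):
        print(f"show run {expr}")
        for ln in apply_filter(SAMPLE_SHOW_RUN, expr):
            print("   ", ln)
    print("show processes cpu cp | find system")
    print("\n".join(apply_filter(SAMPLE_SHOW_PROCESSES, "| find system")))
```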
The except keyword displays text that does not match the specified text. The following example shows
this command used in combination with the show processes command.
Example of the except Keyword
Dell#show processes cpu cp | except system
CPU utilization for five seconds: 28%/1%; one minute: 28%; five minutes: 28%
PID   Runtime(ms)  Invoked  uSecs   5Sec    1Min    5Min    TTY  Process
538   43770        4377     10000   6.50%   7.59%   8.68%   0    sys
535   51140        5114     10000   3.54%   3.53%   3.83%   0    sysdlp
614   300          30       10000   0.59%   0.06%   0.07%   0    ssMgr
557   190          19       10000   0.20%   0.00%   0.03%   0    ipm
615   130          13       10000   0.00%   0.02%   0.03%   0    ipSecMgr
508   290          29       10000   0.00%   0.02%   0.04%   0    confdMgr
720   330          33       10000   0.00%   0.13%   0.10%   0    clish
19    410          41       10000   0.00%   0.00%   0.00%   0    mount_mfs
30    60           6        10000   0.00%   0.00%   0.00%   0    mount_mfs
25    1720         172      10000   0.00%   0.00%   0.00%   0    mount_mfs
22    0            0        0       0.00%   0.00%   0.00%   0    mount_mfs
533   0            0        0       0.00%   0.00%   0.00%   0    sysmon
12    0            0        0       0.00%   0.00%   0.00%   0    mount_mfs
2     10           1        10000   0.00%   0.00%   0.00%   0    sh
1     0            0        0       0.00%   0.00%   0.00%   0    init
529   0            0        0       0.00%   0.00%   0.00%   0    sysmon
523   10           1        10000   0.00%   0.00%   0.00%   0    mount_mfs
646   0            0        0       0.00%   0.00%   0.00%   0    cron
445   0            0        0       0.00%   0.00%   0.00%   0    flashmntr
579   5670         567      10000   0.00%   0.00%   0.00%   0    confd
329   0            0        0       0.00%   0.00%   0.00%   0    inetd
655   270          27       10000   0.00%   0.00%   0.00%   0    login
244   30           3        10000   0.00%   0.00%   0.00%   0    sh
74    30           3        10000   0.00%   0.00%   0.00%   0    sh
Example of the find Keyword
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show processes command.
Dell#show processes cpu cp | find system
0     72900        7290     10000   17.79%  17.93%  17.96%  0    system
538   42710        4271     10000   6.52%   7.74%   8.68%   0    sysd
535   50600        5060     10000   3.56%   3.61%   3.83%   0    sysdlp
720   290          29       10000   0.20%   0.07%   0.17%   0    clish
614   250          25       10000   0.00%   0.03%   0.07%   0    ssMgr
615   130          13       10000   0.00%   0.02%   0.04%   0    ipSecMgr
508   290          29       10000   0.00%   0.02%   0.09%   0    confdMgr
655   270          27       10000   0.00%   0.00%   0.09%   0    login
557   180          18       10000   0.00%   0.00%   0.06%   0    ipm
579   5670         567      10000   0.00%   0.00%   1.85%   0    confd
19    410          41       10000   0.00%   0.00%   0.00%   0    mount_mfs
22    0            0        0       0.00%   0.00%   0.00%   0    mount_mfs
533   0            0        0       0.00%   0.00%   0.00%   0    sysmon
12    0            0        0       0.00%   0.00%   0.00%   0    mount_mfs
2     10           1        10000   0.00%   0.00%   0.00%   0    sh
1     0            0        0       0.00%   0.00%   0.00%   0    init
529   0            0        0       0.00%   0.00%   0.00%   0    sysmon
523   10           1        10000   0.00%   0.00%   0.00%   0    mount_mfs
646   0            0        0       0.00%   0.00%   0.00%   0    cron
445   0            0        0       0.00%   0.00%   0.00%   0    flashmntr
329   0            0        0       0.00%   0.00%   0.00%   0    inetd
244   30           3        10000   0.00%   0.00%   0.00%   0    sh
74    30           3        10000   0.00%   0.00%   0.00%   0    sh
30    60           6        10000   0.00%   0.00%   0.00%   0    mount_mfs
25    1720         172      10000   0.00%   0.00%   0.00%   0    mount_mfs
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to
the terminal length command except that the no-more option affects the output of the specified
command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:
Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save
Multiple Users in Configuration Mode
The Z9500 operating system notifies all users when there are multiple users logged in to
CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY
connection, the IP address of the terminal on which the connection was established. For example:
• On the system that telnets into the switch, this message appears:
  % Warning: The following users are currently configuring the system:
  User "" on line console0
• On the system that is connected over the console, this message appears:
  % Warning: User "" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Networking recommends coordinating with the users listed in
the message so that you do not unintentionally overwrite each other’s configuration changes.
3 Getting Started
This chapter describes how you start configuring your Z9500 operating software.
When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell
Networking operating software. Boot messages scroll up the terminal window during this process. No
user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LED remains online (green) and the console
monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line
section in the Configuration Fundamentals chapter.
Console Access
The Z9500 has two management ports:
• A serial RS-232/RJ-45 console port for a local management connection
• An out-of-band (OOB) Ethernet port to manage the switch using its IP address
Serial Console
The RJ-45/RS-232 console port is labeled on the I/O side (upper right-hand) of the Z9500 chassis.
Figure 1. RJ-45 Console Port (1: RJ-45 Console Port)
Accessing the Console Port
To access the console port, follow these steps:
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9500 console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3. Terminal settings on the console port cannot be changed in the software and are set as follows:
   • 9600 baud rate
   • No parity
   • 8 data bits
   • 1 stop bit
   • No flow control
Pin Assignments
You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE
adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout                    RJ-45 Pinout                    DB-9 Pin                Signal
RTS            1                               8                               8                       CTS
NC             2                               7                               6                       DSR
TxD            3                               6                               2                       RxD
GND            4                               5                               5                       GND
GND            5                               4                               5                       GND
RxD            6                               3                               3                       TxD
NC             7                               2                               4                       DTR
CTS            8                               1                               7                       RTS
Default Configuration
Although a version of the Dell Networking OS is pre-loaded on the switch, the system is not configured
when you power up the first time (except for the default hostname, which is Dell). You must configure
the system using the CLI.
Configuring a Host Name
The host name appears in the prompt. The default host name is Dell.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
To create a host name, use the following command.
• Create a host name.
  CONFIGURATION mode
  hostname name
Example of the hostname Command
Dell(conf)#hostname R1
R1(conf)#
Accessing the System Remotely
You can configure the system to access it remotely by Telnet or SSH.
• The Z9500 has a dedicated management port and a management routing table that is separate from the IP routing table.
• You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
Accessing the Z9500 Remotely
Configuring the system for Telnet is a three-step process:
1. Configure an IP address for the management port. See Configure the Management Port IP Address.
2. Configure a management route with a default gateway. See Configure a Management Route.
3. Configure a username and password. See Configure a Username and Password.
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
NOTE: Assign an IP address to the management port.
1. Enter INTERFACE mode for the Management port.
   CONFIGURATION mode
   interface ManagementEthernet 0/0
   • The slot number is 0.
   • The port number is 0.
2. Assign an IP address to the interface.
   INTERFACE mode
   ip address ip-address/mask
   • ip-address: an address in dotted-decimal format (A.B.C.D).
   • mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
   INTERFACE mode
   no shutdown
Configure a Management Route
Define a path from the Z9500 to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the Z9500 through the
management port.
• Configure a management route to the network from which you are accessing the system.
  CONFIGURATION mode
  management route ip-address/mask gateway
  – ip-address: the network address in dotted-decimal format (A.B.C.D).
  – mask: a subnet mask in /prefix-length format (/xx).
  – gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, you must configure a system username and password.
• Configure a username and password to access the system remotely.
  CONFIGURATION mode
  username username password [encryption-type] password
  – encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
    * 0 is for inputting the password in clear text.
    * 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default.
Configure a password as a basic security measure.
There are two types of enable passwords:
• enable password stores the password in the running/startup configuration using a DES encryption method.
• enable secret is stored in the running/startup configuration using a stronger, MD5 encryption method.
Dell Networking recommends using the enable secret password.
To configure an enable password, use the following command.
• Create a password to access EXEC Privilege mode.
  CONFIGURATION mode
  enable [password | secret] [level level] [encryption-type] password
  – level: is the privilege level, is 15 by default, and is not required.
  – encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
    * 0 is for inputting the password in clear text.
    * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
    * 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
Manage Configuration Files
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from EXEC Privilege mode.
File Storage
The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files.
The system stores files on the internal Flash by default, but can be configured to store files elsewhere.
To view file system information, use the following command.
• View information about each file system.
  EXEC Privilege mode
  show file-systems
The output of the show file-systems command in the following example shows the total capacity,
amount of free memory, file structure, media type, read/write privileges for each storage device in use.
Dell#show file-systems
Size(b)        Free(b)        Feature   Type        Flags   Prefixes
6429872128     6397476864     FAT32     USERFLASH   rw      flash:
15775404032    15775399936    FAT32     USBFLASH    rw      usbflash:
-              -              -         network     rw      ftp:
-              -              -         network     rw      tftp:
-              -              -         network     rw      scp:
You can change the default file system so that file management commands apply to a particular device
or memory.
To change the default directory, use the following command.
• Change the default directory.
  EXEC Privilege mode
  cd directory
Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command
Reference.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
• To copy a remote file to a Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Location: Internal flash (system), for a local file location
  source-file-url syntax:      copy flash://filename
  destination-file-url syntax: flash://filename
Location: FTP server, for a remote file location
  source-file-url syntax:      copy ftp://username:password@{hostip | hostname}/filepath/filename
  destination-file-url syntax: ftp://username:password@{hostip | hostname}/filepath/filename
Location: HTTP server, for a remote file location
  source-file-url syntax:      copy http://username:password@{hostip | hostname}/filepath/filename
  destination-file-url syntax: http://username:password@{hostip | hostname}/filepath/filename
Location: SCP server, for a remote file location
  source-file-url syntax:      copy scp://{hostip | hostname}/filepath/filename
  destination-file-url syntax: scp://{hostip | hostname}/filepath/filename
Location: TFTP server, for a remote file location
  source-file-url syntax:      copy tftp://{hostip | hostname}/filepath/filename
  destination-file-url syntax: tftp://{hostip | hostname}/filepath/filename
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a host name if a domain name server (DNS) server is configured.
• The host IP address (hostip) supports IPv4 and IPv6 addresses in the source-file-url and destination-file-url variables.
• When copying files to and from the system using FTP, HTTP, TFTP, or Telnet, you can specify a default IP source interface for the file transfer protocol (ip {ftp | http | telnet | tftp} source-interface commands). The IP source interface can be a loopback, port-channel, or physical interface.
• HTTP copy operations support egress interface selection (EIS) to isolate management-plane and control-plane domains for HTTP traffic. For more information, see Egress Interface Selection (EIS).
Example of Copying a File to an FTP Server
Dell#copy flash://FTOS-ZC-9.2.1.0B2.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-ZC-9.2.1.0B2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
94926657 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-ZC-9.2.1.0B2 flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
Save the Running-Configuration
The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration.
The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the system by default, but it can be saved on a USB flash device or a remote server.
The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that the current directory is the internal flash, which is the system default.
• Save the running-configuration to the startup-configuration on the system.
  EXEC Privilege mode
  copy running-config startup-config
• Save the running-configuration to an FTP server.
  EXEC Privilege mode
  copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
• Save the running-configuration to a TFTP server.
  EXEC Privilege mode
  copy running-config tftp://{hostip | hostname}/filepath/filename
• Save the running-configuration to an SCP server.
  EXEC Privilege mode
  copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
Configure the Overload Bit for a Startup Scenario
For information about setting the router overload bit for a specific period of time after a switch reload is
implemented, refer to the Intermediate System to Intermediate System (IS-IS) section in the Dell
Networking OS Command Line Reference Guide.
Viewing Files
You can only view file information and content on local file systems.
To view a list of files or the contents of a file, use the following commands.
• View a list of files on the internal flash.
  EXEC Privilege mode
  dir flash:
• View the contents of a file in the internal flash.
  EXEC Privilege mode
  show file flash://filename
• View a list of files on an external flash.
  EXEC Privilege mode
  dir usbflash:
• View the running-configuration.
  EXEC Privilege mode
  show running-config
• View the startup-configuration.
  EXEC Privilege mode
  show startup-config
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of
modification for each file.
Dell#dir
Directory of flash:
  1  drw-      32768   Jan 01 1980 00:00:00  .
  2  drwx        512   Jul 23 2007 00:38:44  ..
  3  drw-       8192   Mar 30 1919 10:31:04  TRACE_LOG_DIR
  4  drw-       8192   Mar 30 1919 10:31:04  CRASH_LOG_DIR
  5  drw-       8192   Mar 30 1919 10:31:04  NVTRACE_LOG_DIR
  6  drw-       8192   Mar 30 1919 10:31:04  CORE_DUMP_DIR
  7  d---       8192   Mar 30 1919 10:31:04  ADMIN_DIR
  8  -rw-   33059550   Jul 11 2007 17:49:46  FTOS-EF-7.4.2.0.bin
  9  -rw-   27674906   Jul 06 2007 00:20:24  FTOS-EF-4.7.4.302.bin
 10  -rw-   27674906   Jul 06 2007 19:54:52  boot-image-FILE
 11  drw-       8192   Jan 01 1980 00:18:28  diag
 12  -rw-       7276   Jul 20 2007 01:52:40  startup-config.bak
 13  -rw-       7341   Jul 20 2007 15:34:46  startup-config
 14  -rw-   27674906   Jul 06 2007 19:52:22  boot-image
 15  -rw-   27674906   Jul 06 2007 02:23:22  boot-flash
--More--
Changes in Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following
example, to help you track the last time any user made a change to the file, which user made the
changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last
configuration change,” and “Startup-config last updated,” you have made changes that have not been
saved and will not be preserved after a system reboot.
Example of the show running-config Command
Dell#show running-config
Current Configuration ...
! Version 9-2(1-552)
! Last configuration change at Tue Jan 21 09:32:57 2014 by admin
!
boot system primary tftp://10.11.8.13/rithvik-rainier
boot system secondary tftp://10.11.8.13/rithvik-rainier
boot system default system: A:
boot system gateway 172.27.1.1
!
redundancy auto-synchronize full
redundancy disable-auto-reboot
!
service timestamps log datetime
!
logging coredump
!
hostname pt-z9500-11
!
enable password 7 b125455cf679b208e79b910e85789edf
!
username admin password 7 1d28e9f33f99cf5c
!
linecard 0 provision Z9500LC36
--More--
View Command History
The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved
to the file.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Dell#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
Upgrading the Dell Networking OS
NOTE: To upgrade the Dell Networking operating software, refer to the Release Notes for the
version you want to load on the switch.
Using Hashes to Validate Software Images
You can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm to validate the software image on the flash drive, after the image has been transferred to the system, but before the image has been installed. The validation calculates a hash value of the downloaded image file on the system's flash drive, and, optionally, compares it to a Dell Networking published hash for that file.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file, and comparing the result to the hash published for that file on iSupport, provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, can prevent the installation of corrupted or modified images.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local
flash drive. You can compare the displayed hash against the appropriate hash published on i-Support.
Optionally, the published hash can be included in the verify {md5 | sha256} command, which will display
whether it matches the calculated hash of the indicated file.
To validate a software image:
1. Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file is displayed next to the software image file on the iSupport page.
2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [flash://]img-file [hash-value] command in EXEC mode.
• md5: MD5 message-digest algorithm
• sha256: SHA256 Secure Hash Algorithm
• flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name.
• hash-value: (Optional) Specify the relevant hash published on i-Support.
• img-file: Enter the name of the Dell Networking software image file to validate.
Examples: Without Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin:
e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
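The same check can be run on the staging FTP/TFTP server in step 1, before the image is ever copied to the switch. The script below is an added example, not Dell code: it reproduces what verify {md5 | sha256} img-file [hash-value] does (print the digest, or compare it with a published hash) using Python's hashlib; the file contents, names and hashes used in the demo are constructed.

```python
"""Added example (not Dell's code): the verify {md5 | sha256} check done off-box.

Mirrors the switch's verify command on the staging (FTP/TFTP) server so a
corrupted or modified image is caught before it is copied to flash:.
Assumptions: the published hash is a hex string copied from the iSupport page;
the file and hash values used below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
HEX_DIGITS = set("0123456789abcdef")


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a ~100 MB image is not loaded whole."""
    try:
        factory = ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported algorithm {algorithm!r}; use md5 or sha256")
    digest = factory()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, algorithm="sha256", published_hash=None):
    """Equivalent of: verify {md5 | sha256} img-file [hash-value].

    Returns (digest, verified). verified is None when no published hash was
    supplied (the command then only prints the digest), True on a match and
    False on a mismatch. The comparison ignores case and surrounding
    whitespace and is constant-time.
    """
    digest = hash_file(path, algorithm)
    if published_hash is None:
        return digest, None
    expected = published_hash.strip().lower()
    # A value of the wrong length or with non-hex characters cannot be a digest
    # of this algorithm; reject it before compare_digest sees it.
    if len(expected) != len(digest) or not set(expected) <= HEX_DIGITS:
        return digest, False
    return digest, hmac.compare_digest(digest, expected)


def write_constructed_image(data):
    """Write constructed bytes to a temp file standing in for a downloaded image."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = write_constructed_image(b"abc")  # stand-in for FTOS-SE-9.5.0.0.bin
    for algo in ("md5", "sha256"):
        print(f"{algo.upper()} hash for {os.path.basename(image)}: {hash_file(image, algo)}")
    # Published value pasted in upper case, as copied from a web page.
    digest, ok = verify_image(image, "sha256", hash_file(image, "sha256").upper())
    print("SHA256 hash VERIFIED" if ok else "SHA256 hash MISMATCH")
    os.remove(image)
```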
4 Switch Management
This chapter describes the switch management tasks supported on the Z9500.
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level      Description
Level 0    Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Level 1    Access to the system begins at EXEC mode, and all commands are available.
Level 15   Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based
Access Control.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege
levels 2-14 by:
• restricting access to an EXEC mode command
• moving commands from EXEC Privilege to EXEC mode
• restricting access
A user can access all commands at his privilege level and below.
Removing a Command from EXEC Mode
To remove a command from the list of available commands in EXEC mode for a specific privilege level,
use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first
keyword of each command you wish to restrict.
Moving a Command from EXEC Privilege Mode to EXEC Mode
To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec
command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the
command to which you want to allow access.
Allowing Access to CONFIGURATION Mode Commands
To allow access to CONFIGURATION mode, use the privilege exec level level configure
command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two
commands, end and exit. You must individually specify each CONFIGURATION mode command you
want to allow access to using the privilege configure level level command. In the command,
specify the privilege level of the user or terminal line and specify all the keywords in the command to
which you want to allow access.
Allowing Access to the Following Modes
This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes.
Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP,
and ROUTER modes, you must first allow access to the command that enters you into the mode. For
example, to allow a user to enter INTERFACE mode, use the privilege configure level level
interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want
to allow access using the privilege {interface | line | route-map | router} level
level command. In the command, specify the privilege level of the user or terminal line and specify all
the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
The configuration in the following example creates privilege level 3. This level:
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
• moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
• allows access to CONFIGURATION mode with the banner command
• allows access to INTERFACE and LINE modes with no commands
• Remove a command from the list of available commands in EXEC mode.
  CONFIGURATION mode
  privilege exec level level {command ||...|| command}
• Move a command from EXEC Privilege to EXEC mode.
  CONFIGURATION mode
  privilege exec level level {command ||...|| command}
• Allow access to CONFIGURATION mode.
  CONFIGURATION mode
  privilege exec level level configure
• Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
  CONFIGURATION mode
  privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  CONFIGURATION mode
  privilege {configure | interface | line | route-map | router} level level {command ||...|| command}
Example of EXEC Privilege Commands
Dell(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Dell#?
capture              Capture packet
configure            Configuring from terminal
disable              Turn off privileged commands
enable               Turn on privileged commands
exit                 Exit from the EXEC
ip                   Global IP subcommands
monitor              Monitoring feature
mtrace               Trace reverse multicast path from destination to source
ping                 Send echo messages
quit                 Exit from the EXEC
show                 Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.
Dell(conf)#?
end                  Exit from configuration mode
exit                 Exit from configuration mode
interface            Select an interface to configure
line                 Configure a terminal line
linecard             Set line card type
Dell(conf)#interface ?
loopback             Loopback interface
managementethernet   Management Ethernet interface
null                 Null interface
port-channel         Port-channel interface
range                Configure interface range
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN interface
Dell(conf)#interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)#?
end                  Exit from configuration mode
exit                 Exit from interface configuration mode
Dell(conf-if-te-1/1)#exit
Dell(conf)#line ?
aux                  Auxiliary line
console              Primary terminal line
vty                  Virtual terminal
Dell(conf)#line vty 0
Dell(config-line-vty)#?
exit                 Exit from line configuration mode
Dell(config-line-vty)#
Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC
mode, but the prompt is hostname#, rather than hostname>.
Configuring Logging
The Dell Networking operating system tracks changes in the system using event and error messages.
By default, the operating system logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
  no logging monitor
• Disable console logging.
  CONFIGURATION mode
  no logging console
Audit and Security Logs
This section describes how to configure, display, and clear audit and security logs.
The following is the configuration task list for audit and security logs:
• Enabling Audit and Security Logs
• Displaying Audit and Security Logs
• Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect
the operation of the system in the network. You log audit and security events to a system log server,
using the logging extended command in CONFIGURATION mode. This command is available with or
without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist
of the following:
• User logins to the switch.
• System events for network issues or system issues.
• Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.
• Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs
based on the CLI sessions’ user roles. The types of information in this log consist of the following:
• Establishment of secure traffic flows, such as SSH.
• Violations on secure flows or certificate issues.
• Adding and deleting of users.
• User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration).
Important Points to Remember
When you enable RBAC and extended logging:
• Only the system administrator user role can execute this command.
• The system administrator and system security administrator user roles can view security events and system events.
• The system administrator user role can view audit, security, and system events.
• Only the system administrator and security administrator user roles can view security logs.
• The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Enabling Audit and Security Logs
Dell(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs,
you must first enable the logging extended command. Only the RBAC system administrator user role can
view the audit logs. Only the RBAC security administrator and system administrator user role can view the
security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user
role. To view security logs, use the show logging command.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
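The two listings above are the raw material for a routine log review. The following Python script is an added example and not part of the Dell guide: it parses the %CLI-6 audit entries and the %SEC-5-LOGIN_SUCCESS security entries in the formats shown, counts configuration changes per user and source address, and flags logins that come from outside a management network that you supply. The sample input reuses the lines shown above plus one constructed login from 192.0.2.77 (a documentation address); the management prefix 10.14.0.0/16 is an assumption for the demo.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# "show logging auditlog" entries: "<ts>: Dell#: %CLI-6-<command> by <user> from <line> (<ip>)"
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): \S+ %CLI-(?P<sev>\d)-(?P<cmd>.+?) "
    r"by (?P<user>\S+) from (?P<line>\S+) \( *(?P<ip>[^ )]+) *\)$")

# "show logging" security entries: "<ts>: <unit> %SEC-<sev>-<MNEMONIC>: ... user <user> on line <line> ( <ip> )"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): \S+ %SEC-(?P<sev>\d)-(?P<mnemonic>\w+): "
    r".*?user (?P<user>\S+) on line (?P<line>\S+) \( *(?P<ip>[^ )]+) *\)$")

# Sample input: the first four lines are copied from the guide's examples; the last line is
# constructed (192.0.2.77 is a documentation address) to show a login from outside the
# management network.
SAMPLE_LOG = """\
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Jun 10 04:25:02: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty1 ( 192.0.2.77 )
"""


def parse_events(text):
    """Turn audit and security log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            events.append({"kind": "config", **m.groupdict()})
            continue
        m = LOGIN_RE.match(line)
        if m:
            events.append({"kind": "login", **m.groupdict()})
    return events


def triage(events, management_prefixes):
    """Return (config changes per (user, ip), logins from outside the management prefixes)."""
    nets = [ip_network(p) for p in management_prefixes]
    changes = Counter((e["user"], e["ip"]) for e in events if e["kind"] == "config")
    outside = [e for e in events
               if e["kind"] == "login" and not any(ip_address(e["ip"]) in n for n in nets)]
    return changes, outside


def report(text, management_prefixes=("10.14.0.0/16",)):
    """Human-readable summary; the default management prefix is an assumption for the demo."""
    changes, outside = triage(parse_events(text), management_prefixes)
    lines = [f"{n} configuration change(s) by {user} from {ip}"
             for (user, ip), n in changes.items()]
    lines += [f"login by {e['user']} on {e['line']} from {e['ip']} is outside the management network"
              for e in outside]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Because the audit log records only that the configuration changed, not what changed, the per-user count is the most you can get from it; pair it with the running-config diff from your configuration management system when you need the detail.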
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is
enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
Dell# clear logging auditlog
Configuring Logging Format
To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version [0 | 1]
command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log message formats:
• 0 – Displays syslog messages in the format described in RFC 3164, The BSD syslog Protocol
• 1 – Displays syslog messages in the format described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
Dell(conf)#logging version ?
<0-1> Select syslog version (default = 0)
Dell(conf)#logging version 1
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with SSH port forwarding to securely connect to a syslog server.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the FTOS switch, using the following syntax:
ssh -R switch_port:syslog_server_ip:syslog_server_port user@switch_ip -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3. Configure logging to a local host. localhost is “127.0.0.1” or “::1”.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140
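With the tunnel in place, the syslog daemon on the server sees connections arriving on its own loopback port (5141 in the example) carrying messages in whichever format logging version selected. The following Python program is an added example, not code from the Dell guide: it implements the receiving side as a small TCP listener bound to 127.0.0.1, splits newline-delimited messages, decodes the PRI field into facility and severity for both version 0 (RFC 3164) and version 1 (RFC 5424) framing, and pulls the %CATEGORY-SEVERITY-MNEMONIC tag out of the message body. The two sample messages are constructed in the style of the guide's show logging example (the exact RFC 5424 header fields the switch emits are not shown on this page), and the facility names follow the guide's logging facility keyword list with local7 as facility 23.

```python
import re
import socket
import threading

# Severity names as used by the logging commands in this chapter (0 = emergencies ... 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Facility numbers 0..23 in the BSD numbering; names follow the "logging facility" keyword list.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "sys9", "sys10", "sys11", "sys12", "sys13", "sys14", "cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# logging version 0: <PRI>Mmm dd hh:mm:ss HOST MSG                      (RFC 3164)
RFC3164_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# logging version 1: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG     (RFC 5424)
RFC5424_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
                        r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
# Dell message tag, e.g. %SEC-5-LOGIN_SUCCESS
TAG_RE = re.compile(r"%(?P<cat>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+)")

# Constructed samples: the login event from the guide's "show logging" example, once per format.
SAMPLES = [
    "<189>Jun 10 04:23:40 Dell %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )",
    "<189>1 2014-06-10T04:23:40Z Dell - - - - %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )",
]


def parse_syslog(raw):
    """Decode one syslog message; returns a dict, with version None if neither format matches."""
    m, version = RFC5424_RE.match(raw), 1
    if not m:
        m, version = RFC3164_RE.match(raw), 0
    if not m:
        return {"version": None, "raw": raw}
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + severity
    out = {"version": version, "timestamp": m.group("ts"), "host": m.group("host"),
           "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
           "severity": SEVERITIES[severity], "msg": m.group("msg")}
    tag = TAG_RE.search(out["msg"])
    if tag:
        out["category"], out["mnemonic"] = tag.group("cat"), tag.group("mnemonic")
        # The severity digit in the tag should agree with the PRI severity; a mismatch is worth flagging.
        out["consistent"] = int(tag.group("sev")) == severity
    return out


def open_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener on the loopback address, i.e. the local end of the reverse tunnel.
    Port 0 asks the OS for a free port; a real deployment uses the daemon's port (5141 above)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s


def collect(listener):
    """Accept one connection, read newline-delimited messages until EOF, and parse them."""
    conn, _ = listener.accept()
    data = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    return [parse_syslog(line) for line in data.decode("utf-8", "replace").splitlines() if line]


def send_messages(port, messages, host="127.0.0.1"):
    """Stand-in for the switch end of the tunnel: write the messages over TCP."""
    with socket.create_connection((host, port)) as c:
        c.sendall("".join(msg + "\n" for msg in messages).encode())


def loopback_roundtrip(messages):
    """Run sender and receiver on the loopback interface and return the parsed messages."""
    srv = open_listener()
    port = srv.getsockname()[1]
    sender = threading.Thread(target=send_messages, args=(port, messages))
    sender.start()
    try:
        return collect(srv)
    finally:
        sender.join()
        srv.close()


if __name__ == "__main__":
    for m in loopback_roundtrip(SAMPLES):
        print(m["version"], m["facility"], m["severity"], m.get("mnemonic"), m["host"])
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the point of the tunnel design: the only path onto that port is through the SSH session, so the plaintext TCP syslog stream is never exposed on the network.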
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
• Disable System Logging
• Send System Messages to a Syslog Server
• Change System Logging Settings
• Display the Logging Buffer and the Logging Configuration
• Configure a UNIX Logging Facility Level
• Enable Timestamp on Syslog Messages
• Synchronize Log Messages
• Audit and Security Logs
• Configuring Logging Format
• Secure Connection to a Syslog Server
Disabling System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the
console, and the syslog servers.
To disable system logging, use the following commands.
• Disable all logging except on the console.
CONFIGURATION mode
no logging on
• Disable logging to the logging buffer.
CONFIGURATION mode
no logging buffer
• Disable logging to terminal lines.
CONFIGURATION mode
no logging monitor
• Disable console logging.
CONFIGURATION mode
no logging console
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog
standards are supported: RFC 5424 The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009,
which obsoletes RFC 3164, and RFC 5426 Transmission of Syslog Messages over UDP.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
Configuring a UNIX System as a Syslog Server
To configure a UNIX System as a syslog server, use the following command.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
– Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log
– Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the
show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered
based on the user roles. Only the security administrator and system administrator can view the security
logs.
Example of the show logging Command
Dell#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 416 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Logging to 10.1.2.4
Logging to 172.31.1.4
Logging to 133.33.33.4
Logging to 172.16.1.162
Logging to 10.10.10.4
Jan 21 09:52:21: %SYSTEM:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.68 )by admin
Jan 21 09:32:57: %SYSTEM:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.68 )by admin
Jan 21 09:32:57: %SYSTEM:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.8.68 )
Jan 21 09:32:57: %SYSTEM:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.11.8.68 )
Jan 21 04:11:02: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/1
Jan 21 04:11:02: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/0
Jan 21 03:12:54: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 60 % of the full speed
Jan 21 03:12:54: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 40 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 80 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 50 % of the full speed
Jan 21 02:56:54: %SYSTEM:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
Jan 21 02:56:54: %SYSTEM:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/3
--More--
To view any changes made, use the show running-config logging command in EXEC privilege
mode, as shown in the example for Configure a UNIX Logging Facility Level.
Changing System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage
location.
The default is to log all messages up to debug level, that is, all system messages. By changing the severity
level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
• Specify the minimum severity level for logging to the logging buffer.
CONFIGURATION mode
logging buffered level
• Specify the minimum severity level for logging to the console.
CONFIGURATION mode
logging console level
• Specify the minimum severity level for logging to terminal lines.
CONFIGURATION mode
logging monitor level
• Specify the minimum severity level for logging to a syslog server.
CONFIGURATION mode
logging trap level
• Specify the minimum severity level for logging to the syslog history table.
CONFIGURATION mode
logging history level
• Specify the size of the logging buffer.
CONFIGURATION mode
logging buffered size
NOTE: When you decrease the buffer size, the operating system deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
• Specify the number of messages that the operating system saves to its logging history table.
CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode,
as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in EXEC privilege
mode, as shown in the example for Configure a UNIX Logging Facility Level.
Configuring a UNIX Logging Facility Level
You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command.
• Specify one of the following parameters.
CONFIGURATION mode
logging facility [facility-type]
– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system use)
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view non-default settings, use the show running-config logging command in EXEC mode.
Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#
Synchronizing Log Messages
You can configure the Dell Networking OS to filter and consolidate the system messages for a specific
line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and
console connections available on the system.
1. Enter LINE mode.
CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Configure the following parameters for the virtual terminal lines:
• number: the range is from zero (0) to 8.
• end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print.
LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
• level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
• limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.
Enabling Timestamp on Syslog Messages
By default, syslog messages do not include a time/date stamp stating when the error or message was
created.
To enable timestamp, use the following command.
• Add timestamp to syslog messages.
CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
– You can add the keyword localtime to include the localtime, msec, and show-timezone. If
you do not add the keyword localtime, the time is UTC.
– uptime: To view time since last boot.
If you do not specify a parameter, the system configures uptime.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug]
command.
File Transfer Services
You can configure the system to transfer files over the network using the file transfer protocol (FTP).
One FTP application is copying the system image files over an interface on to the system; however, FTP is
not supported on virtual local area network (VLAN) interfaces.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP
server.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
• Enable FTP Server (mandatory)
• Configure FTP Server Parameters (optional)
• Configure FTP Client Parameters (optional)
Enabling the FTP Server
To enable the system as an FTP server, use the following command.
To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
• Enable FTP on the system.
CONFIGURATION mode
ftp-server enable
Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters.
To configure the FTP server parameters, use the following commands.
• Specify the directory for users using FTP to reach the system.
CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
• Specify a user name for all FTP users and configure either a plain text or encrypted password.
CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
– username: enter a text string.
– encryption-type: enter 0 for plain text or 7 for encrypted text.
– password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
• Enter the following keywords and slot/port or number information:
CONFIGURATION mode
ip ftp source-interface interface
– For a loopback interface, enter the keyword loopback then a number between 0 and 16383.
– For a port channel interface, enter the keywords port-channel then a number from 1 to 255.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
• Configure a password.
CONFIGURATION mode
ip ftp password password
• Enter a username to use on the FTP client.
CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode,
as shown in the example for Enable FTP Server.
Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles.
Terminal lines on the system provide different means of accessing the system. The console line (console)
connects you through the console port. The virtual terminal lines (VTYs) connect you through Telnet to
the system.
Denying and Permitting Access to a Terminal Line
Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit
access to VTY lines.
• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
• Apply an ACL to a VTY line.
LINE mode
ip access-class access-list
Example of an ACL that Permits Terminal Access
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
access-class myvtyacl
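The caveat in the first bullet of this section is easy to miss in an automated configuration review: a VTY access-class that points at an ACL with no rules looks like a restriction but restricts nothing. The following Python script is an added example and not part of the Dell guide: it parses standard ACLs and line vty blocks out of configuration text in the form shown, evaluates a source address against the rules with first-match semantics (implicit deny at the end of a non-empty ACL, permit-all for an empty ACL on a VTY line, exactly as the bullet states), and lists VTY ranges whose access-class is missing, refers to an undefined ACL, or is empty. The rule forms it accepts (host, prefix/length, any) and the sample configuration, which adds an emptyacl and two extra VTY blocks to the guide's myvtyacl example, are assumptions for the demo.

```python
import re
from ipaddress import ip_address, ip_network

# Rule forms accepted here (an assumption for the demo): host A.B.C.D, A.B.C.D/len, any
RULE_RE = re.compile(r"^\s*seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
                     r"(?:host\s+(?P<host>\S+)|(?P<any>any)|(?P<net>\S+/\d+))\s*$")
ACL_RE = re.compile(r"^\s*ip access-list standard (?P<name>\S+)\s*$")
LINE_RE = re.compile(r"^\s*line vty (?P<first>\d+)(?: (?P<last>\d+))?\s*$")
CLASS_RE = re.compile(r"^\s*(?:ip )?access-class (?P<name>\S+)")

# Constructed sample: the guide's myvtyacl plus an empty ACL and three VTY line blocks.
SAMPLE_CONFIG = """\
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
ip access-list standard emptyacl
line vty 0
access-class myvtyacl
line vty 1 2
access-class emptyacl
line vty 3
"""


def parse_acls(config):
    """Return {acl_name: [(seq, action, network), ...]} with rules ordered by sequence number."""
    acls, current = {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = acls.setdefault(m.group("name"), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            if m.group("host"):
                net = ip_network(m.group("host") + "/32")
            elif m.group("net"):
                net = ip_network(m.group("net"), strict=False)
            else:
                net = ip_network("0.0.0.0/0")
            current.append((int(m.group("seq")), m.group("action"), net))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])
    return acls


def first_match(rules, src):
    """Action of the first rule matching src, or None when no rule matches."""
    ip = ip_address(src)
    for _, action, net in rules:
        if ip in net:
            return action
    return None


def l3_allows(rules, src):
    """Layer 3 ACL semantics: anything not explicitly permitted is denied, even with no rules."""
    return first_match(rules, src) == "permit"


def vty_allows(rules, src):
    """VTY access-class semantics from the guide: an ACL with no rules does not deny traffic."""
    if not rules:
        return True
    return first_match(rules, src) == "permit"


def audit_vty(config):
    """List VTY line ranges whose access-class is missing, undefined, or empty."""
    acls = parse_acls(config)
    blocks = []  # [label, acl name or None], one per "line vty" block
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            label = "vty " + m.group("first") + ("-" + m.group("last") if m.group("last") else "")
            blocks.append([label, None])
            continue
        m = CLASS_RE.match(line)
        if m and blocks:
            blocks[-1][1] = m.group("name")
    findings = []
    for label, name in blocks:
        if name is None:
            findings.append(f"{label}: no access-class applied")
        elif name not in acls:
            findings.append(f"{label}: access-class {name} refers to an ACL that is not defined")
        elif not acls[name]:
            findings.append(f"{label}: access-class {name} has no rules, so it does not deny any source")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_vty(SAMPLE_CONFIG)))
```

Run it over show running-config output before and after every change to a VTY ACL; the empty-ACL case typically appears when an ACL is rebuilt in place (rules removed, new ones not yet added) while the access-class stays applied.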
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal
line.
A combination of authentication methods is called a method list. If the user fails the first authentication
method, the system prompts the next method until all methods are exhausted, at which point the
connection is terminated. The available authentication methods are:
enable: Prompt for the enable password.
line: Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the password command from LINE mode.
local: Prompt for the system username and password.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
LINE mode
password
Example of Terminal Line Authentication
In the following example, VTY lines 0-2 use a single authentication method, line.
Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
Dell(config-line-vty)#
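The fall-through rule stated above (a failed method hands the prompt to the next one until the list is exhausted) is what decides whether a weak method at the end of a list matters. The following Python model is an added example and not part of the Dell guide: it walks a method list in that order, treats none as an unconditional accept, falls back to local when the list is empty as the text states, and includes a small lint that reports a list containing none and any methods placed after it, which can never be reached. The backends are stand-ins (a line password, a local user table and a RADIUS table held in plain dictionaries) and the user names and passwords are constructed for the demo; only the myvtymethodlist and myvtypassword names come from the example above.

```python
def make_backends(line_password=None, local_users=None, radius_users=None, radius_reachable=True):
    """Build stand-in authentication backends; each returns True when the attempt is accepted.
    'attempt' is a dict with optional 'user' and 'password' keys (what the prompts would collect)."""
    local_users = local_users or {}
    radius_users = radius_users or {}
    return {
        # line: only meaningful when a password was set with the LINE-mode password command
        "line": lambda a: line_password is not None and a.get("password") == line_password,
        "local": lambda a: a.get("user") in local_users and local_users[a["user"]] == a.get("password"),
        "radius": lambda a: (radius_reachable and a.get("user") in radius_users
                             and radius_users[a["user"]] == a.get("password")),
    }


def evaluate(methods, attempt, backends):
    """Walk a method list as the guide describes: try each method in turn and stop at the first
    accept; if every method fails the connection is terminated.
    Returns (accepted, method_that_accepted)."""
    effective = methods or ["local"]  # the default method for terminal lines is local
    for method in effective:
        if method == "none":
            return True, "none"
        check = backends.get(method)
        if check is not None and check(attempt):
            return True, method
    return False, None


def lint_method_list(methods):
    """Review findings for a method list; an empty list is the documented default."""
    findings = []
    if "none" in methods:
        pos = methods.index("none")
        findings.append("'none' accepts every user who reaches it")
        if pos < len(methods) - 1:
            findings.append("methods after 'none' are unreachable: " + ", ".join(methods[pos + 1:]))
    if not methods:
        findings.append("empty list: the default method (local) applies")
    return findings


# Constructed demo data; only the method-list and password names come from the guide's example.
BACKENDS = make_backends(line_password="myvtypassword",
                         local_users={"admin": "local-demo-pw"},
                         radius_users={"admin": "radius-demo-pw"},
                         radius_reachable=False)   # RADIUS server down: its method always fails
METHOD_LISTS = {
    "myvtymethodlist": ["line"],
    "fallback": ["radius", "local"],
    "risky": ["radius", "none", "local"],
}


if __name__ == "__main__":
    for name, methods in METHOD_LISTS.items():
        ok, by = evaluate(methods, {"user": "guest", "password": "anything"}, BACKENDS)
        print(f"{name}: guest with a wrong password -> accepted={ok} via {by}; "
              f"lint={lint_method_list(methods)}")
```

The "risky" list shows the failure mode: once the RADIUS server is unreachable, the first method fails for everyone and none admits any user, so the local method that follows is never consulted.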
Setting Time Out of EXEC Privilege Mode
EXEC time-out is a basic security feature that returns the system to EXEC mode after a period of inactivity
on the terminal lines.
To set time out, use the following commands.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
LINE mode
exec-timeout minutes [seconds]
• Return to the default time-out values.
LINE mode
no exec-timeout
Example of Setting the Time Out Period for EXEC Privilege Mode
The following example shows how to set the time-out period and how to view the configuration using
the show config command from LINE mode.
Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
exec-timeout 0 0
Dell(config-line-console)#
Using Telnet to Access Another Network Device
To telnet to another device, use the following commands.
NOTE: On the Z9500, the system allows 120 Telnet sessions per minute, allowing the login and
logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the
Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system
during downtime.
• Telnet to a device with an IPv4 or IPv6 address.
EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one.
Enter an IPv4 address in dotted decimal format (A.B.C.D).
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros
is supported.
Example of the telnet Command for Device Access
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#
Lock CONFIGURATION Mode
The system allows multiple users to make configurations at the same time. You can lock
CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message
2).
You can set two types of locks: auto and manual.
• Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
• Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the show configuration lock command from
EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode.
Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a
console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
Dell(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears
on their terminal (message 1): % Error: User "" on line console0 is in exclusive
configuration mode.
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on
their terminal (message 2): % Error: Can't lock configuration mode exclusively since
the following users are currently configuring the system: User "admin" on line
vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though
you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.
Recovering from a Forgotten Password on the Z9500
If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password, follow these steps:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
4. At the BLI prompt, set the system parameter to ignore the enable password and reload the system:
BOOT_USER# ignore enable-password
BOOT_USER# reload
NOTE: You must manually enter each CLI command. The system rejects a command if you copy and paste it in the command line.
5. Configure a new password.
CONFIGURATION mode
enable {secret | password}
6. Save the change in the running configuration to the startup configuration.
EXEC Privilege mode
copy running-config startup-config
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
If you do not want to boot up with your current startup configuration and do not want to
delete it, you can interrupt the boot process and boot up with the Z9500 factory-default configuration.
To boot up with the factory-default configuration:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
4. At the BLI prompt, set the system parameter to ignore the startup configuration and reload the system:
BOOT_USER# ignore startup-config
BOOT_USER# reload
NOTE: You must manually enter each CLI command. The system rejects a command if you copy and paste it in the command line.
Recovering from a Failed Start on the Z9500
A switch that does not start correctly might be trying to boot from a corrupted Dell Networking OS image
or from a mis-specified location.
In this case, you can restart the system and interrupt the boot process to point the system to another
boot location.
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. During bootup, press the ESC key when this message appears: Press Esc to stop autoboot...
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
3. At the BLI prompt, change the primary boot location:
BOOT_USER mode
BOOT_USER# boot change primary
You are prompted to enter a valid boot device (for example, ftp or tftp) and a path or filename for the Dell Networking OS image that you want to use.
4. (Optional) Set the secondary and default boot locations by entering the following commands:
BOOT_USER mode
BOOT_USER# boot change secondary
BOOT_USER# boot change default
5. Reboot the chassis.
BOOT_USER mode
reload
Restoring Factory-Default Settings
When you restore factory-default settings on a switch, the existing NVRAM settings, startup configuration,
and all configured settings are deleted.
To restore the factory-default settings, enter the restore factory-defaults {clear-all |
nvram} command in EXEC Privilege mode.
CAUTION: There is no undo for this command.
Important Points to Remember
• When you restore the factory-default settings on all units in a stack, the units are placed in standalone mode.
• After the restore is complete, a switch reloads immediately.
The following example shows how the restore factory-defaults command restores a switch to its factory
default settings.
Dell# restore factory-defaults nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing       *
* persistent settings (stacking, fanout, etc.)                        *
* After restoration the unit(s) will be powercycled immediately.      *
* Proceed with caution !                                              *
***********************************************************************
Proceed with factory settings? Confirm [yes/no]:yes
-- Restore status --
Unit    Nvram      Config
-------------------------
0       Success
Power-cycling the unit(s).
....
Restoring Factory-Default Boot Environment Variables
The Boot line determines the location of the image that is used to boot up the switch after restoring
factory-default settings. Ideally, these locations contain valid images, which the switch uses to boot up.
When you restore factory-default settings, you can either use a flash boot procedure or a network boot
procedure to boot the switch.
When you use a flash boot procedure to boot the switch, the reset boot variables are displayed below
restore bootvar in the command output.
• If the primary boot line is A: and the A: partition contains a valid image, the primary boot line is set to A:, the secondary boot line is set to B: (if B: also contains a valid image), and the default boot line is set to a Null string.
• If the primary boot line is B: and the B: partition contains a valid image, the primary boot line is set to B:, the secondary boot line is set to A: (if A: also contains a valid image), and the default boot line is set to a Null string.
• If either partition contains an invalid or corrupted image, that partition is not set in any of the boot lines. If both partitions contain invalid images, the primary, secondary, and default boot lines are set to a Null string.
When you use a network boot procedure to boot the switch, the reset boot variables are displayed below restore bootvar in the command output.
• If the primary partition contains a valid image and the secondary partition does not contain a valid image, the primary boot line is set to A: and the secondary and default boot lines are set to a Null string.
• If both partitions have valid images, the primary boot line value is set to the partition configured to boot the device in case of a network failure. The secondary and default boot lines are set to a Null string.
Important Points to Remember
• The CLI remains at the boot prompt if no partition contains a valid image.
• To enable a TFTP boot after restoring factory default settings, you must stop the boot process using the boot-line interface (BLI).
• The tftpboot command does not work after you perform a reset bootvar because the management IP address, network mask, and gateway IP address are all reset to NULL.
In case the system fails to reload the image from a flash partition, follow these steps:
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. When prompted by the system, press the Esc key to abort the boot process.
You are placed in the boot-line interface (BLI) at the BOOT_USER # prompt.
Press any key
3. Assign the new location of the FTOS image to be used when the system reloads.
To boot from flash partition A:
BOOT_USER # boot change primary
boot device : flash
file name : systema
BOOT_USER #
To boot from flash partition B:
BOOT_USER # boot change primary
boot device : flash
file name : systemb
BOOT_USER #
To boot from the network:
BOOT_USER # boot change primary
boot device : tftp
file name : FTOS-SI-9-5-0-169.bin
Server IP address : 10.16.127.35
BOOT_USER #
4. Assign an IP address and network mask to the Management Ethernet interface.
BOOT_USER # interface management ethernet ip address ip_address_with_mask
For example, 10.16.150.106/16.
5. Assign an IP address as the default gateway for the system.
default-gateway gateway_ip_address
For example, 10.16.150.254.
6. The environment variables are auto saved.
7. Reload the system.
BOOT_USER # reload
5 802.1X
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is
disallowed from sending or receiving packets on the network until its identity can be verified (through a
username and password, for example). This feature is named for its IEEE specification.
802.1X employs the extensible authentication protocol (EAP) to transfer a device's credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS,
PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
• The authentication server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Z9500 places 802.1X-enabled ports in the unauthorized state by default.
The Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the requested challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 4. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as
defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV)
format. The Type value for EAP messages is 79.
Figure 5. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 (Calling-Station-Id): relays the supplicant MAC address to the authentication server.
Attribute 41 (NAS-Port-Type): the physical port type of the NAS port. 15 indicates Ethernet.
Attribute 61 (NAS-Port): the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 (Tunnel-Private-Group-ID): associates a tunneled session with a particular group of users.
Configuring 802.1X
Configuring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN
Important Points to Remember
• The system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
• If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.
Enabling 802.1X
Enable 802.1X globally, then on each supplicant-facing interface.
Figure 6. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Examples of Verifying that 802.1X is Enabled Globally or on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
The bold lines show that 802.1X is enabled.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
no ip address
dot1x authentication
no shutdown
!
Dell#
View 802.1X configuration information for an interface using the show dot1x interface command.
The bold lines show that 802.1X is enabled and that the port is unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           AUTO
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disable
Guest VLAN id:          NONE
Auth-Fail VLAN:         Disable
Auth-Fail VLAN id:      NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass:        Disable
Mac-Auth-Bypass Only:   Disable
Tx Period:              30 seconds
Quiet Period:           60 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            2
Host Mode:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
Configuring Request Identity Re-Transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the
authenticator waits 30 seconds and then re-transmits the frame.
The amount of time that the authenticator waits before re-transmitting and the maximum number of
times that the authenticator re-transmits are configurable.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the
supplicant might have been booting when the request arrived or there might be a physical layer
problem.
80
802.1X
To configure re-transmissions, use the following commands.
• Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year).
The default is 30.
• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10.
The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information
for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and
re-transmits a maximum of 10 times.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame
after 30 seconds by default, but you can configure this period.
NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed
authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive
supplicant.
To configure a quiet period, use the following command.
• Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.
INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535.
The default is 60 seconds.
Example of Configuring and Verifying Port Authentication
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
• after 90 seconds and a maximum of 10 times for an unresponsive supplicant
• re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Dell(conf-if-range-Te-0/0)#dot1x tx-period 90
Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10
Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           AUTO
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
• Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
• Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
Re-Authenticating a Port
You can configure the authenticator for periodic re-authentication.
After the supplicant has been authenticated, and the port has been authorized, you can configure the
authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the
supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can
configure a maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands.
• Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 65535.
The default is 3600.
• Configure the maximum number of times that the supplicant can be re-authenticated.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10.
The default is 2.
Example of Re-Authenticating a Port and Verifying the Configuration
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time
period.
Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200
Dell(conf-if-Te-0/0)#dot1x reauth-max 10
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Enable
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the
authentication process after 30 seconds by default. You can configure the amount of time the
authenticator waits for a response.
To terminate the authentication process, use the following commands.
• Terminate the authentication process due to an unresponsive supplicant.
INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300.
The default is 30.
• Terminate the authentication process due to an unresponsive authentication server.
INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300.
The default is 30.
Example of Viewing Configured Server Timeouts
The example shows configuration information for a port for which the authenticator terminates the
authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disable
Guest VLAN id:          NONE
Auth-Fail VLAN:         Disable
Auth-Fail VLAN id:      NONE
Auth-Fail Max-Attempts: NONE
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
Configuring Dynamic VLAN Assignment with Port Authentication
On the Z9500, 802.1X authentication supports dynamic VLAN assignment.
The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
The illustration shows the configuration before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 7. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configuration (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
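The sections EAP over RADIUS, RADIUS Attributes for 802.1X Support, and the dynamic VLAN procedure above all turn on the same encoding: an EAP packet carried inside RADIUS attributes in Type, Length, Value form, and a VLAN id carried back in Tunnel-Private-Group-ID. The following Python is an added example, not Dell Networking code: it builds the attributes an authenticator would send in an Access-Request (Calling-Station-Id 31 and EAP-Message 79, as listed above), parses them back with length checks, and extracts the VLAN from an Access-Accept. The companion attributes Tunnel-Type (64) and Tunnel-Medium-Type (65) are not on this page; they come from RFC 3580, as does the 253-byte chunking of EAP-Message. The supplicant identity, MAC address and the default VLAN id of 1 are constructed assumptions.

```python
"""Constructed example (not Dell code): EAP-over-RADIUS attribute encoding
and VLAN extraction as used by 802.1X dynamic VLAN assignment."""
import struct

# RADIUS attribute type numbers (RFC 2865, RFC 2868, RFC 3579).
CALLING_STATION_ID = 31
EAP_MESSAGE = 79
TUNNEL_TYPE = 64                # RFC 2868; value 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868; value 6 = IEEE-802 (RFC 3580)
TUNNEL_PRIVATE_GROUP_ID = 81    # carries the VLAN id as a string
MAX_ATTR_VALUE = 253            # 255-byte attribute minus the 2-byte header

# EAP code / type numbers (RFC 3748).
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP Response/Identity: Code(1) Identifier(1) Length(2) Type(1) identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in TLV form; Length counts the 2-byte header."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tunnel attributes (RFC 2868): one tag byte then a 3-byte integer."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def decode_attrs(blob: bytes) -> list:
    """Walk an attribute list into (type, value) pairs.
    Rejects a Length below 2 or one that runs past the buffer, so a
    malformed reply cannot make the parser read outside the packet."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def is_well_formed(blob: bytes) -> bool:
    """True when every Length field is consistent with the buffer."""
    try:
        decode_attrs(blob)
        return True
    except ValueError:
        return False


def build_access_request_attrs(supplicant_mac: str, eap: bytes) -> bytes:
    """Attributes the authenticator adds to an 802.1X Access-Request:
    Calling-Station-Id relays the supplicant MAC; the EAP packet is split
    across as many EAP-Message attributes as its size requires."""
    attrs = encode_attr(CALLING_STATION_ID, supplicant_mac.encode())
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += encode_attr(EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    return attrs


def build_access_accept_attrs(vlan: int, tag: int = 1) -> bytes:
    """What a RADIUS server returns to place the port in `vlan` (RFC 3580)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, 13)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, 6)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def vlan_from_access_accept(attrs_blob: bytes, default_vlan: int = 1):
    """VLAN id from Tunnel-Private-Group-ID, or None if the reply is unusable.
    Requires Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802, and refuses the
    default VLAN because the switch will not assign it dynamically (the
    default VLAN id of 1 is an assumption of this example)."""
    found = {}
    for attr_type, value in decode_attrs(attrs_blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")   # skip tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag, not part of the string.
            text = value[1:] if value and value[0] <= 0x1F else value
            found[attr_type] = text.decode(errors="replace")
    if found.get(TUNNEL_TYPE) != 13 or found.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None or not group.isdigit():
        return None
    vlan = int(group)
    if vlan == default_vlan or not 1 <= vlan <= 4094:
        return None
    return vlan


if __name__ == "__main__":
    eap = eap_response_identity(1, "printer-lab@example.com")    # constructed identity
    req = build_access_request_attrs("00:11:22:33:44:55", eap)   # constructed MAC
    print([(t, len(v)) for t, v in decode_attrs(req)])
    print(vlan_from_access_accept(build_access_accept_attrs(200)))
```

The length checks in decode_attrs are the part worth keeping in any real parser: the Length byte is attacker-controlled in a spoofed reply, and the VLAN lookup refuses to act on a Tunnel-Private-Group-ID that arrives without the two companion attributes or that names the default VLAN.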
Guest and Authentication-Fail VLANs
Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x guest-vlan 200
no shutdown
Dell(conf-if-Te-2/1)#
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified
amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period
after a Failed Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a
failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Example of Configuring Maximum Authentication Attempts
Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
no shutdown
Dell(conf-if-Te-2/1)#
Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
Dell(conf-if-Te-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the
example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC
Privilege mode.
Example of Viewing Configured Authentication
802.1x information on Te 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disabled
Guest VLAN id:          200
Auth-Fail VLAN:         Disabled
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), ingress IP and MAC ACLs, and egress IP and MAC ACLs are supported on the Z9500.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol
[TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are
processed in sequence so that if a packet does not match the criterion in the first filter, the second filter
(if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based
on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is
dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size.
For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete
CAM profiling information, refer to Content Addressable Memory (CAM).
IP Access Control Lists (ACLs)
You can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP address of the packet. An extended ACL filters traffic based on the following criteria:
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP
ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning
sequence numbers to the filters as you enter them, or the system assigns numbers in the order the filters
are created. The sequence numbers are listed in the display output of the show config and show ip
accounting access-list commands.
Ingress and egress Hot Lock ACLs allow you to append or delete rules in an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs on all platforms.
NOTE: Hot lock ACLs are supported for Ingress ACLs only.
CAM Usage
The following section describes CAM allocation and CAM optimization.
• User Configurable CAM Allocation
• CAM Optimization
User-Configurable CAM Allocation
User-configurable content-addressable memory (CAM) allows you to specify the amount of memory
space that you want to allocate for ACLs.
To allocate ACL CAM, use the cam-acl command in CONFIGURATION mode. For information about
how to allocate CAM for ACL VLANs, see Allocating ACL VLAN CAM.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.) Enter the allocation in multiples of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Save the new CAM settings to the startup-config (use write-mem or copy run start) then reload the
system for the new settings to take effect.
Test CAM Usage
The test cam-usage command is supported on the Z9500.
This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS
optimization for IPv6 ACLs.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this
command. To verify the actual CAM space required, create a class map with all the required ACL rules,
then execute the test cam-usage command in Privilege mode. The following example shows the
output when executing this command. The status column indicates whether you can enable the policy.
Example of the test cam-usage Command
Dell#test cam-usage service-policy input TestPolicy linecard all
Linecard|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
--------------------------------------------------------------------------
       2|       1|     IPv4Flow|          232|                     0|Allowed
       2|       1|     IPv6Flow|            0|                     0|Allowed
       4|       0|     IPv4Flow|          232|                     0|Allowed
       4|       0|     IPv6Flow|            0|                     0|Allowed
Dell#
Implementing ACLs
You can assign one IP ACL per physical or VLAN interface. If you do not assign an IP ACL to an interface,
it is not used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable to the following features:
• L2 Ingress Access list
• L2 Egress Access list
• L3 Egress Access list
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is
installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. Whereas
if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each
port belonging to a port-pipe.
When you use the log keyword, the CP has to log the details about the packets that match. Depending
on how many packets match the log entry and at what rate, the CP might become busy as it has to log
these packets’ details. However, the Route Processor (RP) is unaffected. This option is typically useful
when debugging some problem related to control traffic. We have used this option numerous times in
the field and have not encountered problems so far.
ACL Optimization
If an access list contains duplicate entries, the system deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM
entries whether it is identified as a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the system matches the
class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against
cmap1 and are buffered in queue 7, though you intended for these packets to match positive against
cmap2 and be buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules. The order can range from
0 to 254. The system writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0)
before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL
rules have an order of 254.
Example of the order Keyword to Determine ACL Sequence
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface tengig 1/0
Dell(conf-if-te-1/0)#service-policy input pmap
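To make the effect of the order keyword checkable before a policy is applied, the following Python is an added example (not Dell code) that reads the configuration lines shown above, writes the class-map ACL entries into a simulated CAM in the sequence the text describes (lowest order first; among equal orders the higher-priority queue, that is the larger queue number, first), and reports which queue a given source address would land in. The parser understands only the statement forms that appear in this example; the CAM write order for equal order values is taken from the text's description of queue priority.

```python
"""Constructed model (not Dell code) of how the `order` keyword changes which
of two overlapping class-map ACL rules the CAM hits first."""
import ipaddress
import re

DEFAULT_ORDER = 254   # the text: every ACL rule has order 254 unless set

# The configuration from the example above, reproduced as input for the parser.
CONFIG = """\
ip access-list standard acl1
 permit 20.0.0.0/8
ip access-list standard acl2
 permit 20.1.1.0/24 order 0
class-map match-all cmap1
 match ip access-group acl1
class-map match-all cmap2
 match ip access-group acl2
policy-map-input pmap
 service-queue 7 class-map cmap1
 service-queue 4 class-map cmap2
"""


def parse_config(text: str):
    """Tiny parser for the statements used on this page (an assumption: a real
    running-config carries many more). Returns (acls, class_maps, policy)."""
    acls, cmaps, policy, ctx = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"ip access-list standard (\S+)$", line):
            ctx = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif m := re.match(r"class-map match-all (\S+)$", line):
            ctx = ("cmap", m.group(1))
        elif re.match(r"policy-map-input (\S+)$", line):
            ctx = ("pmap", None)
        elif ctx and ctx[0] == "acl" and (m := re.match(r"permit (\S+)(?: order (\d+))?$", line)):
            order = int(m.group(2)) if m.group(2) else DEFAULT_ORDER
            acls[ctx[1]].append((ipaddress.ip_network(m.group(1)), order))
        elif ctx and ctx[0] == "cmap" and (m := re.match(r"match ip access-group (\S+)$", line)):
            cmaps[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "pmap" and (m := re.match(r"service-queue (\d+) class-map (\S+)$", line)):
            policy[int(m.group(1))] = m.group(2)
        else:
            raise ValueError(f"unsupported statement: {line}")
    return acls, cmaps, policy


def build_cam(acls, cmaps, policy):
    """Simulated CAM: a list of (network, queue) in write order. Lower `order`
    is written first; ties go to the higher-priority (larger-numbered) queue."""
    entries = []
    for queue, cmap in policy.items():
        for net, order in acls[cmaps[cmap]]:
            entries.append((order, -queue, net, queue))
    entries.sort(key=lambda e: (e[0], e[1]))
    return [(net, queue) for _, _, net, queue in entries]


def classify(cam, src_ip: str):
    """First CAM hit wins, as in hardware. Returns the queue or None."""
    ip = ipaddress.ip_address(src_ip)
    for net, queue in cam:
        if ip in net:
            return queue
    return None


def queue_for(config_text: str, src_ip: str):
    """Convenience: parse, build the CAM, classify one source address."""
    return classify(build_cam(*parse_config(config_text)), src_ip)


if __name__ == "__main__":
    # With `order 0` on acl2, 20.1.1.5 is matched by cmap2 (queue 4) as intended.
    print(queue_for(CONFIG, "20.1.1.5"))
    # Without it, the broader acl1 rule is hit first and the packet goes to queue 7.
    print(queue_for(CONFIG.replace(" order 0", ""), "20.1.1.5"))
```

Running the same classification with and without the order keyword is the check to make before applying a policy whose class-maps share address space; the shadowed rule never counts a hit, so the mistake is silent in production.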
IP Fragment Handling
The system supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent fragments.
It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules, for all supported protocols (permit/deny ip/tcp/udp/icmp).
• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For an IP ACL, the system always applies implicit deny. You do not have to configure it.
• For an IP ACL, the system applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a Loopback interface, the command is accepted but the offending rule is not actually installed in the CAM.
IP Fragments ACL Examples
The following examples show how you can use ACL commands with the fragment keyword to filter
fragmented packets.
Example of Permitting All Packets on an Interface
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)
Example of Denying Second and Subsequent Fragments
To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)
Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.
Example of Permitting All Packets from a Specified Host
In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All other packets are denied: non-first fragments by the explicit deny, everything else by the implicit deny.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragments
Dell(conf-ext-nacl)
Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1
with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host
10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragments
Dell(conf-ext-nacl)#deny ip any any fragments
Dell(conf-ext-nacl)
Example of Logging Denied Packets
To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/
UDP fragments, use a configuration similar to the following.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragments
Dell(conf-ext-nacl)#permit udp any any fragments
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)
When configuring ACLs with the fragments keyword, be aware of the following.
When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.
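The fragment rules above (a rule with the fragments keyword matches only FO > 0, the implicit permit for non-first fragments sits just before the implicit deny, and an explicit deny overrides that implicit permit) are easy to misjudge when reviewing an ACL by eye. The following Python model is an added example written for this guide and is not Dell code; it replays the ABC access lists from the examples above against constructed packets. The Packet and Rule types, the parse_rule and evaluate helpers, and the sample addresses 10.2.2.2 and 192.0.2.9 are assumptions of the example. It also assumes, as the guide's Layer 4 examples imply but do not state, that a rule carrying a TCP/UDP port qualifier can match only FO = 0 packets, while a rule without one matches FO = 0 and FO > 0 alike.

```python
"""Model of how a Dell Networking OS IP ACL evaluates fragmented packets.

Added illustration, not Dell code. It encodes the behaviour the guide states:
a rule with the `fragments` keyword matches only packets with fragment offset
(FO) > 0 and lets FO = 0 packets fall through; an implicit permit for
non-first fragments sits just before the implicit deny; an explicit deny that
matches a fragment wins over that implicit permit.
ASSUMPTION: a rule with a port qualifier cannot match FO > 0 packets
(non-first fragments carry no L4 header); a rule without one matches both.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    fo: int = 0                   # fragment offset; 0 = first fragment or unfragmented
    dport: Optional[int] = None   # destination port, only present when fo == 0


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None   # from "eq <port>"
    fragments: bool = False       # the `fragments` keyword
    log: bool = False


def parse_rule(line: str, default_seq: int) -> Rule:
    """Parse the subset of CONFIG-EXT-NACL syntax used in the guide's examples:
    [seq N] {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT] [fragments] [log]."""
    tok = line.split()
    seq = default_seq
    if tok[0] == "seq":
        seq, tok = int(tok[1]), tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take_addr(rest: List[str]):
        if rest[0] == "host":
            return "host " + rest[1], rest[2:]
        return rest[0], rest[1:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport, fragments, log = None, False, False
    while rest:
        if rest[0] == "eq":
            dport, rest = int(rest[1]), rest[2:]
        elif rest[0] == "fragments":
            fragments, rest = True, rest[1:]
        elif rest[0] == "log":
            log, rest = True, rest[1:]
        else:
            raise ValueError(f"unsupported keyword {rest[0]!r} in {line!r}")
    return Rule(seq, action, proto, src, dst, dport, fragments, log)


def build_acl(lines: List[str]) -> List[Rule]:
    """System-assigned sequence numbers in multiples of five, as the guide describes."""
    return [parse_rule(line, (i + 1) * 5) for i, line in enumerate(lines)]


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.fragments:
        # L3 match plus `fragments`: FO > 0 hits, FO = 0 goes to the next rule.
        return pkt.fo > 0
    if rule.dport is not None:
        # ASSUMPTION: a port qualifier only matches FO = 0 packets.
        return pkt.fo == 0 and pkt.dport == rule.dport
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; then implicit permit for FO > 0; then implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action
    if pkt.fo > 0:
        return "permit"   # implicit permit for second and subsequent fragments
    return "deny"         # implicit deny


# Constructed sample traffic; 10.1.1.1 is the guide's example host.
FIRST_FRAG = Packet("tcp", "10.1.1.1", "10.2.2.2", fo=0, dport=24)
LATER_FRAG = Packet("tcp", "10.1.1.1", "10.2.2.2", fo=185)
STRAY_FRAG = Packet("udp", "192.0.2.9", "10.2.2.2", fo=100)


def decisions(lines: List[str]) -> dict:
    """Run the three sample packets through an ACL given as CLI lines."""
    acl = build_acl(lines)
    return {
        "first_frag": evaluate(acl, FIRST_FRAG),
        "later_frag": evaluate(acl, LATER_FRAG),
        "stray_frag": evaluate(acl, STRAY_FRAG),
    }


if __name__ == "__main__":
    # Only an L4 permit: the stray UDP fragment is let through by the implicit permit.
    print(decisions(["permit tcp host 10.1.1.1 any eq 24"]))
    # Adding `deny ip any any fragments` closes that hole (the guide's first L4 example).
    print(decisions(["permit tcp host 10.1.1.1 any eq 24", "deny ip any any fragments"]))
```

The first call in the main block shows the hole the guide warns about: a single Layer 4 permit followed only by the implicit deny still passes every non-first fragment, because the implicit permit for fragments is evaluated before the implicit deny. The explicit deny ip any any fragments line closes it, and the logging example's deny ip any any log closes it as well while still matching FO = 0 packets.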
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.
For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command
Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL.
A standard IP ACL uses the source IP address as its match criterion.
1.
Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-listname
2.
Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[count [byte]] [order] [fragments] [log]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five.
When you use the log keyword, the CP logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these
packets’ details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting
access-list ACL-name interface interface command in EXEC Privilege mode.
Examples of Using a Standard IP ACL
The following example shows viewing the rules of a specific ACL on an interface.
Dell#show ip accounting access-list ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
Dell#
The following example shows how the seq command orders the filters according to the sequence
number assigned. In the example, filter 25 was configured before filter 15, but the show config
command displays the filters in the correct order.
Dell(config-std-nacl)#seq 25 deny host 10.5.0.0 log
Dell(config-std-nacl)#seq 15 permit 10.3.0.0/16
Dell(config-std-nacl)#show config
!
ip access-list standard dilling
seq 15 permit 10.3.0.0/16
seq 25 deny host 10.5.0.0 log
Dell(config-std-nacl)#
To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode.
Configuring a Standard IP ACL Filter
If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence
number based on the order in which the filters are configured. The software assigns filters in multiples of
five.
1.
Configure a standard IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list standard access-list-name
2.
Configure a drop or forward IP ACL filter.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte]]
[order] [fragments] [log]
When you use the log keyword, the CP logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these
packets’ details.
The following example shows a standard IP ACL in which the system assigns the sequence numbers. Filters are assigned sequence numbers based on the order in which they are configured: the first filter is given the lowest sequence number, 5, the next 10, and so on. The show config command in IP ACCESS LIST mode displays each filter with its assigned sequence number.
Examples of Viewing Filter Sequence Standard ACLs
The following example shows viewing a filter sequence for a specified standard ACL.
Dell(conf)#ip access-list standard kigali
Dell(config-std-nacl)#permit 10.1.0.0/16
Dell(config-std-nacl)#show config
!
ip access-list standard kigali
seq 5 permit 10.1.0.0/16
Dell(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode.
Dell#show ip accounting access-list example interface gig 4/12
Extended IP access list example
seq 10 deny tcp any any eq 111
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence
number of the filter you want to delete. Then use the no seq sequence-number command in IP
ACCESS LIST mode.
Configure an Extended IP ACL
Extended IP ACLs filter on source and destination IP addresses or hosts, on the IP protocol, and on TCP and UDP ports.
Because traffic passes through the filter in the order of the filter’s sequence, you can configure the
extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the
filter.
Configuring Filters with a Sequence Number
To configure filters with a sequence number, use the following commands.
1.
Enter IP ACCESS LIST mode by creating an extended IP ACL.
CONFIGURATION mode
ip access-list extended access-list-name
2.
Configure a drop or forward filter.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp |
udp} {source mask | any | host ip-address} {destination mask | any | host
ip-address} [operator port [port]] [count [byte]] [order] [fragments] [log]
When you use the log keyword, the CP logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these
packets’ details.
Configure Filters, TCP Packets
To create a filter for TCP packets with a specified sequence number, use the following commands.
1.
Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2.
Configure an extended IP ACL filter for TCP packets.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] [log]
Configure Filters, UDP Packets
To create a filter for UDP packets with a specified sequence number, use the following commands.
1.
Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2.
Configure an extended IP ACL filter for UDP packets.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} udp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] [log]
Example of the seq Command
When you create the filters with a specific sequence number, you can create the filters in any order and
the filters are placed in the correct order.
NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent
reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.
The example below shows how the seq command orders the filters according to the sequence number
assigned. In the example, filter 15 was configured before filter 5, but the show config command
displays the filters in the correct order.
Dell(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
Dell(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
Dell(config-ext-nacl)#show config
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 0.0.255.255 any
seq 15 deny ip host 112.45.0.0 any log
Dell(config-ext-nacl)#
Configuring Filters Without a Sequence Number
If you are creating an extended ACL with only one or two filters, you can let the system assign a
sequence number based on the order in which the filters are configured. Filters are assigned in multiples
of five.
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands:
• Configure a deny or permit filter to examine IP packets.
CONFIG-EXT-NACL mode
{deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [count [byte]] [order] [fragments] [log]
• Configure a deny or permit filter to examine TCP packets.
CONFIG-EXT-NACL mode
{deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] [log]
• Configure a deny or permit filter to examine UDP packets.
CONFIG-EXT-NACL mode
{deny | permit} udp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] [log]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows an extended IP ACL in which the sequence numbers were assigned by the
software. The filters were assigned sequence numbers based on the order in which they were configured
(for example, the first filter was given the lowest sequence number). The show config command in IP
ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Example of Viewing Filter Sequence for a Specified Extended ACL
Dell(config-ext-nacl)#deny tcp host 123.55.34.0 any
Dell(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
Dell(config-ext-nacl)#show config
!
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
Dell(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip
accounting access-list command in EXEC Privilege mode, as shown in the first example in
Configure a Standard IP ACL Filter.
Configure Layer 2 and Layer 3 ACLs
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode.
If both L2 and L3 ACLs are applied to an interface, the following rules apply:
• When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL.
• When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them.
• When the system switches the packets, the egress L3 ACL does not filter the packet.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset:
• L2 ingress access list
• L3 egress access list
• L2 egress access list
If a rule is simply appended, existing counters are not affected.
Table 4. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior    L3 ACL Behavior    Decision on Targeted Traffic
Deny               Deny               L3 ACL denies.
Deny               Permit             L3 ACL permits.
Permit             Deny               L3 ACL denies.
Permit             Permit             L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets.
The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features
(such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic.
For information about MAC ACLs, refer to Layer 2.
Using ACL VLAN Groups
Use an ACL VLAN group to optimize ACL CAM usage by minimizing the number of CAM entries when you
apply an egress IP ACL on the member interfaces of specified VLANs.
When you apply an ACL on individual VLANs, the amount of CAM space required increases greatly
because the ACL rules are saved for each VLAN ID. To avoid excessive use of the CAM space, you can
configure ACL VLAN groups to combine all VLANs on which ACL filtering criteria is applied in a single
class ID instead of multiple VLAN IDs.
NOTE: CAM optimization applies only when you use an ACL VLAN group; it does not apply if you
apply an ACL on individual VLANs.
Guidelines for Configuring ACL VLAN Groups
Keep the following points in mind when you configure ACL VLAN groups:
• The VLAN member interfaces, on which the ACL in an ACL VLAN group is applied, function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs on which hierarchical filtering is performed.
• You can add only one ACL to an interface at a time.
• When you apply an ACL VLAN group to a member interface, an error message is displayed if an ACL with different criteria has already been separately applied to the interface.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
• The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization) can be allocated virtual flow processing slices at a time.
• Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
• You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL VLAN group capability. You can view the counters per ACL only by using the show ip accounting access-list command.
• On a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
• To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.
• If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby effectively saving CAM space. The optimization is enabled only if you specify the optimized option with the ip access-group command. This option is not valid for VLAN and LAG interfaces.
Configuring an ACL VLAN Group
Configure an ACL VLAN group to optimize ACL CAM use.
NOTE: After you configure an ACL VLAN group, you must allocate CAM memory for ACL VLAN
services to enable CAM optimization. See Allocating ACL VLAN CAM for more information.
1.
Create an ACL VLAN group
CONFIGURATION mode
acl-vlan-group group-name
You can create up to eight different ACL VLAN groups.
2.
Add a description.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
description description
3.
Apply an egress IP ACL.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
ip access-group access-list-name out implicit-permit
4.
Specify the VLAN members in the ACL VLAN group.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
member vlan vlan-range
5.
Verify the currently configured ACL VLAN groups on the switch.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group-name | detail}
Dell#show acl-vlan-group detail
Group Name :
TestGroupSeventeenTwenty
Egress IP Acl :
SpecialAccessOnlyExpertsAllowed
Vlan Members :
100,200,300
Group Name :
CustomerNumberIdentificationEleven
Egress IP Acl :
AnyEmployeeCustomerElevenGrantedAccess
Vlan Members :
2-10,99
Group Name :
HostGroup
Egress IP Acl :
Group5
Vlan Members :
1,1000
Dell#
Allocating ACL VLAN CAM
CAM optimization for ACL VLAN groups is not enabled by default. You must allocate blocks of ACL VLAN
CAM to enable ACL CAM optimization by using the cam-acl-vlan command.
By default, 0 blocks of CAM are allocated for VLAN services in the VLAN Content Aware Processor
(VCAP), an application that modifies VLAN settings before forwarding packets on member interfaces. The
cam-acl-vlan {vlanaclopt | vlaniscsi | vlanopenflow} command allows you to allocate
filter processor (FP) blocks of memory for ACL VLAN services: iSCSI counters, Open Flow, and ACL VLAN
optimization.
You can configure CAM allocation for only two of these VLAN services at a time. You can allocate from 0
to 2 FP blocks for each VLAN service.
To allocate the number of FP blocks for ACL VLAN optimization, enter the cam-acl-vlan vlanaclopt
<0-2> command. After you configure ACL VLAN CAM, reboot the switch to enable CAM allocation for
ACL VLAN optimization.
To display the number of FP blocks currently allocated to different ACL VLAN services, enter the show
cam-acl-vlan command.
To display the amount of CAM space currently used and available for Layer 2 and Layer 3 ACLs on the
switch, enter the show cam-usage command.
Applying an IP ACL to an Interface
To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel
interface, or a VLAN.
The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either
forwarded or dropped depending on the criteria and actions specified in the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL “ABCD” and apply it using the in keyword and it becomes an ingress access list. If you apply
the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to the
Loopback interface, it becomes a Loopback access list.
For more information about Layer 3 interfaces, refer to Interfaces.
1.
Enter the interface number.
CONFIGURATION mode
interface interface {slot/port | port-channel-number}
2.
Configure an IP address for the interface, placing it in Layer 3 mode.
INTERFACE mode
ip address ip-address
3.
Apply an IP ACL to traffic entering or exiting an interface.
INTERFACE mode
ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed
specification about entries allowed per ACL, refer to your line card documentation.
4.
Apply rules to the new ACL.
CONFIGURATION mode
ip access-list [standard | extended] name
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or
use the show running-config command in EXEC mode.
Example of Viewing ACLs Applied to an Interface
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
Dell(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and filter traffic entering the system.
Applying the ACL at the interface where the target traffic enters eliminates the need to apply ACLs on each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
To apply an ingress ACL, use the ip access-group command with the in keyword in INTERFACE mode. The example
shows applying the ACL, adding rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration
To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list
extended abcd command. To view the access-list, use the show command.
Dell(conf)#interface gige 0/0
Dell(conf-if-gige0/0)#ip access-group abcd in
Dell(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
Dell(conf-if-gige0/0)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Configure Egress ACLs
Egress ACLs are supported on interfaces and affect the traffic leaving the system.
Configuring egress ACLs on physical interfaces protects the system infrastructure from attack, malicious and incidental, by explicitly allowing only authorized traffic. Applying the ACL at the interface the target traffic leaves through eliminates the need to apply ACLs on each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
To restrict egress traffic, use an egress ACL. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from exiting the box, thus protecting downstream devices.
To apply an egress ACL, use the ip access-group command with the out keyword in INTERFACE mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify egress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
Dell(conf)#interface gige 0/0
Dell(conf-if-gige0/0)#ip access-group abcd out
Dell(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
Dell(conf-if-gige0/0)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Egress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
For example, if you initiate a ping session from the system and apply an egress ACL to block this type of
traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL
feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.
1.
Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2.
Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3.
Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
CONFIG-NACL mode
permit ip {source mask | any | host ip-address} {destination mask | any |
host ip-address} count
Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group
management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU
traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface
MAC address instead of VRRP virtual MAC address.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL
entries.
1.
Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter.
2.
Apply the ACL as an inbound or outbound ACL on an interface. Refer to Applying an IP ACL.
3.
View the number of packets matching the ACL.
EXEC Privilege mode
show ip accounting access-list
IP Prefix Lists
IP prefix lists are supported to control routing policy.
An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix)
and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route
prefix does not match the criterion in the first filter, the second filter (if configured) is applied. When the
route prefix matches a filter, the system drops or forwards the route based on the filter's designated
action. If the route prefix does not match any of the filters in the prefix list, the route is dropped (that is,
implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route
prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be
matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address
112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
The following examples show permit or deny filters for specific routes using the le and ge parameters, where x.x.x.x/x represents a route prefix:
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8.
• To permit routes with a mask of at least /8 and at most /12, enter permit x.x.x.x/x ge 8 le 12.
• To deny routes with a mask of at most /24, enter deny x.x.x.x/x le 24.
• To permit routes with a mask of at least /20, enter permit x.x.x.x/x ge 20.
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
• An "implicit deny" is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
• After a route matches a filter, the filter's action is applied. No additional filters are applied to the route.
Implementation Information
Prefix lists are used in processing routes for routing protocols (for example, router information protocol
[RIP], open shortest path first [OSPF], and border gateway protocol [BGP]).
NOTE: It is important to know which protocol your system supports prior to implementing prefixlists.
Configuration Task List for Prefix Lists
To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP
modes.
Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER
OSPF and ROUTER BGP modes.
The following list includes the configuration tasks for prefix lists, as described in the following sections.
•
Configuring a prefix list
•
Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command
Line Reference Guide.
Creating a Prefix List
To create a prefix list, use the following commands.
1.
Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
You are now in PREFIX LIST mode.
2.
Create a prefix list filter with a sequence number and a deny or permit action.
CONFIG-NPREFIXL mode
seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
• le max-prefix-length: the maximum prefix length to match (from 0 to 32).
Example of Assigning Sequence Numbers to Filters
If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to
permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix
list. To permit the default route only, enter permit 0.0.0.0/0.
The following example shows how the seq command orders the filters according to the sequence
number assigned. In the example, filter 20 was configured before filter 15 and 12, but the show config
command displays the filters in the correct order.
Dell(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
Dell(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
Dell(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a
prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.
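The ge and le semantics described earlier in this section, and the first-match and implicit-deny rules that the juba example relies on, are modeled in the following Python block. It is an added example written for this guide, not Dell code. It takes the juba filters exactly as they are entered above (out of order, with the spaced "/8" form the CLI accepts) and decides sample routes against them. The PrefixRule type, the parser and evaluator functions, and the sample routes are assumptions of the example; the interpretation that a filter with neither ge nor le matches only the exact prefix length, and that ge without le extends to /32, follows the guide's bullet examples.

```python
"""Model of Dell Networking OS prefix-list matching with ge/le.

Added illustration, not Dell code. It encodes what the guide states: filters
are tried in sequence order, the first match decides, a list with no filters
allows all routes, and an unmatched route is dropped (implicit deny). The
ge/le interpretation follows the guide's examples: with neither keyword a
filter matches only the exact prefix length given; `ge N` matches lengths
N..32 (or N..le); `le M` matches lengths from the filter's own length up to
M. In every case the route must lie inside the filter's prefix.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    seq: int
    action: str             # "permit" or "deny"
    prefix: str             # A.B.C.D/X, normalised to its network address
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_prefix_rule(line: str, default_seq: int) -> PrefixRule:
    """Parse `[seq N] {permit|deny} A.B.C.D/X [ge n] [le m]` as used in CONFIG-NPREFIXL mode."""
    tok = line.replace(" /", "/").split()   # accept `120.23.14.0 /8` as the guide shows it
    seq = default_seq
    if tok[0] == "seq":
        seq, tok = int(tok[1]), tok[2:]
    # strict=False normalises 120.23.14.0/8 to 120.0.0.0/8, as show config displays it
    action, prefix, rest = tok[0], str(ip_network(tok[1], strict=False)), tok[2:]
    ge = le = None
    while rest:
        key, val, rest = rest[0], int(rest[1]), rest[2:]
        if key == "ge":
            ge = val
        elif key == "le":
            le = val
        else:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
    return PrefixRule(seq, action, prefix, ge, le)


def build_prefix_list(lines: List[str]) -> List[PrefixRule]:
    """System-assigned sequence numbers in multiples of five when no `seq` is given."""
    return [parse_prefix_rule(line, (i + 1) * 5) for i, line in enumerate(lines)]


def length_bounds(rule: PrefixRule) -> Tuple[int, int]:
    """Inclusive range of route prefix lengths the filter accepts."""
    base = ip_network(rule.prefix).prefixlen
    lo = rule.ge if rule.ge is not None else base
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = 32
    else:
        hi = base               # neither keyword: exact length only
    return lo, hi


def rule_matches_route(rule: PrefixRule, route: str) -> bool:
    net = ip_network(rule.prefix)
    r = ip_network(route, strict=False)
    lo, hi = length_bounds(rule)
    # The route must sit inside the filter prefix and its length must fall in [lo, hi].
    return r.network_address in net and lo <= r.prefixlen <= hi


def evaluate_prefix_list(rules: List[PrefixRule], route: str) -> str:
    if not rules:
        return "permit"         # a prefix list without filters allows all routes
    for rule in sorted(rules, key=lambda x: x.seq):
        if rule_matches_route(rule, route):
            return rule.action
    return "deny"               # implicit deny


# The guide's prefix list "juba", entered out of order exactly as shown above.
JUBA = build_prefix_list([
    "seq 20 permit 0.0.0.0/0 le 32",
    "seq 12 deny 134.23.0.0 /16",
    "seq 15 deny 120.23.14.0 /8 le 16",
])


def juba_decisions(routes: List[str]) -> dict:
    """Decision for each constructed sample route against juba."""
    return {route: evaluate_prefix_list(JUBA, route) for route in routes}


if __name__ == "__main__":
    for route, action in juba_decisions(
        ["134.23.0.0/16", "134.23.1.0/24", "120.5.0.0/16", "120.5.1.0/24", "0.0.0.0/0"]
    ).items():
        print(f"{route:16} {action}")
```

Two results are worth noticing. The seq 12 entry denies only the exact 134.23.0.0/16 route, so a more specific 134.23.1.0/24 falls through to the permit-all filter; if the intent was to block everything under 134.23.0.0/16, the filter needs le 32. Conversely, seq 15 blocks every route inside 120.0.0.0/8 whose length is between /8 and /16, but a /24 inside that block is still permitted.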
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
If you are creating a standard prefix list with only one or two filters, you can let the system assign a
sequence number based on the order in which the filters are configured. The system assigns filters in
multiples of five.
Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1.
Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2.
Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: the minimum prefix length to be matched (0 to 32).
• le max-prefix-length: the maximum prefix length to be matched (0 to 32).
Example of Creating a Filter with System-Assigned Sequence Numbers
The example shows a prefix list in which the sequence numbers were assigned by the software. The filters
were assigned sequence numbers based on the order in which they were configured (for example, the
first filter was given the lowest sequence number). The show config command in PREFIX LIST mode
displays the two filters with the sequence numbers 5 and 10.
Dell(conf-nprefixl)#permit 123.23.0.0 /16
Dell(conf-nprefixl)#deny 133.24.56.0 /8
Dell(conf-nprefixl)#show conf
!
ip prefix-list awe
seq 5 permit 123.23.0.0/16
seq 10 deny 133.0.0.0/8
Dell(conf-nprefixl)#
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence
number of the filter you want to delete, then use the no seq sequence-number command in PREFIX
LIST mode.
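The following Python model is an added example; it is not code from Dell Networking OS or from this guide. It applies the filter semantics described above (evaluation in sequence-number order, first match wins, a filter without ge or le matching only its exact prefix length, and the implicit deny at the end of every list) to the awe and filter_in lists shown on this page, and it records hit counts the way show ip prefix-list detail does. The PrefixList and Filter class names, the rule that a system-assigned number is the next multiple of five above the highest existing number, and the sample routes are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One prefix-list filter as written on this page: optional "seq N", a permit/deny
# action, an IPv4 prefix (the page writes "123.23.0.0 /16" with a space, which is
# tolerated here) and optional "ge N" / "le N" prefix-length bounds.
ENTRY_RE = re.compile(
    r"^(?:seq\s+(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s*/\s*(?P<plen>\d+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?$"
)


@dataclass
class Filter:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]
    hits: int = 0  # mirrors the "(hit count: n)" column of show ip prefix-list detail

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the filter prefix ...
        if not route.subnet_of(self.network):
            return False
        # ... and its length must satisfy the bounds: with neither ge nor le, the
        # length must equal the filter's own length; otherwise it must fall within
        # [ge or filter length, le or 32].
        if self.ge is None and self.le is None:
            return route.prefixlen == self.network.prefixlen
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high

    def config_line(self) -> str:
        line = f"seq {self.seq} {self.action} {self.network}"
        if self.ge is not None:
            line += f" ge {self.ge}"
        if self.le is not None:
            line += f" le {self.le}"
        return line


class PrefixList:
    def __init__(self, name: str, lines: List[str] = ()):
        self.name = name
        self.filters: List[Filter] = []
        for line in lines:
            self.add(line)

    def add(self, line: str) -> Filter:
        m = ENTRY_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable prefix-list filter: {line!r}")
        if m["seq"] is not None:
            seq = int(m["seq"])
        else:
            # System-assigned number (assumption of this example): the next multiple
            # of five above the highest number already in the list.
            highest = max((f.seq for f in self.filters), default=0)
            seq = (highest // 5 + 1) * 5
        if any(f.seq == seq for f in self.filters):
            raise ValueError(f"seq {seq} already exists in prefix-list {self.name}")
        # strict=False normalises "133.24.56.0/8" to "133.0.0.0/8", as show config does.
        network = ipaddress.ip_network(f"{m['addr']}/{m['plen']}", strict=False)
        ge = int(m["ge"]) if m["ge"] is not None else None
        le = int(m["le"]) if m["le"] is not None else None
        flt = Filter(seq, m["action"], network, ge, le)
        self.filters.append(flt)
        return flt

    def delete(self, seq: int) -> None:
        """Equivalent of 'no seq <seq>' in PREFIX LIST mode."""
        self.filters = [f for f in self.filters if f.seq != seq]

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching filter, or ("deny", None)
        for the implicit deny at the end of every prefix list."""
        route = ipaddress.ip_network(prefix, strict=False)
        for flt in sorted(self.filters, key=lambda f: f.seq):
            if flt.matches(route):
                flt.hits += 1
                return flt.action, flt.seq
        return "deny", None

    def config_lines(self) -> List[str]:
        return [f.config_line() for f in sorted(self.filters, key=lambda f: f.seq)]


if __name__ == "__main__":
    awe = PrefixList("awe", ["permit 123.23.0.0 /16", "deny 133.24.56.0 /8"])
    print("\n".join(awe.config_lines()))
    print(awe.evaluate("123.23.0.0/16"), awe.evaluate("123.23.1.0/24"))
```

Two things the model makes visible: awe has no "permit all" line, so a more specific route such as 123.23.1.0/24 falls through to the implicit deny, and it is the le 32 on the last filter_in entry that turns 0.0.0.0/0 into a true permit-all rather than a match on the default route only.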
Viewing Prefix Lists
To view all configured prefix lists, use the following commands.
• Show detailed information about configured prefix lists.
EXEC Privilege mode
show ip prefix-list detail [prefix-name]
• Show a table of summarized information about configured prefix lists.
EXEC Privilege mode
show ip prefix-list summary [prefix-name]
Examples of the show ip prefix-list Commands
The following example shows the show ip prefix-list detail command.
Dell>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
The following example shows the show ip prefix-list summary command.
Dell>
Dell>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
Dell>
Applying a Prefix List for Route Redistribution
To pass traffic through a configured prefix list, use the prefix list in a route redistribution
command.
Apply the prefix list to all traffic redistributed into the routing process. The traffic is either forwarded or
dropped, depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP, use the following commands.
• Enter RIP mode.
CONFIGURATION mode
router rip
• Apply a configured prefix list to incoming routes. You can specify an interface.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing routes. You can specify an interface or type of route.
If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name out [interface | connected | static | ospf]
Example of Viewing Configured Prefix Lists (ROUTER RIP mode)
To view the configuration, use the show config command in ROUTER RIP mode, or the show
running-config rip command in EXEC mode.
Dell(conf-router_rip)#show config
!
router rip
distribute-list prefix juba out
network 10.0.0.0
Dell(conf-router_rip)#router ospf 34
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
CONFIGURATION mode
router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface.
If you enter the name of a non-existent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing routes. You can specify which type of routes are affected.
If you enter the name of a non-existent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name out [connected | rip | static]
Example of Viewing Configured Prefix Lists (ROUTER OSPF mode)
To view the configuration, use the show config command in ROUTER OSPF mode, or the show
running-config ospf command in EXEC mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
Dell(conf-router_ospf)#
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list.
The placement of rules within the list is critical because packets are matched against rules in sequential
order. Use resequencing whenever the current numbering scheme leaves no room to insert a new rule at
the position where it is needed.
For example, the following table contains some rules that are numbered in increments of 1. You cannot
place new rules between these rules, so apply resequencing to create numbering space, as shown in
the second table. In the same example, apply resequencing if more than two rules must be placed
between rules 7 and 10.
You can resequence IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. No CAM writes happen as a result of
resequencing, so there is no packet loss; the behavior is similar to Hot-lock ACLs.
NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied.
Resequencing merely renumbers the rules so that you can place new rules within the list as needed.
Table 5. ACL Resequencing
Rules Before Resequencing:
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Rules After Resequencing:
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs.
To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting
number, and increment when using these commands.
• IPv4, IPv6, or MAC ACL
EXEC mode
resequence access-list {ipv4 | ipv6 | mac} {access-list-name StartingSeqNum Step-to-Increment}
• IPv4 or IPv6 prefix-list
EXEC mode
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
Examples of Resequencing ACLs When Remarks and Rules Have the Same Number or Different Numbers
The example shows the resequencing of an IPv4 access-list beginning with the number 2 and
incrementing by 2.
Remarks and rules that originally have the same sequence number have the same sequence number after
you apply the resequence command.
The following example shows resequencing ACLs when the remarks and rules have the same number.
Dell(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
Remarks that do not have a corresponding rule are incremented as a rule. These two mechanisms allow
remarks to retain their original position in the list. The following example shows remark 10 corresponding
to rule 10 and as such, they have the same number before and after the command is entered. Remark 4 is
incremented as a rule, and all rules have retained their original positions.
Dell(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
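The following Python function is an added example of the renumbering rule the two listings above illustrate; it is not Dell Networking OS code or an example from this guide. Every distinct original number, taken in list order, receives the next new number, which is exactly what makes a remark with the same number as a rule keep that number and a remark with no matching rule be "incremented as a rule". The parse_acl, resequence and slots_after names and the input listing (the page's test ACL with the orphan remark worded as in the page's output) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AclLine:
    kind: str     # "remark" or "seq"
    number: int
    text: str     # remark text, or the rule body after its sequence number

    def render(self) -> str:
        return f"{self.kind} {self.number} {self.text}"


def parse_acl(lines: List[str]) -> List[AclLine]:
    """Keep the 'remark N ...' and 'seq N ...' lines of a show config listing in order;
    the '!' separator and the 'ip access-list ...' header are skipped."""
    parsed = []
    for raw in lines:
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] in ("remark", "seq") and parts[1].isdigit():
            parsed.append(AclLine(parts[0], int(parts[1]), parts[2]))
    return parsed


def resequence(entries: List[AclLine], start: int, step: int) -> List[AclLine]:
    """Renumber as start, start+step, ... without changing the order of any entry.
    Each distinct original number is mapped once, in list order, so a remark sharing a
    rule's number keeps sharing it and an orphan remark consumes a number of its own."""
    if start < 0 or step <= 0:
        raise ValueError("start must be >= 0 and step must be > 0")
    mapping: Dict[int, int] = {}
    result = []
    for entry in entries:
        if entry.number not in mapping:
            mapping[entry.number] = start + step * len(mapping)
        result.append(AclLine(entry.kind, mapping[entry.number], entry.text))
    return result


def slots_after(entries: List[AclLine], number: int) -> int:
    """How many new rules fit between `number` and the next higher number in the list;
    zero means the list has to be resequenced before a rule can be inserted there."""
    higher = [e.number for e in entries if e.number > number]
    if not higher:
        return 0
    return min(higher) - number - 1


if __name__ == "__main__":
    table = parse_acl(["seq 5 permit any host 1.1.1.1", "seq 6 permit any host 1.1.1.2",
                       "seq 7 permit any host 1.1.1.3", "seq 10 permit any host 1.1.1.4"])
    print(slots_after(table, 5), slots_after(table, 7))          # 0 2
    print([e.render() for e in resequence(table, 5, 5)])
```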
Route Maps
Although route maps are similar to ACLs and prefix lists in that they consist of a series of commands that
contain a matching criterion and an action, route maps can modify parameters in matching packets.
ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route
redistribution. For example, a route map can be called to filter only specific routes and to add a metric.
Route maps also have an “implicit deny.” However, unlike ACLs and prefix lists, where a non-matching
packet or traffic is dropped, a route that does not match any of the route map conditions is simply not
redistributed.
Implementation Information
The implementation of route maps allows route maps with the no match or no set commands. When
there is no match command, all traffic matches the route map and the set command applies.
Important Points to Remember
• For route-maps with more than one match clause:
– If two or more match clauses within the same route-map sequence have the same match
command (though the values are different), matching a packet against these clauses is a logical
OR operation.
– If two or more match clauses within the same route-map sequence have different match
commands, matching a packet against these clauses is a logical AND operation.
• If no match is found in a route-map sequence, the process moves to the next route-map sequence
until a match is found, or there are no more sequences.
• When a match is found, the packet is forwarded and no more route-map sequences are processed.
– If a continue clause is included in the route-map sequence, the next or a specified route-map
sequence is processed after a match is found.
Configuration Task List for Route Maps
Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP
and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps, as described in the following sections.
• Create a route map (mandatory)
• Configure route map filters (optional)
• Configure a route map for route redistribution (optional)
• Configure a route map for route tagging (optional)
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route
map filters do not contain the permit and deny actions found in ACLs and prefix lists.
Route map filters match certain routes and set or specify values.
To create a route map, use the following command.
• Create a route map and assign it a unique name. The optional permit and deny keywords are the
action of the route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
The default is permit.
The optional seq keyword allows you to assign a sequence number to the route map instance.
Examples of Working with Route Maps
The default action is permit and the default sequence number starts at 10. When you use the keyword
deny in configuring a route map, routes that meet the match filters are not redistributed.
To view the configuration, use the show config command in ROUTE-MAP mode.
The following example shows viewing a configured route-map.
Dell(config-route-map)#show config
!
route-map dilling permit 10
Dell(config-route-map)#
You can create multiple instances of this route map by using the sequence number option to place the
route maps in the correct order. The system processes the route maps with the lowest sequence number
first. When a configured route map is applied to a command, such as redistribute, traffic passes
through all instances of that route map until a match is found. The following is an example with two
instances of a route map.
Dell#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface TengigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
To delete all instances of that route map, use the no route-map map-name command. To delete just
one instance, add the sequence number to the command syntax.
Dell(conf)#no route-map zakho 10
Dell(conf)#end
Dell#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface TengigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
The following example shows a route map with multiple instances. The show config command displays
only the configuration of the current route map instance. To view all instances of a specific route map,
use the show route-map command.
Dell#show route-map dilling
route-map dilling, permit, sequence 10
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
interface Loopback 23
Set clauses:
tag 3444
Dell#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
• match commands search for a certain criterion in the routes.
• set commands change the characteristics of routes, either adding something or specifying a level.
When there are multiple match commands with the same parameter under one instance of route-map,
the system does a match between all of those match commands. If there are multiple match commands
with different parameters, the system does a match ONLY if there is a match among ALL the match
commands.
In the following example, there is a match if a route has any of the tag values specified in the match
commands.
Example of the match Command to Match Any of Several Values
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match tag 2000
Dell(config-route-map)#match tag 3000
In the next example, there is a match only if a route has both of the specified characteristics. In this
example, there is a match only if the route has a tag value of 1000 and a metric value of 2000.
Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens
in any instance of that route-map.
Example of the match Command to Match All Specified Values
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match metric 2000
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and
30 deny the route having a tag value of 1000. In this scenario, the system scans all the instances of the
route-map for any permit statement. If there is a match anywhere, the route is permitted, even though
other instances of the route-map deny it.
Example of the match Command to Permit and Deny Routes
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(conf)#route-map force deny 20
Dell(config-route-map)#match tag 1000
Dell(conf)#route-map force deny 30
Dell(config-route-map)#match tag 1000
Configuring Match Routes
To configure match criterion for a route map, use the following commands.
• Match routes with the same AS-PATH numbers.
CONFIG-ROUTE-MAP mode
match as-path as-path-name
• Match routes with COMMUNITY list attributes in their path.
CONFIG-ROUTE-MAP mode
match community community-list-name [exact]
• Match routes whose next hop is a specific interface.
CONFIG-ROUTE-MAP mode
match interface interface
The parameters are:
– For a loopback interface, enter the keyword loopback then a number between zero (0) and
16383.
– For a port channel interface, enter the keywords port-channel then a number.
– For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet then the slot/port
information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094.
• Match destination routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip address prefix-list-name
• Match destination routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 address prefix-list-name
• Match next-hop routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
• Match routes with a specific metric value.
CONFIG-ROUTE-MAP mode
match metric metric-value
• Match BGP routes based on the ORIGIN attribute.
CONFIG-ROUTE-MAP mode
match origin {egp | igp | incomplete}
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated.
CONFIG-ROUTE-MAP mode
match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
• Match routes with a specific tag.
CONFIG-ROUTE-MAP mode
match tag tag-value
To create route map instances, use these commands. There is no limit to the number of match
commands per route map, but the convention is to keep the number of match filters in a route map low.
Set commands do not require a corresponding match command.
Configuring Set Conditions
To configure a set condition, use the following commands.
• Add an AS-PATH number to the beginning of the AS-PATH.
CONFIG-ROUTE-MAP mode
set as-path prepend as-number [... as-number]
• Generate a tag to be added to redistributed routes.
CONFIG-ROUTE-MAP mode
set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes.
CONFIG-ROUTE-MAP mode
set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
• Specify a value for the BGP route’s LOCAL_PREF attribute.
CONFIG-ROUTE-MAP mode
set local-preference value
• Specify a metric value for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric {+ | - | metric-value}
• Specify an OSPF or ISIS type for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
• Assign an IPv6 address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
CONFIG-ROUTE-MAP mode
set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
CONFIG-ROUTE-MAP mode
set tag tag-value
• Specify a value as the route’s weight.
CONFIG-ROUTE-MAP mode
set weight value
To create route map instances, use these commands. There is no limit to the number of set commands
per route map, but the convention is to keep the number of set filters in a route map low. Set commands
do not require a corresponding match command.
Configure a Route Map for Route Redistribution
Route maps on their own cannot affect traffic and must be included in different commands to affect
routing traffic.
Route redistribution occurs when the system learns the advertising routes from static or directly
connected routes or another routing protocol. Different protocols assign different values to redistributed
routes to identify the routes and their origins. The metric value is the most common attribute that
is changed to properly redistribute other routes into a routing protocol. Other attributes that can be
changed include the metric type (for example, external and internal route types in OSPF) and route tag.
Use the redistribute command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes
that are redistributed into those protocols.
Route maps add to that redistribution capability by allowing you to match specific routes and set or
change more attributes when redistributing those routes.
In the following example, the redistribute command calls the route map staticospf to
redistribute only certain static routes into OSPF. According to the route map staticospf, only routes
that have a next hop of TengigabitEthernet interface 0/0 and that have a metric of 255 are redistributed
into the OSPF backbone area.
NOTE: When re-distributing routes using route-maps, you must create the route-map defined in
the redistribute command under the routing protocol. If you do not create a route-map, NO
routes are redistributed.
Example of Calling a Route Map to Redistribute Specified Routes
router ospf 34
default-information originate metric-type 1
redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
!
route-map staticospf permit 10
match interface TengigabitEthernet 0/0
match metric 255
set level backbone
Configure a Route Map for Route Tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that
protocol.
As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it
passes through different routing protocols. You can use this tag when the route leaves a routing domain
to redistribute those routes again.
In the following example, the redistribute ospf command with a route map is used in ROUTER RIP
mode to apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.
Example of the redistribute Command Using a Route Tag
!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!
Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more
route-map modules are processed.
If you configure the continue command at the end of a module, the next module (or a specified
module) is processed even after a match is found. The following example shows a continue clause at the
end of a route-map module. In this example, if a match is found in the route-map “test” module 10,
module 30 is processed.
NOTE: If you configure the continue clause without specifying a module, the next sequential
module is processed.
Example of Using the continue Clause in a Route Map
!
route-map test permit 10
match community comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30
!
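The Python evaluator below is an added example; it is not Dell Networking OS code or an example from this guide. It serves three passages of this chapter at once: the Important Points to Remember (values of one match command are ORed, different match commands are ANDed, instances are scanned from the lowest sequence number and processing stops at the first match), the Configure Route Map Filters examples (the force, staticospf and torip route maps are transcribed below), and the Continue Clause (a matched instance with continue hands the route on to the next or a named instance). The Route and Instance classes, the attribute names, the handling of an unknown or backward continue target, and the constructed TEST_CONTINUE map (a tag-based stand-in for the community-based route map "test" above) are assumptions of the example.

```python
from dataclasses import dataclass, field, replace
from typing import Any, Dict, List, Optional


@dataclass
class Route:
    """Attributes of a candidate route that the match and set commands on this page act on."""
    prefix: str
    tag: Optional[int] = None
    metric: Optional[int] = None
    interface: Optional[str] = None    # next-hop interface (match interface)
    route_type: Optional[str] = None   # internal, external, ... (match route-type)
    level: Optional[str] = None        # backbone, stub-area, ... (set level)


@dataclass
class Instance:
    """One 'route-map NAME {permit|deny} SEQ' instance with its match and set clauses."""
    seq: int
    action: str = "permit"
    matches: Dict[str, List[Any]] = field(default_factory=dict)   # attribute -> acceptable values
    sets: Dict[str, Any] = field(default_factory=dict)            # attribute -> value to set
    continue_to: Optional[int] = None   # None: stop after match; 0: next instance; N: instance N


def instance_matches(inst: Instance, route: Route) -> bool:
    # Several values of the same match command are ORed (any one of them suffices);
    # different match commands are ANDed (every one must hold). No match clause at all
    # matches every route, as the Implementation Information above states.
    return all(getattr(route, attr) in values for attr, values in inst.matches.items())


def apply_route_map(instances: List[Instance], route: Route) -> Optional[Route]:
    """Return the route (with set clauses applied) if the map permits it, or None if it is
    denied, either by a matching deny instance or by the implicit deny when nothing matches."""
    ordered = sorted(instances, key=lambda i: i.seq)   # lowest sequence number first
    result = replace(route)
    permitted = False
    idx = 0
    while idx < len(ordered):
        inst = ordered[idx]
        if not instance_matches(inst, result):
            idx += 1                                    # no match: try the next instance
            continue
        if inst.action == "deny":
            return None
        permitted = True
        for attr, value in inst.sets.items():
            setattr(result, attr, value)
        if inst.continue_to is None:
            break                                       # match without continue: processing stops
        if inst.continue_to == 0:
            idx += 1                                    # continue with no argument: next instance
        else:
            target = next((i for i, x in enumerate(ordered) if x.seq == inst.continue_to), None)
            if target is None or target <= idx:         # unknown or backward target: stop (assumption)
                break
            idx = target
    return result if permitted else None


# Route maps from this page, transcribed into the structures above.
FORCE_ANY = [Instance(10, "permit", {"tag": [1000, 2000, 3000]})]
FORCE_ALL = [Instance(10, "permit", {"tag": [1000], "metric": [2000]})]
FORCE_MIXED = [Instance(10, "permit", {"tag": [1000]}),
               Instance(20, "deny", {"tag": [1000]}),
               Instance(30, "deny", {"tag": [1000]})]
STATICOSPF = [Instance(10, "permit", {"interface": ["TengigabitEthernet 0/0"], "metric": [255]},
                       {"level": "backbone"})]
TORIP = [Instance(10, "permit", {"route_type": ["internal"]}, {"tag": 34})]
# Constructed variant of route-map "test": instance 10 matches, sets a metric and continues at 30,
# so instance 20 is skipped and instance 30 (no match clause) adds a tag.
TEST_CONTINUE = [Instance(10, "permit", {"tag": [1000]}, {"metric": 50}, continue_to=30),
                 Instance(20, "permit", {"tag": [1000]}, {"metric": 99}),
                 Instance(30, "permit", {}, {"tag": 7})]

if __name__ == "__main__":
    print(apply_route_map(FORCE_ANY, Route("10.0.0.0/8", tag=2000)))
    print(apply_route_map(TEST_CONTINUE, Route("10.2.0.0/16", tag=1000)))
```

The None return is the implicit deny: a route that matches nothing is not redistributed, which is also what happens when a redistribute command names a route map that was never created, as the NOTE under Configure a Route Map for Route Redistribution warns.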
7 Bare Metal Provisioning (BMP)
Starting with Dell Networking OS Release 9.2(1.0), BMP is supported on the Z9500 switch. This chapter
describes the latest Bare Metal Provisioning (BMP) enhancements that apply to the Z9500. For details
about supported BMP commands and configuration procedures, refer to the Dell Networking Open
Automation Guide.
Enhanced Behavior of the stop bmp Command
The stop bmp command behaves as follows:
• When a Dell Networking OS image upgrade is in progress, stop bmp aborts the BMP process after
the Dell Networking OS image is upgraded.
• When configuration settings are being applied from the specified file, stop bmp aborts the BMP
process after all configurations are applied in the system.
• When pre-configuration or post-configuration scripts are running, stop bmp stops execution of the
script and aborts the BMP process immediately.
• When a configuration or script file is being downloaded, stop bmp aborts the BMP process after the
download without applying the configuration or running the script.
During the BMP process, avoid working in CONFIGURATION mode to prevent conflicts between BMP-based configuration changes and user-based changes.
Removal of User-Defined String Parameter in the reload-type Command
In the reload-type command, vendor-class-identifier replaces the user-defined-string
parameter.
Service Tag Information in the Option 60 String
The vendor class identifier (option 60) supports up to 128 characters to include the Type, Hardware, Serial
Number, Service Tag, and OS Version fields.
8 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It
is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It
also provides a failure detection solution for links on which no routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a
three-way handshake. After the session has been established, the systems exchange periodic control
packets at sub-second intervals. If a system does not receive a hello packet within a specified amount of
time, routing protocols are notified that the forwarding path is down.
BFD provides forwarding path failure detection times on the order of milliseconds rather than seconds as
with conventional routing protocol hellos. It is independent of routing protocols, and as such, provides a
consistent method of failure detection when used across a network. Networks converge faster because
BFD triggers link state changes in the routing protocol sooner and more consistently because BFD
eliminates the use of multiple protocol-dependent timers and methods.
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be
encapsulated in any form that is convenient, and, on Dell Networking routers, BFD agents maintain
sessions that reside on the line card, which frees resources on the Route Processor. Only session state
changes are reported to the BFD Manager (on the Route Processor), which in turn notifies the routing
protocols that are registered with it.
BFD is an independent and generic protocol, which all media, topologies, and routing protocols can
support using any encapsulation. Dell Networking has implemented BFD at Layer 3 and with user
datagram protocol (UDP) encapsulation. BFD functionality will be implemented in phases. On the Z9500,
BFD is supported on static routes and dynamic routing protocols, such as VRRP, OSPF, OSPFv3, IS-IS, and
BGP.
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake.
After the session has been established, the systems exchange control packets at agreed upon intervals. In
addition, systems send a control packet anytime there is a state change or change in a session parameter.
These control packets are sent without regard to transmit and receive intervals.
NOTE: The Dell Networking OS does not support multi-hop BFD sessions.
If a system does not receive a control packet within an agreed-upon amount of time, the BFD agent
changes the session state to Down. It then notifies the BFD manager of the change and sends a control
packet to the neighbor that indicates the state change (though it might not be received if the link or
receiving interface is faulty). The BFD manager notifies the routing protocols that are registered with it
(clients) that the forwarding path is down and a link state change is triggered in all protocols.
NOTE: A session state change from Up to Down is the only state change that triggers a link state
change in the routing protocol client.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration
shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 8. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon
as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the
final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer
to BFD Sessions).
NOTE: The Dell Networking OS does not currently support multi-point sessions, Demand mode,
authentication, or control plane independence; these bits are always clear.
Detection Multiplier: The number of packets that must be missed in order to declare a session down.
Length: The entire length of the BFD packet.
My Discriminator: A random number generated by the local system to identify the session.
Your Discriminator: A random number generated by the remote system to identify the session.
Discriminator values are necessary to identify the session to which a control packet belongs because
there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets
to the remote system.
Required Min RX Interval: The minimum rate at which the local system would like to receive control
packets from the remote system.
Required Min Echo RX: The minimum rate at which the local system would like to receive echo packets.
NOTE: The Dell Networking OS does not currently support the echo function.
Authentication Type, Authentication Length, Authentication Data: An optional method for authenticating
control packets.
NOTE: The Dell Networking OS does not currently support the BFD authentication function.
Two important parameters are calculated using the values contained in the control packet.
Transmit interval: Transmit interval is the agreed-upon rate at which a system sends control packets.
Each system has its own transmit interval, which is the greater of the last received remote Desired TX
Interval and the local Required Min RX Interval.
Detection time: Detection time is the amount of time that a system does not receive a control packet,
after which the system determines that the session has failed. Each system has its own detection time.
• In Asynchronous mode: Detection time is the remote Detection Multiplier multiplied by the greater of
the remote Desired TX Interval and the local Required Min RX Interval.
• In Demand mode: Detection time is the local Detection Multiplier multiplied by the greater of the local
Desired Min TX and the remote Required Min RX Interval.
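The following Python parser is an added example; it is not code from Dell Networking OS or from this guide. The byte layout it decodes is the mandatory section of a BFD control packet as defined in RFC 5880 (this page names the fields but not their bit positions), and the checks it applies are the discard rules of RFC 5880 section 6.8.6, which keep a truncated, inconsistent or spoofed control packet from ever reaching session logic. The two helper functions compute the transmit interval and the Asynchronous-mode detection time exactly as defined above. The class and function names, the builder used to construct sample packets, and the sample values (200 ms with multiplier 3 and 100 ms with multiplier 4, taken from the Important Points to Remember later in this chapter) are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Mandatory section of a BFD control packet (RFC 5880 section 4.1), 24 bytes, network order:
#   byte 0: Vers (3 bits) | Diag (5 bits)        byte 1: Sta (2 bits) | P | F | C | A | D | M
#   byte 2: Detect Mult                           byte 3: Length
#   then My Discriminator, Your Discriminator, Desired Min TX Interval,
#   Required Min RX Interval, Required Min Echo RX Interval (32 bits each, microseconds)
HEADER = struct.Struct("!BBBBIIIII")
MIN_LEN = HEADER.size  # 24
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool
    final: bool
    control_plane_independent: bool
    authenticated: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx: int
    required_min_rx: int
    required_min_echo_rx: int

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]


def build_bfd_control(state: int, my_disc: int, your_disc: int, desired_min_tx: int,
                      required_min_rx: int, detect_mult: int = 3, poll: bool = False,
                      final: bool = False, diag: int = 0, echo_rx: int = 0) -> bytes:
    """Encode a mandatory section; used here only to construct sample packets."""
    flags = (state << 6) | (int(poll) << 5) | (int(final) << 4)
    return HEADER.pack((1 << 5) | diag, flags, detect_mult, MIN_LEN,
                       my_disc, your_disc, desired_min_tx, required_min_rx, echo_rx)


def parse_bfd_control(data: bytes) -> BfdControl:
    """Decode a received packet and apply the discard rules of RFC 5880 section 6.8.6,
    so malformed input is rejected before it can influence session state."""
    if len(data) < MIN_LEN:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my, your, tx, rx, echo = HEADER.unpack_from(data)
    pkt = BfdControl(
        version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
        poll=bool(b1 & 0x20), final=bool(b1 & 0x10),
        control_plane_independent=bool(b1 & 0x08), authenticated=bool(b1 & 0x04),
        demand=bool(b1 & 0x02), multipoint=bool(b1 & 0x01),
        detect_mult=mult, length=length, my_discriminator=my, your_discriminator=your,
        desired_min_tx=tx, required_min_rx=rx, required_min_echo_rx=echo)
    if pkt.version != 1:
        raise ValueError(f"unsupported BFD version {pkt.version}")
    if pkt.length < (26 if pkt.authenticated else MIN_LEN) or pkt.length > len(data):
        raise ValueError(f"Length field {pkt.length} is inconsistent with the packet")
    if pkt.detect_mult == 0:
        raise ValueError("Detect Mult must not be zero")
    if pkt.multipoint:
        raise ValueError("Multipoint bit set")
    if pkt.my_discriminator == 0:
        raise ValueError("My Discriminator must not be zero")
    if pkt.your_discriminator == 0 and pkt.state_name not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator may be zero only in state Down or AdminDown")
    return pkt


def reject_reason(data: bytes) -> Optional[str]:
    """None if the packet is acceptable, otherwise the reason it would be discarded."""
    try:
        parse_bfd_control(data)
        return None
    except ValueError as exc:
        return str(exc)


def transmit_interval(local_required_min_rx: int, remote: BfdControl) -> int:
    """Greater of the last received remote Desired Min TX and the local Required Min RX."""
    return max(remote.desired_min_tx, local_required_min_rx)


def asynchronous_detection_time(local_required_min_rx: int, remote: BfdControl) -> int:
    """Remote Detect Mult times the greater of the remote Desired Min TX and the local Required Min RX."""
    return remote.detect_mult * max(remote.desired_min_tx, local_required_min_rx)
```

With both sides at 200 ms and a multiplier of 3 the detection time is 600 ms; with 100 ms and a multiplier of 4 it is 400 ms. Note that the remote system's Detect Mult, not the local one, sets the local detection time in Asynchronous mode, so a peer that advertises a small multiplier shortens how long the local system waits before declaring the session Down.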
BFD Sessions
BFD must be enabled on both sides of a link in order to establish a session.
The two participating systems can assume either of two roles:
Active: The active system initiates the BFD session. Both systems can be active for the same session.
Passive: The passive system does not initiate a session. It only responds to a request for session
initialization from the active system.
A BFD session has two modes:
Asynchronous mode: In Asynchronous mode, both systems send periodic control messages at an agreed
upon interval to indicate that their session status is Up.
Demand mode: If one system requests Demand mode, the other system stops sending periodic control
packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but
not both) can request Demand mode at any time.
NOTE: The Dell Networking OS supports Asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down: The local system does not participate in a particular session.
Down: The remote system is not sending control packets or at least not within the detection time for a
particular session.
Init: The local system is communicating.
Up: Both systems are exchanging control packets.
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
The handshake shown in the following illustration assumes that there is one active and one passive
system, and that this session is the first session established on this link. The default session state on both
ports is Down.
1. The active system sends a steady stream of control packets that indicates that its session state is
Down, until the passive system responds. These packets are sent at the desired transmit interval of
the Active system. The Your Discriminator field is set to zero.
2. When the passive system receives any of these control packets, it changes its session state to Init
and sends a response that indicates its state change. The response includes its session ID in the My
Discriminator field and the session ID of the remote system in the Your Discriminator field.
3. The active system receives the response from the passive system and changes its session state to
Up. It then sends a control packet indicating this state change. This is the third and final part of the
handshake. Now the discriminator values have been exchanged and the transmit intervals have been
negotiated.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that
a session has been established. However, because both members must send a control packet — that
requires a response — anytime there is a state change or change in a session parameter, the passive
system sends a final response indicating the state change. After this, periodic control packets are
exchanged.
Figure 9. BFD Three-Way Handshake State Changes
Session State Changes
The following illustration shows how the session state on a system changes based on the status
notification it receives from the remote system. For example, if a session on a system is down and it
receives a Down status notification from the remote system, the session state on the local system
changes to Init.
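The handshake and the state changes above, as an added example that is not from the Dell guide: a small Python model of a BFD session that applies the state transitions described (Down, Init, Up, Administratively Down) and replays the four-step exchange with the My Discriminator and Your Discriminator fields. Class and function names are mine.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Session states named as in the guide.
ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"


@dataclass
class ControlPacket:
    state: str        # sender's session state
    my_disc: int      # sender's session ID (My Discriminator)
    your_disc: int    # receiver's session ID as far as the sender knows (0 = unknown)
    tx_interval: int  # sender's desired transmit interval in ms


@dataclass
class BfdSession:
    name: str
    disc: int                 # local session ID
    active: bool              # active role initiates, passive role only responds
    tx_interval: int = 100
    state: str = DOWN         # default session state on both ports is Down
    remote_disc: int = 0      # learned from the peer's My Discriminator
    history: List[str] = field(default_factory=list)

    def next_state(self, remote_state: str) -> str:
        """State change driven by the status notification received from the remote system
        (the Session State Changes rules: Down + remote Down -> Init, and so on)."""
        if remote_state == ADMIN_DOWN:
            return DOWN if self.state != ADMIN_DOWN else self.state
        if self.state == DOWN:
            return {DOWN: INIT, INIT: UP}.get(remote_state, self.state)
        if self.state == INIT:
            return UP if remote_state in (INIT, UP) else self.state
        if self.state == UP:
            return DOWN if remote_state == DOWN else self.state
        return self.state  # AdminDown: the local system does not participate

    def make_packet(self) -> ControlPacket:
        return ControlPacket(self.state, self.disc, self.remote_disc, self.tx_interval)

    def receive(self, pkt: ControlPacket) -> Optional[ControlPacket]:
        """Apply a control packet; answer when our state changed (a state change must be
        announced) or when we are passive and the active side is still streaming Down."""
        if pkt.your_disc not in (0, self.disc):
            return None  # addressed to some other session on this box
        self.remote_disc = pkt.my_disc
        new_state = self.next_state(pkt.state)
        changed = new_state != self.state
        self.state = new_state
        if changed:
            self.history.append(new_state)
        if changed or (not self.active and pkt.state == DOWN):
            return self.make_packet()
        return None


def three_way_handshake(active: BfdSession, passive: BfdSession) -> List[ControlPacket]:
    """Replay steps 1-4: active streams Down with Your Discriminator 0, passive answers
    Init, active goes Up and says so, passive goes Up and sends a final response."""
    exchanged: List[ControlPacket] = []
    pkt: Optional[ControlPacket] = active.make_packet()
    receiver, sender = passive, active
    while pkt is not None and len(exchanged) < 10:  # bound guards against a livelock
        exchanged.append(pkt)
        pkt = receiver.receive(pkt)
        receiver, sender = sender, receiver
    return exchanged


def admin_down(local: BfdSession, remote: BfdSession) -> str:
    """Disabling BFD: one final Admin Down packet is sent and the remote session drops to
    Down, as the guide describes for 'no ip route bfd' and the other disable commands."""
    local.state = ADMIN_DOWN
    remote.receive(local.make_packet())
    return remote.state


if __name__ == "__main__":
    r1 = BfdSession("R1", disc=9, active=True)
    r2 = BfdSession("R2", disc=10, active=False)
    for p in three_way_handshake(r1, r2):
        print(f"state={p.state:<9} my_disc={p.my_disc} your_disc={p.your_disc}")
    print(r1.state, r2.state, "->", admin_down(r1, r2))
```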
Figure 10. Session State Changes
Important Points to Remember
• On the Z9500, the system supports 128 sessions at 200 ms minimum transmit and receive intervals with a
multiplier of 3, and 64 sessions at 100 ms minimum transmit and receive intervals with a multiplier of 4.
• Enable BFD on both ends of a link.
• Demand mode, authentication, and the Echo function are not supported.
• BFD is not supported on multi-hop and virtual links.
• Protocol Liveness is supported for routing protocols only.
• The Z9500 supports only OSPF, IS-IS, and VRRP protocols as BFD clients; BGP is not supported.
Configure BFD
This section contains the following procedures.
• Configure BFD for Static Routes
• Configure BFD for OSPF
• Configure BFD for OSPFv3
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configure BFD for VRRP
• Configuring Protocol Liveness
Configure BFD for Static Routes
Configuring BFD for static routes is supported on the Z9500 switch.
BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to
remove static routes from the routing table as soon as the link state change occurs, rather than waiting
until packets fail to reach their next hop.
Configuring BFD for static routes is a three-step process:
1. Enable BFD globally.
2. Configure static routes on both routers (local and remote).
3. Enable BFD for the static routes using the ip route bfd command.
Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for Static Routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 11. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
  CONFIGURATION mode
  ip route bfd
Example of the show bfd neighbors Command to Verify Static Routes
To verify that sessions have been created for static routes, use the show bfd neighbors command.
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
2.2.2.1     2.2.2.2      Te 4/24     Up      100      100      4      R
To view detailed session information, use the show bfd neighbors detail command, as shown in
the examples in Displaying BFD for BGP Information.
Changing Static Route Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier,
and system role. These parameters are configured for all static routes. If you change a parameter, the
change affects all sessions for static routes.
To change parameters for static route sessions, use the following command.
• Change parameters for all static route sessions.
  CONFIGURATION mode
  ip route bfd interval milliseconds min_rx milliseconds multiplier value role
  [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the
examples in Displaying BFD for BGP Information.
Disabling BFD for Static Routes
If you disable BFD, all static route BFD sessions are torn down.
A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change
to the Down state.
To disable BFD for static routes, use the following command.
• Disable BFD for static routes.
  CONFIGURATION mode
  no ip route bfd
Configure BFD for OSPF
When using BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are
established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD
agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol that a link state
change occurred.
NOTE: If you enable BFD after OSPF with a large number (more than 100) of OSPF neighbors on a VLAN
port-channel and if the VLAN has more than one port-channel, BFD does not come up
immediately. (This behavior occurs only if you enable BFD after connections with all OSPF
neighbors are fully established.)
BFD does not come up for 5 to 6 minutes in a scenario when all the following conditions are met:
• A large number of BFD neighbors are present.
• The neighbors are reachable over a VLAN through a port-channel and the VLAN has multiple
port-channels as members.
• BFD is enabled after all the OSPF neighbors are in an established state.
This delay should not be seen after a reload because OSPF will throttle neighbor establishment.
Configuring BFD for OSPF is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPF neighbors.
Related Configuration Tasks
• Changing OSPF Session Parameters
• Disabling BFD for OSPF
Establishing Sessions with OSPF Neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all
neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full
state.
Figure 12. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following
commands.
• Establish sessions with all OSPF neighbors.
  ROUTER-OSPF mode
  bfd all-neighbors
• Establish sessions with OSPF neighbors on a single interface.
  INTERFACE mode
  ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command.
The lines with O in the Clients column are the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Te 2/1      Up      100      100      3      O
* 2.2.3.1   2.2.3.2      Te 2/2      Up      100      100      3      O
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6.
Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3
Changing OSPFv3 Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: desired tx interval, required min rx interval,
detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all
OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all
OSPFv3 neighbor sessions. If you change a parameter at the interface level, the change affects all
OSPFv3 sessions on that interface.
To change parameters for all OSPFv3 sessions or for OSPFv3 sessions on a single interface, use the
following commands.
• Change parameters for all OSPFv3 sessions.
  ROUTER-OSPFv3 mode
  bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value
  role [active | passive]
• Change parameters for OSPFv3 sessions on a single interface.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds
  multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the
example in Displaying BFD for BGP Information.
Disabling BFD for OSPFv3
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a
Down state.
If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote
system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin
Down packet is sent before the session is terminated.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPFv3 neighbors.
  ROUTER-OSPFv3 mode
  no bfd all-neighbors
• Disable BFD sessions with OSPFv3 neighbors on a single interface.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors disable
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific
interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the
following commands.
• Establish sessions with all OSPFv3 neighbors.
  ROUTER-OSPFv3 mode
  bfd all-neighbors
• Establish sessions with OSPFv3 neighbors on a single interface.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors
To view the established sessions, use the show bfd neighbors command.
Configure BFD for IS-IS
When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager. BFD sessions are then
established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD
agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state
change occurred.
Configuring BFD for IS-IS is a two-step process:
1. Enable BFD globally.
2. Establish sessions for all or particular IS-IS neighbors.
Related Configuration Tasks
• Changing IS-IS Session Parameters
• Disabling BFD for IS-IS
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all
neighbors out of a specific interface.
Figure 13. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following
commands.
• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
  INTERFACE mode
  isis bfd all-neighbors
Example of Verifying Sessions with IS-IS Neighbors
To view the established sessions, use the show bfd neighbors command.
The line with I in the Clients column shows that IS-IS BFD sessions are enabled.
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Te 2/1      Up      100      100      3      I
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection
Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out
of an interface. If you change a parameter globally, the change affects all IS-IS neighbor sessions. If you
change a parameter at the interface level, the change affects all IS-IS sessions on that interface.
To change parameters for all IS-IS sessions or for IS-IS sessions on a single interface, use the following
commands.
• Change parameters for all IS-IS sessions.
  ROUTER-ISIS mode
  bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value
  role [active | passive]
• Change parameters for IS-IS sessions on a single interface.
  INTERFACE mode
  isis bfd all-neighbors interval milliseconds min_rx milliseconds multiplier
  value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in Verifying
BFD Sessions with BGP Neighbors Using the show bfd neighbors Command in Displaying BFD for
BGP Information.
Disabling BFD for IS-IS
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a
Down state.
If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote
system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin
Down packet is sent before the session is terminated.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  no bfd all-neighbors
• Disable BFD sessions with IS-IS neighbors on a single interface.
  INTERFACE mode
  isis bfd all-neighbors disable
Configure BFD for BGP
In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding
paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD
for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not
support IPv6 and the BGP multihop feature.
Prerequisites
Before configuring BFD for BGP, you must first configure the following settings:
1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway
Protocol IPv4 (BGPv4).
2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over
command), as described in BGP Fast Fall-Over.
Establishing Sessions with BGP Neighbors
Before configuring BFD for BGP, you must first configure BGP on the routers that you want to
interconnect.
For more information, refer to Border Gateway Protocol IPv4 (BGPv4).
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that
use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with
each other as well as with iBGP routers to maintain connectivity and accessibility within each
autonomous system.
Figure 14. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors
command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize
transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the
highest priority queue within the control plane policing (COPP) framework to avoid BFD packet drops
due to queue congestion.
BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by
BGP.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks. Up
to 128 simultaneous BFD sessions are supported.
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval
for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP
neighbor does not receive a control packet within the detection interval, the router informs any clients of
the BFD session (other routing protocols) about the failure. It then depends on the individual routing
protocols that use the BGP link to determine the appropriate response to the failure condition. The
typical response is to terminate the peering session for the routing protocol and reconverge by bypassing
the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
1. Enable BFD globally.
   CONFIGURATION mode
   bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
   CONFIGURATION mode
   router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group-name} remote-as as-number
4. Enable the BGP neighbor.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group-name} no shutdown
5. Configure parameters for a BFD session established with all neighbors discovered by BGP, OR
   establish a BFD session with a specified BGP neighbor or peer group using the default BFD session
   parameters.
   CONFIG-ROUTERBGP mode
   bfd all-neighbors [interval millisecs min_rx millisecs multiplier value role
   {active | passive}]
   OR
   neighbor {ip-address | peer-group-name} bfd
   NOTES:
   • When you establish a BFD session with a specified BGP neighbor or peer group using the
   neighbor bfd command, the default BFD session parameters are used (interval: 100
   milliseconds, min_rx: 100 milliseconds, multiplier: 3 packets, and role: active).
   • When you explicitly enable or disable a BGP neighbor for a BFD session with the neighbor bfd
   or neighbor bfd disable commands, the neighbor does not inherit the BFD enable/disable
   values configured with the bfd all-neighbors command or configured for the peer group to
   which the neighbor belongs. Also, the neighbor only inherits the global timer values configured
   with the bfd all-neighbors command (interval, min_rx, and multiplier).
6. Repeat Steps 1 to 5 on each BGP peer participating in a BFD session.
Disabling BFD for BGP
You can disable BFD for BGP.
To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the
disabled state of a BFD for BGP session with a specified neighbor, use the second command.
The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally
configured with the bfd all-neighbors command or configured for the peer group to which the
neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
  ROUTER BGP mode
  neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
  ROUTER BGP mode
  no neighbor {ip-address | peer-group-name} bfd disable
Use BFD in a BGP Peer Group
You can establish a BFD session for the members of a peer group (the neighbor peer-group-name
bfd command in ROUTER BGP configuration mode).
Members of the peer group may have BFD:
• Explicitly enabled (the neighbor ip-address bfd command)
• Explicitly disabled (the neighbor ip-address bfd disable command)
• Inherited (neither explicitly enabled nor disabled) according to the current BFD configuration of the
peer group. For information about BGP peer groups, refer to Configure Peer Groups.
If you explicitly enable (or disable) a BGP neighbor for BFD that belongs to a peer group:
• The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors
command or configured for the peer group to which the neighbor belongs.
• The neighbor inherits only the global timer values that are configured with the bfd all-neighbors
command (interval, min_rx, and multiplier).
If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (for
example, advertisement interval) using the neighbor peer-group-name bfd command, the peer
group inherits any BFD settings configured with the bfd all-neighbors command.
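The inheritance rules above, worked through as an added example that is not from the Dell guide: a Python resolver that takes the bfd all-neighbors clause, the peer group's bfd clause and the neighbor's own bfd clause and returns the settings the neighbor ends up with, together with the mode string that show ip bgp neighbors prints. The clause model, the demo configuration and all names are assumptions made for this example; the precedence rules and the 100/100/3/active defaults are the guide's.

```python
from dataclasses import dataclass
from typing import Optional

# Default session parameters the guide lists for 'neighbor ... bfd' (ms, ms, packets, role).
DEFAULT_INTERVAL, DEFAULT_MIN_RX, DEFAULT_MULTIPLIER, DEFAULT_ROLE = 100, 100, 3, "active"


@dataclass(frozen=True)
class BfdClause:
    """One bfd clause as typed: enabled None = not configured, True = 'bfd',
    False = 'bfd disable'; timer fields None = not given on that clause."""
    enabled: Optional[bool] = None
    interval: Optional[int] = None
    min_rx: Optional[int] = None
    multiplier: Optional[int] = None
    role: Optional[str] = None


@dataclass(frozen=True)
class EffectiveBfd:
    enabled: bool
    mode: str          # 'global', 'neighbor' or 'peer-group', as show ip bgp neighbors reports it
    interval: int
    min_rx: int
    multiplier: int
    role: str

    def show_line(self) -> str:
        """The line show ip bgp neighbors prints for this neighbor."""
        return f"Neighbor is using BGP {self.mode} mode BFD configuration"


def effective_bfd(all_neighbors: BfdClause, peer_group: Optional[BfdClause],
                  neighbor: BfdClause) -> EffectiveBfd:
    """Resolve a BGP neighbor's BFD state from 'bfd all-neighbors' (all_neighbors), the
    peer group's 'neighbor <pg> bfd' clause (None when the neighbor is in no peer group)
    and the neighbor's own 'neighbor <ip> bfd [disable]' clause."""
    # Global timers from 'bfd all-neighbors', falling back to the documented defaults.
    g_interval = all_neighbors.interval or DEFAULT_INTERVAL
    g_min_rx = all_neighbors.min_rx or DEFAULT_MIN_RX
    g_mult = all_neighbors.multiplier or DEFAULT_MULTIPLIER
    g_role = all_neighbors.role or DEFAULT_ROLE

    if neighbor.enabled is not None:
        # Explicitly enabled or disabled: the enable/disable value is the neighbor's own,
        # and only the global timer values (interval, min_rx, multiplier) are inherited;
        # the role stays at its default.
        return EffectiveBfd(neighbor.enabled, "neighbor", g_interval, g_min_rx, g_mult,
                            DEFAULT_ROLE)
    if peer_group is not None and peer_group.enabled is not None:
        # Inherited from the peer group; a peer group enabled without its own parameters
        # takes whatever 'bfd all-neighbors' configured.
        return EffectiveBfd(peer_group.enabled, "peer-group",
                            peer_group.interval or g_interval,
                            peer_group.min_rx or g_min_rx,
                            peer_group.multiplier or g_mult,
                            peer_group.role or g_role)
    # Nothing explicit anywhere: 'bfd all-neighbors' alone decides.
    return EffectiveBfd(bool(all_neighbors.enabled), "global", g_interval, g_min_rx, g_mult,
                        g_role)


def demo() -> dict:
    """Constructed configuration modelled on the guide's R2 examples, with constructed
    timers on 'bfd all-neighbors' so that the inheritance is visible."""
    all_nb = BfdClause(enabled=True, interval=200, min_rx=200, multiplier=4)
    pg1 = BfdClause(enabled=True)                                          # neighbor pg1 bfd
    return {
        "1.1.1.2": effective_bfd(all_nb, None, BfdClause()),               # no clause of its own
        "2.2.2.3": effective_bfd(all_nb, pg1, BfdClause(enabled=True)),    # neighbor 2.2.2.3 bfd
        "2.2.2.4": effective_bfd(all_nb, pg1, BfdClause()),                # inherits from pg1
        "3.3.3.2": effective_bfd(all_nb, None, BfdClause(enabled=False)),  # neighbor 3.3.3.2 bfd disable
    }


if __name__ == "__main__":
    for ip, eff in demo().items():
        print(ip, eff.enabled, eff.interval, eff.min_rx, eff.multiplier, eff.role, "|", eff.show_line())
```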
Displaying BFD for BGP Information
You can display related information for BFD for BGP.
To display information about BFD for BGP sessions on a router, use the following commands and refer to
the following examples.
• Verify a BFD for BGP configuration.
  EXEC Privilege mode
  show running-config bgp
• Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line
listing of established BFD adjacencies is displayed.
  EXEC Privilege mode
  show bfd neighbors [interface] [detail]
• Check to see if BFD is enabled for BGP connections.
  EXEC Privilege mode
  show ip bgp summary
• Display routing information exchanged with BGP neighbors, including BFD for BGP sessions.
  EXEC Privilege mode
  show ip bgp neighbors [ip-address]
Examples of Verifying BGP Information
The following example shows viewing a BGP configuration.
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
The following example shows viewing all BGP neighbors.
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 1.1.1.3   1.1.1.2      Te 6/0      Up      100      100      3      B
* 2.2.2.3   2.2.2.2      Te 6/1      Up      100      100      3      B
* 3.3.3.3   3.3.3.2      Te 6/2      Up      100      100      3      B
The following example shows viewing BFD neighbor detail. The Configured, Neighbor, and Actual parameters
lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier
(maximum number of missed packets).
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/0
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
Number of packets received from neighbor: 4762
Number of packets sent to neighbor: 4490
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/1
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
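An added example, not from the Dell guide, that parses show bfd neighbors detail output like the listing above and recomputes each session's negotiated transmit interval and detection time from its Configured and Neighbor parameter lines, using the interval rule given at the start of this chapter (transmit at the greater of the local Desired Min TX and the remote Required Min RX; the peer declares the session down after that interval times the transmitting side's multiplier). The first block of the sample input is the guide's session 9 (abridged); the second block, the Actual values in it, and all helper names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: block one is the guide's session 9 (abridged); block two is constructed
# with asymmetric timers and a Down state so the negotiation and the audit have work to do.
SAMPLE_DETAIL = """\
Session Discriminator: 9
Remote Addr: 1.1.1.2
Int: TenGigabitEthernet 6/0
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Session Discriminator: 11
Remote Addr: 2.2.2.2
Int: TenGigabitEthernet 6/1
State: Down
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 200ms, RX: 300ms, Multiplier: 5
Actual parameters:
TX: 300ms, RX: 200ms, Multiplier: 3
"""

PARAM_RE = re.compile(r"TX:\s*(\d+)ms,\s*RX:\s*(\d+)ms,\s*Multiplier:\s*(\d+)")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


@dataclass(frozen=True)
class Timers:
    tx: int    # Desired Min TX Interval (ms)
    rx: int    # Required Min RX Interval (ms)
    mult: int  # Detection Multiplier


@dataclass(frozen=True)
class Session:
    disc: int
    remote: str
    interface: str
    state: str
    configured: Timers  # local configuration
    neighbor: Timers    # what the remote system advertised
    actual: Timers      # what the switch reports as negotiated


def parse_detail(text: str) -> List[Session]:
    """Split 'show bfd neighbors detail' output into one Session per discriminator."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("Session Discriminator:") or not blocks:
            blocks.append([])
        blocks[-1].append(line)
    return [_parse_block(b) for b in blocks]


def _parse_block(lines: List[str]) -> Session:
    fields: Dict[str, str] = {}
    timers: List[Timers] = []  # Configured, Neighbor, Actual, in output order
    for line in lines:
        m = PARAM_RE.search(line)
        if m:
            timers.append(Timers(*(int(v) for v in m.groups())))
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if len(timers) != 3:
        raise ValueError("expected Configured, Neighbor and Actual parameter lines")
    return Session(int(fields["Session Discriminator"]), fields["Remote Addr"],
                   fields["Int"], fields["State"], *timers)


def negotiate(s: Session) -> Dict[str, object]:
    """The chapter's interval rule applied in both directions."""
    local_tx = max(s.configured.tx, s.neighbor.rx)   # rate we actually transmit at
    remote_tx = max(s.neighbor.tx, s.configured.rx)  # rate the neighbor transmits at
    return {
        "tx_interval_ms": local_tx,
        "remote_detects_us_ms": s.configured.mult * local_tx,  # our multiplier, our interval
        "we_detect_remote_ms": s.neighbor.mult * remote_tx,    # its multiplier, its interval
        "actual_tx_matches": s.actual.tx == local_tx,
    }


def audit(text: str) -> List[str]:
    """One finding per session that is not Up or whose reported TX disagrees with the rule."""
    findings: List[str] = []
    for s in parse_detail(text):
        n = negotiate(s)
        if s.state != "Up":
            findings.append(f"session {s.disc} to {s.remote} on {s.interface} is {s.state}")
        if not n["actual_tx_matches"]:
            findings.append(f"session {s.disc}: Actual TX {s.actual.tx}ms, rule gives "
                            f"{n['tx_interval_ms']}ms")
    return findings


if __name__ == "__main__":
    for sess in parse_detail(SAMPLE_DETAIL):
        print(sess.disc, sess.state, negotiate(sess))
    print(audit(SAMPLE_DETAIL))
```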
The following example shows viewing the configured BFD counters.
R2# show bfd counters bgp
Interface TenGigabitEthernet 6/0
Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2
Interface TenGigabitEthernet 6/1
Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2
Interface TenGigabitEthernet 6/2
Protocol BGP
Messages:
Registration    : 1
De-registration : 0
Init            : 0
Up              : 1
Down            : 0
Admin Down      : 2
The following example shows viewing BFD summary information. The "BFD is enabled" line is the message
that displays when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor   AS   MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down    State/Pfx
1.1.1.2    1    282       281       0        0     0      00:38:12   0
2.2.2.2    1    273       273       0        0     (0)    04:32:26   0
3.3.3.2    1    282       281       0        0     0      00:38:12   0
The following example shows viewing BFD information for a specified neighbor. The "Neighbor is using ..."
line is the message that displays when you enable a BFD session with different configurations:
• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD
session settings configured with the global bfd all-neighbors command.
• Message displayed when you enable a BFD session with a BGP neighbor using the neighbor ip-address
bfd command.
• Message displayed when you enable a BGP neighbor in a peer group for which you enabled a BFD
session using the neighbor peer-group-name bfd command.
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
1 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
2 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Neighbor is using BGP global mode BFD configuration
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes
ignored 0
Prefixes advertised 0, denied 0, withdrawn 0 from peer
Connections established 1; dropped 0
Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
R2#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP neighbor mode BFD configuration
Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager. BFD sessions are
established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD
agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state
change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors.
3. On the master router, establish a VRRP BFD session with the backup routers. Refer to Establishing
Sessions with All VRRP Neighbors.
Related Configuration Tasks
• Changing VRRP Session Parameters.
• Establishing Sessions with OSPF Neighbors.
Establishing Sessions with All VRRP Neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a
particular neighbor.
Figure 15. Establishing Sessions with All VRRP Neighbors
To establish sessions with all VRRP neighbors, use the following command.
• Establish sessions with all VRRP neighbors.
  INTERFACE mode
  vrrp bfd all-neighbors
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any
VRRP BFD sessions.
VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to
establish an individual VRRP session with the backup router.
To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
  INTERFACE mode
  vrrp bfd neighbor ip-address
Examples of Viewing VRRP Sessions
To view the established sessions, use the show bfd neighbors command.
The following example shows viewing sessions with VRRP neighbors. The line with V in the Clients column
shows that VRRP BFD sessions are enabled.
R1(conf-if-te-4/25)#vrrp bfd all-neighbors
R1(conf-if-te-4/25)#do show bfd neighbor
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.5.1   2.2.5.2      Te 4/25     Down    1000     1000     3      V
To view session state information, use the show vrrp command.
The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD
session.
R1(conf-if-te-4/25)#do show vrrp
-----------------TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address:
00:00:5e:00:01:01
Virtual IP address:
2.2.5.4
Authentication: (none)
BFD Neighbors:
RemoteAddr State
2.2.5.2    Up
Changing VRRP Session Parameters
BFD sessions are configured with default intervals and a default role.
The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection
Multiplier, and system role. You can change parameters for all VRRP sessions or for a particular neighbor.
To change parameters for all VRRP sessions or for a particular VRRP session, use the following
commands.
• Change parameters for all VRRP sessions.
  INTERFACE mode
  vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for a particular VRRP session.
  INTERFACE mode
  vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in
Displaying BFD for BGP Information (Verifying BFD Sessions with BGP Neighbors Using the show bfd
neighbors command).
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down.
A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to
the Down state.
To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP
session on an interface, use the following commands.
• Disable all VRRP sessions on an interface.
  INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
  VRRP mode
  bfd disable
• Disable a particular VRRP session on an interface.
  INTERFACE mode
  no vrrp bfd neighbor ip-address
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled.
When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote
system receive an Admin Down control packet and are placed in the Down state.
To enable protocol liveness, use the following command.
• Enable Protocol Liveness.
  CONFIGURATION mode
  bfd protocol-liveness
9 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS.
BGP protocol standards are listed in the Standards Compliance chapter.
BGP is an external gateway protocol that transmits interdomain routing information within and between
autonomous systems (AS). The primary function of BGP is to exchange network reachability information
with other BGP systems. BGP generally operates with an internal gateway protocol (IGP) such as open
shortest path first (OSPF) or routing information protocol (RIP), allowing you to communicate with
external ASs smoothly. BGP adds reliability to network connections by having multiple paths from one
router to another.
Autonomous Systems (AS)
BGP autonomous systems (ASs) are a collection of nodes under common administration with common
network routing policies.
Each AS has a number, which is assigned by an internet authority. You do not assign the BGP number.
AS numbers (ASNs) are important because the ASN uniquely identifies each network on the internet. The
Internet Assigned Numbers Authority (IANA) has reserved AS numbers 64512 through 65534 to be used
for private purposes. ASNs 0 and 65535 are reserved by IANA and must not be used in a live environment.
You can group autonomous systems into three categories (multihomed, stub, and transit), defined by
their connections and operation.
• multihomed AS — is one that maintains connections to more than one other AS. This group allows
  the AS to remain connected to the Internet in the event of a complete failure of one of their
  connections. However, this type of AS does not allow traffic from one AS to pass through on its way
  to another AS. A simple example of this group is seen in the following illustration.
• stub AS — is one that is connected to only one other AS.
• transit AS — is one that provides connections through itself to separate networks. For example, in the
  following illustration, Router 1 can use Router 2 (the transit AS) to connect to Router 4. Internet
  service providers (ISPs) are always transit ASs, because they provide connections from one network to
  another. The ISP is considered to be “selling transit service” to the customer network, hence the term
  Transit AS.
When BGP operates inside an AS (AS1 or AS2, as seen in the following illustration), it is referred to as
Internal BGP (IBGP, Interior Border Gateway Protocol). When BGP operates between ASs (AS1 and AS2), it
is called External BGP (EBGP, Exterior Border Gateway Protocol). IBGP provides routers inside the AS with
the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP
routers as well as IBGP routers to maintain connectivity and accessibility.
Figure 16. Interior BGP
BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is
a path vector protocol: BGP maintains the path that updated information takes as it diffuses through the
network. Updates traveling through the network and returning to the same node are easily detected and
discarded.
BGP does not use a traditional interior gateway protocol (IGP) metric, but makes routing decisions based
on path, network policies, and/or rulesets. Unlike most protocols, BGP uses TCP as its transport protocol.
Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh,”
a topology that has every router directly connected to every other router. Each BGP router within an AS
must have iBGP sessions with all other BGP routers in the AS. As seen in the illustration below, four
routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers
in full mesh have seven peers each.
Figure 17. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network
management quickly becomes impossible.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of
that session are Peers. A Peer is also called a Neighbor.
Establish a Session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic
routing policies.
In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state
machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For
each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The
BGP protocol defines the messages that each peer should exchange in order to change the session from
one state to another.
State        Description
Idle         BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect      In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active       The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent     After successful OpenSent transition, the router sends an Open message and waits for one in return.
OpenConfirm  After the Open message parameters are agreed between peers, the neighbor relation is established and is in the OpenConfirm state. This is when the router receives and checks for agreement on the parameters of open messages to establish a session.
Established  Keepalive messages are exchanged next, and after successful receipt, the router is placed in the Established state. Keepalive messages continue to be sent at regular periods (established by the Keepalive timer) to verify connections.
After the connection is established, the router can now send/receive Keepalive, Update, and Notification
messages to/from its peer.
Peer Groups
Peer groups are neighbors grouped according to common routing policies. They enable easier system
configuration and management by allowing groups of routers to share and inherit policies.
Peer groups also aid in convergence speed. When a BGP process needs to send the same information to
a large number of peers, the BGP process needs to set up a long output queue to get that information to
all the proper peers. If the peers are members of a peer group however, the information can be sent to
one place and then passed onto the peers within the group.
Route Reflectors
Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.
NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchical RRs maintaining
forwarding plane RRs could create routing loops.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector
and its client peers form a route reflection cluster. Because BGP speakers announce only the best route
for a given prefix, route reflector rules are applied after the router makes its best path decision.
• If a route was received from a nonclient peer, reflect the route to all client peers.
• If the route was received from a client peer, reflect the route to all nonclient and all client peers.
To illustrate how these rules affect routing, refer to the following illustration and the following steps.
Routers B, C, D, E, and G are members of the same AS (AS100). These routers are also in the same Route
Reflection Cluster, where Router D is the Route Reflector. Routers E and G are client peers of Router D;
Routers B and C are nonclient peers of Router D.
Figure 18. BGP Router Rules
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned
   through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer
   is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3. Router D does not advertise the route to Router C because Router C is a nonclient peer and the
   route advertisement came from Router B, who is also a nonclient peer.
4. Router D does reflect the advertisement to Routers E and G because they are client peers of Router D.
5. Routers E and G then advertise this iBGP learned route to their eBGP peers Routers F and H.
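The five steps above, run as an added example (this is not code from the Dell guide) over a constructed model of the Figure 18 topology. The peer relationships (A-B eBGP; B, C and D fully meshed in iBGP with D as the reflector; E and G as D's clients; E-F and G-H eBGP) are assumptions read from the text, and the function names are this example's own:

```python
"""Route-reflector advertisement rules walked over the Figure 18 topology."""
from collections import deque

# Relationship of a peer as seen from a given router.
EBGP, IBGP, CLIENT, NONCLIENT = "ebgp", "ibgp", "client", "nonclient"

# Constructed topology (assumption: links as the text describes them).
# Router D is the route reflector; E and G are its clients, B and C its nonclients.
TOPOLOGY = {
    "A": {"B": EBGP},
    "B": {"A": EBGP, "C": IBGP, "D": IBGP},
    "C": {"B": IBGP, "D": IBGP},
    "D": {"B": NONCLIENT, "C": NONCLIENT, "E": CLIENT, "G": CLIENT},
    "E": {"D": IBGP, "F": EBGP},
    "G": {"D": IBGP, "H": EBGP},
    "F": {"E": EBGP},
    "H": {"G": EBGP},
}
REFLECTORS = {"D"}


def advertise_to(router, learned_from, peers, is_rr):
    """Peers to which `router` re-advertises a best route learned from `learned_from`."""
    how = peers[learned_from]           # relationship to the peer that sent the route
    targets = []
    for peer, rel in peers.items():
        if peer == learned_from:
            continue                    # never back to the sender
        if rel == EBGP:
            targets.append(peer)        # eBGP peers always get the best path (step 5)
        elif how == EBGP:
            targets.append(peer)        # eBGP-learned: to all iBGP peers (step 1)
        elif is_rr and how == NONCLIENT and rel == CLIENT:
            targets.append(peer)        # nonclient -> client peers only (steps 3 and 4)
        elif is_rr and how == CLIENT:
            targets.append(peer)        # client -> all client and nonclient peers
        # an iBGP-learned route on a non-reflector is not passed to iBGP peers (step 2)
    return targets


def propagate(origin, topology=TOPOLOGY, reflectors=REFLECTORS):
    """Flood one prefix from `origin`; return (sender, receiver) pairs in order."""
    learned = {origin: None}
    queue = deque([origin])
    log = []
    while queue:
        router = queue.popleft()
        peers = topology[router]
        if learned[router] is None:
            targets = list(peers)       # the originator tells all of its peers
        else:
            targets = advertise_to(router, learned[router], peers, router in reflectors)
        for peer in targets:
            log.append((router, peer))
            if peer not in learned:     # a second iBGP copy changes nothing
                learned[peer] = router
                queue.append(peer)
    return log


if __name__ == "__main__":
    for sender, receiver in propagate("A"):
        print(f"{sender} -> {receiver}")
```

The log produced matches the five steps: B tells C and D, C tells nobody, D reflects only to E and G, and E and G pass the route to their eBGP peers F and H. Changing D's view of B to CLIENT in TOPOLOGY shows the second rule, where the reflected route also reaches the nonclient C.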
Communities
BGP communities are sets of routes with one or more common attributes. Communities are a way to
assign common attributes to multiple routes at the same time.
BGP Attributes
Routes learned using BGP have associated properties that are used to determine the best route to a
destination when multiple paths exist to a particular destination.
These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence
route selection is required for the design of robust networks. This section describes the attributes that
BGP uses in the route selection process:
• Weight
• Local Preference
• Multi-Exit Discriminators (MEDs)
• Origin
• AS Path
• Next Hop
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS
number (BGP best path selection is deterministic by default, which means the bgp nondeterministic-med command is NOT applied).
The best path in each group is selected based on specific criteria. Only one “best path” is selected at a
time. If any of the criteria results in more than one path, BGP moves on to the next option in the list. For
example, two paths may have the same weights, but different local preferences. BGP sees that the Weight
criterion results in two potential “best paths” and moves to local preference to reduce the options. After
a best path is determined for each group, the same selection criteria are applied to the groups' best
paths to determine the ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are
compared in the order in which they arrive. This method can lead to the system choosing different best
paths from a set of paths, depending on the order in which they were received from the neighbors,
because MED may or may not get compared between the adjacent paths. In deterministic mode, the
system compares MED between the adjacent paths within an AS group because all paths in the AS group
are from the same AS.
The following illustration shows the decisions BGP goes through to select the best path. The list
following the illustration details the path selection criteria.
Figure 19. BGP Best Path Selection
Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command or
   aggregate-address command.
   a. Routes originated via a network or redistribute command are preferred over routes originated
      with the aggregate-address command.
4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command
   is configured, then AS_PATH is not considered). The following criteria apply:
   a. An AS_SET has a path length of 1, no matter how many ASs are in the set.
   b. A path with no AS_PATH configured has a path length of 0.
   c. AS_CONFED_SET is not included in the AS_PATH length.
   d. AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the
      AS_CONFED_SEQUENCE.
5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than
   INCOMPLETE).
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
   a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs
      are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
   b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
   c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next hop. This step applies when
   synchronization is disabled and only internal paths remain.
9. The system deems the paths equal and does not perform steps 9 through 11 if the following
   criteria are met:
   a. IBGP multipath or EBGP multipath is configured (the maximum-path command).
   b. The paths being compared were received from the same AS with the same number of ASs in the
      AS Path but with different NextHops.
   c. The paths were received from IBGP or EBGP neighbors, respectively.
10. If the bgp bestpath router-id ignore command is enabled:
   a. If the Router-ID is the same for multiple paths (because the routes were received from the same
      route), skip this step.
   b. If the Router-ID is NOT the same for multiple paths, prefer the path that was first received as
      the Best Path. The path selection algorithm returns without performing any of the checks
      detailed here.
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are
    external, prefer the oldest path (first received path). For paths containing a route reflector (RR)
    attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without
    a cluster ID length are set to a 0 cluster ID length.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used
    in the BGP neighbor configuration and corresponds to the remote peer used in the TCP connection
    with the local router.)
After a best path is determined for each group, the same selection criteria are applied to the groups'
best paths to determine the ultimate best path.
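The ordered criteria above, implemented as an added example (this is not Dell Networking OS code). The Path fields, the sample paths, the per-neighboring-AS grouping of deterministic mode and the cfg flags always_compare_med, as_path_ignore and router_id_ignore are this example's own names for the commands the list mentions. Step 9 (multipath) is left out, and ranking eBGP before confederation eBGP before iBGP in step 7 is an assumption:

```python
"""BGP best-path selection in the order of the list above (added example)."""
from dataclasses import dataclass
from typing import Optional

NO_MED = 4294967295                                   # step 6c: no MED counts as worst
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # step 5
LOCAL_RANK = {"network": 0, "redistribute": 0, "aggregate-address": 1, None: 2}  # step 3
PEER_RANK = {"ebgp": 0, "confed-ebgp": 1, "ibgp": 2}  # step 7 (ordering is an assumption)


@dataclass
class Path:
    name: str
    as_path: list                       # [(segment_type, [asn, ...]), ...]
    weight: int = 0
    local_pref: int = 100
    local_origin: Optional[str] = None  # "network", "redistribute", "aggregate-address"
    origin: str = "IGP"
    med: Optional[int] = None
    peer_type: str = "ebgp"
    igp_metric: int = 0
    router_id: str = "0.0.0.0"          # originator ID when the path was reflected
    cluster_len: int = 0
    neighbor_addr: str = "0.0.0.0"
    received_order: int = 0             # lower means received earlier


def as_path_length(segments):
    """Steps 4a-4d: AS_SET and AS_CONFED_SEQUENCE count 1, AS_CONFED_SET counts 0."""
    total = 0
    for kind, ases in segments:
        if kind == "AS_SEQUENCE":
            total += len(ases)
        elif kind in ("AS_SET", "AS_CONFED_SEQUENCE"):
            total += 1
    return total


def neighbor_as(path):
    """First AS of the AS_SEQUENCE, or None for a locally originated path."""
    for kind, ases in path.as_path:
        if kind == "AS_SEQUENCE" and ases:
            return ases[0]
    return None


def ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def compare_set(paths, cfg, compare_med):
    """Apply the criteria in order; return (winner, number of the step that decided)."""
    keys = [
        (1, lambda p: -p.weight),
        (2, lambda p: -p.local_pref),
        (3, lambda p: LOCAL_RANK[p.local_origin]),
        (4, lambda p: 0 if cfg.get("as_path_ignore") else as_path_length(p.as_path)),
        (5, lambda p: ORIGIN_RANK[p.origin]),
        (6, lambda p: (NO_MED if p.med is None else p.med) if compare_med else 0),
        (7, lambda p: PEER_RANK[p.peer_type]),
        (8, lambda p: p.igp_metric),
        (11, lambda p: ip_key(p.router_id)),
        (12, lambda p: p.cluster_len),
        (13, lambda p: ip_key(p.neighbor_addr)),
    ]
    survivors = list(paths)
    for step, key in keys:
        if step == 11 and cfg.get("router_id_ignore") and len({p.router_id for p in survivors}) > 1:
            # step 10: router IDs differ, so keep the path received first and stop
            return min(survivors, key=lambda p: p.received_order), 10
        best = min(key(p) for p in survivors)
        survivors = [p for p in survivors if key(p) == best]
        if len(survivors) == 1:
            return survivors[0], step
    return min(survivors, key=lambda p: p.received_order), 13


def select_best(paths, cfg=None):
    """Deterministic mode: a winner per neighboring-AS group (MED compared inside the
    group), then the group winners compared with MED only under always-compare-med."""
    cfg = cfg or {}
    groups = {}
    for p in paths:
        groups.setdefault(neighbor_as(p), []).append(p)
    ordered = sorted(groups, key=lambda asn: (asn is None, asn or 0))   # ascending AS
    winners = [compare_set(groups[asn], cfg, compare_med=True)[0] for asn in ordered]
    return compare_set(winners, cfg, compare_med=bool(cfg.get("always_compare_med")))


def sample_paths():
    """Constructed sample: three eBGP paths to one prefix, two of them via AS 701."""
    return [
        Path("via-701-a", [("AS_SEQUENCE", [701, 3549, 19421])], med=50,
             router_id="10.0.0.3", neighbor_addr="10.114.8.33", received_order=0),
        Path("via-701-b", [("AS_SEQUENCE", [701, 7018, 14990])], med=10,
             router_id="10.0.0.2", neighbor_addr="10.114.8.34", received_order=1),
        Path("via-209", [("AS_SEQUENCE", [209, 3356, 2529])], med=None,
             router_id="10.0.0.1", neighbor_addr="10.114.8.35", received_order=2),
    ]


if __name__ == "__main__":
    for cfg in ({}, {"always_compare_med": True}, {"router_id_ignore": True}):
        best, step = select_best(sample_paths(), cfg)
        print(f"{cfg or 'defaults'}: {best.name} chosen at step {step}")
```

With the sample paths, the AS 701 group is decided by MED (step 6) in favour of via-701-b; the path via AS 209 carries no MED, so by default it is compared with the 701 winner only on router ID (step 11) and wins. Under always_compare_med its missing MED is treated as 4294967295 and via-701-b wins at step 6, and under router_id_ignore the differing router IDs end the comparison at step 10 with the path received first.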
Weight
The weight attribute is local to the router and is not advertised to neighboring routers.
If the router learns about more than one route to the same destination, the route with the highest weight
is preferred. The route with the highest weight is installed in the IP routing table.
Local Preference
Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the
number, the greater the preference for the route.
Local preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in mind
that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. For
this example, assume that the local preference (LOCAL_PREF) is the only attribute applied. In the
following illustration, AS100 has two possible paths to AS 200. Although the path through Router A is
shorter (one hop instead of two), the LOCAL_PREF settings have the preferred path go through Router B
and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path
through Router B.
Figure 20. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a
preference to a preferred path.
MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact
selection, as shown in the illustration in Best Path Selection Criteria.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this
example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200
connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100
and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs
are advertised to AS100 routers so they know which is the preferred path.
MEDs are non-transitive attributes. If AS100 sends an MED to AS200, AS200 does not pass it on to AS300
or AS400. The MED is a locally relevant attribute to the two participating ASs (AS100 and AS200).
NOTE: The MEDs are advertised across both links, so if a link goes down, AS 1 still has connectivity
to AS300 and AS400.
Figure 21. Multi-Exit Discriminators
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin
codes: IGP, EGP, INCOMPLETE.
Origin Type   Description
IGP           Indicates the prefix originated from information learned through an interior gateway protocol.
EGP           Indicates the prefix originated from information learned from an EGP protocol, which BGP replaced.
INCOMPLETE    Indicates that the prefix originated from an unknown source.
Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally
means that a route was learned from an external gateway protocol. An INCOMPLETE origin code
generally results from aggregation, redistribution, or other indirect ways of installing routes into BGP.
In the Dell Networking OS, these origin codes appear as shown in the following example. The question
mark (?) indicates an origin code of INCOMPLETE (shown in bold). The lower case letter (i) indicates an
origin code of IGP (shown in bold).
Example of Viewing Origin Codes
Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network        Next Hop      Metric LocPrf Weight Path
*> 7.0.0.0/29     10.114.8.33   0      0      18508  ?
*> 7.0.0.0/30     10.114.8.33   0      0      18508  ?
*> 9.2.0.0/16     10.114.8.33   10     0      18508  701 i
AS Path
The AS path is the list of all ASs that all the prefixes listed in the update have passed through.
The local AS number is added by the BGP speaker when advertising to an eBGP neighbor.
The AS path is shown in the following example. The origin attribute is shown following the AS path
information (shown in bold).
Example of Viewing AS Paths
Dell#show ip bgp paths
Total 30655 Paths
Address   Hash Refcount Metric Path
0x4014154 0    3        18508  701 3549 19421 i
0x4013914 0    3        18508  701 7018 14990 i
0x5166d6c 0    3        18508  209 4637 1221 9249 9249 i
0x5e62df4 0    2        18508  701 17302 i
0x3a1814c 0    26       18508  209 22291 i
0x567ea9c 0    75       18508  209 3356 2529 i
0x6cc1294 0    2        18508  209 1239 19265 i
0x6cc18d4 0    1        18508  701 2914 4713 17935 i
0x5982e44 0    162      18508  209 i
0x67d4a14 0    2        18508  701 19878 ?
0x559972c 0    31       18508  209 18756 i
0x59cd3b4 0    2        18508  209 7018 15227 i
0x7128114 0    10       18508  209 3356 13845 i
0x536a914 0    3        18508  209 701 6347 7781 i
0x2ffe884 0    1        18508  701 3561 9116 21350 i
Next Hop
The next hop is the IP address used to reach the advertising router.
For EBGP neighbors, the next-hop address is the IP address of the connection between the neighbors.
For IBGP, the EBGP next-hop address is carried into the local AS. A next hop attribute is set when a BGP
speaker advertises itself to another BGP speaker outside its local AS and when advertising routes within
an AS. The next hop attribute also serves as a way to direct traffic to another BGP speaker, rather than
waiting for a speaker to advertise.
The system allows you to set the next hop attribute in the CLI. Setting the next hop attribute lets you
determine a router as the next hop for a BGP neighbor.
Multiprotocol BGP
Multiprotocol extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of
address families to be distributed in parallel.
MBGP allows information about the topology of the IP multicast-capable routers to be exchanged
separately from the topology of normal IPv4 and IPv6 unicast routers. It allows a multicast routing
topology different from the unicast routing topology.
NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer
reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP. Therefore,
you cannot redistribute multiprotocol BGP routes into BGP.
Implement BGP
The following sections describe how BGP is implemented on the Z9500 switch.
Additional Path (Add-Path) Support
The add-path feature reduces convergence times by advertising multiple paths to its peers for the same
address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only
the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker
withdraws its path from its local RIB and recalculates a new best path. This situation requires both IGP
and BGP convergence and can be a lengthy process. BGP add-path also helps switchover to the next
new best path when the current best path is unavailable.
Advertise IGP Cost as MED for Redistributed Routes
When using multipath connectivity to an external AS, you can advertise the MED value selectively to each
peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting
others to a constant pre-defined metric as MED value.
Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED
to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the
default IGP cost.
By using the redistribute command with the route-map command, you can specify whether a peer
advertises the standard MED or uses the IGP cost as the MED.
When configuring this functionality:
• If the redistribute command does not have metric configured and the BGP peer outbound
  route-map does have metric-type internal configured, BGP advertises the IGP cost as MED.
• If the redistribute command has metric configured (route-map set metric or
  redistribute route-type metric) and the BGP peer outbound route-map has metric-type
  internal configured, BGP advertises the metric configured in the redistribute command as
  MED.
• If BGP peer outbound route-map has metric configured, all other metrics are overwritten by this
  configuration.
NOTE: When redistributing static, connected, or OSPF routes, there is no metric option. Simply
assign the appropriate route-map to the redistributed route.
The following table lists some examples of these rules.
Table 6. Redistributed Route Rules
Command Settings                           BGP Local Routing Information Base   MED Advertised to Peer WITH route-map metric-type internal   MED Advertised to Peer WITHOUT route-map metric-type internal
redistribute isis (IGP cost = 20)          MED: IGP cost 20                     MED = 20                                                     MED = 0
redistribute isis route-map set metric 50  MED: IGP cost 50                     MED: 50                                                      MED: 50
redistribute isis metric 100               MED: IGP cost 100                    MED: 100                                                     MED: 100
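The three rules and Table 6, encoded as an added example (not code from the guide) so that the precedence between the redistribute metric, the peer's metric-type internal setting and the peer's set metric is explicit. Function and parameter names are this example's own, and the IGP cost of 20 used for the second and third rows is a constructed value, since the table states the IGP cost only for the first row:

```python
"""MED carried by a redistributed route to an eBGP peer, per the rules above (added example)."""


def advertised_med(igp_cost, redistribute_metric=None,
                   peer_metric_type_internal=False, peer_set_metric=None):
    """Return (metric in the BGP local RIB, MED sent to this peer).

    igp_cost                  metric of the route in the IGP table it is redistributed from
    redistribute_metric       metric set on the redistribute command or its route-map
    peer_metric_type_internal the peer's outbound route-map has set metric-type internal
    peer_set_metric           the peer's outbound route-map has set metric <value>
    """
    # A metric on the redistribute command replaces the IGP cost in the local RIB
    local_rib = igp_cost if redistribute_metric is None else redistribute_metric
    if peer_set_metric is not None:
        return local_rib, peer_set_metric       # rule 3: the peer route-map metric overrides all
    if redistribute_metric is not None:
        return local_rib, redistribute_metric   # rule 2, and the WITHOUT column of Table 6
    if peer_metric_type_internal:
        return local_rib, igp_cost              # rule 1: the IGP cost is advertised as MED
    return local_rib, 0                         # no metric configured anywhere: MED 0


def table_6():
    """Rebuild Table 6 from the rules: (command, local RIB metric, MED with, MED without)."""
    rows = [("redistribute isis (IGP cost = 20)", 20, None),          # IGP cost from the table
            ("redistribute isis route-map set metric 50", 20, 50),   # IGP cost 20 is constructed
            ("redistribute isis metric 100", 20, 100)]               # IGP cost 20 is constructed
    out = []
    for command, igp_cost, redistribute_metric in rows:
        local_rib, with_internal = advertised_med(igp_cost, redistribute_metric, True)
        _, without_internal = advertised_med(igp_cost, redistribute_metric, False)
        out.append((command, local_rib, with_internal, without_internal))
    return out


if __name__ == "__main__":
    for row in table_6():
        print(row)
```

The same function shows the third rule, which the table does not: a set metric in the peer's outbound route-map (peer_set_metric) wins even when the redistribute command and metric-type internal are both configured.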
Ignore Router-ID for Some Best-Path Calculations
You can avoid unnecessary BGP best-path transitions between external paths under certain conditions.
The bgp bestpath router-id ignore command reduces network disruption caused by routing and
forwarding plane changes and allows for faster convergence.
Four-Byte AS Numbers
The 4-Byte (32-bit) format is supported to configure autonomous system numbers (ASNs).
The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte
BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet.
The behavior of a 4-Byte BGP speaker is different with the peer depending on whether the peer is a 4Byte or 2-Byte BGP speaker.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS numbers using the
traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip
bgp commands. For example, an ASN entered as 3183856184 appears in the show commands as
48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN
from a traditional format, use ASN/65536 (integer division) for the word before the dot and ASN%65536
for the word after it.
Traditional Format   DOT Format
65001                0.65501
65536                1.0
100000               1.34464
4294967295           65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte
identified routers. You cannot mix them.
Configure 4-byte AS numbers with the four-octet-support command.
AS4 Number Representation
Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers
feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
ASPLAIN is the default method the system uses. With the ASPLAIN notation, a 32-bit binary AS number is
translated into a decimal value.
•
All AS numbers between 0 and 65535 are represented as a decimal number when entered in the CLI
and when displayed in the show commands output.
•
AS numbers larger than 65535 are represented using ASPLAIN notation. When entered in the CLI and
when displayed in the show commands output, 65546 is represented as 65546.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a
decimal point (.): <high-order 16 bits>.<low-order 16 bits>, that is, ASN/65536.ASN%65536. Some
examples are shown in the following table.
• All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI
  and when displayed in the show commands outputs.
• AS numbers larger than 65535 are represented using ASDOT notation as <high-order 16 bits>.<low-order 16 bits>. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536
appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal
format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears
as 1.10.
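The three notations and a parser that accepts any of them, as an added example (not Dell Networking OS code). Function names are this example's own; the range classification uses only the ranges this chapter states (0 and 65535 reserved, 64512 through 65534 private), and the dot conversion is the ASN/65536.ASN%65536 formula given above:

```python
"""asplain, asdot+ and asdot representations of 4-byte AS numbers (added example)."""
import re

MAX_2BYTE = 65535
MAX_4BYTE = 4294967295
DOT_RE = re.compile(r"^(\d+)\.(\d+)$")


def check(asn):
    """Reject anything outside the 32-bit ASN space."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN {asn} outside 0..{MAX_4BYTE}")


def to_asplain(asn):
    """ASPLAIN: the full number in decimal, whatever its size."""
    check(asn)
    return str(asn)


def to_asdot_plus(asn):
    """ASDOT+: high 16 bits, a dot, low 16 bits, always two words (ASN/65536.ASN%65536)."""
    check(asn)
    return f"{asn // 65536}.{asn % 65536}"


def to_asdot(asn):
    """ASDOT: asplain below 65536, asdot+ from 65536 upward."""
    check(asn)
    return str(asn) if asn <= MAX_2BYTE else to_asdot_plus(asn)


def parse_asn(text):
    """Accept any of the three notations and return the integer ASN."""
    match = DOT_RE.match(text.strip())
    if match:
        high, low = int(match.group(1)), int(match.group(2))
        if high > MAX_2BYTE or low > MAX_2BYTE:
            raise ValueError(f"each word of {text!r} must be 0..65535")
        asn = high * 65536 + low
    else:
        asn = int(text)
    check(asn)
    return asn


def asn_class(asn):
    """Classify using only the ranges this chapter names."""
    check(asn)
    if asn in (0, 65535):
        return "reserved"
    if 64512 <= asn <= 65534:
        return "private"
    return "2-byte" if asn <= MAX_2BYTE else "4-byte"


if __name__ == "__main__":
    for asn in (65001, 65536, 100000, 3183856184, 4294967295):
        print(f"{to_asplain(asn):>10}  asdot+ {to_asdot_plus(asn):>12}  asdot {to_asdot(asn)}")
```

Every value round-trips through parse_asn, and the words on either side of the dot are checked against 65535, so a mistyped "1.70000" is rejected instead of silently producing a different ASN. Note that 65001 has no high-order word, so the ASN/65536.ASN%65536 formula renders it as 0.65001.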
Dynamic AS Number Notation Application
A change in the ASN notation type is dynamically applied to the running-config statements.
When you apply or change an ASN notation, the type selected is reflected immediately in the running-configuration and the show commands (refer to the following two examples).
Example of Dynamic Changes in the Running Configuration When Using the bgp asnotation
Command
ASDOT
Dell(conf-router_bgp)#bgp asnotation asdot
Dell(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057