FTOS 9.1(0.0) Configuration Guide For The S4810 System 1508082823force10 Reference En Us
User Manual: DELL FORCE10 S4810 pdf | FreeUserManuals.com
Open the PDF directly: View PDF 
.
Page Count: 1146
FTOS Configuration Guide for
the S4810 System
FTOS 9.1(0.0)
Publication Date: June 2013
�Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to
avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this publication is subject to change without notice.
© 2013 Dell Force10. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell™, the DELL logo, Dell Precision™, OptiPlex™, Latitude™, PowerEdge™, PowerVault™,
PowerConnect™, OpenManage™, EqualLogic™, KACE™, FlexAddress™ and Vostro™ are trademarks of Dell Inc. Intel®, Pentium®, Xeon®,
Core™ and Celeron® are registered trademarks of Intel Corporation in the U.S. and other countries. AMD® is a registered trademark and AMD
Opteron™, AMD Phenom™, and AMD Sempron™ are trademarks of Advanced Micro Devices, Inc. Microsoft®, Windows®, Windows
Server®, MS-DOS® and Windows Vista® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or
other countries. Red Hat Enterprise Linux® and Enterprise Linux® are registered trademarks of Red Hat, Inc. in the United States and/or other
countries. Novell® is a registered trademark and SUSE ™ is a trademark of Novell Inc. in the United States and other countries. Oracle® is a
registered trademark of Oracle Corporation and/or its affiliates. Citrix®, Xen®, XenServer® and XenMotion® are either registered trademarks
or trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware®, Virtual SMP®, vMotion®, vCenter®, and vSphere®
are registered trademarks or trademarks of VMWare, Inc. in the United States or other countries.
Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products.
Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
June 2013
�1 About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Information Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
2 Configuration Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Accessing the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Navigating CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
The do Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Undoing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Obtaining Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Entering and Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Filtering show Command Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Multiple Users in Configuration mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Console access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Serial console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Configure a Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Access the System Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Access the C-Series, E-Series, S-Series, and the Z-Series Remotely . . . . . . . . . . .41
Access the S-Series Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Configure the Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Configuration File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Copy Files to and from the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Save the Running-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Configure the Overload bit for Startup Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
View Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
File System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
View command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Upgrading FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Configure Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Create a Custom Privilege Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Apply a Privilege Level to a Username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Apply a Privilege Level to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
| 1
�www.dell.com | support.dell.com
Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Log Messages in the Internal Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Configuration Task List for System Log Management . . . . . . . . . . . . . . . . . . . . . . . .55
Disable System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Send System Messages to a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Configure a Unix System as a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Change System Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Display the Logging Buffer and the Logging Configuration . . . . . . . . . . . . . . . . . . . . . . .57
Configure a UNIX logging facility level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Synchronize log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Enable timestamp on syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Configuration Task List for File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Deny and Permit Access to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Configure Login Authentication for Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . .63
Time out of EXEC Privilege Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Telnet to Another Network Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Lock CONFIGURATION mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Viewing the Configuration Lock Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Recovering from a Forgotten Password on the S4810 . . . . . . . . . . . . . . . . . . . . . . . . . .67
Recovering from a Forgotten Enable Password on the S4810 . . . . . . . . . . . . . . . . .68
Recovering from a Failed Start on the S4810 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
5 802.1ag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Maintenance Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Maintenance End Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Configure CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Enable Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Create a Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Create a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Create Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Create a Maintenance End Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Create a Maintenance Intermediate Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
MP Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Continuity Check Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Enable CCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Enable Cross-checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Loopback Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
2
|
�Linktrace Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Link Trace Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Enable CFM SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Display Ethernet CFM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
6 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
The Port-authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
EAP over RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Enabling 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring Request Identity Re-transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Configuring a Quiet Period after a Failed Authentication . . . . . . . . . . . . . . . . . . . . .91
Forcibly Authorizing or Unauthorizing a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Re-authenticating a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Periodic Re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Configuring Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Dynamic VLAN Assignment with Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Guest and Authentication-fail VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Configuring a Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Configuring an Authentication-fail VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
7 Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
IP Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
CAM Profiling, CAM Allocation, and CAM Optimization . . . . . . . . . . . . . . . . . . . . .102
Implementing ACLs on FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
IP Fragment Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Configure a standard IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Configure an extended IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Established Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring Layer 2 and Layer 3 ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . 114
Assign an IP ACL to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Counting ACL Hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring Ingress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring Egress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Egress Layer 3 ACL Lookup for Control-plane IP Traffic . . . . . . . . . . . . . . . . . . . . 118
Configuring ACLs to Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Applying an ACL on Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
IP Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
| 3
�www.dell.com | support.dell.com
Configuration Task List for Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
ACL Resequencing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Resequencing an ACL or Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Configuration Task List for Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
8 Bidirectional Forwarding Detection (BFD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
How BFD Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configuring Bidirectional Forwarding Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configuring BFD for Physical Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configuring BFD for Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Configuring BFD for OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Configuring BFD for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Configuring BFD for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Configuring BFD for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Configuring BFD for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Configuring BFD for Port-Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Configuring Protocol Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Troubleshooting BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
9 Border Gateway Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Autonomous Systems (AS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Sessions and Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Route Reflectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
BGP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Best Path Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Local Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Multi-Exit Discriminators (MEDs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
AS Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Multiprotocol BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Implementing BGP with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Additional Path (Add-Path) support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Advertise IGP cost as MED for redistributed routes . . . . . . . . . . . . . . . . . . . . . . . .185
Ignore Router-ID for some best-path calculations . . . . . . . . . . . . . . . . . . . . . . . . . .185
4
|
�4-Byte AS Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
AS4 Number Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
AS Number Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
BGP4 Management Information Base (MIB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
BGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Configuration Task List for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
MBGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
BGP Regular Expression Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Debugging BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Storing Last and Bad PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Capturing PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
PDU Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
10 Bare Metal Provisioning 3.0 (BMP 3.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Important Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
BMP Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Preparing BMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Domain Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Reload Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
BMP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Normal Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
DHCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
FTOS Image Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Pre-configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Post-configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Auto-execution Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
System boot and set-up behavior in BMP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . .260
BMP mode: Boot and Set-up Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Reload using the Auto-execution Script (Normal mode only) . . . . . . . . . . . . . . . . .265
Script Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Auto-execution Script - Normal mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Pre-configuration Script - BMP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
| 5
�www.dell.com | support.dell.com
11 Content Addressable Memory (CAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Microcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
CAM Profiling for ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Boot Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Example: EF Line Card with EG Chassis Profile (Card Problem) . . . . . . . . . . . . . .276
Example: EH Line Card with EG Chassis Profile (Card Problem) . . . . . . . . . . . . .276
When to Use CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Differences Between EtherScale and TeraScale . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Select CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
CAM Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Test CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
View CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
View CAM-ACL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
View CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Configure IPv4Flow Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Configure Ingress Layer 2 ACL Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Return to the Default CAM Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
CAM Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Applications for CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
LAG Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
LAG Hashing based on Bidirectional Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
CAM profile for the VLAN ACL group feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Troubleshoot CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
CAM Profile Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
QoS CAM Region Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
12 Control Plane Policing (CoPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configure Control Plane Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Configure CoPP for protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Configure CoPP for CPU queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Show commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
13 Data Center Bridging (DCB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Ethernet Enhancements in Data Center Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Priority-Based Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Enhanced Transmission Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Data Center Bridging Exchange Protocol (DCBx) . . . . . . . . . . . . . . . . . . . . . . . . . .303
Data Center Bridging in a Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
6
|
�Enabling Data Center Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
QoS dot1p Traffic Classification and Queue Assignment . . . . . . . . . . . . . . . . . . . . . . .305
Configuring Priority-Based Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Configuring Lossless Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Configuring the PFC Buffer in a Switch Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Configuring Enhanced Transmission Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
ETS Prerequisites and Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Creating a QoS ETS Output Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Creating an ETS Priority Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Applying an ETS Output Policy for a Priority Group to an Interface . . . . . . . . . . . .316
ETS Operation with DCBx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Configuring Bandwidth Allocation for DCBx CIN . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Applying DCB Policies in a Switch Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Configuring DCBx Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
DCBx Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
DCBx Port Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
DCB Configuration Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Configuration Source Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Propagation of DCB Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Auto-Detection and Manual Configuration of the DCBx Version . . . . . . . . . . . . . . .323
DCBx Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
DCBx Prerequisites and Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
DCBx Configuration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Verifying DCB Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
PFC and ETS Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
Using PFC and ETS to Manage Data Center Traffic . . . . . . . . . . . . . . . . . . . . . . . .344
Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack . . .348
Hierarchical Scheduling in ETS Output Policies . . . . . . . . . . . . . . . . . . . . . . . . . . .349
14 S-Series Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Running Offline Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Auto Save on Crash or Rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Last restart reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Environmental monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Recognize an over-temperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Troubleshoot an over-temperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Recognize an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Troubleshoot an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
| 7
�www.dell.com | support.dell.com
Buffer tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Deciding to tune buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Buffer tuning commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Sample buffer profile configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Troubleshooting packet loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Displaying Drop Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Dataplane Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Displaying Stack Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Displaying Stack Member Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Application core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Mini core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
TCP dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
15 Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
DHCP Packet Format and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Assigning an IP Address using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configure the System to be a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Configure the Server for Automatic Address Allocation . . . . . . . . . . . . . . . . . . . . . .379
Specify a Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Enable DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Configure a Method of Hostname Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Create Manual Binding Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Debug DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
DHCP Clear Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Configure the System to be a Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Configure the System for User Port Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Configure Secure DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Drop DHCP packets on snooped VLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Dynamic ARP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Source Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
16 Equal Cost Multi-Path (ECMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
ECMP for Flow-based Affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Configurable Hash Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Deterministic ECMP Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Configurable Hash Algorithm Seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Link Bundle Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
8
|
�Managing ECMP Group Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
17 Enabling FIPS Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Preparing the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Enabling FIPS Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Generating Host-Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Monitoring FIPS Mode Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Disabling the FIPS Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
18 FIP Snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Ensuring Robustness in a Converged Ethernet Network . . . . . . . . . . . . . . . . . . . . . . .403
FIP Snooping on Ethernet Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
FIP Snooping in a Switch Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Configuring FIP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Enabling the FIP Snooping Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Enabling FIP Snooping on VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Configuring the FC-MAP Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Configuring a Port for a Bridge-to-Bridge Link . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Configuring a Port for a Bridge-to-FCF Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Impact on Other Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
FIP Snooping Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
FIP Snooping Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Configuration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Displaying FIP Snooping Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
FIP Snooping Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
19 Force10 Resilient Ring Protocol (FRRP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Ring Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Multiple FRRP Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Important FRRP Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Important FRRP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Implementing FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
FRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Troubleshooting FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Configuration Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Sample Configuration and Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
20 GARP VLAN Registration Protocol (GVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
| 9
�www.dell.com | support.dell.com
Configuring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Enabling GVRP Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Enabling GVRP on a Layer 2 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Configuring GVRP Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Configuring a GARP Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
21 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Component Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
RPM Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
RPM Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Linecard Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Hitless Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Software Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Runtime System Health Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
SFM Channel Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Software Component Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
System Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Failure and Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Hot-lock Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Warm Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Configure Cache Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
Process Restartability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
22 Internet Group Management Protocol (IGMP). . . . . . . . . . . . . . . . . . . . . . . . . . . 457
IGMP Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
IGMP Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
IGMP version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
IGMP version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Viewing IGMP Enabled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Selecting an IGMP Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Viewing IGMP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Adjusting Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Adjusting Query and Response Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Adjusting the IGMP Querier Timeout Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Configuring a Static IGMP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
IGMP Snooping Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
10
|
�Configuring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Disabling Multicast Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Specifying a Port as Connected to a Multicast Router . . . . . . . . . . . . . . . . . . . . . .467
Configuring the Switch as Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Fast Convergence after MSTP Topology Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Designating a Multicast Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
23 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Interface Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
View Basic Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Enable a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Configuration Task List for Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Overview of Layer Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Configure Layer 2 (Data Link) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Configure Layer 3 (Network) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
Configure Management Interfaces on the E-Series, C-Series and the S4810 . . . .476
Configure Management Interfaces on the S-Series . . . . . . . . . . . . . . . . . . . . . . . .478
VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Null Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Port Channel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Bulk Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Bulk Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Interface Range Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Define the Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Choose an Interface-range Macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Monitor and Maintain Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Maintenance using TDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Splitting QSFP ports to SFP+ ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
Important Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
Link Debounce Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Important Points to Remember about Link Debounce Timer . . . . . . . . . . . . . . . . .499
Assign a debounce time to an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Show debounce times in an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Disable ports when one only SFM is available (E300 only) . . . . . . . . . . . . . . . . . .500
Disable port on one SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Enable Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
| 11
�www.dell.com | support.dell.com
Link Bundle Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Ethernet Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Threshold Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Enable Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Configure MTU Size on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Port-pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Auto-Negotiation on Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
View Advanced Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
Display Only Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
Configure Interface Sampling Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Dynamic Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
24 IPv4 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Configuration Task List for IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520
Resolution of Host Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Configuration Task List for ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
ARP Learning via Gratuitous ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .525
ARP Learning via ARP Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .526
Configurable ARP Retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Configuration Task List for ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Configuring UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Important Points to Remember about UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Enabling UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Configuring a Broadcast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Configurations Using UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
UDP Helper with Broadcast-all Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
UDP Helper with Subnet Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . .531
UDP Helper with Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . .532
UDP Helper with No Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . .532
Troubleshooting UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
25 IPv6 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Extended Address Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Stateless Autoconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
IPv6 Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537
IPv6 Header Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537
12
|
�Extension Header fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Implementing IPv6 with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
IPv6 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
IPv6 Neighbor Discovery of MTU packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
QoS for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
IPv6 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547
SSH over an IPv6 Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .548
Configuration Task List for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .548
Change your CAM-Profile on an E-Series system . . . . . . . . . . . . . . . . . . . . . . . . .548
Adjust your CAM-Profile on a C-Series or S-Series . . . . . . . . . . . . . . . . . . . . . . . .549
Assign an IPv6 Address to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Assign a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Telnet with IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
SNMP over IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
Show IPv6 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Show an IPv6 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Show IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Show the Running-Configuration for an Interface . . . . . . . . . . . . . . . . . . . . . . . . . .557
Clear IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .558
26 iSCSI Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
iSCSI Optimization Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Monitoring iSCSI Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Application of Quality of Service to iSCSI Traffic Flows . . . . . . . . . . . . . . . . . . . . .561
Information Monitored in iSCSI Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Detection and Auto-configuration for Dell EqualLogic Arrays . . . . . . . . . . . . . . . . .562
Detection and Port Configuration for Dell Compellent Arrays . . . . . . . . . . . . . . . . .563
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer . . . . . . . . . . .563
Enabling and Disabling iSCSI Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Default iSCSI Optimization Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
iSCSI Optimization Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Configuring iSCSI Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Displaying iSCSI Optimization Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
27 Intermediate System to Intermediate System . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569
IS-IS Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Multi-Topology IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Transition Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Interface support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
| 13
�www.dell.com | support.dell.com
Adjacencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Configuration Task List for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Configuring the distance of a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Change the IS-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
IS-IS Metric Styles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Configure Metric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Maximum Values in the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Changing the IS-IS Metric Style in One Level Only . . . . . . . . . . . . . . . . . . . . . . . .594
Leaking from One Level to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
28 Link Aggregation Control Protocol (LACP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Introduction to Dynamic LAGs and LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
LACP modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
LACP Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
LACP Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Monitor and Debugging LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .606
Configure Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .606
Important Points about Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . .608
Configure LACP as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .608
LACP Basic Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .608
29 Layer 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Managing the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Clear the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .619
Set the Aging Time for Dynamic Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Configure a Static MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Display the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
mac learning-limit dynamic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
mac learning-limit mac-address-sticky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .623
mac learning-limit station-move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .623
Learning Limit Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .623
Station Move Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
Recovering from Learning Limit and Station Move Violations . . . . . . . . . . . . . . . . .624
Per-VLAN MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
MAC Move Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
14
|
�Microsoft Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .628
Configuring the Switch for Microsoft Server Clustering . . . . . . . . . . . . . . . . . . . . . .628
Enable and Disable VLAN Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .630
Important Points about Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . .631
Restricting Layer 2 Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
Far-end Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634
FEFD state changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Configuring FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Debugging FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .637
30 Link Layer Discovery Protocol (LLDP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
802.1AB (LLDP) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Protocol Data Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Optional TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Management TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641
TIA-1057 (LLDP-MED) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
TIA Organizationally Specific TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Configuring LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .648
LLDP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .648
CONFIGURATION versus INTERFACE Configurations . . . . . . . . . . . . . . . . . . . . . . . .648
Enabling LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Disabling and Undoing LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .649
Advertising TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Viewing the LLDP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Viewing Information Advertised by Adjacent LLDP Agents . . . . . . . . . . . . . . . . . . . . . .652
Configuring LLDPDU Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Configuring Transmit and Receive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654
Configuring a Time to Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Debugging LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Relevant Management Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
31 Multicast Source Discovery Protocol (MSDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
Anycast RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
Configuring Multicast Source Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
Enable MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
| 15
�www.dell.com | support.dell.com
Manage the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .670
View the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Limit the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Clear the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Enable the Rejected Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Accept Source-active Messages that fail the RFP Check . . . . . . . . . . . . . . . . . . . . . . .672
Limit the Source-active Messages from a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .674
Prevent MSDP from Caching a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Prevent MSDP from Caching a Remote Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .676
Prevent MSDP from Advertising a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .677
Log Changes in Peership States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678
Terminate a Peership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678
Clear Peer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Debug MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
MSDP with Anycast RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680
Reducing Source-active Message Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Specify the RP Address Used in SA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . .682
MSDP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .686
32 Multiple Spanning Tree Protocol (MSTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .692
Configure Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .692
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .692
Enable Multiple Spanning Tree Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .693
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .693
Create Multiple Spanning Tree Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .694
Influence MSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
Interoperate with Non-FTOS Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .696
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .697
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .698
Flush MAC Addresses after a Topology Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .699
MSTP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700
Debugging and Verifying MSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .704
33 Multicast Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .707
Enable IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .707
Multicast with ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .708
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .708
First Packet Forwarding for Lossless Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .709
Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .710
16
|
�IPv4 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .710
IPv6 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .715
Multicast Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .717
34 Open Shortest Path First (OSPFv2 and OSPFv3) . . . . . . . . . . . . . . . . . . . . . . . 719
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .720
Autonomous System (AS) Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .720
Area Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Networks and Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .722
Router Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .722
Designated and Backup Designated Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .724
Link-State Advertisements (LSAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .725
Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Router Priority and Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .726
Implementing OSPF with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .727
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .728
Fast Convergence (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .729
Multi-Process OSPF (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .729
Processing SNMP and Sending SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . .730
RFC-2328 Compliant OSPF Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .730
OSPF ACK Packing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .731
OSPF Adjacency with Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .731
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .732
Configuration Task List for OSPFv2 (OSPF for IPv4) . . . . . . . . . . . . . . . . . . . . . . . . . .732
Enable OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .733
Enable Multi-Process OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .735
Assign an OSPFv2 area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .736
Enable OSPFv2 on interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .737
Configure stub areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739
Configure OSPF Stub-Router Advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .740
Enable passive interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .741
Enable fast-convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .742
Change OSPFv2 parameters on interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .743
Enable OSPFv2 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .745
Enable OSPFv2 graceful restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .745
Configure virtual links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .747
Filter routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Redistribute routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .749
Troubleshooting OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .750
Sample Configurations for OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .753
Basic OSPFv2 Router Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .753
Configuration Task List for OSPFv3 (OSPF for IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . .754
Enable IPv6 Unicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
| 17
�www.dell.com | support.dell.com
Assign IPv6 addresses on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Assign Area ID on interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Assign OSPFv3 Process ID and Router ID Globally . . . . . . . . . . . . . . . . . . . . . . . .756
Configure stub areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .756
Configure Passive-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .757
Redistribute routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758
Configure a default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .758
Enable OSPFv3 graceful restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .759
OSPFv3 Authentication Using IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .762
Troubleshooting OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772
35 PIM Sparse-Mode (PIM-SM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Requesting Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Refusing Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Sending Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Configure PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Enable PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
Configurable S,G Expiry Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .779
Configure a Static Rendezvous Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
Override Bootstrap Router Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781
Configure a Designated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781
Create Multicast Boundaries and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782
PIM-SM Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782
Monitoring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
36 Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785
Port Monitoring on E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .786
E-Series TeraScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .786
E-Series ExaScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Port Monitoring on C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Configuring Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .790
Flow-based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .791
37 Private VLANs (PVLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Private VLAN Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793
Private VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .795
Private VLAN Configuration Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .796
18
|
�Private VLAN Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .799
38 Per-VLAN Spanning Tree Plus (PVST+) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .803
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804
Configure Per-VLAN Spanning Tree Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804
Enable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Disable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .805
Influence PVST+ Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .805
Modify Global PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .807
Modify Interface PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .809
PVST+ in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .810
PVST+ Extended System ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .810
PVST+ Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
39 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .817
Port-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .817
Set dot1p Priorities for Incoming Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .818
Honor dot1p Priorities on Ingress Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .818
Configure Port-based Rate Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .819
Configure Port-based Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .820
Configure Port-based Rate Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .821
Policy-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .822
Classify Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .822
Create a QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .826
Create Policy Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .829
QoS Rate Adjustment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .833
Strict-priority Queueing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .834
Weighted Random Early Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .834
Create WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .835
Apply a WRED profile to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .836
Display Default and Configured WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . .836
Display WRED Drop Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .837
Pre-calculating Available QoS CAM Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .838
40 Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .841
RIPv1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
| 19
�www.dell.com | support.dell.com
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .842
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .842
Configuration Task List for RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .842
RIP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850
41 Remote Monitoring (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Fault Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
42 Rapid Spanning Tree Protocol (RSTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
Configuring Rapid Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .864
RSTP and VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .864
Configure Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .865
Enable Rapid Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .866
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .869
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .869
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .870
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .871
Influence RSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .872
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . . .873
Fast Hellos for Link State Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .873
43 Software-Defined Networking (SDN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
44 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Configuration Task List for AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .877
AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .880
Configuration Task List for AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .880
AAA Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .883
Privilege Levels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .883
Configuration Task List for Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .884
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
RADIUS Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .889
Configuration Task List for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .890
TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
Configuration Task List for TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .893
TACACS+ Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . .895
Command Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .897
20
|
�Protection from TCP Tiny and Overlapping Fragment Attacks . . . . . . . . . . . . . . . . . . .897
SCP and SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Using SCP with SSH to copy a software image . . . . . . . . . . . . . . . . . . . . . . . . . . .899
Secure Shell Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .900
Troubleshooting SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .903
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
Configuration Tasks for Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .904
VTY Line and Access-Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .910
VTY Line Local Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . .910
VTY Line Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . 911
VTY MAC-SA Filter Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
45 Service Provider Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .914
Configure VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .914
Create Access and Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .915
Enable VLAN-Stacking for a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .915
Configure the Protocol Type Value for the Outer VLAN Tag . . . . . . . . . . . . . . . . . .916
FTOS Options for Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .916
Debug VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .917
VLAN Stacking in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .918
VLAN Stacking Packet Drop Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .924
Enable Drop Eligibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .925
Honor the Incoming DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .925
Mark Egress Packets with a DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926
Dynamic Mode CoS for VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .926
Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .929
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .931
Enable Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .931
Specify a Destination MAC Address for BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . .932
Rate-limit BPDUs on the E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .932
Rate-limit BPDUs on the C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . .932
Debug Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .933
Provider Backbone Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .933
46 sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .936
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .936
Enable and Disable sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .937
Enable and Disable on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .937
| 21
�www.dell.com | support.dell.com
sFlow Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938
Show sFlow Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938
Show sFlow on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .938
Show sFlow on a Line Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .939
Specify Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .940
Polling Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .940
Sampling Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
Sub-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .941
Back-off Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .942
sFlow on LAG ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .942
Extended sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 942
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .943
47 Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . 945
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .945
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .945
Configure Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . .945
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .946
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .946
Setting up SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .946
Create a Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .947
Setting Up User-based Security (SNMPv3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .947
Read Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .949
Write Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .950
Configure Contact and Location Information using SNMP . . . . . . . . . . . . . . . . . . . . . .950
Subscribe to Managed Object Value Updates using SNMP . . . . . . . . . . . . . . . . . . . . .951
Copy Configuration Files Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .955
Manage VLANs using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .961
Create a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .961
Assign a VLAN Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .961
Display the Ports in a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .962
Add Tagged and Untagged Ports to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .964
Managing Overload on Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .965
Enable and Disable a Port using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .966
Fetch Dynamic MAC Entries using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .966
Deriving Interface Indices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .968
Monitor Port-channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .969
Troubleshooting SNMP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .970
48 Stacking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
S-Series Stacking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .971
Stack Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .972
Stack Master Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .972
22
|
�Virtual IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Failover Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .974
MAC Addressing on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .974
Stacking LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .976
Supported Stacking Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .976
High Availability on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .977
Management Access on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .978
Important Points to Remember - S4810 Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .979
S-Series Stacking Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .980
Create an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .980
Add Units to an Existing S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .985
Split an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .989
S-Series Stacking Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .989
Assign Unit Numbers to Units in an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . .989
Create a Virtual Stack Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . .990
Display Information about an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . .990
Influence Management Unit Selection on an S-Series Stack . . . . . . . . . . . . . . . . .992
Manage Redundancy on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
Reset a Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
Verifying a Stack Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
LED Status Indicators on an S4810 Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .993
Display Status of Stacking Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .994
Removing Units or Front End Ports from a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . .995
Remove a Unit from an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .995
Remove Front End Port Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .996
Troubleshoot an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .997
Recover from Stack Link Flaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .997
Recover from a Card Problem State on an S-Series Stack . . . . . . . . . . . . . . . . . .997
Recover from a Card Mismatch State on an S-Series Stack . . . . . . . . . . . . . . . . .999
49 Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Configure Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1001
Configure storm control from INTERFACE mode . . . . . . . . . . . . . . . . . . . . . . . . .1001
Configure storm control from CONFIGURATION mode . . . . . . . . . . . . . . . . . . . .1002
50 Spanning Tree Protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1003
Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1003
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1003
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1004
Configuring Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1004
Enabling Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1006
Adding an Interface to the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . . . . . .1008
| 23
�www.dell.com | support.dell.com
Removing an Interface from the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . .1008
Modifying Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1009
Modifying Interface STP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1010
Enabling PortFast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1010
Preventing Network Disruptions with BPDU Guard . . . . . . . . . . . . . . . . . . . . . . . 1011
STP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1013
STP Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1014
Root Guard Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1014
Root Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1016
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . .1016
Configuring Spanning Trees as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1017
STP Loop Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1017
Loop Guard Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1017
Loop Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1020
Displaying STP Guard Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1021
51 System Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1023
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1024
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1025
Configuring Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1025
Enable NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1026
Set the Hardware Clock with the Time Derived from NTP . . . . . . . . . . . . . . . . . .1026
Configure NTP broadcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1027
Disable NTP on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1027
Configure a source IP address for NTP packets . . . . . . . . . . . . . . . . . . . . . . . . . .1027
Configure NTP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1028
FTOS Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1031
Configuring time and date settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1031
Set daylight saving time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1034
52 Uplink Failure Detection (UFD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Feature Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1039
How Uplink Failure Detection Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1040
UFD and NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1041
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1042
Configuring Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1043
Clearing a UFD-Disabled Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1044
Displaying Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1046
Sample Configuration: Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1049
24
|
�53 Upgrade Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
Find the upgrade procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1051
Get Help with upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1051
54 Virtual LANs (VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1054
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1055
VLANs and Port Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1055
Configuration Task List for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1056
VLAN Interface Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1060
Native VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1061
Enable Null VLAN as the Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1062
55 Virtual Link Trunking (VLT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1063
Enhanced VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1065
VLT Concepts Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1065
Configuring Virtual Link Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1066
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1066
Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1067
RSTP and VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1071
VLT Bandwidth Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1071
VLT and IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1072
VLT Port Delayed Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1072
PIM-Sparse Mode Support on VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1073
RSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1074
VLT Configuration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1075
Verifying a VLT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1089
Sample Configuration: Virtual Link Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1091
Troubleshooting VLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1094
56 Virtual Router Redundancy Protocol (VRRP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1097
VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1097
VRRP Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
VRRP Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1099
VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Configuration Task List for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
VRRP initialization delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1111
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1112
VRRP for IPv4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1112
VRRP for IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114
VRRP in VRF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
| 25
�www.dell.com | support.dell.com
57 Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123
26
IEEE Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123
RFC and I-D Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
MIB Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134
58 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135
|
�1
About this Guide
Objectives
This guide describes the protocols and features supported by the Force10 Operating System (FTOS) and
provides configuration instructions and examples for implementing them. It supports the system platforms
E-Series, C-Series, S-Series and Z-Series.
Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Dell Force10 systems. For complete information on
protocols, refer to other documentation including IETF Requests for Comment (RFCs). The instructions in
this guide cite relevant RFCs, and Chapter 57, Standards Compliance contains a complete list of the
supported RFCs and Management Information Base files (MIBs).
Audience
This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.
Conventions
This document uses the following conventions to describe command syntax:
Convention
Description
keyword
Keywords are in bold and should be entered in the CLI as listed.
parameter
Parameters are in italics and require a number or word to be entered in the CLI.
{X}
Keywords and parameters within braces must be entered in the CLI.
[X]
Keywords and parameters within brackets are optional.
x|y
Keywords and parameters separated by bar require you to choose one.
About this Guide | 27
�www.dell.com | support.dell.com
Information Symbols
Table 1-1 describes symbols contained in this guide.
Table 1-1.
Information Symbols
Symbol
Warning
Description
ces
Platform Specific
Feature
This symbol informs you of a feature that supported on one or two
platforms only: e is for E-Series, c is for C-Series, s is for S-Series.
et ex
E-Series Specific
Feature/Command
If a feature or command applies to only one of the E-Series platforms, a
separate symbol calls this to attention: et for the TeraScale or e x for
the ExaScale.
S4810
This symbol indicates that the selected feature is supported on the S4810 but not on
other S-Series systems.
Exception
This symbol is a note associated with some other text on the page that is
marked with an asterisk.
*
Related Documents
For more information about the Dell Force10 E-Series, C-Series, S-Series., and Z-Series refer to the
following documents:
•
•
•
28
|
FTOS Command Reference
Installing the System
FTOS Release Notes
About this Guide
�2
Configuration Fundamentals
The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure
interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the
exception of some commands and command outputs. The CLI is structured in modes for security and
management purposes. Different sets of commands are available in each mode, and you can limit user
access to modes using privilege levels.
In FTOS, after a command is enabled, it is entered into the running configuration file. You can view the
current configuration for the whole system or for a particular CLI mode. To save the current configuration
copy the running configuration to another location.
Note: Due to a differences in hardware architecture and the continued system development, features may
occasionally differ between the platforms. These differences are identified by the information symbols
shown on Table 1-1.
Accessing the Command Line
Access the command line through a serial console port or a Telnet session (Figure 2-1). When the system
successfully boots, you enter the command line in the EXEC mode.
Note: You must have a password configured on a virtual terminal line before you can Telnet into the
system. Therefore, you must use a console connection when connecting to the system for the first time.
Figure 2-1.
Logging into the System using Telnet
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
FTOS>
EXEC mode prompt
Configuration Fundamentals | 29
�www.dell.com | support.dell.com
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be
executed from another mode (with the exception of EXEC mode commands preceded by the command do;
see The do Command on page 34). You can set user access rights to commands and command modes using
privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security,
on page 627.
The FTOS CLI is divided into three major mode levels:
•
•
•
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only
a limited selection of commands is available, notably show commands, which allow you to view
system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration
files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is
unrestricted. You can configure a password for this mode; see Configure the Enable Password on
page 44.
CONFIGURATION mode enables you to configure security features, time settings, set logging and
SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are sub-modes that apply to interfaces, protocols, and features.
Figure 2-2 illustrates this sub-mode command structure. Two sub-CONFIGURATION modes are
important when configuring the chassis for the first time:
•
•
INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP
services specific to an interface. An interface can be physical (Management interface, 1-Gigabit
Ethernet, or 10-Gigabit Ethernet, or SONET) or logical (Loopback, Null, port channel, or VLAN).
LINE sub-mode is the mode in which you to configure the console and virtual terminal lines.
Note: At any time, entering a question mark (?) will display the available command options. For example,
when you are in CONFIGURATION mode, entering the question mark first will list all available commands,
including the possible sub-modes.
30
|
Configuration Fundamentals
�Figure 2-2.
CLI Modes in FTOS
EXEC
EXEC Privilege
CONFIGURATION
ARCHIVE
AS-PATH ACL
INTERFACE
GIGABIT ETHERNET
10 GIGABIT ETHERNET
INTERFACE RANGE
LOOPBACK
MANAGEMENT ETHERNET
NULL
PORT-CHANNEL
SONET
VLAN
VRRP
IP
IPv6
IP COMMUNITY-LIST
IP ACCESS-LIST
STANDARD ACCESS-LIST
EXTENDED ACCESS-LIST
LINE
AUXILIARY
CONSOLE
VIRTUAL TERMINAL
MAC ACCESS-LIST
MONITOR SESSION
MULTIPLE SPANNING TREE
OPENFLOW
Per-VLAN SPANNING TREE
PREFIX-LIST
RAPID SPANNING TREE
REDIRECT
ROUTE-MAP
ROUTER BGP
ROUTER ISIS
ROUTER OSPF
ROUTER RIP
SPANNING TREE
TRACE-LIST
Navigating CLI Modes
The FTOS prompt changes to indicate the CLI mode. Table 2-1 lists the CLI mode, its prompt, and
information on how to access and exit this CLI mode. You must move linearly through the command
modes, with the exception of the end command which takes you directly to EXEC Privilege mode; the exit
command moves you up one command mode level.
Note: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with additional modifiers to
identify the mode and slot/port information. These are shown in Table 2-1.
Configuration Fundamentals | 31
�Prompt
Access Command
EXEC
FTOS>
Access the router through the console or Telnet.
EXEC Privilege
FTOS#
•
•
From EXEC mode, enter the command enable.
From any other mode, use the command end.
CONFIGURATION
FTOS(conf)#
•
From EXEC privilege mode, enter the command
configure.
From every mode except EXEC and EXEC
Privilege, enter the command exit.
•
Note: Access all of the following modes from CONFIGURATION mode.
IP ACCESS-LIST
LINE
32
FTOS Command Modes
CLI Command Mode
INTERFACE modes
www.dell.com | support.dell.com
Table 2-1.
|
ARCHIVE
FTOS(conf-archive)
archive
AS-PATH ACL
FTOS(config-as-path)#
ip as-path access-list
Gigabit Ethernet
Interface
FTOS(conf-if-gi-0/0)#
10 Gigabit Ethernet
Interface
FTOS(conf-if-te-0/0)#
Interface Range
FTOS(conf-if-range)#
Loopback Interface
FTOS(conf-if-lo-0)#
Management Ethernet
Interface
FTOS(conf-if-ma-0/0)#
Null Interface
FTOS(conf-if-nu-0)#
Port-channel Interface
FTOS(conf-if-po-0)#
SONET Interface
FTOS(conf-if-so-0/0)#
VLAN Interface
FTOS(conf-if-vl-0)#
STANDARD ACCESSLIST
FTOS(config-std-nacl)#
EXTENDED ACCESSLIST
FTOS(config-ext-nacl)#
IP COMMUNITY-LIST
FTOS(config-community-list)#
AUXILIARY
FTOS(config-line-aux)#
CONSOLE
FTOS(config-line-console)#
VIRTUAL TERMINAL
FTOS(config-line-vty)#
Configuration Fundamentals
interface
ip access-list standard
ip access-list extended
ip community-list
line
�Table 2-1.
FTOS Command Modes (continued)
Prompt
Access Command
STANDARD ACCESSLIST
FTOS(config-std-macl)#
mac access-list standard
EXTENDED ACCESSLIST
FTOS(config-ext-macl)#
mac access-list extended
MULTIPLE
SPANNING TREE
FTOS(config-mstp)#
protocol spanning-tree mstp
OPENFLOW
FTOS(conf-of-instance of-id)#
openflow of-instance of-id
of-id represents the OpenFlow instance ID.
Per-VLAN SPANNING
TREE Plus
FTOS(config-pvst)#
protocol spanning-tree pvst
PREFIX-LIST
FTOS(conf-nprefixl)#
ip prefix-list
RAPID SPANNING
TREE
FTOS(config-rstp)#
protocol spanning-tree rstp
REDIRECT
FTOS(conf-redirect-list)#
ip redirect-list
ROUTE-MAP
FTOS(config-route-map)#
route-map
ROUTER BGP
FTOS(conf-router_bgp)#
router bgp
ROUTER ISIS
FTOS(conf-router_isis)#
router isis
ROUTER OSPF
FTOS(conf-router_ospf)#
router ospf
ROUTER RIP
FTOS(conf-router_rip)#
router rip
SPANNING TREE
FTOS(config-span)#
protocol spanning-tree 0
TRACE-LIST
FTOS(conf-trace-acl)#
ip trace-list
MAC ACCESS-LIST
CLI Command Mode
Figure 2-3 illustrates how to change the command mode from CONFIGURATION mode to PROTOCOL
SPANNING TREE.
Figure 2-3.
Changing CLI Modes
FTOS(conf)#protocol spanning-tree 0
FTOS(config-span)#
New command
prompt
Configuration Fundamentals | 33
�www.dell.com | support.dell.com
The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE,
SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with
the command do. Figure 2-4 illustrates the do command.
Note: The following commands cannot be modified by the do command: enable, disable, exit, and
configure.
Figure 2-4.
Using the do Command
FTOS(conf)#do show linecard all
“do” form of show command
-- Line cards -Slot Status
NxtBoot
ReqTyp
CurTyp
Version
Ports
--------------------------------------------------------------------------0
not present
1
not present
2
online
online
E48TB
E48TB
1-1-463
48
3
not present
4
not present
5
online
online
E48VB
E48VB
1-1-463
48
Undoing Commands
When you enter a command, the command line is added to the running configuration file. Disable a
command and remove it from the running-config by entering the original command preceded by the
command no. For example, to delete an ip address configured on an interface, use the no ip address
ip-address command, as shown in Figure 2-5.
Note: Use the help or ? command as discussed in Obtaining Help command to help you construct the
“no” form of a command.
Figure 2-5.
Undoing a command with the no Command
FTOS(conf)#interface gigabitethernet 4/17
FTOS(conf-if-gi-4/17)#ip address 192.168.10.1/24
FTOS(conf-if-gi-4/17)#show config
!
IP address assigned
interface GigabitEthernet 4/17
ip address 192.168.10.1/24
“no” form of
no shutdown
FTOS(conf-if-gi-4/17)#no ip address
FTOS(conf-if-gi-4/17)#show config
IP address removed
!
interface GigabitEthernet 4/17
IP address command
Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in
PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
34
|
Configuration Fundamentals
�Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ?
or help command:
•
Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords. The output of this command is the same for the
help command.
Figure 2-6.
? Command Example
“?” at prompt for list of commands
FTOS#?
calendar
cd
change
clear
clock
configure
copy
debug
--More--
•
Manage the hardware calendar
Change current directory
Change subcommands
Reset functions
Manage the system clock
Configuring from terminal
Copy from one file to another
Debug functions
? after a partial keyword lists all of the keywords that begin with the specified letters.
Figure 2-7.
Keyword? Command Example
FTOS(conf)#cl?
class-map
clock
FTOS(conf)#cl
•
partial keyword plus “[space]?” for matching keywords
A keyword followed by [space]? lists all of the keywords that can follow the specified keyword.
Figure 2-8.
Keyword ? Command Example
FTOS(conf)#clock ?
summer-time
timezone
FTOS(conf)#clock
keyword plus “[space]?” for compatible keywords
Configure summer (daylight savings) time
Configure time zone
Entering and Editing Commands
When entering commands:
•
•
•
The CLI is not case sensitive.
You can enter partial CLI keywords.
• You must enter the minimum number of letters to uniquely identify a command. For example, cl
cannot be entered as a partial keyword because both the clock and class-map commands begin
with the letters “cl.” clo, however, can be entered as a partial keyword because only one command
begins with those three letters.
The TAB key auto-completes keywords in commands. You must enter the minimum number of letters
to uniquely identify a command.
Configuration Fundamentals | 35
�www.dell.com | support.dell.com
•
•
•
Table 2-2.
The UP and DOWN arrow keys display previously entered commands (see Command History).
The BACKSPACE and DELETE keys erase the previous letter.
Key combinations are available to move quickly across the command line, as described in Table 2-2.
Short-Cut Keys and their Actions
Key Combination
Action
CNTL-A
Moves the cursor to the beginning of the command line.
CNTL-B
Moves the cursor back one character.
CNTL-D
Deletes character at cursor.
CNTL-E
Moves the cursor to the end of the line.
CNTL-F
Moves the cursor forward one character.
CNTL-I
Completes a keyword.
CNTL-K
Deletes all characters from the cursor to the end of the command line.
CNTL-L
Re-enters the previous command.
CNTL-N
Return to more recent commands in the history buffer after recalling commands with CTRL-P or the
UP arrow key.
CNTL-P
Recalls commands, beginning with the last command
CNTL-R
Re-enters the previous command.
CNTL-U
Deletes the line.
CNTL-W
Deletes the previous word.
CNTL-X
Deletes the line.
CNTL-Z
Ends continuous scrolling of command outputs.
Esc B
Moves the cursor back one word.
Esc F
Moves the cursor forward one word.
Esc D
Deletes all characters from the cursor to the end of the word.
Command History
FTOS maintains a history of previously-entered commands for each mode. For example:
•
•
36
|
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC
mode commands.
When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the
previously-entered CONFIGURATION mode commands.
Configuration Fundamentals
�Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep |
no-more | save] specified_text after the command. The variable specified_text is the text for which you are
filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
Starting with FTOS 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to
case-insensitive. For example, the commands:
•
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,”
•
such as interface GigabitEthernet 0/0.
show run | grep ethernet would not return that search result because it only searches for instances
containing a non-capitalized “ethernet.”
Executing the command show run | grep Ethernet ignore-case would return instances containing both
“Ethernet” and “ethernet.”
•
grep displays only the lines containing specified text. Figure 2-9 shows this command used in
combination with the command show linecard all.
Figure 2-9.
Filtering Command Outputs with the grep Command
FTOS(conf)#do show linecard all | grep 0
0
not present
Note: FTOS accepts a space or no space before and after the pipe. To filter on a phrase with spaces,
underscores, or ranges, enclose the phrase with double quotation marks.
•
except displays text that does not match the specified text. Figure 2-10 shows this command used in
combination with the command show linecard all.
Figure 2-10.
Filtering Command Outputs with the except Command
FTOS#show linecard all | except 0
-- Line cards -Slot Status
NxtBoot
ReqTyp
CurTyp
Version
Ports
--------------------------------------------------------------------------2
not present
3
not present
4
not present
5
not present
6
not present
Configuration Fundamentals | 37
�www.dell.com | support.dell.com
•
find displays the output of the show command beginning from the first occurrence of specified text
Figure 2-11 shows this command used in combination with the command show linecard all.
Figure 2-11.
Filtering Command Outputs with the find Command
FTOS(conf)#do show linecard all | find 0
0
not present
1
not present
2
online
online
E48TB
E48TB
3
not present
4
not present
5
online
online
E48VB
E48VB
6
not present
7
not present
1-1-463
48
1-1-463
48
•
•
display displays additional configuration information.
•
save copies the output to a file for future reference.
no-more displays the output all at once rather than one screen at a time. This is similar to the command
terminal length except that the no-more option affects the output of the specified command only.
Note: You can filter a single command output multiple times. The save option should be the last option
entered. For example:
FTOS# command | grep regular-expression | except regular-expression
| grep other-regular-expression | find regular-expression | save
Multiple Users in Configuration mode
FTOS notifies all users in the event that there are multiple users logged into CONFIGURATION mode. A
warning message indicates the username, type of connection (console or vty), and in the case of a vty
connection, the IP address of the terminal on which the connection was established. For example:
•
On the system that telnets into the switch, Message 1 appears:
Message 1 Multiple Users in Configuration mode Telnet Message
% Warning: The following users are currently configuring the system:
User "" on line console0
•
On the system that is connected over the console, Message 2 appears:
Message 2 Multiple Users in Configuration mode Telnet Message
% Warning: User "" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in
the message so that you do not unintentionally overwrite each other’s configuration changes.
38
|
Configuration Fundamentals
�3
Getting Started
This chapter contains the following major sections:
•
•
•
•
•
•
Default Configuration
Configure a Host Name
Access the System Remotely
Configure the Enable Password
Configuration File Management
File System Management
When you power up the chassis, the system performs\ a Power-On Self Test (POST) during which Route
Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green.The
system then loads FTOS and boot messages scroll up the terminal window during this process. No user
interaction is required if the boot process proceeds without interruption.
When the boot process is complete, the RPM and line card status LEDs remain online (green), and the
console monitor displays the EXEC mode prompt.
For details on using the Command Line Interface (CLI), refer to Accessing the Command Line in the
Configuration Fundamentals chapter.
Console access
The S4810 has 2 management ports available for system access: a serial console port and an
Out-of-Bounds (OOB) port.
Serial console
The RJ-45/RS-232 console port is labeled on the S4810 chassis. It is in the upper right-hand side, as you
face the I/O side of the chassis.
RJ-45
Console Port
Getting Started | 39
�www.dell.com | support.dell.com
To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout.
Step
Task
1
Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the S4810
console port to a terminal server.
2
Connect the other end of the cable to the DTE terminal server.
3
Terminal settings on the console port cannot be changed in the software and are set as follows:
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control
Accessing the RJ-45 console port with a DB-9 adapter
You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE
adapter to a terminal server (for example, PC). Table 3-1 lists the pin assignments.
Table 3-1.
Pin Assignments Between the Console and a DTE Terminal Server
S-Series
Console Port RJ-45 to RJ-45 Rollover Cable
RJ-45 to DB-9
Adapter
Terminal Server
Device
Signal
DB-9 Pin
Signal
RJ-45 pinout
RJ-45 Pinout
RTS
1
8
8
CTS
NC
2
7
6
DSR
TxD
3
6
2
RxD
GND
4
5
5
GND
GND
5
4
5
GND
RxD
6
3
3
TxD
NC
7
2
4
DTR
CTS
8
1
7
RTS
Default Configuration
A version of FTOS is pre-loaded onto the chassis, however the system is not configured when you power
up for the first time (except for the default hostname, which is FTOS). You must configure the system
using the CLI.
40
|
Getting Started
�Configure a Host Name
The host name appears in the prompt. The default host name is FTOS.
•
•
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To configure a host name:
Step
1
Task
Command Syntax
Command Mode
Create a new host name.
hostname name
CONFIGURATION
The example below illustrates the hostname command.
FTOS(conf)#hostname R1
R1(conf)#
Access the System Remotely
You can configure the system to access it remotely by Telnet. The method for configuring the C-Series and
E-Series for Telnet access is different from S-Series.
•
•
•
The C-Series, E-Series, S-Series (except for S25 and S50), and Z9000 have a dedicated management
port and a management routing table that is separate from the IP routing table.
The S-Series (except the S4810) does not have a dedicated management port, but is managed from any
port. It does not have a separate management routing table.
All Dell Force10 products can be managed via the front-end data ports as well.
Access the C-Series, E-Series, S-Series, and the Z-Series
Remotely
Configuring the system for Telnet is a three-step process:
1. Configure an IP address for the management port. See Configure the Management Port IP Address.
2. Configure a management route with a default gateway. See Configure a Management Route.
3. Configure a username and password. See Configure a Username and Password.
Configure the Management Port IP Address
Assign IP addresses to the management ports in order to access the system remotely.
Getting Started | 41
�www.dell.com | support.dell.com
Note: Assign different IP addresses to each RPM’s management port.
To configure the management port IP address:
Step
1
2
Task
Command Syntax
Command Mode
Enter INTERFACE mode for the
Management port.
interface ManagementEthernet slot/port
CONFIGURATION
Assign an IP address to the
interface.
•
•
ip address ip-address/mask
•
•
3
Enable the interface.
slot range: 0 to 1
port range: 0
INTERFACE
ip-address: an address in dotted-decimal
format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/
xx).
no shutdown
INTERFACE
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the system through the
management port.
To configure a management route:
Step
1
Task
Command Syntax
Command Mode
Configure a management route to
the network from which you are
accessing the system.
management route ip-address/mask gateway
• ip-address: the network address in
dotted-decimal format (A.B.C.D).
• mask: a subnet mask in /prefix-length format (/
xx).
• gateway: the next hop for network traffic
originating from the management port.
CONFIGURATION
Configure a Username and Password
Configure a system username and password to access the system remotely.
42
|
Getting Started
�To configure a username and password:
Step
1
Task
Command Syntax
Command Mode
Configure a username and
password to access the system
remotely.
username username password [encryption-type]
password
encryption-type specifies how you are inputting the
password, is 0 by default, and is not required.
CONFIGURATION
•
•
0 is for inputting the password in clear text.
7 is for inputting a password that is already
encrypted using a Type 7 hash. Obtaining the
encrypted password from the configuration of
another Dell Force10 system.
Access the S-Series Remotely
The S-Series does not have a dedicated management port nor a separate management routing table.
Configure any port on the S-Series to be the port through which you manage the system and configure an
IP route to that gateway.
Note: The S4810 system uses management ports and should be configured similar to the C-Series and
E-Series systems. Refer to Access the C-Series, E-Series, S-Series, and the Z-Series Remotely
Configuring the system for Telnet access is a three-step process:
1. Configure an IP address for the port through which you will manage the system using the command ip
address from INTERFACE mode, as shown in the example below.
2. Configure a IP route with a default gateway using the command ip route from CONFIGURATION
mode, as shown in the example below.
3. Configure a username and password using the command username from CONFIGURATION mode,
as shown in the example below.
R5(conf)#int gig 0/48
R5(conf-if-gi-0/48)#ip address 10.11.131.240
R5(conf-if-gi-0/48)#show config
!
interface GigabitEthernet 0/48
ip address 10.11.131.240/24
no shutdown
R5(conf-if-gi-0/48)#exit
R5(conf)#ip route 10.11.32.0/23 10.11.131.254
R5(conf)#username admin pass FTOS
Getting Started | 43
�www.dell.com | support.dell.com
Configure the Enable Password
Access the EXEC Privilege mode using the enable command. The EXEC Privilege mode is unrestricted by
default. Configure a password as a basic security measure. There are two types of enable passwords:
•
enable password stores the password in the running/startup configuration using a DES encryption
method.
•
enable secret is stored in the running/startup configuration in using a stronger, MD5 encryption
method.
Dell Force10 recommends using the enable secret password.
To configure an enable password:
Task
Command Syntax
Command Mode
Create a password to
access EXEC Privilege
mode.
enable [password | secret] [level level] [encryption-type]
password
CONFIGURATION
level is the privilege level, is 15 by default, and is not required.
encryption-type specifies how you are inputting the password, is 0
by default, and is not required.
•
•
•
0 is for inputting the password in clear text.
7 is for inputting a password that is already encrypted using a
DES hash. Obtain the encrypted password from the configuration
file of another Dell Force10 system.
5 is for inputting a password that is already encrypted using an
MD5 hash. Obtain the encrypted password from the configuration
file of another Dell Force10 system.
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from the EXEC Privilege mode.
The E-Series TeraScale and ExaScale platforms architecture use Compact Flash for the internal and
external Flash memory. It has a space limitation but does not limit the number of files it can contain.
Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause
unexpected system behavior, including a reboot.
44
|
Getting Started
�Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.
Note: See the FTOS Command Line Reference Guide for a detailed description of the copy command.
•
•
Table 3-2.
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the
file-destination syntax for a remote file location shown in Table 3-2.
To copy a remote file to Dell Force10 system, combine the file-origin syntax for a remote file location
with the file-destination syntax for a local file location shown in Table 3-2.
Forming a copy Command
source-file-url Syntax
destination-file-url Syntax
primary RPM
copy flash://filename
flash://filename
standby RPM
copy rpm{0|1}flash://filename
rpm{0|1}flash://filename
primary RPM
copy rpm{0|1}slot0://filename
rpm{0|1}slot0://filename
standby RPM
copy rpm{0|1}slot0://filename
rpm{0|1}slot0://filename
Local File Location
Internal flash:
External flash:
USB Drive (E-Series ExaScale)
USB drive on RPM0
copy rpm0usbflash://filepath
rpm0usbflash://filename
External USB drive
copy usbflash://filepath
usbflash://filename
Remote File Location
FTP server
copy ftp://username:password@{hostip | ftp://username:password@{hostip |
hostname}/filepath/filename
hostname}/filepath/filename
TFTP server
copy tftp://{hostip | hostname}/filepath/
filename
tftp://{hostip | hostname}/filepath/filename
SCP server
copy scp://{hostip | hostname}/filepath/
filename
scp://{hostip | hostname}/filepath/filename
Important Points to Remember
•
•
•
•
You may not copy a file from one remote system to another.
You may not copy a file from one location to the same location.
The internal flash memories on the RPMs are synchronized whenever there is a change, but only if
both RPMs are running the same version of FTOS.
When copying to a server, a hostname can only be used if a DNS server is configured.
Getting Started | 45
�www.dell.com | support.dell.com
•
•
The usbflash and rpm0usbflash commands are supported on E-Series ExaScale systems. Refer to
your system’s Release Notes for a list of approved USB vendors.
The usbflash command is supported on Z9000. Refer to your system’s Release Notes for a list of
approved USB vendors.
The following text is an example of using the copy command to save a file to an FTP server.
FTOS#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
The following text is an example of using the copy command to import a file to the Dell Force10 system
from an FTP server.
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0.bin flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
Save the Running-configuration
The running-configuration contains the current system configuration. Dell Force10 recommends that you
copy your running-configuration to the startup-configuration. The system uses the startup-configuration
during boot-up to configure the system. The startup-configuration is stored in the internal flash on the
primary RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
To save the running-configuration:
Note: The commands in this section follow the same format as those in Copy Files to and from the
System but use the filenames startup-configuration and running-configuration. These commands assume
that current directory is the internal flash, which is the system default.
46
|
Getting Started
�Task
Command Syntax
Command Mode
Save the running-configuration to:
the startup-configuration on the
internal flash of the primary RPM
copy running-config startup-config
the internal flash on an RPM
copy running-config rpm{0|1}flash://filename
Note: The internal flash memories on the RPMs are synchronized whenever there is a
change, but only if the RPMs are running the same version of FTOS.
the external flash of an RPM
copy running-config rpm{0|1}slot0://filename
an FTP server
copy running-config ftp://
username:password@{hostip | hostname}/
filepath/filename
a TFTP server
copy running-config tftp://{hostip | hostname}/
filepath/filename
an SCP server
copy running-config scp://{hostip | hostname}/
filepath/filename
EXEC Privilege
Note: When copying to a server, a hostname can only be used if a DNS server is configured.
Save the running-configuration to the
startup-configuration on the internal flash
of the primary RPM. Then copy the new
startup-config file to the external flash of
the primary RPM.
copy running-config startup-config duplicate
EXEC Privilege
FTOS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another chassis, the
startup-configuration is stored as a backup file (with the extension .bak), and a new, empty startup-configuration file
is created. To restore your original startup-configuration in this situation, overwrite the new startup-configuration
with the original one using the command copy startup-config.bak startup-config.
Configure the Overload bit for Startup Scenario
For information on setting the router overload bit for a specific period of time after a switch reload is
implemented, see the FTOS Command Line Reference Guide, Chapter 18 - Intermediate System to
Intermediate System (IS-IS).
Getting Started | 47
�www.dell.com | support.dell.com
View Files
File information and content can only be viewed on local file systems. To view a list of files on the internal
or external Flash:
Step
1
Task
Command Syntax
Command Mode
the internal flash of an RPM
dir flash:
EXEC Privilege
the external flash of an RPM
dir slot:
View a list of files on:
The output of the command dir also shows the read/write privileges, size (in bytes), and date of
modification for each file, as shown in the example below.
FTOS#dir
Directory of flash:
1 drw2 drwx
3 drw4 drw5 drw6 drw7 d--8 -rw9 -rw10 -rw11 drw12 -rw13 -rw14 -rw15 -rw--More--
32768
512
8192
8192
8192
8192
8192
33059550
27674906
27674906
8192
7276
7341
27674906
27674906
Jan
Jul
Mar
Mar
Mar
Mar
Mar
Jul
Jul
Jul
Jan
Jul
Jul
Jul
Jul
01
23
30
30
30
30
30
11
06
06
01
20
20
06
06
1980
2007
1919
1919
1919
1919
1919
2007
2007
2007
1980
2007
2007
2007
2007
00:00:00
00:38:44
10:31:04
10:31:04
10:31:04
10:31:04
10:31:04
17:49:46
00:20:24
19:54:52
00:18:28
01:52:40
15:34:46
19:52:22
02:23:22
.
..
TRACE_LOG_DIR
CRASH_LOG_DIR
NVTRACE_LOG_DIR
CORE_DUMP_DIR
ADMIN_DIR
FTOS-EF-7.4.2.0.bin
FTOS-EF-4.7.4.302.bin
boot-image-FILE
diag
startup-config.bak
startup-config
boot-image
boot-flash
To view the contents of a file:
Step
1
48
|
Task
Command Syntax
Command Mode
View the:
contents of a file in the internal flash of
an RPM
show file rpm{0|1}flash://filename
contents of a file in the external flash
of an RPM
show file rpm{0|1}slot0://filename
running-configuration
show running-config
startup-configuration
show startup-config
Getting Started
EXEC Privilege
�View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the example
below, to help you track the last time any user made a change to the file, which user made the changes, and
when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration
change,” and “Startup-config last updated,” then you have made changes that have not been saved and will
not be preserved upon a system reboot.
FTOS#show running-config
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system rpm0 primary flash://FTOS-EF-8.2.1.0.bin
boot system rpm0 secondary flash://FTOS-EF-7.8.1.0.bin
boot system rpm0 default flash://FTOS-EF-7.7.1.1.bin
boot system rpm1 primary flash://FTOS-EF-7.8.1.0.bin
boot system gateway 10.10.10.100
--More--
File System Management
The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It
stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information:
Task
Command Syntax
Command Mode
View information about each file system.
show file-systems
EXEC Privilege
The output of the command show file-systems in the example below shows the total capacity, amount of
free memory, file structure, media type, read/write privileges for each storage device in use.
FTOS#show file-systems
Size(b)
Free(b)
Feature
Type
Flags
520962048
213778432
dosFs2.0 USERFLASH
127772672
21936128
dosFs2.0 USERFLASH
network
network
network
Prefixes
rw flash:
rw slot0:
rw ftp:
rw tftp:
rw scp:
You can change the default file system so that file management commands apply to a particular device or
memory.
Getting Started | 49
�www.dell.com | support.dell.com
To change the default storage location:
Task
Command Syntax
Command Mode
Change the default directory.
cd directory
EXEC Privilege
In the example below, the default storage location is changed to the external Flash of the primary RPM.
File management commands then apply to the external Flash rather than the internal Flash.
FTOS#cd slot0:
FTOS#copy running-config test
FTOS#copy run test
!
7419 bytes successfully copied
FTOS#dir
Directory of slot0:
1
2
3
4
5
6
7
8
9
drwdrwx
----rw----------------
32768
512
0
7419
0
0
0
0
0
Jan
Jul
Jan
Jul
Jan
Jan
Jan
Jan
Jan
01
23
01
23
01
01
01
01
01
1980
2007
1970
2007
1970
1970
1970
1970
1970
00:00:00
00:38:44
00:00:00
20:44:40
00:00:00
00:00:00
00:00:00
00:00:00
00:00:00
.
..
DCIM
test
BT
200702~1VSN
G
F
F
slot0: 127772672 bytes total (21927936 bytes free)
View command history
The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for
each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command, as shown in the example
below.
FTOS#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin
Upgrading FTOS
Note: To upgrade FTOS, see the Release Notes for the version you want to load on the system.
50
|
Getting Started
�4
Management
Management is supported on platforms:
e c sz
This chapter explains the different protocols or services used to manage the Dell Force10 system
including:
•
•
•
•
•
•
•
Configure Privilege Levels
Configure Logging
File Transfer Services
Terminal Lines
Lock CONFIGURATION mode
Recovering from a Forgotten Password on the S4810
Recovering from a Failed Start on the S4810
Configure Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of
which three are pre-defined. The default privilege level is 1.
•
Level 0—Access to the system
enable, disable, and exit.
•
•
Level 1—Access to the system begins at EXEC mode, and all commands are available.
Level 15—Access to the system begins at EXEC Privilege mode, and all commands are available.
begins at EXEC mode, and EXEC mode commands are limited to
Create a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege
levels 2-14 by:
•
•
•
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.
Management | 51
�www.dell.com | support.dell.com
Removing a command from EXEC mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level
using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater
than the level given to a user or terminal line, followed by the first keyword of each command to be
restricted.
Move a command from EXEC privilege mode to EXEC mode
Move a command from EXEC Privilege to EXEC mode for a privilege level using the command privilege
exec from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal
line, and specify all keywords in the command to which you want to allow access.
Allow Access to CONFIGURATION mode commands
Allow access to CONFIGURATION mode using the command privilege exec level level configure from
CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level, and
has access to only two commands, end and exit. You must individually specify each CONFIGURATION
mode command to which you want to allow access using the command privilege configure level level. In the
command, specify the privilege level of the user or terminal line, and specify all keywords in the command
to which you want to allow access.
Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode
1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE,
ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into
the mode. For example, allow a user to enter INTERFACE mode using the command privilege configure
level level interface gigabitethernet
2. Then, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which
you want to allow access using the command privilege {interface | line | route-map | router} level level. In
the command, specify the privilege level of the user or terminal line, and specify all keywords in the
command to which you want to allow access.
The following table lists the configuration tasks you can use to customize a privilege level:
52
|
Task
Command Syntax
Command Mode
Remove a command from the list of available commands
in EXEC mode.
privilege exec level level
{command ||...|| command}
CONFIGURATION
Move a command from EXEC Privilege to EXEC mode.
privilege exec level level
{command ||...|| command}
CONFIGURATION
Allow access to CONFIGURATION mode.
privilege exec level level configure
Management
CONFIGURATION
�Task
Command Syntax
Allow access to INTERFACE, LINE, ROUTE-MAP,
and/or ROUTER mode. Specify all keywords in the
command.
privilege configure level level
{interface | line | route-map |
router} {command-keyword ||...||
command-keyword}
Allow access to a CONFIGURATION, INTERFACE,
LINE, ROUTE-MAP, and/or ROUTER mode command.
privilege {configure |interface | line
| route-map | router} level level
{command ||...|| command}
Command Mode
CONFIGURATION
CONFIGURATION
The configuration in the following example creates privilege level 3. This level:
•
•
•
•
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the command capture bgp-pdu max-buffer-size from EXEC Privilege to EXEC mode by requiring
a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE and LINE modes are allowed with no commands
FTOS(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
FTOS(conf)#do telnet 10.11.80.201
[telnet output omitted]
FTOS#show priv
Current privilege level is 3.
FTOS#?
capture
Capture packet
configure
Configuring from terminal
disable
Turn off privileged commands
enable
Turn on privileged commands
exit
Exit from the EXEC
ip
Global IP subcommands
monitor
Monitoring feature
mtrace
Trace reverse multicast path from destination to source
ping
Send echo messages
quit
Exit from the EXEC
show
Show running system information
[output omitted]
FTOS#config
[output omitted]
FTOS(conf)#do show priv
Current privilege level is 3.
FTOS(conf)#?
Management | 53
�www.dell.com | support.dell.com
end
Exit from configuration mode
exit
Exit from configuration mode
interface
Select an interface to configure
line
Configure a terminal line
linecard
Set line card type
FTOS(conf)#interface ?
fastethernet
Fast Ethernet interface
gigabitethernet
Gigabit Ethernet interface
loopback
Loopback interface
managementethernet
Management Ethernet interface
null
Null interface
port-channel
Port-channel interface
range
Configure interface range
sonet
SONET interface
tengigabitethernet
TenGigabit Ethernet interface
vlan
VLAN interface
FTOS(conf)#interface gigabitethernet 1/1
FTOS(conf-if-gi-1/1)#?
end
Exit from configuration mode
exit
Exit from interface configuration mode
FTOS(conf-if-gi-1/1)#exit
FTOS(conf)#line ?
aux
Auxiliary line
console
Primary terminal line
vty
Virtual terminal
FTOS(conf)#line vty 0
FTOS(config-line-vty)#?
exit
Exit from line configuration mode
FTOS(config-line-vty)#
Apply a Privilege Level to a Username
To set a privilege level for a user:
Task
Command Syntax
Command Mode
Configure a privilege level for a user.
username username privilege level
CONFIGURATION
Apply a Privilege Level to a Terminal Line
To set a privilege level for a terminal line:
54
|
Task
Command Syntax
Command Mode
Configure a privilege level for a terminal line.
privilege level level
LINE
Management
�Note: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode,
but the prompt is hostname#, rather than hostname>.
Configure Logging
FTOS tracks changes in the system using event and error messages. By default, FTOS logs these messages
on:
•
•
•
the internal buffer
console and terminal lines, and
any configured syslog servers
Disable Logging
To disable logging:
Task
Command Syntax
Command Mode
Disable all logging except on the console.
no logging on
CONFIGURATION
Disable logging to the logging buffer.
no logging buffer
CONFIGURATION
Disable logging to terminal lines.
no logging monitor
CONFIGURATION
Disable console logging.
no logging console
CONFIGURATION
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
Message 1 BootUp Events
%BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
The following list includes the configuration tasks for system log management:
•
•
Disable System Logging
Send System Messages to a Syslog Server
Management | 55
�www.dell.com | support.dell.com
Disable System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console,
and syslog servers.
Enable and disable system logging using the following commands:
Task
Command Syntax
Command Mode
Disable all logging except on the console.
no logging on
CONFIGURATION
Disable logging to the logging buffer.
no logging buffer
CONFIGURATION
Disable logging to terminal lines.
no logging monitor
CONFIGURATION
Disable console logging.
no logging console
CONFIGURATION
Send System Messages to a Syslog Server
Send system messages to a syslog server by specifying the server with the following command:
Task
Command Syntax
Command Mode
Specify the server to which you want to send system
messages. You can configure up to eight syslog servers.
logging {ip-address | hostname}
CONFIGURATION
Configure a Unix System as a Syslog Server
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the Unix
system and assigning write permissions to the file.
•
•
on a 4.1 BSD UNIX system, add the line: local7.debugging /var/log/ftos.log
on a 5.7 SunOS UNIX system, add the line: local7.debugging /var/adm/ftos.log
In the lines above, local7 is the logging facility level and debugging is the severity level.
56
|
Management
�Change System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage
location. The default is to log all messages up to debug level, that is, all system messages. By changing the
severity level in the logging commands, you control the number of system messages logged.
Task
Command Syntax
Command Mode
Specify the minimum severity level for logging to the logging buffer.
logging buffered level
CONFIGURATION
Specify the minimum severity level for logging to the console.
logging console level
CONFIGURATION
Specify the minimum severity level for logging to terminal lines.
logging monitor level
CONFIGURATION
Specifying the minimum severity level for logging to a syslog server.
logging trap level
CONFIGURATION
Specify the minimum severity level for logging to the syslog history
table.
logging history level
CONFIGURATION
Task
Command Syntax
Command Mode
Specify the size of the logging buffer.
Note: When you decrease the buffer size, FTOS deletes
all messages stored in the buffer. Increasing the buffer
size does not affect messages in the buffer.
logging buffered size
CONFIGURATION
Specify the number of messages that FTOS saves to its
logging history table.
logging history size size
CONFIGURATION
To change one of the settings for logging system messages, use any or all of the following commands in
the CONFIGURATION mode:
To view the logging buffer and configuration, use the show logging command in the EXEC privilege mode
as shown in the example for Display the Logging Buffer and the Logging Configuration.
To change the severity level of messages logged to a syslog server, use the following command in the
CONFIGURATION mode:
To view the logging configuration, use the show running-config logging command in the EXEC privilege
mode as shown in the example for Configure a UNIX logging facility level.
Display the Logging Buffer and the Logging Configuration
Display the current contents of the logging buffer and the logging settings for the system, use the show
logging command in the EXEC privilege mode as shown in the example below.
FTOS#show logging
Management | 57
�www.dell.com | support.dell.com
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in the EXEC privilege mode as
shown in the example for Configure a UNIX logging facility level.
Configure a UNIX logging facility level
You can save system log messages with a UNIX system logging facility.
58
|
Management
�To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode:
Command Syntax
Command Mode
Purpose
logging facility [facility-type]
CONFIGURATION
Specify one of the following parameters.
• auth (for authorization messages)
• cron (for system scheduler messages)
• daemon (for system daemons)
• kern (for kernel messages)
• local0 (for local use)
• local1 (for local use)
• local2 (for local use)
• local3 (for local use)
• local4 (for local use)
• local5 (for local use)
• local6 (for local use)
• local7 (for local use). This is the default.
• lpr (for line printer system messages)
• mail (for mail system messages)
• news (for USENET news messages)
• sys9 (system use)
• sys10 (system use)
• sys11 (system use)
• sys12 (system use)
• sys13 (system use)
• sys14 (system use)
• syslog (for syslog messages)
• user (for user programs)
• uucp (UNIX to UNIX copy protocol)
The default is local7.
To view nondefault settings, use the show running-config logging command in the EXEC mode as shown in
the example below.
FTOS#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
FTOS#
Management | 59
�www.dell.com | support.dell.com
Synchronize log messages
You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing
the message output. Only the messages with a severity at or below the set level appear. This feature works
on the terminal and console connections available on the system.
To synchronize log messages, use these commands in the following sequence starting in the
CONFIGURATION mode:
Step
1
2
Command Syntax
Command Mode
Purpose
line {console 0 | vty number [end-number]
| aux 0}
CONFIGURATION
Enter the LINE mode. Configure the
following parameters for the virtual
terminal lines:
• number range: zero (0) to 8.
• end-number range: 1 to 8.
You can configure multiple virtual
terminals at one time by entering a number
and an end-number.
logging synchronous [level severity-level |
all] [limit]
LINE
Configure a level and set the maximum
number of messages to be printed.
Configure the following optional
parameters:
• level severity-level range: 0 to 7.
Default is 2. Use the all keyword to
include all messages.
• limit range: 20 to 300. Default is 20.
To view the logging synchronous configuration, use the show config command in the LINE mode.
Enable timestamp on syslog messages
By default, syslog messages do not include a time/date stamp stating when the error or message was
created.
To have FTOS include a timestamp with the syslog message, use the following command syntax in the
CONFIGURATION mode:
60
|
Command Syntax
Command Mode
Purpose
service timestamps [log |
debug] [datetime [localtime]
[msec] [show-timezone] |
uptime]
CONFIGURATION
Add timestamp to syslog messages. Specify the following
optional parameters:
• datetime: You can add the keyword localtime to include the
localtime, msec, and show-timezone. If you do not add
the keyword localtime, the time is UTC.
• uptime. To view time since last boot.
If neither parameter is specified, FTOS configures uptime.
Management
�To view the configuration, use the show running-config logging command in the EXEC privilege mode.
To disable time stamping on syslog messages, enter no service timestamps [log | debug].
File Transfer Services
With FTOS, you can configure the system to transfer files over the network using File Transfer Protocol
(FTP). One FTP application is copying the system image files over an interface on to the system; however,
FTP is not supported on VLAN interfaces.
For more information on FTP, refer to RFC 959, File Transfer Protocol.
Note: To transmit large files, Dell Force10 recommends configuring the switch as an FTP server.
Configuration Task List for File Transfer Services
The following list includes the configuration tasks for file transfer services:
•
•
•
Enable FTP server (mandatory)
Configure FTP server parameters (optional)
Configure FTP client parameters (optional)
Enable FTP server
To enable the system as an FTP server, use the following command in the CONFIGURATION mode:
Command Syntax
Command Mode
Purpose
ftp-server enable
CONFIGURATION
Enable FTP on the system.
To view FTP configuration, use the show running-config ftp command in the EXEC privilege mode as
shown in the example below.
FTOS#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
FTOS#
Configure FTP server parameters
After the FTP server is enabled on the system, you can configure different parameters.
Management | 61
�www.dell.com | support.dell.com
To configure FTP server parameters, use any or all of the following commands in the CONFIGURATION
mode:
Command Syntax
Command Mode
Purpose
ftp-server topdir dir
CONFIGURATION
Specify the directory for users using FTP to reach the
system.
The default is the internal flash directory.
ftp-server username username
password [encryption-type]
CONFIGURATION
Specify a user name for all FTP users and configure either
a plain text or encrypted password. Configure the
following optional and required parameters:
• username: Enter a text string
• encryption-type: Enter 0 for plain text or 7 for
encrypted text.
• password: Enter a text string.
password
Note: You cannot use the change directory (cd) command until ftp-server topdir has been
configured.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configure FTP client parameters
To configure FTP client parameters, use the following commands in the CONFIGURATION mode:
Command Syntax
Command Mode
Purpose
ip ftp source-interface interface
CONFIGURATION
Enter the following keywords and slot/port or number
information:
• For a Gigabit Ethernet interface, enter the keyword
GigabitEthernet followed by the slot/port information.
• For a loopback interface, enter the keyword loopback
followed by a number between 0 and 16383.
• For a port channel interface, enter the keyword
port-channel followed by a number from 1 to 255 for
TeraScale and ExaScale, 1 to 32 for EtherScale.
• For a SONET interface, enter the keyword sonet
followed by the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword
TenGigabitEthernet followed by the slot/port
information.
• For a VLAN interface, enter the keyword vlan followed
by a number from 1 to 4094.
• For a 40-Gigabit Ethernet interface, enter the keyword
fortyGigE followed by the slot/port information.
ip ftp password password
CONFIGURATION
Configure a password.
ip ftp username name
CONFIGURATION
Enter username to use on FTP client.
To view FTP configuration, use the show running-config ftp command in the EXEC privilege mode as
shown in the example for Enable FTP server.
62
|
Management
�Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles. The terminal
lines on the system provide different means of accessing the system. The console line (console) connects
you through the Console port in the RPMs. The virtual terminal lines (VTY) connect you through Telnet to
the system. The auxiliary line (aux) connects secondary devices such as modems.
Deny and Permit Access to a Terminal Line
Dell Force10 recommends applying only standard ACLs to deny and permit access to VTY lines.
•
•
Layer 3 ACL deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with
no rules does not deny any traffic.
You cannot use show ip accounting access-list to display the contents of an ACL that is applied only to a
VTY line.
To apply an IP ACL to a line:
Task
Command Syntax
Command Mode
Apply an ACL to a VTY line.
ip access-class access-list
LINE
To view the configuration, enter the show config command in the LINE mode, as shown in the example
below.
FTOS(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
FTOS(config-std-nacl)#line vty 0
FTOS(config-line-vty)#show config
line vty 0
access-class myvtyacl
FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you must apply an ACL and
AAA authentication to the line. Then users are denied access only after they enter a username and password.
Beginning in FTOS version 7.4.2.0, only an ACL is required, and users are denied access before they are
prompted for a username and password.
Configure Login Authentication for Terminal Lines
You can use any combination of up to 6 authentication methods to authenticate a user on a terminal line. A
combination of authentication methods is called a method list. If the user fails the first authentication
method, FTOS prompts the next method until all methods are exhausted, at which point the connection is
terminated. The available authentication methods are:
Management | 63
�www.dell.com | support.dell.com
•
•
•
•
•
•
enable—Prompt
for the enable password.
line—Prompt for the e password you assigned to the terminal line. You must configure a password for
the terminal line to which you assign a method list that contains the line authentication method.
Configure a password using the command password from LINE mode.
local—Prompt for the the system username and password.
none—Do not authenticate the user.
radius—Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+—Prompt for a username and password and use a TACACS+ server to authenticate.
To configure authentication for a terminal line:
Step
Task
Command Syntax
1
Create an authentication method list.
You may use a mnemonic name or
use the keyword default. The default
authentication method for terminal
lines is local, and the default method
list is empty.
aaa authentication login {method-list-name |
default} [method-1] [method-2] [method-3]
[method-4] [method-5] [method-6]
2
Apply the method list from Step 1 to
a terminal line.
login authentication {method-list-name |
default}
CONFIGURATION
3
If you used the line authentication
method in the method list you
applied to the terminal line,
configure a password for the terminal
line.
password
LINE
In the example below, VTY lines 0-2 use a single authentication method, line.
FTOS(conf)#aaa authentication login myvtymethodlist line
FTOS(conf)#line vty 0 2
FTOS(config-line-vty)#login authentication myvtymethodlist
FTOS(config-line-vty)#password myvtypassword
FTOS(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
FTOS(config-line-vty)#
64
|
Management
Command Mode
CONFIGURATION
�Time out of EXEC Privilege Mode
EXEC timeout is a basic security feature that returns FTOS to the EXEC mode after a period of inactivity
on terminal lines.
To change the timeout period or disable EXEC timeout.
Task
Command Syntax
Command Mode
Set the number of minutes and seconds.
Default: 10 minutes on console, 30 minutes on VTY.
Disable EXEC timeout by setting the timeout period to 0.
exec-timeout minutes [seconds]
LINE
Return to the default timeout values.
no exec-timeout
LINE
View the configuration using the command show config from LINE mode.
FTOS(conf)#line con 0
FTOS(config-line-console)#exec-timeout 0
FTOS(config-line-console)#show config
line console 0
exec-timeout 0 0
FTOS(config-line-console)#
Telnet to Another Network Device
To telnet to another device:
Note: The system allows 120 telnet sessions per minute, allowing the login and logout of 10 telnet
sessions 12 times in a minute. If the system reaches this non-practical limit, the telnet service will be
stopped for 10 minutes. Console and SSH service may be used to access the system during downtime.
Task
Command Syntax
Telnet to the peer RPM. You do not need to configure the management
port on the peer RPM to be able to telnet to it.
telnet-peer-rpm
Telnet to a device with an IPv4 or IPv6 address. If you do not enter an IP
address, FTOS enters a Telnet dialog that prompts you for one.
• Enter an IPv4 address in dotted decimal format (A.B.C.D).
• Enter an IPv6 address in the format
0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is
supported.
telnet [ip-address]
Command Mode
EXEC Privilege
EXEC Privilege
FTOS# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Management | 65
�www.dell.com | support.dell.com
Login:
Login: admin
Password:
FTOS>exit
FTOS#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
FTOS#
Lock CONFIGURATION mode
FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION
mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
A two types of locks can be set: auto and manual.
•
•
Set an auto-lock using the command configuration mode exclusive auto from CONFIGURATION mode.
When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied
access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode
without having to set the lock again.
Set a manual lock using the command configure terminal lock from CONFIGURATION mode. When
you configure a manual lock, which is the default, you must enter this command time you want to enter
CONFIGURATION mode and deny access to others.
FTOS(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by
console
FTOS#config
! Locks configuration mode exclusively.
FTOS(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, Message 1 appears on
their terminal.
Message 1 CONFIGURATION mode Locked Error
% Error: User "" on line console0 is in exclusive configuration mode
If any user is already in CONFIGURATION mode when while a lock is in place, Message 2 appears on
their terminal.
Message 2 Cannot Lock CONFIGURATION mode Error
% Error: Can't lock configuration mode exclusively since the following users are
currently configuring the system:
User "admin" on line vty1 ( 10.1.1.1 )
66
|
Management
�Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you
are the one that configured the lock.
Note: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the command show configuration lock from EXEC
Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively
you can clear any line using the command clear from EXEC Privilege mode. If you clear a console session,
the user is returned to EXEC mode.
Recovering from a Forgotten Password on the S4810
If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password:
Step
Task
Command Syntax
Command Mode
1
Log onto the system via console.
2
Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3
Hit any key to abort the boot process.
You enter uBoot i mme id at ely, as
indicated by the => prompt.
hit any key
(during bootup)
4
Set the system parameters to ignore
the startup configuration file when
the system reloads.
setenv stconfigignore true
uBoot
5
To save the changes use the saveenv
command.
saveenv
uBoot
6
Reload the system.
reset
uBoot
7
Copy startup-config.bak to the
running config.
copy flash://startup-config.bak
running-config
EXEC Privilege
8
Remove all authentication statements
you might have for the console.
no authentication login
no password
LINE
Management | 67
�www.dell.com | support.dell.com
Step
Task
Command Syntax
Command Mode
9
Save the running-config.
copy running-config startup-config
EXEC Privilege
10
Set the system parameters to use the
startup configuration file when the
system reloads.
setenv stconfigignore false
uBoot
11
Save the running-config.
copy running-config startup-config
EXEC Privilege
Recovering from a Forgotten Enable Password on the S4810
If you forget the enable password:
Step
Task
Command Syntax
Command Mode
1
Log onto the system via console.
2
Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3
Hit any key to abort the boot process.
You enter uBoot immediately, as
indicated by the => prompt.
hit any key
(during bootup)
4
Set the system parameters to ignore
the enable password when the system
reloads.
setenv enablepwdignore true
uBoot
5
Reload the system.
reset
uBoot
6
Configure a new enable password.
enable {secret | password}
CONFIGURATION
7
Save the running-config to the
startup-config.
copy running-config startup-config
EXEC Privilege
Recovering from a Failed Start on the S4810
A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from a
mis-specified location. In that case, you can restart the system and interrupt the boot process to point the
system to another boot location. Use the setenv command, as described below. For details on the setenv
command, its supporting commands, and other commands that can help recover from a failed start, see the
Boot User chapter in the FTOS Command Line Reference for the S4810.
Step
68
|
Task
Command Syntax
1
Power-cycle the chassis (pull the power cord and reinsert it).
2
Hit any key to abort the boot process.
You enter uBoot immediately, as
indicated by the => prompt.
Management
hit any key
Command Mode
(during bootup)
�Step
Task
Command Syntax
Command Mode
3
Assign the new location to the FTOS
image to be used when the system
reloads.
setenv [primary_image f10boot location |
secondary_image f10boot location |
default_image f10boot location]
uBoot
4
Assign an IP address to the
Management Ethernet interface.
setenv ipaddre address
uBoot
6
Assign an IP address as the default
gateway for the system.
setenv gatewayip address
uBoot
7
Reload the system.
reset
uBoot
5
Management | 69
�70
|
Management
www.dell.com | support.dell.com
�5
802.1ag
802.1ag is available only on platform:
s
Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor,
troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah OAM
3. Ethernet Local management Interface (MEF-16 E-LMI)
Ethernet CFM
Ethernet CFM is an end-to-end per-service-instance Ethernet OAM scheme which enables: proactive
connectivity monitoring, fault verification, and fault isolation.
The service-instance with regard to OAM for Metro/Carrier Ethernet is a VLAN. This service is sold to an
end-customer by a network service provider. Typically the service provider contracts with multiple
network operators to provide end-to-end service between customers. For end-to-end service between
customer switches, connectivity must be present across the service provider through multiple network
operators.
Layer 2 Ethernet networks usually cannot be managed with IP tools such as ICMP Ping and IP Traceroute.
Traditional IP tools often fail because:
•
•
•
•
•
there are complex interactions between various Layer 2 and Layer 3 protocols such as STP, LAG,
VRRP and ECMP configurations.
Ping and traceroute are not designed to verify data connectivity in the network and within each node in
the network (such as in the switching fabric and hardware forwarding tables).
when networks are built from different operational domains, access controls impose restrictions that
cannot be overcome at the IP level, resulting in poor fault visibility. There is a need for hierarchical
domains that can be monitored and maintained independently by each provider or operator.
routing protocols choose a subset of the total network topology for forwarding, making it hard to detect
faults in links and nodes that are not included in the active routing topology. This is made more
complex when using some form of Traffic Engineering (TE) based routing.
network and element discovery and cataloging is not clearly defined using IP troubleshooting tools.
802.1ag | 71
�www.dell.com | support.dell.com
There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With
these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of
running the network. OAM also increases availability and reduces mean time to recovery, which allows for
tighter service level agreements, resulting in increased revenue for the service provider.
In addition to providing end-to-end OAM in native Layer 2 Ethernet Service Provider/Metro networks,
you can also use CFM to manage and troubleshoot any Layer 2 network including enterprise, datacenter,
and cluster networks.
Maintenance Domains
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in the illustration below.
A CFM maintenance domain is a management space on a network that is owned and operated by a single
management entity. The network administrator assigns a unique maintenance level (0 to 7) to each domain
to define the hierarchical relationship between domains. Domains can touch or nest but cannot overlap or
intersect as that would require management by multiple entities.
Service Provider Network
Customer Network
Customer Network
Ethernet Access
MPLS Core
MPLS Access
Customer Domain (7)
Provider Domain (6)
Operator Domain (5)
Operator Domain (5)
Operator Domain (5)
MPLS Domain (4)
Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface
demarcation that confines CFM frames to a domain. There are two types of maintenance points:
•
•
72
|
802.1ag
Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain
Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that is an
intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two
MEPs within a single domain. MIPs are internal to a domain, not at the boundary, and respond to CFM
only when triggered by linktrace and loopback messages. MIPs can be configured to snoop Continuity
Check Messages (CCMs) to build a MIP CCM database.
�These roles define the relationships between all devices so that each device can monitor the layers under its
responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames.
Service Provider Network
Customer Network
Customer Network
Ethernet Access
MPLS Core
MPLS Access
Customer Domain (7)
Provider Domain (6)
Operator Domain (5)
Operator Domain (5)
Operator Domain (5)
MPLS Domain (4)
MEP
MIP
Maintenance End Points
A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two
types of MEPs defined in 802.1ag for an 802.1 bridge:
•
•
Up-MEP: monitors the forwarding path internal to an bridge on the customer or provider edge; on
Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding
engine.
Down-MEP: monitors the forwarding path external another bridge.
Configure Up- MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure
Down-MEPs on egress ports, ports that send traffic away from the bridge relay.
Customer Network
towards relay
Service Provider Ethernet Access
away from relay
Up-MEP
Down-MEP
802.1ag | 73
�www.dell.com | support.dell.com
Implementation Information
•
Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed
per MA (per VLAN or per MD level).
Configure CFM
Configuring CFM is a five-step process:
1. Configure the ecfmacl CAM region using the cam-acl command. Refer to Configure Ingress Layer 2
ACL Sub-partitions.
2. Enable Ethernet CFM.
3. Create a Maintenance Domain.
4. Create a Maintenance Association.
5. Create Maintenance Points.
6. Use CFM tools:
a
Continuity Check Messages
b
Loopback Message and Response
c
Linktrace Message and Response
Related Configuration Tasks
•
•
74
|
802.1ag
Enable CFM SNMP Traps.
Display Ethernet CFM Statistics
�Enable Ethernet CFM
Task
Command Syntax
Command Mode
Spawn the CFM process. No CFM configuration is
allowed until the CFM process is spawned.
ethernet cfm
CONFIGURATION
Disable Ethernet CFM without stopping the CFM
process.
disable
ETHERNET CFM
Create a Maintenance Domain
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in the illustration in Maintenance Domains.
Step
1
Task
Command Syntax
Command Mode
Create maintenance domain.
domain name md-level number
ETHERNET CFM
Range: 0-7
2
Display maintenance domain information.
show ethernet cfm domain [name |
brief]
EXEC Privilege
FTOS# show ethernet cfm domain
Domain Name: customer
Level: 7
Total Service: 1
Services
MA-Name
My_MA
Domain Name: praveen
Level: 6
Total Service: 1
Services
MA-Name
Your_MA
VLAN
CC-Int
X-CHK Status
200
10s
enabled
VLAN
CC-Int
X-CHK Status
100
10s
enabled
802.1ag | 75
�www.dell.com | support.dell.com
Create a Maintenance Association
A Maintenance Association MA is a subdivision of an MD that contains all managed entities
corresponding to a single end-to-end service, typically a VLAN. An MA is associated with a VLAN ID.
Task
Command Syntax
Command Mode
Create maintenance association.
service name vlan vlan-id
ECFM DOMAIN
Create Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is a interface
demarcation that confines CFM frames to a domain. There are two types of maintenance points:
•
•
Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain
Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that
constitutes intermediate points of an Maintenance Entity (ME). An ME is a point-to-point relationship
between two MEPs within a single domain.
These roles define the relationships between all devices so that each device can monitor the layers under its
responsibility.
Create a Maintenance End Point
A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two
types of MEPs defined in 802.1ag for an 802.1 bridge:
•
•
Up-MEP: monitors the forwarding path internal to an bridge on the customer or provider edge; on
Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding
engine.
Down-MEP: monitors the forwarding path external another bridge.
Configure Up- MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure
Down-MEPs on egress ports, ports that send traffic away from the bridge relay.
Task
Command Syntax
Command Mode
Create an MEP.
ethernet cfm mep {up-mep | down-mep} domain {name | level }
ma-name name mepid mep-id
INTERFACE
Range: 1-8191
Display configured MEPs and
MIPs.
76
|
802.1ag
show ethernet cfm maintenance-points local [mep | mip]
EXEC Privilege
�Task
Command Syntax
Command Mode
FTOS#show ethernet cfm maintenance-points local mep
------------------------------------------------------------------------------MPID
Domain Name
Level
Type
Port
CCM-Status
MA Name
VLAN
Dir
MAC
------------------------------------------------------------------------------100
cfm0
test0
7
10
MEP
DOWN
Gi 4/10
00:01:e8:59:23:45
Enabled
200
cfm1
test1
6
20
MEP
DOWN
Gi 4/10
00:01:e8:59:23:45
Enabled
300
cfm2
test2
5
30
MEP
DOWN
Gi 4/10
00:01:e8:59:23:45
Enabled
Create a Maintenance Intermediate Point
Maintenance Intermediate Point (MIP) is a logical entity configured at a port of a switch that constitutes
intermediate points of an Maintenance Entity (ME). An ME is a point-to-point relationship between two
MEPs within a single domain. An MIP is not associated with any MA or service instance, and it belongs to
the entire MD.
Task
Command Syntax
Command Mode
Create an MIP.
ethernet cfm mip domain {name | level } ma-name name
INTERFACE
Display configured MEPs and
MIPs.
show ethernet cfm maintenance-points local [mep | mip]
EXEC Privilege
FTOS#show ethernet cfm maintenance-points local mip
------------------------------------------------------------------------------MPID
Domain Name
Level
Type
Port
CCM-Status
MA Name
VLAN
Dir
MAC
------------------------------------------------------------------------------0
service1
My_MA
4
3333
MIP
DOWN
Gi 0/5
00:01:e8:0b:c6:36
Disabled
0
service1
Your_MA
4
3333
MIP
UP
Gi 0/5
00:01:e8:0b:c6:36
Disabled
MP Databases
CFM maintains two MP databases:
•
MEP Database (MEP-DB): Every MEP must maintain a database of all other MEPs in the MA that
have announced their presence via CCM.
802.1ag | 77
�www.dell.com | support.dell.com
•
MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that
have announced their presence via CCM
Task
Command Syntax
Command Mode
Display the MEP Database.
show ethernet cfm maintenance-points remote detail [active |
domain {level | name} | expired | waiting]
EXEC Privilege
FTOS#show ethernet cfm maintenance-points remote detail
MAC Address: 00:01:e8:58:68:78
Domain Name: cfm0
MA Name: test0
Level: 7
VLAN: 10
MP ID: 900
Sender Chassis ID: Force10
MEP Interface status: Up
MEP Port status: Forwarding
Receive RDI: FALSE
MP Status: Active
Display the MIP Database.
show ethernet cfm mipdb
EXEC Privilege
MP Database Persistence
Task
Command Syntax
Command Mode
Set the amount of time that data
from a missing MEP is kept in
the Continuity Check Database.
database hold-time minutes
ECFM DOMAIN
Default: 100 minutes
Range: 100-65535 minutes
Continuity Check Messages
Continuity Check Messages (CCM) are periodic hellos used to:
•
•
•
•
discover MEPs and MIPs within a maintenance domain
detect loss of connectivity between MEPs
detect misconfiguration, such as VLAN ID mismatch between MEPs
to detect unauthorized MEPs in a maintenance domain
Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
They have a destination address based on the MD level (01:80:C2:00:00:3X where X is the MD level of
the transmitting MEP from 0 to 7). All MEPs must listen to these multicast MAC addresses and process
these messages. MIPs may optionally processes the CCM messages originated by MEPs and construct a
MIP CCM database.
78
|
802.1ag
�MEPs and MIPs filter CCMs from higher and lower domain levels as described in Table 5-1, "Continuity
Check Message Processing," in 802.1ag.
Table 5-1.
Continuity Check Message Processing
Frames at
Frames from
UP-MEP Action
Down-MEP Action MIP Action
Less than my level
Bridge-relay side or Wire side
Drop
Drop
Drop
My level
Bridge-relay side
Consume
Drop
Wire side
Drop
Consume
Add to MIP-DB
and forward
Bridge-relay side or Wire side
Forward
Forward
Forward
Greater than my level
All the remote MEPs in the maintenance domain are defined on each MEP. Each MEP then expects a
periodic CCM from the configured list of MEPs. A connectivity failure is then defined as:
1. Loss of 3 consecutive CCMs from any of the remote MEP, which indicates a network failure
2. Reception of a CCM with an incorrect CCM transmission interval, which indicates a configuration
error.
3. Reception of CCM with an incorrect MEP ID or MAID, which indicates a configuration or
cross-connect error. This could happen when different VLANs are cross-connected due to a
configuration error.
4. Reception of a CCM with an MD level lower than that of the receiving MEP, which indicates a
configuration or cross-connect error.
5. Reception of a CCM containing a port status/interface status TLV, which indicates a failed bridge or
aggregated port.
The Continuity Check protocol sends fault notifications (Syslogs, and SNMP traps if enabled) whenever
any of the above errors are encountered.
Enable CCM
Step
1
Task
Command Syntax
Command Mode
Enable CCM.
no ccm disable
ECFM DOMAIN
Default: Disabled
2
Configure the transmit interval (mandatory).
The interval specified applies to all MEPs in
the domain.
ccm transmit-interval seconds
ECFM DOMAIN
Default: 10 seconds
802.1ag | 79
�www.dell.com | support.dell.com
Enable Cross-checking
Task
Command Syntax
Command Mode
Enable cross-checking.
mep cross-check enable
ETHERNET CFM
Default: Disabled
Start the cross-check operation for an MEP.
mep cross-check mep-id
ETHERNET CFM
Configure the amount of time the system waits for a
remote MEP to come up before the cross-check operation
is started.
mep cross-check start-delay number
ETHERNET CFM
Loopback Message and Response
Loopback Message and Response (LBM, LBR), also called Layer 2 Ping, is an administrative echo
transmitted by MEPs to verify reachability to another MEP or MIP within the maintenance domain. LBM
and LBR are unicast frames.
Task
Command Syntax
Command Mode
Send a Loopback message.
ping ethernet domain name ma-name ma-name remote {mep-id
| mac-addr mac-address} source {mep-id | port interface}
EXEC Privilege
Linktrace Message and Response
Linktrace Message and Response (LTM, LTR), also called Layer 2 Traceroute, is an administratively sent
multicast frames transmitted by MEPs to track, hop-by-hop, the path to another MEP or MIP within the
maintenance domain. All MEPs and MIPs in the same domain respond to an LTM with a unicast LTR.
Intermediate MIPs forward the LTM toward the target MEP.
MPLS Core
MEP
Lin
MIP
ktra
c e m M essa
MIP
ge
L i n k t ra ce R e s p o n s e
80
|
802.1ag
MIP
�Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast
frame. The destination group address is based on the MD level of the transmitting MEP
(01:80:C2:00:00:3[8 to F]). The MPs on the path to the target MAC address reply to the LTM with an LTR,
and relays the LTM towards the target MAC until the target MAC is reached or TTL equals 0.
Task
Command Syntax
Command Mode
Send a Linktrace message. Since the
LTM is a Multicast message sent to the
entire ME, there is no need to specify a
destination.
traceroute ethernet domain
EXEC Privilege
Link Trace Cache
After a Link Trace command is executed, the trace information can be cached so that you can view it later
without retracing.
Task
Command Syntax
Command Mode
Enable Link Trace caching.
traceroute cache
CONFIGURATION
Set the amount of time a trace result is cached.
traceroute cache hold-time minutes
ETHERNET CFM
Default: 100 minutes
Range: 10-65535 minutes
Set the size of the Link Trace Cache.
traceroute cache size entries
ETHERNET CFM
Default: 100
Range: 1 - 4095 entries
Display the Link Trace Cache.
show ethernet cfm traceroute-cache
EXEC Privilege
FTOS#show ethernet cfm traceroute-cache
Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2
-----------------------------------------------------------------------------Hops
Host
IngressMAC
Ingr Action
Relay Action
Next Host
Egress MAC
Egress Action FWD Status
-----------------------------------------------------------------------------4
00:00:00:01:e8:53:4a:f8
00:00:00:01:e8:52:4a:f8
Delete all Link Trace Cache entries.
00:01:e8:52:4a:f8
IngOK
clear ethernet cfm traceroute-cache
RlyHit
Terminal MEP
EXEC Privilege
802.1ag | 81
�www.dell.com | support.dell.com
Enable CFM SNMP Traps.
Task
Command Syntax
Command Mode
Enable SNMP trap messages for
Ethernet CFM.
snmp-server enable traps ecfm
CONFIGURATION
A Trap is sent only when one of the five highest priority defects occur, as shown in Table 5-2, "ECFM
SNMP Traps," in 802.1ag.
Table 5-2.
ECFM SNMP Traps
Cross-connect defect
%ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
Error-CCM defect
%ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
MAC Status defect
%ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000
Remote CCM defect
%ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
RDI defect
%ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
Three values are giving within the trap messages: MD Index, MA Index, and MPID. You can reference
these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points local
mep.
FTOS#show ethernet cfm maintenance-points local mep
------------------------------------------------------------------------------MPID
Domain Name
Level
Type
Port
CCM-Status
MA Name
VLAN
Dir
MAC
------------------------------------------------------------------------------100
cfm0
test0
7
10
MEP
DOWN
Gi 4/10
00:01:e8:59:23:45
Enabled
FTOS(conf-if-gi-0/6)#do show ethernet cfm domain
Domain Name: My_Name
MD Index: 1
Level: 0
Total Service: 1
Services
MA-Index
MA-Name
1
test
Domain Name: Your_Name
MD Index: 2
Level: 2
Total Service: 1
Services
MA-Index
MA-Name
1
82
|
802.1ag
test
VLAN
CC-Int
X-CHK Status
0
1s
enabled
VLAN
CC-Int
X-CHK Status
1s
enabled
100
�Display Ethernet CFM Statistics
Task
Command Syntax
Command Mode
Display MEP CCM statistics.
show ethernet cfm statistics [domain {name | level}
vlan-id vlan-id mpid mpid
EXEC Privilege
FTOS#
show ethernet cfm statistics
Domain Name: Customer
Domain Level: 7
MA Name: My_MA
MPID: 300
CCMs:
Transmitted:
LTRs:
Unexpected Rcvd:
LBRs:
Received:
Received Bad MSDU:
Transmitted:
Display CFM statistics by port.
1503
RcvdSeqErrors:
0
0
0
0
0
Rcvd Out Of Order:
show ethernet cfm port-statistics [interface]
0
EXEC Privilege
FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5
Port statistics for port: Gi 0/5
==================================
RX Statistics
=============
Total CFM Pkts 75394 CCM Pkts 75394
LBM Pkts 0 LTM Pkts 0
LBR Pkts 0 LTR Pkts 0
Bad CFM Pkts 0 CFM Pkts Discarded 0
CFM Pkts forwarded 102417
TX Statistics
=============
Total CFM Pkts 10303 CCM Pkts 0
LBM Pkts 0 LTM Pkts 3
LBR Pkts 0 LTR Pkts 0
802.1ag | 83
�84
|
802.1ag
www.dell.com | support.dell.com
�6
802.1X
802.1X is supported on platforms:
ecsz
Protocol Overview
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed
from sending or receiving packets on the network until its identity can be verified (through a username and
password, for example). This feature is named for its IEEE specification.
802.1X employs Extensible Authentication Protocol (EAP)* to transfer a device’s credentials to an
authentication server (typically RADIUS) via a mandatory intermediary network access device, in this
case, a Dell Force10 switch. The network access device mediates all communication between the end-user
device and the authentication server so that the network remains secure. The network access device uses
EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to
communicate with the server.
The illustration above and the illustration below show how EAP frames are encapsulated in Ethernet and
RADIUS frames.
802.1X | 85
�www.dell.com | support.dell.com
Start Frame
Delimiter
Preamble
Destination MAC
(1:80:c2:00:00:03)
Source MAC
(Auth Port MAC)
EAPOL Frame
Ethernet Type
(0x888e)
Protocol Version
Range: 0-4
(1)
Type: 0: EAP Packet
1: EAPOL Start
2: EAPOL Logoff
3: EAPOL Key
4: EAPOL Encapsulated-ASF-Alert
Range: 1-4
Codes: 1: Request
2: Response
3: Success
4: Failure
Packet Type
Code
(0-4)
ID
(Seq Number)
FCS
EAP Frame
Length
Range: 1-255
Codes: 1: Identity
2: Notification
3: NAK
4: MD-5 Challenge
5: One-Time Challenge
6: Generic Token Card
*
Padding
EAP-Method Frame
Length
EAP-Method
Code
(0-255)
Length
EAP-Method Data
(Supplicant Requested Credentials)
Note: FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.
The authentication process involves three devices:
•
The device attempting to access the network is the supplicant. The supplicant is not allowed to
communicate on the network until the port is authorized by the authenticator. It can only communicate
with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenicator is the gate
keeper of the network. It translates and forwards requests and responses between the authentication
server and the supplicant. The authenticator also changes the status of the port based on the results of
the authentication process. The Dell Force10 switch is the authenticator.
The authentication-server selects the authentication method, verifies the information provided by the
supplicant, and grants it network access privileges.
•
•
Ports can be in one of two states:
•
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in
or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In
this state, network traffic can be forwarded normally.
•
Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default.
The Port-authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down
to up:
86
|
802.1X
�1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an
EAP Identity Request Frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a
RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is request that the
supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The
challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides
the requested challenge information in an EAP Response, which is translated and forwarded to the
authentication server as another Access-Request.
6. If the identity information provided by the supplicant is valid, the authentication server sends an
Access-Accept frame in which network privileges are specified. The authenticator changes the port
state to authorized, and forwards an EAP Success frame. If the identity information is invalid, the
server sends and Access-Reject frame. The port state remains unauthorized, and the authenticator
forwards EAP Failure frame
Supplicant
Authenticator
EAP over LAN (EAPOL)
Authentication
Server
EAP over RADIUS
Request Identity
Response Identity
Access Request
Access Challenge
EAP Request
EAP Reponse
Access Request
Access {Accept | Reject}
EAP {Sucess | Failure}
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as
defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type,
Length, Value (TLV) format. The Type value for EAP messages is 79.
802.1X | 87
�www.dell.com | support.dell.com
Code
Identifier
Length
Range: 1-4
Codes: 1: Access-Request
2: Access-Accept
3: Access-Reject
11: Access-Challenge
Message-Authenticator
Attribute
Type
(79)
EAP-Message Attribute
Length
EAP-Method Data
(Supplicant Requested Credentials)
fnC0034mp
RADIUS Attributes for 802.1 Support
Dell Force10 systems includes the following RADIUS attributes in all 802.1X-triggered Access-Request
messages:
•
•
•
•
Attribute 31—Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41—NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61—NAS-Port: the physical port number by which the authenticator is connected to the
supplicant.
Attribute 81—Tunnel-Private-Group-ID: associate a tunneled session with a particular group of
users.
Configuring 802.1X
Configuring 802.1X on a port is a one-step process:
1. Enabling 802.1X.
Related Configuration Tasks
•
•
•
•
•
•
88
|
802.1X
Configuring Request Identity Re-transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-authenticating a Port
Configuring Timeouts
Configuring a Guest VLAN
Configuring an Authentication-fail VLAN
�Important Points to Remember
•
•
•
•
FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary
RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.
Enabling 802.1X
802.1X must be enabled globally.
To enable 802.1X:
Step
Task
Command Syntax
Command Mode
1
Enable 802.1X globally.
dot1x authentication
CONFIGURATION
2
Enter INTERFACE mode on an interface or a range of
interfaces.
interface [range]
INTERFACE
3
Enable 802.1X on the supplicant interface only.
dot1x authentication
INTERFACE
Verify that 802.1X is enabled globally and at interface level using the command show running-config | find
dot1x from EXEC Privilege mode, as shown in the example below.
FTOS#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
802.1X | 89
�www.dell.com | support.dell.com
no ip address
dot1x authentication
no shutdown
!
FTOS#
View 802.1X configuration information for an interface using the command show dot1x interface, as
shown in the example below.
FTOS#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
----------------------------Dot1x Status:
Enable
Port Control:
AUTO
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Disable
Untagged VLAN id:
None
Guest VLAN:
Disable
Guest VLAN id:
NONE
Auth-Fail VLAN:
Disable
Auth-Fail VLAN id:
NONE
Auth-Fail Max-Attempts:
NONE
Mac-Auth-Bypass:
Disable
Mac-Auth-Bypass Only:
Disable
Tx Period:
30 seconds
Quiet Period:
60 seconds
ReAuth Max:
2
Supplicant Timeout:
30 seconds
Server Timeout:
30 seconds
Re-Auth Interval:
3600 seconds
Max-EAP-Req:
2
Host Mode:
SINGLE_HOST
Auth PAE State:
Initialize
Backend State:
Initialize
Configuring Request Identity Re-transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator
waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before
re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Note: There are several reasons why the supplicant might fail to respond; the supplicant might have been
booting when the request arrived, or there might be a physical layer problem.
90
|
802.1X
�To configure the amount of time that the authenticator waits before re-transmitting an EAP Request
Identity frame:
Step
1
Task
Command Syntax
Command Mode
Configure the amount of time that the authenticator
waits before re-transmitting an EAP Request Identity
frame.
dot1x tx-period number
INTERFACE
Range: 1 - 65535 (1 year)
Default: 30
To configure a maximum number of Request Identity re-transmissions:
Step
1
Task
Command Syntax
Command Mode
Configure a maximum number of times that a Request
Identity frame can be re-transmitted by the
authenticator.
dot1x max-eap-req number
INTERFACE
Range: 1- 10
Default: 2
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information
for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and
re-transmits a maximum of 10 times.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame
after 30 seconds by default, but this period can be configured.
Note: The quiet period (dot1x quiet-period) is an transmit interval for after a failed authentication where as
the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure the quiet period after a failed authentication:
Step
1
Task
Command Syntax
Command Mode
Configure the amount of time that the authenticator
waits to re-transmit a Request Identity frame after a
failed authentication.
dot1x quiet-period seconds
INTERFACE
Range: 1- 65535
Default: 60
The example below shows configuration information for a port for which the authenticator re-transmits an
EAP Request Identity frame:
•
•
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
Re-transmits an EAP Request Identity frame
FTOS(conf-if-range-Te-0/0)#dot1x tx-period 90
FTOS(conf-if-range-Te-0/0)#dot1x max-eap-req 10
FTOS(conf-if-range-Te-0/0)#dot1x quiet-period 120
FTOS#show dot1x interface TenGigabitEthernet 2/1
802.1X | 91
�www.dell.com | support.dell.com
802.1x information on Te 2/1:
----------------------------Dot1x Status:
Enable
Port Control:
AUTO
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Disable
Untagged VLAN id:
None
Tx Period:
90 seconds
Quiet Period:
120 seconds
ReAuth Max:
2
Supplicant Timeout: 30 seconds
Server Timeout:
30 seconds
Re-Auth Interval:
3600 seconds
Max-EAP-Req:
10
Auth Type:
SINGLE_HOST
Auth PAE State:
Backend State:
Initialize
Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
•
ForceAuthorized is an authorized state. A device connected to this port in this state is never subjected
to the authentication process, but is allowed to communicate on the network. Placing the port in this
state is same as disabling 802.1X on the port.
ForceUnauthorized an unauthorized state. A device connected to a port in this state is never subjected
to the authentication process and is not allowed to communicate on the network. Placing the port in
this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication
is ignored.
Auto is an unauthorized state by default. A device connected to this port is this state is subjected to the
authentication process. If the process is successful, the port is authorized and the connected device can
communicate on the network. All ports are placed in the auto state by default.
•
•
To place a port in one of these three states:
Step
1
Task
Command Syntax
Command Mode
Place a port in the ForceAuthorized,
ForceUnauthorized, or Auto state.
dot1x port-control {force-authorized |
force-unauthorized | auto}
INTERFACE
Default: auto
The example below shows configuration information for a port that has been force-authorized.
FTOS(conf-if-Te-0/0)#dot1x port-control force-authorized
FTOS(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0
92
|
802.1X
�802.1x information on Te 0/0:
----------------------------Dot1x Status:
Enable
Port Control:
FORCE_AUTHORIZED
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Disable
Untagged VLAN id:
None
Tx Period:
90 seconds
Quiet Period:
120 seconds
ReAuth Max:
2
Supplicant Timeout: 30 seconds
Server Timeout:
30 seconds
Re-Auth Interval:
3600 seconds
Max-EAP-Req:
10
Auth Type:
SINGLE_HOST
Auth PAE State:
Backend State:
Auth PAE State:
Backend State:
Initialize
Initialize
Initialize
Initialize
Re-authenticating a Port
Periodic Re-authentication
After the supplicant has been authenticated, and the port has been authorized, the authenticator can be
configured to re-authenticates the supplicant periodically. If re-authentication is enabled, the supplicant is
required to re-authenticate every 3600 seconds, but this interval can be configured. A maximum number of
re-authentications can be configured as well.
To configure a re-authentication or a re-authentication period:
Step
1
Task
Command Syntax
Command Mode
Configure the authenticator to
periodically re-authenticate the
supplicant.
dot1x reauthentication [interval] seconds
INTERFACE
Range: 1-65535
Default:3600
802.1X | 93
�www.dell.com | support.dell.com
To configure a maximum number of re-authentications:
Step
1
Task
Command Syntax
Command Mode
Configure the maximum number of
times that the supplicant can be
reauthenticated.
dot1x reauth-max number
INTERFACE
Range: 1-10
Default: 2
FTOS(conf-if-Te-0/0)#dot1x reauthentication interval 7200
FTOS(conf-if-Te-0/0)#dot1x reauth-max 10
FTOS(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
----------------------------Dot1x Status:
Enable
Port Control:
FORCE_AUTHORIZED
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Enable
Untagged VLAN id:
None
Tx Period:
90 seconds
Quiet Period:
120 seconds
ReAuth Max:
10
Supplicant Timeout: 30 seconds
Server Timeout:
30 seconds
Re-Auth Interval:
7200 seconds
Max-EAP-Req:
10
Auth Type:
SINGLE_HOST
Auth PAE State:
Backend State:
Auth PAE State:
Backend State:
Initialize
Initialize
Initialize
Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the
authentication process after 30 seconds by default. This amount of time that the authenticator waits for a
response can be configured.
To terminate the authentication process due to an unresponsive supplicant:
Step
1
Task
Command Syntax
Command Mode
Terminate the authentication process due to an
unresponsive supplicant.
dot1x supplicant-timeout seconds
INTERFACE
Range: 1-300
Default: 30
94
|
802.1X
�To terminate the authentication process due to an unresponsive authentication server:
Step
1
Task
Command Syntax
Command Mode
Terminate the authentication process due to an
unresponsive authentication server.
dot1x server-timeout seconds
INTERFACE
Range: 1-300
Default: 30
The example below shows configuration information for a port for which the authenticator terminates the
authentication process for an unresponsive supplicant or server after 15 seconds.
FTOS(conf-if-Te-0/0)#dot1x port-control force-authorized
FTOS(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
----------------------------Dot1x Status:
Enable
Port Control:
FORCE_AUTHORIZED
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Disable
Untagged VLAN id:
None
Guest VLAN:
Disable
Guest VLAN id:
NONE
Auth-Fail VLAN:
Disable
Auth-Fail VLAN id:
NONE
Auth-Fail Max-Attempts:
NONE
Tx Period:
90 seconds
Quiet Period:
120 seconds
ReAuth Max:
10
Supplicant Timeout:
15 seconds
Server Timeout:
15 seconds
Re-Auth Interval:
7200 seconds
Max-EAP-Req:
10
Auth Type:
SINGLE_HOST
Auth PAE State:
Backend State:
Initialize
Initialize
802.1X | 95
�www.dell.com | support.dell.com
Dynamic VLAN Assignment with Port Authentication
FTOS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is
RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x
procedure: 1) the host sends a dot1x packet to the Dell Force10system, 2) the system forwards a RADIUS
REQEST packet containing the host MAC address and ingress port number, and 3) the RADIUS server
authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using
Tunnel-Private-Group-ID.
Step
Task
1
Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to
the illustration in Dynamic VLAN Assignment with Port Authentication).
2
Make the interface a switchport so that it can be assigned to a VLAN.
3
Create the VLAN to which the interface will be assigned.
4
Connect the supplicant to the port configured for 802.1X.
5
Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic
VLAN Assignment with Port Authentication).
The illustration below shows the configuration on the Dell Force10 system before connecting the end-user
device in black and blue text, and after connecting the device in red text. The blue text corresponds to the
preceding numbered steps on dynamic VLAN assignment with 802.1X.
96
|
802.1X
�Guest and Authentication-fail VLANs
Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the
supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places
it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates
in the authentication data.
Note: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this
behavior is not appropriate. External users of an enterprise network, for example, might not be able to be
authenticated, but still need access to the network. Also, some dumb-terminals such as network printers do
not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such
devices, they must be allowed access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices,
and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
•
•
If the supplicant fails authentication a specified number of times, the authenticator places the port in
the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, then the port is moved out
of the Guest VLAN, and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, (refer to
Configuring Timeouts) the system assumes that the host does not have 802.1X capability, and the port is
placed in the Guest VLAN.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the command dot1x guest-vlan from INTERFACE mode, as shown in the example below.
FTOS(conf-if-Te-2/1)#dot1x guest-vlan 200
FTOS(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
switchport
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-Te 2/1))#
View your configuration using the command show config from INTERFACE mode, as shown in the
example above, or using the command show dot1x interface command from EXEC Privilege mode as
shown in the second example below.
802.1X | 97
�www.dell.com | support.dell.com
Configuring an Authentication-fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount
of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication). You can
configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by
default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process as specified number of
times using the command dot1x auth-fail-vlan from INTERFACE mode, as shown in the example below.
Configure the maximum number of authentication attempts by the authenticator using the keyword
max-attempts with this command.
FTOS(conf-if-Te-2/1)#dot1x guest-vlan 200
FTOS(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-Te-2/1)#
FTOS(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
FTOS(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
FTOS(conf-if-Te-2/1)#
View your configuration using the command show config from INTERFACE mode, as shown in the
example in Configuring a Guest VLAN, or using the command show dot1x interface command from EXEC
Privilege mode as shown in the example below.
FTOS(conf-if-Te 2/1)#dot1x port-control force-authorized
FTOS(conf-if-Te 2/1)#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
----------------------------Dot1x Status:
Enable
Port Control:
FORCE_AUTHORIZED
Port Auth Status:
UNAUTHORIZED
Re-Authentication:
Disable
Untagged VLAN id:
None
Guest VLAN:
Disabled
Guest VLAN id:
200
Auth-Fail VLAN:
Disabled
98
|
802.1X
�Auth-Fail VLAN id:
Auth-Fail Max-Attempts:
Tx Period:
Quiet Period:
ReAuth Max:
Supplicant Timeout:
Server Timeout:
Re-Auth Interval:
Max-EAP-Req:
Auth Type:
100
5
90 seconds
120 seconds
10
15 seconds
15 seconds
7200 seconds
10
SINGLE_HOST
Auth PAE State:
Backend State:
Initialize
Initialize
802.1X | 99
�100
|
802.1X
www.dell.com | support.dell.com
�7
Access Control Lists (ACLs)
This chapter describes the Access Control Lists (ACLs), prefix lists, and route-maps.
ecsz
Ingress IP and MAC ACLs are supported on platforms: e c s z
Egress IP and MAC ACLs are supported on platforms: e s z
Access Control Lists (ACLs) are supported on platforms:
Overview
At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based
on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists and
Route-maps. For MAC ACLS, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, TCP, or UDP packets) and an
action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the
criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the
switch drops or forwards the packet based on the filter’s specified action. If the packet does not match any
of the filters in the ACL, the packet is dropped ( implicit deny).
The number of ACLs supported on a system depends on your CAM size. See CAM Profiling, CAM
Allocation, and CAM Optimization in this chapter for more information. Refer to Content Addressable
Memory (CAM) for complete CAM profiling information.
This chapter covers the following topics:
•
•
•
•
•
•
•
•
IP Access Control Lists (ACLs)
• CAM Profiling, CAM Allocation, and CAM Optimization
• Implementing ACLs on FTOS
IP Fragment Handling
Configure a standard IP ACL
Configure an extended IP ACL
Configuring Layer 2 and Layer 3 ACLs on an Interface
Assign an IP ACL to an Interface
Configuring Ingress ACLs
Configuring Egress ACLs
Access Control Lists (ACLs) | 101
�www.dell.com | support.dell.com
•
•
•
•
Configuring ACLs to Loopback
• Applying an ACL on Loopback Interfaces
IP Prefix Lists
ACL Resequencing
Route Maps
IP Access Control Lists (ACLs)
In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A
standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the
following criteria (for more information on ACL supported options see the FTOS Command Reference):
•
•
•
•
•
•
•
IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number
For extended ACL TCP and UDP filters, you can match criteria on specific or ranges of TCP or UDP
ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning
sequence numbers to the filters as you enter them, or FTOS will assign numbers in the order the filters are
created. The sequence numbers, whether configured or assigned by FTOS, are listed in the show config
and show ip accounting access-list command display output.
Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already
written into CAM) without disrupting traffic flow. Existing entries in CAM are shuffled to accommodate
the new entries. Hot Lock ACLs are enabled by default and support both standard and extended ACLs and
on all platforms.
Note: Hot Lock ACLs are supported for Ingress ACLs only.
CAM Profiling, CAM Allocation, and CAM Optimization
CAM Profiling is supported on platform
e
User Configurable CAM Allocations are supported on platform
CAM optimization is supported on platforms
102
|
Access Control Lists (ACLs)
cs
c and s
�CAM Profiling
CAM optimization is supported on platforms
et
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2
ingress ACLs, select the profile l2-ipv4-inacl.
When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS
rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP
rules with port range options might require more than one CAM entry.
The Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 7-1 lists the
sub-partition and the percentage of the Layer 2 ACL CAM partition that FTOS allocates to each by default.
Table 7-1.
Partition
Layer 2 ACL CAM Sub-partition Sizes
% Allocated
Sysflow
6
L2ACL
14
*PVST
50
QoS
12
L2PT
13
FRRP
5
You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the
IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or
CONFIGURATION mode.
The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that
the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the
amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. FTOS displays
the following message if the total allocated space is not correct:
% Error: Sum of all regions does not total to 100%.
User Configurable CAM Allocation
User Configurable CAM Allocations are supported on platform
c and
Allocate space for IPV6 ACLs on the by using the cam-acl command in CONFIGURATION mode.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there
are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM
Allocation settings on a C-Series matching are:
Access Control Lists (ACLs) | 103
�www.dell.com | support.dell.com
•
•
•
•
•
L3 ACL (ipv4acl): 6
L2 ACL(l2acl): 5
IPv6 L3 ACL (ipv6acl): 0
L3 QoS (ipv4qos): 1
L2 QoS (l2qos): 1
The ipv6acl allocation must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use
either even or odd numbered ranges.
You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the
system for the new settings to take effect.
CAM optimization
CAM optimization is supported on platforms
cs
When this command is enabled, if a Policy Map containing classification rules (ACL and/or dscp/
ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single
copy of the policy is written (only 1 FP entry will be used). When the command is disabled, the system
behaves as described in this chapter.
Test CAM Usage
The test cam-usage command is supported on platforms
ces
This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS
optimization for IPv6 ACLs.
Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege
mode to verify the actual CAM space required. The example below gives a sample of the output shown
when executing the command. The status column indicates whether or not the policy can be enabled.
FTOS#test cam-usage service-policy input TestPolicy linecard all
Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
-----------------------------------------------------------------------------------------2 |
1 | IPv4Flow
|
232 |
0 | Allowed
2 |
1 | IPv6Flow
|
0 |
0 | Allowed
4 |
0 | IPv4Flow
|
232 |
0 | Allowed
4 |
0 | IPv6Flow
|
0 |
0 | Allowed
FTOS#
104
|
Access Control Lists (ACLs)
�Implementing ACLs on FTOS
One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not
used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for
detailed specification on entries allowed per ACL.
If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new
rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable
to the following features:
•
•
•
L2 Ingress Access list
L2 Egress Access list
L3 Egress Access list
Note: IP ACLs are supported over VLANs in Version 6.2.1.1 and higher.
V
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port. For example,
when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries would get
installed in the ACL CAM on the port-pipe. The entry would look for the incoming VLAN in the packet.
Whereas if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries would be
installed for each port belonging to a port-pipe.
When you use the log keyword, CP processor will have to log details about the packets that match.
Depending on how many packets match the log entry and at what rate, CP might become busy as it has to
log these packets’ details. However the other processors (RP1 and RP2) should be unaffected. This option
is typically useful when debugging some problem related to control traffic. We have used this option
numerous times in the field and have not encountered any problems in such usage so far.
ACL Optimization
If an access list contains duplicate entries, FTOS deletes one entry to conserve CAM space. Standard and
Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM entries whether
it is identified as a Standard or Extended ACL.
Determine the order in which ACLs are used to classify traffic
When you link class-maps to queues using the command service-queue, FTOS matches the class-maps
according to queue priority (queue numbers closer to 0 have lower priorities). For example, in the example
below, class-map cmap2 is matched against ingress packets before cmap1.
Access Control Lists (ACLs) | 105
�www.dell.com | support.dell.com
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be
buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules, as shown in the example
below. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers
(order numbers closer to 0) before rules with higher order numbers so that packets are matched as you
intended. By default, all ACL rules have an order of 254.
FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(config-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface gig 1/0
FTOS(conf-if-gi-1/0)#service-policy input pmap
IP Fragment Handling
FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and
subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer
3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
•
•
•
•
•
•
106
|
Both standard and extended ACLs support IP fragments.
Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the
packet as a whole cannot be reassembled.
Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry.
For IP ACL, FTOS always applies implicit deny. You do not have to configure it.
For IP ACL, FTOS applies implicit permit for second and subsequent fragment just prior to the
implicit deny.
If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit
rule for fragments.
Access Control Lists (ACLs)
�•
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with
the fragments option and apply it to a loopback interface, the command is accepted, but the ACL
entries are not actually installed the offending rule in CAM.
IP fragments ACL examples
The following configuration permits all packets (both fragmented & non-fragmented) with destination IP
10.1.1.1. The second rule does not get hit at all.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1./32 fragments
FTOS(conf-ext-nacl)
To deny second/subsequent fragments, use the same rules in a different order. These ACLs deny all second
& subsequent fragments with destination IP 10.1.1.1 but permit the first fragment & non fragmented
packets with destination IP 10.1.1.1.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
FTOS(conf-ext-nacl)
Layer 4 ACL rules examples
In the below scenario, first fragments non-fragmented TCP packets from 10.1.1.1 with TCP destination
port equal to 24 are permitted. All other fragments are denied.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)
In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP
destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are
permitted. All other IP packets that are non-first fragments are denied.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)
To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/
UDP fragments, use a configuration similar to the following.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp any any fragment
FTOS(conf-ext-nacl)#permit udp any any fragment
FTOS(conf-ext-nacl)#deny ip any any log
Access Control Lists (ACLs) | 107
�www.dell.com | support.dell.com
FTOS(conf-ext-nacl)
Note the following when configuring ACLs with the fragments keyword.
When an ACL filters packets it looks at the Fragment Offset (FO) to determine whether or not it is a fragment.
•
•
FO = 0 means it is either the first fragment or the packet is a non-fragment.
FO > 0 means it is dealing with the fragments of the original packet.
Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is
checked.
•
•
If a packet's FO > 0, the packet is permitted.
If a packet's FO = 0 , the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment offset (FO) is
checked.
•
•
If a packet's FO > 0, the packet is denied.
If a packet's FO = 0, the next ACL line is processed.
Configure a standard IP ACL
To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The
following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface
Reference document.
Refer to Configure an extended IP ACL to set up extended ACLs.
A standard IP ACL uses the source IP address as its match criterion.
To configure a standard IP ACL, use these commands in the following sequence:
Step
1
2
108
|
Command Syntax
Command Mode
Purpose
ip access-list standard access-listname
CONFIGURATION
Enter IP ACCESS LIST mode by
naming a standard IP access list.
seq sequence-number {deny | permit}
{source [mask] | any | host ip-address}
[count [byte] | log ] [order] [monitor]
[fragments]
CONFIG-STD-NACL
Configure a drop or forward filter. The
parameters are:
• log and monitor options are
supported on E-Series only.
Access Control Lists (ACLs)
�Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or
another number.
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting
access-list ACL-name interface interface command in EXEC Privilege mode as shown in the example
below.
FTOS#show ip accounting access ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
FTOS#
The example below illustrates how the seq command orders the filters according to the sequence number
assigned. In the example, filter 25 was configured before filter 15, but the show config command displays
the filters in the correct order.
FTOS(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
FTOS(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any
FTOS(config-std-nacl)#show config
!
ip access-list standard dilling
seq 15 permit tcp 10.3.0.0/16 any
seq 25 deny ip host 10.5.0.0 any log
FTOS(config-std-nacl)#
To delete a filter, use the no seq sequence-number command in the IP ACCESS LIST mode.
If you are creating a standard ACL with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. The software assigns filters in multiples of 5.
Access Control Lists (ACLs) | 109
�www.dell.com | support.dell.com
To configure a filter without a specified sequence number, use these commands in the following sequence,
starting in the CONFIGURATION mode:
Step
1
Command Syntax
Command Mode
Purpose
ip access-list standard
CONFIGURATION
Create a standard IP ACL and assign it a
unique name.
CONFIG-STD-NACL
Configure a drop or forward IP ACL filter.
• log and monitor options are supported
on E-Series only.
access-list-name
2
{deny | permit} {source [mask] | any
| host ip-address} [count [byte] |
log ] [order] [monitor] [fragments]
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
The example below illustrates a standard IP ACL in which the sequence numbers were assigned by the
FTOS. The filters were assigned sequence numbers based on the order in which they were configured (for
example, the first filter was given the lowest sequence number). The show config command in the IP
ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
FTOS(config-route-map)#ip access standard kigali
FTOS(config-std-nacl)#permit 10.1.0.0/16
FTOS(config-std-nacl)#show config
!
ip access-list standard kigali
seq 5 permit 10.1.0.0/16
FTOS(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command in the EXEC Privilege
mode as shown in the example below.
FTOS#show ip accounting access example interface gig 4/12
Extended IP access list example
seq 10 deny tcp any any eq 111
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in the IP ACCESS LIST mode and locate the sequence
number of the filter you want to delete. Then use the no seq sequence-number command in the IP ACCESS
LIST mode.
110
|
Access Control Lists (ACLs)
�Configure an extended IP ACL
Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP
host addresses, UDP addresses, and UDP host addresses.
Since traffic passes through the filter in the order of the filter’s sequence, you can configure the extended
IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in an extended ACL with IPv6
microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered with a TCP
filter included.
FTOS(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq
8 of list test as individual TCP flags are not supported on linecard 0
Configure filters with sequence number
To create a filter for packets with a specified sequence number, use these commands in the following
sequence, starting in the CONFIGURATION mode:
Step
1
2
Command Syntax
Command Mode
Purpose
ip access-list extended
access-list-name
CONFIGURATION
Enter the IP ACCESS LIST mode by creating
an extended IP ACL.
CONFIG-EXT-NACL
Configure a drop or forward filter.
• log and monitor options are supported on
E-Series only.
seq sequence-number
{deny | permit}
{ip-protocol-number |
icmp | ip | tcp | udp}
{source mask | any | host
ip-address} {destination
mask | any | host
ip-address} [operator
port [port]] [count [byte]
| log ] [order] [monitor]
[fragments]
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
Access Control Lists (ACLs) | 111
�www.dell.com | support.dell.com
TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in
the following sequence, starting in the CONFIGURATION mode:
Step
1
Command Syntax
Command Mode
Purpose
ip access-list extended
CONFIGURATION
Create an extended IP ACL and assign it a
unique name.
CONFIG-EXT-NACL
Configure an extended IP ACL filter for TCP
packets.
• log and monitor options are supported on
E-Series only.
access-list-name
2
seq sequence-number
{deny | permit} tcp
{source mask | any |
host ip-address}}
[count [byte] | log ]
[order] [monitor]
[fragments]
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
UDP packets: To create a filter for UDP packets with a specified sequence number, use these commands
in the following sequence, starting in the CONFIGURATION mode:
Step
1
Command Syntax
Command Mode
Purpose
ip access-list extended
CONFIGURATION
Create a extended IP ACL and assign it a unique
name.
CONFIG-EXT-NACL
Configure an extended IP ACL filter for UDP
packets.
• log and monitor options are supported on
E-Series only.
access-list-name
2
seq
sequence-number
{deny | permit}
{ip-protocol-number
udp} {source mask |
any | host ip-address}
{destination mask |
any | host ip-address}
[operator port [port]]
[count [byte] | log ]
[order] [monitor]
[fragments]
When you create the filters with a specific sequence number, you can create the filters in any order and the
filters are placed in the correct order.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or
another number.
112
|
Access Control Lists (ACLs)
�The following example illustrates how the seq command orders the filters according to the sequence
number assigned. In the example, filter 15 was configured before filter 5, but the show config command
displays the filters in the correct order.
FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
FTOS(config-ext-nacl)#show confi
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 0.0.255.255 any
seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#
Configure filters without sequence number
If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. FTOS assigns filters in multiples of 5.
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the
following commands in the IP ACCESS LIST mode:
Command Syntax
Command Mode
Purpose
{deny | permit} {source mask | any
| host ip-address} [count [byte] |
log ] [order] [monitor] [fragments]
CONFIG-EXT-NACL
Configure a deny or permit filter to
examine IP packets.
• log and monitor options are
supported on E-Series only.
{deny | permit} tcp {source mask] |
any | host ip-address}} [count
[byte] | log ] [order] [monitor]
[fragments]
CONFIG-EXT-NACL
Configure a deny or permit filter to
examine TCP packets.
• log and monitor options are
supported on E-Series only.
{deny | permit} udp {source mask |
any | host ip-address}} [count
[byte] | log ] [order] [monitor]
[fragments]
CONFIG-EXT-NACL
Configure a deny or permit filter to
examine UDP packets.
• log and monitor options are
supported on E-Series only.
When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’
details.
The following example illustrates an extended IP ACL in which the sequence numbers were assigned by
the software. The filters were assigned sequence numbers based on the order in which they were
configured (for example, the first filter was given the lowest sequence number). The show config
command in the IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
FTOS(config-ext-nacl)#deny tcp host 123.55.34.0 any
FTOS(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
Access Control Lists (ACLs) | 113
�www.dell.com | support.dell.com
FTOS(config-ext-nacl)#show config
!
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
FTOS(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip
accounting access-list command in the EXEC Privilege mode as shown in the first example in Configure
a standard IP ACL.
Established Flag
The est (established) flag is deprecated for Terascale series line cards.The flag is only available on legacy
EtherScale linecards. Employ the ack and rst flags instead to achieve the same functionality.
To obtain the functionality of est, use the following ACLs:
•
•
permit tcp any any rst
permit tcp any any ack
Configuring Layer 2 and Layer 3 ACLs on an Interface
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3
ACLs are applied to an interface, the following rules apply:
•
•
•
The packets routed by FTOS are governed by the L3 ACL only, since they are not filtered against an
L2 ACL.
The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
When packets are switched by FTOS, the egress L3 ACL does not filter the packet.
For the following features, if counters are enabled on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters will be reset:
•
•
•
L2 Ingress Access list
L3 Egress Access list
L2 Egress Access list
If a rule is simply appended, existing counters are not affected.
Table 7-2.
114
|
L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior
L3 ACL Behavior
Decision on Targeted Traffic
Deny
Deny
Denied by L3 ACL
Deny
Permit
Permitted by L3 ACL
Access Control Lists (ACLs)
�Table 7-2.
L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior
L3 ACL Behavior
Decision on Targeted Traffic
Permit
Deny
Denied by L3 ACL
Permit
Permit
Permitted by L3 ACL
Note: If an interface is configured as a vlan-stack access port, the packets are filtered by an L2 ACL only.
The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as
trace-list, PBR, and QoS) are applied accordingly to the permitted traffic.
For information on MAC ACLs, refer to Layer 2.
Assign an IP ACL to an Interface
Ingress IP ACLs are supported on platforms:
c
Ingress and Egress IP ACLs are supported on platform:
e and s
To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL “ABCD”, and apply it using the in keyword and it becomes an ingress access list. If you
apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to
the loopback interface, it becomes a loopback access list.
This chapter covers the following topics:
•
•
•
Configuring Ingress ACLs
Configuring Egress ACLs
Configuring ACLs to Loopback
For more information on Layer-3 interfaces, refer to Interfaces.
To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in
the following sequence in the INTERFACE mode:
Step
Command Syntax
Command Mode
Purpose
1
interface interface slot/port
CONFIGURATION
Enter the interface number.
2
ip address ip-address
INTERFACE
Configure an IP address for the interface, placing
it in Layer-3 mode.
Access Control Lists (ACLs) | 115
�www.dell.com | support.dell.com
Step
Command Syntax
Command Mode
Purpose
3
ip access-group access-list-name
{in | out} [implicit-permit] [vlan
vlan-range]
INTERFACE
Apply an IP ACL to traffic entering or exiting an
interface.
• out: configure the ACL to filter outgoing
traffic. This keyword is supported only on
E-Series.
Note: The number of entries allowed per ACL is
hardware-dependent. Refer to your line card
documentation for detailed specification on entries
allowed per ACL.
ip access-list [standard |
extended] name
4
INTERFACE
Apply rules to the new ACL.
To view which IP ACL is applied to an interface, use the show config command in the INTERFACE mode
as shown below or the show running-config command in the EXEC mode.
FTOS(conf-if)#show conf
!
interface GigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
FTOS(conf-if)#
Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL
entries. E-Series supports packet and byte counts simultaneously. C-Series and S-Series support only one
at any given time.
To view the number of packets matching an ACL that is applied to an interface:
Step
116
|
Task
1
Create an ACL that uses rules with the count option. See Configure a standard IP ACL
2
Apply the ACL as an inbound or outbound ACL on an interface. See Assign an IP ACL to an Interface
3
View the number of packets matching the ACL using the show ip accounting access-list from EXEC
Privilege mode.
Access Control Lists (ACLs)
�Configuring Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system.These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target
traffic, it is a simpler implementation.
To create an ingress ACLs, use the ip access-group command in the EXEC Privilege mode as shown
below. This example also shows applying the ACL, applying rules to the newly created access group, and
viewing the access list:
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd in
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Configuring Egress ACLs
Egress ACLs are supported on platforms
e and
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack—malicious and incidental—by
explicitly allowing only authorized traffic.These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieves the same results. By localizing target traffic, it is a simpler
implementation.
An egress ACL is used when users would like to restrict egress traffic. For example, when a DOS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
Access Control Lists (ACLs) | 117
�www.dell.com | support.dell.com
To create an egress ACLs, use the ip access-group command in the EXEC Privilege mode as shown in the
example below. This example also shows viewing the configuration, applying rules to the newly created
access group, and viewing the access list:
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd out
FTOS(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping
session from the system, for example, and apply an egress ACL to block this type of traffic on the
interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature
enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully..
Task
Command Syntax
Command Mode
Apply Egress ACLs to IPv4 system
traffic.
ip control-plane [egress filter]
CONFIGURATION
Apply Egress ACLs to IPv6 system
traffic.
ipv6 control-plane [egress filter]
CONFIGURATION
Create a Layer 3 ACL using permit
rules with the count option to describe
the desired CPU traffic
permit ip {source mask | any |
host ip-address} {destination mask
| any | host ip-address} count
CONFIG-NACL
Note: The ip control-plane [egress filter] and the ipv6 control-plane [egress filter] commands are not
supported on S4810 systems.
118
|
Access Control Lists (ACLs)
�FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is
enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC
address instead of VRRP virtual MAC address.
Configuring ACLs to Loopback
ACLs can be supplied on Loopback interfaces supported on platform
e
Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack—
malicious and incidental—by explicate allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to
apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it
is a simpler implementation.
The ACLs target and handle Layer 3 traffic destined to terminate on the system including routing
protocols, remote access, SNMP, ICMP, and etc. Effective filtering of Layer 3 traffic from Layer 3 routers
reduces the risk of attack.
Note: Loopback ACLs are supported only on ingress traffic.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the
fragments option and apply it to a loopback interface, the command is accepted, but the ACL entries are
not actually installed the offending rule in CAM.
See also Loopback Interfaces in the Interfaces chapter.
Applying an ACL on Loopback Interfaces
ACLs can be applied on Loopback interfaces supported on platform
e
To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:
Step
Command Syntax
Command Mode
Purpose
interface loopback 0
CONFIGURATION
Only loopback 0 is supported for the loopback
ACL.
2
ip access-list [standard |
extended] name
CONFIGURATION
Apply rules to the new ACL.
3
ip access-group name in
INTERFACE
Apply an ACL to traffic entering loopback.
• in: configure the ACL to filter incoming
traffic
Note: ACLs for loopback can only be
applied to incoming traffic.
1
Access Control Lists (ACLs) | 119
�www.dell.com | support.dell.com
To apply ACLs on loopback, use the ip access-group command in the INTERFACE mode as shown in the
example below. This example also shows the interface configuration status, adding rules to the access
group, and displaying the list of rules in the ACL:
FTOS(conf)#interface loopback 0
FTOS(conf-if-lo-0)#ip access-group abcd in
FTOS(conf-if-lo-0)#show config
!
interface Loopback 0
no ip address
ip access-group abcd in
no shutdown
FTOS(conf-if-lo-0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on Loopback 0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 10 deny icmp any any
permit 1.1.1.2
Note: Refer to the section VTY Line Local Authentication and Authorization in the Security chapter.
IP Prefix Lists
Prefix Lists are supported on platforms:
cesz
IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching
criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are
processed in sequence so that if a route prefix does not match the criterion in the first filter, the second
filter (if configured) is applied. When the route prefix matches a filter, FTOS drops or forwards the packet
based on the filter’s designated action. If the route prefix does not match any of the filters in the prefix list,
the route is dropped (that is, implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route
prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be
matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address
112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
Below are some examples that permit or deny filters for specific routes using the le and ge parameters,
where x.x.x.x/x represents a route prefix:
120
|
Access Control Lists (ACLs)
�•
•
•
•
To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8
le 12
To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20
The following rules apply to prefix lists:
•
•
•
A prefix list without any permit or deny filters allows all routes.
An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a
permit or deny filter in a configured prefix list.
Once a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
Implementation Information
In FTOS, prefix lists are used in processing routes for routing protocols (for example, RIP, OSPF, and
BGP).
Note: The S-Series platform does not support all protocols. It is important to know which protocol you are
supporting prior to implementing Prefix-Lists.
Configuration Task List for Prefix Lists
To configure a prefix list, you must use commands in the PREFIX LIST, the ROUTER RIP, ROUTER
OSPF, and ROUTER BGP modes. Basically, you create the prefix list in the PREFIX LIST mode, and
assign that list to commands in the ROUTER RIP, ROUTER OSPF and ROUTER BGP modes.
The following list includes the configuration tasks for prefix lists:
•
•
Configure a prefix list
Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the FTOS Command Line Interface
Reference document.
Configure a prefix list
To configure a prefix list, use these commands in the following sequence, starting in the
CONFIGURATION mode:
Step
1
Command Syntax
Command Mode
Purpose
ip prefix-list prefix-name
CONFIGURATION
Create a prefix list and assign it a unique
name.
You are in the PREFIX LIST mode.
Access Control Lists (ACLs) | 121
�www.dell.com | support.dell.com
Step
Command Syntax
Command Mode
Purpose
2
seq sequence-number {deny |
permit} ip-prefix [ge
min-prefix-length] [le
max-prefix-length]
CONFIG-NPREFIXL
Create a prefix list with a sequence number
and a deny or permit action. The optional
parameters are:
• ge min-prefix-length: is the minimum
prefix length to be matched (0 to 32).
• le max-prefix-length: is the maximum
prefix length to be matched (0 to 32).
If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list
filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter should be the last filter in your
prefix list. To permit the default route only, enter permit 0.0.0.0/0.
The example below illustrates how the seq command orders the filters according to the sequence number
assigned. In the example, filter 20 was configured before filter 15 and 12, but the show config command
displays the filters in the correct order.
FTOS(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
FTOS(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
FTOS(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#
Note the last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix
list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in the PREFIX LIST mode.
If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. The FTOS assigns filters in multiples of
five.
To configure a filter without a specified sequence number, use these commands in the following sequence
starting in the CONFIGURATION mode:
Step
1
122
|
Command Syntax
Command Mode
Purpose
ip prefix-list prefix-name
CONFIGURATION
Create a prefix list and assign it a unique
name.
Access Control Lists (ACLs)
�Step
Command Syntax
Command Mode
Purpose
2
{deny | permit} ip-prefix [ge
min-prefix-length] [le
max-prefix-length]
CONFIG-NPREFIXL
Create a prefix list filter with a deny or
permit action. The optional parameters are:
• ge min-prefix-length: is the minimum
prefix length to be matched (0 to 32).
• le max-prefix-length: is the maximum
prefix length to be matched (0 to 32).
The example below illustrates a prefix list in which the sequence numbers were assigned by the software.
The filters were assigned sequence numbers based on the order in which they were configured (for
example, the first filter was given the lowest sequence number). The show config command in the
PREFIX LIST mode displays the two filters with the sequence numbers 5 and 10.
FTOS(conf-nprefixl)#permit 123.23.0.0 /16
FTOS(conf-nprefixl)#deny 133.24.56.0 /8
FTOS(conf-nprefixl)#show conf
!
ip prefix-list awe
seq 5 permit 123.23.0.0/16
seq 10 deny 133.0.0.0/8
FTOS(conf-nprefixl)#
To delete a filter, enter the show config command in the PREFIX LIST mode and locate the sequence
number of the filter you want to delete; then use the no seq sequence-number command in the PREFIX
LIST mode.
To view all configured prefix lists, use either of the following commands in the EXEC mode:
Command Syntax
Command Mode
Purpose
show ip prefix-list detail [prefix-name]
EXEC Privilege
Show detailed information about configured Prefix
lists.
show ip prefix-list summary
EXEC Privilege
Show a table of summarized information about
configured Prefix lists.
[prefix-name]
FTOS>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
Access Control Lists (ACLs) | 123
�www.dell.com | support.dell.com
FTOS>
FTOS>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
FTOS>
Use a prefix list for route redistribution
To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution
command. The prefix list is applied to all traffic redistributed into the routing process and the traffic is
either forwarded or dropped depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP (RIP is supported on C and E-Series.), use either of the following
commands in the ROUTER RIP mode:
Command Syntax
Command Mode
Purpose
router rip
CONFIGURATION
Enter RIP mode
distribute-list prefix-list-name in
CONFIG-ROUTER-RIP
Apply a configured prefix list to incoming
routes. You can specify an interface.
If you enter the name of a nonexistent prefix
list, all routes are forwarded.
CONFIG-ROUTER-RIP
Apply a configured prefix list to outgoing
routes. You can specify an interface or type
of route.
If you enter the name of a non-existent prefix
list, all routes are forwarded.
[interface]
distribute-list prefix-list-name out
[interface | connected | static | ospf]
To view the configuration, use the show config command in the ROUTER RIP mode as shown in the
example below or the show running-config rip command in the EXEC mode.
FTOS(conf-router_rip)#show config
!
router rip
distribute-list prefix juba out
network 10.0.0.0
FTOS(conf-router_rip)#router ospf 34
To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode:
124
|
Command Syntax
Command Mode
Purpose
router ospf
CONFIGURATION
Enter OSPF mode
Access Control Lists (ACLs)
�Command Syntax
Command Mode
Purpose
distribute-list prefix-list-name in
[interface]
CONFIG-ROUTER-OSPF
Apply a configured prefix list to incoming
routes. You can specify an interface.
If you enter the name of a non-existent prefix
list, all routes are forwarded.
distribute-list prefix-list-name out
[connected | rip | static]
CONFIG-ROUTER-OSPF
Apply a configured prefix list to incoming
routes. You can specify which type of routes
are affected.
If you enter the name of a non-existent prefix
list, all routes are forwarded.
To view the configuration, use the show config command in the ROUTER OSPF mode as shown in the
example below or the show running-config ospf command in the EXEC mode.
FTOS(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
FTOS(conf-router_ospf)#
ACL Resequencing
ACL Resequencing allows you to re-number the rules and remarks in an access or prefix list. The
placement of rules within the list is critical because packets are matched against rules in sequential order.
Use Resequencing whenever there is no longer an opportunity to order new rules as desired using current
numbering scheme.
For example, Table 7-3 contains some rules that are numbered in increments of 1. No new rules can be
placed between these, so apply resequencing to create numbering space, as shown in Table 7-4. In the same
example, apply resequencing if more than two rules must be placed between rules 7 and 10.
IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result
of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs.
Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It
merely renumbers them so that new rules can be placed within the list as desired.
Table 7-3.
ACL Resequencing Example (Insert New Rules)
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
Access Control Lists (ACLs) | 125
�www.dell.com | support.dell.com
Table 7-3.
ACL Resequencing Example (Insert New Rules)
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Table 7-4.
ACL Resequencing Example (Resequenced)
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs. To resequence an
ACL or prefix list use the appropriate command in Table 7-5. You must specify the list name, starting
number, and increment when using these commands.
Table 7-5.
Resequencing ACLs and Prefix Lists
List
Command
Command Mode
IPv4, IPv6, or MAC ACL
resequence access-list {ipv4 | ipv6 | mac} {access-list-name
StartingSeqNum Step-to-Increment}
Exec
IPv4 or IPv6 prefix-list
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum
Step-to-Increment}
Exec
The following example shows the resequencing of an IPv4 access-list beginning with the number 2 and
incrementing by 2.
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
FTOS# end
FTOS# resequence access-list ipv4 test 2 2
FTOS# show running-config acl
126
|
Access Control Lists (ACLs)
�!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
Remarks and rules that originally have the same sequence number have the same sequence number after
the resequence command is applied. Remarks that do not have a corresponding rule will be incremented as
as a rule. These two mechanisms allow remarks to retain their original position in the list.
For example, in the following example, remark 10 corresponds to rule 10 and as such, they have the same
number before and after the command is entered. Remark 4 is incremented as a rule, and all rules have
retained their original positions.
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
FTOS# end
FTOS# resequence access-list ipv4 test 2 2
FTOS# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
Access Control Lists (ACLs) | 127
�www.dell.com | support.dell.com
Route Maps
Route-maps are supported on platforms:
ces z
Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching
criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists
can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For
example, a route map can be called to filter only specific routes and to add a metric.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists, however, where the packet or
traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not
redistributed.
Implementation Information
The FTOS implementation of route maps allows route maps with no match command or no set command.
When there is no match command, all traffic matches the route map and the set command applies.
Important Points to Remember
•
•
•
For route-maps with more than one match clause:
• Two or more match clauses within the same route-map sequence have the same match commands
(though the values are different), matching a packet against these clauses is a logical OR operation.
• Two or more match clauses within the same route-map sequence have different match commands,
matching a packet against these clauses is a logical AND operation.
If no match is found in a route-map sequence, the process moves to the next route-map sequence until
a match is found, or there are no more sequences.
When a match is found, the packet is forwarded; no more route-map sequences are processed.
• If a continue clause is included in the route-map sequence, the next or a specified route-map
sequence is processed after a match is found.
Configuration Task List for Route Maps
You configure route maps in the ROUTE-MAP mode and apply them in various commands in the
ROUTER RIP and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps:
•
•
•
•
128
|
Create a route map (mandatory)
Configure route map filters (optional)
Configure a route map for route redistribution (optional)
Configure a route map for route tagging (optional)
Access Control Lists (ACLs)
�Create a route map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route
map filters are do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters
match certain routes and set or specify values.
To create a route map and enter the ROUTE-MAP mode, use the following command in the
CONFIGURATION mode:
Command Syntax
Command Mode
Purpose
route-map map-name [permit | deny]
CONFIGURATION
Create a route map and assign it a unique name.
The optional permit and deny keywords are the
action of the route map. The default is permit.
The optional parameter seq allows you to assign
a sequence number to the route map instance.
[sequence-number]
The default action is permit and the default sequence number starts at 10. When the keyword deny is used
in configuring a route map, routes that meet the match filters are not redistributed.
To view the configuration, use the show config command in the ROUTE-MAP mode as shown in the
example below.
FTOS(config-route-map)#show config
!
route-map dilling permit 10
FTOS(config-route-map)#
You can create multiple instances of this route map by using the sequence number option to place the route
maps in the correct order. FTOS processes the route maps with the lowest sequence number first. When a
configured route map is applied to a command, like redistribute, traffic passes through all instances of that
route map until a match is found. The following text shows an example with two instances of a route map.
FTOS#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
FTOS#
To delete all instances of that route map, use the no route-map map-name command. To delete just one
instance, add the sequence number to the command syntax as shown in the following example.
FTOS(conf)#no route-map zakho 10
FTOS(conf)#end
Access Control Lists (ACLs) | 129
�www.dell.com | support.dell.com
FTOS#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
FTOS#
The following text shows an example of a route map with multiple instances. The show config command
displays only the configuration of the current route map instance. To view all instances of a specific route
map, use the show route-map command.
FTOS#show route-map dilling
route-map dilling, permit, sequence 10
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
interface Loopback 23
Set clauses:
tag 3444
FTOS#
To delete a route map, use the no route-map map-name command in the CONFIGURATION mode.
Configure route map filters
Within the ROUTE-MAP mode, there are match and set commands. Basically, match commands search
for a certain criterion in the routes and the set commands change the characteristics of those routes, either
adding something or specifying a level.
When there are multiple match commands of the same parameter under one instance of route-map, then
FTOS does a match between either of those match commands. If there are multiple match commands of
different parameter, then FTOS does a match ONLY if there is a match among ALL match commands.
The following example explains better:
Example 1
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(config-route-map)#match tag 2000
FTOS(config-route-map)#match tag 3000
In the above route-map, if a route has any of the tag value specified in the match commands, then there is a
match.
Example 2
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
130
|
Access Control Lists (ACLs)
�FTOS(config-route-map)#match metric 2000
In the above route-map, only if a route has both the characteristics mentioned in the route-map, it is
matched. Explaining further, the route must have a tag value of 1000 and a metric value of 2000. Only then
is there a match.
Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in
any instance of that route-map. As an example:
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(conf)#route-map force deny 20
FTOS(config-route-map)#match tag 1000
FTOS(conf)#route-map force deny 30
FTOS(config-route-map)#match tag 1000
In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 & 30
denies the route having a tag value of 1000. In the above scenario, FTOS scans all the instances of the
route-map for any permit statement. If there is a match anywhere, the route is permitted, though other
instances of the route-map denies it.
To configure match criterion for a route map, use any or all of the following commands in the
ROUTE-MAP mode:
Command Syntax
Command Mode
Purpose
match as-path as-path-name
CONFIG-ROUTE-MAP
Match routes with the same AS-PATH numbers.
match community
CONFIG-ROUTE-MAP
Match routes with COMMUNITY list attributes in
their path.
community-list-name [exact]
Access Control Lists (ACLs) | 131
�www.dell.com | support.dell.com
Command Syntax
Command Mode
Purpose
match interface interface
CONFIG-ROUTE-MAP
Match routes whose next hop is a specific
interface. The parameters are:
• For a Fast Ethernet interface, enter the
keyword FastEthernet followed by the slot/
port information.
• For a 1-Gigabit Ethernet interface, enter the
keyword gigabitEthernet followed by the
slot/port information.
• For a loopback interface, enter the keyword
loopback followed by a number between
zero (0) and 16383.
• For a port channel interface, enter the keyword
port-channel followed by a number from 1
to 255 for TeraScale and ExaScale, 1 to 32 for
EtherScale.
• For a SONET interface, enter the keyword
sonet followed by the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the
keyword tengigabitEthernet followed by
the slot/port information.
• For a VLAN, enter the keyword vlan followed
by a number from 1 to 4094.
• For a 40-Gigabit Ethernet interface, enter the
keyword fortyGigE followed by the slot/port
information.
132
|
match ip address prefix-list-name
CONFIG-ROUTE-MAP
Match destination routes specified in a prefix list
(IPv4).
match ipv6 address prefix-list-name
CONFIG-ROUTE-MAP
Match destination routes specified in a prefix list
(IPv6).
match ip next-hop
{access-list-name | prefix-list
prefix-list-name}
CONFIG-ROUTE-MAP
Match next-hop routes specified in a prefix list
(IPv4).
match ipv6 next-hop
{access-list-name | prefix-list
prefix-list-name}
CONFIG-ROUTE-MAP
Match next-hop routes specified in a prefix list
(IPv6).
match ip route-source
{access-list-name | prefix-list
prefix-list-name}
CONFIG-ROUTE-MAP
Match source routes specified in a prefix list
(IPv4).
match ipv6 route-source
{access-list-name | prefix-list
prefix-list-name}
CONFIG-ROUTE-MAP
Match source routes specified in a prefix list
(IPv6).
match metric metric-value
CONFIG-ROUTE-MAP
Match routes with a specific value.
match origin {egp | igp |
incomplete}
CONFIG-ROUTE-MAP
Match BGP routes based on the ORIGIN attribute.
match route-type {external
[type-1 | type-2] | internal | level-1
| level-2 | local }
CONFIG-ROUTE-MAP
Match routes specified as internal or external to
OSPF, ISIS level-1, ISIS level-2, or locally
generated.
Access Control Lists (ACLs)
�Command Syntax
Command Mode
Purpose
match tag tag-value
CONFIG-ROUTE-MAP
Match routes with a specific tag.
To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode:
Command Syntax
Command Mode
Purpose
set as-path prepend as-number [...
as-number]
CONFIG-ROUTE-MAP
Add an AS-PATH number to the beginning of
the AS-PATH
set automatic-tag
CONFIG-ROUTE-MAP
Generate a tag to be added to redistributed
routes.
set level {backbone | level-1 | level-1-2 |
level-2 | stub-area}
CONFIG-ROUTE-MAP
Specify an OSPF area or ISIS level for
redistributed routes.
set local-preference value
CONFIG-ROUTE-MAP
Specify a value for the BGP route’s
LOCAL_PREF attribute.
set metric {+ | - | metric-value}
CONFIG-ROUTE-MAP
Specify a value for redistributed routes.
set metric-type {external | internal |
type-1 | type-2}
CONFIG-ROUTE-MAP
Specify an OSPF or ISIS type for redistributed
routes.
set next-hop ip-address
CONFIG-ROUTE-MAP
Assign an IP address as the route’s next hop.
set ipv6 next-hop ip-address
CONFIG-ROUTE-MAP
Assign an IPv6 address as the route’s next hop.
set origin {egp | igp | incomplete}
CONFIG-ROUTE-MAP
Assign an ORIGIN attribute.
set tag tag-value
CONFIG-ROUTE-MAP
Specify a tag for the redistributed routes.
set weight value
CONFIG-ROUTE-MAP
Specify a value as the route’s weight.
Use these commands to create route map instances. There is no limit to the number of set and match
commands per route map, but the convention is to keep the number of match and set filters in a route map
low. Set commands do not require a corresponding match command.
Configure a route map for route redistribution
Route maps on their own cannot affect traffic and must be included in different commands to affect routing
traffic. To apply a route map to traffic on the E-Series, you must call or include that route map in a
command such as the redistribute or default-information originate commands in OSPF, ISIS, and BGP.
Route redistribution occurs when FTOS learns the advertising routes from static or directly connected
routes or another routing protocol. Different protocols assign different values to redistributed routes to
identify either the routes and their origins. The metric value is the most common attribute that is changed
to properly redistribute other routes into a routing protocol. Other attributes that can be changed include
the metric type (for example, external and internal route types in OSPF) and route tag. Use the redistribute
command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes that are redistributed into
those protocols.
Access Control Lists (ACLs) | 133
�www.dell.com | support.dell.com
Route maps add to that redistribution capability by allowing you to match specific routes and set or change
more attributes when redistributing those routes.
In the following example, the redistribute command calls the route map static ospf to redistribute
only certain static routes into OSPF. According to the route map static ospf, only routes that have a
next hop of Gigabitethernet interface 0/0 and that have a metric of 255 will be redistributed into the OSPF
backbone area.
Note: When re-distributing routes using route-maps, the user must take care to create the
route-map defined in the redistribute command under the routing protocol. If no route-map is
created, then NO routes are redistributed.
router ospf 34
default-information originate metric-type 1
redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
!
route-map staticospf permit 10
match interface GigabitEthernet 0/0
match metric 255
set level backbone
Configure a route map for route tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that
protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the
route as it passes through different routing protocols. This tag can then be used when the route leaves a
routing domain to redistribute those routes again.
In the following example, the redistribute ospf command with a route map is used in the ROUTER RIP
mode to apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.
!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!
Continue clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more
route-map modules are processed. If the continue command is configured at the end of a module, the next
module (or a specified module) is processed even after a match is found. The following example shows a
continue clause at the end of a route-map module. In this example, if a match is found in the route-map
“test” module 10, module 30 will be processed.
134
|
Access Control Lists (ACLs)
�Note: If the continue clause is configured without specifying a module, the next sequential module is
processed.
!
route-map test permit 10
match commu comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30!
Access Control Lists (ACLs) | 135
�www.dell.com | support.dell.com
136
|
Access Control Lists (ACLs)
�8
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) is supported only on platforms: e c z
Protocol Overview
Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication
failures between two adjacent systems. It is a simple and lightweight replacement for existing routing
protocol link state detection mechanisms. It also provides a failure detection solution for links on which no
routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a
three-way handshake. After the session has been established, the systems exchange periodic control
packets at sub-second intervals. If a system does not receive a hello packet within a specified amount of
time, routing protocols are notified that the forwarding path is down.
BFD provides forwarding path failure detection times on the order of milliseconds rather than seconds as
with conventional routing protocol hellos. It is independent of routing protocols, and as such provides a
consistent method of failure detection when used across a network. Networks converge faster because BFD
triggers link state changes in the routing protocol sooner and more consistently, because BFD can
eliminate the use of multiple protocol-dependent timers and methods.
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be
encapsulated in any form that is convenient, and, on Dell Force10 routers, sessions are maintained by BFD
Agents that reside on the line card, which frees resources on the RPM. Only session state changes are
reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered
with it.
BFD is an independent and generic protocol, which all media, topologies, and routing protocols can
support using any encapsulation. Dell Force10 has implemented BFD at Layer 3 and with UDP
encapsulation. BFD functionality will be implemented in phases. The C-Series and E-Series support BFD
on OSPF, IS-IS, VLANs, VRRP, LAGs, and physical ports based on the IETF internet draft document
draft-ietf-bfd-base-03. On the S4810, BFD is supported on dynamic routing protocols such as OSPF, IS-IS
and BGP.
Bidirectional Forwarding Detection (BFD) | 137
�www.dell.com | support.dell.com
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake. After the session
has been established, the systems exchange control packets at agreed upon intervals. In addition, systems
send a control packet anytime there is a state change or change in a session parameter; these control
packets are sent without regard to transmit and receive intervals.
Note: FTOS does not support multi-hop BFD sessions.
If a system does not receive a control packet within an agreed-upon amount of time, the BFD Agent
changes the session state to Down. It then notifies the BFD Manager of the change, and sends a control
packet to the neighbor that indicates the state change (though it might not be received if the link or
receiving interface is faulty). The BFD Manager notifies the routing protocols that are registered with it
(clients) that the forwarding path is down, and a link state change is triggered in all protocols.
Note: A session state change from Up to Down is the only state change that triggers a link state change in the routing
protocol client.
BFD packet format
Control packets are encapsulated in UDP packets. The following illustration shows the complete
encapsulation of a BFD control packet inside an IPv4 packet.
138
|
Bidirectional Forwarding Detection (BFD)
�Version
(4)
IHL
TOS
Total Length
Preamble
Flags
Start Frame
Delimiter
Frag Offset
Destination MAC
TTL
(255)
Source MAC
Protocol
Ethernet Type
(0x888e)
Header
Checksum
Version
(1)
State
Range: 3784
Source Port
Options
Diag Code
Dest IP Addr
Padding
Checksum
UDP Packet
Detect Mult
My
Discriminator
Your
Discriminator
Random number generated by
remote system to identify a
session
Required
Min RX Interval
Required Min
Echo RX Interval
Auth Type
The minimum interval between
Echo packtes that the local system
is capable of supporting
The minimum interval between
control packets that the local
system is capable of supporting
Desired
Min TX Interval
The intervals at which the local
system would like to transmit
control packets
BFD Control Packet
Random number generated by
the local system to identify
a session
Length
The number of packets that
must be missed in a row in
order to declare a session down
Length
P: Poll
F: Final
C: Control Plane Independent
A: Authentication Present
D: Demand
(Final bit reserved)
Flags
Range: 3784
Echo: 3785
Destination Port
Padding
FCS
Range: 0-31
Code: 0: AdminDown
Range: 0-31
1: Down
Bit:
Code: 0: No Diagnostic
2: Init
1: Control Detection Time Expired
3: Up
2: Echo Function Failed
3: Neighbor Signaled Session Down
4: Forwarding Plane Reset
5: Path Down
6: Concatenated Path Down
7: Administratively Down
8: Reverse Concatenated Path Down
9-31: Reserved for Future Use
Src IP Addr
IP Packet
Auth Length
Auth Data
Figure 8-1.
BFD in IPv4 Packet Format
Bidirectional Forwarding Detection (BFD) | 139
�www.dell.com | support.dell.com
Table 8-1.
BFD Packet Fields
Field
Description
Diagnostic Code
The reason that the last session failed.
State
The current local session state. See BFD sessions.
Flag
A bit that indicates packet function. If the poll bit is set, the receiving system must respond as
soon as possible, without regard to its transmit interval. The responding system clears the poll
bit and sets the final bit in its response. The poll and final bits are used during the handshake
and Demand mode (see BFD sessions).
Note: FTOS does not currently support multi-point sessions, Demand mode, authentication, or
control plane independence; these bits are always clear.
Detection Multiplier
The number of packets that must be missed in order to declare a session down.
Length
The entire length of the BFD packet.
My Discriminator
A random number generated by the local system to identify the session.
Your Discriminator
A random number generated by the remote system to identify the session. Discriminator
values are necessary to identify the session to which a control packet belongs since there can
be many sessions running on a single interface.
Desired Min TX Interval
The minimum rate at which the local system would like to send control packets to the remote
system.
Required Min RX Interval
The minimum rate at which the local system would like to receive control packets from the
remote system.
Required Min Echo RX
The minimum rate at which the local system would like to receive echo packets.
Note: FTOS does not currently support the echo function.
Authentication Type
Authentication Length
An optional method for authenticating control packets.
Note: FTOS does not currently support the BFD authentication function.
Authentication Data
Two important parameters are calculated using the values contained in the control packet.
•
•
Transmit interval — Transmit interval is the agreed-upon rate at which a system sends control
packets. Each system has its own transmit interval, which is the greater of the last received remote
Desired TX Interval and the local Required Min RX Interval.
Detection time — Detection time is the amount of time that a system does not receive a control
packet, after which the system determines that the session has failed. Each system has its own
detection time.
• In Asynchronous mode: Detection time is the remote Detection Multiplier multiplied by greater of
the remote Desired TX Interval and the local Required Min RX Interval.
• In Demand mode: Detection time is the local Detection Multiplier multiplied by the greater of the
local Desired Min TX and the remote Required Min RX Interval.
BFD sessions
BFD must be enabled on both sides of a link in order to establish a session. The two participating systems
can assume either of two roles:
140
|
Bidirectional Forwarding Detection (BFD)
�•
•
Active—The active system initiates the BFD session. Both systems can be active for the same session.
Passive—The passive system does not initiate a session. It only responds to a request for session
initialization from the active system.
A BFD session has two modes:
•
•
Asynchronous mode—In Asynchronous mode, both systems send periodic control messages at an
agreed upon interval to indicate that their session status is Up.
Demand mode—If one system requests Demand mode, the other system stops sending periodic
control packets; it only sends a response to status inquiries from the Demand mode initiator. Either
system (but not both) can request Demand mode at any time.
Note: FTOS supports asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
•
•
•
•
Administratively Down—The local system will not participate in a particular session.
Down—The remote system is not sending any control packets or at least not within the detection time
for a particular session.
Init—The local system is communicating.
Up—The both systems are exchanging control packets.
The session is declared down if:
•
•
•
A control packet is not received within the detection time.
Sufficient echo packets are lost.
Demand mode is active and a control packet is not received in response to a poll packet.
BFD three-way handshake
A three-way handshake must take place between the systems that will participate in the BFD session. The
handshake shown in the illustration below assumes that there is one active and one passive system, and that
this is the first session established on this link. The default session state on both ports is Down.
1. The active system sends a steady stream of control packets that indicates that its session state is Down,
until the passive system responds. These packets are sent at the desired transmit interval of the Active
system, and the Your Discriminator field is set to zero.
2. When the passive system receives any of these control packets, it changes its session state to Init, and
sends a response that indicates its state change. The response includes its session ID in the My
Discriminator field, and the session ID of the remote system in the Your Discriminator field.
3. The active system receives the response from the passive system, and changes its session state to Up. It
then sends a control packet indicating this state change. This is the third and final part of the
handshake. At this point, the discriminator values have been exchanged, and the transmit intervals
have been negotiated.
Bidirectional Forwarding Detection (BFD) | 141
�www.dell.com | support.dell.com
4. The passive system receives the control packet, changes its state to Up. Both systems agree that a
session has been established. However, since both members must send a control packet—that requires
a response—anytime there is a state change or change in a session parameter, the passive system sends
a final response indicating the state change. After this, periodic control packets are exchanged.
Transmit Interval: User-configurable
Default Session State: Down
Default Session State: Down
Version: 1
Diag Code: 0 (assumes no previous session)
State: Down
Flag: P:1
Detect Multiplier: User-configurable
My Discriminator: X ( Active System Session ID)
Your Discriminator: 0
Desired Min TX Interval: User-configurable
Required Min RX Interval: User-configurable
Required Min Echo RX Interval: User-configurable
ACTIVE System
PASSIVE System
Steady Rate of Control Packets
Version: 1
Diag Code: 0 (assumes no previous session)
State: Init
Flag: F: 1
Detect Multiplier: User-configurable
My Discriminator: Y (Passsive System Session ID)
Your Discriminator: X
Desired Min TX Interval: User-configurable
Required Min RX Interval: User-configurable
Required Min Echo RX Interval: User-configurable
Init State Change
Version: 1
Diag Code: 0 (assumes no previous session)
State: Up
Flag: P: 1
Detect Multiplier: User-configurable
My Discriminator: X
Your Discriminator: Y
Desired Min TX Interval: User-configurable
Required Min RX Interval: User-configurable
Required Min Echo RX Interval: User-configurable
Up State Change
Version: 1
Diag Code: 0 (assumes no previous session)
State: Up
Flag: F: 1
Detect Multiplier: User-configurable
My Discriminator: Y
Your Discriminator: X
Desired Min TX Interval: User-configurable
Required Min RX Interval: User-configurable
Required Min Echo RX Interval: User-configurable
Up State Change
Version: 1
Diag Code: 0 (assumes no previous session)
State: Up
Flag: P: Clear
Detect Multiplier: User-configurable
My Discriminator: X
Your Discriminator: Y
Desired Min TX Interval: User-configurable
Required Min RX Interval: User-configurable
Required Min Echo RX Interval: User-configurable
Periodic Control Packet
fnC0036mp
Session state changes
The illustration below shows how the session state on a system changes based on the status notification it
receives from the remote system. For example, if a session on a system is down, and it receives a Down
status notification from the remote system, the session state on the local system changes to Init.
current session state
Up, Admin Down, Timer
the packet received
Down
Init
Down
Admin Down,
Timer
Down
Init
Init, Up
Admin Down,
Down,
Timer
Up
Up, Init
fnC0037mp
142
|
Bidirectional Forwarding Detection (BFD)
�Important Points to Remember
•
•
•
•
•
•
•
BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
FTOS supports a maximum of 100 sessions per BFD agent on C-Series and E-Series. Each linecard
processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard (plus, on the
E-Series, 100 BFD sessions on RP2, which handles LAG and VLANs). On the S4810, FTOS supports
128 sessions per stack unit at 200 minimum transmit and receive intervals with a multiplier of 3, and
64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4.
BFD must be enabled on both ends of a link.
Demand mode, authentication, and the Echo function are not supported.
BFD is not supported on multi-hop and virtual links.
Protocol Liveness is supported for routing protocols only.
FTOS supports only OSPF, IS-IS, (E-Series, Z-Series and
only), BGP (
only), and
VRRP (not on
) protocols as BFD clients.
Configuring Bidirectional Forwarding Detection
The remainder of this chapter is divided into the following sections:
•
•
•
•
•
•
•
•
•
•
Configuring BFD for Physical Ports
Configuring BFD for Static Routes
Configuring BFD for OSPF
Configuring BFD for IS-IS
Configuring BFD for BGP
Configuring BFD for VRRP
Configuring BFD for VLANs
Configuring BFD for Port-Channels
Configuring Protocol Liveness
Troubleshooting BFD
Configuring BFD for Physical Ports
Configuring BFD for Physical Ports is supported on C-Series and E-Series only.
BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system
fails, the local system does not remove the connected route until the first failed attempt to send a packet.
When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control
packets from the remote system.
Configuring BFD for a physical port is a two-step process:
1. Enabling BFD globally.
Bidirectional Forwarding Detection (BFD) | 143
�www.dell.com | support.dell.com
2. Establish a session with a next-hop neighbor.
Related configuration tasks
•
•
Viewing physical port session parameters.
Disabling and re-enabling BFD.
Enabling BFD globally
BFD must be enabled globally on both routers, as shown in the illustration in Establishing a session on
physical ports.
To enable BFD globally:
Step
1
Task
Command Syntax
Command Mode
Enable BFD globally.
bfd enable
CONFIGURATION
Verify that BFD is enabled globally using the command show running bfd, as shown in the example below.
R1(conf)#bfd ?
enable
Enable BFD protocol
protocol-liveness
Enable BFD protocol-liveness
R1(conf)#bfd enable
R1(conf)#do show running-config bfd
!
bfd enable
R1(conf)#
Establishing a session on physical ports
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the
illustration below. The configuration parameters do not need to match.
144
|
Bidirectional Forwarding Detection (BFD)
�R2: ACTIVE Role
R1: ACTIVE Role
4/24
2/1
FTOS(config)# bfd enable
FTOSconfig)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 4/24
FTOS(conf-if-gi-2/1)# ip address 2.2.2.1/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.2
fnC0038mp
To establish a session:
Step
Task
Command Syntax
Command Mode
1
Enter interface mode
interface
CONFIGURATION
2
Assign an IP address to the interface if one is not already
assigned.
ip address ip-address
INTERFACE
Verify that the session is established using the command show bfd neighbors, as shown in the example
below.
R1(conf-if-gi-4/24)#do show bfd neighbors
*
- Active session role
Ad Dn
- Admin Down
C
- CLI
I
- ISIS
O
- OSPF
R
- Static Route (RTM)
LocalAddr
* 2.2.2.1
RemoteAddr
Interface State Rx-int Tx-int Mult Clients
2.2.2.2
Gi 4/24
Up
100
100
3
C
The example below for the command show bfd neighbors detail shows more specific information about
BFD sessions.
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
Bidirectional Forwarding Detection (BFD) | 145
�www.dell.com | support.dell.com
TX:
100ms, RX:
100ms, Multiplier: 3
Neighbor parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Actual parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
When both interfaces are configured for BFD, log messages are displayed indicating state changes, as
shown in Message 1.
Message 1 BFD Session State Changes
R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to
Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor
2.2.2.2 on interface Gi 4/24 (diag: 0)
Viewing physical port session parameters
BFD sessions are configured with default intervals and a default role (active). Dell Force10 recommends
maintaining the default values.
View session parameters using the show bfd neighbors detail command.
R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX:
100ms, RX:
100ms, Multiplier: 4
Neighbor parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Actual parameters:
TX:
100ms, RX:
100ms, Multiplier: 4
Role: Passive
146
|
Bidirectional Forwarding Detection (BFD)
�Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7
Disabling and re-enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If
BFD is disabled, all of the sessions on that interface are placed in an Administratively Down state
(Message 2), and the remote systems are notified of the session state change (Message 3).
To disable BFD on an interface:
Step
1
Task
Command Syntax
Command Mode
Disable BFD on an interface.
no bfd enable
INTERFACE
Message 2 Disabling BFD on a Local Interface
R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad
Dn for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
Message 3 Remote System State Change due to Local State Admin Down
R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor
2.2.2.1 on interface Gi 2/1 (diag: 7)
To re-enable BFD on an interface:
Step
1
Task
Command Syntax
Command Mode
Enable BFD on an interface.
bfd enable
INTERFACE
Configuring BFD for Static Routes
Configuring BFD for Static Routes is supported on C-Series and E-Series only.
BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to
remove static routes from the routing table as soon as the link state change occurs, rather than having to
wait until packets fail to reach their next hop.
Bidirectional Forwarding Detection (BFD) | 147
�www.dell.com | support.dell.com
Configuring BFD for static routes is a three-step process:
1. Enabling BFD globally.
2. On the local system, establish a session with the next hop of a static route. Refer to Configuring BFD
for Static Routes.
3. On the remote system, establish a session with the physical port that is the origin of the static route.
Refer to Establishing a session on physical ports.
Related configuration tasks
•
•
Changing static route session parameters.
Disabling BFD for static routes.
Establishing sessions for static routes
Sessions are established for all neighbors that are the next hop of a static route.
FTOS(config)# interface gigabitethernet 2/2
FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24
FTOS(conf-if-gi-2/2)# no shutdown
FTOS(config)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# no shutdown
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
R1
R3
R2
4/24
2/2
2/1
2.2.2.1/24
2.2.2.2/24
FTOS(config)# interface gigabitethernet 4/24
FTOS(conf-if-gi-4/24)# ip address 2.2.2.1/24
FTOS(conf-if-gi-4/24)# no shutdown
FTOS(config)# ip route 2.2.3.0/24 2.2.2.2
FTOS(config)# ip route bfd
2.2.3.1/24
6/0
2.2.3.2/24
FTOS(config)# interface gigabitethernet 6/0
FTOS(conf-if-gi-6/0)# ip address 2.2.3.2/24
FTOS(conf-if-gi-6/0)# no shutdown
fnC0039mp
To establish a BFD session:
Step
1
Task
Command Syntax
Command Mode
Establish BFD sessions for all neighbors that are the next hop
of a static route.
ip route bfd
CONFIGURATION
Verify that sessions have been created for static routes using the command show bfd neighbors, as shown
in the example below.
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
148
|
*
- Active session role
Ad Dn
- Admin Down
C
- CLI
Bidirectional Forwarding Detection (BFD)
�I
- ISIS
O
- OSPF
R
- Static Route (RTM)
LocalAddr
RemoteAddr
Interface State Rx-int Tx-int Mult Clients
2.2.2.1
2.2.2.2
Gi 4/24
Up
100
100
4
R
View detailed session information using the command show bfd neighbors detail, as shown in the example
in Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.
Changing static route session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all static routes; if you change a parameter, the change affects all
sessions for static routes.
To change parameters for static route sessions:
Step
1
Task
Command Syntax
Command Mode
Change parameters for all static route
sessions.
ip route bfd interval milliseconds min_rx
milliseconds multiplier value role [active |
passive]
CONFIGURATION
View session parameters using the command show bfd neighbors detail, as shown in the example in
Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.
Disabling BFD for static routes
If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all
neighbors on the remote systems, and those neighbors change to the Down state (Message 3).
To disable BFD for static routes:
Step
1
Task
Command Syntax
Command Mode
Disable BFD for static routes.
no ip route bfd
CONFIGURATION
Configuring BFD for OSPF
BFD for OSPF is only supported on platforms:
ecz
When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol
that a link state change occurred.
Bidirectional Forwarding Detection (BFD) | 149
�www.dell.com | support.dell.com
Configuring BFD for OSPF is a two-step process:
1. Enabling BFD globally.
2. Establishing sessions with OSPF neighbors.
Related configuration tasks
•
•
Changing OSPF session parameters.
Disabling BFD for OSPF.
Establishing sessions with OSPF neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all
neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the full
state.
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# no shutdown
FTOS(conf-if-gi-2/1)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.2.0/24 area 0
FTOS(config-router_ospf )# bfd all-neighbors
FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24
FTOS(conf-if-gi-2/2)# no shutdown
FTOS(conf-if-gi-2/2)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.3.0/24 area 1
FTOS(config-router_ospf )# bfd all-neighbors
AREA 1
AREA 0
R2
R1
2.2.2.1/24
2.2.2.2/24
FTOS(conf-if-gi-4/24)# ip address 2.2.2.1/24
FTOS(conf-if-gi-4/24)# no shutdown
FTOS(conf-if-gi-4/24)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.2.0/24 area 0
FTOS(config-router_ospf )# bfd all-neighbors
R3
2/2
2/1
4/24
FTOS(conf-if-gi-6/1)# ip address 2.2.4.1/24
FTOS(conf-if-gi-6/1)# no shutdown
FTOS(conf-if-gi-6/1)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.4.0/24 area 1
FTOS(config-router_ospf )# bfd all-neighbors
6/0
2.2.3.2/24
2.2.3.1/24
FTOS(conf-if-gi-6/0)# ip address 2.2.3.2/24
FTOS(conf-if-gi-6/0)# no shutdown
FTOS(conf-if-gi-6/0)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.3.0/24 area 1
FTOS(config-router_ospf )# bfd all-neighbors
6/1
2.2.4.1/24
R4 2.2.4.2/24
1/1
FTOS(conf-if-gi-6/0)# ip address 2.2.4.2/24
FTOS(conf-if-gi-6/0)# no shutdown
FTOS(conf-if-gi-6/0)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf )# network 2.2.4.0/24 area 1
FTOS(config-router_ospf )# bfd all-neighbors
To establish BFD with all OSPF neighbors:
Step
1
150
|
Task
Command Syntax
Command Mode
Establish sessions with all OSPF neighbors.
bfd all-neighbors
ROUTER-OSPF
Bidirectional Forwarding Detection (BFD)
�To establish BFD for all OSPF neighbors on a single interface:
Step
1
Task
Command Syntax
Command Mode
Establish sessions with all OSPF neighbors on a
single interface.
ip ospf bfd all-neighbors
INTERFACE
View the established sessions using the command show bfd neighbors, as shown in the example below.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*
- Active session role
Ad Dn
- Admin Down
C
- CLI
I
- ISIS
O
- OSPF
R
- Static Route (RTM)
RemoteAddr
Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2
LocalAddr
2.2.2.1
Gi 2/1
Up
100
100
3
O
* 2.2.3.1
2.2.3.2
Gi 2/2
Up
100
100
3
O
Changing OSPF session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all OSPF sessions or all OSPF sessions on a particular interface; if
you change a parameter globally, the change affects all OSPF neighbors sessions. If you change a
parameter at interface level, the change affects all OSPF sessions on that interface.
To change parameters for all OSPF sessions:
Step
1
Task
Command Syntax
Command Mode
Change parameters for OSPF
sessions.
bfd all-neighbors interval milliseconds
min_rx milliseconds multiplier value role
[active | passive]
ROUTER-OSPF
To change parameters for OSPF sessions on an interface:
Step
1
Task
Command Syntax
Command Mode
Change parameters for all OSPF
sessions on an interface.
ip ospf bfd all-neighbors interval
milliseconds min_rx milliseconds multiplier
value role [active | passive]
INTERFACE
View session parameters using the command show bfd neighbors detail, as shown in the example in
Displaying BFD for BGP Information.
Bidirectional Forwarding Detection (BFD) | 151
�www.dell.com | support.dell.com
Disabling BFD for OSPF
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD
clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions with all OSPF neighbors:
Step
1
Task
Command Syntax
Command Mode
Disable BFD sessions with all OSPF neighbors.
no bfd all-neighbors
ROUTER-OSPF
To disable BFD sessions with all OSPF neighbors out of an interface:
Step
1
Task
Command Syntax
Command Mode
Disable BFD sessions with all OSPF neighbors out
of an interface
ip ospf bfd all-neighbors
disable
INTERFACE
Configuring BFD for IS-IS
BFD for IS-IS is supported on platforms:
ez
When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD
sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring
interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS
protocol that a link state change occurred.
Configuring BFD for IS-IS is a two-step process:
1. Enable BFD globally. See Enabling BFD globally.
2. Establish sessions for all or particular IS-IS neighbors.
Related configuration tasks
•
•
Change session parameters.
Disable BFD sessions for IS-IS.
Establishing sessions with IS-IS neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all
neighbors out of a specific interface.
152
|
Bidirectional Forwarding Detection (BFD)
�Figure 8-2.
Establishing Sessions with IS-IS Neighbors
FTOS(conf )# router isis
FTOS(conf-router_isis)# net 02.1921.6800.2002.00
FTOS(conf-router_isis)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)#ip address 2.2.2.2/24
FTOS(config-if-gi-2/1)# ip router isis
FTOS(config-if-gi-2/1)# exit
FTOS(conf )# router isis
FTOS(conf-router_isis)# bfd all-neighbors
FTOS(conf-router_isis)# interface gigabitethernet 2/2
FTOS(conf-if-gi-2/2)#ip address 2.2.3.1/24
FTOS(config-if-gi-2/2)# ip router isis
FTOS(config-if-gi-2/2)# exit
FTOS(conf )# router isis
FTOS(conf-router_isis)# bfd all-neighbors
AREA 2
AREA 1
AREA 3
R2: Level 2
R1: Level 1 - 2
4/24
2/1
R3: Level 1 - 2
2/2
6/0
FTOS(conf )# router isis
FTOS(conf-router_isis)# net 01.1921.6800.1001.00
FTOS(conf-router_isis)# interface gigabitethernet 4/24
FTOS(config-if-gi-4/24)# ip address 2.2.2.1/24
FTOS(config-if-gi-4/24)# ip router isis
FTOS(config-if-gi-4/24)# exit
FTOS(conf )# router isis
FTOS(conf-router_isis)# bfd all-neighbors
6/1
FTOS(conf )# router isis
FTOS(conf-router_isis)# net 03.1921.6800.3003.00
FTOS(conf-router_isis)# interface gigabitethernet 6/0
FTOS(conf-if-gi-6/0)#ip address 2.2.3.2/24
FTOS(config-if-gi-6/0)# ip router isis
FTOS(config-if-gi-6/0)# exit
FTOS(conf )# router isis
FTOS(conf-router_isis)# bfd all-neighbors
FTOS(conf-router_isis)# interface gigabitethernet 6/1
FTOS(conf-if-gi-6/1)#ip address 2.2.4.1/24
fnC0041mp
To establish BFD with all IS-IS neighbors:
Step
1
Task
Command Syntax
Command Mode
Establish sessions with all IS-IS neighbors.
bfd all-neighbors
ROUTER-ISIS
To establish BFD with all IS-IS neighbors out of a single interface:
Step
1
Task
Command Syntax
Command Mode
Establish sessions with all IS-IS neighbors out of an
interface.
isis bfd all-neighbors
INTERFACE
View the established sessions using the command show bfd neighbors, as shown in Figure 8-3.
Figure 8-3.
Viewing Established Sessions for IS-IS Neighbors
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
*
Ad Dn
C
I
O
R
-
Active session role
Admin Down
CLI
ISIS
OSPF
Static Route (RTM)
LocalAddr
Clients
* 2.2.2.2
IS-IS BFD Sessions Enabled
RemoteAddr
Interface State Rx-int Tx-int Mult
2.2.2.1
Gi 2/1
Up
100
100
3
I
Bidirectional Forwarding Detection (BFD) | 153
�www.dell.com | support.dell.com
Changing IS-IS session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface; if you
change a parameter globally, the change affects all IS-IS neighbors sessions. If you change a parameter at
interface level, the change affects all IS-IS sessions on that interface.
To change parameters for all IS-IS sessions:
Step
1
Task
Command Syntax
Command Mode
Change parameters for all IS-IS
sessions.
bfd all-neighbors interval milliseconds
min_rx milliseconds multiplier value role
[active | passive]
ROUTER-ISIS
To change parameters for IS-IS sessions on an interface:
Step
1
Task
Command Syntax
Command Mode
Change parameters for all IS-IS
sessions out of an interface.
isis bfd all-neighbors interval milliseconds
min_rx milliseconds multiplier value role
[active | passive]
INTERFACE
View session parameters using the command show bfd neighbors detail.
Disabling BFD for IS-IS
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD
clients; a final Admin Down packet is sent before the session is terminated.
To disable BFD sessions with all IS-IS neighbors:
Step
1
154
|
Task
Command Syntax
Command Mode
Disable BFD sessions with all IS-IS
neighbors.
no bfd all-neighbors
ROUTER-ISIS
Bidirectional Forwarding Detection (BFD)
�To disable BFD sessions with all IS-IS neighbors out of an interface:
Step
1
Task
Command Syntax
Command Mode
Disable BFD sessions with all IS-IS
neighbors out of an interface.
isis bfd all-neighbors disable
INTERFACE
Configuring BFD for BGP
BFD for BGP is only supported on platforms: cez
In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding
paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does
not support IPv6 and the BGP multihop feature.
Prerequisites
Before configuring BFD for BGP, you must first configure the following settings:
1. Configure BGP on the routers that you want to interconnect as described in Chapter 9, Border
Gateway Protocol.
2. Enable fast fall-over for BGP neighbors to reduce convergence time (neighbor fall-over command) as
described in BGP fast fall-over.
Establishing sessions with BGP neighbors
Before configuring BFD for BGP, you must first configure BGP on the routers that you want to
interconnect. For more information, refer to Chapter 9, Border Gateway Protocol.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that
use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with
each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous
system.
Bidirectional Forwarding Detection (BFD) | 155
�www.dell.com | support.dell.com
Interior BGP
Interior BGP
Router 1
2/2
2.2.4.2
Router 2
1/1
2.2.4.3
Exterior BGP
AS 1
FTOS(conf )# bfd enable
FTOS(conf )# router bgp 1
FTOS(conf-router-bgp)# neighbor 2.2.4.3 remote-as 2
FTOS(conf-router-bgp)# neighbor 2.2.4.3 no shutdown
FTOS(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200
multiplier 6 role active
OR
FTOS(conf-router-bgp)# neighbor 2.2.4.3 bfd
AS 2
FTOS(conf )# bfd enable
FTOS(conf )# router bgp 2
FTOS(conf-router-bgp)# neighbor 2.2.4.2 remote-as 1
FTOS(conf-router-bgp)# neighbor 2.2.4.2 no shutdown
FTOS(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200
multiplier 6 role active
OR
FTOS(conf-router-bgp)# neighbor 2.2.4.2 bfd
Note that the sample configuration shows alternative ways to establish a BFD session with a BGP
neighbor:
•
•
By establishing BFD sessions with all neighbors discovered by BGP (bfd all-neighbors command)
By establishing a BFD session with a specified BGP neighbor (neighbor {ip-address | peer-group-name}
bfd command)
BFD packets originating from a router are assigned to the highest priority egress queue to minimize
transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the
highest priority queue within the Control Plane Policing (COPP) framework to avoid BFD packets drops
due to queue congestion.
BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by
BGP.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks.
•
•
156
|
On an E-Series ExaScale, up to 100 simultaneous BFD sessions are supported.
On an S4810, up to 128 simultaneous BFD sessions are supported.
Bidirectional Forwarding Detection (BFD)
�As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval
for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP
neighbor does not receive a control packet within the detection interval, the router informs any clients of
the BFD session (other routing protocols) about the failure. It then depends on the individual routing
protocols that uses the BGP link to determine the appropriate response to the failure condition. The typical
response is usually to terminate the peering session for the routing protocol and reconverge by bypassing
the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
On C-Series and E-Series only, you can configure BFD for BGP on the following types of interfaces:
physical port (10GE or 40GE), port channel, and VLAN.
To establish a BFD session with one or all BGP neighbors, follow these steps:
Step
Task
Command Syntax
Command Mode
1
Enable BFD globally.
bfd enable
CONFIGURATION
2
Specify the AS number and enter ROUTER
BGP configuration mode.
router bgp as-number
CONFIGURATION
3
Add a BGP neighbor or peer group in a
remote AS.
neighbor {ip-address | peer-group
name} remote-as as-number
CONFIG-ROUTERBGP
4
Enable the BGP neighbor.
neighbor {ip-address |
peer-group-name} no shutdown
CONFIG-ROUTERBGP
Configure parameters for a BFD session
established with all neighbors discovered by
BGP.
bfd all-neighbors [interval millisecs
min_rx millisecs multiplier value role
{active | passive}]
CONFIG-ROUTERBGP
OR
OR
Establish a BFD session with a specified BGP
neighbor or peer group using the default BFD
session parameters.
neighbor {ip-address |
peer-group-name} bfd
5
Notes:
- When you establish a BFD session with a specified BGP neighbor or peer group using the neighbor bfd
command, the default BFD session parameters are used (interval: 100 milliseconds, min_rx: 100 milliseconds,
multiplier: 3 packets, and role: active).
- When you explicitly enable or disable a BGP neighbor for a BFD session with the neighbor bfd or neighbor bfd
disable commands:
- The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors command or
configured for the peer group to which the neighbor belongs.
- The neighbor only inherits the global timer values configured with the bfd all-neighbors command (interval,
min_rx, and multiplier).
6
Repeat Steps 1 to 5 on each BGP peer participating in a BFD session.
Disabling BFD for BGP
To disable a BFD for BGP session with a specified neighbor, enter the neighbor {ip-address |
peer-group-name} bfd disable command in ROUTER BGP configuration mode.
Bidirectional Forwarding Detection (BFD) | 157
�www.dell.com | support.dell.com
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor
{ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link
with the neighbor returns to normal operation and uses the BFD session parameters globally configured
with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
Using BFD in a BGP Peer Group
If you establish a BFD session for the members of a peer group (neighbor peer-group-name bfd command
in ROUTER BGP configuration mode), members of the peer group may have BFD:
•
•
•
Explicitly enabled (neighbor ip-address bfd command)
Explicitly disabled (neighbor ip-address bfd disable command)
Inherited (neither explicitly enabled or disabled) according to the current BFD configuration of the
peer group. For information on BGP peer groups, refer to Configure Peer Groups.
If you explicitly enable (or disable) a BGP neighbor for BFD that belongs to a peer group:
•
•
The neighbor does not inherit the BFD enable/disable values configured with the bfd all-neighbors
command or configured for the peer group to which the neighbor belongs.
The neighbor inherits only the global timer values that are configured with the bfd all-neighbors
command (interval, min_rx, and multiplier).
If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (e.g.
advertisement interval) using the neighbor peer-group-name bfd command, the peer group inherits any
BFD settings configured with the bfd all-neighbors command.
Displaying BFD for BGP Information
To display information about BFD for BGP sessions on a router, enter one of the following show
commands:
Task
Command
Command Mode
Verify a BFD for BGP configuration.
show running-config bgp
Verifying a BFD for BGP Configuration
EXEC Privilege
Verify that a BFD for BGP session has been
successfully established with a BGP neighbor. A
line-by-line listing of established BFD
adjacencies is displayed.
show bfd neighbors [interface] [detail]
Verifying BFD sessions with BGP neighbors
using show bfd neighbors and Verifying
BFD sessions with BGP neighbors using
show bfd neighbors detail
EXEC Privilege
Check to see if BFD is enabled for BGP
connections.
show ip bgp summary
Displaying BFD for BGP status
EXEC Privilege
Displays routing information exchanged with
BGP neighbors, including BFD for BGP
sessions.
show ip bgp neighbors [ip-address]
Displaying Routing Sessions with BGP
neighbors
EXEC Privilege
The following examples show the BFD for BGP output displayed for these show commands.
158
|
Bidirectional Forwarding Detection (BFD)
�Verifying a BFD for BGP Configuration
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
Verifying BFD sessions with BGP neighbors using show bfd neighbors
R2# show bfd neighbors
*
- Active session role
Ad Dn
- Admin Down
B
- BGP
C
- CLI
I
- ISIS
O
- OSPF
R
- Static Route (RTM)
M
- MPLS
V
- VRRP
RemoteAddr
Interface State Rx-int Tx-int Mult Clients
* 1.1.1.3
LocalAddr
1.1.1.2
Te 6/0
Up
100
100
3
B
* 2.2.2.3
2.2.2.2
Te 6/1
Up
100
100
3
B
* 3.3.3.3
3.3.3.2
Te 6/2
Up
100
100
3
B
Verifying BFD sessions with BGP neighbors using show bfd neighbors detail
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/0
State: Up
Configured parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Neighbor parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Actual parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Role: Active
Bidirectional Forwarding Detection (BFD) | 159
�www.dell.com | support.dell.com
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
Number of packets received from neighbor: 4762
Number of packets sent to neighbor: 4490
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/1
State: Up
Configured parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Neighbor parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Actual parameters:
TX:
100ms, RX:
100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Displaying BFD Packet Counters
R2# show bfd counters bgp
Interface TenGigabitEthernet 6/0
Protocol BGP
Messages:
Registration
: 5
De-registration
: 4
Init
: 0
Up
: 6
Down
: 0
Admin Down
: 2
Interface TenGigabitEthernet 6/1
160
|
Bidirectional Forwarding Detection (BFD)
�Protocol BGP
Messages:
Registration
: 5
De-registration
: 4
Init
: 0
Up
: 6
Down
: 0
Admin Down
: 2
Interface TenGigabitEthernet 6/2
Protocol BGP
Messages:
Registration
: 1
De-registration
: 0
Init
: 0
Up
: 1
Down
: 0
Admin Down
: 2
Displaying BFD for BGP status
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor
AS
MsgRcvd
MsgSent
TblVer
InQ
1.1.1.2
2.2.2.2
3.3.3.2
OutQ Up/Down
State/Pfx
1
282
281
0
0
0 00:38:12
0
1
273
273
0
0
(0) 04:32:26
0
1
282
281
0
0
0 00:38:12
0
Displaying Routing Sessions with BGP neighbors
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
1 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
2 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Bidirectional Forwarding Detection (BFD) | 161
�www.dell.com | support.dell.com
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Neighbor is using BGP global mode BFD configuration
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0
Prefixes advertised 0, denied 0, withdrawn 0 from peer
Connections established 1; dropped 0
Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP neighbor mode BFD configuration
Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
162
|
Bidirectional Forwarding Detection (BFD)
�Configuring BFD for VRRP
BFD for VRRP is only supported on platforms:
ec
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol
that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. Refer to Enabling BFD globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors.
3. On the master router, establish a VRRP BFD sessions with the backup routers. Refer to Establishing
sessions with all VRRP neighbors.
Related configuration tasks
•
•
Changing VRRP session parameters.
Establishing sessions with OSPF neighbors.
Establishing sessions with all VRRP neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a
particular neighbor.
Bidirectional Forwarding Detection (BFD) | 163
�www.dell.com | support.dell.com
VIRTUAL
IP Address: 2.2.5.4
R1: BACKUP
R2: MASTER
2/3
4/25
FTOS(config-if-range-gi-4/25)# ip address 2.2.5.1/24
FTOS(config-if-range-gi-4/25)# no shutdown
FTOS(config-if-range-gi-4/25)# vrrp-group 1
FTOS(config-if-range-gi-4/25)# virtual-address 2.2.5.4
FTOS(config-if-range-gi-4/25)# vrrp bfd all-neighbors
FTOS(config-if-range-gi-4/25)# vrrp bfd neighbor 2.2.5.2
IP Address: 2.2.5.3
Gateway: 2.2.5.1
FTOS(conf-if-gi-2/3)#ip address 2.2.5.2/24
FTOS(config-if-gi-2/3)# no shutdown
FTOS(config-if-range-gi-4/25)# vrrp-group 1
FTOS(config-if-range-gi-4/25)# virtual-address 2.2.5.4
FTOS(config-if-range-gi-4/25)# vrrp bfd all-neighbors
FTOS(config-if-range-gi-4/25)# vrrp bfd neighbor 2.2.5.1
fnC0042mp
To establish sessions with all VRRP neighbors:
Step
1
Task
Command Syntax
Command Mode
Establish sessions with all VRRP neighbors.
vrrp bfd all-neighbors
INTERFACE
Establishing VRRP sessions on VRRP neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP
BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state. The
master router must be configured to establish an individual VRRP session the backup router.
To establish a session with a particular VRRP neighbor:
Step
1
Task
Command Syntax
Command Mode
Establish a session with a particular VRRP
neighbor.
vrrp bfd neighbor ip-address
INTERFACE
View the established sessions using the command show bfd neighbors, as shown in the example below.
R1(conf-if-gi-4/25)#vrrp bfd all-neighbors
R1(conf-if-gi-4/25)#do show bfd neighbor
164
|
*
- Active session role
Ad Dn
- Admin Down
Bidirectional Forwarding Detection (BFD)
�C
- CLI
I
- ISIS
O
- OSPF
R
- Static Route (RTM)
V
- VRRP
LocalAddr
Interface State Rx-int Tx-int Mult Clients
2.2.5.2
Gi 4/25
* 2.2.5.1
RemoteAddr
Down
1000
1000
3
V
Session state information is also shown in the show vrrp command output, as shown in the following
example.
R1(conf-if-gi-4/25)#do show vrrp
-----------------GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address:
00:00:5e:00:01:01
Virtual IP address:
2.2.5.4
Authentication: (none)
BFD Neighbors:
RemoteAddr
State
2.2.5.2
Up
Changing VRRP session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
You can change parameters for all VRRP sessions for a particular neighbor.
To change parameters for all VRRP sessions:
Step
1
Task
Command Syntax
Command Mode
Change parameters for all VRRP
sessions.
vrrp bfd all-neighbors interval milliseconds
min_rx milliseconds multiplier value role
[active | passive]
INTERFACE
To change parameters for a particular VRRP session:
Step
1
Task
Command Syntax
Command Mode
Change parameters for a particular
VRRP session.
vrrp bfd neighbor ip-address interval
milliseconds min_rx milliseconds multiplier
value role [active | passive]
INTERFACE
Bidirectional Forwarding Detection (BFD) | 165
�www.dell.com | support.dell.com
View session parameters using the command show bfd neighbors detail, as shown in the example in
Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.
Disabling BFD for VRRP
If any or all VRRP sessions are disabled, the sessions are torn down. A final Admin Down control packet
is sent to all neighbors and sessions on the remote system change to the Down state (Message 3).
To disable all VRRP sessions on an interface:
Step
1
Task
Command Syntax
Command Mode
Disable all VRRP sessions on an interface.
no vrrp bfd all-neighbors
INTERFACE
To disable all VRRP sessions in a particular VRRP group:
Step
1
Task
Command Syntax
Command Mode
Disable all VRRP sessions in a VRRP group.
bfd disable
VRRP
Task
Command Syntax
Command Mode
Disable a particular VRRP session on an interface.
no vrrp bfd neighbor
ip-address
INTERFACE
To disable a particular VRRP session:
Step
1
Configuring BFD for VLANs
Configuring BFD for VLANs is supported on platforms c e.
BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on
VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails,
the local system does not remove the connected route until the first failed attempt to send a packet. If BFD
is enabled, the local system removes the route when it stops receiving periodic control packets from the
remote system.
There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is
shared for VLANs and port-channels.
Configuring BFD for VLANs is a two-step process:
1. Enabling BFD globally.
2. Establishing sessions with VLAN neighbors.
166
|
Bidirectional Forwarding Detection (BFD)
�Related configuration tasks
•
Establishing sessions with OSPF neighbors.
Establishing sessions with VLAN neighbors
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the
illustration below. The session parameters do not need to match.
R1
R2
VLAN 200
4/25
2/3
FTOS(config-if-gi-4/25)# switchport
FTOS(config-if-gi-4/25)# no shutdown
FTOS(config-if-gi-4/25)# interface vlan 200
FTOS(config-if-vl-200)# ip address 2.2.3.1/24
FTOS(config-if-vl-200)# untagged gigabitethernet 4/25
FTOS(config-if-vl-200)# no shutdown
FTOS(config-if-vl-200)# bfd neighbor 2.2.3.2
FTOS(config-if-gi-2/3)# switchport
FTOS(config-if-gi-2/3)# no shutdown
FTOS(config-if-gi-2/3)# interface vlan 200
FTOS(config-if-vl-200)# ip address 2.2.3.2/24
FTOS(config-if-vl-200)# untagged gigabitethernet 2/3
FTOS(config-if-vl-200)# no shutdown
FTOS(config-if-vl-200)# bfd neighbor 2.2.3.2
fnC0043mp
Disabling BFD for VLANs
If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system change to the Down state (Message 3).
To disable BFD on a VLAN interface:
Step
1
Task
Command Syntax
Command Mode
Disable all sessions on a VLAN interface.
no bfd enable
INTERFACE VLAN
Configuring BFD for Port-Channels
Configuring BFD for port-channels is supported on platforms: c e
BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a
remote system fails, the local system does not remove the connected route until the first failed attempt to
send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic
control packets from the remote system.
There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is
shared for VLANs and port-channels.
Bidirectional Forwarding Detection (BFD) | 167
�www.dell.com | support.dell.com
Configuring BFD for port-channels is a two-step process:
1. Enabling BFD globally.
2. Establishing sessions on port-channels.
Related configuration tasks
•
Disabling BFD for port-channels.
Establishing sessions on port-channels
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the
example below. The session parameters do not need to match.
FTOS(config-if-range-gi-4/24-5)# port-channel-protocol lacp
FTOS(config-if-range-gi-4/24-5)# port-channel 1 mode active
FTOS(config-if-range-gi-4/24-5)# no shutdown
FTOS(config-if-range-gi-4/24-5)# interface port-channel 1
FTOS(config-if-po-1)# ip address 2.2.2.1/24
FTOS(config-if-po-1)# no shutdown
FTOS(config-if-po-1)# bfd neighbor 2.2.2.2
2/1
4/24
Port Channel 1
4/25
2/2
FTOS(config-if-range-gi-2/1-2)# port-channel-protocol lacp
FTOS(config-if-range-gi-2/1-2)# port-channel 1 mode active
FTOS(config-if-range-gi-2/1-2)# no shutdown
FTOS(config-if-range-gi-2/1-2)# interface port-channel 1
FTOS(config-if-po-1)# ip address 2.2.2.2/24
FTOS(config-if-po-1)# no shutdown
FTOS(config-if-po-1)# bfd neighbor 2.2.2.1
fnC0044mp
Disabling BFD for port-channels
If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system are placed in a Down state (Message 3).
To disable BFD for a port-channel:
Step
1
168
|
Task
Command Syntax
Command Mode
Disable BFD for a port-channel.
no bfd enable
INTERFACE PORT-CHANNEL
Bidirectional Forwarding Detection (BFD)
�Configuring Protocol Liveness
Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a
client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system
receive an Admin Down control packet and are placed in the Down state (Message 3).
To enable Protocol Liveness:
Step
1
Task
Command Syntax
Command Mode
Enable Protocol Liveness
bfd protocol-liveness
CONFIGURATION
Troubleshooting BFD
Examine control packet field values using the command debug bfd detail. The following example shows a
three-way handshake using this command.
R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to
Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
Version:1, Diag code:0, State:Down, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:4, yourDiscrim:0, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
Version:1, Diag code:0, State:Init, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:6, yourDiscrim:4, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2
on interface Gi 4/24 (diag: 0)
Examine control packets in hexadecimal format using the command debug bfd packet.
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
Bidirectional Forwarding Detection (BFD) | 169
�www.dell.com | support.dell.com
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
170
00 01 86 a0 00 00 00 00
00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
L
The output for the command debug bfd event is the same as the log messages that appear on the console by
default.
|
Bidirectional Forwarding Detection (BFD)
�9
Border Gateway Protocol
Platforms support BGP according to the following table:
FTOS version
Platform support
IPv4: 8.3.11.2
IPv6: 9.0.0.0
Z9000
8.3.7.0
S4810
8.1.1.0
E-Series ExaScale
7.8.1.0
S-Series
7.7.1.0.
C-Series
pre-7.7.1.0
E-Series TeraScale
z
ex
s
c
et
This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as
it is supported in the Force10 Operating System (FTOS).
This chapter includes the following topics:
•
•
Protocol Overview
• Autonomous Systems (AS)
• Sessions and Peers
• Route Reflectors
• Confederations
BGP Attributes
• Best Path Selection Criteria
• Weight
• Local Preference
• Multi-Exit Discriminators (MEDs)
• AS Path
• Next Hop
Border Gateway Protocol | 171
�www.dell.com | support.dell.com
•
•
•
•
Multiprotocol BGP
Implementing BGP with FTOS
• Additional Path (Add-Path) support
• Advertise IGP cost as MED for redistributed routes
• Ignore Router-ID for some best-path calculations
• 4-Byte AS Numbers
• AS4 Number Representation
• AS Number Migration
• BGP4 Management Information Base (MIB)
• Important Points to Remember
Configuration Information
• Configuration Task List for BGP
• MBGP Configuration
• Storing Last and Bad PDUs
• Capturing PDUs
• PDU Counters
Sample Configurations
BGP protocol standards are listed in the Appendix 50, Standards Compliance chapter.
Protocol Overview
Border Gateway Protocol (BGP) is an external gateway protocol that transmits interdomain routing
information within and between Autonomous Systems (AS). Its primary function is to exchange network
reachability information with other BGP systems. BGP generally operates with an Internal Gateway
Protocol (IGP) such as OSPF or RIP, allowing you to communicate to external ASs smoothly. BGP adds
reliability to network connections having multiple paths from one router to another.
Autonomous Systems (AS)
BGP Autonomous Systems (ASs) are a collection of nodes under common administration, with common
network routing policies. Each AS has a number, already assigned by an internet authority. You do not
assign the BGP number.
AS Numbers (ASNs) are important because the ASN uniquely identifies each network on the Internet. The
IANA has reserved AS numbers 64512 through 65534 to be used for private purposes. The ASNs 0 and
65535 are reserved by the IANA and should not be used in a live environment.
Autonomous Systems can be grouped into three categories, defined by their connections and operation.
172
|
Border Gateway Protocol
�A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to
remain connected to the internet in the event of a complete failure of one of their connections. However,
this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple
example of this is seen in Figure 9-1.
A stub AS is one that is connected to only one other AS.
A transit AS is one that provides connections through itself to separate networks. For example as seen in
Figure 9-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs,
because they provide connections from one network to another. The ISP is considered to be “selling transit
service” to the customer network, so thus the term Transit AS.
When BGP operates inside an Autonomous System (AS1 or AS2 as seen in Figure 9-1), it is
referred to as Internal BGP (IBGP Interior Border Gateway Protocol). When BGP operates
between Autonomous Systems (AS1 and AS2), it is called External BGP (EBGP Exterior Border
Gateway Protocol). IBGP provides routers inside the AS with the knowledge to reach routers external to
the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain
connectivity and accessibility.
BGP Autonomous Zones
lpbgp1111
Figure 9-1.
Router 5
Router 3
Router 1
Router 4
Router 2
Router 6
Exterior BGP
(EBGP)
AS 1
Interior BGP (IBGP)
Router 7
AS 2
Interior BGP (IBGP)
BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP
is a path vector protocol - a computer network in which BGP maintains the path that update
information takes as it diffuses through the network. Updates traveling through the network and
returning to the same node are easily detected and discarded.
BGP does not use traditional Interior Gateway Protocol (IGP) matrix, but makes routing decisions based
on path, network policies and/or rulesets. Unlike most protocols, BGP uses TCP as its transport protocol.
Border Gateway Protocol | 173
�www.dell.com | support.dell.com
Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh”.
This is a topology that has every router directly connected to every other router. Each BGP router within an
AS must have iBGP sessions with all other BGP routers in the AS. For example, a BGP network within an
AS needs to be in “full mesh.” As seen in Figure 9-2, four routers connected in a full mesh have three peers
each, six routers have 5 peers each, and eight routers in full mesh will have seven peers each.
Figure 9-2.
Full Mesh Examples
4 Routers
6 Routers
8 Routers
The number of BGP speakers each BGP peer must maintain increases exponentially. Network
management quickly becomes impossible.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of
that session are Peers. A Peer is also called a Neighbor.
174
|
Border Gateway Protocol
�Establishing a session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic
routing policies.
In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state
machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For
each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The
BGP protocol defines the messages that each peer should exchange in order to change the session from one
state to another.
The first state is the Idle mode. BGP initializes all resources, refuses all inbound BGP connection attempts,
and initiates a TCP connection to the peer.
The next state is Connect. In this state the router waits for the TCP connection to complete, transitioning
to the OpenSent state if successful.
If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state
when the timer expires.
In the Active state, the router resets the ConnectRetry timer to zero, and returns to the Connect state.
Upon successful OpenSent transition, the router sends an Open message and waits for one in return.
Once the Open message parameters are agreed between peers then the neighbor relation is established and
is in Open confirm state. This is when the router receives and checks for agreement on the parameters of
open messages to establish a session.
Keepalive messages are exchanged next, and upon successful receipt, the router is placed in the
Established state. Keepalive messages continue to be sent at regular periods (established by the Keepalive
timer) to verify connections.
Once established, the router can now send/receive Keepalive, Update, and Notification messages to/from
its peer.
Peer Groups
Peer Groups are neighbors grouped according to common routing policies. They enable easier system
configuration and management by allowing groups of routers to share and inherit policies.
Peer groups also aid in convergence speed. When a BGP process needs to send the same information to a
large number of peers, it needs to set up a long output queue to get that information to all the proper peers.
If they are members of a peer group, however, the information can be sent to one place then passed onto
the peers within the group.
Border Gateway Protocol | 175
�www.dell.com | support.dell.com
Route Reflectors
Route Reflectors reorganize the iBGP core into a hierarchy and allows some route advertisement rules.
Note: Route Reflectors (RRs) should not be used in the forwarding path. In iBGP, hierarchal RRs
maintaining forwarding plane RRs could create routing loops.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and
its client peers form a route reflection cluster. Since BGP speakers announce only the best route for a given
prefix, route reflector rules are applied after the router makes its best path decision.
•
•
If a route was received from a nonclient peer, reflect the route to all client peers.
If the route was received from a client peer, reflect the route to all nonclient and all client peers.
To illustrate how these rules affect routing, see Figure 9-3 and the following steps. Routers B, C, D, E, and
G are members of the same AS - AS100. These routers are also in the same Route Reflection Cluster,
where Router D is the Route Reflector. Router E and H are client peers of Router D; Routers B and C and
nonclient peers of Router D.
Route Reflection Example
Router A
{
eBGP Route
eBGP Route
Router B
Router E
{
Figure 9-3.
Router F
iBGP Routes
Route Reflector
Router D
Route Reflector Client Peers
Router C
Router G
iBGP Routes
Router H
{
iBGP Route
eBGP Route
1. Router B receives an advertisement from Router A through eBGP. Since the route is learned through
eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is
Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3. Router D does not advertise the route to Router C because Router C is a nonclient peer and the route
advertisement came from Router B who is also a non-client peer.
4. Router D does reflect the advertisement to Routers E and G because they are client peers of Router D.
5. Routers E and G then advertise this iBGP learned route to their eBGP peers Routers F and H.
176
|
Border Gateway Protocol
�Confederations
Communities
BGP communities are sets of routes with one or more common attributes. This is a way to assign
common attributes to multiple routes at the same time.
BGP Attributes
Routes learned via BGP have associated properties that are used to determine the best route to a destination
when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and
an understanding of how BGP attributes influence route selection is required for the design of robust
networks. This section describes the attributes that BGP uses in the route selection process:
•
•
•
•
•
•
Weight
Local Preference
Multi-Exit Discriminators (MEDs)
Origin
AS Path
Next Hop
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS number
(BGP best path selection is deterministic by default, which means the bgp non-deterministic-med
command is NOT applied).
The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time.
If any of the criteria results in more than one path, BGP moves on to the next option in the list. For
example, two paths may have the same weights, but different local preferences. BGP sees that the Weight
criteria results in two potential “best paths” and moves to local preference to reduce the options. If a
number of best paths is determined, this selection criteria is applied to group’s best to determine the
ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in
the order in which they arrive. This method can lead to FTOS choosing different best paths from a set of
paths, depending on the order in which they were received from the neighbors, since MED may or may not
get compared between adjacent paths. In deterministic mode, FTOS compares MED between adjacent
paths within an AS group since all paths in the AS group are from the same AS.
Border Gateway Protocol | 177
�www.dell.com | support.dell.com
178
Syste
Note: In 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing
BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across
different eBGP peers, enable the bgp bestpath as-path multipath-relax command.
A system error will result if the bgp bestpath as-path ignore command and the bgp bestpath as-path
multipath-relax command are configured at the same time. Only enable one command at a time.
Figure 9-4 illustrates the decisions BGP goes through to select the best path. The list following the
illustration details the path selection criteria.
Figure 9-4.
|
BGP Best Path Selection
Border Gateway Protocol
�Best Path selection details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally Originated via a network command, redistribute command or
aggregate-address command.
•
Routes originated with the network or redistribute commands are preferred over routes originated
with the aggregate-address command.
4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command is
configured, then AS_PATH is not considered). The following criteria apply:
•
•
•
•
An AS_SET has a path length of 1, no matter how many ASs are in the set.
A path with no AS_PATH configured has a path length of 0.
AS_CONFED_SET is not included in the AS_PATH length.
AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the
AS_CONFED_SEQUENCE.
5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than
INCOMPLETE).
6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply:
•
•
•
This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs
are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
If the bgp always-compare-med command is entered, MEDs are compared for all paths.
Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next-hop is selected when synchronization is
disabled and only an internal path remains.
9. FTOS deems the paths as equal and does not perform steps 9 through 11 listed below if the following
criteria are met:
•
•
•
•
the IBGP multipath or EBGP multipath is configured (using the maximum-path command)
the bgp bestpath as-path multipath-relax command is not configured and the received paths are
from the same AS with the same number of ASs in the AS path but have different NextHops
the bgp bestpath as-path multipath-relax command is configured and the learned paths are from
different ASs but have equal AS path numbers
the paths were received from IBGP or EBGP neighbor respectively
10. If the bgp bestpath router-id ignore command is enabled and:
•
•
If the Router-ID is the same for multiple paths (because the routes were received from the same
route) skip this step.
If the Router-ID is NOT the same for multiple paths, Prefer the path that was first received as the
Best Path. The path selection algorithm should return without performing any of the checks
outlined below.
Border Gateway Protocol | 179
�www.dell.com | support.dell.com
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are
external, prefer the oldest path (first received path). For paths containing a Route Reflector (RR)
attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a
cluster ID length are set to a 0 cluster ID length.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in
the BGP neighbor configuration, and corresponds to the remote peer used in the TCP connection with
the local router.)
After a number of best paths is determined, this selection criteria is applied to group’s best to determine the
ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in
the order in which they arrive. This method can lead to FTOS choosing different best paths from a set of
paths, depending on the order in which they were received from the neighbors since MED may or may not
get compared between adjacent paths. In deterministic mode, FTOS compares MED between adjacent
paths within an AS group since all paths in the AS group are from the same AS.
Weight
The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns
about more than one route to the same destination, the route with the highest weight will be preferred. The
route with the highest weight is installed in the IP routing table.
Local Preference
Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the
number, the greater the preference for the route.
The Local Preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in
mind that other criteria may impact selection, as shown in Figure 9-4. For this example, assume that
LOCAL_PREF is the only attribute applied. In Figure 9-5, AS100 has two possible paths to AS 200.
Although the path through the Router A is shorter (one hop instead of two) the LOCAL_PREF settings
have the preferred path go through Router B and AS300. This is advertised to all routers within AS100
causing all BGP speakers to prefer the path through Router B.
180
|
Border Gateway Protocol
�Figure 9-5.
LOCAL_PREF Example
Set Local Preference to 100
Router A
AS 100
T1 Link
Router C
AS 200
Router B
Router E
Set Local Preference to 200
OC3 Link
Router E
Router D
AS 300
Router F
Multi-Exit Discriminators (MEDs)
If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can
be used to assign a preference to a preferred path. The MED is one of the criteria used to determine the best
path, so keep in mind that other criteria may impact selection, as shown in Figure 9-4.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this
example, assume the MED is the only attribute applied. In Figure 9-6, AS100 and AS200 connect in two
places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED
for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised
to AS100 routers so they know which is the preferred path.
An MED is a non-transitive attribute. If AS100 sends an MED to AS200, AS200 does not pass it on to
AS300 or AS400. The MED is a locally relevant attribute to the two participating Autonomous Systems
(AS100 and AS200).
Note that the MEDs are advertised across both links, so that if a link goes down AS 1 still has connectivity
to AS300 and AS400.
Border Gateway Protocol | 181
�www.dell.com | support.dell.com
Figure 9-6.
MED Route Example
AS 100
Set MED to 100
Router A
T1 Link
Router C
AS 200
Router B
Router E
OC3 Link
Router D
Set MED to 50
Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map
advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set
metric value overwrites the default IGP cost. If the outbound route-map uses MED, it will overwrite the
IGP MED.
Origin
The Origin indicates the origin of the prefix, or how the prefix came into BGP. There are three Origin
codes: IGP, EGP, INCOMPLETE.
•
•
•
IGP indicated the prefix originated from information learned through an interior gateway protocol.
EGP indicated the prefix originated from information learned from an EGP protocol, which NGP
replaced.
INCOMPLETE indicates that the prefix originated from an unknown source.
Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally
means that a route was learned from an external gateway protocol. An INCOMPLETE origin code
generally results from aggregation, redistribution or other indirect ways of installing routes into BGP.
In FTOS, these origin codes appear as shown in Figure 9-7. The question mark (?) indicates an Origin code
of INCOMPLETE. The lower case letter (i) indicates an Origin code of IGP.
182
|
Border Gateway Protocol
�Figure 9-7.
Origin attribute reported
FTOS#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
Next Hop
*>
7.0.0.0/29
10.114.8.33
*>
7.0.0.0/30
*>
9.2.0.0/16
Metric
LocPrf Weight Path
0
0 18508
?
10.114.8.33
0
0 18508
?
10.114.8.33
10
0 18508
701 i
AS Path
The AS Path is the list of all Autonomous Systems that all the prefixes listed in the update have passed
through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor.
In FTOS the AS Path is shown in Figure 9-8. Note that the Origin attribute is shown following the AS Path
information.
Figure 9-8.
AS Path attribute reported
FTOS#show ip bgp paths
Total 30655 Paths
Address
Hash Refcount Metric Path
0x4014154
0
3 18508
701 3549 19421 i
0x4013914
0
3 18508
701 7018 14990 i
0x5166d6c
0
3 18508
209 4637 1221 9249 9249 i
0x5e62df4
0
2 18508
701 17302 i
0x3a1814c
0
26 18508
209 22291 i
0x567ea9c
0
75 18508
209 3356 2529 i
0x6cc1294
0
2 18508
209 1239 19265 i
0x6cc18d4
0
1 18508
701 2914 4713 17935 i
0x5982e44
0
162 18508
0x67d4a14
0
2 18508
701 19878 ?
0x559972c
0
31 18508
209 18756 i
0x59cd3b4
0
2 18508
209 i
209 7018 15227 i
Border Gateway Protocol | 183
�www.dell.com | support.dell.com
Next Hop
The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop
address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address
is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another
BGP speaker outside its local AS. It can also be set when advertising routes within an AS. The Next Hop
attribute also serves as a way to direct traffic to another BGP speaker, rather than waiting for a speaker to
advertise.
FTOS allows you to set the Next Hop attribute in the CLI. Setting the Next Hop attribute lets you
determine a router as the next hop for a BGP neighbor.
Multiprotocol BGP
ec
MBGP for IPv4 Multicast is supported on platform c e s z
MBGP for IPv6 unicast is supported on platforms
Multiprotocol Extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of
address families to be distributed in parallel. This allows information about the topology of IP
Multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast
routers. It allows a multicast routing topology different from the unicast routing topology.
Note: It is possible to configure BGP peers that exchange both unicast and multicast network layer
reachability information (NLRI), but you cannot connect Multiprotocol BGP with BGP. Therefore, you
cannot redistribute Multiprotocol BGP routes into BGP.
Implementing BGP with FTOS
Additional Path (Add-Path) support
BGP Add-path is supported on platforms
ez
The Add-path feature reduces convergence times by advertising multiple paths to its peers for the same
address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only
the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker
withdraws it path from its local RIB and recalculates a new best path. This requires both IGP and BGP
convergence and can therefore be a lengthy process. BGP Add-path also helps switchover to the next new
best path when the current best path is unavailable.
184
|
Border Gateway Protocol
�Advertise IGP cost as MED for redistributed routes
When using multipath connectivity to an external AS, you can advertise the MED value selectively to each
peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting
others to a constant pre-defined metric as MED value.
FTOS 8.3.1.0 and later support configuring the set metric-type internal command in a route-map to
advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes. The configured set
metric value overwrites the default IGP cost.
By using the redistribute command in conjunction with the route-map command, you can specify whether
a peer advertises the standard MED or uses the IGP cost as the MED.
Note the following when configuring this functionality:
•
•
•
If the redistribute command does not have any metric configured and BGP Peer out-bound route-map
does have metric-type internal configured, BGP advertises the IGP cost as MED.
If the redistribute command has metric configured (route-map set metric or redistribute route-type
metric ) and the BGP Peer out-bound route-map has metric-type internal configured, BGP advertises
the metric configured in the redistribute command as MED.
If BGP peer out-bound route-map has metric configured, then all other metrics are overwritten by this.
Note: When redistributing static, connected or OSPF routes, there is no metric option. Simply assign the
appropriate route-map to the redistributed route.
Table 9-1 gives some examples of these rules.
Table 9-1.
Example MED advertisement
Command Settings
BGP Local Routing
Information Base
MED Advertised to Peer
WITH route-map
metric-type internal
WITHOUT route-map
metric-type internal
redistribute isis
(IGP cost = 20)
MED: IGP cost 20
MED = 20
MED = 0
redistribute isis
route-map set metric 50
MED: IGP cost 50
MED: 50
MED: 50
redistribute isis metric 100
MED: IGP cost 100
MED: 100
MED: 100
Ignore Router-ID for some best-path calculations
FTOS 8.3.1.0 and later allow you to avoid unnecessary BGP best-path transitions between external paths
under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused
by routing and forwarding plane changes and allows for faster convergence.
Border Gateway Protocol | 185
�www.dell.com | support.dell.com
4-Byte AS Numbers
FTOS Version 7.7.1 and later support 4-Byte (32-bit) format when configuring Autonomous System
Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN
message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the
messages will be 4-octet. The behavior of a 4-Byte BGP speaker will be different with the peer depending
on whether the peer is 4-Byte or 2-Byte BGP speaker.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS Numbers using the
traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip bgp
commands. For example, an ASN entered as 3183856184 will appear in the show commands as
48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN
from a traditional format, use ASN/65536. ASN%65536.
Table 9-2.
4-Byte ASN Dot Format Examples
Traditional Format
Dot Format
65001
Is
0.65501
65536
The
1.0
100000
Same As
1.34464
4294967295
65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified
routers. You cannot mix them.
Configure the 4-byte AS numbers with the four-octet-support command.
AS4 Number Representation
FTOS version 8.2.1.0 supports multiple representations of an 4-byte AS Numbers: asplain, asdot+, and
asdot.
Note: The ASDOT and ASDOT+ representations are supported only in conjunction with the 4-Byte AS
Numbers feature. If 4-Byte AS Numbers are not implemented, only ASPLAIN representation is supported.
ASPLAIN is the method FTOS has used for all previous FTOS versions.It remains the default method with
FTOS 8.2.1.0 and later. With the ASPLAIN notation, a 32 bit binary AS number is translated into a
decimal value.
•
•
All AS Numbers between 0-65535 are represented as a decimal number when entered in the CLI as
well as when displayed in the show command outputs.
AS Numbers larger than 65535 are represented using ASPLAIN notation as well. 65546 is
represented as 65546.
186
|
Border Gateway Protocol
�ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a
decimal point (.): .. Some examples are shown in
Table 9-2.
•
•
All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as
well as when displayed in the show command outputs.
AS Numbers larger than 65535 is represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than
65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear using the
decimal method (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number
65546 appears as 1.10.
Dynamic AS Number Notation application
FTOS 8.3.1.0 applies the ASN Notation type change dynamically to the running-config statements. When
you apply or change an asnotation, the type selected is reflected immediately in the running-configuration
and the show commands (Figure 9-9 and Figure 9-10).
Border Gateway Protocol | 187
�www.dell.com | support.dell.com
Figure 9-9.
Dynamic changes of the bgp asnotation command in the show running config
ASDOT
FTOS(conf-router_bgp)#bgp asnotation asdot
FTOS(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057