Dell Force10 Z9000 Configuration Manual

FTOS configuration guide for Z9000 system
FTOS Configuration Guide for
the Z9000 System
FTOS 9.1(0.0)
Publication Date: February 2013

Summary of Contents for Dell Force10 Z9000

  • Page 1 FTOS Configuration Guide for the Z9000 System FTOS 9.1(0.0) Publication Date: February 2013...
  • Page 2 © 2013 Dell Force10. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell(™), the DELL logo, Dell Boomi(™), Dell Precision(™), OptiPlex(™), Latitude(™), PowerEdge(™), PowerVault(™), PowerConnect (™), OpenManage(™), EqualLogic(™), Compellent(™), KACE(™), FlexAddress(™), Force10(™) and...
  • Page 5: Table Of Contents

    1 About this Guide ..........27 Objectives .
  • Page 6 Log Messages in the Internal Buffer ........56 Configuration Task List for System Log Management .
  • Page 7 6 Access Control Lists (ACLs) ......... 89 Overview .
  • Page 8 8 Border Gateway Protocol ......... . 159 Protocol Overview .
  • Page 9 Domain Name Server ..........243 Reload Modes .
  • Page 10 CAM Profile Mismatches ..........276 QoS CAM Region Limitation .
  • Page 11 Configure the System to be a DHCP Server ....... . .316 Configuration Tasks .
  • Page 12 FRRP Configuration ...........347 Troubleshooting FRRP .
  • Page 13 View Basic Interface Information ......... .374 Enable a Physical Interface .
  • Page 14 20 IPv4 Routing ........... . 421 IP Addresses .
  • Page 15 Adjust your CAM-Profile ..........456 Assign an IPv6 Address to an Interface .
  • Page 16 24 Layer 2............519 Managing the MAC Address Table .
  • Page 17 Disabling and Undoing LLDP .........550 Advertising TLVs .
  • Page 18 Create Multiple Spanning Tree Instances ........593 Influence MSTP Root Selection .
  • Page 19 Assign an OSPFv2 area ..........636 Enable OSPFv2 on interfaces .
  • Page 20 Monitoring PIM ............681 31 PIM Source-Specific Mode (PIM-SSM) .
  • Page 21 Port-based QoS Configurations ......... . .723 Set dot1p Priorities for Incoming Traffic .
  • Page 22 Configure an EdgePort ..........777 Influence RSTP Root Selection .
  • Page 23 VLAN Stacking Packet Drop Precedence ........830 Enable Drop Eligibility .
  • Page 24 Subscribe to Managed Object Value Updates using SNMP .....855 Copy Configuration Files Using SNMP ........858 Manage VLANs using SNMP .
  • Page 25 Disable NTP on an interface ......... .891 Configure a source IP address for NTP packets .
  • Page 26 VRRP Configuration ...........952 Configuration Task List for VRRP .
  • Page 27: About This Guide

    Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Force10 systems. For complete information on protocols, refer to other documentation including IETF Requests for Comment (RFCs). The instructions in...
  • Page 28: Conventions

    This symbol is a note associated with some other text on the page that is marked with an asterisk. Related Documents For more information about the Dell Force10 E-Series, C-Series, S-Series and Z-Series refer to the following documents: • FTOS Command Reference •...
  • Page 29: Configuration Fundamentals

    Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes.
  • Page 30: Cli Modes

    CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command on page 34). You can set user access rights to commands and command modes using privilege levels;...
  • Page 31: Navigating Cli Modes

    Figure 2-2. CLI Modes in FTOS EXEC EXEC Privilege CONFIGURATION ARCHIVE AS-PATH ACL INTERFACE GIGABIT ETHERNET 10 GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET NULL PORT-CHANNEL SONET VLAN VRRP IPv6 IP COMMUNITY-LIST IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST LINE AUXILIARY CONSOLE VIRTUAL TERMINAL MAC ACCESS-LIST...
  • Page 32 Table 2-1. FTOS Command Modes Access Command CLI Command Mode Prompt EXEC FTOS> Access the router through the console or Telnet. From EXEC mode, enter the command enable. EXEC Privilege FTOS# • From any other mode, use the command end. •...
  • Page 33 Table 2-1. FTOS Command Modes (continued) Access Command CLI Command Mode Prompt mac access-list standard STANDARD ACCESS- FTOS(config-std-macl)# LIST mac access-list extended EXTENDED ACCESS- FTOS(config-ext-macl)# LIST MULTIPLE FTOS(config-mstp)# protocol spanning-tree mstp SPANNING TREE OPENFLOW FTOS(conf-of-instance of-id)# openflow of-instance of-id of-id represents the OpenFlow instance ID. Per-VLAN SPANNING FTOS(config-pvst)# protocol spanning-tree pvst...
  • Page 34: The Do Command

    The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command. Note: The following commands cannot be modified by the do command: enable, disable, exit, and configure.
  • Page 35: Obtaining Help

    Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the help command: • Enter at the prompt or after a keyword to list the keywords available in the current mode. •...
  • Page 36: Command History

    • The UP and DOWN arrow keys display previously entered commands (see Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line, as described in Table 2-2.
  • Page 37: Filtering Show Command Outputs

    Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
  • Page 38: Multiple Users In Configuration Mode

    % Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
  • Page 39: Getting Started

    Getting Started This chapter contains the following major sections: • Default Configuration • Configure a Host Name • Access the System Remotely • Configure the Enable Password • Configuration File Management • File System Management When you power up the switch, the system performs a Power-On Self Test (POST) during which the system LED is amber.
  • Page 40: Default Configuration

    To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout. Step Task Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9000 console port to a terminal server. Connect the other end of the cable to the DTE terminal server.
  • Page 41: Configure A Host Name

    The C-Series, E-Series, S-Series (except for S25 and S50) and Z-Series have a dedicated management port. The S25 and S50 switches do not have a dedicated management port. • All Dell Force10 products can be managed via the front-end data ports as well. Access the C-Series, E-Series, S-Series, and the Z-Series Remotely Configuring the system for Telnet is a three-step process: 1.
  • Page 42: Configure The Management Port Ip Address

    Configure the Management Port IP Address Assign IP addresses to the management ports in order to access the system remotely. Note: Assign different IP addresses to each RPM’s management port on the E-Series and C-Series platforms. To configure the management port IP address: Step Task Command Syntax...
  • Page 43: Access The S-Series Remotely

    7 is for inputting a password that is already encrypted using a Type 7 hash. Obtaining the encrypted password from the configuration of another Dell Force10 system. Access the S-Series Remotely The S-Series does not have a dedicated management port nor a separate management routing table.
  • Page 44: Configure The Enable Password

    Flash memory. It has a space limitation but does not limit the number of files it can contain. Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause unexpected system behavior, including a reboot.
  • Page 45: Copy Files To And From The System

    Table 3-2. • To copy a remote file to a Dell Force10 system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location shown in Table 3-2.
  • Page 46: Save The Running-Configuration

    26292881 bytes successfully copied Save the Running-configuration The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the switch by default, but it can be saved onto an external flash or SSD devices (on the switch) or a remote server.
  • Page 47: Configure The Overload Bit For Startup Scenario

    Task Command Syntax Command Mode Save the running-configuration to: copy running-config startup-config the startup-configuration on the internal flash of the primary RPM copy running-config rpm flash://filename the internal flash on an RPM Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
  • Page 48: View Configuration Files

    To view a list of files on the internal or external Flash: Step Task Command Syntax Command Mode View a list of files on: dir flash: the internal flash of an RPM EXEC Privilege dir slot: the external flash of an RPM The output of the command also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in...
  • Page 49: File System Management

    --More-- File System Management The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information:...
  • Page 50: View Command History

    Figure 3-7, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. Figure 3-7. Alternative Storage Location FTOS#cd slot0: FTOS#copy running-config test No File System Specified FTOS#copy run test 7419 bytes successfully copied...
  • Page 51: Management

    Management Management is supported on platforms: e c s z This chapter explains the different protocols or services used to manage the Dell Force10 system including: • Configure Privilege Levels • Configure Logging • File Transfer Services • Terminal Lines •...
  • Page 52: Removing A Command From Exec Mode

    A user can access all commands at his privilege level and below. Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode.
  • Page 53 The following table lists the configuration tasks you can use to customize a privilege level: Task Command Syntax Command Mode privilege exec level level Remove a command from the list of available commands CONFIGURATION in EXEC mode. {command ||...|| command} privilege exec level level Move a command from EXEC Privilege to EXEC mode.
  • Page 54 Create a Custom Privilege Level FTOS(conf)#do show run priv privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet 10.11.80.201 [telnet output omitted]...
  • Page 55: Apply A Privilege Level To A Username

    Apply a Privilege Level to a Username To set a privilege level for a user: Task Command Syntax Command Mode Configure a privilege level for a user. CONFIGURATION username username privilege level Apply a Privilege Level to a Terminal Line To set a privilege level for a terminal line: Task Command Syntax...
  • Page 56: Log Messages In The Internal Buffer

    Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer. Message 1 BootUp Events %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled Configuration Task List for System Log Management The following list includes the configuration tasks for system log management: •...
  • Page 57: Send System Messages To A Syslog Server

    Send System Messages to a Syslog Server Send system messages to a syslog server by specifying the server with the following command: Task Command Syntax Command Mode Specify the server to which you want to send system logging {ip-address | CONFIGURATION messages.
  • Page 58: Display The Logging Buffer And The Logging Configuration

    Task Command Syntax Command Mode Specify the size of the logging buffer. logging buffered size CONFIGURATION Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. logging history size size Specify the number of messages that FTOS saves to its CONFIGURATION...
  • Page 59 show logging Command FTOS#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM. %RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:' %CHMGR-5-CARDDETECTED: Line card 0 present %CHMGR-5-CARDDETECTED: Line card 2 present...
  • Page 60: Configure A Unix Logging Facility Level

    Configure a UNIX logging facility level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose logging facility [facility-type] CONFIGURATION Specify one of the following parameters.
  • Page 61: Synchronize Log Messages

    Synchronize log messages You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. To synchronize log messages, use these commands in the following sequence starting in the CONFIGURATION mode: Step...
  • Page 62: File Transfer Services

    To have FTOS include a timestamp with the syslog message, use the following command syntax in the CONFIGURATION mode: Command Syntax Command Mode Purpose service timestamps log | debug ] datetime CONFIGURATION Add timestamp to syslog messages. Specify localtime msec show-timezone uptime the following optional parameters:...
  • Page 63 Enable FTP server To enable the system as an FTP server, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose ftp-server enable CONFIGURATION Enable FTP on the system. To view FTP configuration, use the show running-config ftp Command Output in the EXEC privilege mode.
  • Page 64: Terminal Lines

    The auxiliary line (aux) connects secondary devices such as modems. Deny and Permit Access to a Terminal Line Dell Force10 recommends applying only standard ACLs to deny and permit access to VTY lines. • Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny any traffic.
  • Page 65: Configure Login Authentication For Terminal Lines

    To apply an IP ACL to a line: Task: Apply an ACL to a VTY line. Command Syntax: ip access-class access-list. Command Mode: LINE. To view the configuration, enter the command show config in the LINE mode, as shown in Applying an Access List to a VTY Line.
  • Page 66: Time Out Of Exec Privilege Mode

    To configure authentication for a terminal line: Step Task Command Syntax Command Mode aaa authentication login {method-list-name | Create an authentication method list. CONFIGURATION default } [method-1] [method-2] [method-3] You may use a mnemonic name or use the keyword default. The default [method-4] [method-5] [method-6] authentication method for terminal lines is local, and the default method...
  • Page 67: Telnet To Another Network Device

    To change the timeout period or disable EXEC timeout. Task Command Syntax Command Mode exec-timeout minutes [seconds] Set the number of minutes and seconds. LINE Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0. no exec-timeout Return to the default timeout values.
  • Page 68: Lock Configuration Mode

    Password: FTOS>exit FTOS#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin FTOS# Lock CONFIGURATION mode FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message A two types of locks can be set: auto and manual.
  • Page 69: Viewing The Configuration Lock Status

    Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
  • Page 70 Step Task Command Syntax Command Mode copy flash://startup-config.bak Copy startup-config.bak to the EXEC Privilege running-config running config. no authentication login Remove all authentication statements LINE no password you might have for the console. copy running-config startup-config Save the running-config. EXEC Privilege setenv stconfigignore false Set the system parameters to use the uBoot...
  • Page 71: Recovering From A Forgotten Enable Password On The S4810 And Z9000

    Step Task Command Syntax Command Mode copy running-config startup-config Save the running-config. EXEC Privilege Recovering from a Forgotten Enable Password on the S4810 and Z9000 If you forget the enable password on the S4810: Step Task Command Syntax Command Mode Log onto the system via console.
  • Page 72: Recovering From A Failed Start On The S4810 And Z9000

    Step Task Command Syntax Command Mode grub>setenv enablepwdignore=true Set the system parameters to ignore uBoot grub>save_env enablepwdignore the enable password when the system reloads and save the environment. reset Reload the system. uBoot enable {secret | password} Configure a new enable password. CONFIGURATION copy running-config startup-config Save the running-config to the...
  • Page 73: Protocol Overview

    (typically RADIUS) via a mandatory intermediary network access device, in this case, a Dell Force10 switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
  • Page 74: The Port-Authentication Process

    The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default. The Port-authentication Process...
  • Page 75: Eap Over Radius

    3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge. The Access-Challenge is a request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method).
  • Page 76 (Supplicant Requested Credentials) 3: Access-Reject 11: Access-Challenge fnC0034mp RADIUS Attributes for 802.1 Support Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: • Attribute 5—NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
  • Page 77: Configuring 802.1X

    Configuring 802.1X Configuring 802.1X on a port is a two-step process: 1. Enable 802.1X globally. See page 77. 2. Enable 802.1X on an interface. See page 77. Related Configuration Tasks • Configuring Request Identity Re-transmissions on page 79 • Configuring Port-control on page 82 •...
  • Page 78 Figure 5-4. Enabling 802.1X To enable 802.1X: Step Task Command Syntax Command Mode dot1x authentication Enable 802.1X globally. CONFIGURATION interface [range] Enter INTERFACE mode on an interface or a range of INTERFACE interfaces. dot1x authentication Enable 802.1X on an interface or a range of interfaces. INTERFACE show running-config | find Verify that 802.1X is enabled globally and at interface level using the command...
  • Page 79: Configuring Request Identity Re-Transmissions

    View 802.1X configuration information for an interface using the command show dot1x interface, as shown in Figure 5-6. Figure 5-6. Verifying 802.1X Interface Configuration FTOS#show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- 802.1X Enabled on Dot1x Status: Enable Port Control: AUTO...
  • Page 80: Configuring A Quiet Period After A Failed Authentication

    To configure a maximum number of Request Identity re-transmissions: Step Task Command Syntax Command Mode dot1x max-eap-req number Configure a maximum number of times that a Request INTERFACE Identity frame can be re-transmitted by the Range: 1-10 authenticator. Default: 2 Figure 5-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
  • Page 81: Forcibly Authorizing Or Unauthorizing A Port

    Figure 5-7. Configuring a Request Identity Re-transmissions FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90 FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10 FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120 FTOS#show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable Port Control: AUTO Port Auth Status: UNAUTHORIZED New Re-transmit Interval Re-Authentication: Disable Untagged VLAN id:...
  • Page 82: Re-Authenticating A Port

    Figure 5-8. Configuring Port-control FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable New Port-control State Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds...
  • Page 83: Configuring Timeouts

    Figure 5-9. Configuring a Reauthentication Period FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200 FTOS(conf-if-gi-2/1)#dot1x reauth-max 10 FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Re-authentication Enabled Port Auth Status: UNAUTHORIZED Re-Authentication: Enable Untagged VLAN id: None Tx Period: 90 seconds...
  • Page 84: Dynamic Vlan Assignment With Port Authentication

    RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1) the host sends a dot1x packet to the Dell Force10 system, 2) the system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number, and 3) the RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
  • Page 85: Guest And Authentication-Fail Vlans

    Figure 5-11. Dynamic VLAN Assignment with 802.1X Guest and Authentication-fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
  • Page 86: Configuring A Guest Vlan

    The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices, and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users. • If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
  • Page 87 Figure 5-13. Configuring an Authentication-fail VLAN FTOS(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5 FTOS(conf-if-gi-1/2)#show config interface GigabitEthernet 1/2 switchport dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown FTOS(conf-if-gi-1/2)# View your configuration using the command show config from INTERFACE mode, as shown in Figure 5-12, or using the command show dot1x interface...
  • Page 88 802.1X...
  • Page 89: Access Control Lists (Acls)

    Access Control Lists (ACLs) Access Control Lists (ACLs) chapter also includes prefix lists and route maps. e c s z ACLs are supported on platforms: e c s z Ingress IP and MAC ACLs are supported on platforms: Egress IP and MAC ACLs are supported on platforms: Overview At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses.
  • Page 90: Ip Access Control Lists (Acls)

    IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference): •...
  • Page 91 c s z CAM optimization is supported on platforms CAM Profiling CAM optimization is supported on platforms The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity.
  • Page 92: Cam Optimization

    The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM Allocation settings on a C-Series matching are: •...
  • Page 93: Implementing Acls On Ftos

    Implementing ACLs on FTOS One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL.
  • Page 94: Ip Fragment Handling

    ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
  • Page 95: Ip Fragments Acl Examples

    • Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM. IP fragments ACL examples The following configuration permits all packets (both fragmented &...
  • Page 96: Configure A Standard Ip Acl

    To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a configuration similar to the following. FTOS(conf)#ip access-list extended ABC FTOS(conf-ext-nacl)#permit tcp any any fragment FTOS(conf-ext-nacl)#permit udp any any fragment FTOS(conf-ext-nacl)#deny ip any any log FTOS(conf-ext-nacl) Note the following when configuring ACLs with the fragments keyword.
  • Page 97 Step Command Syntax Command Mode Purpose seq sequence-number { deny | permit } CONFIG-STD-NACL Configure a drop or forward filter. The {source [mask] | any | host ip-address} parameters are: count byte order monitor • log and monitor options are supported on E-Series only.
  • Page 98 If you are creating a standard ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of 5. To configure a filter without a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax...
  • Page 99: Configure An Extended Ip Acl

    To delete a filter, enter the command show config in the IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in the IP ACCESS LIST mode. Configure an extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses.
  • Page 100 TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose ip access-list extended CONFIGURATION Create an extended IP ACL and assign it a access-list-name unique name.
  • Page 101 Figure 6-7. Command Example: seq FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any FTOS(config-ext-nacl)#show confi ip access-list extended dilling seq 5 permit tcp 12.1.0.0 0.0.255.255 any seq 15 deny ip host 112.45.0.0 any log FTOS(config-ext-nacl)# Configure filters without sequence number If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence...
  • Page 102: Configuring Layer 2 And Layer 3 Acls On An Interface

    Figure 6-8. Extended IP ACL FTOS(config-ext-nacl)#deny tcp host 123.55.34.0 any FTOS(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0 FTOS(config-ext-nacl)#show config ip access-list extended nimule seq 5 deny tcp host 123.55.34.0 any seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0 FTOS(config-ext-nacl)# To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip command (Figure 232)
  • Page 103: Assign An Ip Acl To An Interface

    For information on MAC ACLs, refer to Chapter 24, Layer Assign an IP ACL to an Interface c s z Ingress IP ACLs are supported on platforms: Ingress and Egress IP ACL are supported on platforms: To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port channel interface, or a VLAN.
  • Page 104: Counting Acl Hits

    To view which IP ACL is applied to an interface, use the show config command (Figure 232) in the INTERFACE mode or the show running-config command in the EXEC mode. Figure 6-9. Command example: show config in the INTERFACE Mode FTOS(conf-if)#show conf interface GigabitEthernet 0/0 ip address 10.2.1.100 255.255.255.0...
  • Page 105: Configuring Egress Acls

    Figure 6-10. Creating an Ingress ACL FTOS(conf)#interface gige 0/0 Use the “in” keyword FTOS(conf-if-gige0/0)#ip access-group abcd in to specify ingress. FTOS(conf-if-gige0/0)#show config gigethernet 0/0 no ip address ip access-group abcd in no shutdown FTOS(conf-if-gige0/0)#end Begin applying rules to FTOS#configure terminal the ACL named FTOS(conf)#ip access-list extended abcd “abcd.”...
  • Page 106: Egress Layer 3 Acl Lookup For Control-Plane Ip Traffic

    Figure 6-11. Creating an Egress ACL FTOS(conf)#interface gige 0/0 Use the “out” keyword FTOS(conf-if-gige0/0)#ip access-group abcd to specify egress. FTOS(conf-if-gige0/0)#show config gigethernet 0/0 no ip address ip access-group abcd out no shutdown FTOS(conf-if-gige0/0)#end Begin applying rules to FTOS#configure terminal FTOS(conf)#ip access-list extended abcd the ACL named FTOS(config-ext-nacl)#permit tcp any any...
  • Page 107: Acl

    Configuring ACLs to Loopback ACLs can be supplied on Loopback interfaces supported on platform Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack—malicious and incidental—by explicitly allowing only authorized traffic. The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to apply specific ACLs onto all ingress interfaces and achieves the same results.
  • Page 108: Ip Prefix Lists

    Figure 6-12. Applying an ACL to the Loopback Interface FTOS(conf)#interface loopback 0 FTOS(conf-if-lo-0)#ip access-group abcd Use the keyword. FTOS(conf-if-lo-0)#show config interface Loopback 0 no ip address ip access-group abcd in no shutdown FTOS(conf-if-lo-0)#end FTOS#configure terminal FTOS(conf)#ip access-list extended abcd Add rules to the ACL FTOS(config-ext-nacl)#permit tcp any any named “abcd.”...
  • Page 109: Implementation Information

    The following rules apply to prefix lists: • A prefix list without any permit or deny filters allows all routes. • An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
  • Page 110 If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes ( permit 0.0.0.0/0 le 32 ). The “permit all” filter should be the last filter in your prefix list.
  • Page 111 Figure 6-14. Prefix List FTOS(conf-nprefixl)#permit 123.23.0.0 /16 FTOS(conf-nprefixl)#deny 133.24.56.0 /8 FTOS(conf-nprefixl)#show conf ip prefix-list awe seq 5 permit 123.23.0.0/16 seq 10 deny 133.0.0.0/8 FTOS(conf-nprefixl)# To delete a filter, enter the show config command in the PREFIX LIST mode and locate the sequence number of the filter you want to delete;...
  • Page 112: Use A Prefix List For Route Redistribution

    Use a prefix list for route redistribution To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution command. The prefix list is applied to all traffic redistributed into the routing process and the traffic is either forwarded or dropped depending on the criteria and actions specified in the prefix list.
  • Page 113: Acl Resequencing

    To view the configuration, use the show config command in the ROUTER OSPF mode (Figure 6-18) or the show running-config ospf command in the EXEC mode. Figure 6-18. Command Example: show config in ROUTER OSPF Mode FTOS(conf-router_ospf)#show config router ospf 34 network 10.2.1.1 255.255.255.255 area 0.0.0.1 distribute-list prefix awe in FTOS(conf-router_ospf)# ACL Resequencing...
  • Page 114: Resequencing An Acl Or Prefix List

    Table 6-4. ACL Resequencing Example (Resequenced) seq 15 permit any host 1.1.1.3 seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs. To resequence an ACL or prefix list use the appropriate command in Table 6-5.
  • Page 115: Route Maps

    Remarks and rules that originally have the same sequence number have the same sequence number after the resequence command is applied. Remarks that do not have a corresponding rule will be incremented as a rule. These two mechanisms allow remarks to retain their original position in the list. For example, in Figure 6-20, remark 10 corresponds to rule 10 and as such they have the same number...
  • Page 116: Important Points To Remember

    Important Points to Remember For route-maps with more than one match clause: • If two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation. •...
  • Page 117 To view the configuration, use the show config command in the ROUTE-MAP mode (Figure 6-21). Figure 6-21. Command Example: show config in the ROUTE-MAP Mode FTOS(config-route-map)#show config route-map dilling permit 10 FTOS(config-route-map)# You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order.
  • Page 118: Configure Route Map Filters

    Figure 6-24. Command Example: show route-map FTOS#show route-map dilling route-map dilling, permit, sequence 10 Match clauses: Set clauses: route-map dilling, permit, sequence 15 Match clauses: interface Loopback 23 Set clauses: 3444 FTOS# To delete a route map, use the no route-map map-name command in the CONFIGURATION mode.
  • Page 119 Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map. As an example: FTOS(conf)#route-map force permit 10 FTOS(config-route-map)#match tag 1000 FTOS(conf)#route-map force deny 20 FTOS(config-route-map)#match tag 1000 FTOS(conf)#route-map force deny 30 FTOS(config-route-map)#match tag 1000 In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 &...
  • Page 120 Command Syntax Command Mode Purpose match ipv6 address CONFIG-ROUTE-MAP Match destination routes specified in a prefix list prefix-list-name (IPv6). match ip next-hop CONFIG-ROUTE-MAP Match next-hop routes specified in a prefix list {access-list-name | prefix-list (IPv4). prefix-list-name} match ipv6 next-hop CONFIG-ROUTE-MAP Match next-hop routes specified in a prefix list {access-list-name | prefix-list (IPv6).
  • Page 121: Configure A Route Map For Route Redistribution

    Command Syntax Command Mode Purpose set origin { egp | igp | incomplete } CONFIG-ROUTE-MAP Assign an ORIGIN attribute. set tag tag-value CONFIG-ROUTE-MAP Specify a tag for the redistributed routes. set weight value CONFIG-ROUTE-MAP Specify a value as the route’s weight. Use these commands to create route map instances.
  • Page 122: Configure A Route Map For Route Tagging

    Configure a route map for route tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the route as it passes through different routing protocols.
  • Page 123: Bidirectional Forwarding Detection (Bfd)

    BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be encapsulated in any form that is convenient, and, on Dell Force10 routers, sessions are maintained by BFD Agents that reside on the line card, which frees resources on the RPM. Only session state changes are reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered with it.
  • Page 124: How Bfd Works

    How BFD Works Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
  • Page 125 Figure 7-1. BFD in IPv4 Packet Format
  • Page 126 Table 7-1. BFD Packet Fields Field Description Diagnostic Code The reason that the last session failed. State The current local session state. See sessions. Flag A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval.
  • Page 127 • Active—The active system initiates the BFD session. Both systems can be active for the same session. • Passive—The passive system does not initiate a session. It only responds to a request for session initialization from the active system. A BFD session has two modes: •...
  • Page 128 4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
  • Page 129: O To Remember

    Figure 7-3. BFD State Machine (diagram showing the current session state and the packet received; states Down, Init, Up and Admin Down, plus Timer events) o to Remember • BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM. •...
  • Page 130: Configuring Bfd For Physical Ports

    • Troubleshooting BFD Configuring BFD for Physical Ports Configuring BFD for Physical Ports is supported on C-Series and E-Series only. BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
  • Page 131 Establishing a session on physical ports To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 7-5. Establishing a BFD Session for Physical Ports R2: ACTIVE Role R1: ACTIVE Role 4/24...
  • Page 132 Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if you change a parameter, the change affects all physical port sessions on that interface. Dell Force10 recommends maintaining the default values. To change session parameters on an interface:...
  • Page 133 Figure 7-8. Changing Session Parameters for Physical Ports R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.2 Remote MAC Addr: 00:01:e8:06:95:a2 Int: GigabitEthernet 4/24 State: Up Configured parameters:...
  • Page 134: Configuring Bfd For Static Routes

    To re-enable BFD on an interface: Step Task Command Syntax Command Mode bfd enable Enable BFD on an interface. INTERFACE Configuring BFD for Static Routes Configuring BFD for Static Routes is supported on C-Series and E-Series only. BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than having to wait until packets fail to reach their next hop.
  • Page 135 To establish a BFD session: Task: Establish BFD sessions for all neighbors that are the next hop of a static route. Command Syntax: ip route bfd. Command Mode: CONFIGURATION. Verify that sessions have been created for static routes using the show bfd neighbors command, as shown in the following illustration.
  • Page 136: Configuring Bfd For Ospf

    Disabling BFD for static routes If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state (Message To disable BFD for static routes: Step Task...
  • Page 137: Command Mode

    Figure 7-11. Establishing Sessions with OSPF Neighbors FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24 FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24 FTOS(conf-if-gi-6/1)# ip address 2.2.4.1/24 FTOS(conf-if-gi-2/1)# no shutdown FTOS(conf-if-gi-2/2)# no shutdown FTOS(conf-if-gi-6/1)# no shutdown FTOS(conf-if-gi-2/1)# exit FTOS(conf-if-gi-2/2)# exit FTOS(conf-if-gi-6/1)# exit FTOS(config)# router ospf 1 FTOS(config)# router ospf 1 FTOS(config)# router ospf 1 FTOS(config-router_ospf )# network 2.2.2.0/24 area 0 FTOS(config-router_ospf )# network 2.2.3.0/24 area 1...
  • Page 138 View the established sessions using the show bfd neighbors command, as shown in the following illustration. Figure 7-12. Viewing Established Sessions for OSPF Neighbors R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors - Active session role Ad Dn - Admin Down - CLI - ISIS OSPF BFD Sessions...
  • Page 139: Configuring Bfd For Is-Is

    Disabling BFD for OSPF If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3).
  • Page 140: Show Bfd Neighbors

    Figure 7-13. Establishing Sessions with IS-IS Neighbors FTOS(conf )# router isis FTOS(conf-router_isis)# net 02.1921.6800.2002.00 FTOS(conf-router_isis)# interface gigabitethernet 2/1 FTOS(conf-router_isis)# interface gigabitethernet 2/2 FTOS(conf-if-gi-2/1)#ip address 2.2.2.2/24 FTOS(conf-if-gi-2/2)#ip address 2.2.3.1/24 FTOS(config-if-gi-2/1)# ip router isis FTOS(config-if-gi-2/2)# ip router isis FTOS(config-if-gi-2/1)# exit FTOS(config-if-gi-2/2)# exit FTOS(conf )# router isis FTOS(conf )# router isis FTOS(conf-router_isis)# bfd all-neighbors...
  • Page 141 Figure 7-14. Viewing Established Sessions for IS-IS Neighbors R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors IS-IS BFD Sessions Enabled - Active session role Ad Dn - Admin Down - CLI - ISIS - OSPF - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.2.2 2.2.2.1...
  • Page 142: Configuring Bfd For Bgp

    Disabling BFD for IS-IS If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Remote System State Change due to Local State Admin Down).
  • Page 143 For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system.
  • Page 144 As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure.
  • Page 145 To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
  • Page 146 show The following examples show the BFD for BGP output displayed for these commands. Figure 7-16. Verifying a BFD for BGP Configuration: show running-config bgp Command R2# show running-config bgp router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1...
  • Page 147 Figure 7-18. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.3 Local MAC Addr: 00:01:e8:66:da:33 Remote Addr: 1.1.1.2 Remote MAC Addr: 00:01:e8:8a:da:7b Int: TenGigabitEthernet 6/0 State: Up Configured parameters: BFD session parameters: TX (packet transmission), RX...
  • Page 148 Figure 7-19. Displaying BFD Packet Counters: show bfd counters bgp Command R2# show bfd counters bgp Interface TenGigabitEthernet 6/0 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/1 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/2 Protocol BGP Messages:...
  • Page 149 Figure 7-21. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue...
  • Page 150: Configuring Bfd For Vrrp

    Configuring BFD for VRRP BFD for VRRP is only supported on platforms: When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
  • Page 151 To establish sessions with all VRRP neighbors: Step Task Command Syntax Command Mode vrrp bfd all-neighbors Establish sessions with all VRRP neighbors. INTERFACE Establishing VRRP sessions on VRRP neighbors The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions.
  • Page 152 Figure 7-24. Viewing Established Sessions for VRRP Neighbors R1(conf-if-gi-4/25)#do show vrrp ------------------ GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 State: Backup, Priority: 1, Master: 2.2.5.2 Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address:...
  • Page 153: Configuring Bfd For Vlans

    Configuring BFD for VLANs is supported only on platforms BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
  • Page 154 Establishing sessions with VLAN neighbors To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The session parameters do not need to match. Figure 7-25. Establishing Sessions with VLAN Neighbors VLAN 200 4/25 FTOS(config-if-gi-4/25)# switchport...
  • Page 155: Configuring Bfd For Port-Channels

    These parameters are configured per interface; if a configuration change is made, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 156 Configuring BFD for port-channels is a two-step process: 1. Enable BFD globally on all participating routers. See Enabling BFD globally. 2. Enable BFD at interface level at both ends of the port-channel. Related configuration tasks • Change session parameters. • Disable BFD on a port-channel.
  • Page 157 These parameters are configured per interface; if you change a parameter, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 158: Configuring Protocol Liveness

    Configuring Protocol Liveness Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message To enable Protocol Liveness: Step...
  • Page 159: Border Gateway Protocol

    Border Gateway Protocol Platforms support BGP according to the following table (FTOS version: platform support): IPv4 8.3.11.2 and IPv6 9.0.0.0: Z9000; 8.3.7.0: S4810; 8.1.1.0: E-Series ExaScale; 7.8.1.0: S-Series; 7.7.1.0: C-Series; pre-7.7.1.0: E-Series TeraScale. This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
  • Page 160: Autonomous Systems (As)

    • Multiprotocol BGP • Implementing BGP with FTOS • Additional Path (Add-Path) support • Advertise IGP cost as MED for redistributed routes • Ignore Router-ID for some best-path calculations • 4-Byte AS Numbers • AS4 Number Representation • AS Number Migration •...
  • Page 161 A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to remain connected to the internet in the event of a complete failure of one of its connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this is seen in Figure 8-1.
  • Page 162: Sessions And Peers

    Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh”. This is a topology that has every router directly connected to every other router. Each BGP router within an AS must have iBGP sessions with all other BGP routers in the AS. For example, a BGP network within an AS needs to be in “full mesh.”...
  • Page 163: Establishing A Session

    Establishing a session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established.
  • Page 164: Route Reflectors

    Route Reflectors Route Reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. Note: Route Reflectors (RRs) should not be used in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding plane RRs could create routing loops. Route reflection divides iBGP peers into two groups: client peers and nonclient peers.
  • Page 165: Confederations

    Confederations Communities BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time. BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
  • Page 166 Note: In 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error will result if the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command are configured at the same time.
  • Page 167 Best Path selection details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. network redistribute •...
  • Page 168: Weight

    11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path). For paths containing a Route Reflector (RR) attribute, the originator ID is substituted for the router ID. 12.
  • Page 169: Multi-Exit Discriminators (Meds)

    Figure 8-5. LOCAL_PREF Example Set Local Preference to 100 Router A AS 100 T1 Link Router C AS 200 Router B Router E Set Local Preference to 200 OC3 Link Router E Router D AS 300 Router F Multi-Exit Discriminators (MEDs) If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to assign a preference to a preferred path.
  • Page 170: Origin

    Figure 8-6. MED Route Example Set MED to 100 Router A AS 100 T1 Link Router C AS 200 Router B Router E OC3 Link Router D Set MED to 50 Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes.
  • Page 171 Figure 8-7. Origin attribute reported FTOS#show ip bgp BGP table version is 0, local router ID is 10.101.15.13 Status codes: s suppressed, d damped, h history, * valid, > best Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop...
  • Page 172: Next Hop

    Next Hop The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS.
  • Page 173: Advertise Igp Cost As Med For Redistributed Routes

    Advertise IGP cost as MED for redistributed routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value.
  • Page 174: Byte As Numbers

    4-Byte AS Numbers FTOS Version 7.7.1 and later support 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet.
  • Page 175 ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>. Some examples are shown in Table 8-2. • All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as well as when displayed in the show command outputs.
  • Page 176 Figure 8-9. Dynamic changes of the bgp asnotation command in the show running config ASDOT FTOS(conf-router_bgp)#bgp asnotation asdot FTOS(conf-router_bgp)#show conf router bgp 100 bgp asnotation asdot bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057 <output truncated> FTOS(conf-router_bgp)#do show ip bgp BGP table version is 24901, local router ID is 172.30.1.57 <output truncated>...
  • Page 177: As Number Migration

    Figure 8-10. Dynamic changes when bgp asnotation command is disabled in the show running config AS NOTATION DISABLED FTOS(conf-router_bgp)#no bgp asnotation FTOS(conf-router_bgp)#sho conf router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057 <output truncated> FTOS(conf-router_bgp)#do sho ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS4 SUPPORT DISABLED FTOS(conf-router_bgp)#no bgp four-octet-as-support...
  • Page 178: Before Migration

    Figure 8-11. Local-AS Scenario Router A AS 100 Router C AS 300 Router B AS 200 Before Migration Router A AS 100 Router C AS 100 AS 300 Router B Local AS After Migration, with Local-AS enabled When you complete your migration, and you have reconfigured your network with the new information you must disable this feature.
  • Page 179: Bgp4 Management Information Base (Mib)

    SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation. Important Points to Remember •...
  • Page 180: Configuration Information

    To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Force10 recommends setting the timeout and retry count values to a relatively higher number, e.g. t = 60 or r = 5.
  • Page 181: Bgp Configuration

    BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the command is not enabled).
  • Page 182: Configuration Task List For Bgp

    Configuration Task List for BGP The following list includes the configuration tasks for BGP: • Enable BGP • Configure AS4 Number Representations • Configure Peer Groups • BGP fast fall-over • Configure passive peering • Maintain existing AS numbers during an AS migration •...
  • Page 183 In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router.
  • Page 184 Step Command Syntax Command Mode Purpose You must Configure Peer Groups before assigning it a remote AS. neighbor {ip-address | CONFIG-ROUTER-BGP Enable the BGP neighbor. peer-group-name} no shutdown Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode.
  • Page 185 Figure 8-13. Command example: show ip bgp summary (4-Byte AS Number displayed) R2#show ip bgp summary 4-Byte AS Number BGP router identifier 192.168.10.2, local AS number 48735.59224 BGP table version is 1, main routing table version 1 1 network entrie(s) using 132 bytes of memory 1 paths using 72 bytes of memory BGP-RIB over all using 73 bytes of memory 1 BGP path attribute entrie(s) using 72 bytes of memory...
  • Page 186 Figure 8-14. Command example: show ip bgp neighbors FTOS#show ip bgp neighbors External BGP neighbor BGP neighbor is 10.114.8.60, remote AS 18508, external link BGP version 4, remote router ID 10.20.20.20 BGP state ESTABLISHED, in this state for 00:01:58 Last read 00:00:14, hold time is 90, keepalive interval is 30 seconds Received 18552 messages, 0 notifications, 0 in queue Sent 11568 messages, 0 notifications, 0 in queue Received 18549 updates, Sent 11562 updates...
  • Page 187 Figure 8-15. Command example: show running-config bgp R2#show running-config bgp router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown...
  • Page 188 Only one form of AS Number Representation is supported at a time. You cannot combine the types of representations within an AS. Task: Enable ASPLAIN AS Number representation (Figure 8-16). Command Syntax: bgp asnotation asplain. Command Mode: CONFIG-ROUTER-BGP. Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display.
  • Page 189 Figure 8-18. Command example and output: bgp asnotation asdot+ FTOS(conf-router_bgp)#bgp asnotation asdot+ FTOS(conf-router_bgp)#sho conf router bgp 100 bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i Configure Peer Groups...
  • Page 190 Step / Command Syntax / Command Mode / Purpose. Command Syntax: neighbor ip-address peer-group peer-group-name. Command Mode: CONFIG-ROUTER-BGP. Purpose: Add an enabled neighbor to the peer group. Command Syntax: neighbor {ip-address | peer-group-name} remote-as as-number. Command Mode: CONFIG-ROUTER-BGP. Purpose: Add a neighbor as a remote AS. Formats: IP Address: A.B.C.D; Peer-Group Name: 16 characters; AS-number: 0-65535 (2-Byte) or 1-4294967295 | 0.1-65535.65535 (4-Byte) or 0.1-65535.65535 (Dotted format)
  • Page 191 Figure 8-19. Command example: show config (creating peer-group) Configuring neighbor zanzibar FTOS(conf-router_bgp)#neighbor zanzibar peer-group FTOS(conf-router_bgp)#show conf router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown FTOS(conf-router_bgp)# Use the...
  • Page 192 Figure 8-21. Command example: show ip bgp peer-group FTOS>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1...
  • Page 193 BGP fast fall-over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails.
  • Page 194 Figure 8-22. Command example: show ip bgp neighbors FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.5 BGP state ESTABLISHED, in this state for 00:19:15 Last read 00:00:15, last write 00:00:06 Hold time is 180, keepalive interval is 60 seconds Received 52 messages, 0 notifications, 0 in queue...
  • Page 195 Figure 8-23. Command example: show ip bgp peer-group FTOS#sh ip bgp peer-group Peer-group test Fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS#...
  • Page 196 Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode to configure passive peering. Step Command Syntax Command Mode Purpose neighbor peer-group-name CONFIG-ROUTER-BGP Configure a peer group that does not initiate TCP peer-group passive limit connections with other peers. Enter the limit keyword to restrict the number of sessions accepted.
  • Page 197 Disable this feature, using the no neighbor local-as command in CONFIGURATION ROUTER BGP mode. Figure 8-24. Local-as information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123...
  • Page 198 Figure 8-25. Allowas-in information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500...
  • Page 199 • Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary RPM is coming online. • Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic.
  • Page 200 Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [ stale-path-time time-in-seconds]. Command Mode: CONFIG-ROUTER-BGP. Purpose: Set maximum time to retain the restarting neighbor’s or peer-group’s stale paths. Default is 360 seconds. Filter on an AS-Path attribute The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path.
  • Page 201 Use these commands in the following sequence, starting in the CONFIGURATION mode to configure an AS-PATH ACL to filter a specific AS_PATH value. Step / Command Syntax / Command Mode / Purpose. Command Syntax: ip as-path access-list as-path-name. Command Mode: CONFIGURATION. Purpose: Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.
  • Page 202 Figure 8-27. Filtering with Regular Expression FTOS(config)#router bgp 99 FTOS(conf-router_bgp)#neigh AAA peer-group FTOS(conf-router_bgp)#neigh AAA no shut FTOS(conf-router_bgp)#show conf router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown FTOS(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in FTOS(conf-router_bgp)#ex Create the Access List and Filter FTOS(conf)#ip as-path access-list Eagle...
  • Page 203: Redistribute Routes

    Table 8-4. Regular Expressions Regular Expression Definition + (plus) Matches 1 or more sequences of the immediately previous character or pattern. ? (question) Matches 0 or 1 sequence of the immediately previous character or pattern. ( ) (parenthesis) Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ? [ ] (brackets) Matches any enclosed character;...
  • Page 204 Command Syntax Command Mode Purpose redistribute ospf process-id ROUTER BGP or Include specific OSPF routes in IS-IS. Configure [ match external { 1 | 2 } | match CONF-ROUTER_BGPv6_AF the following parameters: internal ] [ metric-type { external | process-id range: 1 to 65535 •...
  • Page 205 • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised. • All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
  • Page 206 Step Command Syntax Command Mode Purpose { permit | deny } {{ rt | soo } CONFIG-COMMUNITY- Two types of extended communities are {ASN:NN | IPADDR:N} | LIST supported. Filter routes based on the type of regex REGEX-LINE} extended communities they carry using one of the following keywords: •...
  • Page 207 To use an IP Community list or Extended Community List to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. Use these commands in the following sequence, starting in the CONFIGURATION mode. Step Command Syntax Command Mode...
  • Page 208 If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
  • Page 209 Figure 8-29. Command example: show ip bgp community (Partial) FTOS>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric...
  • Page 210 Change MED attribute By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used. Command Syntax Command Mode Purpose...
  • Page 211 Step Command Syntax Command Mode Purpose set local-preference value CONFIG-ROUTE-MAP Change LOCAL_PREF value for routes meeting the criteria of this route map. exit CONFIG-ROUTE-MAP Return to the CONFIGURATION mode. router bgp as-number CONFIGURATION Enter the ROUTER BGP mode. neighbor {ip-address | CONFIG-ROUTER-BGP Apply the route map to the neighbor or peer peer-group-name} route-map...
  • Page 212 Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config command in EXEC Privilege mode to view BGP configuration. You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address: Command Syntax Command Mode...
  • Page 213 • AS-PATH ACLs (using the neighbor filter-list command) • route maps (using the neighbor route-map command) Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used. Refer to Chapter 6, “Access Control Lists (ACLs),” on page 89 for configuration information on prefix lists, AS-PATH ACLs, and route maps.
  • Page 214 To view the BGP configuration, use the show config command in the ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Use these commands in the following sequence, starting in the CONFIGURATION mode to filter routes using a route map.
  • Page 215 Step Command Syntax Command Mode Purpose neighbor {ip-address | CONFIG-ROUTER-BGP Filter routes based on the criteria in the peer-group-name} filter-list configured route map. Configure the following as-path-name { in | out } parameters: ip-address or peer-group-name: enter the • neighbor’s IP address or the peer group’s name.
  • Page 216 When you enable a route reflector, FTOS automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode. All clients should be fully meshed before you disable route reflection.
  • Page 217 Configure BGP confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving a large number of IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
  • Page 218 When dampening is applied to a route, its path is described by one of the following terms: • history entry—an entry that stores information on a downed route • dampened path—a path that is no longer advertised • penalized path—a path that is assigned a penalty The CLI example below shows configuring values to start reusing or restarting a route, as well as their default values.
  • Page 219 To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or show running-config bgp in EXEC Privilege mode. To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode: Command Syntax Command Mode Purpose set dampening half-life reuse...
  • Page 220 To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to active state. Command Syntax Command Mode Purpose clear ip bgp dampening...
  • Page 221 Change BGP timers Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers. Command Syntax Command Mode Purpose neighbors {ip-address | CONFIG-ROUTER-BGP Configure timer values for a BGP neighbor or peer group. peer-group-name} timers keepalive range: 1 to 65535.
  • Page 222 Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration. Command Syntax Command Mode Purpose clear ip bgp {* | EXEC Privilege Clear all information or only specific details. neighbor-address | AS Numbers *: Clear all peers | ipv4 | peer-group-name } [soft...
  • Page 223 Route map continue The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the feature executes only after a successful match occurs.
  • Page 224: Mbgp Configuration

    MBGP Configuration MBGP for IPv6 unicast is supported on platforms MBGP for IPv4 Multicast is supported on platform MBGP is not supported on the E-Series ExaScale x platform. Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing.
  • Page 225: Bgp Regular Expression Optimization

    BGP Regular Expression Optimization BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can take a lot of CPU cycles, especially when the database is large. FTOS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in the RP1 processor.
  • Page 226: Storing Last And Bad Pdus

    Enter no debug ip bgp to disable all BGP debugging. Enter undebug all to disable all debugging. Storing Last and Bad PDUs FTOS stores the last notification sent/received, and the last bad PDU received on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command , as shown in Figure...
  • Page 227: Capturing Pdus

    Capturing PDUs Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
  • Page 228: Pdu Counters

    • New PDU are captured and there is no more space to store them • The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.) With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs, as shown in Figure 8-36.
  • Page 229 Figure 8-37 is a graphic illustration of the configurations shown on the following pages. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peers groups with each other. Figure 8-37. Sample Configuration Illustration Physical Links AS 99 Virtual Links...
  • Page 230 Figure 8-38. Enable BGP - Router 1 R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int gig 1/21 R1(conf-if-gi-1/21)#ip address 10.0.1.21/24 R1(conf-if-gi-1/21)#no shutdown R1(conf-if-gi-1/21)#show config interface GigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-gi-1/21)#int gig 1/31...
  • Page 231 Figure 8-39. Enable BGP - Router 2 R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.2/24 R2(conf-if-lo-0)#no shutdown R2(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.2/24 no shutdown R2(conf-if-lo-0)#int gig 2/11 R2(conf-if-gi-2/11)#ip address 10.0.1.22/24 R2(conf-if-gi-2/11)#no shutdown R2(conf-if-gi-2/11)#show config interface GigabitEthernet 2/11 ip address 10.0.1.22/24 no shutdown R2(conf-if-gi-2/11)#int gig 2/31...
  • Page 232 Figure 8-40. Enable BGP - Router 3 R3# conf R3(conf)# R3(conf)#int loop 0 R3(conf-if-lo-0)#ip address 192.168.128.3/24 R3(conf-if-lo-0)#no shutdown R3(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.3/24 no shutdown R3(conf-if-lo-0)#int gig 3/11 R3(conf-if-gi-3/11)#ip address 10.0.3.33/24 R3(conf-if-gi-3/11)#no shutdown R3(conf-if-gi-3/11)#show config interface GigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int gig 3/21...
  • Page 233 Figure 8-41. Enable Peer Group - Router 1 R1#conf R1(conf)#router bgp 99 R1(conf-router_bgp)# network 192.168.128.0/24 R1(conf-router_bgp)# neighbor AAA peer-group R1(conf-router_bgp)# neighbor AAA no shutdown R1(conf-router_bgp)# neighbor BBB peer-group R1(conf-router_bgp)# neighbor BBB no shutdown R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config router bgp 99...
  • Page 234 Figure 8-42. Enable Peer Groups - Router 1 continued Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
  • Page 235 Figure 8-43. Enable Peer Groups - Router 2 R2#conf R2(conf)#router bgp 99 R2(conf-router_bgp)# neighbor CCC peer-group R2(conf-router_bgp)# neighbor CC no shutdown R2(conf-router_bgp)# neighbor BBB peer-group R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.3 no shut R2(conf-router_bgp)#show conf...
  • Page 236 Figure 8-44. Enable Peer Group - Router 3 R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown R3(conf-router_bgp)#...
  • Page 237 Figure 8-45. Enable Peer Groups - Router 3 continued Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
  • Page 238 Border Gateway Protocol...
  • Page 239: Bare Metal Provisioning 3.0 (Bmp 3.0)

    Bare Metal Provisioning 3.0 (BMP 3.0) Bare Metal Provisioning 3.0 (BMP 3.0) is included as part of the FTOS image. It is supported on platforms Overview Bare Metal Provisioning (BMP) is a feature that improves operational efficiency to the system by automatically loading pre-defined configurations and FTOS images using standard protocols such as DHCP and common file transfer mechanisms.
  • Page 240: Prerequisites

    Configuration Tasks • Script Examples Prerequisites Before you use BMP 3.0 to auto-configure a supported Dell Force10 switch, you must first configure: • An external Dynamic Host Configuration Protocol (DHCP) server (required) - a network device offering configuration parameters •...
  • Page 241: Preparing Bmp

    1. Current (new) FTOS build image. 2. Configuration file or pre-configuration script (ZSH, TCL, or Expect script). 3. A list of checksums for all these components. Note: The configuration file is to maintain normal BMP functionality when a pre-configuration script is not sent.
  • Page 242 • User port stacking Note: BMP will eventually exit when the timeout occurs. DHCP Retry Mechanism BMP requests a different DHCP offer in the following scenarios: • If the command reload-type config-scr-download enable is enabled, the DHCP offer specifies both the boot image and the configuration file.
  • Page 243: File Server

    FTP URL with IP address: option configfile "ftp://admin:admin@30.0.0.1/pt-s4810-12";
    HTTP URL with DNS: option configfile "http://Guest-1/pt-s4810-12";
    TFTP: option configfile "pt-s4810-12";
    ##### bootfile-name could be given in the following way
    FTP URL with DNS: option bootfile-name "ftp://admin:admin@Guest-1/FTOS-SE-8.3.10.1.bin";
    HTTP URL with IP address: option bootfile-name "http://30.0.0.1/FTOS-SE-8.3.10.1.bin";...
  • Page 244: Bmp Mode

    BMP mode is the default boot mode configured for a new system arriving from Dell Force10. This mode obtains the FTOS image and configuration file from a network source (DHCP and file servers). Use Normal mode to boot the switch up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned.
  • Page 245: Normal Mode

    Normal Mode When reloaded in Normal mode, the switch boots up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned. If the management IP address is not present in the start-up configuration file, no IP address will be assigned to the management interface.
  • Page 246: Post-Configuration Scripts

    Post-configuration Scripts In BMP 3.0, after the pre-configuration script has completed and the configuration is loaded, you can run a post-configuration script if one is present in the configuration file. Use the post-configuration script to check the status of configured ports or protocols which can then be sent as a status report to a central repository for your network administrators.
  • Page 247: Configuration Tasks

    Configuration Tasks When the system boots up in BMP mode all ports, including management ports, are placed in L3 mode in no shut state. The system acts as a DHCP client on these ports for a period of time (dhcp-timeout). This allows the system time to send out a DHCP DISCOVER on all the interface up ports to the DHCP Server...
  • Page 248: System Boot And Set-Up Behavior In Bmp Mode

    System boot and set-up behavior in BMP Mode 1. System begins boot up process in BMP mode (default mode). 2. The system sends DHCP Discover on all the interface up ports. 00:01:31: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0. 00:01:31: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/0.
  • Page 249: Bmp Mode: Boot And Set-Up Behavior

    • If there is a mismatch between the build images, the system upgrades to the downloaded version and reloads. 00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Major Version 00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Minor Version 00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Main Version 00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Patch Version 00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO:...
  • Page 250 Reload without a DHCP Server Offer If a switch is configured to reload in BMP mode and the DHCP server cannot be reached, the system keeps on sending DISCOVER messages. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/50. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/51. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
  • Page 251 2. The system receives a DHCP offer from a DHCP server with the following parameters: 13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207. 13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL. 13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
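The BOOT_OFFER messages above record which DHCP server answered and where the image is fetched from, so they can be audited against the provisioning hosts you expect. The following is an added example, not code from the FTOS guide: the allow-lists passed to `audit_offers` are assumptions, and the last two sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# First three lines are the messages shown on this page; the last two are constructed.
SAMPLE_LOG = """\
13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
14:02:10: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.168 mask 255.255.0.0 server IP 10.16.200.9.
14:02:11: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.200.9/mxl.bin.
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_LINE = re.compile(r"^(?P<ts>\S+): %\S+ %JUMPSTART-5-BOOT_OFFER: DHCP (?P<body>.+)$")
_ACQUIRED = re.compile(rf"acquired IP {_IP} mask {_IP} server IP {_IP}\.?$")
_TFTP = re.compile(r"tftp IP (\S+) sname")
_IMAGE = re.compile(r"image file (\S+)$")


def parse_boot_offers(log_text):
    """Group BOOT_OFFER lines into one record per DHCP offer."""
    offers, current = [], None
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        acquired = _ACQUIRED.match(body)
        if acquired:
            # An "acquired IP" line starts a new offer record.
            current = {"time": m.group("ts"), "ip": acquired.group(1),
                       "mask": acquired.group(2), "dhcp_server": acquired.group(3),
                       "tftp_ip": None, "image_url": None}
            offers.append(current)
            continue
        if current is None:
            continue  # detail line without a preceding offer
        tftp = _TFTP.match(body)
        if tftp and tftp.group(1) != "NIL":
            current["tftp_ip"] = tftp.group(1)
        image = _IMAGE.match(body)
        if image:
            current["image_url"] = image.group(1).rstrip(".")  # drop sentence period
    return offers


def audit_offers(offers, dhcp_servers, file_servers):
    """Return (client_ip, reason) for offers from hosts outside the allow-lists."""
    findings = []
    for o in offers:
        if o["dhcp_server"] not in dhcp_servers:
            findings.append((o["ip"], f"unexpected DHCP server {o['dhcp_server']}"))
        if o["image_url"] is None:
            continue
        # A bare file name (TFTP option) has no host; fall back to the tftp IP field.
        host = urlsplit(o["image_url"]).hostname or o["tftp_ip"]
        if host not in file_servers:
            findings.append((o["ip"], f"image fetched from unexpected host {host}"))
    return findings


if __name__ == "__main__":
    parsed = parse_boot_offers(SAMPLE_LOG)
    # Assumed allow-lists: the DHCP and file servers from the page's own log sample.
    for client, reason in audit_offers(parsed, {"10.16.134.207"}, {"10.16.127.53"}):
        print(client, reason)
```
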
  • Page 252 The first line of the script must contain one of the following: #!/usr/bin/expect #!/usr/bin/tclsh #!/usr/bin/zsh 2. After the first line, but before the actual start of the script, the script must contain the signature “#/ DELL-FORCE10”. Bare Metal Provisioning 3.0 (BMP 3.0)
  • Page 253: Reload Using The Auto-Execution Script (Normal Mode Only)

    The auto-execution script can be written in Expect, TCLSH, or ZSH. If the SmartScripts package is already installed, the post-configuration script can also be written in PERL or Python. • No restraints are required for the auto-execution script, such as the signature “#/DELL-FORCE10” that is required for the pre-configuration script. •...
  • Page 254: Script Examples

    /f10 (mfs:21)... unmounting /kern (kernfs)... unmounting / (/dev/md0a)... done rebooting Starting Dell Force10 application 00:00:13: %STKUNIT1-M:CP %RAM-6-ELECTION_ROLE: Stack unit 1 is transitioning to Management unit. 00:00:15: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 1 present
  • Page 255 Dell Force10 Real Time Operating System Software Dell Force10 Operating System Version: 2.0 Dell Force10 Application Software Version: 1-0(0-338) Copyright (c) 1999-2012 by Dell Inc. All Rights Reserved. Build Time: Thu Dec 27 21:32:28 2012 Build Path: /sites/sjc/work/build/buildSpaces/build06/FIT-INDUS-1-0-0/SW/SRC System image file is "dt-maa-s4810-72"...
  • Page 256 The following line indicates the successful completion of the auto-execution script. 00:00:49: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_SUCCESS: The AutoExec Script execution returned Success. The following line indicates that the Configuration file is loaded into the switch. FTOS#00:00:51: %STKUNIT1-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file 00:00:52: %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 0/36 00:00:53: %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Ma 0/0
  • Page 257: Pre-Configuration Script - Bmp Mode

    Pre-configuration Script - BMP Mode

        #! /usr/bin/expect
        #/DELL-FORCE10
        # Execute F10do and Print
        proc print_f10do {cmd_str} {
            set str [exec f10do "$cmd_str"]
            set tmp_str [string map {\n \r\n} $str ]
            puts $tmp_str
        }
        set ftp_ip "20.0.0.1"
        set ftp_username "lab"
        set ftp_passwd "lab"...
  • Page 258

        after 5000
        puts "Download Complete !!!\r\n"
        if {[file exists $config_file]} {
            puts "Config File: $config_file downloaded successfully\r\n"
        } else {
            puts "ERROR: Config File: $config_file - Not Found\r\n"
        }
        if {[file exists $post_conf]} {
            puts "Post Config Script: $post_conf downloaded successfully\r\n"
        } else {
            puts "ERROR: Post Config Script: $post_conf - Not Found\r\n"...
  • Page 259: Content Addressable Memory

    Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACL), flows, and routing policies. On Dell Force10 systems, there are one or two CAM (Dual-CAM) modules per port-pipe depending on the type of line card.
  • Page 260: Cam Profiles

    CAM Profiles Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including each RPM. The same profile must be on every line card and RPM in the chassis.
  • Page 261: Microcode

    Microcode Microcode is a compiled set of instructions for a CPU. On Dell Force10 systems, the microcode controls how packets are handled. There is a default microcode, and several other microcodes are available, so that you can adjust packet handling according to your application.
  • Page 262: Cam Profiling For Acls

    Table 10-3. Microcode Descriptions Microcode Description lag-hash-mpls For hashing based on MPLS labels (up to five labels deep). With the default microcode, MPLS packets are distributed over a port-channel based on the MAC source and destination address. With the lag-hash-mpls microcode, MPLS packets are distributed across the port-channel based on IP source and destination address and IP protocol.
  • Page 263: Boot Behavior

    The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. FTOS displays the following message if the total allocated space is not correct: % Error: Sum of all regions does not total to 100%.
  • Page 264: Flow

    Line card 1 -- Status : card problem - mismatch cam profile Next Boot : online Required Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF) Current Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF) Hardware Rev : Base - 1.1...
  • Page 265: Select Cam Profiles

    • FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to match the system CAM profile by saving the correct profile on the card and then rebooting it. • The CAM configuration is applied to entire system when you use CONFIGURATION mode commands.
  • Page 266 Allocate space for IPv4 ACLs and QoS regions, and IPv6 ACLs and QoS regions on the C-Series and S-Series by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated.
  • Page 267: Ftos

    Step / Task / Command Syntax / Command Mode. Task: Verify that the new settings will be written to the CAM on the next boot. Command Syntax: show cam-acl. Command Mode: EXEC Privilege. Task: Reload the system. Command Syntax: reload. Command Mode: EXEC Privilege. Test CAM Usage The test cam-usage command is supported on platforms c e s z. This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
  • Page 268: View Cam-Acl Settings

    Reserved : 8K entries : 8K entries entries entries entries entries Flow entries entries EgACL entries entries MicroCode Name : Default : Default --More-- View a brief output of the show cam-profile command using the summary option. The show running-config cam-profile command shows the current profile and microcode as shown in the following example.
  • Page 269: Ftos#Show Cam-Acl

    L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl -- Line card 6 -- Current Settings(in block sizes) L2Acl Ipv4Acl Ipv6Acl Ipv4Qos L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl The default values for the command for the are: show cam-acl FTOS#show cam-acl -- Chassis Cam ACL -- Current Settings(in block sizes) L2Acl Ipv4Acl...
  • Page 270: View Cam Usage

    View CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privilege mode, as shown in the following example. R1#show cam-usage Linecard|Portpipe| CAM Partition | Total CAM Used CAM...
  • Page 271 Table 10-5. IPv4Flow CAM Sub-partition Sizes Space Allocated Space Allocated Space Allocated Partition (EtherScale) (TeraScale) (ExaScale) System Flow Trace Lists You can re-configure the amount of space allocated for each type of entry. FTOS requires that you specify an amount of CAM space for all types and in the order shown in Table 10-5.
  • Page 272 Current Settings Next Boot Multicast Fib/Acl : System Flow Trace Lists -- Line card 0 -- Current Settings Next Boot Multicast Fib/Acl : System Flow Trace Lists -- Line card 1 -- Current Settings Next Boot Multicast Fib/Acl : System Flow Trace Lists Content Addressable Memory (CAM)
  • Page 273: Configure Ingress Layer 2 Acl Sub-Partitions

    Configure Ingress Layer 2 ACL Sub-partitions IPv4Flow sub-partitions are supported on platform The Ingress Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 10-6 lists the sub-partition and the percentage of the Ingress Layer 2 ACL CAM partition that FTOS allocates to each by default.
  • Page 274 To re-allocate CAM space within the Ingress Layer 2 ACL partition on the entire system as shown in the following example. : Step Task Command Syntax Command Mode cam-l2acl Re-allocate CAM space within the Ingress CONFIGURATION Layer 2 ACL partition. Save the running-configuration.
  • Page 275: Return To The Default Cam Configuration

    Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the default keyword from EXEC Privilege mode or from CONFIGURATION mode, as shown in the following example. FTOS(conf)#cam-profile ? default Enable default CAM profile eg-default Enable eg-default CAM profile...
  • Page 276: Lag Hashing Based On Bidirectional Flow

    In this case, manually adjust the CAM configuration on the card to match the system configuration. Dell Force10 recommends the following to prevent mismatches: • Use the eg-default CAM profile in a chassis that has only EG Series line cards. If this profile is used in a chassis with non-EG line cards, the non-EG line cards enter a problem state.
  • Page 277: Qos Cam Region Limitation

    • Change to the default profile if downgrading to an FTOS version earlier than 6.3.1.1. • Use the CONFIGURATION mode commands so that the profile is changed throughout the system. • Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system.
  • Page 278 Content Addressable Memory (CAM)
  • Page 279: Control Plane Policing (Copp)

    Control Plane Policing (CoPP) Control Plane Policing (CoPP) is supported on platforms: Overview Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, and rate-limits traffic to an acceptable level.
  • Page 280: Configure Control Plane Policing

    Figure 11-2. CoPP solution example Hardware Queue OSPF flood CPU at 1100 PPS Rate Limiting ICMP fails 1100 PPS 400 PPS No CoPP Rules ICMP PING Packets Q7 receives STP at 1100 pps due to network storm/loop. The CPU is hit with the entire 1100 pps and the PING attempt fails intermittently. Hardware Queue CoPP Rule Rate Limiting...
  • Page 281: Configure Copp For Protocols

    The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configure CoPP for protocols This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs...
  • Page 282 Sample Config for CoPP protocol configuration
    Create IP/IPv6/MAC Extended ACL
    FTOS(conf)#ip access-list extended ospf cpu-qos
    FTOS(conf-ip-acl-cpuqos)#permit ospf
    FTOS(conf-ip-acl-cpuqos)#exit
    FTOS(conf)#ip access-list extended bgp cpu-qos
    FTOS(conf-ip-acl-cpuqos)#permit bgp
    FTOS(conf-ip-acl-cpuqos)#exit
    FTOS(conf)#mac access-list extended lacp cpu-qos
    FTOS(conf-mac-acl-cpuqos)#permit lacp
    FTOS(conf-mac-acl-cpuqos)#exit
    FTOS(conf)#ipv6 access-list ipv6-icmp cpu-qos
    FTOS(conf-ipv6-acl-cpuqos)#permit icmp
    FTOS(conf-ipv6-acl-cpuqos)#exit
    FTOS(conf)#ipv6 access-list ipv6-vrrp cpu-qos
    FTOS(conf-ipv6-acl-cpuqos)#permit vrrp...
  • Page 283: Configure Copp For Cpu Queues

    Match QoS Class Map to QoS Policy
    FTOS(conf)#policy-map-input egressFP_rate_policy cpu-qos
    FTOS(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
    FTOS(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
    FTOS(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
    FTOS(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
    FTOS(conf-policy-map-in-cpuqos)#exit
    Create Control Plane Service Policy
    FTOS(conf)#control-plane-cpuqos
    FTOS(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy
    FTOS(conf-control-cpuqos)#exit
    Configure CoPP for CPU queues Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies.
  • Page 284: Show Commands

    Sample Config for CoPP CPU queue configuration
    Create QoS Policy
    FTOS#conf
    FTOS(conf)#qos-policy-input cpuq_1
    FTOS(conf-qos-policy-in)#rate-police 3000 40 peak 500 40
    FTOS(conf-qos-policy-in)#exit
    FTOS(conf)#qos-policy-input cpuq_2
    FTOS(conf-qos-policy-in)#rate-police 5000 80 peak 600 50
    FTOS(conf-qos-policy-in)#exit
    Assign QoS Policy to Queues
    FTOS(conf)#policy-map-input cpuq_rate_policy cpu-qos
    FTOS(conf-qos-policy-in)#service-queue 5 qos-policy cpuq_1
    FTOS(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2
    FTOS(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1
    Create Control Plane Service Policy...
  • Page 285 Use the show ip protocol-queue-mapping command to view the queue mapping for each configured protocol. FTOS#show ip protocol-queue-mapping Protocol Src-Port Dst-Port TcpFlag Queue EgPort Rate (kbps) -------- -------- -------- ------- ----- ------ ----------- TCP (BGP) any/179 179/any UDP (DHCP) 67/68 68/67 Q6/Q5 UDP (DHCP-R)
  • Page 286 Control Plane Policing (CoPP)
  • Page 287: Z-Series Debugging And Diagnostics

    Z-Series Debugging and Diagnostics The chapter contains the following major sections: • Offline Diagnostics • TRACE logs • Hardware watchdog timer • Last restart reason • show hardware commands • Troubleshooting packet loss • Application core dumps • Mini core dumps •...
  • Page 288: Running Offline Diagnostics

    Running Offline Diagnostics 1. Place the unit in the offline state using the offline stack-unit command from EXEC Privilege mode, as shown in Taking a Z-Series Stack Unit Offline. You cannot enter the command on a stacking unit. Note: The system reboots when the off-line diagnostics complete. This is an automatic process in default mode.
  • Page 289 Figure 12-2. Verifying the Offline/Online Status of a Z-Series Stack Unit FTOS#show system brief | no-more Stack MAC : 00:01:e8:a9:81:9e Reload-Type normal-reload [Next boot : normal-reload] Stack Info Unit UnitType Status ReqTyp CurTyp Version Ports ---------------------------------------------------------------------------- Management offline Z9000 Z9000 9-0-0-0 Member not present...
  • Page 290 Figure 12-3. Running Offline Diagnostics on a Z-Series Standalone Unit FTOS#diag stack-unit 1 alllevels Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports Proceed with Diags [confirm yes/no]: yes 00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1 00:03:35 : Approximate time to complete these Diags ...
  • Page 291 Figure 12-4. Verifying the Offline/Online Diagnostics of a Z-Series Standalone Unit flash: 3001958400 bytes total (2716000256 bytes free) FTOS#show file flash://TestReport-SU-0.txt CPU Version : Intel I386 Stack Unit Board temperatur : 49 Degree C Stack Unit Number Serial Number : Z8FX122P00109 Part Number : 7520057401 Product Revision...
  • Page 292 Test 5 - Psu Source Type Test ........FAIL + TEST - 6 PSU [0] Fan FLOW Type Normal (IO --> Rear) Test 6.000 - Psu Fan module type detect test ......PASS diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present... diagS3240PsuFanModuleTypeDetectTest[448]: ERROR: Getting PSU -1 power status failed. Offline diagnostics can be run in DEBUG Mode as shown in the following example, Running offline diagnostics in DEBUG...
  • Page 293: Trace Logs

    Figure 12-7. show diag stack-unit command example FTOS#show diag stackunit 0 Diag status of Stackunit member 0: -------------------------------------------------------------------------- Stackunit is currently offline. Stackunit level2 diag issued at Thu Apr 09, 2009 02:40:13 PM. Current diag status: Unit diags are done. Duration of execution (Total): 8 min 11 sec.
  • Page 294: Last Restart Reason

    Table 12-2 lists the show hardware commands available as of the latest FTOS version on the Z9000. Note: The show hardware commands should only be used under the guidance of the Dell Force10 Technical Assistance Center. Z-Series Debugging and Diagnostics...
  • Page 295 Table 12-2. show hardware Commands
    Command: show hardware stack-unit {0-11} cpu management statistics
    Description: View internal interface status of the stack-unit CPU port which connects to the external management interface.
    Command: show hardware stack-unit {0-11} cpu data-plane statistics
    Description: View driver-level statistics for the data-plane port on the CPU for the specified stack-unit.
  • Page 296 The Z9000 supports 32 40G ports or 128 10G ports on four port-pipes, which are also called units. The system displays internal port numbers, not the external port numbers that you will see. See the following table for information that maps the internal unit port number with the port-pipe unit for the 40G (highlighted lines only) and 10G ports (all lines).
  • Page 297: Environmental Monitoring

    Table 12-3. Cross-reference of internal port numbers to user port numbers Internal Unit User Ports 0 User Ports User Ports User Ports No User No User Port to 31 on Unit 32 to 63 on 64 to 95 on 96 to 127 on Ports on Ports on Number...
  • Page 298: Troubleshoot An Over-Temperature Condition

    Use the command in EXEC mode to bring the line card back online. In addition, Dell Force10 requires that you install blanks in all slots without a line card to control airflow for adequate system cooling. Note: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card...
  • Page 299: Recognize An Under-Voltage Condition

    Recognize an under-voltage condition If the system detects an under-voltage condition, it declares an alarm. To recognize this condition, look for the system messages in Message 3. Message 3 Under-voltage Condition System Messages %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage This message in Message 3 indicates that the specified card is not receiving enough power.
  • Page 300: Buffer Tuning

    Buffer tuning Buffer Tuning allows you to modify the way your switch allocates buffers from its available memory, and helps prevent packet drops during a temporary burst of traffic. The S-Series ASICs implement the key functions of queuing, feature lookups, and forwarding lookups in hardware. •...
  • Page 301: Deciding To Tune Buffers

    Front-end Links Deciding to tune buffers Dell Force10 recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case: •...
  • Page 302: Buffer Tuning Commands

    Buffer tuning commands Note: Buffer profile queue 1 is not supported. Use default buffer profile queue 4. Task Command Command Mode buffer-profile fp fsqueue Define a buffer profile for the FP queues. CONFIGURATION buffer-profile csf csqueue Define a buffer profile for the CSF queues. CONFIGURATION buffer dedicated Change the dedicated buffers on a physical 1G...
  • Page 303 Display the allocations for any buffer profile using the show commands in Figure 12-12. Display the default buffer profile using the show buffer-profile {summary | detail} command from EXEC Privilege mode, as shown in Figure 12-11. Figure 12-11. Display the Default Buffer Profile FTOS#show buffer-profile detail interface gigabitethernet 0/1 Interface Gi 0/1 Buffer-profile -...
  • Page 304: Sample Buffer Profile Configuration

    If the default buffer profile (4Q) is active, FTOS displays an error message instructing you to remove the default configuration using the no buffer-profile global command. Sample buffer profile configuration The two general types of network environments are sustained data transfers and voice/data. Dell Force10 recommends a single-queue approach for data transfers, as shown in Figure 12-13.
  • Page 305: Troubleshooting Packet Loss

    Figure 12-13. Single Queue Application for S50N with Default Packet Pointers
    buffer-profile fp fsqueue-fp
    buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
    buffer dynamic 1256
    buffer-profile fp fsqueue-hig
    buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
    buffer dynamic 1256
    buffer fp-uplink stack-unit 0 port-set 0 buffer-policy fsqueue-hig
    buffer fp-uplink stack-unit 0 port-set 1 buffer-policy fsqueue-hig...
  • Page 306: Dataplane Statistics

    Figure 12-14. Displaying Drop Counter Statistics FTOS#show hardware stack-unit 0 drops UNIT No: 0 Total Ingress Drops :0 Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0 Total Egress Drops :0 UNIT No: 1 Total Ingress Drops :0 Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0...
  • Page 307 Figure 12-16. Displaying Dataplane Statistics FTOS#show hardware stack-unit 0 cpu data-plane statistics bc pci driver statistics for device: rxHandle noMhdr noMbuf noClus recvd dropped recvToNet rxError rxDatapathErr rxPkt(COS0) rxPkt(COS1) rxPkt(COS2) rxPkt(COS3) rxPkt(COS4) rxPkt(COS5) rxPkt(UNIT0) rxPkt(UNIT1) rxPkt(UNIT2) rxPkt(UNIT3) transmitted txRequested noTxDesc txError txReqTooLarge txInternalError :0...
  • Page 308: Displaying Stack Member Counters

    Displaying Party Bus Statistics FTOS#sh hardware stack-unit 2 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Displaying Stack Member Counters The show hardware stack-unit 0–7 {counters | details | port-stats [detail] | register} command displays internal receive and transmit statistics, based on the selected command option.
  • Page 309: Application Core Dumps

    Application core dumps Application core dumps are disabled by default. A core dump file can be very large. Core dumps are stored in the local flash. Enable full application core dumps with the following: Task Command Syntax Command Mode Enable RPM core dumps and specify the logging coredump server CONFIGURATION shutdown mode.
  • Page 310: Tcp Dumps

    Mini core text file example VALID MAGIC ------------------------PANIC STRING ----------------- panic string is :<null> ----------------------STACK TRACE START--------------- 0035d60c <f10_save_mmu+0x120>: 00274f8c <panic+0x144>: 0024e2b0 <db_fncall+0x134>: 0024dee8 <db_command+0x258>: 0024d9c4 <db_command_loop+0xc4>: 002522b0 <db_trap+0x158>: 0026a8d0 <mi_switch+0x1b0>: 0026a00c <bpendtsleep>: ------------------------STACK TRACE END---------------- ---------------------------FREE MEMORY--------------- uvmexp.free = 0x2312 The panic string contains key information regarding the crash.
  • Page 311 Task Command Syntax Command Mode Enable a TCP dump for CPU bound traffic. tcpdump cp [capture-duration time | CONFIGURATION filter expression | max-file-count value | packet-count value | snap-length value | write-to path] Z-Series Debugging and Diagnostics | 311...
  • Page 312 Z-Series Debugging and Diagnostics...
  • Page 313: Dynamic Host Configuration Protocol (Dhcp)

    Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol (DHCP) is available on platforms: e c s z (except where noted). This chapter contains the following sections: • Protocol Overview • Implementation Information • Configuration Tasks • Configure the System to be a DHCP Server •...
  • Page 314: Dhcp Packet Format And Options

    DHCP Packet Format and Options DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format;...
  • Page 315: Assigning An Ip Address Using Dhcp

    Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
  • Page 316: Configure The System To Be A Dhcp Server

    Implementation Information • The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046. • IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP Source Address Validation.
  • Page 317: Configure The Server For Automatic Address Allocation

    IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell Force10 system to be a DHCP server is a three-step process: Configure the Server for Automatic Address Allocation Specify a Default Gateway...
  • Page 318: Specify A Default Gateway

    To create an address pool: Step Task Command Syntax Command Mode Access the DHCP server CLI context. ip dhcp server CONFIGURATION Create an address pool and give it a name. pool name DHCP Specify the range of IP addresses from which the network network /prefix-length DHCP <POOL>...
  • Page 319: Enable Dhcp Server

    Display the current DHCP configuration. DHCP In the following figure, an IP phone is powered by PoE and has acquired an IP address from the Dell Force10 system, which is advertising LLDP-MED. The leased IP address is displayed using show ip dhcp...
  • Page 320: Create Manual Binding Entries

    Specify the NetBIOS node type for a Microsoft netbios-node-type type DHCP <POOL> DHCP client. Dell Force10 recommends specifying clients as hybrid. Create Manual Binding Entries An address binding is a mapping between the IP address and Media Access Control (MAC) address of a client.
  • Page 321: Debug Dhcp Server

    Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network. You can configure an interface on the Dell Force10 system to relay the DHCP messages to a specific DHCP server using the command...
  • Page 322 BROADCAST flag in the DHCP Client PDUs. Note: DHCP Relay is not available on Layer 2 interfaces and VLANs. Figure 13-4. Configuring Dell Force10 Systems as a DHCP Relay Device To view the configuration for an interface, use the command...
  • Page 323: Configure The System For User Port Stacking

    Configure the System for User Port Stacking When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when the units are connected. Configure Secure DHCP DHCP as defined by RFC 2131 provides no authentication or security mechanisms.
  • Page 324: Dhcp Snooping

    The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
    Task: Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option.
    Command Syntax: ip dhcp relay information-option [trust-downstream]
    Command Mode: CONFIGURATION
  • Page 325: Add A Static Entry In The Binding Table

    Enable DHCP snooping
    Step 1. Enable DHCP Snooping globally. Command Syntax: ip dhcp snooping. Command Mode: CONFIGURATION
    Step 2. Specify ports connected to DHCP servers as trusted. Command Syntax: ip dhcp snooping trust. Command Mode: INTERFACE
    Step 3. Enable DHCP Snooping on a VLAN. Command Syntax: ip dhcp snooping vlan. Command Mode: CONFIGURATION
    Add a static entry in the binding table Task...
  • Page 326: Drop Dhcp Packets On Snooped Vlans Only

    View the DHCP Snooping statistics with the show ip dhcp snooping command as shown in the following example. FTOS#show ip dhcp snooping IP DHCP Snooping : Enabled. IP DHCP Snooping Mac Verification : Disabled. IP DHCP Relay Information-option : Disabled. IP DHCP Relay Trust Downstream : Disabled.
  • Page 327: Dynamic Arp Inspection

    Dynamic ARP Inspection Dynamic ARP inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device, and ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information.
  • Page 328 • denial of service—an attacker can send fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which would blackhole all internet-bound packets from the client. Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN, and you can enable DAI on up to 16 VLANs on a system.
  • Page 329: Source Address Validation

    Invalid ARP Replies FTOS# Bypass the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
  • Page 330: Dhcp Mac Source Address Validation

    The DHCP binding table associates addresses assigned by the DHCP servers with the port on which the requesting client is attached. When IP Source Address Validation is enabled on a port, the system verifies that the source IP address is one that is associated with the incoming port. If an attacker is impersonating a legitimate client, the source address appears on the wrong ingress port, and the system drops the packet.
  • Page 331 FTOS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
    Task: Display the IP+MAC ACL for an interface for the entire system.
    Command Syntax: show ip dhcp snooping source-address-validation [interface]
    Command Mode: EXEC Privilege
  • Page 332 Dynamic Host Configuration Protocol (DHCP)
  • Page 333: Equal Cost Multi-Path (Ecmp)

    Equal Cost Multi-Path (ECMP) Equal Cost Multi-Path (ECMP) is supported on platforms: e c s ECMP for Flow-based Affinity ECMP for Flow-based Affinity is available on platforms The hashing algorithms on E-Series TeraScale and E-Series ExaScale are different. Hashing on ExaScale is based on CRC, checksum, or XOR, and the algorithm on TeraScale is based on checksum only.
  • Page 334: Deterministic Ecmp Next Hop

    FTOS Behavior: In FTOS versions prior to 8.2.1.2, the ExaScale default hash-algorithm is 0. Beginning with version 8.2.1.2, the default hash-algorithm is 24. Deterministic ECMP Next Hop Deterministic ECMP Next Hop arranges all ECMPs in order before writing them into the CAM. For example, suppose the RTM learns 8 ECMPs in the order that the protocols and interfaces came up.
  • Page 335: Link Bundle Monitoring

    In the illustration below, Core Router 1 is an E-Series TeraScale and Core Router 2 is an E-Series ExaScale. They have similar configurations and have routes for prefix P with two possible next-hops. When Deterministic ECMP is enabled and the hash algorithm and seed are configured the same, each flow is consistently sent to the same next hop even though they are routed through two different chassis.
  • Page 336: Managing Ecmp Group Paths

    Enable link bundle monitoring using the ecmp-group command. Note: An ecmp-group index is generated automatically for each unique ecmp-group when the user configures multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
  • Page 337: Enabling Fips Cryptography

    Federal Information Processing Standards (FIPS) Cryptography is supported on the following platforms: This chapter describes how to enable FIPS cryptography requirements on the Dell Force10 platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
  • Page 338: Enabling Fips Mode

    Enabling FIPS Mode You must use the console port to enable or disable FIPS mode. The host attached to the console port must be secured against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. To enable FIPS mode: Task Command Syntax...
  • Page 339: Monitoring Fips Mode Status

    Monitoring FIPS Mode Status The status of the current FIPS mode (Enabled/Disabled) can be viewed directly using either the show fips status command or the show system command as shown below. FTOS#show fips status FIPS Mode : Enabled for the system using the show system command. FTOS#show system Stack MAC : 00:01:e8:8a:ff:0c Reload Type : normal-reload [Next boot : normal-reload]...
  • Page 340 Enabling FIPS Cryptography...
  • Page 341: Force10 Resilient Ring Protocol (Frrp)

    Force10 Resilient Ring Protocol (FRRP) Force10 Resilient Ring Protocol (FRRP) is supported on platforms: e c s z Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses. FRRP is similar to what can be achieved with the Spanning Tree Protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
  • Page 342: Ring Status

    Each Transit node is also configured with a Primary port and a Secondary port on the ring, but the port distinction is ignored as long as the node is configured as a Transit node. If the ring is complete, the Master node logically blocks all data traffic in the transmit and receive directions on the Secondary port to prevent a loop.
  • Page 343: Multiple Frrp Rings

    If the Master node does not receive the Ring Health Frame (RHF) before the fail-period timer expires (a configurable timer), the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing them to also clear their forwarding tables.
  • Page 344: Important Frrp Points

    In the example shown in Figure 16-2, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
  • Page 345: Important Frrp Concepts

    • Multiple physical rings can be run on the same switch • One Master node per ring—all other nodes are Transit • Each node has 2 member interfaces—Primary, Secondary • No limit to the number of nodes on a ring •...
  • Page 346: Implementing Frrp

    • FRRP is media and speed independent. • FRRP is a Dell Force10 proprietary protocol that does not interoperate with any other vendor. • Spanning Tree must be disabled on both Primary and Secondary interfaces before FRRP is enabled. •...
  • Page 347: Frrp Configuration

    • The Control VLAN is not used to carry any data traffic; it carries only RHFs. • The Control VLAN cannot have members that are not ring ports. • If multiple rings share one or more member VLANs, they cannot share any links between them. •...
  • Page 348 • All VLANS must be in Layer 2 mode. • Only ring nodes can be added to the VLAN. • A Control VLAN can belong to one FRRP group only. • Control VLAN ports must be tagged. • All ports on the ring must use the same VLAN ID for the Control VLAN. •...
  • Page 349 Step Command Syntax Command Mode Purpose mode master CONFIG-FRRP Configure the Master node member-vlan vlan-id CONFIG-FRRP Identify the Member VLANs for this FRRP group {range} VLAN-ID, Range: VLAN IDs for the ring’s Member VLANS. no disable CONFIG-FRRP Enable FRRP Configure and add the Member VLANs Control and Member VLANS are configured normally for Layer 2.
  • Page 350 Step Command Syntax Command Mode Purpose interface primary int CONFIG-FRRP Assign the Primary and Secondary ports, and the slot/port secondary int Control VLAN for the ports on the ring. slot/port control-vlan Interface: vlan id • For a 10/100/1000 Ethernet interface, enter the GigabitEthernet keyword keyword followed by...
  • Page 351 Clear FRRP counters Use one of the following commands to clear the FRRP counters. Command Syntax Command Mode Purpose clear frrp ring-id EXEC PRIVILEGED Clear the counters associated with this Ring ID Ring ID: 1-255 clear frrp EXEC PRIVILEGED Clear the counters associated with all FRRP groups Show FRRP configuration Use the following command to view the configuration for the FRRP group.
  • Page 352: Troubleshooting Frrp

    Troubleshooting FRRP Configuration Checks • Each Control Ring must use a unique VLAN ID • Only two interfaces on a switch can be Members of the same Control VLAN • There can be only one Master node for any FRRP Group. •...
  • Page 353 Figure 16-3. Basic Topology and CLI commands TRANSIT Primary Secondary Forwarding Forwarding GigE 2/14 GigE 2/31 Primary Primary Forwarding Forwarding GigE 3/21 GigE 1/24 Secondary Secondary Forwarding Blocking GigE 3/14 GigE 1/34 TRANSIT MASTER R1 MASTER R2 TRANSIT R3 TRANSIT interface GigabitEthernet 1/24 interface GigabitEthernet 2/14 interface GigabitEthernet 3/14...
  • Page 354 Force10 Resilient Ring Protocol (FRRP)
  • Page 355: Garp Vlan Registration Protocol (Gvrp)

    GARP VLAN Registration Protocol (GVRP) GARP VLAN Registration Protocol (GVRP) is supported on platform: e c s z Protocol Overview Typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
  • Page 356: Configuring Gvrp

    Figure 17-1. GVRP Compatibility Error Message FTOS(conf)#protocol spanning-tree pvst FTOS(conf-pvst)#no disable % Error: GVRP running. Cannot enable PVST..FTOS(conf)#protocol spanning-tree mstp FTOS(conf-mstp)#no disable % Error: GVRP running. Cannot enable MSTP..FTOS(conf)#protocol gvrp FTOS(conf-gvrp)#no disable % Error: PVST running. Cannot enable GVRP. % Error: MSTP running.
  • Page 357: Related Configuration Tasks

    Figure 17-2. GVRP Configuration Overview GVRP is configured globally and on all VLAN trunk ports for the edge and core switches. Edge Switches Edge Switches Core Switches VLANs 10-20 VLANs 70-80 VLANs 30-50 VLANs 10-20 VLANs 70-80 VLANs 30-50 NOTES: VLAN 1 mode is always fixed and cannot be configured All VLAN trunk ports must be configured for GVRP All VLAN trunk ports must be configured as 802.1Q...
  • Page 358: Enabling Gvrp On A Layer 2 Interface

    Figure 17-3. Enabling GVRP Globally FTOS(conf)#protocol gvrp FTOS(config-gvrp)#no disable FTOS(config-gvrp)#show config protocol gvrp no disable FTOS(config-gvrp)# Enabling GVRP on a Layer 2 Interface Enable GVRP on a Layer 2 interface using the gvrp enable command in INTERFACE mode, as shown in Figure 17-4. show config
  • Page 359: Configuring A Garp Timer

    Based on the configuration in the example shown in Figure 17-5, the interface 1/21 will not be removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface will not be dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received. Figure 17-5.
  • Page 360 FTOS displays Message 1 if an attempt is made to configure an invalid GARP timer. Message 1 GARP Timer Error FTOS(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer. GARP VLAN Registration Protocol (GVRP)
  • Page 361: Internet Group Management Protocol (Igmp)

    Note: The S4810 supports up to 95 interfaces. • Dell Force10 systems cannot serve as an IGMP host or an IGMP version 1 IGMP Querier. • FTOS automatically enables IGMP on interfaces on which you enable a multicast routing protocol.
  • Page 362: Igmp Version 2

    IGMP version 2 IGMP version 2 improves upon version 1 by specifying IGMP Leave messages, which allows hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
  • Page 363: Igmp Version 3

    Sending an Unsolicited IGMP Report A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP Membership Report, also called an IGMP Join message, to the querier. Leaving a Multicast Group 1.
  • Page 364: Joining And Filtering Groups And Sources

    Figure 18-3. IGMP version 3 Membership Report Packet Format [Figure: IP header fields (Version, Flags, Total Length, Frag Offset, Protocol, Header Checksum, Src IP Addr, Dest IP Addr 224.0.0.22, Options with Router Alert, Padding) followed by the IGMP packet fields (Type, Reserved, Checksum, Reserved, Number of Group Records, Group Record 1 through Group Record N)]...
  • Page 365: Leaving And Staying In Groups

    Figure 18-4. IGMP Membership Reports: Joining and Filtering [Figure: querier and non-querier state table with columns Interface, Multicast Group Address, Group Timer, Filter Mode, Source and Source Timer, and an IGMP Group-and-Source Specific Query (Type: 0x11)]...
  • Page 366: Configuring Igmp

    Figure 18-5. IGMP Membership Queries: Leaving and Staying in Groups [Figure: querier state table with columns Interface, Multicast Group Address, Group Timer, Filter Mode, Source and Source Timer; the non-querier builds an identical table and waits the Other Querier Present Interval to assume the Querier role]...
  • Page 367: Selecting An Igmp Version

    Figure 18-6. Viewing IGMP-enabled Interfaces FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.2/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 300 seconds IGMP max query response time is 10 seconds Last member query response interval is 199 ms IGMP activity: 0 joins, 0 leaves...
  • Page 368: Adjusting Timers

    Figure 18-8. Viewing Static and Learned IGMP Groups FTOS(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.1.1.1 GigabitEthernet 1/0 00:00:03 Never 224.1.2.1 GigabitEthernet 1/0 00:56:55 00:01:22 1.1.1.2 Adjusting Timers View the current value of all IGMP timers using the command show ip igmp interface...
  • Page 369: Configuring A Static Igmp Group

    2. When a router receives a query it compares the IP address of the interface on which it was received with the source IP address given in the query. If the receiving router IP address is greater than the source address given in the query, the router stops sending queries. By this method, the router with the lowest IP address on the subnet is elected querier and continues to send queries.
  • Page 370: Igmp Snooping

    IGMP Snooping Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth. IGMP Snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
  • Page 371: Disabling Multicast Flooding

    Figure 18-10. Enabling IGMP Snooping FTOS(conf-if-vl-100)#show config interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown FTOS(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN.
  • Page 372: Fast Convergence After Mstp Topology Changes

    • When enabled, IGMP snooping Querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval When the querier receives a leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table.
  • Page 373: Interfaces

    Interfaces This chapter describes interface types, both physical and logical, and how to configure them with FTOS. 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: e c s z. SONET interfaces are only supported on platform Basic Interface Configuration: •...
  • Page 374: Interface Types

    • Auto-Negotiation on Ethernet Interfaces • View Advanced Interface Information Interface Types Modes Requires Interface Type Possible Default Mode Creation Default State Physical L2, L3 Unset Shutdown (disabled) Management No Shutdown (enabled) Loopback No Shutdown (enabled) Null Enabled Port Channel L2, L3 Shutdown (disabled) VLAN...
  • Page 375 Figure 19-1. show interfaces Command Example FTOS#show interfaces tengigabitethernet 1/0 TenGigabitEthernet 0/20 is up, line protocol is up Hardware is DellForce10Eth, address is 00:01:e8:a0:bf:ed Current address is 00:01:e8:a0:bf:ed Pluggable media present, QSFP type is 40GBASE-SR4 Wavelength is 850nm QSFP receive power reading is -2.1304dBm Interface index is 38863874 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes...
  • Page 376: Enable A Physical Interface

    Figure 19-3. Interfaces listed in the show running-config Command (Partial) FTOS#show running Current Configuration ... interface GigabitEthernet 9/6 no ip address shutdown interface GigabitEthernet 9/7 no ip address shutdown interface GigabitEthernet 9/8 no ip address shutdown interface GigabitEthernet 9/9 no ip address shutdown Enable a Physical Interface After determining the type of physical interfaces available, the user may enter the INTERFACE mode by...
  • Page 377: Physical Interfaces

    To confirm that the interface is enabled, use the show config command in the INTERFACE mode. To leave the INTERFACE mode, use the command or command. exit The user cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series and on each unit of the S4810 and Z9000;...
  • Page 378: Overview Of Layer Modes

    Overview of Layer Modes On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode. Table 19-1. Interfaces Types Possible Requires Type of Interface Modes Creation...
  • Page 379: Configure Layer 3 (Network) Mode

    For information on enabling and configuring Spanning Tree Protocol, see Chapter 10, Layer 2, on page To view the interfaces in Layer 2 mode, use the show interfaces switchport command in the EXEC mode. Configure Layer 3 (Network) Mode ip address When you assign an IP address to a physical interface, you place it in Layer 3 mode.
  • Page 380: Management Interfaces

    Command Syntax Command Mode Purpose ip address ip-address mask [secondary] INTERFACE Configure a primary IP address and mask on the interface. The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address.
  • Page 381 To configure a Management interface, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose interface managementethernet interface CONFIGURATION Enter the slot and the port (0). On the E-Series and C-Series, dual RPMs can be in use. Slot range: C-Series, E-Series: 0-1 S4810, Z9000: 0...
  • Page 382: Configure Management Interfaces On The S-Series

    To configure IP addresses on a Management interface, use the following command in the MANAGEMENT INTERFACE mode: Command Syntax Command Mode Purpose ip address ip-address mask INTERFACE Configure an IP address and mask on the interface. ip-address mask: enter an address in •...
  • Page 383: Vlan Interfaces

    As shown in the following example, from EXEC Privilege mode, display the configuration for a given port by entering the command show interface, and the routing table with the show ip route command. Figure 19-9. Viewing Management Routes on the S-Series FTOS#show int gig 0/48 GigabitEthernet 0/48 is up, line protocol is up Description: This is the Managment Interface...
  • Page 384: Loopback Interfaces

    Assign an IP address to an interface with the following command in the INTERFACE mode: Command Syntax Command Mode Purpose ip address ip-address mask [ secondary ] INTERFACE Configure an IP address and mask on the interface. • ip-address mask: enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24).
  • Page 385: Null Interfaces

    Null Interfaces The Null interface is another virtual interface created by the E-Series software. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter the INTERFACE mode of the Null interface, use the following command in the CONFIGURATION mode: Command Syntax Command Mode...
  • Page 386: Port Channel Implementation

    With this feature, the user can create larger-capacity interfaces by utilizing a group of lower-speed links. For example, the user can build a 5-Gigabit interface by aggregating five 1-Gigabit Ethernet interfaces together. If one of the five interfaces fails, traffic is redistributed across the four remaining interfaces. Port channel implementation FTOS supports two types of port channels: •...
  • Page 387: Configuration Task List For Port Channel Interfaces

    10/100/1000 Mbps interfaces in port channels When both 10/100/1000 interfaces and GigE interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled.
  • Page 388: Add A Physical Interface To A Port Channel

    To configure a port channel, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose interface port-channel id-number CONFIGURATION Create a port channel. no shutdown INTERFACE Ensure that the port channel is active. PORT-CHANNEL The port channel is now enabled and you can place the port channel in Layer 2 or Layer 3 mode.
  • Page 389 To add a physical interface to a port channel, use these commands in the following sequence in the INTERFACE mode of a port channel: Step Command Syntax Command Mode Purpose channel-member interface INTERFACE Add the interface to a port channel. The interface variable is the physical interface PORT-CHANNEL type and slot/port information.
  • Page 390 Figure 19-12 displays the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2 port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel.
  • Page 391: Reassign An Interface To A New Port Channel

    Reassign an interface to a new port channel An interface can be a member of only one port channel. If the interface is a member of a port channel, you must remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, FTOS recalculates the hash algorithm for the port channel.
  • Page 392: Add Or Remove A Port Channel From A Vlan

    Configure the minimum oper up links in a port channel (LAG) You can configure the minimum links in a port channel (LAG) that must be in “oper up” status for the port channel to be considered to be in “oper up” status. Use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose...
  • Page 393: Assign An Ip Address To A Port Channel

    Assign an IP address to a port channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose...
  • Page 394 E-Series load-balancing On the E-Series, the default load-balance criteria are a 5-tuple, as follows: • IP source address • IP destination address • Protocol type • TCP/UDP source port • TCP/UDP destination port Balancing may be applied to IPv4, switched IPv6, and non-IP traffic. For these traffic types, the IP-header-based hash and MAC-based hash may be applied to packets by using the following methods.
  • Page 395 To distribute IP traffic over an E-Series port channel member, FTOS uses the 5-tuple IP default. The 5-tuple and the 3-tuple hash use the following keys: Table 19-4. 5-tuple and 3-tuple Keys Keys 5-tuple 3-tuple IP source address (lower 32 bits) IP destination address (lower 32 bits) Protocol type TCP/UDP source port...
  • Page 396 Table 19-5. The load-balance Commands and Port Channel Types Routed Switched Switched Configuration Commands IP Traffic IP Traffic Non-IP Traffic (IPv4 only) Packet based: IPV4 load-balance ip-selection packet-based Packet-based MAC-based No distribution: IPV6 load-balance ip-selection packet-based MAC-based Packet-based MAC-based load-balance ip-selection mac C-Series and S-Series load-balancing For LAG hashing on C-Series and S-Series, the source IP, destination IP, source TCP/UDP port, and destination TCP/UDP port are used for hash computation by default.
  • Page 397 For the E-Series TeraScale and ExaScale, you can select one of 47 possible hash algorithms. Command Syntax Command Mode Purpose hash-algorithm {algorithm-number} | CONFIGURATION Change the default (0) to another algorithm and apply { ecmp { checksum|crc|xor } it to ECMP, LAG hashing, or a particular line card. [number]} lag Note: To achieve the functionality of hash-align {checksum|crc|xor][number]} nh-ecm...
  • Page 398: Bulk Configuration

    For more on load-balancing, see “Equal Cost Multipath and Link Aggregation Frequently Asked Questions” in the E-Series FAQ section (login required) of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/ToolTips.aspx Bulk Configuration Bulk configuration enables you to determine if interfaces are present, for physical interfaces, or, configured, for logical interfaces.
  • Page 399: Exclude Duplicate Entries

    • Overlap port ranges • Commas • Add ranges Create a single-range Figure 19-18. Creating a Single-Range Bulk Configuration FTOS(config)# interface range gigabitethernet 5/1 - 23 FTOS(config-if-range-gi-5/1-23)# no shutdown Create a multiple-range Figure 19-19. Creating a Multiple-Range Prompt FTOS(conf)#interface range tengigabitethernet 3/0 , gigabitethernet 2/1 - 47 , vlan 1000 FTOS(conf-if-range-gi-2/1-47,so-5/0)# Exclude duplicate entries Duplicate single interfaces and port ranges are excluded from the resulting interface range prompt:...
  • Page 400: Interface Range Macros

    Commas The example below shows how to use commas to add different interface types to the range, enabling all Gigabit Ethernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and 1/2. FTOS(config-if)# interface range gigabitethernet 5/1 - 23, tengigabitethernet 1/1 - 2 FTOS(config-if-range-gi-5/1-23)# no shutdown FTOS(config-if-range-gi-5/1-23)# Figure 19-23.
  • Page 401: Choose An Interface-Range Macro

    Choose an Interface-range Macro To use an interface-range macro in the interface range command, enter this command: Command Syntax Command Mode Purpose interface range macro name CONFIGURATION Selects the interfaces range to be configured using the values saved in a named interface-range macro. The example below shows how to change to the interface-range configuration mode using the interface-range macro named “test”.
  • Page 402: Maintenance Using Tdr

    FTOS# Maintenance using TDR The Time Domain Reflectometer (TDR) is supported on all Dell Force10 switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
  • Page 403: Splitting Qsfp Ports To Sfp+ Ports

    To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command: Step Command Syntax Command Mode Usage tdr-cable-test gigabitethernet <slot>/ <port> EXEC Privilege To test for cable faults on the GigabitEthernet cable. • Between two ports, the user must not start the test on both ends of the cable.
  • Page 404: Important Points

    Important Points • Splitting a 40G port into 4x10G ports is supported only on a standalone unit. • Split ports cannot be used as stack-link to stack a Z9000. • Split ports cannot be a part of any stacked system. •...
  • Page 405: Assign A Debounce Time To An Interface

    • Changes made do not affect any ongoing debounces. The timer changes take effect from the next debounce onward. Assign a debounce time to an interface Command Syntax Command Mode Purpose link debounce time [milliseconds] INTERFACE Enter the time to delay link status change notification on this interface.
  • Page 406: Disable Ports When Only One Sfm Is Available (E300 Only)

    Disable ports when only one SFM is available (E300 only) Selected ports can be shut down when a single SFM is available on the E300 system. Each port to be shut down must be configured individually. When an E300 system boots up and a single SFM is active this configuration, any ports configured with this feature will be shut down.
  • Page 407: Enable Link Dampening

    • Link dampening can be applied to Layer 2 and Layer 3 interfaces. • Link dampening can be configured on individual interfaces in a LAG. Enable Link Dampening Enable link dampening using the dampening command from INTERFACE mode, as shown in Figure 19-28.
  • Page 408: Ethernet Pause Frames

    Figure 19-31. Clearing Dampening Counters FTOS# clear dampening interface Gi 0/1 FTOS# show interfaces dampening GigabitEthernet0/0 InterfaceState Flaps Penalty Half-LifeReuse SuppressMax-Sup Gi 0/1 Up 1500 Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command: •...
  • Page 409: Threshold Settings

    The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames. To allow full duplex flow control, stations implementing the pause operation instruct the MAC to enable reception of frames with destination address equal to this multicast address. The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands.
  • Page 410: Enable Pause Frames

    Note: On the C-Series and S-Series (non-S4810) platforms, Ethernet Pause Frames TX should be enabled only after consulting with the Dell Force10 Technical Assistance Center. Note: The S4810 supports only the rx control option. The S4810 does not transmit pause frames.
  • Page 411: Configure Mtu Size On An Interface

    Configure MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU ip mtu...
  • Page 412: Port-Pipes

    Port-pipes A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces or a port-set.
  • Page 413: Auto-Negotiation On Ethernet Interfaces

    Note: As a best practice, Dell Force10 recommends keeping auto-negotiation enabled. Auto-negotiation should only be disabled on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
  • Page 414 Note: The show interfaces status command displays link status, but not administrative status. For link and administrative status, use show ip interface [interface | brief | linecard slot-number] [configuration]. Figure 19-32. show interfaces status Command Example FTOS#show interfaces status Port Description Status Speed Duplex Vlan Gi 0/0...
  • Page 415: View Advanced Interface Information

    Figure 19-34. Setting Auto-Negotiation Options FTOS(conf)# int gi 0/0 FTOS(conf-if)#neg auto FTOS(conf-if-autoneg)# ? Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode Negate a command or set its defaults show Show autoneg configuration information FTOS(conf-if-autoneg)#mode ? forced-master Force port to master mode forced-slave...
  • Page 416: Configure Interface Sampling Size

    Figure 19-35. show Commands with configured Keyword Examples FTOS#show interfaces configured FTOS#show interfaces linecard 0 configured FTOS#show interfaces gigabitEthernet 0 configured FTOS#show ip interface configured FTOS#show ip interface linecard 1 configured FTOS#show ip interface gigabitEthernet 1 configured FTOS#show ip interface br configured FTOS#show ip interface br linecard 1 configured FTOS#show ip interface br gigabitEthernet 1 configured FTOS#show running-config interfaces configured...
  • Page 417 Figure 19-37. Configuring Rate Interval Example FTOS#show interfaces TenGigabitEthernet 10/0 is down, line protocol is down Hardware is Force10Eth, address is 00:01:e8:01:9e:d9 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface"...
  • Page 418: Dynamic Counters

    Dynamic Counters By default, counting for the following four applications is enabled: • IPFLOW • IPACL • L2ACL • L2FIB For remaining applications, FTOS automatically turns on counting when the application is enabled, and is turned off when the application is disabled. Please note that if more than four counter-dependent applications are enabled on a port pipe, there is an impact on line rate performance.
  • Page 419: Clear Interface Counters

    Clear interface counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters captured by any SNMP program. To clear the counters, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose...
  • Page 420 Interfaces...
  • Page 421: Ipv4 Routing

    IPv4 Routing IPv4 Routing is supported on platforms: e c s z. FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS. •...
  • Page 422: Configuration Task List For Ip Addresses

    At its most basic level, an IP address is 32 bits composed of network and host portions and represented in dotted decimal format. For example, 00001010110101100101011110000011 is represented as 10.214.87.131. For more information on IP addressing, refer to RFC 791, Internet Protocol. Implementation Information In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces.
  • Page 423 To assign an IP address to an interface, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose interface interface Enter the keyword interface followed by the type of interface CONFIGURATION and slot/port information: •...
  • Page 424: Configure Static Routes

    Figure 20-2. show ip interface Command Example FTOS#show ip int gi 0/8 GigabitEthernet 0/8 is up, line protocol is up Internet address is 10.69.8.1/24 Broadcast address is 10.69.8.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled...
  • Page 425: Configure Static Routes For The Management Interface

    Figure 20-3. show ip route static Command Example (partial) FTOS#show ip route static Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------- 2.1.2.0/24 Direct, Nu 0 00:02:30 6.1.2.0/24 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.2/32 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.3/32 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.4/32...
  • Page 426: Directed Broadcast

    To view the configured static routes for the management port, use the show ip management-route command in the EXEC privilege mode. Figure 20-4. show ip management-route Command Example FTOS>show ip management-route Destination Gateway State ----------- ------- ----- 1.1.1.0/24 172.31.1.250 Active 172.16.1.0/24 172.31.1.250 Active...
  • Page 427: Specify Local System Domain And A List Of Domains

    Command Syntax Command Mode Purpose ip domain-lookup CONFIGURATION Enable dynamic resolution of host names. ip name-server ip-address [ip-address2 ... ip-address6] CONFIGURATION Specify up to 6 name servers. The order you entered the servers determines the order of their use. To view current bindings, use the show hosts command.
  • Page 428: Dns With Traceroute

    Command Syntax Command Mode Purpose ip domain-list name CONFIGURATION Enter up to 63 characters to configure names to complete unqualified host names. Configure this command up to 6 times to specify a list of possible domain names. FTOS searches the domain names in the order they were configured until a match is found or the list is exhausted.
  • Page 429: Configuration Task List For Arp

    FTOS uses two forms of address resolution: ARP and Proxy ARP. Address Resolution Protocol (ARP) runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, FTOS creates a forwarding table mapping the MAC addresses to their corresponding IP address.
  • Page 430: Enable Proxy Arp

    Command Syntax Command Mode Purpose arp ip-address mac-address interface CONFIGURATION Configure an IP address and MAC address mapping for an interface. ip-address: IP address in dotted decimal format • (A.B.C.D). • mac-address: MAC address in nnnn.nnnn.nnnn format interface: enter the interface type slot/port •...
  • Page 431: Arp Learning Via Gratuitous Arp

    Command Syntax Command Mode Purpose clear arp-cache [interface | ip EXEC privilege Clear the ARP caches for all interfaces or for a specific ip-address] [ no-refresh ] interface by entering the following information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
  • Page 432: Arp Learning Via Arp Request

    Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs. Task Command Syntax Command Mode Enable ARP learning via gratuitous ARP. arp learn-enable CONFIGURATION ARP Learning via ARP Request In FTOS versions prior to 8.3.1.0, FTOS learns via ARP Requests only if the Target IP specified in the packet matches the IP address of the receiving router interface.
  • Page 433: Configurable Arp Retries

    Configurable ARP Retries In FTOS versions prior to 8.3.1.0 the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable.
  • Page 434: Udp Helper

    To reenable the creation of ICMP unreachable messages on the interface, use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose ip unreachable INTERFACE Set FTOS to create and send ICMP unreachable messages on the interface. show config To view if ICMP unreachable messages are sent on the interface, use the command in the show config...
  • Page 435: Important Points To Remember About Udp Helper

    2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. See Configuring a Broadcast Address on page 435. Important Points to Remember about UDP Helper • The existing ip directed broadcast command is rendered meaningless if UDP helper is enabled on the same interface.
  • Page 436: Configurations Using Udp Helper

    Figure 20-12. Configuring a Broadcast Address FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 FTOS(conf-if-vl-100)#show config interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown View the configured broadcast address for an interface using the command show interfaces, as shown in Figure 20-13.
  • Page 437: Udp Helper With Subnet Broadcast Addresses

    2. If UDP helper (using the command ip udp-helper udp-port) is enabled, and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If an IP broadcast address is not configured (using the command ip udp-broadcast-address) on VLANs 100 or 101, the...
  • Page 438: Udp Helper With Configured Broadcast Addresses

    Figure 20-15. UDP helper with Subnet Broadcast Addresses [Figure text: Ethernet frame fields (Preamble, Start Frame Delimiter, Destination MAC 01:80:C2:00:00:0E, Source MAC, Ethernet Type 0x88CC, LLDPDU, Padding) and TLV 0 through TLV 127, including System Capabilities, Management Addr and Organizationally Specific]...
  • Page 439: Troubleshooting Udp Helper

    Troubleshooting UDP Helper Display debugging information using the debug ip udp-helper command, as shown in Figure 20-17. Figure 20-17. Debugging UDP Broadcast FTOS(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3 01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing.
  • Page 440 IPv4 Routing...
  • Page 441: Ipv6 Routing

    IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief discussion of the differences between IPv4 and IPv6, and the Dell Force10 support of IPv6. This chapter discusses the following, but is not intended to be a comprehensive discussion of IPv6.
  • Page 442: Extended Address Space

    Protocol Overview IPv6 is an evolution of IPv4. IPv6 is generally installed as an upgrade in devices and operating systems. Most new devices and operating systems support both IPv4 and IPv6. Some key changes in IPv6 are: • Extended Address Space •...
  • Page 443: Ipv6 Headers

    The router redirect functionality in Neighbor Discovery Protocol (NDP) is similar to IPv4 router redirect messages. Neighbor Discovery Protocol (NDP) uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on the link. IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information and 8 bytes for general header information.
  • Page 444 Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
  • Page 445: Extension Header Fields

    Table 21-1. Next Header field values Value Description Encrypted Security Authentication header No Next Header Destinations option header Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/ protocol-numbers for a complete and current listing.
  • Page 446 Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 21-1).
  • Page 447: Addressing

    Addressing IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab.
  • Page 448: Implementing Ipv6 With Ftos

    Implementing IPv6 with FTOS FTOS supports both IPv4 and IPv6 and both may be used simultaneously in your system. Note: Dell Force10 recommends that you use FTOS version 7.6.1.0 or later when implementing IPv6 functionality on an E-Series system. Table 21-2 lists the FTOS Version in which an IPv6 feature became available for each platform.
  • Page 449 Table 21-2. FTOS and IPv6 Feature Support (continued) Static routing 7.4.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 Assign a Static IPv6 Route this chapter Route 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10 8.3.11 OSPF, IS-IS, and IPv6 BGP redistribution chapters in the FTOS Command Line Interface Reference Guide Multiprotocol 7.4.1...
  • Page 450 Table 21-2. FTOS and IPv6 Feature Support (continued) Secure Shell 7.5.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 SSH over an IPv6 Transport (SSH) client this chapter support over IPv6 (outbound SSH) Layer 3 only Secure Shell 7.4.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 SSH over an IPv6 Transport (SSH) server...
  • Page 451: Icmpv6

    ICMPv6 ICMPv6 is supported on platforms: c e s z. ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The FTOS implementation of ICMPv6 is based on RFC 4443.
  • Page 452 Figure 21-2. Path MTU Discovery Process IPv6 Routing...
  • Page 453: Ipv6 Neighbor Discovery

    IPv6 device to determine the relationship of the neighboring node. Note: To avoid problems with network discovery, Dell Force10 recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart.
  • Page 454: Ipv6 Neighbor Discovery Of Mtu Packets

    IPv6 Neighbor Discovery of MTU packets With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers....
  • Page 455: Ssh Over An Ipv6 Transport

    SSH over an IPv6 Transport IPv6 SSH is supported on platforms: c e s z. FTOS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. Refer to the Security chapter in the...
  • Page 456: Adjust Your Cam-Profile

    Figure 21-4. Command Example: (E-Series) show cam-profile summary FTOS#show cam-profile summary -- Chassis CAM Profile -- : Current Settings : Next Boot Profile Name : IPV6-ExtACL : IPV6-ExtACL MicroCode Name : IPv6-ExtACL : IPv6-ExtACL -- Line card 1 -- : Current Settings : Next Boot Profile Name : IPV6-ExtACL : IPV6-ExtACL...
  • Page 457: Assign An Ipv6 Address To An Interface

    default option sets the CAM Profile as follows: • L3 ACL (ipv4acl): 6 • L2 ACL (l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 Save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for...
  • Page 458: Assign A Static Ipv6 Route

    When you configure IPv6 addresses on multiple interfaces (ipv6 address command) and verify the configuration (show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. Command Syntax Command Mode Purpose CONFIG-INTERFACE Enter the IPv6 Address for the device. ipv6 address ipv6 address/mask : x:x:x:x::x ipv6 address...
  • Page 459 Note: After you configure a static IPv6 route (ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor is not displayed in the show ipv6 route command output. Command Syntax Command Mode...
  • Page 460: Telnet With Ipv6

    Telnet with IPv6 IPv6 Telnet is supported on platforms: c e s z. The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router. Note: Telnet to link local addresses is supported on the S4810 and Z9000.
  • Page 461: Show Ipv6 Information

    Show IPv6 Information All of the following show commands are supported on platforms: c e s z. View specific IPv6 configuration with the following commands. Command Syntax Command Mode Purpose show ipv6 ? EXEC List the IPv6 show options. EXEC Privileged FTOS#show ipv6 ? accounting IPv6 accounting information...
  • Page 462: Show An Ipv6 Interface

    Show an IPv6 Interface View the IPv6 configuration for a specific interface with the following command. Command Syntax: show ipv6 interface type {slot/port}. Command Mode: EXEC. Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:...
  • Page 463 Figure 21-6. Command Example: show ipv6 interface (Z9000) FTOS#show ipv6 int te 1/10 TenGigabitEthernet 1/10 is up, line protocol is up IPV6 is enabled Link Local address: fe80::201:e8ff:fe8b:3166 Global Unicast address(es): 400::1, subnet is 400::/64 412::22, subnet is 412::/64 Global Anycast address(es): Joined Group address(es): ff02::1 ff02::2...
  • Page 464: Show Ipv6 Routes

    Show IPv6 Routes View the global IPv6 routing information with the following command. Command Syntax: show ipv6 route type. Command Mode: EXEC. Purpose: Show IPv6 routing information for the specified route type. Enter the keyword: • To display information about a network, enter (X:X:X:X::X)....
  • Page 465: Command Output

    Figure 21-8. Command Example: show ipv6 route FTOS#show ipv6 route Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,...
  • Page 466: Show The Running-Configuration For An Interface

    Show the Running-Configuration for an Interface View the configuration for any interface with the following command. Command Syntax: show running-config interface type {slot/port}. Command Mode: EXEC. Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information: •...
  • Page 467 Command Syntax Command Mode Purpose IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing earlier in this chapter.
  • Page 468 IPv6 Routing...
  • Page 469: Link Aggregation Control Protocol (Lacp)

    Link Aggregation Control Protocol (LACP) Link Aggregation Control Protocol (LACP) is supported on platforms: e c s z. The major sections in the chapter are: • Introduction to Dynamic LAGs and LACP on page 469 • LACP Configuration Tasks on page 471 •...
  • Page 470: Lacp Modes

    Important Points to Remember • LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted. •...
  • Page 471: Lacp Configuration Commands

    LACP Configuration Commands If aggregated ports are configured with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43. The following commands configure LACP: Command Syntax Command Mode Purpose [ no ] lacp system-priority CONFIGURATION Configure the system priority.
  • Page 472: Configure The Lag Interfaces As Dynamic

    The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG (Figure 22-2): Figure 22-2. Placing a LAG into a Non-default VLAN FTOS(conf)#interface vlan 10 FTOS(conf-if-vl-10)#tagged port-channel 32 Configure the LAG interfaces as dynamic After creating a LAG, configure the dynamic LAG interfaces....
  • Page 473: Monitor And Debugging Lacp

    To configure the LACP long timeout (Figure 196): Step Task Command Syntax Command Mode Set the LACP timeout value to 30 seconds. lacp long-timeout CONFIG-INT-PO Figure 22-4. Invoking the LACP Long Timeout FTOS(conf)# interface port-channel 32 FTOS(conf-if-po-32)#no shutdown FTOS(conf-if-po-32)#switchport FTOS(conf-if-po-32)#lacp long-timeout FTOS(conf-if-po-32)#end FTOS# show lacp 32 Port-channel 32 admin up, oper up, mode lacp...
  • Page 474: Shared Lag State Tracking

    Shared LAG State Tracking Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
  • Page 475 In Figure 22-6, LAGs 1 and 2 have been placed into the same failover group. Figure 22-6. Configuring Shared LAG State Tracking R2#config R2(conf)#port-channel failover-group R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 View the failover group configuration using the show running-configuration po-failover-group command, as shown in Figure 22-7....
  • Page 476: Important Points About Shared Lag State Tracking

    Configure LACP as Hitless is supported only on platforms: LACP on Dell Force10 systems can be configured to be hitless. When configured as hitless, there is no noticeable impact on dynamic LAG state upon an RPM failover. Critical LACP state information is synchronized between the two RPMs.
  • Page 477: Lacp Basic Configuration Example

    Figure 22-10. Enabling Hitless LACP FTOS(conf)#redundancy protocol lacp FTOS#show running-config redundancy redundancy protocol lacp FTOS# FTOS#show running-config interface gigabitethernet 0/12 interface GigabitEthernet 0/12 no ip address port-channel-protocol LACP port-channel 200 mode active no shutdown LACP Basic Configuration Example The screenshots in this section are based on the example topology shown in Figure 22-11.
  • Page 478: Configuring A Lag On Alpha

    Configuring a LAG on ALPHA Figure 22-12. Creating a LAG on ALPHA Alpha(conf)#interface port-channel 10 Alpha(conf-if-po-10)#no ip address Alpha(conf-if-po-10)#switchport Alpha(conf-if-po-10)#no shutdown Alpha(conf-if-po-10)#show config interface Port-channel 10 no ip address switchport no shutdown Alpha(conf-if-po-10)# Figure 22-13. Inspecting a LAG Port Configuration on ALPHA Alpha#sh int gig 2/31 GigabitEthernet 2/31 is up, line protocol is up Port is part of Port-channel 10...
  • Page 479 Figure 22-14. Inspecting Configuration of LAG 10 on ALPHA (Callout: Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.) Alpha#show int port-channel 10 Port-channel 10 is up, line protocol is up Created by LACP protocol Hardware address is 00:01:e8:06:96:63, Current address is 00:01:e8:06:96:63 Interface index is 1107755018...
  • Page 480 Figure 22-15. Using the show lacp Command to Verify LAG 10 Status on ALPHA Alpha#sho lacp 10 Port-channel 10 admin up, oper up, mode lacp Shows LAG status Actor System ID: Priority 32768, Address 0001.e806.953e Partner System ID: Priority 32768, Address 0001.e809.c24a Actor Admin Key 10, Oper Key 10, Partner Oper Key 10 LACP LAG 10 is an aggregatable link A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout...
  • Page 481: Summary Of The Configuration On Alpha

    Summary of the configuration on ALPHA Figure 22-16. Summary of the configuration on ALPHA Alpha(conf-if-po-10)#int gig 2/31 Alpha(conf-if-gi-2/31)#no ip address Alpha(conf-if-gi-2/31)#no switchport Alpha(conf-if-gi-2/31)#shutdown Alpha(conf-if-gi-2/31)#port-channel-protocol lacp Alpha(conf-if-gi-2/31-lacp)#port-channel 10 mode active Alpha(conf-if-gi-2/31-lacp)#no shut Alpha(conf-if-gi-2/31)#show config interface GigabitEthernet 2/31 no ip address port-channel-protocol LACP port-channel 10 mode active no shutdown Alpha(conf-if-gi-2/31)#...
  • Page 482: Summary Of The Configuration On Bravo

    Summary of the configuration on BRAVO Figure 22-17. Summary of the configuration on BRAVO Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config interface Port-channel 10 no ip address switchport no shutdown Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp...
  • Page 483 Figure 22-18. Using the show interface Command to Inspect a LAG Port on BRAVO Shows the status of this interface. Also shows it is part of LAG 10. Bravo#show int gig 3/21 GigabitEthernet 3/21 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:09:c3:82 Current address is 00:01:e8:09:c3:82...
  • Page 484 Figure 22-19. Using the show interfaces port-channel Command to Inspect LAG 10 Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses. FTOS#sh int port 10 Port-channel 10 is up, line protocol is up Created by LACP protocol Hardware address is 00:01:e8:09:c4:ef, Current address is 00:01:e8:09:c4:ef Interface index is 1107755018...
  • Page 485 Figure 22-20. Using the show lacp Command to Inspect LAG Status FTOS#show lacp 10 Port-channel 10 admin up, oper up, mode lacp Shows LAG status Actor System ID: Priority 32768, Address 0001.e809.c24a Partner System ID: Priority 32768, Address 0001.e806.953e Actor Admin Key 10, Oper Key 10, Partner Oper Key 10 LACP LAG 10 is an aggregatable link A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout E - Aggregatable Link, F - Individual Link, G - IN_SYNC, H - OUT_OF_SYNC...
  • Page 486 Link Aggregation Control Protocol (LACP)
  • Page 487: Intermediate System To Intermediate System

    FTOS 8.3.10.0 and on Z9000 with FTOS 9.0.0.0. Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Force10 supports both IPv4 and IPv6 versions of IS-IS, as detailed in this chapter.
  • Page 488: Is-Is Addressing

    systems manage destination paths for external routers. Only Level 2 routers can exchange data packets or routing information directly with external routers located outside of the routing domains. Level 1-2 systems manage both inter-area and intra-area traffic by maintaining two separate link databases; one for Level 1 routes and one for Level 2 routes.
  • Page 489: Multi-Topology Is-Is

    Multi-Topology IS-IS FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform x supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. S-Series platform supports Multi-Topology IS-IS with FTOS 8.3.10.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
  • Page 490: Interface Support

    Interface support MT IS-IS is supported on physical Ethernet interfaces, physical Sonet interfaces, port-channel interfaces (static & dynamic using LACP), and VLAN interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs.
  • Page 491: Implementation Information

    By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. FTOS does not support ISO CLNS routing; however, the ISO NET format is supported for addressing. To support IPv6, the Dell Force10 implementation of IS-IS performs the following tasks: •...
  • Page 492: Configuration Task List For Is-Is

    Table 23-1 displays the default values for IS-IS. Table 23-1. IS-IS Default Values IS-IS Parameter Default Value Complete Sequence Number PDU (CSNP) interval 10 seconds IS-to-IS hello PDU interval 10 seconds IS-IS interface metric Metric style Narrow Designated Router priority Circuit Type Level 1 and Level 2 IS Type...
  • Page 493 • Set the overload bit on page 509 • Debug IS-IS on page 510 Enable IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
  • Page 494 Step Task Command Syntax Command Mode Enter the interface configuration mode. Enter the keyword interface interface CONFIGURATION followed by the type of interface and slot/port interface information: • For a 1-Gigabit Ethernet interface, enter the keyword followed by the slot/port information. GigabitEthernet •...
  • Page 495 Figure 23-2. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: <Null Tag> System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.0001 Interfaces supported by IS-IS: Vlan 2 GigabitEthernet 4/22 Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: level-1-2 Accept narrow metrics:...
  • Page 496 Configure Multi-Topology IS-IS (MT IS-IS) Task: Enable Multi-Topology IS-IS for IPv6. Command Syntax: multi-topology transition. Command Mode: ROUTER ISIS AF IPV6. Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in...
  • Page 497 Configure Multi-Topology IS-IS (MT IS-IS) Task: Enable Multi-Topology IS-IS for IPv6. Command Syntax: multi-topology transition. Command Mode: ROUTER ISIS AF IPV6. Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in...
  • Page 498 Command Syntax Command Mode Purpose graceful-restart restart-wait seconds ROUTER-ISIS Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the timer to adjacency on the restarting router when implementing this command. Range: 5-120 seconds Default: 30 seconds graceful-restart t1 {interval seconds | ROUTER-ISIS...
  • Page 499 Use the show isis graceful-restart detail command in EXEC Privilege mode to view all Graceful Restart related configuration. Figure 23-4. Command Example: show isis graceful-restart detail FTOS#show isis graceful-restart detail Configured Timer Value ====================== Graceful Restart : Enabled Interval/Blackout time : 1 min T3 Timer : Manual...
  • Page 500 Figure 23-5. Command Example: show isis interface FTOS#show isis interface G1/34 GigabitEthernet 2/10 is up, line protocol is up MTU 1497, Encapsulation SAP Routing Protocol: IS-IS Circuit Type: Level-1-2 Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01 Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01...
  • Page 501 Figure 23-6. Command Example: show running-config isis FTOS#show running-config isis router isis lsp-refresh-interval 902 net 47.0005.0001.000C.000A.4321.00 net 51.0005.0001.000C.000A.4321.00 FTOS# Configure IS-IS metric style and cost All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
  • Page 502 Figure 23-7. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: <Null Tag> System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.0001 Interfaces supported by IS-IS: Vlan 2 GigabitEthernet 4/22 Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: level-1-2 IS-IS metrics settings...
  • Page 503: Configuring The Distance Of A Route

    Table 23-3. Correct Value Range for the isis metric command Metric Style Correct Value Range narrow transition 0 to 63 transition 0 to 63 Configuring the distance of a route Configure the distance for a route using the distance command from ROUTER ISIS mode. Change the IS-type You can configure the system to act as one of the following:...
  • Page 504 Figure 23-8. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL B233.00-00 0x00000003 0x07BF 1088 0/0/0 eljefe.00-00 * 0x00000009 0xF76A 1126 0/0/0 eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0 eljefe.02-00 * 0x00000001...
  • Page 505 Configure the prefix list in the PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, see Chapter 6, Access Control Lists (ACLs). IPv4 routes Use the following commands in ROUTER ISIS mode to apply prefix lists to incoming or outgoing IPv4 routes.
  • Page 506: Ipv6 Routes

    IPv6 routes Use these commands in ADDRESS-FAMILY IPV6 mode to apply prefix lists to incoming or outgoing IPv6 routes. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes. Command Syntax Command Mode Purpose...
  • Page 507 Redistribute routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. Note: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution....
  • Page 508 IPv6 routes Use any of these commands in ROUTER ISIS ADDRESS-FAMILY IPV6 mode to add routes from other routing instances or protocols. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes....
  • Page 509 Use either or both of the commands in ROUTER ISIS mode to configure a simple text password. Command Syntax: area-password [hmac-md5] password. Command Mode: ROUTER ISIS. Purpose: Configure authentication password for an area. FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs....
  • Page 510 Figure 23-9. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL B233.00-00 0x00000003 0x07BF 1074 0/0/0 when overload bit eljefe.00-00 * 0x0000000A 0xF963 1196 0/0/1 is set, 1 is listed in eljefe.01-00 * 0x00000001 0x68DF...
  • Page 511: Is-Is Metric Styles

    Command Syntax Command Mode Purpose EXEC Privilege View sent and received LSPs. debug isis update-packets interface To view specific information, enter one of the following optional parameters: • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
  • Page 512: Maximum Values In The Routing Table

    For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. Table 23-4. Correct Value Range for the isis metric Command Metric Style Correct Value Range for the isis metric Command wide 0 to 16777215 narrow...
  • Page 513 Table 23-5. Metric Value when Metric Style Changes (continued) Beginning metric style Final metric style Resulting IS-IS metric value transition wide original value transition narrow original value transition narrow transition original value transition wide transition original value narrow transition wide original value narrow transition narrow...
  • Page 514: Leaking From One Level To Another

    Leaking from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 23-7. Metric Value with Different Levels Configured with Different Metric Styles Level-1 metric style Level-2 metric style Resulting isis metric value narrow wide original value...
  • Page 515: Sample Configuration

    Sample Configuration The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used....
  • Page 516 Figure 23-10. IS-IS Sample Configuration - Congruent Topology FTOS(conf-if-te-3/17)#show config interface TenGigabitEthernet 3/17 ip address 24.3.1.1/24 ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown FTOS (conf-if-te-3/17)# FTOS (conf-router_isis)#show config router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 FTOS (conf-router_isis)# Figure 23-11.
  • Page 517 Figure 23-13. IPv6 IS-IS Sample Topography
  • Page 518 Intermediate System to Intermediate System...
  • Page 519: Layer

    Layer 2 Layer 2 features are supported on platforms: e c s z. This chapter describes the following Layer 2 features: • Managing the MAC Address Table • MAC Learning Limit • NIC Teaming • Microsoft Clustering • Configuring Redundant Pairs •...
  • Page 520: Set The Aging Time For Dynamic Entries

    Set the Aging Time for Dynamic Entries Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table.
  • Page 521: Display The Mac Address Table

    Display the MAC Address Table To display the contents of the MAC address table: Task Command Syntax Command Mode show mac-address-table [address | Display the contents of the MAC address table. EXEC Privilege aging-time [vlan vlan-id]| count | address displays the specified entry. •...
  • Page 522: Mac Learning-Limit Dynamic

    FTOS Behavior: When configuring MAC Learning Limit on a port or VLAN, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed: %E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list Mac-Limit GigabitEthernet 5/84...
  • Page 523: Mac Learning-Limit Mac-Address-Sticky

    mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If sticky MAC is enabled, the specified port will retain any dynamically-learned addresses and prevent them from being transferred or learned on other ports. If mac-learning-limit is configured and sticky MAC is enabled, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port....
  • Page 524: Learning Limit Violation Actions

    FTOS Behavior: The C-Series and S-Series do not generate a station-move violation log entry for physical interfaces mac learning-limit mac learning-limit or port-channels when you configure or when you configure station-move-violation log mac learning-limit . FTOS detects a station-move violation only when you configure dynamic mac learning-limit station-move-violation log , and logs the violation only when you configure the...
  • Page 525: Station Move Violation Actions

    Station Move Violation Actions Station Move Violation Actions are supported on platforms: S-Series (S25/S50) no-station-move is the default behavior (see mac learning-limit no-station-move on page 523). You can configure the system to take an action if a station move occurs using one of the following options with the mac learning-limit command:...
  • Page 526: Per-Vlan Mac Learning Limit

    Per-VLAN MAC Learning Limit Per-VLAN MAC Learning Limit is available only on platform: An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In Figure 24-1, an Internet Exchange Point (IXP) connects multiple Internet Service Providers (ISPs)....
  • Page 527: Nic Teaming

    ARP entry must be “moved”. To ensure that this happens, you must configure the mac-address-table station-move refresh-arp command on the Dell Force10 switch at the time that NIC teaming is being configured on the server.
  • Page 528: Mac Move Optimization

    Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 24-3. Configuring mac-address-table station-move refresh-arp Command
  • Page 529: Microsoft Clustering

    When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration. If the active server sends a reply, the Dell Force10 switch learns the active server’s MAC address.
  • Page 530: Configuring The Switch For Microsoft Server Clustering

    Configuring the Switch for Microsoft Server Clustering To preserve failover and balancing, the Dell Force10 switch must learn the cluster’s virtual MAC address, and it must forward traffic destined for the server cluster out all member ports in the VLAN connected to vlan-flooding the cluster.
  • Page 531: Enable And Disable Vlan Flooding

    Enable and Disable VLAN Flooding • ARP entries already resolved through the VLAN are deleted when the feature is enabled. This ensures that ARP entries across the VLAN are consistent. • All ARP entries learned after the feature is enabled are deleted when the feature is disabled, and RP2 no vlan-flooding triggers ARP resolution.
  • Page 532 Figure 24-7. Configuring Redundant Layer 2 Pairs without Spanning Tree Redundant links create a switching loop. Without STP, broadcast storms occur. Use backup interfaces to create redundant links in networks without STP. FTOS(conf-if-gi-3/41)#switchport FTOS(conf-if-gi-4/31)#switchport FTOS(conf-if-gi-3/41)#switchport backup gi 3/42 FTOS(conf-if-gi-4/31)#no shutdown FTOS(conf-if-gi-3/41)#no shutdown 3/41 4/31...
  • Page 533: Important Points About Configuring Redundant Pairs

    Important Points about Configuring Redundant Pairs • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. •...
  • Page 534: Restricting Layer 2 Flooding

    Figure 24-8. CLI for Configuring Redundant Layer 2 Pairs without Spanning Tree FTOS(conf-if-range-gi-3/41-42)#switchport backup interface GigabitEthernet 3/42 FTOS(conf-if-range-gi-3/41-42)#show config interface GigabitEthernet 3/41 no ip address switchport switchport backup interface GigabitEthernet 3/42 no shutdown interface GigabitEthernet 3/42 no ip address switchport no shutdown FTOS(conf-if-range-gi-3/41-42)# FTOS(conf-if-range-gi-3/41-42)#do show ip int brief | find 3/41...
  • Page 535: Far-End Failure Detection

    Conversely, if you want all multicast traffic to be flooded on all ports, but some specific traffic to be mac-flood-list min-speed restrict-flooding restricted, use with the option, but without configured. This configuration restricts flooding only for traffic with destination multicast MAC addresses within the multicast MAC address range you specify.
  • Page 536: Fefd State Changes

    Figure 24-10. Configuring Far-end Failure Detection FTOS(conf-if-gi-4/0)#show config interface GigabitEthernet 4/0 no ip address switchport fefd FTOS(conf-if-gi-1/0)#show config no shutdown interface GigabitEthernet 1/0 no ip address switchport fefd no shutdown Keep-alive Interval 2w0d4h : FEFD packet sent via interface Gi 1/0 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Gi 1/0) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Gi 4/0)
  • Page 537: Configuring Fefd

    1. An interface on which FEFD is not configured is in Normal mode by default. 2. Once FEFD is enabled on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link. 3.
  • Page 538 Report interval frequency and mode adjustments can be made by supplementing this command as well. Step Task Command Syntax Command Mode ip address ip Setup two or more connected INTERFACE interfaces for Layer 2 or Layer 3 use address, switchport no shutdown Activate the necessary ports INTERFACE...
  • Page 539: Debugging Fefd

    Step Task Command Syntax Command Mode fefd {disable | Enable FEFD on each interface INTERFACE interval | mode} Figure 24-12. FEFD enabled interface configuration FTOS(conf-if-gi-1/0)#show config interface GigabitEthernet 1/0 no ip address switchport fefd mode normal no shutdown FTOS(conf-if-gi-1/0)#do show fefd | grep 1/0 Gi 1/0 Normal Unknown...
  • Page 540 During an RPM Failover In the event that an RPM failover occurs, FEFD will become operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again. Figure 24-15. FEFD state change during an RPM failover 02-05-2009 12:40:38 Local7.Debug 10.16.151.12...
  • Page 541: Link Layer Discovery Protocol (Lldp)

    Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol (LLDP) is supported only on platforms: e c s z This chapter contains the following sections: • 802.1AB (LLDP) Overview on page 541 • TIA-1057 (LLDP-MED) Overview on page 544 • Configuring LLDP on page 548 802.1AB (LLDP) Overview Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.1AB—is a protocol that enables a LAN...
  • Page 542: Optional Tlvs

    TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 25-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements.
  • Page 543: Management Tlvs

    Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups (Table 25-2) as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Force10 system to advertise any or all of these TLVs. Table 25-2. Optional TLV Types...
  • Page 544: Tia-1057 (Lldp-Med) Overview

    Type TLV Description Port and Protocol VLAN ID On Dell Force10 systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in hybrid mode) VLAN Name Indicates the user-defined alphanumeric string that identifies the VLAN. This TLV is supported on C-Series only.
  • Page 545: Tia Organizationally Specific Tlvs

    TIA Organizationally Specific TLVs The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • transmitting an LLDP-MED capabilities TLV to endpoint devices • storing the information that endpoint devices advertise Table 25-3 describes the five types of TIA-1057 Organizationally Specific TLVs.
  • Page 546 25-4). • The possible values of the LLDP-MED Device Type are listed in Table 25-5. The Dell Force10 system is a Network Connectivity device, which is Type 4. When you enable LLDP-MED in FTOS (using the command advertise med) the system begins transmitting this TLV.
  • Page 547 LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations, specifically: • VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value The application type is represented by an integer (the Type integer in Table...
  • Page 548: Configuring Lldp

    802.3af powered, LLDP-MED endpoint device. • Power Type—there are two possible power types: Power Sourcing Entity (PSE) or Power Device (PD). The Dell Force10 system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification. •...
  • Page 549: Lldp Compatibility

    Dell Force10 systems support up to 8 neighbors per interface. • Dell Force10 systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by 8 exceeds the maximum, the system will not configure more than 8000.
  • Page 550: Enabling Lldp

    Figure 25-7. Configuration and Interface mode LLDP Commands R1(conf)#protocol lldp R1(conf-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol globally Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration Negate a command or set its defaults...
  • Page 551: Protocol Lldp

    If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration. To advertise TLVs: Command Step Task Command Mode protocol lldp Enter LLDP mode. CONFIGURATION or INTERFACE advertise {management-tlv | Advertise one or more TLVs. Include the keyword for PROTOCOL dot1-tlv | dot3-tlv | med} each TLV you want to advertise.
  • Page 552: Viewing The Lldp Configuration

    Viewing the LLDP Configuration Display the LLDP configuration using the show config command in either CONFIGURATION or INTERFACE mode, as shown in Figure 25-9 and Figure 25-10, respectively. Figure 25-9. Viewing LLDP Global Configurations R1(conf)#protocol lldp R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description hello 10...
  • Page 553: Configuring Lldpdu Intervals

    Remote MTU: 1554 Remote System Desc: Dell Force10 Networks Real Time Operating System Software . Dell Force10 Operating System Version: 1.0. Force10 App lication Software Version: 7.5.1.0. Copyright (c) 19 99-Build Time: Thu Aug 9 01:05:51 PDT 2007 Existing System Capabilities:...
  • Page 554: Configuring Transmit And Receive Mode

    R1(conf-lldp)# Configuring Transmit and Receive Mode Once LLDP is enabled, Dell Force10 systems transmit and receive LLDPDUs by default. You can configure the system—at CONFIGURATION level or INTERFACE level—to transmit only by executing mode tx mode rx...
  • Page 555: Configuring A Time To Live

    Figure 25-14. Configuring LLDPDU Transmit and Receive Mode R1(conf)#protocol lldp R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? Rx only Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx...
  • Page 556: Debugging Lldp

    Figure 25-15. Configuring LLDPDU Time to Live R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#multiplier ? <2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable...
  • Page 557: Relevant Management Objects

    Figure 25-17. Relevant Management Objects FTOS supports all IEEE 802.1AB MIB objects. • Table 25-7 lists the objects associated with received and transmitted TLVs. • Table 25-8 lists the objects associated with the LLDP configuration on the local agent. • Table 25-9 lists the objects associated with IEEE 802.1AB Organizationally Specific TLVs.
  • Page 558 Table 25-7. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether the local LLDP agent is enabled for transmit, receive, or both msgTxHold lldpMessageTxHoldMultiplier Multiplier value msgTxInterval lldpMessageTxInterval Transmit Interval value rxInfoTTL lldpRxInfoTTL Time to Live for received TLVs...
  • Page 559 Table 25-8. LLDP System MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Chassis ID chassis ID subtype Local lldpLocChassisIdSubtype Remote lldpRemChassisIdSubtype chassid ID Local lldpLocChassisId Remote lldpRemChassisId Port ID port subtype Local lldpLocPortIdSubtype Remote lldpRemPortIdSubtype port ID Local lldpLocPortId Remote...
  • Page 560 Table 25-9. LLDP 802.1 Organizationally Specific TLV MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Port-VLAN ID PVID Local lldpXdot1LocPortVlanId Remote lldpXdot1RemPortVlanId Port and Protocol port and protocol VLAN supported Local lldpXdot1LocProtoVlanSupported VLAN ID Remote lldpXdot1RemProtoVlanSupported port and protocol VLAN enabled Local lldpXdot1LocProtoVlanEnabled...
  • Page 561 Table 25-10. LLDP-MED System MIB Objects (continued) TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Network Policy Application Type Local lldpXMedLocMediaPolicyAppType Remote lldpXMedRemMediaPolicyAppType Unknown Policy Flag Local lldpXMedLocMediaPolicyUnknown Remote lldpXMedLocMediaPolicyUnknown Tagged Flag Local lldpXMedLocMediaPolicyTag Remote lldpXMedLocMediaPolicyTag VLAN ID...
  • Page 562 Table 25-10. LLDP-MED System MIB Objects (continued) TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Extended Power via Power Device Type Local lldpXMedLocXPoEDeviceTyp Remote lldpXMedRemXPoEDeviceTy Power Source Local lldpXMedLocXPoEPSEPowerSource, lldpXMedLocXPoEPDPowerSource Remote lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource Power Priority Local lldpXMedLocXPoEPDPowerPriority,...
  • Page 563: Multicast Source Discovery Protocol (Msdp)

    Multicast Source Discovery Protocol (MSDP) Multicast Source Discovery Protocol (MSDP) is supported on platforms: Protocol Overview Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP.
  • Page 564 Figure 26-1. Multicast Source Discovery Protocol RPs advertise each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count”...
  • Page 565: Anycast Rp

    Anycast RP Using Multicast Source Discovery Protocol (MSDP), Anycast RP provides load sharing and redundancy in Protocol Independent Multicast sparse mode (PIM-SM) networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other.
  • Page 566: Related Configuration Tasks

    Related Configuration Tasks • Enable MSDP • Manage the Source-active Cache • Accept Source-active Messages that fail the RPF Check • Limit the Source-active Messages from a Peer • Prevent MSDP from Caching a Local Source • Prevent MSDP from Caching a Remote Source •...
  • Page 567 Figure 26-3. Configuring Interfaces for MSDP
  • Page 568 Figure 26-4. Configuring OSPF and BGP for MSDP
  • Page 569 Figure 26-5. Configuring PIM in Multiple Routing Domains
  • Page 570 Figure 26-6. Configuring MSDP
  • Page 571: Enable Msdp

    Enable MSDP Enable MSDP by peering RPs in different administrative domains. Step Task Command Syntax Command Mode ip multicast-msdp Enable MSDP. CONFIGURATION ip msdp peer connect-source Peer PIM systems in different CONFIGURATION administrative domains. Figure 26-7. Configuring an MSDP Peer R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_E600(conf)#do show ip msdp summary Peer Addr...
  • Page 572: View The Source-Active Cache

    • RPs can transmit SA messages periodically to prevent SA storms, and • only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information. View the Source-active Cache Task Command Syntax Command Mode show ip msdp sa-cache...
  • Page 573: Enable The Rejected Source-Active Cache

    Enable the Rejected Source-active Cache Active sources can be rejected because • the RPF check failed, • the SA limit is reached, • the peer RP is unreachable, • or because of an SA message format error. Task Command Syntax Command Mode ip msdp cache-rejected-sa Cache rejected sources.
  • Page 574 Figure 26-10. MSDP Default Peer (panels: Scenario 1, Scenario 2)...
  • Page 575: Limit The Source-Active Messages From A Peer

    Task Command Syntax Command Mode ip msdp default-peer ip-address list Specify the forwarding-peer and originating-RP from CONFIGURATION which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check.
  • Page 576: Prevent Msdp From Caching A Local Source

    Prevent MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs. Task Command Syntax Command Mode ip msdp cache-rejected-sa OPTIONAL: Cache sources that are denied by the CONFIGURATION redistribute list in the rejected SA cache.
  • Page 577: Prevent Msdp From Caching A Remote Source

    Prevent MSDP from Caching a Remote Source Task Command Syntax Command Mode ip msdp cache-rejected-sa OPTIONAL: Cache sources that are denied by the CONFIGURATION SA filter in the rejected SA cache. ip msdp sa-filter list out peer list ext-acl Prevent the system from caching remote sources CONFIGURATION learned from a specific peer based on source and group.
  • Page 578: Prevent Msdp From Advertising A Local Source

    Prevent MSDP from Advertising a Local Source Task Command Syntax Command Mode ip msdp sa-filter list in peer list ext-acl Prevent an RP from advertising a source in the SA CONFIGURATION cache. In Figure 26-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires.
  • Page 579: Log Changes In Peership States

    Log Changes in Peership States Task Command Syntax Command Mode ip msdp log-adjacency-changes Log peership state changes. CONFIGURATION Terminate a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. Task Command Syntax Command Mode...
  • Page 580: Clear Peer Statistics

    Clear Peer Statistics Task Command Syntax Command Mode clear ip msdp peer peer-address Reset the TCP connection to the peer and clear all peer CONFIGURATION statistics. Figure 26-16. Clearing Peer Statistics R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0 State: Established...
  • Page 581: Debug Msdp

    Debug MSDP Task Command Syntax Command Mode Display the information exchanged between peers. debug ip msdp CONFIGURATION Figure 26-17. Debugging MSDP R1_E600(conf)#do debug ip msdp All MSDP debugging has been turned on R1_E600(conf)#03:16:08 : MSDP-0: Peer 192.168.0.3, sent Keepalive msg 03:16:09 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg 03:16:27 : MSDP-0: Peer 192.168.0.3,...
  • Page 582: Interface Loopback

    Figure 26-18. MSDP with Anycast RP (10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40 GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40 AS X PC 2 PC 3 Area 0 Source Receiver AS Y Area 0...
  • Page 583: Reducing Source-Active Message Flooding

    Reducing Source-active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
  • Page 584 Figure 26-19. R1 Configuration for MSDP with Anycast RP ip multicast-routing interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32...
  • Page 585 Figure 26-20. R2 Configuration for MSDP with Anycast RP ip multicast-routing interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown interface Loopback 0 ip pim sparse-mode...
  • Page 586 Figure 26-21. R3 Configuration for MSDP with Anycast RP ip multicast-routing interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown router ospf 1 network 10.11.6.0/24 area 0...
  • Page 587: Msdp Sample Configurations

    MSDP Sample Configurations The following figures show the running-configurations for the routers shown in figures Figure 26-5, Figure 26-4, Figure 26-5, Figure 26-6. Figure 26-22. MSDP Sample Configuration: R1 Running-config ip multicast-routing interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown interface GigabitEthernet 1/2 ip address 10.11.2.1/24...
  • Page 588 Figure 26-23. MSDP Sample Configuration: R2 Running-config ip multicast-routing interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown interface Loopback 0 ip address 192.168.0.2/32...
  • Page 589 Figure 26-24. MSDP Sample Configuration: R3 Running-config ip multicast-routing interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown interface ManagementEthernet 0/0 ip address 10.11.80.3/24 no shutdown interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown...
  • Page 590 Figure 26-25. MSDP Sample Configuration: R4 Running-config ip multicast-routing interface GigabitEthernet 4/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown interface GigabitEthernet 4/22 ip address 10.10.42.1/24 no shutdown interface GigabitEthernet 4/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown interface Loopback 0 ip address 192.168.0.4/32 no shutdown router ospf 1...
  • Page 591: Multiple Spanning Tree Protocol (Mstp)

    Multiple Spanning Tree Protocol (MSTP) Multiple Spanning Tree Protocol (MSTP) is supported on platforms: e c s z Protocol Overview Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
  • Page 592: Configure Multiple Spanning Tree Protocol

    FTOS supports three other variations of Spanning Tree, as shown in Table 27-1. Table 27-1. FTOS Supported Spanning Tree Protocols Dell Force10 Term IEEE Specification Spanning Tree Protocol 802.1d Rapid Spanning Tree Protocol 802.1w Multiple Spanning Tree Protocol 802.1s Per-VLAN Spanning Tree Plus...
  • Page 593: Enable Multiple Spanning Tree Globally

    • Preventing Network Disruptions with BPDU Guard on page 883 • SNMP Traps for Root Elections and Topology Changes on page 779 • Configuring Spanning Trees as Hitless on page 886 Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP: Step Task Command Syntax...
  • Page 594 Create an MSTI using the msti command from PROTOCOL MSTP mode. Specify the keyword vlan followed by the VLANs that you want to participate in the MSTI, as shown in Figure 27-3. Figure 27-3. Mapping VLANs to MSTI Instances FTOS(conf)#protocol spanning-tree mstp FTOS(conf-mstp)#msti 1 vlan 100 FTOS(conf-mstp)#msti 2 vlan 200-300 FTOS(conf-mstp)#show config...
  • Page 595: Influence Mstp Root Selection

    For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for name and revision will match on all Dell Force10 FTOS equipment. If you have non-FTOS equipment that will participate in MSTP, ensure these values match on all the equipment.
  • Page 596: Modify Global Parameters

    Max-hops is the maximum number of hops a BPDU can travel before a receiving switch discards it. Note: Dell Force10 recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively impact network performance. To change MSTP parameters, use the following commands on the root bridge:...
  • Page 597: Modify Interface Parameters

    Command Syntax Command Mode hello-time seconds Change the hello-time parameter. PROTOCOL MSTP Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10 Default: 2 seconds max-age seconds Change the max-age parameter.
  • Page 598: Configure An Edgeport

    Table 27-2. MSTP Default Port Cost Values Port Cost Default Value 10-Gigabit Ethernet interfaces 2000 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 To change the port cost or priority of an interface: Task Command Syntax Command Mode...
  • Page 599: Flush Mac Addresses After A Topology Change

    Verify that EdgePort is enabled on a port using the show config command from the INTERFACE mode, as shown in Figure 27-8. FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shutdown is a port channel then all the member ports are disabled in the hardware. 2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
  • Page 600 Figure 27-9. MSTP with Three VLANs Mapped to Two Spanning Tree Instances root Forwarding Figure 27-10. Router 1 Running-configuration protocol spanning-tree mstp no disable Enable MSTP globally name Tahiti Set Region Name and Revision revision 123 Map MSTP Instances to VLANs MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 interface GigabitEthernet 1/21...
  • Page 601 Figure 27-11. Router 2 Running-configuration protocol spanning-tree mstp no disable Enable MSTP globally name Tahiti Set Region Name and Revision revision 123 Map MSTP Instances to VLANs MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 interface GigabitEthernet 2/11 no ip address switchport no shutdown Assign Layer-2 interfaces...
  • Page 602 Figure 27-12. Router 3 Running-configuration protocol spanning-tree mstp no disable Enable MSTP globally name Tahiti Set Region Name and Revision revision 123 Map MSTP Instances to VLANs MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 interface GigabitEthernet 3/11 no ip address switchport no shutdown Assign Layer-2 interfaces...
  • Page 603: Debugging And Verifying Mstp Configuration

    Figure 27-13. SFTOS Example Running-Configuration spanning-tree spanning-tree configuration name Tahiti spanning-tree configuration revision 123 spanning-tree MSTi instance 1 Enable MSTP globally spanning-tree MSTi vlan 1 100 Set Region Name and Revision spanning-tree MSTi instance 2 Map MSTP Instances to VLANs spanning-tree MSTi vlan 2 200 spanning-tree MSTi vlan 2 300 interface...
  • Page 604 Figure 27-14. Displaying BPDUs and Events FTOS#debug spanning-tree mstp bpdu 1w1d17h : MSTP: Sending BPDU on Gi 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68 CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 20000 Regional Bridge Id: 32768:0001.e809.c24a, CIST Port Id: 128:384 Msg Age: 2, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: my-mstp-region, Rev: 0, Int Root Path Cost: 20000 Rem Hops: 19, Bridge Id: 32768:0001.e80d.b6d6...
  • Page 605 Figure 27-15. Sample Output for show running-configuration spanning-tree mstp command FTOS#show run spanning-tree mstp protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 Figure 27-16. Displaying BPDUs and Events - Debug Log of Successful MSTP Configuration FTOS#debug spanning-tree mstp bpdu MSTP debug bpdu is ON FTOS#...
  • Page 606 Multiple Spanning Tree Protocol (MSTP)
  • Page 607: Multicast Features

    Multicast Features Multicast Features are supported on platforms: e c s z This chapter contains the following sections: • Enable IP Multicast on page 607 • Multicast with ECMP on page 608 • First Packet Forwarding for Lossless Multicast on page 609 •...
  • Page 608: Multicast With Ecmp

    Multicast with ECMP Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal cost links. When creating the shared-tree Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple, equal-cost paths, the PIM selects the route with the least number of currently running multicast streams.
  • Page 609: First Packet Forwarding For Lossless Multicast

    Both scenarios might be unacceptable depending on the multicast application. Beginning with the FTOS versions above, when the Dell Force10 system is the RP, and has receivers for a group G, it forwards all initial multicast packets for the group based on the (*,G) entry rather than discarding them until the (S,G) entry is created, making Dell Force10 systems suitable for applications sensitive to multicast packet loss.
  • Page 610: Multicast Policies

    Multicast Policies FTOS offers parallel Multicast features for IPv4 and IPv6. • IPv4 Multicast Policies on page 610 • IPv6 Multicast Policies on page 615 IPv4 Multicast Policies • Limit the Number of Multicast Routes on page 610 • Prevent a Host from Joining a Group on page 611 •...
  • Page 611 Note: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit might be superseded by this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit set by the ip multicast-limit is reached.
  • Page 612 Figure 28-2. Preventing a Host from Joining a Group
  • Page 613 Rate Limit IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined using the ip igmp group-join-limit command from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that their membership is delayed rather than permanently denied.
  • Page 614 Figure 28-3. Preventing a Source from Transmitting to a Group
  • Page 615: Ipv6 Multicast Policies

    Prevent a PIM Router from Processing a Join Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the ip pim join-filter command to prevent the PIM SM router from creating state based on multicast source and/or group.
  • Page 616 Prevent an IPv6 Neighbor from Forming an Adjacency Task Command Syntax Command Mode ipv6 pim neighbor-filter access-list Prevent a router from participating in PIM. CONFIGURATION FTOS(conf)#ipv6 pim neighbor-filter NEIGH_ACL FTOS(conf)#ipv6 access-list NEIGH_ACL FTOS(conf-ipv6-acl)#show config ipv6 access-list NEIGH_ACL seq 5 deny ipv6 host fe80::201:e8ff:fe0a:5ad any seq 10 permit ipv6 any any FTOS(conf-ipv6-acl)# Prevent an IPv6 Source from Registering with the RP...
  • Page 617: Multicast Traceroute

    RPF neighbor. While computing the RPF neighbor, static mroutes and mBGP routes are preferred over unicast routes. When a Dell Force10 system is the last hop to the destination, FTOS sends a response to the query.
  • Page 619: Open Shortest Path First (Ospfv2 And Ospfv3)

    Open Shortest Path First (OSPFv2 and OSPFv3) Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms: c e s z. Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms: c e z. OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0;...
  • Page 620: Autonomous System (As) Areas

    Protocol Overview Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
  • Page 621: Area Types

    Autonomous System Areas Figure 29-1. Area Types The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous.
  • Page 622: Networks And Neighbors

    Each router has a unique ID, written in decimal format (A.B.C.D). The router ID does not have to be associated with a valid IP address. However, Dell Force10 recommends that the router ID and the router’s IP address reflect each other to make troubleshooting easier.
  • Page 623 OSPF Routing Examples Figure 29-2. Backbone Router (BR) A Backbone Router (BR) is part of the OSPF Backbone, Area 0. This includes all Area Border Routers (ABRs). It can also include any routers that connect only to the Backbone and another ABR, but are only part of Area 0, such as Router I in Figure 29-2 above.
  • Page 624: Designated And Backup Designated Routers

    Area Border Router (ABR) Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link-state database.
  • Page 625: Link-State Advertisements (Lsas)

    OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms. • OSPFv2 always discards unknown LSA types. The LSA types supported by Dell Force10 are defined as follows: • Type 1 - Router LSA •...
  • Page 626: Virtual Links

    For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the Link-State ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object to which this link connects.
  • Page 627: Implementing Ospf With Ftos

    Priority and Costs Example Figure 29-3. Implementing OSPF with FTOS FTOS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000, up to 8,000 routes can be designated as external and up to 2,000 as inter/intra area routes. FTOS version 7.8.1.0 and later support multiple OSPF processes (OSPF MP) on OSPFv2 only.
  • Page 628: Graceful Restart

    LSAs, thereby notifying its neighbors that the restart is complete. This should happen before the grace period expires. Dell Force10 routers support the following OSPF graceful restart functionality: • Restarting role in which a router is enabled to perform its own graceful restart.
  • Page 629: Fast Convergence (Ospfv2, Ipv4 Only)

    • Helper role in which the router's graceful restart function is to help a restarting neighbor router in its graceful restarts. • Helper-reject role in which OSPF does not participate in the graceful restart of a neighbor. OSPFv2 supports “helper-only” and “restarting-only” roles. By default, both helper and restarting roles are enabled.
  • Page 630: Processing Snmp And Sending Snmp Traps (Ospfv2, Ipv4 Only)

    • The E-Series supports up to 28 OSPFv2 processes. • The C-Series supports up to 6 OSPFv2 processes. • The S50 and S25 support up to 4 OSPFv2 processes. • The S55 and S60 support up to 16 OSPFv2 processes. •...
  • Page 631: Ospf Ack Packing

    Changing the hello interval on the Cisco router automatically changes the dead interval as well. To ensure equal intervals between the routers, manually set the dead interval of the Dell Force10 router to match the Cisco configuration. Use the command in INTERFACE mode: ip ospf dead-interval <x>...
  • Page 632: Configuration Information

    Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 1.1.1.1 (Backup Designated Router) FTOS (conf-if-gi-2/2)# For more information regarding this functionality or for assistance, go to http://support.dell.com/force10. Configuration Information The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic.
  • Page 633: Configuration Task List For Ospfv2 (Ospf For Ipv4)

    Configuration Task List for OSPFv2 (OSPF for IPv4) Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms: c e s z 1. Configure a physical interface. Assign an IP address, physical or loopback, to the interface to enable Layer 3 routing.
  • Page 634 % Error: No router ID available. In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting:...
  • Page 635: Enable Multi-Process Ospf (Ospfv2, Ipv4 Only)

    Use the show ip ospf process-id command in EXEC mode to view the current OSPFv2 status. Figure 29-8. Command Example: show ip ospf process-id FTOS#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.10 Supports only single TOS (TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 FTOS#...
  • Page 636: Assign An Ospfv2 Area

    % Error: No router ID available. In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting.
  • Page 637: Enable Ospfv2 On Interfaces

    IP Address to an Area FTOS(conf-router_ospf-1)#network 20.20.20.20/24 area 2 FTOS(conf-router_ospf-1)# Dell Force10 recommends that the OSPFv2 Router ID be the interface IP addresses for easier management and troubleshooting. Use the command in CONFIGURATION ROUTER OSPF mode to view the configuration.
  • Page 638 Command Example: show ip ospf process-id interface Figure 29-10. FTOS>show ip ospf 1 interface GigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5...
  • Page 639: Configure Stub Areas

    Configure stub areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the Area Border Router (ABR) advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
  • Page 640: Configure Ospf Stub-Router Advertisement

    Configure OSPF Stub-Router Advertisement Configure OSPF Stub-Router Advertisement is supported on platforms: When you bring a new router onto an OSPF network, you can configure the router to function as a stub area by globally reconfiguring the OSPF link cost so that other routers do not use a path that forwards traffic destined to other networks through the new router for a specified time until the router’s switching and routing functions are up and running, and the routing tables in network routers have converged.
  • Page 641: Enable Passive Interfaces

    Enable passive interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface will neither send nor receive routing updates, the network on that interface will still be included in OSPF updates sent via other interfaces.
  • Page 642: Enable Fast-Convergence

    29-15). Note: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Higher convergence levels should only be selected following consultation with Dell Force10 technical support.
  • Page 643: Change Ospfv2 Parameters On Interfaces

    Figure 29-14 shows the convergence settings when fast-convergence is enabled and Figure 29-15 shows settings when fast-convergence is disabled. These displays appear with the show ip ospf command. Figure 29-14. Command Example: show ip ospf process-id (fast-convergence enabled) FTOS(conf-router_ospf-1)#fast-converge 2 FTOS(conf-router_ospf-1)#ex FTOS(conf)#ex FTOS#show ip ospf 1...
  • Page 644 Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces: Command Syntax Command Mode Usage ip ospf cost CONFIG-INTERFACE Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed).
  • Page 645: Enable Ospfv2 Authentication

    Graceful Restart is enabled for the global OSPF process. Use these commands to configure OSPFv2 graceful restart. Refer to Graceful Restart for feature details. The Dell Force10 implementation of OSPFv2 graceful restart enables you to specify:
  • Page 646 • grace period—the length of time the graceful restart process can last before OSPF terminates it. • helper-reject neighbors—the router ID of each restart router that does not receive assistance from the configured router. • mode—the situation or situations that trigger a graceful restart. •...
  • Page 647: Filter Routes

    Command Example: show run ospf Figure 29-17. FTOS#show run ospf router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.0/24 area 0 FTOS# Use the following command to disable OSPFv2 graceful-restart after you have enabled it. Command Syntax Command Mode Usage...
  • Page 648: Redistribute Routes

    Use the following commands in CONFIGURATION-ROUTER OSPF mode to apply prefix lists to incoming or outgoing OSPF routes. Command Syntax Command Mode Usage distribute-list in [ prefix-list-name interface CONFIG-ROUTER- Apply a configured prefix list to incoming OSPF-id OSPF routes. distribute-list out [ connected | prefix-list-name CONFIG-ROUTER-...
  • Page 649: Troubleshooting Ospfv2

    Troubleshooting OSPFv2 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt an OSPFv2 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks. •...
  • Page 650 Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes. Command Syntax Command Mode Usage show running-config ospf EXEC Privilege View the summary of all OSPF process IDs enabled on the router. Command Example: show running-config ospf Figure 29-19.
  • Page 651 Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process: Command Syntax Command Mode Usage debug ip ospf process-id EXEC Privilege View debug messages. [ event | packet | spf ] To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id.
  • Page 652: Sample Configurations For Ospfv2

    Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
  • Page 653: Configuration Task List For Ospfv3 (Ospf For Ipv6)

    Configuration Task List for OSPFv3 (OSPF for IPv6) Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms: c e z. The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands.
  • Page 654: Enable Ipv6 Unicast Routing

    Enable IPv6 Unicast Routing Command Syntax Command Mode Usage ipv6 unicast routing CONFIGURATION Enables IPv6 unicast routing globally. Assign IPv6 addresses on an interface Command Syntax Command Mode Usage ipv6 address ipv6 address CONF-INT-type slot/port Assign IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
  • Page 655: Configure Passive-Interface

    Use the no ipv6 router ospf process-id command syntax in the CONFIGURATION mode to disable OSPF. Use the clear ipv6 ospf process command syntax in the EXEC Privilege mode to reset the OSPFv3 process. Configure stub areas Command Syntax Command Mode Usage area stub...
  • Page 656: Configure A Default Route

    Redistribute routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process. Command Syntax Command Mode Usage redistribute { bgp | connected | CONF-IPV6-ROUTER-OSPF Specify which routes will be redistributed static } [ metric...
  • Page 657: Enable Ospfv3 Graceful Restart

    Enable OSPFv3 graceful restart Graceful Restart for OSPFv3 is supported on platforms . Refer to Graceful Restart for more information on the feature. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
  • Page 658 To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands: Command Syntax Command Mode Usage show run ospf EXEC Privilege Display the graceful-restart configuration for OSPFv2 and (Figure 29-22) OSPFv3 show ipv6 ospf database EXEC Privilege Display the Type-11 Grace LSAs sent and received on an OSPFv3 grace-lsa...
  • Page 659: Ospfv3 Authentication Using Ipsec

    Command Example: show ipv6 ospf database grace-lsa Figure 29-24. FTOS#show ipv6 ospf database grace-lsa Type-11 Grace LSA (Area 0) LS Age : 10 Link State ID : 6.16.192.66 Advertising Router : 100.1.1.1 LS Seq Number : 0x80000001 Checksum : 0x1DF1 Length : 36 Associated Interface : Gi 5/3...
  • Page 660 • The encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. The ESP header is inserted after the IP header and before the next layer protocol header in transport mode.
  • Page 661 • IPsec security associations (SAs) are supported only in transport mode (tunnel mode is not supported). • ESP with null encryption is supported for authenticating only OSPFv3 protocol headers. • ESP with non-null encryption is supported for full confidentiality. • 3DES, DES, AES-CBC, and NULL encryption algorithms are supported;...
  • Page 662 To configure IPsec authentication on an interface, enter the following command: Command Syntax: ipv6 ospf authentication { null | ipsec spi number { MD5 | SHA1 } [key-encryption-type] key} Command Mode: INTERFACE Usage: Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface, where: null causes an authentication policy configured for the area to not be inherited on the interface.
  • Page 663 To configure IPsec encryption on an interface, enter the following command: Command Syntax: ipv6 ospf encryption { null | ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm Command Mode: INTERFACE Usage: Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface, where: null causes an encryption policy configured for the area to not be inherited on the interface.
  • Page 664 Configuring IPsec Authentication for an OSPFv3 Area Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)). To configure IPsec authentication for an OSPFv3 area, enter the following command in global configuration mode: Command Syntax Command Mode...
  • Page 665 Configuring IPsec Encryption for an OSPFv3 Area Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)). To configure IPsec encryption in an OSPFv3 area, enter the following command in global configuration mode: Command Syntax Command Mode...
  • Page 666 If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you cannot use the area encryption command in the area at the same time. The configuration of IPsec encryption at the interface level takes precedence over an area-level configuration.
  • Page 667 Command Example: show crypto ipsec policy Figure 29-25. In this encryption policy, the keys are not encrypted. FTOS#show crypto ipsec policy Crypto IPSec client security policy data Policy name : OSPFv3-1-502 Policy refcount Inbound ESP SPI : 502 (0x1F6) Outbound ESP SPI : 502 (0x1F6) Inbound ESP Auth Key...
  • Page 668 To display the IPsec security associations (SAs) used on OSPFv3 interfaces, enter the following command: Command Syntax Command Mode Usage show crypto ipsec sa ipv6 EXEC Privilege Displays security associations set up for OSPFv3 links in IPsec [ interface interface ] authentication and encryption policies on the router.
  • Page 669 Command Example: show crypto ipsec sa ipv6 Figure 29-26. FTOS#show crypto ipsec sa ipv6 Interface: TenGigabitEthernet 0/0 Link Local address: fe80::201:e8ff:fe40:4d10 IPSecv6 policy name: OSPFv3-1-500 inbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound ah sas...
  • Page 670: Troubleshooting Ospfv3

    Troubleshooting OSPFv3 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt the OSPFv3 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks. •...
  • Page 671 Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv3 process: Command Syntax Command Mode Usage EXEC Privilege View debug messages for all OSPFv3 interfaces. debug ipv6 ospf event packet type slot port • : View OSPF event messages.
  • Page 673: Pim Sparse-Mode (Pim-Sm)

    Implementation Information • The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05. • C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries.
  • Page 674: Requesting Multicast Traffic

    Requesting Multicast Traffic A host requesting multicast traffic for a particular group sends an IGMP Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
  • Page 675: Configure Pim-Sm

    source, including the RP, create an (S,G) entry and list the interface on which the message was received as an outgoing interface, thus recreating a SPT to the source. 3. Once the RP starts receiving multicast traffic via the (S,G) it unicasts a Register-Stop message to the first-hop DR so that multicast packets are no longer encapsulated in PIM Register packets and unicast.
  • Page 676: Enable Pim-Sm

    Enable PIM-SM You must enable PIM-SM on each participating interface: Step Task Command Command Mode Enable multicast routing on the system: ip multicast-routing (CONFIGURATION). Enable PIM-Sparse Mode: ip pim sparse-mode (INTERFACE). Display which interfaces are enabled with PIM-SM using the show ip pim interface command from EXEC Privilege mode, as shown in Figure...
  • Page 677: Configurable S,G Expiry Timers

    Figure 30-3. Viewing the PIM Multicast Routing Table FTOS#show ip pim tib PIM Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ...
  • Page 678: Configure A Static Rendezvous Point

    Step Task Command Syntax Command Mode Set the expiry time for a specific (S,G) entry (Figure 30-4): ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name (CONFIGURATION). Range 211-86400 seconds. Default: 210. Note: The expiry time configuration is nullified, and the default global expiry time is used if: • an ACL is specified for an in the ip pim sparse-mode sg-expiry-timer command, but the ACL has not been...
  • Page 679: Override Bootstrap Router Updates

    Override Bootstrap Router Updates PIM-SM routers need to know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. If you have configured a static RP for a group, use the override option with the ip pim rp-address command...
  • Page 680: Create Multicast Boundaries And Domains

    FTOS supports graceful restart based on the GenID. A Dell Force10 PIM router announces its graceful restart capability to its neighbors up front as an option in its hello messages.
  • Page 681: Monitoring Pim

    The default value is 60 seconds. In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Force10 system allows itself to be taken off the forwarding path if it restarts. ip pim graceful-restart helper-only
  • Page 683: Pim Source-Specific Mode (Pim-Ssm)

    SPT. PIM-SSM uses IGMPv3. Since receivers subscribe to a source and group, the RP and shared tree are unnecessary, so only SPTs are used. On Dell Force10 systems, it is possible to use PIM-SM with IGMPv3 to achieve the same result, but PIM-SSM eliminates the unnecessary protocol overhead.
  • Page 684 Figure 31-1. PIM-SM with IGMPv2 versus PIM-SM with IGMPv3
  • Page 685: Implementation Information

    Implementation Information • The Dell Force10 implementation of PIM-SSM is based on RFC 3569. • C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries. There is no limit on the number of PIM neighbors C-Series can have.
  • Page 686: Enable Pim-Ssm

    Enable PIM-SSM To enable PIM-SSM: Step Task Command Syntax Command Mode Create an ACL that uses permit rules to specify what range of ip access-list CONFIGURATION addresses should use SSM. You must at least include one standard name rule, permit 232.0.0.0/8, which is the default range for PIM-SSM.
  • Page 687 • When an extended ACL is associated with this command, FTOS displays an error message. If you apply an extended ACL before you create it, FTOS accepts the configuration, but when the ACL is later defined, FTOS ignores the ACL and the stated mapping has no effect. Display the source to which a group is mapped using the show ip igmp ssm-map command ], as...
  • Page 688 Figure 31-3. Using PIM-SM with IGMPv2 versus PIM-SSM with IGMPv2
  • Page 689 Figure 31-4. Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ip access-list standard map seq 5 permit host 239.0.0.2 ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2...
  • Page 691: Port Monitoring

    Port Monitoring Port Monitoring is supported on platforms: e c s z. Port Monitoring, also known as Port Mirroring, is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG).
  • Page 692: Port Monitoring On E-Series

    • The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 32-1 lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe.
  • Page 693: E-Series Exascale

    On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system.
  • Page 694 The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n). However, n number of ports may only have four different destination ports (Message Figure 32-2. Number of Monitoring Ports on the C-Series and S-Series FTOS#show mon session SessionID Source...
  • Page 695 Figure 32-4. Number of Monitoring Ports on the C-Series and S-Series FTOS(conf-mon-sess-300)#do show mon session SessionID Source Destination Direction Mode Type --------- ------ ----------- --------- ---- ---- Gi 0/13 Gi 0/1 interface Port-based Gi 0/14 Gi 0/2 interface Port-based Gi 0/15 Gi 0/3 interface Port-based...
  • Page 696: Configuring Port Monitoring

    FTOS Behavior: The C-Series and S-Series continue to mirror outgoing traffic even after an MD participating in Spanning Tree Protocol transitions from the forwarding to blocking. Configuring Port Monitoring To configure port monitoring: Step Task Command Syntax Command Mode show interface Verify that the intended monitoring port has no EXEC Privilege configuration other than no shutdown, as shown in...
  • Page 697 Figure 32-7. Port Monitoring Example Host Traffic Server Traffic Host Server FTOS(conf-if-gi-1/2)#show config interface GigabitEthernet 1/2 no ip address no shutdown Sniffer FTOS(conf )#monitor session 0 FTOS(conf-mon-sess-0)#source gig 1/1 destination gig 1/2 direction rx
  • Page 698: Flow-Based Monitoring

    Flow-based Monitoring Flow-based Monitoring is supported only on platform Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic.
  • Page 699: Private Vlans

    Private VLANs The Private VLAN (PVLAN) feature is supported on platforms: c s z. For syntax details on the commands discussed in this chapter, see the Private VLANs Commands chapter in the FTOS Command Reference. This chapter contains the following major sections: •...
  • Page 700: Private Vlan Concepts

    Private VLAN Concepts The VLAN types in a private VLAN (PVLAN) include: Community VLAN — A community VLAN is a type of secondary VLAN in a primary VLAN: • Ports in a community VLAN can communicate with each other. • Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
  • Page 701: Private Vlan Commands

    Each of the port types can be any type of physical Ethernet port, including port channels (LAGs). For details on port channels, see Port Channel Interfaces on page 385 in Chapter 19, Interfaces. For an introduction to VLANs, see Chapter 24, Layer 2. Private VLAN Commands The commands dedicated to supporting the Private VLANs feature are: Table 33-1.
  • Page 702: Private Vlan Configuration Task List

    Private VLAN Configuration Task List The following sections contain the procedures that configure a private VLAN: • Creating PVLAN ports • Creating a Primary VLAN on page 703 • Creating a Community VLAN on page 704 • Creating an Isolated VLAN on page 704 Creating PVLAN ports Private VLAN ports are those that will be assigned to the private VLAN (PVLAN).
  • Page 703: Creating A Primary Vlan

    Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs. Step Command Syntax Command Mode...
  • Page 704: Creating A Community Vlan

    Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN. Step Command Syntax Command Mode Purpose...
  • Page 705: Private Vlan Configuration Example

    Figure 33-2. Configuring VLANs for a Private VLAN FTOS#conf FTOS(conf)# interface vlan 10 FTOS(conf-vlan-10)# private-vlan mode primary FTOS(conf-vlan-10)# private-vlan mapping secondary-vlan 100-101 FTOS(conf-vlan-10)# untagged Gi 2/1 FTOS(conf-vlan-10)# tagged Gi 2/3 FTOS(conf)# interface vlan 101 FTOS(conf-vlan-101)# private-vlan mode community FTOS(conf-vlan-101)# untagged Gi 2/10 FTOS(conf)# interface vlan 100 FTOS(conf-vlan-100)# private-vlan mode isolated FTOS(conf-vlan-100)# untagged Gi 2/2...
  • Page 706: Inspecting The Private Vlan Configuration

    The result is that: • The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports. • The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports • The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
  • Page 707: Show Arp

    • show vlan private-vlan mapping: Display the primary-secondary VLAN mapping. See the example output from the S50V, above, in Figure 33-6. show commands revised to display PVLAN data are: • show arp • show vlan: See revised output in Figure 33-7.
  • Page 708 Figure 33-8. Example running-config Output of PVLAN Configuration from S50V interface GigabitEthernet 0/3 no ip address switchport switchport mode private-vlan promiscuous no shutdown interface GigabitEthernet 0/4 no ip address switchport switchport mode private-vlan host no shutdown interface GigabitEthernet 0/5 no ip address switchport switchport mode private-vlan host no shutdown...
  • Page 709: Per-Vlan Spanning Tree Plus (Pvst+)

    Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN Spanning Tree Plus (PVST+) is supported on platforms: e c s z Protocol Overview Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree, developed by a third party, that allows you to configure a separate Spanning Tree instance for each VLAN. For more information on Spanning Tree, see Chapter 44, Spanning Tree Protocol (STP).
  • Page 710: Configure Per-Vlan Spanning Tree Plus

    The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (Table 34-2). Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are the values you intended. •...
  • Page 711: Enable Pvst

    • PVST+ in Multi-vendor Networks on page 716 • PVST+ Extended System ID on page 716 • PVST+ Sample Configurations on page 717 Enable PVST+ When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally: Step Task Command Syntax...
  • Page 712 Figure 34-3. Load Balancing with PVST+ (topology diagram; labels include STI 1: VLAN 100, STI 2: VLAN 200, STI 3: VLAN 300, and vlan 100 bridge-priority 4096)...
  • Page 713: Modify Global Pvst+ Parameters

    Default: 15 seconds vlan hello-time Change the hello-time parameter. PROTOCOL PVST Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10 Default: 2 seconds...
  • Page 714: Modify Interface Pvst+ Parameters

    Note: The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are the values you intended.
  • Page 715: Configure An Edgeport

    Task: Change the port priority of an interface. Range: 0 to 240, in increments of 16. Default: 128. Command Syntax: spanning-tree pvst vlan priority. Command Mode: INTERFACE. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as shown in Figure...
  • Page 716: Pvst+ In Multi-Vendor Networks

    If PVST+ is enabled on the Dell Force10 switch in this network, P1 and P2 receive BPDUs from each other. Ordinarily, the Bridge ID in the frame matches the Root ID, a loop is detected, and the rules of convergence require that P2 move to blocking state because it has the lowest port ID.
  • Page 717: Pvst+ Sample Configurations

    Figure 34-5. PVST+ with Extend System ID VLAN unaware Dell Force10 System untagged in VLAN 10 untagged in VLAN 20 moves to blocking unless Extended System ID is enabled Task Command Syntax Command Mode extend system-id Augment the Bridge ID with the VLAN ID.
  • Page 718 Figure 34-6. PVST+ Sample Configuration: R1 Running-configuration interface GigabitEthernet 1/22 no ip address switchport no shutdown interface GigabitEthernet 1/32 no ip address switchport no shutdown protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 interface Vlan 100 no ip address tagged GigabitEthernet 1/22,32 no shutdown interface Vlan 200...
  • Page 719 Figure 34-7. PVST+ Sample Configuration: R2 Running-configuration interface GigabitEthernet 2/12 no ip address switchport no shutdown interface GigabitEthernet 2/32 no ip address switchport no shutdown interface Vlan 100 no ip address tagged GigabitEthernet 2/12,32 no shutdown interface Vlan 200 no ip address tagged GigabitEthernet 2/12,32 no shutdown interface Vlan 300...
  • Page 720 Per-VLAN Spanning Tree Plus (PVST+)
  • Page 721: Quality Of Service (Qos)

    Quality of Service (QoS) Quality of Service (QoS) is supported on platforms: e c s z Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per-port pipe. Traffic is queued on ingress and egress.
  • Page 722 Table 35-1. FTOS Support for Port-based, Policy-based, and Multicast QoS Features Feature Platform Direction c e s z Create an input QoS policy Ingress c e s z Configure policy-based rate policing Set a DSCP value for egress packets c e s z Set a dot1p value for egress packets c e s z Create an output QoS policy...
  • Page 723: Port-Based Qos Configurations

    (WFQ Scheduling) (WRED) Implementation Information Dell Force10’s QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication. It also implements these Internet Engineering Task Force (IETF) documents: • RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers •...
  • Page 724: Set Dot1P Priorities For Incoming Traffic

    • Configure Port-based Rate Limiting • Configure Port-based Rate Shaping Set dot1p Priorities for Incoming Traffic Change the priority of incoming traffic on the interface using the dot1p-priority command from INTERFACE mode, as shown in Figure 35-2. FTOS places traffic marked with a priority in a queue based on Table 35-2.
  • Page 725: Configure Port-Based Rate Policing

    On the C-Series and S-Series you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. See Mapping dot1p values to service queues on page 738.
  • Page 726: Configure Port-Based Rate Limiting

    Figure 35-5. Displaying your Rate Policing Configuration FTOS#show interfaces gigabitEthernet 1/2 rate police Rate police 300 (50) peak 800 (50) Traffic Monitor 0: normal 300 (50) peak 800 (50) Out of profile yellow 23386960 red 320605113 Traffic Monitor 1: normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 2: normal NA peak NA Out of profile yellow 0 red 0...
  • Page 727: Configure Port-Based Rate Shaping

    Figure 35-7. Displaying How Your Rate Limiting Configuration Affects Traffic FTOS#show interfaces gigabitEthernet 1/1 rate limit Rate limit 300 (50) peak 800 (50) Traffic Monitor 0: normal 300 (50) peak 800 (50) Out of profile yellow 23386960 red 320605113 Traffic Monitor 1: normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 2: normal NA peak NA Out of profile yellow 0 red 0...
  • Page 728: Classify Traffic

    Figure 35-9. Constructing Policy-based QoS Configurations Interface Input Service Policy Output Service Policy Input Input Output Output Policy Policy Policy Policy Input QoS Output QoS Class Map DSCP Policy Policy Rate Rate Outgoing L3 ACL WRED B/W % Policing Limiting Fields Marking Classify Traffic...
  • Page 729: Create A Layer 2 Class Map

    Figure 35-10. Using the Order Keyword in ACLs FTOS(conf)#ip access-list standard acl1 FTOS(config-std-nacl)#permit 20.0.0.0/8 FTOS(config-std-nacl)#exit FTOS(conf)#ip access-list standard acl2 FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0 FTOS(config-std-nacl)#exit FTOS(conf)#class-map match-all cmap1 FTOS(conf-class-map)#match ip access-group acl1 FTOS(conf-class-map)#exit FTOS(conf)#class-map match-all cmap2 FTOS(conf-class-map)#match ip access-group acl2 FTOS(conf-class-map)#exit FTOS(conf)#policy-map-input pmap FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1 FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2...
  • Page 730: Set Dscp Values For Egress Packets Based On Flow

    In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 35-10. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended.
  • Page 731 FTOS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified in two Queues, 1 and 2. Class-map ClassAF1 is "match any," and ClassAF2 is "match all".
  • Page 732: Create A Qos Policy

    Create a QoS Policy There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2.
  • Page 733: Create An Output Qos Policy

    Figure 35-12. Marking DSCP Values for Egress Packets FTOS#config FTOS(conf)#qos-policy-input my-input-qos-policy FTOS(conf-qos-policy-in)#set ip-dscp 34 % Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b). FTOS(conf-qos-policy-in)#show config qos-policy-input my-input-qos-policy set ip-dscp 34 FTOS(conf-qos-policy-in)#end FTOS#...
  • Page 734 Note: Dell Force10 recommends assigning bandwidth to all queues. If queues are left un-allocated, the remaining bandwidth is shared equally among the un-allocated queues. If the sum of the allocated bandwidth percentage exceeds 100%, 1% from the allocated queues is assigned to each un-allocated queue.
  • Page 735: Create Policy Maps

    Specify a WRED profile to yellow and/or green traffic using the wred command from QOS-POLICY-OUT mode. See Apply a WRED profile to traffic. Create Policy Maps There are two types of policy maps: input and output. Create Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2.
  • Page 736 Table 35-5. Default DSCP to Queue Mapping DSCP/CP E-Series C-Series S-Series hex range Traditional IP Internal Internal Internal DSCP/CP (XXX)xxx decimal DSCP Definition Precedence Queue ID Queue ID Queue ID 111XXX Network Control 48–63 110XXX Internetwork Control 101XXX EF (Expedited CRITIC/ECP Forwarding) 32–47...
  • Page 737 When using QoS service policies with multiple class maps, you can configure FTOS to use the incoming DSCP or dot1p marking as a secondary option for packet queuing in the event that no match occurs in the class maps. When class-maps are used, traffic is matched against each class-map sequentially from first to last. The sequence is based on the priority of the rules, as follows: 1.
  • Page 738: Apply An Input Policy Map To An Interface

    To enable Fall Back to trust diffserve or dot1p: Task: Classify packets according to their DSCP value as a secondary option in case no match occurs against the configured class maps. Command Syntax: trust {diffserve | dot1p} fallback. Command Mode: POLICY-MAP-IN.
  • Page 739: Qos Rate Adjustment

    2. Once you create an output policy map, do one or more of the following: • Apply an output QoS policy to a queue • Specify an aggregate QoS policy • Apply an output policy map to an interface 3. Apply the policy map to an interface. See page Apply an output QoS policy to a queue Apply an output QoS policy to queues using the command...
  • Page 740: Strict-Priority Queueing

    QoS Rate Adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration. Task: Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. Command Syntax: qos-rate-adjust overhead-bytes (Default: Disabled). Command Mode: CONFIGURATION.
  • Page 741: Create Wred Profiles

    Figure 35-13. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 35-7. Pre-defined WRED Profiles (E-Series) Default Profile Minimum Maximum Name...
  • Page 742: Apply A Wred Profile To Traffic

    FTOS assigns a color (red, yellow, or green), also called drop precedence, to each packet based on its DSCP value before queuing it. DSCP is a 6 bit field. Dell Force10 uses the first three bits of this field (DP) to determine the drop precedence. DP values of 110 and 100 map to yellow, and all other values map to green.
  • Page 743 Figure 35-16. show qos statistics Command Example (E-Series) FTOS#show qos statistics wred-profile Interface Gi 5/11 Queue# Drop-statistic WRED-name Dropped Pkts Green WRED1 51623 Yellow WRED2 51300 Out of Profile Green WRED1 52082 Yellow WRED2 51004 Out of Profile Green WRED1 50567 Yellow WRED2...
  • Page 744: Pre-Calculating Available Qos Cam Space

    Pre-calculating Available QoS CAM Space Pre-calculating Available QoS CAM Space is supported on platforms: c e s z Before version 7.3.1 there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; 1 to 16 entries might be used per rule depending upon its complexity).
  • Page 745 • Exception indicates that the number of CAM entries required to write the policy-map to the CAM is greater than the number of available CAM entries, and therefore the policy-map cannot be applied to an interface in the specified port-pipe. Note: The command show cam-usage provides much of the same information as test cam-usage, but whether or not a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume;...
  • Page 746 Quality of Service (QoS)
  • Page 747: Routing Information Protocol (Rip)

    Routing Information Protocol (RIP) Routing Information Protocol (RIP) is supported only on platforms: e c s z RIP is supported on the S-Series following the release of FTOS version 7.8.1.0, and on the C-Series with FTOS versions 7.6.1.0 and after. Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections.
  • Page 748: Ripv2

    RIP must receive regular routing updates to maintain a correct routing table. Response messages containing a router’s full routing table are transmitted every 30 seconds. If a router does not send an update within a certain amount of time, the hop count to that route is changed to unreachable (a route hop metric of 16 hops).
  • Page 749: Configuration Task List For Rip

    Configuration Task List for RIP • Enable RIP globally on page 749 (mandatory) • Configure RIP on interfaces on page 750 (optional) • Control RIP routing updates on page 751 (optional) • Set send and receive version on page 752 (optional) •...
  • Page 750: Configure Rip On Interfaces

    When the RIP process has learned the RIP routes, use the show ip rip database command in the EXEC mode to view those routes (Figure 385). Figure 36-2. show ip rip database Command Example (Partial) FTOS#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0 160.160.0.0/16...
  • Page 751: Control Rip Routing Updates

    Purpose neighbor ip-address ROUTER RIP Define a specific router to exchange RIP information between it and the Dell Force10 system. You can use this command multiple times to exchange RIP information with as many RIP networks as you want. passive-interface interface...
  • Page 752 To add routes from other routing instances or protocols, use any of the following commands in the ROUTER RIP mode: Command Syntax Command Mode Purpose redistribute { connected | static } [ metric ROUTER RIP Include directly connected or metric-value] [ route-map map-name] user-configured (static) routes in RIP.
  • Page 753 Figure 36-3. show ip protocols Command Example FTOS#show ip protocols Routing Protocols is RIP Sending updates every 30 seconds, next due in 23 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is...
  • Page 754: Generate A Default Route

    Figure 36-5. show ip protocols Command Example FTOS#show ip protocols Routing Protocols is RIP Sending updates every 30 seconds, next due in 11 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is...
  • Page 755: Control Route Metrics

    If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The autosummary command requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary. Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
  • Page 756: Rip Configuration Example

    To enable RIP debugging, use the following command in the EXEC privilege mode: Command Syntax Command Mode Purpose debug ip rip [interface | database | events | trigger ] EXEC privilege Enable debugging of RIP. Figure 36-6 shows the confirmation when the debug function is enabled. Figure 36-6.
  • Page 757: Configuring Ripv2 On Core 2

    Configuring RIPv2 on Core 2 Figure 36-8. Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/31)# Core2(conf-if-gi-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config router rip network 10.0.0.0 version 2 Core2(conf-router_rip)# Core 2 Output The screenshots in this section are: show ip rip database •...
  • Page 758 Figure 36-10. Using show ip route Command to Show RIP Configuration on Core 2 Core2#show ip route Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,...
  • Page 759: Rip Configuration On Core 3

    RIP Configuration on Core 3 Figure 36-12. RIP Configuration on Core 3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.0 version 2 Core3(conf-router_rip)# Core 3 RIP Output The screenshots in this section are: show ip rip database •...
  • Page 760 Figure 36-14. Using show ip routes for Core 3 RIP Setup Core3#show ip routes Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,...
  • Page 761: Rip Configuration Summary

    RIP Configuration Summary Figure 36-16. Summary of Core 2 RIP Configuration Using Output of show run Command interface GigabitEthernet 2/11 ip address 10.11.10.1/24 no shutdown interface GigabitEthernet 2/31 ip address 10.11.20.2/24 no shutdown interface GigabitEthernet 2/41 ip address 10.200.10.1/24 no shutdown interface GigabitEthernet 2/42 ip address 10.250.10.1/24 no shutdown...
  • Page 762 Routing Information Protocol (RIP)
  • Page 763: Remote Monitoring (Rmon)

    Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Force10 Ethernet Interfaces. RMON operates with SNMP and monitors all nodes on a LAN segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
  • Page 764: Fault Recovery

    Chassis Down—When a chassis goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file, and the sampling process continues after the chassis returns to operation. Platform Adaptation—RMON supports all Dell Force10 chassis and all Dell Force10 Ethernet Interfaces.
  • Page 765 Set rmon alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command: Command Syntax Command Mode Purpose [no] rmon alarm number variable CONFIGURATION Set an alarm on any MIB object.
  • Page 766: Configure An Rmon Event

    Figure 37-1. rmon alarm Command Example FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1 Alarm Number MIB Variable Monitor Interval Counter Value Limit Triggered Event The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
  • Page 767: Configure Rmon Collection Statistics

    Figure 37-2. rmon event Command Example FTOS(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1 The above configuration example creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command.
  • Page 768: Configure Rmon Collection History

    Configure RMON collection history To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command. Command Syntax Command Mode Purpose...
  • Page 769: Rapid Spanning Tree Protocol (Rstp)

    STP and MSTP. FTOS supports three other variations of Spanning Tree, as shown in Table 38-1. Table 38-1. FTOS Supported Spanning Tree Protocols Dell Force10 Term IEEE Specification Spanning Tree Protocol (STP) 802.1d Rapid Spanning Tree Protocol 802.1w...
  • Page 770: Configure Interfaces For Layer 2 Mode

    VLANs sends multiple messages to the RSTP task. When using the command, Dell Force10 recommends limiting the range to 5 ports and 40 VLANs. Configure Interfaces for Layer 2 Mode All interfaces on all bridges that will participate in Rapid Spanning Tree must be in Layer 2 and enabled.
  • Page 771 Figure 38-1. Configuring Interfaces for Layer 2 Mode R1(conf)# int range gi 1/1 - 4 R1(conf-if-gi-1/1-4)# switchport R1(conf-if-gi-1/1-4)# no shutdown R1(conf-if-gi-1/1-4)#show config interface GigabitEthernet 1/1 no ip address switchport no shutdown interface GigabitEthernet 1/2 no ip address switchport no shutdown interface GigabitEthernet 1/3 no ip address switchport...
  • Page 772: Enable Rapid Spanning Tree Protocol Globally

    Enable Rapid Spanning Tree Protocol Globally Rapid Spanning Tree Protocol must be enabled globally on all participating bridges; it is not enabled by default. To enable Rapid Spanning Tree globally for all Layer 2 interfaces: Step Task Command Syntax Command Mode CONFIGURATION protocol spanning-tree rstp Enter the PROTOCOL SPANNING TREE RSTP...
  • Page 773 Figure 38-4. Rapid Spanning Tree Enabled Globally root Forwarding Blocking Port 684 (GigabitEthernet 4/43) is alternate Discarding Discarding Port path cost 20000, Port priority 128, Port Identifier 128.684 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.684, designated path cost 20000 Number of transitions to forwarding state 0 BPDU : sent 3, received 219...
  • Page 774 Figure 38-5. show spanning-tree rstp Command Example FTOS#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.cbb4 Configured hello time 2, max age 20, forward delay 15, max hops 0 We are the root Current root has priority 32768, Address 0001.e801.cbb4 Number of topology changes 4, last change occurred 00:02:17 ago on Gi 1/26...
  • Page 775: Add And Remove Interfaces

    Max-age is the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology. Note: Dell Force10 recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTG parameters can negatively impact network performance.
  • Page 776: Modify Interface Parameters

    RSTP • Default: 15 seconds hello-time seconds Change the hello-time parameter. PROTOCOL Note: With large configurations (especially those with more ports) Dell SPANNING TREE Force10 recommends that you increase the hello-time. RSTP Range: 1 to 10 Default: 2 seconds max-age seconds Change the max-age parameter.
  • Page 777: Configure An Edgeport

    Verify that EdgePort is enabled on a port using the command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 38-7.
  • Page 778: Influence Rstp Root Selection

    FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shutdown is a port channel then all the member ports are disabled in the hardware. 2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
  • Page 779: Snmp Traps For Root Elections And Topology Changes

    Figure 38-8. bridge-priority Command Example FTOS(conf-rstp)#bridge-priority 4096 04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd SNMP Traps for Root Elections and Topology Changes Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the snmp-server enable traps xstp command. Fast Hellos for Link State Detection...
  • Page 780 Rapid Spanning Tree Protocol (RSTP)
  • Page 781: Security

    Security Security features are supported on platforms: e c s z This chapter discusses several ways to provide access security to the Dell Force10 system. • Accounting on page 781 • AAA Authentication on page 784 • AAA Authorization on page 787 •...
  • Page 782: Enable Aaa Accounting

    Accounting Configuration Task List for AAA The following sections present the AAA Accounting configuration tasks: • Enable AAA Accounting on page 782 (mandatory) • Suppress AAA Accounting for null username sessions on page 783 (optional) • Configure Accounting of EXEC and privilege-level command usage on page 783 (optional) •...
  • Page 783: Suppress Aaa Accounting For Null Username Sessions

    Suppress AAA Accounting for null username sessions When AAA Accounting is activated, the FTOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the AAA Authentication login method-list none command is applied.
  • Page 784: Aaa Authentication

    Accounting (AAA) to help secure networks against unauthorized access. In the Dell Force10 implementation, the Dell Force10 system acts as a RADIUS or TACACS+ client and sends authentication requests to a central RADIUS or TACACS+ server that contains all user authentication and network service access information.
  • Page 785: Configure Aaa Authentication Login Methods

    Configure login authentication for terminal lines You can assign up to five authentication methods to a method list. FTOS evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, FTOS applies the next method list until the user either passes or fails the authentication.
  • Page 786: Enable Aaa Authentication

    LINE mode or the EXEC Privilege mode. Note: Dell Force10 recommends that you use the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with SSH.
  • Page 787: Aaa Authorization

    FTOS(config)# line vty 0 9 FTOS(config-line-vty)# enable authentication mymethodlist Server-side configuration TACACS+: When using TACACS+, Dell Force10 sends an initial packet with service type SVC_ENABLE, and then, a second packet with just the password. The TACACS server must have an entry for username $enable$.
  • Page 788: Configuration Task List For Privilege Levels

    • Privilege level 1 is the default level for the EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level.
  • Page 789: Configure The Enable Password Command

    To configure a username and password, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose username name access-class CONFIGURATION Assign a user name and password. Configure the nopassword | optional and required parameters: access-list-name password • name: Enter a text string up to 63 characters encryption-type password...
  • Page 790: Configure Custom Privilege Levels

    Configure custom privilege levels In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within FTOS, commands have certain privilege levels. With the privilege command, the default level can be changed or you can reset their privilege level back to the default.
  • Page 791 Step Command Syntax Command Mode Purpose privilege mode {level level CONFIGURATION Configure level and commands for a mode or command | reset command} reset a command’s level. Configure the following required and optional parameters: mode: Enter a keyword for the modes (exec, •...
  • Page 792 Figure 39-3. User john’s Login and the List of Available Commands apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'. Login: john Password: FTOS#show priv Current privilege level is 8 FTOS#? configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit...
  • Page 793 Version 2.00.1201. Copyright (C) 2009 American Megatrends, Inc. EVALUATION COPY. Press <DEL> or <F2> to enter setup. Grub 1.99~rc1 (Dell Force10) Built by root at bsdlab on Thu_Aug_18_06:51:21_UTC_2011 Z9000 Boot selector Label 3.0.1.1 NetBoot Label 0.0.0.0 During system boot, press ESC when prompted during the countdown to stop the auto-boot process.
  • Page 794: Radius

    RADIUS server and a RADIUS client (the Dell Force10 system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: •...
  • Page 795: Idle Time

    RADIUS exec-authorization stores a user-shell profile that is applied during user login. You may name the relevant named-lists with either a unique name or the default name. When authorization is enabled by the RADIUS server, the server returns the following information to the client: •...
  • Page 796: Configuration Task List For Radius

    Set access to privilege levels through RADIUS Through the RADIUS server, you can use the privilege level command to configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. Configuration Task List for RADIUS To authenticate users using RADIUS, you must specify at least one RADIUS server for the system to communicate with, and configure RADIUS as one of your authentication methods.
  • Page 797: Apply The Method List To Terminal Lines

    Apply the method list to terminal lines To enable RADIUS AAA login authentication for a method list, you must apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, enter the following commands: Command Syntax Command Mode Purpose line {aux 0 | console 0 | vty number...
  • Page 798 To view the RADIUS configuration, use the show running-config radius command in the EXEC Privilege mode. To delete a RADIUS server host, use the no radius-server host {hostname | ip-address} command. Set global communication parameters for all RADIUS server hosts You can configure global communication parameters (auth-port, key, retransmit, and timeout parameters) and specific host communication parameters on the same system.
  • Page 799: Tacacs

    Monitor RADIUS To view information on RADIUS transactions, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose debug radius EXEC Privilege View RADIUS transactions to troubleshoot problems. TACACS+ FTOS supports Terminal Access Controller Access Control System (TACACS+) client, including support for login authentication.
  • Page 800 To select TACACS as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose tacacs-server host {ip-address | host} CONFIGURATION Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server.
  • Page 801: Tacacs+ Remote Authentication And Authorization

    Figure 39-4. Failed Authentication FTOS(conf)# FTOS(conf)#do show run aaa aaa authentication enable default tacacs+ enable aaa authentication enable LOCAL enable tacacs+ aaa authentication login default tacacs+ local aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+...
  • Page 802 Figure 39-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection.
  • Page 803: Command Authorization

    To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command. freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'. Login: admin Password: FTOS# FTOS# Command Authorization The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
  • Page 804 Command Mode Purpose ip ssh server version {1|2} CONFIGURATION Configure the Dell Force10 system as an SSH server that uses only version 1 or 2. To view the SSH configuration, use the following command in EXEC Privilege mode: Command Syntax...
  • Page 805: Using Scp With Ssh To Copy A Software Image

    Figure 39-6. Specifying an SSH version FTOS(conf)#ip ssh server version 2 FTOS(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. Authentication : disabled. To disable SSH server functions, enter no ip ssh server enable. Using SCP with SSH to copy a software image To use Secure Copy (SCP) to copy a software image through an SSH connection from one switch to...
  • Page 806: Secure Shell Authentication

    2, respectively. SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Force10 system. This is the simplest method of authentication and uses SSH version 1. ip ssh password-authentication enable...
  • Page 807: Rsa Authentication Of Ssh

    Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. Copy the public key id_rsa.pub to the Dell Force10 system. no ip ssh password-authentication Disable password authentication if enabled. CONFIGURATION...
  • Page 808 Figure 39-11. Creating rhosts admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.201 admin Copy the file shosts and rhosts to the Dell Force10 system. • no ip ssh password-authentication Disable password authentication and • CONFIGURATION • no ip ssh rsa-authentication RSA authentication, if configured •...
  • Page 809: Troubleshooting Ssh

    Message 2 RSA Authentication Error %Error: No username set for this term. • Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine). Message 3 appears if you attempt to log in via SSH and host-based is disabled on the client.
  • Page 810: Trace Lists

    Trace Lists The Trace Lists feature is supported only on the E-Series. You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
  • Page 811 Since traffic passes through the filter in the order of the filter’s sequence, you can configure the trace list by first entering the TRACE LIST mode and then assigning a sequence number to the filter. To create a filter for packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax...
  • Page 812 Step Command Syntax Command Mode Purpose seq sequence-number {deny | permit} TRACE LIST Configure a trace list filter for TCP host packets. source mask ip-address operator port port source: An IP address as the source IP • address for the filter to match. host destination mask mask: a network mask...
  • Page 813 Figure 39-13. Trace list Using seq Command Example FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any FTOS(config-trace-acl)#show conf ip trace-list dilling seq 5 permit tcp 121.1.0.0 0.0.255.255 any seq 15 deny ip host 12.45.0.0 any log FTOS(config-trace-acl)# If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
  • Page 814 Command Syntax Command Mode Purpose {deny | permit} tcp host source mask TRACE LIST Configure a deny or permit filter to examine TCP packets. Configure the ]] { ip-address operator port port destination following required and optional host ip-address mask operator port port parameters:...
  • Page 815 Figure 39-14. Trace List Example FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0 FTOS(config-trace-acl)#show config ip trace-list nimule seq 5 deny tcp host 123.55.34.0 any seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0 To view all configured Trace lists and the number of packets processed through the Trace list, use the show ip accounting trace-list command (Figure 39-15)
  • Page 816: Vty Line And Access-Class Configuration

    VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote: Table 39-1. VTY Access Username VTY access-class access-class Authentication Method support? support? Remote authorization support? Line Local...
  • Page 817: Vty Line Remote Authentication And Authorization

    FTOS retrieves the access class from the VTY line. The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not need to know the identity of the incoming user and can immediately apply the access class. If the...
  • Page 818 Figure 39-18. Example Access Class Configuration Using TACACS+ Without Prompt FTOS(conf)#mac access-list standard sourcemac FTOS(config-std-mac)#permit 00:00:5e:00:01:01 FTOS(config-std-mac)#deny any FTOS(conf)# FTOS(conf)#line vty 0 9 FTOS(config-line-vty)#access-class sourcemac FTOS(config-line-vty)#end Security...
  • Page 819: Service Provider Bridging

    Service Provider Bridging Service Provider Bridging is supported on platforms: e c s z This chapter contains the following major sections: • VLAN Stacking on page 819 • VLAN Stacking Packet Drop Precedence on page 830 • Dynamic Mode CoS for VLAN Stacking on page 832 •...
  • Page 820: Configure Vlan Stacking

    To switch traffic, these interfaces must be added to a non-default VLAN-Stack-enabled VLAN. • Dell Force10 cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. • You can ping across a trunk port only if both systems on the link are an E-Series. You cannot ping across the link if one or both of the systems is a C-Series or S-Series.
  • Page 821: Create Access And Trunk Ports

    Create Access and Trunk Ports An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
  • Page 822: Configure The Protocol Type Value For The Outer Vlan Tag

    Display the status and members of a VLAN using the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q. Figure 40-3. Display the Members of a VLAN-Stacking-enabled VLAN FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs Status Q Ports...
  • Page 823: Debug Vlan Stacking

    Step Task Command Syntax Command Mode [tagged | untagged] Add the port to a 802.1Q VLAN as tagged or untagged. INTERFACE VLAN In Figure 40-4, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
  • Page 824: Vlan Stacking In Multi-Vendor Networks

    0x9100, and it is, so R2 forwards the frame. Given the matching-TPID requirement, there are limitations when you employ Dell Force10 systems at network edges, where frames are either double tagged on ingress (R4) or the outer tag is removed on egress (R3).
  • Page 825 Figure 40-6. TPID Match and First-byte Match on the E-Series TeraScale Building D TPID 0x9191 R3-E-Series TeraScale R2-E-Series TeraScale TPID: 0x9100 TPID: 0x9100 R1-E-Series TeraScale Building B TPID: 0x9191 TPID TPID (0x9100) (VLAN Purple) (0x8100) (VLAN Red) Building C R4-Non-Force10 System TPID TPID: 0x9100 (0x8100)
  • Page 826 Figure 40-7. TPID Mismatch and 0x8100 Match on the E-Series TeraScale Building D TPID 0x8100 TPID 0x9100 R3-E-Series TeraScale R2-E-Series TeraScale TPID: 0x8181 TPID: 0x8181 Building B R1-E-Series TeraScale TPID: 0x9100 TPID TPID (0x8100) (VLAN Purple) (0x8100) (VLAN Red) Building C R4-Non-Force10 System TPID TPID: 0x8100...
  • Page 827 Figure 40-8. First-byte TPID Match on the E-Series ExaScale Building D TPID 0x9191 R2-E-Series ExaScale TPID: 0x9100 R1-E-Series TeraScale TPID: 0x9191 Building C Table 40-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series. Table 40-1.
  • Page 828 You can configure the first eight bits of the TPID using the vlan-stack protocol-type command. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
  • Page 829 Figure 40-10. Single and Double-tag First-byte TPID Match on C-Series and S-Series TPID 0x8181 R2-C-Series w/ FTOS <8.2.1.0 TPID: 0x8181 R3-C-Series w/ FTOS >=8.2.1.0 TPID: 0x8181 R1-C-Series w/ FTOS <8.2.1.0 Building B TPID: 0x8181 R4-Non-Force10 System TPID: 0x8100 TPID (0x8100) (VLAN Red) Building A Figure 40-11.
  • Page 830: Vlan Stacking Packet Drop Precedence

    Table 40-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series. Table 40-2. C-Series and S-Series Behaviors for Mis-matched TPID Network Incoming System Position Packet TPID TPID Match Type Pre-8.2.1.0 8.2.1.0+ Ingress Access Point untagged 0xUVWX —...
  • Page 831: Enable Drop Eligibility

    Enable Drop Eligibility You must enable Drop Eligibility globally before you can honor or mark the DEI value. Task Command Syntax Command Mode dei enable Make packets eligible for dropping based on their DEI value. By CONFIGURATION default, packets are colored green, and DEI is marked 0 on egress. When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults.
  • Page 832: Mark Egress Packets With A Dei Value

    Task Command Syntax Command Mode FTOS#show interface dei-honor Default Drop precedence: Green Interface CFI/DEI Drop precedence ------------------------------------------------------------- Gi 0/1 Green Gi 0/1 Yellow Gi 8/9 Gi 8/40 Yellow Mark Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
  • Page 833 Figure 40-12. Statically and Dynamically Assigned dot1p for VLAN Stacking Untagged S-Tag with statically-assigned dot1p S-Tag DATA 0x0800 DATA 0x0800 0x9100 C-Tag S-Tag C-Tag 0x8100 0x8100 0x9100 C-Tagged S-Tag with mapped dot1p When configuring Dynamic Mode CoS, you have two options: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
  • Page 834 FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
  • Page 835: Layer 2 Protocol Tunneling

    To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly: Step Task Command Syntax Command Mode cam-acl l2acl number ipv4acl number Allocate CAM space to enable queuing CONFIGURATION ipv6acl number ipv4qos number l2qos frames according to the C-Tag or the number l2pt number ipmacacl number S-Tag.
  • Page 836 (Figure 40-14). FTOS Behavior: In FTOS versions prior to 8.2.1.0, the MAC address that Dell Force10 systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell Force10-unique MAC address, 01-01-e8-00-00-00. As such, with these FTOS...
  • Page 837: Implementation Information

    Figure 40-14. VLAN Stacking with L2PT BPDU w/ destination Building B MAC address: 01-80-C2-00-00-00 no spanning-tree no spanning-tree BPDU w/ destination MAC address: 01-01-e8-00-00-00 Non-Force10 Non-Force10 System R1-E-Series System BPDU w/ destination MAC address: 01-80-C2-00-00-00 Building A Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
  • Page 838: Enable Layer 2 Protocol Tunneling

    CONFIGURATION protocol-tunnel stp Tunnel BPDUs the VLAN. INTERFACE VLAN Specify a Destination MAC Address for BPDUs By default, FTOS uses a Dell Force10-unique MAC address for tunneling BPDUs. You can configure another value. Task Command Syntax Command Mode protocol-tunnel destination-mac...
  • Page 839: Debug Layer 2 Protocol Tunneling

    There are total 13 user-configurable FP blocks on the C-Series and S-Series. The default number of blocks for L2PT is 0; you must allocate at least one to enable BPDU rate-limiting. Step Task Command Syntax Command Mode cam-acl l2acl Create at least one FP group for L2PT. See CONFIGURATION CAM Allocation on page 265 for details on...
  • Page 840 Provider Backbone Bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices. Task Command Syntax Command Mode...
  • Page 841: Sflow

    sFlow Configuring sFlow is supported on platforms: e c s z • Enable and Disable sFlow on page 843 • sFlow Show Commands on page 844 • Specify Collectors on page 846 • Polling Intervals on page 846 • Sampling Rate on page 846 •...
  • Page 842: Implementation Information

    Implementation Information Dell Force10’s sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe. If sFlow is not enabled on any port specifically, then the global sampling rate is downloaded to that port and is used to calculate the port-pipe’s lowest sampling rate.
  • Page 843: Enable And Disable Sflow

    • FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount. Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
  • Page 844: Sflow Show Commands

    sFlow Show Commands FTOS includes the following sFlow display commands: • Show sFlow Globally on page 49 • Show sFlow on an Interface on page 50 • Show sFlow on a Line Card on page 50 Show sFlow Globally Use the following command to view sFlow statistics: Command Syntax Command Mode Purpose...
  • Page 845: Show Sflow On A Line Card

    Figure 41-3. Command Example: show sflow interface FTOS#show sflow interface gigabitethernet 1/16 Gi 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate Counter polling interval Samples rcvd from h/w Samples dropped for sub-sampling :6 The configuration, shown in Figure 41-2, is also displayed in the running configuration (Figure...
  • Page 846: Specify Collectors

    Specify Collectors The sflow collector command allows identification of sFlow Collectors to which sFlow datagrams are forwarded. The user can specify up to two sFlow collectors. If two Collectors are specified, the samples are sent to both. Collection through Management interface is supported on platform: Command Syntax Command Mode Usage...
  • Page 847: Sub-Sampling

    The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate. By default, the sampling rate of an interface is set to the same value as the current global default sampling rate. If the value entered is not a correct power of 2, the command generates an error message with the previous and next power-of-2 value.
  • Page 848: Back-Off Mechanism

    Back-off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until CPU condition is cleared.
  • Page 849: Important Points To Remember

    The IP destination address has to be learned via BGP in order to export extended-gateway data, prior to FTOS version 7.8.1.0. • If the IP destination address is not learned via BGP the Dell Force10 system does not export extended-gateway data, prior to FTOS version 7.8.1.0. •...
  • Page 850 Table 41-1. Extended Gateway Summary srcAS and dstAS and IP SA IP DA srcPeerAS dstPeerAS Description static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP Exported src_as & src_peer_as are zero because there is no AS information for IGP.
  • Page 851: Simple Network Management Protocol (Snmp)

    Note: The configurations in this chapter use a Unix environment with net-snmp version 5.4. This is only one of many RFC-compliant SNMP utilities you can use to manage your Dell Force10 system using SNMP. Also, these configurations use SNMP version 2c.
  • Page 852: Create A Community

    Related Configuration Tasks The following list contains configuration tasks for SNMP: • Read Managed Object Values • Write Managed Object Values • Subscribe to Managed Object Value Updates using SNMP • Copy Configuration Files Using SNMP • Manage VLANs using SNMP •...
  • Page 853: Read Managed Object Values

    View your SNMP configuration using the show running-config snmp command from EXEC Privilege mode, as shown in Figure 42-1. Figure 42-1. Creating an SNMP Community FTOS#snmp-server community my-snmp-community ro 22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START. FTOS#do show running-config snmp snmp-server community mycommunity ro Read Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same...
  • Page 854: Write Managed Object Values

    > snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5" SNMPv2-MIB::sysName.0 = STRING: R5 Configure Contact and Location Information using SNMP You may configure system contact and location information from the Dell Force10 system or from the management station using SNMP. Simple Network Management Protocol (SNMP)
  • Page 855: Subscribe To Managed Object Value Updates Using Snmp

    Subscribe to Managed Object Value Updates using SNMP By default, the Dell Force10 system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
  • Page 856 PORT_LINKDN:changed interface state to down:%d snmp linkup PORT_LINKUP:changed interface state to up:%d Enable a subset of Dell Force10 enterpriseSpecific SNMP traps using one of the listed command options Table 42-2 with the command . Note that the option enables all...
  • Page 857 Table 42-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap envmon CARD_SHUTDOWN: %sLine card %d down - %s CARD_DOWN: %sLine card %d down - %s LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
  • Page 858: Copy Configuration Files Using Snmp

    • copy the running-config file to the startup-config file. • copy configuration files from the Dell Force10 system to a server. • copy configuration files from a server to the Dell Force10 system. When a startup or running configuration copy performed via SNMP or CLI is complete, a trap is sent. This trap is enabled by the command .
  • Page 859 • Copy startup-config ftp://... /abc.txt Note: Where ‘ftp’ is indicated in the examples above, scp or TFTP can also be used. A copy performed by CLI or SNMP can be differentiated by the trap string printed at the SNMP host. The copyAlarmIndex sent to the host has a value of ‘-1’...
  • Page 860 CONFIGURATION community-name rw write privileges. Copy the f10-copy-config.mib MIB from the Dell Force10 iSupport webpage to the server to which you are copying the configuration file. On the server, use the command snmpset as shown: snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value...
  • Page 861 Note: In UNIX, enter the command snmpset for help using this command. Place the file f10-copy-config.mib in the directory from which you are executing the snmpset command or in the snmpset tool path. Table 42-4. Copying Configuration Files via SNMP Task Copy the running-config to the startup-config using the following command from the UNIX machine: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3...
  • Page 862 3 copyDestFileName.4 s /home/myfilename Copy a binary file from the server to the startup-configuration on the Dell Force10 system via FTP using the following command from the UNIX server: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3...
  • Page 863 Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 42-5. Table 42-5. MIB Objects for Copying Configuration Files via SNMP MIB Object Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.11 1= running Specifies the state of the copy operation.
  • Page 864: Manage Vlans Using Snmp

    Figure 42-13 shows the command syntax using MIB object names, and Figure 42-14 shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command. Figure 42-13. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax >...
  • Page 865: Display The Ports In A Vlan

    > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.1107787786 = STRING: "My VLAN" [Dell Force10 system output] FTOS#show int vlan 10 Vlan 10 is down, line protocol is down Vlan alias name is: My VLAN Address is 00:01:e8:cc:cc:ce, Current address is 00:01:e8:cc:cc:ce...
  • Page 866 The table that the Dell Force10 system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports. • On the E-Series, 12 hex pairs represent a line card. Twelve pairs accommodate the greatest currently available line card port density, 96 ports.
  • Page 867: Add Tagged And Untagged Ports To A Vlan

    The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 0. The hex value 40 is 0100 0000 in binary. As described above, the left-most position in the string represents Port 1. The next position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10.
  • Page 868: Enable And Disable A Port Using Snmp

    Enable and Disable a Port using SNMP Step Task Command Syntax Command Mode snmp-server community Create an SNMP community on the Dell Force10 CONFIGURATION system. show interface From the Dell Force10 system, identify the interface EXEC Privilege index of the port for which you want to change the admin status.
  • Page 869 E-Series is 96 ports, and line card numbering begins with 0; GigabitEthernet 1/21 is the 21st port on Line Card 1, and 96 + 21 yields 118. Figure 42-22. Fetching Dynamic MAC Addresses on the Default VLAN ------------------------MAC Addresses on Dell Force10 System------------------------------- R1_E600#show mac-address-table VlanId...
  • Page 870: Deriving Interface Indices

    Figure 42-24. Fetching Dynamic MAC Addresses on the Default VLAN ------------------------MAC Addresses on Dell Force10 System------------------------------- R1_E600(conf)#do show mac-address-table VlanId Mac Address Type Interface State 1000 00:01:e8:06:95:ac Dynamic Po 1 Active ------------------------------Query from Management Station-------------------------------- >snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.4.1.6027.3.2.1.1.5 SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.1.1000.0.1.232.6.149.172.1...
  • Page 871: View System Image

    Number Type For interface indexing, slot and port numbering begins with the binary one. If the Dell Force10 system begins slot and port numbering from 0, then the binary 1 represents slot and port 0. For example, the index number in...
  • Page 873: Storm Control

    Storm Control Storm Control is supported on platforms: e c s z Storm Control for Multicast is supported on platforms: c s z The storm control feature enables you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. FTOS Behavior: On the E-Series, FTOS supports broadcast control for Layer 3 traffic only.
  • Page 874: Configure Storm Control From Configuration Mode

    • The percentage of storm control is calculated based on the advertised rate of the line card, not by the speed setting. Configure storm control from CONFIGURATION mode Configure storm control from CONFIGURATION mode using the command storm control. From CONFIGURATION mode you can configure storm control for ingress and egress traffic.
  • Page 875: Spanning Tree Protocol (Stp)

    CPU utilization and memory consumption. FTOS supports three other variations of Spanning Tree, as shown here: Table 44-1. FTOS Supported Spanning Tree Protocols Dell Force10 Term IEEE Specification Spanning Tree Protocol (STP) 802.1d Rapid Spanning Tree Protocol 802.1w...
  • Page 876: Related Configuration Tasks

    Related Configuration Tasks • Adding an Interface to the Spanning Tree Group on page 880 • Removing an Interface from the Spanning Tree Group on page 880 • Modifying Global Parameters on page 881 • Modifying Interface STP Parameters on page 882 •...
  • Page 877: Configuring Interfaces For Layer 2 Mode

    Configuring Interfaces for Layer 2 Mode All interfaces on all switches that will participate in Spanning Tree must be in Layer 2 mode and enabled. Figure 44-1. Example of Configuring Interfaces for Layer 2 Mode R1(conf)# int range gi 1/1 - 4 R1(conf-if-gi-1/1-4)# switchport R1(conf-if-gi-1/1-4)# no shutdown R1(conf-if-gi-1/1-4)#show config...
  • Page 878: Enabling Spanning Tree Protocol Globally

    Enabling Spanning Tree Protocol Globally Spanning Tree Protocol must be enabled globally; it is not enabled by default. To enable Spanning Tree globally for all Layer 2 interfaces: Step Task Command Syntax Command Mode CONFIGURATION protocol spanning-tree 0 Enter the PROTOCOL SPANNING TREE mode. no disable Enable Spanning Tree.
  • Page 879 Figure 44-4. Spanning Tree Enabled Globally root Forwarding Blocking Port 290 (GigabitEthernet 2/4) is Blocking Port path cost 4, Port priority 8, Port Identifier 8.290 Designated root has priority 32768, address 0001.e80d.2462 Designated bridge has priority 32768, address 0001.e80d.2462 Designated port id is 8.497, designated path cost 0 Timers: message age 1, forward delay 0, hold 0 Number of transitions to forwarding state 1 BPDU: sent 21, received 486...
  • Page 880: Adding An Interface To The Spanning Tree Group

    Confirm that a port is participating in Spanning Tree using the show spanning-tree 0 brief command from EXEC privilege mode. Figure 44-6. show spanning-tree brief Command Example FTOS#show spanning-tree 0 brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e80d.2462 We are the root of the spanning tree Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID...
  • Page 881: Modifying Global Parameters

    Spanning Tree. Note: Dell Force10 recommends that only experienced network administrators change the Spanning Tree parameters. Poorly planned modification of the Spanning Tree parameters can negatively impact network performance.
  • Page 882: Modifying Interface Stp Parameters

    View the current values for global parameters using the show spanning-tree 0 command from EXEC privilege mode. See Figure 44-5. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. •...
  • Page 883: Preventing Network Disruptions With Bpdu Guard

    BPDU. The port on the Dell Force10 system is configured with Portfast. If the switch is connected to the hub, the BPDUs that the switch generates might trigger an undesirable topology change. If BPDU Guard is enabled, when the edge port receives the BPDU, the BPDU will be dropped, the port will be blocked, and a console message will be generated.
  • Page 884 Note: Unless the shutdown-on-violation option is enabled, spanning-tree only drops packets after a BPDU violation; the physical interface remains up, as shown below. FTOS(conf-if-gi-0/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.0e90...
  • Page 885: Stp Root Selection

    Figure 44-8. Enabling BPDU Guard FTOS(conf-if-gi-3/41)# spanning-tree 0 portfast bpduguard shutdown-on-violation FTOS(conf-if-gi-3/41)#show config interface GigabitEthernet 3/41 no ip address switchport spanning-tree 0 portfast bpduguard shutdown-on-violation no shutdown 3/41 Switch with Spanning Tree Enabled FTOS Behavior: BPDU Guard and BPDU filtering (see Removing an Interface from the Spanning Tree Group on page 880) both block BPDUs, but are two separate features.
  • Page 886: Configuring Spanning Trees As Hitless

    View only the root information using the show spanning-tree root command (see Figure 44-9) from EXEC privilege mode. Figure 44-9. show spanning-tree root Command Example FTOS#show spanning-tree 0 root Root ID Priority 32768, Address 0001.e80d.2462 We are the root of the spanning tree Root Bridge hello time 2, max age 20, forward delay 15 FTOS# SNMP Traps for Root Elections and Topology Changes...
  • Page 887: System Time And Date

    Multiple candidates can be combined to minimize the accumulated error. Temporarily or permanently insane time sources will be detected and avoided. Dell Force10 recommends configuring NTP for the most accurate time. In FTOS, other time sources can be configured (the hardware clock and the software clock).
  • Page 888: Protocol Overview

    • Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock. • Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time. •...
  • Page 889: Configuring Network Time Protocol

    1: carrier loss 2: synch loss 3: format error 4: interface/link failure Implementation Information • Dell Force10 systems can only be an NTP client. Configuring Network Time Protocol Configuring NTP is a one-step process: Enable NTP Related Configuration Tasks •...
  • Page 890: Enable Ntp

    Enable NTP NTP is disabled by default. To enable it, specify an NTP server to which the Dell Force10 system will synchronize. Enter the command multiple times to specify multiple servers. You may specify an unlimited number of servers at the expense of CPU resources.
  • Page 891: Set The Hardware Clock With The Time Derived From Ntp

    Set the Hardware Clock with the Time Derived from NTP Task Command Command Mode ntp update-calendar Periodically update the system hardware clock with the time CONFIGURATION value derived from NTP. Figure 45-4. Displaying the Calculated NTP Synchronization Variables R5/R8(conf)#do show calendar 06:31:02 UTC Mon Mar 13 1989 R5/R8(conf)#ntp update-calendar 1 R5/R8(conf)#do show calendar...
  • Page 892: Configure A Source Ip Address For Ntp Packets

    Configure a source IP address for NTP packets By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets. To configure an IP address as the source address of NTP packets, use the following command in the CONFIGURATION mode: Command Syntax...
  • Page 893 To configure NTP authentication, use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose ntp authenticate CONFIGURATION Enable NTP authentication. ntp authentication-key number md5 key CONFIGURATION Set an authentication key. Configure the following parameters: number: Range 1 to 4294967295.
  • Page 894 Command Syntax Command Mode Purpose ntp server ip-address [ key keyid] [ prefer ] CONFIGURATION Configure an NTP server. Configure the IP [ version number] address of a server and the following optional parameters: key keyid: Configure a text string as the key •...
  • Page 895: Ftos Time And Date

    • Root Delay (sys.rootdelay, peer.rootdelay, pkt.rootdelay): This is a signed fixed-point number indicating the total roundtrip delay to the primary reference source at the root of the synchronization subnet, in seconds. Note that this variable can take on both positive and negative values, depending on clock precision and skew.
  • Page 896: Set The Time And Date For The Switch Hardware Clock

    Set the time and date for the switch hardware clock Command Syntax Command Mode Purpose calendar set time month day year EXEC Privilege Set the hardware clock to the current time and date. time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format, for example, 17:15:00 is 5:15 pm.
  • Page 897: Set The Timezone

    The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. Command Syntax Command Mode Purpose clock set time month day year EXEC Privilege Set the system software clock to the current time and date.
  • Page 898: Set Daylight Saving Time

    Command Syntax Command Mode Purpose FTOS#conf FTOS(conf)#clock timezone Pacific -8 FTOS(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins" FTOS# Set daylight saving time FTOS supports setting the system to daylight saving time once or on a recurring basis every year. System Time and Date...
  • Page 899: Set Daylight Saving Time Once

    Set Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. Command Syntax Command Mode Purpose clock summer-time time-zone date CONFIGURATION Set the clock to the appropriate timezone and daylight start-month start-day start-year saving time.
  • Page 900: Set Recurring Daylight Saving Time

    Command Syntax Command Mode Purpose FTOS(conf)#clock summer-time pacific date Mar 14 2009 00:00 Nov 7 2009 00:00 FTOS(conf)#02:02:13: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009"...
  • Page 901 Command Syntax Command Mode Purpose start-year: Enter a four-digit number as the year. Range: 1993 to 2035 start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm. end-week: If you entered a start-week, enter one of the following as the week that daylight saving ends: week-number:...
  • Page 902 Command Syntax Command Mode Purpose FTOS(conf)#clock summer-time pacific recurring ? <1-4> Week number to start first Week number to start last Week number to start <cr> FTOS(conf)#clock summer-time pacific recurring FTOS(conf)#02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Sat Mar 14 2009 ; Summer time ends 00:00:00 pacific Sat Nov 7 2009"...
  • Page 903: Upgrade Procedures

    FTOS version. Follow the procedures in the FTOS Release Notes for the software version you wish to upgrade to. Get Help with upgrades Direct any questions or concerns about FTOS Upgrade Procedures to Dell Force10’s Technical Support Center. You can reach Technical Support: www.force10networks.com/support/ •...
  • Page 904 Upgrade Procedures...
  • Page 905: Virtual Lans (Vlan)

    Virtual LANs (VLAN) Virtual LANs (VLAN) are supported on platforms: e c s z This section contains the following subsections: • Default VLAN • Port-Based VLANs • VLANs and Port Tagging • Configuration Task List for VLANs • Enable Null VLAN as the Default VLAN Virtual LANs, or VLANs, are a logical broadcast domain or logical grouping of interfaces in a LAN in which all data received is kept locally and broadcast to all members of the group.
  • Page 906: Default Vlan

    Table 47-1 displays the defaults for VLANs in FTOS. Table 47-1. VLAN Defaults on FTOS Feature Default Spanning Tree group ID All VLANs are part of Spanning Tree group 0 Mode Layer 2 (no IP address is assigned) Default VLAN ID VLAN 1 Default VLAN When interfaces are configured for Layer 2 mode, they are automatically placed in the Default VLAN as...
  • Page 907: Port-Based Vlans

    Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, you must create another VLAN and place the interface into that VLAN. Alternatively, enter the switchport command, and FTOS removes the interface from the Default VLAN. A tagged interface requires an additional step to remove it from Layer 2 mode.
  • Page 908: Configuration Task List For Vlans

    • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag Control Information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but 2 are reserved. Note: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1518 bytes specified in the IEEE 802.3 standard.
  • Page 909: Assign Interfaces To A Vlan

    Use the show vlan command (Figure 47-3) in the EXEC privilege mode to view the configured VLANs. Figure 47-3. show vlan Command Example FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs Status Q Ports Inactive U So 9/4-11 Active U Gi 0/1,18 Active...
  • Page 910 To tag frames leaving an interface in Layer 2 mode, you must assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use these commands in the following sequence: Step Command Syntax Command Mode Purpose interface vlan vlan-id...
  • Page 911 Use the untagged command to move untagged interfaces from the Default VLAN to another VLAN: Step Command Syntax Command Mode Purpose interface vlan vlan-id CONFIGURATION Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface. untagged interface INTERFACE...
  • Page 912: Vlan Interface Counters

    Assign an IP address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing the interface....
  • Page 913: Native Vlans

    Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. An untagged port must be connected to a VLAN-unaware station (one that does not understand VLAN tags), and a tagged port must be connected to a VLAN-aware station (one that generates and understands VLAN tags).
  • Page 914: Enable Null Vlan As The Default Vlan

    Enable Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
  • Page 915: Virtual Link Trunking (Vlt)

    Virtual Link Trunking (VLT) Virtual Link Trunking (VLT) is supported on platforms Overview Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology.
  • Page 916 Figure 48-1. Virtual Link Trunking Out-of-Band Management Network Backup Backup Link Link S4810 VLT Domain S4810 Chassis Chassis Interconnect Trunk Virtual Link Trunk Switch or Server that supports LACP (802.1ad) VLT peer devices have independent management planes. A chassis interconnect trunk between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peers.
  • Page 917: Enhanced Vlt

    Enhanced VLT An enhanced VLT (eVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per eVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
  • Page 918: Configuring Virtual Link Trunking

    RSTP Configuration. • Dell Force10 strongly recommends that the VLTi (VLT interconnect) be a static LAG and that LACP be disabled on the VLTi. • The spanning tree root bridge should be at the Aggregation layer. If RSTP is enabled on the VLT...
  • Page 919: Configuration Notes

    • Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported. Dell Force10 strongly recommends configuring a static LAG for VLTi. • IGMP state information is synchronized between the VLT chassis over the VLT interconnect.
  • Page 920 VLTi connection. • If the size of the MTU for VLTi members is less than 1496 bytes, MAC addresses may not be synced. Dell Force10 recommends retaining the default MTU allocation (1554 bytes) for VLTi members. • VLT Backup link: •...
  • Page 921 • VLT allows multiple active parallel paths from access switches to VLT chassis. • VLT supports port-channel links with LACP between access switches and VLT peer switches. Dell Force10 recommends that you use static port channels on VLTi. • If VLTi connectivity with a peer is lost but the VLT backup connectivity indicates the peer is still alive, the VLT ports on the Secondary peer are orphaned and will be shut down.
  • Page 922 • All system management protocols are supported on VLT ports, including SNMP, RMON, AAA, ACL, DNS, FTP, SSH, Syslog, NTP, RADIUS, SCP, TACACS+, Telnet, and LLDP. • Layer 3 VLAN connectivity between VLT peers is enabled by configuring a VLAN network interface for the same VLAN on both switches....
  • Page 923: Rstp And Vlt

    the network. In either case, upon recovery of the peer link or reestablishment of message forwarding across the interconnect trunk, the two VLT peers resynchronize any MAC addresses learned while communication was interrupted, and the VLT system continues normal data forwarding.
  • Page 924: Vlt And Igmp Snooping

    When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (Message 2) and an SNMP trap. Message 2 Excessive VLTi Bandwidth Usage Drops Below Threshold Value Error %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.
  • Page 925: Pim-Sparse Mode Support On Vlt

    PIM-Sparse Mode Support on VLT The Designated Router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. The VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes will be elected as the PIM Designated Router.
  • Page 926: Rstp Configuration

    If the VLT node elected as the designated router fails, traffic loss will occur until another VLT node is elected the designated router. RSTP Configuration The RSTP Spanning Tree protocol is supported in a VLT domain. Before you configure VLT on peer switches, you must configure the Rapid Spanning Tree Protocol (RSTP) in the network if it will be included in your configuration.
  • Page 927: Vlt Configuration Procedure

    VLT domain are automatically assigned after both sides of the VLTi are configured. Note: If a third-party ToR unit is used, Dell Force10 recommends using static LAGs on the VLTi between VLT peers to avoid potential problems if the VLT peers are rebooted.
  • Page 928 4. (Optional) Manually reconfigure default VLT settings, such as MAC address and VLT primary/ secondary roles. 5. Connect the peer switches in a VLT domain to an attached access device (switch or server). Configure a VLT interconnect Step Task Command Syntax Command Mode Configure the port channel to be used for the VLT interface port-channel...
  • Page 929 Use the delay-restore command at any time to set an amount of time, in seconds, to delay the system from restoring the VLT port. Refer to VLT Port Delayed Restoration for more information. Configure a VLT port delay period Step Task Command Syntax Command Mode...
  • Page 930 (Optional) Reconfigure default VLT settings Step Task Command Syntax Command Mode (Optional) When you create a VLT domain on a switch, unit-id {0 | 1} VLT DOMAIN the FTOS software automatically assigns a unique unit CONFIGURATION ID (0 or 1) to each peer switch. The unit IDs are used for internal system operations.
  • Page 931 Use the peer-down-vlan parameter to configure the VLAN where a VLT peer will forward received packets over the VLTi from an adjacent VLT peer that is down. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi. Using this configuration ensures the DHCP discover packets are forwarded to the VLAN that has the DHCP server....
  • Page 932 (Optional) Configure Enhanced VLT (eVLT) Step Task Command Syntax Command Mode Configure the IP address of the management interface VLT DOMAIN back-up destination on the remote VLT peer to be used as the endpoint of the ip-address interval seconds CONFIGURATION VLT backup link for sending out-of-band hello messages.
  • Page 933 CONFIGURATION ured between the peer units (not shown). Note: To benefit from the protocol negotiations, Dell Force10 recommends VLTs used as facing hosts/switches are configured with LACP. Both peers should use the same port channel ID. channel-member 3. Configure the peer-link port-chan-...
  • Page 934 In the following sample VLT configuration steps, VLT peer 1 is S4810-2, VLT peer 2 is S4810-4, and the ToR is S60-1: Note: If a third-party ToR unit is used, Dell Force10 recommends using static LAGs with VLT peers to avoid potential problems if the VLT peers are rebooted.
  • Page 935 Configure the backup link between the VLT peer units. Configure the peer 2 management ip/ interface ip for which connectivity is present in VLT peer 1. Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 2. s4810-2#show running-config vlt vlt domain 5 peer-link port-channel 1...
  • Page 936 s4810-4#show running-config interface tengigabitethernet 0/40 interface TenGigabitEthernet 0/40 no ip address port-channel-protocol LACP port-channel 2 mode active no shutdown s4810-4# configuring VLT peer lag in VLT s4810-4#show running-config interface port-channel 2 interface Port-channel 2 no ip address switchport vlt-peer-lag port-channel 2 no shutdown s4810-4# s4810-4#show interfaces port-channel 2 brief...
  • Page 937 FTOS(conf)#show vlt brief VLT Domain Brief ------------------ Domain ID: Role: Primary Role Priority: 32768 ICL Link Status: HeartBeat Status: Not Established VLT Peer Status: Version: 5(1) Local System MAC address: 00:01:e8:8b:14:3c Remote System MAC address: 00:01:e8:8b:15:20 Remote system version: 5 (1) Delay-Restore timer: 90 seconds FTOS#FTOS(conf-if-vl-100)#show vlt detail...
  • Page 938 eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example there are two domains being configured. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4 as shown below. In Domain 1, configure Peer 1 first, then configure Peer 2.
  • Page 939 Domain_1_Peer1(conf-if-range-te-0/16-17)#no shutdown Next, configure the VLT domain and VLTi on Peer 2: Domain_1_Peer2#configure Domain_1_Peer2(conf)#interface port-channel 1 Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer2#no shutdown Domain_1_Peer2(conf)#vlt domain 200 Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1 Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.12 Domain_1_Peer2(conf-vlt-domain)#system-mac mac-address 00:0a:00:0a:00:0a Domain_1_Peer2(conf-vlt-domain)#unit-id 1 Configure eVLT on Peer 2: Domain_1_Peer2(conf)#interface port-channel 100 Domain_1_Peer2(conf-if-po-100)#switchport Domain_1_Peer2(conf-if-po-100)#vlt-peer-lag port-channel 100...
  • Page 940 Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)#peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)#back-up destination 10.18.130.12 Domain_2_Peer4(conf-vlt-domain)#system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer4(conf-vlt-domain)#unit-id 1 Configure eVLT on Peer 4: Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)#switchport Domain_2_Peer4(conf-if-po-100)#vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)#no shutdown Add links to the eVLT port-channel on Peer 4: Domain_2_Peer4(conf)#interface range tengigabitethernet 0/31 - 32 Domain_2_Peer4(conf-if-range-te-0/16-17)#port-channel-protocol LACP Domain_2_Peer4(conf-if-range-te-0/16-17)#port-channel 100 mode active Domain_2_Peer4(conf-if-range-te-0/16-17)#no shutdown...
  • Page 941: Verifying A Vlt Configuration

    Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, enter any of the following show commands on the primary and secondary VLT switches: Show Command Syntax Description show vlt backup-link Displays information on backup link operation (see Figure 48-4)....
  • Page 942 Destination: 10.11.200.20 Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: 34998 HeartBeat Messages Sent: 1030 HeartBeat Messages Received: 1014 Figure 48-5. show vlt brief Command Output on VLT peer switches FTOS(conf)#show vlt brief VLT Domain Brief ------------------ Domain ID: Role: Primary Role Priority:...
  • Page 943: Sample Configuration: Virtual Link Trunking

    Figure 48-8. show running-config vlt Command Output on VLT peer switches FTOS#VLTpeer1#show running-config vlt vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.18 FTOS#VLTpeer2#show running-config vlt vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.20 Figure 48-9. show vlt statistics Command Output on VLT peer switches FTOS_VLTpeer1#show vlt statistics VLT Statistics ----------------...
  • Page 944 Figure 48-10. Configuring Virtual Link Trunking (VLT Peer 1) FTOS_VLTpeer1(conf)#vlt domain 999 FTOS_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 FTOS_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 FTOS_VLTpeer1(conf-vlt-domain)#exit Enable VLT and create a VLT domain with a backup-link and interconnect (VLTi) FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0 FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.23/16 FTOS_VLTpeer1(conf-if-ma-0/0)#no shutdown Configure the backup link FTOS_VLTpeer1(conf-if-ma-0/0)#exit FTOS_VLTpeer1(conf)#interface port-channel 100...
  • Page 945 Figure 48-11. Configuring Virtual Link Trunking (VLT Peer 2) FTOS_VLTpeer2(conf)#vlt domain 999 FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100 FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23 Enable VLT and create a VLT domain FTOS_VLTpeer2(conf-vlt-domain)#exit with a backup-link VLT interconnect (VLTi) FTOS_VLTpeer2(conf)#interface ManagementEthernet 0/0 FTOS_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/16 FTOS_VLTpeer2(conf-if-ma-0/0)#no shutdown Configure the backup link FTOS_VLTpeer2(conf-if-ma-0/0)#exit FTOS_VLTpeer2(conf)#interface port-channel 100...
  • Page 946: Troubleshooting Vlt

    Troubleshooting VLT Use the following information to help troubleshoot different VLT issues that may occur. Note: For information on VLT failure mode timing and its impact, contact your Dell Force10 representative. Behavior During Run Description Behavior at Peer Up Time...
  • Page 947 Behavior During Run Description Behavior at Peer Up Time Action to Take The VLT peer does not The VLT peer does not Verify the unit ID is correct Unit ID mismatch boot up. The VLTi is forced boot up. The VLTi is forced on both VLT peers.
  • Page 948 Virtual Link Trunking (VLT)
  • Page 949: Virtual Router Redundancy Protocol (Vrrp)

    Virtual Router Redundancy Protocol (VRRP) Virtual Router Redundancy Protocol (VRRP) is supported on platforms: e c s z This chapter covers the following information: • VRRP Overview • VRRP Benefits • VRRP Implementation • VRRP Configuration • Sample Configurations VRRP Overview Virtual Router Redundancy Protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
  • Page 950 Figure 49-1 below, Router A is configured as the MASTER router. It is configured with the IP address of the virtual router and sends any packets addressed to the virtual router through interface GigabitEthernet 1/1 to the Internet. As the BACKUP router, Router B is also configured with the IP address of the virtual router.
  • Page 951: Vrrp Benefits

    VRRP advertisement packets reaching the RP2 processor on the E-Series, the CP on the C-Series, or the FP on the S-Series. To avoid throttling VRRP advertisement packets, Dell Force10 recommends that you increase the VRRP advertisement interval to a value higher than the default value of 1 second. The recommendations are as follows: Table 49-1....
  • Page 952: Vrrp Configuration

    Table 49-1. Recommended VRRP Advertise Intervals Recommended Advertise Interval Groups/Interface E-Series E-Series Total VRRP Groups E-Series C-Series S-Series Z-Series ExaScale TeraScale C-Series S-Series Z-Series Between 450 and 600 3 seconds 4 seconds 3 - 4 seconds 3 - 4 seconds Between 600 and 800 4 seconds 5 seconds...
  • Page 953: Create A Virtual Router

    Create a Virtual Router To enable VRRP, you must create a Virtual Router. In FTOS, a VRRP Group is identified by the Virtual Router Identifier (VRID). To enable a Virtual Router, use the following command in the INTERFACE mode. To delete a VRRP group, use the no vrrp-group vrid command in the INTERFACE mode....
  • Page 954: Assign Virtual Ip Addresses

    Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell Force10 recommends you configure virtual IP addresses belonging to the same IP subnet for any one VRRP group.
  • Page 955 Step Task Command Syntax Command Mode virtual-address ip-address1 [...ip-address12] Configure virtual IP addresses INTERFACE -VRID for this VRID. Range: up to 12 addresses Figure 49-4. Command Example: virtual-address FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.3 FTOS(conf-if-gi-1/1-vrid-111)# Figure 49-5. Command Example Display: show config for the Interface FTOS(conf-if-gi-1/1)#show conf interface GigabitEthernet 1/1 ip address 10.10.10.1/24...
  • Page 956 Figure 49-6. Command Example Display: show vrrp Same VRRP Group (VRID) FTOS#do show vrrp ------------------ GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address:...
  • Page 957: Configure Vrrp Authentication

    Configure the VRRP Group’s priority with the following command in the VRRP mode: Task Command Syntax Command Mode priority priority Configure the priority for the VRRP INTERFACE -VRID group. Range: 1-255 Default: 100 Figure 49-7. Command Example: priority in Interface VRRP mode FTOS(conf-if-gi-1/2)#vrrp-group 111 FTOS(conf-if-gi-1/2-vrid-111)#priority 125 Figure 49-8.
  • Page 958: Disable Preempt

    Configure simple authentication with the following command in the VRRP mode: Task Command Syntax Command Mode Configure a simple text password. authentication-type simple INTERFACE-VRID [encryption-type] password Parameters: encryption-type: 0 indicates unencrypted; 7 indicates encrypted password: plain text Figure 49-9. Command Example: authentication-type FTOS(conf-if-gi-1/1-vrid-111)#authentication-type ? FTOS(conf-if-gi-1/1-vrid-111)#authentication-type simple 0 force10 Encryption type...
  • Page 959: Change The Advertisement Interval

    BACKUP virtual router with the highest priority transitions to MASTER. Note: Dell Force10 recommends that you increase the VRRP advertisement interval to a value higher than the default value of 1 second to avoid throttling VRRP advertisement packets. If you do change the time interval between VRRP advertisements on one router, you must change it on all participating routers....
  • Page 960 Figure 49-13. Command Example: advertise-interval FTOS(conf-if-gi-1/1)#vrrp-group 111 FTOS(conf-if-gi-1/1-vrid-111)#advertise-interval 10 FTOS(conf-if-gi-1/1-vrid-111)# Figure 49-14. Command Example Display: advertise-interval in VRID mode FTOS(conf-if-gi-1/1-vrid-111)#show conf vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 FTOS(conf-if-gi-1/1-vrid-111)# Track an Interface Set FTOS to monitor the state of any interface according to the Virtual group.
  • Page 961: Vrrp Initialization Delay

    Figure 49-15. Command Example: track FTOS(conf-if-gi-1/1)#vrrp-group 111 FTOS(conf-if-gi-1/1-vrid-111)#track gigabitethernet 1/2 FTOS(conf-if-gi-1/1-vrid-111)# Figure 49-16. Command Example Display: track in VRID mode FTOS(conf-if-gi-1/1-vrid-111)#show conf vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 track GigabitEthernet 1/2 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 FTOS(conf-if-gi-1/1-vrid-111)#...
  • Page 962: Sample Configurations

    Task Command Syntax Command Mode vrrp delay reload seconds Set the delay time for VRRP initialization on all INTERFACE the interfaces in the system configured for Seconds range: 0-900 VRRP. This is the gap between system boot up Default: 0 completion and VRRP enabling.
  • Page 963 Figure 49-17. Configure VRRP Router 2 R2(conf)#int gi 2/31 R2(conf-if-gi-2/31)#ip address 10.1.1.3/24 R2(conf-if-gi-2/31)#no shut R2(conf-if-gi-2/31)#vrrp-group 99 R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-gi-2/31-vrid-99)#no shut R2(conf-if-gi-2/31)#show conf interface GigabitEthernet 2/31 ip address 10.1.1.1/24 vrrp-group 99 virtual-address 10.1.1.3 no shutdown R2(conf-if-gi-2/31)#end R2#show vrrp ------------------ GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.2 State: Master, Priority: 100, Master: 10.1.1.2 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1...
  • Page 964 Figure 49-18. VRRP Topography Illustration
    Callout: State Master: R2 was the first interface configured with VRRP
    Left column:
    R2#show vrrp
    ------------------
    GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
    State: Master, Priority: 100, Master: 10.1.1.1 (local)
    Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
    Right column:
    R2#show vrrp
    ------------------
    GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.3
    State: Master, Priority: 100, Master: 10.1.1.3 (local)
    Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec...
  • Page 965: Standards Compliance

    Standards Compliance
    This appendix contains the following sections:
    • IEEE Compliance
    • RFC and I-D Compliance
    • MIB Location
    Note: Unless noted, when a standard cited here is listed as supported by FTOS, FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website.
  • Page 966: RFC and I-D Compliance

    • Force10 — PVST+
    • SFF-8431 — SFP+ Direct Attach Cable (10GSFP+Cu)
    • MTU — 9,252 bytes
    RFC and I-D Compliance
    The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
    Note: Checkmarks (✓) in the E-Series column indicate that FTOS support was added before FTOS ...
  • Page 967: General IPv4 Protocols

    General IPv4 Protocols
    FTOS support, per platform
    RFC#  Full Name
    ✓  Internet Protocol  7.6.1 7.5.1 8.1.1
    ✓  Internet Control Message Protocol  7.6.1 7.5.1 8.1.1
    ✓  An Ethernet Address Resolution Protocol  7.6.1 7.5.1 8.1.1
    ✓  1027  Using ARP to Implement Transparent Subnet  7.6.1 7.5.1 8.1.1...
  • Page 968 General IPv6 Protocols
    ✓  2460  Internet Protocol, Version 6 (IPv6) Specification  7.8.1 7.8.1 8.2.1
    ✓  2461  Neighbor Discovery for IP Version 6 (IPv6)  7.8.1 7.8.1 8.2.1  (Partial)
    ✓  2462  IPv6 Stateless Address Autoconfiguration  7.8.1 7.8.1 8.2.1  (Partial)
    ✓  2463  Internet Control Message Protocol (ICMPv6) for  7.8.1 7.8.1 8.2.1...
  • Page 969 Border Gateway Protocol (BGP)
    ✓  draft-ietf-idr-bgp4-20  A Border Gateway Protocol 4 (BGP-4)  7.8.1 7.7.1 8.1.1
    ✓  draft-ietf-idr-restart-06  Graceful Restart Mechanism for BGP  7.8.1 7.7.1 8.1.1
    Open Shortest Path First (OSPF)
    FTOS support, per platform
    RFC#  Full Name
    ✓  1587  The OSPF Not-So-Stubby Area (NSSA) Option  7.6.1...
  • Page 970 Intermediate System to Intermediate System (IS-IS)
    5306  Restart Signaling for IS-IS  8.3.1 8.3.1
    ✓  draft-ietf-isis-igp-p2p-over-lan-06  Point-to-point operation over LAN in link-state routing protocols  8.1.1
    draft-ietf-isis-ipv6-06  Routing IPv6 with IS-IS  7.5.1 8.2.1
    ✓  draft-kaplan-isis-ext-eth-  Extended Ethernet Frame Size Support  8.1.1
    Routing Information Protocol (RIP)
  • Page 971 Multiprotocol Label Switching (MPLS)
    5036  LDP Specification  8.3.1
    5063  Extensions to GMPLS Resource Reservation Protocol (RSVP) Graceful Restart  8.3.1
    Multicast
    FTOS support, per platform
    RFC#  Full Name
    ✓  1112  Host Extensions for IP Multicasting  7.8.1 7.7.1 8.1.1
    ✓  2236  Internet Group Management Protocol, Version 2  7.8.1 7.7.1 8.1.1...
  • Page 972: Network Management

    Network Management
    FTOS support, per platform
    RFC#  Full Name
    ✓  1155  Structure and Identification of Management Information for TCP/IP-based Internets  7.6.1 7.5.1 8.1.1
    ✓  1156  Management Information Base for Network Management of TCP/IP-based internets  7.6.1 7.5.1 8.1.1
    ✓  1157  A Simple Network Management Protocol (SNMP)  7.6.1 7.5.1 8.1.1...
  • Page 973 Network Management (continued)
    FTOS support, per platform
    RFC#  Full Name
    ✓  2576  Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework  7.6.1 7.5.1 8.1.1
    ✓  2578  Structure of Management Information Version 2 (SMIv2)  7.6.1 7.5.1 8.1.1
    ✓ ...
  • Page 974
    GP4-V2-MI  Dell Force10 BGP MIB (draft-ietf-idr-bgp4-mibv2-05)  7.8.1 7.7.1 8.1.1
    FORCE10-FIB-MIB  Dell Force10 CIDR Multipath Routes MIB  7.6.1 8.1.1
      (The IP Forwarding Table provides information that you can use to determine the egress port of an IP packet and troubleshoot an IP reachability issue. It reports the...
  • Page 975
    INKAGG-M  Dell Force10 Enterprise Link Aggregation MIB  7.6.1 7.5.1 8.1.1
    ✓  FORCE10-CHASSIS-MI  Dell Force10 E-Series Enterprise Chassis MIB  8.1.1
    ✓  FORCE10-COPY-CONFIG-MIB  Dell Force10 File Copy MIB (supporting SNMP SET operation)  7.7.1 7.7.1 8.1.1
    ✓  FORCE10-  Dell Force10 Monitoring MIB  7.6.1 7.5.1 8.1.1...
  • Page 976: MIB Location

    MIB Location
    Dell Force10 MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport:
    https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
    You also can obtain a list of selected MIBs and their OIDs at the following URL:
    https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
    Some pages of iSupport require a login. To request an iSupport account, go to:
    https://www.force10networks.com/CSPortal20/Support/AccountRequest.aspx...
  • Page 977: Index

    Index Numerics definition 10/100/1000 Base-T Ethernet line card, auto IP ACL definition negotiation RADIUS 100/1000 Ethernet interfaces ANSI/TIA-1057 port channels Applying an ACL to Loopback 4-Byte AS Numbers Area Border Router. See ABR. 802.1AB 802.1D support AS-PATH ACL 802.1p "permit all routes" statement 802.1p/Q configuring 802.1Q...
  • Page 978 CLI Modes enabling a peer group LINE establishing BGP process COMMUNITY attribute External BGP requirements changing in a path Fast External Fallover default filtering routes based on AS-PATH NO_ADVERTISE filtering routes using a route map NO_EXPORT filtering routes using IP Community list NO_EXPORT_SUBCONFED filtering routes using prefix lists Community list...
  • Page 979 interface types forward delay null interface FRRP interfaces FRRP Master Node auto negotiation setting FRRP Transit Node clearing counters FTOS commands allowed when part of a port channel configuring secondary IP addresses configuring client parameters determining configuration configuring server parameters member of port channel enabling server viewing Layer 3 interfaces...
  • Page 980 using the le and ge parameters definition IP routing using NET VLANs Level 1-2 ip scp topdir definition Level 2 ip ssh authentication-retries definition ip ssh connection-rate-limit using NET ip ssh hostbased-authentication enable line card, auto negotiation ip ssh password-authentication enable Link Aggregation Group ip ssh pub-key-file link debounce interface...
  • Page 981 available command definition MAC hashing scheme entering the interface management interface information accessing configuring a management interface configuring IP address definition Open Shortest Path First IP address consideration OSFP Adjacency with Cisco Routers management interface, switch OSPF max age backbone area MBGP changing authentication parameters Member VLAN (FRRP)
  • Page 982 member of VLANs default Port channels benefits defaults port channels dot1p queue numbers adding physical interface dot1p-priority values assigning IP address purpose of input policies commands allowed on individual interfaces rate limit outgoing traffic configuring QoS (Quality of Service) chapter containing 100/1000 and GE interfaces QSFP port splitting IP routing...
  • Page 983 setting route metrics SSH connection summarizing routes SSH debug timer values SSH display version 1 description SSH host-keys version default on interfaces ssh-peer-rpm RIP routes, maximum SSHv2 server RIPv1 standard IP ACL RIPv2 static route root bridge changing parameters route maps configuring match commands default configuring set commands...
  • Page 984 ports Trace list orphan Trace lists VRRP configuring a trace list advertisement interval configuring filter without sequence number benefits configuring trace list for TCP changing advertisement interval configuring trace list for UDP configuring priority trunk port configuring simple authentication definition disabling preempt MAC address user level...
