Dell Force10 C150 Configuration Manual

FTOS Configuration Guide, FTOS 8.4.2.7: E-Series TeraScale, C-Series, S-Series (S50/S25)

Summary of Contents for Dell Force10 C150

  • Page 1 FTOS Configuration Guide FTOS 8.4.2.7 E-Series TeraScale, C-Series, S-Series (S50/S25)
  • Page 2 Information in this publication is subject to change without notice. © 2012 Dell Force10. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. © 2012 Dell Inc. Trademarks used in this text: Dell(TM), the Dell logo, Dell Boomi(TM), Dell Precision(TM) , OptiPlex(TM), Latitude(TM), PowerEdge(TM), PowerVault(TM), PowerConnect(TM), OpenManage(TM), EqualLogic(TM), Compellent(TM), KACE(TM), FlexAddress(TM), Force10(TM) and Vostro(TM) are trademarks of Dell Inc.
  • Page 3: Table Of Contents

    1 About this Guide (page 33); Objectives ...
  • Page 4 Change System Logging Settings (page 63); Display the Logging Buffer and the Logging Configuration ...
  • Page 5 6 802.3ah (page 93); Link Layer OAM Overview ...
  • Page 6 MAC Authentication Bypass (page 127); MAB in Single-host and Multi-Host Mode ...
  • Page 7 Configuring BFD for VLANs (page 198); Configuring BFD for Port-Channels ...
  • Page 8 Boot Behavior (page 286); When to Use CAM Profiling ...
  • Page 9 Configuration Tasks (page 314); Configure the System to be a DHCP Server ...
  • Page 10 Enable Force10 Service Agent (page 348); Specify an SMTP Server for FTSA ...
  • Page 11 Failure and Event Logging (page 392); Hot-lock Behavior ...
  • Page 12 Configure Management Interfaces on the S-Series (page 424); Displaying Information on a Management Interface (page 425); VLAN Interfaces ...
  • Page 13 ARP Learning via ARP Request (page 474); Configurable ARP Retries ...
  • Page 14 Clear IPv6 Routes (page 504); 23 Intermediate System to Intermediate System ...
  • Page 15 MAC Learning Limit (page 562); mac learning-limit dynamic ...
  • Page 16 Configuring Transmit and Receive Mode (page 596); Configuring a Time to Live ...
  • Page 17 View the Source-active Cache (page 623); Limit the Source-active Cache ...
  • Page 18 Multicast Policies (page 665); IPv4 Multicast Policies ...
  • Page 19 Enable OSPFv2 (page 705); Enable Multi-Process OSPF ...
  • Page 20 Refusing Multicast Traffic (page 756); Sending Multicast Traffic ...
  • Page 21 Create VLANs for an Office VOIP Deployment (page 795); Configure LLDP-MED for an Office VOIP Deployment (page 796); Configure Quality of Service for an Office VOIP Deployment ...
  • Page 22 Configure Per-VLAN Spanning Tree Plus (page 836); Related Configuration Tasks ...
  • Page 23 Implementation Information (page 878); Configuration Information ...
  • Page 24 Protection from TCP Tiny and Overlapping Fragment Attacks (page 935); SCP and SSH (page 935); Using SCP with SSH to copy a software image ...
  • Page 25 Show sFlow Globally (page 976); Show sFlow on an Interface ...
  • Page 26 Events that Bring Down a SONET Interface (page 1013); SONET Port Recovery Mechanism (page 1014); SONET MIB ...
  • Page 27 Configuring Spanning Tree (page 1049); Related Configuration Tasks ...
  • Page 28 Clearing a UFD-Disabled Interface (page 1090); Displaying Uplink Failure Detection ...
  • Page 29 VRRP Implementation (page 1129); VRRP version 3 ...
  • Page 30 Save a hardware log to a file on the flash (page 1176); Manual reload messages ...
  • Page 31 Trace logs (page 1214); Buffer full condition ...
  • Page 33: About This Guide

    About this Guide Objectives This guide describes the protocols and features supported by the Dell Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, and S-Series. The E-Series ExaScale platform is supported with FTOS version 8.1.1.0 and later.
  • Page 34: Conventions

    This symbol is a note associated with some other text on the page that is marked with an asterisk. Related Documents For more information about the Dell Force10 E-Series, C-Series, and S-Series refer to the following documents: • FTOS Command Reference •...
  • Page 35: Configuration Fundamentals

    Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes.
  • Page 36: Cli Modes

    CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command on page 40). You can set user access rights to commands and command modes using privilege levels;...
  • Page 37: Navigating Cli Modes

    Figure 2-2. CLI Modes in FTOS EXEC EXEC Privilege CONFIGURATION ARCHIVE AS-PATH ACL INTERFACE GIGABIT ETHERNET 10 GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET NULL PORT-CHANNEL SONET VLAN VRRP IPv6 IP COMMUNITY-LIST IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST LINE AUXILIARY CONSOLE VIRTUAL TERMINAL MAC ACCESS-LIST...
  • Page 38 Table 2-1. FTOS Command Modes Access Command CLI Command Mode Prompt EXEC FTOS> Access the router through the console or Telnet. enable EXEC Privilege FTOS# • From EXEC mode, enter the command • From any other mode, use the command CONFIGURATION FTOS(conf)# •...
  • Page 39 Table 2-1. FTOS Command Modes Access Command CLI Command Mode Prompt mac access-list standard STANDARD ACCESS- FTOS(config-std-macl)# LIST mac access-list extended EXTENDED ACCESS- FTOS(config-ext-macl)# LIST MULTIPLE FTOS(config-mstp)# protocol spanning-tree mstp SPANNING TREE Per-VLAN SPANNING FTOS(config-pvst)# protocol spanning-tree pvst TREE Plus ip prefix-list PREFIX-LIST FTOS(conf-nprefixl)#...
  • Page 40: The Do Command

    The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command. Note: The following commands cannot be modified by the do command: enable, disable, exit...
  • Page 41: Obtaining Help

    Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the help command: • Enter ? at the prompt or after a keyword to list the keywords available in the current mode. •...
  • Page 42: Command History

    • The UP and DOWN arrow keys display previously entered commands (see Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line, as described in Table 2-2.
  • Page 43: Filtering Show Command Outputs

    Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
  • Page 44: Multiple Users In Configuration Mode

    % Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
  • Page 45: Getting Started

    Getting Started This chapter contains the following major sections: • Default Configuration on page 46 • Configure a Host Name on page 47 • Access the System Remotely on page 47 • Configure the Enable Password on page 50 • Configuration File Management on page 50 •...
  • Page 46: Default Configuration

    Figure 3-1. Completed Boot Process .*************. #### #######. ######## ####### ######### ######## ######## .#. ###### ###########. #### .##. ## ### #### ###. ### ### ### ### ### ### ## ### #### ### ######## *# -## ### ###### ### ## ######### ######## *# ### ## ## ###...
  • Page 47: Configure A Host Name

    Configure a Host Name The host name appears in the prompt. The default host name is force10. • Host names must start with a letter and end with a letter or digit. • Characters within the string can be letters, digits, and hyphens. To configure a host name: Step Task...
  • Page 48: Configure The Management Port Ip Address

    Configure the Management Port IP Address Assign IP addresses to the management ports in order to access the system remotely. Note: Assign different IP addresses to each RPM’s management port. To configure the management port IP address: Step Task Command Syntax Command Mode interface ManagementEthernet Enter INTERFACE mode for the...
  • Page 49: Access The S-Series Remotely

    7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Force10 system. Access the S-Series Remotely The S-Series does not have a dedicated management port nor a separate management routing table.
  • Page 50: Configure The Enable Password

    Compact Flash for the internal and external Flash memory. It has a space limitation but does not limit the number of files it can contain. Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause unexpected system behavior, including a reboot.
  • Page 51: Copy Files To And From The System

    Table 3-1. file-destination • To copy a remote file to Dell Force10 system, combine the syntax for a remote file location file-origin with the syntax for a local file location shown in Table 3-1.
  • Page 52: Save The Running-Configuration

    26292881 bytes successfully copied Save the Running-configuration The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the primary RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
  • Page 53: View Files

    Task Command Syntax Command Mode Save the running-configuration to: copy running-config startup-config the startup-configuration on the internal flash of the primary RPM copy running-config rpm flash://filename the internal flash on an RPM Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
  • Page 54: Command Syntax

    To view a list of files on the internal or external Flash: Step Task Command Syntax Command Mode View a list of files on: dir flash: the internal flash of an RPM EXEC Privilege dir slot: the external flash of an RPM The output of the command also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in...
  • Page 55: File System Management

    --More-- File System Management The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information:...
  • Page 56: View Command History

    Figure 3-9, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. Figure 3-9. Alternative Storage Location FTOS#cd slot0: FTOS#copy running-config test No File System Specified FTOS#copy run test 7419 bytes successfully copied...
  • Page 57: System Management

    System Management System Management is supported on platforms: c e s This chapter explains the different protocols or services used to manage the Dell Force10 system including: • Configure Privilege Levels on page 57 • Configure Logging on page 61 •...
  • Page 58: Removing A Command From Exec Mode

    A user can access all commands at his privilege level and below. Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode.
  • Page 59 Task Command Syntax Command Mode privilege configure level level Allow access to INTERFACE, LINE, ROUTE-MAP, CONFIGURATION interface line route-map and/or ROUTER mode. Specify all keywords in the router command. command-keyword ||...|| command-keyword privilege configure interface Allow access to a CONFIGURATION, INTERFACE, CONFIGURATION line route-map...
  • Page 60 Figure 4-1. Create a Custom Privilege Level FTOS(conf)#do show run priv privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet 10.11.80.201 [telnet output omitted]...
  • Page 61: Apply A Privilege Level To A Username

    Apply a Privilege Level to a Username To set a privilege level for a user: Task Command Syntax Command Mode Configure a privilege level for a user. CONFIGURATION username username privilege level Apply a Privilege Level to a Terminal Line To set a privilege level for a terminal line: Task Command Syntax...
  • Page 62: Log Messages In The Logging Buffer

    Log Messages in the Logging Buffer All error messages, except those beginning with %BOOTUP (Message 1), are logged in the internal buffer. Message 1 BootUp Events %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled Configuration Task List for System Log Management The following list includes the configuration tasks for system log management: •...
  • Page 63: Send System Messages To A Syslog Server

    Send System Messages to a Syslog Server Send system messages to a syslog server by specifying a server: Task Command Syntax Command Mode Specify the server to which you want to send system logging ip-address ipv6-address CONFIGURATION messages. You can configure up to eight syslog servers, hostname which may be IPv4 and/or IPv6 addressed.
  • Page 64: Display The Logging Buffer And The Logging Configuration

    Task Command Syntax Command Mode Specify the size of the logging buffer. logging buffered size CONFIGURATION Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. logging history size Specify the number of messages that FTOS saves to its size...
  • Page 65 Figure 4-2. show logging Command Example FTOS#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
  • Page 66: Configure A Unix Logging Facility Level

    Configure a UNIX Logging Facility Level Facility is a message tag used to describe the application or process that submitted the log message. You can save system log messages with a UNIX system logging facility: Command Syntax Command Mode Purpose logging facility [ facility-type CONFIGURATION...
  • Page 67: Synchronize Log Messages

    Synchronize Log Messages You can configure a terminal line to hold all logs until all command inputs and outputs are complete so that log printing does not interfere when you are performing management tasks. Log synchronization also filters system messages for a specific line based on severity level and limits the number of messages that are printed at once.
  • Page 68: File Transfer Services

    File Transfer Services You can configure the system to transfer files over the network using File Transfer Protocol (FTP). Configuration Task List for File Transfer Services The following list includes the configuration tasks for file transfer services: • Enable FTP server on page 68 •...
  • Page 69: Terminal Lines

    Note: You cannot use the change directory ( cd ) command until ftp-server topdir is configured. Display your FTP configuration using the show running-config ftp command from EXEC Privilege mode, as shown in Figure 4-4. Configure FTP client parameters When the system will be an FTP client, configure FTP client parameters: Task Command Syntax Command Mode...
  • Page 70: Configure Login Authentication For Terminal Lines

    Figure 4-5. Applying an Access List to a VTY Line FTOS(config-std-nacl)#show config ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 FTOS(config-std-nacl)#line vty 0 FTOS(config-line-vty)#show config line vty 0 access-class myvtyacl FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you must apply an ACL and AAA authentication to the line.
  • Page 71: Time Out Of Exec Privilege Mode

    Step Task Command Syntax Command Mode If you used the line authentication password LINE method in the method list you applied to the terminal line, configure a password for the terminal line. line Figure 4-6 VTY lines 0-2 use a single authentication method, Figure 4-6.
  • Page 72: Telnet To Another Network Device

    Figure 4-7. Configuring EXEC Timeout FTOS(conf)#line con 0 FTOS(config-line-console)#exec-timeout 0 FTOS(config-line-console)#show config line console 0 exec-timeout 0 0 FTOS(config-line-console)# Telnet to Another Network Device To telnet to another device: Task Command Syntax Command Mode telnet-peer-rpm Telnet to the peer RPM. You do not need to configure the management EXEC Privilege port on the peer RPM to be able to telnet to it.
  • Page 73: Viewing The Configuration Lock Status

    Two types of locks can be set: auto and manual. • Set an auto-lock using the command configuration mode exclusive auto from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access.
  • Page 74: Recovering From A Forgotten Password

    You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode. Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 75: Recovering From A Forgotten Enable Password

    Step Task Command Syntax Command Mode Figure 4-12. Renaming the startup-config RPM0-CP BOOT_ADMIN # dir flash: Directory of flash: 1 -rwx 11407411 Jun 09 2004 09:38:40 FTOS-EE3-5.3.1.1.bin 2 -rwx 4977 Jun 09 2004 09:38:38 startup-config.bak Reload the system. reload BOOT_ADMIN Copy startup-config.bak to the copy flash://startup-config.bak EXEC Privilege...
  • Page 76: Recovering From A Forgotten Password On S-Series

    Step Task Command Syntax Command Mode Save the running-config to the copy running-config startup-config EXEC Privilege startup-config. The startup-config files on both RPMs will be synchronized. Recovering from a Forgotten Password on S-Series If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 77: Recovering From A Failed Start

    Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from an incorrect location. To resolve the problem, you can restart the system and interrupt the boot process to point the system to another boot location by using the boot change command, as described below.
  • Page 78 Very similar to the options of the boot change command, the boot system command is available in CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the startup configuration file, are stored in NVRAM and are then used routinely: Task Command Syntax Command Mode...
  • Page 79: Ethernet Cfm

    802.1ag 802.1ag is available only on platform: Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: 1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM) 2.
  • Page 80: Maintenance Domains

    There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
  • Page 81: Maintenance End Points

    MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
  • Page 82: Implementation Information

    Implementation Information • Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level). Configure CFM Configuring CFM is a five-step process: 1. Configure the ecfmacl CAM region using the cam-acl command.
  • Page 83: Enable Ethernet Cfm

    Enable Ethernet CFM Task Command Syntax Command Mode ethernet cfm Spawn the CFM process. No CFM configuration is CONFIGURATION allowed until the CFM process is spawned. disable Disable Ethernet CFM without stopping the CFM ETHERNET CFM process. Create a Maintenance Domain Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in Figure...
  • Page 84: Create A Maintenance Association

    MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
  • Page 85: Create A Maintenance Intermediate Point

    Task Command Syntax Command Mode FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level Type Port CCM-Status MA Name VLAN ------------------------------------------------------------------------------- cfm0 Gi 4/10 Enabled test0 DOWN 00:01:e8:59:23:45 cfm1 Gi 4/10 Enabled test1 DOWN 00:01:e8:59:23:45 cfm2 Gi 4/10 Enabled test2 DOWN...
  • Page 86 • MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM Task Command Syntax Command Mode show ethernet cfm maintenance-points remote detail active Display the MEP Database. EXEC Privilege domain expired...
  • Page 87: Continuity Check Messages

    Continuity Check Messages Continuity Check Messages (CCM) are periodic hellos used to: • discover MEPs and MIPs within a maintenance domain • detect loss of connectivity between MEPs • detect misconfiguration, such as VLAN ID mismatch between MEPs • detect unauthorized MEPs in a maintenance domain Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
  • Page 88: Enable Ccm

    Enable CCM Step Task Command Syntax Command Mode no ccm disable Enable CCM. ECFM DOMAIN Default: Disabled ccm transmit-interval seconds Configure the transmit interval (mandatory). ECFM DOMAIN Default: 10 seconds The interval specified applies to all MEPs in the domain. Enable Cross-checking Task Command Syntax...
  • Page 89: Link Trace Cache

    Figure 5-4. Linktrace Message and Response MPLS Core Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]).
  • Page 90: Enable Cfm Snmp Traps

    Task Command Syntax Command Mode FTOS#show ethernet cfm traceroute-cache Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2 ------------------------------------------------------------------------------ Hops Host IngressMAC Ingr Action Relay Action Next Host Egress MAC Egress Action FWD Status ------------------------------------------------------------------------------ 00:00:00:01:e8:53:4a:f8 00:01:e8:52:4a:f8 IngOK...
  • Page 91: Display Ethernet Cfm Statistics

    Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points local mep. FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level...
  • Page 92 Task Command Syntax Command Mode Display CFM statistics by port. show ethernet cfm port-statistics interface EXEC Privilege FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5 Port statistics for port: Gi 0/5 ================================== RX Statistics ============= Total CFM Pkts 75394 CCM Pkts 75394 LBM Pkts 0 LTM Pkts 0 LBR Pkts 0 LTR Pkts 0 Bad CFM Pkts 0 CFM Pkts Discarded 0...
  • Page 93: Link Layer Oam Overview

    802.3ah 802.3ah is available only on platform: A metropolitan area network (MAN) is a set of LANs, geographically separated but managed by a single entity. If the distance is large—across a city, for example—connectivity between LANs is managed by a service provider.
  • Page 94: Link Layer Oampdus

    • Remote Loopback—directs the remote system to reflect back frames that the local system transmits so that an administrator can isolate a fault. • Remote Failure Indication—notifies a peer of a critical link event. Link Layer OAMPDUs Link Layer OAM is conducted using OAMPDUs, shown in Figure 6-1.
  • Page 95: Link Layer Oam Operational Modes

    Link Layer OAM Operational Modes When participating in EFM OAM, a system may operate in active or passive mode. • Active mode—Active mode systems initiate discovery. Once the Discovery process completes, they can send any OAMPDU while connected to a peer in Active mode, and a subset of OAMPDUs if the peer is in Passive mode (see Table 6-1).
  • Page 96: Link Layer Oam Events

    Link Layer OAM Events Link Layer OAM defines a set of events that may impact link operation, and monitors the link for those events. If an event occurs, the detecting system notifies its peer. There are two types of events: •...
  • Page 97: Configure Link Layer Oam

    Configure Link Layer OAM Configuring Link Layer OAM is a two-step process: 1. Enable Link Layer OAM. See page 97. 2. Enable any or all of the following: Link Performance Event Monitoring on page 99 Remote Failure Indication on page 102 Remote Loopback on page 103 Related Configuration Tasks •...
  • Page 98 Task Command Syntax Command Mode FTOS# show ethernet oam discovery interface <interface-name> Output format: <interface name> Local client __________ Administrative configurations: Mode:active Unidirection:not supported Link monitor:supported (on) Remote loopback:not supported MIB retrieval:not supported Mtu size:1500 Operational status: Port status:operational Loopback status:no loopback PDU permission:any PDU revision:1 Remote client...
  • Page 99: Adjust The Oampdu Transmission Parameters

    Adjust the OAMPDU Transmission Parameters Task Command Syntax Command Mode ethernet oam max-rate value min-rate value Specify the maximum or minimum INTERFACE number of OAMPDUs to be sent per Range: 1-10 second. Default: 10 ethernet oam mode active passive Set the transmission mode to active or INTERFACE passive.
  • Page 100: Set Threshold Values

    Set Threshold Values The available pre-defined errors fall under two categories: • Symbol Errors—a symbol is an (electrical or optical) pulse on the physical medium that represents one or more bits. A symbol error occurs when a symbol degrades in transit so that the receiver is not able to decode it.
  • Page 101 Frame Errors per Second Task Command Syntax Command Mode ethernet oam link-monitor frame threshold high Specify the high threshold value for INTERFACE none frame errors, or disable the high frames threshold. Range: 1-65535 Default: None ethernet oam link-monitor frame threshold low frames Specify the low threshold for frame INTERFACE errors.
  • Page 102: Execute An Action Upon Exceeding The High Threshold

    Task Command Syntax Command Mode ethernet oam link-monitor frame-seconds window Specify the time period for error INTERFACE milliseconds second per time period condition. Range: 100-900, in multiples of 100 Default: 1000 milliseconds Execute an Action upon Exceeding the High Threshold When an error exceeds the low threshold, an event notification is sent to the peer.
  • Page 103: Remote Loopback

    Remote Loopback An active-mode device can place a passive peer into loopback mode by sending a Loopback Control OAMPDU. When in loopback mode: • the remote peer returns unaltered all non-OAMPDU frames sent by the local peer, and • all outbound data frames are discarded. Note: Control traffic egresses from loopback initiator and from interface in loopback mode.
  • Page 104: Display Link Layer Oam Configuration And Statistics

    Display Link Layer OAM Configuration and Statistics Task Command Syntax Command Mode show ethernet oam status interface interface Display Link Layer OAM status per EXEC Privilege interface. FTOS# show ethernet oam status interface <interface-name> Output Format : <interface-name> General ______ Mode:active PDU max rate:10 packets per second PDU min rate:1 packet per second...
  • Page 105 Task Command Syntax Command Mode FTOS# show ethernet oam statistics interface <interface-name> <interface-name> Counters: _________ Information OAMPDU Tx: 3439489 Information OAMPDU Rx: 9489 Unique Event Notification OAMPDU Tx: 0 Unique Event Notification OAMPDU x: 0 Duplicate Event Notification OAMPDU Tx: 0 Duplicate Event Notification OAMPDU Rx: 0 Loopback Control OAMPDU Tx: 0 Loopback Control OAMPDU Rx: 2...
  • Page 106: Manage Link Layer Oam

    Manage Link Layer OAM Enable MIB Retrieval Support/Function IEEE 802.3ah defines the Link OAM MIB in Sec 30A.20, “OAM entity managed object class”; all of the objects described there are supported. Note that 802.3ah does not include the ability to set/write remote MIB variables.
  • Page 107: Protocol Overview

    802.1X 802.1X is supported on platforms: c e s This chapter has the following sections: • Protocol Overview on page 107 • Configuring 802.1X on page 111 • Important Points to Remember on page 112 • Enabling 802.1X on page 112 •...
  • Page 108 (typically RADIUS) via a mandatory intermediary network access device, in this case, a Dell Force10 switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
  • Page 109: The Port-Authentication Process

    The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default. The Port-authentication Process...
  • Page 110: Eap Over Radius

    Figure 7-2. 802.1X Authentication Process (diagram: Supplicant, Authenticator, and Authentication Server; EAP over LAN (EAPOL) between the supplicant and the authenticator, EAP over RADIUS between the authenticator and the authentication server; messages: Request Identity, Response Identity, Access Request, Access Challenge, EAP Request, EAP Response, Access Request, Access {Accept | Reject}, EAP {Success | Failure})
    EAP over RADIUS
    802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
  • Page 111: Configuring 802.1X

    RADIUS Attributes for 802.1 Support Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Table 7-1. 802.1X Supported RADIUS Attributes Attribute Name Description User-Name the name of the supplicant to be authenticated. NAS-IP-Address NAS-Port the physical port number by which the authenticator is connected to the supplicant.
  • Page 112: Important Points To Remember

    Important Points to Remember • FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
  • Page 113 To enable 802.1X:
    Task | Command Syntax | Command Mode
    Enable 802.1X globally. | dot1x authentication | CONFIGURATION
    Enter INTERFACE mode on an interface or a range of interfaces. | interface range | INTERFACE
    Enable 802.1X on an interface or a range of interfaces. | dot1x authentication | INTERFACE
    Verify that 802.1X is enabled globally and at interface level using the command show running-config | find...
  • Page 114: Configuring Request Identity Re-Transmissions

    Configuring Request Identity Re-transmissions If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable. Note: There are several reasons why the supplicant might fail to respond;...
  • Page 115: Forcibly Authorizing Or Unauthorizing A Port

    Figure 7-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
    • After 90 seconds and a maximum of 10 times for an unresponsive supplicant
    • Re-transmits an EAP Request Identity frame
    Figure 7-7. Configuring a Request Identity Re-transmissions
    FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90
    FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10
    FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120...
  • Page 116: Re-Authenticating A Port

    To place a port in one of these three states:
    Task: Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
    Command Syntax: dot1x port-control {force-authorized | force-unauthorized | auto} Default: auto
    Command Mode: INTERFACE
    Figure 7-8 shows configuration information for a port that has been force-authorized.
    Figure 7-8.
  • Page 117: Configuring Timeouts

    To configure a maximum number of re-authentications:
    Task: Configure the maximum number of times that the supplicant can be reauthenticated.
    Command Syntax: dot1x reauth-max number Range: 1-10 Default: 2
    Command Mode: INTERFACE
    Figure 7-9. Configuring a Reauthentication Period
    FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200
    FTOS(conf-if-gi-2/1)#dot1x reauth-max 10
    FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
    802.1x information on Gi 2/1:...
  • Page 118 To terminate the authentication process due to an unresponsive authentication server:
    Task: Terminate the authentication process due to an unresponsive authentication server.
    Command Syntax: dot1x server-timeout seconds Range: 1-300. Default: 30
    Command Mode: INTERFACE
    Note: When you configure the dot1x server-timeout value, you must take into account the communication medium used to communicate with an authentication server and the number of RADIUS servers configured.
  • Page 119: Dynamic Vlan Assignment With Port Authentication

    The dynamic VLAN assignment is based on RADIUS attribute 81, Tunnel-Private-Group-ID, and uses the following standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Force10 system. 2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
  • Page 120 Figure 7-11 shows the configuration on a Dell Force10 switch that uses dynamic VLAN assignment with 802.1X before you connect the end-user device (black and blue text), and after you connect the device (red text). The blue text corresponds to the numbered steps on page 119. Note that the GigabitEthernet 1/11 port, on which dynamic VLAN assignment with 802.1X is configured, is initially an untagged member of VLAN...
  • Page 121: Guest And Authentication-Fail Vlans

    Guest and Authentication-Fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
  • Page 122: Configuring An Authentication-Fail Vlan

    Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication on page 114). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
  • Page 123: Multi-Host Authentication

    Multi-Host Authentication Multi-Host Authentication is available on platforms: 802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 7-15; this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to the same port, a many-to-one configuration, only the first end-user to respond to the identity request is authenticated.
  • Page 124 When the host mode is changed on a port that is already authenticated: • Single-host to Multi-host: all devices attached to the port that were previously blocked may access the network; the supplicant does not re-authenticate. • Multi-host to Single-host: the port restarts the authentication process, and the first end-user to respond is authenticated and allowed access.
  • Page 125: Multi-Supplicant Authentication

    Task Command Syntax Command Mode dot1x host-mode single-host Configure Single-host Authentication mode on a port. INTERFACE FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable...
  • Page 126 During the authentication process, the Dell Force10 system is able to learn the MAC address of the device through the EAPoL frames, and the VLAN assignment from the RADIUS server. With this information it creates an authorized-MAC to VLAN mapping table per port. Then, the system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.
  • Page 127: Mac Authentication Bypass

    MAC Authentication Bypass MAC Authentication Bypass is supported on platforms: MAC Authentication Bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X—like IP phones, printers, and IP fax machines—still need connectivity to the network.
  • Page 128: Mab In Single-Host And Multi-Host Mode

    MAB in Single-host and Multi-Host Mode In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for single-host mode, traffic from all other MACs is dropped;...
  • Page 129
    Task: (Optional) Use MAB authentication only—do not use 802.1X authentication first. If MAB fails the port or the MAC address is blocked, the port is placed in the guest VLAN (if configured). 802.1x authentication is not even attempted.
    Command Syntax: dot1x auth-type mab-only
    Command Mode: INTERFACE...
  • Page 130: Dynamic Cos With 802.1X

    VLAN and priority values are automatically applied to incoming packets. The RADIUS server finds the appropriate record based on the supplicant’s credentials and sends the priority re-mapping table to the Dell Force10 system by including Attribute 59 in the AUTH-ACCEPT packet. 802.1X...
  • Page 131 FTOS Behavior: The following conditions are applied to the use of dynamic CoS with 802.1X authentication on C-Series and S-Series platforms: • In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6.
  • Page 132 802.1X...
  • Page 133: Ip Access Control Lists (Acl), Prefix Lists, And Route-Maps

    IP Access Control Lists (ACL), Prefix Lists, and Route-maps c e s IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: c e s Ingress IP ACLs are supported on platforms: Egress IP ACLs are supported on platform: Overview At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses.
  • Page 134: Ip Access Control Lists (Acls)

    IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference): •...
  • Page 135 CAM optimization is supported on platforms CAM Profiling CAM optimization is supported on platforms CAM profiling for ACLs is supported on E-Series TeraScale only. For complete information regarding E-Series TeraScale CAM profiles and configuration, refer to Chapter 11, Content Addressable Memory.
  • Page 136: Cam Optimization

    cam-acl Allocate space for IPV6 ACLs on the C-Series by using the command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM Allocation settings on a C-Series matching are: •...
  • Page 137: Implementing Acls On Ftos

    Figure 8-1. Command Example: test cam-usage (C-Series) FTOS#test cam-usage service-policy input TestPolicy linecard all Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status ------------------------------------------------------------------------------------------ 1 | IPv4Flow 232 | Allowed 1 | IPv6Flow 0 | Allowed 0 | IPv4Flow 232 |...
  • Page 138: Ip Fragment Handling

    Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM entries whether it is identified as a Standard or Extended ACL. Determine the order in which ACLs are used to classify traffic service-queue When you link class-maps to queues using the command , FTOS matches the class-maps...
  • Page 139: Ip Fragments Acl Examples

    • Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled. •...
  • Page 140: Configure A Standard Ip Acl

    In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
    FTOS(conf)#ip access-list extended ABC
    FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
    FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment...
  • Page 141 A standard IP ACL uses the source IP address as its match criterion. Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered with a TCP filter included.
  • Page 142 Figure 8-4. Command example: seq
    FTOS(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
    FTOS(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any
    FTOS(config-std-nacl)#show config
    ip access-list standard dilling
    seq 15 permit tcp 10.3.0.0/16 any
    seq 25 deny ip host 10.5.0.0 any log
    FTOS(config-std-nacl)#
    To delete a filter, use the no seq...
  • Page 143: Configure An Extended Ip Acl

    Figure 8-6. Command Example: show ip accounting access-list
    FTOS#show ip accounting access example interface gig 4/12
    Extended IP access list example
    seq 10 deny tcp any any eq 111
    seq 15 deny udp any any eq 111
    seq 20 deny udp any any eq 2049
    seq 25 deny udp any any eq 31337
    seq 30 deny tcp any any range 12345 12346
    seq 35 permit udp host 10.21.126.225 10.4.5.0 /28...
  • Page 144 Step Command Syntax Command Mode Purpose seq sequence-number deny CONFIG-EXT-NACL Configure a drop or forward filter. permit log and monitor options are supported on ip-protocol-number • E-Series only. icmp | ip | tcp | udp host source mask ip-address destination mask host ip-address operator count...
  • Page 145 When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
  • Page 146: Established Flag

    Figure 8-8 illustrates an extended IP ACL in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for show config example, the first filter was given the lowest sequence number). The command in the IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
  • Page 147: Assign An Ip Acl To An Interface

    If a rule is simply appended, existing counters are not affected.
    Table 8-2. L2 and L3 ACL Filtering on Switched Packets
    L2 ACL Behavior | L3 ACL Behavior | Decision on Targeted Traffic
    Deny | Deny | Denied by L3 ACL
    Deny | Permit | Permitted by L3 ACL
    Permit | Deny | Denied by L2 ACL...
  • Page 148: Counting Acl Hits

    To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in the following sequence in the INTERFACE mode: Step Command Syntax Command Mode Purpose interface interface slot/port CONFIGURATION Enter the interface number. ip address ip-address INTERFACE...
  • Page 149: Configuring Ingress Acls

    Step Task View the number of packets matching the ACL using the show ip accounting access-list command from EXEC Privilege mode.
    Configuring Ingress ACLs
    Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation.
  • Page 150: Egress Layer 3 Acl Lookup For Control-Plane Ip Traffic

    An egress ACL is used when users would like to restrict egress traffic. For example, when DoS attack traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow from exiting the box, thereby protecting downstream devices. To create an egress ACL, use the ip access-group command...
  • Page 151: Configuring Acls To Loopback

    FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address. Configuring ACLs to Loopback ACLs can be supplied on Loopback interfaces supported on platform...
  • Page 152 Step Command Syntax Command Mode Purpose seq number permit CONFIGURATION If you are applying an extended ACL, and it has loopback-logging any any a deny ip any any entry, this entry denies internally generated packets as well as packets received from external devices. To prevent internally generated packets from being dropped, make sure that the ACL you intend to apply has seq number...
  • Page 153: Ip Prefix Lists

    IP Prefix Lists
    Prefix Lists are supported on platforms: c e s
    IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied.
  • Page 154: Configure A Prefix List

    The following list includes the configuration tasks for prefix lists: • Configure a prefix list on page 154 • Use a prefix list for route redistribution on page 156 For a complete listing of all commands related to prefix lists, refer to the FTOS Command Line Interface document.
  • Page 155 If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. The FTOS assigns filters in multiples of five. To configure a filter without a specified sequence number, use these commands in the following sequence starting in the CONFIGURATION mode: Step...
  • Page 156: Use A Prefix List For Route Redistribution

    Figure 8-15. Command example: show ip prefix-list detail
    FTOS>show ip prefix detail
    Prefix-list with the last deletion/insertion: filter_ospf
    ip prefix-list filter_in:
    count: 3, range entries: 3, sequences: 5 - 10
    seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
    seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
    seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
    ip prefix-list filter_ospf:
    count: 4, range entries: 1, sequences: 5 - 10...
  • Page 157: Acl Resequencing

    Figure 8-17. Command Example: show config in the ROUTER RIP Mode FTOS(conf-router_rip)#show config router rip distribute-list prefix juba out network 10.0.0.0 FTOS(conf-router_rip)#router ospf 34 To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode: Command Syntax Command Mode Purpose...
  • Page 158: Resequencing An Acl Or Prefix List

    IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs. Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It merely renumbers them so that new rules can be placed within the list as desired.
  • Page 159 Figure 8-19. Resequencing ACLs FTOS(config-ext-nacl)# show config ip access-list extended test remark remark this remark corresponds to permit any host 1.1.1.1 permit ip any host 1.1.1.1 remark remark this remark corresponds to permit ip any host 1.1.1.2 permit ip any host 1.1.1.2 permit ip any host 1.1.1.3 permit ip any host 1.1.1.4 FTOS# end...
  • Page 160: Route Maps

    Figure 8-20. Resequencing Remarks
    FTOS(config-ext-nacl)# show config
    ip access-list extended test
    remark 4 XYZ
    remark 5 this remark corresponds to permit any host 1.1.1.1
    seq 5 permit ip any host 1.1.1.1
    remark 9 ABC
    remark 10 this remark corresponds to permit ip any host 1.1.1.2
    seq 10 permit ip any host 1.1.1.2
    seq 15 permit ip any host 1.1.1.3
    seq 20 permit ip any host 1.1.1.4...
  • Page 161: Configuration Task List For Route Maps

    Important Points to Remember • For route-maps with more than one match clause: • If two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation. •...
  • Page 162 show config To view the configuration, use the command in the ROUTE-MAP mode (Figure 8-21). Figure 8-21. Command Example: show config in the ROUTE-MAP Mode FTOS(config-route-map)#show config route-map dilling permit 10 FTOS(config-route-map)# You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order.
  • Page 163: Configure Route Map Filters

    Figure 8-24. Command Example: show route-map FTOS#show route-map dilling route-map dilling, permit, sequence 10 Match clauses: Set clauses: route-map dilling, permit, sequence 15 Match clauses: interface Loopback 23 Set clauses: 3444 FTOS# no route-map To delete a route map, use the command in the CONFIGURATION mode.
  • Page 164 Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map. As an example:
    FTOS(conf)#route-map force permit 10
    FTOS(config-route-map)#match tag 1000
    FTOS(conf)#route-map force deny 20
    FTOS(config-route-map)#match tag 1000
    FTOS(conf)#route-map force deny 30
    FTOS(config-route-map)#match tag 1000
    In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 &...
  • Page 165 Command Syntax Command Mode Purpose match ip address CONFIG-ROUTE-MAP Match destination routes specified in a prefix list prefix-list-name (IPv4). match ipv6 address CONFIG-ROUTE-MAP Match destination routes specified in a prefix list prefix-list-name (IPv6). match ip next-hop CONFIG-ROUTE-MAP Match next-hop routes specified in a prefix list | prefix-list (IPv4).
  • Page 166: Configure A Route Map For Route Redistribution

    Command Syntax Command Mode Purpose set ipv6 next-hop ip-address CONFIG-ROUTE-MAP Assign an IPv6 address as the route’s next hop. set origin { egp | igp | incomplete } CONFIG-ROUTE-MAP Assign an ORIGIN attribute. set tag tag-value CONFIG-ROUTE-MAP Specify a tag for the redistributed routes. set weight value CONFIG-ROUTE-MAP...
  • Page 167: Configure A Route Map For Route Tagging

    router ospf 34
    default-information originate metric-type 1
    redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
    route-map staticospf permit 10
    match interface GigabitEthernet 0/0
    match metric
    set level backbone
    Configure a route map for route tagging
    One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol.
  • Page 168 Figure 8-27. Command Example: continue
    route-map test permit 10
    match commu comm-list1
    set community 1:1 1:2 1:3
    set as-path prepend 1 2 3 4 5
    continue 30!
  • Page 169: Bidirectional Forwarding Detection

    BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be encapsulated in any form that is convenient, and, on Dell Force10 routers, sessions are maintained by BFD Agents that reside on the line card, which frees resources on the RPM. Only session state changes are reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered with it.
  • Page 170: How Bfd Works

    How BFD Works Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
  • Page 171 Figure 9-1. BFD in IPv4 Packet Format
  • Page 172: Field Description

    Table 9-1. BFD Packet Fields
    Field | Description
    Diagnostic Code | The reason that the last session failed.
    State | The current local session state. See sessions.
    Flag | A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval.
  • Page 173 BFD sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: • Active—The active system initiates the BFD session. Both systems can be active for the same session. •...
  • Page 174 handshake. At this point, the discriminator values have been exchanged, and the transmit intervals have been negotiated. 4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
  • Page 175: Configuring Bidirectional Forwarding Detection

    Figure 9-3. BFD State Machine (state diagram; legend: current session state, the packet received; states: Down, Init, Up; transition labels: Up, Admin Down, Timer, Down, Init)
    Important Points to Remember
    • BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
    •...
  • Page 176: Configuring Bfd For Physical Ports

    Configuring BFD for Physical Ports BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
  • Page 177 Figure 9-5. Establishing a BFD Session for Physical Ports (diagram labels: R1: ACTIVE Role, R2: ACTIVE Role, 4/24)
    Force10(config)# bfd enable
    Force10(config)# interface gigabitethernet 2/1
    Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
    Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
    Force10(config)# bfd enable
    Force10(config)# interface gigabitethernet 4/24
    Force10(conf-if-gi-2/1)# ip address 2.2.2.1/24
    Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.2
    To establish a session:...
  • Page 178 Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if you change a parameter, the change affects all physical port sessions on that interface. Dell Force10 recommends maintaining the default values. To change session parameters on an interface:...
  • Page 179 Figure 9-8. Changing Session Parameters for Physical Ports R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.2 Remote MAC Addr: 00:01:e8:06:95:a2 Int: GigabitEthernet 4/24 State: Up Configured parameters:...
  • Page 180: Configuring Bfd For Static Routes

    To re-enable BFD on an interface:
    Task: Enable BFD on an interface.
    Command Syntax: bfd enable
    Command Mode: INTERFACE
    Configuring BFD for Static Routes
    BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than having to wait until packets fail to reach their next hop.
  • Page 181 To establish a BFD session: Step Task Command Syntax Command Mode ip route bfd Establish BFD sessions for all neighbors that are the next hop CONFIGURATION of a static route. show bfd neighbors Verify that sessions have been created for static routes using the command , as shown show bfd neighbors detail Figure...
  • Page 182: Configuring Bfd For Ospf

    To disable BFD for static routes:
    Task: Disable BFD for static routes.
    Command Syntax: no ip route bfd
    Command Mode: CONFIGURATION
    Configuring BFD for OSPF
    When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in OSPF.
  • Page 183: Show Bfd Neighbors

    Figure 9-11. Establishing Sessions with OSPF Neighbors
    Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
    Force10(conf-if-gi-2/1)# no shutdown
    Force10(conf-if-gi-2/1)# exit
    Force10(config)# router ospf 1
    Force10(config-router_ospf )# network 2.2.2.0/24 area 0
    Force10(config-router_ospf )# bfd all-neighbors
    Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
    Force10(conf-if-gi-2/2)# no shutdown
    Force10(conf-if-gi-2/2)# exit
    Force10(config)# router ospf 1
    Force10(config-router_ospf )# network 2.2.3.0/24 area 1
    Force10(config-router_ospf )# bfd all-neighbors
    AREA 0...
  • Page 184 Changing OSPF session parameters BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all OSPF sessions or all OSPF sessions on a particular interface; if you change a parameter globally, the change affects all OSPF neighbors sessions.
  • Page 185: Configuring Bfd For Bgp

    Configuring BFD for BGP BFD for BGP is only supported on platforms: In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces.
  • Page 186 Note that the sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
    • By establishing BFD sessions with all neighbors discovered by BGP (bfd all-neighbors command)
    • By establishing a BFD session with a specified BGP neighbor (neighbor {ip-address | peer-group-name} command)
    BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
  • Page 187 Step Task Command Syntax Command Mode bfd all-neighbors [interval millisecs Configure parameters for a BFD session CONFIG-ROUTER- min_rx millisecs multiplier value role established with all neighbors discovered by {active | passive}] BGP. neighbor { ip-address Establish a BFD session with a specified BGP } bfd peer-group-name neighbor or peer group using the default BFD...
  • Page 188 bfd all-neighbors • The neighbor inherits only the global timer values that are configured with the command (interval, min_rx, and multiplier). If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (e.g. neighbor advertisement interval) using the command, the peer group inherits any peer-group-name...
  • Page 189 show The following examples show the BFD for BGP output displayed for these commands. Figure 9-14. Verifying a BFD for BGP Configuration: show running-config bgp Command R2# show running-config bgp router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1...
  • Page 190 Figure 9-16. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.3 Local MAC Addr: 00:01:e8:66:da:33 Remote Addr: 1.1.1.2 Remote MAC Addr: 00:01:e8:8a:da:7b Int: TenGigabitEthernet 6/0 State: Up Configured parameters: BFD session parameters: TX (packet transmission), RX...
  • Page 191 Figure 9-17. Displaying BFD Packet Counters: show bfd counters bgp Command R2# show bfd counters bgp Interface TenGigabitEthernet 6/0 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/1 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/2 Protocol BGP Messages:...
  • Page 192 Figure 9-19. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue...
  • Page 193: Configuring Bfd For Is-Is

    Configuring BFD for IS-IS BFD for IS-IS is supported on platform: When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred.
  • Page 194 To establish BFD with all IS-IS neighbors out of a single interface: Task: Establish sessions with all IS-IS neighbors out of an interface. Command Syntax: isis bfd all-neighbors. Command Mode: INTERFACE. View the established sessions using the show bfd neighbors command, as shown in Figure 9-21.
  • Page 195: Configuring Bfd For Vrrp

    Disabling BFD for IS-IS If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3 on page 179).
  • Page 196 Figure 9-22. Establishing Sessions with VRRP Neighbors VIRTUAL IP Address: 2.2.5.4 R1: BACKUP R2: MASTER 4/25 Force10(config-if-range-gi-4/25)# ip address 2.2.5.1/24 Force10(conf-if-gi-2/3)#ip address 2.2.5.2/24 Force10(config-if-range-gi-4/25)# no shutdown Force10(config-if-gi-2/3)# no shutdown Force10(config-if-range-gi-4/25)# vrrp-group 1 Force10(config-if-range-gi-4/25)# vrrp-group 1 Force10(config-if-range-gi-4/25)# virtual-address 2.2.5.4 Force10(config-if-range-gi-4/25)# virtual-address 2.2.5.4 IP Address: 2.2.5.3 Force10(config-if-range-gi-4/25)# vrrp bfd all-neighbors Force10(config-if-range-gi-4/25)# vrrp bfd all-neighbors...
  • Page 197 Figure 9-23. Viewing Established Sessions for VRRP Neighbors R1(conf-if-gi-4/25)#vrrp bfd all-neighbors R1(conf-if-gi-4/25)#do show bfd neighbor - Active session role Ad Dn - Admin Down - CLI - ISIS VRRP BFD Sessions Enabled - OSPF - Static Route (RTM) - VRRP LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients...
  • Page 198: Configuring Bfd For Vlans

    Configuring BFD for VLANs BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
  • Page 199 There is one BFD Agent for VLANs and port-channels, which resides on RP2, as opposed to the other agents, which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain are shared between VLANs and port-channels. Configuring BFD for VLANs is a two-step process: 1.
  • Page 200 These parameters are configured per interface; if a configuration change is made, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 201: Configuring Bfd For Port-Channels

    Configuring BFD for Port-Channels BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
  • Page 202 These parameters are configured per interface; if you change a parameter, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 203: Configuring Protocol Liveness

    To disable BFD for a port-channel: Task: Disable BFD for a port-channel. Command Syntax: no bfd enable. Command Mode: INTERFACE PORT-CHANNEL. Configuring Protocol Liveness Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down.
  • Page 204 Figure 9-30. debug bfd packet Command Output RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24 TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00...
  • Page 205: Border Gateway Protocol Ipv4 (Bgpv4)

    C-Series pre-7.7.1.0 E-Series TeraScale This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Dell Force10 Operating System (FTOS). This chapter includes the following topics: • Protocol Overview •...
  • Page 206: Autonomous Systems (As)

    • Implementing BGP with FTOS • Advertise IGP cost as MED for redistributed routes • Ignore Router-ID for some best-path calculations • 4-Byte AS Numbers • AS4 Number Representation • AS Number Migration • BGP4 Management Information Base (MIB) • Important Points to Remember •...
  • Page 207 A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks. For example, as seen in Figure 10-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs, because they provide connections from one network to another.
  • Page 208: Sessions And Peers

    Figure 10-2. Full Mesh Examples 4 Routers 6 Routers 8 Routers The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers.
  • Page 209: Route Reflectors

    In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another.
  • Page 210: Confederations

    To illustrate how these rules affect routing, see Figure 10-3 and the following steps. Routers B, C, D, E, and G are members of the same AS - AS100. These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Router E and H are client peers of Router D; Routers B and C are nonclient peers of Router D.
  • Page 211: Bgp Attributes

    BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
  • Page 212 Figure 10-4. BGP Best Path Selection [Flowchart: best-path decision steps followed by tie breakers]
  • Page 213 • AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE. 5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE). 6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply: •...
  • Page 214: Weight

    Weight The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight will be preferred. The route with the highest weight is installed in the IP routing table. Local Preference Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS.
  • Page 215: Origin

    One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In Figure 10-6, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50.
  • Page 216 Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally means that a route was learned from an external gateway protocol. An INCOMPLETE origin code generally results from aggregation, redistribution or other indirect ways of installing routes into BGP. In FTOS, these origin codes appear as shown in Figure 10-7.
  • Page 217: Next Hop

    Next Hop The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS.
  • Page 218: Byte As Numbers

    • If the redistribute command does not have any metric configured and BGP Peer out-bound route-map does have metric-type internal configured, BGP advertises the IGP cost as MED. redistribute metric route-map set metric redistribute route-type • If the command has configured ( metric) metric-type internal...
  • Page 219: As4 Number Representation

    Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS Numbers using the traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip bgp commands. For example, an ASN entered as 3183856184 will appear in the show commands as 48581.51768;...
  • Page 220 ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than 65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear using the decimal method (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number 65546 appears as 1.10.
  • Page 221: As Number Migration

    Figure 10-10. Dynamic changes when bgp asnotation command is disabled in the show running config AS NOTATION DISABLED FTOS(conf-router_bgp)#no bgp asnotation FTOS(conf-router_bgp)#sho conf router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057 <output truncated> FTOS(conf-router_bgp)#do sho ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS4 SUPPORT DISABLED FTOS(conf-router_bgp)#no bgp four-octet-as-support...
  • Page 222: Before Migration

    Figure 10-11. Local-AS Scenario [Diagram panels: Before Migration; After Migration, with Local-AS enabled] When you complete your migration and have reconfigured your network with the new information, you must disable this feature.
  • Page 223: Bgp4 Management Information Base (Mib)

    SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation. Important Points to Remember •...
  • Page 224: Configuration Information

    To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Force10 recommends setting the timeout and retry count values to a relatively higher number. e.g. t = 60 or r = 5.
  • Page 225: Bgp Configuration

    BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the always-compare-med command is not enabled).
  • Page 226 • Configure passive peering • Maintain existing AS numbers during an AS migration • Allow an AS number to appear in its own AS path • Enable graceful restart • Filter on an AS-Path attribute • Configure IP community lists •...
  • Page 227 Use these commands in the following sequence, starting in the CONFIGURATION mode, to establish BGP sessions on the router. Command Syntax: router bgp as-number. Command Mode: CONFIGURATION. Purpose: Assign an AS number and enter the ROUTER BGP mode. AS Number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format). Only one AS is supported per system...
  • Page 228 Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration. Use the show ip bgp summary command in EXEC Privilege mode to view the BGP status. Figure 10-12 shows the summary with a 2-Byte AS Number displayed; Figure 10-13 shows the summary with a 4-Byte AS Number displayed.
  • Page 229 Figure 10-14 displays two neighbors: one is an external and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal. The third line of the show ip bgp neighbors output contains the BGP State.
  • Page 230 Figure 10-15. Command example: show running-config bgp R2#show running-config bgp router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown...
  • Page 231 Task Command Syntax Command Mode bgp asnotation asdot Enable ASDOT AS Number CONFIG-ROUTER-BGP representation. Figure 10-17 bgp asnotation asdot+ Enable ASDOT+ AS Number CONFIG-ROUTER-BGP representation.Figure 10-18 Figure 10-16. Command example and output: bgp asnotation asplain FTOS(conf-router_bgp)#bgp asnotation asplain FTOS(conf-router_bgp)#sho conf router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508...
  • Page 232 Configure Peer Groups To configure multiple BGP neighbors at one time, create and populate a BGP peer group. Another advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 Peer Groups are allowed on the system.
  • Page 233 When you add a peer to a peer group, it inherits all the peer group’s configured parameters. A neighbor cannot become part of a peer group if any of the following commands are configured: • neighbor advertisement-interval • neighbor distribute-list out •...
  • Page 234: Neighbor Shutdown

    Figure 10-20. Command example: show config (peer-group enabled) FTOS(conf-router_bgp)#neighbor zanzibar no shutdown FTOS(conf-router_bgp)#show config Enabling neighbor zanzibar router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar no shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown FTOS(conf-router_bgp)# To disable a peer group,...
  • Page 235 Figure 10-21. Command example: show ip bgp peer-group FTOS>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1...
  • Page 236 The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. Command Syntax: neighbor {ip-address | peer-group-name} fall-over. Command Mode: CONFIG-ROUTER-BGP. Purpose: Enable BGP Fast Fall-Over. To disable Fast Fall-Over, use the [no] neighbor [neighbor | peer-group] fall-over command in CONFIGURATION ROUTER BGP mode...
  • Page 237 Figure 10-22. Command example: show ip bgp neighbors FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.5 BGP state ESTABLISHED, in this state for 00:19:15 Last read 00:00:15, last write 00:00:06 Hold time is 180, keepalive interval is 60 seconds Received 52 messages, 0 notifications, 0 in queue...
  • Page 238 Figure 10-23. Command example: show ip bgp peer-group FTOS#sh ip bgp peer-group Peer-group test Fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS#...
  • Page 239 Step Command Syntax Command Mode Purpose neighbor peer-group-name no CONFIG-ROUTER- Enable the peer group. shutdown neighbor peer-group-name CONFIG-ROUTER- Create and specify a remote peer as a BGP remote-as as-number neighbor. Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
  • Page 240 Figure 10-24. Local-as information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in Actual AS Number neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 Local-AS Number 6500...
  • Page 241 Figure 10-25. Allowas-in information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500...
  • Page 242 • Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic. • Bring the secondary RPM online as the primary and re-open sessions with all peers operating in “no shutdown”...
  • Page 243 Filter on an AS-Path attribute The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an Autonomous System, the AS number is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing.
  • Page 244 Step Command Syntax Command Mode Purpose { deny | permit } filter CONFIG-AS-PATH Enter the parameter to match BGP AS-PATH for parameter filtering. This is the filter that will be used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions.
  • Page 245 Figure 10-27. Filtering with Regular Expression FTOS(config)#router bgp 99 FTOS(conf-router_bgp)#neigh AAA peer-group FTOS(conf-router_bgp)#neigh AAA no shut FTOS(conf-router_bgp)#show conf router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown FTOS(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in FTOS(conf-router_bgp)#ex Create the Access List and Filter FTOS(conf)#ip as-path access-list Eagle...
  • Page 246: Redistribute Routes

    Table 10-4. Regular Expressions (Regular Expression: Definition) • ( ) (parenthesis): Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ? • [ ] (brackets): Matches any enclosed character; specifies a range of single characters • - (hyphen): Used within brackets to specify a range of AS or community numbers.
  • Page 247 Command Syntax Command Mode Purpose redistribute ospf [ match ROUTER BGP or Include specific OSPF routes in IS-IS. process-id external { 1 | 2 } | match internal ] CONF-ROUTER_BGPv6_ Configure the following parameters: [ metric-type { external | internal }] •...
  • Page 248 Use these commands in the following sequence, starting in the CONFIGURATION mode to configure an IP community list. Step Command Syntax Command Mode Purpose ip community-list CONFIGURATION Create a Community list and enter the community-list-name COMMUNITY-LIST mode. { deny | permit } CONFIG-COMMUNITY- Configure a Community list by denying or permitting | local-AS...
  • Page 249 Figure 10-28. Command example: show ip community-lists FTOS#show ip community-lists ip community-list standard 1 deny 701:20 deny 702:20 deny 703:20 deny 704:20 deny 705:20 deny 14551:20 deny 701:112 deny 702:112 deny 703:112 deny 704:112 deny 705:112 deny 14551:112 deny 701:667 deny 702:667 deny 703:667 Use these commands in the following sequence, starting in the CONFIGURATION mode, to use an IP...
  • Page 250 Manipulate the COMMUNITY attribute In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, FTOS does not send the COMMUNITY attribute. Use the following command in the CONFIGURATION ROUTER BGP mode to send the COMMUNITY attribute to BGP neighbors.
  • Page 251: Show Ip Bgp Community

    Step Command Syntax Command Mode Purpose exit CONFIG-ROUTE-MAP Return to the CONFIGURATION mode. router bgp CONFIGURATION Enter the ROUTER BGP mode. as-number neighbor { ip-address CONFIG-ROUTER-BGP Apply the route map to the neighbor or peer group’s incoming or outgoing routes. peer-group-name route-map { in |...
  • Page 252 Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used. Command Syntax Command Mode Purpose bgp always-compare-med CONFIG-ROUTER- Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
  • Page 253 Step Command Syntax Command Mode Purpose router bgp CONFIGURATION Enter the ROUTER BGP mode. as-number neighbor { CONFIG-ROUTER-BGP Apply the route map to the neighbor or peer ip-address } route-map group’s incoming or outgoing routes. peer-group-name { in | out } map-name show config To view the BGP configuration, use the...
  • Page 254 You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address: Command Syntax Command Mode Purpose set weight weight CONFIG-ROUTE-MAP Sets weight for the route.
  • Page 255 Refer to Chapter 8, “IP Access Control Lists (ACL), Prefix Lists, and Route-maps,” on page 133 for configuration information on prefix lists, AS-PATH ACLs, and route maps. Note: When you configure a new set of BGP policies, always reset the neighbor or peer group by entering the clear ip bgp command in EXEC Privilege mode.
  • Page 256 Use these commands in the following sequence, starting in the CONFIGURATION mode to filter routes using a route map. Step Command Syntax Command Mode Purpose route-map [ permit | map-name CONFIGURATION Create a route map and assign it a name. deny ] [ sequence-number { match | set }...
  • Page 257 Step Command Syntax Command Mode Purpose neighbor { CONFIG-ROUTER-B Filter routes based on the criteria in the ip-address } filter-list peer-group-name configured route map. Configure the following { in | out } as-path-name parameters: • ip-address peer-group-name: enter the neighbor’s IP address or the peer group’s name.
  • Page 258 Aggregate routes FTOS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. Use the following command in the CONFIGURATION ROUTER BGP mode to aggregate routes. Command Syntax Command Mode Purpose...
  • Page 259 Use the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP confederations. Command Syntax Command Mode Purpose bgp confederation identifier CONFIG-ROUTER- Specifies the confederation ID. as-number AS-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) bgp confederation peers CONFIG-ROUTER- Specifies which confederation sub-AS are peers. as-number [...
  • Page 260 Figure 10-31. Setting Reuse and Restart Route Values FTOS(conf-router_bgp)#bgp dampening ? Set time before <1-45> Half-life time for the penalty (default = 15) value decrements route-map Route-map to specify criteria for dampening <cr> Set readvertise value FTOS(conf-router_bgp)#bgp dampening 2 ? <1-20000>...
  • Page 261 To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode: Command Syntax Command Mode Purpose set dampening CONFIG-ROUTE-MAP Enter the following optional parameters to half-life reuse suppress max-suppress-time configure route dampening parameters: • range: 1 to 45. Number of minutes after half-life which the Penalty is decreased.
  • Page 262 Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to active state. Command Syntax Command Mode Purpose clear ip bgp dampening [ ip-address EXEC Privilege Clear all information or only information on a specific mask route.
  • Page 263 Change BGP timers Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers. Command Syntax Command Mode Purpose neighbors { ip-address CONFIG-ROUTER- Configure timer values for a BGP neighbor or peer } timers group.
  • Page 264 Use the clear ip bgp command in EXEC Privilege mode to reset a BGP connection using BGP soft reconfiguration. Command Syntax: neighbor {ipv4-address | ipv6-address | peer-group-name} soft-reconfiguration inbound. Command Mode: CONFIG-ROUTER-. Purpose: Enable inbound soft-reconfiguration for the specified BGP neighbor. BGP stores all updates received by the neighbor but does not reset the peer session.
  • Page 265 Route map continue The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs.
  • Page 266: Mbgp Configuration

    MBGP Configuration MBGP for IPv6 unicast is supported on platforms MBGP for IPv4 Multicast is supported on platform MBGP is not supported on the E-Series ExaScale x platform. Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing.
  • Page 267: Bgp Regular Expression Optimization

    BGP Regular Expression Optimization BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can take a lot of CPU cycles, especially when the database is large. FTOS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in the RP1 processor.
  • Page 268: Storing Last And Bad Pdus

    Command Syntax Command Mode Purpose debug ip bgp ip-address EXEC Privilege Enable soft-reconfiguration debug. Enable soft-reconfiguration soft-reconfiguration debug. peer-group-name To enhance debugging of soft reconfig, use the following command only when route-refresh is not negotiated to avoid the peer from resending messages: bgp soft-reconfig-backup show ip In-BGP is shown via the...
  • Page 269: Capturing Pdus

    Figure 10-34. Viewing the Last Bad PDU from BGP Peers FTOS(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2 BGP neighbor is 1.1.1.2, remote AS 2, external link BGP version 4, remote router ID 2.4.0.1 BGP state ESTABLISHED, in this state for 00:00:01 Last read 00:00:00, last write 00:00:01 Hold time is 90, keepalive interval is 30 seconds Received 1404 messages, 0 in queue...
  • Page 270 The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic, and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction. Setting the buffer size to a value lower than the current maximum might cause captured PDUs to be freed to set the new limit.
  • Page 271: Pdu Counters

    With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs, as shown in Figure 10-36. Figure 10-36. Required Memory for Captured PDUs FTOS(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250 Incoming packet capture enabled for BGP neighbor 172.30.1.250 Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes [.
  • Page 272 Figure 10-37. Sample Configuration Illustration Physical Links AS 99 Virtual Links GigE 1/21 GigE 2/11 10.0.1.21 /24 10.0.1.22 /24 Peer Group AAA Loopback 1 192.168.128.2 /24 Loopback 1 ck 1 192.168.128.1 /24 GigE 2/31 GigE 1/31 10.0.2.2 /24 10.0.3.31 /24 GigE 3/11 GigE 3/21 10.0.3.33 /24...
  • Page 273 Figure 10-38. Enable BGP - Router 1 R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int gig 1/21 R1(conf-if-gi-1/21)#ip address 10.0.1.21/24 R1(conf-if-gi-1/21)#no shutdown R1(conf-if-gi-1/21)#show config interface GigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-gi-1/21)#int gig 1/31...
  • Page 274 Figure 10-39. Enable BGP - Router 2 R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.2/24 R2(conf-if-lo-0)#no shutdown R2(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.2/24 no shutdown R2(conf-if-lo-0)#int gig 2/11 R2(conf-if-gi-2/11)#ip address 10.0.1.22/24 R2(conf-if-gi-2/11)#no shutdown R2(conf-if-gi-2/11)#show config interface GigabitEthernet 2/11 ip address 10.0.1.22/24 no shutdown R2(conf-if-gi-2/11)#int gig 2/31...
  • Page 275 Figure 10-40. Enable BGP - Router 3 R3# conf R3(conf)# R3(conf)#int loop 0 R3(conf-if-lo-0)#ip address 192.168.128.3/24 R3(conf-if-lo-0)#no shutdown R3(conf-if-lo-0)#show config interface Loopback 0 ip address 192.168.128.3/24 no shutdown R3(conf-if-lo-0)#int gig 3/11 R3(conf-if-gi-3/11)#ip address 10.0.3.33/24 R3(conf-if-gi-3/11)#no shutdown R3(conf-if-gi-3/11)#show config interface GigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int gig 3/21...
  • Page 276 Figure 10-41. Enable Peer Group - Router 1 R1#conf R1(conf)#router bgp 99 R1(conf-router_bgp)# network 192.168.128.0/24 R1(conf-router_bgp)# neighbor AAA peer-group R1(conf-router_bgp)# neighbor AAA no shutdown R1(conf-router_bgp)# neighbor BBB peer-group R1(conf-router_bgp)# neighbor BBB no shutdown R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config router bgp 99...
  • Page 277 Figure 10-42. Enable Peer Groups - Router 1 continued Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
  • Page 278 Figure 10-43. Enable Peer Groups - Router 2 R2#conf R2(conf)#router bgp 99 R2(conf-router_bgp)# neighbor CCC peer-group R2(conf-router_bgp)# neighbor CC no shutdown R2(conf-router_bgp)# neighbor BBB peer-group R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.3 no shut R2(conf-router_bgp)#show conf...
  • Page 279 Figure 10-44. Enable Peer Group - Router 3 R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown R3(conf-router_bgp)#...
  • Page 280 Figure 10-45. Enable Peer Groups - Router 3 continued Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
  • Page 281: Content Addressable Memory

    Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACL), flows, and routing policies. On Dell Force10 systems, there are one or two CAM (Dual-CAM) modules per port-pipe depending on the type of line card.
  • Page 282: Cam Profiles

    Either ExaScale 10G or 40G CAM line cards can be used in a system. CAM Profiles Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including each RPM.
  • Page 283 Table 11-1. CAM Profile Descriptions CAM Profile Description Default An all-purpose profile that allocates CAM space according to the way Dell Force10 systems are most commonly used. Available Microcodes: default, lag-hash-align, lag-hash-mpls, l2-switched-pbr eg-default For EG-series line cards only. EG series line cards have two CAM modules per Port-pipe.
  • Page 284: Microcode

    Microcode Microcode is a compiled set of instructions for a CPU. On Dell Force10 systems, the microcode controls how packets are handled. There is a default microcode, and several other microcodes are available, so that you can adjust packet handling according to your application.
  • Page 285: Cam Profiling For Acls

    Table 11-3. Microcode Descriptions Microcode Description lag-hash-mpls For hashing based on MPLS labels (up to five labels deep). With the default microcode, MPLS packets are distributed over a port-channel based on the MAC source and destination address. With the lag-hash-mpls microcode, MPLS packets are distributed across the port-channel based on IP source and destination address and IP protocol.
  • Page 286: Boot Behavior

    Table 11-4. Layer 2 ACL CAM Sub-partition Sizes Partition % Allocated L2PT FRRP You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or CONFIGURATION mode.
  • Page 287: When To Use Cam Profiling

    Message 2 EH Line Card with EG Chassis Profile Error # Before reload: 01:09:56: %RPM0-P:CP %CHMGR-4-EH_PROFILE_WARN: If EH CAM profile is selected, non-EJ cards will be in problem state after reload # After reload: 00:04:46: %RPM0-P:CP %CHMGR-3-PROFILE_MISMATCH: Mismatch: line card 1 has mismatch CAM profile or microcode Figure 11-1.
  • Page 288: Differences Between Etherscale And Terascale

    • Optimize the VLAN ACL Group feature, which permits group VLANs for IP egress ACLs. See profile for the VLAN ACL group feature on page 299. Important Points to Remember • CAM Profiling is available on the E-Series TeraScale with FTOS versions 6.3.1.1 and later. •...
  • Page 289: Cam Allocation

    To change the CAM profile on the entire system: Step Task Command Syntax Command Mode cam-profile microcode profile CONFIGURATION Select a CAM profile microcode Note: If selecting a cam-profile for VRF ( ), implement the command cam-profile ipv4-vrf or ipv4-v6-vrf in the CONFIGURATION mode only.
  • Page 290: Test Cam Usage

    The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges. You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings to take effect.
  • Page 291: View Cam Profiles

    View CAM Profiles View the current CAM profile for the chassis and each component using the show cam-profile command, as shown in Figure 11-4. This command also shows the profile that will be loaded upon the next chassis or component reload. Figure 11-4.
  • Page 292: View Cam Usage

    Figure 11-6. View CAM-ACl settings on C-Series and S-Series FTOS# show cam-acl -- Chassis Cam ACL -- Current Settings(in block sizes) L2Acl Ipv4Acl Ipv6Acl Ipv4Qos L2Qos L2PT IpMacAcl VmanQos VmanDualQos -- Line card 0 -- Current Settings(in block sizes) L2Acl Ipv4Acl Ipv6Acl Ipv4Qos...
  • Page 293: Configure Ipv4Flow Sub-Partitions

    Figure 11-7. Viewing CAM Usage Information R1#show cam-usage Linecard|Portpipe| CAM Partition | Total CAM Used CAM |Available CAM ========|========|=================|=============|=============|============== | IN-L2 ACL 1008 | IN-L2 FIB 32768 1132 31636 | IN-L3 ACL 12288 12286 | IN-L3 FIB 262141 262127 | IN-L3-SysFlow 2878 2833 | IN-L3-TrcList...
  • Page 294 • The IPv4Flow configuration is applied to the entire system when you enter the cam-ipv4flow command from CONFIGURATION mode; however, you must save the running-configuration to effect the change. The amount of space that is allocated among the sub-partitions must be equal to the amount of CAM space allocated to IPv4Flow by the selected CAM profile (see Table 11-1);...
  • Page 295: Configure Ingress Layer 2 Acl Sub-Partitions

    Figure 11-8. Configuring IPv4Flow on the Entire System FTOS(conf)#cam-ipv4flow default FTOS#copy running-config startup-config File with same name already exist. Proceed to copy the file [confirm yes/no]: yes 3914 bytes successfully copied FTOS#sh cam-ipv4flow -- Chassis Cam Ipv4Flow -- Current Settings Next Boot Multicast Fib/Acl : System Flow...
  • Page 296 Table 11-6. Layer 2 ACL CAM Sub-partition Sizes (continued) Partition % Allocated L2PT FRRP You can re-configure the amount of space, in percentage, allocated to each sub-partition. • Apply the Ingress Layer 2 ACL configuration to the entire system by entering the cam-l2acl command from CONFIGURATION mode; however, you must save the running-configuration to effect the change.
  • Page 297: Return To The Default Cam Configuration

    Figure 11-9. Configuring Ingress Layer 2 ACL on the Entire System FTOS(conf)#do show cam-l2acl | find "Line card 1" -- Line card 1 -- Current Settings(in percent) Sysflow L2Acl Pvst L2pt Frrp [output omitted] FTOS(conf)#cam-l2acl system-flow 100 l2acl 0 p 0 q 0 l 0 f 0 FTOS(conf)#do show cam-l2acl | find "Line card 1"...
  • Page 298: Cam Optimization

    Figure 11-10. Returning to the default Configuration FTOS(conf)#cam-profile ? default Enable default CAM profile eg-default Enable eg-default CAM profile ipv4-320k Enable 320K CAM profile ipv4-egacl-16k Enable CAM profile with 16K IPv4 egress ACL ipv6-extacl Enable CAM profile with extended ACL l2-ipv4-inacl Enable CAM profile with 32K L2 and 28K IPv4 ingress ACL unified-default...
  • Page 299: Lag Hashing Based On Bidirectional Flow

    In this case, manually adjust the CAM configuration on the card to match the system configuration. Dell Force10 recommends the following to prevent mismatches: • Use the eg-default CAM profile in a chassis that has only EG Series line cards. If this profile is used in a chassis with non-EG line cards, the non-EG line cards enter a problem state.
  • Page 300: Qos Cam Region Limitation

    QoS CAM Region Limitation The default CAM profile allocates a partition within the IPv4Flow region to store QoS service policies. If the QoS CAM space is exceeded, messages similar to the ones in Message 5 are displayed. Message 5 QoS CAM Region Exceeded %EX2YD:12 %DIFFSERV-2-DSA_QOS_CAM_INSTALL_FAILED: Not enough space in L3 Cam(PolicyQos) for class 2 (Gi 12/20) entries on portpipe 1 for linecard 12 %EX2YD:12 %DIFFSERV-2-...
  • Page 301: Configuration Replace And Rollback

    The reboot process takes several minutes by default, and if your startup-configuration is extensive, the process can take several minutes more. As a result, when the Dell Force10 system is deployed in a production environment, you must wait for a maintenance window to load a new configuration.
  • Page 302: Configuring Configuration Replace And Rollback

    Configuring Configuration Replace and Rollback Configuring Configuration Replace and Rollback is a three-step process: 1. Enable the archive service. See page 302. 2. Archive a running-configuration. See page 303. 3. Replace the running-configuration with an archived configuration. See page 303. Related Configuration Tasks •...
  • Page 303: Archiving A Configuration File

    You do not have to enable the archive service again if you save the running configuration after completing task. If you reload the system or upgrade your FTOS version without saving the running configuration you must enable the archive service again. Archiving a Configuration File Archive the current running configuration file using the archive config command...
  • Page 304: Rolling Back To The Previous Configuration

    1. The hostname of the Dell Force10 system is changed from “R1” to “FTOS.” 2. The running configuration is replaced with archive_0, in which the hostname is “R1.” Figure 12-3. Replacing the Running-configuration with an Archived Configuration R1#config R1(conf)#hostname FTOS...
  • Page 305: Configuring An Archive File Maximum

    Figure 12-5. Configuring FTOS to Rollback to a Previous Configuration FTOS#configure replace archive_0 time ? <60-1800> Time value (in seconds) FTOS#configure replace archive_0 time 60 This will apply all nessesary additions and deletions to replace the current running-config with the contents of the specified configuration file, which is assumed to be complete configuration, not a partial configuration...
  • Page 306: Configuring Auto-Archive

    Figure 12-8. Configuring the Maximum Number of Archive Files (continued) R1#archive config configuration archived as archive_1 R1#show archive Archive directory: flash:/CFGARCH_DIR Archive Date Time Size Comment archive_0 11/20/2007 09:45:24 6120 Archived archive_1 11/20/2007 10:54:12 6120 Most recently archived R1#archive config configuration archived as archive_2 R1#show archive Archive directory: flash:/CFGARCH_DIR...
  • Page 307: Copying And Deleting An Archive File

    Figure 12-9. Configuring an Archive Time-period R1(conf-archive)#time-period 5 R1(conf-archive)#show config archive maximum 2 time-period 5 R1(conf-archive)# Copying and Deleting an Archive File Copy an archive file to another location using the archive backup command, as shown in Figure 12-10. Delete an archive file using the archive delete command from CONFIG ARCHIVE mode.
  • Page 308: Viewing The Difference Between Configuration Files

    Figure 12-10. Viewing an Archive File R1#archive backup archive_2 flash://archive_2 6120 bytes successfully copied R1#dir Directory of flash: drw- 32768 Jan 01 1980 00:00:00 drwx Nov 16 2007 13:20:22 drw- 8192 Mar 11 2007 00:23:40 TRACE_LOG_DIR drw- 8192 Mar 11 2007 00:23:40 CRASH_LOG_DIR drw- 8192...
  • Page 309 Figure 12-11. Viewing the Difference between Configuration Files R1#archive config configuration archived as archive_3 R1(conf)#hostname FTOS FTOS(conf)#do show run diff archive_3 running-config ------- < hostname FTOS flash:/CFGARCH_DIR/archive_3 ------- > hostname R1 FTOS(conf)#
  • Page 311: Dynamic Host Configuration Protocol

    Dynamic Host Configuration Protocol is available on platforms: c e s. This chapter contains the following sections: • Protocol Overview on page 311 • Implementation Information on page 314 • Configuration Tasks on page 314 • Configure the System to be a DHCP Server on page 314 •...
  • Page 312: Dhcp Packet Format And Options

    DHCP Packet Format and Options DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format;...
  • Page 313: Assigning An Ip Address Using Dhcp

    Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
  • Page 314: Configuration Tasks

    Implementation Information • The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046. • DHCP is available on VLANs and Private VLANs. • IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP Source Address Validation.
  • Page 315: Configure The Server For Automatic Address Allocation

    IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell Force10 system to be a DHCP server is a 3-step process: Configure the Server for Automatic Address Allocation Specify a Default Gateway...
  • Page 316: Specify A Default Gateway

    To create an address pool: Step Task Command Syntax Command Mode ip dhcp server Access the DHCP server CLI context. CONFIGURATION pool name Create an address pool and give it a name. DHCP network network /prefix-length Specify the range of IP addresses from which the DHCP <POOL>...
  • Page 317: Enable Dhcp Server

    Display the current DHCP configuration. DHCP In Figure 13-3, an IP phone is powered by PoE and has acquired an IP address from the Dell Force10 system, which is advertising LLDP-MED. The leased IP address is displayed using show ip dhcp binding,...
  • Page 318: Allocate Addresses To Bootp Clients

    Specify the NetBIOS node type for a Microsoft DHCP <POOL> DHCP client. Dell Force10 recommends specifying clients as hybrid. Allocate Addresses to BOOTP Clients Network segments may have both BOOTP and DHCP clients. In this kind of environment, there might be a BOOTP server and a DHCP server to serve the two types of clients separately.
  • Page 319: Check For Address Conflicts

    To create a manual binding: Step Task Command Syntax Command Mode pool name Create an address pool DHCP host address Specify the client IP address. DHCP <POOL> hardware-address hardware-address type Specify the client hardware address or DHCP <POOL> client-identifier. client-identifier unique-identifier •...
  • Page 320: Dhcp Clear Commands

    Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network. You can configure an interface on the Dell Force10 system to relay the DHCP messages to a specific ip helper-address dhcp-address...
  • Page 321: Configure Secure Dhcp

    Figure 13-4. Configuring Dell Force10 Systems as a DHCP Relay Device DHCP Server 10.11.2.5 Broadcast Unicast DHCP Server Source IP : 10.11.1.5 Source IP : 10.11.1.5 10.11.1.5 Destination IP: 255.255.255.255 Destination IP: 10.11.0.3 Source Port: 67 Source Port: 67 Destination Port: 68...
  • Page 322: Option 82

    • DHCP Snooping on page 322 • Dynamic ARP Inspection on page 325 • Source Address Validation on page 327 Option 82 RFC 3046 (Relay Agent Information option, or Option 82) is used for class-based IP address assignment. The code for the Relay Agent Information option is 82, and is comprised of two sub-options, Circuit ID and Remote ID.
  • Page 323: Enable Dchp Snooping

    When DHCP Snooping is enabled, the relay agent builds a binding table, using DHCPACK messages, containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table. The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate, and that the packet arrived on the correct port;...
  • Page 324: Add A Static Entry In The Binding Table

    Add a static entry in the binding table Task Command Syntax Command Mode ip dhcp snooping binding mac Add a static entry in the binding table. EXEC Privilege Clear the binding table Task Command Syntax Command Mode clear ip dhcp snooping binding Delete all of the entries in the binding EXEC Privilege table...
  • Page 325: Drop Dhcp Packets On Snooped Vlans Only

    Drop DHCP packets on snooped VLANs only Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.1, line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped-VLANs, while such packets will be forwarded across non-snooped VLANs.
  • Page 326 packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC address and the client’s IP address. The gateway then thinks that the attacker is the client, and forwards all packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the client.
  • Page 327: Source Address Validation

    View the number of entries in the ARP database with the show arp inspection database command. Figure 13-8. Command example: show arp inspection database FTOS#show arp inspection database Protocol Address Age(min) Hardware Address Interface VLAN ---------------------------------------------------------------------------- Internet 10.1.1.251 00:00:4d:57:f2:50 Gi 0/2 Vl 10 Internet 10.1.1.252...
  • Page 328: Ip Source Address Validation

    • DHCP MAC Source Address Validation on page 328 verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload. • IP+MAC Source Address Validation on page 328 verifies that the IP source address and MAC source address are a legitimate pair.
  • Page 329 IP Source Address Validation validates the IP source address of an incoming packet against the DHCP Snooping binding table. IP+MAC Source Address Validation ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. IP+MAC Source Address Validation cannot be configured with IP Source Address Validation.
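
The binding-table checks described above for DHCP Snooping (page 323) and Source Address Validation (pages 328-329), as an added Python model; it is not FTOS code and not part of the guide. The class and function names, the verdict strings, the `client_port` argument and the per-port matching in the SAV checks are assumptions, and all addresses are constructed sample values.

```python
"""Toy model of a DHCP snooping binding table and the checks built on it."""
from dataclasses import dataclass

# Message types the guide lists as checked against the binding table.
CHECKED_TYPES = {"DHCPRELEASE", "DHCPNACK", "DHCPDECLINE"}


def norm_mac(mac):
    """Normalise a MAC address so comparisons ignore case and separator."""
    return mac.lower().replace("-", ":")


@dataclass
class Binding:
    mac: str        # client MAC address
    ip: str         # leased IP address
    expires: float  # absolute expiry time derived from the lease time
    port: str       # port the client sits behind
    vlan: int


class SnoopingTable:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.by_ip = {}

    def _live(self, ip, now):
        """Return the binding for ip, deleting it first if the lease expired."""
        b = self.by_ip.get(ip)
        if b is not None and now >= b.expires:
            del self.by_ip[ip]
            return None
        return b

    def learn_from_ack(self, ack_port, client_mac, ip, lease_s,
                       client_port, vlan, now):
        """Add an entry only when the DHCPACK arrived on a trusted port."""
        if ack_port not in self.trusted:
            return False
        self.by_ip[ip] = Binding(norm_mac(client_mac), ip, now + lease_s,
                                 client_port, vlan)
        return True

    def check_client_dhcp(self, msg_type, mac, ip, port, now):
        """Check the MAC-IP pair and the arrival port against the table."""
        if msg_type not in CHECKED_TYPES:
            return "not-checked"
        b = self._live(ip, now)
        if b is None:
            return "no-binding"
        if b.mac != norm_mac(mac):
            return "mac-ip-mismatch"
        if b.port != port:
            return "wrong-port"
        if msg_type == "DHCPRELEASE":
            del self.by_ip[ip]  # a valid release removes the entry
        return "ok"

    def ip_sav(self, src_ip, port, now):
        """IP Source Address Validation: source IP must be a live binding.
        Assumption: the binding must also be on the ingress port."""
        b = self._live(src_ip, now)
        return b is not None and b.port == port

    def ip_mac_sav(self, src_ip, src_mac, port, now):
        """IP+MAC validation: the pair is checked together, not each alone."""
        b = self._live(src_ip, now)
        return (b is not None and b.port == port
                and b.mac == norm_mac(src_mac))


def dhcp_mac_sav(eth_src, chaddr):
    """DHCP MAC validation: frame source MAC must equal the payload CHADDR."""
    return norm_mac(eth_src) == norm_mac(chaddr)


def run_constructed_scenario():
    """Constructed traffic: one real client on Gi 0/2, one spoofer on Gi 0/3."""
    client, spoof, ip = "00:00:5e:00:53:0a", "00:00:5e:00:53:99", "192.0.2.10"
    t = SnoopingTable(trusted_ports={"Gi 0/1"})
    r = {}
    r["ack_untrusted"] = t.learn_from_ack("Gi 0/5", client, ip, 3600, "Gi 0/5", 10, now=0)
    r["ack_trusted"] = t.learn_from_ack("Gi 0/1", client.upper(), ip, 3600, "Gi 0/2", 10, now=0)
    r["spoofed_release"] = t.check_client_dhcp("DHCPRELEASE", spoof, ip, "Gi 0/3", now=10)
    r["release_wrong_port"] = t.check_client_dhcp("DHCPRELEASE", client, ip, "Gi 0/3", now=10)
    r["ip_sav_ok"] = t.ip_sav(ip, "Gi 0/2", now=20)
    r["ip_mac_sav_spoof"] = t.ip_mac_sav(ip, spoof, "Gi 0/2", now=20)
    r["chaddr_mismatch"] = dhcp_mac_sav(spoof, client)
    r["real_release"] = t.check_client_dhcp("DHCPRELEASE", client, ip, "Gi 0/2", now=30)
    r["after_release"] = t.ip_sav(ip, "Gi 0/2", now=31)
    return r


if __name__ == "__main__":
    for name, verdict in run_constructed_scenario().items():
        print(f"{name:20} {verdict}")
```

The spoofed DHCPRELEASE is the case the MAC-IP and port checks exist for: without them, any host on the VLAN could release another client's lease.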
  • Page 331: Equal Cost Multi-Path

    Equal Cost Multi-Path This chapter describes how to configure: • ECMP for Flow-based Affinity (E-Series), including the configurable hash algorithm • Configurable ECMP Hash Algorithm (C- and S-Series) ECMP for Flow-based Affinity (E-Series) ECMP for Flow-based Affinity (E-Series) is available on platform: The hashing algorithm on E-Series TeraScale and E-Series ExaScale are different: •...
  • Page 332: Deterministic Ecmp Next Hop

    FTOS Behavior: In FTOS versions prior to 8.2.1.2, the ExaScale default hash-algorithm is 0. Beginning with version 8.2.1.2, the default hash-algorithm is 24. For information on the load-balancing criteria used by the hash algorithm to distribute traffic among ECMP paths and LAG members on an E-Series system, see E-Series load-balancing on page 436.
  • Page 333 Task Command Syntax Command Mode hash-algorithm seed value linecard number Specify the hash algorithm seed. CONFIGURATION port-set number Range: 0 - 4095 Figure 14-1, Core Router 1 is an E-Series TeraScale and Core Router 2 is an E-Series ExaScale. They have similar configurations and have routes for prefix P with two possible next-hops.
  • Page 334: Configurable Ecmp Hash Algorithm (C- And S-Series)

    Configurable ECMP Hash Algorithm (C- and S-Series) Configurable ECMP Hash Algorithm (C- and S-Series) is available on platforms: On C-Series and S-Series, the hash-algorithm command is specific to ECMP groups and has a different default from the E-Series (see Configurable Hash Algorithm (E-Series)).
  • Page 335: Force10 Resilient Ring Protocol

    Force10 Resilient Ring Protocol is supported on platforms: c e s. The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later. Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses. FRRP is similar to what can be achieved with the Spanning Tree Protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
  • Page 336: Ring Status

    Each Transit node is also configured with a Primary port and a Secondary port on the ring, but the port distinction is ignored as long as the node is configured as a Transit node. If the ring is complete, the Master node logically blocks all data traffic in the transmit and receive directions on the Secondary port to prevent a loop.
  • Page 337: Multiple Frrp Rings

    If the Master node does not receive the Ring Health Frame (RHF) before the fail-period timer expires (a configurable timer), the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing them to also clear their forwarding tables.
  • Page 338: Important Frrp Points

    In the example shown in Figure 15-2, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
  • Page 339: Important Frrp Concepts

    • Ring Status Check Frames are transmitted by the Master Node at specified intervals. • Multiple physical rings can be run on the same switch. • One Master node is supported per ring. All other nodes are Transit nodes. • Each node has 2 member interfaces: Primary and Secondary.
  • Page 340: Implementing Frrp

    • FRRP is media and speed independent. • FRRP is a Dell Force10 proprietary protocol that does not interoperate with any other vendor. • Spanning Tree must be disabled on both Primary and Secondary interfaces before FRRP is enabled. •...
  • Page 341: Frrp Configuration

    • The Control VLAN is not used to carry any data traffic; it carries only RHFs. • The Control VLAN cannot have members that are not ring ports. • If multiple rings share one or more member VLANs, they cannot share any links between them. •...
  • Page 342 • All VLANS must be in Layer 2 mode. • Only ring nodes can be added to the VLAN. • A Control VLAN can belong to one FRRP group only. • Control VLAN ports must be tagged. • All ports on the ring must use the same VLAN ID for the Control VLAN. •...
  • Page 343 Step Command Syntax Command Mode Purpose member-vlan vlan-id CONFIG-FRRP Identify the Member VLANs for this FRRP {range} group VLAN-ID, Range: VLAN IDs for the ring’s Member VLANS. no disable CONFIG-FRRP Enable FRRP Configure and add the Member VLANs Control and Member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands.
  • Page 344 Step Command Syntax Command Mode Purpose interface primary int CONFIG-FRRP Assign the Primary and Secondary ports, and the slot/port secondary int Control VLAN for the ports on the ring. slot/port control-vlan Interface: vlan id • For a 10/100/1000 Ethernet interface, enter GigabitEthernet the keyword keyword followed by the slot/port information.
  • Page 345: Troubleshooting Frrp

    Command Syntax Command Mode Purpose clear frrp EXEC PRIVILEGED Clear the counters associated with all FRRP groups Show FRRP configuration Use the following command to view the configuration for the FRRP group. Command Syntax Command Mode Purpose show configuration CONFIG-FRRP Show the configuration for this FRRP group Show FRRP information Use one of the following commands to show general FRRP information.
  • Page 346 Figure 15-3 is an example of a basic FRRP topology. Below the figure are the associated CLI commands. Figure 15-3. Basic Topology and CLI commands TRANSIT Primary Secondary Forwarding Forwarding GigE 2/14 GigE 2/31 Primary Primary Forwarding Forwarding GigE 3/21 GigE 1/24 Secondary Secondary...
  • Page 347: Force10 Service Agent

    Force10 Service Agent (FTSA) is designed to automate data collection to relieve these issues. It periodically monitors Dell Force10 or user-specified system variables. If a match condition exists, it triggers data show collection via the CLI.
  • Page 348: Configure Force10 Service Agent

    Configure Force10 Service Agent The minimal FTSA configuration is four steps: 1. Enable FTSA. See page 348. 2. Specify the SMTP server to which FTSA will send E-mails upon a trigger event. See page 349. 3. Specify the source E-mail address that FTSA should use when generating E-mails. See page 349. 4.
  • Page 349: Specify An Smtp Server For Ftsa

    Enter the administrator’s full E-mail address, in the form: username@domain.com, or • Enter the username without the domain name. Dell Force10 recommends using the system name for username your company’s domain name for domain. domain-name If you did not enter the domain name when entering...
  • Page 350: Ftsa Messaging Service

    FTSA Messaging Service The purpose of FTSA is to automatically send information about the switch to the network administrators or Dell Force10 TAC, so that when there is a network problem, the relevant information is collected at the time the problem manifests.
  • Page 351: Add Additional Recipients Of Ftsa E-Mails

    Enable messaging for an individual recipient. enable CALLHOME <SERVER-LABEL> Add Additional Recipients of FTSA E-mails You can add four more recipients for FTSA E-mails, in addition to Dell Force10 TAC and the administrator, for a total of five recipients.
  • Page 352: Encrypt Ftsa Messages

    E-mail parameters for the recipient. For example, the default recipient is Dell Force10 TAC and the label for this recipient is Force10. FTOS creates the context conf-callhome-Force10 in which you can configure the parameters for E-mails destined for Dell Force10...
  • Page 353: Provide Administrator Contact Information

    Export the public key to a file. Provide Administrator Contact Information Dell Force10 recommends that you provide administrator contact information so that it can be included in Type 3 or greater E-mails. Task Command...
  • Page 354: Set The Frequency Of Ftsa Type 3 Messages

    Set the Frequency of FTSA Type 3 Messages When messaging is enabled, FTSA sends an E-mail every 24 hours containing inventory information to all recipients. There is no facility for setting the frequency for individual recipients. Task Command Command Mode frequency Set the frequency at which FTSA generates CALLHOME...
  • Page 355: Ftsa Message Types

    Task Command Command Mode message-format { xml | text } All E-mails are generated in XML format by CALLHOME ACTIONLIST default. For Type 5 messages only, you may generate E-mails in clear text format. The configuration is per action list. FTOS Behavior: FTOS versions prior to 8.2.1.0 diverted Type 5 messages to the internal flash root directory when you enter the command log-only.
  • Page 356: Show Inventory

    Figure 16-5. FTSA Type 2 Message <AgentInfo> <messagetype>Type - 2</messagetype> <time>00:25:36.893 UTC Thu Feb 19 2009</time> <serialnum>0036232 </serialnum> <hostname>Force10</hostname> <messagenum>0</messagenum> </AgentInfo> show inventory FTSA periodically generates Type 3 messages, which contain the output of the command Figure 16-6. FTSA Type 3 Message ---------------------------------Message Body------------------------------------------ <AgentInfo>...
  • Page 357: Ftsa Policies

    Figure 16-7. FTSA Type 4 Messages ---------------------------------Message Body------------------------------------------ <AgentInfo> <messagetype>Type - 4</messagetype> <time>01:57:46.453 UTC Fri Feb 20 2009</time> <serialnum>0036232 </serialnum> <hostname>Force10</hostname> <messagenum>0</messagenum> </AgentInfo> ---------------------------------Message Attachment------------------------------------ Chassis Type : E300 Chassis Mode : TeraScale Software Version : 7.8.1.0 <log_messages> how logging severity 7 session 1 | display xml <?xml version="1.0"...
  • Page 358: Create An Ftsa Policy Test List

    2. Create the list of actions that FTSA should take if any of the conditions exist. See Create a Policy Action List on page 361. 3. Create a policy and assign a test list and action list. See Create a Policy and Assign a Test and Action List on page 363.
  • Page 359 Table 16-2 shows the test conditions that are available to add to a custom policy test list. See the Dell Force10 MIB for further description of the given Object Identifiers (OID). You may only specify one test condition within a policy.
  • Page 360 Table 16-2. Custom Policy Test Conditions Condition Keyword Description memory-free Memory Per-CPU free memory in Megabytes. chSysProcessorMemSize * (1 - Usage chRpmMemUsageUtil) memory-free-percent Per-CPU total free memory in 1 - chRpmMemUsageUtil percent. memory-used Per-CPU total memory usage in chSysProcessorMemSize * Megabytes.
  • Page 361: Create A Policy Action List

    • increase—If the difference between successive samples, calculated by subtracting the first value from the last, is greater than or equal to the previously sampled value, then the action list is executed. • less-than—If the value of the probed system variable is less than the specified value, then the action list is executed.
  • Page 362 Add actions to a policy action list Once you create a policy action list, FTOS enters the CALLHOME ACTIONLIST context. The list you created is initially empty. You may choose one of three pre-defined action lists and add an unlimited number of custom actions.
  • Page 363: Create A Policy And Assign A Test And Action List

    To add a pre-defined list of actions to your policy action list: Task Command Command Mode default-action [ exception | hardware Add a pre-defined list of actions to CALLHOME ACTIONLIST | software ] your policy action list. You may add an unlimited number of three types of custom actions: Task Command Command Mode...
  • Page 364: Additional Policy Configurations

    Associate a Dell Force10 TAC case number with the CALLHOME POLICY policy. Configure a case number only if you already have a case open with Dell Force10 for the policy. This case number is included in action-list messages sent to Dell Force10.
  • Page 365 Figure 16-9. Configuring an FTSA Policy for a Linecard Down call-home admin-email pubsadmin@training10.com smtp server-address 192.168.1.1 no enable-all server Force10 recipient pubslab@training10.com keyadd Force10DefaultPublicKey no encrypt enable log-messages delay 60 severity 6 policy lcdown action-list lcdown test-list lcdown policy-test-list lcdown default-test hardware policy-action-list lcdown default-action hardware...
  • Page 366 Figure 16-11. FTSA Type 5 Message for a Linecard Down Policy ---------------------------------Message Body------------------------------------------ <AgentInfo> <messagetype>Type - 5</messagetype> <time>23:19:37.209 UTC Wed Feb 25 2009</time> <serialnum>0036232 </serialnum> <hostname>R6_E300</hostname> <messagenum>0</messagenum> </AgentInfo> ---------------------------------Message Attachment------------------------------------ <action_list_message> <AgentInfo> <messagetype>Type - 5</messagetype> <time>23:19:37.230 UTC Wed Feb 25 2009</time> <serialnum>0036232 </serialnum>...
  • Page 367 Figure 16-12. FTSA Type 5 Message for a Linecard Down Policy (continued) </item> <item> <item_name>show logging driverlog linecard 1</item_name> <item_time>23:19:46.191 UTC Wed Feb 25 2009</item_time> <item_output> show logging driverlog linecard 1 [output omitted] </item_output> </item> <item> <item_name>show logging driverlog linecard 4</item_name> <item_time>23:19:46.577 UTC Wed Feb 25 2009</item_time>...
  • Page 368 Figure 16-13. FTSA Type 5 Message for a Linecard Down Policy (continued) </item> <item> <item_name>remote-exec cp dhsTestCp</item_name> <item_time>23:19:54.597 UTC Wed Feb 25 2009</item_time> <item_output> remote-exec cp dhsTestCp [output omitted] </item_output> </item> <item> <item_name>remote-exec cp dhsTestCp</item_name> <item_time>23:20:00.663 UTC Wed Feb 25 2009</item_time> <item_output>...
  • Page 369 Figure 16-14. FTSA Type 5 Message for a BGP Peer Down Policy ---------------------------------Message Body------------------------------------------ <AgentInfo> <messagetype>Type - 5</messagetype> <time>17:14:28.394 UTC Thu Feb 26 2009</time> <serialnum>0036232 </serialnum> <hostname>R6_E300</hostname> <messagenum>0</messagenum> </AgentInfo> ---------------------------------Message Attachment------------------------------------ <action_list_message> <AgentInfo> <messagetype>Type - 5</messagetype> <time>17:14:28.415 UTC Thu Feb 26 2009</time> <serialnum>0036232 </serialnum>...
  • Page 370 Figure 16-15. Configuring an FTSA Policy for an Excessive CRC-error Condition call-home admin-email pubsadmin@training10.com smtp server-address 192.168.1.1 no enable-all server Force10 recipient pubslab@training10.com keyadd Force10DefaultPublicKey no encrypt enable no log-messages policy crcerror action-list crcerror test-list crcerror policy-test-list crcerror test-condition interface-crc 1 greater-than number 500 policy-action-list crcerror no log-only message-format text...
  • Page 371: Debugging Ftsa

    Figure 16-17. FTSA Type 5 Message for an Excessive CRC-error Condition ---------------------------------Message Body------------------------------------------ <AgentInfo> <messagetype>Type - 5</messagetype> <time>21:10:04.678 UTC Tue Mar 10 2009</time> <serialnum>0036232 </serialnum> <hostname>R6_E300</hostname> <messagenum>0</messagenum> </AgentInfo> ---------------------------------Message Attachment------------------------------------ <action_list_message> <AgentInfo> <messagetype>Type - 5</messagetype> <time>21:10:04.686 UTC Tue Mar 10 2009</time> <serialnum>0036232 </serialnum>...
  • Page 372 Figure 16-18. Call-home Debug All during Type 5 Message Generation #02:13:49 : CALL-HOME: Sending the following email 02:13:49 : From: pubsadmin@training10.com pubslab@training10.com Subject: <messagetype>Type - 5</messagetype> Attachment: ramdisk:/crcerror-21_10_04.685.txt 02:13:49 : Message: <AgentInfo> <messagetype>Type - 5</messagetype> <time>21:10:04.678 UTC Tue Mar 10 2009</time> <serialnum>0036232 </serialnum>...
  • Page 373: Garp Vlan Registration Protocol

    GARP VLAN Registration Protocol GARP VLAN Registration Protocol is supported on platforms: c e s. GVRP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Protocol Overview Typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
  • Page 374: Configuring Gvrp

    Figure 17-1. GVRP Compatibility Error Message FTOS(conf)#protocol spanning-tree pvst FTOS(conf-pvst)#no disable % Error: GVRP running. Cannot enable PVST..FTOS(conf)#protocol spanning-tree mstp FTOS(conf-mstp)#no disable % Error: GVRP running. Cannot enable MSTP..FTOS(conf)#protocol gvrp FTOS(conf-gvrp)#no disable % Error: PVST running. Cannot enable GVRP. % Error: MSTP running.
  • Page 375: Related Configuration Tasks

    Figure 17-2. GVRP Configuration Overview GVRP is configured globally and on all VLAN trunk ports for the edge and core switches. Edge Switches Edge Switches Core Switches VLANs 10-20 VLANs 70-80 VLANs 30-50 VLANs 10-20 VLANs 70-80 VLANs 30-50 NOTES: VLAN 1 mode is always fixed and cannot be configured All VLAN trunk ports must be configured for GVRP All VLAN trunk ports must be configured as 802.1Q...
  • Page 376: Enabling Gvrp On A Layer 2 Interface

    Figure 17-3. Enabling GVRP Globally FTOS(conf)#protocol gvrp FTOS(config-gvrp)#no disable FTOS(config-gvrp)#show config protocol gvrp no disable FTOS(config-gvrp)# Enabling GVRP on a Layer 2 Interface gvrp enable Enable GVRP on a Layer 2 interface using the command in INTERFACE mode, as shown in show config Figure 17-4.
  • Page 377: Configuring A Garp Timer

    Based on the configuration in the example shown in Figure 17-5, the interface 1/21 will not be removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface will not be dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received. Figure 17-5.
  • Page 378 FTOS displays Message 1 if an attempt is made to configure an invalid GARP timer. Message 1 GARP Timer Error FTOS(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
  • Page 379: High Availability

    High Availability High Availability is supported on platforms: c e s. High availability is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this FTOS release.
  • Page 380: Component Redundancy

    Component Redundancy Dell Force10 systems eliminate single points of failure by providing dedicated or load-balanced redundancy for each component. RPM Redundancy The current version of FTOS supports 1+1 hitless Route Processor Module (RPM) redundancy. The primary RPM performs all routing, switching, and control operations while the standby RPM monitors the primary RPM.
  • Page 381 Boot the chassis with dual RPMs When you boot the system with two RPMs installed, the RPM in slot R0 is the primary RPM by default. Both RPMs should be running the same version of FTOS. You can configure either RPM to be the primary upon the next chassis reboot using the command redundancy primary from CONFIGURATION mode.
  • Page 382 Automatic and manual RPM failover RPM failover is the process of the standby RPM becoming the primary RPM. FTOS fails over to the standby RPM when: 1. communication is lost between the standby and primary RPMs 2. you request a failover via the CLI 3.
  • Page 383 Communication between RPMs E-Series RPMs have three CPUs: Control Processor (CP), Routing Processor 1 (RP1), and Routing Processor 2 (RP2). The CPUs use Fast Ethernet connections to communicate to each other and to the line card CPUs (LP) using Inter-Processor Communication (IPC). The CP monitors the health status of the other processors by sending a heartbeat message.
  • Page 384 Table 18-2. Failover Behaviors Platform Failover Trigger Failover Behavior RP task or kernel crash on the CP on the primary RPM detects the RP IPC timeout and notifies the primary RPM standby RPM. The standby RPM initiates a failover. FTOS saves an RP application or kernel core dump, the CP trace log, and the CP IPC-related system status.
  • Page 385 RPM synchronization Data between the two RPMs is synchronized immediately after bootup. Once the two RPMs have done an initial full synchronization (block sync), thereafter FTOS only updates changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the FTOS version.
  • Page 386 Figure 18-3. Using the redundancy force-failover rpm Command to Copy Software between RPMs FTOS#redundancy force-failover rpm Peer RPM's SW version is different but HA compatible. Failover can be done by warm or hitless upgrade. All linecards will be reset during warm upgrade. Specify hitless upgrade or warm upgrade [confirm hitless/warm]:hitless Proceed with warm upgrade [confirm yes/no]: Specify an Auto-failover Limit...
  • Page 387: Online Insertion And Removal

    Line Card Online Insertion and Removal on page 387 RPM Online Insertion and Removal Dell Force10 systems are functional with only one RPM. If a second RPM is inserted, it comes online as the standby RPM, as shown in Figure 18-4.
  • Page 388 Figure 18-5. Inserting and Removing a Line Card FTOS(conf)#do show linecard all Line cards Slot Status NxtBoot ReqTyp CurTyp Version Ports --------------------------------------------------------------------------- not present [output omitted] FTOS(conf)# %RPM0-P:CP %CHMGR-5-CARDDETECTED: Line card 0 present FTOS(conf)# do show linecard Line cards Slot Status NxtBoot ReqTyp...
  • Page 389: Hitless Behavior

    Replace a line card If you are replacing a line card with a line card of the same type, you may replace the card without any additional configuration. If you are replacing a line card with a line card of a different type, remove the card and then remove the existing line card configuration using the command no linecard.
  • Page 390: Graceful Restart

    Hitless behavior is defined in the context of an RPM failover only and does not include line card, SFM, and power module failures. • On the E-Series: Failovers triggered by software exception, hardware exception, forced failover via the CLI, and manual removal of the primary RPM are all hitless. •...
  • Page 391: Runtime System Health Check

    Runtime System Health Check Runtime System Health Check is supported on platform: FTOS runs a system health check to detect data transfer errors within the system. FTOS performs the check during normal operation by interspersing test frames among the data frames that carry user and system data.
  • Page 392: Software Component Health Monitoring

    (CRC failures, packet loss, etc.) are measured, and upon exceeding a threshold can be used to initiate a recovery mechanism. Failure and Event Logging Dell Force10 systems provide multiple options for logging failures and events. Trace Log Developers interlace messages with software code to track the execution of a program. These messages are called trace messages;...
  • Page 393: Hot-Lock Behavior

    • The kernel is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory in use by the kernel at the time of an exception. •...
  • Page 394: Configure Cache Boot

    If you attempt an SFM auto upgrade, you must reload the chassis to recover. The Dell Force10 system has the ability to boot the chassis using a cached FTOS image. FTOS stores the system image on the bootflash for each processor so that: •...
  • Page 395 Figure 18-8. Determining your System Pre-requisites for Cache Boot FTOS#show rpm -- RPM card 0 -- Status : active Next Boot : online Card Type : RPM - Route Processor Module (LC-EF3-RPM) Hardware Revision 2.1 or later Hardware Rev : 2.2i Num Ports Up Time : 1 day, 4 hr, 25 min...
  • Page 396 Select the FTOS image that you want to cache using the command , as shown in Figure 18-9. Dell Force10 recommends using the keyword with this command to avoid any mis-matched configurations. Note: The cache boot feature is not enabled by default; you must copy the running configuration to the...
  • Page 397 Figure 18-10. Viewing the Cache Boot Configuration FTOS#show boot system all Current system image information in the system: ============================================= Type Boot Type ---------------------------------------------------------------- DOWNLOAD BOOT 4.7.5.427 invalid DOWNLOAD BOOT 4.7.5.427 invalid DOWNLOAD BOOT 4.7.5.427 invalid linecard 0 DOWNLOAD BOOT 4.7.5.427 invalid linecard 1 is not present.
  • Page 398: In-Service Modular Hot-Fixes

    In-Service Modular Hot-Fixes In-Service Modular Hot-Fixes are supported on platforms: In-Service Modular Hot-Fixes provides a tool whereby you can install a patch while the system is on-line and running. This feature allows a patch to be added to a running FTOS process to obtain debugging information or to resolve a software issue in a deployed system.
  • Page 399: Process Restartability

    Note: The command show patch can be used on both the primary and secondary RPMs, as shown here: FTOS(standby)#show patch Patch version Module Timestamp E.1.1.bgp.1.0 Mon Jun 22 06:51:23 PDT 2009 E.2.1.l2mgr.1.0 l2mgr Mon Jun 22 07:11:15 PDT 2009 FTOS(standby)# Process Restartability c e s Process Restartability...
  • Page 400 You can select which process may attempt to restart, and the number of consecutive restart attempts before failover, but by default, every process causes a system reload or RPM failover. Task Command Syntax Command Mode process restartable count number period Enable Process Restartability for a process CONFIGURATION...
  • Page 401 FTOS Behavior: When debug tacacs or debug radius is enabled, and the respective process restarts, FTOS does not continue to print debug messages after the restart; you must execute debug tacacs or debug radius again. This is because debugging is not saved to the running configuration; rather, FTOS marks the process for debugging with a flag that is cleared during the restart.
  • Page 403: Internet Group Management Protocol

    • Dell Force10 systems cannot serve as an IGMP host or an IGMP version 1 IGMP Querier. • FTOS automatically enables IGMP on interfaces on which you enable a multicast routing protocol.
  • Page 404: Igmp Version 2

    IGMP version 2 IGMP version 2 improves upon version 1 by specifying IGMP Leave messages, which allow hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
  • Page 405: Igmp Version 3

    Sending an Unsolicited IGMP Report A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP Membership Report, also called an IGMP Join message, to the querier. Leaving a Multicast Group 1.
  • Page 406: Joining And Filtering Groups And Sources

    Figure 19-3. IGMP version 3 Membership Report Packet Format Version Flags Src IP Addr Dest IP Addr IGMP Packet Total Length Frag Offset Protocol Header Options Padding (0xc0) Checksum (224.0.0.22) (Router Alert) Type Reserved Checksum Reserved Number of Group Group Record 1 Group Record 2 Group Record N Records...
  • Page 407: Leaving And Staying In Groups

    Figure 19-4. IGMP Membership Reports: Joining and Filtering Membership Reports: Joining and Filtering IGMP Group-and-Source Specific Query Interface Multicast Group Filter Source Source Non-Querier Querier Address Timer Mode Timer Type: 0x11 224.1.1.1 GMI Exclude Group Address: 244.1.1.1 None Number of Sources: 1 224.1.1.1 Include 10.11.1.1 GMI...
  • Page 408: Configuring Igmp

    Figure 19-5. IGMP Membership Queries: Leaving and Staying in Groups Membership Queries: Leaving and Staying Querier Non-Querier Interface Multicast Group Filter Source Source Non-querier builds identical table Address Timer Mode Timer and waits Other Querier Present 224.1.1.1 Include Interval to assume Querier role 10.11.1.1 LQMT 10.11.1.2 LQMT 224.2.2.2 GMI Exclude None...
  • Page 409: Selecting An Igmp Version

    Figure 19-6. Viewing IGMP-enabled Interfaces FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.2/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 300 seconds IGMP max query response time is 10 seconds Last member query response interval is 199 ms IGMP activity: 0 joins, 0 leaves...
  • Page 410: Adjusting Timers

    Figure 19-8. Viewing Static and Learned IGMP Groups FTOS(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.1.1.1 GigabitEthernet 1/0 00:00:03 Never 224.1.2.1 GigabitEthernet 1/0 00:56:55 00:01:22 1.1.1.2 Adjusting Timers View the current value of all IGMP timers using the command show ip igmp interface...
  • Page 411: Configuring A Static Igmp Group

    Note: The timeout value for an IGMP querier is calculated differently on Dell Force10 FTOS routers than on Cisco IOS routers. As a result, if the IGMP querier in a subnet goes down, a Cisco IOS router may be elected as the new querier before a Dell Force10 FTOS router.
  • Page 412: Igmp Snooping

    IGMP Snooping Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth. IGMP Snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
  • Page 413: Disabling Multicast Flooding

    Figure 19-10. Enabling IGMP Snooping FTOS(conf-if-vl-100)#show config interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown FTOS(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN.
  • Page 414: Fast Convergence After Mstp Topology Changes

    • When enabled, IGMP snooping Querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval When the querier receives a leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table.
  • Page 415: Interfaces

    Interfaces This chapter describes interface types, both physical and logical, and how to configure them with FTOS. 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms c e s. SONET interfaces are only supported on platform and are covered in the SONET/SDH chapter.
  • Page 416: Interface Types

    Interface Types Modes Requires Interface Type Possible Default Mode Creation Default State Physical L2, L3 Unset Shutdown (disabled) Management No Shutdown (enabled) Loopback No Shutdown (enabled) Null Enabled Port Channel L2, L3 Shutdown (disabled) VLAN L2, L3 Yes (except L2 - No Shutdown (enabled) default) L3 - Shutdown (disabled) View Basic Interface Information...
  • Page 417: Show Interfaces Configured

    Figure 20-1. show interfaces Command Example FTOS#show interfaces tengigabitethernet 1/0 TenGigabitEthernet 1/0 is up, line protocol is up Hardware is Force10Eth, address is 00:01:e8:05:f3:6a Current address is 00:01:e8:05:f3:6a Pluggable media present, XFP type is 10GBASE-LR. Medium is MultiRate, Wavelength is 1310nm XFP receive power reading is -3.7685 Interface index is 67436603 Internet address is 65.113.24.238/28...
  • Page 418: Enable A Physical Interface

    Figure 20-3. Interfaces listed in the show running-config Command (Partial) FTOS#show running Current Configuration ... interface GigabitEthernet 9/6 no ip address shutdown interface GigabitEthernet 9/7 no ip address shutdown interface GigabitEthernet 9/8 no ip address shutdown interface GigabitEthernet 9/9 no ip address shutdown Enable a Physical Interface After determining the type of physical interfaces available, the user may enter the INTERFACE mode by...
  • Page 419: Physical Interfaces

    To confirm that the interface is enabled, use the show config command in the INTERFACE mode. To leave the INTERFACE mode, use the exit command or command. The user cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series, and provides dedicated management access to the system.
  • Page 420: Overview Of Layer Modes

    Overview of Layer Modes On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode. Table 20-1. Interfaces Types Possible Requires Type of Interface Modes Creation...
  • Page 421: Configure Layer 3 (Network) Mode

    For information on enabling and configuring Spanning Tree Protocol, see Chapter 10, Layer 2, on page show interfaces switchport To view the interfaces in Layer 2 mode, use the command in the EXEC mode. Configure Layer 3 (Network) Mode ip address When you assign an IP address to a physical interface, you place it in Layer 3 mode.
  • Page 422 Command Syntax Command Mode Purpose ip address [ secondary ] ip-address mask INTERFACE Configure a primary IP address and mask on the interface. The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address.
  • Page 423: Management Interfaces

    Management Interfaces Configure Management Interfaces on the E-Series and C-Series On the E-Series and C-Series, the dedicated Management interface is located on the RPM and provides management access to the system. You can configure this interface with FTOS, but the configuration options on this interface are limited.
  • Page 424: Configure Management Interfaces On The S-Series

    Important Things to Remember — virtual-ip • virtual-ip is a CONFIGURATION mode command. You may enter an IPv4 or IPv6 address. • When applied, the management port on the primary RPM assumes the virtual IP address. Entering the show interfaces and show ip interface brief commands on the primary RPM management interface will display both the virtual IP address and the actual IP address configured on the interface (see...
  • Page 425: Displaying Information On A Management Interface

    Displaying Information on a Management Interface To view information about the primary RPM management port, use the show interface Managementethernet command in EXEC or EXEC Privilege mode. If there are two RPMs on the system, you cannot view information on the interface. Figure 20-9.
  • Page 426: Vlan Interfaces

    VLAN Interfaces VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information on VLANs and Layer 2, refer to Chapter 10, Layer 2, on page 47.
  • Page 427: Loopback Interfaces

    Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Since this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure a Loopback interface, use the following command in the CONFIGURATION mode: Command Syntax Command Mode...
  • Page 428: Port Channel Interfaces

    Port Channel Interfaces Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics: • Port channel definition and standards on page 428 • Port channel benefits on page 428 • Port channel implementation on page 428 •...
  • Page 429 • Dynamic—Port channels that are dynamically configured using Link Aggregation Control Protocol (LACP). For details, see Chapter 24, Link Aggregation Control Protocol. Table 20-2. Number of Port-channels per Platform Platform Port-channels Members/Channel E-Series C-Series S-Series: S50 and S25 S-Series: S55, S60 and S4810 Table 20-3.
  • Page 430: Configuration Task List For Port Channel Interfaces

    The common speed is determined when the port channel is first enabled. At that time, the software checks the first interface listed in the port channel configuration. If that interface is enabled, its speed configuration becomes the common speed of the port channel. If the other interfaces configured in that port channel are configured with a different speed, FTOS disables them.
  • Page 431: Add A Physical Interface To A Port Channel

    The port channel is now enabled and you can place the port channel in Layer 2 or Layer 3 mode. Use the switchport command to place the port channel in Layer 2 mode or configure an IP address to place the port channel in Layer 3 mode.
  • Page 432 Figure 20-13. show interfaces port-channel brief Command Example FTOS#show int port brief LAG Mode Status Uptime Ports L2L3 00:06:03 Gi 13/6 (Up) * Gi 13/12 (Up) L2L3 00:06:03 Gi 13/7 (Up) * Gi 13/8 (Up) Gi 13/13 (Up) Gi 13/14 (Up) FTOS# Figure 20-14...
  • Page 433: Reassign An Interface To A New Port Channel

    Figure 20-15. Error Message FTOS(conf-if-portch)#show config interface Port-channel 5 no ip address switchport channel-member GigabitEthernet 1/6 FTOS(conf-if-portch)#int gi 1/6 FTOS(conf-if)#ip address 10.56.4.4 /24 % Error: Port is part of a LAG Gi 1/6. Error message FTOS(conf-if)# Reassign an interface to a new port channel An interface can be a member of only one port channel.
  • Page 434: Add Or Remove A Port Channel From A Vlan

    Figure 20-16. Command Example from Reassigning an Interface to a Different Port Channel FTOS(conf-if-portch)#show config interface Port-channel 4 no ip address channel-member GigabitEthernet 1/8 no shutdown FTOS(conf-if-portch)#no chann gi 1/8 FTOS(conf-if-portch)#int port 5 FTOS(conf-if-portch)#channel gi 1/8 FTOS(conf-if-portch)#sho conf interface Port-channel 5 no ip address channel-member GigabitEthernet 1/8 shutdown...
  • Page 435: Assign An Ip Address To A Port Channel

    To add a port channel to a VLAN, use either of the following commands: Command Syntax Command Mode Purpose tagged port-channel id number INTERFACE Add the port channel to the VLAN as a tagged VLAN interface. An interface with tagging enabled can belong to multiple VLANs.
  • Page 436 Load balancing through port channels FTOS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among ECMP paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link. In packet-based hashing, a single flow can be distributed on the LAG and uses one link.
  • Page 437 On the E-Series, to change the 5-tuple default to 3-tuple, MAC, or packet-based, use the following command in CONFIGURATION mode: Command Syntax: [ no ] load-balance [ ip-selection { 3-tuple | packet-based }] [ mac ]. Command Mode: CONFIGURATION. Purpose: To designate a method to balance traffic over a port channel.
  • Page 438 IPv4, IPv6, and non-IP traffic handling on the E-Series The table below presents the combinations of the load-balance command and their effect on traffic types. Table 20-7. The load-balance Commands and Port Channel Types Routed Switched Switched Configuration Commands IP Traffic IP Traffic Non-IP Traffic (IPv4 only)
  • Page 439 Hash algorithm The load-balance command discussed above selects the hash criteria applied to port channels. If even distribution is not obtained with the load-balance command, the hash-algorithm command can be used to select the hash scheme for LAG, ECMP and NH-ECMP. The 12 bit Lag Hash can be rotated or shifted till the desired hash is achieved.
  • Page 440: Bulk Configuration

    • dest-ip — uses destination IP address as part of the hash key • — always uses the least significant bit of the hash key to compute the egress port To change to another method, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose...
  • Page 441: Bulk Configuration Examples

    show configuration command is also available under the interface range mode. This command allows you to display the running configuration only for interfaces that are part of interface range. Bulk Configuration Examples The following are examples of using the interface range command for bulk configuration: •...
  • Page 442: Overlap Port Ranges

    Figure 20-23. Interface Range Prompt Excluding a Smaller Port Range FTOS(conf)#interface range gigabitethernet 2/0 - 23 , gigab 2/1 - 10 FTOS(conf-if-range-gi-2/0-23)# Overlap port ranges If overlapping port ranges are specified, the port range is extended to the smallest start port number and largest end port number: Figure 20-24.
  • Page 443: Interface Range Macros

    Interface Range Macros The user can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface-range macro command string, you must define the macro. To define an interface-range macro, enter this command: Command Syntax Command Mode Purpose...
  • Page 444: Choose An Interface-Range Macro

    Choose an Interface-range Macro To use an interface-range macro in the interface range command, enter this command: Command Syntax Command Mode Purpose interface range macro name CONFIGURATION Selects the interfaces range to be configured using the values saved in a named interface-range macro. The example below shows how to change to the interface-range configuration mode using the interface-range macro named “test”.
  • Page 445: Maintenance Using Tdr

    FTOS# Maintenance using TDR The Time Domain Reflectometer (TDR) is supported on all Dell Force10 switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
  • Page 446: Link Debounce Timer

    To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command: Step Command Syntax Command Mode Usage tdr-cable-test gigabitethernet EXEC Privilege To test for cable faults on the GigabitEthernet <slot>/ <port> cable. • Between two ports, the user must not start the test on both ends of the cable.
  • Page 447: Assign A Debounce Time To An Interface

    • Changes made do not affect any ongoing debounces. The timer changes take effect from the next debounce onward. Assign a debounce time to an interface Command Syntax Command Mode Purpose link debounce time [milliseconds] INTERFACE Enter the time to delay link status change notification on this interface.
  • Page 448: Disable Port On One Sfm

    When an E300 system boots up and a single SFM is active this configuration, any ports configured with this feature will be shut down. All other ports are booted up. Similarly, if an SFM fails (or is removed) in an E300 system with two SFM, ports configured with this feature will be shut down.
  • Page 449: Enable Link Dampening

    Enable Link Dampening Enable link dampening using the dampening command from INTERFACE mode, as shown in Figure 20-30. Figure 20-30. Configuring Link Dampening R1(conf-if-gi-1/1)#show config interface GigabitEthernet 1/1 ip address 10.10.19.1/24 dampening 1 2 3 4 no shutdown R1(conf-if-gi-1/1)#exit View the link dampening configuration on an interface using the show config command, or view show interfaces...
  • Page 450: Ethernet Pause Frames

    Figure 20-33. Clearing Dampening Counters FTOS# clear dampening interface Gi 0/1 FTOS# show interfaces dampening GigabitEthernet0/0 InterfaceState Flaps Penalty Half-LifeReuse SuppressMax-Sup Gi 0/1 Up 1500 Link Dampening Support for XML | display xml View the output of the following show commands in XML by adding to the end of the command: •...
  • Page 451: Threshold Settings

    The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames. To allow full duplex flow control, stations implementing the pause operation instruct the MAC to enable reception of frames with destination address equal to this multicast address. The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands.
  • Page 452: Enable Pause Frames

    Note: On the C-Series and S-Series platforms, Ethernet Pause Frames TX should be enabled only after consulting with the Dell Force10 Technical Assistance Center. Ethernet Pause Frames flow control must be enabled on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior.
  • Page 453: Configure Mtu Size On An Interface

    Configure MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be large enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400 bytes, the Link MTU must be 1422 bytes or greater to accommodate the 22-byte VLAN header: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU On the E-Series and C-Series, you configure the Link MTU size on an interface by entering the...
  • Page 454: Port-Pipes

    Port-pipes A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces or a port-set.
  • Page 455: Auto-Negotiation On Ethernet Interfaces

    Note: As a best practice, Dell Force10 recommends keeping auto-negotiation enabled. Auto-negotiation should only be disabled on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
  • Page 456 Note: The show interfaces status command displays link status, but not administrative status. For link and administrative status, use show ip interface [ interface | brief | linecard slot-number ] [ configuration ]. Figure 20-34. show interfaces status Command Example FTOS#show interfaces status Port Description Status Speed...
  • Page 457: View Advanced Interface Information

    Figure 20-36. Setting Auto-Negotiation Options FTOS(conf)# int gi 0/0 FTOS(conf-if)#neg auto FTOS(conf-if-autoneg)# ? Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode Negate a command or set its defaults speed duplex negotiation auto For details on the , and commands, see the Interfaces chapter of the FTOS...
  • Page 458: Configure Interface Sampling Size

    Figure 20-37. show Commands with configured Keyword Examples FTOS#show interfaces configured FTOS#show interfaces linecard 0 configured FTOS#show interfaces gigabitEthernet 0 configured FTOS#show ip interface configured FTOS#show ip interface linecard 1 configured FTOS#show ip interface gigabitEthernet 1 configured FTOS#show ip interface br configured FTOS#show ip interface br linecard 1 configured FTOS#show ip interface br gigabitEthernet 1 configured FTOS#show running-config interfaces configured...
  • Page 459 Figure 20-39. Configuring Rate Interval Example FTOS#show interfaces TenGigabitEthernet 10/0 is down, line protocol is down Hardware is Force10Eth, address is 00:01:e8:01:9e:d9 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface"...
  • Page 460: Dynamic Counters

    Dynamic Counters By default, counting for the following four applications is enabled: • IPFLOW • IPACL • L2ACL • L2FIB For remaining applications, FTOS automatically turns on counting when the application is enabled, and turns it off when the application is disabled. Please note that if more than four counter-dependent applications are enabled on a port pipe, there is an impact on line rate performance.
  • Page 461: Clear Interface Counters

    Clear interface counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters captured by any SNMP program. To clear the counters, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose...
  • Page 462 Interfaces...
  • Page 463: Ipv4 Addressing

    IPv4 Addressing IPv4 Addressing is supported on platforms c e s. IPv4 addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS.
  • Page 464: Configuration Task List For Ip Addresses

    At its most basic level, an IP address is 32 bits composed of network and host portions and represented in dotted decimal format. For example, 00001010110101100101011110000011 is represented as 10.214.87.131. For more information on IP addressing, refer to RFC 791, Internet Protocol. Implementation Information In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces.
  • Page 465 To assign an IP address to an interface, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose interface Enter the keyword interface followed by the type of CONFIGURATION interface interface and slot/port information: •...
  • Page 466: Configure Static Routes

    FTOS#show ip int gi 0/8 GigabitEthernet 0/8 is up, line protocol is up Internet address is 10.69.8.1/24 Broadcast address is 10.69.8.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent...
  • Page 467: Configure Static Routes For The Management Interface

    Figure 21-3. show ip route static Command Example (partial) FTOS#show ip route static Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------- 2.1.2.0/24 Direct, Nu 0 00:02:30 6.1.2.0/24 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.2/32 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.3/32 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.4/32...
  • Page 468: Directed Broadcast

    To view the configured static routes for the management port, use the show ip management-route command in the EXEC privilege mode. Figure 21-4. show ip management-route Command Example FTOS>show ip management-route Destination Gateway State ----------- ------- ----- 1.1.1.0/24 172.31.1.250 Active 172.16.1.0/24 172.31.1.250 Active...
  • Page 469: Specify Local System Domain And A List Of Domains

    Command Syntax Command Mode Purpose ip domain-lookup CONFIGURATION Enable dynamic resolution of host names. ip name-server CONFIGURATION Specify up to 6 IPv4 or IPv6 name servers. The order you ipv4-address entered the servers determines the order of their use. You ipv4-address2 ipv4-address6 may have IPv4 and IPv6 name servers configured at the...
  • Page 470: Dns With Traceroute

    Command Syntax Command Mode Purpose ip domain-list CONFIGURATION Configure names to complete unqualified host names. name Configure this command up to 6 times to specify a list of possible domain names. FTOS searches the domain names in the order they were configured until a match is found or the list is exhausted.
  • Page 471: Configuration Task List For Arp

    FTOS uses two forms of address resolution: ARP and Proxy ARP. Address Resolution Protocol (ARP) runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, FTOS creates a forwarding table mapping the MAC addresses to their corresponding IP address.
  • Page 472: Enable Proxy Arp

    Command Syntax Command Mode Purpose CONFIGURATION Configure an IP address and MAC address mapping ip-address mac-address interface for an interface. • ip-address: IP address in dotted decimal format (A.B.C.D). • MAC address in nnnn.nnnn.nnnn mac-address: format • interface: enter the interface type slot/port information.
  • Page 473: Arp Learning Via Gratuitous Arp

    Command Syntax Command Mode Purpose clear arp-cache [ interface | ip EXEC privilege Clear the ARP caches for all interfaces or for a specific ip-address] [ no-refresh ] interface by entering the following information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
  • Page 474: Arp Learning Via Arp Request

    Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs. Task Command Syntax Command Mode Enable ARP learning via gratuitous ARP. arp learn-enable CONFIGURATION ARP Learning via ARP Request In FTOS versions prior to 8.3.1.0, FTOS learns via ARP Requests only if the Target IP specified in the packet matches the IP address of the receiving router interface.
  • Page 475: Configurable Arp Retries

    Configurable ARP Retries In FTOS versions prior to 8.3.1.0 the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable.
  • Page 476: Udp Helper

    Enable ICMP unreachable messages By default, ICMP unreachable messages are disabled. When enabled, ICMP unreachable messages are created and sent out all interfaces. To disable ICMP unreachable messages, use the no ip unreachable command. To reenable the creation of ICMP unreachable messages on the interface, use the following command in the INTERFACE mode: Command Syntax Command Mode...
  • Page 477: Configuring Udp Helper

    Configuring UDP Helper Configuring FTOS to direct UDP broadcast is a two-step process: 1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. See Enabling UDP Helper on page 477. 2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. See Configuring a Broadcast Address on page 478.
  • Page 478: Configuring A Broadcast Address

    Configuring a Broadcast Address Configure a broadcast address on an interface using the ip udp-broadcast-address command, as shown in Figure 21-12. Figure 21-12. Configuring a Broadcast Address FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 FTOS(conf-if-vl-100)#show config interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown show interfaces...
  • Page 479: Udp Helper With Broadcast-All Addresses

    UDP Helper with Broadcast-all Addresses When the destination IP address of an incoming packet is the IP broadcast address, FTOS rewrites the address to match the configured broadcast address. Figure 21-14: 1. Packet 1 is dropped at ingress if no UDP helper address is configured. ip udp-helper udp-port 2.
  • Page 480: Udp Helper With Configured Broadcast Addresses

    Figure 21-15, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101. If UDP helper is configured and the packet matches the specified UDP port, then the system changes the address to the configured IP broadcast address and floods the packet on VLAN 101.
  • Page 481: Udp Helper With No Configured Broadcast Addresses

    UDP Helper with No Configured Broadcast Addresses • If the incoming packet has a broadcast destination IP address, then the unaltered packet is routed to all Layer 3 interfaces. • If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, then the unaltered packet is routed to the matching interfaces.
  • Page 482 IPv4 Addressing...
  • Page 483: Ipv6 Addressing

    IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief discussion of the differences between IPv4 and IPv6, and the Dell Force10 support of IPv6. This chapter discusses the following, but is not intended to be a comprehensive discussion of IPv6.
  • Page 484: Extended Address Space

    Some key changes in IPv6 are: • Extended Address Space • Stateless Autoconfiguration • Header Format Simplification • Improved Support for Options and Extensions Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing.
  • Page 485: Ipv6 Headers

    IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information, and 8 bytes for general header information. The IPv6 header includes the following fields: • Version (4 bits) •...
  • Page 486 Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
  • Page 487: Extension Header Fields

    Table 22-1. Next Header field values (continued) Value Description No Next Header Destinations option header Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page http://www.iana.org/assignments/protocol-numbers for a complete and current listing. Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing.
  • Page 488: Addressing

    Hop-by-Hop Options header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 22-1). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
  • Page 489 • 2001:0db8:0000:0000:0000:0000:1428:57ab • 2001:0db8:0000:0000:0000::1428:57ab • 2001:0db8:0:0:0:0:1428:57ab • 2001:0db8:0:0::1428:57ab • 2001:0db8::1428:57ab • 2001:db8::1428:57ab IPv6 networks are written using Classless Inter-Domain Routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix.
  • Page 490: Implementing Ipv6 With Ftos

    Implementing IPv6 with FTOS FTOS supports both IPv4 and IPv6, and both may be used simultaneously in your system. Note: Dell Force10 recommends that you use FTOS version 7.6.1.0 or later when implementing IPv6 functionality on an E-Series system. Table 22-2 lists the FTOS Version in which an IPv6 feature became available for each platform.
  • Page 491 Table 22-2. FTOS and IPv6 Feature Support (continued) IS-IS for IPv6 7.5.1 8.2.1 8.4.2 8.4.2 Chapter 23, “Intermediate System to Intermediate System,” on page 507 in the FTOS Configuration Guide IPv6 IS-IS in the FTOS Command Line Reference Guide IS-IS for IPv6 support 7.6.1 8.2.1 8.4.2...
  • Page 492: Icmpv6

    Table 22-2. FTOS and IPv6 Feature Support (continued) PIM-SSM for IPv6 7.5.1 8.2.1 8.4.2 8.4.2 IPv6 Multicast in this chapter IPv6 PIM in the FTOS Command Line Reference Guide MLDv1/v2 7.4.1 8.2.1 8.4.2 8.4.2 IPv6 Multicast in this chapter Multicast IPv6 in the FTOS Command Line Reference Guide MLDv1 Snooping 7.4.1...
  • Page 493: Ipv6 Neighbor Discovery

    Path MTU (Maximum Transmission Unit) defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet.
  • Page 494: Ipv6 Neighbor Discovery Of Mtu Packets

    Figure 22-3. NDP Router Redistribution Router C Network 2001:db8::1428:57ab Network 2001:db8::1428:57ab Send a Packet to Network 2001:db8::1428:57ab Router A Router B Local Link Packet Destination (2001:db8::1428:57ab) ICMPv6 Redirect (Data: Use Router C) Packet Destination (Destination 2001:db8::1428:57ab) IPv6 Neighbor Discovery of MTU packets With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without ip nd mtu altering the actual MTU setting on the interface.
  • Page 495: Ipv6 Multicast

    FTOS IPv6 supports quality of service based on DSCP field. You can configure FTOS to honor the DSCP value on incoming routed traffic and forward the packets with the same value. Refer to Chapter 41, Quality of Service for details. Refer also to the Honor DSCP values on ingress trust diffserv packets...
  • Page 496: Configuration Task List For Ipv6

    Configuration Task List for IPv6 This section contains information regarding the following: • Change your CAM-Profile on an E-Series system (mandatory) • Adjust your CAM-Profile on a C-Series or S-Series • Assign an IPv6 Address to an Interface • Assign a Static IPv6 Route •...
  • Page 497: Adjust Your Cam-Profile On A C-Series Or S-Series

    Figure 22-5. Command Example: (E-Series show cam profile FTOS#show cam-profile -- Chassis CAM Profile -- CamSize : 18-Meg : Current Settings : Next Boot Profile Name : IPV6-ExtACL : IPV6-ExtACL L2FIB : 32K entries : 32K entries L2ACL : 1K entries : 1K entries IPv4FIB : 192K entries...
  • Page 498: Assign An Ipv6 Address To An Interface

    Save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings to take effect. Command Syntax Command Mode Purpose cam-acl { default | l2acl CONFIGURATION Allocate space for IPV6 ACLs. Enter the CAM ipv4acl number...
  • Page 499: Assign A Static Ipv6 Route

    Assign a Static IPv6 Route IPv6 Static Routes are supported on platforms c e s. Use the ipv6 route command to configure IPv6 static routes. Command Syntax Command Mode Purpose ipv6 route prefix type {slot/port} forwarding router tag CONFIGURATION Set up IPv6 static routes prefix: IPv6 route prefix type {slot/port}: interface type and slot/port...
  • Page 500: Snmp Over Ipv6

    Command Syntax Command Mode Purpose telnet ipv6 address EXEC or Enter the IPv6 Address for the device. EXEC Privileged ipv6 address : x:x:x:x::x mask : prefix length 0-128 IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
  • Page 501: Show An Ipv6 Interface

    Command Syntax Command Mode Purpose FTOS#show ipv6 ? accounting IPv6 accounting information cam linecard IPv6 CAM Entries for Line Card fib linecard IPv6 FIB Entries for Line Card interface IPv6 interface information mbgproutes MBGP routing table MLD information mroute IPv6 multicast-routing table neighbors IPv6 neighbor information ospf...
  • Page 502: Show Ipv6 Routes

    Figure 22-6. Command Example: show ipv6 interface FTOS#show ipv6 interface gi 2/2 GigabitEthernet 2/2 is down, line protocol is down IPV6 is enabled Link Local address: fe80::201:e8ff:fe06:95a3 Global Unicast address(es): 3:4:5:6::8, subnet is 3::/24 Global Anycast address(es): Joined Group address(es): ff02::1 ff02::2 ff02::1:ff00:8...
  • Page 503 show ipv6 route Figure 22-7 illustrates the command output. Figure 22-7. Command Example: show ipv6 route FTOS#show ipv6 route Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,...
  • Page 504: Show The Running-Configuration For An Interface

    Show the Running-Configuration for an Interface View the configuration for any interface with the following command. Command Syntax Command Mode Purpose show running-config EXEC Show the currently running configuration for the interface type {slot/port} specified interface interface Enter the keyword followed by the type of interface and slot/port information: •...
  • Page 505 Command Syntax Command Mode Purpose IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing earlier in this chapter.
  • Page 506 IPv6 Addressing...
  • Page 507: Intermediate System To Intermediate System

    Intermediate System to Intermediate System is supported on platform: Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Force10 supports both IPv4 and IPv6 versions of IS-IS, as described in this chapter. •...
  • Page 508: Is-Is Addressing

    routing information directly with external routers located outside of the routing domains. Level 1-2 systems manage both inter-area and intra-area traffic by maintaining two separate link databases; one for Level 1 routes and one for Level 2 routes. A Level 1-2 router does not advertise Level 2 routes to a Level 1 router.
  • Page 509: Multi-Topology Is-Is

    Multi-Topology IS-IS FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform x supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. This feature is used to place a virtual physical topology into logical routing domains, which can each support different routing and security policies.
  • Page 510: Adjacencies

    Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs. If an MT ID is not detected in the remote side's IIHs, the local router does not include that neighbor within its LSPs.
  • Page 511: Implementation Information

    By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. FTOS does not support ISO CLNS routing; however, the ISO NET format is supported for addressing. To support IPv6, the Dell Force10 implementation of IS-IS performs the following tasks: •...
  • Page 512: Configuration Information

    Table 23-1 displays the default values for IS-IS. Table 23-1. IS-IS Default Values IS-IS Parameter Default Value Complete Sequence Number PDU (CSNP) interval 10 seconds IS-to-IS hello PDU interval 10 seconds IS-IS interface metric Metric style Narrow Designated Router priority Circuit Type Level 1 and Level 2 IS Type...
  • Page 513: Configuration Task List For Is-Is

    Configuration Task List for IS-IS The following list includes the configuration tasks for IS-IS: • Enable IS-IS on page 513 • Configure Multi-Topology IS-IS (MT IS-IS) on page 516 • Configure IS-IS Graceful Restart on page 517 • Change LSP attributes on page 520 •...
  • Page 514 Step Task Command Syntax Command Mode interface Enter the interface configuration mode. Enter the keyword interface CONFIGURATION interface followed by the type of interface and slot/port information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information. •...
  • Page 515 Figure 23-2. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: <Null Tag> System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.0001 Interfaces supported by IS-IS: Vlan 2 GigabitEthernet 4/22 Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: level-1-2 Accept narrow metrics:...
  • Page 516 Configure Multi-Topology IS-IS (MT IS-IS) Step Task Command Syntax Command Mode multi-topology [ Enable Multi-Topology IS-IS for transition ROUTER ISIS AF IPV6 IPv6. transition Enter the keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition...
  • Page 517 Configure Multi-Topology IS-IS (MT IS-IS) Step Task Command Syntax Command Mode multi-topology [ Enable Multi-Topology IS-IS for ROUTER ISIS AF IPV6 transition IPv6. transition Enter the keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition...
  • Page 518 Command Syntax Command Mode Purpose graceful-restart restart- wait seconds ROUTER-ISIS Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the timer to adjacency on the restarting router when implementing this command. Range: 5-120 seconds Default: 30 seconds graceful-restart t1 {interval seconds | ROUTER-ISIS...
  • Page 519: Show Isis Interface

    Use the show isis graceful-restart detail command in EXEC Privilege mode to view all Graceful Restart related configuration. Figure 23-4. Command Example: show isis graceful-restart detail FTOS#show isis graceful-restart detail Configured Timer Value ====================== Graceful Restart : Enabled Interval/Blackout time : 1 min T3 Timer : Manual...
  • Page 520 Figure 23-5. Command Example: show isis interface show isis interface G1/34 GigabitEthernet 2/10 is up, line protocol is up MTU 1497, Encapsulation SAP Routing Protocol: IS-IS Circuit Type: Level-1-2 Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01 Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01...
  • Page 521 Figure 23-6. Command Example: show running-config isis FTOS#show running-config isis router isis lsp-refresh-interval 902 net 47.0005.0001.000C.000A.4321.00 net 51.0005.0001.000C.000A.4321.00 FTOS# Configure IS-IS metric style and cost All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
  • Page 522 Figure 23-7. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: <Null Tag> System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.0001 Interfaces supported by IS-IS: Vlan 2 GigabitEthernet 4/22 Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: level-1-2 IS-IS metrics...
  • Page 523: Configuring The Distance Of A Route

    Table 23-3. Correct Value Range for the isis metric command Metric Style Correct Value Range narrow transition 0 to 63 transition 0 to 63 Configuring the distance of a route Configure the distance for a route using the distance command from ROUTER ISIS mode. Change the IS-type You can configure the system to act as one of the following: •...
  • Page 524 Figure 23-8. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL B233.00-00 0x00000003 0x07BF 1088 0/0/0 eljefe.00-00 * 0x00000009 0xF76A 1126 0/0/0 eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0 eljefe.02-00 * 0x00000001...
  • Page 525 Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or FTOS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
  • Page 526: Ipv6 Routes

    Command Syntax Command Mode Purpose distribute-list out [ bgp prefix-list-name ROUTER ISIS Apply a configured prefix list to all outgoing | connected | ospf | rip | IPv4 IS-IS routes. You can configure one of as-number process-id static ] the optional parameters: connected: for directly connected routes.
  • Page 527 Command Syntax Command Mode Purpose distribute-list out [ bgp ROUTER ISIS-AF Apply a configured prefix list to all outgoing prefix-list-name | connected | ospf | rip | as-number process-id IPV6 IPv6 IS-IS routes. You can configure one of static ] the optional parameters: connected: for directly connected routes.
  • Page 528 Command Syntax Command Mode Purpose redistribute ospf level-1 level-1-2 ROUTER ISIS Include specific OSPF routes in IS-IS. process-id level-2 [ metric ] [ match external { 1 | 2 } | Configure the following parameters: value match internal ] [ metric-type { external | •...
  • Page 529 Use the show running-config isis command in EXEC Privilege mode to view IS-IS configuration globally (including both IPv4 and IPv6 settings), or the show config command in ROUTER ISIS mode to view the current IPv4 IS-IS configuration, or the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode to view the current IPv6 IS-IS configuration. Configure authentication passwords...
  • Page 530 When the bit is set, a 1 is placed in the OL column in the show isis database command output. In Figure 23-9, the overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2 Figure 23-9.
  • Page 531: Is-Is Metric Styles

    Command Syntax Command Mode Purpose debug isis snp-packets [ EXEC Privilege View IS-IS SNP packets, include CSNPs and interface PSNPs. To view specific information, enter one of the following optional parameters: • Enter the type of interface and slot/port interface: information to view IS-IS information on that interface only.
  • Page 532: Configure Metric Values

    Configure Metric Values The following topics are covered in this section: • Maximum Values in the Routing Table on page 532 • Changing the IS-IS Metric Style in One Level Only on page 532 • Leaking from One Level to Another on page 534 isis metric For any level (Level-1, Level-2, or Level-1-2), the value range possible in the command in...
  • Page 533 Table 23-5. Metric Value when Metric Style Changes Beginning metric style Final metric style Resulting IS-IS metric value wide narrow transition default value (10) if the original value is greater than A message is sent to the console. wide wide transition original value narrow wide...
  • Page 534: Leaking From One Level To Another

    Table 23-6. Metric Value when Metric Style Changes Multiple Times Beginning next isis resulting isis metric style metric style metric value Next metric style final isis metric value wide transition truncated value narrow default value (10) A message is sent to the logging buffer wide transition transition truncated value...
  • Page 535: Sample Configuration

    Sample Configuration The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing are being used.
  • Page 536 Figure 23-10. IS-IS Sample Configuration Router 1 R1(conf)#interface Loopback 0 R1(conf-if-lo-0)#ip address 192.168.1.1/24 R1(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48 R1(conf-if-lo-0)#ip router isis 9999 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#router isis 9999 R1(conf-router_isis)#is-type level-1 R1(conf-router_isis)#net FF.F101.0002.0C00.1111.00 R1(conf-router_isis)#ipv6 route 2001:db8:9999:2::/128 2001:db8:1021:2:: R1(conf)#ipv6 route 2001:db8:9999:3::/128 2001:db8:1022:3:: R1(conf)#ip route 192.168.1.2/32 10.0.12.2 R1(conf)#ip route 192.168.1.3/32 10.0.13.3 R1(conf)#interface GigabitEthernet 1/21 R1(conf-if-gi-1/21)#ip address 10.0.12.1/24...
  • Page 537 Figure 23-11. IS-IS Sample Configuration continued Router 2 R2(conf)#interface Loopback 0 R2(conf-if-lo-0)#ip address 192.168.1.1/24 R2(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48 R2(conf-if-lo-0)#ip router isis 9999 R2(conf-if-lo-0)#no shutdown R2(conf-if-lo-0)#router isis 9999 R2(conf-router_isis)#int gi 2/11 R2(conf-if-gi-2/11)#ip address 10.0.12.2/24 R2(conf-if-gi-2/11)#ipv6 address 2001:db8:9999:2::/48 R2(conf-if-gi-2/11)#ip router isis 9999 R2(conf-if-gi-2/11)#isis network point-to-point R2(conf-if-gi-2/11)#no shutdown R2(conf-if-gi-2/11)#int gi 2/31 R2(conf-if-gi-2/31)#ip address 10.0.23.2/24...
  • Page 538 Figure 23-12. IS-IS Sample Configuration continued Router 3 R3(conf)#interface Loopback 0 R3(conf-if-lo-0)#ip address 192.168.1.3/24 R3(conf-if-lo-0)#ipv6 address 2001:db8:9999:3::/48 R3(conf-if-lo-0)#ip router isis 9999 R3(conf-if-lo-0)#no shutdown R3(conf-if-lo-0)#router isis 9999 R3(conf-router_isis)#net FF.F101.0002.0C00.1133.00 R3(conf-router_isis)#ipv6 route 2001:db8:9999:1::/128 2001:db8:1022:1:: R3(conf)#ipv6 route 2001:db8:9999:2::/128 2001:db8:1023:2:: R3(conf)#ip route 192.168.1.1/32 10.0.13.1 R3(conf)#interface GigabitEthernet 3/14 R3(conf-if-gi-3/14)#ip address 10.0.13.3/24 R3(conf-if-gi-3/14)#ipv6 address 2001:db8:1022:3::/48...
  • Page 539 Figure 23-13. IPv6 IS-IS Sample Topography Loopback 0 Loopback 0 2001:0db8:9999:2:: /48 2001:0db8:9999:2:: /48 (192.168.1.2 /24) (192.168.1.2 /24) GigE 2/11 GigE 2/31 2001:0db8:1021:2:: /48 2001:0db8:1023:2:: /48 (10.0.12.2 /24) (10.0.23.2 /24) GigE 1/21 GigE 3/21 2001:0db8:1021:1:: /48 2001:0db8:1023:3:: /48 (10.0.12.1 /24) (10.0.23.3 /24) Loopback 0 Loopback 0...
  • Page 540 Intermediate System to Intermediate System...
  • Page 541: Link Aggregation Control Protocol

    Link Aggregation Control Protocol Link Aggregation Control Protocol is supported on platforms: c e s. LACP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. The major sections in the chapter are: • Introduction to Dynamic LAGs and LACP on page 541 •...
  • Page 542: Important Points To Remember

    LACP functions by constantly exchanging custom MAC PDUs across LAN Ethernet links. The protocol packets are only exchanged between ports that are configured as LACP capable. Important Points to Remember • On ExaScale, LACP is supported on 200 physical ports. Use static LAGs for the remaining ports to avoid unpredictable results.
  • Page 543: Lacp Modes

    LACP modes FTOS provides the following three modes for configuration of LACP: • Off—In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. •...
  • Page 544: Lacp Configuration Tasks

    LACP Configuration Tasks The tasks covered in this section are: • Create a LAG • Configure the LAG interfaces as dynamic on page 544 • Set the LACP long timeout on page 545 • Monitor and Debugging LACP on page 546 •...
  • Page 545: Set The Lacp Long Timeout

    Figure 24-3. Creating a Dynamic LAG Example FTOS(conf)#interface Gigabitethernet 3/15 FTOS(conf-if-gi-3/15)#no shutdown FTOS(conf-if-gi-3/15)#port-channel-protocol lacp FTOS(conf-if-gi-3/15-lacp)#port-channel 32 mode active FTOS(conf)#interface Gigabitethernet 3/16 FTOS(conf-if-gi-3/16)#no shutdown FTOS(conf-if-gi-3/16)#port-channel-protocol lacp FTOS(conf-if-gi-3/16-lacp)#port-channel 32 mode active FTOS(conf)#interface Gigabitethernet 4/15 FTOS(conf-if-gi-4/15)#no shutdown FTOS(conf-if-gi-4/15)#port-channel-protocol lacp FTOS(conf-if-gi-4/15-lacp)#port-channel 32 mode active FTOS(conf)#interface Gigabitethernet 4/16 FTOS(conf-if-gi-4/16)#no shutdown FTOS(conf-if-gi-4/16)#port-channel-protocol lacp...
  • Page 546: Monitor And Debugging Lacp

    Figure 24-4. Invoking the LACP Long Timeout FTOS(conf)# interface port-channel 32 FTOS(conf-if-po-32)#no shutdown FTOS(conf-if-po-32)#switchport FTOS(conf-if-po-32)#lacp long-timeout FTOS(conf-if-po-32)#end FTOS# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.a12b Partner System ID: Priority 32768, Address 0001.e801.45a5 Actor Admin Key 1, Oper Key 1, Partner Oper Key 1 LACP LAG 1 is an aggregatable link A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout...
  • Page 547: Configure Shared Lag State Tracking

    Figure 24-5. LAGs using ECMP without Shared LAG State Tracking (Po 1 failure, Po 2 over-subscribed) To avoid packet loss, traffic must be re-directed through the next lowest-cost link (R3 to R4). FTOS has the ability to bring LAG 2 down in the event that LAG 1 fails, so that traffic can be re-directed, as described. This is what is meant by Shared LAG State Tracking.
  • Page 548: Important Points About Shared Lag State Tracking

    Figure 24-8, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down upon the failure. This effect is logged by Message 2, in which a console message declares both LAGs down at the same time. Figure 24-8.
  • Page 549: Configure Lacp As Hitless

    Configure LACP as Hitless is supported only on platforms: LACP on Dell Force10 systems can be configured to be hitless. When configured as hitless, there is no noticeable impact on dynamic LAG state upon an RPM failover. Critical LACP state information is synchronized between the two RPMs.
  • Page 550: Configuring A Lag On Alpha

    Figure 24-11. LACP Sample Topology Port Channel 10 ALPHA BRAVO Gig 2/31 Gig 3/21 Gig 2/32 Gig 3/22 Gig 3/23 Gig 2/33 Configuring a LAG on ALPHA Figure 24-12. Creating a LAG on ALPHA Alpha(conf)#interface port-channel 10 Alpha(conf-if-po-10)#no ip address Alpha(conf-if-po-10)#switchport Alpha(conf-if-po-10)#no shutdown Alpha(conf-if-po-10)#show config...
  • Page 551 Figure 24-13. Inspecting a LAG Port Configuration on ALPHA Alpha#sh int gig 2/31 GigabitEthernet 2/31 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes...
  • Page 552 Figure 24-14. Inspecting Configuration of LAG 10 on ALPHA Indicates the MAC address assigned to the LAG. This does NOT match any of the Alpha#show int port-channel 10 physical interface MAC addresses. Port-channel 10 is up, line protocol is up Created by LACP protocol Hardware address is 00:01:e8:06:96:63, Current address is 00:01:e8:06:96:63 Interface index is 1107755018...
  • Page 553 Figure 24-15. Using the show lacp Command to Verify LAG 10 Status on ALPHA Alpha#sho lacp 10 Port-channel 10 admin up, oper up, mode lacp Shows LAG status Actor System ID: Priority 32768, Address 0001.e806.953e Partner System ID: Priority 32768, Address 0001.e809.c24a Actor Admin Key 10, Oper Key 10, Partner Oper Key 10 LACP LAG 10 is an aggregatable link A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout...
  • Page 554: Summary Of The Configuration On Alpha

    Summary of the configuration on ALPHA Figure 24-16. Summary of the configuration on ALPHA Alpha(conf-if-po-10)#int gig 2/31 Alpha(conf-if-gi-2/31)#no ip address Alpha(conf-if-gi-2/31)#no switchport Alpha(conf-if-gi-2/31)#shutdown Alpha(conf-if-gi-2/31)#port-channel-protocol lacp Alpha(conf-if-gi-2/31-lacp)#port-channel 10 mode active Alpha(conf-if-gi-2/31-lacp)#no shut Alpha(conf-if-gi-2/31)#show config interface GigabitEthernet 2/31 no ip address port-channel-protocol LACP port-channel 10 mode active no shutdown Alpha(conf-if-gi-2/31)#...
  • Page 555: Summary Of The Configuration On Bravo

    Summary of the configuration on BRAVO Figure 24-17. Summary of the configuration on BRAVO Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config interface Port-channel 10 no ip address switchport no shutdown Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp...
  • Page 556 Figure 24-18. Using the show interface Command to Inspect a LAG Port on BRAVO Shows the status of this interface. Also shows it is part of LAG 10. Bravo#show int gig 3/21 GigabitEthernet 3/21 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:09:c3:82 Current address is 00:01:e8:09:c3:82...
  • Page 557 Figure 24-19. Using the show interfaces port-channel Command to Inspect LAG 10 This does NOT match any of the physical interface MAC addresses. Force10#sh int port 10 Port-channel 10 is up, line protocol is up Created by LACP protocol Hardware address is 00:01:e8:09:c4:ef, Current address is 00:01:e8:09:c4:ef Interface index is 1107755018 Confirms the number of links to bring up Minimum number of links to bring Port-channel up is 1...
  • Page 558 Figure 24-20. Using the show lacp Command to Inspect LAG Status Force10#show lacp 10 Port-channel 10 admin up, oper up, mode lacp Shows LAG status Actor System ID: Priority 32768, Address 0001.e809.c24a Partner System ID: Priority 32768, Address 0001.e806.953e Actor Admin Key 10, Oper Key 10, Partner Oper Key 10 LACP LAG 10 is an aggregatable link A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout E - Aggregatable Link, F - Individual Link, G - IN_SYNC, H - OUT_OF_SYNC...
  • Page 559: Layer

    Layer 2 Layer 2 features are supported on platforms: c e s. The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later. This chapter describes the following Layer 2 features: • Managing the MAC Address Table on page 559 •...
  • Page 560: Clear The Mac Address Table

    Clear the MAC Address Table You may clear the MAC address table of dynamic entries: Task Command Syntax Command Mode clear mac-address-table dynamic Clear a MAC address table of dynamic entries. EXEC Privilege all | interface | vlan address address •...
  • Page 561: Configure A Static Mac Address

    Configure a Static MAC Address A static entry is one that is not subject to aging. Static entries must be entered manually: Task Command Syntax Command Mode Create a static MAC address entry in the MAC address table. mac-address-table static CONFIGURATION Display the MAC Address Table To display the contents of the MAC address table:...
  • Page 562: Mac Learning Limit

    MAC Learning Limit This section has the following sub-sections: • mac learning-limit dynamic on page 563 • mac learning-limit station-move on page 563 • mac learning-limit no-station-move on page 564 • mac learning-limit sticky on page 564 • Displaying MAC Learning-Limited Interfaces on page 566 •...
  • Page 563: Mac Learning-Limit Dynamic

    mac learning-limit dynamic After you enable a MAC learning limit, MAC addresses learned on the port and entered in the MAC dynamic address table are static by default. If you configure the MAC learning option, learned MAC addresses are stored in the dynamic region of the table and are subject to aging. Entries created before this option is set are not affected.
  • Page 564: Mac Learning-Limit No-Station-Move

    mac learning-limit no-station-move Note: Sticky MAC is not supported on the S25 or S50 in FTOS release 8.4.2.6. The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When this option is configured, the first entry in the table is maintained instead of creating a new entry on the new interface. no-station-move...
  • Page 565 FTOS Behavior: The following conditions apply when you enable the sticky-MAC address option for MAC learning on an interface: • When you enable the sticky MAC learning option, all dynamically-learned MAC addresses that you save to the start-up configuration are converted to statically-configured MAC addresses when you reboot the switch.
  • Page 566: Displaying Mac Learning-Limited Interfaces

    Displaying MAC Learning-Limited Interfaces To display a list of all interfaces with a MAC learning limit: Task: Display a list of all interfaces with a MAC learning limit. Command Syntax: show mac learning-limit Command Mode: EXEC Privilege Learning Limit Violation Actions Learning Limit Violation Actions are supported only on platform: You can configure the system to take an action when the MAC learning limit is reached on an interface and mac learning-limit...
  • Page 567: Recovering From Learning Limit And Station Move Violations

    To display a list of interfaces configured with MAC learning limit or station move violation actions: Task: Display a list of all of the interfaces configured with MAC learning limit or station move violation. Command Syntax: show mac learning-limit violate-action Command Mode: CONFIGURATION
  • Page 568 Figure 25-1. Per-VLAN MAC Learning Limit Internet Exchange Point interface GigabitEthernet 1/1 mac learning-limit 1 vlan 10 mac learning-limit 1 vlan 20 ISP A, B, and C are all public peers through VLAN 10. In addition, ISP A and C are private peers on a separate VLAN, VLAN 20.
  • Page 569: Nic Teaming

    Dell Force10 switch at the time that NIC teaming is being configured on the server. Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out.
  • Page 570: Mac Move Optimization

    When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration. If the active server sends a reply, the Dell Force10 switch learns the active server’s MAC address.
  • Page 571: Configuring The Switch For Microsoft Server Clustering

    Configuring the Switch for Microsoft Server Clustering To preserve failover and balancing, the Dell Force10 switch must learn the cluster’s virtual MAC address, and it must forward traffic destined for the server cluster out all member ports in the VLAN connected to the cluster. vlan-flooding...
  • Page 572: Enable And Disable Vlan Flooding

    Figure 25-6. Server Cluster: Failover and Balancing Preserved with the vlan-flooding Command Source MAC: MAC S1 Source IP: IP S1 Destination MAC: MAC Client Source MAC: MAC Cluster Type: 0x0806 IP S1 Server1: Ethernet Frame Header ARP Reply MAC S1 Client VLAN 1 IP S2...
  • Page 573: Configuring Redundant Pairs

    Configuring Redundant Pairs Configuring Redundant Pairs is supported: • On physical interfaces on platforms c e s • On static and dynamic port-channel interfaces on platforms c e s The Redundant Pairs feature allows you to provide redundancy for Layer 2 links without using Spanning Tree (STP).
  • Page 574: Important Points About Configuring Redundant Pairs

    To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
  • Page 575 Figure 25-8, interface 3/41 is a backup interface for 3/42, and 3/42 is DOWN as shown in message Message 1. If 3/41 fails, 3/42 transitions to the UP state, which makes the backup link active. A message similar to Message 1 appears whenever you configure a backup port.
  • Page 576: Restricting Layer 2 Flooding

    Restricting Layer 2 Flooding Restricting Layer 2 Flooding is supported only on platform: When Layer 2 multicast traffic must be forwarded on a VLAN that has multiple ports with different speeds on the same port-pipe, forwarding is limited to the speed of the slowest port. Restricted Layer 2 Flooding prevents slower ports from lowering the throughput of multicast traffic on faster ports by restricting flooding to ports with a speed equal to or above a link speed you specify.
  • Page 577: Far-End Failure Detection

    Far-end Failure Detection Far-end Failure Detection is supported only on platform: Far-end Failure Detection (FEFD) is a protocol that senses remote data link errors in a network. It responds by sending a unidirectional report that triggers an echoed response after a specified time interval. Figure 25-10.
  • Page 578: Configuring Fefd

    5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled. All interfaces in the Err-disabled state must be manually reset using the fefd reset [interface] command in EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again.
  • Page 579 Step Task Command Syntax Command Mode no shutdown Activate the necessary ports INTERFACE administratively fefd interval Enable fefd globally CONFIGURATION mode Entering the show fefd command in EXEC privilege mode displays information about the state of each interface. Figure 25-11. Show FEFD global outputs FTOS#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
  • Page 580: Debugging Fefd

    Figure 25-12. FEFD enabled interface configuration FTOS(conf-if-gi-1/0)#show config interface GigabitEthernet 1/0 no ip address switchport fefd mode normal no shutdown FTOS(conf-if-gi-1/0)#do show fefd | grep 1/0 Gi 1/0 Normal Unknown Debugging FEFD By entering the debug fefd events command in EXEC privilege mode, output is displayed whenever events occur that initiate or disrupt an FEFD enabled connection.
  • Page 581 During an RPM Failover In the event that an RPM failover occurs, FEFD will become operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again. Figure 25-15. FEFD state change during an RPM failover 02-05-2009 12:40:38 Local7.Debug 10.16.151.12...
  • Page 582 Layer 2...
  • Page 583: Link Layer Discovery Protocol

    Link Layer Discovery Protocol Link Layer Discovery Protocol is supported only on platforms: c e s. LLDP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. This chapter contains the following sections: • 802.1AB (LLDP) Overview on page 583 •...
  • Page 584 Figure 26-1. Type, Length, Value (TLV) Segment [figure: a TLV Header made up of TLV Type (1-127), 7 bits, and TLV Length, 9 bits, followed by Value, 0-511 octets; for the Chassis ID TLV the Value holds Chassis ID Sub-type, 1 octet, and Chassis ID, 1-255 octets] TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 26-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors.
  • Page 585: Optional Tlvs

    Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups (Table 26-2) as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Force10 system to advertise any or all of these TLVs. Table 26-2. Optional TLV Types...
  • Page 586: Tia-1057 (Lldp-Med) Overview

    On Dell Force10 systems, indicates the untagged VLAN to which a port belongs Port and Protocol VLAN ID On Dell Force10 systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in hybrid mode) VLAN Name Indicates the user-defined alphanumeric string that identifies the VLAN.
  • Page 587: Tia Organizationally Specific Tlvs

    LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • transmitting an LLDP-MED capabilities TLV to endpoint devices •...
  • Page 588 26-4). • The possible values of the LLDP-MED Device Type are listed in Table 26-5. The Dell Force10 system is a Network Connectivity device, which is Type 4. When you enable LLDP-MED in FTOS (using the command advertise med) the system begins transmitting this TLV.
  • Page 589 Table 26-5. LLDP-MED Device Types Value Device Type Endpoint Class 3 Network Connectivity 5-255 Reserved LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations, specifically: •...
  • Page 590: Extended Power Via Mdi Tlv

    802.3af powered, LLDP-MED endpoint device. • Power Type—there are two possible power types: Power Sourcing Entity (PSE) or Power Device (PD). The Dell Force10 system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification. •...
  • Page 591: Configuring Lldp

    Dell Force10 systems support up to 8 neighbors per interface. • Dell Force10 systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by 8 exceeds the maximum, the system will not configure more than 8000.
  • Page 592: Enabling Lldp

    Figure 26-7. Configuration and Interface mode LLDP Commands R1(conf)#protocol lldp R1(conf-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol globally Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration Negate a command or set its defaults...
  • Page 593 • If you configure an interface, only the interface will send LLDPDUs with the specified TLVs. If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration. To advertise TLVs: Command Step Task Command Mode protocol lldp...
  • Page 594: Viewing The Lldp Configuration

    Viewing the LLDP Configuration Display the LLDP configuration using the show config command in either CONFIGURATION or INTERFACE mode, as shown in Figure 26-9 and Figure 26-10, respectively. Figure 26-9. Viewing LLDP Global Configurations R1(conf)#protocol lldp R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description hello 10...
  • Page 595: Configuring Lldpdu Intervals

    Figure 26-12. Viewing All Information Advertised by Adjacent LLDP Agent R1#show lldp neighbors detail ======================================================================== Local Interface Gi 1/21 has 1 neighbor Total Frames Out: 6547 Total Frames In: 4136 Total Neighbor information Age outs: 0 Total Frames Discarded: 0 Total In Error Frames: 0 Total Unrecognized TLVs: 0 Total TLVs Discarded: 0...
  • Page 596: Configuring Transmit And Receive Mode

    R1(conf-lldp)# Configuring Transmit and Receive Mode Once LLDP is enabled, Dell Force10 systems transmit and receive LLDPDUs by default. You can configure the system—at CONFIGURATION level or INTERFACE level—to transmit only by executing mode tx mode rx...
  • Page 597: Configuring A Time To Live

    Figure 26-14. Configuring LLDPDU Transmit and Receive Mode R1(conf)#protocol lldp R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? Rx only Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx...
  • Page 598: Debugging Lldp

    Figure 26-15. Configuring LLDPDU Time to Live R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#multiplier ? <2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable...
  • Page 599: Relevant Management Objects

    Figure 26-16. debug lldp detail—LLDPDU Packet Dissection Force10# debug lldp interface gigabitethernet 1/2 packet detail tx Force10#1w1d19h : Transmit timer blew off for local interface Gi 1/2 1w1d19h : Forming LLDP pkt to send out of interface Gi 1/2 1w1d19h : TLV: Chassis ID, Len: 7, Subtype: Mac address (4), Value: 00:01:e8:0d:b6:d6 1w1d19h : TLV: Port ID, Len: 20, Subtype: Interface name (5), Value: GigabitEthernet 1/2...
  • Page 600 Table 26-7. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether the local LLDP agent is enabled for transmit, receive, or both msgTxHold lldpMessageTxHoldMultiplier Multiplier value msgTxInterval lldpMessageTxInterval Transmit Interval value rxInfoTTL lldpRxInfoTTL Time to Live for received TLVs...
  • Page 601 Table 26-8. LLDP System MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Chassis ID chassis ID subtype Local lldpLocChassisIdSubtype Remote lldpRemChassisIdSubtype chassis ID Local lldpLocChassisId Remote lldpRemChassisId Port ID port subtype Local lldpLocPortIdSubtype Remote lldpRemPortIdSubtype port ID Local lldpLocPortId Remote...
  • Page 602 Table 26-9. LLDP 802.1 Organizationally Specific TLV MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Port-VLAN ID PVID Local lldpXdot1LocPortVlanId Remote lldpXdot1RemPortVlanId Port and Protocol port and protocol VLAN supported Local lldpXdot1LocProtoVlanSupported VLAN ID Remote lldpXdot1RemProtoVlanSupported port and protocol VLAN enabled Local lldpXdot1LocProtoVlanEnabled...
  • Page 603 Table 26-10. LLDP-MED System MIB Objects TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object LLDP-MED Capabilities LLDP-MED Capabilities Local lldpXMedPortCapSupported, lldpXMedPortConfigTLVsTxEnable Remote lldpXMedRemCapSupported, lldpXMedRemConfigTLVsTxEnable LLDP-MED Class Type Local lldpXMedLocDeviceClass Remote lldpXMedRemDeviceClass Network Policy Application Type Local lldpXMedLocMediaPolicyAppType Remote...
  • Page 604 Table 26-10. LLDP-MED System MIB Objects (continued) TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Extended Power via Power Device Type Local lldpXMedLocXPoEDeviceType Remote lldpXMedRemXPoEDeviceType Power Source Local lldpXMedLocXPoEPSEPowerSource, lldpXMedLocXPoEPDPowerSource Remote lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource Power Priority Local lldpXMedLocXPoEPDPowerPriority,...
  • Page 605: Multicast Listener Discovery

    Multicast Listener Discovery Multicast Listener Discovery is supported only on platform: MLD Snooping is supported only on platform: Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
  • Page 606: Mld Querier Router

    • Maximum Response Delay—the maximum amount of time that the Querier waits to receive a response to a General or Multicast-Address-Specific Query. The value is zero in reports and Done messages. • Multicast Address — set to zero in General Queries, and set to the relevant multicast address in multicast-address-specific queries and done messages.
  • Page 607: Leaving A Multicast Group

    Leaving a Multicast Group A receiver that is no longer interested in traffic for a particular group should leave the group by sending a Done message to the link-scope all-routers multicast address, FF02::02. When a Querier receives a Done message, it sends a Multicast-Address-Specific Query addressed to the relevant multicast group.
  • Page 608: Enabling Mld

    Figure 27-3. MLDv2 Multicast Listener Report Padding Start Frame Source MAC IPv6 Packet Preamble Destination MAC Ethernet Type Delimiter Header Extension Options Version Traffic Class Flow Label Hop Limit Next Header Payload Length Next Header ICMPv6 Packet Length (Router Alert) (58) Type Code...
  • Page 609: Change Mld Timer Values

    • Debug MLD on page 611 • MLD Snooping on page 611 Change MLD Timer Values All non-queriers have a timer that is refreshed when it hears a General Query. If the timer expires, then the router can assume that the Querier is not present, and so it assumes the role of Querier. The Other Querier Present Interval, or Querier Timeout Interval, is the amount of time that passes before a non-querier router assumes that there is no longer a Querier on the link.
  • Page 610: Last Member Query Interval

    Last Member Query Interval The Querier sends a Multicast-Address-Specific Query upon receiving a Done message to ascertain whether there are any remaining receivers for a group. The Last Listener Query Interval is the Maximum Response Delay for a Multicast-Address-Specific Query, and also the amount of time between Multicast-Address-Specific Query retransmissions.
  • Page 611: Display The Mld Group Table

    Display the MLD Group Table Task: Display MLD groups. Group information can be filtered, see the FTOS Command Line Reference for the options available with this command. Command Syntax: show ipv6 mld groups interface Command Mode: EXEC Privilege Clear MLD Groups Clear a specific group or all groups on an interface from the multicast routing table using the command clear ipv6 mld groups from EXEC Privilege mode.
  • Page 612: Enable Mld Snooping

    Enable MLD Snooping MLD is automatically enabled when you enable IPv6 PIM, but MLD Snooping must be explicitly enabled. Task: Enable MLD Snooping Command Syntax: ipv6 mld snooping enable Command Mode: CONFIGURATION Disable MLD Snooping on a VLAN When MLD is enabled globally, it is by default enabled on all VLANs. Disable snooping on a VLAN using the command no ipv6 mld snooping from INTERFACE VLAN mode.
  • Page 613: Enable Snooping Explicit Tracking

    View the ports that are connected to multicast routers using the command show ipv6 mld snooping mrouter from EXEC Privilege mode. Enable Snooping Explicit Tracking The switch can be a querier, and therefore also has the option of updating the group table through explicit-tracking (see Explicit Tracking on page 610).
  • Page 614 Figure 27-4. Port Inheritance on Mixed-mode VLANs Snooping Table IGMP MLDv2 (*,G) (*,G) VLAN 10 1, 3 (S,G) 1*, 3 exclude (*,G) include (S,G) Figure 27-4, the host on Port 1 sends an exclude—that is, exclude nothing—report to join group G and receive traffic from all transmitting sources for the group.
  • Page 615: Multicast Source Discovery Protocol

    Multicast Source Discovery Protocol Multicast Source Discovery Protocol is supported only on platform MSDP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Protocol Overview Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP.
  • Page 616: Implementation Information

    Figure 28-1. Multicast Source Discovery Protocol

    RPs advertise each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count”...
  • Page 617: Configuring Multicast Source Discovery Protocol

    Configuring Multicast Source Discovery Protocol Configuring MSDP is a three-step process: 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Figure 28-5 MSDP Sample Configurations on page 638 show the OSPF-BGP configuration used in this chapter for MSDP. Otherwise, see Chapter 32, Open Shortest Path First (OSPFv2 and OSPFv3), on page 691 Chapter 10, Border Gateway Protocol IPv4 (BGPv4), on page...
  • Page 618 Figure 28-3. Configuring Interfaces for MSDP
  • Page 619 Figure 28-4. Configuring OSPF and BGP for MSDP
  • Page 620 Figure 28-5. Configuring PIM in Multiple Routing Domains
  • Page 621 Figure 28-6. Configuring MSDP
  • Page 622: Enable Msdp

    Enable MSDP

    Enable MSDP by peering RPs in different administrative domains.

    Task: Enable MSDP.
    Command Syntax: ip multicast-msdp
    Command Mode: CONFIGURATION

    Task: Peer PIM systems in different administrative domains.
    Command Syntax: ip msdp peer connect-source
    Command Mode: CONFIGURATION

    Figure 28-7. Configuring an MSDP Peer

        R3_E600(conf)#ip multicast-msdp
        R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
        R3_E600(conf)#do show ip msdp summary
        Peer Addr...
  • Page 623: View The Source-Active Cache

    • RPs can transmit SA messages periodically to prevent SA storms, and • only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information. View the Source-active Cache Task Command Syntax Command Mode show ip msdp sa-cache...
  • Page 624: Accept Source-Active Messages That Fail The RPF Check

    • the peer RP is unreachable,
    • or because of an SA message format error.

    Task: Cache rejected sources.
    Command Syntax: ip msdp cache-rejected-sa
    Command Mode: CONFIGURATION

    Accept Source-active Messages that fail the RPF Check

    A default peer is a peer from which active sources are accepted even though they fail the RPF check. •...
  • Page 625 Figure 28-10. MSDP Default Peer (panels: Scenario 1, Scenario 2)...
  • Page 626: Limit The Source-Active Messages From A Peer

    Task: Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check.
    Command Syntax: ip msdp default-peer ip-address list
    Command Mode: CONFIGURATION
  • Page 627: Prevent Msdp From Caching A Local Source

    Prevent MSDP from Caching a Local Source

    You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs.

    Task: OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache.
    Command Syntax: ip msdp cache-rejected-sa
    Command Mode: CONFIGURATION
  • Page 628: Prevent Msdp From Caching A Remote Source

    Prevent MSDP from Caching a Remote Source

    Task: OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache.
    Command Syntax: ip msdp cache-rejected-sa
    Command Mode: CONFIGURATION

    Task: Prevent the system from caching remote sources learned from a specific peer based on source and group.
    Command Syntax: ip msdp sa-filter list out peer list ext-acl
    Command Mode: CONFIGURATION
  • Page 629: Prevent Msdp From Advertising A Local Source

    Prevent MSDP from Advertising a Local Source

    Task: Prevent an RP from advertising a source in the SA cache.
    Command Syntax: ip msdp sa-filter list in peer list ext-acl
    Command Mode: CONFIGURATION

    In Figure 28-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires.
  • Page 630: Log Changes In Peership States

    Log Changes in Peership States

    Task: Log peership state changes.
    Command Syntax: ip msdp log-adjacency-changes
    Command Mode: CONFIGURATION

    Terminate a Peership

    MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.

    Task Command Syntax Command Mode...
  • Page 631: Clear Peer Statistics

    Clear Peer Statistics

    Task: Reset the TCP connection to the peer and clear all peer statistics.
    Command Syntax: clear ip msdp peer peer-address
    Command Mode: CONFIGURATION

    Figure 28-16. Clearing Peer Statistics

        R3_E600(conf)#do show ip msdp peer
        Peer Addr: 192.168.0.1
        Local Addr: 192.168.0.3(639) Connect Source: Lo 0
        State: Established...
  • Page 632: Debug Msdp

    Debug MSDP

    Task: Display the information exchanged between peers.
    Command Syntax: debug ip msdp
    Command Mode: CONFIGURATION

    Figure 28-17. Debugging MSDP

        R1_E600(conf)#do debug ip msdp
        All MSDP debugging has been turned on
        R1_E600(conf)#03:16:08 : MSDP-0: Peer 192.168.0.3, sent Keepalive msg
        03:16:09 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg
        03:16:27 : MSDP-0: Peer 192.168.0.3,...
  • Page 633: Interface Loopback

    Figure 28-18. MSDP with Anycast RP

        (10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags:
        Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0
        Outgoing interface list:
        GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40
        GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40
  • Page 634: Reducing Source-Active Message Flooding

    Reducing Source-active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
  • Page 635 Figure 28-19. R1 Configuration for MSDP with Anycast RP

        ip multicast-routing
        interface GigabitEthernet 1/1
         ip pim sparse-mode
         ip address 10.11.3.1/24
         no shutdown
        interface GigabitEthernet 1/2
         ip address 10.11.2.1/24
         no shutdown
        interface GigabitEthernet 1/21
         ip pim sparse-mode
         ip address 10.11.1.12/24
         no shutdown
        interface Loopback 0
         ip pim sparse-mode
         ip address 192.168.0.1/32...
  • Page 636 Figure 28-20. R2 Configuration for MSDP with Anycast RP

        ip multicast-routing
        interface GigabitEthernet 2/1
         ip pim sparse-mode
         ip address 10.11.4.1/24
         no shutdown
        interface GigabitEthernet 2/11
         ip pim sparse-mode
         ip address 10.11.1.21/24
         no shutdown
        interface GigabitEthernet 2/31
         ip pim sparse-mode
         ip address 10.11.0.23/24
         no shutdown
        interface Loopback 0
         ip pim sparse-mode...
  • Page 637 Figure 28-21. R3 Configuration for MSDP with Anycast RP

        ip multicast-routing
        interface GigabitEthernet 3/21
         ip pim sparse-mode
         ip address 10.11.0.32/24
         no shutdown
        interface GigabitEthernet 3/41
         ip pim sparse-mode
         ip address 10.11.6.34/24
         no shutdown
        interface Loopback 0
         ip pim sparse-mode
         ip address 192.168.0.3/32
         no shutdown
        router ospf 1
         network 10.11.6.0/24 area 0...
  • Page 638: Msdp Sample Configurations

    MSDP Sample Configurations

    The following figures show the running-configurations for the routers shown in Figure 28-5, Figure 28-4, Figure 28-5, and Figure 28-6.

    Figure 28-22. MSDP Sample Configuration: R1 Running-config

        ip multicast-routing
        interface GigabitEthernet 1/1
         ip pim sparse-mode
         ip address 10.11.3.1/24
         no shutdown
        interface GigabitEthernet 1/2
         ip address 10.11.2.1/24...
  • Page 639 Figure 28-23. MSDP Sample Configuration: R2 Running-config

        ip multicast-routing
        interface GigabitEthernet 2/1
         ip pim sparse-mode
         ip address 10.11.4.1/24
         no shutdown
        interface GigabitEthernet 2/11
         ip pim sparse-mode
         ip address 10.11.1.21/24
         no shutdown
        interface GigabitEthernet 2/31
         ip pim sparse-mode
         ip address 10.11.0.23/24
         no shutdown
        interface Loopback 0
         ip address 192.168.0.2/32...
  • Page 640 Figure 28-24. MSDP Sample Configuration: R3 Running-config

        ip multicast-routing
        interface GigabitEthernet 3/21
         ip pim sparse-mode
         ip address 10.11.0.32/24
         no shutdown
        interface GigabitEthernet 3/41
         ip pim sparse-mode
         ip address 10.11.6.34/24
         no shutdown
        interface ManagementEthernet 0/0
         ip address 10.11.80.3/24
         no shutdown
        interface Loopback 0
         ip pim sparse-mode
         ip address 192.168.0.3/32
         no shutdown...
  • Page 641 Figure 28-25. MSDP Sample Configuration: R4 Running-config

        ip multicast-routing
        interface GigabitEthernet 4/1
         ip pim sparse-mode
         ip address 10.11.5.1/24
         no shutdown
        interface GigabitEthernet 4/22
         ip address 10.10.42.1/24
         no shutdown
        interface GigabitEthernet 4/31
         ip pim sparse-mode
         ip address 10.11.6.43/24
         no shutdown
        interface Loopback 0
         ip address 192.168.0.4/32
         no shutdown
        router ospf 1...
  • Page 642 Multicast Source Discovery Protocol...
  • Page 643: Multiple Spanning Tree Protocol

    Multiple Spanning Tree Protocol

    Multiple Spanning Tree Protocol is supported on platforms: c e s

    MSTP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

    Protocol Overview

    Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+.
  • Page 644: Configure Multiple Spanning Tree Protocol

    FTOS supports three other variations of Spanning Tree, as shown in Table 29-1.

    Table 29-1. FTOS Supported Spanning Tree Protocols (Dell Force10 Term: IEEE Specification)
    • Spanning Tree Protocol: 802.1d
    • Rapid Spanning Tree Protocol: 802.1w
    • Multiple Spanning Tree Protocol: 802.1s
    • Per-VLAN Spanning Tree Plus...
  • Page 645: Enable Multiple Spanning Tree Globally

    Enable Multiple Spanning Tree Globally

    MSTP is not enabled by default. To enable MSTP:

    Task: Enter PROTOCOL MSTP mode.
    Command Syntax: protocol spanning-tree mstp
    Command Mode: CONFIGURATION

    Task: Enable MSTP.
    Command Syntax: no disable
    Command Mode: PROTOCOL MSTP

    Verify that MSTP is enabled using the command show config from PROTOCOL MSTP mode, as shown in Figure 29-2.
  • Page 646 Figure 29-3. Mapping VLANs to MSTI Instances

        FTOS(conf)#protocol spanning-tree mstp
        FTOS(conf-mstp)#msti 1 vlan 100
        FTOS(conf-mstp)#msti 2 vlan 200-300
        FTOS(conf-mstp)#show config
        protocol spanning-tree mstp
         no disable
         MSTI 1 VLAN 100
         MSTI 2 VLAN 200-300

    All bridges in the MSTP region must have the same VLAN-to-instance mapping. View to which instance a VLAN is mapped using the command show spanning-tree mst vlan from EXEC Privilege mode, as shown...
  • Page 647: Influence Mstp Root Selection

    For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for name and revision will match on all Dell Force10 FTOS equipment. If you have non-FTOS equipment that will participate in MSTP, ensure these values match on all the equipment.
  • Page 648: Modify Global Parameters

    Max-hops is the maximum number of hops a BPDU can travel before a receiving switch discards it. Note: Dell Force10 recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively impact network performance.
  • Page 649

    Task: Change the hello-time parameter. Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10. Default: 2 seconds
    Command Syntax: hello-time seconds
    Command Mode: PROTOCOL MSTP

    Task: Change the max-age parameter.
    Command Syntax: max-age seconds
  • Page 650: Modify Interface Parameters

    Modify Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port: • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port will be selected to be a forwarding port.
  • Page 651: Configure An Edgeport

    Configure an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
  • Page 652: Configure A Root Guard

    Configure a Root Guard Use the Root Guard feature in a Layer 2 MSTP network to avoid bridging loops. You enable root guard on a per-port or per-port-channel basis. FTOS Behavior: The following conditions apply to a port enabled with root guard: •...
  • Page 653: Configure A Loop Guard

    Configure a Loop Guard The Loop Guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs.
  • Page 654: Flush Mac Addresses After A Topology Change

    Flush MAC Addresses after a Topology Change FTOS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the command tc-flush-standard, which flushes MAC addresses upon every topology change notification.
  • Page 655: Mstp Sample Configurations

    MSTP Sample Configurations The running-configurations in Figure 29-11, Figure 29-12, and Figure 29-12 support the topology shown in Figure 29-10. The configurations are from FTOS systems. An S50 system using SFTOS, configured as shown in Figure 29-14, could be substituted for an FTOS router in this sample following topology and MSTP would function as designed.
  • Page 656 Figure 29-11. Router 1 Running-configuration

        ! Enable MSTP globally
        protocol spanning-tree mstp
         no disable
         ! Set Region Name and Revision
         name Tahiti
         revision 123
         ! Map MSTP Instances to VLANs
         MSTI 1 VLAN 100
         MSTI 2 VLAN 200,300
        ! Assign Layer-2 interfaces
        interface GigabitEthernet 1/21
         no ip address
         switchport
         no shutdown...
  • Page 657 Figure 29-12. Router 2 Running-configuration

        ! Enable MSTP globally
        protocol spanning-tree mstp
         no disable
         ! Set Region Name and Revision
         name Tahiti
         revision 123
         ! Map MSTP Instances to VLANs
         MSTI 1 VLAN 100
         MSTI 2 VLAN 200,300
        ! Assign Layer-2 interfaces
        interface GigabitEthernet 2/11
         no ip address
         switchport
         no shutdown...
  • Page 658 Figure 29-13. Router 3 Running-configuration

        ! Enable MSTP globally
        protocol spanning-tree mstp
         no disable
         ! Set Region Name and Revision
         name Tahiti
         revision 123
         ! Map MSTP Instances to VLANs
         MSTI 1 VLAN 100
         MSTI 2 VLAN 200,300
        ! Assign Layer-2 interfaces
        interface GigabitEthernet 3/11
         no ip address
         switchport
         no shutdown...
  • Page 659 Figure 29-14. SFTOS Example Running-Configuration

        ! Enable MSTP globally
        spanning-tree
        ! Set Region Name and Revision
        spanning-tree configuration name Tahiti
        spanning-tree configuration revision 123
        ! Map MSTP Instances to VLANs
        spanning-tree MSTi instance 1
        spanning-tree MSTi vlan 1 100
        spanning-tree MSTi instance 2
        spanning-tree MSTi vlan 2 200
        spanning-tree MSTi vlan 2 300
        interface...
  • Page 660: Debugging And Verifying Mstp Configuration

    Debugging and Verifying MSTP Configuration

    Display BPDUs using the command debug spanning-tree mstp bpdu from EXEC Privilege mode. Display MSTP-triggered topology change messages using debug spanning-tree mstp events.

    Figure 29-15. Displaying BPDUs and Events

        FTOS#debug spanning-tree mstp bpdu
        1w1d17h : MSTP: Sending BPDU on Gi 1/31 :
        ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68
        CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 20000
        Regional Bridge Id: 32768:0001.e809.c24a, CIST Port Id: 128:384...
  • Page 661 Figure 29-16. Sample Output for command show running-configuration spanning-tree mstp

        FTOS#show run spanning-tree mstp
        protocol spanning-tree mstp
         name Tahiti
         revision 123
         MSTI 1 VLAN 100
         MSTI 2 VLAN 200,300

    Figure 29-17. Displaying BPDUs and Events - Debug Log of Successful MSTP Configuration

        FTOS#debug spanning-tree mstp bpdu
        MSTP debug bpdu is ON
        FTOS#...
  • Page 662 Multiple Spanning Tree Protocol...
  • Page 663: Multicast Features

    Multicast Features

    Multicast Features are supported on platforms: c e s

    Multicast is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

    This chapter contains the following sections:
    • Enable IP Multicast on page 663
    • Multicast with ECMP on page 664
    •...
  • Page 664: Multicast With Ecmp

    CONFIGURATION Multicast with ECMP Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal cost links. When creating the shared-tree, Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple, equal-cost paths, PIM selects the route with the least number of currently running multicast streams.
  • Page 665: Multicast Policies

    Implementation Information • Because protocol control traffic in FTOS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, FTOS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper five bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address.
  • Page 666 Limit the Number of Multicast Routes

    Task: Limit the total number of multicast routes on the system.
    Command Syntax: ip multicast-limit
    Command Mode: CONFIGURATION
    Range: 1-50000 Default: 15000

    When the limit is reached, FTOS does not process any IGMP or MLD joins to PIM—though it still processes leave messages—until the number of entries decreases below 95% of the limit.
  • Page 667 Prevent a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports. Create an extended access list containing the permissible source-group pairs. Use the command ip igmp access-group access-list-name from INTERFACE mode to apply the access list. Note: For rules in IGMP access lists, is the multicast source, not the source of the IGMP packet.
  • Page 668 Figure 30-2. Preventing a Host from Joining a Group Multicast Features...
  • Page 669 Rate Limit IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined using the command ip igmp group-join-limit from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP so that their membership is delayed rather than permanently denied.
  • Page 670 Figure 30-3. Preventing a Source from Transmitting to a Group

    Prevent a PIM Router from Processing a Join

    Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the ip pim join-filter command to prevent the PIM SM router from creating state based on multicast source and/or group.
  • Page 671 Using a Static Multicast MAC Address Using a Static Multicast MAC Address is supported on platform When a multicast source and multicast receivers are in the same VLAN, you can configure a router so that multicast traffic is switched only to the ports assigned to a VLAN that is associated with a static multicast MAC address.
  • Page 672 show To display the current configuration of Layer 2 multicast switching on a router, enter the mac-address-table static multicast vlan vlan-id vlan vlan-id command in EXEC multicast-mac-address mode. Static MAC addresses configured for Layer 2 multicast forwarding with an associated VLAN and assigned output ports are displayed as shown in Figure 30-4.
  • Page 673: Ipv6 Multicast Policies

    IPv6 Multicast Policies IPv6 Multicast Policies is available only on platform: • Limit the Number of IPv6 Multicast Routes on page 673 • Prevent an IPv6 Neighbor from Forming an Adjacency on page 673 • Prevent an IPv6 Source from Registering with the RP on page 674 •...
  • Page 674: Multicast Traceroute

    Prevent an IPv6 Source from Registering with the RP

    Task: Configured on the source DR, prevent the source DR from sending register packets to the RP for specific sources and groups.
    Command Syntax: ipv6 pim register-filter access-list
    Command Mode: CONFIGURATION

        FTOS(conf)#ipv6 pim register-filter REG-FIL_ACL
        FTOS(conf)#ipv6 access-list REG-FIL_ACL
        FTOS(conf-ipv6-acl)#deny ipv6 165:87:34::10/128 ff0e::225:1:2:0/112...
  • Page 675: Multicast Quality Of Service

    RPF neighbor. While computing the RPF neighbor, static mroutes and mBGP routes are preferred over unicast routes. When a Dell Force10 system is the last hop to the destination, FTOS sends a response to the query.
  • Page 676: Allocate More Buffer Memory For Multicast Wred

    • Allocate More Buffer Memory for Multicast WRED
    • Allocate More Bandwidth to Multicast using Egress WFQ

    Allocate More Buffer Memory for Multicast WRED

    Allocate more buffer memory to multicast WRED (Weighted Random Early Detection) for bursty multicast traffic that might temporarily become oversubscribed. For example, the WRED profile in Figure 41-14 on page 872 allocates multicast traffic a minimum of 40 megabytes (out of 80 megabytes) of buffer memory and up to 60 megabytes.
  • Page 677: Object Tracking

    Object Tracking

    IPv4/IPv6 Object Tracking is available on platforms: c e s

    This chapter covers the following information:
    • Object Tracking Overview
    • Object Tracking Configuration
    • Displaying Tracked Objects

    Object tracking allows FTOS client processes, such as VRRP, to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
  • Page 678: Tracking Layer 2 Interfaces

    You can create a tracked object to monitor the metric of the default route 0.0.0.0/0. After you configure the default route as a tracked object, you can configure the VRRP group to track the state of the route. In this way, the VRRP priority of the router with the better metric as determined by OSPF automatically becomes master of the VRRP group.
  • Page 679: Tracking Layer 3 Interfaces

    Tracking Layer 3 Interfaces You can create an object that tracks the Layer 3 state (IPv4 or IPv6 routing status) of an interface. • The Layer 3 status of an interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
  • Page 680: Setting Tracking Delays

    • If the scaled metric for a route is greater than or equal to the DOWN threshold or the route is not entered in the routing table, the state of a route is DOWN. The UP and DOWN thresholds are user-configurable for each tracked route. The default UP threshold is 254;...
  • Page 681: Object Tracking Configuration

    You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state. If a VRRP group router acts as owner-master, the run-time VRRP group priority remains fixed at 255 and changes in the state of a tracked object have no effect.
  • Page 682: Tracking A Layer 3 Interface

    To configure object tracking on the status of a Layer 2 interface, use the following commands. To remove object tracking on a Layer 2 interface, enter the no track object-id command. Step Task Command Syntax Command Mode track object-id interface interface Configure object tracking on the CONFIGURATION line-protocol...
  • Page 683 For an IPv4 interface, a routing object only tracks the UP/DOWN status of the specified IPv4 interface (track interface ip-routing command). • The status of an IPv4 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
  • Page 684: Tracking An Ipv4/Ipv6 Route

    Figure 31-4. Command Example: track interface ipv6 routing

        FTOS(conf)#track 103 interface gigabitethernet 7/11 ipv6 routing
        FTOS(conf-track-103)#description Austin access point
        FTOS(conf-track-103)#end
        FTOS#show track 103
        Track 103
        Interface GigabitEthernet 7/11 ipv6 routing
        Description: Austin access point
        IPv6 routing is Down (shutdown)
        2 changes, last change 00:03:25
        Tracked by:

    Tracking an IPv4/IPv6 Route

    You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route.
  • Page 685 The tracking process uses a protocol-specific resolution value to convert the actual metric in the routing table to a scaled metric in the range 0 to 255. The resolution value is user-configurable and calculates the scaled metric by dividing a route's cost by the resolution value set for the route type: •...
  • Page 686 Figure 31-5. Command Example: track ip route reachability

        FTOS(conf)#track 104 ip route 10.0.0.0/8 reachability
        FTOS(conf-track-104)#delay up 20 down 10
        FTOS(conf-track-104)#end
        FTOS#show track 104
        Track 104
        IP route 10.0.0.0/8 reachability
        Reachability is Down (route not in route table)
        2 changes, last change 00:02:49
        Tracked by:
        FTOS#configure
        FTOS(conf)#track 4 ip route 3.1.1.0/24 reachability vrf vrf1...
  • Page 687

    Task: (Optional) Configure the time delay used before communicating a change in the UP and/or DOWN status of a tracked route.
    Command Syntax: delay {[ up seconds ] [ down seconds ]}
    Command Mode: OBJECT TRACKING
    Valid delay times are from 0 to 180 seconds. Default:
  • Page 688: Displaying Tracked Objects

    Displaying Tracked Objects You can display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 show and IPv6 routes, by entering the following commands: [ brief ] | interface [ brief ] [ vrf ] | ip route [ brief ] [ vrf ] | resolution | show track...
  • Page 689 Figure 31-11. Command Example: show track resolution

        FTOS#show track resolution
        IP Route Resolution
        ISIS
        OSPF
        IPv6 Route Resolution
        ISIS
        OSPF

    Figure 31-12. Command Example: show track vrf

        FTOS#show track vrf red
        Track 5
        IP route 192.168.0.0/24 reachability, Vrf: red
        Reachability is Up (CONNECTED)
        3 changes, last change 00:02:39
        First-hop interface is GigabitEthernet 13/4
        Tracked by:...
  • Page 690 Object Tracking...
  • Page 691: Open Shortest Path First (Ospfv2 And Ospfv3)

    Open Shortest Path First (OSPFv2 and OSPFv3) c e s Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0; OSPF for IPv6 is supported on E-Series ExaScale with FTOS version 8.2.1.0 and later.
  • Page 692: Autonomous System (As) Areas

    Protocol Overview Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
  • Page 693: Area Types

    Figure 32-1. Autonomous System Areas (diagram: Routers A through M in Area 0, Area 100, Area 200 and Area 300)

    Area Types

    The Backbone of the network is Area 0.
  • Page 694: Networks And Neighbors

    A Stub Area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. Note that all routers within an assigned Stub area must be configured as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs.
  • Page 695 Figure 32-2. OSPF Routing Examples...
  • Page 696: Designated And Backup Designated Routers

    Area Border Router (ABR) Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
  • Page 697: Link-State Advertisements (Lsas)

    Link-State Advertisements (LSAs) A Link-State Advertisement (LSA) communicates the router's local routing topology to all other local routers in the same area. • OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms.
  • Page 698: Virtual Links

    For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the Link-State ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object this link connects to.
  • Page 699: Implementing Ospf With Ftos

    Figure 32-3. Priority and Costs Example

    • Router 1: Priority 200, Cost 21
    • Router 2: Priority 180, Cost 50
    • Router 3: Priority 100, Cost 25
    • Router 4: Priority 150, Cost 20

    Router 1 selected by the system as DR. Router 2 selected by the system as BDR. If R1 fails, the system subtracts 21 from R1's priority number.
  • Page 700: Graceful Restart

    LSAs, thereby notifying its neighbors that the restart is complete. This should happen before the grace period expires. Dell Force10 routers support the following OSPF graceful restart functionality: • Restarting role in which a router is enabled to perform its own graceful restart.
  • Page 701: Fast Convergence (Ospfv2, Ipv4 Only)

    period. You reconfigure OSPFv3 graceful restart to a “restarting-only” role when you enable the helper-reject role on an interface. OSPFv3 supports the helper-reject role on a per-interface basis. Configuring helper-reject role on an OSPFv2 router or OSPFv3 interface enables the restarting-only role globally on the router or locally on the interface.
  • Page 702: Processing Snmp And Sending Snmp Traps

    Each OSPFv2 process has a unique process ID and must have an associated Router ID. An equal number of interfaces must be in Layer-3 mode for the number of processes created. For example, if 5 OSPFv2 processes are created on a system, there must be at least 5 interfaces assigned in Layer-3 mode. Each OSPFv2 process is independent.
  • Page 703: Ospf Ack Packing

    Figure 32-4. Enabling RFC-2328 Compliant OSPF Flooding 00:10:41 : OSPF(1000:00): Printed only for ACK packets Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c 00:10:41 : OSPF(1000:00): Rcv.
  • Page 704: Configuration Requirements

    To ensure equal intervals between the routers, manually set the dead interval of the Dell Force10 router to match the Cisco configuration. Use the command “ip ospf dead-interval <x>” in interface mode: Figure 32-6. Command Example: ip ospf intervals FTOS(conf)#int gi 2/2...
  • Page 705: Enable Ospfv2

    2. Enable OSPF globally. Assign network area and neighbors. 3. Add interfaces or configure other attributes. The following configuration steps include two mandatory steps and several optional ones: • Enable OSPFv2 (mandatory) • Enable Multi-Process OSPF • Assign an OSPFv2 area (mandatory) •...
  • Page 706 % Error: No router ID available. In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting.
  • Page 707: Enable Multi-Process Ospf

    Enable Multi-Process OSPF Multi-Process OSPF allows multiple OSPFv2 processes on a single router. The following list shows the number of processes supported on each platform type. • The E-Series supports up to 30 OSPFv2 processes. • The C-Series supports up to 6 OSPFv2 processes. •...
  • Page 708: Assign An Ospfv2 Area

    In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting. Command Syntax Command Mode...
  • Page 709: Enable Ospfv2 On Interfaces

    Enable OSPFv2 on interfaces Each interface must have OSPFv2 enabled on it. It must be configured for Layer 3 protocol, and not be shut down. OSPFv2 can also be assigned to a loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, Authentication Wait Time, etc., are assigned on a per-interface basis.
  • Page 710 Figure 32-10. Command Example: show ip ospf process-id interface FTOS>show ip ospf 1 interface GigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5...
  • Page 711: Configure Stub Areas

    Configure stub areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the Area Border Router (ABR) advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
  • Page 712: Configure Ospf Stub-Router Advertisement

    Configure OSPF Stub-Router Advertisement Configure OSPF Stub-Router Advertisement is supported on platforms: When you bring a new router onto an OSPF network, you can configure the router to function as a stub area by globally reconfiguring the OSPF link cost so that other routers do not use a path that forwards traffic destined to other networks through the new router for a specified time until the router’s switching and routing functions are up and running, and the routing tables in network routers have converged.
  • Page 713: Enable Passive Interfaces

    Enable passive interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface will neither send nor receive routing updates, the network on that interface will still be included in OSPF updates sent via other interfaces.
  • Page 714: Enable Fast-Convergence

    Note: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Higher convergence levels should only be selected following consultation with Dell Force10 technical support. Open Shortest Path First (OSPFv2 and OSPFv3)
  • Page 715: Change Ospfv2 Parameters On Interfaces

    Figure 32-14 shows the convergence settings when fast-convergence is enabled and Figure 32-15 shows settings when fast-convergence is disabled. These displays appear with the show ip ospf command. Figure 32-14. Command Example: show ip ospf process-id (fast-convergence enabled) FTOS(conf-router_ospf-1)#fast-converge 2 FTOS(conf-router_ospf-1)#ex FTOS(conf)#ex FTOS#show ip ospf 1...
  • Page 716 Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces: Command Syntax Command Mode Usage ip ospf cost CONFIG-INTERFACE Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed).
  • Page 717: Enable Ospfv2 Authentication

    Refer to Graceful Restart on page 700 for feature details. The Dell Force10 implementation of OSPFv2 graceful restart enables you to specify: • grace period—the length of time the graceful restart process can last before OSPF terminates it.
  • Page 718 • helper-reject neighbors—the router ID of each restart router that does not receive assistance from the configured router. • mode—the situation or situations that trigger a graceful restart. • role—the role or roles the configured router can perform. Note: By default, OSPFv2 graceful restart is disabled.
  • Page 719: Configure Virtual Links

    Figure 32-17. Command Example: show run ospf FTOS#show run ospf router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.0/24 area 0 FTOS# Use the following command to disable OSPFv2 graceful-restart after you have enabled it. Command Syntax Command Mode Usage...
  • Page 720: Filter Routes

    Use the following command in CONFIGURATION ROUTER OSPF mode to configure virtual links. Command Syntax Command Mode Usage area virtual-link CONFIG-ROUTER- Configure the optional parameters of a hello-interval area-id router-id OSPF-id virtual link: seconds | retransmit-interval seconds | transmit-delay seconds | dead-interval seconds | authentication-key •...
  • Page 721: Redistribute Routes

    Command Syntax Command Mode Usage seq sequence-number {deny |permit} ip-prefix CONFIG- PREFIX Create a prefix list with a sequence LIST [ge min-prefix-length] [le max-prefix-length] number and a deny or permit action. The optional parameters are: ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
  • Page 722: Troubleshooting Ospfv2

    To view the current OSPF configuration, use the show running-config ospf command in the EXEC mode or the show config command in the ROUTER OSPF mode. Figure 32-19. Command Example: show config FTOS(conf-router_ospf)#show config router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.3 distribute-list dilling in FTOS(conf-router_ospf)#...
  • Page 723 Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes. Command Syntax Command Mode Usage show running-config ospf EXEC Privilege View the summary of all OSPF process IDs enabled on the router. Figure 32-20. Command Example: show running-config ospf FTOS#show run ospf router ospf 3 router ospf 4...
  • Page 724 Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process: Command Syntax Command Mode Usage debug ip ospf process-id EXEC Privilege View debug messages. [ event | packet | spf ] To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id.
  • Page 725: Sample Configurations For Ospfv2

    Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP Addresses, Interfaces, Names, etc.
  • Page 726: Configuration Task List For Ospfv3 (Ospf For Ipv6)

    Configuration Task List for OSPFv3 (OSPF for IPv6) Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands. Process IDs and areas need to be specified. Interfaces and addresses need to be included in the process.
  • Page 727: Enable Ipv6 Unicast Routing

    Enable IPv6 Unicast Routing Command Syntax Command Mode Usage ipv6 unicast routing CONFIGURATION Enables IPv6 unicast routing globally. Assign IPv6 addresses on an interface Command Syntax Command Mode Usage ipv6 address ipv6 address CONF-INT-type slot/port Assign IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon...
  • Page 728: Assign Ospfv3 Process Id And Router Id Globally

    Assign OSPFv3 Process ID and Router ID Globally Command Syntax Command Mode Usage ipv6 router ospf {process ID} CONFIGURATION Enable the OSPFv3 process globally and enter OSPFv3 mode. Range: 0-65535 router-id {number} CONF-IPV6-ROUTER-OSPF Assign the Router ID for this OSPFv3 process number: IPv4 address Format: A.B.C.D...
  • Page 729: Configure Passive-Interface

    Configure Passive-Interface Use the following command to suppress the interface’s participation on an OSPFv3 interface. This command stops the router from sending updates on that interface. Command Syntax Command Mode Usage passive-interface {type slot/port} CONF-IPV6-ROUTER-OSPF Specify whether some or all of the interfaces will be passive.
  • Page 730: Configure A Default Route

    Redistribute routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process. Command Syntax Command Mode Usage redistribute { bgp | connected | CONF-IPV6-ROUTER-OSPF Specify which routes will be redistributed static } [ metric...
  • Page 731: Enable Ospfv3 Graceful Restart

    Enable OSPFv3 graceful restart Graceful Restart for OSPFv3 is supported only on platform t . Refer to Graceful Restart on page 700 for more information on the feature. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
  • Page 732 To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands: Command Syntax Command Mode Usage show run ospf EXEC Privilege Display the graceful-restart configuration for OSPFv2 and (Figure 32-23) OSPFv3 show ipv6 ospf database EXEC Privilege Display the Type-11 Grace LSAs sent and received on an grace-lsa...
  • Page 733 Figure 32-24. Command Example: show ipv6 ospf database database-summary FTOS#show ipv6 ospf database database-summary OSPFv3 Router with ID (200.1.1.1) (Process ID 1) Process 1 database summary Type Count/Status Oper Status Admin Status Area Bdr Rtr Status AS Bdr Rtr Status AS Scope LSA Count AS Scope LSA Cksum sum Originate New LSAS...
  • Page 734: Ospfv3 Authentication Using Ipsec

    OSPFv3 Authentication Using IPsec OSPFv3 Authentication Using IPsec is supported only on platform: Starting in release 8.4.2.0, OSPFv3 uses IP Security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers.
  • Page 735 OSPFv3 Authentication using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552, including: • To use IPsec, you configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets.
  • Page 736 • Configuring IPsec Authentication for an OSPFv3 Area • Configuring IPsec Encryption for an OSPFv3 Area • Displaying OSPFv3 IPsec Security Policies Configuring IPsec Authentication on an Interface Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for IPv6) on page...
  • Page 737 Configuring IPsec Encryption on an Interface Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for IPv6) on page 726).
  • Page 738 To remove an IPsec encryption policy from an interface, enter the no ipv6 ospf encryption ipsec spi number command. To remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area, enter the no ipv6 ospf encryption null command.
  • Page 739 To display the configuration of IPsec authentication policies on the router, enter the show crypto ipsec policy command. Configuring IPsec Encryption for an OSPFv3 Area Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6) on page 726).
  • Page 740 Note that when you configure encryption with the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area with the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you...
  • Page 741 Figure 32-26. Command Example: show crypto ipsec policy (callout: In this encryption policy, the keys are not encrypted.) FTOS#show crypto ipsec policy Crypto IPSec client security policy data Policy name : OSPFv3-1-502 Policy refcount Inbound ESP SPI : 502 (0x1F6) Outbound ESP SPI : 502 (0x1F6) Inbound ESP Auth Key...
  • Page 742 To display the IPsec security associations (SAs) used on OSPFv3 interfaces, enter the following command: Command Syntax Command Mode Usage show crypto ipsec sa ipv6 EXEC Privilege Displays security associations set up for OSPFv3 links in IPsec [ interface interface ] authentication and encryption policies on the router.
  • Page 743 Figure 32-27. Command Example: show crypto ipsec sa ipv6 FTOS#show crypto ipsec sa ipv6 Interface: TenGigabitEthernet 0/0 Link Local address: fe80::201:e8ff:fe40:4d10 IPSecv6 policy name: OSPFv3-1-500 inbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound ah sas...
  • Page 744: Troubleshooting Ospfv3

    Troubleshooting OSPFv3 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt the OSPFv3 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks. •...
  • Page 745 Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv3 process: Command Syntax Command Mode Usage debug ipv6 ospf [ event | EXEC Privilege View debug messages for all OSPFv3 interfaces. packet ] {type slot/port} event : View OSPF event messages.
  • Page 746 Open Shortest Path First (OSPFv2 and OSPFv3)
  • Page 747: Pim Dense-Mode

    PIM Dense-Mode PIM Dense-Mode is supported on platforms: c e s PIM-Dense Mode (PIM-DM) is a multicast protocol that directs routers to forward multicast traffic to all subnets until the router receives a request to stop; this behavior is the opposite of PIM-Sparse Mode, which does not forward multicast traffic to a subnet until the traffic is specifically requested using a PIM Join message.
  • Page 748: Refusing Multicast Traffic

    Figure 33-1. Multicast Flooding in a PIM-DM Network Source Group Address: 239.192.0.1 Hello Adjacency Receiver PIM-DM 001 Refusing Multicast Traffic If a PIM-DM router has no receivers for a group, it refuses multicast traffic by sending a PIM Prune message to address 224.0.0.13 out of the source interface. The upstream neighbor receives the prune message and determines if it has any remaining neighbors downstream.
  • Page 749: Requesting Multicast Traffic

    When a router receives a prune message, it flags the relevant (S,G) entry and sets a timer. If the timer expires, it begins flooding traffic out of the interface, and downstream routers must again evaluate whether to prune themselves from the tree. To prevent the timer from expiring, while the source is sending traffic for the (S,G), the first-hop router periodically sends (S,G) state-refresh messages down the entire SPT.
  • Page 750: Configure Pim-Dm

    Configure PIM-DM Configuring PIM-DM is a two-step process: 1. Enable multicast routing using the ip multicast-routing command from CONFIGURATION mode. 2. Enable PIM-DM on an interface. See page 750. Related Configuration Tasks • Clear the PIM TIB using the clear ip pim tib command from EXEC Privilege mode.
  • Page 751: Show Ip Pim Interface

    Figure 33-4. Enabling PIM-DM R2_E300(conf-if-range-gi-2/0,gi-2/21,gi-2/23)#show config interface GigabitEthernet 2/0 ip address 2.1.6.1/24 ip pim dense-mode no shutdown interface GigabitEthernet 2/21 ip address 2.1.1.2/24 ip pim dense-mode no shutdown R1_E600(conf-if-range-gi-1/0,gi-1/12,gi-1/13)#show config interface GigabitEthernet 2/23 ip address 2.1.3.1/24 interface GigabitEthernet 1/0 ip pim dense-mode description Connection to Ixia no shutdown ip address 2.1.0.1/24...
  • Page 752 Figure 33-6. Viewing PIM Neighbors Command Example R1_E600(conf)#do show ip pim neighbor Neighbor Interface Uptime/Expires DR Prio/Mode GR Address 2.1.1.2 Gi 1/12 01:43:51/00:01:35 2.1.2.2 Gi 1/13 02:00:46/00:01:41 R1_E600(conf)# Display the PIM routing table using the show ip pim tib command from EXEC privilege mode, as shown in Figure 33-7.
  • Page 753 Figure 33-7. Viewing the PIM Multicast Routing Table ------------------------------------- Router 1 ---------------------------------------------- R1_E600(conf)#do show ip pim tib PIM Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, M - MSDP created entry, A - Candidate for MSDP Advertisement K - Ack-Pending State Timers: Uptime/Expires...
  • Page 754 PIM Dense-Mode...
  • Page 755: Pim Sparse-Mode

    Implementation Information • The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05. • C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries.
  • Page 756: Protocol Overview

    Protocol Overview To distribute the same traffic to multiple receivers, PIM-SM creates a tree extending from a root, called the Rendezvous Point (RP), down branches that extend to the nodes which have requested the traffic. Nodes requesting the same traffic belong to the same multicast group. Initially, a single PIM-SM tree called a shared tree is used to distribute traffic.
  • Page 757: Sending Multicast Traffic

    Sending Multicast Traffic With PIM-SM, all multicast traffic must initially originate from the RP. A source must unicast traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source.
  • Page 758: Enable Pim-Sm

    3. Enable PIM-SM on an interface. See page 758. Related Configuration Tasks • Configurable S,G Expiry Timers on page 759 • Configure a Static Rendezvous Point on page 760 • Elect an RP using the BSR Mechanism on page 762 •...
  • Page 759: Configurable S,G Expiry Timers

    Figure 34-2. Viewing PIM Neighbors Command Example FTOS#show ip pim neighbor Neighbor Interface Uptime/Expires Address Prio/Mode 127.87.5.5 Gi 4/11 01:44:59/00:01:16 127.87.3.5 Gi 4/12 01:45:00/00:01:16 / DR 127.87.50.5 Gi 7/13 00:03:08/00:01:37 FTOS# Display the PIM routing table using the show ip | ipv6 pim tib command from EXEC privilege mode, as shown in Figure...
  • Page 760: Configure A Static Rendezvous Point

    Configure the expiry time for a particular (S,G) entry: Step Task Command Syntax Command Mode ip access-list extended access-list-name Create an Extended ACL CONFIGURATION [ seq sequence-number] permit ip Specify the source and group CONFIG-EXT-NACL | any | host to which the timer will be source-address/mask applied using extended ACLs source-address} {destination-address/mask |...
  • Page 761: Override Bootstrap Router Updates

    Figure 34-5. Electing a Rendezvous Point FTOS#sh run int loop0 interface Loopback 0 ip address 1.1.1.1/32 ip pim sparse-mode no shutdown FTOS#sh run pim ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Override Bootstrap Router Updates PIM-SM routers need to know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration.
  • Page 762: Elect An Rp Using The Bsr Mechanism

    IP Version Task Command Syntax Command Mode IPv6 Override bootstrap router RP election results ipv6 pim rp-address CONFIGURATION with your static RP configuration. IPv6 Display the assigned RP for a group. show ipv6 pim rp EXEC Privilege IPv6 Display the assigned RP for a group range show ipv6 pim rp mapping EXEC Privilege (group-to-RP mapping).
  • Page 763: Configure A Designated Router

    Configure a Designated Router Multiple PIM-SM routers might be connected to a single LAN segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the Designated Router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface.
  • Page 764: Set A Threshold For Switching To The Spt

    IP Version Task Command Syntax Command Mode IPv6 Filter inbound and outbound Bootstrap Router ipv6 pim bsr-border INTERFACE messages per interface. Remove candidate RP advertisements. clear ip pim rp-mapping EXEC PRIVILEGE Set a Threshold for Switching to the SPT Set a Threshold for Switching to the SPT is available only on platform: Initially, a single PIM-SM tree called a shared tree is used to distribute traffic.
  • Page 765: First Packet Forwarding For Lossless Multicast

    The default value is 60 seconds. In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Force10 system allows itself to be taken off the forwarding path if it restarts. ip pim graceful-restart helper-only
  • Page 766: Monitoring Pim

    To prevent these delivery errors you must statically map the potential incoming interfaces for the (*,G) entries via the CLI. When you create this mapping, (*,G) entries are programmed in hardware. Packets are then fast forwarded starting with the first packet, and the potential for these delivery errors is avoided. Step Task Command Syntax...
  • Page 767: Pim-Sm Snooping

    • It is recommended that you do not enable IGMP snooping on a PIM-SM snooping-enabled VLAN interface unless it is necessary for VLAN operation. Table 34-1. Egress Ports Used for Multicast Traffic with PIM-SM and IGMP Snooping Multicast Traffic PIM-SM and IGMP Snooping Configuration Egress Ports PIM-SM snooped VLANs...
  • Page 768: Feature Overview

    Feature Overview PIM-SM snooping functions in a Layer 2 network in which multiple routers are interconnected by a switch, such as an IXP where Internet service providers (ISPs) exchange Internet traffic between their networks. By default, the switch floods multicast traffic to all VLAN member ports, regardless of whether there are multicast receivers downstream that are joined to a multicast group.
  • Page 769: Configuration Notes And Restrictions

    • In the downstream PIM TIB, states and timers are maintained for each VLAN and member port. The downstream outgoing-interface timers for each valid (*,G) and (S,G) entry are started for each VLAN/ port and upstream neighbor combination: (port,*,G,neighbor) or (port,S,G,neighbor), where port is a downstream port and neighbor is the upstream neighbor.
  • Page 770: Pim-Sm Snooping Example

    PIM-SM Snooping Example Figure 34-8 shows an example with PIM-SM snooping enabled. When Router A sends a join message to Router B, the switches forward the join message only to Router B without flooding the message to other connected routers, such as Routers C and D. Figure 34-8.
  • Page 771 Similarly, in Figure 34-8, when PIM-SM snooping is enabled and multicast data is sent to VLAN members of group G, the switches forward the data traffic from the server attached to Router B only to the router (Router A) in the multicast group that should receive it. Without PIM-SM snooping, the switches would flood the data to all connected routers, including Routers C and D.
  • Page 772: Pim-Sm Snooping Configuration

    PIM-SM Snooping Configuration You can enable PIM-SM snooping globally on a switch or on individual VLANs. PIM-SM snooping is not enabled by default and does not require an IP address, PIM-DM, or PIM-SM. PIM-SM snooping and PIM multicast routing are mutually exclusive: PIM-SM snooping cannot be enabled on a switch/router if PIM-SM or PIM-DM is enabled.
  • Page 773 Verify PIM-SM Snooping To display information about PIM-SM snooping operation, enter one of the following show commands: Task Command Command Mode show ip pim snooping neighbor [vlan Display information about PIM neighbors EXEC Privilege vlan-id] discovered by PIM-SM snooping. Figure 34-10 show ip pim snooping tib [vlan vlan-id] Display information about PIM group members EXEC Privilege...
  • Page 774 Figure 34-11. PIM-SM snooping: show ip pim snooping tib FTOS#show ip pim snooping tib PIM Multicast Snooping Table Flags: J/P - (*,G) Join/Prune, j/p - (S,G) Join/Prune SGR-P - (S,G,R) Prune Timers: Uptime/Expires * : Inherited port (*, 225.1.2.1), uptime 00:00:01, expires 00:02:59, RP 165.87.70.1, flags: J Incoming interface: Vlan 2, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 4/11...
  • Page 775 Figure 34-13. PIM-SM snooping: show ip pim summary FTOS#show ip pim summary PIM TIB version 495 Uptime 22:44:52 Entries in PIM-TIB/MFC : 2/2 Active Modes : PIM-SNOOPING Interface summary: 1 active PIM interface 0 passive PIM interfaces 3 active PIM neighbors TIB summary: 1/1 (*,G) entries in PIM-TIB/MFC 1/1 (S,G) entries in PIM-TIB/MFC...
  • Page 776 Figure 34-14. PIM-SM snooping: show ip mroute snooping FTOS#show ip mroute snooping IPv4 Multicast Snooping Table (*, 224.0.0.0), uptime 17:46:23 Incoming vlan: Vlan 2 Outgoing interface list: GigabitEthernet 4/13 (*, 225.1.2.1), uptime 00:04:16 Incoming vlan: Vlan 2 Outgoing interface list: GigabitEthernet 4/11 GigabitEthernet 4/13 (165.87.1.7, 225.1.2.1), uptime 00:03:17...
  • Page 777: Pim Source-Specific Mode

    SPT. PIM-SSM uses IGMPv3. Since receivers subscribe to a source and group, the RP and shared tree are unnecessary, so only SPTs are used. On Dell Force10 systems, it is possible to use PIM-SM with IGMPv3 to achieve the same result, but PIM-SSM eliminates the unnecessary protocol overhead.
  • Page 778 Figure 35-1. PIM-SM with IGMPv2 versus PIM-SM with IGMPv3 PIM Source-Specific Mode...
  • Page 779: Configure Pim-Sm

    Implementation Information • The Dell Force10 implementation of PIM-SSM is based on RFC 3569. • C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries. There is no limit on the number of PIM neighbors C-Series can have.
  • Page 780: Enable Pim-Ssm

    Enable PIM-SSM To enable PIM-SSM: Step Task Command Syntax Command Mode ip | ipv6 access-list standard name CONFIGURATION Create an ACL that uses permit rules to specify what range of addresses should use SSM. You must at least include one rule, permit 232.0.0.0/8, which is the default range for...
  • Page 781 • When an extended ACL is associated with this command, FTOS displays an error message. If you apply an extended ACL before you create it, FTOS accepts the configuration, but when the ACL is later defined, FTOS ignores the ACL and the stated mapping has no effect. Display the source to which a group is mapped using the command show ip igmp ssm-map ], as...
  • Page 782 Figure 35-3. Using PIM-SM with IGMPv2 versus PIM-SSM with IGMPv2 PIM Source-Specific Mode...
  • Page 783 Figure 35-4. Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ip access-list standard map seq 5 permit host 239.0.0.2 ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2...
  • Page 784 PIM Source-Specific Mode...
  • Page 785: Power Over Ethernet

    Power over Ethernet Power over Ethernet (PoE) is supported only on platforms: This chapter contains the following major sections: • Configuring Power over Ethernet on page 786 • Power Additional PoE Ports on the S-Series on page 794 • Deploying VOIP on page 795 FTOS supports Power over Ethernet (PoE), as described by IEEE 802.3af.
  • Page 786: Configuring Power Over Ethernet

    Note: The S25V and S50V models contain AC power supplies in order to support PoE. You can also add the external Dell Force10 470W Redundant Power Supply to power more PoE devices. For details, see Power Additional PoE Ports on the S-Series on page 794...
  • Page 787: Enabling Poe On A Port

    Related Configuration Tasks • Manage Ports using Power Priority and the Power Budget on page 789 • Monitor the Power Budget on page 792 • Manage Power Priorities on page 792 • Recover from a Failed Power Supply on page 793 •...
  • Page 788 View the amount of power that a port is consuming using the show power inline command from EXEC privilege mode. Figure 36-2. PoE Allocation Displayed with show power inline Command FTOS(conf-if-range-gi-0/1-48)#do show power inline Interface Admin Inline Power Inline Power Class User Allocated...
  • Page 789: Manage Ports Using Power Priority And The Power Budget

    Port Number Unit (S-Series only) The stack member unit ID. Catalog Name (C-Series only) Displays the component’s Dell Force10 catalog number. Slot ID (C-Series only) Displays the slot number in which the line card or RPM is installed. Total Power Available The total power available in the stack member or chassis.
  • Page 790 The PD then boots using this allocated power. After bootup, if the PD is LLDP-MED capable, it might send in Extended Power via MDI TLV to the system. In this case, the Dell Force10 switch revises the power allocation to the value that the PD requests via LLDP-MED. The advertised Power Requirement from the PD could be less than or greater than the currently allocated value.
  • Page 791: Determine The Affect Of A Port On The Power Budget

    Determine the Affect of a Port on the Power Budget The PoE power budget is affected differently depending on how PoE is enabled and whether a device is connected: 1. When you configure a port with power inline auto without the max_milliwatts power limit option, power is only allocated after you connect a device to the port.
  • Page 792: Monitor The Power Budget

    Monitor the Power Budget The power budget is the amount of power available from the installed PSUs minus the power required to operate the chassis. Use the show power inline (Figure 36-2 on page 788) and show power detail (Figure 36-3 on page 788) commands to help you determine if power is available for additional PoE ports (1478.40 Watts are supplied per C-Series PSU;...
  • Page 793: Recover From A Failed Power Supply

    [ no ] power inline priority critical high You can augment the default prioritization using the command critical }, where is the highest priority, and is the lowest. FTOS ignores any LLDP-MED priority on this port if you configure a priority with this command. If you do not configure a port priority with this command, FTOS honors any LLDP-MED priority.
  • Page 794: Power Additional Poe Ports On The S-Series

    By default, 320 Watts is available for PoE on the S50V and S25V models of the S-Series. You have the option of enabling more power by connecting the external Dell Force10 DC 470W Redundant Power Supply to the Current Sharing terminal of the S50V and S25V. This power supply is in backup mode by...
  • Page 795: Deploying Voip

    Deploying VOIP VoIP phones on the market today follow the same basic boot and operations process: 1. Wait for an LLDP from the Ethernet switch. 2. Obtain an IP address from a DHCP server. 3. Send an LLDP-MED frame to the switch. 4.
  • Page 796: Configure Lldp-Med For An Office Voip Deployment

    Figure 36-8. Creating VLANs for an Office VOIP Deployment FTOS#show running-config interface configured interface GigabitEthernet 6/0 no ip address no shutdown interface GigabitEthernet 6/10 no ip address portmode hybrid switchport! power inline auto no shutdown interface Vlan 100 description "Data VLAN" no ip address untagged GigabitEthernet 6/10-11,22-23,46-47 shutdown...
  • Page 797: Configure Quality Of Service For An Office Voip Deployment

    Configure Quality of Service for an Office VOIP Deployment There are multiple ways you can use QoS to map ingress phone and PC traffic so that you can give them each a different quality of service. See Chapter 41, Quality of Service.
  • Page 798 Classifying VOIP traffic and applying QoS policies Avoid congestion and give precedence to voice and signaling traffic by classifying traffic based on subnet and using strict priority and bandwidth weights on egress, as outlined in the steps below. Figure 36-12 depicts the topology and shows the configuration for a C-Series.
  • Page 799 Figure 36-13. Classifying VOIP Traffic and Applying QoS Policies for an Office VOIP Deployment FTOS#sh run acl ip access-list extended pc-subnet seq 5 permit ip 201.1.1.0/24 any ip access-list extended phone-signalling seq 5 permit ip 192.1.1.0/24 host 192.1.1.1 ip access-list extended phone-subnet seq 5 permit ip 192.1.1.0/24 any FTOS#sh run class-map class-map match-any pc-subnet...
  • Page 800 Power over Ethernet...
  • Page 801: Policy-Based Routing

    Policy-based Routing Policy-based Routing is supported on platforms: c e s PBR is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. PBR is supported on the E-Series TeraScale, C-Series, and S-Series platforms in FTOS 8.4.2.0 and later. This chapter covers the following topics: •...
  • Page 802 Figure 37-1. PBR Example (figure labels: Finance, Engineering, Marketing, Sales, Operations, Customer Support, Internet). With 3 separate internet connections from the Edge Routers, bandwidth can be allotted to meet each department's needs. As an example, a policy can be applied to route traffic from the Customer Support LAN subnets over the 45 Mbps pipe,
  • Page 803: Implementing Policy-Based Routing With Ftos

    2. If the specified next-hops are not reachable, then the normal routing table is used to forward the traffic. 3. FTOS supports multiple next-hop entries in the redirect lists. 4. Redirect-Lists are applied at Ingress. Implementing Policy-based Routing with FTOS Non-contiguous bitmasks for PBR Non-contiguous bitmasks for PBR allows more granular and flexible control over routing policies.
  • Page 804: Configuration Task List For Policy-Based Routing

    Configuration Task List for Policy-based Routing To enable the PBR: Create a Redirect List Create a Rule for a Redirect-list Apply a Redirect-list to an Interface using a Redirect-group Create a Redirect List Use the following command in CONFIGURATION mode: Command Syntax Command Mode Purpose...
  • Page 805: Create A Rule For A Redirect-List

    Create a Rule for a Redirect-list Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the nn redirect version of the command to organize your rules Command Command Syntax...
  • Page 806 Figure 37-4. Creating a Rule Example FTOS(conf-redirect-list)#redirect ? A.B.C.D Forwarding router's address IP address of sonet SONET interface forwarding router FTOS(conf-redirect-list)#redirect 3.3.3.3 ? <0-255> An IP protocol number icmp Internet Control Message Protocol IP protocol number Any Internet Protocol Transmission Control Protocol User Datagram Protocol Source address and FTOS(conf-redirect-list)#redirect 3.3.3.3 ip ?
  • Page 807 PBR Exceptions (Permit) permit Use the command to create an exception to a redirect list. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. FTOS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries.
  • Page 808: Apply A Redirect-List To An Interface Using A Redirect-Group

    Apply a Redirect-list to an Interface using a Redirect-group IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces. Note: When you apply a redirect-list on a port-channel on the E-Series, when traffic is redirected to the next hop and the destination port-channel is shut down, the traffic is dropped.
  • Page 809: Show Redirect List Configuration

    Show Redirect List Configuration To view the configuration redirect list configuration, use the following command in EXEC mode: Command Syntax Command Mode Purpose show ip redirect-list EXEC View the redirect list configuration and the associated interfaces. redirect-list-name show cam pbr EXEC View the redirect list entries programmed in the CAM.
  • Page 810: Sample Configuration

    Figure 37-12. Showing CAM PBR Configuration Example FTOS(conf-if-gi-8/1)#do show cam pbr l 8 p0 TCP Flag: Bit 5 - URG, Bit 4 - ACK, Bit 3 - PSH, Bit 2 - RST, Bit 1 - SYN, Bit 0 - FIN Port VlanID Proto Tcp SrcIp DstIp...
  • Page 811 Figure 37-13. PBR Sample Illustration Customer Support 192.168.1.0 /24 192.168.2.0 /24 EDGE_ROUTER Internet Policy-based Routing | 811...
  • Page 812 Figure 37-14. PBR Sample Configuration Create the Redirect-List GOLD. EDGE_ROUTER(conf-if-gi-3/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#$direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#$redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#sho config ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD.
  • Page 813: Port Monitoring

    Port Monitoring Port Monitoring is supported on platforms: c e s Port Monitoring is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Port Monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port.
  • Page 814: Port Monitoring On E-Series

    • A source port (MD) can only be monitored by one destination port (MG). The following error is displayed if you try to assign a monitored port to more than one monitoring port. FTOS(conf)#mon ses 1 FTOS(conf-mon-sess-1)#$gig 0/0 destination gig 0/60 direction both FTOS(conf-mon-sess-1)#do show mon ses SessionID Source...
  • Page 815: E-Series Terascale

    E-Series TeraScale The E-Series TeraScale system supports 1 monitoring session per port-pipe. E-Series TeraScale supports a maximum of 28 port pipes. On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3).
  • Page 816: Port Monitoring On C-Series And S-Series

    Port Monitoring on C-Series and S-Series The C-Series and S-Series support multiple source-destination statements in a monitor session, but there may only be one destination port in a monitoring session (Message 4). Message 4 One Destination Port in a Monitoring Session Error Message on C-Series and S-Series % Error: Only one MG port is allowed in a session.
  • Page 817 Figure 38-3. Number of Monitoring Ports on the C-Series and S-Series FTOS(conf)#mon ses 300 FTOS(conf-mon-sess-300)#source gig 0/17 destination gig 0/4 direction tx % Error: Exceeding max MG ports for this MD port pipe. FTOS(conf-mon-sess-300)# FTOS(conf-mon-sess-300)#source gig 0/17 destination gig 0/1 direction tx FTOS(conf-mon-sess-300)#do show mon session SessionID Source...
  • Page 818 Figure 38-5. Port Monitoring Configurations on the C-Series and S-Series Line Card 0 Line Card 1 Port-Pipe 0 Port-Pipe 1 Port-Pipe 0 Port-Pipe 1 Monitor Session 0 Monitor Session 1 Monitor Session 2 Port Monitoring 003 FTOS Behavior: On the C-Series and S-Series, all monitored frames are tagged if the configured monitoring direction is transmit (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port.
  • Page 819: Configuring Port Monitoring

    Configuring Port Monitoring To configure port monitoring: Step Command Syntax Command Mode Task show interface EXEC Privilege Verify that the intended monitoring port has no no shutdown configuration other than , as shown in Figure 38-6. monitor session CONFIGURATION Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in Figure 38-6.
  • Page 820: Flow-Based Monitoring

    Figure 38-7. Port Monitoring Example Host Traffic Server Traffic Host Server Force10(conf-if-gi-1/2)#show config interface GigabitEthernet 1/2 no ip address no shutdown Sniffer Force10(conf )#monitor session 0 Force10(conf-mon-sess-0)#source gig 1/1 destination gig 1/2 direction rx Port Monitoring 001 Flow-based Monitoring Flow-based Monitoring is supported only on platform Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface.
  • Page 821: Remote Port Mirroring

    Figure 38-8. Configuring Flow-based Monitoring FTOS(conf)#monitor session 0 FTOS(conf-mon-sess-0)#flow-based enable FTOS(conf)#ip access-list ext testflow FTOS(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor FTOS(config-ext-nacl)#seq 10 permit ip 102.1.1.0/24 any count bytes monitor FTOS(config-ext-nacl)#seq 15 deny udp any any count bytes FTOS(config-ext-nacl)#seq 20 deny tcp any any count bytes FTOS(config-ext-nacl)#exit FTOS(conf)#interface gig 1/1...
  • Page 822: Configuring Remote Port Mirroring

    Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
  • Page 823 • You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions. •...
  • Page 824: Configuration Procedure

    - The VLAN consists of more than 128 ports. - You add a port to a VLAN, which has already been configured in a source session, and the newly added port exceeds the 128-port limit. - You configure a range of VLANs in a source session and the combined number of ports in the VLANs exceeds 128.
  • Page 825 Configure a dedicated L2 VLAN for Remote Port Mirroring Step Command Syntax Command Mode Task interface vlan vlan-id CONFIGURATION Create a VLAN to transport mirrored traffic in remote port mirroring. Valid vlan-id values are 1 to 4094. The default VLAN ID is not supported.
  • Page 826 Configure a Source Session on Multiple Switches Step Command Syntax Command Mode Task source { single-interface | range interface-range specifies one of the following MONITOR range { interface-list | SESSION interface ranges: interface-range | gigabitethernet slot/first_port - last_port mixed-interface-list } | tengigabitethernet slot/first_port - last_port vlan vlan-id | range { vlan-list | port-channel first_number - last_number...
  • Page 827 Configure a Destination Session on Multiple Switches Step Command Syntax Command Mode Task monitor session session-id CONFIGURATION Configure the destination session for remote port mirroring and enter Monitor Session configuration mode. source remote-vlan vlan-id MONITOR SESSION Associate the reserved L2 VLAN used to transport destination { single-interface mirrored traffic with this destination session and | range { interface-list |...
  • Page 828: Displaying Remote-Port Mirroring Configurations

    Displaying Remote-Port Mirroring Configurations To display the current configuration of remote port mirroring for a specified session, enter the show config command in MONITOR SESSION configuration mode. FTOS(conf-mon-sess-50)# show config monitor session 50 source GigabitEthernet 1/2 destination remote-vlan 50 direction both mode Remote-Port-Mirroring source vlan 4, vlan 11 - 12, destination remote-vlan 50 direction both mode Remote-Port-Mirroring no disable To display the currently configured source and destination sessions for remote port mirroring on a switch,...
  • Page 829: Sample Configuration: Remote Port Mirroring

    Sample Configuration: Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches). Figure 38-10 shows a sample configuration of remote port mirroring on a source switch.
  • Page 830 Figure 38-12 shows a sample configuration of remote port mirroring on a destination switch. Note that in show monitor session output of a destination session, the source is the reserved VLAN (for example, remote-vlan 22) and the destination is the destination port (for example, Gi 4/73) to which an analyzer is attached.
  • Page 831: Private Vlans

    Private VLANs Private VLANs is available on platforms: Private VLANs (PVLANs) provide Layer 2 isolation between ports within the same VLAN. That is, peer-to-peer communication is restricted or blocked. This is done by dividing the VLAN into subdomains, and then restricting or blocking traffic flow between them. Note: While conceptually, the primary VLAN is divided into secondary VLANs, when configuring PVLAN in FTOS, you explicitly define the secondary VLANs, and then make them members of the primary VLAN.
  • Page 832: Configure Private Vlans

    There are three types of ports in PVLAN: • Host Ports—these ports are the ones that Private VLAN aims to isolate. They are connected to end-stations. • Promiscuous Ports—these ports are members of the primary VLAN, and function as gateways to the primary and secondary VLANs.
  • Page 833: Configure Pvlan Ports

    Related Configuration Tasks • Private VLAN show Commands on page 834 Configure PVLAN Ports You must assign switchports a PVLAN Port role—host, promiscuous, or trunk—before you can add them to a primary or secondary VLAN. • Host ports may not be a part of a non-private (regular) VLAN. •...
  • Page 834: Place The Secondary Vlans In A Primary Vlan

    Place the Secondary VLANs in a Primary VLAN A primary VLAN is a port-based VLAN that is specifically designated as a private VLAN. Doing so enables the VLAN to be divided into secondary VLANs. Step Task Command Syntax Command Mode interface vlan vlan-id Access INTERFACE VLAN mode CONFIGURATION...
  • Page 835: Per-Vlan Spanning Tree Plus

    Per-VLAN Spanning Tree Plus Per-VLAN Spanning Tree Plus is supported on platforms: c e s Port Monitoring is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Protocol Overview Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree—developed by a third party— that allows you to configure a separate Spanning Tree instance for each VLAN.
  • Page 836: Configure Per-Vlan Spanning Tree Plus

    The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (Table 40-2). Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are values you intended. •...
  • Page 837: Enable Pvst

    Enable PVST+ When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally: Step Task Command Syntax Command Mode protocol spanning-tree pvst Enter PVST context. PROTOCOL PVST no disable Enable PVST+. PROTOCOL PVST Disable PVST+ Task Command Syntax Command Mode disable...
  • Page 838 Figure 40-3. Load Balancing with PVST+ STI 2 root STI 3 root STI 1: VLAN 100 vlan 100 bridge-priority 4096 vlan 100 bridge-priority 4096 STI 2: VLAN 200 STI 2: VLAN 200 STI 3: VLAN 300 3/22 2/32 Blocking 3/12 2/12 1/22 1/32...
  • Page 839 Figure 40-4. Display the PVST+ Forwarding Topology Force10_E600(conf)#do show spanning-tree pvst vlan 100 VLAN 100 Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6...
  • Page 840: Modify Global Pvst+ Parameters

    Default: 15 seconds vlan hello-time Change the hello-time parameter. PROTOCOL PVST Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10 Default: 2 seconds vlan max-age Change the max-age parameter.
  • Page 841: Configure An Edgeport

    Note: The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are values you intended.
  • Page 842 To enable EdgePort on an interface, use the following command: Task Command Syntax Command Mode spanning-tree pvst edge-port Enable EdgePort on an interface. INTERFACE bpduguard | shutdown-on-violation The EdgePort status of each interface is given in the output of the command show spanning-tree pvst, as shown in Figure...
  • Page 843: Configure A Root Guard

    Configure a Root Guard Use the Root Guard feature in a Layer 2 PVST+ network to avoid bridging loops. You enable root guard on a per-port or per-port-channel basis. FTOS Behavior: The following conditions apply to a port enabled with root guard: •...
  • Page 844: Configure A Loop Guard

    Configure a Loop Guard The Loop Guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs.
  • Page 845: Pvst+ In Multi-Vendor Networks

    If PVST+ is enabled on the Dell Force10 switch in this network, P1 and P2 receive BPDUs from each other. Ordinarily, the Bridge ID in the frame matches the Root ID, a loop is detected, and the rules of convergence require that P2 move to blocking state because it has the lowest port ID.
  • Page 846: Displaying Stp Guard Configuration

    Task Command Syntax Command Mode extend system-id Augment the Bridge ID with the VLAN ID. PROTOCOL PVST FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768...
  • Page 847: Pvst+ Sample Configurations

    PVST+ Sample Configurations Figure 40-7, Figure 40-8, and Figure 40-9 provide the running configurations for the topology shown in Figure 40-3. Figure 40-7. PVST+ Sample Configuration: R1 Running-configuration interface GigabitEthernet 1/22 no ip address switchport no shutdown interface GigabitEthernet 1/32 no ip address switchport no shutdown...
  • Page 848 Figure 40-8. PVST+ Sample Configuration: R2 Running-configuration interface GigabitEthernet 2/12 no ip address switchport no shutdown interface GigabitEthernet 2/32 no ip address switchport no shutdown interface Vlan 100 no ip address tagged GigabitEthernet 2/12,32 no shutdown interface Vlan 200 no ip address tagged GigabitEthernet 2/12,32 no shutdown interface Vlan 300...
  • Page 849: Quality Of Service

    Quality of Service c e s Quality of Service (QoS) is supported on platforms: Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per-port pipe. Traffic is queued on ingress and egress.
  • Page 850 Table 41-1. FTOS Support for Port-based, Policy-based, and Multicast QoS Features (continued) Feature Platform Direction c e s Create an input QoS policy Ingress c e s Configure policy-based rate policing c e s Set a DSCP value for egress packets c e s Set a dot1p value for egress packets c e s...
  • Page 851: Implementation Information

    (WFQ Scheduling) (WRED) Implementation Information Dell Force10 QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication. It also implements these Internet Engineering Task Force (IETF) documents: • RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers •...
  • Page 852: Port-Based Qos Configurations

    Port-based QoS Configurations You can configure the following QoS features on an interface: • Set dot1p Priorities for Incoming Traffic on page 852 • Configure Port-based Rate Policing on page 854 • Configure Port-based Rate Limiting on page 855 • Configure Port-based Rate Shaping on page 856 •...
  • Page 853: Honor Dot1P Priorities On Ingress Traffic

    Honor dot1p Priorities on Ingress Traffic By default FTOS does not honor dot1p priorities on ingress traffic. Use the service-class dynamic dot1p command from INTERFACE mode to honor dot1p priorities on ingress traffic, as shown in Figure 41-3. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel.
  • Page 854: Configure Port-Based Rate Policing

    Configure Port-based Rate Policing Rate police ingress traffic on an interface using the rate police command from INTERFACE mode, as shown in Figure 41-4. If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed.
  • Page 855: Configure Port-Based Rate Limiting

    Configure Port-based Rate Limiting Configure Port-based Rate Limiting is supported only on platform FTOS Behavior: On the C-Series and S-Series, rate shaping is effectively rate limiting because of its smaller buffer size. On the E-Series: — 802.1Q-priority tagged frames are sometimes not rate-limited according to the configured rate-limit value.
  • Page 856: Configure Port-Based Rate Shaping

    Configure Port-based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Apply rate shaping to outgoing traffic on a port using the rate shape command from INTERFACE mode, as...
  • Page 857: Policy-Based Qos Configurations

    Policy-based QoS Configurations Policy-based QoS configurations consist of the components shown in Figure 41-9. Figure 41-9. Constructing Policy-based QoS Configurations Interface Input Service Policy Output Service Policy Input Input Output Output Policy Policy Policy Policy Input QoS Output QoS Class Map DSCP Policy Policy...
  • Page 858: Create A Layer 2 Class Map

    2. Once you create a class-map, FTOS places you in CLASS MAP mode. From this mode, specify your match criteria using the match ip command, as shown in Figure 41-10. Match-any class maps allow up to five ACLs, and match-all class-maps allow only one ACL. service-queue 3.
  • Page 859: Set Dscp Values For Egress Packets Based On Flow

    Determine the order in which ACLs are used to classify traffic When you link class-maps to queues using the service-queue command, FTOS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, in Figure 41-10, class-map cmap2 is matched against ingress packets before cmap1.
  • Page 860 FTOS Behavior: An explicit “deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified in two Queues, 1 and 2. Class-map ClassAF1 is “match any,” and ClassAF2 is “match all”.
  • Page 861: Create A Qos Policy

    Create a QoS Policy There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2.
  • Page 862: Create An Output Qos Policy

    Figure 41-12. Marking DSCP Values for Egress Packets FTOS#config FTOS(conf)#qos-policy-input my-input-qos-policy FTOS(conf-qos-policy-in)#set ip-dscp 34 % Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b). FTOS(conf-qos-policy-in)#show config qos-policy-input my-input-qos-policy set ip-dscp 34 FTOS(conf-qos-policy-in)#end FTOS#...
  • Page 863 1. Assigning a weight to one queue affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Force10 recommends that you evaluate your bandwidth requirements for all other queues as well.
  • Page 864: Create Policy Maps

    Table 41-4 shows an example of choosing bandwidth weights for all four queues to achieve a target bandwidth allocation. Table 41-4. Assigning Bandwidth Weights for the C-Series and S-Series Equivalent Target Queue Weight Percentage Allocation 0.44% 28.44% 56.89% 14.22% Specify WRED drop precedence Specify WRED drop precedence is supported only on platform wred...
  • Page 865 Apply an input QoS policy to an input policy map Apply an input QoS policy to an input policy map using the policy-aggregate command from POLICY-MAP-IN mode. Honor DSCP values on ingress packets FTOS provides the ability to honor DSCP values on ingress packets using Trust DSCP feature. Enable this feature using the trust diffserv command from POLICY-MAP-IN mode.
  • Page 866 Honoring dot1p values on ingress packets FTOS provides the ability to honor dot1p values on ingress packets with the Trust dot1p feature. Enable Trust dot1p using the trust dot1p command from POLICY-MAP-IN mode. Table 41-6 specifies the queue to which the classified traffic is sent based on the dot1p value. Table 41-6.
  • Page 867 In the following configuration, packets are classified to queues using the three class maps: policy-map-input input-policy service-queue 1 class-map qos-BE1 service-queue 3 class-map qos-AF3 service-queue 4 class-map qos-AF4 class-map match-any qos-AF3 match ip dscp 24 match ip access-group qos-AF3-ACL class-map match-any qos-AF4 match ip dscp 32 match ip access-group qos-AF4-ACL class-map match-all qos-BE1...
  • Page 868: Apply An Input Policy Map To An Interface

    On the C-Series and S-Series all traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, then you can create service classes based on the queueing strategy in Table 41-6 using the service-class dynamic dot1p command from INTERFACE mode.
  • Page 869: Qos Rate Adjustment

    Specify an aggregate QoS policy Specify an aggregate QoS policy using the policy-aggregate command from POLICY-MAP-OUT mode. Apply an output policy map to an interface Apply an input policy map to an interface using the service-policy output command from INTERFACE mode.
  • Page 870: Strict-Priority Queueing

    Strict-priority Queueing You can assign strict-priority to one unicast queue, 1-7, using the strict-priority command from CONFIGURATION mode. Strict-priority means that FTOS dequeues all packets from the assigned queue before servicing any other queues. • strict-priority supersedes bandwidth-percentage and bandwidth-weight percentage configurations. •...
  • Page 871: Create Wred Profiles

    FTOS assigns a color (also called drop precedence)—red, yellow, or green—to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell Force10 uses the first three bits of this field (DP) to determine the drop precedence. DP values of 110 and 100 map to yellow, and all other values map to green.
  • Page 872: Display Default And Configured Wred Profiles

    WRED can be used in combination with storm control to regulate broadcast and unknown-unicast traffic. storm-control broadcast This feature is available through an additional option in command unknown-unicast ] at CONFIGURATION. See the FTOS Command Line Reference for information on using this command.
  • Page 873: Allocating Bandwidth To Multicast Queues

    Figure 41-15. show qos statistics Command Example FTOS#show qos statistics wred-profile Interface Gi 5/11 Queue# Drop-statistic WRED-name Dropped Pkts Green WRED1 51623 Yellow WRED2 51300 Out of Profile Green WRED1 52082 Yellow WRED2 51004 Out of Profile Green WRED1 50567 Yellow WRED2 49965...
  • Page 874: Pre-Calculating Available Qos Cam Space

    For example, if you configure 70% bandwidth to multicast, 80% bandwidth to one queue in unicast and 0 % to all remaining unicast queues, then first, FTOS assigns 70% bandwidth to multicast, then FTOS derives the 80% bandwidth for unicast from the remaining 30% of total bandwidth. Pre-calculating Available QoS CAM Space c e s Pre-calculating Available QoS CAM Space...
  • Page 875: Viewing Qos Cam Entries

    • Status indicates whether or not the specified policy-map can be completely applied to an interface in the port-pipe. • Allowed indicates that the policy-map can be applied because the estimated number of CAM entries is less or equal to the available number of CAM entries. The number of interfaces in the port-pipe to which the policy-map can be applied is given in parenthesis.
  • Page 876 Quality of Service...
  • Page 877: Routing Information Protocol

    Routing Information Protocol Routing Information Protocol is supported only on platforms: c e s RIP is supported on the S-Series following the release of FTOS version 7.8.1.0, and on the C-Series with FTOS versions 7.6.1.0 and after. RIP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections.
  • Page 878: Ripv2

    RIP must receive regular routing updates to maintain a correct routing table. Response messages containing a router’s full routing table are transmitted every 30 seconds. If a router does not send an update within a certain amount of time, the hop count to that route is changed to unreachable (a route hop metric of 16 hops).
  • Page 879: Configuration Task List For Rip

    Configuration Task List for RIP • Enable RIP globally on page 879 (mandatory) • Configure RIP on interfaces on page 880 (optional) • Control RIP routing updates on page 881 (optional) • Set send and receive version on page 882 (optional) •...
  • Page 880: Configure Rip On Interfaces

    When the RIP process has learned the RIP routes, use the show ip rip database command in the EXEC mode to view those routes (Figure 385). Figure 42-2. show ip rip database Command Example (Partial) FTOS#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0 160.160.0.0/16...
  • Page 881: Control Rip Routing Updates

    Purpose neighbor ip-address ROUTER RIP Define a specific router to exchange RIP information between it and the Dell Force10 system. You can use this command multiple times to exchange RIP information with as many RIP networks as you want. passive-interface...
  • Page 882 To add routes from other routing instances or protocols, use any of the following commands in the ROUTER RIP mode: Command Syntax Command Mode Purpose redistribute { connected | static } [ metric metric-value ] [ route-map map-name ] ROUTER RIP Include directly connected or user-configured (static) routes in RIP.
  • Page 883 Figure 42-3 shows an example of the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When the ROUTER RIP mode version command is set, the interface (GigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2. Figure 42-3.
  • Page 884: Generate A Default Route

    Figure 42-5. show ip protocols Command Example FTOS#show ip protocols Routing Protocols is RIP Sending updates every 30 seconds, next due in 11 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is...
  • Page 885: Control Route Metrics

    If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The autosummary command requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary. Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
  • Page 886: Rip Configuration Example

    To enable RIP debugging, use the following command in the EXEC privilege mode: Command Syntax Command Mode Purpose debug ip rip [ interface | database | events | trigger ] EXEC privilege Enable debugging of RIP. Figure 42-6 shows the confirmation when the debug function is enabled. Figure 42-6.
  • Page 887: Configuring Ripv2 On Core 2

    Configuring RIPv2 on Core 2 Figure 42-8. Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/31)# Core2(conf-if-gi-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config router rip network 10.0.0.0 version 2 Core2(conf-router_rip)# Core 2 Output The screenshots in this section are: show ip rip database •...
  • Page 888 Figure 42-10. Using show ip route Command to Show RIP Configuration on Core 2 Core2#show ip route Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,...
  • Page 889: Rip Configuration On Core 3

    RIP Configuration on Core 3 Figure 42-12. RIP Configuration on Core 3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.0 version 2 Core3(conf-router_rip)# Core 3 RIP Output The screenshots in this section are: show ip rip database •...
  • Page 890 Figure 42-14. Using show ip routes for Core 3 RIP Setup Core3#show ip routes Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,...
  • Page 891: Rip Configuration Summary

    RIP Configuration Summary Figure 42-16. Summary of Core 2 RIP Configuration Using Output of show run Command interface GigabitEthernet 2/11 ip address 10.11.10.1/24 no shutdown interface GigabitEthernet 2/31 ip address 10.11.20.2/24 no shutdown interface GigabitEthernet 2/41 ip address 10.200.10.1/24 no shutdown interface GigabitEthernet 2/42 ip address 10.250.10.1/24 no shutdown...
  • Page 892 Routing Information Protocol...
  • Page 893: Remote Monitoring

    Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Force10 Ethernet Interfaces. RMON operates with SNMP and monitors all nodes on a LAN segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
  • Page 894: Fault Recovery

    Chassis Down—When a chassis goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file, and the sampling process continues after the chassis returns to operation. Platform Adaptation—RMON supports all Dell Force10 chassis and all Dell Force10 Ethernet Interfaces.
  • Page 895 Set rmon alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command: Command Syntax Command Mode Purpose [no] rmon alarm number variable CONFIGURATION Set an alarm on any MIB object.
  • Page 896: Configure An Rmon Event

    Figure 43-1. rmon alarm Command Example FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1 Alarm Number MIB Variable Monitor Interval Counter Value Limit Triggered Event The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
  • Page 897: Configure Rmon Collection Statistics

    Figure 43-2. rmon event Command Example FTOS(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1 The above configuration example creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command.
  • Page 898: Configure Rmon Collection History

    Configure RMON collection history To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command. Command Syntax Command Mode Purpose...
  • Page 899: Rapid Spanning Tree Protocol

    Rapid Spanning Tree Protocol Rapid Spanning Tree Protocol is supported on platforms: c e s. RSTP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Protocol Overview Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol—specified by IEEE 802.1w—that is essentially the same as Spanning-Tree Protocol (STP) but provides faster convergence and interoperability with switches configured with STP and MSTP.
  • Page 900: Configure Interfaces For Layer 2 Mode

    VLANs sends multiple messages to the RSTP task. When using the command, Dell Force10 recommends limiting the range to 5 ports and 40 VLANs. Configure Interfaces for Layer 2 Mode All interfaces on all bridges that will participate in Rapid Spanning Tree must be in Layer 2 and enabled.
  • Page 901: Enable Rapid Spanning Tree Protocol Globally

    To configure the interfaces for Layer 2 and then enable them: Step Task Command Syntax Command Mode If the interface has been assigned an IP address, remove it. no ip address INTERFACE Place the interface in Layer 2 mode. switchport INTERFACE Enable the interface. no shutdown
  • Page 902 Figure 44-3. Verifying RSTP is Enabled FTOS(conf-rstp)#show config Indicates that Rapid Spanning Tree is enabled protocol spanning-tree rstp no disable FTOS(conf-rstp)# When you enable Rapid Spanning Tree, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. •...
  • Page 903 Figure 44-5. show spanning-tree rstp Command Example FTOS#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.cbb4 Configured hello time 2, max age 20, forward delay 15, max hops 0 We are the root Current root has priority 32768, Address 0001.e801.cbb4 Number of topology changes 4, last change occurred 00:02:17 ago on Gi 1/26...
  • Page 904: Add And Remove Interfaces

    Max-age is the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology. Note: Dell Force10 recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTG parameters can negatively impact network performance.
  • Page 905 Default: 15 seconds hello-time seconds PROTOCOL SPANNING TREE Change the hello-time parameter. Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the RSTP hello-time. Range: 1 to 10 Default: 2 seconds max-age seconds Change the max-age parameter.
  • Page 906: Modify Interface Parameters

    Modify Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost is a value that is based on the interface type. The default values are listed in Table 44-2. The greater the port cost, the less likely the port will be selected to be a forwarding port.
  • Page 907 Verify that EdgePort is enabled on a port using the command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 44-7. FTOS Behavior: Regarding...
  • Page 908: Influence Rstp Root Selection

    Influence RSTP Root Selection The Rapid Spanning Tree Protocol determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it will be selected as the root bridge. To change the bridge priority, use the following command: Task Command Syntax Command Mode...
  • Page 909: Fast Hellos For Link State Detection

    Fast Hellos for Link State Detection Fast Hellos for Link State Detection is available only on platform: Use RSTP Fast Hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. RSTP Fast Hellos decrease the hello interval to the order of milliseconds and all timers derived from the hello timer are adjusted accordingly.
  • Page 910: Configure A Root Guard

    Configure a Root Guard Use the Root Guard feature in a Layer 2 RSTP network to avoid bridging loops. You enable root guard on a per-port or per-port-channel basis. FTOS Behavior: The following conditions apply to a port enabled with root guard: •...
  • Page 911: Configure A Loop Guard

    Configure a Loop Guard The Loop Guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs.
  • Page 912: Displaying Stp Guard Configuration

    Displaying STP Guard Configuration To verify the STP guard configured on RSTP port or port-channel interfaces, enter the show spanning-tree rstp guard command. Refer to Chapter 52, “Spanning Tree Protocol,” on page 1049 for information on how to configure and use the STP root guard, loop guard, and BPDU guard features. Figure 44-9 shows an example for an RSTP network (instance 0) in which: •...
  • Page 913: Security

    Security features are supported on platforms This chapter discusses several ways to provide access security to the Dell Force10 system. Platform-specific features are identified by the icons (as shown below). Security features are supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
  • Page 914: Enable Aaa Accounting

    Accounting Configuration Task List for AAA The following sections present the AAA Accounting configuration tasks: • Enable AAA Accounting on page 914 (mandatory) • Suppress AAA Accounting for null username sessions on page 915 (optional) • Configure Accounting of EXEC and privilege-level command usage on page 915 (optional) •...
  • Page 915: Suppress Aaa Accounting For Null Username Sessions

    Suppress AAA Accounting for null username sessions When AAA Accounting is activated, the FTOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the AAA Authentication login method-list none command is applied.
  • Page 916 No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, perform the following task in Privileged EXEC mode: Command Syntax Command Mode Purpose show accounting CONFIGURATION Step through all active sessions and print all the accounting records for the actively accounted functions.
  • Page 917: Aaa Authentication

    Accounting (AAA) to help secure networks against unauthorized access. In the Dell Force10 implementation, the Dell Force10 system acts as a RADIUS or TACACS+ client and sends authentication requests to a central RADIUS or TACACS+ server that contains all user authentication and network service access information.
  • Page 918: Configure Aaa Authentication Login Methods

    To view the configuration, use the command in the LINE mode or the EXEC Privilege mode. Note: Dell Force10 recommends that you use the none method only as a backup. This method does not authenticate users. The and enable methods do not work with SSH.
  • Page 919: Enable Aaa Authentication

    Enable AAA Authentication To enable AAA authentication, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose aaa authentication enable default CONFIGURATION • —Uses the listed authentication methods that follow this argument as the default [... method-list-nam method1 default list of methods when a user logs in.
  • Page 920: Aaa Authorization

    Server-side configuration TACACS+: When using TACACS+, Dell Force10 sends an initial packet with service type SVC_ENABLE, and then, a second packet with just the password. The TACACS server must have an entry for username $enable$. RADIUS: When using RADIUS authentication, FTOS sends an authentication packet with the following: Username: $enab15$ Password: <password-entered-by-user>...
  • Page 921: Configuration Task List For Privilege Levels

    By default, commands in FTOS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level. For example, to reach the protocol spanning-tree command, you must log in to the router, enter the enable command for privilege level 15 (this is the default level for the command) and then enter the CONFIGURATION mode.
  • Page 922: Configure The Enable Password Command

    Configure the enable password command To configure FTOS, you must use the enable command to enter the EXEC Privilege level 15. After entering the command, FTOS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level. A password for any privilege level can always be changed.
  • Page 923 To assign commands and passwords to a custom privilege level, you must be in privilege level 15 and use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose username name access-class CONFIGURATION Assign a user name and password. Configure the privilege level optional and required parameters: access-list-name...
  • Page 924 Figure 45-2. Configuring a Custom Privilege Level FTOS(conf)#username john privilege 8 password john The user john is assigned privilege level FTOS(conf)#enable password level 8 notjohn 8 and assigned a password. FTOS(conf)#privilege exec level 8 configure All other users are assigned a password FTOS(conf)#privilege config level 8 snmp-server to access privilege level 8 FTOS(conf)#end...
  • Page 925: Radius

    RADIUS server and a RADIUS client (the Dell Force10 system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: •...
  • Page 926: Radius Authentication And Authorization

    RADIUS Authentication and Authorization FTOS supports RADIUS for user authentication (text password) at login and can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can configure to limit the attributes of services available to a user.
  • Page 927: Idle Time

    RADIUS_EAP_MSG RADIUS_MSG_AUTHENTICATOR RADIUS_TUNNEL_PRIVATE_GROUP_ID NAS_IPv6_ADDRESS RADIUS exec-authorization stores a user-shell profile that is applied during user login. You may name the relevant named-lists with either a unique name or the default name. When authorization is enabled by the RADIUS server, the server returns the following information to the client: •...
  • Page 928: Configuration Task List For Radius

    Auto-command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. To do this, use the auto-command command. The auto-command is executed when the user is authenticated and before the prompt appears to the user. Set access to privilege levels through RADIUS Through the RADIUS server, you can use the privilege level command...
  • Page 929: Apply The Method List To Terminal Lines

    Command Syntax Command Mode Purpose aaa authorization exec CONFIGURATION Create methodlist with RADIUS and TACACS+ as default radius method-list-name authorization methods. Typical order of methods: tacacs+ RADIUS, TACACS+, Local, None. If authorization is denied by RADIUS, the session ends (radius should not be the last method specified).
  • Page 930 To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If multiple RADIUS server hosts are configured, FTOS attempts to connect with them in the order in which they were configured. When FTOS attempts to authenticate a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response.
  • Page 931: Tacacs

    To view the configuration of RADIUS communication parameters, use the show running-config command in the EXEC Privilege mode. Monitor RADIUS To view information on RADIUS transactions, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose debug radius EXEC Privilege View RADIUS transactions to troubleshoot...
  • Page 932 To select TACACS as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose tacacs-server host ipv4-address CONFIGURATION Configure a TACACS+ server host. Enter ipv6-address host the IP address or host name of the TACACS+ server.
  • Page 933: Tacacs+ Remote Authentication And Authorization

    Figure 45-4. Failed Authentication FTOS(conf)# FTOS(conf)#do show run aaa aaa authentication enable default tacacs+ enable aaa authentication enable LOCAL enable tacacs+ aaa authentication login default tacacs+ local aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+...
  • Page 934 Figure 45-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection.
  • Page 935: Command Authorization

    To delete a TACACS+ server host, use the no tacacs-server host { hostname | ip-address } command. freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'. Login: admin Password: FTOS# FTOS# Command Authorization The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
  • Page 936 Command Mode Purpose ip ssh server version CONFIGURATION Configure the Dell Force10 system as an SSH server that uses only version 1 or 2. To view the SSH configuration, use the following command in EXEC Privilege mode: Command Syntax Command Mode...
  • Page 937: Using Scp With Ssh To Copy A Software Image

    Figure 45-6. Specifying an SSH version FTOS(conf)#ip ssh server version 2 FTOS(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. Authentication : disabled. To disable SSH server functions, enter no ip ssh server enable. Using SCP with SSH to copy a software image To use Secure Copy (SCP) to copy a software image through an SSH connection from one switch to...
  • Page 938: Secure Shell Authentication

    2, respectively. SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Force10 system. This is the simplest method of authentication and uses SSH version 1. ip ssh password-authentication enable...
  • Page 939: Rsa Authentication Of Ssh

    Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. Copy the public key id_rsa.pub to the Dell Force10 system. no ip ssh password-authentication Disable password authentication if enabled. CONFIGURATION...
  • Page 940 Figure 45-11. Creating rhosts admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.201 admin Copy the file shosts and rhosts to the Dell Force10 system. • no ip ssh password-authentication Disable password authentication and • CONFIGURATION • no ip ssh rsa-authentication RSA authentication, if configured •...
  • Page 941: Troubleshooting Ssh

    Message 2 RSA Authentication Error %Error: No username set for this term. • Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine). Message 3 appears if you attempt to log in via SSH and host-based is disabled on the client.
  • Page 942: Trace Lists

    Trace Lists Trace Lists feature is supported only on the E-Series: You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
  • Page 943 Since traffic passes through the filter in the order of the filter’s sequence, you can configure the trace list by first entering the TRACE LIST mode and then assigning a sequence number to the filter. To create a filter for packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax...
  • Page 944 Step Command Syntax Command Mode Purpose seq sequence-number deny permit TRACE LIST Configure a trace list filter for TCP host ip-address packets. source mask ]] { operator port port destination mask • source : An IP address as the source IP address for the filter to match.
  • Page 945 Figure 45-13. Trace list Using seq Command Example FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any FTOS(config-trace-acl)#show conf ip trace-list dilling seq 5 permit tcp 121.1.0.0 0.0.255.255 any seq 15 deny ip host 12.45.0.0 any log If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
  • Page 946 Command Syntax Command Mode Purpose deny permit host TRACE LIST Configure a deny or permit filter to source mask examine TCP packets. Configure the ]] { ip-address operator port port destination mask following required and optional host ip-address operator port port parameters: established...
  • Page 947 Figure 45-14. Trace List Example FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0 FTOS(config-trace-acl)#show config ip trace-list nimule seq 5 deny tcp host 123.55.34.0 any seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0 To view all configured Trace lists and the number of packets processed through the Trace list, use the show ip accounting trace-list command (Figure 110)
  • Page 948: Vty Line And Access-Class Configuration

    VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote: Table 45-1. VTY Access Username VTY access-class access-class Authentication Method support? support? Remote authorization support? Line Local...
  • Page 949: Vty Line Remote Authentication And Authorization

    FTOS retrieves the access class from the VTY line. The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not need to know the identity of the incoming user and can immediately apply the access class. If the...
  • Page 950 Figure 45-18. Example Access Class Configuration Using TACACS+ Without Prompt FTOS(conf)#mac access-list standard sourcemac FTOS(config-std-mac)#permit 00:00:5e:00:01:01 FTOS(config-std-mac)#deny any FTOS(conf)# FTOS(conf)#line vty 0 9 FTOS(config-line-vty)#access-class sourcemac FTOS(config-line-vty)#end Security...
  • Page 951: Service Provider Bridging

    Service Provider Bridging Service Provider Bridging is supported on platforms: c e s. This chapter contains the following major sections: • VLAN Stacking on page 951 • VLAN Stacking Packet Drop Precedence on page 962 • Dynamic Mode CoS for VLAN Stacking on page 965 •...
  • Page 952: Important Points To Remember

    To switch traffic, these interfaces must be added to a non-default VLAN-Stack-enabled VLAN. • Dell Force10 cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. • You can ping across a trunk port only if both systems on the link are an E-Series. You cannot ping across the link if one or both of the systems is a C-Series or S-Series.
  • Page 953: Configure Vlan Stacking

    Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process: 1. Create access and trunk ports. See page 953. 2. Assign access and trunk ports to a VLAN. See page 954. 3. Make the VLAN VLAN-stacking capable. Related Configuration Tasks • Configure the Protocol Type Value for the Outer VLAN Tag on page 954 •...
  • Page 954: Enable Vlan-Stacking For A Vlan

    Display the VLAN-Stacking configuration for a switchport using the show config command from INTERFACE mode, as shown in Figure 46-3. Figure 46-3. Displaying the VLAN-Stack Configuration on a Layer 2 Port FTOS#show run interface gi 7/0 interface GigabitEthernet 7/0 no ip address switchport vlan-stack access no shutdown...
  • Page 955: Ftos Options For Trunk Ports

    FTOS Options for Trunk Ports 802.1ad trunk ports may also be tagged members of a VLAN so that they can carry single and double-tagged traffic. You can enable trunk ports to carry untagged, single-tagged, and double-tagged VLAN traffic by making the trunk port a hybrid port.
  • Page 956: Vlan Stacking In Multi-Vendor Networks

    0x9100, and it is, so R2 forwards the frame. Given the matching-TPID requirement, there are limitations when you employ Dell Force10 systems at network edges, where frames are either double tagged on ingress (R4) or the outer tag is removed on egress (R3).
  • Page 957 Figure 46-6. TPID Match and First-byte Match on the E-Series TeraScale [network diagram not reproduced]
  • Page 958 Figure 46-7. TPID Mismatch and 0x8100 Match on the E-Series TeraScale [network diagram not reproduced]
  • Page 959 Figure 46-8. First-byte TPID Match on the E-Series ExaScale [network diagram not reproduced] Table 46-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series. Table 46-1.
  • Page 960 You can configure the first eight bits of the TPID using the vlan-stack protocol-type command. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
  • Page 961 Figure 46-10. Single and Double-tag First-byte TPID Match on C-Series and S-Series [network diagram not reproduced] Figure 46-11.
  • Page 962: Vlan Stacking Packet Drop Precedence

    Table 46-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series. Table 46-2. C-Series and S-Series Behaviors for Mis-matched TPID Network Incoming System Position Packet TPID TPID Match Type Pre-8.2.1.0 8.2.1.0+ Ingress Access Point untagged 0xUVWX —...
  • Page 963: Enable Drop Eligibility

    Enable Drop Eligibility You must enable Drop Eligibility globally before you can honor or mark the DEI value. Task: Make packets eligible for dropping based on their DEI value. By default, packets are colored green, and DEI is marked 0 on egress. Command Syntax: dei enable. Command Mode: CONFIGURATION. When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults.
  • Page 964: Mark Egress Packets With A Dei Value

    Task Command Syntax Command Mode FTOS#show interface dei-honor Default Drop precedence: Green Interface CFI/DEI Drop precedence ------------------------------------------------------------- Gi 0/1 Green Gi 0/1 Yellow Gi 8/9 Gi 8/40 Yellow Mark Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
  • Page 965: Dynamic Mode Cos For Vlan Stacking

    Dynamic Mode CoS for VLAN Stacking Dynamic Mode CoS for VLAN Stacking is available only on platforms: One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS.
  • Page 966 FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
  • Page 967: Layer 2 Protocol Tunneling

    To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly: Task: Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag. Command Mode: CONFIGURATION. Command Syntax: cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number
  • Page 968 (Figure 46-14). FTOS Behavior: In FTOS versions prior to 8.2.1.0, the MAC address that Dell Force10 systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Force10-unique MAC address, 01-01-e8-00-00-00. As such, with these FTOS...
  • Page 969: Implementation Information

    Figure 46-14. VLAN Stacking with L2PT (network diagram showing BPDUs between non-Force10 systems and R1-E-Series, with destination MAC addresses 01-80-C2-00-00-00 and 01-01-e8-00-00-00). Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
  • Page 970: Enable Layer 2 Protocol Tunneling

    Enable Layer 2 Protocol Tunneling
    Task: Verify that the system is running the default CAM profile; you must use this CAM profile for L2PT. Command Syntax: show cam-profile. Command Mode: EXEC Privilege.
    Task: Enable protocol tunneling globally on the system. Command Syntax: protocol-tunnel enable. Command Mode: CONFIGURATION.
    Task: Tunnel BPDUs the VLAN. Command Syntax: protocol-tunnel stp.
  • Page 971: Rate-Limit Bpdus On The C-Series And S-Series

    Rate-limit BPDUs on the C-Series and S-Series CAM space is allocated in sections called Field Processor (FP) blocks. There are a total of 13 user-configurable FP blocks on the C-Series and S-Series. The default number of blocks for L2PT is 0; you must allocate at least one to enable BPDU rate-limiting. Step Task Command Syntax...
  • Page 972 The same is true for GVRP. 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
  • Page 973: Sflow

    sFlow sFlow is supported on platforms: c e s. sFlow is supported on E-Series ExaScale x with FTOS 8.1.1.0 and later. • Enable and Disable sFlow on page 975 • sFlow Show Commands on page 976 • Configure Collectors on page 978 •...
  • Page 974: Implementation Information

    Implementation Information Dell Force10 sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe. If sFlow is not enabled on any port specifically, then the global sampling rate is downloaded to that port and is used to calculate the port-pipe’s lowest sampling rate.
  • Page 975: Enable And Disable Sflow

    • FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount. Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
  • Page 976: Sflow Show Commands

    sFlow Show Commands FTOS includes the following sFlow display commands: • Show sFlow Globally on page 49 • Show sFlow on an Interface on page 50 • Show sFlow on a Line Card on page 50 Show sFlow Globally Use the following command to view sFlow statistics: Command Syntax Command Mode Purpose...
  • Page 977: Show Sflow On A Line Card

    Figure 47-3. Command Example: show sflow interface FTOS#show sflow interface gigabitethernet 1/16 Gi 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate Counter polling interval Samples rcvd from h/w Samples dropped for sub-sampling :6 The configuration, shown in Figure 47-2, is also displayed in the running configuration (Figure...
  • Page 978: Configure Collectors

    Configure Collectors The sflow collector command allows you to configure sFlow collectors to which sFlow datagrams are forwarded. You can configure up to two sFlow collectors (IPv4 or IPv6). If you configure two collectors, traffic samples are sent to both devices. sFlow collection through the Management interface is supported on platform: c e s. IPv6 sFlow collectors and agents are supported on platforms:...
  • Page 979: Sampling Rate

    Sampling Rate Sampling Rate is supported on platform The sFlow sampling rate is the number of packets that are skipped before the next sample is taken. sFlow does not have time-based packet sampling. The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate.
  • Page 980: Back-Off Mechanism

    Note: Sampling rate backoff can change the sampling rate value that is set in the hardware. This equation shows the relationship between actual sampling rate, sub-sampling rate, and the hardware sampling rate for an interface: Actual sampling rate = sub-sampling rate * hardware sampling rate Note the absence of a configured rate in the equation.
  • Page 981 Use the sflow extended-switch extended-router extended-gateway enable command. By default, packing of any of the extended information in the datagram is disabled. Use the show sflow command to confirm that extended information packing is enabled, as shown in Figure 47-6.
  • Page 982: Important Points To Remember

    The IP destination address has to be learned via BGP in order to export extended-gateway data, prior to FTOS version 7.8.1.0. • If the IP destination address is not learned via BGP the Dell Force10 system does not export extended-gateway data, prior to FTOS version 7.8.1.0. •...
  • Page 983: Simple Network Management Protocol

    SNMP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Note: On Dell Force10 routers, standard and private SNMP MIBs are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
  • Page 984: Create A Community

    Configuring SNMP requires only a single step: 1. Create a community. See page 984. Related Configuration Tasks The following list contains configuration tasks for SNMP: • Read Managed Object Values on page 985 • Write Managed Object Values on page 986 •...
  • Page 985: Read Managed Object Values

    Message 1 SNMP Enabled 22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START. View your SNMP configuration using the show running-config snmp command from EXEC Privilege mode, as shown in Figure 48-1. Figure 48-1. Creating an SNMP Community FTOS#snmp-server community my-snmp-community ro 22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
  • Page 986: Write Managed Object Values

    Task Command Figure 48-4. Reading the Value of Many Managed Objects at Once > snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1 SNMPv2-MIB::sysDescr.0 = STRING: Force10 Networks Real Time Operating System Software Force10 Operating System Version: 1.0 Force10 Application Software Version: E_MAIN4.7.6.350 Copyright (c) 1999-2007 by Force10 Networks, Inc.
  • Page 987: Configure Contact And Location Information Using Snmp

    Configure Contact and Location Information using SNMP You may configure system contact and location information from the Dell Force10 system or from the management station using SNMP. To configure system contact and location information from the Dell Force10 system: Task...
  • Page 988: Subscribe To Managed Object Value Updates Using Snmp

    Subscribe to Managed Object Value Updates using SNMP By default, the Dell Force10 system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
  • Page 989 Table 48-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap Examples envmon CARD_SHUTDOWN: %sLine card %d down - %s CARD_DOWN: %sLine card %d down - %s LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
  • Page 990: Copy Configuration Files Using Snmp

    Use SNMP from a remote client to: • copy the running-config file to the startup-config file, or • copy configuration files from the Dell Force10 system to a server • copy configuration files from a server to the Dell Force10 system
  • Page 991 All of these tasks can be performed using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; IPv6 addresses can be substituted for the IPv4 addresses in all of the examples. The relevant MIBs for these functions are: Table 48-3.
  • Page 992 Create an SNMP community string with read/write privileges (command arguments: community-name rw; command mode: CONFIGURATION). Copy the f10-copy-config.mib MIB from the Dell Force10 iSupport webpage to the server to which you are copying the configuration file. On the server, use the snmpset command as shown: snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address...
  • Page 993 Note: In Unix, enter the snmpset command for help using this command. Place the file f10-copy-config.mib in the directory from which you are executing the snmpset command or in the snmpset tool path. Table 48-4. Copying Configuration Files via SNMP Task Copy the running-config to the startup-config using the following command from the Unix machine: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3...
  • Page 994 /home/myfilename copyServerAddress.4 a 11.11.11.11 Copy a binary file from the server to the startup-configuration on the Dell Force10 system via FTP using the following command from the Unix server: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3...
  • Page 995 Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 48-5. Table 48-5. MIB Objects for Copying Configuration Files via SNMP MIB Object Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.1.11 1= running Specifies the state of the copy operation.
  • Page 996 Figure 48-13 shows the command syntax using MIB object names, and Figure 48-14 shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command. Figure 48-13. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax >...
  • Page 997: Manage Vlans Using Snmp

    Manage VLANs using SNMP The qBridgeMIB managed objects in the Q-BRIDGE-MIB, defined in RFC 2674, enable you to use SNMP to manage VLANs. Create a VLAN Use the dot1qVlanStaticRowStatus object to create a VLAN. The snmpset operation in Figure 48-15 creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. Figure 48-15.
  • Page 998 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 The table that the Dell Force10 system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports.
  • Page 999: Add Tagged And Untagged Ports To A Vlan

    Figure 48-18 shows the output for an S-Series. All hex pairs are 00, indicating that no ports are assigned to VLAN 10. In Figure 48-19, Port 0/2 is added to VLAN 10 as untagged, and the first hex pair changes from 00 to 04.
  • Page 1000 Figure 48-20. Adding Untagged Ports to a VLAN using SNMP >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"...
  • Page 1001: Enable And Disable A Port Using Snmp

    OID: Fetch Dynamic MAC Entries using SNMP Dell Force10 supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. Note: The 802.1q Q-BRIDGE MIB defines VLANs with regard to 802.1d, as 802.1d itself does not define them.
