Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Force10 systems. For complete information on protocols, refer to other documentation including IETF Requests for Comment (RFCs). The instructions in...
This symbol is a note associated with some other text on the page that is marked with an asterisk. Related Documents For more information about the Dell Force10 E-Series, C-Series, S-Series, and Z-Series, refer to the following documents: • FTOS Command Reference •...
Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes.
CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command). You can set user access rights to commands and command modes using privilege levels;...
Figure 2-2. CLI Modes in FTOS EXEC EXEC Privilege CONFIGURATION ARCHIVE AS-PATH ACL INTERFACE GIGABIT ETHERNET 10 GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET NULL PORT-CHANNEL SONET VLAN VRRP IPv6 IP COMMUNITY-LIST IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST LINE AUXILIARY CONSOLE VIRTUAL TERMINAL MAC ACCESS-LIST...
Table 2-1. FTOS Command Modes
CLI Command Mode | Prompt | Access Command
EXEC | FTOS> | Access the router through the console or Telnet.
EXEC Privilege | FTOS# | • From EXEC mode, enter the command enable. • From any other mode, use the command end.
FTOS(conf)# •...
Table 2-1. FTOS Command Modes (continued)
CLI Command Mode | Prompt | Access Command
STANDARD ACCESS-LIST | FTOS(config-std-macl)# | mac access-list standard
EXTENDED ACCESS-LIST | FTOS(config-ext-macl)# | mac access-list extended
MULTIPLE SPANNING TREE | FTOS(config-mstp)# | protocol spanning-tree mstp
OPENFLOW | FTOS(conf-of-instance of-id)# | openflow of-instance of-id (of-id represents the OpenFlow instance ID.)
Per-VLAN SPANNING | FTOS(config-pvst)# | protocol spanning-tree pvst...
The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command. Note: The following commands cannot be modified by the do command: enable, disable, exit, and configure.
Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the help command: • Enter ? at the prompt or after a keyword to list the keywords available in the current mode. •...
• The UP and DOWN arrow keys display previously entered commands (see Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line, as described in Table 2-2.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
Getting Started This chapter contains the following major sections: • Default Configuration • Configure a Host Name • Access the System Remotely • Configure the Enable Password • Configuration File Management • File System Management When you power up the chassis, the system performs a Power-On Self Test (POST) during which Route Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green. The system then loads FTOS and boot messages scroll up the terminal window during this process.
To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout. Step Task Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the S4810 console port to a terminal server. Connect the other end of the cable to the DTE terminal server.
The S-Series (except the S4810) does not have a dedicated management port, but is managed from any port. It does not have a separate management routing table. • All Dell Force10 products can be managed via the front-end data ports as well. Access the C-Series, E-Series, S-Series, and the Z-Series Remotely Configuring the system for Telnet is a three-step process: 1.
Note: Assign different IP addresses to each RPM’s management port. To configure the management port IP address: Step Task Command Syntax Command Mode Enter INTERFACE mode for the interface ManagementEthernet slot/port CONFIGURATION Management port. • slot range: 0 to 1 •...
7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Force10 system. Access the S-Series Remotely The S-Series does not have a dedicated management port nor a separate management routing table.
Flash memory. It has a space limitation but does not limit the number of files it can contain. Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause unexpected system behavior, including a reboot.
Table 3-2. • To copy a remote file to a Dell Force10 system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location shown in Table 3-2.
26292881 bytes successfully copied Save the Running-configuration The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the primary RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
Task | Command Syntax | Command Mode
Save the running-configuration to:
the startup-configuration on the internal flash of the primary RPM | copy running-config startup-config
the internal flash on an RPM | copy running-config rpm{0|1}flash://filename
Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
View Files File information and content can only be viewed on local file systems. To view a list of files on the internal or external Flash:
Task | Command Syntax | Command Mode
View a list of files on:
the internal flash of an RPM | dir flash: | EXEC Privilege
the external flash of an RPM...
--More-- File System Management The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information:...
To change the default storage location:
Task | Command Syntax | Command Mode
Change the default directory. | cd directory | EXEC Privilege
In the example below, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash.
FTOS#cd slot0:
FTOS#copy running-config test
FTOS#copy run test...
Management Management is supported on platforms: e c s z This chapter explains the different protocols or services used to manage the Dell Force10 system including: • Configure Privilege Levels • Configure Logging • File Transfer Services • Terminal Lines •...
Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.
Task Command Syntax Command Mode Allow access to INTERFACE, LINE, ROUTE-MAP, privilege configure level level CONFIGURATION and/or ROUTER mode. Specify all keywords in the interface line route-map command. ||...|| router command-keyword command-keyword Allow access to a CONFIGURATION, INTERFACE, privilege configure interface line CONFIGURATION...
Exit from configuration mode
exit Exit from configuration mode
interface Select an interface to configure
line Configure a terminal line
linecard Set line card type
FTOS(conf)#interface ?
fastethernet Fast Ethernet interface
gigabitethernet Gigabit Ethernet interface
loopback Loopback interface
managementethernet Management Ethernet interface
null Null interface
port-channel...
Note: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>. Configure Logging FTOS tracks changes in the system using event and error messages. By default, FTOS logs these messages •...
Disable System Logging By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console, and syslog servers. Enable and disable system logging using the following commands:
Task | Command Syntax | Command Mode
Disable all logging except on the console. | no logging on | CONFIGURATION
Disable logging to the logging buffer.
Change System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present...
To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode:
Command Syntax | Command Mode | Purpose
logging facility [facility-type] | CONFIGURATION | Specify one of the following parameters. • auth (for authorization messages) • cron (for system scheduler messages) •...
Synchronize log messages You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. To synchronize log messages, use these commands in the following sequence starting in the CONFIGURATION mode: Step...
For more information on FTP, refer to RFC 959, File Transfer Protocol. Note: To transmit large files, Dell Force10 recommends configuring the switch as an FTP server. Configuration Task List for File Transfer Services The following list includes the configuration tasks for file transfer services: •...
To configure FTP server parameters, use any or all of the following commands in the CONFIGURATION mode:
Command Syntax | Command Mode | Purpose
ftp-server topdir | CONFIGURATION | Specify the directory for users using FTP to reach the system. The default is the internal flash directory.
ftp-server username | CONFIGURATION | Specify a user name for all FTP users and configure either...
The auxiliary line (aux) connects secondary devices such as modems. Deny and Permit Access to a Terminal Line Dell Force10 recommends applying only standard ACLs to deny and permit access to VTY lines. • Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny any traffic.
• enable—Prompt for the enable password. • line—Prompt for the password you assigned to the terminal line. You must configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the command password from LINE mode.
Time out of EXEC Privilege Mode EXEC timeout is a basic security feature that returns FTOS to the EXEC mode after a period of inactivity on terminal lines. To change the timeout period or disable EXEC timeout: Task Command Syntax Command Mode Set the number of minutes and seconds.
Login:
Login: admin
Password:
FTOS>exit
FTOS#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
FTOS#
Lock CONFIGURATION mode
FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time. Two types of locks can be set: auto and manual.
Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
Task | Command Syntax | Command Mode
Save the running-config. | copy running-config startup-config | EXEC Privilege
Set the system parameters to use the startup configuration file when the system reloads. | setenv stconfigignore false | uBoot
Save the running-config. | copy running-config startup-config | EXEC Privilege
Recovering from a Forgotten Enable Password on the S4810 If you forget the enable password: Step...
Step Task Command Syntax Command Mode Assign the new location to the FTOS uBoot setenv [primary_image f10boot location | image to be used when the system secondary_image f10boot location | reloads. default_image f10boot location Assign an IP address to the uBoot ipaddre address setenv...
802.1ag 802.1ag is available only on platform: Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: 1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM) 2.
There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
Implementation Information • Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level). Configure CFM Configuring CFM is a five-step process: 1. Configure the ecfmacl CAM region using the command.
Enable Ethernet CFM
Task | Command Syntax | Command Mode
Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned. | ethernet cfm | CONFIGURATION
Disable Ethernet CFM without stopping the CFM process. | disable | ETHERNET CFM
Create a Maintenance Domain Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in the illustration in Maintenance...
MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
Task Command Syntax Command Mode FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level Type Port CCM-Status MA Name VLAN ------------------------------------------------------------------------------- cfm0 Gi 4/10 Enabled test0 DOWN 00:01:e8:59:23:45 cfm1 Gi 4/10 Enabled test1 DOWN 00:01:e8:59:23:45 cfm2 Gi 4/10 Enabled test2 DOWN...
• MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM Task Command Syntax Command Mode Display the MEP Database. EXEC Privilege show ethernet cfm maintenance-points remote detail active domain expired...
MEPs and MIPs filter CCMs from higher and lower domain levels as described in Table 5-1, "Continuity Check Message Processing," in 802.1ag. Table 5-1. Continuity Check Message Processing Frames at Frames from UP-MEP Action Down-MEP Action MIP Action Less than my level Bridge-relay side or Wire side Drop Drop...
Enable Cross-checking
Task | Command Syntax | Command Mode
Enable cross-checking. Default: Disabled | mep cross-check enable | ETHERNET CFM
Start the cross-check operation for an MEP. | mep cross-check mep-id | ETHERNET CFM
Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started. | mep cross-check start-delay number | ETHERNET CFM
Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]). The MPs on the path to the target MAC address reply to the LTM with an LTR and relay the LTM towards the target MAC until the target MAC is reached or TTL equals 0.
Enable CFM SNMP Traps.
Task | Command Syntax | Command Mode
Enable SNMP trap messages for Ethernet CFM. | snmp-server enable traps ecfm | CONFIGURATION
A Trap is sent only when one of the five highest priority defects occurs, as shown in Table 5-2, "ECFM SNMP Traps,"...
(typically RADIUS) via a mandatory intermediary network access device, in this case, a Dell Force10 switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default. The Port-authentication Process...
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request Frame. 2. The supplicant responds with its identity in an EAP Response Identity frame. 3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
(Supplicant Requested Credentials) 3: Access-Reject 11: Access-Challenge RADIUS Attributes for 802.1 Support Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: • Attribute 31—Calling-station-id: relays the supplicant MAC address to the authentication server. • Attribute 41—NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Important Points to Remember • FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
no ip address
dot1x authentication
no shutdown
FTOS#
View 802.1X configuration information for an interface using the command show dot1x interface, as shown in the example below.
FTOS#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO...
To configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame:
Task | Command Syntax | Command Mode
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. | dot1x tx-period number Range: 1 - 65535 (1 year) | INTERFACE...
To configure a maximum number of re-authentications:
Task | Command Syntax | Command Mode
Configure the maximum number of times that the supplicant can be reauthenticated. | dot1x reauth-max number Range: 1-10 Default: 2 | INTERFACE
FTOS(conf-if-Te-0/0)#dot1x reauthentication interval 7200
FTOS(conf-if-Te-0/0)#dot1x reauth-max 10
FTOS(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------...
To terminate the authentication process due to an unresponsive authentication server:
Task | Command Syntax | Command Mode
Terminate the authentication process due to an unresponsive authentication server. | dot1x server-timeout seconds Range: 1-300 Default: 30 | INTERFACE
The example below shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds....
RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1) the host sends a dot1x packet to the Dell Force10 system, 2) the system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number, and 3) the RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
Guest and Authentication-fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
Configuring an Authentication-fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Access Control Lists (ACLs) This chapter describes the Access Control Lists (ACLs), prefix lists, and route-maps. Access Control Lists (ACLs) are supported on platforms: e c s z Ingress IP and MAC ACLs are supported on platforms: e c s z Egress IP and MAC ACLs are supported on platforms: e s z Overview...
IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference): •...
CAM Profiling CAM optimization is supported on platforms The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity.
• L3 ACL (ipv4acl): 6 • L2 ACL (l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 The ipv6acl allocation must be entered as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Implementing ACLs on FTOS One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM. IP fragments ACL examples The following configuration permits all packets (both fragmented &...
FTOS(conf-ext-nacl) Note the following when configuring ACLs with the fragments keyword. When an ACL filters packets it looks at the Fragment Offset (FO) to determine whether or not it is a fragment. • FO = 0 means it is either the first fragment or the packet is a non-fragment. •...
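The Fragment Offset test described above, as an added example (not code from the FTOS guide). The helper names and the constructed headers are assumptions; treating only FO > 0 as a match for a fragments rule follows from the FO = 0 statement above.

```python
import socket
import struct

MF_FLAG = 0x2000      # "More Fragments" bit in the flags/offset field
FO_MASK = 0x1FFF      # 13-bit Fragment Offset, counted in 8-byte units


def build_ipv4_header(src, dst, proto, offset_bytes=0, more_fragments=False):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def classify_fragment(header):
    """Classify a packet from its IPv4 header the way the FO test does."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more = bool(flags_frag & MF_FLAG)
    fo = flags_frag & FO_MASK
    if fo == 0 and not more:
        kind = "non-fragment"
    elif fo == 0:
        kind = "first-fragment"
    else:
        kind = "non-initial-fragment"
    return {
        "kind": kind,
        "offset_bytes": fo * 8,
        # Only a packet with FO = 0 starts at the beginning of the payload,
        # so only it can carry the TCP/UDP ports a Layer 4 rule inspects.
        "has_l4_header": fo == 0,
    }


def matched_by_fragments_rule(header):
    """Assumption: a rule with the fragments keyword matches FO > 0 only."""
    return classify_fragment(header)["kind"] == "non-initial-fragment"


# Constructed sample packets (documentation addresses, protocol 6 = TCP).
SAMPLES = {
    "whole": build_ipv4_header("192.0.2.1", "198.51.100.7", 6),
    "first": build_ipv4_header("192.0.2.1", "198.51.100.7", 6, 0, True),
    "middle": build_ipv4_header("192.0.2.1", "198.51.100.7", 6, 1480, True),
    "last": build_ipv4_header("192.0.2.1", "198.51.100.7", 6, 2960, False),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify_fragment(hdr), matched_by_fragments_rule(hdr))
```

The first fragment and an unfragmented packet are indistinguishable by FO alone, which is why port-based rules still apply to both while later fragments can only be matched on Layer 3 fields.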
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number. When you use the log keyword, the CP processor logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’...
To configure a filter without a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:
Command Syntax | Command Mode | Purpose
ip access-list standard | CONFIGURATION | Create a standard IP ACL and assign it a unique name....
Configure an extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Since traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:
Command Syntax | Command Mode | Purpose
ip access-list extended | CONFIGURATION | Create an extended IP ACL and assign it a unique name....
The following example illustrates how the command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the command show config displays the filters in the correct order.
FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
FTOS(config-ext-nacl)#show confi
ip access-list extended dilling...
FTOS(config-ext-nacl)#show config
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
FTOS(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip accounting access-list command in the EXEC Privilege mode as shown in the first example in Configure...
Table 7-2. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior | L3 ACL Behavior | Decision on Targeted Traffic
Permit | Deny | Denied by L3 ACL
Permit | Permit | Permitted by L3 ACL
Note: If an interface is configured as a vlan-stack access port, the packets are filtered by an L2 ACL only. The L3 ACL applied to such a port does not affect traffic.
Command Syntax | Command Mode | Purpose
ip access-group access-list-name { in | out } [ implicit-permit ] [ vlan vlan-range | INTERFACE | Apply an IP ACL to traffic entering or exiting an interface. • out: configure the ACL to filter outgoing traffic....
Configuring Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in the EXEC Privilege mode as shown...
To create an egress ACL, use the ip access-group command in the EXEC Privilege mode as shown in the example below. This example also shows viewing the configuration, applying rules to the newly created access group, and viewing the access list:
FTOS(conf)#interface gige 0/0
FTOS(conf-if-gige0/0)#ip access-group abcd
FTOS(conf-if-gige0/0)#show config...
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address. Configuring ACLs to Loopback ACLs can be supplied on Loopback interfaces supported on platform...
To apply ACLs on loopback, use the ip access-group command in the INTERFACE mode as shown in the example below. This example also shows the interface configuration status, adding rules to the access group, and displaying the list of rules in the ACL:
FTOS(conf)#interface loopback 0
FTOS(conf-if-lo-0)#ip access-group abcd
FTOS(conf-if-lo-0)#show config...
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8 • To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12 • To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24 •...
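How the ge and le bounds in the rules above select routes, as an added example (not code from the FTOS guide). The rule lines and routes are constructed; first match by sequence number, exact-length matching when neither bound is given, and an implicit deny when nothing matches are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None         # minimum prefix length, inclusive
    le: Optional[int] = None         # maximum prefix length, inclusive

    def length_range(self) -> Tuple[int, int]:
        base = self.prefix.prefixlen
        if self.ge is None and self.le is None:
            return base, base        # assumption: no bounds means exact length
        low = self.ge if self.ge is not None else base
        high = self.le if self.le is not None else 32
        return low, high

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        low, high = self.length_range()
        return route.subnet_of(self.prefix) and low <= route.prefixlen <= high


def parse_rule(line: str) -> PrefixRule:
    """Parse 'seq N {permit|deny} A.B.C.D/len [ge N] [le N]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    rest = tokens[4:]
    if len(rest) % 2:
        raise ValueError(f"dangling option in: {line!r}")
    bounds = {}
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in ("ge", "le") or key in bounds:
            raise ValueError(f"bad option {key!r} in: {line!r}")
        length = int(value)
        if not 0 <= length <= 32:
            raise ValueError(f"prefix length out of range in: {line!r}")
        bounds[key] = length
    rule = PrefixRule(int(tokens[1]), tokens[2],
                      ipaddress.IPv4Network(tokens[3]),
                      bounds.get("ge"), bounds.get("le"))
    low, high = rule.length_range()
    if low > high:
        raise ValueError(f"empty length range in: {line!r}")
    return rule


def evaluate(rules: List[PrefixRule], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); seq is None for the implicit deny."""
    net = ipaddress.IPv4Network(route)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(net):
            return rule.action, rule.seq
    return "deny", None              # assumption: unmatched routes are dropped


# Constructed prefix list mirroring the bullet patterns above.
SAMPLE_RULES = [parse_rule(text) for text in (
    "seq 15 permit 172.16.0.0/12 le 24",
    "seq 5 deny 0.0.0.0/0 ge 8 le 8",
    "seq 10 permit 10.0.0.0/8 ge 8 le 12",
)]

if __name__ == "__main__":
    for candidate in ("10.0.0.0/8", "10.16.0.0/12", "10.1.0.0/16",
                      "172.16.5.0/24", "172.16.5.128/25"):
        print(candidate, evaluate(SAMPLE_RULES, candidate))
```

Both bounds are inclusive: the /24 route is accepted by `le 24`, and the /8 route never reaches sequence 10 because sequence 5 matches it first.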
Command Syntax | Command Mode | Purpose
seq sequence-number { deny | permit } ip-prefix [ ge min-prefix-length ] [ le max-prefix-length | CONFIG-NPREFIXL | Create a prefix list with a sequence number and a deny or permit action. The optional parameters are: • min-prefix-length: is the minimum prefix length to be matched (0 to 32)....
Command Syntax | Command Mode | Purpose
{ deny | permit } ip-prefix [ ge min-prefix-length ] [ le max-prefix-length | CONFIG-NPREFIXL | Create a prefix list filter with a deny or permit action. The optional parameters are: • min-prefix-length: is the minimum prefix length to be matched (0 to 32)....
FTOS>
FTOS>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
FTOS>
Use a prefix list for route redistribution
To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution command....
Command Syntax Command Mode Purpose distribute-list CONFIG-ROUTER-OSPF Apply a configured prefix list to incoming prefix-list-name routes. You can specify an interface. interface If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF Apply a configured prefix list to incoming distribute-list prefix-list-name [ connected | rip | static ]...
Table 7-3. ACL Resequencing Example (Insert New Rules)
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Table 7-4. ACL Resequencing Example (Resequenced)
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs....
ip access-list extended test remark remark this remark corresponds to permit any host 1.1.1.1 permit ip any host 1.1.1.1 remark this remark has no corresponding rule remark this remark corresponds to permit ip any host 1.1.1.2 permit ip any host 1.1.1.2 permit ip any host 1.1.1.3 permit ip any host 1.1.1.4 Remarks and rules that originally have the same sequence number have the same sequence number after...
Route Maps
Route-maps are supported on platforms: c e s z
Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic.
Create a route map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values.
FTOS#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
level stub-area
FTOS#
The following text shows an example of a route map with multiple instances. The command show config displays only the configuration of the current route map instance. To view all instances of a specific route map, use the command.
Page 133
FTOS(config-route-map)#match metric 2000
In the above route-map, a route is matched only if it has both of the characteristics mentioned in the route-map: the route must have a tag value of 1000 and a metric value of 2000. Only then is there a match.
Page 134
Command Syntax Command Mode Purpose CONFIG-ROUTE-MAP Match routes whose next hop is a specific match interface interface interface. The parameters are: • For a Fast Ethernet interface, enter the keyword FastEthernet followed by the slot/ port information. • For a 1-Gigabit Ethernet interface, enter the keyword gigabitEthernet followed by the slot/port information.
Command Syntax Command Mode Purpose match tag CONFIG-ROUTE-MAP Match routes with a specific tag. tag-value To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode: Command Syntax Command Mode Purpose [... CONFIG-ROUTE-MAP Add an AS-PATH number to the beginning of set as-path prepend as-number the AS-PATH...
Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes. In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of Gigabitethernet interface 0/0 and that have a metric of 255 will be redistributed into the OSPF backbone area.
Page 137
Note: If the continue clause is configured without specifying a module, the next sequential module is processed.
route-map test permit 10
match commu comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30
!
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be encapsulated in any form that is convenient, and, on Dell Force10 routers, sessions are maintained by BFD Agents that reside on the line card, which frees resources on the RPM. Only session state changes are reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered with it.
How BFD Works Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
Page 141
Figure 8-1. BFD in IPv4 Packet Format
Table 8-1. BFD Packet Fields
Field | Description
Diagnostic Code | The reason that the last session failed.
State | The current local session state. See sessions.
Flag | A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval.
Page 143
• Active—The active system initiates the BFD session. Both systems can be active for the same session.
• Passive—The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
A BFD session has two modes:
•...
Page 144
4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• FTOS supports a maximum of 100 sessions per BFD agent on C-Series and E-Series. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard (plus, on the E-Series, 100 BFD sessions on RP2, which handles LAG and VLANs).
Page 146
2. Establish a session with a next-hop neighbor. Related configuration tasks • Viewing physical port session parameters. • Disabling and re-enabling BFD. Enabling BFD globally BFD must be enabled globally on both routers, as shown in the illustration in Establishing a session on physical ports.
R2: ACTIVE Role R1: ACTIVE Role 4/24
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 4/24
FTOS(conf-if-gi-2/1)# ip address 2.2.2.1/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.2
To establish a session: Step Task Command Syntax...
Page 148
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0) Viewing physical port session parameters BFD sessions are configured with default intervals and a default role (active). Dell Force10 recommends maintaining the default values. View session parameters using the command.
Delete session on Down: False Client Registered: CLI Uptime: 00:09:06 Statistics: Number of packets received from neighbor: 4092 Number of packets sent to neighbor: 4093 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 7 Disabling and re-enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Configuring BFD for static routes is a three-step process:
1. Enabling BFD globally.
2. On the local system, establish a session with the next hop of a static route. Refer to Configuring BFD for Static Routes.
3. On the remote system, establish a session with the physical port that is the origin of the static route. Refer to Establishing a session on physical ports.
- ISIS - OSPF - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
2.2.2.1 2.2.2.2 Gi 4/24
View detailed session information using the command show bfd neighbors detail, as shown in the example Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.
Configuring BFD for OSPF is a two-step process: Enabling BFD globally. Establishing sessions with OSPF neighbors. Related configuration tasks • Changing OSPF session parameters. • Disabling BFD for OSPF. Establishing sessions with OSPF neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface.
Page 153
To establish BFD for all OSPF neighbors on a single interface:
Task: Establish sessions with all OSPF neighbors on a single interface.
Command Syntax: ip ospf bfd all-neighbors
Command Mode: INTERFACE
View the established sessions using the command show bfd neighbors, as shown in the example below.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors...
Disabling BFD for OSPF If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3).
Page 156
Changing IS-IS session parameters BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface; if you change a parameter globally, the change affects all IS-IS neighbors sessions.
To disable BFD sessions with all IS-IS neighbors out of an interface:
Task: Disable BFD sessions with all IS-IS neighbors out of an interface.
Command Syntax: isis bfd all-neighbors disable
Command Mode: INTERFACE
Configuring BFD for BGP
BFD for BGP is only supported on platforms:
In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
Page 159
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure.
Page 160
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the command or configured for the peer group to which the neighbor belongs.
Page 161
Verifying a BFD for BGP Configuration
R2# show running-config bgp
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
Verifying BFD sessions with BGP neighbors using show bfd neighbors
R2# show bfd neighbors
- Active session role Ad Dn...
Page 162
Delete session on Down: True Client Registered: BGP Uptime: 00:07:55 Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11...
Page 163
Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/2 Protocol BGP Messages: Registration De-registration Init Down Admin Down Displaying BFD for BGP status R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor...
Page 164
Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Neighbor is using BGP global mode BFD configuration For address family: IPv4 Unicast BGP table version 0, neighbor version 0 Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0 Prefixes advertised 0, denied 0, withdrawn 0 from peer Connections established 1;...
Configuring BFD for VRRP BFD for VRRP is only supported on platforms: When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
Page 167
- CLI - ISIS - OSPF - Static Route (RTM) - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.2 Gi 4/25 Down 1000 1000
Session state information is also shown in the show vrrp command output, as shown in the following example.
Configuring BFD for VLANs is supported on platforms BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Related configuration tasks • Establishing sessions with OSPF neighbors. Establishing sessions with VLAN neighbors To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the illustration below. The session parameters do not need to match. VLAN 200 4/25 FTOS(config-if-gi-4/25)# switchport...
Page 170
Configuring BFD for port-channels is a two-step process: Enabling BFD globally. Establishing sessions on port-channels. Related configuration tasks • Disabling BFD for port-channels. Establishing sessions on port-channels To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the example below.
Configuring Protocol Liveness Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message To enable Protocol Liveness: Step...
Page 172
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24 The output for the command is the same as the log messages that appear on the console by debug bfd event default.
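The 24 bytes in the debug output above decode as the mandatory section of a BFD control packet. As an added example (not part of the original guide and not FTOS code), the Python below parses them with the RFC 5880 field layout, applies that RFC's reception checks for rejecting malformed or unsolicited packets, and computes the detection time; the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass

# The 24 bytes printed in the debug output on this page.
PAGE_DUMP = bytes.fromhex(
    "20 c0 03 18 00 00 00 05 00 00 00 04 "
    "00 01 86 a0 00 01 86 a0 00 00 00 00"
)

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
MANDATORY_LEN = 24   # RFC 5880 mandatory section, without authentication


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: str
    poll: bool
    final: bool
    auth_present: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode the mandatory section, then apply RFC 5880 reception checks."""
    if len(payload) < MANDATORY_LEN:
        raise ValueError("payload shorter than the 24-byte mandatory section")
    (vers_diag, flags, mult, length,
     my_disc, your_disc, tx, rx, echo) = struct.unpack(
        "!BBBBIIIII", payload[:MANDATORY_LEN])
    pkt = BfdControl(
        version=vers_diag >> 5,          # top 3 bits
        diag=vers_diag & 0x1F,           # low 5 bits: diagnostic code
        state=STATE_NAMES[flags >> 6],   # top 2 bits: session state
        poll=bool(flags & 0x20),
        final=bool(flags & 0x10),
        # 0x08 is the Control Plane Independent bit; not needed here.
        auth_present=bool(flags & 0x04),
        demand=bool(flags & 0x02),
        multipoint=bool(flags & 0x01),
        detect_mult=mult,
        length=length,
        my_disc=my_disc,
        your_disc=your_disc,
        desired_min_tx_us=tx,
        required_min_rx_us=rx,
        required_min_echo_rx_us=echo,
    )
    min_len = 26 if pkt.auth_present else MANDATORY_LEN
    if pkt.version != 1:
        raise ValueError("unsupported BFD version")
    if pkt.length < min_len or pkt.length > len(payload):
        raise ValueError("length field inconsistent with payload")
    if pkt.detect_mult == 0:
        raise ValueError("detect multiplier is zero")
    if pkt.multipoint:
        raise ValueError("multipoint bit must be zero")
    if pkt.my_disc == 0:
        raise ValueError("my discriminator is zero")
    if pkt.your_disc == 0 and pkt.state not in ("Down", "AdminDown"):
        raise ValueError("your discriminator is zero outside Down/AdminDown")
    return pkt


def is_acceptable(payload: bytes) -> bool:
    """True when the payload passes every check in parse_bfd_control."""
    try:
        parse_bfd_control(payload)
        return True
    except ValueError:
        return False


def detection_time_us(pkt: BfdControl, local_required_min_rx_us: int) -> int:
    """Asynchronous-mode detection time as seen by the receiver of pkt:
    the sender's multiplier times the agreed transmit interval."""
    agreed = max(local_required_min_rx_us, pkt.desired_min_tx_us)
    return pkt.detect_mult * agreed


if __name__ == "__main__":
    decoded = parse_bfd_control(PAGE_DUMP)
    print(decoded)
    print("detection time (us):", detection_time_us(decoded, 100_000))
```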
Border Gateway Protocol
Platforms support BGP according to the following table:
FTOS version | Platform support
IPv4: 8.3.11.2, IPv6: 9.0.0.0 | Z9000
8.3.7.0 | S4810
8.1.1.0 | E-Series ExaScale
7.8.1.0 | S-Series
7.7.1.0 | C-Series
pre-7.7.1.0 | E-Series TeraScale
This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
• Multiprotocol BGP • Implementing BGP with FTOS • Additional Path (Add-Path) support • Advertise IGP cost as MED for redistributed routes • Ignore Router-ID for some best-path calculations • 4-Byte AS Numbers • AS4 Number Representation • AS Number Migration •...
Page 175
A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to remain connected to the Internet in the event of a complete failure of one of its connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this is seen in Figure 9-1.
Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh”. This is a topology that has every router directly connected to every other router. Each BGP router within an AS must have iBGP sessions with all other BGP routers in the AS.
Establishing a session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established.
Route Reflectors
Route Reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. Note: Route Reflectors (RRs) should not be used in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding plane RRs could create routing loops. Route reflection divides iBGP peers into two groups: client peers and nonclient peers.
Confederations Communities BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time. BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
Page 180
Note: In 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error will result if the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command are configured at the same time.
Page 181
Best Path selection details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command.
• Routes originated with the commands are preferred over routes originated network...
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path). For paths containing a Route Reflector (RR) attribute, the originator ID is substituted for the router ID. 12.
Figure 9-5. LOCAL_PREF Example (diagram labels: Set Local Preference to 100; Set Local Preference to 200; T1 Link; OC3 Link; Routers A through F; AS 100, AS 200, AS 300)
Multi-Exit Discriminators (MEDs)
If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to assign a preference to a preferred path.
Figure 9-6. MED Route Example (diagram labels: Set MED to 100; Set MED to 50; T1 Link; OC3 Link; Routers A through E; AS 100, AS 200)
Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes.
Page 185
Figure 9-7. Origin attribute reported FTOS#show ip bgp BGP table version is 0, local router ID is 10.101.15.13 Status codes: s suppressed, d damped, h history, * valid, > best Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop...
Next Hop The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS.
Advertise IGP cost as MED for redistributed routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value.
4-Byte AS Numbers FTOS Version 7.7.1 and later support 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet.
Page 189
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>. Some examples are shown in Table 9-2. • All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as well as when displayed in the show command outputs.
Page 190
Figure 9-9. Dynamic changes of the bgp asnotation command in the show running config ASDOT FTOS(conf-router_bgp)#bgp asnotation asdot FTOS(conf-router_bgp)#show conf router bgp 100 bgp asnotation asdot bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057 <output truncated> FTOS(conf-router_bgp)#do show ip bgp BGP table version is 24901, local router ID is 172.30.1.57 <output truncated>...
Figure 9-10. Dynamic changes when bgp asnotation command is disabled in the show running config AS NOTATION DISABLED FTOS(conf-router_bgp)#no bgp asnotation FTOS(conf-router_bgp)#sho conf router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057 <output truncated> FTOS(conf-router_bgp)#do sho ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS4 SUPPORT DISABLED FTOS(conf-router_bgp)#no bgp four-octet-as-support...
Figure 9-11. Local-AS Scenario (two diagram panels: Before Migration; After Migration, with Local-AS enabled; Routers A, B and C; AS 100, AS 200, AS 300)
When you complete your migration, and you have reconfigured your network with the new information you must disable this feature.
SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation. Important Points to Remember •...
To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Force10 recommends setting the timeout and retry count values to a relatively higher number. e.g. t = 60 or r = 5.
BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the command is not enabled).
Configuration Task List for BGP The following list includes the configuration tasks for BGP: • Enable BGP • Configure AS4 Number Representations • Configure Peer Groups • BGP fast fall-over • Configure passive peering • Maintain existing AS numbers during an AS migration •...
Page 197
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router.
Page 198
Step Command Syntax Command Mode Purpose You must Configure Peer Groups before assigning it a remote AS. neighbor {ip-address | CONFIG-ROUTER-BGP Enable the BGP neighbor. peer-group-name} no shutdown Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode.
Page 199
Figure 9-13. Command example: show ip bgp summary (4-Byte AS Number displayed) R2#show ip bgp summary 4-Byte AS Number BGP router identifier 192.168.10.2, local AS number 48735.59224 BGP table version is 1, main routing table version 1 1 network entrie(s) using 132 bytes of memory 1 paths using 72 bytes of memory BGP-RIB over all using 73 bytes of memory 1 BGP path attribute entrie(s) using 72 bytes of memory...
Page 200
Figure 9-14. Command example: show ip bgp neighbors FTOS#show ip bgp neighbors External BGP neighbor BGP neighbor is 10.114.8.60, remote AS 18508, external link BGP version 4, remote router ID 10.20.20.20 BGP state ESTABLISHED, in this state for 00:01:58 Last read 00:00:14, hold time is 90, keepalive interval is 30 seconds Received 18552 messages, 0 notifications, 0 in queue Sent 11568 messages, 0 notifications, 0 in queue Received 18549 updates, Sent 11562 updates...
Page 202
Only one form of AS Number Representation is supported at a time. You cannot combine the types of representations within an AS. Task Command Syntax Command Mode Enable ASPLAIN AS Number CONFIG-ROUTER-BGP bgp asnotation asplain representation. Figure 9-16 Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display.
Page 206
Figure 9-21. Command example: show ip bgp peer-group FTOS>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1...
Page 207
BGP fast fall-over
By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails.
Page 208
Figure 9-22. Command example: show ip bgp neighbors FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.5 BGP state ESTABLISHED, in this state for 00:19:15 Last read 00:00:15, last write 00:00:06 Hold time is 180, keepalive interval is 60 seconds Received 52 messages, 0 notifications, 0 in queue...
Page 209
Figure 9-23. Command example: show ip bgp peer-group FTOS#sh ip bgp peer-group Peer-group test Fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS#...
Page 210
Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode to configure passive peering.
Command Syntax: neighbor peer-group-name peer-group passive limit
Command Mode: CONFIG-ROUTER-BGP
Purpose: Configure a peer group that does not initiate TCP connections with other peers. Enter the limit keyword to restrict the number of sessions accepted.
Page 211
Disable this feature, using the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.
Figure 9-24. Local-as information shown
R2(conf-router_bgp)#show conf
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123...
Page 213
• Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary RPM is coming online. • Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic.
Page 214
Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [ stale-path-time time-in-seconds]
Command Mode: CONFIG-ROUTER-BGP
Purpose: Set maximum time to retain the restarting neighbor’s or peer-group’s stale paths. Default is 360 seconds.
Filter on an AS-Path attribute
The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path.
Page 215
Use these commands in the following sequence, starting in the CONFIGURATION mode to configure an AS-PATH ACL to filter a specific AS_PATH value.
Command Syntax: ip as-path access-list
Command Mode: CONFIGURATION
Purpose: Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.
Page 216
Figure 9-27. Filtering with Regular Expression FTOS(config)#router bgp 99 FTOS(conf-router_bgp)#neigh AAA peer-group FTOS(conf-router_bgp)#neigh AAA no shut FTOS(conf-router_bgp)#show conf router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown FTOS(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in FTOS(conf-router_bgp)#ex Create the Access List and Filter FTOS(conf)#ip as-path access-list Eagle...
Table 9-4. Regular Expressions
Regular Expression | Definition
+ (plus) | Matches 1 or more sequences of the immediately previous character or pattern.
? (question) | Matches 0 or 1 sequence of the immediately previous character or pattern.
( ) (parenthesis) | Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ?
[ ] (brackets) | Matches any enclosed character;...
Page 218
Command Syntax Command Mode Purpose ROUTER BGP or Include specific OSPF routes in IS-IS. Configure redistribute ospf process-id [ match external { 1 | 2 } | match CONF-ROUTER_BGPv6_AF the following parameters: internal ] [ metric-type { external | • process-id range: 1 to 65535 internal }] [ route-map •...
Page 219
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised. • All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
Page 220
Step Command Syntax Command Mode Purpose { permit | deny } {{ rt | soo } CONFIG-COMMUNITY- Two types of extended communities are {ASN:NN | IPADDR:N} | LIST supported. Filter routes based on the type of regex REGEX-LINE} extended communities they carry using one of the following keywords: •...
Page 221
To use an IP Community list or Extended Community List to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. Use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode...
Page 222
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
Page 223
Figure 9-29. Command example: show ip bgp community (Partial) FTOS>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric...
Page 224
Change MED attribute
By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used. Command Syntax Command Mode Purpose...
Page 225
Step Command Syntax Command Mode Purpose set local-preference value CONFIG-ROUTE-MAP Change LOCAL_PREF value for routes meeting the criteria of this route map. exit CONFIG-ROUTE-MAP Return to the CONFIGURATION mode. router bgp as-number CONFIGURATION Enter the ROUTER BGP mode. neighbor {ip-address | CONFIG-ROUTER-BGP Apply the route map to the neighbor or peer peer-group-name} route-map...
Page 226
Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config command in EXEC Privilege mode to view BGP configuration. You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address: Command Syntax Command Mode...
Page 227
• AS-PATH ACLs (using the neighbor filter-list command)
• route maps (using the neighbor route-map command)
Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used. Refer to Chapter 6, “Access Control Lists (ACLs),” on page 89 for configuration information on prefix lists, AS-PATH ACLs, and route maps.
Page 228
To view the BGP configuration, use the show config command in the ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes using a route map.
Page 229
Command Syntax: neighbor {ip-address | peer-group-name} filter-list as-path-name { in | out }
Command Mode: CONFIG-ROUTER-BGP
Purpose: Filter routes based on the criteria in the configured route map. Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
Page 230
When you enable a route reflector, FTOS automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode. All clients should be fully meshed before you disable route reflection.
Page 231
Configure BGP confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving a large number of IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
Page 232
When dampening is applied to a route, its path is described by one of the following terms:
• history entry—an entry that stores information on a downed route
• dampened path—a path that is no longer advertised
• penalized path—a path that is assigned a penalty
The CLI example below shows configuring values to start reusing or restarting a route, as well as their default values.
Page 233
To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or show running-config bgp in EXEC Privilege mode. To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode: Command Syntax Command Mode Purpose set dampening half-life reuse...
Page 234
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to active state. Command Syntax Command Mode Purpose clear ip bgp dampening...
Page 235
Change BGP timers
Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers.
Command Syntax: neighbors {ip-address | peer-group-name} timers
Command Mode: CONFIG-ROUTER-BGP
Purpose: Configure timer values for a BGP neighbor or peer group. •...
Page 236
Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration.
Command Syntax: clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name } [soft...
Command Mode: EXEC Privilege
Purpose: Clear all information or only specific details. *: Clear all peers
Page 237
Route map continue
The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the continue sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs.
MBGP Configuration MBGP for IPv6 unicast is supported on platforms MBGP for IPv4 Multicast is supported on platform MBGP is not supported on the E-Series ExaScale x platform. Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing.
BGP Regular Expression Optimization
BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time and thus affect BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can take a lot of CPU cycles, especially when the database is large. FTOS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in the RP1 processor.
Use no debug ip bgp to disable all BGP debugging. Use undebug all to disable all debugging.
Storing Last and Bad PDUs
FTOS stores the last notification sent/received, and the last bad PDU received, on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command , as shown in Figure...
Capturing PDUs
Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
• New PDUs are captured and there is no more space to store them.
• The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.)
With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs, as shown in Figure 9-36.
Page 243
Figure 9-37 is a graphic illustration of the configurations shown on the following pages. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.
Figure 9-37. Sample Configuration Illustration (labels: Physical Links, AS 99, Virtual Links...)
Page 248
Figure 9-42. Enable Peer Groups - Router 1 continued
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
Page 249
Figure 9-43. Enable Peer Groups - Router 2
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf...
Page 251
Figure 9-45. Enable Peer Groups - Router 3 continued
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer...
Bare Metal Provisioning 3.0 (BMP 3.0)
Bare Metal Provisioning 3.0 (BMP 3.0) is included as part of the FTOS image. It is supported on platforms
Overview
Bare Metal Provisioning (BMP) is a feature that improves the operational efficiency of the system by automatically loading pre-defined configurations and FTOS images using standard protocols such as DHCP and common file transfer mechanisms.
• Configuration Tasks
• Script Examples
Prerequisites
Before you use BMP 3.0 to auto-configure a supported Dell Force10 switch, you must first configure:
• An external Dynamic Host Configuration Protocol (DHCP) server (required) - a network device offering configuration parameters
•...
1. Current (new) FTOS build image.
2. Configuration file or pre-configuration script (ZSH, TCL, or Expect script).
3. A list of checksums for all these components.
Note: The configuration file is to maintain normal BMP functionality when a pre-configuration script is not sent.
Page 256
• User port stacking
Note: BMP will eventually exit when the timeout occurs.
DHCP Retry Mechanism
BMP requests a different DHCP offer in the following scenarios:
• If the reload-type config-scr-download enable command is enabled, the DHCP offer specifies both the boot image and the configuration file.
# FTP URL with IP address
option configfile "ftp://admin:admin@30.0.0.1/pt-s4810-12";
# HTTP URL with DNS
option configfile "http://Guest-1/pt-s4810-12";
# TFTP
option configfile "pt-s4810-12";
##### bootfile-name could be given in the following way
# FTP URL with DNS
option bootfile-name "ftp://admin:admin@Guest-1/FTOS-SE-8.3.10.1.bin";
# HTTP URL with IP address
option bootfile-name "http://30.0.0.1/FTOS-SE-8.3.10.1.bin";...
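The option lines above place the file-server URL, and in the FTP form the account and password, inside the DHCP offer itself. The following audit is an added example, not part of the Dell guide: it scans dhcpd.conf text for the configfile and bootfile-name options and reports credentials carried in the offer, cleartext transports, and typographic quotes left by copy and paste. The sample text and the finding names are constructed for illustration.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Constructed sample modelled on the option lines shown above. Line 4 is
# commented out; line 5 keeps typographic quotes as copy/paste damage.
SAMPLE_DHCPD_CONF = (
    'option configfile "ftp://admin:admin@30.0.0.1/pt-s4810-12";\n'
    'option configfile "http://Guest-1/pt-s4810-12";\n'
    'option configfile "pt-s4810-12";\n'
    '# option bootfile-name "ftp://old:old@30.0.0.1/unused.bin";\n'
    'option bootfile-name \u201cftp://admin:admin@Guest-1/FTOS-SE-8.3.10.1.bin\u201d;\n'
)

# Transports that give the switch no confidentiality or integrity for the download.
CLEARTEXT_SCHEMES = {"ftp", "http", "tftp"}


class Finding(NamedTuple):
    line: int      # 1-based line number in the configuration text
    option: str    # configfile or bootfile-name
    issue: str     # short finding name (names are this example's own)


# Matches only value assignments; an option *definition* line
# ("option configfile code ... = text;") has no quoted value and is skipped.
_OPTION = re.compile(
    r'^\s*option\s+(configfile|bootfile-name)\s+'
    r'(["\u201c\u201d])(.*?)(["\u201c\u201d])\s*;'
)


def audit_bmp_options(conf_text: str) -> List[Finding]:
    """Return findings for BMP-related DHCP options in dhcpd.conf text."""
    findings: List[Finding] = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):      # whole-line comment
            continue
        match = _OPTION.match(raw)
        if match is None:
            continue
        option, open_quote, value, close_quote = match.groups()
        if open_quote != '"' or close_quote != '"':
            findings.append(Finding(number, option, "typographic-quotes"))
        value = value.strip()
        if "://" not in value:
            # The page labels a bare file name as the TFTP form.
            findings.append(Finding(number, option, "cleartext-transport:tftp"))
            continue
        url = urlsplit(value)
        scheme = url.scheme.lower()
        if scheme in CLEARTEXT_SCHEMES:
            findings.append(Finding(number, option, "cleartext-transport:" + scheme))
        if url.username:
            # Every client that receives the offer can read this account.
            findings.append(Finding(number, option, "credentials-in-dhcp-option"))
            if url.password == url.username:
                findings.append(Finding(number, option, "password-equals-username"))
    return findings


if __name__ == "__main__":
    for finding in audit_bmp_options(SAMPLE_DHCPD_CONF):
        print(f"line {finding.line}: {finding.option}: {finding.issue}")
```

Credentials carried in a DHCP option are visible to any client that receives the offer, so the account behind them should be read-only and used for provisioning only.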
BMP mode is the default boot mode configured for a new system arriving from Dell Force10. This mode obtains the FTOS image and configuration file from a network source (DHCP and file servers). Use Normal mode to boot the switch up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned.
Normal Mode When reloaded in Normal mode, the switch boots up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned. If the management IP address is not present in the start-up configuration file, no IP address will be assigned to the management interface.
Post-configuration Scripts In BMP 3.0, after the pre-configuration script has completed and the configuration is loaded, you can run a post-configuration script if one is present in the configuration file. Use the post-configuration script to check the status of configured ports or protocols which can then be sent as a status report to a central repository for your network administrators.
Configuration Tasks
When the system boots up in BMP mode all ports, including management ports, are placed in L3 mode in no shut state. The system acts as a DHCP client on these ports for a period of time (dhcp-timeout). This allows the system time to send out a DHCP DISCOVER on all the interface up ports to the DHCP Server...
System boot and set-up behavior in BMP Mode
1. System begins boot up process in BMP mode (default mode).
2. The system sends DHCP Discover on all the interface up ports.
00:01:31: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
00:01:31: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/0.
• If there is a mismatch between the build images, the system upgrades to the downloaded version and reloads.
00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Major Version
00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Minor Version
00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Main Version
00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO: Downloaded Image Patch Version
00:03:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE_HEADER_INFO:...
Page 264
Reload without a DHCP Server Offer
If a switch is configured to reload in BMP mode and the DHCP server cannot be reached, the system keeps sending DISCOVER messages.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/50.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/51.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
Page 265
2. The system receives a DHCP offer from a DHCP server with the following parameters:
13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
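Because a switch in BMP mode acts on whichever DHCP offer it receives, the BOOT_OFFER messages above are the record of which server answered and where the image came from. The following check is an added example, not part of the Dell guide: it parses BOOT_OFFER lines and reports offers from DHCP servers or image hosts outside an expected set. The first three sample lines repeat the page's log, the last three are constructed, and the allowlists and alert names are assumptions of this example.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import urlsplit

# Lines 1-3 repeat the log shown above; lines 4-6 are constructed for the example.
SAMPLE_LOG = """\
13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
14:02:10: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 192.0.2.50 mask 255.255.255.0 server IP 192.0.2.66.
14:02:11: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://192.0.2.66/mxl.bin.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
"""


class Alert(NamedTuple):
    time: str    # device uptime stamp copied from the log line
    kind: str    # alert name (names are this example's own)
    value: str   # the server or host that triggered the alert


# search() rather than match(): a CLI prompt such as "FTOS#" can precede the stamp.
_OFFER = re.compile(
    r"(\d\d:\d\d:\d\d): %\S+ %JUMPSTART-5-BOOT_OFFER: DHCP (.*?)\.?\s*$"
)
_SERVER = re.compile(r"\bserver IP (\S+)")
_IMAGE = re.compile(r"\bimage file (\S+)")


def _normalise(host: str) -> str:
    """Canonical form for comparison: parsed IP address, else lower-cased name."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()


def check_boot_offers(log_text: str,
                      dhcp_servers: Iterable[str],
                      file_servers: Iterable[str]) -> List[Alert]:
    """Report BOOT_OFFER lines naming a DHCP server or image host not expected."""
    allowed_dhcp = {_normalise(h) for h in dhcp_servers}
    allowed_files = {_normalise(h) for h in file_servers}
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        offer = _OFFER.search(raw)
        if offer is None:
            continue
        stamp, body = offer.groups()
        server = _SERVER.search(body)
        if server and server.group(1) != "NIL":
            if _normalise(server.group(1)) not in allowed_dhcp:
                alerts.append(Alert(stamp, "unexpected-dhcp-server", server.group(1)))
        image = _IMAGE.search(body)
        if image:
            target = image.group(1)
            host = urlsplit(target).hostname if "://" in target else None
            if host is None:
                # No URL in the line, so the source host cannot be checked here.
                alerts.append(Alert(stamp, "image-host-unverifiable", target))
            elif _normalise(host) not in allowed_files:
                alerts.append(Alert(stamp, "unexpected-image-host", host))
    return alerts


if __name__ == "__main__":
    for alert in check_boot_offers(SAMPLE_LOG, {"10.16.134.207"}, {"10.16.127.53"}):
        print(alert.time, alert.kind, alert.value)
```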
Page 266
The first line of the script must contain one of the following:
#!/usr/bin/expect
#!/usr/bin/tclsh
#!/usr/bin/zsh
2. After the first line, but before the actual start of the script, the script must contain the signature “#/DELL-FORCE10”.
The auto-execution script can be written in Expect, TCLSH, or ZSH. If the SmartScripts package is already installed, the post-configuration script can also be written in PERL or Python. • No restraints are required for the auto-execution script, such as the signature “#/DELL-FORCE10” that is required for the pre-configuration script. •...
/f10 (mfs:21)...
unmounting /kern (kernfs)...
unmounting / (/dev/md0a)... done
rebooting
Starting Dell Force10 application
00:00:13: %STKUNIT1-M:CP %RAM-6-ELECTION_ROLE: Stack unit 1 is transitioning to Management unit.
00:00:15: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 1 present
Page 269
Dell Force10 Real Time Operating System Software
Dell Force10 Operating System Version: 2.0
Dell Force10 Application Software Version: 1-0(0-338)
Copyright (c) 1999-2012 by Dell Inc. All Rights Reserved.
Build Time: Thu Dec 27 21:32:28 2012
Build Path: /sites/sjc/work/build/buildSpaces/build06/FIT-INDUS-1-0-0/SW/SRC
System image file is "dt-maa-s4810-72"...
Page 270
The following line indicates the successful completion of the auto-execution script.
00:00:49: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_SUCCESS: The AutoExec Script execution returned Success.
The following line indicates that the Configuration file is loaded into the switch.
FTOS#00:00:51: %STKUNIT1-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file
00:00:52: %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 0/36
00:00:53: %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Ma 0/0
Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACL), flows, and routing policies. On Dell Force10 systems, there are one or two CAM (Dual-CAM) modules per port-pipe depending on the type of line card.
Either ExaScale 10G or 40G CAM line cards can be used in a system. CAM Profiles Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including each RPM.
Microcode Microcode is a compiled set of instructions for a CPU. On Dell Force10 systems, the microcode controls how packets are handled. There is a default microcode, and several other microcodes are available, so that you can adjust packet handling according to your application.
Table 11-3. Microcode Descriptions
Microcode: Description
default: Distributes CAM space for a typical deployment.
lag-hash-align: For applications that require the same hashing for bi-directional traffic (for example, VoIP call or P2P file sharing). For port-channels, this microcode maps both directions of a bi-directional flow to the same output link.
lag-hash-mpls: For hashing based on MPLS labels (up to five labels deep).
You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or CONFIGURATION mode. The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Layer 2 ACL partition.
Example: EF Line Card with EG Chassis Profile (Card Problem)
R1#show linecard 1 brief
Line card 1 --
Status : card problem - mismatch cam profile
Next Boot : online
Required Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Current Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Hardware Rev...
Important Points to Remember • CAM Profiling is available on the E-Series TeraScale with FTOS versions 6.3.1.1 and later. • All line cards within a single system must have the same CAM profile; this profile must match the system CAM profile (the profile on the primary RPM). •...
Task: Verify that the new CAM profile will be written to the CAM on the next boot.
Command Syntax: show cam-profile summary
Command Mode: EXEC Privilege
Task: Reload the system.
Command Syntax: reload
Command Mode: EXEC Privilege
CAM Allocation
User Configurable CAM Allocations is available on platforms:
Allocate space for IPv4 ACLs and QoS regions, and IPv6 ACLs and QoS regions on the C-Series and S-Series by using the cam-acl command in CONFIGURATION mode.
To configure the IPv4 and IPv6 ACLs and QoS regions on the entire system:
Task: Select a cam-acl action
Command Syntax: cam-acl [ default l2acl...
Command Mode: CONFIGURATION
Note: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate space for...
L2Acl Ipv4Acl Ipv6Acl Ipv4Qos L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl
FTOS#
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privilege mode, as shown in the following example.
Page 285
The IPv4Flow CAM partitions have sub-partitions for several types of information. Table 11-5 lists the types of information stored in this partition and the number of entries that FTOS allocates to each type. Table 11-5. IPv4Flow CAM Sub-partition Sizes Space Allocated Space Allocated Space Allocated Partition...
Page 286
FTOS(conf)#cam-ipv4flow default
FTOS#copy running-config startup-config
File with same name already exist.
Proceed to copy the file [confirm yes/no]: yes
3914 bytes successfully copied
FTOS#sh cam-ipv4flow
-- Chassis Cam Ipv4Flow --
Current Settings Next Boot
Multicast Fib/Acl : System Flow Trace Lists
-- Line card 0 --
Current Settings Next Boot...
Configure Ingress Layer 2 ACL Sub-partitions IPv4Flow sub-partitions are supported on platform The Ingress Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 11-6 lists the sub-partition and the percentage of the Ingress Layer 2 ACL CAM partition that FTOS allocates to each by default.
Page 288
Re-allocate CAM space within the Ingress Layer 2 ACL partition on the entire system as shown in the following example:
Task: Re-allocate CAM space within the Ingress Layer 2 ACL partition.
Command Syntax: cam-l2acl
Command Mode: CONFIGURATION
Task: Save the running-configuration.
Return to the Default CAM Configuration
Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the default keyword from EXEC Privilege mode or from CONFIGURATION mode, as shown in the following example.
FTOS(conf)#cam-profile ?
default Enable default CAM profile
eg-default...
In this case, manually adjust the CAM configuration on the card to match the system configuration. Dell Force10 recommends the following to prevent mismatches: • Use the eg-default CAM profile in a chassis that has only EG Series line cards. If this profile is used in a chassis with non-EG line cards, the non-EG line cards enter a problem state.
• Change to the default profile if downgrading to an FTOS version earlier than 6.3.1.1.
• Use the CONFIGURATION mode commands so that the profile is changed throughout the system.
• Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system.
Control Plane Policing (CoPP)
Control Plane Policing (CoPP) is supported on platforms:
Overview
Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, and rate-limits traffic to an acceptable level.
[Figure: hardware queue rate limiting without and with a CoPP rule. Labels: OSPF flood CPU at 1100 PPS, ICMP fails, 1100 PPS, 400 PPS, No CoPP Rules, ICMP PING Packets, CoPP Rule, Rate Limiting...]
Q7 receives STP at 1100 pps due to network storm/loop. The CPU is hit with the entire 1100 pps and the PING attempt fails intermittently.
The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies.
Configure CoPP for protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs...
Match QoS Class Map to QoS Policy
FTOS(conf)#policy-map-input egressFP_rate_policy cpu-qos
FTOS(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
FTOS(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
FTOS(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#exit
Create Control Plane Service Policy
FTOS(conf)#control-plane-cpuqos
FTOS(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy
FTOS(conf-control-cpuqos)#exit
Configure CoPP for CPU queues
Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies.
FTOS(conf)#qos-policy-input cpuq_2
FTOS(conf-qos-policy-in)#rate-police 5000 80 peak 600 50
FTOS(conf-qos-policy-in)#exit
Assign QoS Policy to Queues
FTOS(conf)#policy-map-input cpuq_rate_policy cpu-qos
FTOS(conf-qos-policy-in)#service-queue 5 qos-policy cpuq_1
FTOS(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2
FTOS(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1
Create Control Plane Service Policy
FTOS#conf
FTOS(conf)#control-plane
FTOS(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy
Show commands
Use the command to view the rates for each queue.
Page 299
FTOS#
Use the show mac protocol-queue-mapping command to view the queue mapping for the MAC protocols.
FTOS#show mac protocol-queue-mapping
Protocol Destination Mac EtherType Queue EgPort Rate (kbps)
-------- ---------------- ----------- ----- ------ -----------
0x0806 Q5/Q6 FRRP 01:01:e8:00:00:10/11 LACP 01:80:c2:00:00:02 0x8809 LLDP 0x88cc GVRP...
Data Center Bridging (DCB) The data center bridging (DCB) features are supported on the . and 4820 This chapter describes the following data center bridging topics: • Ethernet Enhancements in Data Center Bridging • Enabling Data Center Bridging • Configuring Priority-Based Flow Control •...
DCB-enabled network is required in a data center. The Dell Force10 switches that support a unified fabric and consolidate multiple network infrastructures use a single input/output (I/O) device called a converged network adapter (CNA).
Page 303
PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4. Figure 13-1. Priority-Based Flow Control PFC is implemented as follows in the Dell Force10 operating software (FTOS): • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Enhanced Transmission Selection Enhanced transmission selection (ETS) supports optimized bandwidth allocation between traffic types in multiprotocol (Ethernet, FCoE, SCSI) links. ETS allows you to divide traffic according to its 802.1p priority into different priority groups (traffic classes) and configure bandwidth allocation and queue scheduling for each group to ensure that each traffic type is correctly prioritized and receives its required bandwidth.
• Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups. • For ETS traffic selection, an algorithm is applied to priority groups using: •...
Figure 13-3. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging Data center bridging (DCB) is automatically configured when FCoE or iSCSI Optimization are configured. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE. •...
(refer to Policy-based QoS Configurations). Note: Dell Force10 does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. Ingress traffic classification using the service-class dynamic dot1p...
Table 13-1. dot1p Priority-Queue Assignment dot1p Value in Incoming Frame Egress Queue Assignment Configuring Priority-Based Flow Control Priority-based flow control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when DCB is enabled. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (CoS values) without impacting other priority classes.
Page 309
Task: Configure the CoS traffic to be stopped for the specified delay. Enter the 802.1p values of the frames to be paused. Range: 0-7. Default: None. Maximum number of lossless queues supported on the switch: 2.
Command: pfc priority priority-range
Command Mode: DCB INPUT POLICY
Page 310
FTOS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE802.1Qbb, CEE and CIN versions of PFC TLV are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices. By applying a DCB input policy with PFC enabled, you enable PFC operation on ingress port traffic.
A DCB input policy for PFC applied to an interface may become invalid if dot1p-queue mapping is reconfigured (refer to Create Input Policy Maps in Chapter 38, Quality of Service (QoS)). This situation occurs when the new dot1p-queue assignment exceeds the maximum number (2) of lossless queues supported globally on the switch.
FTOS Behavior: By default, no lossless queues are configured on a port. A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message is displayed. You must reconfigure the input policy using a smaller number of PFC priorities.
DCB and Switch Stacking Caveats for the S4820T
The following is a list of behaviors and limitations regarding the use of DCB over S4820T ports involved in switch stacking:
• You can enable DCB only on 40 Gig (QSFP+) ports.
•...
• When allocating bandwidth or configuring a queue scheduler for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation (Configuring Bandwidth Allocation for DCBx CIN) and dot1p-queue mapping (Table 13-1). • Although an ETS output policy does not support WRED, ECN, rate shaping, and rate limiting because these parameters are not negotiated by DCBx with peer devices, you can apply a QoS output policy with WRED and/or rate shaping on a DCBx CIN-enabled interface (refer to...
Page 315
Task: (Optional) Configure the bandwidth percentage allocated to priority traffic in port queues. Percentage range: 1 to 100% in units of 1%. The sum of bandwidth percentage assigned to dot1p priorities/queues in a priority group should be 100%.
Command: bandwidth-percentage percentage
Command Mode: POLICY-MAP-OUT-ETS
Page 316
FTOS Behavior: Traffic in priority groups is assigned to strict-queue or WERR scheduling in an ETS output policy and is managed using the ETS bandwidth-assignment algorithm. FTOS de-queues all frames of strict-priority traffic before servicing any other queues. A queue with strict-priority traffic can starve other queues in the same port.
Creating an ETS Priority Group
An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS settings is applied on an egress interface. You can associate a priority group to more than one ETS output policy on different interfaces.
Applying an ETS Output Policy for a Priority Group to an Interface
To apply ETS on egress port traffic, you must associate a priority group with an ETS output policy which has scheduling and bandwidth configuration in a DCB output policy, and then apply the output policy to an interface.
FTOS Behavior: Create a DCB output policy to associate a priority group with an ETS output policy with scheduling and bandwidth configuration. You can apply a DCB output policy on multiple egress ports. The ETS configuration associated with 802.1p priority traffic in a DCB output policy is used in DCBx negotiation with ETS peers.
- The priority group for strict-priority scheduling (scheduler strict command; Creating a QoS ETS Output Policy)
If you configure only the priority group in an ETS output policy or only the dot1p priority for strict-priority scheduling, the flow is handled with group strict priority.
Configuring Bandwidth Allocation for DCBx CIN
After you apply an ETS output policy to an interface, if the DCBx version used in your data center network is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation.
Applying DCB Policies in a Switch Stack Note: The S4820T does not support DCB on any of the 48 RJ-45 10 Gigabit stacking links. You can apply a DCB input policy with PFC configuration to all stacked ports in a switch stack or on a stacked switch.
Configuring DCBx Operation
The data center bridging exchange protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP). DCBx can detect the misconfiguration of a peer DCB device and, optionally, configure peer DCB devices with DCB feature settings to ensure consistent operation in a data center network.
Page 323
On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled. When making a configuration change to a DCBx port in a Manual role, Dell Force10 recommends that you shut down the interface using the...
Default DCBx port role: Manual. Note: On a DCBx port, application priority TLV advertisements are handled as follows: - The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port. - On auto-upstream and auto-downstream ports: - If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
• The port is enabled with link up and DCBx enabled. • The port has performed a DCBx exchange with a DCBx peer. • The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange. A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
If you configure a DCBx port to operate with a specific version (DCBx version {cee | cin | ieee-v2.5} command in the DCBx Configuration Procedure), DCBx operations are performed according to the configured version, including fast and slow transmit timers and message formats. If a DCBx frame with a different version is received, a syslog message is generated and the peer version is recorded in the peer status table.
Figure 13-4. DCBx Sample Topology
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • DCBx requires LLDP in both send (TX) and receive (RX) mode to be enabled on a port interface (protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations...
Step Task Command Command Mode
• [no] DCBx version {auto | cee | cin | ieee-v2.5} (PROTOCOL LLDP): Configure the DCBx version used on the interface, where:
- auto configures the port to operate using the DCBx version received from a peer.
-...
DCBx Error Messages An error in DCBx operation is displayed using the syslog messages: LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Verifying DCB Configuration Use the show commands in Table 13-2 to display DCB configurations.
Table 13-2. Displaying DCB Configurations
Command Output
• show dot1p-queue mapping: Displays the current 802.1p priority-queue mapping.
• show dcb [stack-unit unit-number]: Displays data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues.
Figure 13-7. show qos dcb-input Command Example
FTOS(conf)# show qos dcb-input
dcb-input pfc-profile
 pfc link-delay 32
 pfc priority 0-1
dcb-input pfc-profile1
 no pfc mode on
 pfc priority 6-7
Figure 13-8. show qos dcb-output Command Example
FTOS# show qos dcb-output
dcb-output ets
 priority-group san qos-policy san
 priority-group ipc qos-policy ipc
 priority-group lan qos-policy lan...
Figure 13-10. show interfaces pfc summary Command Example
FTOS# show interfaces tengigabitethernet 0/49 pfc summary
Interface TenGigabitEthernet 0/49
Admin mode is on
Admin is enabled
Remote is enabled, Priority list is 4
Remote Willing Status is enabled
Local is enabled
Oper status is Recommended
PFC DCBx Oper status is Up
State Machine Type is Feature...
Table 13-3. show interface pfc summary Command Description
Field Description
• Remote is enabled, Priority list: Operational status (enabled or disabled) of peer device for DCBx exchange of PFC configuration with a list of the configured PFC priorities.
• Remote Willing Status is enabled: Willing status of peer device for DCBx exchange (Willing bit received in PFC TLV): enabled or disabled.
Table 13-3. show interface pfc summary Command Description
Field Description
• PFC TLV Statistics: Pause Rx pkts: Number of PFC pause frames received
Figure 13-11. show interface pfc statistics Command Example
FTOS#show interfaces te 0/0 pfc statistics
Interface TenGigabitEthernet 0/0
Priority Received PFC Frames Transmitted PFC Frames
-------- ------------------- ----------------------
...
Figure 13-12. show interface ets summary Command Example
FTOS(conf-qos-policy-out-ets)#do sho int te 0/3 ets de
Interface TenGigabitEthernet 0/3
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp Priority# Bandwidth...
FTOS(conf)# show interfaces tengigabitethernet 0/0 ets detail
Interface TenGigabitEthernet 0/0
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp Priority# Bandwidth TSA
0 0,1,2,3,4,5,6,7 100% ETS
1 0% ETS
2 0% ETS
3 0% ETS...
Figure 13-13. show interface ets detail Command Example
FTOS(conf)# show interfaces tengigabitethernet 0/0 ets detail
Interface TenGigabitEthernet 0/0
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp Priority# Bandwidth...
Table 13-4. show interface ets detail Command Description
Field Description
• Interface: Interface type with stack-unit and port number.
• Max Supported TC Group: Maximum number of priority groups supported.
• Number of Traffic Classes: Number of 802.1p priorities currently configured.
• Admin mode: ETS mode: on or off.
Figure 13-14. show stack-unit all stack-ports all pfc details Command Example
FTOS(conf)# show stack-unit all stack-ports all pfc details
stack unit 0 stack-port all
 Admin mode is On
 Admin is enabled, Priority list is 4-5
 Local is enabled, Priority list is 4-5
 Link Delay 45556 pause quantum
 0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all...
Figure 13-16. show interface DCBx detail for ieee Command Example
FTOS(conf-if-te-0/17-lldp)#do sho int te 2/12 dc d
E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled...
Figure 13-17. show interface DCBx detail for legacy cee Command Example
FTOS(conf-if-te-0/17-lldp)#do sho int te 1/14 dc d
E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled...
Table 13-5. show interface DCBx detail Command Description
Field Description
• Local DCBx Compatibility mode: DCBx version accepted in a DCB configuration as compatible. In auto-upstream mode, a port can only receive a DCBx version supported on the remote peer.
• Local DCBx Configured mode: DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer).
PFC and ETS Configuration Examples This section contains examples of how to configure and apply DCB input and output policies on an interface. Using PFC and ETS to Manage Data Center Traffic In the following example: • Incoming SAN traffic is configured for priority-based flow control. •...
Figure 13-18. Example: PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in Table 13-6.
Table 13-6. Example: dot1p-Queue Assignment dot1p Value in Incoming Frame Queue Assignment Lossless SAN traffic with dot1p priority 3 is assigned to queue 1. Other traffic types are assigned the 802.1p priorities shown in Table 13-7 and the bandwidth allocations shown in Table 13-8.
Figure 13-19. PFC and ETS Configuration Command Example
Configure QoS priority-queue assignment to honor dot1p priorities or use L2 class maps to mark and map ingress traffic to output queues; for example:
FTOS(conf)# service-class dynamic dot1p
FTOS(conf)# interface tengigabitethernet 0/1
FTOS(conf-if-te-0/1)# service-class dynamic dot1p
Configure a DCB input policy for applying PFC to lossless SAN priority traffic:...
Figure 13-20. Example: DCB PFC and ETS Configuration (Continued)
Configure a DCB output policy for applying ETS (bandwidth allocation and scheduling) to IPC, SAN, and LAN priority traffic:
FTOS(conf)# dcb-output ets
FTOS(conf-dcb-out)# priority-group san qos-policy san
FTOS(conf-dcb-out)# priority-group lan qos-policy lan
FTOS(conf-dcb-out)# priority-group ipc qos-policy ipc
Apply DCB input and output policies to a port interface:
FTOS(conf)# interface tengigabitethernet 0/1...
Hierarchical Scheduling in ETS Output Policies ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations: • Priority group 1 assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
S-Series Debugging and Diagnostics The chapter contains the following major sections: • Offline diagnostics • Trace logs • Last restart reason • show hardware commands • Environmental monitoring • Buffer tuning • Troubleshooting packet loss • Application core dumps • Mini core dumps •...
Important Points to Remember • You can only perform offline diagnostics on an offline standalone unit or offline member unit of a stack of three or more. You cannot perform diagnostics on the management or standby unit in a stack of two or more (Message Message 1 Offline Diagnostics on Master/Standby Error...
Figure 14-2. Verifying the Offline/Online Status of an S-Series Stack Unit
FTOS#show system brief | no-more
Stack MAC : 00:01:e8:d6:02:39
Stack Info
Unit UnitType Status ReqTyp CurTyp Version Ports
---------------------------------------------------------------------------
0 Standby online S25V S25V 4.7.7.220
Management offline S50N S50N 4.7.7.220
Member online...
Figure 14-3. Running Offline Diagnostics on an S-Series Standalone Unit
FTOS#diag stack-unit 1 alllevels
Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1
00:03:35 : Approximate time to complete these Diags ...
4. View the results of the diagnostic tests using the show file flash:// command from EXEC Privilege mode, as shown in Figure 14-5.
Figure 14-5. Viewing the Results of Offline Diagnostics on a Standalone Unit
FTOS#show file flash://TestReport-SU-0.txt
**********************************S-Series Diagnostics********************
Stack Unit Board Serial Number : DL267160098
CPU Version : MPC8541, Version: 1.1
PLD Version : 5...
Auto Save on Crash or Rollover Exception information for master or standby units is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout. On a master unit, the TRACE_LOG_DIR files can be reached by FTP or by using the command show file from the flash://TRACE_LOG_DIR directory.
Table 14-3 lists the show hardware commands available as of the latest FTOS version on the S4810. Note: The show hardware commands should only be used under the guidance of Dell Force10 Technical Assistance Center. Table 14-3. show hardware Commands Command...
Table 14-3. show hardware Commands
Command Description
• show hardware stack-unit {0-11} unit {0-1} ipmc-replication: View the Multicast IPMC replication table from the bShell.
• show hardware stack-unit {0-11} unit {0-1} port-stats [detail]: View the internal statistics for each port-pipe (unit) on per port basis.
View the stack-unit internal registers for each port-pipe.
EXEC mode to bring the line card back online. power-on In addition, Dell Force10 requires that you install blanks in all slots without a line card to control airflow for adequate system cooling. Note: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card...
Troubleshoot an under-voltage condition To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and their Status LEDs are lit. The SNMP traps and OIDs in Table 14-4 provide information on S-Series environmental monitoring hardware and hardware components. Table 14-4.
Table 14-5 describes the type and number of ASICs per platform. Table 14-5. ASICS by Platform Hardware S50N, S50V S25V, S25P, S25N You can tune buffers at three locations, as shown in Figure 14-8. 1. CSF – Output queues going from the CSF. 2.
Front-end Links Deciding to tune buffers Dell Force10 recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case: •...
Buffer tuning commands
Task Command Command Mode
• buffer-profile fp fsqueue (CONFIGURATION): Define a buffer profile for the FP queues.
• buffer-profile csf csqueue (CONFIGURATION): Define a buffer profile for the CSF queues.
• buffer dedicated (BUFFER PROFILE): Change the dedicated buffers on a physical 1G interface.
If the default buffer profile (4Q) is active, FTOS displays an error message instructing you to remove the default configuration using the command no buffer-profile global. Sample buffer profile configuration The two general types of network environments are sustained data transfers and voice/data. Dell Force10 recommends a single-queue approach for data transfers, as shown in Figure 14-11.
Figure 14-12. Displaying Drop Counter Statistics
FTOS#show hardware stack-unit 0 drops
UNIT No: 0
Total Ingress Drops :0
Total IngMac Drops :0
Total Mmu Drops :0
Total EgMac Drops :0
Total Egress Drops :0
UNIT No: 1
Total Ingress Drops :0
Total IngMac Drops :0
Total Mmu Drops :0
Total EgMac Drops :0...
Application core dumps Application core dumps are disabled by default. A core dump file can be very large. Due to memory requirements the file can only be sent directly to an FTP server. It is not stored on the local flash. Enable full application core dumps with the following: Task Command Syntax...
Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol (DHCP) is available on platforms: e c s z This chapter contains the following sections: • Protocol Overview • Implementation Information • Configuration Tasks • Configure the System to be a DHCP Server •...
DHCP Packet Format and Options DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format;...
Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
Implementation Information • The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046. • IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP Source Address Validation.
IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell Force10 system to be a DHCP server is a 3-step process: Configure the Server for Automatic Address Allocation Specify a Default Gateway...
Create an IP Address Pool An address pool is a range of IP addresses that may be assigned by the DHCP server. Address pools are indexed by subnet number. To create an address pool: Step Task Command Syntax Command Mode Access the DHCP server CLI context.
Display the current DHCP configuration.
Command Syntax: show config
Command Mode: DHCP
In the illustration below, an IP phone is powered by PoE and has acquired an IP address from the Dell Force10 system, which is advertising LLDP-MED. The leased IP address is displayed using show ip dhcp...
Configure a Method of Hostname Resolution Dell Force10 systems are capable of providing DHCP clients with parameters for two methods of hostname resolution. Address Resolution using DNS A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network. You can configure an interface on the Dell Force10 system to relay the DHCP messages to a specific DHCP server using the command...
When ip helper-address is configured, the system listens for DHCP broadcast messages on port 67. The system rewrites packets received from the client and forwards them via unicast; the system rewrites the destination IP address and writes its own address as the relay device. Responses from the server are unicast back to the relay agent on port 68, and the relay agent rewrites the destination address and forwards the packet to the client subnet via broadcast.
Configure the System for User Port Stacking When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when the units are connected. Configure Secure DHCP The following feature is available on platforms: c e s (except where noted).
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
Task Command Syntax Command Mode
• ip dhcp relay information-option (CONFIGURATION): Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option.
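The TLV option layout described under DHCP Packet Format and Options, and the Option 82 stripping described above, can be seen in the following added example (not FTOS code and not from this guide). The sub-option numbers 1 (circuit ID) and 2 (remote ID) come from RFC 3046; the sample options field, port name and MAC address are constructed.

```python
"""DHCP option TLV parsing and Option 82 handling (added example, not FTOS code)."""

PAD, END, RELAY_AGENT_INFO = 0, 255, 82


def parse_options(buf):
    """Return [(code, value_bytes), ...] from a DHCP options field.

    PAD (0) and END (255) are single bytes with no length; every other
    option is code, length, value. A truncated option raises ValueError
    instead of silently reading short.
    """
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(buf):
            raise ValueError("option %d has no length byte" % code)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def parse_option82(value):
    """Option 82 nests sub-options in the same code/length/value layout."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("sub-option has no length byte")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d is truncated" % sub)
        subs[sub] = data
        i += 2 + length
    return subs


def build_options(opts):
    """Serialize (code, value) pairs back into an options field."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


def strip_option82(buf):
    """Remove Option 82, as a relay agent does to a server reply
    before forwarding it to the client."""
    kept = [(c, v) for c, v in parse_options(buf) if c != RELAY_AGENT_INFO]
    return build_options(kept)


# Constructed sample: a server reply's options field as the relay receives it.
_OPT82 = (bytes([1, 6]) + b"Te 0/1"                          # circuit ID
          + bytes([2, 6]) + bytes.fromhex("020000000001"))   # remote ID
SAMPLE_OPTIONS = (bytes([53, 1, 5])                          # message type: ACK
                  + bytes([51, 4]) + (86400).to_bytes(4, "big")  # lease time
                  + bytes([RELAY_AGENT_INFO, len(_OPT82)]) + _OPT82
                  + bytes([END]))

if __name__ == "__main__":
    for code, value in parse_options(SAMPLE_OPTIONS):
        print(code, value.hex())
    print("to client:", strip_option82(SAMPLE_OPTIONS).hex())
```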
View the DHCP Snooping statistics with the show ip dhcp snooping command.
FTOS#show ip dhcp snooping
IP DHCP Snooping : Enabled.
IP DHCP Snooping Mac Verification : Disabled.
IP DHCP Relay Information-option : Disabled.
IP DHCP Relay Trust Downstream : Disabled.
Database write-delay (In minutes)
DHCP packets information
Relay Information-option packets...
View the number of entries in the table with the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.
FTOS#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec)
• denial of service—an attacker can send fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which would blackhole all internet-bound packets from the client. Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN.
The DHCP binding table associates addresses assigned by the DHCP servers with the port to which the requesting client is attached. When IP Source Address Validation is enabled on a port, the system verifies that the source IP address is one that is associated with the incoming port. If an attacker is impersonating a legitimate client, the source address appears on the wrong ingress port, and the system drops the packet.
Step Task Command Syntax Command Mode
• ip dhcp source-address-validation ipmac (INTERFACE): Enable IP+MAC Source Address Validation.
FTOS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
Task Command Syntax Command Mode
Display the IP+MAC ACL for an EXEC Privilege show ip dhcp snooping source-address-validation...
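The relationship between the snooping binding table, IP Source Address Validation and IP+MAC Source Address Validation can be modelled as follows. This is an added example, not FTOS code: the class, the way pending requests are tracked, and all addresses and port names are assumptions made for illustration.

```python
"""Simplified model of DHCP snooping bindings and source address validation.
Added example; not FTOS code. Addresses and port names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str        # port the requesting client is attached to
    expires: float   # absolute expiry time, in seconds


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> port its DHCP request arrived on
        self.bindings = {}   # leased IP -> Binding

    def client_request(self, port, mac):
        """Remember which port a client's DHCP request came from."""
        self.pending[mac.lower()] = port

    def server_ack(self, ingress_port, mac, leased_ip, lease_secs, now):
        """Learn a binding only from a DHCPACK received on a trusted port."""
        mac = mac.lower()
        if ingress_port not in self.trusted:
            return False                 # server reply on an untrusted port
        port = self.pending.pop(mac, None)
        if port is None:
            return False                 # ACK for a client that never asked
        self.bindings[leased_ip] = Binding(leased_ip, mac, port,
                                           now + lease_secs)
        return True

    def permit(self, port, src_ip, src_mac, now, mode="ip"):
        """Validate a data packet arriving on a validation-enabled port.

        mode="ip":    the source IP must be bound to the ingress port.
        mode="ipmac": the bound MAC must also match the source MAC.
        """
        b = self.bindings.get(src_ip)
        if b is None or b.expires <= now or b.port != port:
            return False
        return mode == "ip" or b.mac == src_mac.lower()

    def acl_entries(self, port, now):
        """Per-port permit list implied by the table: one entry per live
        IP+MAC pair bound to that port."""
        return sorted((b.ip, b.mac) for b in self.bindings.values()
                      if b.port == port and b.expires > now)


def demo():
    sw = SnoopingSwitch(trusted_ports={"Te 0/48"})
    client, other = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    sw.client_request("Te 0/1", client)
    sw.server_ack("Te 0/48", client, "10.1.1.10", 3600, now=0)
    # A reply that claims to be from a DHCP server but arrives on a client port.
    sw.client_request("Te 0/2", other)
    rogue = sw.server_ack("Te 0/3", other, "10.1.1.66", 3600, now=0)
    return {
        "legit": sw.permit("Te 0/1", "10.1.1.10", client, now=10),
        "wrong_port": sw.permit("Te 0/2", "10.1.1.10", other, now=10),
        "wrong_mac_ip_mode": sw.permit("Te 0/1", "10.1.1.10", other, now=10),
        "wrong_mac_ipmac_mode": sw.permit("Te 0/1", "10.1.1.10", other,
                                          now=10, mode="ipmac"),
        "lease_expired": sw.permit("Te 0/1", "10.1.1.10", client, now=3600),
        "rogue_ack_learned": rogue,
        "acl_te_0_1": sw.acl_entries("Te 0/1", now=10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `wrong_mac_ip_mode` case passes while `wrong_mac_ipmac_mode` is dropped, which is the difference between the IP-only and IP+MAC modes.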
Equal Cost Multi-Path (ECMP) Equal Cost Multi-Path (ECMP) is supported on platforms: e c s ECMP for Flow-based Affinity ECMP for Flow-based Affinity is available on platforms The hashing algorithms on E-Series TeraScale and E-Series ExaScale are different. Hashing on ExaScale is based on CRC, checksum, or XOR, and the algorithm on TeraScale is based on checksum only.
FTOS Behavior: In FTOS versions prior to 8.2.1.2, the ExaScale default hash-algorithm is 0. Beginning with version 8.2.1.2, the default hash-algorithm is 24. Deterministic ECMP Next Hop Deterministic ECMP Next Hop arranges all ECMPs in order before writing them into the CAM. For example, suppose the RTM learns 8 ECMPs in the order that the protocols and interfaces came up.
In the illustration below, Core Router 1 is an E-Series TeraScale and Core Router 2 is an E-Series ExaScale. They have similar configurations and have routes for prefix P with two possible next-hops. When Deterministic ECMP is enabled and the hash algorithm and seed are configured the same, each flow is consistently sent to the same next hop even though they are routed through two different chassis.
Enable link bundle monitoring using the ecmp-group command. Note: An ecmp-group index is generated automatically for each unique ecmp-group when the user configures multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
Disabling the FIPS Mode Preparing the System Before you enable FIPS mode on the S4810, Dell Force10 recommends taking the following steps on your system: • Disable the Telnet server (only SSH (Secure Shell) should be used to access the system).
To enable FIPS mode:
Task Command Syntax Command Mode
• fips mode enable (CONFIG): Enable FIPS mode from a console port.
When the FIPS mode is enabled, the following actions are taken: • If enabled, the SSH server will be disabled. •...
Monitoring FIPS Mode Status The status of the current FIPS mode (Enabled/Disabled) can be viewed directly using either the show fips status command or the show system command as shown below.
FTOS#show fips status
FIPS Mode : Enabled
for the system using the show system command.
FTOS#show system
Stack MAC : 00:01:e8:8a:ff:0c
Reload Type : normal-reload [Next boot : normal-reload]...
FIP Snooping FIP snooping is supported on the following platforms: This chapter describes the FIP snooping concepts and configuration procedures: • Fibre Channel over Ethernet • Ensuring Robustness in a Converged Ethernet Network • FIP Snooping on Ethernet Bridges • FIP Snooping in a Switch Stack •...
To ensure similar Fibre Channel robustness and security with FCoE in an Ethernet cloud network, the Fibre Channel over Ethernet initialization protocol (FIP) establishes virtual point-to-point links between FCoE end-devices (server ENodes and target storage devices) and FCoE forwarders (FCFs) over transit FCoE-enabled bridges.
Figure 18-1. FIP discovery and login between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF.
• Port-based ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. • Port-based ACLs take precedence over global ACLs. • FCoE-generated ACLs take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions: • Allocate CAM resources for FCoE (optional in FTOS version 9.1.(0.0)). •...
Enabling the FIP Snooping Feature Note: FIP Snooping is disabled by default. To enable this feature, you must follow the Configuration Procedure. As soon as you enable the FIP snooping feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied. The FCoE database is populated when the switch connects to a converged network adapter (CNA) or FCF port and compatible DCB configurations are synchronized.
S4810 FTOS Configuration Guide Dell Force10 recommends that you also enable ETS; ETS is recommended but not required. If you enable DCBX and PFC mode is on (PFC is operationally up) in a port configuration, FIP snooping is operational on the port. If the PFC parameters in a DCBX exchange with a peer are not synchronized, FIP and FCoE frames are dropped on the port after you enable the FIP snooping feature.
• VLAN membership: • You must create the VLANs on the switch which handles FCoE traffic (interface vlan command). • You must configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames ( command)....
Displaying FIP Snooping Information Use the show commands in Table 18-1 to display information on FIP snooping.
Table 18-1. Displaying FIP Snooping Information
Command Output
• show fip-snooping sessions [interface vlan vlan-id]: Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE...
Table 18-2. show fip-snooping sessions Command Description
Field Description
• ENode MAC: MAC address of the ENode.
• ENode Interface: Slot/port number of the interface connected to the ENode.
• FCF MAC: MAC address of the FCF.
• FCF Interface: Slot/port number of the interface to which the FCF is connected.
• VLAN: VLAN ID number used by the session.
Table 18-4. show fip-snooping fcf Command Description
Field Description
• FCF MAC: MAC address of the FCF.
• FCF Interface: Slot/port number of the interface to which the FCF is connected.
• VLAN: VLAN ID number used by the session.
• FC-MAP: FC-Map value advertised by the FCF.
• ENode Interface: Slot/port number of the interface connected to the ENode.
Figure 18-7. show fip-snooping statistics (VLAN and port) Command Example
FTOS# show fip-snooping statistics interface vlan 100
Number of Vlan Requests
Number of Vlan Notifications
Number of Multicast Discovery Solicits
Number of Unicast Discovery Solicits
Number of FLOGI
Number of FDISC
Number of FLOGO
Number of Enode Keep Alive :9021...
Figure 18-8. show fip-snooping statistics (port channel) Command Example
FTOS# show fip-snooping statistics interface port-channel 22
Number of Vlan Requests
Number of Vlan Notifications
Number of Multicast Discovery Solicits
Number of Unicast Discovery Solicits
Number of FLOGI
Number of FDISC
Number of FLOGO
Number of Enode Keep Alive
Number of VN Port Keep Alive...
Table 18-5. show fip-snooping statistics Command Descriptions
Field Description
• Number of FDISC Rejects: Number of FIP FDISC reject frames received on the interface.
• Number of FLOGO Accepts: Number of FIP FLOGO accept frames received on the interface.
• Number of FLOGO Rejects: Number of FIP FLOGO reject frames received on the interface.
Figure 18-11. Configuration Example: FIP Snooping on an S4810 Switch In Figure 18-11, DCBX and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch. On the FIP snooping bridge, DCBX is configured as follows: • A server-facing port is configured for DCBX in an auto-downstream role. •...
Figure 18-12. FIP Snooping Configuration Example
Enable the FIP snooping feature on the switch (FIP snooping bridge):
FTOS(conf)# feature fip-snooping
Enable FIP snooping on FCoE VLAN 10:
FTOS(conf)# interface vlan 10
FTOS(conf-if-vl-10)# fip-snooping enable
Enable an FC-MAP value on VLAN 10:
FTOS(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
Note: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
Force10 Resilient Ring Protocol (FRRP) Force10 Resilient Ring Protocol (FRRP) is supported on platforms: e c s z Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses. FRRP is similar to what can be achieved with the Spanning Tree Protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
A Virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring.
During the time between the Transit node detecting that its link is restored and the Master node detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can create a temporary loop in the topology. To prevent this, the Transit node places all the ring ports transiting the newly restored port into a temporary blocked state.
• Ring Health Frames (RHF) • Hello RHF — Sent at 500ms (hello interval) — Transmitted and processed by Master node only • Topology Change RHF — Triggered updates — Processed at all nodes Important FRRP Concepts Table 19-1, "FRRP Components," in Force10 Resilient Ring Protocol (FRRP) lists some important FRRP concepts.
• FRRP is media and speed independent. • FRRP is a Dell Force10 proprietary protocol that does not interoperate with any other vendor. • Spanning Tree must be disabled on both Primary and Secondary interfaces before FRRP is enabled. •...
• Configure Primary and Secondary ports • Configure the Master node • Configure a Transit node • Set FRRP Timers (optional) • Enable FRRP Other FRRP related commands are: • Clear FRRP counters Create the FRRP group The FRRP group must be created on each switch in the ring. Use the commands in the following sequence to create the FRRP group.
Step Command Syntax Command Mode Purpose
• tagged interface slot/port {range} (CONFIG-INT-VLAN): Tag the specified interface or range of interfaces to this VLAN. Interface:
- For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
-...
Be sure to follow these guidelines: • All VLANs must be in Layer 2 mode. • Control VLAN ports must be tagged. Member VLAN ports except the Primary/Secondary interface can be tagged or untagged. • The Control VLAN must be the same for all nodes on the ring. Use the commands in the following sequence, on all of the Transit switches in the ring, to create the Member VLANs for this FRRP group.
Step Command Syntax Command Mode Purpose
• mode transit (CONFIG-FRRP): Configure a Transit node
• member-vlan vlan-id {range} (CONFIG-FRRP): Identify the Member VLANs for this FRRP group. VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
• no disable (CONFIG-FRRP): Enable this FRRP group on this switch.
Set FRRP Timers Step Command Syntax...
Show FRRP information Use one of the following commands to show general FRRP information.
Command Syntax Command Mode Purpose
• show frrp ring-id (EXEC or EXEC PRIVILEGED): Show the information for the identified FRRP group. Ring ID: 1-255
• show frrp summary (EXEC or EXEC PRIVILEGED): Show the state of all FRRP groups. Ring ID: 1-255...
no shutdown
interface Vlan 201
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
 member-vlan 201
 mode master
 no disable
R2 TRANSIT
interface GigabitEthernet 2/14
 no ip address
 switchport
 no shutdown
interface GigabitEthernet 2/31
 no ip address...
GARP VLAN Registration Protocol (GVRP) GARP VLAN Registration Protocol (GVRP) is supported on platforms: e c s z Protocol Overview Typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
• On the E-Series, C-Series, and non-S60/S55/S4810 S-Series, Per-VLAN Spanning Tree (PVST+) or MSTP and GVRP cannot be enabled at the same time, as shown in the example below. If Spanning Tree and GVRP are both required, implement RSTP. The S60, S55, and S4810 systems do support enabling GVRP and MSTP at the same time.
Basic GVRP configuration is a 2-step process: Enabling GVRP Globally. Enabling GVRP on a Layer 2 Interface. Related Configuration Tasks • Configuring GVRP Registration • Configuring a GARP Timer Enabling GVRP Globally Enable GVRP for the entire switch using the gvrp enable command in CONFIGURATION mode, as shown in the following example.
Configuring GVRP Registration • Fixed Registration Mode: Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN de-registration, and registers all VLANs known on other ports on the port. For example, if an interface is statically configured via the CLI to belong to a VLAN, it should not be un-configured when it receives a Leave PDU.
• LeaveAll: Upon startup, a GARP device globally starts a LeaveAll timer. Upon expiration of this interval, it will send out a LeaveAll message so that other GARP devices can re-register all relevant attribute information. The device then restarts the LeaveAll timer to begin a new cycle. The LeaveAll timer must be greater than or equal to 5x of the Leave timer.
High Availability High Availability (HA) is supported on platforms: c e s Note: High Availability is not supported on the S60 system. High availability is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code.
Component Redundancy Dell Force10 systems eliminate single points of failure by providing dedicated or load-balanced redundancy for each component. RPM Redundancy The current version of FTOS supports 1+1 hitless Route Processor Module (RPM) redundancy. The primary RPM performs all routing, switching, and control operations while the standby RPM monitors the primary RPM.
Version compatibility between RPMs In general, the two RPMs should have the same FTOS version. However, FTOS tolerates some degree of difference between the two versions, as described in Table 21-1, "System Behavior with RPMs with Mismatched FTOS Versions," in High Availability.
Automatic and manual RPM failover RPM failover is the process of the standby RPM becoming the primary RPM. FTOS fails over to the standby RPM when: 1. Communication is lost between the standby and primary RPMs 2. You request a failover via the CLI 3.
C-Series RPMs have one CPU: Control Processor (CP). The CP on the RPM communicates with the LP via IPC. Like the E-Series, the CP monitors the health status of the other processors by sending a heartbeat message. If any CPU fails to acknowledge a consecutive number of heartbeat messages, or the CP itself fails to send heartbeat messages (IPC timeout), the primary RPM requests a failover to the standby RPM, and FTOS displays a message similar to Message...
Table 21-2. Failover Behaviors Platform Failover Trigger Failover Behavior RP IPC timeout for a non-task CP on primary RPM detects the RP IPC timeout and notifies standby crash reason on the primary RPM RPM. Standby RPM initiates a failover. FTOS saves an RP application core dump, RP IPC-related system status, a CP trace log record, and the CP IPC-related system status.
RPM synchronization Data between the two RPMs is synchronized immediately after bootup. Once the two RPMs have done an initial full synchronization (block sync), thereafter FTOS only updates changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the FTOS version.
Linecard Online Insertion and Removal RPM Online Insertion and Removal Dell Force10 systems are functional with only one RPM. If a second RPM is inserted, it comes online as the standby RPM, as shown in the example below.
On the C-Series, when a secondary RPM with a logical SFM is inserted or removed, the system must add or remove the backplane links to the switch fabric trunk. Any time such links are changed, traffic is disrupted. Use the command redundancy sfm standby to avoid any traffic disruption when the secondary RPM is inserted.
Pre-configure a line card slot You may also pre-configure an empty line card slot with a logical line card using the command linecard from CONFIGURATION mode. After creating the logical line card, you can configure the interfaces on the line card as if it is present, as shown in the example below. FTOS(conf)#do show linecard 0 Line card 0 -- Status...
Line cards Slot Status NxtBoot ReqTyp CurTyp Version Ports --------------------------------------------------------------------------- online online E48VB E48VB 7-5-1-71 [output omitted] Hitless Behavior Hitless Behavior is supported only on platforms: Hitless behavior is supported on S4810 with FTOS 8.3.12.0 and later or the E-Series ExaScale x with FTOS 8.2.1.0.
Graceful Restart Graceful Restart is supported on platforms: e c s Graceful restart (also called non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
(CRC failures, packet loss, etc.) are measured, and upon exceeding a threshold can be used to initiate recovery mechanism. Failure and Event Logging Dell Force10 systems provide multiple options for logging failures and events.
Trace Log Developers interlace messages with software code to track the execution of a program. These messages are called trace messages; they are primarily used for debugging and provide lower level information than event messages, which are primarily used by system administrators. FTOS retains executed trace messages for hardware and software and stores them in files (logs) on the internal flash.
• Hot-lock IP ACLs (supported on E-Series, C-Series, and S-Series) allow you to append rules to and delete rules from an Access Control List that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress. For information on configuring ACLs, see Access Control Lists (ACLs).
SFM auto upgrade, you must reload the chassis to recover. The Dell Force10 system has the ability to boot the chassis using a cached FTOS image. FTOS stores the system image on the bootflash for each processor so that: •...
Select the FTOS image that you want to cache using the command upgrade system-image, as shown in the example below. Dell Force10 recommends using the keyword with this command to avoid any mis-matched configurations. Note: The cache boot feature is not enabled by default; you must copy the running configuration to the...
linecard 4 invalid 6.5.1.8 linecard 5 is not present. Note: [b] : booted [n] : next boot Upgrade cache boot image(4.7.5.427) for all cards [yes/no]: yes cache boot image downloading in progress... !!!!!!!!!!!!!!!!!!!!! cache boot upgrade in progress. Please do NOT power off the card. Note: Updating Flash Table of Contents...
SECONDARY IMAGE FILE = flash://FTOS-EF-7.7.1.0.bin DEFAULT IMAGE FILE = flash://FTOS-EF-7.6.1.0.bin LOCAL CONFIG FILE = variable does not exist PRIMARY HOST CONFIG FILE = variable does not exist SECONDARY HOST CONFIG FILE = variable does not exist PRIMARY NETWORK CONFIG FILE = variable does not exist SECONDARY NETWORK CONFIG FILE = variable does not exist...
The restart time varies by process. In general, interface-related processes are hitless and can be restarted in seconds; if a restart is successful, traffic is not interrupted. Protocol tasks and line card processes are not hitless and take longer to restart. You can select which process may attempt to restart and the number of consecutive restart attempts before failover, but by default, every process fails over.
S4810, S55, and S60 and an unlimited number of groups on all platforms. • Dell Force10 systems cannot serve as an IGMP host or an IGMP version 1 IGMP Querier. • FTOS automatically enables IGMP on interfaces on which you enable a multicast routing protocol.
To receive multicast traffic from a particular source, a host must join the multicast group to which the source is sending traffic. A host that is a member of a group is called a receiver. A host may join many groups, and may join or leave any group at any time.
2. The querier sends a Group-Specific Query to determine whether there are any remaining hosts in the group. There must be at least one receiver in a group on a subnet for a router to forward multicast traffic for that group to the subnet. 3.
[Figure: IGMP packet within an IP packet sent to 224.0.0.22 with the Router Alert option; the IGMP packet carries Type, Checksum, Number of Group Records, and Group Record 1 through Group Record N.]
[Figure: Membership Queries: Leaving and Staying. The non-querier builds an identical table and waits the Other Querier Present Interval to assume the Querier role; queries (Type: 0x11) are retransmitted Last Member Query Count times.]
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. View IGMP-enabled interfaces using the command show ip igmp interface in the EXEC Privilege mode. FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.2/24 IGMP is enabled on interface IGMP query interval is 60 seconds...
Viewing IGMP Groups View both learned and statically configured IGMP groups using the command show ip igmp groups from EXEC Privilege mode. FTOS(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 224.1.1.1...
Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2.
IGMP Snooping Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth. IGMP Snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
Enabling IGMP Immediate-leave Configure the switch to remove a group-port association upon receiving an IGMP Leave message using the command ip igmp fast-leave from INTERFACE VLAN mode. View the configuration using the command show config from INTERFACE VLAN mode, as shown in the example below. FTOS(conf-if-vl-100)#show config interface Vlan 100...
• IGMP snooping Querier does not start if there is a statically configured multicast router interface in the VLAN. • The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet. •...
Interfaces This chapter describes interface types, both physical and logical, and how to configure them with FTOS. 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: e c s z SONET interfaces are only supported on platform Basic Interface Configuration: •...
no ip address shutdown interface GigabitEthernet 9/7 no ip address shutdown interface GigabitEthernet 9/8 no ip address shutdown interface GigabitEthernet 9/9 no ip address shutdown Enable a Physical Interface After determining the type of physical interfaces available, the user may enter the INTERFACE mode by entering the command to enable and configure the interfaces.
Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series and on each unit of the S4810. It provides dedicated management access to the system. The other S-Series (non-S4810) systems supported by FTOS do not have this dedicated management interface, but you can use any Ethernet port configured with an IP address and route.
Configure Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode. Use the ip address command and no shutdown command in INTERFACE mode to enable Layer 3 mode on an individual interface.
You can only configure one (1) primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface. To view all interfaces with an IP address assigned, use the command show ip interfaces brief in the EXEC mode as shown in View Basic Interface...
To configure a Management interface, use the following command in the CONFIGURATION mode: Command Syntax: interface Managementethernet interface. Command Mode: CONFIGURATION. Purpose: Enter the slot and the port (0). On the E-Series and C-Series, dual RPMs can be in use. Slot range: C-Series, E-Series: 0-1 S4810: 0...
• Once the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM’s management interface. • Primary and secondary management interface IP and virtual IP must be in the same subnet. Configure Management Interfaces on the S-Series The user can manage the S-Series from any port.
VLAN Interfaces VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information on VLANs and Layer 2, refer to Layer 2 Virtual LANs (VLAN). Note: To monitor VLAN interfaces, use the Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Since this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure a Loopback interface, use the following command in the CONFIGURATION mode: Command Syntax Command Mode...
• Port channel definition and standards • Port channel benefits • Port channel implementation • Configuration task list for port channel interfaces Port channel definition and standards Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a Link Aggregation Group (LAG) or port channel.
Note: If you are using either 10G ports or 40G ports, the Z9000 supports 8 members per LAG. As soon as a port channel is configured, FTOS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into hardware in a predictable order based on the port ID, instead of in the order in which the ports come up.
Configuration task list for port channel interfaces To configure a port channel (LAG), you use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration. • Create a port channel (mandatory) •...
You can add any physical interface to a port channel if the interface configuration is minimal. Only the following commands can be configured on an interface if it is a member of a port channel: • description • shutdown no shutdown •...
Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.1/24 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 2000 Mbit Members in this channel: Gi 9/10 Gi 9/17 ARP type: ARPA, ARP timeout 04:00:00 Last clearing of "show interface" counters 00:00:00 Queueing strategy: fifo 1212627 packets input, 1539872850 bytes Input 1212448 IP Packets, 0 Vlans 0 MPLS 4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts...
Reassign an interface to a new port channel An interface can be a member of only one port channel. If the interface is a member of a port channel, you must remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, FTOS recalculates the hash algorithm for the port channel.
Configure the minimum oper up links in a port channel (LAG) You can configure the minimum links in a port channel (LAG) that must be in “oper up” status for the port channel to be considered to be in “oper up” status. Use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose...
Assign an IP address to a port channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose...
• IP destination address • Protocol type • TCP/UDP source port • TCP/UDP destination port Balancing may be applied to IPv4, switched IPv6, and non-IP traffic. For these traffic types, the IP-header-based hash and MAC-based hash may be applied to packets by using the following methods. Table 23-3.
Table 23-4. 5-tuple and 3-tuple Keys Keys 5-tuple 3-tuple TCP/UDP source port TCP/UDP destination port Note: For IPV6, only the first 32 bits (LSB) of IP Source Address and IP Destination Address are used for hash generation. The following example shows the configuration and show command for packet-based hashing on the E-Series.
C-Series and S-Series load-balancing For LAG hashing on C-Series and S-Series, the source IP, destination IP, source TCP/UDP port, and destination TCP/UDP port are used for hash computation by default. For packets without a Layer 3 header, FTOS automatically uses load-balance mac source-dest-mac. IP hashing or MAC hashing should not be configured at the same time.
For the E-Series TeraScale and ExaScale, you can select one of 47 possible hash algorithms (16 on EtherScale). Command Syntax Command Mode Purpose hash-algorithm {algorithm-number} | CONFIGURATION Change the default (0) to another algorithm and apply { ecmp { checksum|crc|xor } it to ECMP, LAG hashing, or a particular line card.
Bulk Configuration Bulk configuration enables you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range.
FTOS(config-ifrange-gi-5/1-23-te-1/1-2)# interface range Vlan 2 – 100 , Port 1 – 25 FTOS(config-if-range-gi-5/1-23-te-1/1-2-so-5/1-vl-2-100-po-1-25)# no shutdown FTOS(config-if-range)# Interface Range Macros The user can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface-range macro command string, you must define the macro.
Monitor and Maintain Interfaces Monitor interface statistics with the command monitor interface. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, etc. Command Syntax: monitor interface interface. Command Mode: EXEC Privilege. Purpose: View the interface’s statistics. Enter the type of interface and slot/port information:...
FTOS# Maintenance using TDR The Time Domain Reflectometer (TDR) is supported on all Dell Force10 switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
To test the condition of cables on 10/100/1000 BASE-T modules, use the command tdr-cable-test: Command Syntax: tdr-cable-test gigabitethernet <slot>/<port>. Command Mode: EXEC Privilege. Usage: To test for cable faults on the GigabitEthernet cable. • Between two ports, the user must not start the test on both ends of the cable.
Link Debounce Timer Link Debounce Timer is supported on platform The Link Debounce Timer feature isolates upper layer protocols on Ethernet switches and routers from very short-term, possibly repetitive interface flaps often caused by network jitter on the DWDM equipment connecting the switch and other devices on a SONET ring.
Show debounce times in an interface Command Syntax: show interface debounce [ type ] [ slot/port ]. Command Mode: EXEC Privilege. Purpose: Show the debounce time for the specified interface. Enter the interface type keyword followed by the type of interface and slot/port information: • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/ port information.
Link Dampening Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state, and these protocols go through the momentous task of re-converging.
View the link dampening configuration on an interface using the command show config, or view dampening information on all or specific dampened interfaces using the command show interfaces dampening from EXEC Privilege mode, as shown in the following example.
FTOS# show interfaces dampening
Interface State Flaps Penalty Half-Life Reuse Suppress Max-Sup
Gi 0/0 Up 0 0 5 750 2500 20...
Configure MTU size on an Interface The E-Series supports a link Maximum Transmission Unit (MTU) of 12000 bytes and maximum IP MTU of 9234 bytes. The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation.
Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time. The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames.
Note: The S4810 supports only the rx control option. The S4810 does not transmit pause frames. Note: If rx flow control is disabled, Dell Force10 recommends rebooting the system. Ethernet Pause Frames flow control must be enabled on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior.
Configure MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU The MTU range is 592-12000, with a default of 1500.
Port-pipes A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces or a port-set.
Note: As a best practice, Dell Force10 recommends keeping auto-negotiation enabled. Auto-negotiation should only be disabled on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
Note: The show interfaces status command displays link status, but not administrative status. For link and administrative status, use show ip interface [ interface | brief | linecard slot-number ] [ configuration ]. FTOS#show interfaces status Port Description Status Speed Duplex Vlan Gi 0/0 1000 Mbit...
FTOS(conf)# int gi 0/0 FTOS(conf-if)#neg auto FTOS(conf-if-autoneg)# ? Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode Negate a command or set its defaults show Show autoneg configuration information FTOS(conf-if-autoneg)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode FTOS(conf-if-autoneg)#...
FTOS#show ip interface configured FTOS#show ip interface linecard 1 configured FTOS#show ip interface gigabitEthernet 1 configured FTOS#show ip interface br configured FTOS#show ip interface br linecard 1 configured FTOS#show ip interface br gigabitEthernet 1 configured FTOS#show running-config interfaces configured FTOS#show running-config interface gigabitEthernet 1 configured In EXEC mode, the command show interfaces switchport displays only interfaces in Layer 2 mode and...
Although any value between 30 and 299 seconds (the default) can be entered, software polling is done once every 15 seconds. So, for example, if you enter “19”, you will actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value: FTOS#show interfaces TenGigabitEthernet 10/0 is down, line protocol is down...
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 100 seconds):...
To clear the counters, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose clear counters [ EXEC Privilege Clear the counters used in the show interface commands for all interface [ vrrp [ ] | learning-limit ] VRRP groups, VLANs, and physical interfaces or selected ones.
IPv4 Routing IPv4 Routing is supported on platforms: e c s z FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS. •...
For more information on IP addressing, refer to RFC 791, Internet Protocol. Implementation Information In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces. Note: FTOS versions 7.7.1.0 and later support 31-bit subnet masks (/31, or 255.255.255.254) as defined by RFC 3021.
To assign an IP address to an interface, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose CONFIGURATION Enter the keyword interface followed by the type of interface interface interface and slot/port information: •...
To view the configuration, use the command show config in the INTERFACE mode as shown in the example below or the command show ip interface in the EXEC privilege mode as shown in the second example. FTOS(conf-if)#show conf interface GigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown FTOS(conf-if)# FTOS#show ip int gi 0/8...
To view the configured routes, use the command show ip route static. FTOS#show ip route static Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------- 2.1.2.0/24 Direct, Nu 0 00:02:30 6.1.2.0/24 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.2/32 via 6.1.20.2, Te 5/0 00:02:30 6.1.2.3/32 via 6.1.20.2, Te 5/0...
Command Syntax: management route ip-address mask forwarding-router-address ManagementEthernet slot/port. Command Mode: CONFIGURATION. Purpose: Assign a static route to point to the management interface or forwarding router. To view the configured static routes for the management port, use the command show ip management-route in the EXEC privilege mode.
Resolution of Host Names Domain Name Service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless the feature is enabled, the system resolves only host names entered into the host table with the command.
Specify local system domain and a list of domains If you enter a partial domain, FTOS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. FTOS searches the host table first to resolve the partial domain.
The following text is an example output of DNS using the command traceroute. FTOS#traceroute www.force10networks.com Translating "www.force10networks.com"...domain server (10.11.0.1) [OK] Type Ctrl-C to abort. ------------------------------------------------------------------------------------------ Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets ------------------------------------------------------------------------------------------ TTL Hostname Probe1 Probe2 Probe3...
Configure static ARP entries ARP dynamically maps the MAC and IP addresses, and while most network hosts support dynamic mapping, you can configure an ARP entry (called a static ARP) for the ARP cache. To configure a static ARP entry, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose...
Clear ARP cache To clear the ARP cache of dynamically learnt ARP information, use the following command in the EXEC privilege mode: Command Syntax Command Mode Purpose | ip EXEC privilege Clear the ARP caches for all interfaces or for a specific clear arp-cache interface ip-address] [ no-refresh ]...
1. At time t=0 FTOS sends an ARP request for IP A.B.C.D 2. At time t=1 FTOS receives an ARP request for IP A.B.C.D 3. At time t=2 FTOS installs an ARP entry for A.B.C.D only on RP2. Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs.
Configurable ARP Retries In FTOS versions prior to 8.3.1.0, the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable.
To reenable the creation of ICMP unreachable messages on the interface, use the following command in the INTERFACE mode: Command Syntax: ip unreachable. Command Mode: INTERFACE. Purpose: Set FTOS to create and send ICMP unreachable messages on the interface. To view if ICMP unreachable messages are sent on the interface, use the command show config in the INTERFACE mode.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address. Important Points to Remember about UDP Helper • The existing command ip directed broadcast is rendered meaningless if UDP helper is enabled on the same interface.
Configuring a Broadcast Address Configure a broadcast address on an interface using the command ip udp-broadcast-address, as shown in the example below. FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 FTOS(conf-if-vl-100)#show config interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown View the configured broadcast address for an interface using the command , as shown in...
1. Packet 1 is dropped at ingress if no UDP helper address is configured. 2. If UDP helper (using the command ip udp-helper udp-port) is enabled, and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101.
[Figure: LLDPDU frame: Preamble, Start Frame Delimiter, Destination MAC (01:80:C2:00:00:0E), Source MAC, Ethernet Type (0x88CC), LLDPDU, Padding. The LLDPDU carries TLV 0 through TLV 127, including Chassis ID, Port ID, Port Description, System Name, System Description, System Capabilities, Management Addr...]
Troubleshooting UDP Helper Display debugging information using the command debug ip udp-helper, as shown in the example below. FTOS(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3 01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing.
IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief discussion of the differences between IPv4 and IPv6, and the Dell Force10 support of IPv6. This chapter discusses the following, but is not intended to be a comprehensive discussion of IPv6.
• Stateless Autoconfiguration • Header Format Simplification • Improved Support for Options and Extensions Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information and 8 bytes for general header information. The IPv6 header includes the following fields: • Version (4 bits) •...
Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/protocol-numbers for a complete and current listing. Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops.
Hop-by-Hop Options header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 25-1). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
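The header layout described above can be checked against raw bytes. The following is an added example, not code from the FTOS guide: it decodes the 40-byte fixed header and skips a Hop-by-Hop Options header when the Next Header value is 0. The function names and the sample packet are constructed for illustration; the extension header length encoding follows RFC 8200.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40     # fixed header length given in the text
NH_HOP_BY_HOP = 0        # Next Header value 0 designates Hop-by-Hop Options
NH_NO_NEXT_HEADER = 59   # IANA protocol number meaning nothing follows


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header at the start of packet."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    # First 32 bits: Version (4) | Traffic Class (8) | Flow Label (20)
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": ipaddress.IPv6Address(packet[8:24]),        # 16 bytes
        "destination": ipaddress.IPv6Address(packet[24:40]),  # 16 bytes
    }


def upper_layer(packet: bytes) -> tuple:
    """Return (protocol number, byte offset) of what follows the IPv6 header,
    skipping a Hop-by-Hop Options header when one is present."""
    header = parse_ipv6_header(packet)
    next_header, offset = header["next_header"], IPV6_HEADER_LEN
    if next_header == NH_HOP_BY_HOP:
        if len(packet) < offset + 2:
            raise ValueError("truncated Hop-by-Hop Options header")
        next_header, ext_len = packet[offset], packet[offset + 1]
        # Hdr Ext Len counts 8-octet units beyond the first 8 octets (RFC 8200).
        length = (ext_len + 1) * 8
        if len(packet) < offset + length:
            raise ValueError("Hop-by-Hop Options header runs past end of packet")
        if next_header == NH_HOP_BY_HOP:
            raise ValueError("Hop-by-Hop Options header may appear only once")
        offset += length
    return next_header, offset


def build_sample() -> bytes:
    """Constructed sample: fixed header plus one 8-byte Hop-by-Hop header."""
    word = (6 << 28) | (0xB8 << 20) | 0x12345
    fixed = struct.pack("!IHBB", word, 8, NH_HOP_BY_HOP, 64)
    fixed += ipaddress.IPv6Address("2001:db8::1428:57ab").packed
    fixed += ipaddress.IPv6Address("2001:db8::1").packed
    # Next Header 59, Hdr Ext Len 0, then a PadN option (type 1, length 4).
    hop_by_hop = bytes([NH_NO_NEXT_HEADER, 0, 1, 4, 0, 0, 0, 0])
    return fixed + hop_by_hop


if __name__ == "__main__":
    sample = build_sample()
    for name, value in parse_ipv6_header(sample).items():
        print(f"{name:15} {value}")
    print("upper layer:", upper_layer(sample))
```

A filter or capture tool that reads only the Next Header byte of the fixed header sees 0 for this packet and learns nothing about the upper-layer protocol, so rules keyed on protocol number need the header chain walked as shown.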
Addressing IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab.
Implementing IPv6 with FTOS FTOS supports both IPv4 and IPv6 and both may be used simultaneously in your system. Note: Dell Force10 recommends that you use FTOS version 7.6.1.0 or later when implementing IPv6 functionality on an E-Series system. Table 25-2 lists the FTOS Version in which an IPv6 feature became available for each platform.
Table 25-2. FTOS and IPv6 Feature Support (continued)
Route redistribution 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10.0 OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Reference Guide
Multiprotocol BGP extensions for IPv6 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10.0 IPv6 BGP in the FTOS Command Line Reference Guide
IPv6 BGP MD5...
Table 25-2. FTOS and IPv6 Feature Support (continued)
IPv6 Access Control Lists 7.4.1 8.2.1 7.8.1 8.2.1.0 8.3.10.0 IPv6 Access Control Lists in the FTOS Command Line Reference Guide
IPv6 Multicast
PIM-SM for IPv6 7.4.1 8.2.1 8.4.2 8.4.2 IPv6 Multicast in this chapter; IPv6 PIM in the FTOS Command Line Reference Guide...
Path MTU Discovery IPv6 MTU Discovery is supported on platforms: c e s z. Path MTU (Maximum Transmission Unit), in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet.
IPv6 device to determine the relationship of the neighboring node. Note: To avoid problems with network discovery, Dell Force10 recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart.
IPv6 Neighbor Discovery of MTU packets With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The command ipv6 nd mtu sets the value advertised to routers.
SSH over an IPv6 Transport IPv6 SSH is supported on platforms: c e s. FTOS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. Refer to the chapter in the document for SSH...
default option sets the CAM Profile as follows: • L3 ACL (ipv4acl): 6 • L2 ACL (l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 Save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the...
One of the existing IPv6 addresses must be deleted before a new IPv6 address can be configured.
Command Syntax: ipv6 address ipv6 address/mask
Command Mode: CONFIG-INTERFACE
Purpose: Enter the IPv6 Address for the device. ipv6 address: x:x:x:x::x; mask: prefix length 0 to 128
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
Note: After you configure a static IPv6 route (ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor is not displayed in the show ipv6 route command output. Command Syntax Command Mode...
Telnet with IPv6 IPv6 Telnet is supported on platforms: c e s. The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router. Note: Telnet to link local addresses is not supported.
Show IPv6 Information All of the following show commands are supported on platforms: c e s. View specific IPv6 configuration with the following commands.
Command Syntax: show ipv6 ?
Command Mode: EXEC, EXEC Privileged
Purpose: List the IPv6 show options
FTOS#show ipv6 ?
accounting IPv6 accounting information...
Show an IPv6 Interface View the IPv6 configuration for a specific interface with the following command.
Command Syntax: show ipv6 interface type {slot/port}
Command Mode: EXEC
Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information: •...
Show IPv6 Routes View the global IPv6 routing information with the following command.
Command Syntax: show ipv6 route type
Command Mode: EXEC
Purpose: Show IPv6 routing information for the specified route type. Enter the keyword: • To display information about a network, enter (X:X:X:X::X).
Figure 25-10. Command Example: show running-config interface
FTOS#show run int gi 2/2
interface GigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
FTOS#
Clear IPv6 Routes Use the clear IPv6 route command to clear routes from the IPv6 routing table. Command Syntax Command Mode Purpose...
(SAN). iSCSI optimization enables the networking switch to auto-detect Dell’s iSCSI storage arrays and triggers a self-configuration of several key network configurations that enables the network to be optimized for better storage traffic throughput.
• iSCSI QoS—A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped.
(refer to QoS dot1p Traffic Classification and Queue Assignment). Dell Force10 recommends setting the CoS dot1p priority-queue to 0 (zero). You can configure whether iSCSI frames are re-marked to contain the configured VLAN priority tag or IP DSCP when forwarded through the switch.
Chapter 30, Link Layer Discovery Protocol (LLDP). The following message is displayed the first time a Dell EqualLogic array is detected and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports;...
The following message is displayed the first time you use the command to iscsi profile-compellent configure a port connected to a Dell Compellent storage array and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports;...
Enabling and Disabling iSCSI Optimization Note: iSCSI monitoring is disabled by default. iSCSI auto-configuration and auto-detection is enabled by default. If iSCSI is enabled, flow control will be automatically enabled on all interfaces. To disable the flow control on all interfaces, enter the command “no flow control rx on tx off” and save the configuration. To disable iSCSI optimization, which can turn on flow control again on reboot, enter the command “no iscsi enable”...
Table 26-1. iSCSI Optimization: Default Parameters
Parameter: Default Value
VLAN priority tag: iSCSI flows are assigned by default to dot1p priority 4 without remark setting.
DSCP: None: user-configurable.
Remark: Not configured.
iSCSI session aging time: 10 minutes
iSCSI optimization target ports: iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
Task: (Optional) Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication will be monitored, where: • tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests.
Command: [no] iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [address ip-address]
Command Mode: CONFIGURATION
Task: (Optional) Enter interface configuration mode to configure the auto-detection of Compellent disk arrays.
Command: interface port-type slot port
Command Mode: CONFIGURATION
Task: (Optional) Configures the auto-detection of Compellent arrays on a port. Default: Compellent disk arrays are not detected.
Command: [no] iscsi profile-compellent
Command Mode: INTERFACE
Displaying iSCSI Optimization Information Use the commands in...
FTOS 9.0.0.0 Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Force10 supports both IPv4 and IPv6 versions of IS-IS, as it is detailed in this chapter. •...
IS-IS is organized hierarchically into routing domains, and each router or system resides in at least one area. In IS-IS, routers are designated as Level 1, Level 2 or Level 1-2 systems. Level 1 routers only route traffic within an area, while Level 2 routers route traffic between areas. At its most basic, Level 1 systems route traffic within the area and any traffic destined for outside the area is sent to a Level 1-2 system.
Multi-Topology IS-IS FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform x supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. S-Series platform supports Multi-Topology IS-IS with FTOS 8.3.10.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Interface support MT IS-IS is supported on physical Ethernet interfaces, physical Sonet interfaces, port-channel interfaces (static & dynamic using LACP), and VLAN interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs.
By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. FTOS does not support ISO CLNS routing; however, the ISO NET format is supported for addressing. To support IPv6, the Dell Force10 implementation of IS-IS performs the following tasks: •...
Table 27-1 displays the default values for IS-IS.
Table 27-1. IS-IS Default Values
IS-IS Parameter: Default Value
Complete Sequence Number PDU (CSNP) interval: 10 seconds
IS-to-IS hello PDU interval: 10 seconds
IS-IS interface metric:
Metric style: Narrow
Designated Router priority:
Circuit Type: Level 1 and Level 2
IS Type...
• Set the overload bit on page 593 • Debug IS-IS on page 594 Enable IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
Task: Enter the interface configuration mode. Enter the keyword interface followed by the type of interface and slot/port information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information. •...
Command Syntax: interface interface
Command Mode: CONFIGURATION
Figure 27-2. Command Example: show isis protocol
FTOS#show isis protocol
IS-IS Router: <Null Tag>
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es):
 47.0004.004d.0001
Routing for area address(es):
 21.2223.2425.2627.2829.3031.3233
 47.0004.004d.0001
Interfaces supported by IS-IS:
 Vlan 2
 GigabitEthernet 4/22
 Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics:...
Configure Multi-Topology IS-IS (MT IS-IS)
Task: Enable Multi-Topology IS-IS for IPv6. Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in...
Command Syntax: multi-topology transition
Command Mode: ROUTER ISIS AF IPV6
Command Syntax: graceful-restart restart-wait seconds
Command Mode: ROUTER-ISIS
Purpose: Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the timer to adjacency on the restarting router when implementing this command. Range: 5-120 seconds Default: 30 seconds
Command Mode: ROUTER-ISIS
Purpose: Configure the time that the Graceful Restart timer T1...
Use the command show isis graceful-restart detail in EXEC Privilege mode to view all Graceful Restart related configuration.
Figure 27-4. Command Example: show isis graceful-restart detail
FTOS#show isis graceful-restart detail
Configured Timer Value
======================
Graceful Restart : Enabled
Interval/Blackout time : 1 min
T3 Timer : Manual...
Figure 27-5. Command Example: show isis interface
FTOS#show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
 MTU 1497, Encapsulation SAP
 Routing Protocol: IS-IS
 Circuit Type: Level-1-2
 Interface Index 0x62cc03a, Local circuit ID 1
 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01
 Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10
 Number of active level-1 adjacencies: 1
 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01...
Figure 27-6. Command Example: show running-config isis
FTOS#show running-config isis
router isis
 lsp-refresh-interval 902
 net 47.0005.0001.000C.000A.4321.00
 net 51.0005.0001.000C.000A.4321.00
FTOS#
Configure IS-IS metric style and cost All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
Figure 27-7. Command Example: show isis protocol
FTOS#show isis protocol
IS-IS Router: <Null Tag>
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es):
 47.0004.004d.0001
Routing for area address(es):
 21.2223.2425.2627.2829.3031.3233
 47.0004.004d.0001
Interfaces supported by IS-IS:
 Vlan 2
 GigabitEthernet 4/22
 Loopback 0
Redistributing:
Distance: 115
IS-IS metrics settings
Generate narrow metrics: level-1-2...
Table 27-3. Correct Value Range for the isis metric command
Metric Style: Correct Value Range
narrow transition: 0 to 63
transition: 0 to 63
Configuring the distance of a route Configure the distance for a route using the command distance from ROUTER ISIS mode. Change the IS-type You can configure the system to act as one of the following:...
Configure the prefix list in the PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, see Chapter 6, Access Control Lists (ACLs). IPv4 routes Use the following commands in ROUTER ISIS mode to apply prefix lists to incoming or outgoing IPv4 routes.
IPv6 routes Use these commands in ADDRESS-FAMILY IPV6 mode to apply prefix lists to incoming or outgoing IPv6 routes. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes. Command Syntax Command Mode Purpose...
Redistribute routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. Note: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution.
IPv6 routes Use any of these commands in ROUTER ISIS ADDRESS-FAMILY IPV6 mode to add routes from other routing instances or protocols. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes.
Use either or both of the commands in ROUTER ISIS mode to configure a simple text password.
Command Syntax: area-password [hmac-md5] password
Command Mode: ROUTER ISIS
Purpose: Configure authentication password for an area. FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs.
Figure 27-9. Command Example: show isis database
FTOS#show isis database
IS-IS Level-1 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
B233.00-00 0x00000003 0x07BF 1074 0/0/0
eljefe.00-00 * 0x0000000A 0xF963 1196 0/0/1
when overload bit is set, 1 is listed in...
Command Syntax: debug isis update-packets interface
Command Mode: EXEC Privilege
Purpose: View sent and received LSPs. To view specific information, enter one of the following optional parameters: • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style.
Table 27-4. Correct Value Range for the isis metric Command
Metric Style: Correct Value Range for the isis metric Command
wide: 0 to 16777215
narrow...
Table 27-5. Metric Value when Metric Style Changes (continued)
Beginning metric style | Final metric style | Resulting IS-IS metric value
transition | wide | original value
transition | narrow | original value
transition | narrow transition | original value
transition | wide transition | original value
narrow transition | wide | original value
narrow transition | narrow...
Leaking from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style.
Table 27-7. Metric Value with Different Levels Configured with Different Metric Styles
Level-1 metric style | Level-2 metric style | Resulting isis metric value
narrow | wide | original value...
Sample Configuration The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used.
Link Aggregation Control Protocol (LACP) Link Aggregation Control Protocol (LACP) is supported on platforms: e c s. The major sections in the chapter are: • Introduction to Dynamic LAGs and LACP • LACP Configuration Tasks • Shared LAG State Tracking •...
Important Points to Remember • LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted. •...
LACP Configuration Commands If aggregated ports are configured with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43. The following commands configure LACP: Command Syntax Command Mode Purpose [no] lacp system-priority CONFIGURATION Configure the system priority.
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the command tagged on the LAG as shown in the example below:
FTOS(conf)#interface vlan 10
FTOS(conf-if-vl-10)#tagged port-channel 32
Configure the LAG interfaces as dynamic After creating a LAG, configure the dynamic LAG interfaces.
To configure the LACP long timeout as shown in the example below:
Task: Set the LACP timeout value to 30 seconds.
Command Syntax: lacp long-timeout
Command Mode: CONFIG-INT-PO
FTOS(conf)# interface port-channel 32
FTOS(conf-if-po-32)#no shutdown
FTOS(conf-if-po-32)#switchport
FTOS(conf-if-po-32)#lacp long-timeout
FTOS(conf-if-po-32)#end
FTOS# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e800.a12b
Partner System ID: Priority 32768, Address 0001.e801.45a5...
Shared LAG State Tracking Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
R2#config
R2(conf)#port-channel failover-group
R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2
View the failover group configuration using the show running-configuration po-failover-group command, as shown in the example below.
R2#show running-config po-failover-group
port-channel failover-group
 group 1 port-channel 1 port-channel 2
In the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down upon the failure.
Configure LACP as Hitless is supported only on platforms: LACP on Dell Force10 systems can be configured to be hitless. When configured as hitless, there is no noticeable impact on dynamic LAG state upon an RPM failover. Critical LACP state information is synchronized between the two RPMs.
The sections are: • Configuring a LAG on ALPHA • Summary of the configuration on ALPHA • Summary of the configuration on BRAVO
[Figure: Port Channel 10 between ALPHA (Gig 2/31, Gig 2/32, Gig 2/33) and BRAVO (Gig 3/21, Gig 3/22, Gig 3/23)]
Configuring a LAG on ALPHA Creating a LAG on ALPHA.
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface"...
Shows the status of this physical interface, and shows it is part of port channel 10.
Alpha#sh int gig 2/31
GigabitEthernet 2/31 is up, line protocol is up
Port is part of Port-channel 10
Hardware is Force10Eth, address is 00:01:e8:06:95:c0
Current address is 00:01:e8:06:95:c0
Interface index is 109101113
Port will not be disabled on partial SFM failure...
Inspecting configuration of LAG 10 on ALPHA. Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Alpha#show int port-channel 10
Port-channel 10 is up, line protocol is up
Created by LACP protocol
Hardware address is 00:01:e8:06:96:63, Current address is 00:01:e8:06:96:63
Interface index is 1107755018
Confirms the number of links to bring up...
Using the show lacp command to verify LAG 10 status on ALPHA. Shows LAG status.
Alpha#sho lacp 10
Port-channel 10 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e806.953e
Partner System ID: Priority 32768, Address 0001.e809.c24a
Actor Admin Key 10, Oper Key 10, Partner Oper Key 10
LACP LAG 10 is an aggregatable link
A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout...
Summary of the configuration on ALPHA Summary of the configuration on ALPHA.
Alpha(conf-if-po-10)#int gig 2/31
Alpha(conf-if-gi-2/31)#no ip address
Alpha(conf-if-gi-2/31)#no switchport
Alpha(conf-if-gi-2/31)#shutdown
Alpha(conf-if-gi-2/31)#port-channel-protocol lacp
Alpha(conf-if-gi-2/31-lacp)#port-channel 10 mode active
Alpha(conf-if-gi-2/31-lacp)#no shut
Alpha(conf-if-gi-2/31)#show config
interface GigabitEthernet 2/31
 no ip address
 port-channel-protocol LACP
 port-channel 10 mode active
 no shutdown
Alpha(conf-if-gi-2/31)# interface Port-channel 10...
Summary of the configuration on BRAVO Summary of the configuration on BRAVO.
Bravo(conf-if-gi-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
interface Port-channel 10
 no ip address
 switchport
 no shutdown
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active...
Using the show interface command to inspect a LAG port on BRAVO. Shows the status of this interface. Also shows it is part of LAG 10.
Bravo#show int gig 3/21
GigabitEthernet 3/21 is up, line protocol is up
Port is part of Port-channel 10
Hardware is Force10Eth, address is 00:01:e8:09:c3:82
Current address is 00:01:e8:09:c3:82
Shows that this is a Layer 2 port...
Using the show interfaces port-channel command to inspect LAG 10. Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
FTOS#sh int port 10
Port-channel 10 is up, line protocol is up
Created by LACP protocol
Hardware address is 00:01:e8:09:c4:ef, Current address is 00:01:e8:09:c4:ef
Interface index is 1107755018...
Using the show lacp command to inspect LAG status. Shows LAG status.
FTOS#show lacp 10
Port-channel 10 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e809.c24a
Partner System ID: Priority 32768, Address 0001.e806.953e
Actor Admin Key 10, Oper Key 10, Partner Oper Key 10
LACP LAG 10 is an aggregatable link
A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout
E - Aggregatable Link, F - Individual Link, G - IN_SYNC, H - OUT_OF_SYNC...
Layer 2 Layer 2 features are supported on platforms: e c s z. This chapter describes the following Layer 2 features: • Managing the MAC Address Table • MAC Learning Limit • NIC Teaming • Microsoft Clustering • Configuring Redundant Pairs •...
Set the Aging Time for Dynamic Entries Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table.
Display the MAC Address Table To display the contents of the MAC address table:
Task: Display the contents of the MAC address table. • address displays the specified entry. •...
Command Syntax: show mac-address-table address aging-time vlan vlan-id count
Command Mode: EXEC Privilege
MAC Address Learning Limit is a method of port security on Layer 2 port-channel and physical interfaces, and VLANs. It enables you to set an upper limit on the number of MAC addresses that are learned on an interface/VLAN. After the limit is reached, the system drops all traffic from a device with an unlearned MAC address.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If sticky MAC is enabled, the specified port will retain any dynamically-learned addresses and prevent them from being transferred or learned on other ports. If mac-learning-limit is configured and sticky MAC is enabled, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
Station Move Violation Actions Station Move Violation Actions are supported only on platforms: S-Series (S25/S50). no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one of the following options with the command:
Per-VLAN MAC Learning Limit Per-VLAN MAC Learning Limit is available only on platform: An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In the following illustration, an Internet Exchange Point (IXP) connects multiple Internet Service Providers (ISPs).
Task Command Syntax Command Mode
FTOS#show mac learning-limit
Interface  Vlan  Learning  Dynamic    Static     Unknown SA
Slot/port        Limit     MAC count  MAC count  Drops
Gi 5/84
Gi 5/84
Gi 5/85
Gi 5/85
FTOS#show mac learning-limit interface gig 5/84
Interface  Vlan  Learning  Dynamic    Static     Unknown SA
Slot/port...
(in the above example, this is Port 0/5 of the switch). To ensure the MAC address is disassociated with one port and re-associated with another port in the ARP table, you must configure the command mac-address-table station-move refresh-arp on the Dell Force10 switch at the time that NIC teaming is being configured on the server.
When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration. If the active server sends a reply, the Dell Force10 switch learns the active server’s MAC address.
As shown in Figure 29-5, the server MAC address is given in the Ethernet frame header of the ARP reply, while the virtual MAC address representing the cluster is given in the payload. The command vlan-flooding directs the system to discover that there are different MAC addresses in an ARP reply and associate the virtual MAC address with the VLAN connected to the cluster.
Configuring Redundant Pairs Configuring Redundant Pairs is supported on platforms: e c s. Networks that employ switches that do not support Spanning Tree (STP) — for example, networks with Digital Subscriber Line Access Multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (Figure 29-6).
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active UP state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Figure 29-7. CLI for Configuring Redundant Layer 2 Pairs without Spanning Tree
FTOS(conf-if-range-gi-3/41-42)#switchport backup interface GigabitEthernet 3/42
FTOS(conf-if-range-gi-3/41-42)#show config
interface GigabitEthernet 3/41
 no ip address
 switchport
 switchport backup interface GigabitEthernet 3/42
 no shutdown
interface GigabitEthernet 3/42
 no ip address
 switchport
 no shutdown
FTOS(conf-if-range-gi-3/41-42)#
FTOS(conf-if-range-gi-3/41-42)#do show ip int brief | find 3/41...
Restricting Layer 2 Flooding
Restricting Layer 2 Flooding is supported only on platform:
When Layer 2 multicast traffic must be forwarded on a VLAN that has multiple ports with different speeds on the same port-pipe, forwarding is limited to the speed of the slowest port. Restricted Layer 2 Flooding prevents slower ports from lowering the throughput of multicast traffic on faster ports by restricting flooding to ports with a speed equal to or above a link speed you specify.
Far-end Failure Detection
Far-end Failure Detection is supported on platforms
Far-end Failure Detection (FEFD) is a protocol that senses remote data link errors in a network. It responds by sending a unidirectional report that triggers an echoed response after a specified time interval. FEFD can be enabled globally or locally on an interface basis.
FEFD state changes
FEFD has two operational modes, Normal and Aggressive. When Normal mode is enabled on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When Aggressive mode is enabled on an interface in the same state, manual intervention is required to reset the interface.
Important Points to Remember
• FEFD enabled ports are subject to an 8 to 10 second delay during an RPM failover before becoming operational.
• FEFD can be enabled globally or on a per interface basis. Interface FEFD configurations override global FEFD configurations.
Enable FEFD on an Interface
Entering the command fefd in INTERFACE mode enables FEFD on a per interface basis. To change the FEFD mode, supplement the fefd command in INTERFACE mode by entering the command fefd mode with the keyword aggressive or normal. To disable FEFD protocol on one interface, enter the command in INTERFACE mode.
Figure 29-13. Debug FEFD events display
FTOS#debug fefd events
FTOS#config
FTOS(conf)#int gi 1/0
FTOS(conf-if-gi-1/0)#shutdown
2w1d22h: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Gi 1/0
FTOS(conf-if-gi-1/0)#2w1d22h : FEFD state on Gi 1/0 changed from ANY to Unknown
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 1/0
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 4/0
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1
2w1d22h : FEFD state on Gi 4/0 changed from Bi-directional to Unknown...
Link Layer Discovery Protocol (LLDP)
Link Layer Discovery Protocol (LLDP) is supported only on platforms: e c s
This chapter contains the following sections:
• 802.1AB (LLDP) Overview
• TIA-1057 (LLDP-MED) Overview
• Configuring LLDP
802.1AB (LLDP) Overview
Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.1AB—is a protocol that enables a LAN device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Figure 30-1. Type, Length, Value (TLV) Segment
TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 30-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements.
Figure 30-2. LLDPDU Frame
Optional TLVs
FTOS supports the following optional TLVs:
• Management TLVs
• IEEE 802.1 and 802.3 Organizationally Specific TLVs
• TIA-1057 Organizationally Specific TLVs
Management TLVs
A Management TLV is an Optional TLVs sub-type. This kind of TLV contains essential management information about the sender.
Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups (Table 30-2) as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Force10 system to advertise any or all of these TLVs. Table 30-2. Optional TLV Types...
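The TLV and LLDPDU structure described above can be checked mechanically when auditing what a neighbor advertises. The parser below is an added example, not code from the FTOS guide; it assumes the IEEE 802.1AB TLV header layout (7-bit type, 9-bit length), and the LLDPDU it parses is constructed sample data (the MAC address, port name and system name are illustrative).

```python
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_ORG_SPECIFIC = 5, 127

# OUIs that prefix organizationally specific TLVs (type 127)
OUI_NAMES = {
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("00120f"): "IEEE 802.3",
    bytes.fromhex("0012bb"): "TIA-1057 (LLDP-MED)",
}


class LLDPError(ValueError):
    """Raised when an LLDPDU is malformed."""


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(payload):
    """Return [(type, value), ...] up to the End of LLDPDU TLV."""
    tlvs, offset = [], 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(payload):
            raise LLDPError(
                f"TLV type {tlv_type} claims {length} bytes, "
                f"only {len(payload) - offset} remain")
        if tlv_type == TLV_END:
            if length:
                raise LLDPError("End of LLDPDU TLV must be empty")
            return tlvs
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
    raise LLDPError("LLDPDU has no End of LLDPDU TLV")


def summarize(payload):
    """Validate the mandatory TLVs and decode the fields of interest."""
    tlvs = parse_tlvs(payload)
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first, in order")
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV has an invalid length")
    summary = {
        "chassis_subtype": chassis[0], "chassis_id": chassis[1:],
        "port_subtype": port[0], "port_id": port[1:],
        "ttl": struct.unpack("!H", ttl)[0],
        "system_name": None, "org_specific": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == TLV_SYSTEM_NAME:
            summary["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_ORG_SPECIFIC:
            if len(value) < 4:
                raise LLDPError("organizationally specific TLV lacks OUI/subtype")
            oui = value[:3]
            summary["org_specific"].append(
                (OUI_NAMES.get(oui, oui.hex("-")), value[3], value[4:]))
    return summary


# Constructed sample LLDPDU (illustrative values, not a capture).
SAMPLE_LLDPDU = b"".join([
    build_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0001e80a05ad")),
    build_tlv(TLV_PORT_ID, b"\x05" + b"GigabitEthernet 1/31"),
    build_tlv(TLV_TTL, struct.pack("!H", 120)),
    build_tlv(TLV_SYSTEM_NAME, b"R1"),
    # IEEE 802.1 port VLAN ID (subtype 1), VLAN 100
    build_tlv(TLV_ORG_SPECIFIC, bytes.fromhex("0080c2") + b"\x01"
              + struct.pack("!H", 100)),
    # LLDP-MED capabilities (subtype 1), device type 4 = Network Connectivity
    build_tlv(TLV_ORG_SPECIFIC, bytes.fromhex("0012bb") + b"\x01"
              + struct.pack("!HB", 0x0003, 4)),
    build_tlv(TLV_END, b""),
])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LLDPDU).items():
        print(f"{key}: {value}")
```

A length field that runs past the end of the frame, or a frame without the End of LLDPDU TLV, raises LLDPError instead of being silently truncated.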
LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • transmitting an LLDP-MED capabilities TLV to endpoint devices •...
• The possible values of the LLDP-MED Device Type are listed in Table 30-5. The Dell Force10 system is a Network Connectivity device, which is Type 4. When you enable LLDP-MED in FTOS (using the command advertise med) the system begins transmitting this TLV.
Figure 30-4. LLDP-MED Capabilities TLV Table 30-4. FTOS LLDP-MED Capabilities Bit Position FTOS Support LLDP-MED Capabilities Network Policy Location Identification Extended Power via MDI-PSE Extended Power via MDI-PD Inventory 6-15 reserved Table 30-5. LLDP-MED Device Types Value Device Type Type Not Defined Endpoint Class 1 Endpoint Class 2 Endpoint Class 3...
The application type is represented by an integer (the Type integer in Table 30-6), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED Network Policy TLV is generated for each application type that you specify with the FTOS CLI (Advertising TLVs on page 652).
802.3af powered, LLDP-MED endpoint device. Power Type: there are two possible power types: Power Sourcing Entity (PSE) or Power Device (PD). • The Dell Force10 system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification. •...
Dell Force10 systems support up to 8 neighbors per interface. • Dell Force10 systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by 8 exceeds the maximum, the system will not configure more than 8000.
Advertising TLVs
You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
• If you configure the system globally, all interfaces will send LLDPDUs with the specified TLVs.
• If you configure an interface, only the interface will send LLDPDUs with the specified TLVs.
If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration.
Figure 30-8. Configuring LLDP
Viewing the LLDP Configuration
Display the LLDP configuration using the command show config in either the CONFIGURATION or INTERFACE mode, as shown in Figure 30-9 and Figure 30-10, respectively.
Figure 30-9. Viewing LLDP Global Configurations
R1(conf)#protocol lldp
R1(conf-lldp)#show config
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id...
Figure 30-10. Viewing LLDP Interface Configurations
R1(conf-lldp)#exit
R1(conf)#interface gigabitethernet 1/31
R1(conf-if-gi-1/31)#show config
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
R1(conf-if-gi-1/31)#protocol lldp
R1(conf-if-gi-1/31-lldp)#show config
protocol lldp
R1(conf-if-gi-1/31-lldp)#
Viewing Information Advertised by Adjacent LLDP Agents
Display brief information about adjacent devices using the command show lldp neighbors, as shown in Figure...
R1(conf-lldp)#
Configuring Transmit and Receive Mode
Once LLDP is enabled, Dell Force10 systems transmit and receive LLDPDUs by default. You can configure the system—at CONFIGURATION level or INTERFACE level—to transmit only by executing the command , or receive only by executing the command .
TTL, Len: 2, Value: 120 1w1d19h : TLV: SYS_DESC, Len: 207, Value:Dell Force10 Networks Real Time Operating System Software. Dell Force10 Operating System Version: 1.0. Dell Force10 Application Software Version: 8.3.11.4. Copyright (c)1999-2011 Dell Inc. Time: Fri Oct 26 12:22:22 PDT 2007 1w1d19h :...
Table 30-7. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether the local LLDP agent is enabled for transmit, receive, or both msgTxHold lldpMessageTxHoldMultiplier Multiplier value msgTxInterval lldpMessageTxInterval Transmit Interval value rxInfoTTL lldpRxInfoTTL Time to Live for received TLVs...
Table 30-8. LLDP System MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Port ID port subtype Local lldpLocPortIdSubtype Remote lldpRemPortIdSubtype port ID Local lldpLocPortId Remote lldpRemPortId Port Description port description Local lldpLocPortDesc Remote lldpRemPortDesc System Name system name Local lldpLocSysName...
Table 30-9. LLDP 802.1 Organizationally Specific TLV MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object Port and Protocol port and protocol VLAN supported Local lldpXdot1LocProtoVlanSupported VLAN ID Remote lldpXdot1RemProtoVlanSupported port and protocol VLAN enabled Local lldpXdot1LocProtoVlanEnabled Remote lldpXdot1RemProtoVlanEnabled PPVID...
Table 30-10. LLDP-MED System MIB Objects TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Network Policy Application Type Local lldpXMedLocMediaPolicyAppType Remote lldpXMedRemMediaPolicyAppType Unknown Policy Flag Local lldpXMedLocMediaPolicyUnknown Remote lldpXMedLocMediaPolicyUnknown Tagged Flag Local lldpXMedLocMediaPolicyTag Remote lldpXMedLocMediaPolicyTag VLAN ID Local...
Table 30-10. LLDP-MED System MIB Objects TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Extended Power via Power Device Type Local lldpXMedLocXPoEDeviceType Remote lldpXMedRemXPoEDeviceType Power Source Local lldpXMedLocXPoEPSEPowerSource, lldpXMedLocXPoEPDPowerSource Remote lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource Power Priority Local lldpXMedLocXPoEPDPowerPriority,...
Multicast Source Discovery Protocol (MSDP)
Multicast Source Discovery Protocol (MSDP) is supported on platform
Protocol Overview
Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP.
RPs advertise each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 31-2.
Configuring Multicast Source Discovery Protocol
Configuring MSDP is a three-step process:
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Figure 31-5 and MSDP Sample Configurations on page 688 show the OSPF-BGP configuration used in this chapter for MSDP. Otherwise, see Chapter 34, Open Shortest Path First (OSPFv2) and Chapter 9, Border Gateway Protocol.
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
Task: Enable MSDP.
Command Syntax: ip multicast-msdp
Command Mode: CONFIGURATION
Task: Peer PIM systems in different administrative domains.
Command Syntax: ip msdp peer connect-source
Command Mode: CONFIGURATION
Figure 31-7. Configuring an MSDP Peer
R3_E600(conf)#ip multicast-msdp
R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
R3_E600(conf)#do show ip msdp summary
Peer Addr...
• RPs can transmit SA messages periodically to prevent SA storms, and • only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information. View the Source-active Cache Task Command Syntax Command Mode View the SA cache.
• the peer RP is unreachable,
• or because of an SA message format error.
Task: Cache rejected sources.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION
Accept Source-active Messages that fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check. •...
Figure 31-10. MSDP Default Peer (panels: Scenario 1, Scenario 2)
Task: Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
Command Syntax: ip msdp default-peer ip-address list
Command Mode: CONFIGURATION
If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check.
Prevent MSDP from Caching a Local Source
You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs.
Task: OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION
Prevent MSDP from Caching a Remote Source
Task: OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION
Task: Prevent the system from caching remote sources learned from a specific peer based on source and group.
Command Syntax: ip msdp sa-filter list out peer list ext-acl
Command Mode: CONFIGURATION
Prevent MSDP from Advertising a Local Source
Task: Prevent an RP from advertising a source in the SA cache.
Command Syntax: ip msdp sa-filter list in peer list ext-acl
Command Mode: CONFIGURATION
In Figure 31-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires.
Log Changes in Peership States
Task: Log peership state changes.
Command Syntax: ip msdp log-adjacency-changes
Command Mode: CONFIGURATION
Terminate a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
Task Command Syntax Command Mode...
Clear Peer Statistics
Task: Reset the TCP connection to the peer and clear all peer statistics.
Command Syntax: clear ip msdp peer peer-address
Command Mode: CONFIGURATION
Figure 31-16. Clearing Peer Statistics
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0 State: Established...
Figure 31-18. MSDP with Anycast RP (10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40 GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40 AS X PC 2 PC 3 Area 0 Source Receiver AS Y Area 0...
Reducing Source-active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule.
Figure 31-19. R1 Configuration for MSDP with Anycast RP
ip multicast-routing
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32...
Figure 31-20. R2 Configuration for MSDP with Anycast RP
ip multicast-routing
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
interface Loopback 0
 ip pim sparse-mode...
Figure 31-21. R3 Configuration for MSDP with Anycast RP
ip multicast-routing
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
router ospf 1
 network 10.11.6.0/24 area 0...
MSDP Sample Configurations
The following figures show the running-configurations for the routers shown in figures Figure 31-5, Figure 31-4, Figure 31-5, Figure 31-6.
Figure 31-22. MSDP Sample Configuration: R1 Running-config
ip multicast-routing
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24...
Figure 31-23. MSDP Sample Configuration: R2 Running-config
ip multicast-routing
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
interface Loopback 0
 ip address 192.168.0.2/32...
Figure 31-24. MSDP Sample Configuration: R3 Running-config
ip multicast-routing
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown...
Figure 31-25. MSDP Sample Configuration: R4 Running-config
ip multicast-routing
interface GigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
interface GigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
interface GigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
router ospf 1...
Multiple Spanning Tree Protocol (MSTP)
Multiple Spanning Tree Protocol (MSTP) is supported on platforms: e c s z
Protocol Overview
Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
FTOS supports three other variations of Spanning Tree, as shown in Table 32-1.
Table 32-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term | IEEE Specification
Spanning Tree Protocol | 802.1d
Rapid Spanning Tree Protocol | 802.1w
Multiple Spanning Tree Protocol | 802.1s
Per-VLAN Spanning Tree Plus...
• Preventing Network Disruptions with BPDU Guard on page 1011
• SNMP Traps for Root Elections and Topology Changes on page 875
• Configuring Spanning Trees as Hitless on page 1017
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP:
Step Task Command Syntax...
Create Multiple Spanning Tree Instances
A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP you must create multiple MSTIs and map VLANs to them. Create an MSTI using the command msti from PROTOCOL MSTP mode. Specify the keyword vlan followed by the VLANs that you want to participate in the MSTI, as shown in...
Influence MSTP Root Selection
MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it will become the root bridge. To change the bridge priority:
Task: Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root...
Command Syntax: msti instance bridge-priority priority
Command Mode: PROTOCOL MSTP
For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for name and revision will match on all Dell Force10 FTOS equipment. If you have non-FTOS equipment that will participate in MSTP, ensure these values match on all the equipment.
Default: 15 seconds Change the hello-time parameter. PROTOCOL MSTP hello-time seconds Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10 Default: 2 seconds Change the max-age parameter. PROTOCOL MSTP...
Table 32-2 lists the default values for port cost by interface.
Table 32-2. MSTP Default Port Cost Values
Port Cost | Default Value
100-Mb/s Ethernet interfaces | 200000
1-Gigabit Ethernet interfaces | 20000
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000...
To enable EdgePort on an interface, use the following command:
Task: Enable EdgePort on an interface.
Command Syntax: spanning-tree mstp edge-port bpduguard | shutdown-on-violation
Command Mode: INTERFACE
Verify that EdgePort is enabled on a port using the command show config from the INTERFACE mode, as shown in Figure...
MSTP Sample Configurations
The running-configurations in Figure 32-10, Figure 32-11, and Figure 32-11 support the topology shown in Figure 32-9. The configurations are from FTOS systems. An S50 system using SFTOS, configured as shown in Figure 32-13, could be substituted for an FTOS router in this sample topology and MSTP would function as designed.
Figure 32-10. Router 1 Running-configuration
protocol spanning-tree mstp
 no disable                        <-- Enable MSTP globally
 name Tahiti                       <-- Set Region Name and Revision
 revision 123
 MSTI 1 VLAN 100                   <-- Map MSTP Instances to VLANs
 MSTI 2 VLAN 200,300
interface GigabitEthernet 1/21
 no ip address
 switchport                        <-- Assign Layer-2 interfaces
 no shutdown...
Figure 32-11. Router 2 Running-configuration
protocol spanning-tree mstp
 no disable                        <-- Enable MSTP globally
 name Tahiti                       <-- Set Region Name and Revision
 revision 123
 MSTI 1 VLAN 100                   <-- Map MSTP Instances to VLANs
 MSTI 2 VLAN 200,300
interface GigabitEthernet 2/11
 no ip address
 switchport
 no shutdown                       <-- Assign Layer-2 interfaces...
Figure 32-12. Router 3 Running-configuration
protocol spanning-tree mstp
 no disable                        <-- Enable MSTP globally
 name Tahiti                       <-- Set Region Name and Revision
 revision 123
 MSTI 1 VLAN 100                   <-- Map MSTP Instances to VLANs
 MSTI 2 VLAN 200,300
interface GigabitEthernet 3/11
 no ip address
 switchport
 no shutdown                       <-- Assign Layer-2 interfaces...
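The region-matching requirement and the sample running-configurations above lend themselves to an automated audit. The script below is an added example, not part of the FTOS guide; it assumes the three matching qualities are the region name, the revision, and the VLAN-to-instance mapping. The R1 to R3 region settings follow Figures 32-10 to 32-12, R4 is a constructed mismatch, and the R4 interface number is illustrative.

```python
import re


def expand_vlans(spec):
    """Expand a VLAN list such as '200,300-302' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_region(config):
    """Extract name, revision and VLAN-to-MSTI map from a running-config."""
    region = {"name": None, "revision": None, "vlans": {}}
    in_stanza = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # a top-level line opens a new stanza
            in_stanza = raw.strip().lower() == "protocol spanning-tree mstp"
            continue
        if not in_stanza:
            continue
        line = raw.strip()
        if m := re.fullmatch(r"name\s+(\S+)", line, re.I):
            region["name"] = m.group(1)   # case is preserved on purpose
        elif m := re.fullmatch(r"revision\s+(\d+)", line, re.I):
            region["revision"] = int(m.group(1))
        elif m := re.fullmatch(r"msti\s+(\d+)\s+vlan\s+(.+)", line, re.I):
            instance = int(m.group(1))
            for vlan in expand_vlans(m.group(2)):
                if region["vlans"].setdefault(vlan, instance) != instance:
                    raise ValueError(f"VLAN {vlan} mapped to two instances")
    return region


def region_mismatches(configs, reference):
    """Return {switch: [differences]} relative to the reference switch."""
    ref = parse_region(configs[reference])
    report = {}
    for switch, text in configs.items():
        region = parse_region(text)
        diffs = []
        if region["name"] != ref["name"]:
            diffs.append("name")
        if region["revision"] != ref["revision"]:
            diffs.append("revision")
        # VLANs not mapped to an MSTI belong to instance 0.
        moved = sorted(
            vlan for vlan in set(region["vlans"]) | set(ref["vlans"])
            if region["vlans"].get(vlan, 0) != ref["vlans"].get(vlan, 0))
        if moved:
            diffs.append("vlan-map " + ",".join(map(str, moved)))
        if diffs:
            report[switch] = diffs
    return report


def make_config(name, revision, mstis, port):
    """Render a minimal running-config in the layout of Figure 32-10."""
    lines = ["protocol spanning-tree mstp", " no disable",
             f" name {name}", f" revision {revision}"]
    lines += [f" MSTI {inst} VLAN {vlans}" for inst, vlans in mstis]
    lines += ["!", f"interface GigabitEthernet {port}",
              " no ip address", " switchport", " no shutdown"]
    return "\n".join(lines)


FIGURE_MSTIS = [(1, "100"), (2, "200,300")]
SAMPLE_CONFIGS = {
    "R1": make_config("Tahiti", 123, FIGURE_MSTIS, "1/21"),
    "R2": make_config("Tahiti", 123, FIGURE_MSTIS, "2/11"),
    "R3": make_config("Tahiti", 123, FIGURE_MSTIS, "3/11"),
    # Constructed mismatch: lower-case name and VLAN 300 moved to MSTI 1.
    "R4": make_config("tahiti", 123, [(1, "100,300"), (2, "200")], "4/1"),
}

if __name__ == "__main__":
    for switch, diffs in region_mismatches(SAMPLE_CONFIGS, "R1").items():
        print(f"{switch} is outside R1's region: {', '.join(diffs)}")
```

The comparison is deliberately case-sensitive, because the requirement is an exact match.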
Multicast Features
Multicast Features are supported on platforms: e c s
This chapter contains the following sections:
• Enable IP Multicast on page 709
• Multicast with ECMP on page 710
• First Packet Forwarding for Lossless Multicast on page 711
•...
Multicast with ECMP Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal cost links. When creating the shared-tree Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple, equal-cost paths, the PIM selects the route with the least number of currently running multicast streams.
Both scenarios might be unacceptable depending on the multicast application. Beginning with the FTOS versions above, when the Dell Force10 system is the RP, and has receivers for a group G, it forwards all initial multicast packets for the group based on the (*,G) entry rather than discarding them until the (S,G) entry is created, making Dell Force10 systems suitable for applications sensitive to multicast packet loss.
Multicast Policies
FTOS offers parallel Multicast features for IPv4 and IPv6.
• IPv4 Multicast Policies on page 712
• IPv6 Multicast Policies on page 717
IPv4 Multicast Policies
• Limit the Number of Multicast Routes on page 712
• Prevent a Host from Joining a Group on page 713
•...
Note: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit might be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set by the is reached.
Figure 33-2. Preventing a Host from Joining a Group
Rate Limit IGMP Join Requests
If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined using the command ip igmp group-join-limit from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built in to IGMP so that their membership is delayed rather than permanently denied.
Figure 33-3. Preventing a Source from Transmitting to a Group
PIM SM router from creating state based on multicast source and/or group.
ip pim join-filter
Note: Dell Force10 recommends that you do not use the ip pim join-filter command on an interface between a source and the RP router. Use of this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Prevent an IPv6 Neighbor from Forming an Adjacency
Task: Prevent a router from participating in PIM.
Command Syntax: ipv6 pim neighbor-filter access-list
Command Mode: CONFIGURATION
FTOS(conf)#ipv6 pim neighbor-filter NEIGH_ACL
FTOS(conf)#ipv6 access-list NEIGH_ACL
FTOS(conf-ipv6-acl)#show config
ipv6 access-list NEIGH_ACL
 seq 5 deny ipv6 host fe80::201:e8ff:fe0a:5ad any
 seq 10 permit ipv6 any any
FTOS(conf-ipv6-acl)#
Prevent an IPv6 Source from Registering with the RP...
RPF neighbor. While computing the RPF neighbor, static mroutes and mBGP routes are preferred over unicast routes. When a Dell Force10 system is the last hop to the destination, FTOS sends a response to the query.
Open Shortest Path First (OSPFv2 and OSPFv3)
Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms c e s Z
Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms c e Z
OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0;...
Protocol Overview Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
Figure 34-1. Autonomous System Areas
Area Types
The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous.
Each router has a unique ID, written in decimal format (A.B.C.D). The router ID does not have to be associated with a valid IP address. However, Dell Force10 recommends that the router ID and the router’s IP address reflect each other to make troubleshooting easier.
Figure 34-2. OSPF Routing Examples
Backbone Router (BR)
A Backbone Router (BR) is part of the OSPF Backbone, Area 0. This includes all Area Border Routers (ABRs). It can also include any routers that connect only to the Backbone and another ABR, but are only part of Area 0, such as Router I in Figure 34-2 above.
Area Border Router (ABR)
Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms.
• OSPFv2 always discards unknown LSA types.
The LSA types supported by Dell Force10 are defined as follows:
• Type 1 - Router LSA
•...
For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the Link-State ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object to which this link connects.
Figure 34-3. Priority and Costs Example
Implementing OSPF with FTOS
FTOS supports up to 10,000 OSPF routes. Within that 10,000 up to 8,000 routes can be designated as external and up to 2,000 designated as inter/intra area routes. FTOS version 7.8.1.0 and later support multiple OSPF processes (OSPF MP). The S-Series supports up to 16 processes simultaneously.
LSAs, thereby notifying its neighbors that the restart is complete. This should happen before the grace period expires. Dell Force10 routers support the following OSPF graceful restart functionality: • Restarting role in which a router is enabled to perform its own graceful restart.
OSPFv3 supports “helper-only” and “restarting-only” roles. The “helper-only” role is enabled by default. To enable the restarting role in addition to the “helper-only” role, you must configure a grace period. You reconfigure OSPFv3 graceful restart to a “restarting-only” role when you enable the helper-reject role on an interface.
• The Z9000 supports up to 16 OSPFv2 processes. Each OSPFv2 process has a unique process ID and must have an associated Router ID. An equal number of interfaces must be in Layer-3 mode for the number of processes created. For example, if 5 OSPFv2 processes are created on a system, there must be at least 5 interfaces assigned in Layer-3 mode.
OSPF Adjacency with Cisco Routers To establish an OSPF adjacency between Dell Force10 and Cisco routers, the hello interval and dead interval must be the same on both routers. In FTOS the OSPF dead interval value is, by default, set to 40 seconds, and is independent of the OSPF hello interval.
To ensure equal intervals between the routers, manually set the dead interval of the Dell Force10 router to match the Cisco configuration. Use the command ip ospf dead-interval <x> in INTERFACE mode.
Figure 34-6. Command Example: ip ospf intervals
FTOS(conf)#int gi 2/2...
2. Enable OSPF globally. Assign network area and neighbors. 3. Add interfaces or configure other attributes. The following configuration steps include two mandatory steps and several optional ones: • Enable OSPFv2 (mandatory) • Enable Multi-Process OSPF • Assign an OSPFv2 area (mandatory) •...
% Error: No router ID available. In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting:...
Enable Multi-Process OSPF Multi-Process OSPF allows multiple OSPFv2 processes on a single router. For more information, see Multi-Process OSPF (OSPFv2, IPv4 only). Follow the same steps as above when configuring a single OSPF process. Repeat them as often as necessary for the desired number of processes. Once the process is created, all other configurations apply as usual.
In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting. Command Syntax Command Mode...
IP Address to an Area FTOS(conf-router_ospf-1)#network 20.20.20.20/24 area 2 FTOS(conf-router_ospf-1)# Dell Force10 recommends that the OSPFv2 Router ID be the interface IP addresses for easier management and troubleshooting. Use the command in CONFIGURATION ROUTER OSPF mode to view the configuration.
Figure 34-10. Command Example: show ip ospf process-id interface
FTOS>show ip ospf 1 interface
GigabitEthernet 12/17 is up, line protocol is up
 Internet Address 10.2.2.1/24, Area 0.0.0.0
 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5...
Configure stub areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the Area Border Router (ABR) advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
Configure OSPF Stub-Router Advertisement
Configure OSPF Stub-Router Advertisement is supported on platforms:
When you bring a new router onto an OSPF network, you can configure the router to function as a stub area by globally reconfiguring the OSPF link cost so that other routers do not use a path that forwards traffic destined to other networks through the new router for a specified time until the router’s switching and routing functions are up and running, and the routing tables in network routers have converged.
Enable passive interfaces
A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface will neither send nor receive routing updates, the network on that interface will still be included in OSPF updates sent via other interfaces.
34-15). Note: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Higher convergence levels should only be selected following consultation with Dell Force10 technical support. Open Shortest Path First (OSPFv2 and OSPFv3)
Figure 34-14 shows the convergence settings when fast-convergence is enabled and Figure 34-15 shows settings when fast-convergence is disabled. These displays appear with the show ip ospf command.
Figure 34-14. Command Example: show ip ospf process-id (fast-convergence enabled)
FTOS(conf-router_ospf-1)#fast-converge 2
FTOS(conf-router_ospf-1)#ex
FTOS(conf)#ex
FTOS#show ip ospf 1...
Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces:
Command Syntax: ip ospf cost
Command Mode: CONFIG-INTERFACE
Usage: Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed)....
Graceful Restart is enabled for the global OSPF process. Use these commands to configure OSPFv2 graceful restart. Refer to Graceful Restart for feature details. The Dell Force10 implementation of OSPFv2 graceful restart enables you to specify:
• grace period—the length of time the graceful restart process can last before OSPF terminates it....
• helper-reject neighbors—the router ID of each restart router that does not receive assistance from the configured router.
• mode—the situation or situations that trigger a graceful restart.
• role—the role or roles the configured router can perform.
By default, OSPFv2 graceful restart is disabled.
Figure 34-17. Command Example: show run ospf
FTOS#show run ospf
router ospf 1
 graceful-restart grace-period 300
 graceful-restart role helper-only
 graceful-restart mode unplanned-only
 graceful-restart helper-reject 10.1.1.1
 graceful-restart helper-reject 20.1.1.1
 network 10.0.2.0/24 area 0
Use the following command to disable OSPFv2 graceful-restart after you have enabled it. Command Syntax Command Mode Usage...
Use the following command in CONFIGURATION ROUTER OSPF mode to configure virtual links.
Command Mode: CONFIG-ROUTER-OSPF-id
Usage: Configure the optional parameters of a virtual link:
Command Syntax: area area-id virtual-link router-id hello-interval seconds | retransmit-interval seconds | transmit-delay seconds | dead-interval seconds |...
Command Syntax: seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
Command Mode: CONFIG-PREFIX LIST
Usage: Create a prefix list with a sequence number and a deny or permit action. The optional parameters are:
ge min-prefix-length: is the minimum prefix length to be matched (0 to 32)....
To view the current OSPF configuration, use the show running-config ospf command in the EXEC mode or the show config command in the ROUTER OSPF mode.
Figure 34-19. Command Example: show config
FTOS(conf-router_ospf)#show config
router ospf 34
 network 10.1.2.32 0.0.0.255 area 2.2.2.2
 network 10.1.3.24 0.0.0.255 area 3.3.3.3
 distribute-list dilling in
FTOS(conf-router_ospf)#...
Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes.
Command Syntax: show running-config ospf
Command Mode: EXEC Privilege
Usage: View the summary of all OSPF process IDs enabled on the router.
Figure 34-20. Command Example: show running-config ospf
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process:
Command Syntax: debug ip ospf process-id [ event | packet | spf ]
Command Mode: EXEC Privilege
Usage: View debug messages. To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id.
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Configuration Task List for OSPFv3 (OSPF for IPv6) Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands. Process IDs and areas need to be specified. Interfaces and addresses need to be included in the process.
Enable IPv6 Unicast Routing
Command Syntax: ipv6 unicast routing
Command Mode: CONFIGURATION
Usage: Enables IPv6 unicast routing globally.
Assign IPv6 addresses on an interface
Command Syntax: ipv6 address ipv6 address
Command Mode: CONF-INT-type slot/port
Usage: Assign IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon...
Assign OSPFv3 Process ID and Router ID Globally
Command Syntax: ipv6 router ospf {process ID}
Command Mode: CONFIGURATION
Usage: Enable the OSPFv3 process globally and enter OSPFv3 mode. Range: 0-65535
Command Syntax: router-id {number}
Command Mode: CONF-IPV6-ROUTER-OSPF
Usage: Assign the Router ID for this OSPFv3 process. number: IPv4 address Format: A.B.C.D...
Configure Passive-Interface
Use the following command to suppress the interface’s participation on an OSPFv3 interface. This command stops the router from sending updates on that interface.
Command Syntax: passive-interface {type slot/port}
Command Mode: CONF-IPV6-ROUTER-OSPF
Usage: Specify whether some or all of the interfaces will be passive.
Redistribute routes
You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process.
Command Mode: CONF-IPV6-ROUTER-OSPF
Usage: Specify which routes will be redistributed
Command Syntax: redistribute { bgp | connected | static } [ metric...
Enable OSPFv3 graceful restart Graceful Restart for OSPFv3 is supported on platforms . Refer to Graceful Restart for more information on the feature. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands:
Command Syntax: show run ospf
Command Mode: EXEC Privilege
Usage: Display the graceful-restart configuration for OSPFv2 and OSPFv3 (Figure 34-23)
Command Syntax: show ipv6 ospf database grace-lsa
Command Mode: EXEC Privilege
Usage: Display the Type-11 Grace LSAs sent and received on an...
Command Example: show ipv6 ospf database database-summary Figure 34-24. FTOS#show ipv6 ospf database database-summary OSPFv3 Router with ID (200.1.1.1) (Process ID 1) Process 1 database summary Type Count/Status Oper Status Admin Status Area Bdr Rtr Status AS Bdr Rtr Status AS Scope LSA Count AS Scope LSA Cksum sum Originate New LSAS...
OSPFv3 Authentication Using IPsec
OSPFv3 Authentication Using IPsec is supported only on platforms:
Starting in release 8.4.2.0, OSPFv3 uses IP Security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers.
OSPFv3 Authentication using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552, including:
• To use IPsec, you configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets.
• Configuring IPsec Authentication for an OSPFv3 Area
• Configuring IPsec Encryption for an OSPFv3 Area
• Displaying OSPFv3 IPsec Security Policies
Configuring IPsec Authentication on an Interface
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for...
Configuring IPsec Encryption on an Interface Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
To remove an IPsec encryption policy from an interface, enter the no ipv6 ospf encryption ipsec spi number command. To remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area, enter the command.
To display the configuration of IPsec authentication policies on the router, enter the show crypto ipsec policy command.
Configuring IPsec Encryption for an OSPFv3 Area
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
Note that when you configure encryption with the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area with the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you...
Figure 34-26. Command Example: show crypto ipsec policy
(Figure callout: In this encryption policy, the keys are not encrypted.)
FTOS#show crypto ipsec policy
Crypto IPSec client security policy data
Policy name : OSPFv3-1-502
Policy refcount
Inbound ESP SPI : 502 (0x1F6)
Outbound ESP SPI : 502 (0x1F6)
Inbound ESP Auth Key...
To display the IPsec security associations (SAs) used on OSPFv3 interfaces, enter the following command:
Command Syntax: show crypto ipsec sa ipv6 [ interface interface ]
Command Mode: EXEC Privilege
Usage: Displays security associations set up for OSPFv3 links in IPsec authentication and encryption policies on the router.
Figure 34-27. Command Example: show crypto ipsec sa ipv6
FTOS#show crypto ipsec sa ipv6
Interface: TenGigabitEthernet 0/0
Link Local address: fe80::201:e8ff:fe40:4d10
IPSecv6 policy name: OSPFv3-1-500
inbound ah sas
spi : 500 (0x1f4)
transform : ah-md5-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound ah sas...
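A check an operator might run over saved output of the command in Figure 34-27, as an added example that is not from the Dell Force10 guide: it parses show crypto ipsec sa ipv6 text and reports SAs that use the MD5 transform, SAs without replay detection (RFC 4552 relies on manual keying, which does not provide replay protection), SAs that are not ACTIVE, and interfaces whose inbound and outbound SAs differ or are missing. The sample text is constructed from the fields visible in the figure; the second interface, the transform name ah-sha1-hmac, and the function names are assumptions.

```python
import re

# Constructed sample input. The first inbound block repeats the fields visible in
# Figure 34-27; the outbound block and the second interface are constructed, and
# the transform name ah-sha1-hmac is an assumption.
SAMPLE = """\
Interface: TenGigabitEthernet 0/0
  Link Local address: fe80::201:e8ff:fe40:4d10
  IPSecv6 policy name: OSPFv3-1-500
    inbound ah sas
      spi : 500 (0x1f4)
      transform : ah-md5-hmac
      in use settings : {Transport, }
      replay detection support : N
      STATUS : ACTIVE
    outbound ah sas
      spi : 500 (0x1f4)
      transform : ah-md5-hmac
      in use settings : {Transport, }
      replay detection support : N
      STATUS : ACTIVE
Interface: TenGigabitEthernet 0/1
  Link Local address: fe80::201:e8ff:fe40:4d11
  IPSecv6 policy name: OSPFv3-1-600
    inbound ah sas
      spi : 600 (0x258)
      transform : ah-sha1-hmac
      in use settings : {Transport, }
      replay detection support : N
      STATUS : ACTIVE
"""

SA_HEADER = re.compile(r"^(inbound|outbound)\s+(ah|esp)\s+sas$", re.IGNORECASE)
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_sas(text):
    """Return one dict per SA block, tagged with interface, policy and direction."""
    sas, iface, policy, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SA_HEADER.match(line)
        if header:
            current = {"interface": iface, "policy": policy,
                       "direction": header.group(1).lower(),
                       "protocol": header.group(2).lower()}
            sas.append(current)
            continue
        field = FIELD.match(line)
        if not field:
            continue  # prompts, blank lines and anything without "key : value"
        key, value = field.group(1).strip().lower(), field.group(2).strip()
        if key == "interface":
            iface, policy, current = value, None, None  # a new interface section starts
        elif key == "ipsecv6 policy name":
            policy = value
        elif current is not None:
            current[key] = value  # spi, transform, status, ...
    return sas


def audit(sas):
    """Return (kind, where, detail) findings for a list of parsed SAs."""
    findings, pairs = [], {}
    for sa in sas:
        spi = (sa.get("spi") or "?").split()[0]
        where = f"{sa['interface']} {sa['direction']} {sa['protocol']} spi {spi}"
        transform = sa.get("transform", "")
        if "md5" in transform.lower():
            findings.append(("weak-hash", where, transform))
        if sa.get("replay detection support", "").upper() != "Y":
            # Informational: manual keying cannot provide replay protection.
            findings.append(("no-replay-detection", where, "expected with manual keys"))
        if sa.get("status", "").upper() != "ACTIVE":
            findings.append(("sa-not-active", where, sa.get("status", "missing")))
        pairs.setdefault((sa["interface"], sa["protocol"]), {})[sa["direction"]] = (spi, transform)
    # Each interface should carry a matching inbound and outbound SA.
    for (iface, proto), dirs in pairs.items():
        missing = {"inbound", "outbound"} - set(dirs)
        if missing:
            findings.append(("missing-direction", f"{iface} {proto}", ", ".join(sorted(missing))))
        elif dirs["inbound"] != dirs["outbound"]:
            findings.append(("sa-mismatch", f"{iface} {proto}",
                             f"{dirs['inbound']} vs {dirs['outbound']}"))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit(parse_sas(SAMPLE)):
        print(f"{kind:20} {where:45} {detail}")
```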
Troubleshooting OSPFv3
FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt the OSPFv3 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks. •...
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv3 process: Command Syntax Command Mode Usage EXEC Privilege View debug messages for all OSPFv3 interfaces. debug ipv6 ospf event packet type slot • : View OSPF event messages. event port •...
Implementation Information • The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05. • C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries.
Requesting Multicast Traffic A host requesting multicast traffic for a particular group sends an IGMP Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
source, including the RP, create an (S,G) entry and list the interface on which the message was received as an outgoing interface, thus recreating a SPT to the source. 3. Once the RP starts receiving multicast traffic via the (S,G) it unicasts a Register-Stop message to the first-hop DR so that multicast packets are no longer encapsulated in PIM Register packets and unicast.
Enable PIM-SM
You must enable PIM-SM on each participating interface:
Task: Enable multicast routing on the system.
Command: ip multicast-routing
Command Mode: CONFIGURATION
Task: Enable PIM-Sparse Mode
Command: ip pim sparse-mode
Command Mode: INTERFACE
Display which interfaces are enabled with PIM-SM using the show ip pim interface command from EXEC Privilege mode, as shown in...
Task: Set the expiry time for a specific (S,G) entry (Figure 35-4). Range 211-86400 seconds Default: 210
Command Syntax: ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name
Command Mode: CONFIGURATION
Note: The expiry time configuration is nullified, and the default global expiry time is used if: •...
Override Bootstrap Router Updates
PIM-SM routers need to know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. If you have configured a static RP for a group, use the override option with the ip pim rp-address command...
FTOS supports graceful restart based on the GenID. A Dell Force10 PIM router announces its graceful restart capability to its neighbors up front as an option in its hello messages.
In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Force10 system allows itself to be taken off the forwarding path if it restarts. Enable this mode using the command .
Port Monitoring
Port Monitoring is supported on platforms: e c s z
Port Monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG).
• The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 36-1 lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe.
On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system.
The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n). However, n number of ports may only have four different destination ports (Message Figure 36-2. Number of Monitoring Ports on the C-Series and S-Series FTOS#show mon session SessionID Source...
Figure 36-4. Number of Monitoring Ports on the C-Series and S-Series FTOS(conf-mon-sess-300)#do show mon session SessionID Source Destination Direction Mode Type --------- ------ ----------- --------- ---- ---- Gi 0/13 Gi 0/1 interface Port-based Gi 0/14 Gi 0/2 interface Port-based Gi 0/15 Gi 0/3 interface Port-based...
Configuring Port Monitoring
To configure port monitoring:
Task: Verify that the intended monitoring port has no configuration other than no shutdown, as shown in Figure 36-6.
Command Syntax: show interface
Command Mode: EXEC Privilege
Command Syntax: monitor session
Command Mode: CONFIGURATION
Task: Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in...
[Figure: port monitoring example showing Host, Server and Sniffer, with Host Traffic and Server Traffic]
FTOS(conf-if-gi-1/2)#show config
interface GigabitEthernet 1/2
 no ip address
 no shutdown
FTOS(conf )#monitor session 0
FTOS(conf-mon-sess-0)#source gig 1/1 destination gig 1/2 direction rx
Flow-based Monitoring
Flow-based Monitoring is supported only on platform
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface.
Figure 36-8. Configuring Flow-based Monitoring
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#flow-based enable
FTOS(conf)#ip access-list ext testflow
FTOS(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
FTOS(config-ext-nacl)#seq 10 permit ip 102.1.1.0/24 any count bytes monitor
FTOS(config-ext-nacl)#seq 15 deny udp any any count bytes
FTOS(config-ext-nacl)#seq 20 deny tcp any any count bytes
FTOS(config-ext-nacl)#exit
FTOS(conf)#interface gig 1/1...
Private VLANs (PVLAN)
Private VLANs (PVLAN) feature is supported on platforms: c s z
For syntax details on the commands discussed in this chapter, see the Private VLANs Commands chapter in the FTOS Command Line Reference.
This chapter contains the following major sections: •...
• Ports in a community VLAN can communicate with each other.
• Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
• A community VLAN can only contain ports configured as host.
Isolated VLAN — An isolated VLAN is a type of secondary VLAN in a primary VLAN: •...
Private VLAN Commands
The commands dedicated to supporting the Private VLANs feature are:
Table 37-1. Private VLAN Commands
Task: Enable/disable Layer 3 communication between secondary VLANs.
Command Syntax: [no] ip local-proxy-arp
Command Mode: INTERFACE VLAN
Note: Even after ip-local-proxy-arp is disabled (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the ARP...
Private VLAN Configuration Task List
The following sections contain the procedures that configure a private VLAN:
• Creating PVLAN ports
• Creating a Primary VLAN on page 799
• Creating a Community VLAN on page 800
• Creating an Isolated VLAN on page 800
Creating PVLAN ports
Private VLAN ports are those that will be assigned to the private VLAN (PVLAN).
Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs. Step Command Syntax Command Mode...
Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN. Step Command Syntax Command Mode Purpose...
The result is that:
• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports.
• The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
• show vlan private-vlan mapping: Display the primary-secondary VLAN mapping. See the example output from the S50V, above, in Figure 37-6.
• show commands revised to display PVLAN data are:
 • show arp
 •
See revised output in Figure 37-7.
Figure 37-8. Example running-config Output of PVLAN Configuration from S50V
interface GigabitEthernet 0/3
 no ip address
 switchport
 switchport mode private-vlan promiscuous
 no shutdown
interface GigabitEthernet 0/4
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown
interface GigabitEthernet 0/5
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown...
FTOS supports three other variations of Spanning Tree, as shown in Table 38-1.
Table 38-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term: IEEE Specification
Spanning Tree Protocol (STP): 802.1d
Rapid Spanning Tree Protocol (RSTP): 802.1w
Per-VLAN Spanning Tree Plus (PVST+) | 805...
The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (Table 38-2). Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are values you intended. •...
Default: 15 seconds
Task: Change the hello-time parameter.
Command Syntax: vlan hello-time
Command Mode: PROTOCOL PVST
Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time.
Range: 1 to 10
Default: 2 seconds
Note: The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Force10 systems in a multi-vendor network, verify that the costs are values you intended.
Task: Change the port priority of an interface.
Command Syntax: spanning-tree pvst vlan priority
Command Mode: INTERFACE
Range: 0 to 240, in increments of 16
Default: 128
The values for interface PVST+ parameters are given in the output of the command show spanning-tree, as shown in Figure...
If PVST+ is enabled on the Dell Force10 switch in this network, P1 and P2 receive BPDUs from each other. Ordinarily, the Bridge ID in the frame matches the Root ID, a loop is detected, and the rules of convergence require that P2 move to blocking state because it has the lowest port ID.
[Figure labels: VLAN unaware; Dell Force10 System; untagged in VLAN 10; untagged in VLAN 20; moves to blocking unless Extended System ID is enabled]
Task: Augment the Bridge ID with the VLAN ID.
Command Syntax: extend system-id
Command Mode: PROTOCOL PVST
FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief...
Figure 38-6. PVST+ Sample Configuration: R1 Running-configuration
interface GigabitEthernet 1/22
 no ip address
 switchport
 no shutdown
interface GigabitEthernet 1/32
 no ip address
 switchport
 no shutdown
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
interface Vlan 100
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
interface Vlan 200...
Figure 38-7. PVST+ Sample Configuration: R2 Running-configuration
interface GigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
interface GigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
interface Vlan 100
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
interface Vlan 200
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
interface Vlan 300...
Quality of Service (QoS)
Quality of Service (QoS) is supported on platforms: e c s z
Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per port-pipe. Traffic is queued on ingress and egress.
Table 39-1. FTOS Support for Port-based, Policy-based, and Multicast QoS Features Feature Platform Direction Create an input QoS policy Ingress c e s Configure policy-based rate policing c e s Set a DSCP value for egress packets Set a dot1p value for egress packets c e s Create an output QoS policy Egress...
Implementation Information
The Dell Force10 QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication. It also implements these Internet Engineering Task Force (IETF) documents:
• RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers
•...
• Set dot1p Priorities for Incoming Traffic
• Configure Port-based Rate Policing
• Configure Port-based Rate Limiting
• Configure Port-based Rate Shaping
Set dot1p Priorities for Incoming Traffic
Change the priority of incoming traffic on the interface using the dot1p-priority command from INTERFACE mode, as shown in...
On the C-Series and S-Series you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic entry supersedes any INTERFACE entries. See Mapping dot1p values to service queues on page 834.
Figure 39-5. Displaying your Rate Policing Configuration
FTOS#show interfaces gigabitEthernet 1/2 rate police
Rate police 300 (50) peak 800 (50)
Traffic Monitor 0: normal 300 (50) peak 800 (50)
Out of profile yellow 23386960 red 320605113
Traffic Monitor 1: normal NA peak NA
Out of profile yellow 0 red 0
Traffic Monitor 2: normal NA peak NA
Out of profile yellow 0 red 0...
Figure 39-7. Displaying How Your Rate Limiting Configuration Affects Traffic
FTOS#show interfaces gigabitEthernet 1/1 rate limit
Rate limit 300 (50) peak 800 (50)
Traffic Monitor 0: normal 300 (50) peak 800 (50)
Out of profile yellow 23386960 red 320605113
Traffic Monitor 1: normal NA peak NA
Out of profile yellow 0 red 0
Traffic Monitor 2: normal NA peak NA
Out of profile yellow 0 red 0...
2. Once you create a class-map, FTOS places you in CLASS MAP mode. From this mode, specify your match criteria using the command match ip, as shown in Figure 39-10. Match-any class maps allow up to five ACLs, and match-all class-maps allow only one ACL.
3.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the keyword order to specify the order in which you want to apply ACL rules, as shown in Figure 39-10. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended.
FTOS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified in two Queues, 1 and 2.
Packets value shown in the "show qos statistics" command is reset. Note: To avoid issues caused by misconfiguration, Dell Force10 recommends configuring either DCBX or Egress QoS features, but not both simultaneously. If both DCBX and Egress QoS are enabled at the same time, the DCBX configuration will be applied and unexpected behavior will occur on the Egress QoS.
Set a DSCP value for egress packets based on ingress QoS classification, as shown in Figure 39-2. The 6 bits that are used for DSCP are also used to identify the queue in which traffic is buffered. When you set a DSCP value, FTOS displays an informational message advising you of the queue to which you should apply the QoS policy (using the command from POLICY-MAP-IN mode).
Note: Dell Force10 recommends assigning bandwidth to all queues. If queues are left un-allocated, the remaining bandwidth is shared equally among the un-allocated queues. If the sum of the allocated bandwidth percentage exceeds 100%, 1% from the allocated queues will be assigned to each un-allocated queue.
Specify WRED drop precedence
Specify WRED drop precedence is supported only on platform
Specify a WRED profile to yellow and/or green traffic using the wred command from QOS-POLICY-OUT mode. See Apply a WRED profile to traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Create Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
Table 39-5. Default DSCP to Queue Mapping DSCP/CP E-Series C-Series S-Series range Traditional IP Internal Internal Internal DSCP/CP (XXX)xxx DSCP Definition Precedence Queue ID Queue ID Queue ID decimal 111XXX Network Control 48–63 110XXX Internetwork Control 101XXX EF (Expedited CRITIC/ECP Forwarding) 32–47 100XXX...
When using QoS service policies with multiple class maps, you can configure FTOS to use the incoming DSCP or dot1p marking as a secondary option for packet queuing in the event that no match occurs in the class maps. When class-maps are used, traffic is matched against each class-map sequentially from first to last. The sequence is based on the priority of the rules, as follows: 1.
To enable Fall Back to trust diffserve or dot1p:
Task: Classify packets according to their DSCP value as a secondary option in case no match occurs against the configured class maps.
Command Syntax: trust diffserve | dot1p fallback
Command Mode: POLICY-MAP-IN
2. Once you create an output policy map, do one or more of the following:
• Apply an output QoS policy to a queue
• Specify an aggregate QoS policy
• Apply an output policy map to an interface
3. Apply the policy map to an interface. See page
Apply an output QoS policy to a queue
Apply an output QoS policy to queues using the command...
QoS Rate Adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration.
Command Syntax: qos-rate-adjust overhead-bytes
Command Mode: CONFIGURATION
Default: Disabled
C-Series and S-Series Range: 1-31
Task: Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations....
[Figure 39-13. Packet Drop Rate for WRED; axes: packets dropped (0 Pckts to All Pckts) against Buffer Space (up to Total Buffer Space)]
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 39-7. Pre-defined WRED Profiles (E-Series) Default Profile Minimum Maximum Name...
FTOS assigns a color (also called drop precedence)—red, yellow, or green—to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell Force10 uses the first three bits of this field (DP) to determine the drop precedence. DP values of 110 and 100 map to yellow, and all other values map to green.
Display WRED Drop Statistics Display the number of packets FTOS dropped by WRED Profile using the command show qos statistics from EXEC Privilege mode. Figure 39-16. show qos statistics Command Example (E-Series) FTOS#show qos statistics wred-profile Interface Gi 5/11 Queue# Drop-statistic WRED-name Dropped Pkts...
Pre-calculating Available QoS CAM Space
Pre-calculating Available QoS CAM Space is supported on platforms: c e s
Before version 7.3.1 there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; 1 to 16 entries might be used per rule depending upon its complexity).
• Exception indicates that the number of CAM entries required to write the policy-map to the CAM is greater than the number of available CAM entries, and therefore the policy-map cannot be applied to an interface in the specified port-pipe. Note: The command provides much of the same information as , but...
Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is supported only on platforms: e c s z
Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. •...
RIPv2 RIPv2 adds support for subnet fields in the RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next hop addresses. Another enhancement included in RIPv2 is multicasting for route updates on IP multicast address 224.0.0.9.
• Control route metrics on page 851 (optional)
• Summarize routes on page 850 (optional)
• Control route metrics on page 851
• Debug RIP on page 851
For a complete listing of all commands related to RIP, refer to the FTOS Command Reference.
Figure 40-2. show ip rip database Command Example (Partial)
FTOS#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16
 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16 auto-summary
2.0.0.0/8
 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
2.0.0.0/8 auto-summary
4.0.0.0/8
 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
4.0.0.0/8 auto-summary...
Page 847
Command Syntax: neighbor ip-address
Command Mode: ROUTER RIP
Purpose: Define a specific router to exchange RIP information between it and the Dell Force10 system. You can use this command multiple times to exchange RIP information with as many RIP networks as you want.
ROUTER RIP...
Page 848
Command Syntax: redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
Command Mode: ROUTER RIP
Purpose: Include specific OSPF routes in RIP. Configure the following parameters:
• process-id range: 1 to 65535
•...
Page 849
Figure 40-3. show ip protocols Command Example FTOS#show ip protocols Routing Protocols is RIP Sending updates every 30 seconds, next due in 23 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is...
Figure 40-5. show ip protocols Command Example FTOS#show ip protocols Routing Protocols is RIP Sending updates every 30 seconds, next due in 11 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is...
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The autosummary command requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary.
Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
To enable RIP debugging, use the following command in the EXEC privilege mode:
Command Syntax: debug ip rip [interface | database | events | trigger]
Command Mode: EXEC privilege
Purpose: Enable debugging of RIP.
Figure 40-6 shows the confirmation when the debug function is enabled. Figure 40-6.
Configuring RIPv2 on Core 2 Figure 40-8. Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/31)# Core2(conf-if-gi-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config router rip network 10.0.0.0 version 2 Core2(conf-router_rip)# Core 2 Output The screenshots in this section are: •...
Page 854
Figure 40-10. Using show ip route Command to Show RIP Configuration on Core 2 Core2#show ip route Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,...
RIP Configuration on Core 3 Figure 40-12. RIP Configuration on Core 3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.0 version 2 Core3(conf-router_rip)# Core 3 RIP Output The screenshots in this section are: •...
Page 856
Figure 40-14. Using show ip routes for Core 3 RIP Setup Core3#show ip routes Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,...
RIP Configuration Summary Figure 40-16. Summary of Core 2 RIP Configuration Using Output of show run Command interface GigabitEthernet 2/11 ip address 10.11.10.1/24 no shutdown interface GigabitEthernet 2/31 ip address 10.11.20.2/24 no shutdown interface GigabitEthernet 2/41 ip address 10.200.10.1/24 no shutdown interface GigabitEthernet 2/42 ip address 10.250.10.1/24 no shutdown...
Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Force10 Ethernet Interfaces. RMON operates with SNMP and monitors all nodes on a LAN segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Chassis Down—When a chassis goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file, and the sampling process continues after the chassis returns to operation. Platform Adaptation—RMON supports all Dell Force10 chassis and all Dell Force10 Ethernet Interfaces.
Page 861
Set rmon alarm
To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command:
Command Syntax: [no] rmon alarm number variable
Command Mode: CONFIGURATION
Purpose: Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
Figure 41-1. rmon alarm Command Example
FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1
(Callouts: Alarm Number, MIB Variable, Monitor Interval, Counter Value Limit, Triggered Event)
The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Figure 41-2. rmon event Command Example
FTOS(conf)#rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1
The above configuration example creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command.
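The alarm and event from Figures 41-1 and 41-2, modelled in Python as an added example (not code from this guide or from FTOS). It assumes the standard RMON alarm hysteresis, where a rising event is not repeated until a sample has dropped to the falling threshold, and Counter32 wrap-around for delta sampling; the counter readings are constructed.

```python
import shlex
from dataclasses import dataclass, field

COUNTER32 = 2 ** 32  # ifOutErrors is a Counter32: it wraps to 0 after 2^32 - 1

# Commands as shown in Figures 41-1 and 41-2.
ALARM_CLI = ("rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta "
             "rising-threshold 15 1 falling-threshold 0 owner nms1")
EVENT_CLI = 'rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1'
# Constructed raw ifOutErrors readings, one per 20-second interval (includes a wrap).
READINGS = [4294967290, 4294967292, 12, 40, 70, 70, 75, 100]


@dataclass
class RmonAlarm:
    number: int
    variable: str            # OID being sampled
    interval: int            # seconds between samples
    sample_type: str         # "delta" or "absolute"
    rising_threshold: int
    rising_event: int        # event number fired on a rising crossing
    falling_threshold: int
    owner: str = ""
    previous: int = field(default=None, repr=False)       # last raw reading
    last_crossing: str = field(default=None, repr=False)  # hysteresis state

    @classmethod
    def from_cli(cls, line):
        """Parse the command form shown in Figure 41-1."""
        t = line.split()
        if (len(t) < 11 or t[:2] != ["rmon", "alarm"]
                or t[5] not in ("delta", "absolute")
                or t[6] != "rising-threshold" or t[9] != "falling-threshold"):
            raise ValueError(f"unexpected rmon alarm syntax: {line!r}")
        owner = t[12] if len(t) > 12 and t[11] == "owner" else ""
        return cls(int(t[2]), t[3], int(t[4]), t[5],
                   int(t[7]), int(t[8]), int(t[10]), owner)

    def sample(self, counter):
        """Feed one raw reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.previous is None:       # first reading only primes the delta
                self.previous = counter
                return None
            value = (counter - self.previous) % COUNTER32  # survives counter wrap
            self.previous = counter
        else:
            value = counter
        if value >= self.rising_threshold and self.last_crossing != "rising":
            self.last_crossing = "rising"
            return "rising"
        if value <= self.falling_threshold and self.last_crossing != "falling":
            self.last_crossing = "falling"
            return "falling"
        return None                         # between thresholds, or already reported


def parse_event(line):
    """Parse the command form shown in Figure 41-2 into (number, settings)."""
    t = shlex.split(line)                   # keeps the quoted description together
    if len(t) < 3 or t[:2] != ["rmon", "event"]:
        raise ValueError(f"unexpected rmon event syntax: {line!r}")

    def value_after(keyword):
        return t[t.index(keyword) + 1] if keyword in t[3:] else None

    return int(t[2]), {"log": "log" in t[3:], "trap": value_after("trap"),
                       "description": value_after("description"),
                       "owner": value_after("owner")}


def run(alarm, events, readings):
    """Return (seconds, crossing, event description) for every crossing."""
    fired = []
    for i, counter in enumerate(readings):
        crossing = alarm.sample(counter)
        if crossing == "rising":
            event = events.get(alarm.rising_event, {})
            fired.append((i * alarm.interval, "rising", event.get("description")))
        elif crossing == "falling":
            # Figure 41-1 names no falling event; the crossing only re-arms the alarm.
            fired.append((i * alarm.interval, "falling", None))
    return fired


if __name__ == "__main__":
    number, event = parse_event(EVENT_CLI)
    for seconds, crossing, text in run(RmonAlarm.from_cli(ALARM_CLI), {number: event}, READINGS):
        print(f"t={seconds:>3}s {crossing:<7} {text or '(re-arms the rising threshold)'}")
```

Deltas of 28 and 30 errors at t=60 s and t=80 s produce no second log entry: an NMS watching only for event 1 sees one entry per error burst, not one per interval.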
Configure RMON collection history
To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command. Command Syntax Command Mode Purpose...
STP and MSTP. FTOS supports three other variations of Spanning Tree, as shown in Table 42-1. Table 42-1. FTOS Supported Spanning Tree Protocols Dell Force10 Term IEEE Specification Spanning Tree Protocol (STP) 802.1d Rapid Spanning Tree Protocol 802.1w...
VLANs sends multiple messages to the RSTP task. When using the range command, Dell Force10 recommends limiting the range to 5 ports and 40 VLANs. RSTP and VLT VLT provides loop-free redundant topologies and does not require rapid spanning tree protocol (RSTP).
Configure Interfaces for Layer 2 Mode All interfaces on all bridges that will participate in Rapid Spanning Tree must be in Layer 2 and enabled. Figure 42-1. Configuring Interfaces for Layer 2 Mode R1(conf)# int range gi 1/1 - 4 R1(conf-if-gi-1/1-4)# switchport R1(conf-if-gi-1/1-4)# no shutdown R1(conf-if-gi-1/1-4)#show config...
Enable Rapid Spanning Tree Protocol Globally Rapid Spanning Tree Protocol must be enabled globally on all participating bridges; it is not enabled by default. To enable Rapid Spanning Tree globally for all Layer 2 interfaces: Step Task Command Syntax Command Mode Enter the PROTOCOL SPANNING TREE RSTP protocol spanning-tree rstp CONFIGURATIO...
Page 869
Figure 42-4. Rapid Spanning Tree Enabled Globally root Forwarding Blocking Port 684 (GigabitEthernet 4/43) is alternate Discarding Discarding Port path cost 20000, Port priority 128, Port Identifier 128.684 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.684, designated path cost 20000 Number of transitions to forwarding state 0 BPDU : sent 3, received 219...
Page 870
Figure 42-5. show spanning-tree rstp Command Example FTOS#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.cbb4 Configured hello time 2, max age 20, forward delay 15, max hops 0 We are the root Current root has priority 32768, Address 0001.e801.cbb4 Number of topology changes 4, last change occurred 00:02:17 ago on Gi 1/26...
Max-age is the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology. Note: Dell Force10 recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTG parameters can negatively impact network performance.
RSTP • Default: 15 seconds Change the hello-time parameter. PROTOCOL hello-time seconds Note: With large configurations (especially those with more ports) Dell SPANNING TREE Force10 recommends that you increase the hello-time. RSTP Range: 1 to 10 Default: 2 seconds Change the max-age parameter.
Verify that EdgePort is enabled on a port using the show spanning-tree rstp command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 42-7. ...
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1 If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
Figure 42-8. bridge-priority Command Example
FTOS(conf-rstp)#bridge-priority 4096
04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd
(Callouts: Old root bridge ID, New root bridge ID)
SNMP Traps for Root Elections and Topology Changes
Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the command snmp-server enable traps xstp.
Fast Hellos for Link State Detection...
Security
Security features are supported on platforms: e c s z
This chapter discusses several ways to provide access security to the Dell Force10 system. Platform-specific features are identified by the icons (as shown below). • AAA Accounting on page 877 •...
Configure Accounting of EXEC and privilege-level command usage The network access server monitors the accounting functions defined in the TACACS+ attribute/value (AV) pairs. In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
Accounting (AAA) to help secure networks against unauthorized access. In the Dell Force10 implementation, the Dell Force10 system acts as a RADIUS or TACACS+ client and sends authentication requests to a central RADIUS or TACACS+ server that contains all user authentication and network service access information.
show config in LINE mode or the show running-config in the EXEC Privilege mode.
Note: Dell Force10 recommends that you use the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with SSH.
You can create multiple method lists and assign them to different terminal lines.
Enable AAA Authentication To enable AAA authentication, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose CONFIGURATION • —Uses the listed authentication aaa authentication enable default methods that follow this argument as the [... default method-list-nam method1 default list of methods when a user logs in.
Server-side configuration TACACS+: When using TACACS+, Dell Force10 sends an initial packet with service type SVC_ENABLE, and then, a second packet with just the password. The TACACS server must have an entry for username $enable$. RADIUS: When using RADIUS authentication, FTOS sends an authentication packet with the following: Username: $enab15$ Password: <password-entered-by-user>...
By default, commands in FTOS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level. For example, to reach the protocol spanning-tree command, you must log in to the router, enter the enable command for privilege level 15 (this is the default level for the command) and then enter the CONFIGURATION mode.
Configure the enable password command
To configure FTOS, you must use the enable command to enter the EXEC Privilege level 15. After entering the command, FTOS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level. A password for any privilege level can always be changed.
Page 886
To assign commands and passwords to a custom privilege level, you must be in privilege level 15 and use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose CONFIGURATION Assign a user name and password. Configure the username name access-class optional and required parameters:...
Page 887
Figure 43-2. Configuring a Custom Privilege Level
(Callouts: The user john is assigned privilege level 8 and assigned a password. All other users are assigned a password to access privilege level 8.)
FTOS(conf)#username john privilege 8 password john
FTOS(conf)#enable password level 8 notjohn
FTOS(conf)#privilege exec level 8 configure
FTOS(conf)#privilege config level 8 snmp-server
FTOS(conf)#end...
RADIUS server and a RADIUS client (the Dell Force10 system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: •...
RADIUS Authentication and Authorization
FTOS supports RADIUS for user authentication (text password) at login, and RADIUS can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can configure to limit the attributes of services available to a user.
Auto-command
You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. To do this, use the command auto-command. The auto-command is executed when the user is authenticated and before the prompt appears to the user.
Set access to privilege levels through RADIUS
Through the RADIUS server, you can use the command to configure a privilege level for the...
Command Syntax: aaa authorization exec {method-list-name | default} radius tacacs+
Command Mode: CONFIGURATION
Purpose: Create methodlist with RADIUS and TACACS+ as authorization methods. Typical order of methods: RADIUS, TACACS+, Local, None. If authorization is denied by RADIUS, the session ends (radius should not be the last method specified).
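A configuration check for the method-list guidance in this chapter (none only as a backup, none and enable unusable with SSH, radius not the last method for EXEC authorization), as an added example that is not part of the guide. The running-config excerpt is constructed, and the finding names are this example's own.

```python
import re

# Method-list commands named in this chapter; the list name is "default" or user-defined.
AAA_RE = re.compile(
    r"^aaa (authentication (?:login|enable)|authorization exec) (\S+) (.+)$")

# Constructed running-config excerpt (not from the guide).
SAMPLE_CONFIG = """\
aaa authentication login default radius tacacs+ local
aaa authentication login console_list none local
aaa authentication enable default enable none
aaa authentication login lab none
aaa authorization exec default tacacs+ radius
ip ssh server enable
"""


def _norm(line):
    """Collapse runs of whitespace so indentation does not affect matching."""
    return " ".join(line.split())


def parse_method_lists(config):
    """Return (kind, list_name, [methods]) for every AAA method-list line."""
    found = []
    for raw in config.splitlines():
        m = AAA_RE.match(_norm(raw))
        if m:
            found.append((m.group(1), m.group(2), m.group(3).split()))
    return found


def audit(config):
    """Return (config line, finding id, reason) tuples in configuration order."""
    ssh_enabled = any(_norm(l) == "ip ssh server enable" for l in config.splitlines())
    findings = []
    for kind, name, methods in parse_method_lists(config):
        line = f"aaa {kind} {name} {' '.join(methods)}"
        if kind.startswith("authentication") and "none" in methods:
            if methods == ["none"]:
                findings.append((line, "none-only", "users are never authenticated"))
            elif methods[-1] != "none":
                findings.append((line, "none-not-backup",
                                 "none is listed ahead of an authenticating method"))
            else:
                findings.append((line, "none-fallback",
                                 "access is unauthenticated whenever none is reached"))
        if (kind == "authentication login" and ssh_enabled
                and set(methods) <= {"none", "enable"}):
            findings.append((line, "ssh-no-method",
                             "none and enable do not work with SSH"))
        if kind == "authorization exec" and methods[-1] == "radius":
            findings.append((line, "radius-last",
                             "radius should not be the last method specified"))
    return findings


if __name__ == "__main__":
    for line, finding, reason in audit(SAMPLE_CONFIG):
        print(f"{finding:<16} {line}  ({reason})")
```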
Page 892
To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If multiple RADIUS server hosts are configured, FTOS attempts to connect with them in the order in which they were configured. When FTOS attempts to authenticate a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response.
To view the configuration of RADIUS communication parameters, use the show running-config command in the EXEC Privilege mode.
Monitor RADIUS
To view information on RADIUS transactions, use the following command in the EXEC Privilege mode:
Command Syntax: debug radius
Command Mode: EXEC Privilege
Purpose: View RADIUS transactions to troubleshoot...
Page 894
To select TACACS as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode:
Command Syntax: tacacs-server host {ip-address | host}
Command Mode: CONFIGURATION
Purpose: Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server.
Page 896
Figure 43-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
FTOS#
FTOS#
Command Authorization
The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
Page 898
To enable the SSH server for version 1 or 2 only, use the following command:
Command Syntax: ip ssh server version
Command Mode: CONFIGURATION
Purpose: Configure the Dell Force10 system as an SSH server that uses only version 1 or 2.
Figure 43-6. Specifying an SSH version
FTOS(conf)#ip ssh server version 2
FTOS(conf)#do show ip ssh
SSH server : disabled.
SSH server version : v2.
Password Authentication : enabled.
Hostbased Authentication : disabled.
Authentication : disabled.
To disable SSH server functions, enter no ip ssh server enable.
Using SCP with SSH to copy a software image
To use Secure Copy (SCP) to copy a software image through an SSH connection from one switch to...
2, respectively.
SSH Authentication by Password
Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Force10 system. This is the simplest method of authentication and uses SSH version 1. Enable SSH password authentication using the command...
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
Copy the public key id_rsa.pub to the Dell Force10 system.
Disable password authentication if enabled (CONFIGURATION mode): no ip ssh password-authentication enable
Enable RSA authentication....
Page 902
Figure 43-11. Creating rhosts
admin@Unix_client# ls
id_rsa id_rsa.pub rhosts shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin
Copy the file shosts and rhosts to the Dell Force10 system.
Disable password authentication and RSA authentication, if configured (CONFIGURATION mode):
• no ip ssh password-authentication
• no ip ssh rsa-authentication
•...
Message 2 RSA Authentication Error
%Error: No username set for this term.
• Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine). Message 3 appears if you attempt to log in via SSH and host-based is disabled on the client....
Trace Lists
The Trace Lists feature is supported only on the E-Series:
You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
Page 905
Creating a trace list
Trace lists filter and log traffic based on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. When configuring the Trace list filters, include the count bytes parameters so that any hits to that filter are logged. Since traffic passes through the filter in the order of the filter’...
Page 906
Step Command Syntax Command Mode Purpose TRACE LIST Configure a trace list filter for TCP seq sequence-number deny permit packets. host ip-address source mask ]] { • : An IP address as the source IP operator port port destination mask source address for the filter to match.
Page 907
Figure 43-13. Trace list Using seq Command Example
FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any
FTOS(config-trace-acl)#show conf
ip trace-list dilling
 seq 5 permit tcp 121.1.0.0 0.0.255.255 any
 seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#
If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
Page 908
Command Syntax Command Mode Purpose TRACE LIST Configure a deny or permit filter to deny permit host source mask examine TCP packets. Configure the ]] { ip-address operator port port destination mask following required and optional host ip-address operator port port parameters: established...
Page 909
Figure 43-14. Trace List Example
FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any
FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
FTOS(config-trace-acl)#show config
ip trace-list nimule
 seq 5 deny tcp host 123.55.34.0 any
 seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
To view all configured Trace lists and the number of packets processed through the Trace list, use the show command (Figure 110)
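Figures 43-13 and 43-14 show that filters are stored in sequence-number order regardless of entry order and that an address is stored with its wildcard (don't-care) bits cleared. The added example below (not FTOS code; `TraceList`, `Endpoint` and `shadowed` are this example's own names) reproduces both and also reports filters that an earlier, broader filter makes unreachable, which matters when the later filter is the one carrying `log`. It assumes first-match evaluation and automatic numbering in steps of five, and it leaves out port operators.

```python
import ipaddress
from dataclasses import dataclass

ALL = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Endpoint:
    addr: int      # significant bits only; don't-care bits are zeroed
    wildcard: int  # wildcard mask: 1-bits are ignored when matching

    @classmethod
    def take(cls, tokens):
        """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
        head = tokens.pop(0)
        if head == "any":
            return cls(0, ALL)
        if head == "host":
            return cls(_ip(tokens.pop(0)), 0)
        wildcard = _ip(tokens.pop(0))
        return cls(_ip(head) & ~wildcard & ALL, wildcard)

    def matches(self, ip):
        return (_ip(ip) & ~self.wildcard & ALL) == self.addr

    def covers(self, other):
        """True when every address that matches `other` also matches self."""
        return ((other.wildcard & ~self.wildcard & ALL) == 0
                and (other.addr & ~self.wildcard & ALL) == self.addr)

    def render(self):
        if self.wildcard == ALL:
            return "any"
        addr = ipaddress.IPv4Address(self.addr)
        if self.wildcard == 0:
            return f"host {addr}"
        return f"{addr} {ipaddress.IPv4Address(self.wildcard)}"


@dataclass(frozen=True)
class Filter:
    seq: int
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint
    log: bool

    def render(self):
        return (f"seq {self.seq} {self.action} {self.proto} {self.src.render()} "
                f"{self.dst.render()}" + (" log" if self.log else ""))


class TraceList:
    STEP = 5  # assumption: automatic numbering in steps of five (Figure 43-14)

    def __init__(self, name):
        self.name = name
        self.filters = {}  # seq -> Filter

    def add(self, line):
        tokens = line.split()
        if tokens[0] == "seq":
            seq, tokens = int(tokens[1]), tokens[2:]
        else:
            seq = max(self.filters, default=0) + self.STEP
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported filter: {line!r}")
        src, dst = Endpoint.take(tokens), Endpoint.take(tokens)
        if tokens not in ([], ["log"]):
            raise ValueError(f"unsupported options: {tokens}")
        self.filters[seq] = Filter(seq, action, proto, src, dst, bool(tokens))

    def ordered(self):
        return [self.filters[s] for s in sorted(self.filters)]

    def show_config(self):
        return [f.render() for f in self.ordered()]

    def first_match(self, proto, src, dst):
        """Filters are consulted in sequence-number order; the first hit wins."""
        for f in self.ordered():
            if f.proto in ("ip", proto) and f.src.matches(src) and f.dst.matches(dst):
                return f
        return None

    def shadowed(self):
        """(earlier, later) sequence pairs where the later filter is unreachable."""
        rules = self.ordered()
        return [(e.seq, late.seq) for i, late in enumerate(rules) for e in rules[:i]
                if e.proto in ("ip", late.proto)
                and e.src.covers(late.src) and e.dst.covers(late.dst)]
```

Adding the two filters of Figure 43-13 in the order they were typed and calling `show_config()` returns them in the order the figure's `show conf` output lists them.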
VTY Line and Access-Class Configuration
Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote:
Table 43-1. VTY Access
Authentication Method | VTY access-class support? | Username access-class support? | Remote authorization support?
Line Local...
FTOS retrieves the access class from the VTY line. The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is radius, TACACS+, or line, and you have configured an access class for the VTY line, FTOS immediately applies it.
Page 912
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs (Figure 43-18). Figure 43-18 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
Figure 43-18. Example Access Class Configuration Using TACACS+ Without Prompt
FTOS(conf)#mac access-list standard sourcemac
FTOS(config-std-mac)#permit 00:00:5e:00:01:01
FTOS(config-std-mac)#deny any...
Service Provider Bridging
Service Provider Bridging is supported on platforms: e c s z
This chapter contains the following major sections: • VLAN Stacking • VLAN Stacking Packet Drop Precedence • Dynamic Mode CoS for VLAN Stacking • Layer 2 Protocol Tunneling •...
To switch traffic, these interfaces must be added to a non-default VLAN-Stack-enabled VLAN. • Dell Force10 cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. • You can ping across a trunk port only if both systems on the link are an E-Series. You cannot ping across the link if one or both of the systems is a C-Series or S-Series.
Create Access and Trunk Ports
An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
Display the status and members of a VLAN using the command from EXEC Privilege mode. show vlan Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q. Figure 44-3. Display the Members of a VLAN-Stacking-enabled VLAN FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs Status Q Ports...
Task: Add the port to an 802.1Q VLAN as tagged or untagged.
Command Syntax: [tagged | untagged]
Command Mode: INTERFACE VLAN
In Figure 44-4, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
0x9100, and it is, so R2 forwards the frame. Given the matching-TPID requirement, there are limitations when you employ Dell Force10 systems at network edges, at which frames are either double tagged on ingress (R4) or the outer tag is removed on egress (R3).
Page 919
Figure 44-6. TPID Match and First-byte Match on the E-Series TeraScale
[Network diagram: R1 (E-Series TeraScale, TPID 0x9191), R2 and R3 (E-Series TeraScale, TPID 0x9100) and R4 (Non-Force10 System, TPID 0x9100) linking Buildings B, C and D; frames carry outer TPID 0x9100 (VLAN Purple) and inner TPID 0x8100 (VLAN Red).]
Page 920
Figure 44-7. TPID Mismatch and 0x8100 Match on the E-Series TeraScale
[Network diagram: R1 (E-Series TeraScale, TPID 0x9100), R2 and R3 (E-Series TeraScale, TPID 0x8181) and R4 (Non-Force10 System, TPID 0x8100) linking Buildings B, C and D; frames carry TPID 0x8100 tags for VLAN Purple and VLAN Red.]
Page 921
Figure 44-8. First-byte TPID Match on the E-Series ExaScale
[Network diagram: R1 (E-Series TeraScale, TPID 0x9191) and R2 (E-Series ExaScale, TPID 0x9100) linking Buildings C and D.]
Table 44-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series. Table 44-1....
Page 922
You can configure the first eight bits of the TPID using the command vlan-stack protocol-type. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
Page 923
Figure 44-10. Single and Double-tag First-byte TPID Match on C-Series and S-Series
[Network diagram: R1 and R2 (C-Series w/ FTOS <8.2.1.0, TPID 0x8181), R3 (C-Series w/ FTOS >=8.2.1.0, TPID 0x8181) and R4 (Non-Force10 System, TPID 0x8100) linking Buildings A and B; frames carry TPID 0x8100 (VLAN Red).]
Figure 44-11....
Table 44-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series. Table 44-2. C-Series and S-Series Behaviors for Mis-matched TPID Network Incoming System Position Packet TPID TPID Match Type Pre-8.2.1.0 8.2.1.0+ Ingress Access Point untagged 0xUVWX —...
Enable Drop Eligibility
You must enable Drop Eligibility globally before you can honor or mark the DEI value.
Task: Make packets eligible for dropping based on their DEI value. By default, packets are colored green, and DEI is marked 0 on egress.
Command Syntax: dei enable
Command Mode: CONFIGURATION
When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults.
Task Command Syntax Command Mode FTOS#show interface dei-honor Default Drop precedence: Green Interface CFI/DEI Drop precedence ------------------------------------------------------------- Gi 0/1 Green Gi 0/1 Yellow Gi 8/9 Gi 8/40 Yellow Mark Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
Page 927
Figure 44-12. Statically and Dynamically Assigned dot1p for VLAN Stacking
[Diagram: an untagged frame receives an S-Tag (0x9100) with statically-assigned dot1p; a C-Tagged frame (0x8100) receives an S-Tag (0x9100) with mapped dot1p.]
When configuring Dynamic Mode CoS, you have two options: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
Page 928
FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration. For example, the following access-port configuration maps all traffic to Queue 0:
vlan-stack dot1p-mapping c-tag-dot1p 0-7 sp-tag-dot1p 1
However, if the following QoS configuration also exists on the interface, traffic is queued to Queue 0 but will be rate policed...
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly: Step Task Command Syntax Command Mode Allocate CAM space to enable queuing CONFIGURATION cam-acl l2acl number ipv4acl number frames according to the C-Tag or the ipv6acl number ipv4qos number l2qos S-Tag.
Page 930
(Figure 44-14). FTOS Behavior: In FTOS versions prior to 8.2.1.0, the MAC address that Dell Force10 systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell Force10-unique MAC address, 01-01-e8-00-00-00. As such, with these FTOS versions, Dell Force10 systems are required at the egress edge of the intermediate network because only FTOS could recognize the significance of the destination MAC address and rewrite it to the original Bridge Group Address.
Figure 44-14. VLAN Stacking with L2PT BPDU w/ destination Building B MAC address: 01-80-C2-00-00-00 no spanning-tree no spanning-tree BPDU w/ destination MAC address: 01-01-e8-00-00-00 Non-Dell Force10 Non-Dell Force10 System R1-E-Series System BPDU w/ destination MAC address: 01-80-C2-00-00-00 Building A Implementation Information •...
Specify a Destination MAC Address for BPDUs
By default, FTOS uses a Dell Force10-unique MAC address for tunneling BPDUs. You can configure another value.
Task: Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
Command Syntax: protocol-tunnel destination-mac
Command Mode: CONFIGURATION
Debug Layer 2 Protocol Tunneling Task Command Syntax Command Mode Display debugging information for L2PT. EXEC Privilege debug protocol-tunnel Provider Backbone Bridging Provider Backbone Bridging is supported only on platforms: IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider.
sFlow
Configuring sFlow is supported on platforms: e c s z
• Enable and Disable sFlow
• sFlow Show Commands
• Specify Collectors
• Polling Intervals
• Sampling Rate
• Back-off Mechanism
• sFlow on LAG ports
• Extended sFlow
Overview
FTOS supports sFlow version 5.
Implementation Information
The Dell Force10 sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe. If sFlow is not enabled on any port specifically, then the global sampling rate is downloaded to that port and is used to calculate the port-pipe’s lowest sampling rate.
• FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount. Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
sFlow Show Commands FTOS includes the following sFlow display commands: • Show sFlow Globally • Show sFlow on an Interface • Show sFlow on a Line Card Show sFlow Globally Use the following command to view sFlow statistics: Command Syntax Command Mode Purpose EXEC...
Figure 45-3. Command Example: show sflow interface FTOS#show sflow interface gigabitethernet 1/16 Gi 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate Counter polling interval Samples rcvd from h/w Samples dropped for sub-sampling :6 The configuration, shown in Figure 45-2, is also displayed in the running configuration (Figure...
Specify Collectors
The sflow collector command allows identification of sFlow Collectors to which sFlow datagrams are forwarded. The user can specify up to two sFlow collectors. If two Collectors are specified, the samples are sent to both. Collection through Management interface is supported on platform: Command Syntax Command Mode Usage...
The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate. By default, the sampling rate of an interface is set to the same value as the current global default sampling rate. If the value entered is not a correct power of 2, the command generates an error message with the previous and next power-of-2 value.
Back-off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared.
The IP destination address has to be learned via BGP in order to export extended-gateway data, prior to FTOS version 7.8.1.0. • If the IP destination address is not learned via BGP the Dell Force10 system does not export extended-gateway data, prior to FTOS version 7.8.1.0. •...
Page 944
Table 45-1. Extended Gateway Summary srcAS and dstAS and IP SA IP DA srcPeerAS dstPeerAS Description static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP Exported src_as & src_peer_as are zero because there is no AS information for IGP.
SNMP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Note: On Dell Force10 routers, standard and private SNMP MIBs are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
1. Create a community. See page 947. Configuring SNMP version 3 requires you to configure SNMP users in one of three methods. See Setting Up User-based Security (SNMPv3). Related Configuration Tasks The following list contains configuration tasks for SNMP: • Managing Overload on Startup •...
Create a Community For SNMPv1 and SNMPv2, you must create a community to enable the community-based security in FTOS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent.
Page 948
Figure 46-2. Select a User-based Security Type FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ? auth Use the SNMPv3 authNoPriv Security Level noauth Use the SNMPv3 noAuthNoPriv Security Level priv Use the SNMPv3 authPriv Security Level FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 noauth ? WORD SNMPv3 user name To set up a user with view privileges only (no password or privacy privileges):...
Read Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Force10 supports RFC 4001, Textual Conventions for Internet Network Addresses, that defines values representing a type of internet address.
SNMPv2-MIB::sysName.0 = STRING: R5 Configure Contact and Location Information using SNMP You may configure system contact and location information from the Dell Force10 system or from the management station using SNMP. To configure system contact and location information from the Dell Force10 system:...
Subscribe to Managed Object Value Updates using SNMP By default, the Dell Force10 system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
Page 952
PORT_LINKDN:changed interface state to down:%d snmp linkup PORT_LINKUP:changed interface state to up:%d Enable a subset of Dell Force10 enterprise specific SNMP traps using one of the listed command options in Table 46-2 with the command . Note that the envmon option enables all...
Page 953
Table 46-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap MINOR_SFM: MInor alarm: No working standby SFM MINOR_SFM_CLR: Minor alarm cleared: Working standby SFM present TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s RPM0-P:CP %CHMGR-2-CARD_PARITY_ERR ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s CPU_THRESHOLD: Cpu %s usage above threshold.
Page 954
Table 46-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap envmon supply PEM_PRBLM: Major alarm: problem with power entry module %s PEM_OK: Major alarm cleared: power entry module %s is good MAJOR_PS: Major alarm: insufficient power %s MAJOR_PS_CLR: major alarm cleared: sufficient power...
• copy the running-config file to the startup-config file, or • copy configuration files from the Dell Force10 system to a server • copy configuration files from a server to the Dell Force10 system All of these tasks can be performed using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses;...
Page 956
Create an SNMP community string with read/write privileges. Command Syntax: snmp-server community community-name rw. Command Mode: CONFIGURATION. Copy the f10-copy-config.mib MIB from the Dell Force10 iSupport webpage to the server to which you are copying the configuration file.
Page 957
Step Task Command Syntax Command Mode On the server, use the snmpset command as shown: snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index object-value... • Every specified object must have an object value, which must be preceded by the keyword .
Page 958
Table 46-4. Copying Configuration Files via SNMP Task snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3 Figure 46-7 shows the command syntax using MIB object names. Figure 46-8 shows the same command using the object OIDs. In both cases, the object is followed by a unique index number. Figure 46-7.
Page 959
3 copyDestFileName.4 s /home/myfilename copyServerAddress.4 a 11.11.11.11 Copy a binary file from the server to the startup-configuration on the Dell Force10 system via FTP using the following command: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3...
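Because any holder of a read/write community string can drive the copy operations above, and SNMPv1/v2c send that string in cleartext, it is worth auditing where `rw` communities and weak SNMPv3 trap levels are configured. The following is an added example, not Dell Force10 code: it assumes the running configuration echoes the `snmp-server community` and `snmp-server host ... version 3` forms shown in this chapter, and the sample configuration, addresses and user names are constructed.

```python
import re

# Constructed running-config excerpt, not taken from the page. Assumption: the
# running configuration echoes the command forms this chapter shows:
#   snmp-server community <name> {ro|rw}
#   snmp-server host <ip> traps version 3 {noauth|auth|priv} <user>
SAMPLE_CONFIG = """\
snmp-server community public rw
snmp-server community n0c-Mon-7f3a91 ro
snmp-server host 1.1.1.1 traps version 3 noauth trapuser
snmp-server host 10.11.131.200 traps version 3 priv nocuser
"""

WELL_KNOWN = {"public", "private"}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)\b")
HOST_V3_RE = re.compile(
    r"^snmp-server host (\S+) traps\b.*?\bversion 3 (noauth|auth|priv) (\S+)"
)


def audit_snmp(config_text):
    """Return (line_number, code, detail) findings for risky SNMP settings.

    Community names are deliberately left out of the detail text so the
    report itself does not leak them.
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = COMMUNITY_RE.match(line)
        if match:
            name, access = match.groups()
            if access == "rw":
                findings.append((number, "rw-community",
                                 "permits snmpset, including the f10-copy-config "
                                 "objects that replace the startup-config"))
            if name.lower() in WELL_KNOWN:
                findings.append((number, "default-community",
                                 "community string is a widely known default"))
            continue
        match = HOST_V3_RE.match(line)
        if match:
            host, level, _user = match.groups()
            if level == "noauth":
                findings.append((number, "v3-noauth",
                                 f"traps to {host} are neither authenticated "
                                 "nor encrypted (noAuthNoPriv)"))
            elif level == "auth":
                findings.append((number, "v3-no-privacy",
                                 f"traps to {host} are authenticated but not "
                                 "encrypted (authNoPriv)"))
    return findings


if __name__ == "__main__":
    for number, code, detail in audit_snmp(SAMPLE_CONFIG):
        print(f"line {number}: {code}: {detail}")
```
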
Page 960
Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 46-5. Table 46-5. MIB Objects for Copying Configuration Files via SNMP MIB Object Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.1.11 1= running Specifies the state of the copy 2 = successful operation.
Figure 46-14 shows the command syntax using MIB object names, and Figure 46-15 shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command. Figure 46-14. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax >...
Figure 46-17. Assign a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.1107787786 = STRING: "My VLAN" [FTOS system output] FTOS#show int vlan 10 Vlan 10 is down, line protocol is down Vlan alias name is: My VLAN Address is 00:01:e8:cc:cc:ce, Current address is 00:01:e8:cc:cc:ce Interface index is 1107787786...
Page 963
The table that the Dell Force10 system sends in response to the snmpget request contains hexadecimal (hex) pairs, each pair representing a group of eight ports. • On the E-Series, 12 hex pairs represent a line card. Twelve pairs accommodate the greatest currently available line card port density, 96 ports....
The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 0. The hex value 40 is 0100 0000 in binary. As described above, the left-most position in the string represents Port 1. The next position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10.
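The decoding described above can be automated when reviewing which ports an SNMP reply places in a VLAN. This is an added example, not code from the Dell Force10 documentation: it uses the 12-pairs-per-line-card and 7-pairs-per-stack-unit groupings stated here, assumes the reply contains whole units, and runs on a constructed Net-SNMP style reply with a placeholder OID.

```python
import re

# Hex pairs per unit, as stated on this page: 12 pairs (96 ports) per E-Series
# line card, 7 pairs per S-Series stack unit.
PAIRS_PER_UNIT = {"e-series": 12, "s-series": 7}


def parse_hex_pairs(value):
    """Accept raw hex pairs or a Net-SNMP 'Hex-STRING: ..' reply; return bytes."""
    if "Hex-STRING:" in value:
        value = value.split("Hex-STRING:", 1)[1]
    pairs = value.split()
    for pair in pairs:
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            raise ValueError(f"not a hex pair: {pair!r}")
    return bytes(int(pair, 16) for pair in pairs)


def decode_vlan_ports(value, platform="s-series"):
    """Return [(unit, position), ...] for every bit set in the port bitmap.

    Position 1 is the left-most (most significant) bit of a unit's first hex
    pair, matching the description on this page.
    """
    per_unit = PAIRS_PER_UNIT[platform]
    octets = parse_hex_pairs(value)
    # Assumption of this example: a complete reply covers whole units, so any
    # other length is treated as a truncated or mis-copied value.
    if len(octets) % per_unit:
        raise ValueError(
            f"{len(octets)} hex pairs is not a multiple of {per_unit}"
        )
    members = []
    for index, octet in enumerate(octets):
        unit, pair_in_unit = divmod(index, per_unit)
        for bit in range(8):
            if octet & (0x80 >> bit):
                members.append((unit, pair_in_unit * 8 + bit + 1))
    return members


# Constructed reply for a two-unit S-Series stack; the OID is a placeholder.
SAMPLE_REPLY = (
    "<vlan-egress-ports-oid> = Hex-STRING: "
    "40 00 00 00 00 00 00 "  # unit 0: 0x40 = 0100 0000, position 2
    "80 01 00 00 00 00 00"   # unit 1: positions 1 and 16
)

if __name__ == "__main__":
    for unit, position in decode_vlan_ports(SAMPLE_REPLY):
        print(f"port {unit}/{position} is a VLAN member")
```
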
OID: Fetch Dynamic MAC Entries using SNMP Dell Force10 supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. Note: The 802.1q Q-BRIDGE MIB defines VLANs with regard to 802.1d, as 802.1d itself does not define them.
Page 967
Each object comprises an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent. For example, the decimal equivalent of E8 is 232, and so the instance number for MAC address 00:01:e8:06:95:ac is .0.1.232.6.149.172.
Deriving Interface Indices FTOS assigns an interface number to each (configured or unconfigured) physical and logical interface. Display the interface index number using the show interface command from EXEC Privilege mode, as shown in Figure 46-26. Figure 46-26. Display the Interface Index Number FTOS#show interface gig 1/21 GigabitEthernet 1/21 is up, line protocol is up Hardware is Force10Eth, address is 00:01:e8:0d:b7:4e...
Figure 46-28. Binary Representation of Interface Index For interface indexing, slot and port numbering begins with the binary one. If the Dell Force10 system begins slot and port numbering from 0, then the binary 1 represents slot and port 0. For example, the index...
IF-MIB::linkUp IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1" Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Force10 router, take into account the following behavior: •...
Stacking Stacking is supported on the following platforms: (S50/S25), Stacking is supported on the S4810 platform with FTOS version 8.3.7.1, version 8.3.10.2 and newer. Note: The S4810 commands accept Unit ID numbers 0-11, though the S4810 supports stacking up to 3 units only with FTOS version 8.3.7.1 and version 8.3.10.2.
FTOS presents all of the units like line cards; for example, to access GigabitEthernet Port 1 on Stack Unit 0, enter interface gigabitethernet 0/1 from CONFIGURATION mode. Stack Management Roles The stack elects the management units for the stack management: •...
• MAC address (in case of priority tie): The unit with the higher MAC value becomes the master unit. The stack takes the MAC address of the master unit and retains it unless it is reloaded. To view which switch is the stack master, enter the command.
Failover Roles If the stack master fails (e.g., is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address.
Page 975
Figure 47-2. Adding a Standalone with a Lower MAC Address to a Stack— Before (S50-type) -------------------------------STANDALONE BEFORE CONNECTION---------------------------------- Standalone#show system brief Stack MAC : 00:01:e8:d5:ef:81 Stack Info Unit UnitType Status ReqTyp CurTyp Version Ports --------------------------------------------------------------------------- Management online S50V S50V 7.8.1.0 Member not present Member...
Shortest path selection inside the stack: If multiple paths exist between two units in the stack, the shortest path is used. Supported Stacking Topologies The S4810 supports stacking in a ring or a daisy chain topology. Dell Force10 recommends the ring topology when stacking S4810 switches to provide redundant connectivity. Stacking...
Figure 47-4. S4810 supported stacking topologies High Availability on S-Series Stacks S-Series stacks have master and standby management units analogous to Dell Force10 Route Processor Modules (Figure 47-5). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit.
Figure 47-6. Accessing Non-Master Units on a Stack via the Console Port -------------------------------CONSOLE ACCESS ON THE STANDBY---------------------------------- 2-unit-stack(standby)#? Change current directory clear Reset functions copy Copy from one file to another delete Delete a file List files on a filesystem disable Turn off privileged commands enable...
S-Series Stacking Installation Tasks • Create an S-Series Stack • Add Units to an Existing S-Series Stack • Remove a Unit from an S-Series Stack • Split an S-Series Stack Create an S-Series Stack Stacking is enabled on the S4810 using the front end ports. No configuration is allowed on front end ports used for stacking.
Page 981
With FTOS 8.3.12.0, when a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the FTOS version. If the stack is running 8.3.12.0 and the new unit is running an earlier software version, the new unit is put into a card problem state.
Page 982
Save the stacking configuration on the ports. Command Syntax: write memory. Command Mode: EXEC Privilege. Reload the switch. Command Syntax: reload. Command Mode: EXEC Privilege. FTOS automatically assigns a number to the new unit and adds it as member switch in the stack. The new unit synchronizes its running and startup configurations with the stack....
Page 983
Configure the switch priority for each unit to make management unit selection deterministic. Command Syntax: stack-unit priority. Command Mode: CONFIGURATION. Assign a stack group for each unit. Command Syntax: stack-unit id stack-group id. Command Mode: CONFIGURATION. Begin with the first port on the management unit. Next, configure both ports on each subsequent unit....
Page 984
Configure the first stack group on unit 1: stack-unit 1 stack-group 13 Configure the stack groups on unit 2: stack-unit 2 stack-group 14 stack-unit 2 stack-group 15 Configure the stack groups on unit 3: stack-unit 3 stack-group 12 stack-unit 3 stack-group 13 Configure the stack groups on unit 4: stack-unit 4 stack-group 13 stack-unit 4 stack-group 14...
Member not present Member not present Power Supplies Unit Status Type FanStatus ---------------------------------------------------------------------------- absent absent down UNKNOWN down absent absent absent absent Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed ---------------------------------------------------------------------------- 9360 9360 9360 9360 7680 7680 7920 7680 9360 9360 9360 9360...
Page 986
• by merging two stacks. If you are adding units to an existing stack, you can either: • allow FTOS to automatically assign the new unit a position in the stack, or • manually determine each unit's position in the stack by configuring each unit to correspond with the stack before connecting it.
Page 987
Member not present Member not present Member not present Member not present Member not present Member not present Member not present Member not present Figure 47-9. Adding an S4810 Stack Unit with a Conflicting Stack Number—After FTOS#show system brief Stack MAC : 00:01:e8:8a:df:e6 Reload Type : normal-reload Stack Info Unit...
Page 988
Configure the ports on the added switch for stacking. Command Syntax: stack-unit 0 stack-group group-number. Command Mode: CONFIGURATION. Where: stack-unit 0 defines the default ID unit-number in the initial configuration of a switch. stack-group group-number configures a port for stacking....
Split an S-Series Stack To split a stack, unplug the desired stacking cables. You may do this at any time, whether the stack is powered or unpowered, and the units are online or offline. Each portion of the split stack retains the startup and running configuration of the original stack....
Message 1 Renumbering the Stack Manager Renumbering master unit will reload the stack. WARNING: Interface configuration for current unit will be lost! Proceed to renumber [confirm yes/no]: yes Create a Virtual Stack Unit on an S-Series Stack Use virtual stack units to configure ports on the stack before adding a new unit. Task Command Syntax Command Mode...
Page 991
Burned In MAC : 00:01:e8:8a:df:e6 No Of MACs Power Supplies Unit Status Type FanStatus --------------------------------------------------------------------------- absent absent Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------------------------------------------- 6960 6960 6720 6720 Speed in RPM Unit 1 -- Unit Type : Member Unit Status : not present Required Type...
Member not present Member not present Member not present Member not present Display information about an S4810 stack using the show system stack-ports command. FTOS#show system stack-ports Topology: Ring Interface Connection Link Speed Admin Link Trunk (Gb/s) Status Status Group ------------------------------------------------------------------ 0/56 3/56...
Manage Redundancy on an S-Series Stack Reset the current management unit, and make the standby unit the new master unit. Command Syntax: redundancy force-failover stack-unit. Command Mode: EXEC Privilege. A new standby is elected. When the former stack master comes back online, it becomes a member unit....
Display Status of Stacking Ports To display the status of the stacking ports, including the topology: Display the stacking ports. Command Syntax: show system stack-ports. Command Mode: EXEC Privilege. The following example shows four switches stacked together with two 40G links in a ring topology. FTOS#show system stack-ports Topology: Ring Interface...
Power Supplies Unit Status Type FanStatus ---------------------------------------------------------------------------- Unit Status Type FanStatus ---------------------------------------------------------------------------- absent absent Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed ---------------------------------------------------------------------------- 7200 7200 7200 7440 Speed in RPM The following example shows three switches stacked together in a daisy chain topology. stack-2#show system stack-ports Topology: Daisy chain Interface...
To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline. Note that if you remove a unit in the middle of the daisy chain stack, the stack will be split into multiple parts and each will form a new stack according to the stacking algorithm described throughout this chapter.
Task Command Syntax Command Mode After the units are reloaded, the system reboots. The units come up as standalone units after the reboot completes. Troubleshoot an S-Series Stack • Recover from Stack Link Flaps • Recover from a Card Problem State on an S-Series Stack •...
Page 998
Reload Type : normal-reload [Next boot : normal-reload] Stack Info Unit UnitType Status ReqTyp CurTyp Version Ports --------------------------------------------------------------------------- Standby card problem S4810 unknown Management online S4810 S4810 8-3-10-223 Member not present Member not present Member not present Member not present Member not present Member...
down down absent absent Status Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------------------------------------------- 6960 6720 6720 6720 6960 6720 6720 6720 Speed in RPM stack-1# Recover from a Card Mismatch State on an S-Series Stack A card mismatch occurs if the stack has a provision for the lowest available stack number which does not match the model of a newly added unit.
Page 1000
01:38:34: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present ----------------------------------------STACK AFTER------------------------------------------ 23:11:25: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 0 present 23:11:40: %STKUNIT1-M:CP %CHMGR-2-STACKUNIT_DOWN: Stack unit 0 down - card removed 23:12:25: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 0 present 23:12:34: %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from Stack unit 0 (type S50V, 52 ports) 23:12:34: %STKUNIT1-M:CP %CHMGR-3-STACKUNIT_MISMATCH: Mismatch: Stack unit 0 is type S50V - type S25N required Stack#show system brief...