Dell Force10 Z9000 Manual de usuario

Dell Configuration Guide for the Z9000 System9.5(0.1)

Configuring the Hash Algorithm... 268Enabling Determinist

10.1.1.1./32 fragmentsDell(conf-ext-nacl)Example of Denying Second and Subsequent FragmentsTo deny the second/subsequent fragments, use the same rules

Dell(conf-ext-nacl)#permit udp any any fragmentDell(conf-ext-nacl)#deny ip any any logDell(conf-ext-nacl)When configuring ACLs with the fragments keyw

!ip access-list standard dilling seq 15 permit tcp 10.3.0.0/16 any seq 25 deny ip host 10.5.0.0 any logDell(config-std-nacl)#To delete a filter, use

seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28 seq

Configure Filters, TCP PacketsTo create a filter for UDP packets with a specified sequence number, use the following commands.1. Create an extended IP

CONFIG-EXT-NACL mode{deny | permit} udp {source mask | any | host ip-address}} [count [byte]] [order] [fragments]When you use the log keyword, the CP

L2 ACL Behavior L3 ACL Behavior Decision on Targeted TrafficPermit Deny L3 ACL denies.Permit Permit L3 ACL permits.NOTE: If you configure an interface

4. Apply rules to the new ACL.INTERFACE modeip access-list [standard | extended] nameTo view which IP ACL is applied to an interface, use the show con

Dell#configure terminalDell(conf)#ip access-list extended abcdDell(config-ext-nacl)#permit tcp any anyDell(config-ext-nacl)#deny icmp any anyDell(conf

Dell#configure terminalDell(conf)#interface te 0/0Dell(conf-if-te-0/0)#ip vrf forwarding blueDell(conf-if-te-0/0)#show config!interface TenGigabitEthe

Configure a GARP Timer...29118 Interne

A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/X where A.B.C.D is a dotte

ip prefix-list prefix-name2. Create a prefix list with a sequence number and a deny or permit action.CONFIG-NPREFIXL modeseq sequence-number {deny | p

• ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).• le max-prefix-length: is the maximum prefix length to be matched (0 to

ip prefix-list filter_in:count: 3, range entries: 3, sequences: 5 - 10ip prefix-list filter_ospf:count: 4, range entries: 1, sequences: 5 - 10Dell>

distribute-list prefix-list-name in [interface]• Apply a configured prefix list to incoming routes. You can specify which type of routes are affected.

Resequencing an ACL or Prefix ListResequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs.To resequence an ACL or prefix list, us

ip access-list extended testremark 4 XYZremark 5 this remark corresponds to permit any host 1.1.1.1seq 5 permit ip any host 1.1.1.1remark 9 ABCremark

Configuration Task List for Route MapsConfigure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF mode

Set clauses: tag 35 level stub-areaDell#To delete all instances of that route map, use the no route-map map-name command. To delete just one i

Example of the match Command to Match All Specified ValuesIn the next example, there is a match only if a route has both of the specified characterist

View Basic Interface Information... 316Enabling a Ph

– For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet then the slot/port information.– For a VLAN, enter the keyword vlan then a

Configuring Set ConditionsTo configure a set condition, use the following commands.• Add an AS-PATH number to the beginning of the AS-PATH.CONFIG-ROUT

To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the nu

redistribute ospf 34 metric 1 route-map torip!route-map torip permit 10 match route-type internal set tag 34!Continue ClauseNormally, when a match

entries. You can enable logging separately for each of these FP entries, which relate to each of the ACL entries configured in an ACL. Dell Networking

packets that exceeded the logging threshold value during that interval is logged when the subsequent log record (in the next interval) is generated fo

The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL information is sent to the ACL manager, which

configuration to the ACL agent whenever the ACL agent is registered with the port mirroring application or when flow-based monitoring is enabled.The s

CONFIGURATION modeip access-listFor more information, see Access Control Lists (ACLs).3. Apply the ACL to the monitored port.INTERFACE modeip access-g

8Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)This chapter describes the access control list (ACL) VLAN group and content

Splitting QSFP Ports to SFP+ Ports... 339Converting a Q

for the ACL VLAN groups present on the system, an appropriate error message is displayed. The ACL manager application verifies the following parameter

• The maximum number of VLANs that you can configure as a member of ACL VLAN groups is limited to 512 on the Z9000 switch if two slices are allocated.

CONFIGURATION (conf-acl-vl-grp) modemember vlan {VLAN-range}5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by nam

EXEC Privilege modeDell#show cam-usage switch Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM========|========|=========

The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured:Dell#show cam-usage aclLinecard|Portpipe|

You can configure only two of these features at a time.• To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlano

9Bidirectional Forwarding Detection (BFD)Bidirectional forwarding detection (BFD) is supported only on the Z9000 platform.BFD is a protocol that is us

NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client.BFD Packet Form

Field Descriptionsystem clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Deman

BFD SessionsBFD must be enabled on both sides of a link in order to establish a session.The two participating systems can assume either of two roles:A

ARP...

handshake. Now the discriminator values have been exchanged and the transmit intervals have been negotiated.4. The passive system receives the control

receives a Down status notification from the remote system, the session state on the local system changes to Init.Figure 10. Session State ChangesImpo

• Configure BFD for IS-IS• Configure BFD for BGP• Configure BFD for VRRP• Configuring Protocol Liveness• Troubleshooting BFDConfigure BFD for Physical

Establishing a Session on Physical PortsTo establish a session, enable BFD at the interface level on both ends of the link, as shown in the following

Remote Addr: 2.2.2.2Remote MAC Addr: 00:01:e8:06:95:a2Int: GigabitEthernet 4/24State: UpConfigured parameters: TX: 100ms, RX: 100ms, Multiplier: 3Nei

Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 7Disabling and Re-Enabling BFDBFD is

Establishing Sessions for Static RoutesSessions are established for all neighbors that are the next hop of a static route.Figure 12. Establishing Sess

• Change parameters for all static route sessions.CONFIGURATION modeip route bfd interval milliseconds min_rx milliseconds multiplier value role [acti

Establishing Sessions with OSPF NeighborsBFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neigh

INTERFACE modeip ospf bfd all-neighborsExample of Verifying Sessions with OSPF NeighborsTo view the established sessions, use the show bfd neighbors c

Configuration Tasks for IPv6... 392Adjusting

• Disable BFD sessions with all OSPF neighbors.ROUTER-OSPF modeno bfd all-neighbors• Disable BFD sessions with all OSPF neighbors on an interface.INTE

To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.• Change paramete

Establishing Sessions with IS-IS NeighborsBFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neigh

The bold line shows that IS-IS BFD sessions are enabled.R2(conf-router_isis)#bfd all-neighborsR2(conf-router_isis)#do show bfd neighbors* - Active

INTERFACE moseisis bfd all-neighbors disableConfigure BFD for BGPBidirectional forwarding detection (BFD) for BGP is supported on the Z9000 platform.I

Figure 15. Establishing Sessions with BGP NeighborsThe sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:• By

typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message

ROUTER BGP modeneighbor {ip-address | peer-group-name} bfd disable• Remove the disabled state of a BFD for BGP session with a specified neighbor.ROUTE

Examples of the BFD show CommandsThe following example shows verifying a BGP configuration.R2# show running-config bgp!router bgp 2 neighbor 1.1.1.2

Number of messages from IFA about port state change: 0Number of messages communicated b/w Manager and Agent: 5Session Discriminator: 10Neighbor Discri

Configuring LACP Commands...426LACP Configuration Task

Down : 0Admin Down : 2The following example shows viewing BFD summary information.The bold line shows the message displayed when you e

Connections established 1; dropped 0 Last reset neverLocal host: 2.2.2.3, Local port: 63805Foreign host: 2.2.2.2, Foreign port: 179E1200i_ExaScale#

Establishing Sessions with All VRRP NeighborsBFD sessions can be established for all VRRP neighbors at once, or a session can be established with a pa

The bold line shows that VRRP BFD sessions are enabled.Dell(conf-if-gi-4/25)#vrrp bfd all-neighborsDell(conf-if-gi-4/25)#do show bfd neighbor* - A

Disabling BFD for VRRPIf you disable any or all VRRP sessions, the sessions are torn down.A final Admin Down control packet is sent to all neighbors a

Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0) 00:54:38 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24 TX packet dump:

10Border Gateway Protocol IPv4 (BGPv4)Border gateway protocol IPv4 (BGPv4) version 4 (BGPv4) is supported on the Z9000 platform.This chapter provides

Figure 17. Internal BGPBGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol —

Figure 18. BGP Routers in Full MeshThe number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes

Establish a SessionInformation exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.In order to

Protocol Data Units...459Optional TL

Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection

• Next HopNOTE: There are no hard coded limits on the number of attributes that are supported in the BGP. Taking into account other constraints such a

Figure 20. BGP Best Path SelectionBest Path Selection Details1. Prefer the path with the largest WEIGHT attribute.2. Prefer the path with the largest

c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP

and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B.Figure 21. BGP Local Preferenc

Figure 22. Multi-Exit DiscriminatorsNOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound E

*> 7.0.0.0/30 10.114.8.33 0 0 18508 ?*> 9.2.0.0/16 10.114.8.33 10 0 18508 701 iAS PathThe AS path is the list of

Multiprotocol BGPMultiprotocol extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of address families to be distribute

internal configured, BGP advertises the metric configured in the redistribute command as MED.• If BGP peer outbound route-map has metric configured, a

Configure 4-byte AS numbers with the four-octet-support command.AS4 Number RepresentationDell Networking OS supports multiple representations of 4-byt

Clearing the Source-Active Cache...493Enabling the Rejected

!router bgp 100bgp asnotation asdot+bgp four-octet-as-supportneighbor 172.30.1.250 local-as 65057<output truncated>Dell(conf-router_bgp)#do show

appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned.Figure 23. Before and After AS Num

3. Prepend "65001 65002" to as-path.Local-AS is prepended before the route-map to give an impression that update passed through a router in

• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if you enable BG

By default, Dell Networking OS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enable

NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter.1. Assign an AS number and enter ROUTER BGP mode.CONFIGURATI

CONFIG-ROUTER-BGP modeneighbor {ip-address | peer-group-name} no shutdownExamples of the show ip bgp CommandsNOTE: When you change the configuration o

For the router’s identifier, Dell Networking OS uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are vir

Connections established 0; dropped 0 Last reset never No active TCP connectionDell#The following example shows verifying the BGP configuration usi

bgp asnotation asplainNOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display.• Enable ASDOT AS N

Implementation Information...526First Packet

Configuring Peer GroupsTo configure multiple BGP neighbors at one time, create and populate a BGP peer group.An advantage of peer groups is that membe

To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.E

neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdownDell(conf-router_bgp)#To disable a peer group, use t

When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. Whenever either address becomes unreachab

Notification History 'Connection Reset' Sent : 5 Recv: 0Local host: 200.200.200.200, Local port: 65519Foreign host: 100.100.100.100, Foreig

CONFIG-ROUTER-BGP modeneighbor peer-group-name subnet subnet-number maskThe peer group responds to OPEN messages sent on this subnet.3. Enable the pee

network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Lau

neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loo

• Set maximum time to retain the restarting peer’s stale paths.CONFIG-ROUTER-BGP modebgp graceful-restart [stale-path-time time-in-seconds]The default

to affect interdomain routing. By identifying certain ASN in the AS_PATH, you can permit or deny routes based on the number in its AS_PATH.AS-PATH ACL

Notes, Cautions, and WarningsNOTE: A NOTE indicates important information that helps you make better use of your computer.CAUTION: A CAUTION indicates

Overview...57

0x6cc18d4 0 1 18508 701 2914 4713 17935 i0x5982e44 0 162 18508 209 i0x67d4a14 0 2 18508 701 19878 ?0x559972c 0 31

The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2. Access list Eagle uses a regular expression to deny routes o

redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]Configure the following parameters:– level-1, level-1-2, or level

IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP ro

deny 701:667 deny 702:667 deny 703:667 deny 704:666 deny 705:666 deny 14551:666Dell#Configuring an IP Extended Community ListTo configure an IP

Filtering Routes with Community ListsTo use an IP community list or IP extended community list to filter routes, you must apply a match community filt

To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.If you want to remove or add a specific COMMUNITY number f

Dell>show ip bgp communityBGP table version is 3762622, local router ID is 10.114.8.48Status codes: s suppressed, d damped, h history, * valid, >

CONFIG-ROUTER-BGP modebgp default local-preference value– value: the range is from 0 to 4294967295.The default is 100.To view the BGP configuration, u

set next-hop ip-addressChanging the WEIGHT AttributeTo change how the WEIGHT attribute is used, enter the first command. You can also use route maps t

Configuring the Sample Remote Port Mirroring... 607Configuring the Encapsulated Re

For inbound and outbound updates the order of preference is:• prefix lists (using the neighbor distribute-list command)• AS-PATH ACLs (using the neigh

• If the prefix list contains no filters, all routes are permitted.• If none of the routes match any of the filters in the prefix list, the route is d

Filtering BGP Routes Using AS-PATH InformationTo filter routes based on AS-PATH information, use these commands.1. Create a AS-PATH ACL and assign it

• Assign an ID to a router reflector cluster.CONFIG-ROUTER-BGP modebgp cluster-id cluster-idYou can have multiple clusters in an AS.• Configure the lo

Configuring BGP ConfederationsAnother way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations.As wi

• history entry — an entry that stores information on a downed route• dampened path — a path that is no longer advertised• penalized path — a path tha

show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]– ip-address [mask]: enter the IP address and ma

Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized pathsNeighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd10.114.8

To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt.When you enable sof

Route Map ContinueThe BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a sp

Create Policy Maps... 646Enabling Qo

• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI.• Exchange of

EXEC Privilege modedebug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out]• View information about BGP updates and filter by p

Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128)For address family: IPv4 UnicastB

00000000 00000000 00000000 00000000 0181a1e4 0181a25c 41af92c0 00000000 00000000 00000000 00000000 00000001 0181a1e4 0181a25c 41af9400 00000000

Sample ConfigurationsThe following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive dir

no shutdownR1(conf-if-lo-0)#int te 1/21R1(conf-if-te-1/21)#ip address 10.0.1.21/24R1(conf-if-te-1/21)#no shutdownR1(conf-if-te-1/21)#show config!inter

R2(conf-router_bgp)#network 192.168.128.0/24R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99R2(conf-router_bgp)#neighbor 192.168.128.1 no shutR2(c

R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBBR1(conf-router_bgp)#R1(conf-router_bgp)#show config!router bgp 99network 192.168.128.0/24nei

Minimum time between advertisement runs is 30 secondsMinimum time before advertisements start is 0 secondsExample of Enabling Peer Groups (Router 2)R2

BGP-RIB over all using 207 bytes of memory2 BGP path attribute entrie(s) using 128 bytes of memory2 BGP AS-PATH entrie(s) using 90 bytes of memory2 ne

Configuring Interfaces for Layer 2 Mode...685Enabling Rapid Span

11Content Addressable Memory (CAM)Content addressable memory (CAM) is supported on the Z9000 platform.CAM is a type of memory that stores information

CAM Allocation SettingOpenflow 0fedgovacl 0The following additional CAM allocation settings are supported on the S6000, S4810 or S4820T platforms only

EXEC Privilege modecam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vm

IPv4Flow : 24K entries : 24K entriesEgL2ACL : 1K entries : 1K entriesEgIPv4ACL : 1K entries : 1K entriesReserved

L2PT : 0 0IpMacAcl : 0 0VmanQos : 0

-- Stack unit 7 -- Current Settings(in block sizes) 1 block = 128 entriesL2Acl : 6Ipv4Acl : 4I

Troubleshoot CAM ProfilingThe following section describes CAM profiling troubleshooting.CAM Profile MismatchesThe CAM profile on all cards must match

12Control Plane Policing (CoPP)Control plane policing (CoPP) is supported on the Z9000 platform.Control plane policing (CoPP) uses access control list

Figure 26. CoPP Implemented Versus CoPP Not ImplementedConfigure Control Plane PolicingFor example, border gateway protocol (BGP) and internet control

CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as

VTY MAC-SA Filter Support...723Role-Based Access

Examples of Configuring CoPP for Different ProtocolsThe following example shows creating the IP/IPv6/MAC extended ACL.Dell(conf)#ip access-list extend

The following example shows creating the control plane service policy.Dell(conf)#control-plane-cpuqosDell(conf-control-cpuqos)#service-policy rate-lim

The following example shows creating the control plane service policy.Dell#confDell(conf)#control-planeDell(conf-control-plane)#service-policy rate-li

streams which is acceptable but the well-known protocol streams must not be mixed with the data streams on queues 0 – 3 in back-plane ports.Increased

NDP PacketsNeighbor discovery protocol has 4 types of packets NS, NA, RA, RS. These packets need to be taken to CPU for neighbor discovery.• Unicast N

CPU QueueWeights Rate (pps) Protocol4 127 2000 IPC/IRC, VLT Control frames5 16 300 ARP Request, NS, RS, iSCSI OPT Snooping6 16 400 ICMP, ARP Reply, NT

To configure control-plane policing, perform the following:1. Create an IPv6 ACL for control-plane traffic policing for ospfv3.CONFIGURATION modeDell(

Q7 1100Dell#Example of Viewing Queue MappingTo view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping

13Dynamic Host Configuration Protocol (DHCP)Dynamic host configuration protocol (DHCP) is available on the Z9000 platform.DHCP is an application layer

Option Number and DescriptionSubnet Mask Option 1Specifies the client’s subnet mask.Router Option 3Specifies the router IP addresses that may serve as

Configuring Specify Collectors...757Changing the

Option Number and DescriptionIdentifiers a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server.L2 DHCP Sno

Figure 28. Client and Server MessagingImplementation InformationThe following describes DHCP implementation.• Dell Networking implements DHCP based on

Configure the System to be a DHCP ServerConfiguring the system to be a DHCP server is supported only on the Z9000 platform.A DHCP server is a network

3. Specify the range of IP addresses from which the DHCP server may assign addresses.DHCP <POOL> modenetwork network/prefix-length• network: the

lease {days [hours] [minutes] | infinite}The default is 24 hours.Specifying a Default GatewayThe IP address of the default router should be on the sam

Creating Manual Binding EntriesAn address binding is a mapping between the IP address and the media access control (MAC) address of a client.The DHCP

Configure the System to be a Relay AgentThis feature is available on the Z-Series platform.DHCP clients and servers request and offer configuration in

Figure 29. Configuring a Relay AgentTo view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privileg

ICMP redirects are not sentICMP unreachables are not sentConfigure the System to be a DHCP ClientA DHCP client is a network device that requests an IP

• To reinstall management routes added by the DHCP client that is removed or replaced by the same statically configured management routes, release the

47 Storm Control... 785Configure Storm Control...

Virtual Router Redundancy Protocol (VRRP)Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface I

• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against addr

Dell Networking OS Behavior: Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maint

Example of the show ip dhcp snooping CommandView the DHCP snooping statistics with the show ip dhcp snooping command.Dell#show ip dhcp snoopingIP DHCP

receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information.The lack

Configuring Dynamic ARP InspectionTo enable dynamic ARP inspection, use the following commands.1. Enable DHCP snooping.2. Validate ARP frames against

Source Address ValidationUsing the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).Table 11. Three T

CONFIGURATION modeip dhcp snooping verify mac-addressEnabling IP+MAC Source Address ValidationThe following feature is available on the Z9000 platform

14Equal Cost Multi-Path (ECMP)Equal cost multi-path (ECMP) is supported on theZ9000 platform.ECMP for Flow-Based AffinityECMP for flow-based affinity

CONFIGURATION mode.ipv6 ecmp-deterministicConfiguring the Hash Algorithm SeedDeterministic ECMP sorts ECMPs in order even though RTM provides them in

Setting the Timezone...810Set Daylight

NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when the user configures multipath routes to the same network. The sys

Creating an ECMP Group BundleWithin each ECMP group, you can specify an interface.If you enable monitoring for the ECMP group, the utilization calcula

Dell(conf-ecmp-group-5)#show config!ecmp-group 5 interface tengigabitethernet 0/2 interface tengigabitethernet 0/3 link-bundle-monitor enableDell(c

15Enabling FIPS CryptographyFederal information processing standard (FIPS) cryptography is supported on the Z9000 platform.This chapter describes how

Enabling FIPS ModeTo enable or disable FIPS mode, use the console port.Secure the host attached to the console port against unauthorized access. Any a

Monitoring FIPS Mode StatusTo view the status of the current FIPS mode (enabled/disabled), use the following commands.• Use either command to view the

• New 1024–bit RSA and RSA1 host key-pairs are created.To disable FIPS mode, use the following command.• To disable FIPS mode from a console port.CONF

16Force10 Resilient Ring Protocol (FRRP)Force10 resilient ring protocol (FRRP) is supported on the Z9000 platform.FRRP provides fast network convergen

The Member VLAN is the VLAN used to transmit data as described earlier.The Control VLAN is used to perform the health checks on the ring. The Control

Multiple FRRP RingsUp to 255 rings are allowed per system and multiple rings can be run on one system.More than the recommended number of rings may ca

VLT Port Delayed Restoration... 836PIM-Sparse Mode Su

Concept ExplanationControl VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used onl

Concept ExplanationThere is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered events of ring failure or ring restoration only.Imple

Configuring the Control VLANControl and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP

• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.• For a SONET interface, enter the keyword sonet

• Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port.• For a 10/100/1000 Ethernet interface, enter the keyword

• Enter the desired intervals for Hello-Interval or Dead-Interval times.CONFIG-FRRP mode.timer {hello-interval|dead-interval} milliseconds– Hello-Inte

Troubleshooting FRRPTo troubleshoot FRRP, use the following information.Configuration Checks• Each Control Ring must use a unique VLAN ID.• Only two i

no ip address switchport no shutdown!interface Vlan 101 no ip address tagged GigabitEthernet 2/14,31 no shutdown!interface Vlan 201 no ip addr

17GARP VLAN Registration Protocol (GVRP)GARP VLAN registration protocol (GVRP) is supported on the Z9000 platform.Typical virtual local area network (

Configure GVRPTo begin, enable GVRP.To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface

VRRP Configuration...882Configu

• Configure a GARP TimerEnabling GVRP GloballyTo configure GVRP globally, use the following command.• Enable GVRP for the entire switch.CONFIGURATION

not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED.• Forbidden Mode — Disables the port to

LeaveAll Timer 5000Dell(conf)#Dell Networking OS displays this message if an attempt is made to configure an invalid GARP timer: Dell(conf)#garp time

18Internet Group Management Protocol (IGMP)Internet group management protocol (IGMP) is supported on the Z9000 platform.Multicast is premised on ident

Figure 31. IGMP Messages in IP PacketsJoin a Multicast GroupThere are two ways that a host may join a multicast group: it may respond to a general que

response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet.IGMP V

Figure 33. IGMP Version 3–Capable Multicast Routers Address StructureJoining and Filtering Groups and SourcesThe following illustration shows how mult

Figure 34. Membership Reports: Joining and FilteringLeaving and Staying in GroupsThe following illustration shows how multicast routers track and refr

Figure 35. Membership Queries: Leaving and StayingConfigure IGMPConfiguring IGMP is a two-step process.1. Enable multicast routing using the ip multic

• Fast Convergence after MSTP Topology Changes• Designating a Multicast Router InterfaceViewing IGMP Enabled InterfacesInterfaces that are enabled wit

Contents1 About this Guide...31Audience...

Border Gateway Protocol (BGP)...927Open Shortest Path Fi

IGMP version is 3Dell(conf-if-gi-1/13)#Viewing IGMP GroupsTo view both learned and statically configured IGMP groups, use the following command.• Vi

INTERFACE modeip igmp query-interval• Adjust the maximum response time.INTERFACE modeip igmp query-max-resp-time• Adjust the last member query interva

Enabling IGMP Immediate-LeaveIf the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robus

• View the configuration.CONFIGURATION modeshow running-config• Disable snooping on a VLAN.INTERFACE VLAN modeno ip igmp snoopingRelated Configuration

• Configure the switch to only forward unregistered packets to ports on a VLAN that are connected to mrouter ports.CONFIGURATION modeno ip igmp snoopi

ip igmp snooping last-member-query-intervalFast Convergence after MSTP Topology ChangesThe following describes the fast convergence feature.When a por

routes. If SSH is specified as a management application, SSH links to and from an unknown destination uses the management default route.Protocol Separ

can configure two default routes, one configured on the management port and the other on the front-end port.Two tables, namely, Egress Interface Selec

When the feature is disabled using the no management egress-interface-selection command, the following operations are performed:• All management appli

the show management application pkt-drop-cntr command. This counter is cleared using clear management application pkt-drop-cntr command.• Packets whos

1About this GuideThis guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instruc

traffic for such end-user-originated sessions destined to management port ip1 is handled using the EIS route lookup.Handling of Transit Traffic (Traff

This phenomenon occurs where traffic is transiting the switch. Traffic has not originated from the switch and is not terminating on the switch.• Drop

Protocol Behavior when EIS is Enabled Behavior when EIS is Disableddns EIS Behavior Default Behaviorftp EIS Behavior Default Behaviorntp EIS Behavior

Default Behavior: Route lookup is done in the default routing table and appropriate egress port is selected.Protocol Behavior when EIS is Enabled Beha

Designating a Multicast Router InterfaceTo designate an interface as a multicast router interface, use the following command.Dell Networking OS also h

19InterfacesThis chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS).•

Interface TypesThe following table describes different interface types.Interface Type Modes Possible Default Mode Requires Creation Default StatePhysi

Hardware is Force10Eth, address is 00:01:e8:05:f3:6a Current address is 00:01:e8:05:f3:6aPluggable media present, XFP type is 10GBASE-LR. Medium is

interface GigabitEthernet 9/7 no ip address shutdown!interface GigabitEthernet 9/8 no ip address shutdown!interface GigabitEthernet 9/9 no ip add

Configuration Task List for Physical InterfacesBy default, all interfaces are operationally disabled and traffic does not pass through them.The follow

2Configuration FundamentalsThe Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure i

Example of a Basic Layer 2 Interface ConfigurationDell(conf-if)#show config!interface Port-channel 1 no ip address switchport no shutdownDell(conf-

no ip address switchport no shutdownDell(conf-if)#ip address 10.10.1.1 /24% Error: Port is in Layer 2 mode Gi 1/2.Dell(conf-if)#To determine the c

attacks on front-end ports. The following protocols support EIS: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. This featu

• Enter the slot and the port (0) to configure a Management interface.CONFIGURATION modeinterface managementethernet interfaceThe slot range is 0.• Co

Gateway of last resort is 10.11.131.254 to network 0.0.0.0 Destination Gateway Dist/Metric Last Change ----------- ----

Loopback InterfacesA Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally

Port Channel Definition and StandardsLink aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single lo

at 1000 Mbps are kept up, and all 10/100/1000 interfaces that are not set to 1000 speed or auto negotiate are disabled.Dell Networking OS brings up 10

Creating a Port ChannelYou can create up to 128 port channels with eight port members per group on the Z9000 .To configure a port channel, use the fol

INTERFACE PORT-CHANNEL modechannel-member interfaceThe interface variable is the physical interface type and slot/port information.2. Double check tha

• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug op

sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port.As soon as a physical inter

Dell(conf-if-po-3)#sho conf!interface Port-channel 3 no ip address channel-member TenGigabitEthernet 0/8 shutdownDell(conf-if-po-3)#Configuring the

VLT taggedName: TenGigabitEthernet 0/1802.1QTagged: TrueVlan membership:Q VlansT 2-5,100,4010Dell#Assigning an IP Address to a Port Channe

NOTE: Hash-based load-balancing on multi-protocol label switching (MPLS) does not work when you enable packet-based hashing (load-balance ip-selection

hash-algorithm | [ecmp{crc16|crc16cc|crc32LSB|crc32MSB|crc-upper|dest-ip |lsb |xor1| xor2| xor4| xor8| xor16}|lag{crc16|crc16cc|crc32LSB|crc32MSB|xor1

Bulk ConfigurationBulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.In

Create a Multiple-RangeThe following is an example of multiple range.Example of the interface range Command (Multiple Ranges)Dell(conf)#interface rang

Add RangesThe following example shows how to use commas to add VLAN and port-channel interfaces to the range.Example of Adding VLAN and Port-Channel I

Monitoring and Maintaining InterfacesMonitor interface statistics with the monitor interface command. This command displays an ongoing list of the int

Output throttles: 0 0 pps 0m - Change mode c - Clear screenl - Page up a - Page downT - Increase r

MONITOR SESSION MULTIPLE SPANNING TREE OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP

NOTE: When you split a 40G port (such as fo 0/4) into four 10G ports, the 40G interface configuration is available in the startup configuration when y

Similarly, you can enable the fan-out mode to configure the QSFP port on a device to act as an SFP or SFP+ port. As the QSA enables a QSFP or QSFP+ po

Example ScenariosConsider the following scenarios:• QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.• QSFP port 4 is connected t

SFP 0 Serial ID Base FieldsSFP 0 Id = 0x0dSFP 0 Ext Id = 0x00SFP 0 Connector = 0x23SFP 0 Transc

QSFP 0 Rx Power measurement type = OMA===================================QSFP 0 Temp High Alarm threshold = 0.000CQSFP 0 Voltage High Al

Current address is 90:b1:1c:f4:9a:faPluggable media present, SFP type is 1GBASE……………………LineSpeed 1000 MbitDell#show interfaces tengigabitethernet

Link DampeningInterface state changes occur when interfaces are administratively brought up or down or if an interface state changes.Every time an int

Gi 0/0Up005750250020Gi 0/1Up21200205001500300Gi 0/2Down4850306002000120To view a dampening summary for the entire system, use the show interfaces damp

Transmission MediaMTU Range (in bytes)Ethernet594-12000 = link MTU576-9234 = IP MTULink Bundle MonitoringLink bundle monitoring is supported only on t

Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off. INTERFACE mode. flowcontrol

CLI Command Mode Prompt Access CommandAS-PATH ACLDell(config-as-path)# ip as-path access-listGigabit Ethernet InterfaceDell(conf-if-gi-0/0)#interface

The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes.To enable pause frames,

• All members must have the same link MTU value and the same IP MTU value.• The port channel link MTU and IP MTU must be less than or equal to the lin

Setting the Speed and Duplex Mode of Ethernet InterfacesTo discover whether the remote and local interface requires manual speed synchronization, and

Gi 0/3 Down Auto Auto --Gi 0/4 Force10Port Up 1000 Mbit Auto 30-130Gi 0/5 Down Auto Auto --Gi 0/6

• Change the default interval between keepalive messages.INTERFACE modekeepalive [seconds]• View the new setting.INTERFACE modeshow configView Advance

Configuring the Interface Sampling SizeAlthough you can enter any value between 30 and 299 seconds (the default), software polling is done once every

0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pktsReceived 0 input symbol

– For a Port Channel interface, enter the keywords port-channel then a number.– For the management interface on the RPM, enter the keyword ManagementE

20Internet Protocol Security (IPSec)Internet protocol security (IPSec) is available on the Z9000 platform.IPSec is an end-to-end security scheme for p

Configuring IPSec The following sample configuration shows how to configure FTP and telnet for IPSec.1. Define the transform set.CONFIGURATION modecry

CLI Command Mode Prompt Access CommandROUTER BGPDell(conf-router_bgp)# router bgpBGP ADDRESS-FAMILYDell(conf-router_bgp_af)# (for IPv4)Dell(conf-route

21IPv4 RoutingIPv4 routing is supported on the Z9000 platform.The Dell Networking Operating System (OS) supports various IP addressing features. This

• Assigning IP Addresses to an Interface (mandatory)• Configuring Static Routes (optional)• Configure Static Routes for the Management Interface (opti

interface GigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown!Dell(conf-if)#Dell(conf-if)#show conf!interface GigabitEthernet 0/0ip address 10.1

S 6.1.2.7/32 via 6.1.20.2, Te 5/0 1/0 00:02:30S 6.1.2.8/32 via 6.1.20.2, Te 5/0 1/0 00:02:30S 6.1.2.9/32 via 6.1.20.2, Te 5/

S 6.1.2.9/32 via 6.1.20.2, Te 5/0 1/0 00:02:30S 6.1.2.10/32 via 6.1.20.2, Te 5/0 1/0 00:02:30S 6.1.2.11/32 via 6.1.20.2, Te 5/0

Using the Configured Source IP Address in ICMP MessagesThis feature is supported on the Z9000 platform.ICMP error or unreachable messages are now sent

CONFIGURATION modeDell(conf)#ip tcp reduced-syn-ack-wait <9-75> You can use the no ip tcp reduced-syn-ack-wait command to restore the default be

The order you entered the servers determines the order of their use.Example of the show hosts CommandTo view current bindings, use the show hosts comm

• Specify up to six name servers.CONFIGURATION modeip name-server ip-address [ip-address2 ... ip-address6]The order you entered the servers determines

For more information about Proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027, Using ARP to Implement Transparent Subnet Gateways

CLI Command Mode Prompt Access CommandMONITOR SESSIONDell(conf-mon-sess-sessionID)#monitor sessionOPENFLOW INSTANCEDell(conf-of-instance-of-id)#openfl

• Re-enable Proxy ARP.INTERFACE modeip proxy-arpTo view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it

In Dell Networking OS versions prior to 8.3.1.0, if a gratuitous ARP is received some time after an ARP request is sent, only RP2 installs the ARP inf

Figure 37. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP EnabledWhether you enable or disable ARP learning via gratuitous ARP, the

ICMPFor diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redire

2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address.Important Points to R

untagged GigabitEthernet 1/2no shutdownTo view the configured broadcast address for an interface, use show interfaces command.R1_E600(conf)#do show in

Figure 38. UDP Helper with Broadcast-All AddressesUDP Helper with Subnet Broadcast AddressesWhen the destination IP address of an incoming packet matc

UDP Helper with Configured Broadcast AddressesIncoming packets with a destination IP address matching the configured broadcast address of any interfac

When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.Example Output from the debug ip dhcp CommandPacket 0.0.0

22IPv6 RoutingInternet protocol version 6 (IPv6) routing is supported on the Z9000 platform.NOTE: The IPv6 basic commands are supported on all platfor

---- 0 Management online S4810 S4810 9.4(0.0) 64 1 Member not present 2 Member not present 3

NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). B

IPv6 Header FieldsThe 40 bytes of the IPv6 header are ordered, as shown in the following illustration.Figure 41. IPv6 Header FieldsVersion (4 bits)The

The following lists the Next Header field values.Value Description0 Hop-by-Hop option header4 IPv46 TCP8 Exterior Gateway Protocol (EGP)41 IPv643 Rout

However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet’s rou

of double colons is supported in a single address. Any number of consecutive 0000 groups may be reduced to two colons, as long as there is only one do

Implementing IPv6 with Dell Networking OSDell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system.The followi

Feature and FunctionalityDell Networking OS Release IntroductionDocumentation and Chapter LocationZ9000IS-IS for IPv6 8.3.11 Intermediate System to In

Feature and FunctionalityDell Networking OS Release IntroductionDocumentation and Chapter LocationZ9000(outbound SSH) Layer 3 onlySecure Shell (SSH) s

Figure 42. Path MTU Discovery ProcessIPv6 Neighbor DiscoveryIPv6 neighbor discovery protocol (NDP) is supported on the Z9000 platform.NDP is a top-lev

Figure 43. NDP Router RedirectIPv6 Neighbor Discovery of MTU PacketsYou can set the MTU advertised through the RA packets to incoming routers, without

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter

The DNS server address does not allow the following:• link local addresses• loopback addresses• prefix addresses• multicast addresses• invalid host ad

Displaying IPv6 RDNSS InformationTo display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC

Secure Shell (SSH) Over an IPv6 TransportIPv6 secure shell (SSH) is supported on the Z9000 platform.Dell Networking OS supports both inbound and outbo

The total space allocated must equal 13.The ipv6acl range must be a factor of 2.• Show the current CAM settings.EXEC mode or EXEC Privilege modeshow c

– prefix: IPv6 route prefix– type {slot/port}: interface type and slot/port– forwarding router: forwarding router’s address– tag: route tagEnter the k

• snmp-server group ipv6• snmp-server group access-list-name ipv6Showing IPv6 InformationAll of the following show commands are supported on the Z9000

Example of the show ipv6 interface Command ()Dell#show ipv6 int man 1/0ManagementEthernet 1/0 is up, line protocol is up IPV6 is enabled Stateless a

Examples of the show ipv6 route CommandsThe following example shows the show ipv6 route summary command.Dell#show ipv6 route summaryRoute Source Activ

– For the Management interface on the RPM, enter the keyword ManagementEthernet then the slot/port information.– For a 10-Gigabit Ethernet interface,

23Intermediate System to Intermediate SystemIntermediate system to intermediate system (Is-IS) is supported on the Z9000 platform.• IS-IS is supported

Configure the Overload Bit for a Startup Scenario... 51Viewing Files...

Short-Cut Key CombinationActionCNTL-B Moves the cursor back one character.CNTL-D Deletes character at cursor.CNTL-E Moves the cursor to the end of the

The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following:• area address — within your routing

Transition ModeAll routers in the area or domain must use the same type of IPv6 support, either single-topology or multi-topology. A router operating

A new TLV (the Restart TLV) is introduced in the IIH PDUs, indicating that the router supports graceful restart.TimersThree timers are used to support

• Accepts external IPv6 information and advertises this information in the PDUs.The following table lists the default IS-IS values.Table 15. IS-IS Def

Enabling IS-ISBy default, IS-IS is not enabled.The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process an

The IP address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address.5. Enter an IPv6 Add

IS-IS: Level-2 Hellos (sent/rcvd) : 4272/1538 IS-IS: PTP Hellos (sent/rcvd) : 0/0 IS-IS: Level-1 LSPs sourced (new/refresh) : 0/0 IS-IS: Level-2

Use this command for IPv6 route computation only when you enable multi-topology. If using single-topology mode, to apply to both IPv4 and IPv6 route c

– level-1, level-2: identifies the database instance type to which the wait interval applies.The range is from 5 to 120 seconds.The default is 30 seco

To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.Dell#show isi

• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface GigabitEthernet 0/0.• show ru

max-lsp-lifetime seconds– seconds: the range is from 1 to 65535.The default is 1200 seconds.Example of Viewing IS-IS Configuration (ROUTER ISIS Mode)T

• Set the metric style for the IS-IS process.ROUTER ISIS modemetric-style {narrow [transition] | transition | wide [transition]} [level-1 | level-2]Th

The default level is level-1.For more information about this command, refer to Configuring the IS-IS Metric Style.The following table describes the co

Dell#show isis databaseIS-IS Level-1 Link State DatabaseLSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OLB233.00-00 0x00000003 0x

distribute-list prefix-list-name in [interface]– Enter the type of interface and slot/port information:– For a 1-Gigabit Ethernet interface, enter the

– For a VLAN, enter the keyword vlan then a number from 1 to 4094.• Apply a configured prefix list to all outgoing IPv6 IS-IS routes.ROUTER ISIS-AF IP

– process-id the range is from 1 to 65535.– level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.– metri

Configuring Authentication PasswordsYou can assign an authentication password for routers in Level 1 and for routers in Level 2.Because Level 1 and Le

Example of Viewing the Overload Bit SettingWhen the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload

– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.• View the events that triggered I

NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example: Dell# command | grep regula

Metric Style Correct Value Range for the isis metric Commandwide transition 0 to 16777215narrow transition 0 to 63transition 0 to 63Maximum Values in

Beginning Metric Style Final Metric Style Resulting IS-IS Metric Valuetransition narrow original valuetransition narrow original valuetransition wide

Leaks from One Level to AnotherIn the following scenarios, each IS-IS level is configured with a different metric style.Table 19. Metric Value with Di

NOTE: Whenever you make IS-IS configuration changes, clear the IS-IS process (re-started) using the clear isis command. The clear isis command must in

ipv6 address 24:3::1/76ip router isisipv6 router isisno shutdownDell (conf-if-te-3/17)#Dell (conf-router_isis)#show config!router isismetric-style wid

24Link Aggregation Control Protocol (LACP)Link aggregation control protocol (LACP) is supported on the Z9000 platform.Introduction to Dynamic LAGs and

• There is a difference between the shutdown and no interface port-channel commands:– The shutdown command on LAG “xyz” disables the LAG and retains t

• Configure LACP mode.LACP mode[no] port-channel number mode [active | passive | off]– number: cannot statically contain any links.The default is LACP

Configuring the LAG Interfaces as DynamicAfter creating a LAG, configure the dynamic LAG interfaces.To configure the dynamic LAG interfaces, use the f

Dell(conf-if-po-32)#switchportDell(conf-if-po-32)#lacp long-timeoutDell(conf-if-po-32)#endDell# show lacp 32Port-channel 32 admin up, oper up, mode la

3Data Center Bridging (DCB)Data center bridging (DCB) is supported on the platform.NOTE: SNMP Support for PFC and Buffer Statistics TrackingBuffer Sta

Figure 46. Shared LAG State TrackingTo avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell Networking OS has the ab

As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This ef

• If a LAG that is part of a failover group is deleted, the failover group is deleted.• If a LAG moves to the Down state due to this feature, its memb

ARP type: ARPA, ARP Timeout 04:00:00Last clearing of "show interface" counters 00:02:11Queueing strategy: fifoInput statistics: 132 pack

Figure 50. Inspecting Configuration of LAG 10 on ALPHA434Link Aggregation Control Protocol (LACP)

Figure 51. Verifying LAG 10 Status on ALPHA Using the show lacp CommandSummary of the LAG Configuration on AlphaAlpha(conf-if-po-10)#int gig 2/31Alpha

interface GigabitEthernet 2/31no ip addressSummary of the LAG Configuration on BravoBravo(conf-if-gi-3/21)#int port-channel 10Bravo(conf-if-po-10)#no

Figure 52. Inspecting a LAG Port on BRAVO Using the show interface CommandLink Aggregation Control Protocol (LACP)437

Figure 53. Inspecting LAG 10 Using the show interfaces port-channel Command438Link Aggregation Control Protocol (LACP)

Figure 54. Inspecting the LAG Status Using the show lacp commandThe point-to-point protocol (PPP) is a connection-oriented protocol that enables layer

4Getting StartedThis chapter describes how you start configuring your system.When you power up the chassis, the system performs a power-on self test (

The Dell Networking OS already contains the functionality to monitor the performance and traffic handling of virtual interfaces created as LAG bundles

Guidelines for Monitoring High-Gigabit Port ChannelsKeep the following points in mind when you activate and examine the utilization and working-effici

Enabling the Verification of Member Links Utilization in a High-Gigabit Port ChannelThis procedure is supported on the Z9000 platform.To examine the w

spine NPU units, they range from 1-16. In a Card Type (slot), NPUT units are always indexed starting with the leaf NPU units, and then proceeding to t

25Layer 2Layer 2 features are supported on the Z9000 platform.Manage the MAC Address TableDell Networking OS provides the following management activit

The range is from 10 to 1000000.Configuring a Static MAC AddressA static entry is one that is not subject to aging. Enter static entries manually.To c

interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed:%E90MH:5 %ACL_AGENT-2-ACL_AGENT

mac learning-limit mac-address-stickyUsing sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If yo

no ip address switchport mac learning-limit 1 dynamic no-station-move mac learning-limit station-move-violation log no shutdownLearning Limit Vi

Recovering from Learning Limit and Station Move ViolationsAfter a learning-limit or station-move violation shuts down an interface, you must manually

Accessing the Console PortTo access the console port, follow these steps:For the console port pinout, refer to Accessing the RJ-45 Console Port with a

When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 i

Apply all other configurations to each interface in the redundant pair such that their configurations are identical, so that transition to the backup

LACP) port-channel interface as either the primary or backup link in a redundant pair with a physical interface.To ensure that existing network applic

inactive: Vl 100:24:55: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Gi 3/4200:24:55: %RPM0-P:CP %IFMGR-5-ACTIVE: Changed Vlan interf

Figure 58. Configuring Far-End Failure DetectionThe report consists of several packets in SNAP format that are sent to the nearest known MAC address.I

4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, (you can set eac

To report interval frequency and mode adjustments, use the following commands.1. Setup two or more connected interfaces for Layer 2 or Layer 3.INTERFA

To set up and activate two or more connected interfaces, use the following commands.1. Setup two or more connected interfaces for Layer 2 or Layer 3.I

Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Gi 1/0) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Po

26Link Layer Discovery Protocol (LLDP)The link layer discovery protocol (LLDP) is supported on the Z9000 platform.802.1AB (LLDP) OverviewLLDP — define

Entering CLI commands Using an SSH ConnectionYou can run CLI commands by entering any one of the following syntax to connect to a switch using the pre

Table 21. Type, Length, Value (TLV) TypesType TLV Description0 End of LLDPDU Marks the end of an LLDPDU.1 Chassis ID An administratively assigned name

Figure 61. Organizationally Specific TLVIEEE Organizationally Specific TLVsEight TLV types have been defined by the IEEE 802.1 and 802.3 working group

Type TLV Description127 Protocol Identity Indicates the protocols that the port can process. Dell Networking OS does not currently support this TLV.IE

Regarding connected endpoint devices, LLDP-MED provides network connectivity devices with the ability to:• manage inventory• manage Power over Etherne

Type SubType TLV DescriptionNone or all TLVs must be supported. Dell Networking OS does not currently support these TLVs.127 5 Inventory — Hardware Re

Figure 62. LLDP-MED Capabilities TLVTable 24. Dell Networking OS LLDP-MED CapabilitiesBit Position TLV Dell Networking OS Support0 LLDP-MED Capabiliti

NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivi

Extended Power via MDI TLVThe extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices.A

Important Points to Remember• LLDP is enabled by default.• Dell Networking systems support up to eight neighbors per interface.• Dell Networking syste

Enabling LLDPLLDP is enabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send period

Default ConfigurationA version of Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured when you power up for the f

3. Enter the disable command.LLDP-MANAGEMENT-INTERFACE mode.To undo an LLDP management port configuration, precede the relevant command with the keywo

Figure 65. Configuring LLDPViewing the LLDP ConfigurationTo view the LLDP configuration, use the following command.• Display the LLDP configuration.CO

Viewing Information Advertised by Adjacent LLDP AgentsTo view brief information about adjacent devices or to view all the information that neighbors a

Configuring LLDPDU IntervalsLLDPDUs are transmitted periodically; the default interval is 30 seconds.To configure LLDPDU intervals, use the following

• Return to the default setting.CONFIGURATION mode or INTERFACE modeno modeExample of Configuring a Single ModeR1(conf)#protocol lldpR1(conf-lldp)#sho

advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-descri

Figure 66. The debug lldp detail Command — LLDPDU Packet DissectionRelevant Management ObjectsDell Networking OS supports all IEEE 802.1AB MIB objects

MIB Object CategoryLLDP Variable LLDP MIB Object DescriptionmsgTxInterval lldpMessageTxInterval Transmit Interval value.rxInfoTTL lldpRxInfoTTL Time t

Table 28. LLDP System MIB ObjectsTLV Type TLV Name TLV Variable System LLDP MIB Object1 Chassis ID chassis ID subtype Local lldpLocChassisIdSubtypeRem

TLV Type TLV Name TLV Variable System LLDP MIB Objectinterface numbering subtypeLocal lldpLocManAddrIfSubtypeRemote lldpRemManAddrIfSubtypeinterface n

• port: the range is 0.2. Assign an IP address to the interface.INTERFACE modeip address ip-address/mask• ip-address: an address in dotted-decimal for

Table 30. LLDP-MED System MIB ObjectsTLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object1 LLDP-MED CapabilitiesLLDP-MED CapabilitiesLocallld

TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object3 Location Identifier Location Data FormatLocal lldpXMedLocLocationSubtypeRemote lldpXMed

27Microsoft Network Load BalancingThis functionality is supported on the Z9000 platform.Network Load Balancing (NLB) is a clustering functionality tha

• With NLB feature enabled, after learning the NLB ARP entry, all the subsequent traffic is flooded on all ports in VLAN1.With NLB, the data frame is

flooded out of all member ports. Since all the servers in the cluster receive traffic, failover and balancing are preserved.Enable and Disable VLAN Fl

28Multicast Source Discovery Protocol (MSDP)Multicast source discovery protocol (MSDP) is supported on the Z9000 platform.Protocol OverviewMSDP is a L

Figure 67. Multicast Source Discovery Protocol (MSDP)RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of T

Anycast RPUsing MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to sha

• Accept Source-Active Messages that Fail the RFP Check• Specifying Source-Active Messages• Limiting the Source-Active Cache• Preventing MSDP from Cac

Figure 70. Configuring OSPF and BGP for MSDPMulticast Source Discovery Protocol (MSDP)489

• enable password stores the password in the running/startup configuration using a DES encryption method.• enable secret is stored in the running/star

Figure 71. Configuring PIM in Multiple Routing Domains490Multicast Source Discovery Protocol (MSDP)

Figure 72. Configuring MSDPEnable MSDPEnable MSDP by peering RPs in different administrative domains.1. Enable MSDP.CONFIGURATION modeip multicast-msd

Examples of Configuring and Viewing MSDP R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_

Limiting the Source-Active CacheSet the upper limit of the number of active sources that the Dell Networking OS caches.The default active source limit

Figure 73. MSDP Default Peer, Scenario 1494Multicast Source Discovery Protocol (MSDP)

Figure 74. MSDP Default Peer, Scenario 2Multicast Source Discovery Protocol (MSDP)495

Figure 75. MSDP Default Peer, Scenario 3496Multicast Source Discovery Protocol (MSDP)

Figure 76. MSDP Default Peer, Scenario 4Specifying Source-Active MessagesTo specify messages, use the following command.• Specify the forwarding-peer

Dell(conf)#ip access-list standard fiftyDell(conf)#seq 5 permit host 200.0.0.50Dell#ip msdp sa-cacheMSDP Source-Active Cache - 3 entriesGroupAddr So

Example of Verifying the System is not Caching Local SourcesWhen you apply this filter, the SA cache is not affected immediately. When sources that ar

Lock CONFIGURATION Mode...74Viewing the Confi

Location source-file-url Syntax destination-file-url SyntaxFor a remote file location:SCP servercopy scp://{hostip | hostname}/filepath/ filenamescp:/

R3_E600(conf)#do show ip msdp sa-cacheR3_E600(conf)#R3_E600(conf)#do show ip msdp peerPeer Addr: 192.168.0.1 Local Addr: 0.0.0.0(639) Connect Sourc

Logging Changes in Peership StatesTo log changes in peership states, use the following command.• Log peership state changes.CONFIGURATION modeip msdp

Example of the clear ip msdp peer Command and Verifying Statistics are ClearedR3_E600(conf)#do show ip msdp peerPeer Addr: 192.168.0.1 Local Addr:

technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions.• lack of scalabl

Configuring Anycast RPTo configure anycast RP, use the following commands.1. In each routing domain that has multiple RPs serving a group, create a Lo

CONFIGURATION modeip msdp originator-idExamples of R1, R2, and R3 Configuration for MSDP with Anycast RPThe following example shows an R1 configuratio

no shutdown!interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown!interface Loopback 1 ip address 192.168.0.22/32 no sh

neighbor 192.168.0.22 remote-as 100 neighbor 192.168.0.22 ebgp-multihop 255 neighbor 192.168.0.22 update-source Loopback 0 neighbor 192.168.0.22

interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown!interface GigabitEthernet 2/11 ip pim sparse-mode ip address

redistribute connected redistribute bgp 200!router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-mult

• Save the running-configuration to an SCP server.EXEC Privilege modecopy running-config scp://{hostip | hostname}/ filepath/filenameNOTE: When copyin

29Multiple Spanning Tree Protocol (MSTP)Multiple spanning tree protocol (MSTP) is supported on the Z9000 platform.Protocol OverviewMSTP — specified in

Spanning Tree VariationsThe Dell Networking OS supports four variations of spanning tree, as shown in the following table.Table 31. Spanning Tree Vari

• Enabling SNMP Traps for Root Elections and Topology Changes• Configuring Spanning Trees as HitlessEnable Multiple Spanning Tree GloballyMSTP is not

Specify the keyword vlan then the VLANs that you want to participate in the MSTI.Examples of Configuring and Viewing MSTIThe following examples shows

Influencing MSTP Root SelectionMSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it bec

NOTE: Some non-Dell Networking OS equipment may implement a non-null default region name. SFTOS, for example, uses the Bridge ID, while others may use

The default is 15 seconds.2. Change the hello-time parameter.PROTOCOL MSTP modehello-time secondsNOTE: With large configurations (especially those con

• Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.The follo

• Enable EdgePort on an interface.INTERFACE modespanning-tree mstp edge-port [bpduguard | shutdown-on-violation]Dell Networking OS Behavior: Regarding

Figure 79. MSTP with Three VLANs Mapped to Two Spanning Tree InstancesRouter 1 Running-ConfigurationThis example uses the following steps:1. Enable MS

View Configuration FilesConfiguration files have three commented lines at the beginning of the file, as shown in the following example, to help you tr

no shutdown!interface Vlan 300 no ip address tagged GigabitEthernet 1/21,31 no shutdownRouter 2 Running-ConfigurationThis example uses the follow

name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300!(Step 2)interface GigabitEthernet 3/11 no ip address switchport no shutdown!inter

(Step 3)interface vlan 100 tagged 1/0/31 tagged 1/0/32exitinterface vlan 200 tagged 1/0/31 tagged 1/0/32exitinterface vlan 300 tagged 1/0/31 tag

– Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but no

INST 2: Flags: 0x70, Reg Root: 32768:0001.e8d5.cbbd, Int Root Cost Brg/Port Prio: 32768/128, Rem Hops: 20524Multiple Spanning Tree Protocol (MSTP)

30Multicast FeaturesMulticast features are supported on the Z9000 platform.NOTE: Multicast is supported on secondary IP addresses on the platform.NOTE

Figure 80. Multicast with ECMPImplementation InformationBecause protocol control traffic in Dell Networking OS is redirected using the MAC address, an

Protocol Ethernet AddressPIM-SM 01:00:5e:00:00:0d• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-trace

• If the limit is decreased after it is reached, Dell Networking OS does not clear the existing sessions. Entries are cleared after a timeout (you may

no access list limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table.Figure 81. Preve

- - - network rw tftp: - - - network rw scp:You can change the default file system so that file manag

Location Description• no shutdown1/31• Interface GigabitEthernet 1/31• ip pim sparse-mode• ip address 10.11.13.1/24• no shutdown2/1• Interface Gigabit

Location Description• ip igmp access-group igmpjoinfilR2G2• no shutdownRate Limiting IGMP Join RequestsIf you expect a burst of IGMP Joins, protect th

Figure 82. Preventing a Source from Transmitting to a GroupTable 34. Preventing a Source from Transmitting to a Group — DescriptionLocation Descriptio

Location Description• no shutdown2/1• Interface GigabitEthernet 2/1• ip pim sparse-mode• ip address 10.11.1.1/24• no shutdown2/11• Interface GigabitEt

Preventing a PIM Router from Processing a JoinTo permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the foll

31Open Shortest Path First (OSPFv2 and OSPFv3)Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on the Z9000

Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow

The backbone is the only area with a default area number. All other areas can have their Area ID assigned in the configuration.In the previous example

Figure 84. OSPF Routing ExamplesBackbone Router (BR)A backbone router (BR) is part of the OSPF Backbone, Area 0.This includes all ABRs. It can also in

An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.Autonomous System Border Router (ASBR)The autonomous

To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must ena

available. An ABR floods the information for the router (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4

Router Priority and CostRouter priority and cost is the method the system uses to “rate” the routers.For example, if not assigned, the system selects

Dell Networking OS supports stub areas, totally stub (no summary) and not so stubby areas (NSSAs) and supports the following LSAs, as described earlie

OSPFv2 supports helper-only and restarting-only roles. By default, both helper and restarting roles are enabled. OSPFv2 supports the helper-reject rol

example, if you create five OSPFv2 processes on a system, there must be at least five interfaces assigned in Layer 3 mode.Each OSPFv2 process is indep

LSType:Type-5 AS External(5) Age:1 Seq:0x8000000c id:170.1.2.0 Adv:6.1.0.0 Netmask:255.255.255.0 fwd:0.0.0.0 E2, tos:0 metric:0To confirm

Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 1.1.1.1 (Backup Designated Router)Dell (conf-if-gi-2/2)#Configuration Info

If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2

• Reset the OSPFv2 process.EXEC Privilege modeclear ip ospf process-id• View the current OSPFv2 status.EXEC modeshow ip ospf process-idExample of View

If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays:C300(conf)#router ospf 1% Error: No router

Using HTTP for File TransfersStating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. Use the copy s

Dell(conf)#router ospf 1Dell(conf-router_ospf-1)#network 1.2.3.4/24 area 0Dell(conf-router_ospf-1)#network 10.10.10.10/24 area 1Dell(conf-router_ospf-

Loopback 0 is up, line protocol is up Internet Address 10.168.253.2/32, Area 0.0.0.1 Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Co

Enabling Passive InterfacesA passive interface is one that does not send or receive routing information.Enabling passive interface suppresses routing

GigabitEthernet 0/1 is up, line protocol is down Internet Address 10.1.3.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type BROA

The following examples shows how to disable fast-convergence.Dell#(conf-router_ospf-1)#no fast-convergeDell#(conf-router_ospf-1)#exDell#(conf)#exDell#

NOTE: Be sure to write down or otherwise record the key. You cannot learn the key after it is configured. You must be careful when changing this key.N

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:06 Neighbor Count is 0, Adjacent neighbor count is 0Dell

graceful-restart grace-period secondsThe seconds range is from 40 and 3000.This setting is the time that an OSPFv2 router’s neighbors advertises it as

graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1

• Specify which routes are redistributed into OSPF process.CONFIG-ROUTEROSPF-id moderedistribute {bgp | connected | isis | rip | static} [metric metri

• flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name.• hash-value: (Optional).

• View the summary of all OSPF process IDs enables on the router.EXEC Privilege modeshow running-config ospf• View the summary information of the IP r

!router ospf 90 area 2 virtual-link 4.4.4.4 area 2 virtual-link 90.90.90.90 retransmit-interval 300!ipv6 router ospf 999 default-information origin

ip address 10.2.12.2/24 no shutdown!interface Loopback 10 ip address 192.168.100.100/24 no shutdownOSPF Area 0 — Gl 3/1 and 3/2router ospf 33333

The OSPFv3 ipv6 ospf area command enables OSPFv3 on the interface and places the interface in an area. With OSPFv2, two commands are required to accom

NOTE: The OSPFv2 network area command enables OSPFv2 on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each int

– Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted de

Configuring a Default RouteTo generate a default external route into the OSPFv3 routing domain, configure Dell Networking OS.To specify the informatio

CONF-IPV6-ROUTER-OSPF modegraceful-restart mode [planned-only | unplanned-only]– Planned-only: the OSPFv3 router supports graceful restart only for pl

The following example shows the show ipv6 ospf database database-summary command.Dell#show ipv6 ospf database database-summary!OSPFv3 Router with ID (

• Tunnel mode — is more secure and encrypts both the header and payload. On the receiving side, an IPsec-compliant device decrypts each packet.NOTE: D

5ManagementManagement is supported on the Z9000 platform.This chapter describes the different protocols or services used to manage the Dell Networking

• Manual key configuration is supported in an authentication or encryption policy (dynamic key configuration using the internet key exchange [IKE] pro

– MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).– key-encryption-type: (optional) specifies

– key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information. For MD5 authentication

• Display the configuration of IPSec authentication policies on the router.show crypto ipsec policyConfiguring IPsec Encryption for an OSPFv3 AreaTo c

Displaying OSPFv3 IPsec Security PoliciesTo display the configuration of IPsec authentication and encryption policies, use the following commands.• Di

Crypto IPSec client security policy dataPolicy name : OSPFv3-0-501Policy refcount : 1Inbound ESP SPI : 501 (0x1F5)Outbound

replay detection support : N STATUS : ACTIVETroubleshooting OSPFv3Dell Networking OS has several tools to make troubleshooting easier. Consider t

– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, passive-interface gi 2/1).– For a p

32Policy-based Routing (PBR)Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.This chapte

To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies. The following parameters can be defined in the

Allowing Access to CONFIGURATION Mode CommandsTo allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGU

Implementing Policy-based Routing with Dell Networking OS• Non-contiguous bitmasks for PBR• Hot-Lock PBRNon-contiguous bitmasks for PBRNon-contiguous

The following example creates a redirect list by the name of “xyz.”Dell(conf)#ip redirect-list ?WORD Redirect-list name (max 16 chars) Dell(co

Dell(conf-redirect-list)#redirect 3.3.3.3 ?<0-255> An IP protocol number icmp

PBR Exceptions (Permit)Use the command permit to create an exception to a redirect list. Exceptions are used when a forwarding decision should be base

Applying a Redirect-list to an Interface Example:Dell(conf-if-te-2/0)#ip redirect-group xyz Dell(conf-if-te-2/0)#Applying a Redirect-list to an Interf

NOTE: If, the redirect-list is applied to an interface, the output of show ip redirect-list redirect-list-name command displays reachability and ARP s

Create the Redirect-List GOLDEDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLDEDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_G

View Redirect-List GOLDEDGE_ROUTER#show ip redirect-listIP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-ho

33PIM Sparse-Mode (PIM-SM)Protocol-independent multicast sparse-mode (PIM-SM) is supported on the Z9000 platform.PIM-SM is a multicast protocol that f

3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action. If a rou

• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.CONFIGURATION modeprivilege {configure |interface | line | r

Configuring PIM-SMConfiguring PIM-SM is a three-step process.1. Enable multicast routing (refer to the following step).2. Select a rendezvous point.3.

To display PIM neighbors for each interface, use the show ip pim neighbor command EXEC Privilege mode.Dell#show ip pim neighborNeighbor Interface

ip access-list extended access-list-name3. Specify the source and group to which the timer is applied using extended ACLs with permit rules only.CONFI

Dell#sh run pim!ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4Overriding Bootstrap Router UpdatesPIM-SM routers must know the address of the RP f

Creating Multicast Boundaries and DomainsA PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a com

34PIM Source-Specific Mode (PIM-SSM)PIM source-specific mode (PIM-SSM) is supported on the Z9000 platform.PIM-SSM is a multicast protocol that forward

Configure PIM-SMMConfiguring PIM-SSM is a two-step process.1. Configure PIM-SMM.2. Enable PIM-SSM for a range of addresses.Related Configuration Tasks

• When you remove the mapping configuration, Dell Networking OS removes the corresponding (S,G) states that it created and re-establishes the original

Interface Vlan 400Group 239.0.0.1Uptime 00:00:05Expires NeverRouter mode INCLUDELas

35Port MonitoringPort monitoring is supported on the Z9000 platform.Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traf

Counting ACL Hits...107Configure I

aux Auxiliary lineconsole Primary terminal linevty Virtual terminalDell(conf)#line vty 0Dell(config-line-v

Port MonitoringThe Z9000 supports multiple source-destination statements in a single monitor session.The maximum number of source ports that can be su

Example of Viewing a Monitoring SessionIn the example below, 0/25 and 0/26 belong to Port-pipe 1. This port-pipe has the same restriction of only four

show interface2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.CONFIGURATIO

Figure 88. Port Monitoring ExampleEnabling Flow-Based MonitoringFlow-based monitoring is supported only on the S-Series platform.Flow-based monitoring

Example of the flow-based enable CommandTo view an access-list that you applied to an interface, use the show ip accounting access-list command from E

source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle wit

• Mirrored traffic is transported across the network using 802.1Q-in-802.1Q tunneling. The source address, destination address and original VLAN ID of

RestrictionsWhen you configure remote port mirroring, the following restrictions apply:• You can configure the same source port to be used in multiple

destination switches), and a destination session (destination ports connected to analyzers on destination switches).Configuration Steps for RPMStep Co

Dell(conf)#inte te 0/30Dell(conf-if-te-0/30)#no shutdownDell(conf-if-te-0/30)#switchportDell(conf-if-te-0/30)#exitDell(conf)#interface vlan 30Dell(con

• Disable logging to terminal lines.CONFIGURATION modeno logging monitor• Disable console logging.CONFIGURATION modeno logging consoleAudit and Securi

Dell(conf)#monitor session 1 type rpmDell(conf-mon-sess-1)#source remote-vlan 10 dest te 0/3Dell(conf-mon-sess-1)#exitDell(conf)#monitor session 2 typ

Configuring the Encapsulated Remote Port MirroringThe ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic

6<no> flow-based enable Specify flow-based enable for mirroring on a flow by flow basis and also for vlan as source.7no enable (Optional) No dis

ERPM Behavior on a typical Dell Networking OS The Dell Networking OS is designed to support only the Encapsulation of the data received / transmitted

39th byte in a given ERPM packet. The first 38/42 bytes of the header needs to be ignored/ chopped off.– Some tools support options to edit the captur

36Private VLANs (PVLAN)The private VLAN (PVLAN) feature is supported on the Z9000 platform.For syntax details about the commands described in this cha

– A primary VLAN has one or more secondary VLANs.– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the sw

INTERFACE VLAN mode[no] private-vlan mapping secondary-vlan vlan-list• Display type and status of PVLAN interfaces.EXEC mode or EXEC Privilege modesho

4. Select the PVLAN mode.INTERFACE modeswitchport mode private-vlan {host | promiscuous | trunk}• host (isolated or community VLAN port)• promiscuous

INTERFACE VLAN modeprivate-vlan mapping secondary-vlan vlan-listThe list of secondary VLANs can be:• Specified in comma-delimited (VLAN-ID,VLAN-ID) or

When you enabled RBAC and extended logging:• Only the system administrator user role can execute this command.• The system administrator and system se

INTERFACE VLAN modetagged interface or untagged interfaceYou can enter the interfaces singly or in range format, either comma-delimited (slot/port,por

Private VLAN Configuration ExampleThe following example shows a private VLAN topology.Figure 89. Sample Private VLAN TopologyThe following configurati

• All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN

show vlan private-vlan mappingThis command is specific to the PVLAN feature.Examples of Viewing a Private VLAN using the show CommandsThe show arp and

switchport switchport mode private-vlan host no shutdown!interface GigabitEthernet 0/5 no ip address switchport switchport mode private-vlan ho

37Per-VLAN Spanning Tree Plus (PVST+)Per-VLAN spanning tree plus (PVST+) is supported on the Z9000 platform.Protocol OverviewPVST+ is a variation of s

Table 35. Spanning Tree Variations Dell Networking OS SupportsDell Networking Term IEEE SpecificationSpanning Tree Protocol (STP) 802 .1dRapid Spannin

PROTOCOL PVST modeno disableDisabling PVST+To disable PVST+ globally or on an interface, use the following commands.• Disable PVST+ globally.PROTOCOL

Figure 91. Load Balancing with PVST+The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority

Root Identifier has priority 4096, Address 0001.e80d.b6d6Root Bridge hello time 2, max age 20, forward delay 15Bridge Identifier has priority 4096, Ad

The following describes the two log messages formats:• 0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol• 1 – Disp

PROTOCOL PVST modevlan max-ageThe range is from 6 to 40.The default is 20 seconds.The values for global PVST+ parameters are given in the output of th

The range is from 0 to 240, in increments of 16.The default is 128.The values for interface PVST+ parameters are given in the output of the show spann

PVST+ in Multi-Vendor NetworksSome non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D B

Example of Viewing the Extend System ID in a PVST+ ConfigurationDell(conf-pvst)#do show spanning-tree pvst vlan 5 briefVLAN 5Executing IEEE compatible

no ip address tagged GigabitEthernet 2/12,32 no shutdown!interface Vlan 200 no ip address tagged GigabitEthernet 2/12,32 no shutdown!interface

38Quality of Service (QoS)Quality of service (QoS) is supported on the Z9000 platform.Differentiated service is accomplished by classifying and queuin

Feature DirectionConfigure a Scheduler to Queue EgressSpecify WRED Drop Precedence EgressCreate Policy Maps Ingress + EgressCreate Input Policy Maps I

Figure 93. Dell Networking QoS ArchitectureImplementation InformationThe Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bi

Setting dot1p Priorities for Incoming TrafficDell Networking OS places traffic marked with a priority in a queue based on the following table.If you s

Example of Configuring an Interface to Honor dot1p Priorities on Ingress TrafficDell#config tDell(conf)#interface tengigabitethernet 1/0Dell(conf-if)#

2. On the syslog server, create a reverse SSH tunnel from the syslog server to FTOS switch, using following syntax: ssh -R <remote port>:<sys

rate shape• Apply rate shaping to a queue.QoS Policy moderate-shapeExample of rate shape CommandDell#configDell(conf)#interface tengigabitethernet 1/0

Classify TrafficClass maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.For both cla

Dell(conf)#policy-map-input pmapDell(conf-policy-map-in)#service-queue 3 class-map cmap1Dell(conf-policy-map-in)#service-queue 1 class-map cmap2Dell(c

ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets w

seq 10 deny ip any any!ip access-list extended AF2 seq 5 permit ip host 23.64.0.5 any seq 10 deny ip any anyDell# show cam layer3-qos interface te

NOTE: To avoid issues misconfiguration causes, Dell Networking recommends configuring either DCBX or Egress QoS features, but not both simultaneously.

Configuring Policy-Based Rate ShapingTo configure policy-based rate shaping, use the following command.• Configure rate shape egress traffic.QOS-POLIC

Applying an Input QoS Policy to an Input Policy MapHonoring DSCP Values on Ingress PacketsHonoring dot1p Values on Ingress Packets3. Apply the input p

Honoring dot1p Values on Ingress PacketsDell Networking OS honors dot1p values on ingress packets with the Trust dot1p feature.The following table spe

Applying an Input Policy Map to an InterfaceTo apply an input policy map to an interface, use the following command.You can apply the same policy map

Sending System Messages to a Syslog ServerTo send system messages to a specified syslog server, use the following command. The following syslog standa

1. Create the color-aware map QoS DSCP color map. CONFIGURATION modeqos dscp-color-map color-map-name2. Create the color aware map profile.DSCP-COLOR-

Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-pol

service-queueSpecifying an Aggregate QoS PolicyTo specify an aggregate QoS policy, use the following command.• Specify an aggregate QoS policy.POLICY-

Enabling Strict-Priority QueueingStrict-priority means that Dell Networking OS de-queues all packets from the assigned queue before servicing any othe

Figure 95. Packet Drop Rate for WREDYou can create a custom WRED profile or use one of the five pre-defined profiles.Creating WRED ProfilesTo create W

wredDisplaying Default and Configured WRED ProfilesTo display the default and configured WRED profiles, use the following command.• Display default an

• Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface.• Status — indicates whether the

achieved. Also, the devices can respond to congestion before a queue overflows and packets are dropped, enabling improved queue management.When a pack

occurs to prevent system-level complexities in enabling this support for backplane ports. Also, WRED/ECN is not supported for multicast packets.The fo

QOS-POLICY-OUT modeDell(conf-qos-policy-out)#wred—profile weight number2. Configure a WRED profile, and specify the threshold and maximum drop rate.WR

logging history level• Specify the size of the logging buffer.CONFIGURATION modelogging buffered sizeNOTE: When you decrease the buffer size, Dell Net

Guidelines for Configuring ECN for Classifying and Color-Marking PacketsKeep the following points in mind while configuring the marking and mapping of

Applying this policy-map “ecn_0_pmap” will mark all the packets with ‘ecn == 0’ as yellow packets on queue0 (default queue).Classifying Incoming Packe

Until Release 9.3(0.0), the software has the capability to qualify only on the 6-bit DSCP part of the ToS field in IPv4 Header. You can now accept and

This marking action to set the color of the packet is allowed only on the ‘match-any’ logical operator of the class-map.This marking-action can be con

seq 15 permit any dscp 40 ecn 3!ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0!ip access-list standard dscp_40_non_ecn seq 5

Applying DSCP and VLAN Match Criteria on a Service QueueYou can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code

39Routing Information Protocol (RIP)Routing information protocol (RIP) is supported on the Z9000 platform.RIP is based on a distance-vector algorithm;

Implementation InformationDell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on i

Enabling RIP GloballyBy default, RIP is not enabled in Dell Networking OS.To enable RIP globally, use the following commands.1. Enter ROUTER RIP mode

192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 0/0192.162.2.0/24 auto-summary192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 0/019

%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/

distribute-list prefix-list-name in• Assign a configured prefix list to all outgoing RIP routes.ROUTER RIP modedistribute-list prefix-list-name outTo

• Set the RIP versions received on that interface.INTERFACE modeip rip receive version [1] [2]• Set the RIP versions sent out on that interface.INTERF

Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution m

Controlling Route MetricsAs a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a rou

Dell#debug ip ripRIP protocol debug is ONDell#To disable RIP, use the no debug ip rip command.RIP Configuration ExampleThe examples in this section sh

Core 2 RIP OutputThe examples in the section show the core 2 RIP output.Examples of the show ip Commands to View Core 2 Information• To display Core 2

The following example shows the show ip protocols command to show the RIP configuration activity on Core 2.Core2#show ip protocolsRouting Protocol is

Examples of the show ip Commands to View Learned RIP Routes on Core 3The following example shows the show ip rip database command to view the learned

GigabitEthernet 3/44 2 2 GigabitEthernet 3/43 2 2Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0Rou

ip address 192.168.2.1/24 no shutdown!router ripversion 2network 10.11.20.0network 10.11.30.0network 192.168.1.0network 192.168.2.0Routing Informat

Dell#show running-config logging!logging buffered 524288 debuggingservice timestamps log datetime msecservice timestamps debug datetime msec!logging t

40Remote Monitoring (RMON)Remote monitoring (RMON) is supported on the Z9000 platform.RMON is an industry-standard implementation that monitors networ

the sampled data — the new master RPM provides the same sampled data as did the old master — as long as the master RPM had been running long enough to

Example of the rmon alarm CommandTo disable the alarm, use the no form of the command.The following example configures RMON alarm number 10. The alarm

[no] rmon collection statistics {controlEntry integer} [owner ownername]– controlEntry: specifies the RMON group of statistics using a value.– integer

41Rapid Spanning Tree Protocol (RSTP)Rapid spanning tree protocol (RSTP) is supported on the Z9000 platform.Protocol OverviewRSTP is a Layer 2 protoco

Important Points to Remember• RSTP is disabled by default.• Dell Networking OS supports only one Rapid Spanning Tree (RST) instance.• All interfaces i

INTERFACE modeno shutdownExample of Verifying an Interface is in Layer 2 Mode and EnabledTo verify that an interface is in Layer 2 mode and enabled, u

Figure 97. Rapid Spanning Tree Enabled GloballyTo view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privile

BPDU : sent 121, received 2The port is not in the Edge port modePort 379 (GigabitEthernet 2/3) is designated ForwardingPort path cost 20000, Port prio

Modifying Global ParametersYou can modify RSTP parameters.The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites th

service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]Specify the following optional parameters:– You can add the key

NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.The range is fr

To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode.Enabling SNMP Traps for Root Ele

• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.• When you add a physical port to a port chann

The range is from 50 to 950 milliseconds.Example of Verifying Hello-Time IntervalDell(conf-rstp)#do show spanning-tree rstp briefExecuting IEEE compat

42Software-Defined Networking (SDN)Dell Networking operating software supports Software-Defined Networking (SDN). For more information, refer to the S

43SecuritySecurity features are supported on the Z9000 platform.This chapter describes several ways to provide security to the Dell Networking system.

– system: sends accounting information of any other AAA configuration.– exec: sends accounting information when a user has logged in to EXEC mode.– co

CONFIG-LINE-VTY modeaccounting commands 15 com15accounting exec execAcctExample of Enabling AAA Accounting with a Named Method ListDell(config-line-vt

Configuration Task List for AAA AuthenticationThe following sections provide the configuration tasks.• Configure Login Authentication for Terminal Lin

To view the configuration, use the show config command in LINE mode or the show running-config in EXEC Privilege mode.NOTE: Dell Networking recommends

Configure BFD... 141Co

Configuring FTP Server ParametersAfter you enable the FTP server on the system, you can configure different parameters.To specify the system logging s

To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands.The followi

By default, commands in Dell Networking OS are assigned to different privilege levels. You can access those commands only if you have access to that p

To configure a password for a specific privilege level, use the following command.• Configure a password for a privilege level.CONFIGURATION modeenabl

enable password [level level] [encryption-mode] passwordConfigure the optional and required parameters:• level level: specify a level from 0 to 15. Le

The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Pr

Enabling and Disabling Privilege LevelsTo enable and disable privilege levels, use the following commands.• Set a user’s security level.EXEC Privilege

Built by root at bsdlab on Thu_Aug_18_06:51:21_UTC_2011Z9000 Boot selector Label 3.0.1.1 NetBoot Label 0.0.0.0+-----------------------------+|Force10

ACL Configuration InformationThe RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user

To view the configuration, use the show config in LINE mode or the show running-config command in EXEC Privilege mode.Defining a AAA Method List to be

radius-server host {hostname | ip-address} [auth-port port-number] [retransmit retries] [timeout seconds] [key [encryption-type] key]Configure the opt

• Enter a username to use on the FTP client.CONFIGURATION modeip ftp username nameTo view the FTP configuration, use the show running-config ftp comma

radius-server retransmit retries– retries: the range is from 0 to 100. Default is 3 retries.• Configure the time interval the system waits for a RADIU

Use this command multiple times to configure multiple TACACS+ server hosts.2. Enter a text string (up to 16 characters long) as the name of the method

on vty0 (10.11.9.209)%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable passwordauthentication success on vty0 ( 10.11.9.209 )Monitoring TACACS+T

To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode.To delete a TACACS+ server host, use the no taca

EXEC Privilege modessh {hostname} [-l username | -p port-number | -v {1 | 2}| -c encryption cipher | -m HMAC algorithmhostname is the IP address or ho

EXEC Privilege modeExample of Using SCP to Copy from an SSH Server on Another SwitchOther SSH-related commands include:• crypto key generate: generate

To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval]

Configuring the HMAC Algorithm for the SSH ServerTo configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command

• aes192-ctr• aes256-ctrThe default cipher list is 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrExample of Configuring a

group1-sha1,diffie-hellman-group14-sha1.Password Authentication : enabled.Hostbased Authentication : disabled.RSA Authentication : disabled.

Configuring Login Authentication for Terminal LinesYou can use any combination of up to six authentication methods to authenticate a user on a termina

CONFIGURATION mode or EXEC Privilege modeno ip ssh password-authentication or no ip ssh rsa-authentication6. Enable host-based authentication.CONFIGUR

-l User name option-m HMAC algorithm to use (for v2 clients only)-p SSH server port opt

• VTY Line Remote Authentication and AuthorizationVTY Line Local Authentication and AuthorizationDell Networking OS retrieves the access class from th

Example of Configuring VTY Authorization Based on Access Class Retrieved from the Line (Per Network Address)Dell(conf)#ip access-list standard deny10D

• Role Accounting• Configuring AAA Authentication for Roles• Configuring AAA Authorization for Roles• Configuring an Accounting for Roles• Applying an

Configuring Role-based Only AAA AuthorizationYou can configure authorization so that access to commands is determined only by the user’s role. If the

line vty 0login authentication testauthorization exec testline vty 1login authentication testauthorization exec testTo enable role-based only AAA auth

• Modifying Command Permissions for Roles • Adding and Deleting Users from a RoleCreating a New User Role Instead of using the system defined user rol

Authorization Mode: role or privilegeRole Inheritance Modes netoperator

Example: Allow Security Administrator to Access Interface ModeThe following example allows the security administrator (secadmin) to access Interface m

login authentication myvtymethodlistDell(config-line-vty)#Setting Time Out of EXEC Privilege ModeEXEC time-out is a basic security feature that return

By default, the system defined role, secadmin, is not allowed to configure protocols. The following example first grants the secadmin role to configur

When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three methods allows users to b

aaa accounting commands role netadmin ucraaa start-stop tacacs+!The following configuration example applies a method list other than default to each V

“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Network OS TACACS+ specification, and “sep” is “=”. These attributes allo

Applying an Accounting Method to a RoleTo apply an accounting method list to a role executed by a user with that user role, use the accounting command

Protocol MAC testadmin netadmin Exec Config Interface Line Router IP Routemap Protocol MACDisplaying Role Permissions Assigned t

44Service Provider BridgingService provider bridging is supported on the Z9000 platform.VLAN StackingVirtual local area network (VLAN) stacking is sup

Figure 98. VLAN Stacking in a Service Provider NetworkImportant Points to Remember• Interfaces that are members of the Default VLAN and are configured

Configure VLAN StackingConfiguring VLAN-Stacking is a three-step process.1. Creating Access and Trunk Ports2. Assign access and trunk ports to a VLAN

interface GigabitEthernet 7/12 no ip address switchport vlan-stack trunk no shutdownEnable VLAN-Stacking for a VLANTo enable VLAN-Stacking for a V

Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.Example of the telnet Command for Device Ac

To configure trunk ports, use the following commands.1. Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making i

• MT — stacked trunk• MU — stacked access port• T — 802.1Q trunk port• U — 802.1Q access port• NU — Native VLAN (untagged)Dell# debug member vlan 603v

Figure 99. Single and Double-Tag TPID Match742Service Provider Bridging

Figure 100. Single and Double-Tag First-byte TPID MatchService Provider Bridging743

Figure 101. Single and Double-Tag TPID MismatchVLAN Stacking Packet Drop PrecedenceVLAN stacking packet drop precedence is available on the Z9000 plat

Table 47. Drop Eligibility BehaviorIngress Egress DEI Disabled DEI EnabledNormal Port Normal Port Retain CFI Set CFI to 0.Trunk Port Trunk Port Retain

Marking Egress Packets with a DEI ValueOn egress, you can set the DEI value according to a different mapping than ingress.For ingress information, ref

• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this opt

service-policy input in layer2 no shutdownMapping C-Tag to S-Tag dot1p ValuesTo map C-Tag dot1p values to S-Tag dot1p values and mark the frames ac

Figure 103. VLAN Stacking without L2PTYou might need to transport control traffic transparently through the intermediate network to the other region.

If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User &quo

the intermediate network because only Dell Networking OS could recognize the significance of the destination MAC address and rewrite it to the origina

Enabling Layer 2 Protocol TunnelingTo enable Layer 2 protocol tunneling, use the following command.1. Verify that the system is running the default CA

4. Set a maximum rate at which the RPM processes BPDUs for L2PT.VLAN STACKING modeprotocol-tunnel rate-limitThe default is: no rate limiting.The range

45sFlowConfiguring sFlow is supported on the Z9000 platform.OverviewThe Dell Networking Operating System (OS) supports sFlow version 5.sFlow is a stan

Important Points to Remember• The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.• Dell Networking recomm

69 sFlow samples dropped due to sub-samplingLinecard 1 Port set 0 H/W sampling rate 8192Gi 1/16: configured rate 8192, actual rate 8192, sub-sampling

Dell#show sflowsFlow services are enabledGlobal default sampling rate: 32768Global default counter polling interval: 201 collectors configuredCollecto

Example of Viewing sFlow Configuration (Line Card)Dell#show sflow stack-unit 1stack-unit 1 Samples rcvd from h/w :165 Samples dropped for

As a result of back-off, the actual sampling-rate of an interface may differ from its configured sampling rate. You can view the actual sampling-rate

0 UDP packets exported0 UDP packets dropped0 sFlow samples collected0 sFlow samples dropped due to sub-samplingImportant Points to Remember• To export

8. Display the content of the startup-config.EXEC Privilege modeshow running-config9. Remove the previous authentication configuration.config t10. Set

IP SA IP DA srcAS and srcPeerASdstAS and dstPeerASDescriptionwhere is source is reachable over ECMP.BGP BGP Exported Exported Extended gateway data is

46Simple Network Management Protocol (SNMP)Simple network management protocol (SNMP) is supported on the Z9000 platform.NOTE: On Dell Networking route

Configuration mode. When the FIPS mode is enabled on the system, SNMPv3 operates in a FIPS-compliant manner, and only the FIPS-approved algorithm opti

Configuration Task List for SNMPConfiguring SNMP version 1 or version 2 requires a single step.NOTE: The configurations in this chapter use a UNIX env

Creating a CommunityFor SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell Networking OS.The management station gene

snmp-server group group-name 3 noauth auth read name write name• Configure an SNMPv3 view.CONFIGURATION modesnmp-server view view-name oid-tree {inclu

• Read the value of a single managed object.snmpget -v version -c community agent-ip {identifier.instance | descriptor.instance}• Read the value of th

Configuring Contact and Location Information using SNMPYou may configure system contact and location information from the Dell Networking system or fr

Subscribing to Managed Object Value Updates using SNMPBy default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon cert

snmp coldstart SNMP_COLD_START: Agent Initialized - SNMP COLD_START. SNMP_WARM_START:Agent Initialized - SNMP WARM_START.s

8. Save the running-config to the startup-config.EXEC Privilege modecopy running-config startup-configRecovering from a Failed Start on the Z9000 Syst

envmon fan FAN_TRAY_BAD: Major alarm: fantray %d is missing or down FAN_TRAY_OK: Major alarm cleared: fan tray %d present FAN_BAD: Minor alarm: som

SNMP OID <oid> %RPM0-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: STACKUNIT0 high-capacity rising threshold alarm from SNMP OID <oid>Copy C

MIB Object OID Object Values DescriptioncopySrcFileName is not required.copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.51 = Dell Networking OS file2 =

Copying a Configuration FileTo copy a configuration file, use the following commands.NOTE: In UNIX, enter the snmpset command for help using the follo

• Copy the running-config to the startup-config from the UNIX machine.snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyD

copyUserName.index s server-login-id copyUserPassword.index s server-login-password• precede server-ip-address by the keyword a.• precede the values f

myfilenamecopyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.10 s mypassAdditional MIB Objects to View Copy StatisticsDell

index: the index value used in the snmpset command used to complete the copy operation.NOTE: You can use the entire OID rather than the object name. U

VLAN"SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.1107787786 = STRING: "My VLAN"[Dell system output]Dell#show int vlan 10Vlan 10 is down, line prot

Example of Adding a Tagged Port to a VLAN using SNMPIn the following example, Port 0/2 is added as a tagged member of VLAN 10.>snmpset -v2c -c myco

Restoring the Factory Default SettingsRestoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all confi

CONFIGURATION modesnmp-server community2. From the Dell Networking system, identify the interface index of the port for which you want to change the a

In the following example, R1 has one dynamic MAC address, learned off of port TeGigabitEthernet 1/21, which a member of the default VLAN, VLAN 1. The

Deriving Interface IndicesDell Networking OS assigns an interface number to each (configured or unconfigured) physical and logical interface.The inter

Monitor Port-ChannelsTo check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a swi

SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1"2010-02-10 14:22:40 10.16.130.4 [10.16.

47Storm ControlStorm control is supported on the Z9000 platform.The storm control feature allows you to control unknown-unicast and broadcast traffic

48Spanning Tree Protocol (STP)The spanning tree protocol (STP) is supported on the Z9000 platform.Protocol OverviewSTP is a Layer 2 protocol — specifi

Important Points to Remember• STP is disabled by default.• The Dell Networking OS supports only one spanning tree instance (0). For multiple instances

To configure and enable the interfaces for Layer 2, use the following command.1. If the interface has been assigned an IP address, remove it.INTERFACE

Figure 106. Spanning Tree Enabled GloballyTo enable STP globally, use the following commands.1. Enter PROTOCOL SPANNING TREE mode.CONFIGURATION modepr

secondary partition contains a valid image, then the primary boot line is set to B: and the secondary and default boot lines are set to a Null String.

To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mod

spanning-tree 0Modifying Global ParametersYou can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time,

PROTOCOL SPANNING TREE modemax-age secondsThe range is from 6 to 40.The default is 20 seconds.To view the current values for global parameters, use th

CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network.

• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.• When you r

• disables spanning tree on an interface• drops all BPDUs at the line card without generating a console messageExample of Blocked BPDUsDell(conf-if-gi

Root Bridge hello time 2, max age 20, forward delay 15Dell#STP Root GuardSTP root guard is supported on the platform.Use the STP root guard feature

Figure 108. STP Root Guard Prevents Bridging LoopsConfiguring Root GuardEnable STP root guard on a per-port or per-port-channel basis.Dell Networking

• Enable root guard on a port or port-channel interface.INTERFACE mode or INTERFACE PORT-CHANNEL modespanning-tree {0 | mstp | rstp | pvst} rootguard–

STP Loop GuardSTP loop guard is supported only on the platform.The STP loop guard feature provides protection against Layer 2 forwarding loops (STP lo

Allowing an AS Number to Appear in its Own AS Path...196Enabling Graceful Restart...

grub> reboot80Management

Figure 109. STP Loop Guard Prevents Forwarding LoopsConfiguring Loop GuardEnable STP loop guard on a per-port or per-port channel basis.Dell Networkin

• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard

49System Time and DateSystem time and date settings and the network time protocol (NTP) are supported on the Z9000 platform.You can set system times a

time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliabil

Configure the Network Time ProtocolConfiguring NTP is a one-step process.• Enabling NTPRelated Configuration Tasks• Configuring NTP Broadcasts• Settin

Example of Updating the System Clock Relative to NTPR5/R8(conf)#do show calendar06:31:02 UTC Mon Mar 13 1989R5/R8(conf)#ntp update-calendar 1R5/R8(con

– For a loopback interface, enter the keyword loopback then a number between 0 and 16383.– For a port channel interface, enter the keyword lag then a

CONFIGURATION modentp server ip-address [key keyid] [prefer] [version number]Configure the IP address of a server and the following optional parameter

NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time sca

Dell Networking OS Time and DateYou can set the time and date using the Dell Networking OS CLI.Configuration Task List The following is a configuratio

6802.1X802.1X is supported on the Z9000 platform.802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disa

– month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.

– time-zone: enter the three-letter name for the time zone. This name displays in the show clock output.– start-month: enter the name of one of the 12

– start-day: Enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day

50Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213.DSCP, hop-limits, flow

ipv6 address 2::1/64tunnel destination 90.1.1.1tunnel source 60.1.1.1tunnel mode ipv6ip no shutdownThe following sample configuration shows a tunnel c

Configuring a Tunnel InterfaceYou can configure the tunnel interface using the ip unnumbered and ipv6 unnumbered commands.To configure the tunnel inte

Configuring Tunnel source anylocal DecapsulationThe tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packe

Multipoint Receive-Only Type and IP Unnumbered Interfaces for TunnelsMultipoint receive-only type IP Tunnel is now supported in Z9000 platform. This i

51Upgrade ProceduresTo find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed

52Virtual LANs (VLANs)Virtual LANs (VLANs) are supported on the Z9000 platform.VLANs are a logical broadcast domain or logical grouping of interfaces

Figure 3. EAP Frames Encapsulated in Ethernet and RADUISThe authentication process involves three devices:• The device attempting to access the networ

By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Defau

information is preserved as the frame moves through the network. The following example shows the structure of a frame with a tag header. The VLAN ID i

• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode.CONFIGURATION modeinterface vlan vl

The following example shows the steps to add a tagged interface (in this case, port channel 1) to VLAN 4. To view the interface’s status. Interface (p

INTERFACE modeuntagged interfaceThis command is available only in VLAN interfaces.Move an Untagged Interface to Another VLANThe no untagged interface

Assigning an IP Address to a VLANVLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP add

INTERFACE mode2. Configure the interface for Hybrid mode.INTERFACE modeportmode hybrid3. Configure the interface for Switchport mode.INTERFACE modeswi

53Virtual Link Trunking (VLT)Virtual link trunking (VLT) is supported on the Z9000 platform.OverviewVLT allows physical links between two chassis to a

Figure 112. VLT on SwitchesVLT on Core SwitchesYou can also deploy VLT on core switches.Uplinks from servers to the access layer and from access layer

Figure 113. Enhanced VLTVLT TerminologyThe following are key VLT terms.• Virtual link trunk (VLT) — The combined port channel between an attached devi

3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to th

Configure Virtual Link TrunkingVLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on b

• In a scenario where one hundred hosts are connected to a Peer1 on a non-VLT domain and traffic flows through Peer1 to Peer2; when you move these hos

– The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs.– VLT peer switches operate as separate chass

– The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.• Virtual link trunks

• Software features supported on VLT physical ports– In a VLT domain, the following software features are supported on VLT physical ports: 802.1p, LLD

MAC address is selected as the Primary Peer. You can configure another peer as the Primary Peer using the VLT domain domain-id role priority priority-

VLT and IGMP SnoopingWhen configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same b

Figure 114. PIM-Sparse Mode Support on VLTOn each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is

To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode com

Layer 3 on the other node. Configuration mismatches are logged in the syslog and display in the show vlt mismatch command output.If you enable VLT uni

EAP over RADIUS802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.EAP messages

• Optimal VLTi forwarding — Only one copy of the incoming multicast traffic is sent on the VLTi for routing or forwarding to any orphan ports, rather

NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers.RSTP ConfigurationRSTP is supported in a VLT domain.Before you c

VLT switch determines the RSTP roles and states on VLT ports and ensures that the VLT interconnect link is never blocked.In the case of a primary VLT

NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).2. Remove an IP address from the interface

peer-link port-channel id-number4. (Optional) Prevent a possible loop during the bootup of a VLT peer switch or a device that accesses the VLT domain.

delay-restore delay-restore-timeThe range is from 1 to 1200.The default is 90 seconds.Reconfiguring the Default VLT Settings (Optional) To reconfigure

Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.C

Configuring a VLT VLAN Peer-Down (Optional)To configure a VLT VLAN peer-down, use the following commands.1. Enter VLT-domain configuration mode for a

The range of domain IDs is from 1 to 1000.4. Enter the port-channel number that acts as the interconnect trunk.VLT DOMAIN CONFIGURATION modepeer-link

INTERFACE PORT-CHANNEL modeswitchport10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an att

Important Points to Remember• Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.• A

interface port-channel port-channel idNOTE: To benefit from the protocol negotiations, Dell Networking recommends configuring VLTs used as facing host

Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.s4810-2(conf)#vlt domain 5s4810-2(conf-vlt-domain)#s4810-4(conf)#vlt domain 5s4

no ip address! port-channel-protocol LACP port-channel 2 mode active no shutdowns4810-2#configuring VLT peer lag in VLTs4810-2#show running-con

Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.s4810-2#sh

Figure 115. eVLT Configuration ExampleeVLT Configuration Step ExamplesIn Domain 1, configure the VLT domain and VLTi on Peer 1.Domain_1_Peer1#configur

Domain_1_Peer2(conf-vlt-domain)# back-up destination 10.16.130.12Domain_1_Peer2(conf-vlt-domain)# system-mac mac-address 00:0a:00:0a:00:0aDomain_1_Pee