Dell Force10 MXL Blade Configuration manual

Dell Networking Configuration Guide for the MXL 10/40GbE Switch I/O Module

9.5(0.1)

Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

2014 - 07

Rev. A00

Contents

1 About this Guide................................................................................................. 32

Audience..............................................................................................................................................32

Conventions........................................................................................................................................ 32

Information Symbols...........................................................................................................................32

Related Documents............................................................................................................................ 33

2 Configuration Fundamentals........................................................................... 34

Accessing the Command Line............................................................................................................34

CLI Modes............................................................................................................................................34

Navigating CLI Modes................................................................................................................... 36

The do Command...............................................................................................................................39

Undoing Commands...........................................................................................................................39

Obtaining Help....................................................................................................................................40

Entering and Editing Commands....................................................................................................... 40

Command History............................................................................................................................... 41

Filtering show Command Outputs.....................................................................................................42

Multiple Users in Configuration Mode............................................................................................... 43

3 Getting Started................................................................................................... 44

Console Access...................................................................................................................................45

Serial Console................................................................................................................................45

External Serial Port with a USB Connector...................................................................................47

Accessing the CLI Interface and Running Scripts Using SSH............................................................ 47

Entering CLI commands Using an SSH Connection....................................................................47

Executing Local CLI Scripts Using an SSH Connection...............................................................47

Boot Process....................................................................................................................................... 48

Default Configuration......................................................................................................................... 50

Configuring a Host Name...................................................................................................................50

Accessing the System Remotely.........................................................................................................51

Accessing the MXL Switch Remotely............................................................................................51

Configure the Management Port IP Address................................................................................51

Configure a Management Route...................................................................................................51

Configuring a Username and Password.......................................................................................52

Configuring the Enable Password...................................................................................................... 52

Configuration File Management.........................................................................................................53

Copy Files to and from the System.............................................................................................. 53

Save the Running-Configuration..................................................................................................54

Viewing Files.................................................................................................................................. 55

Managing the File System...................................................................................................................56

View the Command History................................................................................................................57

Using HTTP for File Transfers............................................................................................................. 58

Upgrading and Downgrading the Dell Networking OS.....................................................................58

Using Hashes to Validate Software Images........................................................................................58

4 Management....................................................................................................... 60

Configuring Privilege Levels............................................................................................................... 60

Creating a Custom Privilege Level............................................................................................... 60

Customizing a Privilege Level....................................................................................................... 61

Applying a Privilege Level to a Username.................................................................................... 62

Applying a Privilege Level to a Terminal Line...............................................................................63

Configuring Logging...........................................................................................................................63

Audit and Security Logs.................................................................................................................63

Configuring Logging Format ...................................................................................................... 65

Setting Up a Secure Connection to a Syslog Server....................................................................66

Display the Logging Buffer and the Logging Configuration..............................................................67

Log Messages in the Internal Buffer...................................................................................................68

Configuration Task List for System Log Management................................................................ 68

Disabling System Logging.................................................................................................................. 68

Sending System Messages to a Syslog Server................................................................................... 68

Configuring a UNIX System as a Syslog Server............................................................................68

Changing System Logging Settings................................................................................................... 69

Display the Logging Buffer and the Logging Configuration............................................................. 70

Configuring a UNIX Logging Facility Level.........................................................................................70

Synchronizing Log Messages..............................................................................................................72

Enabling Timestamp on Syslog Messages..........................................................................................72

File Transfer Services...........................................................................................................................73

Configuration Task List for File Transfer Services........................................................................ 73

Enabling the FTP Server.................................................................................................................73

Configuring FTP Server Parameters..............................................................................................73

Configuring FTP Client Parameters.............................................................................................. 74

Terminal Lines..................................................................................................................................... 74

Denying and Permitting Access to a Terminal Line..................................................................... 74

Configuring Login Authentication for Terminal Lines..................................................................75

Setting Time Out of EXEC Privilege Mode......................................................................................... 76

Using Telnet to get to Another Network Device................................................................................77

Lock CONFIGURATION Mode............................................................................................................ 77

Viewing the Configuration Lock Status........................................................................................78

Recovering from a Forgotten Password............................................................................................ 78

Recovering from a Forgotten Enable Password................................................................................ 79

Recovering from a Failed Start........................................................................................................... 80

5 802.1X................................................................................................................... 81

The Port-Authentication Process.......................................................................................................83

EAP over RADIUS...........................................................................................................................85

Configuring 802.1X............................................................................................................................. 85

Related Configuration Tasks.........................................................................................................85

Important Points to Remember......................................................................................................... 86

Enabling 802.1X...................................................................................................................................86

Configuring Request Identity Re-Transmissions......................................................................... 88

Configuring a Quiet Period after a Failed Authentication........................................................... 88

Forcibly Authorizing or Unauthorizing a Port....................................................................................89

Re-Authenticating a Port....................................................................................................................90

Configuring Timeouts......................................................................................................................... 91

Configuring Dynamic VLAN Assignment with Port Authentication..................................................92

Guest and Authentication-Fail VLANs.......................................................................................... 93

Configuring a Guest VLAN............................................................................................................94

Configuring an Authentication-Fail VLAN....................................................................................94

6 Access Control List (ACL) VLAN Groups and Content Addressable

Memory (CAM)........................................................................................................96

Optimizing CAM Utilization During the Attachment of ACLs to VLANs...........................................96

Guidelines for Configuring ACL VLAN groups................................................................................... 97

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters..........................98

Configuring ACL VLAN Groups.................................................................................................... 98

Configuring FP Blocks for VLAN Parameters............................................................................... 99

Viewing CAM Usage..........................................................................................................................100

Allocating FP Blocks for VLAN Processes.........................................................................................101

7 Access Control Lists (ACLs).............................................................................103

IP Access Control Lists (ACLs).......................................................................................................... 103

Implementing ACL on the Dell Networking OS.............................................................................. 104

ACLs and VLANs................................................................................................................................104

ACL Optimization..............................................................................................................................104

Determine the Order in which ACLs are Used to Classify Traffic...................................................104

Example of the order Keyword to Determine ACL Sequence...................................................105

IP Fragment Handling....................................................................................................................... 105

IP Fragments ACL Examples............................................................................................................. 105

Layer 4 ACL Rules Examples.............................................................................................................106

Configure a Standard IP ACL............................................................................................................ 107

Configuring a Standard IP ACL Filter................................................................................................108

Configure an Extended IP ACL.........................................................................................................109

Configuring Filters with a Sequence Number..................................................................................109

Configuring Filters Without a Sequence Number............................................................................110

Established Flag................................................................................................................................. 110

Configure Layer 2 and Layer 3 ACLs................................................................................................. 111

Assign an IP ACL to an Interface....................................................................................................... 111

Applying an IP ACL.............................................................................................................................112

Counting ACL Hits............................................................................................................................. 112

Configure Ingress ACLs..................................................................................................................... 113

Configure Egress ACLs...................................................................................................................... 113

Applying Egress Layer 3 ACLs (Control-Plane).................................................................................114

IP Prefix Lists...................................................................................................................................... 115

Implementation Information.......................................................................................................115

Configuration Task List for Prefix Lists..............................................................................................115

Creating a Prefix List..........................................................................................................................116

Creating a Prefix List Without a Sequence Number.........................................................................117

Viewing Prefix Lists............................................................................................................................ 117

Applying a Prefix List for Route Redistribution.................................................................................118

Applying a Filter to a Prefix List (OSPF)............................................................................................. 119

ACL Resequencing............................................................................................................................ 119

Resequencing an ACL or Prefix List..................................................................................................120

Route Maps........................................................................................................................................ 121

Implementation Information.......................................................................................................122

Important Points to Remember........................................................................................................122

Configuration Task List for Route Maps........................................................................................... 122

Creating a Route Map....................................................................................................................... 122

Configure Route Map Filters.............................................................................................................124

Configuring Match Routes................................................................................................................125

Configuring Set Conditions.............................................................................................................. 126

Configure a Route Map for Route Redistribution............................................................................ 126

Configure a Route Map for Route Tagging...................................................................................... 127

Continue Clause................................................................................................................................127

Logging of ACL Processes................................................................................................................ 128

Guidelines for Configuring ACL Logging......................................................................................... 129

Configuring ACL Logging................................................................................................................. 130

Flow-Based Monitoring Support for ACLs.......................................................................................130

Behavior of Flow-Based Monitoring........................................................................................... 131

Enabling Flow-Based Monitoring..................................................................................................... 132

8 Bidirectional Forwarding Detection (BFD).................................................. 134

How BFD Works................................................................................................................................ 134

BFD Packet Format......................................................................................................................135

BFD Sessions................................................................................................................................137

BFD Three-Way Handshake........................................................................................................ 137

Session State Changes................................................................................................................ 138

Important Points to Remember........................................................................................................139

Configure BFD...................................................................................................................................139

Configure BFD for Physical Ports............................................................................................... 140

Enabling BFD Globally.................................................................................................................140

Establishing a Session on Physical Ports.....................................................................................141

Changing Physical Port Session Parameters..............................................................................142

Disabling and Re-Enabling BFD..................................................................................................143

Configure BFD for Static Routes.......................................................................................................143

Related Configuration Tasks.......................................................................................................144

Establishing Sessions for Static Routes...................................................................................... 144

Changing Static Route Session Parameters............................................................................... 145

Disabling BFD for Static Routes.................................................................................................. 145

Configure BFD for OSPF................................................................................................................... 145

Related Configuration Tasks.......................................................................................................145

Establishing Sessions with OSPF Neighbors.............................................................................. 146

Changing OSPF Session Parameters.......................................................................................... 147

Disabling BFD for OSPF...............................................................................................................147

Configure BFD for OSPFv3............................................................................................................... 148

Related Configuration Tasks.......................................................................................................148

Establishing Sessions with OSPFv3 Neighbors...........................................................................148

Changing OSPFv3 Session Parameters...................................................................................... 148

Disabling BFD for OSPFv3...........................................................................................................149

Configure BFD for BGP.....................................................................................................................149

Prerequisites................................................................................................................................ 149

Establishing Sessions with BGP Neighbors................................................................................ 150

Disabling BFD for BGP.................................................................................................................152

Use BFD in a BGP Peer Group.................................................................................................... 152

Displaying BFD for BGP Information.......................................................................................... 152

Configure BFD for VRRP................................................................................................................... 156

Related Configuration Tasks....................................................................................................... 157

Establishing Sessions with All VRRP Neighbors..........................................................................157

Establishing VRRP Sessions on VRRP Neighbors....................................................................... 158

Changing VRRP Session Parameters.......................................................................................... 159

Disabling BFD for VRRP...............................................................................................................159

Configure BFD for VLANs................................................................................................................. 159

Related Configuration Task........................................................................................................ 160

Establish Sessions with VLAN Neighbors................................................................................... 160

Changing VLAN Session Parameters...........................................................................................161

Disabling BFD for VLANs............................................................................................................. 161

Configure BFD for Port-Channels.................................................................................................... 161

Related Configuration Tasks.......................................................................................................162

Establish Sessions on Port-Channels......................................................................................... 162

Changing Physical Port Session Parameters..............................................................................163

Disabling BFD for Port-Channels................................................................................................163

Configuring Protocol Liveness......................................................................................................... 163

Troubleshooting BFD........................................................................................................................163

9 Border Gateway Protocol IPv4 (BGPv4).......................................................165

Autonomous Systems (AS)................................................................................................................165

Sessions and Peers............................................................................................................................ 167

Establish a Session.......................................................................................................................168

Route Reflectors................................................................................................................................169

Communities...............................................................................................................................169

BGP Attributes................................................................................................................................... 170

Best Path Selection Criteria.........................................................................................................170

Weight.......................................................................................................................................... 172

Local Preference..........................................................................................................................172

Multi-Exit Discriminators (MEDs)................................................................................................ 173

Origin........................................................................................................................................... 174

AS Path......................................................................................................................................... 175

Next Hop......................................................................................................................................175

Multiprotocol BGP.............................................................................................................................175

Implement BGP with the Dell Networking OS.................................................................................176

Additional Path (Add-Path) Support............................................................................................176

Advertise IGP Cost as MED for Redistributed Routes................................................................ 176

Ignore Router-ID for Some Best-Path Calculations.................................................................. 177

Four-Byte AS Numbers................................................................................................................177

AS4 Number Representation.......................................................................................................178

AS Number Migration.................................................................................................................. 179

BGP4 Management Information Base (MIB)...............................................................................181

Important Points to Remember.................................................................................................. 181

Configuration Information................................................................................................................182

BGP Configuration............................................................................................................................ 182

Enabling BGP...............................................................................................................................183

Enabling MBGP Configurations...................................................................................................217

BGP Regular Expression Optimization............................................................................................. 218

Debugging BGP.................................................................................................................................218

Storing Last and Bad PDUs......................................................................................................... 219

PDU Counters..............................................................................................................................219

Sample Configurations.....................................................................................................................220

10 Content Addressable Memory (CAM).........................................................229

CAM Allocation................................................................................................................................. 229

Test CAM Usage................................................................................................................................230

View CAM-ACL Settings................................................................................................................... 230

CAM Optimization.............................................................................................................................231

11 Control Plane Policing (CoPP)..................................................................... 232

Configure Control Plane Policing.................................................................................................... 233

Configuring CoPP for Protocols................................................................................................ 234

Configuring CoPP for CPU Queues...........................................................................................236

Show Commands........................................................................................................................237

12 Data Center Bridging (DCB)......................................................................... 239

Ethernet Enhancements in Data Center Bridging........................................................................... 239

Priority-Based Flow Control.......................................................................................................240

Enhanced Transmission Selection..............................................................................................241

Data Center Bridging Exchange Protocol (DCBx)..................................................................... 242

Data Center Bridging in a Traffic Flow.......................................................................................243

Enabling Data Center Bridging.........................................................................................................243

QoS dot1p Traffic Classification and Queue Assignment...............................................................244

Configuring Priority-Based Flow Control........................................................................................245

Configuring Lossless Queues..................................................................................................... 247

Configuring the PFC Buffer in a Switch Stack........................................................................... 248

Configure Enhanced Transmission Selection................................................................................. 249

ETS Prerequisites and Restrictions............................................................................................. 249

Creating a QoS ETS Output Policy.............................................................................................250

Creating an ETS Priority Group...................................................................................................251

Applying an ETS Output Policy for a Priority Group to an Interface.........................................252

ETS Operation with DCBx...........................................................................................................254

Configuring Bandwidth Allocation for DCBx CIN..................................................................... 254

Applying DCB Policies in a Switch Stack..........................................................................................255

Applying DCB Policies with an ETS Configuration..........................................................................256

Configure a DCBx Operation........................................................................................................... 256

DCBx Operation.......................................................................................................................... 257

DCBx Port Roles..........................................................................................................................257

DCB Configuration Exchange.................................................................................................... 259

Configuration Source Election...................................................................................................259

Propagation of DCB Information...............................................................................................260

Auto-Detection and Manual Configuration of the DCBx Version............................................260

DCBx Example.............................................................................................................................261

DCBx Prerequisites and Restrictions..........................................................................................262

Configuring DCBx.......................................................................................................................262

Verifying the DCB Configuration..................................................................................................... 266

PFC and ETS Configuration Examples............................................................................................. 276

Using PFC and ETS to Manage Data Center Traffic...................................................................276

Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack........................280

Hierarchical Scheduling in ETS Output Policies........................................................................280

Configuring DCB Maps and its Attributes........................................................................................ 281

DCB Map: Configuration Procedure.......................................................................................... 281

Important Points to Remember................................................................................................. 282

Applying a DCB Map on a Port...................................................................................................282

Configuring PFC without a DCB Map........................................................................................ 283

Configuring Lossless Queues.....................................................................................................283

Priority-Based Flow Control Using Dynamic Buffer Method..........................................................284

Pause and Resume of Traffic......................................................................................................284

Buffer Sizes for Lossless or PFC Packets....................................................................................285

Interworking of DCB Map With DCB Buffer Threshold Settings.................................................... 286

Configuring the Dynamic Buffer Method........................................................................................286

13 Debugging and Diagnostics.........................................................................288

Offline Diagnostics........................................................................................................................... 288

Important Points to Remember................................................................................................. 288

Running Offline Diagnostics.......................................................................................................288

Trace Logs......................................................................................................................................... 291

Auto Save on Crash or Rollover..................................................................................................291

Using the Show Hardware Commands........................................................................................... 292

Enabling Environmental Monitoring................................................................................................ 293

Recognize an Over-Temperature Condition............................................................................ 294

Troubleshoot an Over-Temperature Condition........................................................................295

Recognize an Under-Voltage Condition................................................................................... 296

Troubleshoot an Under-Voltage Condition.............................................................................. 296

Buffer Tuning.....................................................................................................................................297

Deciding to Tune Buffers............................................................................................................298

Using a Pre-Defined Buffer Profile............................................................................................. 301

Sample Buffer Profile Configuration.......................................................................................... 301

Troubleshooting Packet Loss...........................................................................................................302

Displaying Drop Counters.......................................................................................................... 302

Dataplane Statistics.....................................................................................................................303

Display Stack Port Statistics........................................................................................................304

Display Stack Member Counters................................................................................................305

Enabling Application Core Dumps...................................................................................................305

Mini Core Dumps..............................................................................................................................306

Enabling TCP Dumps........................................................................................................................307

14 Dynamic Host Configuration Protocol (DHCP)........................................308

DHCP Packet Format and Options..................................................................................................308

Assign an IP Address using DHCP.............................................................................................. 310

Implementation Information.............................................................................................................311

Configure the System to be a DHCP Server.................................................................................... 312

Configuring the Server for Automatic Address Allocation.........................................................312

Configuration Tasks.....................................................................................................................313

Specifying a Default Gateway..................................................................................................... 314

Enabling the DHCP Server.......................................................................................................... 314

Configure a Method of Hostname Resolution...........................................................................315

Creating Manual Binding Entries.................................................................................................315

Debugging the DHCP Server...................................................................................................... 316

Using DHCP Clear Commands...................................................................................................316

Configure the System to be a Relay Agent...................................................................................... 316

Configure the System to be a DHCP Client.....................................................................................318

Configuring the DHCP Client System........................................................................................ 319

DHCP Client on a Management Interface................................................................................. 322

DHCP Client Operation with Other Features.............................................................................323

Configure Secure DHCP...................................................................................................................324

Option 82.................................................................................................................................... 324

DHCP Snooping.......................................................................................................................... 325

Drop DHCP Packets on Snooped VLANs Only.......................................................................... 327

Dynamic ARP Inspection.............................................................................................................327

Configuring Dynamic ARP Inspection........................................................................................328

Source Address Validation..........................................................................................................329

15 Equal Cost Multi-Path (ECMP)..................................................................... 332

ECMP for Flow-Based Affinity.......................................................................................................... 332

Enabling Deterministic ECMP Next Hop....................................................................................332

Link Bundle Monitoring.................................................................................................................... 332

Managing ECMP Group Paths.......................................................................................................... 333

16 FCoE Transit.................................................................................................... 334

Fibre Channel over Ethernet............................................................................................................ 334

Ensure Robustness in a Converged Ethernet Network...................................................................334

FIP Snooping on Ethernet Bridges................................................................................................... 336

FIP Snooping in a Switch Stack........................................................................................................ 338

Using FIP Snooping...........................................................................................................................338

Important Points to Remember................................................................................................. 338

Enabling the FCoE Transit Feature.............................................................................................339

Enable FIP Snooping on VLANs..................................................................................................339

Configure the FC-MAP Value..................................................................................................... 339

Configure a Port for a Bridge-to-Bridge Link............................................................................339

Configure a Port for a Bridge-to-FCF Link................................................................................340

Impact on Other Software Features.......................................................................................... 340

FIP Snooping Prerequisites.........................................................................................................340

FIP Snooping Restrictions........................................................................................................... 341

Configuring FIP Snooping...........................................................................................................341

Displaying FIP Snooping Information.............................................................................................. 342

FCoE Transit Configuration Example...............................................................................................347

17 FIPS Cryptography......................................................................................... 350

Preparing the System........................................................................................................................350

Enabling FIPS Mode.......................................................................................................................... 350

Generating Host-Keys.......................................................................................................................351

Monitoring FIPS Mode Status............................................................................................................351

Disabling FIPS Mode......................................................................................................................... 352

18 Force10 Resilient Ring Protocol (FRRP)..................................................... 353

Protocol Overview............................................................................................................................ 353

Ring Status...................................................................................................................................354

Multiple FRRP Rings.................................................................................................................... 355

Important FRRP Points................................................................................................................356

Important FRRP Concepts.......................................................................................................... 357

Implementing FRRP.......................................................................................................................... 358

FRRP Configuration.......................................................................................................................... 358

Creating the FRRP Group........................................................................................................... 359

Configuring the Control VLAN................................................................................................... 359

Configuring and Adding the Member VLANs............................................................................ 360

Setting the FRRP Timers............................................................................................................. 362

Clearing the FRRP Counters.......................................................................................................362

Viewing the FRRP Configuration................................................................................................362

Viewing the FRRP Information................................................................................................... 362

Troubleshooting FRRP......................................................................................................................363

Configuration Checks.................................................................................................................363

Sample Configuration and Topology...............................................................................................363

19 GARP VLAN Registration Protocol (GVRP)................................................366

Important Points to Remember....................................................................................................... 366

Configure GVRP................................................................................................................................366

Related Configuration Tasks.......................................................................................................367

Enabling GVRP Globally....................................................................................................................367

Enabling GVRP on a Layer 2 Interface............................................................................................. 368

Configure GVRP Registration...........................................................................................................368

Configure a GARP Timer.................................................................................................................. 369

20 Internet Group Management Protocol (IGMP).........................................371

IGMP Protocol Overview...................................................................................................................371

IGMP Version 2............................................................................................................................ 371

IGMP Version 3............................................................................................................................373

IGMP Snooping................................................................................................................................. 376

IGMP Snooping Implementation Information........................................................................... 376

Configuring IGMP Snooping.......................................................................................................377

Enabling IGMP Immediate-Leave............................................................................................... 377

Disabling Multicast Flooding.......................................................................................................378

Specifying a Port as Connected to a Multicast Router..............................................................378

Configuring the Switch as Querier.............................................................................................378

Fast Convergence after MSTP Topology Changes..........................................................................379

Designating a Multicast Router Interface.........................................................................................379

21 Interfaces.........................................................................................................380

Basic Interface Configuration.......................................................................................................... 380

Advanced Interface Configuration...................................................................................................380

Interface Types..................................................................................................................................381

View Basic Interface Information..................................................................................................... 381

Enabling a Physical Interface............................................................................................................383

Physical Interfaces............................................................................................................................ 384

Configuration Task List for Physical Interfaces......................................................................... 384

Overview of Layer Modes...........................................................................................................384

Configuring Layer 2 (Data Link) Mode....................................................................................... 385

Configuring Layer 2 (Interface) Mode........................................................................................ 385

Configuring Layer 3 (Network) Mode.........................................................................................385

Configuring Layer 3 (Interface) Mode........................................................................................386

Management Interfaces....................................................................................................................387

Configuring Management Interfaces on the XML Switch......................................................... 387

VLAN Interfaces................................................................................................................................ 389

Loopback Interfaces.........................................................................................................................390

Null Interfaces...................................................................................................................................390

Port Channel Interfaces....................................................................................................................390

Port Channel Definition and Standards......................................................................................391

Port Channel Benefits................................................................................................................. 391

Port Channel Implementation.................................................................................................... 391

100/1000/10000 Mbps Interfaces in Port Channels.................................................................392

Configuration Tasks for Port Channel Interfaces...................................................................... 392

Creating a Port Channel............................................................................................................. 392

Adding a Physical Interface to a Port Channel.......................................................................... 393

Reassigning an Interface to a New Port Channel......................................................................395

Configuring the Minimum Oper Up Links in a Port Channel....................................................395

Adding or Removing a Port Channel from a VLAN................................................................... 396

Assigning an IP Address to a Port Channel................................................................................396

Deleting or Disabling a Port Channel.........................................................................................397

Server Ports....................................................................................................................................... 397

Default Configuration without Start-up Config.........................................................................397

Bulk Configuration............................................................................................................................398

Interface Range...........................................................................................................................398

Bulk Configuration Examples..................................................................................................... 398

Defining Interface Range Macros.................................................................................................... 400

Define the Interface Range........................................................................................................ 400

Choosing an Interface-Range Macro........................................................................................400

Monitoring and Maintaining Interfaces............................................................................................401

Maintenance Using TDR.............................................................................................................402

Splitting QSFP Ports to SFP+ Ports.................................................................................................. 402

Merging SFP+ Ports to QSFP 40G Ports....................................................................................403

Configure the MTU Size on an Interface...................................................................................404

Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port............................................................404

Important Points to Remember................................................................................................. 405

Support for LM4 Optics.............................................................................................................. 405

Example Scenarios......................................................................................................................405

Layer 2 Flow Control Using Ethernet Pause Frames.......................................................................409

Enabling Pause Frames............................................................................................................... 410

Configure MTU Size on an Interface................................................................................................ 411

Port-Pipes..........................................................................................................................................412

Auto-Negotiation on Ethernet Interfaces........................................................................................ 412

Setting the Speed and Duplex Mode of Ethernet Interfaces..................................................... 412

View Advanced Interface Information..............................................................................................414

Configuring the Interface Sampling Size....................................................................................415

Dynamic Counters...................................................................................................................... 416

Enhanced Validation of Interface Ranges........................................................................................ 417

22 Internet Protocol Security (IPSec).............................................................. 419

Configuring IPSec ............................................................................................................................ 419

23 IPv4 Routing....................................................................................................421

IP Addresses.......................................................................................................................................421

Implementation Information...................................................................................................... 421

Configuration Tasks for IP Addresses.........................................................................................421

IPv4 Path MTU Discovery Overview.................................................................................................424

Using the Configured Source IP Address in ICMP Messages..........................................................425

Configuring the ICMP Source Interface.....................................................................................425

Configuring the Duration to Establish a TCP Connection..............................................................426

Enabling Directed Broadcast............................................................................................................426

Resolution of Host Names............................................................................................................... 426

Enabling Dynamic Resolution of Host Names...........................................................................427

Specifying the Local System Domain and a List of Domains....................................................427

Configuring DNS with Traceroute............................................................................................. 428

ARP.................................................................................................................................................... 429

Configuration Tasks for ARP.......................................................................................................429

ARP Learning via Gratuitous ARP......................................................................................................431

ARP Learning via ARP Request..........................................................................................................431

Configuring ARP Retries................................................................................................................... 432

ICMP.................................................................................................................................................. 433

Configuration Tasks for ICMP.................................................................................................... 433

UDP Helper....................................................................................................................................... 433

Configure UDP Helper................................................................................................................433

Important Points to Remember................................................................................................. 433

Enabling UDP Helper.................................................................................................................. 434

Configurations Using UDP Helper................................................................................................... 434

UDP Helper with Broadcast-All Addresses................................................................................ 434

UDP Helper with Subnet Broadcast Addresses..........................................................................435

UDP Helper with Configured Broadcast Addresses.................................................................. 436

UDP Helper with No Configured Broadcast Addresses............................................................ 436

Troubleshooting UDP Helper...........................................................................................................437

24 IPv6 Addressing..............................................................................................438

Protocol Overview............................................................................................................................438

Extended Address Space............................................................................................................ 438

Stateless Autoconfiguration....................................................................................................... 438

IPv6 Header Fields............................................................................................................................440

Version (4 bits)............................................................................................................................ 440

Traffic Class (8 bits).....................................................................................................................440

Flow Label (20 bits).....................................................................................................................440

Payload Length (16 bits)............................................................................................................. 440

Next Header (8 bits)....................................................................................................................440

Hop Limit (8 bits)......................................................................................................................... 441

Source Address (128 bits)............................................................................................................441

Destination Address (128 bits).....................................................................................................441

Extension Header Fields....................................................................................................................441

Hop-by-Hop Options Header....................................................................................................442

Addressing.........................................................................................................................................442

Link-local Addresses...................................................................................................................443

Static and Dynamic Addressing..................................................................................................443

Implementing IPv6 with the Dell Networking OS...........................................................................444

ICMPv6..............................................................................................................................................446

Path MTU Discovery......................................................................................................................... 447

IPv6 Neighbor Discovery..................................................................................................................447

IPv6 Neighbor Discovery of MTU Packets.................................................................................448

Configuring the IPv6 Recursive DNS Server..............................................................................448

Debugging IPv6 RDNSS Information Sent to the Host ............................................................ 449

Displaying IPv6 RDNSS Information...........................................................................................450

IPv6 Multicast....................................................................................................................................450

Secure Shell (SSH) Over an IPv6 Transport...................................................................................... 451

Configuration Task List for IPv6........................................................................................................451

Adjusting Your CAM-Profile........................................................................................................451

Assigning an IPv6 Address to an Interface.................................................................................452

Assigning a Static IPv6 Route..................................................................................................... 453

Configuring Telnet with IPv6......................................................................................................453

SNMP over IPv6...........................................................................................................................454

Showing IPv6 Information..........................................................................................................454

Showing an IPv6 Interface..........................................................................................................454

Showing IPv6 Routes.................................................................................................................. 455

Showing the Running-Configuration for an Interface.............................................................. 456

Clearing IPv6 Routes...................................................................................................................457

25 iSCSI Optimization.........................................................................................458

iSCSI Optimization Overview........................................................................................................... 458

Monitoring iSCSI Traffic Flows...................................................................................................460

Information Monitored in iSCSI Traffic Flows........................................................................... 460

Detection and Auto-Configuration for Dell EqualLogic Arrays................................................460

Configuring Detection and Ports for Dell Compellent Arrays...................................................461

iSCSI Optimization: Operation................................................................................................... 461

Default iSCSI Optimization Values..............................................................................................461

Displaying iSCSI Optimization Information..................................................................................... 462

26 Intermediate System to Intermediate System..........................................464

IS-IS Protocol Overview...................................................................................................................464

IS-IS Addressing................................................................................................................................464

Multi-Topology IS-IS........................................................................................................................ 465

Transition Mode..........................................................................................................................466

Interface Support........................................................................................................................466

Adjacencies................................................................................................................................. 466

Graceful Restart................................................................................................................................466

Timers..........................................................................................................................................467

Implementation Information............................................................................................................467

Configuration Information............................................................................................................... 468

Configuration Tasks for IS-IS..................................................................................................... 468

IS-IS Metric Styles.............................................................................................................................484

Configure Metric Values...................................................................................................................484

Maximum Values in the Routing Table...................................................................................... 485

Change the IS-IS Metric Style in One Level Only......................................................................485

Leaks from One Level to Another.............................................................................................. 487

Sample Configurations..................................................................................................................... 487

27 Link Aggregation Control Protocol (LACP)...............................................492

Introduction to Dynamic LAGs and LACP....................................................................................... 492

Important Points to Remember................................................................................................. 492

LACP Modes................................................................................................................................493

Configuring LACP Commands...................................................................................................493

LACP Configuration Tasks................................................................................................................494

Creating a LAG............................................................................................................................494

Configuring the LAG Interfaces as Dynamic............................................................................. 495

Setting the LACP Long Timeout.................................................................................................495

Shared LAG State Tracking...............................................................................................................496

Configuring Shared LAG State Tracking.......................................................................................... 497

Important Points about Shared LAG State Tracking..................................................................498

LACP Basic Configuration Example.................................................................................................499

Configure a LAG on ALPHA........................................................................................................499

28 Layer 2..............................................................................................................508

Manage the MAC Address Table......................................................................................................508

Clearing the MAC Address Table................................................................................................508

Setting the Aging Time for Dynamic Entries..............................................................................508

Configuring a Static MAC Address............................................................................................. 509

Displaying the MAC Address Table............................................................................................ 509

MAC Learning Limit.......................................................................................................................... 509

Setting the MAC Learning Limit.................................................................................................. 510

mac learning-limit Dynamic....................................................................................................... 510

mac learning-limit station-move................................................................................................510

Learning Limit Violation Actions..................................................................................................511

Setting Station Move Violation Actions.......................................................................................511

Recovering from Learning Limit and Station Move Violations...................................................511

NIC Teaming......................................................................................................................................512

MAC Move Optimization.............................................................................................................514

29 Link Layer Discovery Protocol (LLDP)........................................................ 515

802.1AB (LLDP) Overview..................................................................................................................515

Protocol Data Units..................................................................................................................... 515

Optional TLVs.................................................................................................................................... 516

Management TLVs.......................................................................................................................516

TIA-1057 (LLDP-MED) Overview...................................................................................................... 518

TIA Organizationally Specific TLVs............................................................................................. 519

Extended Power via MDI TLV......................................................................................................523

Configure LLDP.................................................................................................................................523

Related Configuration Tasks.......................................................................................................523

Important Points to Remember................................................................................................. 524

LLDP Compatibility..................................................................................................................... 524

CONFIGURATION versus INTERFACE Configurations....................................................................524

Enabling LLDP................................................................................................................................... 525

Disabling and Undoing LLDP......................................................................................................525

Advertising TLVs................................................................................................................................525

Viewing the LLDP Configuration......................................................................................................526

Viewing Information Advertised by Adjacent LLDP Agents.............................................................527

Configuring LLDPDU Intervals......................................................................................................... 528

Configuring Transmit and Receive Mode........................................................................................ 529

Configuring a Time to Live...............................................................................................................530

Debugging LLDP...............................................................................................................................530

Relevant Management Objects.........................................................................................................531

30 Microsoft Network Load Balancing............................................................538

NLB Unicast Mode Scenario.............................................................................................................538

NLB Multicast Mode Scenario.......................................................................................................... 539

Limitations With Enabling NLB on Switches....................................................................................539

Benefits and Working of Microsoft Clustering.................................................................................539

Enable and Disable VLAN Flooding .................................................................................................540

Configuring a Switch for NLB ......................................................................................................... 540

.....................................................................................................................................................540

31 Multicast Source Discovery Protocol (MSDP)........................................... 541

Protocol Overview............................................................................................................................ 541

Anycast RP.........................................................................................................................................543

Implementation Information............................................................................................................543

Configure the Multicast Source Discovery Protocol.......................................................................543

Related Configuration Tasks.......................................................................................................543

Enabling MSDP..................................................................................................................................547

Manage the Source-Active Cache...................................................................................................548

Viewing the Source-Active Cache............................................................................................. 548

Limiting the Source-Active Cache............................................................................................. 549

Clearing the Source-Active Cache.............................................................................................549

Enabling the Rejected Source-Active Cache.............................................................................549

Accept Source-Active Messages that Fail the RFP Check.............................................................. 549

Specifying Source-Active Messages.................................................................................................553

Limiting the Source-Active Messages from a Peer......................................................................... 554

Preventing MSDP from Caching a Local Source.............................................................................554

Preventing MSDP from Caching a Remote Source.........................................................................555

Preventing MSDP from Advertising a Local Source.........................................................................556

Logging Changes in Peership States................................................................................................ 557

Terminating a Peership..................................................................................................................... 557

Clearing Peer Statistics......................................................................................................................557

Debugging MSDP..............................................................................................................................558

MSDP with Anycast RP......................................................................................................................558

Configuring Anycast RP....................................................................................................................560

Reducing Source-Active Message Flooding..............................................................................560

Specifying the RP Address Used in SA Messages...................................................................... 560

MSDP Sample Configurations.......................................................................................................... 563

32 Multiple Spanning Tree Protocol (MSTP).................................................. 566

Protocol Overview............................................................................................................................566

Spanning Tree Variations..................................................................................................................567

Implementation Information............................................................................................................ 567

Configure Multiple Spanning Tree Protocol....................................................................................567

Related Configuration Tasks.......................................................................................................567

Enable Multiple Spanning Tree Globally..........................................................................................568

Creating Multiple Spanning Tree Instances.....................................................................................568

Influencing MSTP Root Selection.................................................................................................... 569

Interoperate with Non-Dell Networking OS Bridges...................................................................... 570

Changing the Region Name or Revision..........................................................................................570

Modifying Global Parameters............................................................................................................571

Enable BPDU Filtering Globally.........................................................................................................572

Modifying the Interface Parameters.................................................................................................573

Configuring an EdgePort.................................................................................................................. 573

Flush MAC Addresses after a Topology Change............................................................................. 574

MSTP Sample Configurations........................................................................................................... 575

Router 1 Running-ConfigurationRouter 2 Running-ConfigurationRouter 3 Running-

ConfigurationSFTOS Example Running-Configuration.............................................................575

Debugging and Verifying MSTP Configurations.............................................................................. 578

33 Multicast Features.......................................................................................... 581

Enabling IP Multicast.........................................................................................................................581

Multicast with ECMP......................................................................................................................... 581

Implementation Information............................................................................................................582

First Packet Forwarding for Lossless Multicast................................................................................ 583

Multicast Policies.............................................................................................................................. 583

IPv4 Multicast Policies...................................................................................................................... 583

Limiting the Number of Multicast Routes..................................................................................583

Preventing a Host from Joining a Group...................................................................................584

Rate Limiting IGMP Join Requests............................................................................................. 587

Preventing a PIM Router from Forming an Adjacency.............................................................. 587

Preventing a Source from Registering with the RP................................................................... 587

Preventing a PIM Router from Processing a Join......................................................................590

34 Open Shortest Path First (OSPFv2 and OSPFv3).......................................591

Protocol Overview............................................................................................................................ 591

Autonomous System (AS) Areas..................................................................................................591

Area Types...................................................................................................................................592

Networks and Neighbors............................................................................................................593

Router Types............................................................................................................................... 593

Link-State Advertisements (LSAs)............................................................................................... 595

Router Priority and Cost............................................................................................................. 596

OSPF with the Dell Networking OS..................................................................................................597

Graceful Restart.......................................................................................................................... 598

Fast Convergence (OSPFv2, IPv4 Only)..................................................................................... 599

Multi-Process OSPFv2 (IPv4 only)..............................................................................................599

RFC-2328 Compliant OSPF Flooding........................................................................................600

OSPF ACK Packing...................................................................................................................... 601

Setting OSPF Adjacency with Cisco Routers............................................................................. 601

Configuration Information............................................................................................................... 602

Configuration Task List for OSPFv2 (OSPF for IPv4)................................................................. 602

Troubleshooting OSPFv2............................................................................................................ 615

Configuration Task List for OSPFv3 (OSPF for IPv6)........................................................................619

Enabling IPv6 Unicast Routing....................................................................................................619

Assigning IPv6 Addresses on an Interface................................................................................. 620

Assigning Area ID on an Interface..............................................................................................620

Assigning OSPFv3 Process ID and Router ID Globally.............................................................. 620

Configuring Stub Areas............................................................................................................... 621

Configuring Passive-Interface.................................................................................................... 621

Redistributing Routes..................................................................................................................622

Configuring a Default Route.......................................................................................................622

Enabling OSPFv3 Graceful Restart............................................................................................. 622

Displaying Graceful Restart........................................................................................................ 623

OSPFv3 Authentication Using IPsec...........................................................................................625

35 Policy-based Routing (PBR)......................................................................... 634

Overview........................................................................................................................................... 634

Implementing Policy-based Routing with Dell Networking OS.....................................................636

Configuration Task List for Policy-based Routing.......................................................................... 636

PBR Exceptions (Permit)............................................................................................................. 639

Sample Configuration.......................................................................................................................641

Create the Redirect-List GOLDAssign Redirect-List GOLD to Interface 2/11View

Redirect-List GOLD.................................................................................................................... 642

36 PIM Sparse-Mode (PIM-SM).........................................................................644

Implementation Information............................................................................................................644

Protocol Overview............................................................................................................................644

Requesting Multicast Traffic.......................................................................................................644

Refuse Multicast Traffic.............................................................................................................. 645

Send Multicast Traffic................................................................................................................. 645

Configuring PIM-SM.........................................................................................................................646

Related Configuration Tasks...................................................................................................... 646

Enable PIM-SM................................................................................................................................. 646

Configuring S,G Expiry Timers......................................................................................................... 647

Configuring a Static Rendezvous Point...........................................................................................648

Overriding Bootstrap Router Updates....................................................................................... 649

Configuring a Designated Router.................................................................................................... 649

Creating Multicast Boundaries and Domains..................................................................................650

Enabling PIM-SM Graceful Restart...................................................................................................650

37 PIM Source-Specific Mode (PIM-SSM)........................................................651

Configure PIM-SMM......................................................................................................................... 651

Related Configuration Tasks.......................................................................................................651

Implementation Information............................................................................................................ 651

Important Points to Remember................................................................................................. 652

Enabling PIM-SSM.............................................................................................................................652

Use PIM-SSM with IGMP Version 2 Hosts........................................................................................652

Configuring PIM-SSM with IGMPv2........................................................................................... 653

38 Port Monitoring..............................................................................................655

Important Points to Remember....................................................................................................... 655

Configuring Port Monitoring............................................................................................................656

Enabling Flow-Based Monitoring.....................................................................................................657

Remote Port Mirroring......................................................................................................................658

Remote Port Mirroring Example.................................................................................................659

Configuring Remote Port Mirroring...........................................................................................660

Displaying Remote-Port Mirroring Configurations....................................................................661

Configuring the Sample Remote Port Mirroring....................................................................... 662

Configuring the Encapsulated Remote Port Mirroring................................................................... 665

Configuration steps for ERPM ................................................................................................... 665

ERPM Behavior on a typical Dell Networking OS ...........................................................................666

Decapsulation of ERPM packets at the Destination IP/ Analyzer..............................................667

39 Private VLANs (PVLAN)..................................................................................669

Private VLAN Concepts.................................................................................................................... 669

Using the Private VLAN Commands...........................................................................................670

Configuration Task List................................................................................................................671

Private VLAN Configuration Example.........................................................................................675

40 Per-VLAN Spanning Tree Plus (PVST+)......................................................679

Protocol Overview............................................................................................................................679

Implementation Information......................................................................................................680

Configure Per-VLAN Spanning Tree Plus........................................................................................680

Related Configuration Tasks...................................................................................................... 680

Enabling PVST+................................................................................................................................ 680

Disabling PVST+................................................................................................................................681

Influencing PVST+ Root Selection............................................................................................. 681

Modifying Global PVST+ Parameters...............................................................................................683

Modifying Interface PVST+ Parameters...........................................................................................684

Configuring an EdgePort..................................................................................................................685

PVST+ in Multi-Vendor Networks....................................................................................................686

Enabling PVST+ Extend System ID.................................................................................................. 686

PVST+ Sample Configurations......................................................................................................... 687

Enable BPDU Filtering globally.........................................................................................................689

41 Quality of Service (QoS)................................................................................690

Implementation Information............................................................................................................ 691

Port-Based QoS Configurations...................................................................................................... 692

Setting dot1p Priorities for Incoming Traffic..............................................................................692

Honoring dot1p Priorities on Ingress Traffic..............................................................................693

Configuring Port-Based Rate Policing.......................................................................................694

Configuring Port-Based Rate Shaping.......................................................................................694

Guidelines for Configuring ECN for Classifying and Color-Marking Packets................................694

Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class..........695

Classifying Incoming Packets Using ECN and Color-Marking................................................. 695

Sample configuration to mark non-ecn packets as “yellow” with single traffic class............. 698

Policy-Based QoS Configurations................................................................................................... 699

DSCP Color Maps....................................................................................................................... 700

Classify Traffic............................................................................................................................. 702

Create a QoS Policy....................................................................................................................706

Create Policy Maps..................................................................................................................... 709

Enabling QoS Rate Adjustment.........................................................................................................714

Enabling Strict-Priority Queueing.....................................................................................................714

Weighted Random Early Detection.................................................................................................. 715

Creating WRED Profiles...............................................................................................................716

Applying a WRED Profile to Traffic............................................................................................. 716

Displaying Default and Configured WRED Profiles....................................................................716

Displaying WRED Drop Statistics.................................................................................................717

Classifying Layer 2 Traffic on Layer 3 Interfaces ....................................................................... 717

Classifying Packets Based on a Combination of DSCP Code Points and VLAN IDs.................718

42 Routing Information Protocol (RIP)........................................................... 720

Protocol Overview............................................................................................................................720

RIPv1............................................................................................................................................ 720

RIPv2............................................................................................................................................720

Implementation Information.............................................................................................................721

Configuration Information................................................................................................................721

Configuration Task List................................................................................................................721

RIP Configuration Example.........................................................................................................728

43 Remote Monitoring (RMON)........................................................................ 733

Implementation Information............................................................................................................ 733

Fault Recovery...................................................................................................................................733

Setting the rmon Alarm...............................................................................................................734

Configuring an RMON Event...................................................................................................... 735

Configuring RMON Collection Statistics....................................................................................735

Configuring the RMON Collection History................................................................................ 736

Enabling an RMON MIB Collection History Group.................................................................... 737

44 Rapid Spanning Tree Protocol (RSTP)........................................................738

Protocol Overview............................................................................................................................ 738

Configuring Rapid Spanning Tree.................................................................................................... 738

Related Configuration Tasks.......................................................................................................738

Important Points to Remember..................................................................................................739

Configuring Interfaces for Layer 2 Mode.........................................................................................739

Enabling Rapid Spanning Tree Protocol Globally............................................................................739

Adding and Removing Interfaces..................................................................................................... 742

Modifying Global Parameters........................................................................................................... 743

Enable BPDU Filtering Globally........................................................................................................ 744

Modifying Interface Parameters....................................................................................................... 745

Configuring an EdgePort.................................................................................................................. 745

Influencing RSTP Root Selection..................................................................................................... 746

SNMP Traps for Root Elections and Topology Changes.................................................................747

Configuring Fast Hellos for Link State Detection............................................................................ 747

45 Security............................................................................................................ 748

AAA Accounting................................................................................................................................ 748

Configuration Task List for AAA Accounting..............................................................................748

AAA Authentication...........................................................................................................................750

Configuration Task List for AAA Authentication.........................................................................751

AAA Authorization............................................................................................................................. 753

Privilege Levels Overview............................................................................................................753

Configuration Task List for Privilege Levels............................................................................... 754

RADIUS.............................................................................................................................................. 758

RADIUS Authentication and Authorization.................................................................................758

Configuration Task List for RADIUS............................................................................................759

TACACS+...........................................................................................................................................762

Configuration Task List for TACACS+........................................................................................ 762

Choosing TACACS+ as the Authentication Method..................................................................763

Monitoring TACACS+..................................................................................................................764

TACACS+ Remote Authentication and Authorization...............................................................764

Specifying a TACACS+ Server Host............................................................................................765

Command Authorization............................................................................................................766

Protection from TCP Tiny and Overlapping Fragment Attacks...................................................... 766

Enabling SCP and SSH...................................................................................................................... 766

Using SCP with SSH to Copy a Software Image........................................................................ 767

Removing the RSA Host Keys and Zeroizing Storage ...............................................................768

Configuring When to Re-generate an SSH Key ........................................................................768

Configuring the SSH Server Key Exchange Algorithm...............................................................769

Configuring the HMAC Algorithm for the SSH Server...............................................................769

Configuring the SSH Server Cipher List......................................................................................770

Secure Shell Authentication........................................................................................................770

Troubleshooting SSH.................................................................................................................. 773

Telnet.................................................................................................................................................773

VTY Line and Access-Class Configuration.......................................................................................774

VTY Line Local Authentication and Authorization..................................................................... 774

VTY Line Remote Authentication and Authorization................................................................. 775

VTY MAC-SA Filter Support.........................................................................................................775

Role-Based Access Control..............................................................................................................776

Overview of RBAC.......................................................................................................................776

User Roles....................................................................................................................................779

AAA Authentication and Authorization for Roles.......................................................................783

Role Accounting..........................................................................................................................786

Display Information About User Roles....................................................................................... 787

46 Service Provider Bridging.............................................................................789

VLAN Stacking...................................................................................................................................789

Important Points to Remember................................................................................................. 790

Configure VLAN Stacking........................................................................................................... 790

Creating Access and Trunk Ports................................................................................................791

Enable VLAN-Stacking for a VLAN..............................................................................................792

Configuring the Protocol Type Value for the Outer VLAN Tag.................................................792

Configuring Options for Trunk Ports......................................................................................... 792

Debugging VLAN Stacking..........................................................................................................793

VLAN Stacking in Multi-Vendor Networks................................................................................. 794

VLAN Stacking Packet Drop Precedence.........................................................................................798

Enabling Drop Eligibility..............................................................................................................798

Honoring the Incoming DEI Value............................................................................................. 799

Marking Egress Packets with a DEI Value...................................................................................799

Dynamic Mode CoS for VLAN Stacking.......................................................................................... 800

Mapping C-Tag to S-Tag dot1p Values......................................................................................801

Layer 2 Protocol Tunneling..............................................................................................................802

Implementation Information......................................................................................................804

Enabling Layer 2 Protocol Tunneling.........................................................................................805

Specifying a Destination MAC Address for BPDUs....................................................................805

Setting Rate-Limit BPDUs...........................................................................................................805

Debugging Layer 2 Protocol Tunneling.................................................................................... 806

Provider Backbone Bridging............................................................................................................ 806

47 sFlow................................................................................................................ 807

Overview........................................................................................................................................... 807

Implementation Information............................................................................................................807

Important Points to Remember.................................................................................................808

Enabling and Disabling sFlow.......................................................................................................... 808

Enabling and Disabling sFlow on an Interface.......................................................................... 808

sFlow Show Commands.................................................................................................................. 808

Displaying Show sFlow Global...................................................................................................809

Displaying Show sFlow on an Interface.....................................................................................809

Displaying Show sFlow on a Stack Unit.....................................................................................809

Configuring Specify Collectors........................................................................................................ 810

Changing the Polling Intervals......................................................................................................... 810

Changing the Sampling Rate............................................................................................................810

Sub-Sampling...............................................................................................................................811

Back-Off Mechanism........................................................................................................................ 811

sFlow on LAG ports...........................................................................................................................812

Enabling Extended sFlow..................................................................................................................812

48 Simple Network Management Protocol (SNMP)......................................814

Implementation Information............................................................................................................ 814

Configuration Task List for SNMP...............................................................................................814

Important Points to Remember..................................................................................................815

SNMPv3 Compliance With FIPS........................................................................................................815

Set up SNMP......................................................................................................................................816

Creating a Community................................................................................................................817

Setting Up User-Based Security (SNMPv3).......................................................................................817

Reading Managed Object Values..................................................................................................... 819

Writing Managed Object Values.......................................................................................................820

Configuring Contact and Location Information using SNMP........................................................ 820

Subscribing to Managed Object Value Updates using SNMP......................................................... 821

Enabling a Subset of SNMP Traps.................................................................................................... 822

Copy Configuration Files Using SNMP............................................................................................ 824

Copying a Configuration File........................................................................................................... 826

Copying Configuration Files via SNMP............................................................................................ 827

Copying the Startup-Config Files to the Running-Config..............................................................827

Copying the Startup-Config Files to the Server via FTP................................................................. 828

Copying the Startup-Config Files to the Server via TFTP............................................................... 828

Copying a Binary File to the Startup-Configuration........................................................................829

Additional MIB Objects to View Copy Statistics.............................................................................. 829

Obtaining a Value for MIB Objects.................................................................................................. 830

Manage VLANs using SNMP..............................................................................................................831

Creating a VLAN.......................................................................................................................... 831

Assigning a VLAN Alias................................................................................................................ 831

Displaying the Ports in a VLAN....................................................................................................831

Add Tagged and Untagged Ports to a VLAN..............................................................................833

Enabling and Disabling a Port using SNMP..................................................................................... 834

Fetch Dynamic MAC Entries using SNMP........................................................................................834

Deriving Interface Indices.................................................................................................................836

Monitor Port-Channels.....................................................................................................................837

BMP Functionality Using SNMP SET................................................................................................ 838

Entity MIBS........................................................................................................................................ 839

Physical Entity............................................................................................................................. 839

Containment Tree.......................................................................................................................839

Troubleshooting SNMP Operation.................................................................................................. 840

49 Stacking........................................................................................................... 841

Stacking MXL 10/40GbE Switches....................................................................................................841

Stack Management Roles........................................................................................................... 842

Stack Master Election................................................................................................................. 843

Failover Roles..............................................................................................................................844

MAC Addressing..........................................................................................................................844

Stacking LAG...............................................................................................................................844

Supported Stacking Topologies.................................................................................................844

Stack Group/Port Numbers..............................................................................................................846

Configuring a Switch Stack.............................................................................................................. 847

Stacking Prerequisites.................................................................................................................847

Cabling Stacked Switches.......................................................................................................... 848

Accessing the CLI....................................................................................................................... 848

Configuring and Bringing Up a Stack.........................................................................................849

Removing a Switch from a Stack................................................................................................852

Adding a Stack Unit.....................................................................................................................852

Merging Two Stacks....................................................................................................................853

Splitting a Stack...........................................................................................................................854

Managing Redundant Stack Management.................................................................................854

Resetting a Unit on a Stack.........................................................................................................854

Verify a Stack Configuration.............................................................................................................855

Using Show Commands............................................................................................................. 855

Troubleshooting a Switch Stack...................................................................................................... 858

Failure Scenarios...............................................................................................................................859

Stack Member FailsUnplugged Stacking CableMaster Switch FailsStack-Link Flapping

ErrorMaster Switch Recovers from FailureStack Unit in Card-Problem State Due to

Incorrect Dell Networking OS VersionStack Unit in Card-Problem State Due to

Configuration Mismatch.............................................................................................................859

Upgrading a Switch Stack.................................................................................................................862

Upgrading a Single Stack Unit..........................................................................................................863

50 Storm Control.................................................................................................865

Configure Storm Control................................................................................................................. 865

Configuring Storm Control from INTERFACE Mode.................................................................865

Configuring Storm Control from CONFIGURATION Mode......................................................865

51 Spanning Tree Protocol (STP)......................................................................866

Protocol Overview............................................................................................................................866

Configure Spanning Tree................................................................................................................. 866

Related Configuration Tasks...................................................................................................... 866

Important Points to Remember................................................................................................. 867

Configuring Interfaces for Layer 2 Mode.........................................................................................867

Enabling Spanning Tree Protocol Globally......................................................................................868

Adding an Interface to the Spanning Tree Group........................................................................... 870

Removing an Interface from the Spanning Tree Group.................................................................. 871

Modifying Global Parameters........................................................................................................... 871

Modifying Interface STP Parameters................................................................................................872

Enabling PortFast.............................................................................................................................. 873

Prevent Network Disruptions with BPDU Guard....................................................................... 873

Global BPDU Filtering....................................................................................................................... 876

Interface BPDU Filtering............................................................................................................. 876

Selecting STP Root............................................................................................................................877

STP Root Guard................................................................................................................................ 878

Root Guard Scenario.................................................................................................................. 878

Configuring Root Guard............................................................................................................. 879

SNMP Traps for Root Elections and Topology Changes................................................................880

Displaying STP Guard Configuration...............................................................................................880

52 System Time and Date...................................................................................881

Network Time Protocol.................................................................................................................... 881

Protocol Overview......................................................................................................................882

Configure the Network Time Protocol......................................................................................883

Enabling NTP...............................................................................................................................883

Setting the Hardware Clock with the Time Derived from NTP.................................................883

Configuring NTP Broadcasts......................................................................................................884

Disabling NTP on an Interface................................................................................................... 884

Configuring a Source IP Address for NTP Packets....................................................................884

Configuring NTP Authentication................................................................................................885

Dell Networking OS Time and Date.................................................................................................887

Configuration Task List .............................................................................................................. 887

Set Daylight Saving Time............................................................................................................889

53 Tunneling ........................................................................................................892

Configuring a Tunnel........................................................................................................................892

Configuring Tunnel keepalive.......................................................................................................... 893

Configuring the ip and ipv6 unnumbered.......................................................................................894

Configuring the Tunnel allow-remote............................................................................................ 894

Configuring the tunnel source anylocal..........................................................................................895

54 Uplink Failure Detection (UFD)................................................................... 896

Feature Description.......................................................................................................................... 896

How Uplink Failure Detection Works...............................................................................................897

UFD and NIC Teaming..................................................................................................................... 898

Important Points to Remember.......................................................................................................898

Configuring Uplink Failure Detection.............................................................................................. 899

Clearing a UFD-Disabled Interface.................................................................................................. 901

Displaying Uplink Failure Detection.................................................................................................902

Sample Configuration: Uplink Failure Detection............................................................................ 904

55 Upgrade Procedures..................................................................................... 906

Get Help with Upgrades...................................................................................................................906

56 Virtual LANs (VLANs)......................................................................................907

Default VLAN.....................................................................................................................................907

Port-Based VLANs...................................................................................................................... 908

VLANs and Port Tagging.............................................................................................................908

Configuration Task List...............................................................................................................909

Configuring Native VLANs...........................................................................................................913

Enabling Null VLAN as the Default VLAN......................................................................................... 914

57 Virtual Link Trunking (VLT)........................................................................... 915

Overview............................................................................................................................................915

Multi-domain VLT........................................................................................................................916

VLT Terminology............................................................................................................................... 917

Configure Virtual Link Trunking........................................................................................................917

Important Points to Remember..................................................................................................917

Configuration Notes....................................................................................................................918

RSTP and VLT.............................................................................................................................. 922

VLT Bandwidth Monitoring.........................................................................................................922

VLT and IGMP Snooping.............................................................................................................923

VLT Port Delayed Restoration.................................................................................................... 923

PIM-Sparse Mode Support on VLT.............................................................................................923

VLT Multicast...............................................................................................................................925

VLT Unicast Routing................................................................................................................... 926

Non-VLT ARP Sync..................................................................................................................... 927

RSTP Configuration...........................................................................................................................927

Preventing Forwarding Loops in a VLT Domain........................................................................928

Sample RSTP Configuration....................................................................................................... 928

Configuring VLT..........................................................................................................................929

Configuring a VLT Interconnect.................................................................................................929

Configuring a VLT Backup Link..................................................................................................930

Configuring a VLT Port Delay Period.........................................................................................930

Reconfiguring the Default VLT Settings (Optional) .................................................................. 930

Connecting a VLT Domain to an Attached Access Device (Switch or Server)......................... 931

Configuring a VLT VLAN Peer-Down (Optional)....................................................................... 932

Configure Multi-domain VLT (mVLT) (Optional)....................................................................... 933

Verifying a VLT Configuration.....................................................................................................935

Connecting a VLT Domain......................................................................................................... 939

mVLT Configuration Example.......................................................................................................... 943

In Domain 1, configure the VLT domain and VLTi on Peer 1Configure mVLT on Peer 1Add links to the mVLT port-channel on Peer 1Next, configure the VLT domain and VLTi on Peer 2Configure mVLT on Peer 2Add links to the mVLT port-channel on Peer 2In Domain 2, configure the VLT domain and VLTi on Peer 3Configure mVLT on Peer 3Add links to the mVLT port-channel on Peer 3Configure the VLT domain and VLTi on Peer

4Configure mVLT on Peer 4Add links to the mVLT port-channel on Peer 4..........................944

PIM-Sparse Mode Configuration Example...................................................................................... 945

Additional VLT Sample Configurations............................................................................................946

Configuring Virtual Link Trunking (VLT Peer 1)Configuring Virtual Link Trunking (VLT Peer

2)Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access

Switch).........................................................................................................................................946

Troubleshooting VLT........................................................................................................................948

Specifying VLT Nodes in a PVLAN....................................................................................................950

Association of VLTi as a Member of a PVLAN............................................................................ 951

MAC Synchronization for VLT Nodes in a PVLAN......................................................................951

PVLAN Operations When One VLT Peer is Down..................................................................... 952

PVLAN Operations When a VLT Peer is Restarted.....................................................................952

Interoperation of VLT Nodes in a PVLAN with ARP Requests...................................................952

Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........953

Configuring a VLT VLAN or LAG in a PVLAN................................................................................... 954

Creating a VLT LAG or a VLT VLAN............................................................................................954

Associating the VLT LAG or VLT VLAN in a PVLAN....................................................................955

Proxy ARP Capability on VLT Peer Nodes........................................................................................956

Working of Proxy ARP for VLT Peer Nodes................................................................................957

58 Virtual Router Redundancy Protocol (VRRP)........................................... 959

VRRP Overview................................................................................................................................. 959

VRRP Benefits................................................................................................................................... 960

VRRP Implementation...................................................................................................................... 960

VRRP Configuration.......................................................................................................................... 961

Configuration Task List............................................................................................................... 961

Setting VRRP Initialization Delay................................................................................................ 970

Sample Configurations......................................................................................................................971

VRRP for an IPv4 Configuration..................................................................................................971

59 Standards Compliance..................................................................................974

IEEE Compliance...............................................................................................................................974

RFC and I-D Compliance..................................................................................................................975

General Internet Protocols............................................................................................................... 975

General IPv4 Protocols..................................................................................................................... 975

Border Gateway Protocol (BGP).......................................................................................................976

Open Shortest Path First (OSPF).......................................................................................................977

Routing Information Protocol (RIP)..................................................................................................977

Network Management...................................................................................................................... 977

MIB Location..................................................................................................................................... 981

60 FC Flex IO Modules........................................................................................982

FC Flex IO Modules...........................................................................................................................982

Understanding and Working of the FC Flex IO Modules................................................................ 982

FC Flex IO Modules Overview.................................................................................................... 982

FC Flex IO Module Capabilities and Operations........................................................................984

Guidelines for Working with FC Flex IO Modules..................................................................... 984

Processing of Data Traffic.......................................................................................................... 986

Installing and Configuring the Switch........................................................................................987

Interconnectivity of FC Flex IO Modules with Cisco MDS Switches........................................ 990

Data Center Bridging (DCB)..............................................................................................................991

Ethernet Enhancements in Data Center Bridging......................................................................991

Enabling Data Center Bridging...................................................................................................999

QoS dot1p Traffic Classification and Queue Assignment.......................................................1000

Configure Enhanced Transmission Selection..........................................................................1001

Configure a DCBx Operation................................................................................................... 1003

Verifying the DCB Configuration..............................................................................................1013

PFC and ETS Configuration Examples..................................................................................... 1023

Using PFC and ETS to Manage Data Center Traffic.................................................................1023

Fibre Channel over Ethernet for FC Flex IO Modules................................................................... 1028

NPIV Proxy Gateway for FC Flex IO Modules................................................................................1028

NPIV Proxy Gateway Configuration on FC Flex IO Modules ................................................. 1028

NPIV Proxy Gateway Operations and Capabilities.................................................................. 1029

Configuring an NPIV Proxy Gateway....................................................................................... 1033

Displaying NPIV Proxy Gateway Information.......................................................................... 1039

About this Guide

This guide describes the supported protocols and software features, and provides configuration instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module.

The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information about how to install and perform the initial switch configuration, refer to the Getting Started Guides on the Dell Support website at http://support.dell.com/manuals.

Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems. For complete information about protocols, refer to related documentation, including IETF requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 and Layer 3 networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.

Keyword

parameter Parameters are in italics and require a number or word to be entered in the CLI.

{X} Keywords and parameters within braces must be entered in the CLI.

[X] Keywords and parameters within brackets are optional.

x|y Keywords and parameters separated by a bar require you to choose one option.

x||y Keywords and parameters separated by a double bar allows you to choose any or

Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.

all of the options.

Information Symbols

This book uses the following information symbols.

NOTE: The Note icon signals important operational information.

CAUTION: The Caution icon signals information about situations that could result in equipment damage or loss of data.

WARNING: The Warning icon signals information about hardware handling that could result in injury.

About this Guide

* (Exception). This symbol is a note associated with additional text on the page that is marked with an asterisk.

Configuration Fundamentals

The Dell Networking operating system command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.

The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.

In the Dell Networking OS, after you enable a command, it is entered into the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location. For more information, refer to

Save the Running-Configuration.

NOTE: You can use the chassis management controller (CMC) out-of-band management interface to access and manage an MXL Switch using the CLI. For information about how to access the CMC to configure an MXL Switch, refer to the Dell Chassis Management Controller (CMC) User's Guide on the Dell Support website.

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session. When the system successfully boots, enter the command line in EXEC mode.

telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'. Login: username Password: Dell>

CLI Modes

Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (except for EXEC mode

commands with a preceding do command (refer to The do Command section).

You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.

The CLI is divided into three major mode levels:

• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a

limited selection of commands is available, notably the show commands, which allow you to view system information.

Configuration Fundamentals

• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration

files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.

• CONFIGURATION mode allows you to configure security features, time settings, set logging and

SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.

Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:

• INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP

services specific to an interface. An interface can be physical (Management interface, 10 Gigabit Ethernet, 40 Gigabit Ethernet, or synchronous optical network technologies [SONET]) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).

• LINE sub-mode is the mode in which you to configure the console and virtual terminal lines.

NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.

The CLI modes are:

EXEC EXEC Privilege CONFIGURATION INTERFACE TEN GIGABIT ETHERNET FORTY GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET MONITOR SESSION NULL PORT-CHANNEL VLAN IP IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST LINE CONSOLE VIRTUAL TERMINAL MAC ACCESS-LIST MONITOR SESSION MULTIPLE SPANNING TREE PROTOCOL GVRP PROTOCOL LLDP PER-VLAN SPANNING TREE RAPID SPANNING TREE ROUTE-MAP ROUTER OSPF ROUTER RIP SPANNING TREE

Configuration Fundamentals

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.

The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.

NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers to identify the mode and slot/port information.

Table 1. Dell Networking OS Command Modes

CLI Command Mode Prompt Access Command

EXEC

EXEC Privilege

CONFIGURATION

NOTE: Access all of the following modes from CONFIGURATION mode.

AS-PATH ACL

Gigabit Ethernet Interface

10 Gigabit Ethernet Interface

Interface Range

Loopback Interface

Dell>

Dell#

Dell(conf)#

Dell(config-as-path)# ip as-path access-list

Dell(conf-if-gi-0/0)#

Dell(conf-if-te-0/0)#

Dell(conf-if-range)#

Dell(conf-if-lo-0)#

Access the router through the console or Telnet.

• From EXEC mode, enter the enable command.

• From any other mode, use the end command.

• From EXEC privilege mode, enter the configure command.

• From every mode except EXEC and EXEC Privilege, enter the exit command.

interface (INTERFACE modes)

Management Ethernet Interface

Null Interface

Port-channel Interface

Tunnel Interface

VLAN Interface

STANDARD ACCESS-LIST

Dell(conf-if-ma-0/0)#

Dell(conf-if-nu-0)#

Dell(conf-if-po-0)#

Dell(conf-if-tu-0)#

Dell(conf-if-vl-0)#

Dell(config-std-nacl)#

interface (INTERFACE modes)

ip access-list standard (IP

ACCESS-LIST Modes)

Configuration Fundamentals

CLI Command Mode Prompt Access Command

EXTENDED ACCESS-LIST

IP COMMUNITY-LIST

AUXILIARY

CONSOLE

VIRTUAL TERMINAL

STANDARD ACCESS-LIST

EXTENDED ACCESS-LIST

MULTIPLE SPANNING TREE

Per-VLAN SPANNING TREE Plus

PREFIX-LIST

RAPID SPANNING TREE

Dell(config-ext-nacl)#

ip access-list extended (IP

ACCESS-LIST Modes)

Dell(config-community-

ip community-list

list)#

Dell(config-line-aux)#

Dell(config-line-

line (LINE Modes)

console)#

Dell(config-line-vty)#

line (LINE Modes)

Dell(config-std-macl)# mac access-list standard

(MAC ACCESS-LIST Modes)

Dell(config-ext-macl)# mac access-list extended

(MAC ACCESS-LIST Modes)

Dell(config-mstp)# protocol spanning-tree

mstp

Dell(config-pvst)# protocol spanning-tree

pvst

Dell(conf-nprefixl)# ip prefix-list

Dell(config-rstp)# protocol spanning-tree

rstp

REDIRECT

ROUTE-MAP

ROUTER BGP

BGP ADDRESS-FAMILY

ROUTER ISIS

ISIS ADDRESS-FAMILY

ROUTER OSPF

ROUTER OSPFV3

ROUTER RIP

SPANNING TREE

TRACE-LIST

CLASS-MAP

Dell(conf-redirect-list)# ip redirect-list

Dell(config-route-map)# route-map

Dell(conf-router_bgp)# router bgp

Dell(conf-router_bgp_af)#

(for IPv4)

Dell(conf-

address-family {ipv4 multicast | ipv6 unicast}

(ROUTER BGP Mode)

routerZ_bgpv6_af)# (for IPv6)

Dell(conf-router_isis)# router isis

Dell(conf-router_isisaf_ipv6)#

address-family ipv6 unicast (ROUTER ISIS Mode)

Dell(conf-router_ospf)# router ospf

Dell(conf-

ipv6 router ospf

ipv6router_ospf)#

Dell(conf-router_rip)# router rip

Dell(config-span)# protocol spanning-tree 0

Dell(conf-trace-acl)# ip trace-list

Dell(config-class-map)# class-map

Configuration Fundamentals

CLI Command Mode Prompt Access Command

CONTROL-PLANE

Dell(conf-controlcpuqos)#

DCB POLICY Dell(conf-dcb-in)# (for input

policy) Dell(conf-dcb-out)# (for

output policy)

DHCP

DHCP POOL

Dell(config-dhcp)# ip dhcp server

Dell(config-dhcp-pool- name)#

ECMP

Dell(conf-ecmp-groupecmp-group-id)#

EIS

FRRP

Dell(conf-mgmt-eis)# management egress-

Dell(conf-frrp-ring-id)# protocol frrp

LLDP Dell(conf-lldp)# or

Dell(conf-if—interfacelldp)#

LLDP MANAGEMENT INTERFACE

LINE

Dell(conf-lldp-mgmtIf)#

Dell(config-line-console) or Dell(config-line-vty)

control-plane-cpuqos

dcb-input for input policy dcb-output for output policy

pool (DHCP Mode)

ecmp-group

interface-selection

protocol lldp

(CONFIGURATION or INTERFACE Modes)

management-interface (LLDP Mode)

line console orline vty

MONITOR SESSION

OPENFLOW INSTANCE

PORT-CHANNEL FAILOVERGROUP

PRIORITY GROUP

PROTOCOL GVRP

QOS POLICY

VLT DOMAIN

VRRP

u-Boot

Dell(conf-mon-sess-

monitor session

sessionID)#

Dell(conf-of-instance-of-

openflow of-instance

id)#

Dell(conf-po-failovergrp)#

port-channel failovergroup

Dell(conf-pg)# priority-group

Dell(config-gvrp)# protocol gvrp

Dell(conf-qos-policy-out-

qos-policy-output

ets)#

Dell(conf-vlt-domain)# vlt domain

Dell(conf-if-interface-

vrrp-group

type-slot/port-vrid-vrrpgroup-id)#

Dell(=>)#

Press any key when the following line appears on the console

Configuration Fundamentals

CLI Command Mode Prompt Access Command

during a system boot: Hit any key to stop autoboot:

UPLINK STATE GROUP

The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.

Example of Changing Command Modes

Dell(conf)#protocol spanning-tree 0 Dell(config-span)#

Dell(conf-uplink-stategroup-groupID)#

uplink-state-group

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC mode command with the

The following example shows the output of the do command: enable, disable, exit, and configure.

Dell(conf)#do show system brief

Stack MAC : 00:1e:c9:f1:04:22

Reload Type : normal-reload [Next boot : normal-reload]

-- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports

--------------------------------------------------------------------0 Management online MXL-10/40GbE MXL-10/40GbE 8-3-16-47 56 1 Member not present 2 Member not present 3 Member not present 4 Member not present 5 Member not present

do command.

Undoing Commands

When you enter a command, the command line is added to the running configuration file (runningconfig).

To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the ip-address command.

NOTE: Use the help or ? command as described in Obtaining Help.

The first bold line shows the assigned IP address, the second bold line shows the no form of the IP address command, and the last bold line shows the IP address removed.

Configuration Fundamentals

no ip address

Example of Viewing Disabled Commands

Dell(conf)#interface gigabitethernet 4/17 Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24 Dell(conf-if-gi-4/17)#show config ! interface GigabitEthernet 4/17 ip address 192.168.10.1/24 no shutdown Dell(conf-if-gi-4/17)#no ip address Dell(conf-if-gi-4/17)#show config ! interface GigabitEthernet 4/17 no ip address no shutdown

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter

no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:

• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.

• Enter ? after a prompt lists all of the available keywords. The output of this command is the same for the help command.

Dell#? start Start Shell capture Capture Packet cd Change current directory clear Reset functions clock Manage the system clock configure Configuring from terminal copy Copy from one file to another

--More--

• Enter ? after a partial keyword lists all of the keywords that begin with the specified letters.

Dell(conf)#cl? class-map clock Dell(conf)#cl

• Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword.

Dell(conf)#clock ? summer-time Configure summer (daylight savings) time timezone Configure time zone Dell(conf)#clock

Entering and Editing Commands

Notes for entering commands.

• The CLI is not case-sensitive.

• You can enter partial CLI keywords.

– Enter the minimum number of letters to uniquely identify a command. For example, you cannot

enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter with those three letters.

clo, however, as a partial keyword because only one command begins

Configuration Fundamentals

• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.

• The UP and DOWN arrow keys display previously entered commands (refer to Command History).

• The BACKSPACE and DELETE keys erase the previous letter.

• Key combinations are available to move quickly across the command line. The following list describes these short-cut key combinations.

Short-Cut Key Combination

CNTL-A Moves the cursor to the beginning of the command line.

CNTL-B Moves the cursor back one character.

CNTL-D Deletes character at cursor.

CNTL-E Moves the cursor to the end of the line.

CNTL-F Moves the cursor forward one character.

CNTL-I Completes a keyword.

CNTL-K Deletes all characters from the cursor to the end of the command line.

CNTL-L Re-enters the previous command.

CNTL-N Return to more recent commands in the history buffer after recalling commands

CNTL-P Recalls commands, beginning with the last command.

CNTL-R Re-enters the previous command.

CNTL-U Deletes the line.

CNTL-W Deletes the previous word.

CNTL-X Deletes the line.

Action

with CTRL-P or the UP arrow key.

CNTL-Z Ends continuous scrolling of command outputs.

Esc B Moves the cursor back one word.

Esc F Moves the cursor forward one word.

Esc D Deletes all characters from the cursor to the end of the word.

Command History

The Dell Networking OS maintains a history of previously-entered commands for each mode. For example:

• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.

• When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.

Configuration Fundamentals

Filtering show Command Outputs

The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.

Starting with the Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case suboption that forces the search to case-insensitive. For example, the commands:

• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as

• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”

• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”

The grep command displays only the lines containing specified text. The following shows this command used in combination with the command.

Dell(conf)#do show stack-unit all stack-ports all pfc details | grep 0 stack unit 0 stack-port all 0 Pause Tx pkts, 0 Pause Rx pkts 0 Pause Tx pkts, 0 Pause Rx pkts 0 Pause Tx pkts, 0 Pause Rx pkts 0 Pause Tx pkts, 0 Pause Rx pkts 0 Pause Tx pkts, 0 Pause Rx pkts 0 Pause Tx pkts, 0 Pause Rx pkts

interface GigabitEthernet 0/0.

do show stack-unit all stack-ports pfc details | grep 0

NOTE: The Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.

The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the do show stack-unit all stack-ports all pfc

details | except 0

Example of the except Keyword

Example of the find Keyword

Dell(conf)#do show stack-unit all stack-ports all pfc details | except 0

Admin mode is On Admin is enabled Local is enabled Link Delay 45556 pause quantum

stack unit 1 stack-port all

Admin mode is On Admin is enabled

The find keyword displays the output of the show command beginning from the first occurrence of specified text.

command.

Configuration Fundamentals

Dell(conf)#do show stack-unit all stack-ports all pfc details | find 0 stack unit 0 stack-port all Admin mode is On Admin is enabled Local is enabled Link Delay 45556 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts

stack unit 1 stack-port all

The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.

The save command copies the output to a file for future reference.

NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:

regular-expression | grep other-regular-expression | find regular-expression | save.

Dell# command | grep regular-expression | except

Multiple Users in Configuration Mode

Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.

A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:

• On the system that telnets into the switch, this message appears:

% Warning: The following users are currently configuring the system: User "<username>" on line console0

• On the system that is connected over the console, this message appears:

% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode

If either of these messages appears, Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.

Configuration Fundamentals

Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route

processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.

When the boot process completes, the RPM and line card status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.

For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration Fundamentals chapter.

Getting Started

Console Access

The MXL 10/40GbE Switch IO Module has two management ports available for system access: a serial console port and an out-of-bounds (OOB) port.

Serial Console

A universal serial bus (USB) (A-Type) connector is located at the front panel. The USB can be defined as an External Serial Console (RS-232) port, and is labeled on the MXL 10/40GbE Switch IO Module chassis. The USB is present on the lower side, as you face the I/O side of the chassis, as shown.

Getting Started

Serial Console

Getting Started

External Serial Port with a USB Connector

The following table listes the pin assignments.

Table 2. Pin Assignments

USB Pin Number Signal Name

Pin 1 RTS

Pin 2 RX

Pin 3 TX

Pin 4 CTS

Pin 5, 6 GND

RxD Chassis GND

Accessing the CLI Interface and Running Scripts Using SSH

In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files. This method of connectivity is supported with MXL switch and provides a reliable, safe communication mechanism.

Entering CLI commands Using an SSH Connection

You can run CLI commands by entering any one of the following syntax to connect to a switch using the preconfigured user credentials using SSH:

ssh username@hostname <CLI Command>

echo <CLI Command> | ssh admin@hostname

The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.

Executing Local CLI Scripts Using an SSH Connection

You can execute CLI commands by entering a CLI script in one of the following ways:

ssh username@hostname <CLIscript.file>

cat < CLIscript.file > | ssh admin@hostname

The script is run and the actions contained in the script are performed.

Getting Started

Following are the points to remember, when you are trying to establish an SSH session to the device to run commands or script files:

• There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in executing SSH-related scripts.

• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed.

• If you issue an interactive command in the SSH session, the behavior may not really be interactive.

• In some cases, when you use an SSH session, when certain show commands such as show tech- support produce large volumes of output, sometimes few characters from the output display are truncated and not displayed. This may cause one of the commands to fail for syntax error. In such cases, if you add few newline characters before the failed command, the output displays completely.

Execution of commands on CLI over SSH does not notice the errors that have occurred while executing the command. As a result, you cannot identify, whether a command has failed to be processed. The console output though is redirected back over SSH.

Boot Process

After you follow the Installation Procedure in the Getting Started Guide, the MXL switch boots up.

The MXL switch with the Dell Networking OS version 8.3.16.1 requires boot flash version 4.0.1.0 and boot selector version 4.0.0.0. The following example shows the completed boot process.

syncing disks... done unmounting file systems... unmounting /f10/flash (/dev/ld0e)... unmounting /usr (mfs:31)... unmounting /lib (mfs:23)... unmounting /f10 (mfs:20)... unmounting /tmp (mfs:15)... unmounting /kern (kernfs)... unmounting / (/dev/md0a)... done rebooting...

NetLogic XLP Stage 1 Loader Built by build at tools-sjc-01 on Thu May 31 23:53:38 2012 IOM Boot Selector Label 4.0.0.0

Nodes online: 1 GPIO 22 init'ed as an output GPIO 23 init'ed as an output I2C0 speed = 30 KHz, prescaler = 0x0377. Initialized I2C0 Controller. I2C1 speed = 100 KHz, prescaler = 0x0109. Initialized I2C1 Controller. DDR SPD: Node 0 Channel 0 Mem size = 2048 MB DDR SPD: Node 0 DRAM frequency 666 MHz DDR SPD: Node 0 CPU frequency 1200 MHz RTT Norm:44 NBU0 DRAM BAR0 base: 00000000 limit: 0013f000 xlate: 00000001 node: 00000000 ( 0 MB -> 320 MB , size: 320 MB) NBU0 DRAM BAR1 base: 001d0000 limit: 0088f000 xlate: 00090001 node: 00000000 ( 464 MB -> 2192 MB , size: 1728 MB)

Getting Started

Modifying Default Flash Address map..Done Initialized eMMC Host Controller Detected SD Card BLC is 1 (preset 10) Hit any key to stop autoboot: 0 Boot Image selection Reading the Boot Block Info...Passed !! Images are OK A:0x0 B:0x0 Boot Selector set to Bootflash Partition A image... Verifying Copyright Information..success for Image - 0 Boot Selector: Booting Bootflash Partition A image... Copying stage-2 loader from 0xb6120000 to 0x8c100000(size = 0x100000) Boot Image selection DONE. ## Starting application at 0x8C100000 ...

U-Boot 2010.03-rc1(Dell Force10) Built by build at tools-sjc-01 on Thu May 31 23:53:38 2012 IOM Boot Label 4.0.1.0

DRAM: 2 GB Initialized CPLD on CS3 Detected [XLP308 (Lite+) Rev A0] Initializing I2C0: speed = 30 KHz, prescaler = 0x0377 -- done. Initializing I2C1: speed = 100 KHz, prescaler = 0x0109 -- done. Initialized eMMC Host Controller Detected SD Card Now running in RAM - U-Boot [N64 ABI, Big-Endian] at: ffffffff8c100000 Flash: 256 MB PCIE (B0:D01:F0) : Link up. PCIE (B0:D01:F1) : No Link. In: serial Out: serial Err: serial Net: nae-0: PHY is Broadcom BCM54616S

--More--

SOFTWARE IMAGE HEADER DATA :

----------------------------

--More--

Starting Dell Networking application

Welcome to Dell Easy Setup Wizard

The setup wizard guides you through the initial switch configuration, and gets you up and running as quickly as possible. You can skip the setup wizard, and enter CLI mode to manually configure the switch. You must respond to the next question to run the setup wizard within 60 seconds, otherwise the system will continue with normal operation using the default system configuration. Note: You can exit the setup wizard at any point by entering [ctrl+c].

Would you like to run the setup wizard (you must answer this question within 60 seconds)? [Y/N]: N 00:00:40: %STKUNIT0-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Vl 1 00:00:42: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces. EQL detection and enabling iscsi profile-compellent on an interface may cause some automatic

Getting Started

configurations to occur like jumbo frames on all ports and no storm control and spanning tree port-fast on the port of detection 00:00:42: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user on line console Dell>en Password:

Default Configuration

A version of the Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured when you power up for the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

• Characters within the string can be letters, digits, and hyphens.

To create a host name, use the following command.

• Create a host name. CONFIGURATION mode

hostname name

Example of the hostname Command

Dell(conf)#hostname R1 R1(conf)#

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

• Characters within the string can be letters, digits, and hyphens.

To create a host name, use the following command.

• Create a host name. CONFIGURATION mode

hostname name

Example of the hostname Command

Dell(conf)#hostname R1 R1(conf)#

Getting Started

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or SSH. The MXL 10/40GbE switch IO module has a dedicated management port and a management routing

table that is separate from the IP routing table.

Accessing the MXL Switch Remotely

Configuring the system for Telnet is a three-step process, as described in the following topics:

1. Configure an IP address for the management port. Configure the Management Port IP Address

2. Configure a management route with a default gateway. Configure a Management Route

3. Configure a username and password. Configure a Username and Password

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.

1. Enter INTERFACE mode for the Management port.

CONFIGURATION mode

interface ManagementEthernet slot/port

• slot: the range is 0.

• port: the range is 0.

2. Assign an IP address to the interface.

INTERFACE mode

ip address ip-address/mask

• ip-address: an address in dotted-decimal format (A.B.C.D).

• mask: a subnet mask in /prefix-length format (/ xx).

3. Enable the interface.

INTERFACE mode

no shutdown

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.

• Configure a management route to the network from which you are accessing the system. CONFIGURATION mode

management route ip-address/mask gateway

– ip-address: the network address in dotted-decimal format (A.B.C.D).

Getting Started

– mask: a subnet mask in /prefix-length format (/ xx). – gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, configure a system username and password. To configure a system username and password, use the following command.

• Configure a username and password to access the system remotely. CONFIGURATION mode

username username password [encryption-type] password

– encryption-type: specifies how you are inputting the password, is 0 by default, and is not

required.

* 0 is for inputting the password in clear text. * 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtaining the

encrypted password from the configuration of another Dell Networking system.

Configuring the Enable Password

Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure.

There are two types of enable passwords:

• enable password stores the password in the running/startup configuration using a DES encryption method.

• enable secret is stored in the running/startup configuration in using a stronger, MD5 encryption method.

Dell Networking recommends using the enable secret password.

To configure an enable password, use the following command.

• Create a password to access EXEC Privilege mode. CONFIGURATION mode

enable [password | secret] [level level] [encryption-type] password

– level: is the privilege level, is 15 by default, and is not required

– encryption-type: specifies how you are inputting the password, is 0 by default, and is not

required.

* 0 is for inputting the password in clear text. * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted

password from the configuration file of another Dell Networking system. You can only use this for the enable password.

* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the

encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable secret password.

Getting Started

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

NOTE: Using flash memory cards in the system that have not been approved by Dell Networking can cause unexpected system behavior, including a reboot.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.

NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command Line Reference Guide.

• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the

• To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file location with the

Table 3. Forming a copy Command

Location source-file-url Syntax destination-file-url Syntax

file-destination syntax for a remote file location.

file-destination syntax for a local file location.

Internal flash: flash

USB flash: usbflash

For a remote file location: FTP server

For a remote file location: TFTP server

For a remote file location: SCP server

copy flash://filename flash://filename

usbflash://filename usbflash://filename

copy ftp://

username:password@{hostip | hostname}/filepath/ filename

copy tftp://{hostip | hostname}/filepath/ filename

copy scp://{hostip | hostname}/filepath/ filename

ftp:// username:password@{hostip | hostname}/ filepath/ filename

tftp://{hostip | hostname}/filepath/ filename

scp://{hostip | hostname}/filepath/ filename

Important Points to Remember

• You may not copy a file from one remote system to another.

• You may not copy a file from one location to the same location.

• When copying to a server, you can only use a hostname if you configured a domain name server (DNS) server.

Getting Started

NOTE: If all of the following conditions are true, the Portmode Hybrid configuration is not applied, because of the configuration process for server ports as switch ports by default:

• The running configuration is saved in flash.

• The startup configuration is deleted.

• The switch is reloaded.

• The saved configuration is copied to the running configuration.

To avoid this scenario, delete the switch port configuration from the running configuration before copying the saved configuration to the running configuration.

Example of Copying a File to an FTP Server

Example of Importing a File to the Local System

The bold flash shows the local location and the bold ftp shows the remote location.

Dell#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10/ /FTOS/FTOS-EF-8.2.1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 27952672 bytes successfully copied

core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/ FTOS-EF-8.2.1.0.bin flash:// Destination file name [FTOS-EF-8.2.1.0.bin.bin]: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 26292881 bytes successfully copied

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell Networking recommends coping your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startupconfiguration is stored in the internal flash on the IOM by default, but you can save it to a USB flash device or a remote server. The commands in this section follow the same format as those commands in theCopy Files to and from

the System section but use the filenames startup-config and running-config. These commands assume

that current directory is the internal flash, which is the system default.

• Save the running-config to the startup-configuration on the internal flash. EXEC Privilege mode

copy running-config startup-config

• Save the running-configuration on the IOM. EXEC Privilege mode

copy running-config usbflash://filename

• Save the running-configuration to an FTP server. EXEC Privilege mode

copy running-config ftp:// username:password@{hostip | hostname}/filepath/ filename

• Save the running-configuration to a TFTP server. EXEC Privilege mode

Getting Started

copy running-config tftp://{hostip | hostname}/ filepath/filename

• Save the running-configuration to an SCP server. EXEC Privilege mode

copy running-config scp://{hostip | hostname}/ filepath/filename

NOTE: When copying to a server, you can only use a host name if you have configured a DNS server.

• Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. Then copy the new startup-config file to the external flash of the primary RPM.

EXEC Privilege mode

copy running-config startup-config duplicate

Dell Networking OS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another chassis, the startup-configuration is stored as a backup file (with the extension .bak), and a new, empty startup-configuration file is created. To restore your original startup-configuration in this situation, overwrite the new startup-configuration with the original one using the copy startup- config.bak startup-config command.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.

• View a list of files on the internal flash. EXEC Privilege mode

dir flash:

• View a list of files on the usbflash. EXEC Privilege mode

dir usbflash:

• View the contents of a file in the internal flash. EXEC Privilege mode

show file flash://filename

• View the contents of a file in the usb flash. EXEC Privilege mode

show file usbflash://filename

• View the running-configuration. EXEC Privilege mode

show running-config

• View the startup-configuration. EXEC Privilege mode

show startup-config

Getting Started

Example of the dir Command

The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.

Dell#dir Directory of flash:

1 drwx 4096 Jan 01 1980 00:00:00 +00:00 . 2 drwx 2048 May 10 2011 14:45:15 +00:00 .. 3 drwx 4096 Feb 17 2011 00:28:00 +00:00 TRACE_LOG_DIR 4 drwx 4096 Feb 17 2011 00:28:02 +00:00 CORE_DUMP_DIR 5 d--- 4096 Feb 17 2011 00:28:02 +00:00 ADMIN_DIR 6 -rwx 1272 Apr 29 2011 16:15:14 +00:00 startup-config 7 -rwx 10093 Feb 17 2011 20:48:02 +00:00 abhi-jan26.cfg 8 -rwx 217155 Feb 22 2011 23:14:34 +00:00 show-tech-cfg.txt 9 -rwx 5162 Mar 02 2011 04:02:58 +00:00 runn-feb6 10 -rwx 10507 Mar 03 2011 01:17:16 +00:00 abhi-feb7.cfg 11 -rwx 4 May 06 2011 22:05:06 +00:00 dhcpBindConflict 12 -rwx 6900 Feb 17 2011 04:43:12 +00:00 startup-config.bak 13 -rwx 1244038 Feb 13 2011 04:27:16 +00:00 f10cp_sysd_110213042625.acore.gz

flash: 2143281152 bytes total (2123755520 bytes free)

--More--

View Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.

In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change,” and “Startup-config last updated,” you have made changes that have not been saved and will not be preserved after a system reboot.

Example of the show running-config Command

Dell#show running-config Current Configuration ... Current Configuration ... ! Version E8-3-16-0 ! Last configuration change at Tue Mar 6 11:51:50 2012 by default ! Startup-config last updated at Tue Mar 6 07:41:23 2012 by default ! boot system stack-unit 5 primary tftp://10.11.200.241/dt-m1000e-3-a2 boot system stack-unit 5 secondary system: B: boot system stack-unit 5 default tftp://10.11.200.241/dt-m1000e-3-b2 boot system gateway 10.11.209.254

--More--

Managing the File System

The Dell Networking system can use the internal Flash, USB Flash, or remote devices to store files. The system stores files on the internal Flash by default but you can configure the system to store files

elsewhere.

To view file system information, use the following command.

• View information about each file system.

Getting Started

EXEC Privilege mode

show file-systems

The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.

Dell#show file-systems Size(b) Free(b) Feature Type Flags Prefixes 2143281152 2000785408 FAT32 USERFLASH rw flash: 15848660992 831594496 FAT32 USBFLASH rw usbflash:

- - - network rw ftp:

- - - network rw tftp:

- - - network rw scp:

You can change the default file system so that file management commands apply to a particular device or memory.

To change the default directory, use the following command.

• Change the default directory. EXEC Privilege mode

cd directory

You can change the default storage location to the USB Flash, as shown. File management commands then apply to the USB Flash rather than the internal Flash. The bold lines show that no file system is specified and that the file is saved to an USB Flash.

Dell#cd usbflash: Dell#copy running-config test ! 3998 bytes successfully copied

DellS#dir Directory of usbflash:

1 drwx 4096 Jan 01 1980 00:00:00 +00:00 . 2 drwx 2048 May 02 2012 07:05:06 +00:00 .. 3 -rwx 1272 Apr 29 2011 16:15:14 +00:00 startup-config 4 -rwx 3998

May 11 2011 23:36:12 +00:00 test

View the Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.

The system generates a trace message for each executed command. No password information is saved to the file.

To view the command-history trace, use the show command-history command.

Example of the show command-history Command

Dell#show command-history [5/18 21:58:32]: CMD-(TEL0):[enable]by admin from vty0 (10.11.68.5)

Getting Started

[5/18 21:58:48]: CMD-(TEL0):[configure]by admin from vty0 (10.11.68.5)

- Repeated 1 time.

[5/18 21:58:57]: CMD-(TEL0):[interface port-channel 1]by admin from vty0 (10.11.68.5) [5/18 21:59:9]: CMD-(TEL0):[show config]by admin from vty0 (10.11.68.5) [5/18 22:4:32]: CMD-(TEL0):[exit]by admin from vty0 (10.11.68.5) [5/18 22:4:41]: CMD-(TEL0):[show interfaces port-channel brief]by admin from vty0 (10.11.68.5)

Using HTTP for File Transfers

Stating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. Use the copy source-file-url http://host[:port]/file-path command to transfer files to an external server. This functionality to transport files using HTTP to a remote server is supported on MXL, I/O Aggregator, S4810, S4820, S6000, and Z9000 platforms. Enter the following source-file-url keywords and information:

• To copy a file from the internal FLASH, enter flash:// followed by the filename.

• To copy the running configuration, enter the keyword running-config.

• To copy the startup configuration, enter the keyword startup-config.

• To copy a file on the external FLASH, enter usbflash:// followed by the filename.

Upgrading and Downgrading the Dell Networking OS

NOTE: To upgrade the Dell Networking OS, refer to the Release Notes for the version you want to load on the system.

Using Hashes to Validate Software Images

You can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm to validate the software image on the flash drive, after the image has been transferred to the system, but before the image has been installed. The validation calculates a hash value of the downloaded image file on system’s flash drive, and, optionally, compares it to a Dell Networking published hash for that file.

The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file, and comparing the result to the hash published for that file on iSupport, provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, can prevent the installation of corrupted or modified images.

The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on i-Support. Optionally, the published hash can be included in the verify {md5 | sha256} command, which will display whether it matches the calculated hash of the indicated file.

To validate a software image:

1. Download Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP)

server. The published hash for that file is displayed next to the software image file on the iSupport page.

Getting Started

2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy

command.

3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256

flash://FTOS-SE-9.5.0.0.bin

4. Compare the generated hash value to the expected hash value published on the iSupport page.

To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.

• md5: MD5 message-digest algorithm

• sha256: SHA256 Secure Hash Algorithm

• flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name.

• hash-value: (Optional). Specify the relevant hash published on i-Support.

• img-file: Enter the name of the Dell Networking software image file to validate

Examples: Without Entering the Hash Value for Verification

MD5

Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459

SHA256

Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933

Examples: Entering the Hash Value for Verification

MD5

Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459 MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin

SHA256

Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933 SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin

Getting Started

Management

Management is supported on the Dell Networking MXL 10/40GbE Switch IO Module. This chapter describes the different protocols or services used to manage the Dell Networking system.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line.

There are 15 privilege levels, of which two are pre-defined. The default privilege level is 1.

• Level 1 — Access to the system begins at EXEC mode, and EXEC mode commands are limited to basic commands, some of which are enable, disable, and exit.

• Level 15 — To access all commands, enter EXEC Privilege mode. Normally, enter a password to enter this mode.

Creating a Custom Privilege Level

Custom privilege levels start with the default EXEC mode command set.

You can then customize privilege levels 2-14 by:

• removing commands from the EXEC mode commands

• moving commands from EXEC Privilege mode to EXEC mode

• allowing access to CONFIGURATION mode commands

• allowing access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode commands

You can access all commands at your privilege level and below.

Moving a Command from EXEC Privilege Mode to EXEC Mode

Remove a command from the list of available commands in EXEC mode for a specific privilege level using the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each restricted command.

Moving a Command from EXEC Privilege Mode to EXEC Mode

Move a command from EXEC Privilege to EXEC mode for a privilege level using the privilege exec command from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal line, and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

Allow access to CONFIGURATION mode using the privilege exec level level command configure from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level, and has access to only two commands, end and exit. Individually specify each CONFIGURATION mode command to which you want to allow access using the

privilege

Management

configure level level command. In the command, specify the privilege level of the user or terminal line, and specify all keywords in the command to which you want to allow access.

Allowing Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode

1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-

MAP, and ROUTER modes, first allow access to the command that enters you into the mode. For example, allow a user to enter INTERFACE mode using the privilege configure level level interface gigabitethernet command.

2. Then, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you

want to allow access using the privilege {interface | line | route-map | router}

level

specify all keywords in the command to which you want to allow access.

level command. In the command, specify the privilege level of the user or terminal line and

Customizing a Privilege Level

to customize a privilege level, use the following commands.

1. Remove a command from the list of available commands in EXEC mode.

CONFIGURATION mode

privilege exec level level {command ||...|| command}

2. Move a command from EXEC Privilege to EXEC mode.

CONFIGURATION mode

privilege exec level level {command ||...|| command}

3. Allow access to CONFIGURATION mode.

CONFIGURATION mode

privilege exec configure level level

4. Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the

command. CONFIGURATION mode

privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}

5. Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode

command. CONFIGURATION mode

privilege {configure |interface | line | route-map | router} level level {command ||...|| command}

Create a Custom Privilege Level Apply a Privilege Level to a Username

The following configuration privilege level 3. This level:

• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4

• moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0

• allows access to CONFIGURATION mode with the banner command

Management

• allows access to INTERFACE and LINE modes with the no command

Dell(conf)#do show run privilege ! Dell(conf)#privilege exec level 3 capture Dell(conf)#privilege exec level 3 configure Dell(conf)#privilege exec level 4 resequence Dell(conf)#privilege exec level 3 clear arp-cache Dell(conf)#privilege exec level 3 clear arp-cache max-buffer-size Dell(conf)#privilege configure level 3 line Dell(conf)#privilege configure level 3 interface Dell(conf)#do telnet 10.11.80.201 [telnet output omitted] Dell#show priv Current privilege level is 3. Dell#? capture Capture packet configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC ip Global IP subcommands monitor Monitoring feature mtrace Trace reverse multicast path from destination to source ping Send echo messages quit Exit from the EXEC show Show running system information [output omitted] Dell#config [output omitted] Dell(conf)#do show priv Current privilege level is 3. Dell(conf)#? end Exit from configuration mode exit Exit from configuration mode interface Select an interface to configure Dell(conf)#interface ? loopback Loopback interface managementethernet Management Ethernet interface null Null interface port-channel Port-channel interface range Configure interface range tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#? end Exit from configuration mode exit Exit from interface configuration mode Dell(conf-if-te-1/1)#exit Dell(conf)#line ? console Primary terminal line vty Virtual terminal Dell(conf)#line vty 0 Dell(conf-line-vty)#? exit Exit from line configuration mode Dell(conf-line-vty)#

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.

• Configure a privilege level for a user.

Management

CONFIGURATION mode

username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.

• Configure a privilege level for a terminal line. Line mode

privilege levellevel

NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging

The Dell Networking operating system tracks changes in the system using event and error messages. By default, the system logs these messages on:

• the internal buffer

• console and terminal lines

• any configured syslog servers

To disable logging, use the following commands.

• Disable all logging except on the console. CONFIGURATION mode

no logging on

• Disable logging to the logging buffer. CONFIGURATION mode

no logging buffer

• Disable logging to terminal lines. CONFIGURATION mode

no logging monitor

• Disable console logging. CONFIGURATION mode

no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs. The following is the configuration task list for audit and security logs:

• Enabling Audit and Security Logs

• Displaying Audit and Security Logs

Management

• Clearing Audit Logs

Enabling Audit and Security Logs

You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.

Audit Logs

The audit log contains configuration events and information. The types of information in this log consist of the following:

• User logins to the switch.

• System events for network issues or system issues.

• Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.

• Uncontrolled shutdown.

Security Logs

The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:

• Establishment of secure traffic flows, such as SSH.

• Violations on secure flows or certificate issues.

• Adding and deleting of users.

• User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration)

Important Points to Remember

When you enabled RBAC and extended logging:

• Only the system administrator user role can execute this command.

• The system administrator and system security administrator user roles can view security events and system events.

• The system administrator user roles can view audit, security, and system events.

• Only the system administrator and security administrator user roles can view security logs.

• The network administrator and network operator user roles can view system events.

NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.

Example of Enabling Audit and Security Logs

Dell(conf)#logging extended

Management

Displaying Audit and Security Logs

To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the

Example of the show logging auditlog Command

For information about the logging extended command, see Enabling Audit and Security Logs

Dell#show logging auditlog May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98) May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98) May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)

Example of the show logging Command for Security

For information about the logging extended command, see Enabling Audit and Security Logs

Dell#show logging Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )

show logging command.

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.

Example of the clear logging auditlog Command

Dell# clear logging auditlog

Configuring Logging Format

To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version [0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.

The following describes the two log messages formats:

• 0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol

• 1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol

Example of Configuring the Logging Message Format

Dell(conf)#logging version ? <0-1> Select syslog version (default = 0) Dell(conf)#logging version 1

Management

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with the port forwarding to securely connect to a syslog server.

Pre-requisites

To configure a secure connection from the switch to the syslog server:

1. On the switch, enable the SSH server

Dell(conf)#ip ssh server enable

2. On the syslog server, create a reverse SSH tunnel from the syslog server to FTOS switch, using

following syntax:

ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf

In the following example the syslog server IP address is 10.156.166.48 and the listening port is

5141. The switch IP address is 10.16.131.141 and the listening port is 5140

ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf

Management

3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”.

If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.

Dell(conf)# logging localhost tcp port Dell(conf)#logging 127.0.0.1 tcp 5140

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.

Example of the show logging Command

Dell#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM. %RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:' %CHMGR-5-CARDDETECTED: Line card 0 present %CHMGR-5-CARDDETECTED: Line card 2 present %CHMGR-5-CARDDETECTED: Line card 4 present %CHMGR-5-CARDDETECTED: Line card 5 present %CHMGR-5-CARDDETECTED: Line card 8 present %CHMGR-5-CARDDETECTED: Line card 10 present %CHMGR-5-CARDDETECTED: Line card 12 present %TSM-6-SFM_DISCOVERY: Found SFM 0 %TSM-6-SFM_DISCOVERY: Found SFM 1 %TSM-6-SFM_DISCOVERY: Found SFM 2 %TSM-6-SFM_DISCOVERY: Found SFM 3 %TSM-6-SFM_DISCOVERY: Found SFM 4 %TSM-6-SFM_DISCOVERY: Found SFM 5 %TSM-6-SFM_DISCOVERY: Found SFM 6 %TSM-6-SFM_DISCOVERY: Found SFM 7 %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP %TSM-6-SFM_DISCOVERY: Found SFM 8 %TSM-6-SFM_DISCOVERY: Found 9 SFMs %CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports) %TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 5 is up %CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports) %TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 12 is up %IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8 %IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8

To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.

Management

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer. For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled

Configuration Task List for System Log Management

There are two configuration tasks for system log management:

• Disabling System Logging

• Sending System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.

• Disable all logging except on the console. CONFIGURATION mode

no logging on

• Disable logging to the logging buffer. CONFIGURATION mode

no logging buffer

• Disable logging to terminal lines. CONFIGURATION mode

no logging monitor

• Disable console logging. CONFIGURATION mode

no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog messages over UDP.

• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.

CONFIGURATION mode

logging {ip-address | ipv6–address |hostname} {{udp {port}} | {tcp {port}}}

Configuring a UNIX System as a Syslog Server

To configure a UNIX System as a syslog server, use the following command.

Management

• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.

– Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/log7.log

– Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log

In the previous lines, local7 is the logging facility level and debugging is the severity level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location.

The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.

To specify the system logging settings, use the following commands.

• Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode

logging buffered level

• Specify the minimum severity level for logging to the console. CONFIGURATION mode

logging console level

• Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode

logging monitor level

• Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode

logging trap level

• Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode

logging history level

• Specify the size of the logging buffer. CONFIGURATION mode

logging buffered size

NOTE: When you decrease the buffer size, the system deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.

• Specify the number of messages that the system saves to its logging history table. CONFIGURATION mode

logging history size size

To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.

Management

To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configuring a UNIX Logging Facility Level.

Display the Logging Buffer and the Logging Configuration

Example of the show logging Command

To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configuring a UNIX Logging Facility Level.

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command.

• Specify one of the following parameters.

Management

CONFIGURATION mode

logging facility [facility-type]

– auth (for authorization messages) – cron (for system scheduler messages) – daemon (for system daemons) – kern (for kernel messages) – local0 (for local use) – local1 (for local use) – local2 (for local use) – local3 (for local use) – local4 (for local use) – local5 (for local use) – local6 (for local use) – local7 (for local use) – lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) – sys14 (system use) – syslog (for syslog messages) – user (for user programs) – uucp (UNIX to UNIX copy protocol)

Example of the show running-config logging Command

To view nondefault settings, use the show running-config logging command in EXEC mode.

Dell#show running-config logging ! logging buffered 524288 debugging service timestamps log datetime msec service timestamps debug datetime msec ! logging trap debugging logging facility user logging source-interface Loopback 0 logging 10.10.10.4 Dell#

Management

Synchronizing Log Messages

You can configure the system to filter and consolidate the system messages for a specific line by synchronizing the message output.

Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.

1. Enter LINE mode.

CONFIGURATION mode

line {console 0 | vty number [end-number]}

Configure the following parameters for the virtual terminal lines:

• number: the range is from zero (0) to 9.

• end-number: the range is from 1 to 8.

You can configure multiple virtual terminals at one time by entering a number and an end-number.

2. Configure a level and set the maximum number of messages to print.

LINE mode

logging synchronous [level severity-level | all] [limit]

Configure the following optional parameters:

• level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to

include all messages.

• limit: the range is from 20 to 300. The default is 20.

To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command.

• Add timestamp to syslog messages. CONFIGURATION mode

service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]

Specify the following optional parameters: – datetime: You can add the keyword localtime to include the localtime, msec, and show-

timezone

– uptime: To view time since last boot.

If you do not specify a parameter, the system configures uptime.

To view the configuration, use the show running-config logging command in EXEC privilege mode.

. If you do not add the keyword localtime, the time is UTC.

Management

To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.

File Transfer Services

With the Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).

One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.

For more information about FTP, refer to RFC 959, File Transfer Protocol.

Configuration Task List for File Transfer Services

The configuration tasks for file transfer services are:

• Enabling the FTP Server (mandatory)

• Configuring FTP Server Parameters (optional)

• Configuring FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.

• Enable FTP on the system. CONFIGURATION mode

ftp-server enable

Example of Viewing FTP Configuration

Dell#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar Dell#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands.

• Specify the directory for users using FTP to reach the system. CONFIGURATION mode

ftp-server topdir dir

The default is the internal flash directory.

• Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode

ftp-server username username password [encryption-type] password

Management

Configure the following optional and required parameters:

– username: enter a text string.

– encryption-type: enter 0 for plain text or 7 for encrypted text.

– password: enter a text string.

NOTE: You cannot use the change directory (cd) command until you have configured ftp-

server topdir

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.

• Enter the following keywords and slot/port or number information: – For a Loopback interface, enter the keyword loopback then a number between 0 and 16383.

– For a port channel interface, enter the keywords port-channel then a number from 1 to 128.

– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port

information.

– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.

– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.

CONFIGURATION mode

ip ftp source-interface interface

• Configure a password. CONFIGURATION mode

ip ftp password password

• Enter a username to use on the FTP client. CONFIGURATION mode

ip ftp username name

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for

Enabling the FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The virtual terminal lines

(VTYs) connect you through Telnet to the system.

Denying and Permitting Access to a Terminal Line

Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.

• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.

Management

• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.

To apply an IP ACL to a line, Use the following command.

• Apply an ACL to a VTY line. LINE mode

ip access-class access-list

Example of an ACL that Permits Terminal Access

To view the configuration, use the show config command in LINE mode.

Dell(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 Dell(config-std-nacl)#line vty 0 Dell(config-line-vty)#show config line vty 0 access-class myvtyacl

Dell OS Behavior: Prior to Dell OS version 7.4.2.0, in order to deny access on a VTY line, apply an ACL and accounting, authentication, and authorization (AAA) to the line. Then users are denied access only after they enter a username and password. Beginning in Dell OS version 7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username and password.

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:

enable

line

local

none

radius

tacacs+

1. Configure an authentication method list. You may use a mnemonic name or use the default

keyword. The default authentication method for terminal lines is local and the default method list is empty.

CONFIGURATION mode

Prompt for the enable password.

Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the LINE mode.

Prompt for the system username and password.

Do not authenticate the user.

Prompt for a username and password and use a RADIUS server to authenticate.

Prompt for a username and password and use a TACACS+ server to authenticate.

password command from

Management

aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]

2. Apply the method list from Step 1 to a terminal line.

CONFIGURATION mode

3. If you used the line authentication method in the method list you applied to the terminal line,

configure a password for the terminal line. LINE mode

password

Example of Terminal Line Authentication

In the following example, VTY lines 0-2 use a single authentication method, line.

Dell(conf)#aaa authentication login myvtymethodlist line Dell(conf)#line vty 0 2 Dell(config-line-vty)#login authentication myvtymethodlist Dell(config-line-vty)#password myvtypassword Dell(config-line-vty)#show config line vty 0 password myvtypassword login authentication myvtymethodlist line vty 1 password myvtypassword login authentication myvtymethodlist line vty 2 password myvtypassword login authentication myvtymethodlist Dell(config-line-vty)#

Setting Time Out of EXEC Privilege Mode

EXEC time-out is a basic security feature that returns the Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands.

• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.

LINE mode

exec-timeout minutes [seconds]

• Return to the default time-out values. LINE mode

no exec-timeout

Example of Setting the Time Out Period for EXEC Privilege Mode

The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.

Dell(conf)#line con 0 Dell(config-line-console)#exec-timeout 0

Management

Dell(config-line-console)#show config line console 0 exec-timeout 0 0 Dell(config-line-console)#

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.

• Telnet to the stack-unit. You do not need to configure the management port on the stack-unit to be able to telnet to it.

EXEC Privilege mode

telnet-peer-stack-unit

• Telnet to a device with an IPv4 address. EXEC Privilege

telnet [ip-address]

If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one.

Enter an IPv4 address in dotted decimal format (A.B.C.D).

Example of the telnet Command for Device Access

Dell# telnet 10.11.80.203 Trying 10.11.80.203... Connected to 10.11.80.203. Exit character is '^]'. Login: Login: admin Password: Dell>exit Dell#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin Dell#

Lock CONFIGURATION Mode

The systems allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message

2).

You can set two types of locks: auto and manual.

• Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.

Management

• Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.

Viewing the Configuration Lock Status

If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.

You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.

Example of Locking CONFIGURATION Mode for Single-User Access

Dell(conf)#configuration mode exclusive auto BATMAN(conf)#exit 3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console

Dell#config ! Locks configuration mode exclusively. Dell(conf)#

If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive

configuration mode

If any user is already in CONFIGURATION mode when while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since

the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).

NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.

NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.

Recovering from a Forgotten Password

If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. Use the following commands if you forget your password.

1. Log onto the system using the console.

2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.

3. Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.

(during bootup)

hit any key

Management

4. Set the system parameters to ignore the startup configuration file when the system reloads.

uBoot mode

setenv stconfigignore true

5. To save the changes, use the saveenv command.

uBoot mode

saveenv

6. Reload the system.

uBoot mode

reset

7. Copy startup-config.bak to the running config.

EXEC Privilege mode

copy flash://startup-config.bak running-config

8. Remove all authentication statements you might have for the console.

LINE mode

no authentication login no password

9. Save the running-config.

EXEC Privilege mode

copy running-config startup-config

10. Set the system parameters to use the startup configuration file when the system reloads.

uBoot mode

setenv stconfigignore false

11. Save the running-config.

EXEC Privilege mode

copy running-config startup-config

Recovering from a Forgotten Enable Password

Use the following commands if you forget the enable password.

1. Log onto the system using the console.

2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.

3. Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.

(during bootup)

hit any key

4. Set the system parameters to ignore the enable password when the system reloads.

uBoot mode

setenv enablepwdignore true

5. Reload the system.

Management

uBoot mode

reset

6. Configure a new enable password.

CONFIGURATION mode

enable {secret | password}

7. Save the running-config to the startup-config.

EXEC Privilege mode

copy running-config startup-config

Recovering from a Failed Start

A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. Use the setenv command, as described in the following steps. For details about the setenv command, its supporting commands, and other commands that can help recover from a failed start, refer to the u-Boot chapter in the Dell Networking OS Command Line Reference Guide.

1. Power-cycle the chassis (pull the power cord and reinsert it).

2. Hit any key to abort the boot process. You enter uBoot immediately, the => prompt indicates

success. (during bootup)

press any key

3. Assign the new location to the Dell Networking OS image it uses when the system reloads.

uBoot mode

setenv [primary_image f10boot location | secondary_image f10boot location | default_image f10boot location]

4. Assign an IP address to the Management Ethernet interface.

uBoot mode

setenv ipaddre address

5. Assign an IP address as the default gateway for the system.

uBoot mode

setenv gatewayip address

6. Reload the system.

uBoot mode

reset

Management

802.1X

802.1X is a method of port security.

A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification.

802.1X employs extensible authentication protocol (EAP) to transfer a device’s credentials to an

authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-overRADIUS to communicate with the server.

NOTE: The Dell Networking operating system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.

The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.

802.1X

Figure 1. EAP Frames Encapsulated in Ethernet and RADUIS

802.1X

Figure 2. EAP Frames Encapsulated in Ethernet and RADUIS

The authentication process involves three devices:

• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.

• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.

• The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.

Ports can be in one of two states:

• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.

• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.

NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by default.

The Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:

1. When the authenticator senses a link state change, it requests that the supplicant identify itself using

an EAP Identity Request frame.

2. The supplicant responds with its identity in an EAP Response Identity frame.

802.1X

3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a

RADIUS Access-Request frame and forwards the frame to the authentication server.

4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame

requests that the supplicant prove that it is who it claims to be, using a specified method (an EAPMethod). The challenge is translated and forwarded to the supplicant by the authenticator.

5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant

provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.

6. If the identity information provided by the supplicant is valid, the authentication server sends an

Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.

Figure 3. EAP Port-Authentication

802.1X

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as

defined in RFC 3579.

EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.

Figure 4. EAP Over RADIUS

RADIUS Attributes for 802.1 Support

Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:

Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to

the supplicant.

Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.

Attribute 41 NAS-Port-Type: NAS-port physical port type. 5 indicates Ethernet.

Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of

users.

Configuring 802.1X

Configuring 802.1X on a port is a two-step process.

1. Enable 802.1X globally (refer to Enabling 802.1X).

2. Enable 802.1X on an interface (refer to Enabling 802.1X).

Related Configuration Tasks

• Configuring Request Identity Re-transmissions

• Forcibly Authorizing or Unauthorizing a Port

• Re-authenticating a Port

• Configuring Timeouts

• Configuring a Guest VLAN

• Configuring an Authentication-fail VLAN

802.1X

Important Points to Remember

• The Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.

• 802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X

Enable 802.1X globally and at a interface level.

Figure 5. 802.1X Enabled

1. Enable 802.1X globally.

CONFIGURATION mode

dot1x authentication

2. Enter INTERFACE mode on an interface or a range of interfaces.

INTERFACE mode

802.1X

interface [range]

3. Enable 802.1X on an interface or a range of interfaces.

INTERFACE mode

dot1x authentication

Example of Verifying that 802.1X is Enabled Globally

Example of Verifying 802.1X is Enabled on an Interface

Verify that 802.1X is enabled globally and at the interface level using the show running-config |

find dot1x

command from EXEC Privilege mode.

The bold lines show that 802.1X is enabled.

Dell#show running-config | find dot1x

dot1x authentication

output omitted]

[ ! interface GigabitEthernet 2/1 ip address 2.2.2.2/24 dot1x authentication no shutdown ! interface GigabitEthernet 2/2 ip address 1.0.0.1/24 dot1x authentication no shutdown

--More--

View 802.1X configuration information for an interface using the show dot1x interface command.

The bold lines show that 802.1X is enabled on all ports unauthorized by default.

Dell#show dot1x interface TenGigabitEthernet 2/1

802.1x information on Te 2/1:

-----------------------------

Dot1x Status: Enable

Port Control: AUTO

Port Auth Status: UNAUTHORIZED

Re-Authentication: Disable Untagged VLAN id: None Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE Mac-Auth-Bypass: Disable Mac-Auth-Bypass Only: Disable Tx Period: 30 seconds Quiet Period: 60 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 2 Host Mode: SINGLE_HOST

802.1X

Auth PAE State: Initialize Backend State: Initialize

Configuring Request Identity Re-Transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.

NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.

To configure re-transmissions, use the following commands.

• Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.

INTERFACE mode

dot1x tx-period number

The range is from 1 to 65535 (1 year)

The default is 30.

• Configure a maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode

dot1x max-eap-req number

The range is from 1 to 10.

The default is 2.

The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period.

NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval ( supplicant.

To configure a quiet period, use the following command.

• Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.

INTERFACE mode

dot1x quiet-period seconds

dot1x tx-period) is for an unresponsive

The range is from 1 to 65535.

802.1X

The default is 60 seconds.

Example of Configuring and Verifying Port Authentication

The following example shows configuration information for a port for which the authenticator retransmits an EAP Request Identity frame:

• after 90 seconds and a maximum of 10 times for an unresponsive supplicant

• re-transmits an EAP Request Identity frame

The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.

Dell(conf-if-range-Te-0/0)#dot1x tx-period 90 Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10 Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120 Dell#show dot1x interface TenGigabitEthernet 2/1

802.1x information on Te 2/1:

-----------------------------

Dot1x Status: Enable Port Control: AUTO Port Auth Status: UNAUTHORIZED

Re-Authentication: Disable

Untagged VLAN id: None Tx Period: 90 seconds

Quiet Period: 120 seconds

ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds

Max-EAP-Req: 10

Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.1X requires that a port can be manually placed into any of three states:

• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is same as disabling 802.1X on the port.

• ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.

• Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.

To set the port state, use the following command.

• Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. INTERFACE mode

dot1x port-control {force-authorized | force-unauthorized | auto}

The default state is auto.

802.1X

Example of Placing a Port in Force-Authorized State and Viewing the Configuration

The example shows configuration information for a port that has been force-authorized.

The bold line shows the new port-control state.

Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1

802.1x information on Gi 2/1:

-----------------------------

Dot1x Status: Enable

Port Control: FORCE_AUTHORIZED

Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST

Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.

To configure re-authentication time settings, use the following commands.

• Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode

dot1x reauthentication [interval] seconds

The range is from 1 to 65535.

The default is 3600.

• Configure the maximum number of times that the supplicant can be re-authenticated. INTERFACE mode

dot1x reauth-max number

The range is from 1 to 10.

The default is 2.

802.1X

Example of Re-Authenticating a Port and Verifying the Configuration

The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.

Dell(conf-if-gi-2/1)#dot1x reauthentication interval 7200 Dell(conf-if-gi-2/1)#dot1x reauth-max 10 Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1

802.1x information on Gi 2/1:

-----------------------------

Dot1x Status: Enable Port Control: FORCE_AUTHORIZED

Port Auth Status:UNAUTHORIZED

Re-Authentication: Enable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds

ReAuth Max: 10

Supplicant Timeout: 30 seconds Server Timeout: 30 seconds

Re-Auth Interval:7200 seconds

Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.

To terminate the authentication process, use the following commands.

• Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode

dot1x supplicant-timeout seconds

The range is from 1 to 300.

The default is 30.

• Terminate the authentication process due to an unresponsive authentication server. INTERFACE mode

dot1x server-timeout seconds

The range is from 1 to 300.

The default is 30.

Example of Viewing Configured Server Timeouts

The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.

802.1X

The bold lines show the new supplicant and server timeouts.

Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1

802.1x information on Gi 2/1:

-----------------------------

Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10

Supplicant Timeout: 15 seconds

Server Timeout: 15 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize

Enter the tasks the user should do after finishing this task (optional).

Configuring Dynamic VLAN Assignment with Port Authentication

The system supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:

1. The host sends a dot1x packet to the Dell Networking system

2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port

number

3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN

assignment using Tunnel-Private-Group-ID

The illustration shows the configuration on the Dell Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.

802.1X

Figure 6. Dynamic VLAN Assignment

1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations

(refer to the illustration in Dynamic VLAN Assignment with Port Authentication).

2. Make the interface a switchport so that it can be assigned to a VLAN.

3. Create the VLAN to which the interface will be assigned.

4. Connect the supplicant to the port configured for 802.1X.

5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in

Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell Networking system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.

NOTE: Ports cannot be dynamically assigned to the default VLAN.

If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able

802.1X

to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed access the network without compromising network security.

The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.

• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.

• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * txperiod), the system assumes that the host does not have 802.1X capability and the port is placed in the

Guest VLAN.

NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.

Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.

Example of Viewing Guest VLAN Configuration

Dell(conf-if-gi-1/2)#dot1x guest-vlan 200 Dell(conf-if-gi-1/2)#show config ! interface GigabitEthernet 1/2 switchport

dot1x guest-vlan 200

no shutdown Dell(conf-if-gi-1/2)#

Configuring an Authentication-Fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.

NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period

after a Failed Authentication

You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.

Configure a port to be placed in the VLAN after failing the authentication process as specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword command.

Example of Configuring Maximum Authentication Attempts Example of Viewing Configured Authentication

Dell(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-gi-1/2)#show config

max-attempts with this

802.1X

! interface GigabitEthernet 1/2 switchport dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-gi-1/2)#

View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode.

Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1

802.1x information on Gi 2/1:

-----------------------------

Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None

Guest VLAN: Enable Guest VLAN id: 200 Auth-Fail VLAN: Enable Auth-Fail VLAN id: 100 Auth-Fail Max-Attempts: 5

Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10 Supplicant Timeout: 15 seconds Server Timeout: 15 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize

802.1X

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements.

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

You can enable and configure the ACL CAM optimization functionality to minimize the number of entries in CAM while ACLs are applied on a VLAN or a set of VLANs, and also while ACLs are applied on a set of ports. This capability enables the effective usage of the CAM space when Layer 3 ACLs are applied to a set of VLANs and when Layer 2 or Layer 3 ACLs are applied on a set of ports.

In releases of Dell Networking OS that do not support the CAM optimization functionality, when an ACL is applied on a VLAN, the ACL rules are configured with the rule-specific parameters and the VLAN as additional attributes in the ACL region. When the ACL is applied on multiple VLAN interfaces, the consumption of the CAM space increases proportionally. For example, when an ACL with ‘n’ number of rules is applied on ‘m’ number of VLAN interfaces, a total of n*m entries are configured in the CAM region that is allocated for ACLs. Similarly, when an L2 or L3 ACL is applied on a set of ports, a large portion of the CAM space gets used because a port is saved as a parameter in CAM.

To avoid excessive consumption of the CAM space, configure ACL VLAN groups, which combine all the VLANs that are applied with the same ACL, into a single group. A class identifier (Class ID) is assigned for each of the ACLs attached to the VLAN and this Class ID is used as an identifier or locator in the CAM space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM area significantly and saves memory space by using the class ID as a filtering criterion in CAM instead of the VLAN ID.

You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and increased CAM space utilization occurs. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality.

The ACL manager application on router processor (RP1) contains all the state information about all the ACL VLAN groups that are present. The ACL handler on control processor (CP) and the ACL agent on line cards do not contain any stateful information about the group. The ACL manager application performs the validation after you enter the acl-vlan-group command. If the command is valid, it is processed and sent to the agent, if required. If a configuration error is found or if the maximum limit has exceeded for the ACL VLAN groups present on the system, an appropriate error message is displayed. The ACL manager application verifies the following parameters when you enter the

• Whether the CAM profile is set in VFP

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

acl-vlan-group command:

• Whether the maximum number of groups in the system has exceeded

• Whether the maximum number of VLAN numbers permitted per ACL group has exceeded

• When a VLAN member that is being added is already a part of another ACL group

After these verification steps are performed, the ACL manager considers the command as valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases:

• A VLAN member is added or removed from a group, and previously associated VLANs exist in the group.

• The egress ACL is applied or removed from the group and the group contains VLAN members. VLAN members are added or deleted from a VLAN, which itself is a group member.

• A line card returns to the active state after going down, and this line card contains a VLAN that is a member of an ACL group.

• The ACL VLAN group is deleted and it contains VLAN members.

The ACL manager does not notify the ACL agent in the following cases:

• The ACL VLAN group is created.

• The ACL VLAN group is deleted and it does not contain any VLAN members.

• The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.

• The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN groups

Keep the following points in mind when you configure ACL VLAN groups:

• The interfaces, to which the ACL VLAN group is applied, function as restricted interfaces. The ACL VLAN group name is used to identify the group of VLANs that is used to perform hierarchical filtering.

• You can add only one ACL to an interface at a time.

• When you attach an ACL VLAN group to the same interface, a validation is performed to determine whether an ACL is applied directly to an interface. If you previously applied an ACL separately to the interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.

• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.

• The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization) can be allocated virtual flow processing slices at a time.

• The maximum number of VLANs that you can configure as a member of ACL VLAN groups is limited to 512 on the MXL switch if two slices are allocated. If only one virtual flow processing slice is allocated, the maximum number of VLANs that you can configure as a member of an ACL VLAN group is 256 for the MXL switch.

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

• Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.

• You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL VLAN group capability. You can view the counters per ACL only using the show ip accounting access list command.

• Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.

• To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.

• If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby effectively saving CAM space. The optimization is enabled only if you specify the optimized option with the ip access-group command. This option is not valid for VLAN and LAG interfaces.

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters

This section describes how to optimize the utilization of CAM blocks by configuring ACL VLAN groups that you can attach to VLAN interfaces and also how to configure FP blocks for different VLAN operations.

Configuring ACL VLAN Groups

You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and increases the CAM space utilization. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality.

1. Create an ACL VLAN group

CONFIGURATION mode

acl-vlan-group {group name}

You can have up to eight different ACL VLAN groups at any given time.

2. Add a description to the ACL VLAN group.

CONFIGURATION (conf-acl-vl-grp) mode

description description

3. Apply an egress IP ACL to the ACL VLAN group.

CONFIGURATION (conf-acl-vl-grp) mode

ip access-group {group name} out implicit-permit

4. Add VLAN member(s) to an ACL VLAN group.

CONFIGURATION (conf-acl-vl-grp) mode

member vlan {VLAN-range}

5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

CONFIGURATION (conf-acl-vl-grp) mode

show acl-vlan-group {group name | detail}

Dell#show acl-vlan-group detail

Group Name : TestGroupSeventeenTwenty Egress IP Acl : SpecialAccessOnlyExpertsAllowed Vlan Members : 100,200,300

Group Name : CustomerNumberIdentificationEleven Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess Vlan Members : 2-10,99

Group Name : HostGroup Egress IP Acl : Group5 Vlan Members : 1,1000 Dell#

Configuring FP Blocks for VLAN Parameters

Use the cam-acl-vlan command to allocate the number of FP blocks for the various VLAN processes on the system. You can use the By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization.

1. Allocate the number of FP blocks for VLAN Open Flow operations.

CONFIGURATION mode

cam-acl-vlan vlanopenflow <0-2>

2. Allocate the number of FP blocks for VLAN iSCSI counters.

CONFIGURATION mode

cam-acl-vlan vlaniscsi <0-2>

3. Allocate the number of FP blocks for ACL VLAN optimization feature.

CONFIGURATION mode

cam-acl-vlan vlanaclopt <0-2>

4. View the number of flow processor (FP) blocks that is allocated for the different VLAN services.

EXEC Privilege mode

Dell#show cam-usage switch

Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============| ==============

no version of this command to reset the number of FP blocks to default.

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

11 | 0 | IN-L2 ACL | 7152 | 0 | 7152 | | IN-L2 FIB | 32768 | 1081 | 31687 | | OUT-L2 ACL | 0 | 0 | 0 11 | 1 | IN-L2 ACL | 7152 | 0 | 7152 | | IN-L2 FIB | 32768 | 1081 | 31687 | | OUT-L2 ACL | 0 | 0 | 0

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub- partitions) using the

Display Layer 2, Layer 3, ACL, or all CAM usage statistics. EXCE Privilege mode

show cam usage [acl | router | switch]

The following sample output shows the consumption of CAM blocks for Layer 2 and Layer 3 ACLs, in addition to other processes that use CAM space:

Dell#show cam-usage Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 1 | 0 | IN-L2 ACL | 1008 | 320 | 688 | | IN-L2 FIB | 32768 | 1132 | 31636 | | IN-L3 ACL | 12288 | 2 | 12286 | | IN-L3 FIB | 262141 | 14 | 262127 | | IN-L3-SysFlow | 2878 | 45 | 2833 | | IN-L3-TrcList | 1024 | 0 | 1024 | | IN-L3-McastFib | 9215 | 0 | 9215 | | IN-L3-Qos | 8192 | 0 | 8192 | | IN-L3-PBR | 1024 | 0 | 1024 | | IN-V6 ACL | 0 | 0 | 0 | | IN-V6 FIB | 0 | 0 | 0 | | IN-V6-SysFlow | 0 | 0 | 0 | | IN-V6-McastFib | 0 | 0 | 0 | | OUT-L2 ACL | 1024 | 0 | 1024 | | OUT-L3 ACL | 1024 | 0 | 1024 | | OUT-V6 ACL | 0 | 0 | 0 1 | 1 | IN-L2 ACL | 320 | 0 | 320 | | IN-L2 FIB | 32768 | 1136 | 31632 | | IN-L3 ACL | 12288 | 2 | 12286 | | IN-L3 FIB | 262141 | 14 | 262127 | | IN-L3-SysFlow | 2878 | 44 | 2834

--More--

show cam-usage command in EXEC Privilege mode

The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured:

Dell#show cam-usage acl Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============ 11 | 0 | IN-L2 ACL | 1008 | 0 | 1008 | | IN-L3 ACL | 12288 | 2 | 12286

100

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

Dell Force10 MXL Blade Configuration manual

Specifications and Main Features

Frequently Asked Questions

User Manual

About this Guide

Audience

Conventions

Information Symbols

Related Documents

Configuration Fundamentals

Accessing the Command Line

CLI Modes

Navigating CLI Modes

The do Command

Undoing Commands

Obtaining Help

Entering and Editing Commands

Command History

Filtering show Command Outputs

Multiple Users in Configuration Mode

Getting Started

Console Access

Serial Console

External Serial Port with a USB Connector

Accessing the CLI Interface and Running Scripts Using SSH

Entering CLI commands Using an SSH Connection

Executing Local CLI Scripts Using an SSH Connection

Boot Process

Default Configuration

Configuring a Host Name

Configuring a Host Name

Accessing the System Remotely

Accessing the MXL Switch Remotely

Configure the Management Port IP Address

Configure a Management Route

Configuring a Username and Password

Configuring the Enable Password

Configuration File Management

Copy Files to and from the System

Save the Running-Configuration

Viewing Files

Managing the File System

View the Command History

Using HTTP for File Transfers

Upgrading and Downgrading the Dell Networking OS

Using Hashes to Validate Software Images

Management

Configuring Privilege Levels

Creating a Custom Privilege Level

Customizing a Privilege Level

Applying a Privilege Level to a Username

Applying a Privilege Level to a Terminal Line

Configuring Logging

Audit and Security Logs

Configuring Logging Format

Setting Up a Secure Connection to a Syslog Server

Display the Logging Buffer and the Logging Configuration

Log Messages in the Internal Buffer

Configuration Task List for System Log Management

Disabling System Logging

Sending System Messages to a Syslog Server

Configuring a UNIX System as a Syslog Server

Changing System Logging Settings

Display the Logging Buffer and the Logging Configuration

Configuring a UNIX Logging Facility Level

Synchronizing Log Messages

Enabling Timestamp on Syslog Messages

File Transfer Services

Configuration Task List for File Transfer Services

Enabling the FTP Server

Configuring FTP Server Parameters

Configuring FTP Client Parameters

Terminal Lines

Denying and Permitting Access to a Terminal Line

Configuring Login Authentication for Terminal Lines

Setting Time Out of EXEC Privilege Mode

Using Telnet to get to Another Network Device

Lock CONFIGURATION Mode

Viewing the Configuration Lock Status

Recovering from a Forgotten Password