Dell Force10 Z9000 Addendum

Addendum for Dell Networking OS 9.3(0.0)
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2013 Dell Inc. All Rights Reserved.
Trademarks used in this text: Dell™, the Dell logo, Dell Boomi™, Dell Precision™, OptiPlex™, Latitude™, PowerEdge™, PowerVault™, PowerConnect™, OpenManage™, EqualLogic™, Compellent™, KACE™, FlexAddress™, Force10™, Venue™ and Vostro™ are trademarks of Dell Inc. Intel®, Pentium®, Xeon®, Core® and Celeron® are registered trademarks of Intel Corporation in the U.S. and other countries. AMD® is a registered trademark and AMD Opteron™, AMD Phenom™ and AMD Sempron™ are trademarks of Advanced Micro Devices, Inc. Microsoft®, Windows®, Windows Server®, Internet Explorer®, MS-DOS®, Windows Vista® and Active Directory® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Red Hat® and Red Hat® Enterprise Linux® are registered trademarks of Red Hat, Inc. in the United States and/or other countries. Novell® and SUSE® are registered trademarks of Novell Inc. in the United States and other countries. Oracle® is a registered trademark of Oracle Corporation and/or its affiliates. Citrix®, Xen®, XenServer® and XenMotion® are either registered trademarks or trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware®, vMotion®, vCenter®, vCenter SRM™ and vSphere® are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. IBM® is a registered trademark of International Business Machines Corporation.
2014 - 02
Rev. A00
Contents
1 About this Document.............................................................................................23
Audience..............................................................................................................................................23
Conventions........................................................................................................................................ 23
Related Documents............................................................................................................................ 24
2 802.1X on the MXL 10/40GbE Switch............................................................... 25
3 ACL VLAN Groups and Content Addressable Memory (CAM)..................... 27
Optimizing CAM Utilization During the Attachment of ACLs to VLANs........................................... 27
Guidelines for Configuring ACL VLAN groups...................................................................................28
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters..........................29
Configuring ACL VLAN Groups.....................................................................................................29
Configuring FP Blocks for VLAN Parameters............................................................................... 30
Viewing CAM Usage............................................................................................................................ 31
Allocating FP Blocks for VLAN Processes...........................................................................................32
member vlan........................................................................................................................................33
ip access-group.................................................................................................................................. 34
show acl-vlan-group ......................................................................................................................... 34
show cam-acl-vlan.............................................................................................................................36
cam-acl-vlan....................................................................................................................................... 37
show cam-usage................................................................................................................................ 38
show running config acl-vlan-group................................................................................................. 41
acl-vlan-group.....................................................................................................................................41
show acl-vlan-group detail................................................................................................................ 42
description (ACL VLAN Group)........................................................................................................... 43
4 Access Control Lists...............................................................................................45
Logging of ACL Processes..................................................................................................................45
Guidelines for Configuring ACL Logging...........................................................................................46
Configuring ACL Logging................................................................................................................... 47
deny (for Standard IP ACLs)................................................................................................................48
deny (for Extended IP ACLs)............................................................................................................... 49
seq (for Standard IPv4 ACLs).............................................................................................................. 50
deny tcp (for Extended IP ACLs)......................................................................................................... 51
deny udp (for Extended IP ACLs)........................................................................................................52
deny arp (for Extended MAC ACLs).................................................................................................... 53
deny icmp (for Extended IP ACLs)......................................................................................................54
deny ether-type (for Extended MAC ACLs)........................................................................................56
deny (for Standard MAC ACLs)............................................................................................................57
deny (for Extended MAC ACLs).......................................................................................................... 58
permit arp (for Extended MAC ACLs)................................................................................................. 59
permit ether-type (for Extended MAC ACLs).....................................................................................60
permit icmp (for Extended IP ACLs)....................................................................................................61
permit udp (for Extended IP ACLs)..................................................................................................... 62
permit (for Extended IP ACLs).............................................................................................................63
permit (for Standard MAC ACLs).........................................................................................................65
seq (for Standard MAC ACLs)............................................................................................................. 66
permit tcp (for Extended IP ACLs)...................................................................................................... 67
seq arp (for Extended MAC ACLs)...................................................................................................... 68
seq ether-type (for Extended MAC ACLs)..........................................................................................69
seq (for IP ACLs).................................................................................................................................. 70
seq (for IPv6 ACLs)...............................................................................................................................71
permit udp (for IPv6 ACLs)..................................................................................................................72
permit tcp (for IPv6 ACLs)................................................................................................................... 73
permit icmp (for IPv6 ACLs)................................................................................................................ 75
permit (for IPv6 ACLs)......................................................................................................................... 76
deny udp (for IPv6 ACLs).....................................................................................................................77
deny tcp (for IPv6 ACLs)......................................................................................................................78
deny icmp (for Extended IPv6 ACLs).................................................................................................. 79
deny (for IPv6 ACLs)............................................................................................................................80
Flow-Based Monitoring Support for ACLs......................................................................................... 81
Behavior of Flow-Based Monitoring.............................................................................................82
Enabling Flow-Based Monitoring.......................................................................................................84
5 Bare Metal Provisioning (BMP)............................................................................85
Support for BMP on the S6000 Switch..............................................................................................85
Enhanced Behavior of the stop bmp Command...............................................................................85
Removal of the Deprecated User-Defined String Parameter With reload-type Command............85
Inclusion of Service Tag Information in the Option 60 String.......................................................... 85
Replacement of stop jump-start Command With the stop bmp Command...................................86
6 Data Center Bridging (DCB).................................................................................87
Configuring DCB Maps and its Attributes.......................................................................................... 87
DCB Map: Configuration Procedure............................................................................................ 87
Important Points to Remember....................................................................................................88
Applying a DCB Map on a Port.....................................................................................................88
Configuring PFC without a DCB Map.......................................................................................... 89
Configuring Lossless Queues.......................................................................................................89
Data Center Bridging: Default Configuration.................................................................................... 90
Configuring PFC and ETS in a DCB Map............................................................................................ 91
PFC Configuration Notes.............................................................................................................. 91
PFC Prerequisites and Restrictions...............................................................................................92
ETS Configuration Notes.............................................................................................................. 92
ETS Prerequisites and Restrictions............................................................................................... 93
dcb-map..............................................................................................................................................94
S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator..................................... 94
priority-pgid.........................................................................................................................................95
S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator......................................95
pfc mode on........................................................................................................................................96
priority-group bandwidth pfc.............................................................................................................97
S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator......................................97
dcb-map stack-unit all stack-ports all...............................................................................................98
S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator..................................... 98
show qos dcb-map.............................................................................................................................99
S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator..................................... 99
Priority-Based Flow Control Using Dynamic Buffer Method..........................................................100
Pause and Resume of Traffic......................................................................................................100
Buffer Sizes for Lossless or PFC Packets....................................................................................100
Interworking of DCB Map With DCB Buffer Threshold Settings..................................................... 101
Configuring the Dynamic Buffer Method........................................................................................ 102
Applying a DCB Map in a Switch Stack ........................................................................................... 103
dcb pfc-shared-buffer-size..............................................................................................................103
S6000 S4810 S4820T MXL......................................................................................................... 103
dcb-buffer-threshold .......................................................................................................................104
S6000 S4810 S4820T MXL......................................................................................................... 104
priority................................................................................................................................................105
S6000 S4810 S4820T MXL......................................................................................................... 105
qos-policy-buffer..............................................................................................................................106
S6000 S4810 S4820T MXL......................................................................................................... 106
dcb-policy buffer-threshold (Interface Configuration)...................................................................108
S6000 S4810 S4820T MXL......................................................................................................... 108
dcb-policy dcb-buffer-threshold (Global Configuration)...............................................................109
S4810 S4820T MXL..................................................................................................................... 109
show qos dcb-buffer-threshold.......................................................................................................109
show hardware stack-unit buffer-stats-snapshot (With Polling and History)................................ 110
dcb pfc-total-buffer-size.................................................................................................................. 117
S6000........................................................................................................................................... 117
show running-config dcb-buffer-threshold.................................................................................... 117
dcb pfc-queues................................................................................................................................. 119
7 Egress Interface Selection (EIS) for HTTP and IGMP Applications........... 121
Protocol Separation...........................................................................................................................121
Enabling and Disabling Management Egress Interface Selection................................................... 122
Handling of Management Route Configuration.............................................................................. 123
Handling of Switch-Initiated Traffic................................................................................................. 124
Handling of Switch-Destined Traffic................................................................................................ 125
Handling of Transit Traffic (Traffic Separation)................................................................................ 125
Mapping of Management Applications and Traffic Type.................................................................126
Behavior of Various Applications for Switch-Initiated Traffic .........................................................127
Behavior of Various Applications for Switch-Destined Traffic ....................................................... 128
Interworking of EIS With Various Applications.................................................................................128
application (for HTTP and ICMP)......................................................................................................129
Z9000 S4810 S4820T................................................................................................................. 129
8 Flex Hash and Optimized Boot-Up...................................................................131
Flex Hash Capability Overview..........................................................................................................131
load-balance ingress-port enable....................................................................................................132
load-balance flexhash.......................................................................................................................132
Configuring the Flex Hash Mechanism............................................................................................ 134
Configuring Fast Boot and LACP Fast Switchover...........................................................................135
reload-type fastboot......................................................................................................................... 135
S6000...........................................................................................................................................135
lacp fast-switchover..........................................................................................................................136
S6000...........................................................................................................................................136
Optimizing the Boot Time................................................................................................................ 136
Booting Process When Optimized Boot Time Mechanism is Enabled..................................... 137
Guidelines for Configuring Optimized Booting Mechanism..................................................... 137
Interoperation of Applications with Fast Boot and System States.................................................. 138
LACP and IPv4 Routing............................................................................................................... 139
LACP and IPv6 Routing............................................................................................................... 139
BGP Graceful Restart.................................................................................................................. 140
Cold Boot Caused by Power Cycling the System..................................................................... 140
Unexpected Reload of the System.............................................................................................140
Software Upgrade....................................................................................................................... 140
LACP Fast Switchover..................................................................................................................141
Changes to BGP Multipath..........................................................................................................141
Minimized Connection Setup Time............................................................................................ 141
Faster Local Route Advertisements...........................................................................................141
Delayed Installation of ECMP Routes Into BGP......................................................................... 142
Changes for BGP Graceful Restart Processes............................................................................142
Operation of LACP...................................................................................................................... 142
Operation of FIB.......................................................................................................................... 143
RDMA Over Converged Ethernet (RoCE) Overview........................................................................ 143
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces............................................................. 144
encapsulation dot1q..........................................................................................................................145
9 Interfaces................................................................................................................ 147
Enabling the Management Address TLV on All Interfaces of an Aggregator..................................147
Enhanced Validation of Interface Ranges........................................................................................ 147
10 IPv4 Routing........................................................................................................ 149
IPv4 Path MTU Discovery Overview.................................................................................................149
Using the Configured Source IP Address in ICMP Messages..........................................................150
Configuring the ICMP Source Interface.....................................................................................150
Working of the Traceroute Utility...............................................................................................150
ip icmp source-interface...................................................................................................................151
ipv6 icmp source-interface...............................................................................................................152
Configuring the Duration to Establish a TCP Connection.............................................................. 154
ip tcp initial-time............................................................................................................................... 154
show ip tcp initial-time..................................................................................................................... 155
11 Link Aggregation Groups (LAGs)..................................................................... 157
Configuring the Minimum Number of Links to be Up for Uplink LAGs to be Active......................157
Optimizing Traffic Disruption Over LAG Interfaces On IOA Switches in VLT Mode...................... 158
Preserving LAG and Port Channel Settings in Nonvolatile Storage................................................ 158
Enabling the Verification of Member Links Utilization in a LAG Bundle......................................... 159
Monitoring the Member Links of a LAG Bundle...............................................................................159
show link-bundle-distribution port-channel...................................................................................160
Setting Up a Threshold for Utilization of High-Gigabit Port Channels........................................... 161
Guidelines for Configuring the Mechanism to Monitor High-Gigabit Port Channels..............162
Enabling the Verification of Member Links Utilization in a High-Gigabit Port Channel................ 163
hg-link-bundle-monitor...................................................................................................................164
hg-link-bundle-monitor trigger-threshold .....................................................................................165
hg-link-bundle-monitor rate-interval..............................................................................................165
show hg-link-bundle-distribution....................................................................................................166
snmp-server enable traps (for High-Gigabit Port Channel)............................................................ 167
show hardware stack-unit (for high-Gigabit Ethernet ports)..........................................................167
Z9000 ......................................................................................................................................... 168
clear hardware stack-unit (for high-Gigabit Ethernet ports).......................................................... 169
Z9000.......................................................................................................................................... 169
Viewing Buffer Utilization and Queue Statistics on High-Gigabit Ethernet Backplane Ports........170
12 Miscellaneous Settings...................................................................................... 173
Setting a Threshold for Switching to the SPT...................................................................................173
ip pim spt-threshold..........................................................................................................................173
S6000...........................................................................................................................................173
ip route bfd (for S6000).................................................................................................................... 174
S6000...........................................................................................................................................174
Configure BFD for Static Routes.......................................................................................................175
Related Configuration Tasks....................................................................................................... 175
Changing Static Route Session Parameters................................................................................175
Establishing Sessions for Static Routes.......................................................................................176
Disabling BFD for Static Routes.................................................................................................. 176
source (port monitoring for 40-Gigabit Ethernet)........................................................................... 177
13 Microsoft Network Load Balancing............................................................... 179
NLB Unicast Mode Scenario............................................................................................................. 179
NLB Multicast Mode Scenario.......................................................................................................... 180
Limitations With Enabling NLB on Switches.................................................................................... 180
Benefits and Working of Microsoft Clustering.................................................................................180
Enable and Disable VLAN Flooding .................................................................................................180
Configuring a Switch for NLB .......................................................................................................... 181
arp (for Multicast MAC Address)........................................................................................................181
mac-address-table static (for Multicast MAC Address)................................................................... 182
ip vlan-flooding.................................................................................................................................184
14 Quality of Service (QoS)....................................................................................185
Specifying Policy-Based Rate Shaping in Packets Per Second....................................................... 185
Configuring Policy-Based Rate Shaping..........................................................................................186
Configuring Weights and ECN for WRED ....................................................................................... 186
Global Service Pools With WRED and ECN Settings..................................................................187
Configuring WRED and ECN Attributes........................................................................................... 188
Classifying Layer 2 Traffic on Layer 3 Interfaces .............................................................................189
Managing Hardware Buffer Statistics......................................................................................... 190
Enabling Buffer Statistics Tracking ...................................................................................................191
Classifying Packets Based on a Combination of DSCP Code Points and VLAN IDs.......................191
rate shape.......................................................................................................................................... 192
S6000...........................................................................................................................................192
buffer-stats-snapshot....................................................................................................................... 194
S6000.......................................................................................................................................... 194
service-class buffer shared-threshold-weight................................................................................ 195
S6000 Z9000............................................................................................................................... 195
wred weight.......................................................................................................................................197
S6000 Z9000................................................................................................................................197
service-class wred.............................................................................................................................197
Z9000...........................................................................................................................................197
service-pool wred.............................................................................................................................199
S6000 Z9000............................................................................................................................... 199
service-class wred......................................................................................................................200
service-class wred ecn..................................................................................................................... 201
Z9000 ......................................................................................................................................... 201
show hardware stack-unit buffer.....................................................................................................202
show hardware stack-unit buffer-stats-snapshot ......................................................................... 204
show hardware stack-unit buffer-stats-snapshot (Total Buffer Information)............................... 206
15 Management Port Media Converter..............................................................209
Management Port Media Converter Components......................................................................... 209
Working of the Management Port Media Converter.......................................................................210
Online Insertion and Removal (OIR) of the Management Optic.....................................................212
16 Security for M I/O Aggregator.........................................................................215
aaa authentication enable.................................................................................................................215
aaa authentication login................................................................................................................... 216
access-class.......................................................................................................................................217
Authorization and Privilege Commands.......................................................................................... 218
banner exec.......................................................................................................................................218
banner login...................................................................................................................................... 219
banner motd..................................................................................................................................... 220
debug radius......................................................................................................................................221
debug tacacs+...................................................................................................................................221
enable secret..................................................................................................................................... 221
exec-banner......................................................................................................................................222
ip radius source-interface................................................................................................................ 223
ip tacacs source-interface................................................................................................................223
login authentication..........................................................................................................................224
motd-banner.....................................................................................................................................225
password-attributes..........................................................................................................................225
privilege level (CONFIGURATION mode).........................................................................................226
privilege level (LINE mode)............................................................................................................... 227
RADIUS Commands.......................................................................................................................... 227
radius-server deadtime.....................................................................................................................227
radius-server host.............................................................................................................................228
radius-server retransmit................................................................................................................... 229
radius-server timeout....................................................................................................................... 229
radius-server key.............................................................................................................................. 230
show privilege....................................................................................................................................231
Suppressing AAA Accounting for Null Username Sessions............................................................. 231
TACACS+ Commands.......................................................................................................................231
tacacs-server host.............................................................................................................................231
tacacs-server key..............................................................................................................................232
timeout login response.....................................................................................................................233
Understanding Banner Settings........................................................................................................233
AAA Authentication...........................................................................................................................234
Configuration Task List for AAA Authentication........................................................................ 234
RADIUS.............................................................................................................................................. 236
RADIUS Authentication and Authorization.................................................................................237
Configuration Task List for RADIUS............................................................................................238
TACACS+...........................................................................................................................................241
Configuration Task List for TACACS+........................................................................................ 241
TACACS+ Remote Authentication and Authorization...............................................................242
Command Authorization............................................................................................................244
Protection from TCP Tiny and Overlapping Fragment Attacks...................................................... 244
Enabling SCP and SSH......................................................................................................................244
Using SCP with SSH to Copy a Software Image........................................................................245
Secure Shell Authentication....................................................................................................... 246
Troubleshooting SSH..................................................................................................................248
Telnet................................................................................................................................................ 249
VTY Line and Access-Class Configuration...................................................................................... 249
VTY Line Local Authentication and Authorization.....................................................................249
VTY Line Remote Authentication and Authorization.................................................................250
VTY MAC-SA Filter Support.........................................................................................................251
17 Simple Network Management Protocol (SNMP)........................................ 253
SNMPv3 Compliance With FIPS........................................................................................................253
snmp-server user (for AES128-CFB Encryption)............................................................................. 254
Z-Series S4810 S4820T S6000 MXL I/O Aggregator................................................................ 254
18 Stacking.................................................................................................................257
Configuring the Uplink Speed of Interfaces as 40 Gigabit Ethernet...............................................257
stack-unit iom-mode uplink-speed.................................................................................................258
show system stack-unit iom-uplink-speed.....................................................................................259
stack-unit priority............................................................................................................................. 260
stack-unit renumber.........................................................................................................................260
19 Virtual Link Trunking (VLT).............................................................................. 263
Specifying VLT Nodes in a PVLAN....................................................................................................263
Association of VLTi as a Member of a PVLAN............................................................................264
MAC Synchronization for VLT Nodes in a PVLAN..................................................................... 264
PVLAN Operations When One VLT Peer is Down..................................................................... 265
PVLAN Operations When a VLT Peer is Restarted.....................................................................265
Interoperation of VLT Nodes in a PVLAN with ARP Requests...................................................265
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........265
Configuring a VLT VLAN or LAG in a PVLAN....................................................................................267
Creating a VLT LAG or a VLT VLAN............................................................................................ 267
Associating the VLT LAG or VLT VLAN in a PVLAN....................................................................268
show vlt private-vlan........................................................................................................................ 269
Proxy ARP Capability on VLT Peer Nodes........................................................................................270
Working of Proxy ARP for VLT Peer Nodes................................................................................270
VLT Nodes as Rendezvous Points for Multicast Resiliency..............................................................271
20 Documentation Updates..................................................................................273
Configuring the Commands Without a Separate User Account for the PMUX Mode of the I/O Aggregator.................................................. 277
21 Data Center Bridging (DCB).............................................................................279
advertise dcbx-appln-tlv...................................................................................................................279
advertise dcbx-tlv..............................................................................................................................279
bandwidth-percentage.................................................................................................................... 280
dcb-enable........................................................................................................................................ 281
dcb-input.......................................................................................................................................... 282
dcb-output........................................................................................................................................282
dcb-policy input............................................................................................................................... 283
dcb-policy input stack-unit stack-ports all.....................................................................................284
dcb-policy output.............................................................................................................................284
dcb-policy output stack-unit stack-ports all...................................................................................285
dcb stack-unit all pfc-buffering pfc-port-count pfc-queues........................................................ 286
dcb stack-unit pfc-buffering pfc-port-count pfc-queues............................................................. 287
dcbx port-role...................................................................................................................................287
dcbx version......................................................................................................................................288
debug dcbx....................................................................................................................................... 289
description........................................................................................................................................ 290
ets mode on......................................................................................................................................290
fcoe priority-bits................................................................................................................................291
iscsi priority-bits................................................................................................................................ 291
pfc link-delay.................................................................................................................................... 292
pfc mode on......................................................................................................................................292
pfc no-drop queues..........................................................................................................................293
pfc priority.........................................................................................................................................294
priority-group................................................................................................................................... 294
priority-group qos-policy.................................................................................................................295
priority-list.........................................................................................................................................296
qos-policy-output ets.......................................................................................................................297
scheduler...........................................................................................................................................297
set-pgid.............................................................................................................................................298
show dcb...........................................................................................................................................299
show interface dcbx detail............................................................................................................... 299
show interface ets............................................................................................................................ 302
show interface pfc............................................................................................................................305
show interface pfc statistics.............................................................................................................308
show qos dcb-input......................................................................................................................... 309
show qos dcb-output.......................................................................................................................309
show qos priority-groups................................................................................................................. 310
show stack-unit stack-ports ets details........................................................................................... 310
show stack-unit stack-ports pfc details........................................................................................... 311
22 FIP Snooping........................................................................................................313
clear fip-snooping database interface vlan......................................................................................313
clear fip-snooping statistics..............................................................................................................313
feature fip-snooping......................................................................................................................... 314
fip-snooping enable..........................................................................................................................314
fip-snooping fc-map.........................................................................................................................315
fip-snooping port-mode fcf............................................................................................................. 315
23 High Availability (HA)......................................................................................... 317
redundancy force-failover................................................................................................................ 317
Z9000 S4810 S4820T..................................................................................................................317
show redundancy..............................................................................................................................318
Z9000 S4810 S4820T................................................................................................................. 318
24 iSCSI Optimization.............................................................................................323
advertise dcbx-app-tlv......................................................................................................................323
iscsi aging time..................................................................................................................................323
iscsi cos............................................................................................................................................. 324
iscsi enable........................................................................................................................................ 325
iscsi priority-bits................................................................................................................................325
iscsi profile-compellant....................................................................................................................325
iscsi target port................................................................................................................................. 326
iSCSI Optimization Prerequisites......................................................................................................326
Configuring iSCSI Optimization....................................................................................................... 327
25 Interfaces..............................................................................................................331
Basic Interface Commands...............................................................................................................331
clear counters....................................................................................................................................331
description.........................................................................................................................................332
flowcontrol........................................................................................................................................333
interface.............................................................................................................................................335
interface ManagementEthernet....................................................................................................... 336
interface range.................................................................................................................................. 337
interface vlan.....................................................................................................................................339
keepalive........................................................................................................................................... 340
mtu....................................................................................................................................................340
negotiation auto................................................................................................................................341
portmode hybrid...............................................................................................................................343
stack-unit portmode.........................................................................................................................345
Port Channel Commands.................................................................................................................346
channel-member..............................................................................................................................346
interface port-channel..................................................................................................................... 348
minimum-links..................................................................................................................................349
26 Internet Group Management Protocol (IGMP)...........................................351
IGMP Commands.............................................................................................................................. 351
Important Points to Remember..................................................................................................351
ip igmp group-join-limit............................................................................................................. 351
ip igmp last-member-query-interval......................................................................................... 352
ip igmp querier-timeout............................................................................................................. 353
ip igmp query-interval................................................................................................................ 354
ip igmp query-max-resp-time................................................................................................... 354
ip igmp version............................................................................................................................355
IGMP Snooping Commands.............................................................................................................356
Important Points to Remember for IGMP Snooping.................................................................356
Important Points to Remember for IGMP Querier.................................................................... 356
ip igmp snooping enable............................................................................................................ 357
ip igmp snooping fast-leave.......................................................................................................358
ip igmp snooping last-member-query-interval.........................................................................359
ip igmp snooping mrouter..........................................................................................................359
ip igmp snooping querier............................................................................................................361
27 Layer 2...................................................................................................................363
MAC Addressing Commands........................................................................................................... 363
mac-address-table aging-time........................................................................................................363
mac-address-table static................................................................................................................. 364
mac-address-table station-move refresh-arp................................................................................ 364
28 Link Aggregation Control Protocol (LACP).................................................367
lacp long-timeout.............................................................................................................................367
lacp port-priority...............................................................................................................................367
port-channel mode.......................................................................................................................... 368
port-channel-protocol lacp.............................................................................................................369
Configuration Tasks for Port Channel Interfaces............................................................................369
Creating a Port Channel................................................................................................................... 370
Adding a Physical Interface to a Port Channel................................................................................ 370
Reassigning an Interface to a New Port Channel............................................................................372
Configuring the Minimum Oper Up Links in a Port Channel.......................................................... 373
Adding or Removing a Port Channel from a VLAN..........................................................................373
Configuring VLAN Tags for Member Interfaces.........................................................................374
Deleting or Disabling a Port Channel...............................................................................................374
29 Link Layer Discovery Protocol (LLDP)...........................................................375
advertise dot1-tlv...............................................................................................................................375
advertise dot3-tlv..............................................................................................................................376
advertise management-tlv................................................................................................................376
clear lldp counters.............................................................................................................................377
clear lldp neighbors...........................................................................................................................377
debug lldp interface..........................................................................................................................378
disable................................................................................................................................................379
hello...................................................................................................................................................379
mode.................................................................................................................................................380
multiplier........................................................................................................................................... 380
Configure LLDP................................................................................................................................. 381
Related Configuration Tasks.......................................................................................................381
Important Points to Remember..................................................................................................381
LLDP Compatibility......................................................................................................................381
CONFIGURATION versus INTERFACE Configurations.................................................................... 381
Enabling LLDP...................................................................................................................................382
Disabling and Undoing LLDP......................................................................................................382
Enabling LLDP on Management Ports............................................................................................. 383
Disabling and Undoing LLDP on Management Ports................................................................383
Advertising TLVs................................................................................................................................383
Viewing the LLDP Configuration......................................................................................................385
Viewing Information Advertised by Adjacent LLDP Agents.............................................................385
Configuring LLDPDU Intervals......................................................................................................... 386
Configuring Transmit and Receive Mode........................................................................................ 387
Configuring a Time to Live...............................................................................................................388
30 Quality of Service (QoS)...................................................................................389
Per-Port QoS Commands................................................................................................................389
dot1p-priority....................................................................................................................................389
rate shape..........................................................................................................................................390
service-class dynamic dot1p............................................................................................................390
service-class dot1p-mapping...........................................................................................................392
Z9000 S4810 S4820T.................................................................................................................392
service-class bandwidth-percentage.............................................................................................. 392
Policy-Based QoS Commands.........................................................................................................393
bandwidth-percentage.....................................................................................................................393
clear qos statistics.............................................................................................................................394
description........................................................................................................................................ 395
policy-aggregate...............................................................................................................................395
policy-map-output...........................................................................................................................396
qos-policy-output............................................................................................................................ 397
rate police..........................................................................................................................................397
rate shape..........................................................................................................................................398
service-policy output....................................................................................................................... 399
service-queue................................................................................................................................... 399
set......................................................................................................................................................400
show qos policy-map.......................................................................................................................401
show qos policy-map-output..........................................................................................................402
show qos qos-policy-output...........................................................................................................402
show qos statistics............................................................................................................................403
show qos wred-profile.....................................................................................................................404
wred.................................................................................................................................................. 405
wred-profile......................................................................................................................................406
31 reload-type.......................................................................................................... 407
Z9000 S4810 S4820T S6000...........................................................................................................407
32 Simple Network Management Protocol (SNMP) and Syslog...................411
SNMP Commands............................................................................................................................. 411
Important Points to Remember.................................................................................................. 411
snmp-server enable traps............................................................................................................411
snmp-server host........................................................................................................................ 413
Syslog Commands............................................................................................................................ 416
clear logging................................................................................................................................416
logging......................................................................................................................................... 417
logging buffered..........................................................................................................................418
logging console...........................................................................................................................419
logging monitor..........................................................................................................................420
logging source-interface............................................................................................................ 421
show logging...............................................................................................................................422
show logging driverlog stack-unit............................................................................................. 424
terminal monitor.........................................................................................................................424
33 Storm Control..................................................................................................... 427
Important Points to Remember....................................................................................................... 427
show storm-control unknown-unicast........................................................................................... 427
Z-Series S4810 S4820T S6000...................................................................................................427
storm-control broadcast (Configuration)........................................................................................428
Z-Series S4810 S4820T S6000.................................................................................................. 428
storm-control multicast (Configuration).........................................................................................429
Z-Series S4810 S4820T S6000................................................................................................... 429
storm-control broadcast (Interface)................................................................................................430
Z-Series S4810 S4820T S6000.................................................................................................. 430
34 Uplink Failure Detection (UFD).......................................................................433
clear ufd-disable............................................................................................................................... 433
S4810 S4820T............................................................................................................................. 433
debug uplink-state-group................................................................................................................434
S4810 S4820T.............................................................................................................................434
description........................................................................................................................................ 435
S4810 S4820T............................................................................................................................. 435
downstream......................................................................................................................................436
S4810 S4820T.............................................................................................................................436
downstream auto-recover............................................................................................................... 437
S4810 S4820T............................................................................................................................. 437
downstream disable links................................................................................................................. 438
S4810 S4820T.............................................................................................................................438
enable................................................................................................................................................439
S4810 S4820T.............................................................................................................................439
show running-config uplink-state-group....................................................................................... 439
S4810 S4820T.............................................................................................................................439
show uplink-state-group................................................................................................................. 440
S4810 S4820T.............................................................................................................................440
uplink-state-group........................................................................................................................... 442
S4810 S4820T.............................................................................................................................442
upstream........................................................................................................................................... 443
S4810 S4820T.............................................................................................................................443
35 Virtual Link Trunking (VLT)..............................................................................445
back-up destination..........................................................................................................................445
Z9000 S4810 S4820T.................................................................................................................445
clear vlt statistics...............................................................................................................................446
Z9000 S4810 S4820T.................................................................................................................446
delay-restore.....................................................................................................................................447
Z-Series S4810 S4820T.............................................................................................................. 447
lacp ungroup member-independent...............................................................................................448
Z-Series S4810 S4820T.............................................................................................................. 448
peer-link port-channel.....................................................................................................................449
Z-Series S4810 S4820T.............................................................................................................. 449
primary-priority.................................................................................................................................450
S4810 S4820T.............................................................................................................................450
show vlt mismatch............................................................................................................................ 451
Z9000 S4810 S4820T S6000..................................................................................................... 451
system-mac.......................................................................................................................................451
Z-Series S4810 S4820T...............................................................................................................451
unit-id................................................................................................................................................452
Z-Series S4810 S4820T.............................................................................................................. 452
vlt domain......................................................................................................................................... 453
Z-Series S4810 S4820T.............................................................................................................. 453
vlt-peer-lag port-channel................................................................................................................454
Z-Series S4810 S4820T.............................................................................................................. 454
Overview........................................................................................................................................... 454
VLT on Core Switches.................................................................................................................455
Enhanced VLT............................................................................................................................. 456
VLT Terminology.............................................................................................................................. 456
Configure Virtual Link Trunking........................................................................................................457
Important Points to Remember..................................................................................................457
Configuration Notes................................................................................................................... 458
Primary and Secondary VLT Peers..............................................................................................461
VLT Bandwidth Monitoring.........................................................................................................462
VLT and Stacking.........................................................................................................................462
VLT and IGMP Snooping.............................................................................................................462
VLT IPv6.......................................................................................................................................462
VLT Port Delayed Restoration.................................................................................................... 463
PIM-Sparse Mode Support on VLT.............................................................................................463
VLT Routing.................................................................................................................................465
Non-VLT ARP Sync..................................................................................................................... 467
Verifying a VLT Configuration.......................................................................................................... 467
Additional VLT Sample Configurations.............................................................................................471
Configuring Virtual Link Trunking (VLT Peer 1)
Configuring Virtual Link Trunking (VLT Peer 2)
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)...............471
Troubleshooting VLT........................................................................................................................ 473
FC Flex IO Modules..............................................................................................475
36 Understanding and Working of the FC Flex IO Modules......................... 477
FC Flex IO Modules Overview.......................................................................................................... 477
FC Flex IO Module Capabilities and Operations..............................................................................478
Guidelines for Working with FC Flex IO Modules............................................................................479
Port Numbering for FC Flex IO Modules................................................................................... 480
Installing the Optics.................................................................................................................... 481
Processing of Data Traffic.................................................................................................................481
Operation of the FIP Application................................................................................................ 481
Operation of the NPIV Proxy Gateway...................................................................................... 482
Installing and Configuring the Switch..............................................................................................482
Installing and Configuring Flowchart for FC Flex IO Modules..................................................483
Installation...................................................................................................................................484
Unpacking the Switch.................................................................................................................484
Interconnectivity of FC Flex IO Modules with Cisco MDS Switches.............................................. 485
37 Data Center Bridging (DCB) for FC Flex IO Modules.................................487
Interworking of DCB Map With DCB Buffer Threshold Settings.....................................................487
dcb-map..................................................................................................................................... 488
priority-pgid................................................................................................................................ 489
priority-group bandwidth pfc.................................................................................................... 490
dcb-map stack-unit all stack-ports all.......................................................................................491
show qos dcb-map.....................................................................................................................492
DCB Command................................................................................................................................ 493
dcb-enable..................................................................................................................................493
DCBX Commands.............................................................................................................................493
advertise dcbx-appln-tlv............................................................................................................ 494
advertise dcbx-tlv....................................................................................................................... 494
dcbx port-role.............................................................................................................................495
dcbx version................................................................................................................................496
debug dcbx................................................................................................................................. 496
fcoe priority-bits......................................................................................................................... 497
iscsi priority-bits..........................................................................................................................498
show interface dcbx detail......................................................................................................... 498
ETS Commands.................................................................................................................................501
bandwidth-percentage............................................................................................................... 501
clear ets counters....................................................................................................................... 502
dcb-map......................................................................................................................................502
dcb-output..................................................................................................................................503
dcb-policy output.......................................................................................................................504
dcb-policy output stack-unit stack-ports all............................................................................ 504
description...................................................................................................................................505
ets mode on................................................................................................................................ 505
priority-group............................................................................................................................. 506
priority-group bandwidth pfc.....................................................................................................507
priority-group qos-policy...........................................................................................................508
priority-list...................................................................................................................................509
qos-policy-output ets................................................................................................................ 509
scheduler..................................................................................................................................... 510
set-pgid........................................................................................................................................ 511
show interface ets........................................................................................................................511
show qos dcb-output..................................................................................................................515
show qos priority-groups............................................................................................................515
show stack-unit stack-ports ets details......................................................................................516
PFC Commands.................................................................................................................................517
clear pfc counters........................................................................................................................517
dcb stack-unit pfc-buffering pfc-port-count pfc-queues........................................................517
dcb-input.....................................................................................................................................518
dcb-policy input..........................................................................................................................519
dcb-policy input stack-unit stack-ports all............................................................................... 520
description.................................................................................................................................. 520
pfc link-delay............................................................................................................................... 521
pfc mode on................................................................................................................................ 521
pfc no-drop queues....................................................................................................................522
pfc priority................................................................................................................................... 523
show dcb..................................................................................................................................... 523
show interface pfc...................................................................................................................... 524
show interface pfc statistics........................................................................................................527
show qos dcb-input....................................................................................................................527
show stack-unit stack-ports pfc details.....................................................................................528
38 Data Center Bridging (DCB)............................................................................ 529
Ethernet Enhancements in Data Center Bridging........................................................................... 529
Priority-Based Flow Control.......................................................................................................530
Enhanced Transmission Selection..............................................................................................531
Configuring DCB Maps and its Attributes.................................................................................. 533
Data Center Bridging: Default Configuration............................................................................ 536
Configuring PFC and ETS in a DCB Map....................................................................................536
Applying a DCB Map in a Switch Stack...................................................................................... 539
Data Center Bridging Exchange Protocol (DCBx)..................................................................... 539
Data Center Bridging in a Traffic Flow.......................................................................................540
Enabling Data Center Bridging.........................................................................................................540
QoS dot1p Traffic Classification and Queue Assignment............................................................... 541
Configure Enhanced Transmission Selection..................................................................................542
ETS Operation with DCBx...........................................................................................................542
Configuring Bandwidth Allocation for DCBx CIN..................................................................... 543
Configure a DCBx Operation........................................................................................................... 544
DCBx Operation..........................................................................................................................544
DCBx Port Roles..........................................................................................................................544
DCB Configuration Exchange.................................................................................................... 546
Configuration Source Election...................................................................................................546
Propagation of DCB Information............................................................................................... 547
Auto-Detection and Manual Configuration of the DCBx Version............................................ 547
DCBx Example............................................................................................................................ 548
DCBx Prerequisites and Restrictions..........................................................................................548
Configuring DCBx.......................................................................................................................549
Verifying the DCB Configuration......................................................................................................553
PFC and ETS Configuration Examples.............................................................................................564
Using PFC and ETS to Manage Data Center Traffic........................................................................ 564
PFC and ETS Configuration Command Examples.................................................................... 566
Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack........................ 567
Hierarchical Scheduling in ETS Output Policies........................................................................ 567
39 Fibre Channel over Ethernet for FC Flex IO Modules...............................569
40 NPIV Proxy Gateway for FC Flex IO Modules..............................................571
dcb-map............................................................................................................................................ 571
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module............................. 571
description (for FCoE maps)............................................................................................................. 572
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................572
fabric..................................................................................................................................................572
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................572
fabric-id vlan..................................................................................................................................... 573
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................573
fcf-priority......................................................................................................................................... 574
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................574
fc-map...............................................................................................................................................575
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................575
fcoe priority-bits............................................................................................................................... 576
fcoe-map...........................................................................................................................................576
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................576
fka-adv-period.................................................................................................................................. 577
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................577
interface vlan (NPIV proxy gateway)................................................................................................ 578
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................578
keepalive............................................................................................................................................579
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................579
priority-group bandwidth pfc...........................................................................................................579
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................579
show fcoe-map.................................................................................................................................581
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................581
show npiv devices.............................................................................................................................583
M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.............................583
NPIV Proxy Gateway Configuration on FC Flex IO Modules ......................................................... 586
NPIV Proxy Gateway Operations and Capabilities.......................................................................... 586
NPIV Proxy Gateway Operation .................................................................................................587
NPIV Proxy Gateway: Protocol Services.................................................................................... 587
NPIV Proxy Gateway Functionality.............................................................................................588
NPIV Proxy Gateway: Terms and Definitions.............................................................................588
Configuring an NPIV Proxy Gateway...............................................................................................590
Enabling Fibre Channel Capability on the Switch..................................................................... 590
Creating a DCB map ..................................................................................................................590
Applying a DCB map on server-facing Ethernet ports .............................................................592
Creating an FCoE VLAN..............................................................................................................592
Creating an FCoE map ...............................................................................................................592
Applying an FCoE map on server-facing Ethernet ports...........................................................593
Applying an FCoE Map on fabric-facing FC ports.....................................................................594
Sample Configuration.................................................................................................................595
Displaying NPIV Proxy Gateway Information.................................................................................. 595
show interfaces status Command Example.............................................................................. 596
show fcoe-map Command Examples ...................................................................................... 597
show qos dcb-map Command Examples ................................................................................ 598
show npiv devices brief Command Example............................................................................ 598
show npiv devices Command Example ....................................................................................599
show fc switch Command Example .........................................................................................600
1

About this Document

This document describes the new functionalities and enhancements in Dell Networking OS Release 9.3.0.0. All of the behavioral changes and new features are covered in this single, consolidated Addendum. Use this document in conjunction with the hardware and software manuals of Release 9.2.0.0, which contain comprehensive information on the working and usage of the different platforms and their associated functionalities. You can obtain a copy of the latest Release 9.2.0.0 documents from the technical documentation website at http://www.dell.com/manuals
We are not publishing the entire documentation set for Release 9.3.0.0. Instead, this document presents the new and changed hardware and software processes for this release. It supplements the Release 9.2.0.0 set of documents and allows you to locate information in an easy, streamlined way.
For topics that highlight the syntax and usage of commands, only the parameters that have been introduced or modified since the previous release are included in this document. Newly introduced commands, however, are covered in depth. For a complete description of all commands that were present in Release 9.2.0.0 and have been enhanced or modified in Release 9.3.0.0, refer to the Command Line Reference Guide of the applicable platform.
For topics that provide a conceptual overview of new functionalities and configuration procedures, only the enhancements and changes implemented in Release 9.3.0.0 are described in this Addendum. For complete information about features that have only been enhanced, and are not newly introduced in this release, refer to the Release 9.2.0.0 Configuration Guide of the applicable platform.
NOTE: Although information that describes functionalities on the S4810 and S4820T platforms is included in this document, Dell Networking OS Release 9.3(0.0) is not supported on the S4810 and S4820T platforms.

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks, and assumes knowledge of Layer 2 and Layer 3 networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
Keyword Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter Parameters are in italics and require a number or word to be entered in the CLI.
{X} Keywords and parameters within braces must be entered in the CLI.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one option.
x||y Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell Networking S4810, S4820T, S6000, Z9000, MXL 10/40GbE Switch, and I/O Aggregator systems, refer to the following documents for each of the platforms:
FTOS Command Reference
Installing the System
Dell Quick Start Guide
FTOS Release Notes
2

802.1X on the MXL 10/40GbE Switch

In Dell Networking OS Release 9.3(0.0), the MXL 10/40GbE Switch supports 802.1X port authentication.
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is not allowed to send or receive packets on the network until its identity can be verified (through a username and password, for example). For details on the command syntax and keywords, refer to the 802.1X chapter of the MXL Command Reference Guide of Release 9.2(0.2). For a conceptual overview and step-by-step procedures to enable and configure 802.1X settings, refer to the 802.1X chapter of the MXL Configuration Guide of Release 9.2(0.2).
3

ACL VLAN Groups and Content Addressable Memory (CAM)

This chapter describes the ACL VLAN group and CAM enhancements, and contains the following sections:
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
Allocating FP Blocks for VLAN Processes

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
You can enable and configure the access control list (ACL) content addressable memory (CAM) optimization functionality to minimize the number of CAM entries consumed when ACLs are applied on a VLAN or a set of VLANs, and also when ACLs are applied on a set of ports. This capability enables effective usage of CAM space when Layer 3 ACLs are applied to a set of VLANs and when Layer 2 or Layer 3 ACLs are applied on a set of ports.
In releases of Dell Networking OS that do not support the CAM optimization functionality, when an ACL is applied on a VLAN, the rules of the ACL are programmed in the ACL region with the rule-specific parameters and the VLAN as an additional attribute. Therefore, when the ACL is applied on multiple VLAN interfaces, the consumption of CAM area increases proportionally. For example, when an ACL with n rules is applied on m VLAN interfaces, a total of (n*m) entries are programmed in the CAM region that is allocated for ACLs. Similarly, when a Layer 2 or Layer 3 ACL is applied on a set of ports, the same excessive usage of CAM area occurs because the port is stored in CAM as a qualifier.
To avoid this excessive consumption of CAM area, you can configure ACL VLAN groups that combine all the VLANs to which the same ACL is applied into a single group. A class identifier (Class ID) is assigned for each ACL attached to the VLAN group, and this Class ID is used as the identifier or locator in the CAM area instead of the VLAN ID. Using the Class ID rather than the VLAN ID as the filtering criterion in CAM significantly reduces the number of CAM entries and saves memory space.
You can create an ACL VLAN group and attach the ACL to the VLAN members. The optimization is applicable only when you create an ACL VLAN group. If you apply an ACL separately on each VLAN interface, each ACL has a mapping with the VLAN, and CAM space utilization increases. Attaching an ACL individually to VLAN interfaces behaves the same way as ACL-VLAN mapping storage in CAM did before the ACL VLAN group functionality was implemented.
The ACL manager application on the router processor (RP1) holds all the state information about the ACL VLAN groups present on the system. The ACL handler on the control processor (CP) and the ACL agent on the line cards do not hold any stateful information about the group. The ACL manager application performs all validation after you enter an acl-vlan-group command. If the command is valid, it is processed and sent to the agent if required. If a configuration error is found, or if the maximum number of ACL VLAN groups present on the system is exceeded, an appropriate error message is displayed. The ACL manager application checks the following when you enter an acl-vlan-group command:
Whether the CAM profile is set in VFP
Whether the maximum number of groups in the system is exceeded
Whether the maximum number of VLANs permitted per ACL group is exceeded
Whether a VLAN member that is being added is already part of another ACL group
After these verification steps are performed, the ACL manager considers the command valid and sends the information to the ACL agent on the line card as applicable. The ACL manager notifies the ACL agent in the following cases:
A VLAN member is added to or removed from a group, and previously associated VLANs exist in the group
An egress ACL is applied to or removed from a group, and the group contains VLAN members
VLAN members are added to or deleted from a VLAN that is itself a group member
A line card returns to the active state after going down, and this line card contains a VLAN that is a member of an ACL group
The ACL VLAN group is deleted and it contains VLAN members
The ACL manager does not notify the ACL agent in the following cases:
The ACL VLAN group is created.
The ACL VLAN group is deleted and it does not contain any VLAN members.
The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN groups

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
Keep the following points in mind when you configure ACL VLAN groups:
The interfaces to which the ACL VLAN group are applied function as restricted interfaces. The ACL VLAN group name is used to identify the group of VLANs that is used to perform hierarchical filtering.
You can add only one ACL to an interface at a point in time.
When you attempt to attach an ACL VLAN group to the same interface, a validation is performed to determine whether an ACL is applied directly to an interface. If you previously applied an ACL separately to the interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.
The limitation on the maximum number of members that can be part of an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, OpenFlow, ACL optimization) can be allocated virtual flow processing slices at a point in time.
The maximum number of VLANs that you can configure as members of ACL VLAN groups is limited to 512 on the S4810, Z9000, and MXL switches if two slices are allocated. If only one virtual flow processing slice is allocated, the maximum number of VLANs that you can configure as members of ACL VLAN groups is 256 for the S4810, Z9000, and MXL switches.
Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL VLAN group capability because this type of statistical information is available only for ACLs that are separately applied to VLANs. You can view the counters per ACL only.
Although you cannot display these counters for a specified interface name, you can display them for a particular ACL name using the show ip accounting access list command.
Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor entry is added. When you remove the ACL from a port, the port bitmap is removed.
If you do not attach an ACL to any of the ports, the flow processor entries are deleted. In this manner, when the same ACL is applied on set of ports, only one set of entries is installed in the flow processor (FP), thereby effectively saving CAM space. The optimization is enabled only if you specify the optimized option with the ip access-group command. This option is not valid for VLAN and LAG interfaces.
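The validation the ACL manager performs on acl-vlan-group commands, together with the scaling limits from the guidelines above and the member vlan range syntax, can be modelled in a few lines. The following is an added example written for this Addendum, not Dell Networking OS code: the group and member limits are constructor parameters whose defaults (31 groups, 256 members per allocated vlanaclopt slice) are taken from the guidelines above, and the rule that a VLAN may belong to only one group comes from the ACL manager checks. It also shows the n*m versus n CAM-entry count the chapter describes.

```python
"""Model of the ACL VLAN group checks described above (added example; not
Dell Networking OS code).  Limits are constructor parameters: the defaults of
31 groups and 256 VLAN members per allocated slice are assumptions taken from
the guidelines, and the 'a VLAN belongs to only one group' rule comes from
the ACL manager checks.  VLAN-range syntax follows member vlan ('3, 4, 5-10, 8')."""
from dataclasses import dataclass, field
from typing import Dict, Set


class AclVlanGroupError(ValueError):
    """Raised where the ACL manager would report a configuration error."""


def parse_vlan_range(spec: str) -> Set[int]:
    """Parse comma-separated IDs, ranges, or a mix into a set of VLAN IDs.
    Overlapping entries (8 inside 5-10) collapse into one set."""
    vlans: Set[int] = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                raise AclVlanGroupError(f"descending range {token!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(token))
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)
    if bad:
        raise AclVlanGroupError(f"VLAN IDs out of range 1-4094: {bad}")
    return vlans


def cam_entries(rules: int, vlans: int, grouped: bool) -> int:
    """CAM entries an ACL with `rules` rules consumes across `vlans` VLANs:
    n*m when applied per VLAN, n when the VLANs share one ACL VLAN group
    (the group's Class ID replaces the VLAN ID as the CAM qualifier)."""
    return rules if grouped else rules * vlans


@dataclass
class AclVlanGroupManager:
    """Holds the group state the ACL manager keeps on the RP and re-runs its
    validation for acl-vlan-group, member vlan and ip access-group."""
    slices: int = 0                 # vlanaclopt slices allocated with cam-acl-vlan (0-2)
    max_groups: int = 31            # assumption: figure from the guidelines above
    members_per_slice: int = 256    # assumption: 256 per slice, 512 with two slices
    groups: Dict[str, Set[int]] = field(default_factory=dict)
    egress_acl: Dict[str, str] = field(default_factory=dict)

    @property
    def max_members(self) -> int:
        return self.slices * self.members_per_slice

    def create_group(self, name: str) -> None:
        """acl-vlan-group <name>: needs an allocated slice and a free group ID."""
        if not 0 <= self.slices <= 2:
            raise AclVlanGroupError("vlanaclopt accepts 0-2 slices")
        if self.slices == 0:
            raise AclVlanGroupError("no vlanaclopt slice allocated; run cam-acl-vlan first")
        if name in self.groups:
            return  # re-entering an existing group's configuration mode
        if len(self.groups) >= self.max_groups:
            raise AclVlanGroupError(f"maximum of {self.max_groups} ACL VLAN groups exceeded")
        self.groups[name] = set()

    def add_members(self, name: str, spec: str) -> Set[int]:
        """member vlan <range>: reject VLANs that are already in another group
        and enforce the system-wide member limit for the allocated slices."""
        if name not in self.groups:
            raise AclVlanGroupError(f"no such ACL VLAN group {name!r}")
        new = parse_vlan_range(spec)
        for other, members in self.groups.items():
            clash = new & members
            if other != name and clash:
                raise AclVlanGroupError(f"VLAN(s) {sorted(clash)} already belong to {other!r}")
        merged = self.groups[name] | new
        total = sum(len(m) for g, m in self.groups.items() if g != name) + len(merged)
        if total > self.max_members:
            raise AclVlanGroupError(
                f"{total} members exceeds limit of {self.max_members} for {self.slices} slice(s)")
        self.groups[name] = merged
        return merged

    def apply_acl(self, name: str, acl: str, direction: str = "out") -> None:
        """ip access-group <acl> out: only an egress IP ACL is accepted on a group."""
        if direction != "out":
            raise AclVlanGroupError("only an egress (out) IP ACL can be applied to a group")
        self.egress_acl[name] = acl


if __name__ == "__main__":
    mgr = AclVlanGroupManager(slices=1)
    mgr.create_group("HostGroup")
    mgr.add_members("HostGroup", "1,1000")
    mgr.apply_acl("HostGroup", "Group5")
    print(sorted(mgr.groups["HostGroup"]), cam_entries(50, 12, False), cam_entries(50, 12, True))
```

The member limit is counted across all groups, as the guidelines state, rather than per group; the count is computed after merging the new range into the target group, so re-adding a VLAN that is already a member of the same group does not count twice.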

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters

This section contains the following topics that describe how to configure ACL VLAN groups that you can attach to VLAN interfaces to optimize the utilization of CAM blocks, and also how to configure flow processor (FP) blocks for different VLAN operations.
Configuring ACL VLAN Groups
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and increased CAM space utilization occurs. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality.
1. Create an ACL VLAN group
CONFIGURATION mode
acl-vlan-group {group name}
You can have up to eight different ACL VLAN groups at any given time.
2. Add a description to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Apply an egress IP ACL to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
ip access-group {group name} out implicit-permit
4. Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
5. Display all the ACL VLAN Groups or display a specific ACL VLAN Group, identified by name.
CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group name | detail}
Dell#show acl-vlan-group detail
Group Name    : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members  : 100,200,300

Group Name    : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members  : 2-10,99

Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
Dell#
Configuring FP Blocks for VLAN Parameters
You can use the cam-acl-vlan command to allocate the number of FP blocks for the various VLAN processes on the system. You can use the no version of this command to reset the number of FP blocks to default. By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization.
1. Allocate the number of FP blocks for VLAN Open Flow operations.
CONFIGURATION mode
cam-acl-vlan vlanopenflow <0-2>
2. Allocate the number of FP blocks for VLAN iSCSI counters.
CONFIGURATION mode
cam-acl-vlan vlaniscsi <0-2>
3. Allocate the number of FP blocks for ACL VLAN optimization feature.
CONFIGURATION mode
cam-acl-vlan vlanaclopt <0-2>
4. View the number of flow processor (FP) blocks that is allocated for the different VLAN services.
EXEC Privilege mode
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
   11   |   0    | IN-L2 ACL       |    7152     |       0     |     7152
        |        | IN-L2 FIB       |   32768     |    1081     |    31687
        |        | OUT-L2 ACL      |       0     |       0     |        0
   11   |   1    | IN-L2 ACL       |    7152     |       0     |     7152
        |        | IN-L2 FIB       |   32768     |    1081     |    31687
        |        | OUT-L2 ACL      |       0     |       0     |        0

Viewing CAM Usage

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privilege mode.
Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
EXEC Privilege mode
show cam-usage [acl | router | switch]
The following sample output shows the consumption of CAM blocks for Layer 2 and Layer 3 ACLs, in addition to other processes that use CAM space:
Dell#show cam-usage
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
   1    |   0    | IN-L2 ACL       |    1008     |     320     |      688
        |        | IN-L2 FIB       |   32768     |    1132     |    31636
        |        | IN-L3 ACL       |   12288     |       2     |    12286
        |        | IN-L3 FIB       |  262141     |      14     |   262127
        |        | IN-L3-SysFlow   |    2878     |      45     |     2833
        |        | IN-L3-TrcList   |    1024     |       0     |     1024
        |        | IN-L3-McastFib  |    9215     |       0     |     9215
        |        | IN-L3-Qos       |    8192     |       0     |     8192
        |        | IN-L3-PBR       |    1024     |       0     |     1024
        |        | IN-V6 ACL       |       0     |       0     |        0
        |        | IN-V6 FIB       |       0     |       0     |        0
        |        | IN-V6-SysFlow   |       0     |       0     |        0
        |        | IN-V6-McastFib  |       0     |       0     |        0
        |        | OUT-L2 ACL      |    1024     |       0     |     1024
        |        | OUT-L3 ACL      |    1024     |       0     |     1024
        |        | OUT-V6 ACL      |       0     |       0     |        0
   1    |   1    | IN-L2 ACL       |     320     |       0     |      320
        |        | IN-L2 FIB       |   32768     |    1136     |    31632
        |        | IN-L3 ACL       |   12288     |       2     |    12286
        |        | IN-L3 FIB       |  262141     |      14     |   262127
        |        | IN-L3-SysFlow   |    2878     |      44     |     2834
--More--
ACL VLAN Groups and Content Addressable Memory (CAM)
31
Page 32
The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured:
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|============
   11   |   0    | IN-L2 ACL       |    1008     |       0     |     1008
        |        | IN-L3 ACL       |   12288     |       2     |    12286
        |        | OUT-L2 ACL      |    1024     |       2     |     1022
        |        | OUT-L3 ACL      |    1024     |       0     |     1024
The following sample output displays the CAM space utilization for Layer 2 ACLs:
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
   11   |   0    | IN-L2 ACL       |    7152     |       0     |     7152
        |        | IN-L2 FIB       |   32768     |    1081     |    31687
        |        | OUT-L2 ACL      |       0     |       0     |        0
   11   |   1    | IN-L2 ACL       |    7152     |       0     |     7152
        |        | IN-L2 FIB       |   32768     |    1081     |    31687
        |        | OUT-L2 ACL      |       0     |       0     |        0
The following sample output displays the CAM space utilization for Layer 3 ACLs:
Dell#show cam-usage router
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
   11   |   0    | IN-L3 ACL       |    8192     |       3     |     8189
        |        | IN-L3 FIB       |  196607     |       1     |   196606
        |        | IN-L3-SysFlow   |    2878     |       0     |     2878
        |        | IN-L3-TrcList   |    1024     |       0     |     1024
        |        | IN-L3-McastFib  |    9215     |       0     |     9215
        |        | IN-L3-Qos       |    8192     |       0     |     8192
        |        | IN-L3-PBR       |    1024     |       0     |     1024
        |        | OUT-L3 ACL      |   16384     |       0     |    16384
   11   |   1    | IN-L3 ACL       |    8192     |       3     |     8189
        |        | IN-L3 FIB       |  196607     |       1     |   196606
        |        | IN-L3-SysFlow   |    2878     |       0     |     2878
        |        | IN-L3-TrcList   |    1024     |       0     |     1024
        |        | IN-L3-McastFib  |    9215     |       0     |     9215
        |        | IN-L3-Qos       |    8192     |       0     |     8192
        |        | IN-L3-PBR       |    1024     |       0     |     1024
        |        | OUT-L3 ACL      |   16384     |       0     |    16384
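Because ACL optimization only helps if the ACL partitions actually have headroom, operators typically collect show cam-usage output periodically and alert on partitions that are filling up. The following parser is an added example for this Addendum, not Dell Networking OS code: SAMPLE_OUTPUT is constructed in the same layout as the tables above (the Used CAM figures are made up, and the last row is deliberately inconsistent to exercise the sanity check), and the 80% alert threshold is an arbitrary choice.

```python
"""Parse the show cam-usage table and flag ACL partitions near exhaustion.
Added example, not Dell Networking OS code.  SAMPLE_OUTPUT is constructed in
the layout of the document's examples; the Used CAM values are made up and the
final row is intentionally inconsistent (total != used + available)."""
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_OUTPUT = """\
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|============
   11   |   0    | IN-L2 ACL       |    1008     |     900     |      108
        |        | IN-L3 ACL       |   12288     |       2     |    12286
        |        | OUT-L2 ACL      |    1024     |       2     |     1022
        |        | OUT-L3 ACL      |    1024     |       0     |     1024
   11   |   1    | IN-L2 ACL       |    1008     |       0     |     1008
        |        | IN-L3 ACL       |   12288     |   11000     |     1288
        |        | OUT-L2 ACL      |    1024     |       0     |     1024
        |        | OUT-L3 ACL      |    1024     |       0     |     1023
"""


class CamRow(NamedTuple):
    linecard: int
    portpipe: int
    partition: str
    total: int
    used: int
    available: int

    @property
    def utilization(self) -> float:
        """Fraction in use; a partition carved to 0 entries counts as empty."""
        return self.used / self.total if self.total else 0.0


def parse_cam_usage(text: str) -> List[CamRow]:
    """Turn the table into rows.  Linecard and Portpipe are printed only on
    the first row of each port pipe, so they are carried forward."""
    rows: List[CamRow] = []
    linecard = portpipe = None
    for line in text.splitlines():
        if "|" not in line or line.lstrip().startswith(("Linecard", "=")):
            continue  # prompt line, column header, or separator
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 6:
            raise ValueError(f"unexpected column count: {line!r}")
        lc, pp, partition, total, used, avail = cells
        if lc:
            linecard = int(lc)
        if pp:
            portpipe = int(pp)
        if linecard is None or portpipe is None:
            raise ValueError(f"continuation row before any Linecard/Portpipe: {line!r}")
        rows.append(CamRow(linecard, portpipe, partition, int(total), int(used), int(avail)))
    return rows


def inconsistent_rows(rows: List[CamRow]) -> List[CamRow]:
    """Rows whose Used + Available does not add up to Total (parse or platform bug)."""
    return [r for r in rows if r.used + r.available != r.total]


def partitions_over(rows: List[CamRow], threshold: float = 0.8) -> List[CamRow]:
    """Partitions at or above the utilization threshold, the ones worth alerting on."""
    return [r for r in rows if r.total and r.utilization >= threshold]


def acl_headroom(rows: List[CamRow]) -> Dict[Tuple[int, int], int]:
    """Free entries summed over the ACL partitions of each (linecard, portpipe)."""
    free: Dict[Tuple[int, int], int] = {}
    for r in rows:
        if "ACL" in r.partition:
            key = (r.linecard, r.portpipe)
            free[key] = free.get(key, 0) + r.available
    return free


if __name__ == "__main__":
    parsed = parse_cam_usage(SAMPLE_OUTPUT)
    for row in partitions_over(parsed):
        print(f"linecard {row.linecard} portpipe {row.portpipe} {row.partition}: "
              f"{row.utilization:.0%} used")
    for row in inconsistent_rows(parsed):
        print(f"inconsistent row: {row}")
    print(acl_headroom(parsed))
```

Feed it the captured output of show cam-usage, show cam-usage acl, show cam-usage router or show cam-usage switch; the parser only relies on the pipe-separated columns, not on column widths, so it copes with the slightly different separator lengths the examples above show.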

Allocating FP Blocks for VLAN Processes

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
The VLAN ContentAware Processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support the ACL CAM optimization functionality, the CAM carving feature is enhanced. A total of four VCAP groups are present, of which two are fixed groups and the other two are dynamic groups. Out of the two dynamic groups, you can allocate zero, one, or two FP blocks to iSCSI Counters, OpenFlow, and ACL Optimization.
You can configure only two of these features at a point in time.
To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlanopenflow <0-2> command.
To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command.
To allocate the number of FP blocks for the ACL VLAN optimization feature, use the cam-acl-vlan vlanaclopt <0-2> command.
You can use the no version of these commands to reset the number of FP blocks to default. By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization.
To display the number of FP blocks that is allocated for the different VLAN services, you can use the show cam-acl-vlan command. After CAM configuration for ACL VLAN groups is performed, you must reboot the system to enable the settings to be stored in nonvolatile storage. During the initialization of CAM, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.

member vlan

Add VLAN members to an ACL VLAN group.
Syntax member vlan {VLAN-range}
Parameters
VLAN-range Enter the member VLANs using comma-separated VLAN IDs, a range of VLAN IDs, a single VLAN ID, or a combination. For example:
Comma-separated: 3, 4, 6
Range: 5-10
Combination: 3, 4, 5-10, 8
Default None
Command Modes CONFIGURATION (conf-acl-vl-grp)
Command History Version 9.3.0.0 Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms
Usage Information At a maximum, there can be only 32 VLAN members in all ACL VLAN groups. A VLAN can belong to only one group at any given time.
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group. If you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and increased CAM space utilization occurs.
Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality.

ip access-group

Apply an egress IP ACL to the ACL VLAN group.
Syntax ip access-group {group-name} out implicit-permit
Parameters
group-name Enter the name of the ACL VLAN group where you want the egress IP ACLs applied, up to 140 characters.
out Enter the keyword out to apply the ACL to outgoing traffic.
implicit-permit Enter the keyword implicit-permit to change the default action of the ACL from implicit-deny to implicit-permit (that is, if the traffic does not match the filters in the ACL, the traffic is permitted instead of dropped).
Default None
Command Modes CONFIGURATION (conf-acl-vl-grp)
Command History Version 9.3.0.0 Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms
Usage Information You can apply only an egress IP ACL on an ACL VLAN group.

show acl-vlan-group

Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
Syntax show acl-vlan-group {group-name | detail}
Parameters
group-name (Optional) Display only the ACL VLAN group that is specified, up to 140 characters.
detail Display information in a line-by-line format to display the names in their entirety. Without the detail option, the output displays in a table style and information may be truncated.
Default No default behavior or values
Command Modes EXEC
EXEC Privilege
Command History Version 9.3.0.0 Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms
Usage Information When an ACL-VLAN-Group name or the Access List Group Name contains more than 30 characters, the name is truncated in the show acl-vlan-group command output.
Examples The following sample illustrates the output of the show acl-vlan-group command.
NOTE: Some group names and some access list names are truncated.
Dell#show acl-vlan-group
Group Name                Egress IP Acl             Vlan Members
TestGroupSeventeenTwenty  SpecialAccessOnlyExperts  100,200,300
CustomerNumberIdentifica  AnyEmployeeCustomerEleve  2-10,99
HostGroup                 Group5                    1,1000
Dell#
The following sample output is displayed when using the show acl-vlan-group group-name option.
NOTE: The access list name is truncated.
Dell#show acl-vlan-group TestGroupSeventeenTwenty
Group Name                Egress IP Acl             Vlan Members
TestGroupSeventeenTwenty  SpecialAccessOnlyExperts  100,200,300
Dell#
The following sample output shows the line-by-line style display when using the show acl-vlan-group detail option.
NOTE: No group or access list names are truncated.
Dell#show acl-vlan-group detail
Group Name    : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members  : 100,200,300

Group Name    : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members  : 2-10,99

Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
Dell#

show cam-acl-vlan

Display the number of flow processor (FP) blocks that is allocated for the different VLAN services.
Syntax show cam-acl-vlan
Command Modes EXEC Privilege
Command History Version 9.3.0.0 Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
Usage Information After CAM configuration for ACL VLAN groups is performed, you must reboot the system to enable the settings to be stored in nonvolatile storage. During the initialization of CAM, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
The following table describes the output fields of this show command:
Field Description
Chassis Vlan Cam ACL Details about the CAM blocks allocated for ACLs for various VLAN operations at a system-wide, global level.
Stack Unit <number> Details about the CAM blocks allocated for ACLs for various VLAN operations for a particular stack unit.
Current Settings(in block sizes) Information about the number of FP blocks that are currently in use or allocated.
VlanOpenFlow Number of FP blocks for VLAN open flow operations.
VlanIscsi Number of FP blocks for VLAN internet small computer system interface (iSCSI) counters.
VlanHp Number of FP blocks for VLAN high performance processes.
VlanFcoe Number of FP blocks for VLAN Fibre Channel over Ethernet (FCoE) operations.
VlanAclOpt Number of FP blocks for the ACL VLAN optimization feature.
Example
Dell#show cam-acl-vlan
-- Chassis Vlan Cam ACL --
   Current Settings(in block sizes)
       VlanOpenFlow : 0
       VlanIscsi    : 2
       VlanHp       : 1
       VlanFcoe     : 1
       VlanAclOpt   : 0
-- Stack unit 0 --
   Current Settings(in block sizes)
       VlanOpenFlow : 0
       VlanIscsi    : 2
       VlanHp       : 1
       VlanFcoe     : 1
       VlanAclOpt   : 0

cam-acl-vlan

Allocate the number of flow processor (FP) blocks or entries for VLAN services and processes.
Syntax cam-acl-vlan {default | vlanopenflow <0-2> | vlaniscsi <0-2> | vlanaclopt <0-2>}
Parameters
default Reset the number of FP blocks to default. By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization.
vlanopenflow <0-2> Allocate the number of FP blocks for VLAN open flow operations.
vlaniscsi <0-2> Allocate the number of FP blocks for VLAN iSCSI counters.
vlanaclopt <0-2> Allocate the number of FP blocks for the ACL VLAN optimization feature.
Default If you use the default keyword with the cam-acl-vlan command, the FP blocks allocated for VLAN processes are restored to their default values. No FP blocks or dynamic VLAN ContentAware Processor (VCAP) groups are allocated for VLAN operations by default.
Command Modes CONFIGURATION
Command History Version 9.3.0.0 Introduced on the S4810 and Z9000 platforms.
Usage Information The VLAN ContentAware Processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support the ACL CAM optimization functionality, the CAM carving feature is enhanced. A total of four VCAP groups are present, of which two are fixed groups and the other two are dynamic groups. Out of the two dynamic groups, you can allocate zero, one, or two flow processor (FP) blocks to iSCSI Counters, OpenFlow, and ACL Optimization. You can configure only two of these features at a point in time.

show cam-usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions).
Syntax           show cam-usage [acl | router | switch]
Parameters       acl     (OPTIONAL) Enter the keyword acl to display Layer 2 and Layer 3 ACL CAM usage.
                 router  (OPTIONAL) Enter the keyword router to display Layer 3 CAM usage.
                 switch  (OPTIONAL) Enter the keyword switch to display Layer 2 CAM usage.
Command Modes    EXEC
                 EXEC Privilege
Command History  Version 9.3.0.0  Introduced on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
Usage Information
The following regions must be provided in the show cam-usage output:
L3AclCam
L2AclCam
V6AclCam
The following table describes the output fields of this show command:
Field            Description
LineCard         Number of the line card that contains information on ACL VLAN groups.
Portpipe         The hardware path that packets follow through a system for ACL optimization.
CAM-Region       Type of area in the CAM block that is used for ACL VLAN groups.
Total CAM space  Total amount of space in the CAM block.
Used CAM         Amount of CAM space that is currently in use.
Available CAM    Amount of CAM space that is free and remaining to be allocated for ACLs.
Example 1: Output of the show cam-usage Command
Dell#show cam-usage
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM     |Available CAM
========|========|=================|=============|==============|==============
   1    |   0    | IN-L2 ACL       | 1008        | 320          | 688
        |        | IN-L2 FIB       | 32768       | 1132         | 31636
        |        | IN-L3 ACL       | 12288       | 2            | 12286
        |        | IN-L3 FIB       | 262141      | 14           | 262127
        |        | IN-L3-SysFlow   | 2878        | 45           | 2833
        |        | IN-L3-TrcList   | 1024        | 0            | 1024
        |        | IN-L3-McastFib  | 9215        | 0            | 9215
        |        | IN-L3-Qos       | 8192        | 0            | 8192
        |        | IN-L3-PBR       | 1024        | 0            | 1024
        |        | IN-V6 ACL       | 0           | 0            | 0
        |        | IN-V6 FIB       | 0           | 0            | 0
        |        | IN-V6-SysFlow   | 0           | 0            | 0
        |        | IN-V6-McastFib  | 0           | 0            | 0
        |        | OUT-L2 ACL      | 1024        | 0            | 1024
        |        | OUT-L3 ACL      | 1024        | 0            | 1024
        |        | OUT-V6 ACL      | 0           | 0            | 0
   1    |   1    | IN-L2 ACL       | 320         | 0            | 320
        |        | IN-L2 FIB       | 32768       | 1136         | 31632
        |        | IN-L3 ACL       | 12288       | 2            | 12286
        |        | IN-L3 FIB       | 262141      | 14           | 262127
        |        | IN-L3-SysFlow   | 2878        | 44           | 2834
--More--
Example 2: Output of the show cam-usage acl Command
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM     |Available CAM
========|========|=================|=============|==============|==============
  11    |   0    | IN-L2 ACL       | 1008        | 0            | 1008
        |        | IN-L3 ACL       | 12288       | 2            | 12286
        |        | OUT-L2 ACL      | 1024        | 2            | 1022
        |        | OUT-L3 ACL      | 1024        | 0            | 1024
Example 3: Output of the show cam-usage router Command
Dell#show cam-usage router
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM     |Available CAM
========|========|=================|=============|==============|==============
  11    |   0    | IN-L3 ACL       | 8192        | 3            | 8189
        |        | IN-L3 FIB       | 196607      | 1            | 196606
        |        | IN-L3-SysFlow   | 2878        | 0            | 2878
        |        | IN-L3-TrcList   | 1024        | 0            | 1024
        |        | IN-L3-McastFib  | 9215        | 0            | 9215
        |        | IN-L3-Qos       | 8192        | 0            | 8192
        |        | IN-L3-PBR       | 1024        | 0            | 1024
        |        | OUT-L3 ACL      | 16384       | 0            | 16384
  11    |   1    | IN-L3 ACL       | 8192        | 3            | 8189
        |        | IN-L3 FIB       | 196607      | 1            | 196606
        |        | IN-L3-SysFlow   | 2878        | 0            | 2878
        |        | IN-L3-TrcList   | 1024        | 0            | 1024
        |        | IN-L3-McastFib  | 9215        | 0            | 9215
        |        | IN-L3-Qos       | 8192        | 0            | 8192
        |        | IN-L3-PBR       | 1024        | 0            | 1024
        |        | OUT-L3 ACL      | 16384       | 0            | 16384
Example 4: Output of the show cam-usage switch Command
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM     |Available CAM
========|========|=================|=============|==============|==============
  11    |   0    | IN-L2 ACL       | 7152        | 0            | 7152
        |        | IN-L2 FIB       | 32768       | 1081         | 31687
        |        | OUT-L2 ACL      | 0           | 0            | 0
  11    |   1    | IN-L2 ACL       | 7152        | 0            | 7152
        |        | IN-L2 FIB       | 32768       | 1081         | 31687
        |        | OUT-L2 ACL      | 0           | 0            | 0
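ACL CAM partitions are a hard capacity limit: when an ingress ACL partition fills, new filters fail to program and the intended deny rules are silently absent. The script below is an added example for this page (not Dell Networking OS code) that parses the show cam-usage table into records and flags partitions above a utilization threshold, so the output can be polled from a monitoring job. It assumes the pipe-separated row layout shown in the examples above, where continuation rows leave the Linecard and Portpipe columns blank; the sample text is constructed from the documented show cam-usage acl example, with one row altered to exercise the alert.

```python
"""Parse `show cam-usage` output and flag CAM partitions nearing exhaustion.

Added example for this page; not Dell code. It assumes the row layout shown in
the documented show cam-usage examples (pipe-separated columns, Linecard and
Portpipe left blank on continuation rows).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the documented "show cam-usage acl" example.
# The last row is altered to show a nearly full partition (not live output).
SAMPLE_CAM_USAGE_ACL = """\
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM     |Available CAM
========|========|=================|=============|==============|==============
  11    |   0    | IN-L2 ACL       | 1008        | 0            | 1008
        |        | IN-L3 ACL       | 12288       | 2            | 12286
        |        | OUT-L2 ACL      | 1024        | 2            | 1022
        |        | OUT-L3 ACL      | 1024        | 0            | 1024
  11    |   1    | IN-L2 ACL       | 320         | 0            | 320
        |        | IN-L3 ACL       | 12288       | 12000        | 288
"""


@dataclass
class CamRow:
    linecard: int
    portpipe: int
    partition: str
    total: int
    used: int
    available: int

    @property
    def percent_used(self) -> float:
        # Partitions with Total CAM 0 (for example IN-V6 ACL when IPv6 is not
        # carved) are reported as 0% rather than dividing by zero.
        return 0.0 if self.total == 0 else 100.0 * self.used / self.total


def parse_cam_usage(text: str) -> List[CamRow]:
    rows: List[CamRow] = []
    linecard = portpipe = None
    for line in text.splitlines():
        # Skip the prompt, the column header and the ==== separator.
        if "|" not in line or line.startswith("=") or line.startswith("Linecard"):
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 6:
            continue
        # Continuation rows leave Linecard/Portpipe blank: carry the last values.
        if cols[0]:
            linecard = int(cols[0])
        if cols[1]:
            portpipe = int(cols[1])
        if linecard is None or portpipe is None:
            continue
        total, used, avail = (int(cols[i]) for i in (3, 4, 5))
        # Sanity check the device's own arithmetic before trusting the row.
        if total != used + avail:
            raise ValueError(f"inconsistent row: {line!r}")
        rows.append(CamRow(linecard, portpipe, cols[2], total, used, avail))
    return rows


def over_threshold(rows: List[CamRow], percent: float) -> List[Tuple[int, int, str, float]]:
    """Return (linecard, portpipe, partition, percent_used) for rows at or over `percent`."""
    return [(r.linecard, r.portpipe, r.partition, round(r.percent_used, 1))
            for r in rows if r.total and r.percent_used >= percent]


if __name__ == "__main__":
    for hit in over_threshold(parse_cam_usage(SAMPLE_CAM_USAGE_ACL), 80.0):
        print("CAM partition near exhaustion:", hit)
```

The total == used + available check is deliberate: a row that does not add up usually means the table was truncated by the --More-- pager, and a silently short reading is worse than an error.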

show running-config acl-vlan-group

Display the running configuration of all or a given ACL VLAN group.
Syntax           show running-config acl-vlan-group [group-name]
Parameters       group-name  Display only the ACL VLAN group that is specified. The maximum group name is 140 characters.
Default          None
Command Modes    EXEC
                 EXEC Privilege
Command History  Version 9.3.0.0  Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
Examples
The following sample output shows the line-by-line style display when using the show running-config acl-vlan-group option. Note that no group or access list names are truncated.
Dell#show running-config acl-vlan-group
!
acl-vlan-group group1
 description Acl Vlan Group1
 member vlan 1-10,400-410,500
 ip access-group acl1 out implicit-permit
!
acl-vlan-group group2
 member vlan 20
 ip access-group acl2 out
Dell#

Dell#show running-config acl-vlan-group group1
!
acl-vlan-group group1
 description Acl Vlan Group1
 member vlan 1-10,400-410,500
 ip access-group acl1 out implicit-permit
Dell#

acl-vlan-group

Create an ACL VLAN group.
Syntax           acl-vlan-group {group-name}
                 To remove an ACL VLAN group, use the no acl-vlan-group {group-name} command.
Parameters       group-name  Specify the name of the ACL VLAN group. The name can contain a maximum of 140 characters.
Default          No default behavior or values
Command Modes    CONFIGURATION
Command History  Version 9.3.0.0  Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
Usage Information
You can have up to eight different ACL VLAN groups at any given time. When you configure an ACL VLAN group, you enter ACL VLAN Group Configuration mode.
To avoid excessive consumption of CAM space, you can configure ACL VLAN groups that combine all the VLANs to which the same ACL is applied into a single group. A unique identifier for each ACL attached to the group is then used as the handle or locator in the CAM instead of the VLAN ID. This significantly reduces the number of entries in the CAM and saves CAM space.
You create an ACL VLAN group and attach the ACL to the VLAN members. The optimization applies only when you create an ACL VLAN group. If you apply an ACL separately on each VLAN interface, each ACL is mapped per VLAN and CAM utilization increases.
Attaching an ACL individually to VLAN interfaces behaves the same way as ACL-to-VLAN mapping storage in CAM did before the ACL VLAN group functionality was implemented.

show acl-vlan-group detail

Display all the ACL VLAN Groups or display a specific ACL VLAN Group by name. To display the names in their entirety, the output displays in a line-by-line format.
Syntax           show acl-vlan-group detail
Parameters       detail  Display information in a line-by-line format so that the names display in their entirety. Without the detail option, the output is displayed in a table style and information may be truncated.
Default          No default behavior or values
Command Modes    EXEC
                 EXEC Privilege
Command History  Version 9.3.0.0  Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
Usage Information
The output for this command displays in a line-by-line format. This allows the ACL VLAN group names (or the access list group names) to display in their entirety.
Examples
The following sample output shows the line-by-line style display when using the show acl-vlan-group detail option. Note that no group or access list names are truncated.
Dell#show acl-vlan-group detail
Group Name    : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members  : 100,200,300

Group Name    : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members  : 2-10,99

Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
Dell#

description (ACL VLAN Group)

Add a description to the ACL VLAN group.
Syntax           description description
Parameters       description  Enter a description to identify the ACL VLAN group (80 characters maximum).
Default          No default behavior or values
Command Modes    CONFIGURATION (conf-acl-vl-grp)
Command History  Version 9.3.0.0  Introduced on the S4810, S4820T, Z9000, I/O Aggregator, and MXL platforms.
Usage Information
Enter a description for each ACL VLAN group that you create, for effective and streamlined administration and logging.

4

Access Control Lists

This chapter describes the access control list (ACL) enhancements and contains the following sections:
Logging of ACL Processes

Logging of ACL Processes

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
To assist in streamlined, robust administration and management of traffic that traverses the device after being validated by the configured ACLs, you can enable the generation of logs for access control list (ACL) processes. Although you can configure ACLs with permit or deny filters to admit an incoming packet or disallow access to a particular user, you also need to monitor and examine the traffic that passes through the device. To evaluate network traffic that is subjected to ACLs, you can configure logs to be triggered for ACL operations. This functionality is primarily needed for network supervision and maintenance of the handled subscriber traffic.
If you enable logging for an ACL, then whenever a frame arriving at an interface to which that ACL is applied matches an ACL entry that has logging enabled, a log is generated with details about the ACL entry that matched the packet.
A packet flow through a network path is defined by the source and destination IP addresses, protocol, and ports. Because the source port of a new connection between the same two hosts usually differs, such a connection creates a new flow rather than reusing the existing one.
When you enable the generation of ACL log messages, depending on the volume of traffic, a large number of logs might be generated, which can impact system performance and efficiency. To avoid a storm of ACL logs, you can configure rate limiting to safeguard the system. You can specify the interval or frequency at which ACL logs are triggered and also the threshold, the maximum number of logs to be generated in that interval. If you do not specify the interval, a default of 5 minutes is used. If you do not specify the threshold, a default of 10 is used, where this value is the number of packets that are matched against an ACL entry and logged.
A Layer 2 or Layer 3 ACL contains a set of defined rules that are saved as flow processor (FP) entries. When you enable ACL logging for a particular ACL rule, the ACL rules translate to a set of FP entries. You can enable logging for each of these FP entries separately, which corresponds to each of the ACL entries configured in the ACL. For each ACL entry, the Dell Networking OS saves a table that maps the ACL entry matching the received packet to the ACL name, the sequence number of the rule, and the interface index in the database. When the configured maximum threshold is exceeded, generation of logs is stopped. When the configured logging interval expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped because the threshold was exceeded, it is re-enabled for the new interval.
The ACL application sends the ACL logging configuration and other details, such as the action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log records and records the following attributes per log message.
For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, EtherType, and ingress interface are logged.
For IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and destination IP addresses, and the transport layer protocol are logged.
For IP packets whose transport layer protocol is Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and destination IP addresses, and the source and destination ports (the Layer 4 parameters) are also recorded.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these parameters are saved as Unknown in the log message. If you also enable the packet count for the ACL entry for which you configured logging, and logging is deactivated during an interval because the threshold was exceeded, the number of packets that exceeded the logging threshold during that interval is logged with the next log record generated for that ACL entry in a later interval.
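The threshold and interval semantics above matter when ACL logs feed a SIEM: a scanner can exhaust the per-entry log budget in the first seconds of an interval, after which matches are counted but not logged until the next interval. The following simulation is an added example for this page, not Dell Networking OS code. It models only what the text states: up to threshold-in-msgs records per interval (defaults 10 and 5 minutes), generation stops for the rest of the interval once the threshold is reached, the counter restarts at zero in the next interval, and the number of matches that went unlogged is carried into the next record for that entry. The interval is assumed to start at the entry's first match, and the record fields and interface names are illustrative assumptions.

```python
"""Simulate the documented ACL log rate limiting (threshold-in-msgs per interval).

Added example for this page, not Dell Networking OS code. Assumptions: the
interval timer starts at the entry's first match, the record layout is ours,
and one (ACL, sequence number, interface) tuple is one logged entry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclLogRecord:
    acl_name: str
    seq: int
    action: str
    interface: str
    time: float                 # seconds since start (assumed clock)
    suppressed_previously: int  # matches not logged since the previous record


@dataclass
class _EntryState:
    interval_start: float
    logged_this_interval: int = 0
    suppressed: int = 0


class AclLogLimiter:
    def __init__(self, threshold: int = 10, interval_minutes: int = 5):
        # Ranges as documented: threshold 1-100 messages, interval 1-10 minutes.
        if not 1 <= threshold <= 100:
            raise ValueError("threshold-in-msgs must be 1-100")
        if not 1 <= interval_minutes <= 10:
            raise ValueError("interval must be 1-10 minutes")
        self.threshold = threshold
        self.interval = interval_minutes * 60.0
        self._state: Dict[Tuple[str, int, str], _EntryState] = {}

    def match(self, acl_name: str, seq: int, action: str,
              interface: str, now: float) -> Optional[AclLogRecord]:
        """Record one ACL hit; return a log record or None if suppressed."""
        key = (acl_name, seq, interface)   # one match index per entry per interface
        st = self._state.setdefault(key, _EntryState(interval_start=now))
        if now - st.interval_start >= self.interval:
            # Fresh interval: the packet count restarts at zero and logging
            # is re-enabled. Suppressed matches are kept for the next record.
            st.interval_start = now
            st.logged_this_interval = 0
        if st.logged_this_interval >= self.threshold:
            st.suppressed += 1                 # threshold reached: count, don't log
            return None
        st.logged_this_interval += 1
        rec = AclLogRecord(acl_name, seq, action, interface, now, st.suppressed)
        st.suppressed = 0                      # carried count has now been reported
        return rec


def run_burst(limiter: AclLogLimiter, n_packets: int, start: float,
              spacing: float = 1.0) -> List[AclLogRecord]:
    """Feed n_packets hits on one deny entry (constructed input); return emitted records."""
    recs = [limiter.match("acl1", 10, "deny", "Te 0/1", start + i * spacing)
            for i in range(n_packets)]
    return [r for r in recs if r is not None]


if __name__ == "__main__":
    lim = AclLogLimiter()                       # defaults: 10 msgs per 5 minutes
    burst = run_burst(lim, 25, start=0.0)       # 25 hits inside one interval
    later = run_burst(lim, 3, start=300.0)      # next interval
    print(len(burst), "records logged,", later[0].suppressed_previously, "carried over")
```

Reading the simulation the way an analyst would: fifteen of the twenty-five hits in the first interval leave no individual record, so alerting should key on the carried-over count in the next record rather than on record volume alone.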

Guidelines for Configuring ACL Logging

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
Keep the following points in mind when you configure logging of ACL activities:
During initialization, the ACL logging application tags the ACL rule indices for which a match condition exists as in use, which ensures that the same rule indices are not reused by ACL logging.
The ACL configuration information that the ACL logging application receives from the ACL manager drives the allocation and release of match rule numbers. A unique match rule number is created for each combination of ACL entry, sequence number, and interface.
The ACL logging application keeps a separate set of match indices for the permit and deny actions. Depending on the action of an ACL entry, the match index is allocated from the set maintained for that action.
The maximum number of ACL entries with the permit action that can be logged is 125. The maximum number of ACL entries with the deny action that can be logged is 126.
For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry that was enabled for logging is deleted, its match rule number is released back to the pool of match indices so that it can be reused for subsequent allocations.
The ACL logging application saves the allocated match rule number in the ACL entry itself so that it can be reused when the ACL entry is reprogrammed because of CAM changes.
The allocated match rule number for an ACL entry is associated with an FP entry and saved in the system. A timer starts when an FP entry with the logging option is added to the system or CPU, and stops when the ACL entry is deleted. The ACL logger module obtains the ACL name, sequence number, and interface index from the match rule index carried in the packet.
A maximum of 15 ACL log records can be held in the space allocated for ACL logging.
A 30-second timer is present in the ACL agent module; when it expires, the log records collected until then are transmitted to the ACL manager for logging. The ACL agent sends an inter-process communication (IPC) message to the ACL manager when 15 records have been collected or the 30-second timer has expired, whichever comes first.
If you enabled the packet count for the ACL entry for which you configured logging, and logging is deactivated during an interval because the threshold was exceeded, the number of packets that exceeded the logging threshold during that interval is logged with the next log record generated for that ACL entry in a later interval.
When you delete an ACL entry, the logging settings associated with it are also removed.
ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.
For ACL entries applied on port-channel interfaces, one match index is assigned for every member interface of the port channel, so a single logged entry on a port channel consumes as many indices as the port channel has members. The total of 251 available match indices is split into 125 match indices for the permit action and 126 for the deny action.
You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
The total number of unique match rule indices is 255; four match indices are used by other modules, leaving 251 indices available for ACL logging.

Configuring ACL Logging

This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
To configure the maximum number of ACL log messages to be generated and the frequency at which these messages must be generated, perform the following:
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4, IPv6, and standard and extended MAC ACLs.
1. Specify the maximum number of ACL logs (the threshold) that can be generated in an interval by using the threshold-in-msgs count option with the seq, permit, or deny commands. Once the threshold is exceeded, the generation of ACL logs stops for the rest of the interval. You can enter a threshold in the range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
   CONFIG-STD-NACL mode
   seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] [log [threshold-in-msgs count]]
2. Specify the interval in minutes at which ACL logs are generated. You can enter an interval in the range of 1-10 minutes. The default interval is 5 minutes. If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval elapses. ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
   CONFIG-STD-NACL mode
   seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] [log [interval minutes]]

deny (for Standard IP ACLs)

To drop packets with a certain IP address, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all the keywords and variables that are available with this command, refer to the Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax           deny {source [mask] | any | host ip-address} [count [byte]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
                 To remove this filter, you have two choices:
                 Use the no seq sequence-number command if you know the filter's sequence number.
                 Use the no deny {source [mask] | any | host ip-address} command.
Parameters       log                      (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
                 threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated in an interval; once it is exceeded, the generation of ACL logs stops. You can enter a threshold in the range of 1-100.
                 interval minutes         (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs are generated. You can enter an interval in the range of 1-10 minutes.
Defaults         By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes    CONFIGURATION-STANDARD-ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the configured logging interval expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped because the threshold was exceeded, it is re-enabled for the new interval.
ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
ip access-list standard — configures a standard ACL.
permit — configures a permit filter.

deny (for Extended IP ACLs)

Configure a filter that drops IP packets meeting the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all the keywords and variables that are available with this command, refer to the Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax           deny {ip | ip-protocol-number} {source mask | any | host ip-address} {destination mask | any | host ip-address} [count [byte]] [dscp value] [order] [monitor] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
                 To remove this filter, you have two choices:
                 Use the no seq sequence-number command if you know the filter's sequence number.
                 Use the no deny {ip | ip-protocol-number} {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters       log                      (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
                 threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated in an interval; once it is exceeded, the generation of ACL logs stops. You can enter a threshold in the range of 1-100.
                 interval minutes         (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs are generated. You can enter an interval in the range of 1-10 minutes.
Defaults         By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes    CONFIGURATION-EXTENDED-ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the configured logging interval expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped because the threshold was exceeded, it is re-enabled for the new interval.
ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny tcp — assigns a filter to deny TCP packets.
deny udp — assigns a filter to deny UDP packets.
ip access-list extended — creates an extended ACL.

seq (for Standard IPv4 ACLs)

Assign a sequence number to a deny or permit filter in an IP access list while creating the filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all the keywords and variables that are available with this command, refer to the Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax           seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [bytes]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
                 To delete a filter, use the no seq sequence-number command.
Parameters       log                      (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
                 threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated in an interval; once it is exceeded, the generation of ACL logs stops. You can enter a threshold in the range of 1-100.
                 interval minutes         (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs are generated. You can enter an interval in the range of 1-10 minutes.
Defaults         By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes    CONFIGURATION-STANDARD-ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the configured logging interval expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped because the threshold was exceeded, it is re-enabled for the new interval.
ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny — configures a filter to drop packets.
permit — configures a filter to forward packets.

deny tcp (for Extended IP ACLs)

Configure a filter that drops transmission control protocol (TCP) packets meeting the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all the keywords and variables that are available with this command, refer to the Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax           deny tcp {source mask | any | host ip-address} [bit] [operator port [port]] {destination mask | any | host ip-address} [dscp] [bit] [operator port [port]] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
                 To remove this filter, you have two choices:
                 Use the no seq sequence-number command if you know the filter's sequence number.
                 Use the no deny tcp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters       log                      (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
                 threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated in an interval; once it is exceeded, the generation of ACL logs stops. You can enter a threshold in the range of 1-100.
                 interval minutes         (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs are generated. You can enter an interval in the range of 1-10 minutes.
Defaults         By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes    CONFIGURATION-EXTENDED-ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the configured logging interval expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped because the threshold was exceeded, it is re-enabled for the new interval.
ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny — assigns a filter to deny IP traffic.
deny udp — assigns a filter to deny UDP traffic.

deny udp (for Extended IP ACLs)

To drop user datagram protocol (UDP) packets meeting the filter criteria, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
deny udp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [dscp] [operator port [port]] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny udp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny — assigns a filter to deny IP traffic.
deny tcp — assigns a filter to deny TCP traffic.
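The threshold and interval semantics are the same for every logging entry in this section. The following is an added Python model (not Dell's code) that shows how many messages a burst of matching packets actually produces under those rules; it assumes, as the page does not say, that the first interval timer starts at time 0 when the filter is configured.

```python
"""Model of the per-filter ACL log rate limiter described in these entries.

Added example, not Dell's code. It reproduces the documented semantics of
``log [interval minutes] [threshold-in-msgs count]``: at most ``count`` log
messages per interval, logging stops once the threshold is reached, and the
next interval starts a fresh timer with the packet count reset to zero.
Assumption (not stated on the page): the first interval timer starts when the
filter is configured, taken here as time 0, and all times are in minutes.
"""
import math
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

DEFAULT_THRESHOLD = 10      # "By default, 10 ACL logs are generated ..."
DEFAULT_INTERVAL_MIN = 5    # "... default frequency ... is 5 minutes"


def validate_log_options(threshold: int, interval_min: int) -> None:
    """Reject values outside the documented CLI ranges (1-100 and 1-10)."""
    if not 1 <= threshold <= 100:
        raise ValueError(f"threshold-in-msgs must be 1-100, got {threshold}")
    if not 1 <= interval_min <= 10:
        raise ValueError(f"interval must be 1-10 minutes, got {interval_min}")


@dataclass
class AclLogLimiter:
    """Rate limiter state for one ACL filter carrying the ``log`` keyword."""
    threshold: int = DEFAULT_THRESHOLD
    interval_min: int = DEFAULT_INTERVAL_MIN
    window_start: float = field(default=0.0, init=False)
    logged_in_window: int = field(default=0, init=False)
    suppressed: int = field(default=0, init=False)  # matches that got no log

    def __post_init__(self) -> None:
        validate_log_options(self.threshold, self.interval_min)

    def on_match(self, t_min: float) -> bool:
        """Process a packet matching the filter at time t_min; True if logged."""
        elapsed = t_min - self.window_start
        if elapsed >= self.interval_min:
            # The interval expired: start a fresh timer and restart the packet
            # count from zero, which also re-enables logging if the threshold
            # had stopped it. Skip whole intervals so a long quiet gap lands
            # in the correct window.
            skipped = int(elapsed // self.interval_min)
            self.window_start += skipped * self.interval_min
            self.logged_in_window = 0
        if self.logged_in_window < self.threshold:
            self.logged_in_window += 1
            return True
        # Threshold exceeded: generation of logs is stopped until the interval
        # elapses. The packet is still dropped/permitted and counted by the
        # filter; only the log message is missing.
        self.suppressed += 1
        return False


def simulate(match_times: Iterable[float],
             threshold: int = DEFAULT_THRESHOLD,
             interval_min: int = DEFAULT_INTERVAL_MIN) -> Tuple[List[float], int]:
    """Return (times that produced a log message, number of suppressed matches)."""
    limiter = AclLogLimiter(threshold, interval_min)
    logged = [t for t in sorted(match_times) if limiter.on_match(t)]
    return logged, limiter.suppressed


def max_logs(duration_min: float, threshold: int = DEFAULT_THRESHOLD,
             interval_min: int = DEFAULT_INTERVAL_MIN) -> int:
    """Upper bound on log messages one filter can emit over duration_min minutes."""
    validate_log_options(threshold, interval_min)
    return math.ceil(duration_min / interval_min) * threshold


if __name__ == "__main__":
    # Constructed traffic: 15 matches within the first minute, then one at 5.5 min.
    burst = [i * 0.05 for i in range(15)] + [5.5]
    logged, suppressed = simulate(burst)
    print(f"{len(logged)} logged, {suppressed} suppressed")   # 11 logged, 5 suppressed
    print(max_logs(60))                                        # 120
```

The `suppressed` counter is the figure to compare against the filter's `count` statistics when sizing a syslog pipeline: with the defaults, a sustained flood of matches yields at most 120 messages per hour per filter, however many packets the filter actually handled.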

deny arp (for Extended MAC ACLs)

Configure an egress filter that drops ARP packets on egress ACL supported line cards. (For more information, refer to your line card documentation.)
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
deny arp {destination-mac-address mac-address-mask | any} vlan vlan-id {ip-address | any | opcode code-number} [count [byte]] [order] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny arp {destination-mac-address mac-address-mask | any} vlan vlan-id {ip-address | any | opcode code-number} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

deny icmp (for Extended IP ACLs)

To drop all or specific internet control message protocol (ICMP) messages, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
deny icmp {source mask | any | host ip-address} {destination mask | any | host ip-address} [dscp] [message-type] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny icmp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

deny ether-type (for Extended MAC ACLs)

Configure an egress filter that drops specified types of Ethernet packets on egress ACL supported line cards. (For more information, refer to your line card documentation.)
Syntax
deny ether-type protocol-type-number {destination-mac-address mac-address-mask | any} vlan vlan-id {source-mac-address mac-address-mask | any} [count [byte]] [order] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny ether-type protocol-type-number {destination-mac-address mac-address-mask | any} vlan vlan-id {source-mac-address mac-address-mask | any} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

deny (for Standard MAC ACLs)

To drop packets with the specified MAC address, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
deny {any | mac-source-address [mac-source-address-mask]} [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny {any | mac-source-address mac-source-address-mask} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-MAC ACCESS LIST-STANDARD
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
permit — configures a MAC address filter to pass packets.
seq — configures a MAC address filter with a specified sequence number.

deny (for Extended MAC ACLs)

To drop packets that match the filter criteria, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
deny {any | host mac-address | mac-source-address mac-source-address-mask} {any | host mac-address | mac-destination-address mac-destination-address-mask} [ethertype-operator] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny {any | host mac-address | mac-source-address mac-source-address-mask} {any | host mac-address | mac-destination-address mac-destination-address-mask} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-MAC ACCESS LIST-EXTENDED
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
permit — configures a MAC address filter to pass packets.
seq — configures a MAC address filter with a specified sequence number.

permit arp (for Extended MAC ACLs)

Configure a filter that forwards ARP packets meeting these criteria. This command is supported only on 12-port GE line cards with SFP optics; refer to your line card documentation for specifications.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit arp {destination-mac-address mac-address-mask | any} vlan vlan-id {ip-address | any | opcode code-number} [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit arp {destination-mac-address mac-address-mask | any} vlan vlan-id {ip-address | any | opcode code-number} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

permit ether-type (for Extended MAC ACLs)

Configure a filter that allows traffic with specified types of Ethernet packets. This command is supported only on 12-port GE line cards with SFP optics. For specifications, refer to your line card documentation.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit ether-type protocol-type-number {destination-mac-address mac-address-mask | any} vlan vlan-id {source-mac-address mac-address-mask | any} [count [byte]] [order] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit ether-type protocol-type-number {destination-mac-address mac-address-mask | any} vlan vlan-id {source-mac-address mac-address-mask | any} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

permit icmp (for Extended IP ACLs)

Configure a filter to allow all or specific ICMP messages.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit icmp {source mask | any | host ip-address} {destination mask | any | host ip-address} [dscp] [message-type] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit icmp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-STANDARD-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

permit udp (for Extended IP ACLs)

To pass UDP packets meeting the filter criteria, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit udp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [dscp] [operator port [port]] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit udp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
ip access-list extended — creates an extended ACL.
permit — assigns a permit filter for IP packets.
permit tcp — assigns a permit filter for TCP packets.

permit (for Extended IP ACLs)

To pass IP packets meeting the filter criteria, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit {source mask | any | host ip-address} {destination mask | any | host ip-address} [count [bytes]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-EXTENDED-ACCESS-LIST
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
ip access-list extended — creates an extended ACL.
permit tcp — assigns a permit filter for TCP packets.
permit udp — assigns a permit filter for UDP packets.

permit (for Standard MAC ACLs)

To forward packets from a specific source MAC address, configure a filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
permit {any | mac-source-address [mac-source-address-mask]} [count [byte]] | [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit {any | mac-source-address mac-source-address-mask} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-MAC ACCESS LIST-STANDARD
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny — configures a MAC ACL filter to drop packets.
seq — configures a MAC ACL filter with a specified sequence number.

seq (for Standard MAC ACLs)

To assign a sequence number to a deny or permit filter in a MAC access list while creating the filter, use this command.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform of the Release 9.2.0.0 documentation set.
Syntax
seq sequence-number {deny | permit} {any | mac-source-address [mac-source-address-mask]} [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, use the no seq sequence-number command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated, exceeding which the generation of ACL logs is terminated. You can use this keyword with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults
By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes
CONFIGURATION-MAC ACCESS LIST-STANDARD
Command History
Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information
When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands
deny — configures a filter to drop packets.
permit — configures a filter to forward packets.

permit tcp (for Extended IP ACLs)

Configure a filter to pass TCP packets that meet the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
permit tcp {source mask | any | host ip-address} [bit] [operator port [port]] {destination mask | any | host ip-address} [bit] [dscp] [operator port [port]] [count [byte]] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit tcp {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes CONFIGURATION-EXTENDED-ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands ip access-list extended — creates an extended ACL. permit — assigns a permit filter for IP packets. permit udp — assigns a permit filter for UDP packets.

seq arp (for Extended MAC ACLs)

Configure an egress filter with a sequence number that filters ARP packets meeting these criteria. This command is supported only on 12-port GE line cards with SFP optics. For specifications, refer to your line card documentation.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
seq sequence-number {deny | permit} arp {destination-mac-address mac-address-mask | any} vlan vlan-id {ip-address | any | opcode code-number} [count [byte]] [order] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, use the no seq sequence-number command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes CONFIGURATION-EXTENDED-ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

seq ether-type (for Extended MAC ACLs)

Configure an egress filter with a specific sequence number that filters traffic with specified types of Ethernet packets. This command is supported only on 12-port GE line cards with SFP optics. For specifications, refer to your line card documentation.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
seq sequence-number {deny | permit} ether-type protocol-type-number {destination-mac-address mac-address-mask | any} vlan vlan-id {source-mac-address mac-address-mask | any} [count [byte]] [order] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, use the no seq sequence-number command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes CONFIGURATION-EXTENDED-ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

seq (for IP ACLs)

Assign a sequence number to a deny or permit filter in an extended IP access list while creating the filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes CONFIGURATION-EXTENDED-ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands deny — configures a filter to drop packets. permit — configures a filter to forward packets.

seq (for IPv6 ACLs)

Assign a sequence number to a deny or permit filter in an IPv6 access list while creating the filter.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
seq sequence-number {deny | permit} {ipv6-protocol-number | icmp | ip | tcp | udp} {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} [operator port [port]] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To delete a filter, use the no seq sequence-number command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands deny — configures a filter to drop packets. permit — configures a filter to forward packets.

permit udp (for IPv6 ACLs)

Configure a filter to pass UDP packets that meet the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
permit udp {source address mask | any | host ipv6-address} [operator port [port]] {destination address | any | host ipv6-address} [operator port [port]] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit udp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands permit — assigns a permit filter for IP packets. permit tcp — assigns a permit filter for TCP packets.

permit tcp (for IPv6 ACLs)

Configure a filter to pass TCP packets that match the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
permit tcp {source address mask | any | host ipv6-address} [operator port [port]] {destination address | any | host ipv6-address} [bit] [operator port [port]] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit tcp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands permit — assigns a permit filter for IP packets. permit udp — assigns a permit filter for UDP packets.

permit icmp (for IPv6 ACLs)

Configure a filter to allow all or specific Internet Control Message Protocol (ICMP) messages.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
permit icmp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} [message-type] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit icmp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

permit (for IPv6 ACLs)

Configure a filter that matches packets by IPv6 protocol number or by the ICMP, IPv6, TCP, or UDP keyword.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
permit {ipv6-protocol-number | icmp | ipv6 | tcp | udp} [count [byte]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no permit {ipv6-protocol-number | icmp | ipv6 | tcp | udp} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

deny udp (for IPv6 ACLs)

Configure a filter to drop User Datagram Protocol (UDP) packets that meet the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
deny udp {source address mask | any | host ipv6-address} [operator port [port]] {destination address | any | host ipv6-address} [operator port [port]] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny udp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands deny — assigns a filter to deny IP traffic. deny tcp — assigns a deny filter for TCP traffic.

deny tcp (for IPv6 ACLs)

Configure a filter that drops TCP packets that match the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
deny tcp {source address mask | any | host ipv6-address} [operator port [port]] {destination address | any | host ipv6-address} [bit] [operator port [port]] [count [byte]] [log [interval minutes] [threshold-in-msgs [count]]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny tcp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
threshold-in-msgs count (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, the generation of ACL logs is terminated. You can use this option with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
interval minutes (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is 5 minutes.
Command Modes ACCESS-LIST
Command History Version 9.3.0.0 Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for the new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is reenabled for this new interval.
If ACL logging is stopped because the configured threshold is exceeded, it is reenabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
Related Commands deny — assigns a filter to deny IP traffic. deny udp — assigns a filter to deny UDP traffic.

deny icmp (for Extended IPv6 ACLs)

Configure a filter to drop all or specific ICMP messages.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
deny icmp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} [message-type] [count [byte]] | [log]
To remove this filter, you have two choices:
Use the no seq sequence-number command syntax if you know the filter’s sequence number
Use the no deny icmp {source address mask | any | host ipv6-address} {destination address | any | host ipv6-address} command
Parameters
  log  (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
  threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, generation of ACL logs is terminated. Use it with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
  interval minutes  (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults  By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes  ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information  When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval, that is, after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

deny (for IPv6 ACLs)

Configure a filter that drops IPv6 packets that match the filter criteria.
NOTE: Only the options that have been newly introduced are described here. For a complete description of all of the keywords and variables that are available with this command, refer to the respective Command Reference Guide of the applicable platform in the Release 9.2.0.0 documentation set.
Syntax
deny {ipv6-protocol-number | icmp | ipv6 | tcp | udp} [count [byte]] [dscp value] [order] [fragments] [log [interval minutes] [threshold-in-msgs [count]]]
To remove this filter, you have two choices:
Use the no seq sequence-number command syntax if you know the filter’s sequence number
Use the no deny {ipv6-protocol-number | icmp | ipv6 | tcp | udp} command
Parameters
  log  (OPTIONAL) Enter the keyword log to enable the triggering of ACL log messages.
  threshold-in-msgs count  (OPTIONAL) Enter the threshold-in-msgs keyword followed by a value to indicate the maximum number of ACL logs that can be generated; when this number is exceeded, generation of ACL logs is terminated. Use it with the seq, permit, or deny commands. You can enter a threshold in the range of 1-100.
  interval minutes  (OPTIONAL) Enter the keyword interval followed by the time period in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes.
Defaults  By default, 10 ACL logs are generated if you do not specify the threshold explicitly. The default frequency at which ACL logs are generated is 5 minutes.
Command Modes  ACCESS-LIST
Command History  Version 9.3.0.0  Added support for logging of ACLs on the S4810, S4820T, Z9000, M I/O Aggregator and MXL 10/40GbE Switch IO Module platforms.
Usage Information  When the configured maximum threshold is exceeded, generation of logs is stopped. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer is started and the packet count for that new interval starts from zero. If ACL logging was stopped previously because the configured threshold was exceeded, it is re-enabled for this new interval, that is, after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs. You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
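The threshold and interval rules stated in the Usage Information above (the same rules apply to the deny tcp and deny icmp commands earlier in this section) as an added Python model; this is not Dell code, and it assumes that intervals are counted from time zero in minutes and that logging resumes only when a new interval starts.

```python
import math
from collections import defaultdict
from typing import Dict, Iterable, Tuple


class AclLogLimiter:
    """Models the ACL log threshold/interval behaviour described above.

    At most `threshold` log messages are generated per interval of
    `interval_minutes`; once the threshold is reached, the remaining matches
    in that interval are not logged, and logging resumes when the next
    interval starts (the counter restarts from zero). The defaults are the
    documented 10 messages per 5 minutes. Intervals are assumed to be
    counted from time zero (an assumption of this model, not of the page).
    """

    def __init__(self, threshold: int = 10, interval_minutes: int = 5) -> None:
        if not 1 <= threshold <= 100:
            raise ValueError("threshold-in-msgs must be in the range 1-100")
        if not 1 <= interval_minutes <= 10:
            raise ValueError("interval must be in the range 1-10 minutes")
        self.threshold = threshold
        self.interval = interval_minutes
        self._window = -1   # index of the interval currently being counted
        self._count = 0     # log messages generated in that interval

    def window_of(self, t_minutes: float) -> int:
        """Index of the logging interval that contains time t (in minutes)."""
        return math.floor(t_minutes / self.interval)

    def should_log(self, t_minutes: float) -> bool:
        """Return True if an ACL match at time t produces a log message."""
        w = self.window_of(t_minutes)
        if w != self._window:
            # Fresh interval: the count restarts from zero, which re-enables
            # logging if it had been stopped in the previous interval.
            self._window, self._count = w, 0
        if self._count >= self.threshold:
            return False  # threshold reached: the match is not logged
        self._count += 1
        return True


def summarize(match_times: Iterable[float], threshold: int = 10,
              interval_minutes: int = 5) -> Dict[int, Tuple[int, int]]:
    """Replay ACL match timestamps (minutes) through the limiter.

    Returns {interval_index: (logged, suppressed)} so that a defender can
    see how many hits never reached the log. Matches are processed in time
    order, as the switch would see them.
    """
    limiter = AclLogLimiter(threshold, interval_minutes)
    tally = defaultdict(lambda: [0, 0])
    for t in sorted(match_times):
        idx = 0 if limiter.should_log(t) else 1
        tally[limiter.window_of(t)][idx] += 1
    return {w: (v[0], v[1]) for w, v in sorted(tally.items())}


if __name__ == "__main__":
    # Constructed timeline: a burst of 500 matches inside the first 5 minutes
    # yields only 10 log lines; use the count keyword, not the log, for volume.
    burst = [i * 0.01 for i in range(500)]
    print(summarize(burst))  # {0: (10, 490)}
```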

Flow-Based Monitoring Support for ACLs

This functionality to enable flow-based monitoring is supported on the S4810, S4820T, S6000, Z9000, I/O Aggregator, and MXL platforms.
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress traffic. You may specify traffic using standard or extended access-lists. This mechanism copies all incoming packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG).
The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL information is sent to the ACL manager, which in turn notifies the ACL agent to add entries in the CAM area. Duplicate entries in the ACL are not saved.
When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an ACL rule, the system examines the corresponding flow processor to perform the action specified for that port. If the mirroring action is set in the flow processor entry, the destination port details, which indicate the port on the device to which the mirrored information must be sent, are sent to the destination port.
When a stack unit is reset or a stack unit undergoes a failure, the ACL agent registers with the port mirroring application. The port mirroring utility downloads the monitoring configuration to the ACL agent. The interface manager notifies the port mirroring application about the removal of an interface when an interface to which an ACL entry is associated is deleted.

Behavior of Flow-Based Monitoring

You can activate flow-based monitoring for a monitoring session by entering the flow-based enable command in the Monitor Session mode. When you enable this capability, traffic with particular flows that traverses the ingress interfaces is examined and appropriate ACLs can be applied in the ingress direction. By default, flow-based monitoring is not enabled.
You must specify the monitor option with the permit, deny, or seq command for ACLs that are assigned to the source or the monitored port (MD) to enable the evaluation and replication of traffic that is destined to the source port to the destination port. Enter the keyword monitor with the seq, permit, and deny ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and TCP packets when the rule describes the traffic that you want to monitor and the ACL in which you are creating the rule will be applied to the monitored interface. Flow monitoring is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] [log [threshold-in-msgs count]]
If the number of monitoring sessions increases, inter-process communication (IPC) bandwidth utilization will be high. The ACL manager might require a large bandwidth when you assign an ACL with many entries to an interface.
The ACL agent module saves monitoring details in its local database and also in the CAM region to monitor packets which match the specified criterion. The ACL agent maintains data on the source port, destination port, and the endpoint to which the packet must be forwarded when a match occurs with the ACL entry.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. Flow-based monitoring is supported only for ingress traffic and not for egress packets.
The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions). It has information regarding the sessions that are enabled for flow-based monitoring and those sessions that are not enabled for flow-based monitoring. It downloads the monitoring configuration to the ACL agent whenever the ACL agent is registered with the port mirroring application or when flow-based monitoring is enabled.
The show monitor session session-id command has been enhanced to display the Type field in the output, which indicates whether a particular session is enabled for flow-monitoring.
The show running-config monitor session command displays whether flow-based monitoring is enabled for a particular session.
Example Output of the show Command
E1200-maa-01#show running-config monitor session
!
monitor session 11
  flow-based enable
  source GigabitEthernet 13/0 destination GigabitEthernet 13/1 direction both
The show config command has been modified to display the monitoring configuration of a particular session.
Example Output of the show Command
E1200-maa-01(conf-mon-sess-11)#show config
!
monitor session 11
  flow-based enable
  source GigabitEthernet 13/0 destination GigabitEthernet 13/1 direction both
The show ip | mac | ipv6 accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches specific ACL rules.
Example Output of the show Command
Force10# show ip accounting access-list
!
Extended Ingress IP access list kar on GigabitEthernet 10/0
Total cam count 1
seq 5 permit ip 192.168.20.0/24 173.168.20.0/24 monitor

Force10#show mac accounting access-list kar in gi 10/0 out
Egress Extended mac access-list kar on GigabitEthernet 10/0
seq 5 permit host 11:11:11:11:11:11 host 22:22:22:22:22:22 monitor
seq 10 permit host 22:22:22:22:22:22 any monitor
seq 15 permit host 00:0f:fe:1e:de:9b host 0a:0c:fb:1d:fc:aa monitor

Force10#show ipv6 accounting access-list
!
Ingress IPv6 access list kar on GigabitEthernet 10/0
Total cam count 1
seq 5 permit ipv6 22::/24 33::/24 monitor

Enabling Flow-Based Monitoring

Flow-based monitoring is supported on the S4810, S4820T, S6000, Z9000, I/O Aggregator, and MXL platforms.
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You may specify traffic using standard or extended access-lists.
1. Enable flow-based monitoring for a monitoring session.
   MONITOR SESSION mode
   flow-based enable
2. Define access-list rules that include the keyword monitor. FTOS only considers traffic matching rules with the keyword monitor for port monitoring.
   CONFIGURATION mode
   ip access-list
   Refer to Access Control Lists (ACLs).
3. Apply the ACL to the monitored port.
   INTERFACE mode
   ip access-group access-list
To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
Example of the flow-based enable Command
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#flow-based enable
FTOS(conf)#ip access-list ext testflow
FTOS(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
FTOS(config-ext-nacl)#seq 10 permit ip 102.1.1.0/24 any count bytes monitor
FTOS(config-ext-nacl)#seq 15 deny udp any any count bytes
FTOS(config-ext-nacl)#seq 20 deny tcp any any count bytes
FTOS(config-ext-nacl)#exit
FTOS(conf)#interface gig 1/1
FTOS(conf-if-gi-1/1)#ip access-group testflow in
FTOS(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 10.11.1.254/24
 ip access-group testflow in
 shutdown
FTOS(conf-if-gi-1/1)#exit
FTOS(conf)#do show ip accounting access-list testflow
!
Extended Ingress IP access list testflow on GigabitEthernet 1/1
Total cam count 4
seq 5 permit icmp any any monitor count bytes (0 packets 0 bytes)
seq 10 permit ip 102.1.1.0/24 any monitor count bytes (0 packets 0 bytes)
seq 15 deny udp any any count bytes (0 packets 0 bytes)
seq 20 deny tcp any any count bytes (0 packets 0 bytes)
FTOS(conf)#do show monitor session 0
SessionID Source Destination Direction Mode      Type
--------- ------ ----------- --------- ----      ----
0         Gi 1/1 Gi 1/2      rx        interface Flow-based
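An added Python parser for the show ip accounting access-list output format shown in the example above, written here to audit which rules of an applied ACL carry the monitor keyword (and so have their matching traffic copied to the session's destination port); this is not Dell tooling, and the sample block and its hit counters are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the show ip accounting access-list
# output shown on this page; the hit counters are made up for the example.
SAMPLE_OUTPUT = """\
!
Extended Ingress IP access list testflow on GigabitEthernet 1/1
Total cam count 4
seq 5 permit icmp any any monitor count bytes (120 packets 9600 bytes)
seq 10 permit ip 102.1.1.0/24 any monitor count bytes (4521 packets 3387450 bytes)
seq 15 deny udp any any count bytes (37 packets 2960 bytes)
seq 20 deny tcp any any count bytes (0 packets 0 bytes)
"""

HEADER_RE = re.compile(r"^(?P<kind>.+?) access list (?P<name>\S+) on (?P<iface>.+)$")
# Rule line: seq <n> <action> <proto> <src/dst...> [monitor] [count [bytes]] [(<p> packets [<b> bytes])]
RULE_RE = re.compile(
    r"^seq (?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\S+) (?P<match>.+?)"
    r"(?P<monitor> monitor)?(?: count(?: bytes)?)?"
    r"(?: \((?P<packets>\d+) packets(?: (?P<bytes>\d+) bytes)?\))?$"
)


@dataclass
class AclRule:
    seq: int
    action: str
    proto: str
    match: str            # source/destination part of the rule, kept verbatim
    monitor: bool         # True when the rule carries the monitor keyword
    packets: Optional[int]
    bytes: Optional[int]


@dataclass
class AclAccounting:
    kind: str             # e.g. "Extended Ingress IP"
    name: str
    interface: str
    rules: List[AclRule]
    unparsed: List[str]   # lines that matched neither pattern, kept for review


def parse_accounting(text: str) -> AclAccounting:
    """Parse one ACL block of show ip accounting access-list output."""
    acl = AclAccounting("", "", "", [], [])
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("Total cam count"):
            continue
        h = HEADER_RE.match(line)
        if h and not acl.name:
            acl.kind, acl.name, acl.interface = h["kind"], h["name"], h["iface"]
            continue
        r = RULE_RE.match(line)
        if not r:
            acl.unparsed.append(line)
            continue
        acl.rules.append(AclRule(
            seq=int(r["seq"]), action=r["action"], proto=r["proto"],
            match=r["match"], monitor=r["monitor"] is not None,
            packets=int(r["packets"]) if r["packets"] else None,
            bytes=int(r["bytes"]) if r["bytes"] else None))
    return acl


def monitored_seqs(acl: AclAccounting) -> List[int]:
    """Sequence numbers whose matching traffic is replicated to the destination port."""
    return [r.seq for r in acl.rules if r.monitor]


def mirrored_packets(acl: AclAccounting) -> int:
    """Total hits on monitored rules, i.e. how much traffic the session replicated."""
    return sum(r.packets or 0 for r in acl.rules if r.monitor)


if __name__ == "__main__":
    acl = parse_accounting(SAMPLE_OUTPUT)
    print(f"{acl.name} on {acl.interface}: monitored seq {monitored_seqs(acl)}, "
          f"{mirrored_packets(acl)} packets mirrored")
```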

5 Bare Metal Provisioning (BMP)

This chapter describes the Bare Metal Provisioning (BMP) enhancements that apply to the S4810, S4820T, S6000, Z9000, and MXL platforms.

Support for BMP on the S6000 Switch

Starting with Dell Networking OS Release 9.3(0.0), BMP 3.1 is supported on the S6000 platform. For details about the commands and configuration procedures of BMP 3.1, refer to the Open Automation Guide.

Enhanced Behavior of the stop bmp Command

The stop bmp command behaves as follows in different circumstances:
While an FTOS image upgrade is in progress, it aborts the BMP process once the FTOS image is upgraded.
When configurations are being applied from a file, it aborts the BMP process after all configurations are applied in the system.
When pre-configuration or post-configuration scripts are running, it stops execution of the script and aborts the BMP process immediately.
While the configuration or script file is being downloaded, it aborts the BMP process after the download; it neither applies the configuration nor runs the script.
When you enter CONFIGURATION mode during the BMP process, warning or error messages are displayed as appropriate to avoid configuration conflicts between the user and the BMP process.

Removal of the Deprecated User-Defined String Parameter With reload-type Command

The user-defined-string parameter available with the reload-type command, which was deprecated in Dell Networking OS release 9.2(0.0) and earlier, is now removed. The vendor-class-identifier parameter replaces the user-defined-string parameter.

Inclusion of Service Tag Information in the Option 60 String

You can now configure the vendor class identifier up to a maximum of 128 characters. In the vendor class identifier (option 60) string, the User String field is also included with the Type, Hardware, Serial Number, Service Tag and OS Version fields.

Replacement of stop jump-start Command With the stop bmp Command

The deprecated stop jump-start command is replaced by the stop bmp command from BMP 3.1 onwards. However, in BMP 1.5 and 2.0, you can use the stop jump-start command to stop the device from restarting in BMP mode.

6 Data Center Bridging (DCB)

This chapter describes the DCB enhancements and contains the following sections:
Managing Hardware Buffer Statistics
Configuring WRED and ECN Attributes
Enabling Buffer Statistics Tracking
Configuring DCB Maps and its Attributes
Data Center Bridging: Default Configuration
Configuring the Dynamic Buffer Method
Priority-Based Flow Control Using Dynamic Buffer Method

Configuring DCB Maps and its Attributes

This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. This functionality is supported on the S4810, S4820T, S6000, I/O Aggregator, and MXL platforms.

DCB Map: Configuration Procedure

A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
Step Task Command Command Mode
1 Enter global configuration mode to create a DCB map or edit PFC and ETS settings.
  Command: dcb-map name
  Command Mode: CONFIGURATION
2 Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group, or whether priority group traffic should be handled with strict priority scheduling. You can enable PFC on a maximum of two priority queues on an interface. Enabling PFC for dot1p priorities makes the corresponding port queue lossless. The sum of all allocated bandwidth percentages in all groups in the DCB map must be 100%. Strict-priority traffic is serviced first. Afterwards, bandwidth allocated to other priority groups is made available and allocated according to the specified percentages. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups. Example:
    priority-group 0 bandwidth 60 pfc off
    priority-group 1 bandwidth 20 pfc on
    priority-group 2 bandwidth 20 pfc on
    priority-group 4 strict-priority pfc off
  Repeat this step to configure PFC and ETS traffic handling for each priority group.
  Command: priority-group group_num {bandwidth percentage | strict-priority} pfc {on | off}
  Command Mode: DCB MAP
3 Specify the dot1p priority-to-priority group mapping for each priority. Priority-group range: 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4, in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
  Command: priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num dot1p4_group_num dot1p5_group_num dot1p6_group_num dot1p7_group_num
  Command Mode: DCB MAP
DCB MAP

Important Points to Remember

If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority-pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority.
As a result, PFC and lossless port queues are disabled on 802.1p priorities, and all priorities are mapped to the same priority queue and equally share port bandwidth.
To change the ETS bandwidth allocation configured for a priority group in a DCB map, do not modify the existing DCB map configuration. Instead, first create a new DCB map with the desired PFC and ETS settings and apply the new map to the interfaces to override the previous DCB map settings. Then delete the original dot1p priority-priority group mapping.
If you delete the dot1p priority-priority group mapping (no priority-pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation.

Applying a DCB Map on a Port

When you apply a DCB map with PFC enabled on an S6000 interface, a memory buffer for PFC-enabled priority traffic is automatically allocated. The buffer size is allocated according to the number of PFC-enabled priorities in the assigned map.
To apply a DCB map to an Ethernet port, follow these steps:
Step Task Command Command Mode
1 Enter interface configuration mode on an Ethernet port.
  Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
  Command Mode: CONFIGURATION
2 Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map; for example:
    FTOS# interface tengigabitEthernet 0/0
    FTOS(config-if-te-0/0)# dcb-map SAN_A_dcb_map1
  Repeat Steps 1 and 2 to apply a DCB map to more than one port.
  Command: dcb-map name
  Command Mode: INTERFACE
You cannot apply a DCB map on an interface which has already been configured for PFC using the pfc priority command or which is already configured for lossless queues (pfc no-drop queues command).

Configuring PFC without a DCB Map

In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specified dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces which require PFC for lossless traffic but do not transmit converged Ethernet traffic.
Step Task Command Command Mode
1 Enter interface configuration mode on an Ethernet port.
  Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
  Command Mode: CONFIGURATION
2 Enable PFC on specified priorities. Range: 0-7. Default: None. Maximum number of lossless queues supported on an Ethernet port: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7
  Command: pfc priority priority-range
  Command Mode: INTERFACE
You cannot configure PFC using the pfc priority command on an interface on which a DCB map has been applied or which is already configured for lossless queues (pfc no-drop queues command).

Configuring Lossless Queues

DCB also supports the manual configuration of lossless queues on an interface after you disable PFC mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface.
Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues.
When configuring lossless queues on a port interface, take into account:
By default, no lossless queues are configured on a port.
A limit of two lossless queues is supported on a port. If the number of lossless queues configured exceeds the maximum supported limit per port (two), an error message displays. You must reconfigure the value to a smaller number of queues.
If you configure lossless queues on an interface that already has a DCB map with PFC enabled (pfc on), an error message displays.
Step Task Command Command Mode
1 Enter INTERFACE Configuration mode.
  Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
  Command Mode: CONFIGURATION
2 Open a DCB map and enter DCB map configuration mode.
  Command: dcb-map name
  Command Mode: INTERFACE
3 Disable PFC.
  Command: no pfc mode on
  Command Mode: DCB MAP
4 Return to interface configuration mode.
  Command: exit
  Command Mode: DCB MAP
5 Apply the DCB map created to disable PFC operation on the interface.
  Command: dcb-map {name | default}
  Command Mode: INTERFACE
6 Configure the port queues that still function as no-drop queues for lossless traffic. For the dot1p-queue assignments, see Table 131. The maximum number of lossless queues globally supported on a port is 2. You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied or which is already configured for PFC using the pfc priority command. Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3. Default: No lossless queues are configured.
  Command: pfc no-drop queues queue-range
  Command Mode: INTERFACE

Data Center Bridging: Default Configuration

This functionality is supported on the S6000 platform.
Before you configure PFC and ETS on an S5000 switch (see Configuring DCB Maps and its Attributes), take into account the following default settings:
DCB is enabled (see Enabling Data Center Bridging).
The PFC memory buffer supports up to 64 PFC-enabled ports and two lossless queues per port.
PFC and ETS are globally enabled by default. The default dot1p priority-queue assignments are applied as follows:
802.1p value in incoming frame: 0 1 2 3 4 5 6 7
Egress queue assignment:        0 0 0 1 2 3 3 3
PFC is not applied on specific dot1p priorities.
ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group.
To configure PFC and ETS parameters on an S5000 interface, you must specify a PFC mode and ETS bandwidth allocation for a priority group and an 802.1p priority-to-priority group mapping in a DCB map (see Configuring PFC and ETS in a DCB Map). No default PFC and ETS settings are applied to Ethernet interfaces.

Configuring PFC and ETS in a DCB Map

An S6000 switch supports the use of a DCB map in which you configure priority-based flow control and enhanced transmission selection settings. To configure PFC and ETS parameters, you must apply a DCB map on an S6000 interface. This functionality is supported on the S6000 platform.

PFC Configuration Notes

Priority-based flow control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (CoS values) without impacting other priority classes. Different traffic types are assigned to different priority classes.
When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that needs to be stopped. DCBx provides the link-level exchange of PFC parameters between peer devices. PFC allows network administrators to create zero-loss links for SAN traffic that requires no-drop service, while at the same time retaining packet-drop congestion management for LAN traffic.
On an S6000 switch, PFC is enabled by default on Ethernet ports (pfc mode on command). You can configure PFC parameters using a DCB map or the pfc priority command in Interface configuration mode. For more information, see Configuring DCB Maps and its Attributes.
NOTE: DCB maps are supported only on physical Ethernet interfaces.
When you configure PFC in a DCB map:
As soon as you apply a DCB map with PFC enabled on an interface, DCBx starts exchanging information with a peer. The IEEE 802.1Qbb, CEE and CIN versions of the PFC TLV are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices.
By applying a DCB map with PFC enabled, you enable PFC operation on ingress port traffic. To achieve complete lossless handling of traffic, configure PFC priorities on all DCB egress ports.
To remove a DCB map, including the PFC configuration it contains, use the no dcb-map command in Interface configuration mode.
To disable PFC operation on an interface, use the no pfc mode on command in DCB-Map configuration mode.
Traffic may be interrupted when you reconfigure PFC no-drop priorities in a DCB map or re-apply the DCB map to an interface.
For PFC to be applied, the configured priority traffic must be supported by a PFC peer (as detected by DCBx).
If you apply a DCB map with PFC disabled (pfc off):
You can enable link-level flow control on the interface (flowcontrol rx on tx on command; see Using Ethernet Pause Frames for Flow Control). To delete the DCB map, first disable link-level flow control. PFC is then automatically enabled on the interface because an interface is PFC-enabled by default.
To ensure no-drop handling of lossless traffic, PFC allows you to configure lossless queues on a port (see Configuring DCB Maps and its Attributes).
When you configure a DCB map, an error message displays if:
The PFC dot1p priorities result in more than two lossless queues.
When you apply a DCB map, an error message displays if:
Link-level flow control is already enabled on an interface. You cannot enable PFC and link-level flow control at the same time on an interface.
In a switch stack, configure all stacked ports with the same PFC configuration.
FTOS allows you to change the default dot1p priority-queue assignments only if the change satisfies the following requirements in DCB maps already applied to S6000 interfaces:
All 802.1p priorities mapped to the same queue must be in the same priority group.
A maximum of two PFC-enabled, lossless queues are supported on an interface.
Otherwise, the reconfiguration of a default dot1p-queue assignment is rejected.
To ensure complete no-drop service, apply the same PFC parameters on all PFC-enabled peers.
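An added Python validator (not Dell tooling) for a DCB map, checking the rules given in the DCB map procedure, the Default Configuration section and the PFC notes above before the map is pushed to a switch: bandwidth percentages summing to 100%, at least 1% per bandwidth group, all priorities of one egress queue in the same priority group, and at most two PFC-enabled lossless queues. It assumes the default dot1p-to-queue assignment quoted in the Default Configuration section; SAN_MAP is the example map from the procedure table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Default dot1p-to-egress-queue assignment quoted in the Default Configuration
# section: 802.1p 0-2 -> queue 0, 3 -> queue 1, 4 -> queue 2, 5-7 -> queue 3.
DEFAULT_DOT1P_QUEUE = [0, 0, 0, 1, 2, 3, 3, 3]
MAX_LOSSLESS_QUEUES = 2


@dataclass(frozen=True)
class PriorityGroup:
    """One priority-group line: a bandwidth percentage (None = strict-priority)
    and whether PFC is on for the dot1p priorities mapped to the group."""
    bandwidth: Optional[int]
    pfc_on: bool


def validate_dcb_map(groups: Dict[int, PriorityGroup], pgid: List[int],
                     dot1p_queue: List[int] = DEFAULT_DOT1P_QUEUE) -> List[str]:
    """Check a DCB map against the rules on this page; an empty list means OK."""
    errors: List[str] = []
    if len(pgid) != 8:
        return [f"priority-pgid needs exactly 8 entries, got {len(pgid)}"]
    for g in groups:
        if not 0 <= g <= 7:
            errors.append(f"priority-group {g}: group number outside 0-7")
    # ETS: every bandwidth group gets at least 1%, and the groups sum to 100%.
    bw = {g: pg.bandwidth for g, pg in groups.items() if pg.bandwidth is not None}
    for g, pct in bw.items():
        if pct < 1:
            errors.append(f"priority-group {g}: at least 1% bandwidth is required")
    if bw and sum(bw.values()) != 100:
        errors.append(f"bandwidth percentages sum to {sum(bw.values())}%, must be 100%")
    for g in sorted({g for g in pgid if g not in groups}):
        errors.append(f"priority-pgid references undefined priority-group {g}")
    # All 802.1p priorities that share an egress queue must share a priority group.
    groups_per_queue: Dict[int, Set[int]] = {}
    for grp, queue in zip(pgid, dot1p_queue):
        groups_per_queue.setdefault(queue, set()).add(grp)
    for queue, grps in sorted(groups_per_queue.items()):
        if len(grps) > 1:
            errors.append(f"queue {queue}: its dot1p priorities are split across "
                          f"priority groups {sorted(grps)}")
    # PFC on a priority makes its queue lossless; at most two lossless queues per port.
    lossless = {queue for grp, queue in zip(pgid, dot1p_queue)
                if grp in groups and groups[grp].pfc_on}
    if len(lossless) > MAX_LOSSLESS_QUEUES:
        errors.append(f"PFC enables {len(lossless)} lossless queues {sorted(lossless)}, "
                      f"maximum is {MAX_LOSSLESS_QUEUES}")
    return errors


def render_dcb_map(name: str, groups: Dict[int, PriorityGroup], pgid: List[int]) -> List[str]:
    """Emit the CLI lines in the order of the procedure table (dcb-map, priority-group, priority-pgid)."""
    lines = [f"dcb-map {name}"]
    for g in sorted(groups):
        pg = groups[g]
        sched = "strict-priority" if pg.bandwidth is None else f"bandwidth {pg.bandwidth}"
        lines.append(f" priority-group {g} {sched} pfc {'on' if pg.pfc_on else 'off'}")
    lines.append(" priority-pgid " + " ".join(str(g) for g in pgid))
    return lines


# The example map from the DCB map procedure table on this page.
SAN_MAP = {
    0: PriorityGroup(60, False),
    1: PriorityGroup(20, True),
    2: PriorityGroup(20, True),
    4: PriorityGroup(None, False),
}
SAN_PGID = [0, 0, 0, 1, 2, 4, 4, 4]

if __name__ == "__main__":
    print("\n".join(render_dcb_map("SAN_A_dcb_map1", SAN_MAP, SAN_PGID)))
    print("errors:", validate_dcb_map(SAN_MAP, SAN_PGID))  # errors: []
    # Constructed bad map: moving dot1p 2 into group 1 splits queue 0 across groups.
    print(validate_dcb_map(SAN_MAP, [0, 0, 1, 1, 2, 4, 4, 4]))
```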

PFC Prerequisites and Restrictions

On an S6000 switch, PFC is globally enabled by default, but not applied on specific 802.1p priorities. To enable PFC on 802.1p priorities, create a DCB map. For more information, see Configuring DCB Maps and its Attributes.
The following prerequisites and restrictions apply when you configure PFC in a DCB map:
You can enable PFC on a maximum of two priority queues on an interface. Enabling PFC for dot1p priorities configures the corresponding port queue as lossless.
You cannot enable PFC and link-level flow control at the same time on an interface.

ETS Configuration Notes

ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs. When you configure ETS in a DCB map:
The DCB map associates a priority group with a PFC operational mode (on or off) and an ETS scheduling and bandwidth allocation. You can apply a DCB map on multiple egress ports.
Use the ETS configuration associated with 802.1p priority traffic in a DCB map in DCBx negotiation with ETS peers.
Traffic in priority groups is assigned to strict-queue or weighted round-robin (WRR) scheduling in an ETS configuration and is managed using the ETS bandwidth-assignment algorithm. FTOS de-queues all frames of strict-priority traffic before servicing any other queues. A queue with strict-priority traffic can starve other queues in the same port.
ETS-assigned bandwidth allocation and strict-priority scheduling apply only to data queues, not to control queues.
FTOS supports hierarchical scheduling on an interface. FTOS control traffic is redirected to control queues as higher priority traffic with strict priority scheduling. After the control queues drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler configuration in the DCB map. The available bandwidth calculated by the ETS algorithm is equal to the link bandwidth after scheduling non-ETS higher-priority traffic.
The configuration of bandwidth allocation and strict-queue scheduling is not supported at the same time for a priority group.
Bandwidth assignment: By default, equal bandwidth is assigned to each dot1p priority in a priority group. To configure the bandwidth assigned to the port queues associated with dot1p priorities in a priority group, use the bandwidth percentage parameter. The sum of the bandwidth allocated to all priority groups in a DCB map must be 100% of the bandwidth on the link. You must allocate at least 1% of the total bandwidth to each priority group.
Scheduling of priority traffic: dot1p priority traffic on the switch is scheduled to the current queue mapping. dot1p priorities within the same queue must have the same traffic properties and scheduling method.
ETS configuration error: If an error occurs in an ETS configuration, the configuration is ignored and the scheduler and bandwidth allocation settings are reset to the ETS default value: 100% of available bandwidth is allocated to priority group 0 and bandwidth is equally assigned to each dot1p priority.
If an error occurs when a port receives a peer’s ETS configuration, the port’s configuration resets to the ETS configuration in the previously configured DCB map. If no DCB map was previously applied, the port resets to the default ETS parameters.
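The scheduling behaviour described above (strict-priority groups drained first, ETS groups sharing the remaining link capacity by percentage, and a group's unused share passed to the other groups) as an added, simplified model. This is example code written for this page, not FTOS code; the interval capacity, the group settings and the offered loads are assumed values:

```python
"""Added example (not Dell code): a simplified model of ETS scheduling as this
page describes it. Strict-priority groups are dequeued first (the higher
numbered group first when several are strict); the capacity left in a
scheduling interval is divided among the ETS groups in proportion to their
bandwidth percentages, and a group that cannot use its share hands the rest
to the others. Interval capacity and offered loads are assumed values."""
from typing import Dict, Set


def serve_interval(backlog: Dict[int, int], strict: Set[int],
                   bandwidth: Dict[int, int], capacity: int) -> Dict[int, int]:
    """Send up to `capacity` bytes from `backlog` (bytes waiting per priority
    group, updated in place); return the bytes sent per group."""
    sent = {g: 0 for g in backlog}
    left = capacity
    # 1. Strict-priority groups drain first and may consume the whole interval.
    for g in sorted(strict, reverse=True):
        take = min(backlog[g], left)
        backlog[g] -= take
        sent[g] += take
        left -= take
    # 2. ETS groups share what is left by weight. Each pass hands out all of
    #    `left`; a group that empties drops out, and the next pass gives its
    #    unused share to the groups that are still backlogged.
    active = [g for g in bandwidth if g not in strict and backlog[g] > 0]
    while left > 0 and active:
        total_w = sum(bandwidth[g] for g in active)
        shares = {g: left * bandwidth[g] // total_w for g in active}
        shares[active[-1]] += left - sum(shares.values())  # rounding remainder
        for g in list(active):
            take = min(backlog[g], shares[g])
            backlog[g] -= take
            sent[g] += take
            left -= take
            if backlog[g] == 0:
                active.remove(g)
    return sent


def run(offered: Dict[int, int], strict: Set[int], bandwidth: Dict[int, int],
        capacity: int, intervals: int) -> Dict[int, int]:
    """Offer `offered[g]` bytes to group g in every interval and return the
    total bytes each group got onto the link."""
    groups = set(bandwidth) | set(strict)
    backlog = {g: 0 for g in groups}
    total = {g: 0 for g in groups}
    for _ in range(intervals):
        for g, nbytes in offered.items():
            backlog[g] += nbytes
        for g, nbytes in serve_interval(backlog, strict, bandwidth, capacity).items():
            total[g] += nbytes
    return total


# Constructed DCB-map-like setup: groups 0 and 1 get 50% each, group 2 is
# strict-priority; the link carries 10000 bytes per interval.
STRICT = {2}
BANDWIDTH = {0: 50, 1: 50}

if __name__ == "__main__":
    # Both ETS groups oversubscribed, strict group idle: a 50/50 split.
    print(run({0: 8000, 1: 8000}, STRICT, BANDWIDTH, 10000, 10))
    # Strict group offers a full link's worth every interval: it starves 0 and 1.
    print(run({2: 10000, 0: 8000, 1: 8000}, STRICT, BANDWIDTH, 10000, 10))
    # Group 1 only needs 20%: its unused share goes to group 0.
    print(run({0: 8000, 1: 2000}, STRICT, BANDWIDTH, 10000, 10))
```

The second scenario is the starvation the text warns about: a strict-priority group that always has frames waiting leaves the ETS groups with nothing, and the third scenario is the redistribution of a group's unused allocation to the other priority groups.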

ETS Prerequisites and Restrictions

On an S6000 switch, ETS is enabled by default on Ethernet ports; equal bandwidth is assigned to each 802.1p priority. You can change the default ETS configuration only by using a DCB map. For more information, see Configuring DCB Maps and its Attributes.

The following prerequisites and restrictions apply when you configure ETS bandwidth allocation or strict-priority queuing in a DCB map:

When allocating bandwidth or configuring strict-priority queuing for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation (see Configuring Bandwidth Allocation for DCBx CIN) and the dot1p-queue mapping.
ETS bandwidth allocation and strict-priority queuing do not support weighted random early detection (WRED), explicit congestion notification (ECN), rate shaping, or rate limiting, because DCBx does not negotiate these parameters with peer devices. You can, however, apply a QoS output policy with WRED and/or rate shaping on a DCBx CIN-enabled interface (see Configuring Port-based Rate Shaping and Weighted Random Early Detection). In this case, the WRED or rate shaping configuration in the QoS output policy must take into account the bandwidth allocation or queue scheduler configured in the DCB map.
Priority-Group Configuration Notes

When you configure priority groups in a DCB map:
A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share the same latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group.
In a DCB map, each 802.1p priority must map to a priority group.
The maximum number of priority groups supported in a DCB map on an interface is equal to the number of data queues (4) on the port. Each priority group can support more than one data queue.
You can enable PFC on a maximum of two priority queues on an interface.
If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.

dcb-map

Create a DCB map to configure priority flow control (PFC) and enhanced transmission selection (ETS) on Ethernet ports that support converged Ethernet traffic. Apply the DCB map to an Ethernet interface.

S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator

Syntax
dcb-map map-name

Parameters
map-name    Enter a DCB map name. The maximum number of alphanumeric characters is 32.

Defaults
None. There are no pre-configured PFC and ETS settings on S5000 Ethernet interfaces.

Command Modes
CONFIGURATION
INTERFACE

Command History
Version 9.3.0.0    Introduced on the S4810 and S6000 platforms.
Version 9.3.0.0    Introduced on the FC Flex IO module installed in the M I/O Aggregator and MXL 10/40GbE Switch.

Usage Information
A DCB map is a template used to configure DCB parameters and apply them on converged Ethernet interfaces. DCB parameters include priority-based flow control (PFC) and enhanced transmission selection (ETS).
To display the PFC and ETS settings in DCB maps, enter the show qos dcb-map command.
Use the dcb-map command to create a DCB map that specifies PFC and ETS settings and to apply it on Ethernet ports. After you apply a DCB map to an interface, the PFC and ETS settings in the map take effect when the Ethernet port is enabled. DCBx is enabled on Ethernet ports by default.
The dcb-map command is supported only on physical Ethernet interfaces. To remove a DCB map from an interface, enter the no dcb-map map-name command in Interface configuration mode.

Related Commands
show qos dcb-map – displays the dcb-map profiles configured on the system.
dcb-map stack-unit all stack-ports all – applies a DCB map on all ports of a switch stack.

priority-pgid

Assign 802.1p priority traffic to a priority group in a DCB map.

S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator

Syntax
priority-pgid dot1p0_group-num dot1p1_group-num dot1p2_group-num dot1p3_group-num dot1p4_group-num dot1p5_group-num dot1p6_group-num dot1p7_group-num

Parameters
dot1p0_group-num ... dot1p7_group-num    Enter the priority group number for each 802.1p class of traffic (dot1p 0 through 7, in that order) in a DCB map.

Defaults
None

Command Modes
DCB MAP

Command History
Version 9.3.0.0    Introduced on the S4810 and S6000 platforms.
Version 9.3.0.0    Introduced on the FC Flex IO module installed in the M I/O Aggregator and MXL 10/40GbE Switch.

Usage Information
PFC and ETS settings are not pre-configured on Ethernet ports. You must use the dcb-map command to configure different groups of 802.1p priorities with PFC and ETS settings.
Using the priority-pgid command, you assign each 802.1p priority to one priority group. A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group. For example, the command
priority-pgid 0 0 0 1 2 4 4 4
creates the following groups of 802.1p priority traffic:
Priority group 0 contains traffic with dot1p priorities 0, 1, and 2.
Priority group 1 contains traffic with dot1p priority 3.
Priority group 2 contains traffic with dot1p priority 4.
Priority group 4 contains traffic with dot1p priorities 5, 6, and 7.
To remove a priority-pgid configuration from a DCB map, enter the no priority-pgid command.

Related Commands
dcb-map — creates a DCB map to configure PFC and ETS parameters and applies the PFC and ETS settings on Ethernet ports.
priority-group bandwidth pfc — configures the ETS bandwidth allocation and the PFC setting used to manage the port traffic in an 802.1p priority group.

pfc mode on

Enable the PFC configuration on the port so that the priorities are included in DCBx negotiation with peer PFC devices.

Syntax
pfc mode on
To disable the PFC configuration, use the no pfc mode on command.

Defaults
PFC mode is on.

Command Modes
DCB INPUT POLICY

Command History
Version 9.3.0.0    Introduced on the M I/O Aggregator and MXL 10/40GbE Switch with the FC Flex IO module.

Usage Information
By applying a DCB input policy with PFC enabled, you enable PFC operation on ingress port traffic. To achieve complete lossless handling of traffic, also enable PFC on all DCB egress ports or configure the dot1p priority-queue assignment of PFC priorities to lossless queues (refer to pfc no-drop queues).
To disable PFC operation on an interface, enter the no pfc mode on command in DCB Input Policy Configuration mode. PFC is enabled and disabled as global DCB operation is enabled (dcb-enable) or disabled (no dcb-enable).
You cannot enable PFC and link-level flow control at the same time on an interface.

Related Commands
dcb-input — creates a DCB input policy.

priority-group bandwidth pfc

Configure the ETS bandwidth allocation and PFC mode used to manage port traffic in an 802.1p priority group.

S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator

Syntax
priority-group group-num {bandwidth percentage | strict-priority} pfc {on | off}

Parameters
priority-group group-num    Enter the keyword priority-group followed by the number of an 802.1p priority group. Use the priority-pgid command to create the priority groups in a DCB map.
bandwidth percentage    Enter the keyword bandwidth followed by the bandwidth percentage allocated to the priority group. The range of valid values is 1 to 100. The sum of all allocated bandwidth percentages in the priority groups of a DCB map must be 100%.
strict-priority    Configure the priority-group traffic to be handled with strict priority scheduling. Strict-priority traffic is serviced first, before bandwidth allocated to other priority groups is made available.
pfc {on | off}    Configure whether priority-based flow control is enabled (on) or disabled (off) for port traffic in the priority group.

Defaults
None

Command Modes
DCB MAP

Command History
Version 9.3.0.0    Introduced on the S4810 and S6000 platforms.
Version 9.3.0.0    Introduced on the FC Flex IO module installed in the M I/O Aggregator and MXL 10/40GbE Switch.

Usage Information
Use the dcb-map command to configure priority groups with PFC and/or ETS settings and apply them to Ethernet interfaces.
Use the priority-pgid command to map 802.1p priorities to a priority group. You can assign each 802.1p priority to only one priority group. A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group.
Repeat the priority-group bandwidth pfc command to configure PFC and ETS traffic handling for each priority group in a DCB map.
You can enable PFC on a maximum of two priority queues. If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.
If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups.
To remove a priority-group configuration from a DCB map, enter the no priority-group bandwidth pfc command.
By default, equal bandwidth is assigned to each dot1p priority in a priority group. Use the bandwidth parameter to configure the bandwidth percentage assigned to a priority group. The sum of the bandwidth allocated to all priority groups in a DCB map must be 100% of the bandwidth on the link. You must allocate at least 1% of the total port bandwidth to each priority group.

Related Commands
dcb-map – creates a DCB map to configure PFC and ETS parameters and applies the PFC and ETS settings on Ethernet ports.
priority-pgid – configures the 802.1p priority traffic in a priority group for a DCB map.

dcb-map stack-unit all stack-ports all

Apply the specified DCB map on all ports of the switch stack.

S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator

Syntax
dcb-map stack-unit all stack-ports all dcb-map-name
To remove the PFC and ETS settings in a DCB map from all stack units, use the no dcb-map stack-unit all stack-ports all command.

Parameters
dcb-map-name    Enter the name of the DCB map.

Defaults
None

Command Modes
CONFIGURATION

Command History
Version 9.3.0.0    Introduced on the S4810 and S6000 platforms.
Version 9.3.0.0    Introduced on the FC Flex IO module installed in the M I/O Aggregator and MXL 10/40GbE Switch.

Usage Information
The dcb-map stack-unit all stack-ports all command overwrites any previous DCB maps applied to stack ports.

Related Commands
dcb-map – creates a DCB map to configure PFC and ETS parameters and applies the PFC and ETS settings on Ethernet ports.

show qos dcb-map

Display the DCB parameters configured in a specified DCB map.

S4810, S6000, and FC Flex IO Modules with MXL and I/O Aggregator

Syntax
show qos dcb-map map-name

Parameters
map-name    Displays the PFC and ETS parameters configured in the specified map.

Command Modes
EXEC
EXEC Privilege

Command History
Version 9.3.0.0    Introduced on the S4810 and S6000 platforms.
Version 9.3.0.0    Introduced on the FC Flex IO module installed in the M I/O Aggregator and MXL 10/40GbE Switch.

Usage Information
Use the show qos dcb-map command to display the enhanced transmission selection (ETS) and priority-based flow control (PFC) parameters used to configure server-facing Ethernet ports. S5000 Ethernet ports are DCBx-enabled by default.
The following table describes the show qos dcb-map output shown in the example below.

Field         Description
State         Complete: All mandatory DCB parameters are correctly configured. In progress: The DCB map configuration is not complete; some mandatory parameters are not configured.
PFC Mode      PFC configuration in the DCB map: On (enabled) or Off.
PG            Priority group configured in the DCB map.
TSA           Transmission scheduling algorithm used by the priority group: Enhanced Transmission Selection (ETS).
BW            Percentage of bandwidth allocated to the priority group.
PFC           PFC setting for the priority group: On (enabled) or Off.
Priorities    802.1p priorities configured in the priority group.

Example
FTOS# show qos dcb-map dcbmap2
State :Complete PfcMode:ON
--------------------
PG:0 TSA:ETS BW:50 PFC:OFF Priorities:0 1 2 4 5 6 7
PG:1 TSA:ETS BW:50 PFC:ON Priorities:3

Related Commands
dcb-map — creates a DCB map to configure PFC and ETS parameters and applies the PFC and ETS settings on Ethernet ports.
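The dcb-map, priority-pgid and priority-group bandwidth pfc commands, the priority-group configuration rules, the ETS error fallback and the show qos dcb-map output layout, brought together in one added example. This is example code written for this page, not Dell code: the configuration text is constructed in the command syntax shown on this page, the dot1p-to-queue mapping is an assumed one, and the PfcMode and strict-priority rendering details are assumptions where the page does not show them:

```python
"""Added example (not Dell code): parse an FTOS-style DCB map, check it against
the rules stated on this page (every dot1p 0-7 in one group; bandwidth 1-100 or
strict-priority per group; percentages summing to 100; at most 4 groups and 2
PFC-enabled groups; priorities sharing a data queue sharing a group; invalid ETS
settings replaced by the default of 100% for group 0) and render it in the
show qos dcb-map layout. Config text and dot1p-to-queue map are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed dot1p -> data-queue map (4 queues), chosen so the page's own example,
# with priority 3 alone in a group, is legal under the shared-queue rule.
DOT1P_TO_QUEUE = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}
MAX_GROUPS, MAX_PFC_GROUPS = 4, 2
_PG_RE = re.compile(r"^priority-group\s+(\d+)\s+(?:bandwidth\s+(\d+)|(strict-priority))"
                    r"\s+pfc\s+(on|off)$")


@dataclass
class DcbMap:
    name: str
    pgid_of: Dict[int, int] = field(default_factory=dict)  # dot1p -> group number
    # group number -> (bandwidth percent, or None for strict-priority; PFC on?)
    groups: Dict[int, Tuple[Optional[int], bool]] = field(default_factory=dict)

DEFAULT_MAP = DcbMap("default", {p: 0 for p in range(8)}, {0: (100, False)})

def parse_dcb_map(text: str) -> DcbMap:
    """Parse 'dcb-map NAME' followed by priority-pgid and priority-group lines."""
    dcb = None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("dcb-map "):
            dcb = DcbMap(line.split(None, 1)[1])
        elif dcb is None:
            raise ValueError("DCB map parameter outside a dcb-map block")
        elif line.startswith("priority-pgid "):
            values = [int(v) for v in line.split()[1:]]
            if len(values) != 8:
                raise ValueError("priority-pgid needs one group per dot1p 0-7")
            dcb.pgid_of = dict(enumerate(values))
        else:
            m = _PG_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised DCB map line: {line}")
            pgid, bw, strict, pfc = m.groups()
            dcb.groups[int(pgid)] = (None if strict else int(bw), pfc == "on")
    if dcb is None:
        raise ValueError("no dcb-map line found")
    return dcb

def validate(dcb: DcbMap, queue_of: Dict[int, int] = DOT1P_TO_QUEUE) -> List[str]:
    """Return the rule violations; an empty list means the map is Complete."""
    errors: List[str] = []
    if len(dcb.pgid_of) != 8:
        errors.append("every 802.1p priority must map to a priority group")
    used = set(dcb.pgid_of.values())
    if len(used) > MAX_GROUPS:
        errors.append(f"more than {MAX_GROUPS} priority groups")
    errors += [f"group {g} has no priority-group line" for g in sorted(used - set(dcb.groups))]
    errors += [f"group {g}: bandwidth must be 1-100" for g, (bw, _) in sorted(dcb.groups.items())
               if bw is not None and not 1 <= bw <= 100]
    total = sum(bw or 0 for bw, _ in dcb.groups.values())
    if total != 100:
        errors.append(f"bandwidth percentages sum to {total}, not 100")
    if sum(pfc for _, pfc in dcb.groups.values()) > MAX_PFC_GROUPS:
        errors.append(f"PFC enabled on more than {MAX_PFC_GROUPS} groups")
    first, mixed = {}, set()  # data queue -> group of its first priority; clashing queues
    for prio, g in dcb.pgid_of.items():
        if first.setdefault(queue_of[prio], g) != g:
            mixed.add(queue_of[prio])
    errors += [f"data queue {q} holds priorities from different groups" for q in sorted(mixed)]
    return errors

def effective_map(dcb: DcbMap) -> DcbMap:
    """An invalid ETS configuration is ignored; the default map applies instead."""
    return dcb if not validate(dcb) else DEFAULT_MAP

def render(dcb: DcbMap) -> str:
    """show qos dcb-map layout. Assumed: PfcMode ON if any group has PFC on; SP BW:0."""
    state = "Complete" if not validate(dcb) else "In progress"
    pfc_mode = "ON" if any(pfc for _, pfc in dcb.groups.values()) else "OFF"
    lines = [f"State :{state} PfcMode:{pfc_mode}", "-" * 20]
    for g, (bw, pfc) in sorted(dcb.groups.items()):
        prios = " ".join(str(p) for p, grp in sorted(dcb.pgid_of.items()) if grp == g)
        lines.append(f"PG:{g} TSA:{'ETS' if bw else 'SP'} BW:{bw or 0} "
                     f"PFC:{'ON' if pfc else 'OFF'} Priorities:{prios}")
    return "\n".join(lines)

# Constructed input in this page's syntax; it reproduces the dcbmap2 example output.
GOOD_CONFIG = """
dcb-map dcbmap2
 priority-pgid 0 0 0 1 0 0 0 0
 priority-group 0 bandwidth 50 pfc off
 priority-group 1 bandwidth 50 pfc on
"""
# Constructed invalid input: percentages sum to 80 and three groups enable PFC.
BAD_CONFIG = """
dcb-map dcbmap-bad
 priority-pgid 0 0 0 1 2 2 2 2
 priority-group 0 bandwidth 40 pfc on
 priority-group 1 bandwidth 40 pfc on
 priority-group 2 strict-priority pfc on
"""
```

render(parse_dcb_map(GOOD_CONFIG)) reproduces the dcbmap2 output shown in the example above; for BAD_CONFIG, validate lists the two rule violations, render reports the map as In progress, and effective_map returns the default map, which is the fallback the ETS configuration error paragraph describes.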

Priority-Based Flow Control Using Dynamic Buffer Method

Priority-based flow control using dynamic buffer spaces is supported on the S4810, S4820T, S6000, and MXL platforms.
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device.

Pause and Resume of Traffic

The pause message is the mechanism by which a device that has detected congestion (a heavily loaded queue) informs the peer that is sending to it. When an interface transmits a pause frame, the peer that receives it temporarily halts the transmission of data packets for that priority. The pause frame carries a time value that defines how long the peer must hold its packets; when that time elapses, transmission restarts. When the congestion eases, the device that sent the pause frame drains its buffer below the threshold value and resumes accepting data packets.

Dynamic ingress buffering enables pause frames to be sent at different thresholds, based on the number of ports that are experiencing congestion at a given point in time. This behavior affects the total buffer size used by a particular lossless priority on an interface. The pause and resume thresholds can also be configured dynamically. You can configure a buffer size, pause threshold, ingress shared threshold weight, and resume threshold to control and manage the total amount of buffer space used in your network environment.

All PFC-related settings, such as the DCB input and output policies or DCB maps, are saved in the DCB application and the Differentiated Services Manager (DSM) application. These configurations can be modified only for interfaces on which DCB is enabled. The DCB buffer configurations are also saved in the DCB and DSM databases.
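The pause and resume exchange described above as an added model (example code written for this page, not Dell code). It tracks the buffer occupancy of one lossless priority on an ingress port, sends a pause frame at the pause threshold and a resume at the resume threshold, and lets the peer react only after an assumed link delay, which is why the buffer needs headroom above the pause threshold. All thresholds, sizes, rates and the link delay are assumed values, not numbers taken from this page:

```python
"""Added example (not Dell code): a minimal model of the PFC pause/resume
behaviour this page describes, for one lossless priority on one ingress port.
Buffer occupancy for the priority grows with received frames and shrinks as
the egress side drains it. Reaching the pause threshold sends a PFC pause
frame carrying a pause time for that priority; dropping back to the resume
threshold sends a resume (pause time 0). Thresholds, frame sizes, drain rate
and link delay are assumed values, not numbers taken from the page."""
from dataclasses import dataclass, field
from typing import List, Tuple

PFC_MAX_QUANTA = 0xFFFF  # 802.1Qbb pause time: 16-bit count of 512-bit times


@dataclass
class LosslessQueue:
    priority: int
    buffer_bytes: int       # space reserved for this priority on the port
    pause_threshold: int    # occupancy at which a pause frame is sent
    resume_threshold: int   # occupancy at which a resume frame is sent
    occupancy: int = 0
    paused: bool = False    # True between our pause and our resume
    peak: int = 0
    dropped: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.resume_threshold < self.pause_threshold <= self.buffer_bytes:
            raise ValueError("need 0 <= resume < pause <= buffer")

    def receive(self, tick: int, nbytes: int) -> None:
        """A frame of nbytes arrives from the peer at time tick."""
        if self.occupancy + nbytes > self.buffer_bytes:
            self.dropped += 1   # headroom exhausted: the lossless guarantee is broken
            return
        self.occupancy += nbytes
        self.peak = max(self.peak, self.occupancy)
        if not self.paused and self.occupancy >= self.pause_threshold:
            self.paused = True
            self.events.append((tick, f"PAUSE prio={self.priority} quanta={PFC_MAX_QUANTA}"))

    def drain(self, tick: int, nbytes: int) -> None:
        """The egress side dequeues up to nbytes at time tick."""
        self.occupancy = max(0, self.occupancy - nbytes)
        if self.paused and self.occupancy <= self.resume_threshold:
            self.paused = False
            self.events.append((tick, f"RESUME prio={self.priority} quanta=0"))


def simulate(q: LosslessQueue, ticks: int, arrive: int, drain: int,
             link_delay: int) -> LosslessQueue:
    """Constructed scenario: the peer sends `arrive` bytes per tick until our
    pause reaches it `link_delay` ticks later (frames already on the wire keep
    arriving), and restarts `link_delay` ticks after our resume. Egress drains
    `drain` bytes per tick."""
    peer_sending, pending, seen = True, [], 0   # pending: (tick, peer sending?)
    for t in range(ticks):
        while pending and pending[0][0] <= t:
            peer_sending = pending.pop(0)[1]
        if peer_sending:
            q.receive(t, arrive)
        q.drain(t, drain)
        for _, name in q.events[seen:]:           # propagate new PFC frames
            pending.append((t + link_delay, name.startswith("RESUME")))
        seen = len(q.events)
    return q


if __name__ == "__main__":
    # Enough headroom above the pause threshold for the in-flight frames.
    ok = simulate(LosslessQueue(3, 12000, 6000, 3000), 20, 1500, 500, 2)
    print(ok.events, "peak", ok.peak, "dropped", ok.dropped)
    # Same thresholds with a 7000-byte buffer: in-flight frames overflow it.
    lossy = simulate(LosslessQueue(3, 7000, 6000, 3000), 20, 1500, 500, 2)
    print(lossy.events, "peak", lossy.peak, "dropped", lossy.dropped)
```

The second scenario keeps the same thresholds but a smaller buffer: the frames already in flight when the pause goes out overflow it, and the lossless guarantee is lost. The pause threshold therefore has to sit low enough that the buffer remaining above it covers what the peer can still send before it sees the pause, which is the trade-off behind the buffer size and threshold settings described above.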

Buffer Sizes for Lossless or PFC Packets

You can configure up to a maximum of 4 lossless (PFC) queues. By configuring 4 lossless queues, you can configure 4 different priorities and assign a particular priority to each application that your network is used to process. For example, you can assign a higher priority for time-sensitive applications and a lower priority for other services, such as file transfers. You can configure the amount of buffer space to be allocated for each priority and the pause or resume thresholds for the buffer. This method of configuration enables you to effectively manage and administer the behavior of lossless queues. Although the system contains 9 MB of space for shared buffers, a minimum guaranteed buffer is provided to all the internal and external ports in the system for both unicast and multicast traffic. This minimum