Dell Force10 Z9000 Configuration manual

Dell Configuration Guide for the Z9000
System

9.5(0.1)

Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you
how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and

intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc. in the United States and/or other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

2014 - 07

Rev. A00

Contents

1 About this Guide..................................................................................................31

Audience.............................................................................................................................................. 31

Conventions.........................................................................................................................................31

Related Documents.............................................................................................................................31

2 Configuration Fundamentals........................................................................... 32

Accessing the Command Line............................................................................................................32

CLI Modes............................................................................................................................................32

Navigating CLI Modes................................................................................................................... 34

The do Command............................................................................................................................... 37

Undoing Commands...........................................................................................................................38

Obtaining Help.................................................................................................................................... 39

Entering and Editing Commands....................................................................................................... 39

Command History.............................................................................................................................. 40

Filtering show Command Outputs.....................................................................................................40

Multiple Users in Configuration Mode............................................................................................... 42

3 Data Center Bridging (DCB)..............................................................................43

SNMP Support for PFC and Buffer Statistics Tracking.......................................................................43

4 Getting Started................................................................................................... 44

Console Access...................................................................................................................................44

Serial Console................................................................................................................................44

Accessing the CLI Interface and Running Scripts Using SSH............................................................45

Z9000 ........................................................................................................................................... 45

Entering CLI commands Using an SSH Connection................................................................... 46

Executing Local CLI Scripts Using an SSH Connection...............................................................46

Default Configuration......................................................................................................................... 47

Configuring a Host Name...................................................................................................................47

Accessing the System Remotely.........................................................................................................47

Accessing the Z-Series and Remotely..........................................................................................47

Configure the Management Port IP Address............................................................................... 47

Configure a Management Route..................................................................................................48

Configuring a Username and Password.......................................................................................48

Configuring the Enable Password......................................................................................................48

Configuration File Management.........................................................................................................49

Copy Files to and from the System.............................................................................................. 49

Save the Running-Configuration..................................................................................................50

Configure the Overload Bit for a Startup Scenario...................................................................... 51

Viewing Files...................................................................................................................................51

Managing the File System................................................................................................................... 52

Enabling Software Features on Devices Using a Command Option................................................ 53

View Command History......................................................................................................................54

Upgrading Dell Networking OS.......................................................................................................... 54

Using HTTP for File Transfers............................................................................................................. 55

Using Hashes to Validate Software Images........................................................................................55

5 Management........................................................................................................57

Configuring Privilege Levels................................................................................................................57

Creating a Custom Privilege Level................................................................................................57

Removing a Command from EXEC Mode....................................................................................57

Moving a Command from EXEC Privilege Mode to EXEC Mode................................................ 57

Allowing Access to CONFIGURATION Mode Commands.......................................................... 58

Allowing Access to the Following Modes.................................................................................... 58

Applying a Privilege Level to a Username.................................................................................... 60

Applying a Privilege Level to a Terminal Line...............................................................................60

Configuring Logging...........................................................................................................................60

Audit and Security Logs.................................................................................................................61

Configuring Logging Format ...................................................................................................... 62

Setting Up a Secure Connection to a Syslog Server....................................................................63

Log Messages in the Internal Buffer...................................................................................................64

Configuration Task List for System Log Management................................................................ 64

Disabling System Logging.................................................................................................................. 64

Sending System Messages to a Syslog Server....................................................................................65

Configuring a UNIX System as a Syslog Server............................................................................65

Changing System Logging Settings....................................................................................................65

Display the Logging Buffer and the Logging Configuration............................................................. 66

Configuring a UNIX Logging Facility Level.........................................................................................67

Synchronizing Log Messages............................................................................................................. 68

Enabling Timestamp on Syslog Messages......................................................................................... 68

File Transfer Services.......................................................................................................................... 69

Configuration Task List for File Transfer Services........................................................................69

Enabling the FTP Server................................................................................................................ 69

Configuring FTP Server Parameters............................................................................................. 70

Configuring FTP Client Parameters..............................................................................................70

Terminal Lines......................................................................................................................................71

Denying and Permitting Access to a Terminal Line......................................................................71

Configuring Login Authentication for Terminal Lines..................................................................72

Setting Time Out of EXEC Privilege Mode..........................................................................................73

Using Telnet to get to Another Network Device................................................................................73

Lock CONFIGURATION Mode............................................................................................................74

Viewing the Configuration Lock Status........................................................................................ 74

Recovering from a Forgotten Password on the Z9000 System........................................................75

Recovering from a Forgotten Enable Password on the Z9000.................................................. 76

Recovering from a Failed Start on the Z9000 System.......................................................................77

Restoring the Factory Default Settings...............................................................................................78

Z9000MXL Switch......................................................................................................................... 78

Important Points to Remember....................................................................................................78

Restoring Factory Default Environment Variables....................................................................... 78

6 802.1X................................................................................................................... 81

The Port-Authentication Process.......................................................................................................82

EAP over RADIUS...........................................................................................................................84

Configuring 802.1X............................................................................................................................. 84

Related Configuration Tasks.........................................................................................................84

Important Points to Remember..........................................................................................................85

Enabling 802.1X...................................................................................................................................85

Configuring Request Identity Re-Transmissions............................................................................... 87

Configuring a Quiet Period after a Failed Authentication........................................................... 87

Forcibly Authorizing or Unauthorizing a Port....................................................................................88

Re-Authenticating a Port....................................................................................................................89

Configuring Timeouts.........................................................................................................................90

Configuring Dynamic VLAN Assignment with Port Authentication.................................................. 91

Guest and Authentication-Fail VLANs................................................................................................92

Configuring a Guest VLAN............................................................................................................93

Configuring an Authentication-Fail VLAN....................................................................................93

7 Access Control Lists (ACLs)...............................................................................95

IP Access Control Lists (ACLs)............................................................................................................ 96

CAM Usage....................................................................................................................................96

Implementing ACLs on Dell Networking OS............................................................................... 98

IP Fragment Handling......................................................................................................................... 99

IP Fragments ACL Examples......................................................................................................... 99

Layer 4 ACL Rules Examples.......................................................................................................100

Configure a Standard IP ACL............................................................................................................ 101

Configuring a Standard IP ACL Filter..........................................................................................102

Configure an Extended IP ACL......................................................................................................... 103

Configuring Filters with a Sequence Number............................................................................103

Configuring Filters Without a Sequence Number......................................................................104

Configure Layer 2 and Layer 3 ACLs................................................................................................ 105

Assign an IP ACL to an Interface...................................................................................................... 106

Applying an IP ACL............................................................................................................................106

Counting ACL Hits.......................................................................................................................107

Configure Ingress ACLs.....................................................................................................................107

Configure Egress ACLs..................................................................................................................... 108

Applying Egress Layer 3 ACLs (Control-Plane).......................................................................... 109

IP Prefix Lists......................................................................................................................................109

Implementation Information.......................................................................................................110

Configuration Task List for Prefix Lists........................................................................................110

ACL Resequencing............................................................................................................................ 114

Resequencing an ACL or Prefix List............................................................................................ 115

Route Maps........................................................................................................................................ 116

Implementation Information.......................................................................................................116

Important Points to Remember........................................................................................................ 116

Configuration Task List for Route Maps......................................................................................117

Configuring Match Routes.......................................................................................................... 119

Configuring Set Conditions.........................................................................................................121

Configure a Route Map for Route Redistribution...................................................................... 122

Configure a Route Map for Route Tagging................................................................................ 122

Continue Clause..........................................................................................................................123

Logging of ACL Processes................................................................................................................ 123

Guidelines for Configuring ACL Logging......................................................................................... 124

Configuring ACL Logging................................................................................................................. 125

Flow-Based Monitoring Support for ACLs....................................................................................... 125

Behavior of Flow-Based Monitoring...........................................................................................126

Enabling Flow-Based Monitoring..................................................................................................... 127

8 Access Control List (ACL) VLAN Groups and Content Addressable

Memory (CAM)......................................................................................................129

Optimizing CAM Utilization During the Attachment of ACLs to VLANs......................................... 129

Guidelines for Configuring ACL VLAN groups.................................................................................130

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters.........................131

Configuring ACL VLAN Groups................................................................................................... 131

Configuring FP Blocks for VLAN Parameters............................................................................. 132

Viewing CAM Usage.......................................................................................................................... 133

Allocating FP Blocks for VLAN Processes.........................................................................................134

9 Bidirectional Forwarding Detection (BFD)...................................................136

How BFD Works................................................................................................................................ 136

BFD Packet Format......................................................................................................................137

BFD Sessions................................................................................................................................139

BFD Three-Way Handshake........................................................................................................139

Session State Changes................................................................................................................140

Important Points to Remember........................................................................................................ 141

Configure BFD................................................................................................................................... 141

Configure BFD for Physical Ports............................................................................................... 142

Configure BFD for Static Routes.................................................................................................145

Configure BFD for OSPF..............................................................................................................147

Configure BFD for OSPFv3......................................................................................................... 150

Configure BFD for IS-IS............................................................................................................... 151

Configure BFD for BGP............................................................................................................... 154

Configure BFD for VRRP..............................................................................................................161

Configuring Protocol Liveness................................................................................................... 164

Troubleshooting BFD..................................................................................................................164

10 Border Gateway Protocol IPv4 (BGPv4).................................................... 166

Autonomous Systems (AS)................................................................................................................166

Sessions and Peers............................................................................................................................168

Establish a Session.......................................................................................................................169

Route Reflectors................................................................................................................................169

BGP Attributes................................................................................................................................... 170

Best Path Selection Criteria......................................................................................................... 171

Weight.......................................................................................................................................... 173

Local Preference..........................................................................................................................173

Multi-Exit Discriminators (MEDs)................................................................................................ 174

Origin............................................................................................................................................175

AS Path......................................................................................................................................... 176

Next Hop......................................................................................................................................176

Multiprotocol BGP............................................................................................................................. 177

Implement BGP with Dell Networking OS........................................................................................177

Additional Path (Add-Path) Support............................................................................................177

Advertise IGP Cost as MED for Redistributed Routes.................................................................177

Ignore Router-ID for Some Best-Path Calculations..................................................................178

Four-Byte AS Numbers................................................................................................................178

AS4 Number Representation.......................................................................................................179

AS Number Migration..................................................................................................................180

BGP4 Management Information Base (MIB).............................................................................. 182

Important Points to Remember..................................................................................................182

Configuration Information................................................................................................................183

BGP Configuration............................................................................................................................ 183

Enabling BGP...............................................................................................................................184

Configuring AS4 Number Representations................................................................................188

Configuring Peer Groups............................................................................................................190

Configuring BGP Fast Fall-Over..................................................................................................192

Configuring Passive Peering....................................................................................................... 194

Maintaining Existing AS Numbers During an AS Migration........................................................195

Allowing an AS Number to Appear in its Own AS Path..............................................................196

Enabling Graceful Restart............................................................................................................197

Enabling Neighbor Graceful Restart...........................................................................................198

Filtering on an AS-Path Attribute................................................................................................198

Regular Expressions as Filters.................................................................................................... 200

Redistributing Routes..................................................................................................................201

Enabling Additional Paths...........................................................................................................202

Configuring IP Community Lists................................................................................................ 202

Configuring an IP Extended Community List............................................................................ 204

Filtering Routes with Community Lists...................................................................................... 205

Manipulating the COMMUNITY Attribute.................................................................................. 205

Changing MED Attributes........................................................................................................... 207

Changing the LOCAL_PREFERENCE Attribute.......................................................................... 207

Changing the NEXT_HOP Attribute...........................................................................................208

Changing the WEIGHT Attribute................................................................................................209

Enabling Multipath......................................................................................................................209

Filtering BGP Routes...................................................................................................................209

Filtering BGP Routes Using Route Maps.....................................................................................211

Filtering BGP Routes Using AS-PATH Information.................................................................... 212

Configuring BGP Route Reflectors.............................................................................................212

Aggregating Routes.....................................................................................................................213

Configuring BGP Confederations...............................................................................................214

Enabling Route Flap Dampening................................................................................................ 214

Changing BGP Timers................................................................................................................. 217

Enabling BGP Neighbor Soft-Reconfiguration...........................................................................217

Route Map Continue...................................................................................................................219

Enabling MBGP Configurations........................................................................................................ 219

BGP Regular Expression Optimization.............................................................................................220

Debugging BGP................................................................................................................................ 220

Storing Last and Bad PDUs..........................................................................................................221

Capturing PDUs...........................................................................................................................222

PDU Counters............................................................................................................................. 223

Sample Configurations..................................................................................................................... 224

11 Content Addressable Memory (CAM)......................................................... 230

CAM Allocation................................................................................................................................. 230

Test CAM Usage................................................................................................................................232

View CAM Profiles.............................................................................................................................232

View CAM-ACL Settings................................................................................................................... 233

View CAM Usage...............................................................................................................................235

CAM Optimization.............................................................................................................................235

Troubleshoot CAM Profiling.............................................................................................................236

CAM Profile Mismatches.............................................................................................................236

QoS CAM Region Limitation.......................................................................................................236

12 Control Plane Policing (CoPP)..................................................................... 237

Configure Control Plane Policing.................................................................................................... 238

Configuring CoPP for Protocols................................................................................................ 239

Configuring CoPP for CPU Queues........................................................................................... 241

CoPP for OSPFv3 Packets...........................................................................................................242

Configuring CoPP for OSPFv3....................................................................................................245

Show Commands....................................................................................................................... 246

13 Dynamic Host Configuration Protocol (DHCP)........................................248

DHCP Packet Format and Options.................................................................................................. 248

Assign an IP Address using DHCP....................................................................................................250

Implementation Information............................................................................................................ 251

Configure the System to be a DHCP Server.................................................................................... 252

Configuring the Server for Automatic Address Allocation........................................................ 252

Specifying a Default Gateway.....................................................................................................254

Configure a Method of Hostname Resolution.......................................................................... 254

Using DNS for Address Resolution.............................................................................................254

Using NetBIOS WINS for Address Resolution............................................................................ 254

Creating Manual Binding Entries................................................................................................ 255

Debugging the DHCP Server......................................................................................................255

Using DHCP Clear Commands...................................................................................................255

Configure the System to be a Relay Agent......................................................................................256

Configure the System to be a DHCP Client.................................................................................... 258

DHCP Client on a Management Interface................................................................................. 258

DHCP Client Operation with Other Features............................................................................ 259

Configure the System for User Port Stacking (Option 230)........................................................... 260

Configure Secure DHCP.................................................................................................................. 260

Option 82....................................................................................................................................260

DHCP Snooping.......................................................................................................................... 261

Drop DHCP Packets on Snooped VLANs Only..........................................................................263

Dynamic ARP Inspection............................................................................................................ 263

Configuring Dynamic ARP Inspection........................................................................................265

Source Address Validation................................................................................................................266

Enabling IP Source Address Validation...................................................................................... 266

DHCP MAC Source Address Validation......................................................................................266

Enabling IP+MAC Source Address Validation............................................................................ 267

14 Equal Cost Multi-Path (ECMP).....................................................................268

ECMP for Flow-Based Affinity..........................................................................................................268

Configuring the Hash Algorithm................................................................................................ 268

Enabling Deterministic ECMP Next Hop....................................................................................268

Configuring the Hash Algorithm Seed.......................................................................................269

Link Bundle Monitoring.................................................................................................................... 269

Managing ECMP Group Paths.................................................................................................... 270

Creating an ECMP Group Bundle............................................................................................... 271

Modifying the ECMP Group Threshold.......................................................................................271

15 Enabling FIPS Cryptography.........................................................................273

Configuration Tasks.......................................................................................................................... 273

Preparing the System........................................................................................................................273

Enabling FIPS Mode.......................................................................................................................... 274

Generating Host-Keys...................................................................................................................... 274

Monitoring FIPS Mode Status........................................................................................................... 275

Disabling FIPS Mode..........................................................................................................................275

16 Force10 Resilient Ring Protocol (FRRP)..................................................... 277

Protocol Overview............................................................................................................................ 277

Ring Status...................................................................................................................................278

Multiple FRRP Rings.................................................................................................................... 279

Important FRRP Points................................................................................................................279

Important FRRP Concepts.......................................................................................................... 279

Implementing FRRP.......................................................................................................................... 281

FRRP Configuration...........................................................................................................................281

Creating the FRRP Group............................................................................................................281

Configuring the Control VLAN................................................................................................... 282

Configuring and Adding the Member VLANs.............................................................................283

Setting the FRRP Timers............................................................................................................. 284

Clearing the FRRP Counters.......................................................................................................285

Viewing the FRRP Configuration................................................................................................285

Viewing the FRRP Information................................................................................................... 285

Troubleshooting FRRP......................................................................................................................286

Configuration Checks.................................................................................................................286

Sample Configuration and Topology.............................................................................................. 286

17 GARP VLAN Registration Protocol (GVRP)................................................ 288

Important Points to Remember....................................................................................................... 288

Configure GVRP................................................................................................................................289

Related Configuration Tasks...................................................................................................... 289

Enabling GVRP Globally................................................................................................................... 290

Enabling GVRP on a Layer 2 Interface.............................................................................................290

Configure GVRP Registration...........................................................................................................290

Configure a GARP Timer...................................................................................................................291

18 Internet Group Management Protocol (IGMP).........................................293

IGMP Implementation Information..................................................................................................293

IGMP Protocol Overview..................................................................................................................293

IGMP Version 2............................................................................................................................293

IGMP Version 3............................................................................................................................295

Configure IGMP................................................................................................................................ 298

Related Configuration Tasks...................................................................................................... 298

Viewing IGMP Enabled Interfaces....................................................................................................299

Selecting an IGMP Version............................................................................................................... 299

Viewing IGMP Groups...................................................................................................................... 300

Adjusting Timers...............................................................................................................................300

Adjusting Query and Response Timers......................................................................................300

Adjusting the IGMP Querier Timeout Value...............................................................................301

Configuring a Static IGMP Group.....................................................................................................301

Enabling IGMP Immediate-Leave.................................................................................................... 302

IGMP Snooping.................................................................................................................................302

IGMP Snooping Implementation Information...........................................................................302

Configuring IGMP Snooping...................................................................................................... 302

Removing a Group-Port Association......................................................................................... 303

Disabling Multicast Flooding...................................................................................................... 303

Specifying a Port as Connected to a Multicast Router............................................................. 304

Configuring the Switch as Querier.............................................................................................304

Fast Convergence after MSTP Topology Changes......................................................................... 305

Egress Interface Selection (EIS) for HTTP and IGMP Applications..................................................305

Protocol Separation....................................................................................................................306

Enabling and Disabling Management Egress Interface Selection.............................................307

Handling of Management Route Configuration........................................................................308

Handling of Switch-Initiated Traffic...........................................................................................308

Handling of Switch-Destined Traffic......................................................................................... 309

Handling of Transit Traffic (Traffic Separation).......................................................................... 310

Mapping of Management Applications and Traffic Type...........................................................310

Behavior of Various Applications for Switch-Initiated Traffic ................................................... 311

Behavior of Various Applications for Switch-Destined Traffic ................................................. 312

Interworking of EIS With Various Applications...........................................................................313

Designating a Multicast Router Interface.........................................................................................314

19 Interfaces..........................................................................................................315

Basic Interface Configuration........................................................................................................... 315

Advanced Interface Configuration................................................................................................... 315

Interface Types..................................................................................................................................316

View Basic Interface Information..................................................................................................... 316

Enabling a Physical Interface............................................................................................................318

Physical Interfaces.............................................................................................................................318

Configuration Task List for Physical Interfaces.......................................................................... 319

Overview of Layer Modes........................................................................................................... 319

Configuring Layer 2 (Data Link) Mode........................................................................................319

Configuring Layer 2 (Interface) Mode........................................................................................320

Configuring Layer 3 (Network) Mode........................................................................................ 320

Configuring Layer 3 (Interface) Mode.........................................................................................321

Egress Interface Selection (EIS).........................................................................................................321

Important Points to Remember..................................................................................................322

Configuring EIS........................................................................................................................... 322

Management Interfaces....................................................................................................................322

Configuring Management Interfaces......................................................................................... 322

Configuring Management Interfaces on the S-Series...............................................................323

VLAN Interfaces................................................................................................................................ 324

Loopback Interfaces......................................................................................................................... 325

Null Interfaces................................................................................................................................... 325

Port Channel Interfaces....................................................................................................................325

Port Channel Definition and Standards......................................................................................326

Port Channel Benefits.................................................................................................................326

Port Channel Implementation....................................................................................................326

10/100/1000 Mbps Interfaces in Port Channels........................................................................327

Configuration Tasks for Port Channel Interfaces...................................................................... 327

Creating a Port Channel............................................................................................................. 328

Adding a Physical Interface to a Port Channel.......................................................................... 328

Reassigning an Interface to a New Port Channel......................................................................330

Configuring the Minimum Oper Up Links in a Port Channel.....................................................331

......................................................................................................................................................331

Assigning an IP Address to a Port Channel................................................................................ 332

Deleting or Disabling a Port Channel.........................................................................................332

Load Balancing Through Port Channels.................................................................................... 332

Load-Balancing on the S- Series................................................................................................333

Changing the Hash Algorithm.................................................................................................... 333

Bulk Configuration............................................................................................................................335

Interface Range........................................................................................................................... 335

Bulk Configuration Examples..................................................................................................... 335

Defining Interface Range Macros.....................................................................................................337

Define the Interface Range.........................................................................................................337

Choosing an Interface-Range Macro.........................................................................................337

Monitoring and Maintaining Interfaces............................................................................................338

Maintenance Using TDR............................................................................................................. 339

Splitting QSFP Ports to SFP+ Ports.................................................................................................. 339

Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port............................................................340

Important Points to Remember..................................................................................................341

Support for LM4 Optics...............................................................................................................341

Example Scenarios......................................................................................................................342

Link Dampening................................................................................................................................346

Important Points to Remember................................................................................................. 346

Enabling Link Dampening...........................................................................................................346

Link Bundle Monitoring.................................................................................................................... 348

Using Ethernet Pause Frames for Flow Control.............................................................................. 348

Threshold Settings...................................................................................................................... 349

Enabling Pause Frames...............................................................................................................349

Configure the MTU Size on an Interface......................................................................................... 350

Port-Pipes..........................................................................................................................................351

Auto-Negotiation on Ethernet Interfaces........................................................................................ 351

Setting the Speed and Duplex Mode of Ethernet Interfaces.....................................................352

Set Auto-Negotiation Options....................................................................................................353

View Advanced Interface Information............................................................................................. 354

Configuring the Interface Sampling Size................................................................................... 355

Dynamic Counters............................................................................................................................356

Clearing Interface Counters....................................................................................................... 356

Enhanced Validation of Interface Ranges........................................................................................ 357

20 Internet Protocol Security (IPSec).............................................................. 358

Configuring IPSec ............................................................................................................................ 359

21 IPv4 Routing....................................................................................................360

IP Addresses......................................................................................................................................360

Implementation Information......................................................................................................360

Configuration Tasks for IP Addresses.............................................................................................. 360

Assigning IP Addresses to an Interface.............................................................................................361

Configuring Static Routes.................................................................................................................362

Configure Static Routes for the Management Interface.................................................................363

IPv4 Path MTU Discovery Overview.................................................................................................364

Using the Configured Source IP Address in ICMP Messages..........................................................365

Configuring the ICMP Source Interface.....................................................................................365

Configuring the Duration to Establish a TCP Connection..............................................................365

Enabling Directed Broadcast............................................................................................................366

Resolution of Host Names............................................................................................................... 366

Enabling Dynamic Resolution of Host Names................................................................................ 366

Specifying the Local System Domain and a List of Domains..........................................................367

Configuring DNS with Traceroute....................................................................................................367

ARP.................................................................................................................................................... 368

Configuration Tasks for ARP............................................................................................................ 369

Configuring Static ARP Entries......................................................................................................... 369

Enabling Proxy ARP...........................................................................................................................369

Clearing ARP Cache..........................................................................................................................370

ARP Learning via Gratuitous ARP..................................................................................................... 370

Enabling ARP Learning via Gratuitous ARP.......................................................................................371

ARP Learning via ARP Request..........................................................................................................371

Configuring ARP Retries....................................................................................................................372

ICMP.................................................................................................................................................. 373

Configuration Tasks for ICMP...........................................................................................................373

Enabling ICMP Unreachable Messages............................................................................................373

UDP Helper........................................................................................................................................373

Configure UDP Helper................................................................................................................ 373

Important Points to Remember..................................................................................................374

Enabling UDP Helper........................................................................................................................ 374

Configuring a Broadcast Address.....................................................................................................374

Configurations Using UDP Helper....................................................................................................375

UDP Helper with Broadcast-All Addresses...................................................................................... 375

UDP Helper with Subnet Broadcast Addresses................................................................................376

UDP Helper with Configured Broadcast Addresses.........................................................................377

UDP Helper with No Configured Broadcast Addresses...................................................................377

Troubleshooting UDP Helper........................................................................................................... 377

22 IPv6 Routing....................................................................................................379

Protocol Overview............................................................................................................................ 379

Extended Address Space.............................................................................................................379

Stateless Autoconfiguration........................................................................................................379

IPv6 Headers............................................................................................................................... 380

IPv6 Header Fields.......................................................................................................................381

Extension Header Fields..............................................................................................................382

Addressing...................................................................................................................................383

Implementing IPv6 with Dell Networking OS..................................................................................385

ICMPv6.............................................................................................................................................. 387

Path MTU Discovery..........................................................................................................................387

IPv6 Neighbor Discovery..................................................................................................................388

IPv6 Neighbor Discovery of MTU Packets.................................................................................389

Configuration Task List for IPv6 RDNSS.......................................................................................... 389

Configuring the IPv6 Recursive DNS Server.............................................................................. 389

Debugging IPv6 RDNSS Information Sent to the Host ............................................................ 390

Displaying IPv6 RDNSS Information........................................................................................... 391

Secure Shell (SSH) Over an IPv6 Transport......................................................................................392

Configuration Tasks for IPv6............................................................................................................ 392

Adjusting Your CAM-Profile........................................................................................................392

Assigning an IPv6 Address to an Interface.................................................................................393

Assigning a Static IPv6 Route..................................................................................................... 393

Configuring Telnet with IPv6......................................................................................................394

SNMP over IPv6...........................................................................................................................394

Showing IPv6 Information.......................................................................................................... 395

Showing an IPv6 Interface..........................................................................................................395

Showing IPv6 Routes..................................................................................................................396

Showing the Running-Configuration for an Interface.............................................................. 397

Clearing IPv6 Routes...................................................................................................................398

23 Intermediate System to Intermediate System.......................................... 399

IS-IS Protocol Overview................................................................................................................... 399

IS-IS Addressing................................................................................................................................399

Multi-Topology IS-IS........................................................................................................................400

Transition Mode.......................................................................................................................... 401

Interface Support........................................................................................................................ 401

Adjacencies..................................................................................................................................401

Graceful Restart................................................................................................................................ 401

Timers..........................................................................................................................................402

Implementation Information............................................................................................................402

Configuration Information............................................................................................................... 403

Configuration Tasks for IS-IS..................................................................................................... 403

Configuring the Distance of a Route..........................................................................................412

Changing the IS-Type................................................................................................................. 412

Redistributing IPv4 Routes..........................................................................................................415

Redistributing IPv6 Routes..........................................................................................................416

Configuring Authentication Passwords......................................................................................417

Setting the Overload Bit.............................................................................................................. 417

Debugging IS-IS.......................................................................................................................... 418

IS-IS Metric Styles..............................................................................................................................419

Configure Metric Values................................................................................................................... 419

Maximum Values in the Routing Table...................................................................................... 420

Change the IS-IS Metric Style in One Level Only......................................................................420

Leaks from One Level to Another.............................................................................................. 422

Sample Configurations..................................................................................................................... 422

24 Link Aggregation Control Protocol (LACP)...............................................425

Introduction to Dynamic LAGs and LACP....................................................................................... 425

Important Points to Remember................................................................................................. 425

LACP Modes................................................................................................................................426

Configuring LACP Commands...................................................................................................426

LACP Configuration Tasks................................................................................................................ 427

Creating a LAG............................................................................................................................ 427

Configuring the LAG Interfaces as Dynamic............................................................................. 428

Setting the LACP Long Timeout.................................................................................................428

Monitoring and Debugging LACP.............................................................................................. 429

Shared LAG State Tracking...............................................................................................................429

Configuring Shared LAG State Tracking.................................................................................... 430

Important Points about Shared LAG State Tracking.................................................................. 431

LACP Basic Configuration Example................................................................................................. 432

Configure a LAG on ALPHA........................................................................................................ 432

Setting Up a Threshold for Utilization of High-Gigabit Port Channels.......................................... 439

Guidelines for Monitoring High-Gigabit Port Channels............................................................441

Enabling the Verification of Member Links Utilization in a High-Gigabit Port Channel................442

Viewing Buffer Utilization and Queue Statistics on High-Gigabit Ethernet Backplane Ports....... 442

25 Layer 2..............................................................................................................444

Manage the MAC Address Table......................................................................................................444

Clearing the MAC Address Table............................................................................................... 444

Setting the Aging Time for Dynamic Entries..............................................................................444

Configuring a Static MAC Address............................................................................................. 445

Displaying the MAC Address Table............................................................................................ 445

MAC Learning Limit.......................................................................................................................... 445

Setting the MAC Learning Limit................................................................................................. 446

mac learning-limit Dynamic.......................................................................................................446

mac learning-limit mac-address-sticky.....................................................................................447

mac learning-limit station-move............................................................................................... 447

mac learning-limit no-station-move.........................................................................................447

Learning Limit Violation Actions................................................................................................ 448

Setting Station Move Violation Actions......................................................................................448

Recovering from Learning Limit and Station Move Violations................................................. 449

NIC Teaming.....................................................................................................................................449

Configure Redundant Pairs.............................................................................................................. 450

Important Points about Configuring Redundant Pairs..............................................................452

Far-End Failure Detection................................................................................................................ 453

FEFD State Changes....................................................................................................................454

Configuring FEFD........................................................................................................................455

Enabling FEFD on an Interface...................................................................................................456

Debugging FEFD......................................................................................................................... 457

26 Link Layer Discovery Protocol (LLDP)........................................................459

802.1AB (LLDP) Overview.................................................................................................................459

Protocol Data Units.....................................................................................................................459

Optional TLVs................................................................................................................................... 460

Management TLVs......................................................................................................................460

TIA-1057 (LLDP-MED) Overview......................................................................................................462

TIA Organizationally Specific TLVs.............................................................................................463

Configure LLDP.................................................................................................................................467

Related Configuration Tasks.......................................................................................................467

Important Points to Remember................................................................................................. 468

LLDP Compatibility..................................................................................................................... 468

CONFIGURATION versus INTERFACE Configurations................................................................... 468

Enabling LLDP...................................................................................................................................469

Disabling and Undoing LLDP......................................................................................................469

Enabling LLDP on Management Ports.............................................................................................469

Disabling and Undoing LLDP on Management Ports................................................................469

Advertising TLVs................................................................................................................................470

Viewing the LLDP Configuration...................................................................................................... 471

Viewing Information Advertised by Adjacent LLDP Agents.............................................................472

Configuring LLDPDU Intervals..........................................................................................................473

Configuring Transmit and Receive Mode........................................................................................ 473

Configuring a Time to Live............................................................................................................... 474

Debugging LLDP............................................................................................................................... 475

Relevant Management Objects........................................................................................................476

27 Microsoft Network Load Balancing............................................................482

NLB Unicast Mode Scenario.............................................................................................................482

NLB Multicast Mode Scenario..........................................................................................................483

Limitations With Enabling NLB on Switches....................................................................................483

Benefits and Working of Microsoft Clustering................................................................................ 483

Enable and Disable VLAN Flooding .................................................................................................484

Configuring a Switch for NLB ......................................................................................................... 484

.....................................................................................................................................................484

28 Multicast Source Discovery Protocol (MSDP).......................................... 485

Protocol Overview............................................................................................................................485

Anycast RP.........................................................................................................................................487

Implementation Information............................................................................................................487

Configure Multicast Source Discovery Protocol............................................................................. 487

Related Configuration Tasks.......................................................................................................487

Enable MSDP..................................................................................................................................... 491

Manage the Source-Active Cache...................................................................................................492

Viewing the Source-Active Cache............................................................................................. 492

Limiting the Source-Active Cache............................................................................................. 493

Clearing the Source-Active Cache.............................................................................................493

Enabling the Rejected Source-Active Cache.............................................................................493

Accept Source-Active Messages that Fail the RFP Check.............................................................. 493

Specifying Source-Active Messages................................................................................................ 497

Limiting the Source-Active Messages from a Peer......................................................................... 498

Preventing MSDP from Caching a Local Source.............................................................................498

Preventing MSDP from Caching a Remote Source.........................................................................499

Preventing MSDP from Advertising a Local Source........................................................................ 500

Logging Changes in Peership States................................................................................................501

Terminating a Peership..................................................................................................................... 501

Clearing Peer Statistics..................................................................................................................... 501

Debugging MSDP..............................................................................................................................502

MSDP with Anycast RP..................................................................................................................... 502

Configuring Anycast RP....................................................................................................................504

Reducing Source-Active Message Flooding..............................................................................504

Specifying the RP Address Used in SA Messages...................................................................... 504

MSDP Sample Configurations.......................................................................................................... 507

29 Multiple Spanning Tree Protocol (MSTP).................................................. 510

Protocol Overview............................................................................................................................ 510

Spanning Tree Variations...................................................................................................................511

Implementation Information.......................................................................................................511

Configure Multiple Spanning Tree Protocol.....................................................................................511

Related Configuration Tasks........................................................................................................511

Enable Multiple Spanning Tree Globally...........................................................................................512

Adding and Removing Interfaces......................................................................................................512

Creating Multiple Spanning Tree Instances......................................................................................512

Influencing MSTP Root Selection.....................................................................................................514

Interoperate with Non-Dell Networking OS Bridges.......................................................................514

Changing the Region Name or Revision.......................................................................................... 515

Modifying Global Parameters........................................................................................................... 515

Modifying the Interface Parameters................................................................................................. 516

Configuring an EdgePort...................................................................................................................517

Flush MAC Addresses after a Topology Change..............................................................................518

MSTP Sample Configurations........................................................................................................... 518

Router 1 Running-ConfigurationRouter 2 Running-ConfigurationRouter 3 Running-

ConfigurationSFTOS Example Running-Configuration.............................................................519

Debugging and Verifying MSTP Configurations.............................................................................. 522

30 Multicast Features..........................................................................................525

Enabling IP Multicast.........................................................................................................................525

Multicast with ECMP......................................................................................................................... 525

Implementation Information............................................................................................................526

First Packet Forwarding for Lossless Multicast................................................................................ 527

Multicast Policies...............................................................................................................................527

IPv4 Multicast Policies.................................................................................................................527

31 Open Shortest Path First (OSPFv2 and OSPFv3).......................................535

Protocol Overview............................................................................................................................ 535

Autonomous System (AS) Areas................................................................................................. 535

Area Types...................................................................................................................................536

Networks and Neighbors............................................................................................................ 537

Router Types................................................................................................................................537

Designated and Backup Designated Routers............................................................................ 539

Link-State Advertisements (LSAs)............................................................................................... 539

Router Priority and Cost..............................................................................................................541

OSPF with Dell Networking OS........................................................................................................ 541

Graceful Restart.......................................................................................................................... 542

Fast Convergence (OSPFv2, IPv4 Only)..................................................................................... 543

Multi-Process OSPFv2 (IPv4 only)..............................................................................................543

RFC-2328 Compliant OSPF Flooding........................................................................................ 544

OSPF ACK Packing...................................................................................................................... 545

Setting OSPF Adjacency with Cisco Routers............................................................................. 545

Configuration Information............................................................................................................... 546

Configuration Task List for OSPFv2 (OSPF for IPv4)..................................................................546

Sample Configurations for OSPFv2..................................................................................................561

Basic OSPFv2 Router Topology..................................................................................................561

OSPF Area 0 — Gl 1/1 and 1/2.....................................................................................................561

OSPF Area 0 — Gl 3/1 and 3/2....................................................................................................562

OSPF Area 0 — Gl 2/1 and 2/2....................................................................................................562

Configuration Task List for OSPFv3 (OSPF for IPv6)........................................................................562

Enabling IPv6 Unicast Routing................................................................................................... 563

Assigning IPv6 Addresses on an Interface................................................................................. 563

Assigning Area ID on an Interface.............................................................................................. 563

Assigning OSPFv3 Process ID and Router ID Globally.............................................................. 564

Configuring Stub Areas...............................................................................................................564

Configuring Passive-Interface....................................................................................................565

Redistributing Routes..................................................................................................................565

Configuring a Default Route...................................................................................................... 566

Enabling OSPFv3 Graceful Restart............................................................................................. 566

OSPFv3 Authentication Using IPsec...........................................................................................568

Troubleshooting OSPFv3............................................................................................................576

32 Policy-based Routing (PBR)......................................................................... 578

Overview............................................................................................................................................578

Implementing Policy-based Routing with Dell Networking OS.....................................................580

Configuration Task List for Policy-based Routing.......................................................................... 580

PBR Exceptions (Permit)............................................................................................................. 583

Sample Configuration.......................................................................................................................585

Create the Redirect-List GOLDAssign Redirect-List GOLD to Interface 2/11View

Redirect-List GOLD.....................................................................................................................586

33 PIM Sparse-Mode (PIM-SM)......................................................................... 588

Implementation Information............................................................................................................588

Protocol Overview............................................................................................................................588

Requesting Multicast Traffic.......................................................................................................588

Refuse Multicast Traffic.............................................................................................................. 589

Send Multicast Traffic................................................................................................................. 589

Configuring PIM-SM.........................................................................................................................590

Related Configuration Tasks...................................................................................................... 590

Enable PIM-SM................................................................................................................................. 590

Configuring S,G Expiry Timers..........................................................................................................591

Configuring a Static Rendezvous Point........................................................................................... 592

Overriding Bootstrap Router Updates........................................................................................593

Configuring a Designated Router.................................................................................................... 593

Creating Multicast Boundaries and Domains.................................................................................. 594

Enabling PIM-SM Graceful Restart...................................................................................................594

34 PIM Source-Specific Mode (PIM-SSM).......................................................595

Implementation Information............................................................................................................595

Important Points to Remember..................................................................................................595

Configure PIM-SMM.........................................................................................................................596

Related Configuration Tasks...................................................................................................... 596

Enabling PIM-SSM............................................................................................................................ 596

Use PIM-SSM with IGMP Version 2 Hosts....................................................................................... 596

Configuring PIM-SSM with IGMPv2............................................................................................597

35 Port Monitoring..............................................................................................599

Important Points to Remember....................................................................................................... 599

Port Monitoring................................................................................................................................ 600

Configuring Port Monitoring............................................................................................................ 601

Enabling Flow-Based Monitoring.................................................................................................... 603

Remote Port Mirroring..................................................................................................................... 604

Remote Port Mirroring Example................................................................................................ 604

Configuring Remote Port Mirroring...........................................................................................605

Displaying Remote-Port Mirroring Configurations................................................................... 607

Configuring the Sample Remote Port Mirroring....................................................................... 607

Configuring the Encapsulated Remote Port Mirroring.................................................................... 611

Configuration steps for ERPM ....................................................................................................611

ERPM Behavior on a typical Dell Networking OS ........................................................................... 613

Decapsulation of ERPM packets at the Destination IP/ Analyzer..............................................613

36 Private VLANs (PVLAN).................................................................................. 615

Private VLAN Concepts.....................................................................................................................615

Using the Private VLAN Commands.................................................................................................616

Configuration Task List......................................................................................................................617

Creating PVLAN ports..................................................................................................................617

Creating a Primary VLAN.............................................................................................................618

Creating a Community VLAN..................................................................................................... 619

Creating an Isolated VLAN..........................................................................................................620

Private VLAN Configuration Example...............................................................................................621

Inspecting the Private VLAN Configuration.....................................................................................622

37 Per-VLAN Spanning Tree Plus (PVST+)...................................................... 625

Protocol Overview............................................................................................................................625

Implementation Information............................................................................................................626

Configure Per-VLAN Spanning Tree Plus........................................................................................ 626

Related Configuration Tasks...................................................................................................... 626

Enabling PVST+.................................................................................................................................626

Disabling PVST+................................................................................................................................627

Influencing PVST+ Root Selection................................................................................................... 627

Modifying Global PVST+ Parameters...............................................................................................629

Modifying Interface PVST+ Parameters...........................................................................................630

Configuring an EdgePort.................................................................................................................. 631

PVST+ in Multi-Vendor Networks....................................................................................................632

Enabling PVST+ Extend System ID...................................................................................................632

PVST+ Sample Configurations......................................................................................................... 633

38 Quality of Service (QoS)................................................................................635

Implementation Information............................................................................................................ 637

Port-Based QoS Configurations.......................................................................................................637

Setting dot1p Priorities for Incoming Traffic..............................................................................638

Honoring dot1p Priorities on Ingress Traffic..............................................................................638

Configuring Port-Based Rate Policing.......................................................................................639

Configuring Port-Based Rate Shaping.......................................................................................639

Policy-Based QoS Configurations...................................................................................................640

Classify Traffic............................................................................................................................. 641

Create a QoS Policy....................................................................................................................644

Create Policy Maps..................................................................................................................... 646

Enabling QoS Rate Adjustment........................................................................................................ 652

Enabling Strict-Priority Queueing.................................................................................................... 653

Weighted Random Early Detection..................................................................................................653

Creating WRED Profiles.............................................................................................................. 654

Applying a WRED Profile to Traffic.............................................................................................654

Displaying Default and Configured WRED Profiles................................................................... 655

Displaying WRED Drop Statistics................................................................................................655

Pre-Calculating Available QoS CAM Space..................................................................................... 655

Configuring Weights and ECN for WRED .......................................................................................656

Global Service Pools With WRED and ECN Settings..................................................................657

Configuring WRED and ECN Attributes........................................................................................... 658

Guidelines for Configuring ECN for Classifying and Color-Marking Packets................................660

Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class......... 660

Classifying Incoming Packets Using ECN and Color-Marking..................................................661

Sample configuration to mark non-ecn packets as “yellow” with single traffic class............. 663

Applying Layer 2 Match Criteria on a Layer 3 Interface..................................................................664

Applying DSCP and VLAN Match Criteria on a Service Queue.......................................................665

39 Routing Information Protocol (RIP)........................................................... 666

Protocol Overview............................................................................................................................666

RIPv1............................................................................................................................................666

RIPv2............................................................................................................................................666

Implementation Information............................................................................................................667

Configuration Information............................................................................................................... 667

Configuration Task List............................................................................................................... 667

RIP Configuration Example.........................................................................................................674

40 Remote Monitoring (RMON)....................................................................... 680

Implementation Information........................................................................................................... 680

Fault Recovery.................................................................................................................................. 680

Setting the rmon Alarm...............................................................................................................681

Configuring an RMON Event......................................................................................................682

Configuring RMON Collection Statistics................................................................................... 682

Configuring the RMON Collection History................................................................................683

41 Rapid Spanning Tree Protocol (RSTP)........................................................684

Protocol Overview............................................................................................................................684

Configuring Rapid Spanning Tree....................................................................................................684

Related Configuration Tasks...................................................................................................... 684

Important Points to Remember....................................................................................................... 685

RSTP and VLT..............................................................................................................................685

Configuring Interfaces for Layer 2 Mode.........................................................................................685

Enabling Rapid Spanning Tree Protocol Globally........................................................................... 686

Adding and Removing Interfaces.....................................................................................................688

Modifying Global Parameters...........................................................................................................689

Enabling SNMP Traps for Root Elections and Topology Changes...........................................690

Modifying Interface Parameters.......................................................................................................690

Enabling SNMP Traps for Root Elections and Topology Changes................................................. 691

Influencing RSTP Root Selection......................................................................................................691

Configuring an EdgePort.................................................................................................................. 691

Configuring Fast Hellos for Link State Detection............................................................................692

42 Software-Defined Networking (SDN)........................................................ 694

43 Security............................................................................................................ 695

AAA Accounting................................................................................................................................695

Configuration Task List for AAA Accounting............................................................................. 695

AAA Authentication...........................................................................................................................697

Configuration Task List for AAA Authentication........................................................................698

AAA Authorization.............................................................................................................................700

Privilege Levels Overview........................................................................................................... 700

Configuration Task List for Privilege Levels................................................................................701

RADIUS.............................................................................................................................................. 706

RADIUS Authentication...............................................................................................................706

Configuration Task List for RADIUS............................................................................................707

TACACS+...........................................................................................................................................710

Configuration Task List for TACACS+........................................................................................ 710

TACACS+ Remote Authentication..............................................................................................712

Command Authorization.............................................................................................................713

Protection from TCP Tiny and Overlapping Fragment Attacks.......................................................713

Enabling SCP and SSH.......................................................................................................................713

Using SCP with SSH to Copy a Software Image.........................................................................714

Removing the RSA Host Keys and Zeroizing Storage ............................................................... 715

Configuring When to Re-generate an SSH Key .........................................................................715

Configuring the SSH Server Key Exchange Algorithm............................................................... 716

Configuring the HMAC Algorithm for the SSH Server................................................................717

Configuring the SSH Server Cipher List...................................................................................... 717

Secure Shell Authentication........................................................................................................718

Troubleshooting SSH...................................................................................................................721

Telnet................................................................................................................................................. 721

VTY Line and Access-Class Configuration....................................................................................... 721

VTY Line Local Authentication and Authorization..................................................................... 722

VTY Line Remote Authentication and Authorization.................................................................722

VTY MAC-SA Filter Support.........................................................................................................723

Role-Based Access Control..............................................................................................................723

Overview of RBAC.......................................................................................................................724

User Roles....................................................................................................................................726

AAA Authentication and Authorization for Roles.......................................................................730

Role Accounting..........................................................................................................................733

Display Information About User Roles....................................................................................... 734

44 Service Provider Bridging.............................................................................736

VLAN Stacking...................................................................................................................................736

Important Points to Remember..................................................................................................737

Configure VLAN Stacking............................................................................................................738

Creating Access and Trunk Ports............................................................................................... 738

Enable VLAN-Stacking for a VLAN..............................................................................................739

Configuring the Protocol Type Value for the Outer VLAN Tag.................................................739

Configuring Dell Networking OS Options for Trunk Ports........................................................739

Debugging VLAN Stacking..........................................................................................................740

VLAN Stacking in Multi-Vendor Networks..................................................................................741

VLAN Stacking Packet Drop Precedence.........................................................................................744

Enabling Drop Eligibility..............................................................................................................744

Honoring the Incoming DEI Value............................................................................................. 745

Marking Egress Packets with a DEI Value...................................................................................746

Dynamic Mode CoS for VLAN Stacking........................................................................................... 746

Mapping C-Tag to S-Tag dot1p Values......................................................................................748

Layer 2 Protocol Tunneling..............................................................................................................748

Implementation Information...................................................................................................... 750

Enabling Layer 2 Protocol Tunneling..........................................................................................751

Specifying a Destination MAC Address for BPDUs.....................................................................751

Setting Rate-Limit BPDUs............................................................................................................751

Debugging Layer 2 Protocol Tunneling..................................................................................... 752

Provider Backbone Bridging............................................................................................................. 752

45 sFlow.................................................................................................................753

Overview............................................................................................................................................753

Implementation Information............................................................................................................ 753

Important Points to Remember..................................................................................................754

Enabling Extended sFlow..................................................................................................................754

Enabling and Disabling sFlow on an Interface.................................................................................755

sFlow Show Commands................................................................................................................... 755

Displaying Show sFlow Global....................................................................................................755

Displaying Show sFlow on an Interface..................................................................................... 756

Displaying Show sFlow on a Stack-unit..................................................................................... 756

Configuring Specify Collectors.........................................................................................................757

Changing the Polling Intervals..........................................................................................................757

Back-Off Mechanism........................................................................................................................ 757

sFlow on LAG ports...........................................................................................................................758

Enabling Extended sFlow..................................................................................................................758

Important Points to Remember..................................................................................................759

46 Simple Network Management Protocol (SNMP)......................................761

Protocol Overview.............................................................................................................................761

Implementation Information............................................................................................................ 761

SNMPv3 Compliance With FIPS........................................................................................................761

Configuration Task List for SNMP.................................................................................................... 763

Related Configuration Tasks.......................................................................................................763

Important Points to Remember....................................................................................................... 763

Set up SNMP......................................................................................................................................763

Creating a Community............................................................................................................... 764

Setting Up User-Based Security (SNMPv3)................................................................................ 764

Reading Managed Object Values..................................................................................................... 765

Writing Managed Object Values.......................................................................................................766

Configuring Contact and Location Information using SNMP.........................................................767

Subscribing to Managed Object Value Updates using SNMP.........................................................768

Enabling a Subset of SNMP Traps.................................................................................................... 769

Copy Configuration Files Using SNMP............................................................................................. 771

Copying a Configuration File...................................................................................................... 773

Copying Configuration Files via SNMP.......................................................................................773

Copying the Startup-Config Files to the Running-Config........................................................ 774

Copying the Startup-Config Files to the Server via FTP............................................................ 774

Copying the Startup-Config Files to the Server via TFTP.......................................................... 775

Copy a Binary File to the Startup-Configuration....................................................................... 775

Additional MIB Objects to View Copy Statistics.........................................................................776

Obtaining a Value for MIB Objects............................................................................................. 776

Manage VLANs using SNMP..............................................................................................................777

Creating a VLAN...........................................................................................................................777

Assigning a VLAN Alias.................................................................................................................777

Displaying the Ports in a VLAN....................................................................................................778

Add Tagged and Untagged Ports to a VLAN..............................................................................778

Managing Overload on Startup........................................................................................................ 779

Enabling and Disabling a Port using SNMP......................................................................................779

Fetch Dynamic MAC Entries using SNMP........................................................................................780

Deriving Interface Indices.................................................................................................................782

Monitor Port-Channels.....................................................................................................................783

Troubleshooting SNMP Operation...................................................................................................784

47 Storm Control................................................................................................. 785

Configure Storm Control..................................................................................................................785

Configuring Storm Control from INTERFACE Mode................................................................. 785

Configuring Storm Control from CONFIGURATION Mode...................................................... 785

48 Spanning Tree Protocol (STP)..................................................................... 786

Protocol Overview............................................................................................................................786

Configure Spanning Tree................................................................................................................. 786

Related Configuration Tasks.......................................................................................................786

Important Points to Remember........................................................................................................787

Configuring Interfaces for Layer 2 Mode.........................................................................................787

Enabling Spanning Tree Protocol Globally......................................................................................788

Adding an Interface to the Spanning Tree Group........................................................................... 790

Modifying Global Parameters........................................................................................................... 791

Modifying Interface STP Parameters................................................................................................792

Enabling PortFast.............................................................................................................................. 792

Prevent Network Disruptions with BPDU Guard....................................................................... 793

Selecting STP Root............................................................................................................................795

STP Root Guard.................................................................................................................................796

Root Guard Scenario...................................................................................................................796

Configuring Root Guard............................................................................................................. 797

Enabling SNMP Traps for Root Elections and Topology Changes................................................. 798

Configuring Spanning Trees as Hitless............................................................................................ 798

STP Loop Guard................................................................................................................................799

Configuring Loop Guard............................................................................................................ 800

Displaying STP Guard Configuration................................................................................................801

49 System Time and Date.................................................................................. 802

Network Time Protocol....................................................................................................................802

Protocol Overview......................................................................................................................803

Configure the Network Time Protocol......................................................................................804

Enabling NTP.............................................................................................................................. 804

Setting the Hardware Clock with the Time Derived from NTP................................................ 804

Configuring NTP Broadcasts......................................................................................................805

Disabling NTP on an Interface................................................................................................... 805

Configuring a Source IP Address for NTP Packets....................................................................805

Configuring NTP Authentication................................................................................................806

Dell Networking OS Time and Date................................................................................................ 809

Configuration Task List ..............................................................................................................809

Setting the Time and Date for the Switch Hardware Clock......................................................809

Setting the Time and Date for the Switch Software Clock.......................................................809

Setting the Timezone..................................................................................................................810

Set Daylight Saving Time............................................................................................................ 810

Setting Daylight Saving Time Once............................................................................................810

Setting Recurring Daylight Saving Time......................................................................................811

50 Tunneling ........................................................................................................813

Configuring a Tunnel........................................................................................................................ 813

Configuring Tunnel Keepalive Settings............................................................................................ 814

Configuring a Tunnel Interface........................................................................................................ 815

Configuring Tunnel allow-remote Decapsulation...........................................................................815

Configuring Tunnel source anylocal Decapsulation.......................................................................816

Guidelines for Configuring Multipoint Receive-Only Tunnels........................................................816

Multipoint Receive-Only Type and IP Unnumbered Interfaces for Tunnels.................................. 817

51 Upgrade Procedures...................................................................................... 818

Get Help with Upgrades................................................................................................................... 818

52 Virtual LANs (VLANs)......................................................................................819

Default VLAN..................................................................................................................................... 819

Port-Based VLANs............................................................................................................................ 820

VLANs and Port Tagging.................................................................................................................. 820

Configuration Task List..................................................................................................................... 821

Creating a Port-Based VLAN.......................................................................................................821

Assigning Interfaces to a VLAN...................................................................................................822

Moving Untagged Interfaces...................................................................................................... 823

Assigning an IP Address to a VLAN.............................................................................................825

Configuring Native VLANs................................................................................................................825

Enabling Null VLAN as the Default VLAN.........................................................................................826

53 Virtual Link Trunking (VLT)...........................................................................827

Overview............................................................................................................................................827

VLT on Core Switches................................................................................................................ 828

Enhanced VLT............................................................................................................................. 828

VLT Terminology.............................................................................................................................. 829

Configure Virtual Link Trunking....................................................................................................... 830

Important Points to Remember................................................................................................. 830

Configuration Notes....................................................................................................................831

Primary and Secondary VLT Peers............................................................................................. 834

RSTP and VLT.............................................................................................................................. 835

VLT Bandwidth Monitoring.........................................................................................................835

VLT and IGMP Snooping.............................................................................................................836

VLT IPv6.......................................................................................................................................836

VLT Port Delayed Restoration.................................................................................................... 836

PIM-Sparse Mode Support on VLT.............................................................................................836

VLT Routing ................................................................................................................................838

Non-VLT ARP Sync.....................................................................................................................840

RSTP Configuration...........................................................................................................................841

Preventing Forwarding Loops in a VLT Domain........................................................................ 841

Sample RSTP Configuration........................................................................................................841

Configuring VLT..........................................................................................................................842

eVLT Configuration Example............................................................................................................853

eVLT Configuration Step Examples............................................................................................854

PIM-Sparse Mode Configuration Example...................................................................................... 856

Verifying a VLT Configuration.......................................................................................................... 857

Additional VLT Sample Configurations............................................................................................860

Configuring Virtual Link Trunking (VLT Peer 1)Configuring Virtual Link Trunking (VLT Peer

2)Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access

Switch)......................................................................................................................................... 861

Troubleshooting VLT........................................................................................................................863

Reconfiguring Stacked Switches as VLT..........................................................................................864

Specifying VLT Nodes in a PVLAN....................................................................................................865

Association of VLTi as a Member of a PVLAN............................................................................866

MAC Synchronization for VLT Nodes in a PVLAN..................................................................... 866

PVLAN Operations When One VLT Peer is Down..................................................................... 866

PVLAN Operations When a VLT Peer is Restarted.....................................................................867

Interoperation of VLT Nodes in a PVLAN with ARP Requests...................................................867

Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........867

Configuring a VLT VLAN or LAG in a PVLAN................................................................................... 869

Creating a VLT LAG or a VLT VLAN............................................................................................869

Associating the VLT LAG or VLT VLAN in a PVLAN....................................................................870

Proxy ARP Capability on VLT Peer Nodes........................................................................................ 871

Working of Proxy ARP for VLT Peer Nodes................................................................................872

VLT Nodes as Rendezvous Points for Multicast Resiliency.............................................................873

54 VLT Proxy Gateway........................................................................................874

Proxy Gateway in VLT Domains....................................................................................................... 874

LLDP organizational TLV for proxy gateway..............................................................................876

Sample Configuration Scenario for VLT Proxy Gateway...........................................................877

Configuring an LLDP VLT Proxy Gateway....................................................................................... 879

55 Virtual Router Redundancy Protocol (VRRP)........................................... 880

VRRP Overview.................................................................................................................................880

VRRP Benefits....................................................................................................................................881

VRRP Implementation.......................................................................................................................881

VRRP Configuration..........................................................................................................................882

Configuration Task List...............................................................................................................882

Setting VRRP Initialization Delay................................................................................................ 892

Sample Configurations.....................................................................................................................893

VRRP for an IPv4 Configuration................................................................................................. 893

VRRP in a VRF Configuration......................................................................................................898

56 Z-Series Debugging and Diagnostics.........................................................904

Offline Diagnostics........................................................................................................................... 904

Important Points to Remember................................................................................................. 904

Running Offline Diagnostics...................................................................................................... 904

TRACE Logs...................................................................................................................................... 908

Auto Save on Crash or Rollover.................................................................................................908

Last Restart Reason.......................................................................................................................... 909

Line Card Restart Causes and Reasons..................................................................................... 909

Hardware Watchdog Timer..............................................................................................................909

show hardware Commands.............................................................................................................909

Environmental Monitoring................................................................................................................912

......................................................................................................................................................912

Recognize an Over-Temperature Condition.............................................................................912

Troubleshoot an Over-Temperature Condition........................................................................ 912

Recognize an Under-Voltage Condition....................................................................................913

Troubleshoot an Under-Voltage Condition...............................................................................913

Buffer Tuning.....................................................................................................................................914

Buffer Tuning Points....................................................................................................................915

Decide to Tune Buffers............................................................................................................... 915

Using the Buffer Tuning Commands..........................................................................................915

Sample Buffer Profile Configuration.......................................................................................... 918

Troubleshooting Packet Loss........................................................................................................... 918

Displaying Drop Counters...........................................................................................................919

Displaying Dataplane Statistics................................................................................................... 919

Displaying Stack Member Counters........................................................................................... 921

Enabling Application Core Dumps................................................................................................... 921

Mini Core Dumps..............................................................................................................................922

Enabling TCP Dumps........................................................................................................................922

57 Standards Compliance..................................................................................924

IEEE Compliance.............................................................................................................................. 924

RFC and I-D Compliance................................................................................................................. 925

General Internet Protocols......................................................................................................... 925

General IPv4 Protocols...............................................................................................................926

General IPv6 Protocols............................................................................................................... 927

Border Gateway Protocol (BGP).................................................................................................927

Open Shortest Path First (OSPF).................................................................................................928

Intermediate System to Intermediate System (IS-IS).................................................................929

Routing Information Protocol (RIP)........................................................................................... 929

Multicast......................................................................................................................................930

Network Management................................................................................................................930

MIB Location..................................................................................................................................... 937

1

About this Guide

This guide describes the protocols and features the Dell Networking Operating System (OS) supports and
provides configuration instructions and examples for implementing them. This guide supports the Z9000
platform.

The Z9000 platform is available with Dell Networking OS version 8.3.11.1 and beyond.

Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Dell Networking systems. For complete information
about protocols, refer to related documentation, including IETF requests for comments (RFCs). The
instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list
of the supported RFCs and management information base files (MIBs).

Audience

This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes knowledge in Layer 2 and Layer 3 networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.

Keyword

parameter Parameters are in italics and require a number or word to be entered in the CLI.

{X} Keywords and parameters within braces must be entered in the CLI.

[X] Keywords and parameters within brackets are optional.

x|y Keywords and parameters separated by a bar require you to choose one option.

x||y Keywords and parameters separated by a double bar allows you to choose any or

Keywords are in Courier (a monospaced font) and must be entered in the CLI as
listed.

all of the options.

Related Documents

• Dell Networking OS Command Reference

• Installing the System

• Dell Quick Start Guide

• Dell Networking OS Release Notes

About this Guide

31

2

Configuration Fundamentals

The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you
can use to configure interfaces and protocols.

The CLI is largely the same for the Z9000, S6000, S4810, and S4820T except for some commands and
command outputs. The CLI is structured in modes for security and management purposes. Different sets
of commands are available in each mode, and you can limit user access to modes using privilege levels.

In Dell Networking OS, after you enable a command, it is entered into the running configuration file. You
can view the current configuration for the whole system or for a particular CLI mode. To save the current
configuration, copy the running configuration to another location.

NOTE: Due to differences in hardware architecture and continued system development, features
may occasionally differ between the platforms. Differences are noted in each CLI description and
related documentation.

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session.
When the system successfully boots, enter the command line in EXEC mode.

NOTE: You must have a password configured on a virtual terminal line before you can Telnet into
the system. Therefore, you must use a console connection when connecting to the system for the
first time.

telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
Dell>

CLI Modes

Different sets of commands are available in each mode.
A command found in one mode cannot be executed from another mode (except for EXEC mode

commands with a preceding do command (refer to the do Command section).

You can set user access rights to commands and command modes using privilege levels;

The Dell Networking OS CLI is divided into three major mode levels:

• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a
limited selection of commands is available, notably the show commands, which allow you to view
system information.

32

Configuration Fundamentals

• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration
files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is
unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password
section in the Getting Started chapter.

• CONFIGURATION mode allows you to configure security features, time settings, set logging and
SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.

Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The
following example shows the submode command structure. Two sub-CONFIGURATION modes are
important when configuring the chassis for the first time:

• INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP
services specific to an interface. An interface can be physical (Management interface, 1 Gigabit
Ethernet, or 10 Gigabit Ethernet, or synchronous optical network technologies [SONET]) or logical
(Loopback, Null, port channel, or virtual local area network [VLAN]).

• LINE submode is the mode in which you to configure the console and virtual terminal lines.

NOTE: At any time, entering a question mark (?) displays the available command options. For
example, when you are in CONFIGURATION mode, entering the question mark first lists all available
commands, including the possible submodes.

The CLI modes are:

EXEC
EXEC Privilege
CONFIGURATION
AS-PATH ACL
CONTROL-PLANE
CLASS-MAP
DCB POLICY
DHCP
DHCP POOL
ECMP-GROUP
EXTENDED COMMUNITY
FRRP
INTERFACE
GIGABIT ETHERNET
10 GIGABIT ETHERNET
40 GIGABIT ETHERNET
INTERFACE RANGE
LOOPBACK
MANAGEMENT ETHERNET
NULL
PORT-CHANNEL
TUNNEL
VLAN
VRRP
IP
IPv6
IP COMMUNITY-LIST
IP ACCESS-LIST
STANDARD ACCESS-LIST
EXTENDED ACCESS-LIST
MAC ACCESS-LIST
LINE
AUXILLIARY
CONSOLE
VIRTUAL TERMINAL
LLDP
LLDP MANAGEMENT INTERFACE

Configuration Fundamentals

33

MONITOR SESSION
MULTIPLE SPANNING TREE
OPENFLOW INSTANCE
PVST
PORT-CHANNEL FAILOVER-GROUP
PREFIX-LIST
PRIORITY-GROUP
PROTOCOL GVRP
QOS POLICY
RSTP
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
GRUB

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.

The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI
mode. Move linearly through the command modes, except for the end command which takes you
directly to EXEC Privilege mode and the exit command which moves you up one command mode level.

NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers
to identify the mode and slot/port information.

Table 1. Dell Networking OS Command Modes

CLI Command Mode Prompt Access Command

EXEC

EXEC Privilege

CONFIGURATION

NOTE: Access all of the
following modes from
CONFIGURATION mode.

Dell>

Dell#

Dell(conf)#

Access the router through the
console or Telnet.

• From EXEC mode, enter the
enable command.

• From any other mode, use
the end command.

• From EXEC privilege mode,
enter the configure
command.

• From every mode except
EXEC and EXEC Privilege,
enter the exit command.

34

Configuration Fundamentals

CLI Command Mode Prompt Access Command

AS-PATH ACL

Gigabit Ethernet Interface

10 Gigabit Ethernet Interface

Interface Group

Interface Range

Loopback Interface

Management Ethernet Interface

Null Interface

Port-channel Interface

Tunnel Interface

VLAN Interface

STANDARD ACCESS-LIST

EXTENDED ACCESS-LIST

IP COMMUNITY-LIST

Dell(config-as-path)# ip as-path access-list

Dell(conf-if-gi-0/0)#

Dell(conf-if-te-0/1–2)#

interface (INTERFACE modes)

interface (INTERFACE modes)

Dell(conf-if-group)# interface(INTERFACE

modes)

Dell(conf-if-range)#

Dell(conf-if-lo-0)#

Dell(conf-if-ma-0/0)#

Dell(conf-if-nu-0)#

Dell(conf-if-po-1)#

Dell(conf-if-tu-1)#

Dell(conf-if-vl-1)#

Dell(config-std-nacl)#

interface (INTERFACE modes)

interface (INTERFACE modes)

interface (INTERFACE modes)

interface (INTERFACE modes)

interface (INTERFACE modes)

interface (INTERFACE modes)

interface (INTERFACE modes)

ip access-list standard (IP

ACCESS-LIST Modes)

Dell(config-ext-nacl)#

ip access-list extended (IP

ACCESS-LIST Modes)

Dell(config-community-

ip community-list

list)#

AUXILIARY

CONSOLE

VIRTUAL TERMINAL

STANDARD ACCESS-LIST

EXTENDED ACCESS-LIST

MULTIPLE SPANNING TREE

Per-VLAN SPANNING TREE Plus

PREFIX-LIST

RAPID SPANNING TREE

REDIRECT

ROUTE-MAP

Dell(config-line-aux)#

Dell(config-line-

line (LINE Modes)

line (LINE Modes)

console)#

Dell(config-line-vty)#

line (LINE Modes)

Dell(config-std-macl)# mac access-list standard

(MAC ACCESS-LIST Modes)

Dell(config-ext-macl)# mac access-list extended

(MAC ACCESS-LIST Modes)

Dell(config-mstp)# protocol spanning-tree

mstp

Dell(config-pvst)# protocol spanning-tree

pvst

Dell(conf-nprefixl)# ip prefix-list

Dell(config-rstp)# protocol spanning-tree

rstp

Dell(conf-redirect-list)# ip redirect-list

Dell(config-route-map)# route-map

Configuration Fundamentals

35

CLI Command Mode Prompt Access Command

ROUTER BGP

BGP ADDRESS-FAMILY

Dell(conf-router_bgp)# router bgp

Dell(conf-router_bgp_af)#

(for IPv4)

Dell(conf­routerZ_bgpv6_af)# (for IPv6)

ROUTER ISIS

ISIS ADDRESS-FAMILY

Dell(conf-router_isis)# router isis

Dell(conf-router_isis­af_ipv6)#

ROUTER OSPF

ROUTER OSPFV3

Dell(conf-router_ospf)# router ospf

Dell(conf­ipv6router_ospf)#

ROUTER RIP

SPANNING TREE

TRACE-LIST

CLASS-MAP

CONTROL-PLANE

Dell(conf-router_rip)# router rip

Dell(config-span)# protocol spanning-tree 0

Dell(conf-trace-acl)# ip trace-list

Dell(config-class-map)# class-map

Dell(conf-control­cpuqos)#

DCB POLICY Dell(conf-dcb-in)# (for input

policy)
Dell(conf-dcb-out)# (for

output policy)

address-family {ipv4
multicast | ipv6 unicast}

(ROUTER BGP Mode)

address-family ipv6
unicast (ROUTER ISIS Mode)

ipv6 router ospf

control-plane-cpuqos

dcb-input for input policy
dcb-output for output policy

DHCP

DHCP POOL

Dell(config-dhcp)# ip dhcp server

Dell(config-dhcp-pool-
name)#

ECMP

Dell(conf-ecmp-group­ecmp-group-id)#

EIS

FRRP

Dell(conf-mgmt-eis)# management egress-

Dell(conf-frrp-ring-id)# protocol frrp

LLDP Dell(conf-lldp)# or

Dell(conf-if—interface­lldp)#

LLDP MANAGEMENT INTERFACE

LINE

Dell(conf-lldp-mgmtIf)#

Dell(config-line-console)

or Dell(config-line-vty)

36

pool (DHCP Mode)

ecmp-group

interface-selection

protocol lldp

(CONFIGURATION or INTERFACE
Modes)

management-interface (LLDP
Mode)

line console orline vty

Configuration Fundamentals

CLI Command Mode Prompt Access Command

MONITOR SESSION

OPENFLOW INSTANCE

PORT-CHANNEL FAILOVER­GROUP

PRIORITY GROUP

PROTOCOL GVRP

QOS POLICY

VLT DOMAIN

VRRP

Grub grub> Press the Esc key when the

UPLINK STATE GROUP

Dell(conf-mon-sess­sessionID)#

Dell(conf-of-instance-of-
id)#

Dell(conf-po-failover­grp)#

Dell(conf-pg)# priority-group

Dell(config-gvrp)# protocol gvrp

Dell(conf-qos-policy-out­ets)#

Dell(conf-vlt-domain)# vlt domain

Dell(conf-if-interface-

type-slot/port-vrid-vrrp­group-id)#

Dell(conf-uplink-state­group-groupID)#

monitor session

openflow of-instance

port-channel failover­group

qos-policy-output

vrrp-group

following line appears on the
console during a system boot:

Hit any key to stop
autoboot:

uplink-state-group

The following example shows how to change the command mode from CONFIGURATION mode to
PROTOCOL SPANNING TREE.

Example of Changing Command Modes

Dell(conf)#protocol spanning-tree 0
Dell(config-span)#

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION,
INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC
mode command with the

The following example shows the output of the do command.

Dell(conf)#do show system brief

Stack MAC : 00:01:e8:00:66:64
Reload-Type : normal-reload [Next boot : normal-reload]

-- Stack Info -­Unit UnitType Status ReqTyp CurTyp Version
Ports

--------------------------------------------------------------------------------

do command.

Configuration Fundamentals

37

---­ 0 Management online S4810 S4810 9.4(0.0) 64
1 Member not present
2 Member not present
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present
8 Member not present
9 Member not present
10 Member not present
11 Member not present

-- Power Supplies -­Unit Bay Status Type FanStatus

--------------------------------------------------------------------------­ 0 0 absent absent
0 1 up UNKNOWN up

-- Fan Status -­Unit Bay TrayStatus Fan0 Speed Fan1 Speed

--------------------------------------------------------------------------------

---­ 0 0 up up 9120 up 9120
0 1 up up 9120 up 9120

Speed in RPM

Dell(conf)#

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running­config).

To disable a command and remove it from the running-config, enter the no command, then the original
command. For example, to delete an IP address configured on an interface, use the no ip address
ip-address command.

NOTE: Use the help or ? command as described in Obtaining Help.

Example of Viewing Disabled Commands

Dell(conf)#interface tengigabitethernet 4/17
Dell(conf-if-te-4/17)#ip address 192.168.10.1/24
Dell(conf-if-te-4/17)#show config
!
interface tenGigabitEthernet 4/17
ip address 192.168.10.1/24
no shutdown
Dell(conf-if-te-4/17)#no ip address
Dell(conf-if-te-4/17)#show config
!
interface tenGigabitEthernet 4/17
no ip address
no shutdown

38

Configuration Fundamentals

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command.
For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using
the

? or help command:

• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.

• Enter ? after a prompt lists all of the available keywords. The output of this command is the same for
the help command.

Dell#?
cd Change current directory
clear Reset functions
clock Manage the system clock
configure Configuring from terminal
copy Copy from one file to another
debug Debug functions

--More--

• Enter ? after a partial keyword lists all of the keywords that begin with the specified letters.

Dell(conf)#cl?
class-map
clock
Dell(conf)#cl

• Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword.

Dell(conf)#clock ?
summer-time Configure summer (daylight savings) time
timezone Configure time zone
Dell(conf)#clock

Entering and Editing Commands

Notes for entering commands.

• The CLI is not case-sensitive.

• You can enter partial CLI keywords.

– Enter the minimum number of letters to uniquely identify a command. For example, you cannot

enter cl as a partial keyword because both the clock and class-map commands begin with the
letters “cl.” You can enter clo, however, as a partial keyword because only one command begins
with those three letters.

• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to
uniquely identify a command.

• The UP and DOWN arrow keys display previously entered commands (refer to Command History).

• The BACKSPACE and DELETE keys erase the previous letter.

• Key combinations are available to move quickly across the command line. The following table
describes these short-cut key combinations.

Short-Cut Key
Combination

CNTL-A Moves the cursor to the beginning of the command line.

Action

Configuration Fundamentals

39

Short-Cut Key
Combination

CNTL-B Moves the cursor back one character.

CNTL-D Deletes character at cursor.

CNTL-E Moves the cursor to the end of the line.

CNTL-F Moves the cursor forward one character.

CNTL-I Completes a keyword.

CNTL-K Deletes all characters from the cursor to the end of the command line.

CNTL-L Re-enters the previous command.

CNTL-N Return to more recent commands in the history buffer after recalling commands

CNTL-P Recalls commands, beginning with the last command.

CNTL-R Re-enters the previous command.

CNTL-U Deletes the line.

CNTL-W Deletes the previous word.

CNTL-X Deletes the line.

CNTL-Z Ends continuous scrolling of command outputs.

Action

with CTRL-P or the UP arrow key.

Esc B Moves the cursor back one word.

Esc F Moves the cursor forward one word.

Esc D Deletes all characters from the cursor to the end of the word.

Command History

Dell Networking OS maintains a history of previously-entered commands for each mode. For example:

• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC
mode commands.

• When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered
CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find |
grep | no-more | save]

The variable specified_text is the text for which you are filtering and it IS case sensitive unless you
use the ignore-case sub-option.

Starting with Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub­option that forces the search to case-insensitive. For example, the commands:

specified_text after the command.

40

Configuration Fundamentals

• show run | grep Ethernet returns a search result with instances containing a capitalized
“Ethernet,” such as interface GigabitEthernet 0/0.

• show run | grep ethernet does not return that search result because it only searches for
instances containing a non-capitalized “ethernet.”

• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and
“ethernet.”

The grep command displays only the lines containing specified text. The following example shows this
command used in combination with the show linecard all command.

Dell(conf)#do show system brief | grep 0
0 not present

NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase
with spaces, underscores, or ranges, enclose the phrase with double quotation marks.

The except keyword displays text that does not match the specified text. The following example shows
this command used in combination with the

show linecard all command.

Example of the except Keyword

Dell#show system brief | except 0

Slot Status NxtBoot ReqTyp CurTyp Version Ports

-----------------------------------------------------

2 not present
3 not present
4 not present
5 not present
6 not present

The find keyword displays the output of the show command beginning from the first occurrence of
specified text. The following example shows this command used in combination with the

show

linecard all command.

Example of the find Keyword

Dell(conf)#do show system brief | find 0
0 not present
1 not present
2 online online E48TB E48TB 1-1-463 48
3 not present
4 not present
5 online online E48VB E48VB 1-1-463 48
6 not present
7 not present

The display command displays additional configuration information.

The no-more command displays the output all at once rather than one screen at a time. This is similar to
the terminal length command except that the no-more option affects the output of the specified
command only.

The save command copies the output to a file for future reference.

Configuration Fundamentals

41

NOTE: You can filter a single command output multiple times. The save option must be the last
option entered. For example: Dell# command | grep regular-expression | except

regular-expression | grep other-regular-expression | find regular-expression

| save

.

Multiple Users in Configuration Mode

Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.

A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY
connection, the IP address of the terminal on which the connection was established. For example:

• On the system that telnets into the switch, this message appears:

% Warning: The following users are currently configuring the system:
User "<username>" on line console0

• On the system that is connected over the console, this message appears:

% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration
mode

If either of these messages appears, Dell Networking recommends coordinating with the users listed in
the message so that you do not unintentionally overwrite each other’s configuration changes.

42

Configuration Fundamentals

3

Data Center Bridging (DCB)

Data center bridging (DCB) is supported on the platform.

NOTE:

SNMP Support for PFC and Buffer Statistics Tracking

Buffer Statistics Tracking (BST) feature provides a mechanism to aid in Resource Monitoring and Tuning
of Buffer Allocation. The support for Max Use Count mode in Buffer Statistics is introduced in Dell
Networking OS 9.3(0.). Max Use Count mode provides the maximum value of the counters accumulated
over a period of time. This feature is supported in Z9000.
Priority Flow Control (PFC) provides a link level flow control mechanism, which is controlled
independently for each frame priority. The goal of this mechanism is to ensure zero loss under
congestion in DCB networks.

The SNMP support for monitoring PFC and BST counters and statistics is introduced in Dell Networking
OS 9.3(0.1). The enhancement is made on F10-FPSTATS MIB with additional tables to display the PFC and
BST counters and statistics.

The following new tables are added in F10-FPSTATS MIB in Dell Networking OS 9.3(0.1):

• fpEgrQBuffSnapshotTable

• fpIngPgBuffSnapshotTable

• fpStatsPerPgTable

• pfcPerPrioTable

fpEgrQBuffSna
pshotTable

fpIngPgBuffSna
pshotTable

fpStatsPerPgTa
ble

pfcPerPrioTabl
e

Data Center Bridging (DCB)

This table fetches the BST statistics at Egress Port with respect to the buffer used.
This table displays the Snapshot of the Buffer cells used by Unicast and Multicast
Data and Control Queues.

This table fetches the BST statistics at the Ingress Port with respect to the Shared
Cells and the Headroom cells used per Priority Group. The snapshot of the Ingress
Shared cells used and the Ingress Headroom cells used per Priority Group, when
PFC is enabled, will be displayed in this table. This table is indexed by stack-unit
index, port number and the priority group number.

This table fetches the Allocated Min cells, Shared cells and Headroom cells per
Priority Group, the mode in which the buffer cells are allocated - Static or Dynamic
and the Used Min Cells, Shared cells and Headroom cells per Priority Group. The
table fetches a value of 0 if the mode of allocation is Static and a value of 1 if the
mode of allocation is Dynamic. This table is indexed by stack-unit number, port
number and priority group number.

This table fetches the number of PFC frames transmitted (PFC Requests) and the
number of PFC frames received (PFC Indications) per priority on a per port basis.
This table is indexed by the stack-unit index, port number and priority.

43

4

Getting Started

This chapter describes how you start configuring your system.
When you power up the chassis, the system performs a power-on self test (POST) during which the line

card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking Operating
System (OS). Boot messages scroll up the terminal window during this process. No user interaction is
required if the boot process proceeds without interruption.

When the boot process completes, the RPM and line card status LEDs remain online (green) and the
console monitor displays the EXEC mode prompt.

For details about using the command line interface (CLI), refer to the Accessing the Command Line
section in the Configuration Fundamentals chapter.

Console Access

The has two management ports available for system access: a serial console port and an out-of-bounds
(OOB) port. The Z9000 has a primary management (Ethernet) port and an RJ-45/RS-232 console port.

Serial Console

The RJ-45/RS-232 console port is labeled on the Z9000 chassis. It is in the upper right-hand side, as you
face the I/O side of the chassis.

Figure 1. RJ-45 Console Port

1. RJ-45 Console Port

44

Getting Started

Accessing the Console Port

To access the console port, follow these steps:
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.

1. Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the

S4810 console port to a terminal server.

2. Connect the other end of the cable to the DTE terminal server.

3. Terminal settings on the console port cannot be changed in the software and are set as follows:

• 9600 baud rate

• No parity

• 8 data bits

• 1 stop bit

• No flow control

Pin Assignments

You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE
adapter to a terminal server (for example, a PC).

The pin assignments between the console and a DTE terminal server are as follows:

Table 2. Pin Assignments Between the Console and a DTE Terminal Server

Console Port RJ-45 to RJ-45

Rollover Cable

Signal RJ-45 Pinout RJ-45 Pinout DB-9 Pin Signal

RTS 1 8 8 CTS

NC 2 7 6 DSR

TxD 3 6 2 RxD

GND 4 5 5 GND

GND 5 4 5 GND

RxD 6 3 3 TxD

NC 7 2 4 DTR

CTS 8 1 7 RTS

RJ-45 to RJ-45
Rollover Cable

RJ-45 to DB-9
Adapter

Terminal Server
Device

Accessing the CLI Interface and Running Scripts Using SSH

Z9000

In addition to the capability to access a device using a console connection or a Telnet session, you can
also use SSH for secure, protected communication with the device. You can open an SSH session and run
commands or script files. This method of connectivity is supported with S4810, S4820T, and Z9000
switches and provides a reliable, safe communication mechanism.

Getting Started

45

Entering CLI commands Using an SSH Connection

You can run CLI commands by entering any one of the following syntax to connect to a switch using the
preconfigured user credentials using SSH:

ssh username@hostname <CLI Command>

or

echo <CLI Command> | ssh admin@hostname

The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the
screen non-interactively.

Executing Local CLI Scripts Using an SSH Connection

You can execute CLI commands by entering a CLI script in one of the following ways:

ssh username@hostname <CLIscript.file>

or

cat < CLIscript.file > | ssh admin@hostname

The script is run and the actions contained in the script are performed.

Following are the points to remember, when you are trying to establish an SSH session to the device to
run commands or script files:

• There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in
executing SSH-related scripts.

• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is
devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple
short SSH commands are executed.

• If you issue an interactive command in the SSH session, the behavior may not really be interactive.

• In some cases, when you use an SSH session, when certain show commands such as show tech-

support

truncated and not displayed. This may cause one of the commands to fail for syntax error. In such
cases, if you add few newline characters before the failed command, the output displays completely.

Execution of commands on CLI over SSH does not notice the errors that have occurred while executing
the command. As a result, you cannot identify, whether a command has failed to be processed. The
console output though is redirected back over SSH.

produce large volumes of output, sometimes few characters from the output display are

46

Getting Started

Default Configuration

A version of Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured
when you power up for the first time (except for the default hostname, which is Dell). You must
configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

• Characters within the string can be letters, digits, and hyphens.

To create a host name, use the following command.

• Create a host name.
CONFIGURATION mode

hostname name

Example of the hostname Command

Dell(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or SSH.

• The Z9000 has a dedicated management port and a management routing table that is separate from
the IP routing table.

• You can manage all Dell Networking products in-band via the front-end data ports through interfaces
assigned an IP address as well.

Accessing the Z-Series and Remotely

Configuring the system for Telnet is a three-step process, as described in the following topics:

1. Configure an IP address for the management port. Configure the Management Port IP Address

2. Configure a management route with a default gateway. Configure a Management Route

3. Configure a username and password. Configure a Username and Password

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.

1. Enter INTERFACE mode for the Management port.

CONFIGURATION mode

interface ManagementEthernet slot/port

• slot: the range is from 0 to 7.

Getting Started

47

• port: the range is 0.

2. Assign an IP address to the interface.

INTERFACE mode

ip address ip-address/mask

• ip-address: an address in dotted-decimal format (A.B.C.D).

• mask: a subnet mask in /prefix-length format (/ xx).

3. Enable the interface.

INTERFACE mode

no shutdown

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the system through the
management port.
To configure a management route, use the following command.

• Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode

management route ip-address/mask gateway

– ip-address: the network address in dotted-decimal format (A.B.C.D).
– mask: a subnet mask in /prefix-length format (/ xx).
– gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, configure a system username and password.
To configure a system username and password, use the following command.

• Configure a username and password to access the system remotely.
CONFIGURATION mode

username username password [encryption-type] password

– encryption-type: specifies how you are inputting the password, is 0 by default, and is not

required.

* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtaining the

encrypted password from the configuration of another Dell Networking system.

Configuring the Enable Password

Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default.
Configure a password as a basic security measure.

There are two types of enable passwords:

48

Getting Started

• enable password stores the password in the running/startup configuration using a DES encryption
method.

• enable secret is stored in the running/startup configuration in using a stronger, MD5 encryption
method.

Dell Networking recommends using the enable secret password.

To configure an enable password, use the following command.

• Create a password to access EXEC Privilege mode.
CONFIGURATION mode

enable [password | secret] [level level] [encryption-type] password

– level: is the privilege level, is 15 by default, and is not required

– encryption-type: specifies how you are inputting the password, is 0 by default, and is not

required.

* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted

password from the configuration file of another Dell Networking system.

* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the

encrypted password from the configuration file of another Dell Networking system.

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.

NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command
Reference.

• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the
file-destination syntax for a remote file location.

• To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file
location with the file-destination syntax for a local file location.

Table 3. Forming a copy Command

Location source-file-url Syntax destination-file-url Syntax

For a remote file location:
FTP server

For a remote file location:
TFTP server

copy ftp://
username:password@{hostip
| hostname}/filepath/
filename

copy tftp://{hostip |
hostname}/filepath/
filename

ftp://
username:password@{hostip
| hostname}/ filepath/
filename

tftp://{hostip |
hostname}/filepath/
filename

Getting Started

49

Location source-file-url Syntax destination-file-url Syntax

For a remote file location:
SCP server

copy scp://{hostip |
hostname}/filepath/
filename

scp://{hostip |
hostname}/filepath/
filename

Important Points to Remember

• You may not copy a file from one remote system to another.

• You may not copy a file from one location to the same location.

• When copying to a server, you can only use a hostname if a domain name server (DNS) server is
configured.

• The usbflash command is supported on Z9000. Refer to your system’s Release Notes for a list of
approved USB vendors.

Example of Copying a File to an FTP Server

Dell#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10/
/Dell/Dell-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied

Example of Importing a File to the Local System

core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/
Dell-EF-8.2.1.0.bin flash://
Destination file name [Dell-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell Networking recommends
coping your running-configuration to the startup-configuration.
The commands in this section follow the same format as those commands in the Copy Files to and from

the System section but use the filenames startup-configuration and running-configuration. These

commands assume that current directory is the internal flash, which is the system default.

• Save the running-configuration to the startup-configuration on the internal flash of the primary RPM.
EXEC Privilege mode

copy running-config startup-config

• Save the running-configuration to the internal flash on an RPM.
EXEC Privilege mode

copy running-config rpm{0|1}flash://filename

• Save the running-configuration to an FTP server.
EXEC Privilege mode

copy running-config ftp:// username:password@{hostip | hostname}/filepath/
filename

• Save the running-configuration to a TFTP server.
EXEC Privilege mode

copy running-config tftp://{hostip | hostname}/ filepath/filename

50

Getting Started

• Save the running-configuration to an SCP server.
EXEC Privilege mode

copy running-config scp://{hostip | hostname}/ filepath/filename

NOTE: When copying to a server, a host name can only be used if a DNS server is configured.

Configure the Overload Bit for a Startup Scenario

For information about setting the router overload bit for a specific period of time after a switch reload is
implemented, refer to the Intermediate System to Intermediate System (IS-IS) section in the Dell
Networking OS Command Line Reference Guide.

Viewing Files

You can only view file information and content on local file systems.
To view a list of files or the contents of a file, use the following commands.

• View a list of files on the internal flash.
EXEC Privilege mode

dir flash:

• View the running-configuration.
EXEC Privilege mode

show running-config

• View the startup-configuration.
EXEC Privilege mode

show startup-config

Example of the dir Command

The output of the dir command also shows the read/write privileges, size (in bytes), and date of
modification for each file.

Dell#dir
Directory of flash:

1 drw- 32768 Jan 01 1980 00:00:00 .
2 drwx 512 Jul 23 2007 00:38:44 ..
3 drw- 8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR
4 drw- 8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR
5 drw- 8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR
6 drw- 8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR
7 d--- 8192 Mar 30 1919 10:31:04 ADMIN_DIR
8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin
9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin
10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE
11 drw- 8192 Jan 01 1980 00:18:28 diag
12 -rw- 7276 Jul 20 2007 01:52:40 startup-config.bak
13 -rw- 7341 Jul 20 2007 15:34:46 startup-config
14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image
15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash

--More--

Getting Started

51

View Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following
example, to help you track the last time any user made a change to the file, which user made the
changes, and when the file was last saved to the startup-configuration.

In the running-configuration file, if there is a difference between the timestamp on the “Last
configuration change” and “Startup-config last updated,” you have made changes that have not been
saved and are preserved after a system reboot.

Example of the show running-config Command

Dell#show running-config
Current Configuration ...
! Version 9.4(0.0)
! Last configuration change at Tue Mar 11 21:33:56 2014 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default
!
boot system stack-unit 0 primary system: B:
boot system stack-unit 0 secondary tftp://10.16.127.35/dt-maa-s4810-2
boot system stack-unit 0 default tftp://10.16.127.35/dt-maa-s4810-2
boot system gateway 10.16.130.254
!

Page 57 - Under Managing the File System, the word external Flash must be
removed

Page 57 - The output of show file-systems must be modified as follows.

Dell#show file-systems

Size(b) Free(b) Feature Type Flags Prefixes
2056916992 2056540160 FAT32 USERFLASH rw flash:

- - - network rw ftp:

- - - network rw tftp:

- - - network rw scp:

Dell#

Managing the File System

The Dell Networking system can use the internal Flash, external Flash, or remote devices to store files.
The system stores files on the internal Flash by default but can be configured to store files elsewhere.

To view file system information, use the following command.

• View information about each file system.
EXEC Privilege mode

show file-systems

The output of the show file-systems command in the following example shows the total capacity,
amount of free memory, file structure, media type, read/write privileges for each storage device in use.

Dell#show file-systems
Size(b) Free(b) Feature Type Flags Prefixes
520962048 213778432 dosFs2.0 USERFLASH rw flash:
127772672 21936128 dosFs2.0 USERFLASH rw slot0:

- - - network rw ftp:

52

Getting Started

- - - network rw tftp:

- - - network rw scp:

You can change the default file system so that file management commands apply to a particular device
or memory.

To change the default directory, use the following command.

• Change the default directory.
EXEC Privilege mode

cd directory

In the following example, the default storage location is changed to the external Flash of the primary
RPM. File management commands then apply to the external Flash rather than the internal Flash. The
bold lines show that no file system is specified and that the file is saved to an external flash.

Dell#cd slot0:
Dell#copy running-config test
Dell#copy run test
!
7419 bytes successfully copied
Dell#dir
Directory of slot0:

1 drw- 32768 Jan 01 1980 00:00:00 .
2 drwx 512 Jul 23 2007 00:38:44 ..
3 ---- 0 Jan 01 1970 00:00:00 DCIM

4 -rw- 7419 Jul 23 2007 20:44:40 test

5 ---- 0 Jan 01 1970 00:00:00 BT
6 ---- 0 Jan 01 1970 00:00:00 200702~1VSN
7 ---- 0 Jan 01 1970 00:00:00 G
8 ---- 0 Jan 01 1970 00:00:00 F
9 ---- 0 Jan 01 1970 00:00:00 F

slot0: 127772672 bytes total (21927936 bytes free)

Enabling Software Features on Devices Using a Command Option

This capability to activate software applications or components on a device using a command is
supported on the S4810, S4820T, and S6000, platforms.

Starting with Release 9.4(0.0), you can enable or disable specific software functionalities or applications
that need to run on a device by using a command attribute in the CLI interface. This capability enables
effective, streamlined management and administration of applications and utilities that run on a device.
You can employ this capability to perform an on-demand activation or turn-off of a software component
or protocol. A feature configuration file that is generated for each image contains feature names denotes
whether this enabling or disabling method is available for such features. In 9.4(0.0), you can enable or
disable the VRF application globally across the system by using this capability.

You can activate VRF application on a device by using the feature vrf command in CONFIGURATION
mode.

NOTE: The no feature vrf command is not supported on any of the platforms.

Getting Started

53

To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI
interface, use the following command. You must enable the VRF feature before you can configure its
related attributes.

Dell(conf)# feature vrf

Based on whether VRF feature is identified as supported in the Feature Configuration file, configuration
command feature vrf becomes available for usage. This command will be stored in running-configuration
and will precede all other VRF-related configurations.

NOTE: The MXL and Z9000 platforms currently do not support VRF. These platforms support only
the management and default VRFs, which are available by default. As a result, the feature vrf
command is not available for these platforms.

To display the state of Dell Networking OS features:

Dell#show feature

Example of show feature output

For a particular target where VRF is enabled, the show output is similar to the following:

Feature State

------------------------------

VRF enabled

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer.

The system generates a trace message for each executed command. No password information is saved
to the file.

To view the command-history trace, use the show command-history command.

Example of the show command-history Command

Dell#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS­CB-1.1.1.2E2.bin

Upgrading Dell Networking OS

NOTE: To upgrade Dell Networking Operating System (OS), refer to the Release Notes for the
version you want to load on the system.

54

Getting Started

Using HTTP for File Transfers

Stating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
Use the copy source-file-url http://host[:port]/file-path command to transfer files to an external server.
This functionality to transport files using HTTP to a remote server is supported on MXL, I/O Aggregator,
S4810, S4820, S6000, and Z9000 platforms.
Enter the following source-file-url keywords and information:

• To copy a file from the internal FLASH, enter flash:// followed by the filename.

• To copy the running configuration, enter the keyword running-config.

• To copy the startup configuration, enter the keyword startup-config.

• To copy a file on the external FLASH, enter usbflash:// followed by the filename.

Using Hashes to Validate Software Images

You can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm to validate the
software image on the flash drive, after the image has been transferred to the system, but before the
image has been installed. The validation calculates a hash value of the downloaded image file on system’s
flash drive, and, optionally, compares it to a Dell Networking published hash for that file.

The MD5 or SHA256 hash provides a method of validating that you have downloaded the original
software. Calculating the hash on the local image file, and comparing the result to the hash published for
that file on iSupport, provides a high level of confidence that the local copy is exactly the same as the
published software image. This validation procedure, and the verify {md5 | sha256} command to support
it, can prevent the installation of corrupted or modified images.

The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local
flash drive. You can compare the displayed hash against the appropriate hash published on i-Support.
Optionally, the published hash can be included in the verify {md5 | sha256} command, which will display
whether it matches the calculated hash of the indicated file.

To validate a software image:

1. Download Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP)

server. The published hash for that file is displayed next to the software image file on the iSupport
page.

2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy

command.

3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256

flash://FTOS-SE-9.5.0.0.bin

4. Compare the generated hash value to the expected hash value published on the iSupport page.

To validate the software image on the flash drive after the image has been transferred to the system, but
before the image has been installed, use the verify {md5 | sha256} [ flash://]img-file [hash-value]
command in EXEC mode.

• md5: MD5 message-digest algorithm

• sha256: SHA256 Secure Hash Algorithm

Getting Started

55

• flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the
image file name.

• hash-value: (Optional). Specify the relevant hash published on i-Support.

• img-file: Enter the name of the Dell Networking software image file to validate

Examples: Without Entering the Hash Value for Verification

MD5

Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459

SHA256

Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin:
e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933

Examples: Entering the Hash Value for Verification

MD5

Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin

SHA256

Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin

56

Getting Started

5

Management

Management is supported on the Z9000 platform.
This chapter describes the different protocols or services used to manage the Dell Networking system.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line.

There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.

Level Description

Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are

limited to enable, disable, and exit.

Level 1 Access to the system begins at EXEC mode, and all commands are available.

Level 15 Access to the system begins at EXEC Privilege mode, and all commands are

available.

Creating a Custom Privilege Level

Custom privilege levels start with the default EXEC mode command set. You can then customize privilege
levels 2-14 by:

• restricting access to an EXEC mode command

• moving commands from EXEC Privilege to EXEC mode

• restricting access

A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level,
use the privilege exec command from CONFIGURATION mode.

In the command, specify a level greater than the level given to a user or terminal line, then the first
keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec
command from CONFIGURATION mode.

In the command, specify the privilege level of the user or terminal line and specify all keywords in the
command to which you want to allow access.

Management

57

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure
command from CONFIGURATION mode.

A user that enters CONFIGURATION mode remains at his privilege level and has access to only two
commands, end and exit. You must individually specify each CONFIGURATION mode command you
want to allow access to using the privilege configure level level command. In the command,
specify the privilege level of the user or terminal line and specify all the keywords in the command to
which you want to allow access.

Allowing Access to the Following Modes

This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes.
Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP,
and ROUTER modes, you must first allow access to the command that enters you into the mode. For
example, to allow a user to enter INTERFACE mode, use the privilege configure level level
interface gigabitethernet command.

Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want
to allow access using the privilege {interface | line | route-map | router} level
level command. In the command, specify the privilege level of the user or terminal line and specify all
the keywords in the command to which you want to allow access.

To remove, move or allow access, use the following commands.

The configuration in the following example creates privilege level 3. This level:

• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4

• moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by
requiring a minimum privilege level 3, which is the configured level for VTY 0

• allows access to CONFIGURATION mode with the banner command

• allows access to INTERFACE and LINE modes are allowed with no commands

• Remove a command from the list of available commands in EXEC mode.
CONFIGURATION mode

privilege exec level level {command ||...|| command}

• Move a command from EXEC Privilege to EXEC mode.
CONFIGURATION mode

privilege exec level level {command ||...|| command}

• Allow access to CONFIGURATION mode.
CONFIGURATION mode

privilege exec level level configure

• Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in
the command.

CONFIGURATION mode

privilege configure level level {interface | line | route-map | router}
{command-keyword ||...|| command-keyword}

58

Management

• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode
command.

CONFIGURATION mode

privilege {configure |interface | line | route-map | router} level level
{command ||...|| command}

Example of EXEC Privilege Commands

Dell(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Dell#?
capture Capture packet
configure Configuring from terminal
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
ip Global IP subcommands
monitor Monitoring feature
mtrace Trace reverse multicast path from destination to source
ping Send echo messages
quit Exit from the EXEC
show Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.
Dell(conf)#?
end Exit from configuration mode
exit Exit from configuration mode
interface Select an interface to configure
line Configure a terminal line
linecard Set line card type
Dell(conf)#interface ?
fastethernet Fast Ethernet interface
gigabitethernet Gigabit Ethernet interface
loopback Loopback interface
managementethernet Management Ethernet interface
null Null interface
port-channel Port-channel interface
range Configure interface range
sonet SONET interface
tengigabitethernet TenGigabit Ethernet interface
vlan VLAN interface
Dell(conf)#interface gigabitethernet 1/1
Dell(conf-if-gi-1/1)#?
end Exit from configuration mode
exit Exit from interface configuration mode
Dell(conf-if-gi-1/1)#exit
Dell(conf)#line ?

Management

59

aux Auxiliary line
console Primary terminal line
vty Virtual terminal
Dell(conf)#line vty 0
Dell(config-line-vty)#?
exit Exit from line configuration mode
Dell(config-line-vty)#
Dell(conf)#interface group ?
fortyGigE FortyGigabit Ethernet interface
gigabitethernet GigabitEthernet interface IEEE 802.3z
tengigabitethernet TenGigabit Ethernet interface
vlan VLAN keyword
Dell(conf)# interface group vlan 1 - 2 , tengigabitethernet 0/0
Dell(conf-if-group-vl-1-2,te-0/0)# no shutdown
Dell(conf-if-group-vl-1-2,te-0/0)# end

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.

• Configure a privilege level for a user.
CONFIGURATION mode

username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.

• Configure a privilege level for a user.
CONFIGURATION mode

username username privilege level

NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC
mode, but the prompt is

hostname#, rather than hostname>.

Configuring Logging

The Dell Networking OS tracks changes in the system using event and error messages.
By default, Dell Networking OS logs these messages on:

• the internal buffer

• console and terminal lines

• any configured syslog servers

To disable logging, use the following commands.

• Disable all logging except on the console.
CONFIGURATION mode

no logging on

• Disable logging to the logging buffer.
CONFIGURATION mode

no logging buffer

60

Management

• Disable logging to terminal lines.
CONFIGURATION mode

no logging monitor

• Disable console logging.
CONFIGURATION mode

no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs.
The following is the configuration task list for audit and security logs:

• Enabling Audit and Security Logs

• Displaying Audit and Security Logs

• Clearing Audit Logs

Enabling Audit and Security Logs

You enable audit and security logs to monitor configuration changes or determine if these changes affect
the operation of the system in the network. You log audit and security events to a system log server,
using the

Audit Logs

logging extended command in CONFIGURATION mode.

The audit log contains configuration events and information. The types of information in this log consist
of the following:

• User logins to the switch.

• System events for network issues or system issues.

• Users making configuration changes. The switch logs who made the configuration changes and the
date and time of the change. However, each specific change on the configuration is not logged. Only
that the configuration was modified is logged with the user ID, date, and time of the change.

• Uncontrolled shutdown.

Security Logs

The security log contains security events and information. RBAC restricts access to audit and security logs
based on the CLI sessions’ user roles. The types of information in this log consist of the following:

• Establishment of secure traffic flows, such as SSH.

• Violations on secure flows or certificate issues.

• Adding and deleting of users.

• User access and configuration changes to the security and crypto parameters (not the key
information but the crypto configuration)

Important Points to Remember

Management

61

When you enabled RBAC and extended logging:

• Only the system administrator user role can execute this command.

• The system administrator and system security administrator user roles can view security events and
system events.

• The system administrator user roles can view audit, security, and system events.

• Only the system administrator and security administrator user roles can view security logs.

• The network administrator and network operator user roles can view system events.

NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user
role.

Example of Enabling Audit and Security Logs

Dell(conf)#logging extended

Displaying Audit and Security Logs

To display audit logs, use the show logging auditlog command in Exec mode. To view these logs,
you must first enable the logging extended command. Only the RBAC system administrator user role can
view the audit logs. Only the RBAC security administrator and system administrator user role can view the
security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user
role. To view security logs, use the

Example of the show logging auditlog Command

For information about the logging extended command, see Enabling Audit and Security Logs

show logging command.

Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0
(10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from
vty0 (10.14.1.98)

Example of the show logging Command for Security

For information about the logging extended command, see Enabling Audit and Security Logs

Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP
user admin on line vty0 ( 10.14.1.91 )

%SEC-5-LOGIN_SUCCESS: Login successful for

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is
enabled, only the system administrator user role can issue this command.

Example of the clear logging auditlog Command

Dell# clear logging auditlog

Configuring Logging Format

To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version [0 | 1}
command in CONFIGURATION mode. By default, the system log version is set to 0.

62

Management

The following describes the two log messages formats:

• 0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol

• 1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol

Example of Configuring the Logging Message Format

Dell(conf)#logging version ?
<0-1> Select syslog version (default = 0)
Dell(conf)#logging version 1

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with the port forwarding to securely connect to a syslog server.

Pre-requisites

To configure a secure connection from the switch to the syslog server:

1. On the switch, enable the SSH server

Dell(conf)#ip ssh server enable

Management

63

2. On the syslog server, create a reverse SSH tunnel from the syslog server to FTOS switch, using

following syntax:

ssh -R <remote port>:<syslog server>:<syslog server listen port>
user@remote_host -nNf

In the following example the syslog server IP address is 10.156.166.48 and the listening port is

5141. The switch IP address is 10.16.131.141 and the listening port is 5140

ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf

3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”.

If you do not, the system displays an error when you attempt to enable role-based only AAA
authorization.

Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled

Configuration Task List for System Log Management

There are two configuration tasks for system log management:

• Disable System Logging

• Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the
console, and the syslog servers.
To disable system logging, use the following commands.

• Disable all logging except on the console.
CONFIGURATION mode

no logging on

• Disable logging to the logging buffer.
CONFIGURATION mode

no logging buffer

• Disable logging to terminal lines.
CONFIGURATION mode

no logging monitor

• Disable console logging.
CONFIGURATION mode

no logging console

64

Management

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog
standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009,
obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.

• Specify the server to which you want to send system messages. You can configure up to eight syslog
servers.

CONFIGURATION mode

logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}

Configuring a UNIX System as a Syslog Server

To configure a UNIX System as a syslog server, use the following command.

• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the
UNIX system and assigning write permissions to the file.

– Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log

– Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log

In the previous lines, local7 is the logging facility level and debugging is the severity level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage
location.

The default is to log all messages up to debug level, that is, all system messages. By changing the severity
level in the logging commands, you control the number of system messages logged.

To specify the system logging settings, use the following commands.

• Specify the minimum severity level for logging to the logging buffer.
CONFIGURATION mode

logging buffered level

• Specify the minimum severity level for logging to the console.
CONFIGURATION mode

logging console level

• Specify the minimum severity level for logging to terminal lines.
CONFIGURATION mode

logging monitor level

• Specify the minimum severity level for logging to a syslog server.
CONFIGURATION mode

logging trap level

• Specify the minimum severity level for logging to the syslog history table.
CONFIGURATION mode

Management

65

logging history level

• Specify the size of the logging buffer.
CONFIGURATION mode

logging buffered size

NOTE: When you decrease the buffer size, Dell Networking OS deletes all messages stored in
the buffer. Increasing the buffer size does not affect messages in the buffer.

• Specify the number of messages that Dell Networking OS saves to its logging history table.
CONFIGURATION mode

logging history size size

To view the logging buffer and configuration, use the show logging command in EXEC privilege mode,
as shown in the example for

To view the logging configuration, use the show running-config logging command in privilege
mode, as shown in the example for Configure a UNIX Logging Facility Level.

Display the Logging Buffer and the Logging Configuration.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the
show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered
based on the user roles. Only the security administrator and system administrator can view the security
logs.

Example of the show logging Command

Dell#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up

66

Management

%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8

To view any changes made, use the show running-config logging command in EXEC privilege
mode, as shown in the example for Configure a UNIX Logging Facility Level.

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command.

• Specify one of the following parameters.
CONFIGURATION mode

logging facility [facility-type]

– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system use)
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX copy protocol)

Example of the show running-config logging Command

To view nondefault settings, use the show running-config logging command in EXEC mode.

Management

67

Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#

Synchronizing Log Messages

You can configure Dell Networking OS to filter and consolidate the system messages for a specific line by
synchronizing the message output.

Only the messages with a severity at or below the set level appear. This feature works on the terminal and
console connections available on the system.

1. Enter LINE mode.

CONFIGURATION mode

line {console 0 | vty number [end-number] | aux 0}

Configure the following parameters for the virtual terminal lines:

• number: the range is from zero (0) to 8.

• end-number: the range is from 1 to 8.

You can configure multiple virtual terminals at one time by entering a number and an end-number.

2. Configure a level and set the maximum number of messages to print.

LINE mode

logging synchronous [level severity-level | all] [limit]

Configure the following optional parameters:

• level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to

include all messages.

• limit: the range is from 20 to 300. The default is 20.

To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was
created.
To enable timestamp, use the following command.

• Add timestamp to syslog messages.
CONFIGURATION mode

68

Management

service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone]
| uptime]

Specify the following optional parameters:
– You can add the keyword localtime to include the localtime, msec, and show-timezone. If

you do not add the keyword localtime, the time is UTC.

– uptime: To view time since last boot.

If you do not specify a parameter, Dell Networking OS configures uptime.

To view the configuration, use the show running-config logging command in EXEC privilege mode.

To disable time stamping on syslog messages, use the no service timestamps [log | debug]
command.

File Transfer Services

With Dell Networking OS, you can configure the system to transfer files over the network using the file
transfer protocol (FTP).

One FTP application is copying the system image files over an interface on to the system; however, FTP is
not supported on virtual local area network (VLAN) interfaces.

For more information about FTP, refer to RFC 959, File Transfer Protocol.

NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP
server.

Configuration Task List for File Transfer Services

The configuration tasks for file transfer services are:

• Enable FTP Server (mandatory)

• Configure FTP Server Parameters (optional)

• Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command.
To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.

• Enable FTP on the system.
CONFIGURATION mode

ftp-server enable

Example of Viewing FTP Configuration

Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#

Management

69

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters.
To specify the system logging settings, use the following commands.

• Specify the directory for users using FTP to reach the system.
CONFIGURATION mode

ftp-server topdir dir

The default is the internal flash directory.

• Specify a user name for all FTP users and configure either a plain text or encrypted password.
CONFIGURATION mode

ftp-server username username password [encryption-type] password

Configure the following optional and required parameters:
– username: enter a text string.

– encryption-type: enter 0 for plain text or 7 for encrypted text.

– password: enter a text string.

NOTE: You cannot use the change directory (cd) command until you have configured ftp-
server topdir.

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.

• Enter the following keywords and slot/port or number information:
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port

information.
– For a loopback interface, enter the keyword loopback then a number between 0 and 16383.

– For a port channel interface, enter the keywords port-channel then a number from 1 to 255 for

TeraScale and ExaScale.
– For a SONET interface, enter the keyword sonet then the slot/port information.

– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port

information.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.

– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.

CONFIGURATION mode

ip ftp source-interface interface

• Configure a password.
CONFIGURATION mode

ip ftp password password

70

Management

• Enter a username to use on the FTP client.
CONFIGURATION mode

ip ftp username name

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode,
as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles.
Terminal lines on the system provide different means of accessing the system. The console line (console)

connects you through the console port in the route processor modules (RPMs). The virtual terminal lines
(VTYs) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices
such as modems.

Denying and Permitting Access to a Terminal Line

Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit
access to VTY lines.

• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with
no rules does not deny traffic.

• You cannot use the show ip accounting access-list command to display the contents of an
ACL that is applied only to a VTY line.

To apply an IP ACL to a line, Use the following command.

• Apply an ACL to a VTY line.
LINE mode

ip access-class access-list

Example of an ACL that Permits Terminal Access

To view the configuration, use the show config command in LINE mode.

Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
access-class myvtyacl

Dell Networking OS Behavior: Prior to Dell Networking OS version 7.4.2.0, in order to deny access on a
VTY line, apply an ACL and accounting, authentication, and authorization (AAA) to the line. Then users are
denied access only after they enter a username and password. Beginning in Dell Networking OS version

7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username

and password.

Management

71

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal
line.
A combination of authentication methods is called a method list. If the user fails the first authentication
method, Dell Networking OS prompts the next method until all methods are exhausted, at which point
the connection is terminated. The available authentication methods are:

enable

line

local

none

radius

tacacs+

1. Configure an authentication method list. You may use a mnemonic name or use the keyword

default. The default authentication method for terminal lines is local and the default method list is
empty.

CONFIGURATION mode

aaa authentication login {method-list-name | default} [method-1] [method-2]
[method-3] [method-4] [method-5] [method-6]

2. Apply the method list from Step 1 to a terminal line.

CONFIGURATION mode

login authentication {method-list-name | default}

3. If you used the line authentication method in the method list you applied to the terminal line,

configure a password for the terminal line.
LINE mode

Prompt for the enable password.

Prompt for the password you assigned to the terminal line. Configure a password
for the terminal line to which you assign a method list that contains the line
authentication method. Configure a password using the password command from
LINE mode.

Prompt for the system username and password.

Do not authenticate the user.

Prompt for a username and password and use a RADIUS server to authenticate.

Prompt for a username and password and use a TACACS+ server to authenticate.

password

Example of Terminal Line Authentication

In the following example, VTY lines 0-2 use a single authentication method, line.

Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword

72

Management

login authentication myvtymethodlist
Dell(config-line-vty)#

Setting Time Out of EXEC Privilege Mode

EXEC time-out is a basic security feature that returns Dell Networking OS to EXEC mode after a period of
inactivity on the terminal lines.
To set time out, use the following commands.

• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes
on VTY. Disable EXEC time out by setting the time-out period to 0.

LINE mode

exec-timeout minutes [seconds]

• Return to the default time-out values.
LINE mode

no exec-timeout

Example of Setting the Time Out Period for EXEC Privilege Mode

The following example shows how to set the time-out period and how to view the configuration using
the show config command from LINE mode.

Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
exec-timeout 0 0
Dell(config-line-console)#

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.

NOTE: On the Z9000 platform, the system allows 120 Telnet sessions per minute, allowing the login
and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit,
the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the
system during downtime.

• Telnet to the peer RPM. You do not need to configure the management port on the peer RPM to be
able to telnet to it.

EXEC Privilege mode

telnet-peer-rpm

• Telnet to a device with an IPv4 or IPv6 address.
EXEC Privilege

telnet [ip-address]

If you do not enter an IP address, Dell Networking OS enters a Telnet dialog that prompts you for one.

Enter an IPv4 address in dotted decimal format (A.B.C.D).

Management

73

Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros
is supported.

Example of the telnet Command for Device Access

Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#

Lock CONFIGURATION Mode

Dell Networking OS allows multiple users to make configurations at the same time. You can lock
CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message

2).

You can set two types of lockst: auto and manual.

• Set auto-lock using the configuration mode exclusive auto command from
CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all
other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter
CONFIGURATION mode without having to set the lock again.

• Set manual lock using the configure terminal lock command from CONFIGURATION mode.
When you configure a manual lock, which is the default, you must enter this command each time you
want to enter CONFIGURATION mode and deny access to others.

Viewing the Configuration Lock Status

If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the show configuration lock command from
EXEC Privilege mode.

You can then send any user a message using the send command from EXEC Privilege mode.
Alternatively, you can clear any line using the
console session, the user is returned to EXEC mode.

Example of Locking CONFIGURATION Mode for Single-User Access

Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console

Dell#config
! Locks configuration mode exclusively.
Dell(conf)#

clear command from EXEC Privilege mode. If you clear a

74

Management

If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears
on their terminal (message 1): % Error: User "" on line console0 is in exclusive
configuration mode.

If any user is already in CONFIGURATION mode when while a lock is in place, the following appears on
their terminal (message 2): % Error: Can't lock configuration mode exclusively since

the following users are currently configuring the system: User "admin" on line
vty1 ( 10.1.1.1 ).

NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though
you are the one that configured the lock.

NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.

Recovering from a Forgotten Password on the Z9000 System

If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password, use the following commands.

1. Log onto the system using the console.

2. Power-cycle the chassis by disconnecting and.then reconnecting the power cord.

3. Press Esc when prompted to abort the boot process.

(during bootup)

hit any key

NOTE: You must enter the CLI commands. The system rejects them if they are copied and
pasted.

4. The Grub menu displays.

Enter c to get to the Grub boot load command line grub> prompt.

5. Set the system parameters to ignore the enable password when the system reloads and reboot the

environment.

grub>set stconfigignore=true

grub>save_env stconfigignore

grub>reboot

6. The Z9000 boots up with the factory default configuration. The default Dell Networking OS system

prompt displays when the system boot up is complete.

NOTE: Do not press any keys during the boot-up process.

7. Copy the startup-config into the running-config.

EXEC Privilege mode

copy flash://startup-config running-config

Management

75

8. Display the content of the startup-config.

EXEC Privilege mode

show running-config

9. Remove the previous authentication configuration.

config t

10. Set the new authentication parameters. The remainder of the previous configuration is preserved.

no enable password

enable password [newpassword]

exit

11. Save the running-config to the startup-config in flash by default.

write-mem

12. Save the running-config.

EXEC Privilege mode

copy running-config startup-config

Recovering from a Forgotten Enable Password on the Z9000

Use the following commands if you forget the enable password.

1. Log onto the system using the console.

2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.

3. Press any key to abort the boot process. You enter grub on the Z9000, as indicated by the grub>

prompt.
(during bootup)

hit any key

NOTE: You must enter the CLI commands. The system rejects them if they are copied and
pasted.

4. The Grub menu displays. Enter c to get to the Grub boot load command line grub> prompt.

5. Set the system parameters to ignore the enable password when the system reloads and save the

environment.
uBoot mode

grub>setenv enablepwdignore=true

grub>save_env enablepwdignore

6. Reload the system.

uBoot mode

reset

7. Configure a new enable password.

CONFIGURATION mode

enable {secret | password}

76

Management

8. Save the running-config to the startup-config.

EXEC Privilege mode

copy running-config startup-config

Recovering from a Failed Start on the Z9000 System

A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS
image or from a mis-specified location.
In this case, you can restart the system and interrupt the boot process to point the system to another
boot location. Use the set command, as described in the following steps. For details about the set
command, its supporting commands, and other commands that can help recover from a failed start, the
GRUB chapter in the Dell Networking OS Command Line Reference Guide.

1. Power-cycle the chassis (pull the power cord and reinsert it).

2. Press the ESC key when the following message appears: Press Esc to stop autoboot...

(during bootup)

Press ESC key

3. Use the arrow keys to select “Force10 Boot” from the list, then press the “C” key to enter GRUB CLI

mode. The command prompt changes to
GRUB mode

4. Set the Primary Boot Parameter.

GRUB mode

grub>.

set primary_boot=’f10boot location’

5. (Optional) Set the Secondary and Default Boot parameters.

GRUB mode

set secondary_boot=’f10boot location’

set default_boot=’f10boot location’

6. Save all variables individually.

GRUB mode

save_env primary_boot

save_env secondary_boot

save_env default_boot

NOTE: This command must be used once for each environment variable. If this step is not
completed, the chassis reboots continually.

7. Reboot the chassis.

GRUB mode

reboot

Management

77

Restoring the Factory Default Settings

Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all
configured settings such as, stacking or fanout.

Z9000MXL Switch

To restore the factory default settings, use the restore factory-defaults stack-unit {0-5 |

all} {clear-all | nvram}

CAUTION: There is no undo for this command.

Important Points to Remember

• When you restore all the units in a stack, these units are placed in standalone mode.

• When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units
in the stack are affected.

• When you restore the units in standalone mode, the units remain in standalone mode after the
restoration.

• After the restore is complete, the units power cycle immediately.

The following example illustrates the restore factory-defaults command to restore the factory default
settings.

Dell#restore factory-defaults stack-unit 0 nvram

command in EXEC Privilege mode.

***********************************************************************
* Warning - Restoring factory defaults will delete the existing *
* persistent settings (stacking, fanout, etc.) *
* After restoration the unit(s) will be powercycled immediately. *
* Proceed with caution ! *
***********************************************************************

Proceed with factory settings? Confirm [yes/no]:yes

-- Restore status --

Unit Nvram Config

------------------------

0 Success

Power-cycling the unit(s).

....

Restoring Factory Default Environment Variables

The Boot line determines the location of the image that is used to boot up the chassis after restoring
factory default settings. Ideally, these locations contain valid images, using which the chassis boots up.

While restoring factory-default settings, you can either use a flash boot procedure or a network boot
procedure to boot the device.

When you use the flash boot procedure to boot the device, the boot loader checks if the primary or the
secondary partition contains a valid image. If the primary partition contains a valid image, then the
primary boot line is set to A: and the secondary and default boot lines are set to a Null String. If the

78

Management

secondary partition contains a valid image, then the primary boot line is set to B: and the secondary and
default boot lines are set to a Null String. If both the partitions contain invalid images, then primary,
secondary, and default boot line values are set to a Null string.

When you use the Network boot procedure to boot the device, the boot loader checks if the primary
partition contains a valid image. If a valid image exists on the primary partition and the secondary partition
does not contain a valid image, then the primary boot line is set to A: and the secondary and default boot
lines are set to a Null string. If the secondary partition also contains a valid image, then the primary boot
line value is set to the partition that is configured to be used to boot the device in a network failure
scenario. The secondary and default boot line values are set to a Null string.

Important Points to Remember

• The Chassis remains in boot prompt if none of the partitions contain valid images.

• To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.

In case the system fails to reload the image from the partition, perform the following steps:

1. Power-cycle the chassis (pull the power cord and reinsert it).

2. Press any key to abort the boot process (while the system prompts to).

3. Press c to get into the grub mode.

You immediately enter the grub mode, which is indicated by the grub> prompt.

4. Assign the new location of the FTOS image to be used when the system reloads.

To boot from flash partition A:

grub> set primary_boot="f10boot flash0"

To boot from flash partition B:

grub> set primary_boot="f10boot flash1"

To boot from network:

grub> set primary_boot="f10boot tftp://10.16.127.35/FTOS-ZB.bin"

5. Assign an IP address and netmask to the Management Ethernet interface.

grub> set ipaddr="10.16.151.239"

grub> set netmask="255.255.0.0"

6. Assign an IP address as the default gateway for the system.

grub> set gatewayip="10.16.151.254"

7. Save the modified environmental variables.

grub> save_env environment_variables

NOTE: Repeat this step for all the environment variables.

8. Reload the system.

Management

79

grub> reboot

80

Management

6

802.1X

802.1X is supported on the Z9000 platform.

802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is

disallowed from sending or receiving packets on the network until its identity can be verified (through a
username and password, for example). This feature is named for its IEEE specification.

802.1X employs extensible authentication protocol (EAP) to transfer a device’s credentials to an

authentication server (typically RADIUS) using a mandatory intermediary network access device, in this
case, a Dell Networking switch. The network access device mediates all communication between the
end-user device and the authentication server so that the network remains secure. The network access
device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over­RADIUS to communicate with the server.

NOTE: The Dell Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP­TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.

The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.

Figure 2. EAP Frames Encapsulated in Ethernet and RADUIS

802.1X

81

Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS

The authentication process involves three devices:

• The device attempting to access the network is the supplicant. The supplicant is not allowed to
communicate on the network until the authenticator authorizes the port. It can only communicate
with the authenticator in response to 802.1X requests.

• The device with which the supplicant communicates is the authenticator. The authenticator is the
gate keeper of the network. It translates and forwards requests and responses between the
authentication server and the supplicant. The authenticator also changes the status of the port based
on the results of the authentication process. The Dell Networking switch is the authenticator.

• The authentication-server selects the authentication method, verifies the information the supplicant
provides, and grants it network access privileges.

Ports can be in one of two states:

• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in
or out of the port.

• The authenticator changes the port state to authorized if the server can authenticate the supplicant.
In this state, network traffic can be forwarded normally.

NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by
default.

The Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from
down to up:

1. When the authenticator senses a link state change, it requests that the supplicant identify itself using

an EAP Identity Request frame.

2. The supplicant responds with its identity in an EAP Response Identity frame.

82

802.1X

3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a

RADIUS Access-Request frame and forwards the frame to the authentication server.

4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame

requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP­Method). The challenge is translated and forwarded to the supplicant by the authenticator.

5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant

provides the Requested Challenge information in an EAP response, which is translated and
forwarded to the authentication server as another Access-Request frame.

6. If the identity information provided by the supplicant is valid, the authentication server sends an

Access-Accept frame in which network privileges are specified. The authenticator changes the port
state to authorized and forwards an EAP Success frame. If the identity information is invalid, the
server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator
forwards an EAP Failure frame.

Figure 4. EAP Port-Authentication

802.1X

83

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as

defined in RFC 3579.

EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV)
format. The Type value for EAP messages is 79.

Figure 5. EAP Over RADIUS

RADIUS Attributes for 802.1 Support

Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request
messages:

Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.

Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.

Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to

the supplicant.

Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of

users.

Configuring 802.1X

Configuring 802.1X on a port is a one-step process.

For more information, refer to Enabling 802.1X.

Related Configuration Tasks

• Configuring Request Identity Re-Transmissions

• Forcibly Authorizing or Unauthorizing a Port

• Re-Authenticating a Port

• Configuring Timeouts

• Configuring a Guest VLAN

• Configuring an Authentication-Fail VLAN

84

802.1X

Important Points to Remember

• Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1,
and MS-CHAPv2 with PEAP.

• All platforms support only RADIUS as the authentication server.

• If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary
RADIUS server, if configured.

• 802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X

Enable 802.1X globally.

Figure 6. 802.1X Enabled

1. Enable 802.1X globally.

CONFIGURATION mode

802.1X

85

dot1x authentication

2. Enter INTERFACE mode on an interface or a range of interfaces.

INTERFACE mode

interface [range]

3. Enable 802.1X on the supplicant interface only.

INTERFACE mode

dot1x authentication

Examples of Verifying that 802.1X is Enabled Globally and on an Interface

Verify that 802.1X is enabled globally and at the interface level using the show running-config |
find dot1x command from EXEC Privilege mode.

In the following example, the bold lines show that 802.1X is enabled.

Dell#show running-config | find dot1x

dot1x authentication

!
[output omitted]
!
interface TenGigabitEthernet 2/1
no ip address
dot1x authentication
no shutdown
!
Dell#

To view 802.1X configuration information for an interface, use the show dot1x interface command.

In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default.

Dell#show dot1x interface TenGigabitEthernet 2/1

802.1x information on Te 2/1:

-----------------------------

Dot1x Status: Enable

Port Control: AUTO

Port Auth Status: UNAUTHORIZED

Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

86

802.1X

Configuring Request Identity Re-Transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the
authenticator waits 30 seconds and then re-transmits the frame.
The amount of time that the authenticator waits before re-transmitting and the maximum number of
times that the authenticator re-transmits are configurable.

NOTE: There are several reasons why the supplicant might fail to respond; for example, the
supplicant might have been booting when the request arrived or there might be a physical layer
problem.

To configure re-transmissions, use the following commands.

• Configure the amount of time that the authenticator waits before re-transmitting an EAP Request
Identity frame.

INTERFACE mode

dot1x tx-period number

The range is from 1 to 65535 (1 year)

The default is 30.

• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode

dot1x max-eap-req number

The range is from 1 to 10.

The default is 2.

The example in Configuring a Quiet Period after a Failed Authentication shows configuration information
for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and
re-transmits a maximum of 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame
after 30 seconds by default, but you can configure this period.

NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed
authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive
supplicant.

To configure a quiet period, use the following command.

• Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame
after a failed authentication.

INTERFACE mode

dot1x quiet-period seconds

The range is from 1 to 65535.

The default is 60 seconds.

802.1X

87

Example of Configuring and Verifying Port Authentication

The following example shows configuration information for a port for which the authenticator re­transmits an EAP Request Identity frame:

• after 90 seconds and a maximum of 10 times for an unresponsive supplicant

• re-transmits an EAP Request Identity frame

The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.

FTOS(conf-if-range-Te-0/0)#dot1x tx-period 90
FTOS(conf-if-range-Te-0/0)#dot1x max-eap-req 10
FTOS(conf-if-range-Te-0/0)#dot1x quiet-period 120
FTOS#show dot1x interface TenGigabitEthernet 2/1

802.1x information on Te 2/1:

-----------------------------

Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED

Re-Authentication: Disable

Untagged VLAN id: None
Tx Period: 90 seconds

Quiet Period: 120 seconds

ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds

Max-EAP-Req: 10

Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.1X requires that a port can be manually placed into any of three states:

• ForceAuthorized — an authorized state. A device connected to this port in this state is never
subjected to the authentication process, but is allowed to communicate on the network. Placing the
port in this state is same as disabling 802.1X on the port.

• ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never
subjected to the authentication process and is not allowed to communicate on the network. Placing
the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate
authentication is ignored.

• Auto — an unauthorized state by default. A device connected to this port in this state is subjected to
the authentication process. If the process is successful, the port is authorized and the connected
device can communicate on the network. All ports are placed in the Auto state by default.

To set the port state, use the following command.

• Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode

dot1x port-control {force-authorized | force-unauthorized | auto}

The default state is auto.

88

802.1X

Example of Placing a Port in Force-Authorized State and Viewing the Configuration

The example shows configuration information for a port that has been force-authorized.

The bold line shows the new port-control state.

Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0

802.1x information on Te 0/0:

-----------------------------

Dot1x Status: Enable

Port Control: FORCE_AUTHORIZED

Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication.
After the supplicant has been authenticated, and the port has been authorized, you can configure the
authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the
supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can
configure a maximum number of re-authentications as well.

To configure re-authentication time settings, use the following commands.

• Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode

dot1x reauthentication [interval] seconds

The range is from 1 to 65535.

The default is 3600.

• Configure the maximum number of times that the supplicant can be re-authenticated.
INTERFACE mode

dot1x reauth-max number

The range is from 1 to 10.

The default is 2.

Example of Re-Authenticating a Port and Verifying the Configuration

802.1X

89

The bold lines show that re-authentication is enabled and the new maximum and re-authentication time
period.

Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200
Dell(conf-if-Te-0/0)#dot1x reauth-max 10
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0

802.1x information on Te 0/0:

-----------------------------

Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED

Port Auth Status: UNAUTHORIZED

Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds

ReAuth Max: 10

Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds

Re-Auth Interval: 7200 seconds

Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the
authentication process after 30 seconds by default. You can configure the amount of time the
authenticator waits for a response.

To terminate the authentication process, use the following commands.

• Terminate the authentication process due to an unresponsive supplicant.
INTERFACE mode

dot1x supplicant-timeout seconds

The range is from 1 to 300.

The default is 30.

• Terminate the authentication process due to an unresponsive authentication server.
INTERFACE mode

dot1x server-timeout seconds

The range is from 1 to 300.

The default is 30.

Example of Viewing Configured Server Timeouts

The example shows configuration information for a port for which the authenticator terminates the
authentication process for an unresponsive supplicant or server after 15 seconds.

90

802.1X

The bold lines show the new supplicant and server timeouts.

Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0

802.1x information on Te 0/0:

-----------------------------

Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10

Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds

Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10

Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Enter the tasks the user should do after finishing this task (optional).

Configuring Dynamic VLAN Assignment with Port Authentication

Dell Networking OS supports dynamic VLAN assignment when using 802.1X.
The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN
assignment uses the standard dot1x procedure:

1. The host sends a dot1x packet to the Dell Networking system

2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port

number

3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN

assignment using Tunnel-Private-Group-ID

The illustration shows the configuration on the Dell Networking system before connecting the end user
device in black and blue text, and after connecting the device in red text. The blue text corresponds to
the preceding numbered steps on dynamic VLAN assignment with 802.1X.

802.1X

91

Figure 7. Dynamic VLAN Assignment

1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations

(refer to the illustration inDynamic VLAN Assignment with Port Authentication).

2. Make the interface a switchport so that it can be assigned to a VLAN.

3. Create the VLAN to which the interface will be assigned.

4. Connect the supplicant to the port configured for 802.1X.

5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in

Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the
supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and
places it in either the VLAN for which the port is configured or the VLAN that the authentication server
indicates in the authentication data.

NOTE: Ports cannot be dynamically assigned to the default VLAN.

92

802.1X

If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases
this behavior is not appropriate. External users of an enterprise network, for example, might not be able
to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network
printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to
connect such devices, they must be allowed access the network without compromising network security.

The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices
and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.

• If the supplicant fails authentication a specified number of times, the authenticator places the port in
the Authentication-fail VLAN.

• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of
the Guest VLAN and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, the
system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.

NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.

Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show
config command from INTERFACE mode or using the show dot1x interface command from EXEC
Privilege mode.

Example of Viewing Guest VLAN Configuration

Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
switchport
dot1x guest-vlan 200
no shutdown
Dell(conf-if-Te 2/1))#

Configuring an Authentication-Fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified
amount of time.

NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period

after a Failed Authentication.

You can configure the maximum number of times the authenticator re-attempts authentication after a
failure (3 by default), after which the port is placed in the Authentication-fail VLAN.

Configure a port to be placed in the VLAN after failing the authentication process as specified number of
times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum
number of authentication attempts by the authenticator using the keyword max-attempts with this
command.

Example of Configuring Maximum Authentication Attempts

Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te 2/1)#show config

802.1X

93

!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
no shutdown
Dell(conf-if-Te-2/1)#

Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200

dot1x auth-fail-vlan 100 max-attempts 5

no shutdown
Dell(conf-if-Te-2/1)#

Example of Viewing Configured Authentication

View your configuration using the show config command from INTERFACE mode, as shown in the
example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC
Privilege mode.

802.1x information on Te 2/1:

-----------------------------

Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None

Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5

Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST

Auth PAE State: Initialize
Backend State: Initialize

94

802.1X

7

Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps.

• Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on
the Z9000 platform.

At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on
MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps.
For MAC ACLS, refer to Layer 2.

An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol
[TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are
processed in sequence so that if a packet does not match the criterion in the first filter, the second filter
(if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based
on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is
dropped (implicit deny).

The number of ACLs supported on a system depends on your content addressable memory (CAM) size.
For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete
CAM profiling information, refer to Content Addressable Memory (CAM).

Starting from the release 9.4.(0.0), you can configure ACLs on VRF instances. In addition to the existing
qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of the parameters. Using this new
capability, you can also configure VRF based ACLs on interfaces.

NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.

You can apply VRF-aware ACLs on:

• VRF Instances

• Interfaces

In order to configure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You
can use the cam-acl command for allocating CAM regions. As part of the enhancements to support
VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to
allocate a CAM region:

The order of priority for configuring user-defined ACL CAM regions is as follows:

• V4 ACL CAM

• VRF V4 ACL CAM

• L2 ACL CAM

With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:

• Port/VLAN based PERMIT/DENY Rules

Access Control Lists (ACLs)

vrfv4acl.

95

• Port/VLAN based IMPLICIT DENY Rules

• VRF based PERMIT/DENY Rules

• VRF based IMPLICIT DENY Rules

NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must
have an implicit-permit option.

You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip

access-group

for configuring ACLs on interfaces. The VRF range is from 1 to 63. These ACLs use the existing V4 ACL
CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM
region.

NOTE: You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of
VRFs but not both.

command, in addition to a range of VLANs, you can also specify a range of VRFs as input

IP Access Control Lists (ACLs)

In Dell Networking switch/routers, you can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the

following criteria:

• IP protocol number

• Source IP address

• Destination IP address

• Source TCP port number

• Destination TCP port number

• Source UDP port number

• Destination UDP port number

For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.

For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP
ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.

When creating an access list, the sequence of the filters is important. You have a choice of assigning
sequence numbers to the filters as you enter them, or the Dell Networking Operating System (OS) assigns
numbers in the order the filters are created. The sequence numbers are listed in the display output of the
show config and show ip accounting access-list commands.

Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already
written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to
accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and
extended ACLs and on all platforms.

NOTE: Hot lock ACLs are supported for Ingress ACLs only.

CAM Usage

The following section describes CAM allocation and CAM optimization.

• User Configurable CAM Allocation

96

Access Control Lists (ACLs)

• CAM Optimization

User Configurable CAM Allocation

User configurable CAM allocations are supported on the Z9000 platform.

Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode.

The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP
blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.)

Enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either
even or odd numbered ranges.

If you want to configure ACL's on VRF instances, you must allocate a CAM region using the vrfv4acl
option in the cam-acl command.

Save the new CAM settings to the startup-config (use write-mem or copy run start) then reload the
system for the new settings to take effect.

CAM Optimization

The CAM optimization command is supported on the Z9000 platform.

When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip­precedence rules) is applied to more than one physical interface on the same port-pipe, only a single
copy of the policy is written (only one FP entry is used). When you disable this command, the system
behaves as described in this chapter.

Test CAM Usage

The test cam-usage command is supported on the Z9000 platform.

This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS
optimization for IPv6 ACLs.

To determine whether sufficient ACL CAM space is available to enable a service-policy, use this
command. To verify the actual CAM space required, create a class map with all the required ACL rules,
then execute the test cam-usage command in Privilege mode. The following example shows the
output when executing this command. The status column indicates whether you can enable the policy.

Example of the test cam-usage Command

Dell#test cam-usage service-policy input TestPolicy linecard all

Linecard|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status

--------------------------------------------------------------------------

2| 1| IPv4Flow| 232| 0|Allowed
2| 1| IPv6Flow| 0| 0|Allowed
4| 0| IPv4Flow| 232| 0|Allowed
4| 0| IPv6Flow| 0| 0|Allowed
Dell#

Access Control Lists (ACLs)

97

Implementing ACLs on Dell Networking OS

You can assign one IP ACL per interface with Dell Networking OS. If you do not assign an IP ACL to an
interface, it is not used by the software in any other capacity.

The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries
allowed per ACL, refer to your line card documentation.

If counters are enabled on ACL rules that are already configured, those counters are reset when a new
rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the
counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no
need to shift the flow in the hardware, the counters are not disturbed. This is applicable to the following
features:

• L2 Ingress Access list

• L2 Egress Access list

NOTE: IP ACLs are supported over VLANs in Dell Networking OS version 6.2.1.1 and higher.

ACLs and VLANs

There are some differences when assigning ACLs to a VLAN rather than a physical port.

For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is
installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. Whereas
if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each
port belonging to a port-pipe.

When you use the log keyword, the CP has to log the details about the packets that match. Depending
on how many packets match the log entry and at what rate, the CP might become busy as it has to log
these packets’ details. However, the other processors (RP1 and RP2) are unaffected. This option is
typically useful when debugging some problem related to control traffic. We have used this option
numerous times in the field and have not encountered problems so far.

ACL Optimization

If an access list contains duplicate entries, Dell Networking OS deletes one entry to conserve CAM space.

Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM
entries whether it is identified as a standard or extended ACL.

Determine the Order in which ACLs are Used to Classify Traffic

When you link class-maps to queues using the service-queue command, Dell Networking OS matches
the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).

As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.

Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against

cmap1 and are buffered in queue 7, though you intended for these packets to match positive against
cmap2 and be buffered in queue 4.

In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules. The order can range from
0 to 254. Dell Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers

98

Access Control Lists (ACLs)

closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By
default, all ACL rules have an order of 255.

Example of the order Keyword to Determine ACL Sequence

Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface te 10/0
Dell(conf-if-te-10/0)#service-policy input pmap

IP Fragment Handling

Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly
second and subsequent packets.

It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable
to all Layer protocols (permit/deny ip/tcp/udp/icmp).

• Both standard and extended ACLs support IP fragments.

• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the
packet as a whole cannot be reassembled.

• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.

• For IP ACL, Dell Networking OS always applies implicit deny. You do not have to configure it.

• For IP ACL, Dell Networking OS applies implicit permit for second and subsequent fragment just prior
to the implicit deny.

• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit
rule for fragments.

• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL
with the fragments option and apply it to a Loopback interface, the command is accepted but the
ACL entries are not actually installed the offending rule in CAM.

IP Fragments ACL Examples

The following examples show how you can use ACL commands with the fragment keyword to filter
fragmented packets.

Example of Permitting All Packets on an Interface

The following configuration permits all packets (both fragmented and non-fragmented) with destination
IP 10.1.1.1. The second rule does not get hit at all.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32FTOS(conf-ext-nacl)#

deny ip any

Access Control Lists (ACLs)

99

10.1.1.1./32 fragments

Dell(conf-ext-nacl)

Example of Denying Second and Subsequent Fragments

To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all
second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non­fragmented packets with destination IP 10.1.1.1.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)

Layer 4 ACL Rules Examples

The following examples show the ACL commands for Layer 4 packet filtering.

Permit an ACL line with L3 information only, and the fragments keyword is present:

If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked.

• If a packet's FO > 0, the packet is permitted.

• If a packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present:

If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked.

• If a packet's FO > 0, the packet is denied.

• If a packet's FO = 0, the next ACL line is processed.

Example of Permitting All Packets from a Specified Host

In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
All others are denied.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#
Dell(conf-ext-nacl)

Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host

In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1
with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host

10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

Example of Logging Denied Packets

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/
UDP fragments, use a configuration similar to the following.

deny ip any any fragment

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment

100

Access Control Lists (ACLs)