Dell Networking S3100 User Manual

Dell Conguration Guide for the S3100 Series
9.11(2.1)
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2017 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other
2017 - 06
Rev. A00
Contents
1 About this Guide
Audience
Conventions
Related Documents
2 Configuration Fundamentals
Accessing the Command Line
CLI Modes
Navigating CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Example of the grep Keyword
Multiple Users in Configuration Mode
3 Getting Started
Console Access
Serial Console
Accessing the CLI Interface and Running Scripts Using SSH
Entering CLI commands Using an SSH Connection
Executing Local CLI Scripts Using an SSH Connection
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Accessing the System Remotely
Configure the Management Port IP Address
Configure a Management Route
Configuring a Username and Password
Configuring the Enable Password
Configuration File Management
Copy Files to and from the System
Mounting an NFS File System
Save the Running-Configuration
Configure the Overload Bit for a Startup Scenario
Viewing Files
Compressing Configuration Files
Managing the File System
Enabling Software Features on Devices Using a Command Option
View Command History
Upgrading Dell Networking OS
Verify Software Images Before Installation
Using HTTP for File Transfers
4 Management
Configuring Privilege Levels
Creating a Custom Privilege Level
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to Different Modes
Applying a Privilege Level to a Username
Applying a Privilege Level to a Terminal Line
Configuring Logging
Audit and Security Logs
Configuring Logging Format
Display the Logging Buffer and the Logging Configuration
Setting Up a Secure Connection to a Syslog Server
Sending System Messages to a Syslog Server
Track Login Activity
Restrictions for Tracking Login Activity
Configuring Login Activity Tracking
Display Login Statistics
Limit Concurrent Login Sessions
Restrictions for Limiting the Number of Concurrent Sessions
Configuring Concurrent Session Limit
Enabling the System to Clear Existing Sessions
Enabling Secured CLI Mode
Log Messages in the Internal Buffer
Configuration Task List for System Log Management
Disabling System Logging
Sending System Messages to a Syslog Server
Configuring a UNIX System as a Syslog Server
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Configuration Task List for File Transfer Services
Enabling the FTP Server
Configuring FTP Server Parameters
Configuring FTP Client Parameters
Terminal Lines
Denying and Permitting Access to a Terminal Line
Configuring Login Authentication for Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
Viewing the Configuration Lock Status
5 802.1X
Port-Authentication Process
EAP over RADIUS
Configuring 802.1X
Related Configuration Tasks
Important Points to Remember
Enabling 802.1X
Configuring dot1x Profile
Configuring MAC addresses for a dot1x Profile
Configuring the Static MAB and MAB Profile
Configuring Critical VLAN
Configuring Request Identity Re-Transmissions
Configuring a Quiet Period after a Failed Authentication
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
Guidelines for Configuring ACL VLAN Groups
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters
Configuring ACL VLAN Groups
Configuring FP Blocks for VLAN Parameters
Viewing CAM Usage
Allocating FP Blocks for VLAN Processes
7 Access Control Lists (ACLs)
IP Access Control Lists (ACLs)
CAM Usage
Implementing ACLs on Dell Networking OS
Important Points to Remember
Configuration Task List for Route Maps
Configuring Match Routes
Configuring Set Conditions
Configure a Route Map for Route Redistribution
Configure a Route Map for Route Tagging
Continue Clause
IP Fragment Handling
IP Fragments ACL Examples
Layer 4 ACL Rules Examples
Configure a Standard IP ACL
Configuring a Standard IP ACL Filter
Configure an Extended IP ACL
Configuring Filters with a Sequence Number
Configuring Filters Without a Sequence Number
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
Applying an IP ACL
Counting ACL Hits
Configure Ingress ACLs
Configure Egress ACLs
Applying Egress Layer 3 ACLs (Control-Plane)
IP Prefix Lists
Implementation Information
Configuration Task List for Prefix Lists
ACL Resequencing
Resequencing an ACL or Prefix List
Route Maps
Implementation Information
Logging of ACL Processes
Guidelines for Configuring ACL Logging
Configuring ACL Logging
Flow-Based Monitoring Support for ACLs
Behavior of Flow-Based Monitoring
Enabling Flow-Based Monitoring
8 Bidirectional Forwarding Detection (BFD)
How BFD Works
BFD Packet Format
BFD Sessions
BFD Three-Way Handshake
Session State Changes
Important Points to Remember
Configure BFD
Configure BFD for Physical Ports
Configure BFD for Static Routes
Configure BFD for OSPF
Configure BFD for OSPFv3
Configure BFD for IS-IS
Configure BFD for BGP
Configure BFD for VRRP
Configuring Protocol Liveness
Troubleshooting BFD
9 Border Gateway Protocol IPv4 (BGPv4).................................................................................................... 165
Autonomous Systems (AS)...........................................................................................................................................165
Sessions and Peers.........................................................................................................................................................167
Establish a Session................................................................................................................................................... 167
Route Reectors.............................................................................................................................................................168
BGP Attributes................................................................................................................................................................169
Best Path Selection Criteria....................................................................................................................................169
Weight.........................................................................................................................................................................171
Local Preference........................................................................................................................................................171
Multi-Exit Discriminators (MEDs)...........................................................................................................................172
Origin..........................................................................................................................................................................173
AS Path...................................................................................................................................................................... 174
Next Hop....................................................................................................................................................................174
Multiprotocol BGP.......................................................................................................................................................... 174
Implement BGP with Dell Networking OS...................................................................................................................175
Additional Path (Add-Path) Support......................................................................................................................175
Advertise IGP Cost as MED for Redistributed Routes........................................................................................ 175
Ignore Router-ID in Best-Path Calculation............................................................................................................ 176
Four-Byte AS Numbers............................................................................................................................................176
AS4 Number Representation.................................................................................................................................. 176
AS Number Migration...............................................................................................................................................178
BGP4 Management Information Base (MIB)........................................................................................................ 179
Important Points to Remember.............................................................................................................................. 179
Conguration Information..............................................................................................................................................180
BGP Conguration......................................................................................................................................................... 180
Enabling BGP.............................................................................................................................................................181
Conguring AS4 Number Representations........................................................................................................... 184
Conguring Peer Groups.........................................................................................................................................186
Conguring BGP Fast Fall-Over.............................................................................................................................188
Conguring Passive Peering...................................................................................................................................190
Maintaining Existing AS Numbers During an AS Migration.................................................................................190
Allowing an AS Number to Appear in its Own AS Path........................................................................................ 191
Enabling Graceful Restart........................................................................................................................................192
Enabling Neighbor Graceful Restart.......................................................................................................................193
Filtering on an AS-Path Attribute........................................................................................................................... 193
Regular Expressions as Filters.................................................................................................................................195
Redistributing Routes.............................................................................................................................................. 196
Enabling Additional Paths........................................................................................................................................ 197
Conguring IP Community Lists............................................................................................................................. 197
Conguring an IP Extended Community List........................................................................................................198
Filtering Routes with Community Lists..................................................................................................................199
Manipulating the COMMUNITY Attribute............................................................................................................200
Changing MED Attributes....................................................................................................................................... 201
Changing the LOCAL_PREFERENCE Attribute.................................................................................................. 201
Conguring the local System or a Dierent System to be the Next Hop for BGP-Learned Routes............ 202
Changing the WEIGHT Attribute...........................................................................................................................203
Enabling Multipath...................................................................................................................................................203
Filtering BGP Routes...............................................................................................................................................203
Filtering BGP Routes Using Route Maps..............................................................................................................205
Filtering BGP Routes Using AS-PATH Information............................................................................................. 205
Conguring BGP Route Reectors....................................................................................................................... 206
Aggregating Routes................................................................................................................................................. 207
Conguring BGP Confederations...........................................................................................................................207
Enabling Route Flap Dampening............................................................................................................................208
Changing BGP Timers............................................................................................................................................. 210
Enabling BGP Neighbor Soft-Reconfiguration..................................................................................................... 210
Enabling or disabling BGP neighbors...................................................................................................................... 211
Route Map Continue................................................................................................................................................213
Enabling MBGP Configurations.................................................................................................................................... 213
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor..........................................214
BGP Regular Expression Optimization.........................................................................................................................214
Debugging BGP.............................................................................................................................................................. 214
Storing Last and Bad PDUs.....................................................................................................................................215
Capturing PDUs........................................................................................................................................................216
PDU Counters...........................................................................................................................................................217
Sample Congurations...................................................................................................................................................217
10 Content Addressable Memory (CAM).......................................................................................................224
CAM Allocation...............................................................................................................................................................224
Test CAM Usage............................................................................................................................................................226
View CAM-ACL Settings.............................................................................................................................................. 226
View CAM Usage...........................................................................................................................................................228
CAM Optimization......................................................................................................................................................... 228
Troubleshoot CAM Proling..........................................................................................................................................228
CAM Prole Mismatches........................................................................................................................................ 228
QoS CAM Region Limitation...................................................................................................................................229
11 Control Plane Policing (CoPP).................................................................................................................. 230
Congure Control Plane Policing.................................................................................................................................. 231
Conguring CoPP for Protocols............................................................................................................................ 232
Conguring CoPP for CPU Queues...................................................................................................................... 234
CoPP for OSPFv3 Packets.....................................................................................................................................235
Conguring CoPP for OSPFv3.............................................................................................................................. 238
Displaying CoPP Conguration .............................................................................................................................238
12 Dynamic Host Conguration Protocol (DHCP)..........................................................................................241
DHCP Packet Format and Options.............................................................................................................................. 241
Assign an IP Address using DHCP...............................................................................................................................243
Implementation Information..........................................................................................................................................244
Congure the System to be a DHCP Server..............................................................................................................244
Conguring the Server for Automatic Address Allocation..................................................................................245
Specifying a Default Gateway................................................................................................................................ 246
Congure a Method of Hostname Resolution......................................................................................................246
Using DNS for Address Resolution........................................................................................................................246
Using NetBIOS WINS for Address Resolution......................................................................................................247
Creating Manual Binding Entries............................................................................................................................247
Debugging the DHCP Server................................................................................................................................. 247
Using DHCP Clear Commands...............................................................................................................................248
Congure the System to be a Relay Agent................................................................................................................ 248
Congure the System to be a DHCP Client...............................................................................................................250
Conguring the DHCP Client System...................................................................................................................250
DHCP Client on a Management Interface.............................................................................................................251
DHCP Client Operation with Other Features....................................................................................................... 252
Congure the System for User Port Stacking (Option 230)....................................................................................253
Congure Secure DHCP...............................................................................................................................................253
Option 82..................................................................................................................................................................253
DHCP Snooping.......................................................................................................................................................254
Drop DHCP Packets on Snooped VLANs Only....................................................................................................257
Dynamic ARP Inspection........................................................................................................................................ 258
Conguring Dynamic ARP Inspection................................................................................................................... 259
Source Address Validation............................................................................................................................................260
Enabling IP Source Address Validation..................................................................................................................260
DHCP MAC Source Address Validation.................................................................................................................261
Enabling IP+MAC Source Address Validation....................................................................................................... 261
Viewing the Number of SAV Dropped Packets....................................................................................................262
Clearing the Number of SAV Dropped Packets................................................................................................... 262
13 Equal Cost Multi-Path (ECMP)................................................................................................................263
ECMP for Flow-Based Anity..................................................................................................................................... 263
Conguring the Hash Algorithm............................................................................................................................ 263
Enabling Deterministic ECMP Next Hop.............................................................................................................. 263
Conguring the Hash Algorithm Seed.................................................................................................................. 264
Link Bundle Monitoring................................................................................................................................................. 264
Managing ECMP Group Paths...............................................................................................................................265
Creating an ECMP Group Bundle..........................................................................................................................265
Modifying the ECMP Group Threshold................................................................................................................ 265
14 FIPS Cryptography...................................................................................................................................267
Conguration Tasks....................................................................................................................................................... 267
Preparing the System....................................................................................................................................................267
Enabling FIPS Mode...................................................................................................................................................... 268
Generating Host-Keys................................................................................................................................................... 268
Monitoring FIPS Mode Status......................................................................................................................................268
Disabling FIPS Mode..................................................................................................................................................... 269
15 Force10 Resilient Ring Protocol (FRRP)................................................................................................... 270
Protocol Overview......................................................................................................................................................... 270
Ring Status................................................................................................................................................................271
Multiple FRRP Rings................................................................................................................................................ 271
Important FRRP Points........................................................................................................................................... 272
Important FRRP Concepts..................................................................................................................................... 273
Implementing FRRP....................................................................................................................................................... 274
FRRP Conguration.......................................................................................................................................................274
Creating the FRRP Group....................................................................................................................................... 274
Conguring the Control VLAN...............................................................................................................................275
Conguring and Adding the Member VLANs.......................................................................................................276
Setting the FRRP Timers........................................................................................................................................ 277
Clearing the FRRP Counters.................................................................................................................................. 277
Viewing the FRRP Conguration........................................................................................................................... 277
Viewing the FRRP Information...............................................................................................................................277
Troubleshooting FRRP...................................................................................................................................................278
Conguration Checks..............................................................................................................................................278
Sample Conguration and Topology............................................................................................................................ 278
16 GARP VLAN Registration Protocol (GVRP)..............................................................................................280
Important Points to Remember................................................................................................................................... 280
Congure GVRP............................................................................................................................................................. 281
Related Conguration Tasks....................................................................................................................................281
Enabling GVRP Globally................................................................................................................................................ 282
Enabling GVRP on a Layer 2 Interface........................................................................................................................282
Congure GVRP Registration.......................................................................................................................................282
Congure a GARP Timer.............................................................................................................................................. 283
RPM Redundancy..........................................................................................................................................................283
17 High Availability (HA)............................................................................................................................... 285
Component Redundancy..............................................................................................................................................285
Automatic and Manual Stack Unit Failover.......................................................................................................... 285
Synchronization between Management and Standby Units..............................................................................286
Forcing a Stack Unit Failover................................................................................................................................. 286
Disabling Auto-Reboot.............................................................................................................................................287
Manually Synchronizing Management and Standby Units..................................................................................287
Pre-Conguring a Stack Unit Slot................................................................................................................................287
Removing a Provisioned Logical Stack Unit............................................................................................................... 288
Hitless Behavior............................................................................................................................................................. 288
Graceful Restart.............................................................................................................................................................288
Software Resiliency....................................................................................................................................................... 289
Software Component Health Monitoring............................................................................................................. 289
System Health Monitoring......................................................................................................................................289
Failure and Event Logging.......................................................................................................................................289
Hot-Lock Behavior.........................................................................................................................................................290
18 Internet Group Management Protocol (IGMP)..........................................................................................291
IGMP Implementation Information............................................................................................................................... 291
IGMP Protocol Overview...............................................................................................................................................291
IGMP Version 2.........................................................................................................................................................291
IGMP Version 3........................................................................................................................................................293
Congure IGMP.............................................................................................................................................................296
Related Conguration Tasks...................................................................................................................................296
Viewing IGMP Enabled Interfaces............................................................................................................................... 297
Selecting an IGMP Version........................................................................................................................................... 297
Viewing IGMP Groups...................................................................................................................................................297
Adjusting Timers............................................................................................................................................................ 298
Adjusting Query and Response Timers.................................................................................................................298
Preventing a Host from Joining a Group.................................................................................................................... 299
Enabling IGMP Immediate-Leave.................................................................................................................................302
IGMP Snooping..............................................................................................................................................................302
IGMP Snooping Implementation Information....................................................................................................... 302
Conguring IGMP Snooping...................................................................................................................................302
Removing a Group-Port Association.....................................................................................................................303
Disabling Multicast Flooding...................................................................................................................................303
Specifying a Port as Connected to a Multicast Router...................................................................................... 304
Conguring the Switch as Querier........................................................................................................................304
Fast Convergence after MSTP Topology Changes...................................................................................................305
Egress Interface Selection (EIS) for HTTP and IGMP Applications........................................................................305
Protocol Separation.................................................................................................................................................305
Enabling and Disabling Management Egress Interface Selection......................................................................306
Handling of Management Route Configuration................................................................................................... 307
Handling of Switch-Initiated Traffic....................................................................................................................... 308
Handling of Switch-Destined Traffic......................................................................................................................308
Handling of Transit Traffic (Traffic Separation).................................................................................................... 309
Mapping of Management Applications and Traffic Type.....................................................................................309
Behavior of Various Applications for Switch-Initiated Traffic .............................................................................310
Behavior of Various Applications for Switch-Destined Traffic ............................................................................ 311
Interworking of EIS With Various Applications......................................................................................................312
Designating a Multicast Router Interface....................................................................................................................312
19 Interfaces..................................................................................................................................................314
Basic Interface Conguration........................................................................................................................................314
Advanced Interface Conguration................................................................................................................................314
Interface Types............................................................................................................................................................... 315
Optional Modules............................................................................................................................................................315
View Basic Interface Information..................................................................................................................................316
Resetting an Interface to its Factory Default State....................................................................................................317
Enabling Energy Ecient Ethernet.............................................................................................................................. 318
View EEE Information.................................................................................................................................................... 318
Clear EEE Counters.......................................................................................................................................................322
Enabling a Physical Interface........................................................................................................................................323
Physical Interfaces.........................................................................................................................................................323
Conguration Task List for Physical Interfaces.................................................................................................... 324
Overview of Layer Modes.......................................................................................................................................324
Conguring Layer 2 (Data Link) Mode..................................................................................................................324
Conguring Layer 2 (Interface) Mode.................................................................................................................. 325
Conguring Layer 3 (Network) Mode...................................................................................................................325
Conguring Layer 3 (Interface) Mode.................................................................................................................. 326
Egress Interface Selection (EIS).................................................................................................................................. 326
Important Points to Remember............................................................................................................................. 326
Conguring EIS.........................................................................................................................................................327
Management Interfaces................................................................................................................................................327
Conguring Management Interfaces.....................................................................................................................327
Conguring a Management Interface on an Ethernet Port................................................................................329
VLAN Interfaces............................................................................................................................................................ 329
Loopback Interfaces...................................................................................................................................................... 330
Null Interfaces................................................................................................................................................................330
Port Channel Interfaces................................................................................................................................................330
Port Channel Denition and Standards..................................................................................................................331
Port Channel Benets..............................................................................................................................................331
Port Channel Implementation................................................................................................................................. 331
Interfaces in Port Channels.................................................................................................................................... 332
Conguration Tasks for Port Channel Interfaces.................................................................................................332
Creating a Port Channel..........................................................................................................................................332
Adding a Physical Interface to a Port Channel.....................................................................................................333
Reassigning an Interface to a New Port Channel................................................................................................ 334
Conguring the Minimum Oper Up Links in a Port Channel.............................................................................. 335
Adding or Removing a Port Channel from a VLAN............................................................................................. 335
Assigning an IP Address to a Port Channel.......................................................................................................... 336
Deleting or Disabling a Port Channel..................................................................................................................... 337
Load Balancing Through Port Channels................................................................................................................ 337
Load-Balancing Method..........................................................................................................................................337
Changing the Hash Algorithm................................................................................................................................338
Bulk Conguration......................................................................................................................................................... 339
Interface Range........................................................................................................................................................339
Bulk Conguration Examples..................................................................................................................................339
Dening Interface Range Macros................................................................................................................................. 341
Dene the Interface Range.....................................................................................................................................341
Choosing an Interface-Range Macro..................................................................................................................... 341
Monitoring and Maintaining Interfaces........................................................................................................................342
Maintenance Using TDR.........................................................................................................................................343
Link Dampening..............................................................................................................................................................343
Important Points to Remember..............................................................................................................................343
Enabling Link Dampening........................................................................................................................................344
Link Bundle Monitoring................................................................................................................................................. 345
Using Ethernet Pause Frames for Flow Control........................................................................................................346
Enabling Pause Frames...........................................................................................................................................346
Congure the MTU Size on an Interface....................................................................................................................347
Port-Pipes.......................................................................................................................................................................348
Auto-Negotiation on Ethernet Interfaces...................................................................................................................348
Setting the Speed of Ethernet Interfaces............................................................................................................ 348
Set Auto-Negotiation Options............................................................................................................................... 350
Provisioning Combo Ports.............................................................................................................................................351
View Advanced Interface Information..........................................................................................................................351
Conguring the Interface Sampling Size.............................................................................................................. 352
Conguring the Trac Sampling Size Globally...........................................................................................................353
Dynamic Counters......................................................................................................................................................... 354
Clearing Interface Counters................................................................................................................................... 355
20 Internet Protocol Security (IPSec).......................................................................................................... 356
Conguring IPSec .........................................................................................................................................................356
21 IPv4 Routing............................................................................................................................................ 358
IP Addresses...................................................................................................................................................................359
Implementation Information....................................................................................................................................359
Conguration Tasks for IP Addresses......................................................................................................................... 359
Assigning IP Addresses to an Interface.......................................................................................................................359
Conguring Static Routes............................................................................................................................................ 360
Congure Static Routes for the Management Interface...........................................................................................361
IPv4 Path MTU Discovery Overview.......................................................................................................................... 362
Using the Congured Source IP Address in ICMP Messages..................................................................................362
Conguring the ICMP Source Interface............................................................................................................... 362
Conguring the Duration to Establish a TCP Connection........................................................................................ 363
Enabling Directed Broadcast........................................................................................................................................ 363
Resolution of Host Names............................................................................................................................................363
Enabling Dynamic Resolution of Host Names............................................................................................................364
Specifying the Local System Domain and a List of Domains................................................................................... 364
Conguring DNS with Traceroute............................................................................................................................... 365
ARP................................................................................................................................................................................. 365
Conguration Tasks for ARP........................................................................................................................................ 366
Conguring Static ARP Entries....................................................................................................................................366
Enabling Proxy ARP.......................................................................................................................................................366
Clearing ARP Cache...................................................................................................................................................... 367
ARP Learning via Gratuitous ARP................................................................................................................................367
Enabling ARP Learning via Gratuitous ARP................................................................................................................ 367
ARP Learning via ARP Request................................................................................................................................... 367
Conguring ARP Retries...............................................................................................................................................368
ICMP............................................................................................................................................................................... 369
Conguration Tasks for ICMP...................................................................................................................................... 369
Enabling ICMP Unreachable Messages......................................................................................................................369
UDP Helper.....................................................................................................................................................................369
Congure UDP Helper............................................................................................................................................ 369
Important Points to Remember..............................................................................................................................370
Enabling UDP Helper..................................................................................................................................................... 370
Conguring a Broadcast Address................................................................................................................................ 370
Congurations Using UDP Helper................................................................................................................................ 371
UDP Helper with Broadcast-All Addresses..................................................................................................................371
UDP Helper with Subnet Broadcast Addresses......................................................................................................... 372
UDP Helper with Congured Broadcast Addresses.................................................................................................. 372
UDP Helper with No Congured Broadcast Addresses............................................................................................373
Troubleshooting UDP Helper........................................................................................................................................ 373
22 IPv6 Routing............................................................................................................................................ 374
Protocol Overview......................................................................................................................................................... 374
Extended Address Space........................................................................................................................................375
Stateless Autoconfiguration....................................................................................................................................375
IPv6 Headers............................................................................................................................................................375
IPv6 Header Fields...................................................................................................................................................376
Extension Header Fields..........................................................................................................................................378
Addressing................................................................................................................................................................ 379
Implementing IPv6 with Dell Networking OS.............................................................................................................380
ICMPv6............................................................................................................................................................................381
Path MTU Discovery.....................................................................................................................................................382
IPv6 Neighbor Discovery.............................................................................................................................................. 382
IPv6 Neighbor Discovery of MTU Packets...........................................................................................................383
Conguration Task List for IPv6 RDNSS.................................................................................................................... 383
Conguring the IPv6 Recursive DNS Server....................................................................................................... 383
Debugging IPv6 RDNSS Information Sent to the Host ..................................................................................... 384
Displaying IPv6 RDNSS Information......................................................................................................................385
Secure Shell (SSH) Over an IPv6 Transport.............................................................................................................. 385
Conguration Tasks for IPv6........................................................................................................................................ 386
Adjusting Your CAM-Prole....................................................................................................................................386
Assigning an IPv6 Address to an Interface........................................................................................................... 387
Assigning a Static IPv6 Route................................................................................................................................ 387
Conguring Telnet with IPv6..................................................................................................................................388
SNMP over IPv6......................................................................................................................................................388
Displaying IPv6 Information....................................................................................................................................388
Displaying an IPv6 Interface Information.............................................................................................................. 389
Showing IPv6 Routes..............................................................................................................................................389
Showing the Running-Configuration for an Interface..........................................................................................391
Clearing IPv6 Routes................................................................................................................................................391
Disabling ND Entry Timeout....................................................................................................................................391
Conguring IPv6 RA Guard.......................................................................................................................................... 392
Conguring IPv6 RA Guard on an Interface.........................................................................................................393
Monitoring IPv6 RA Guard......................................................................................................................................394
23 iSCSI Optimization.................................................................................................................................. 395
iSCSI Optimization Overview.......................................................................................................................................395
Monitoring iSCSI Trac Flows............................................................................................................................... 397
Application of Quality of Service to iSCSI Trac Flows......................................................................................397
Information Monitored in iSCSI Traffic Flows....................................................................................................... 397
Detection and Auto-Configuration for Dell EqualLogic Arrays........................................................................... 398
Configuring Detection and Ports for Dell Compellent Arrays............................................................................. 398
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer.................................................................399
Enable and Disable iSCSI Optimization.................................................................................................................399
Default iSCSI Optimization Values...............................................................................................................................400
iSCSI Optimization Prerequisites................................................................................................................................. 400
Conguring iSCSI Optimization................................................................................................................................... 400
Displaying iSCSI Optimization Information..................................................................................................................402
24 Intermediate System to Intermediate System.......................................................................................... 404
IS-IS Protocol Overview............................................................................................................................................... 404
IS-IS Addressing.............................................................................................................................................................404
Multi-Topology IS-IS...................................................................................................................................................... 405
Transition Mode....................................................................................................................................................... 405
Interface Support.................................................................................................................................................... 406
Adjacencies...............................................................................................................................................................406
Graceful Restart............................................................................................................................................................ 406
Timers....................................................................................................................................................................... 406
Implementation Information......................................................................................................................................... 406
Conguration Information.............................................................................................................................................407
Conguration Tasks for IS-IS..................................................................................................................................408
Conguring the Distance of a Route......................................................................................................................415
Changing the IS-Type............................................................................................................................................... 416
Redistributing IPv4 Routes......................................................................................................................................418
Redistributing IPv6 Routes......................................................................................................................................419
Conguring Authentication Passwords.................................................................................................................420
Setting the Overload Bit.........................................................................................................................................420
Debugging IS-IS........................................................................................................................................................421
IS-IS Metric Styles.........................................................................................................................................................422
Congure Metric Values................................................................................................................................................422
Maximum Values in the Routing Table...................................................................................................................422
Change the IS-IS Metric Style in One Level Only................................................................................................422
Leaks from One Level to Another..........................................................................................................................424
Sample Congurations..................................................................................................................................................425
25 Link Aggregation Control Protocol (LACP)...............................................................................................427
Introduction to Dynamic LAGs and LACP...................................................................................................................427
Important Points to Remember..............................................................................................................................427
LACP Modes............................................................................................................................................................ 428
Conguring LACP Commands............................................................................................................................... 428
LACP Conguration Tasks............................................................................................................................................ 429
Creating a LAG.........................................................................................................................................................429
Conguring the LAG Interfaces as Dynamic........................................................................................................429
Setting the LACP Long Timeout............................................................................................................................430
Monitoring and Debugging LACP..........................................................................................................................430
Shared LAG State Tracking...........................................................................................................................................431
Conguring Shared LAG State Tracking................................................................................................................431
Important Points about Shared LAG State Tracking...........................................................................................433
LACP Basic Conguration Example.............................................................................................................................433
Congure a LAG on ALPHA................................................................................................................................... 433
26 Layer 2.....................................................................................................................................................442
Manage the MAC Address Table................................................................................................................................. 442
Clearing the MAC Address Table........................................................................................................................... 442
Setting the Aging Time for Dynamic Entries........................................................................................................442
Conguring a Static MAC Address........................................................................................................................443
Displaying the MAC Address Table........................................................................................................................443
MAC Learning Limit.......................................................................................................................................................443
Setting the MAC Learning Limit.............................................................................................................................444
mac learning-limit Dynamic.....................................................................................................................................444
mac learning-limit mac-address-sticky................................................................................................................. 444
mac learning-limit station-move............................................................................................................................ 445
mac learning-limit no-station-move...................................................................................................................... 445
Learning Limit Violation Actions.............................................................................................................................445
Setting Station Move Violation Actions................................................................................................................ 446
Recovering from Learning Limit and Station Move Violations........................................................................... 446
Disabling MAC Address Learning on the System.................................................................................................447
NIC Teaming................................................................................................................................................................... 447
Congure Redundant Pairs...........................................................................................................................................448
Important Points about Conguring Redundant Pairs........................................................................................450
Far-End Failure Detection..............................................................................................................................................451
FEFD State Changes...............................................................................................................................................452
Conguring FEFD.................................................................................................................................................... 453
Enabling FEFD on an Interface...............................................................................................................................453
Debugging FEFD......................................................................................................................................................454
27 Link Layer Discovery Protocol (LLDP)..................................................................................................... 456
802.1AB (LLDP) Overview............................................................................................................................................456
Protocol Data Units................................................................................................................................................. 456
Optional TLVs................................................................................................................................................................. 457
Management TLVs...................................................................................................................................................457
TIA-1057 (LLDP-MED) Overview................................................................................................................................ 459
TIA Organizationally Specific TLVs........................................................................................................................ 459
Configure LLDP..............................................................................................................................................................463
Related Configuration Tasks...................................................................................................................................463
Important Points to Remember............................................................................................................................. 463
LLDP Compatibility..................................................................................................................................................464
CONFIGURATION versus INTERFACE Configurations............................................................................................ 464
Enabling LLDP................................................................................................................................................................464
Disabling and Undoing LLDP..................................................................................................................................465
Enabling LLDP on Management Ports........................................................................................................................465
Disabling and Undoing LLDP on Management Ports..........................................................................................465
Advertising TLVs............................................................................................................................................................465
Viewing the LLDP Configuration................................................................................................................................. 466
Viewing Information Advertised by Adjacent LLDP Agents......................................................................................467
Conguring LLDPDU Intervals.....................................................................................................................................468
Conguring Transmit and Receive Mode....................................................................................................................469
Conguring the Time to Live Value............................................................................................................................. 469
Debugging LLDP............................................................................................................................................................ 470
Relevant Management Objects.................................................................................................................................... 471
28 Microsoft Network Load Balancing.......................................................................................................... 476
NLB Unicast Mode Scenario........................................................................................................................................ 476
NLB Multicast Mode Scenario..................................................................................................................................... 476
Limitations of the NLB Feature.................................................................................................................................... 477
Microsoft Clustering......................................................................................................................................................477
Enable and Disable VLAN Flooding .............................................................................................................................477
Conguring a Switch for NLB ..................................................................................................................................... 477
Enabling a Switch for Multicast NLB.....................................................................................................................478
29 Multicast Source Discovery Protocol (MSDP)......................................................................................... 479
Protocol Overview......................................................................................................................................................... 479
Anycast RP.....................................................................................................................................................................480
Implementation Information.......................................................................................................................................... 481
Congure Multicast Source Discovery Protocol.........................................................................................................481
Related Conguration Tasks....................................................................................................................................481
Enable MSDP................................................................................................................................................................. 485
Manage the Source-Active Cache.............................................................................................................................. 486
Viewing the Source-Active Cache.........................................................................................................................486
Limiting the Source-Active Cache.........................................................................................................................486
Clearing the Source-Active Cache........................................................................................................................ 487
Enabling the Rejected Source-Active Cache........................................................................................................487
Accept Source-Active Messages that Fail the RPF Check......................................................................................487
Specifying Source-Active Messages...........................................................................................................................490
Limiting the Source-Active Messages from a Peer....................................................................................................491
Preventing MSDP from Caching a Local Source........................................................................................................491
Preventing MSDP from Caching a Remote Source.................................................................................................. 492
Preventing MSDP from Advertising a Local Source..................................................................................................492
Logging Changes in Peership States...........................................................................................................................493
Terminating a Peership..................................................................................................................................................493
Clearing Peer Statistics.................................................................................................................................................494
Debugging MSDP.......................................................................................................................................................... 494
MSDP with Anycast RP................................................................................................................................................495
Conguring Anycast RP................................................................................................................................................496
Reducing Source-Active Message Flooding.........................................................................................................497
Specifying the RP Address Used in SA Messages...............................................................................................497
MSDP Sample Configurations......................................................................................................................................499
30 Multiple Spanning Tree Protocol (MSTP)................................................................................................ 502
Protocol Overview.........................................................................................................................................................502
Spanning Tree Variations.............................................................................................................................................. 503
Implementation Information................................................................................................................................... 503
Congure Multiple Spanning Tree Protocol................................................................................................................503
Related Conguration Tasks...................................................................................................................................504
Enable Multiple Spanning Tree Globally...................................................................................................................... 504
Adding and Removing Interfaces.................................................................................................................................504
Creating Multiple Spanning Tree Instances................................................................................................................505
Inuencing MSTP Root Selection............................................................................................................................... 506
Interoperate with Non-Dell Bridges.............................................................................................................................506
Changing the Region Name or Revision..................................................................................................................... 507
Modifying Global Parameters....................................................................................................................................... 507
Modifying the Interface Parameters........................................................................................................................... 508
Conguring an EdgePort..............................................................................................................................................509
Flush MAC Addresses after a Topology Change........................................................................................................ 510
MSTP Sample Configurations.......................................................................................................................................510
Router 1 Running-Configuration, Router 2 Running-Configuration, Router 3 Running-Configuration, SFTOS Example Running-Configuration.........................................................................................511
Debugging and Verifying MSTP Configurations.........................................................................................................514
31 Multicast Features.................................................................................................................................... 516
Enabling IP Multicast......................................................................................................................................................516
Implementation Information.......................................................................................................................................... 516
Multicast Policies............................................................................................................................................................517
IPv4 Multicast Policies............................................................................................................................................. 517
Understanding Multicast Traceroute (mtrace).....................................................................................................524
Printing Multicast Traceroute (mtrace) Paths..................................................................................................... 525
Supported Error Codes...........................................................................................................................................526
mtrace Scenarios..................................................................................................................................................... 527
32 Object Tracking........................................................................................................................................533
Object Tracking Overview............................................................................................................................................ 533
Track Layer 2 Interfaces..........................................................................................................................................534
Track Layer 3 Interfaces..........................................................................................................................................534
Track IPv4 and IPv6 Routes...................................................................................................................................535
Set Tracking Delays................................................................................................................................................. 536
VRRP Object Tracking............................................................................................................................................ 536
Object Tracking Conguration..................................................................................................................................... 536
Tracking a Layer 2 Interface................................................................................................................................... 536
Tracking a Layer 3 Interface................................................................................................................................... 537
Track an IPv4/IPv6 Route......................................................................................................................................539
Displaying Tracked Objects...........................................................................................................................................542
33 Open Shortest Path First (OSPFv2 and OSPFv3)....................................................................................544
Protocol Overview.........................................................................................................................................................544
Autonomous System (AS) Areas........................................................................................................................... 544
Area Types................................................................................................................................................................ 545
Networks and Neighbors........................................................................................................................................546
Router Types............................................................................................................................................................ 546
Designated and Backup Designated Routers.......................................................................................................548
Link-State Advertisements (LSAs)........................................................................................................................548
Router Priority and Cost.........................................................................................................................................549
OSPF with Dell Networking OS...................................................................................................................................550
Graceful Restart....................................................................................................................................................... 551
Fast Convergence (OSPFv2, IPv4 Only)..............................................................................................................552
Multi-Process OSPFv2 with VRF..........................................................................................................................552
OSPF ACK Packing.................................................................................................................................................552
Setting OSPF Adjacency with Cisco Routers...................................................................................................... 552
Conguration Information.............................................................................................................................................553
Conguration Task List for OSPFv2 (OSPF for IPv4)........................................................................................ 553
Conguration Task List for OSPFv3 (OSPF for IPv6)...............................................................................................567
Enabling IPv6 Unicast Routing...............................................................................................................................568
Applying cost for OSPFv3......................................................................................................................................568
Assigning IPv6 Addresses on an Interface........................................................................................................... 569
Assigning Area ID on an Interface..........................................................................................................................569
Assigning OSPFv3 Process ID and Router ID Globally........................................................................................569
Assigning OSPFv3 Process ID and Router ID to a VRF......................................................................................570
Conguring Stub Areas...........................................................................................................................................570
Conguring Passive-Interface.................................................................................................................................571
Redistributing Routes...............................................................................................................................................571
Conguring a Default Route....................................................................................................................................571
Enabling OSPFv3 Graceful Restart....................................................................................................................... 572
OSPFv3 Authentication Using IPsec..................................................................................................................... 574
Troubleshooting OSPFv3........................................................................................................................................580
34 Policy-based Routing (PBR).................................................................................................................... 582
Overview.........................................................................................................................................................................582
Implementing PBR.........................................................................................................................................................583
Conguration Task List for Policy-based Routing......................................................................................................583
PBR Exceptions (Permit)....................................................................................................................................... 583
Create a Redirect List..............................................................................................................................................584
Create a Rule for a Redirect-list.............................................................................................................................584
Apply a Redirect-list to an Interface using a Redirect-group............................................................................. 586
Sample Conguration....................................................................................................................................................588
Create the Redirect-List GOLDAssign Redirect-List GOLD to Interface 2/11View Redirect-List GOLD..... 589
35 PIM Sparse-Mode (PIM-SM).................................................................................................................. 592
Implementation Information..........................................................................................................................................592
Protocol Overview.........................................................................................................................................................592
Requesting Multicast Traffic...................................................................................................................................592
Refuse Multicast Traffic..........................................................................................................................................593
Send Multicast Traffic............................................................................................................................................. 593
Configuring PIM-SM..................................................................................................................................................... 593
Related Configuration Tasks...................................................................................................................................594
Enable PIM-SM..............................................................................................................................................................594
Conguring S,G Expiry Timers..................................................................................................................................... 594
Conguring a Static Rendezvous Point......................................................................................................................595
Overriding Bootstrap Router Updates.................................................................................................................. 595
Conguring a Designated Router................................................................................................................................ 596
Creating Multicast Boundaries and Domains............................................................................................................. 596
36 PIM Source-Specic Mode (PIM-SSM).................................................................................................. 597
Implementation Information..........................................................................................................................................597
Important Points to Remember..............................................................................................................................597
Congure PIM-SSM......................................................................................................................................................598
Related Conguration Tasks...................................................................................................................................598
Enabling PIM-SSM........................................................................................................................................................ 598
Use PIM-SSM with IGMP Version 2 Hosts................................................................................................................598
Conguring PIM-SSM with IGMPv2.................................................................................................................... 599
Electing an RP using the BSR Mechanism.................................................................................................................600
Enabling RP to Server Specific Multicast Groups...............................................................................................600
37 Power over Ethernet (PoE)..................................................................................................................... 602
Conguring PoE or PoE+..............................................................................................................................................602
Enable PoE/PoE+....................................................................................................................................................603
Upgrading the PoE Controller................................................................................................................................ 603
Manage Ports using Power Priority and Power Budget...........................................................................................604
Determine the Power Priority................................................................................................................................ 604
Manage Inline Power...............................................................................................................................................605
Set the Threshold Limit for the PoE Power Budget........................................................................................... 605
Manage Power Priorities........................................................................................................................................ 606
Power Allocation to Ports.......................................................................................................................................606
Power Allocation to Additional Ports.....................................................................................................................607
Manage Legacy Devices...............................................................................................................................................607
Suspend Power Delivery on a Port..............................................................................................................................607
Restore Power Delivery on a Port............................................................................................................................... 608
Display the Power Details............................................................................................................................................. 608
38 Port Monitoring.......................................................................................................................................609
Important Points to Remember................................................................................................................................... 609
Port Monitoring.............................................................................................................................................................. 610
Conguring Port Monitoring......................................................................................................................................... 612
Conguring Monitor Multicast Queue......................................................................................................................... 613
Enabling Flow-Based Monitoring..................................................................................................................................614
Remote Port Mirroring...................................................................................................................................................615
Remote Port Mirroring Example............................................................................................................................. 615
Conguring Remote Port Mirroring........................................................................................................................616
Displaying Remote-Port Mirroring Congurations................................................................................................618
Conguring the Sample Remote Port Mirroring...................................................................................................618
Encapsulated Remote Port Monitoring....................................................................................................................... 621
ERPM Behavior on a typical Dell Networking OS .....................................................................................................623
Decapsulation of ERPM packets at the Destination IP/ Analyzer..................................................................... 623
Port Monitoring on VLT.................................................................................................................................................624
VLT Non-fail over Scenario.....................................................................................................................................624
VLT Fail-over Scenario............................................................................................................................................ 625
RPM over VLT Scenarios........................................................................................................................................625
39 Private VLANs (PVLAN).......................................................................................................................... 627
Private VLAN Concepts................................................................................................................................................627
Using the Private VLAN Commands...........................................................................................................................628
Conguration Task List..................................................................................................................................................629
Creating PVLAN ports............................................................................................................................................ 629
Creating a Primary VLAN....................................................................................................................................... 630
Creating a Community VLAN..................................................................................................................................631
Creating an Isolated VLAN...................................................................................................................................... 631
Private VLAN Conguration Example.........................................................................................................................633
Inspecting the Private VLAN Conguration............................................................................................................... 634
40 Per-VLAN Spanning Tree Plus (PVST+)................................................................................................... 636
Protocol Overview.........................................................................................................................................................636
Implementation Information..........................................................................................................................................637
Congure Per-VLAN Spanning Tree Plus....................................................................................................................637
Related Conguration Tasks................................................................................................................................... 637
Enabling PVST+..............................................................................................................................................................637
Disabling PVST+.............................................................................................................................................................638
Inuencing PVST+ Root Selection...............................................................................................................................638
Modifying Global PVST+ Parameters..........................................................................................................................640
Modifying Interface PVST+ Parameters......................................................................................................................641
Conguring an EdgePort.............................................................................................................................................. 642
PVST+ in Multi-Vendor Networks............................................................................................................................... 642
Enabling PVST+ Extend System ID............................................................................................................................. 642
PVST+ Sample Configurations.....................................................................................................................................643
41 Quality of Service (QoS).......................................................................................................................... 646
Implementation Information..........................................................................................................................................648
Port-Based QoS Configurations.................................................................................................................................. 648
Setting dot1p Priorities for Incoming Traffic......................................................................................................... 648
Honoring dot1p Priorities on Ingress Traffic..........................................................................................................649
Configuring Port-Based Rate Policing.................................................................................................................. 650
Configuring Port-Based Rate Shaping..................................................................................................................650
Policy-Based QoS Configurations................................................................................................................................ 651
Classify Traffic...........................................................................................................................................................651
Create a QoS Policy................................................................................................................................................ 654
Create Policy Maps..................................................................................................................................................657
DSCP Color Maps......................................................................................................................................................... 660
Creating a DSCP Color Map...................................................................................................................................661
Displaying DSCP Color Maps................................................................................................................................. 662
Displaying a DSCP Color Policy Configuration .................................................................................................... 662
Enabling QoS Rate Adjustment....................................................................................................................................663
Enabling Strict-Priority Queueing................................................................................................................................663
Weighted Random Early Detection..............................................................................................................................663
Creating WRED Profiles..........................................................................................................................................664
Applying a WRED Profile to Traffic........................................................................................................................665
Displaying Default and Configured WRED Profiles..............................................................................................665
Displaying WRED Drop Statistics...........................................................................................................................665
Displaying egress–queue Statistics.......................................................................................................................666
Pre-Calculating Available QoS CAM Space................................................................................................................666
Conguring Weights and ECN for WRED ..................................................................................................................667
Global Service Pools With WRED and ECN Settings..........................................................................................668
Conguring WRED and ECN Attributes..................................................................................................................... 669
Guidelines for Conguring ECN for Classifying and Color-Marking Packets.........................................................669
Sample conguration to mark non-ecn packets as “yellow” with Multiple trac class..................................670
Classifying Incoming Packets Using ECN and Color-Marking............................................................................670
Sample conguration to mark non-ecn packets as “yellow” with single trac class......................................672
Applying Layer 2 Match Criteria on a Layer 3 Interface............................................................................................673
Applying DSCP and VLAN Match Criteria on a Service Queue............................................................................... 674
Classifying Incoming Packets Using ECN and Color-Marking..................................................................................675
Guidelines for Conguring ECN for Classifying and Color-Marking Packets......................................................... 676
Sample conguration to mark non-ecn packets as “yellow” with Multiple trac class........................................ 677
Sample conguration to mark non-ecn packets as “yellow” with single trac class............................................ 677
42 Routing Information Protocol (RIP)......................................................................................................... 679
Protocol Overview......................................................................................................................................................... 679
RIPv1..........................................................................................................................................................................679
RIPv2.........................................................................................................................................................................679
Implementation Information......................................................................................................................................... 680
Conguration Information.............................................................................................................................................680
Conguration Task List............................................................................................................................................680
RIP Conguration Example.....................................................................................................................................686
43 Remote Monitoring (RMON)................................................................................................................... 692
Implementation Information..........................................................................................................................................692
Fault Recovery...............................................................................................................................................................692
Setting the RMON Alarm....................................................................................................................................... 693
Conguring an RMON Event................................................................................................................................. 693
Conguring RMON Collection Statistics.............................................................................................................. 694
Conguring the RMON Collection History...........................................................................................................694
44 Rapid Spanning Tree Protocol (RSTP)..................................................................................................... 696
Protocol Overview.........................................................................................................................................................696
Conguring Rapid Spanning Tree................................................................................................................................ 696
Related Conguration Tasks...................................................................................................................................696
Important Points to Remember................................................................................................................................... 696
RSTP and VLT.......................................................................................................................................................... 697
Conguring Interfaces for Layer 2 Mode....................................................................................................................697
Enabling Rapid Spanning Tree Protocol Globally........................................................................................................698
Adding and Removing Interfaces................................................................................................................................. 700
Modifying Global Parameters....................................................................................................................................... 700
Enabling SNMP Traps for Root Elections and Topology Changes..................................................................... 702
Modifying Interface Parameters...................................................................................................................................702
Enabling SNMP Traps for Root Elections and Topology Changes........................................................................... 702
Inuencing RSTP Root Selection.................................................................................................................................702
Conguring an EdgePort.............................................................................................................................................. 703
Conguring Fast Hellos for Link State Detection.......................................................................................................704
45 Software-Dened Networking (SDN)......................................................................................................705
46 Security................................................................................................................................................... 706
AAA Accounting.............................................................................................................................................................706
Conguration Task List for AAA Accounting........................................................................................................ 706
AAA Authentication....................................................................................................................................................... 708
Conguration Task List for AAA Authentication.................................................................................................. 709
Obscuring Passwords and Keys....................................................................................................................................712
AAA Authorization.......................................................................................................................................................... 712
Privilege Levels Overview........................................................................................................................................712
Conguration Task List for Privilege Levels...........................................................................................................713
RADIUS............................................................................................................................................................................ 717
RADIUS Authentication............................................................................................................................................717
Conguration Task List for RADIUS....................................................................................................................... 718
TACACS+........................................................................................................................................................................ 722
Conguration Task List for TACACS+................................................................................................................... 722
TACACS+ Remote Authentication.........................................................................................................................723
Command Authorization......................................................................................................................................... 725
Protection from TCP Tiny and Overlapping Fragment Attacks............................................................................... 725
Enabling SCP and SSH..................................................................................................................................................725
Using SCP with SSH to Copy a Software Image.................................................................................................726
Removing the RSA Host Keys and Zeroizing Storage ........................................................................................727
Conguring When to Re-generate an SSH Key ..................................................................................................727
Conguring the SSH Server Key Exchange Algorithm....................................................................................... 728
Conguring the HMAC Algorithm for the SSH Server....................................................................................... 728
Conguring the SSH Server Cipher List...............................................................................................................729
Secure Shell Authentication................................................................................................................................... 729
Troubleshooting SSH............................................................................................................................................... 732
Telnet............................................................................................................................................................................... 732
VTY Line and Access-Class Configuration................................................................................................................. 732
VTY Line Local Authentication and Authorization............................................................................................... 733
VTY Line Remote Authentication and Authorization...........................................................................................733
VTY MAC-SA Filter Support...................................................................................................................................734
Role-Based Access Control..........................................................................................................................................734
Overview of RBAC...................................................................................................................................................735
User Roles.................................................................................................................................................................737
AAA Authentication and Authorization for Roles.................................................................................................740
Role Accounting....................................................................................................................................................... 743
Display Information About User Roles................................................................................................................... 743
Two Factor Authentication (2FA).................................................................................................................................745
Handling Access-Challenge Message....................................................................................................................745
Conguring Challenge Response Authentication for SSHv2............................................................................. 745
SMS-OTP Mechanism............................................................................................................................................ 746
Conguring the System to Drop Certain ICMP Reply Messages............................................................................ 746
47 Service Provider Bridging.........................................................................................................................748
VLAN Stacking............................................................................................................................................................... 748
Important Points to Remember..............................................................................................................................749
Congure VLAN Stacking.......................................................................................................................................749
Creating Access and Trunk Ports.......................................................................................................................... 750
Enable VLAN-Stacking for a VLAN........................................................................................................................751
Conguring the Protocol Type Value for the Outer VLAN Tag........................................................................... 751
Conguring Dell Networking OS Options for Trunk Ports................................................................................... 751
Debugging VLAN Stacking..................................................................................................................................... 752
VLAN Stacking in Multi-Vendor Networks........................................................................................................... 753
VLAN Stacking Packet Drop Precedence...................................................................................................................757
Enabling Drop Eligibility............................................................................................................................................757
Honoring the Incoming DEI Value..........................................................................................................................758
Marking Egress Packets with a DEI Value............................................................................................................758
Dynamic Mode CoS for VLAN Stacking.....................................................................................................................759
Mapping C-Tag to S-Tag dot1p Values...................................................................................................................760
Layer 2 Protocol Tunneling............................................................................................................................................ 761
Implementation Information....................................................................................................................................762
Enabling Layer 2 Protocol Tunneling......................................................................................................................763
Specifying a Destination MAC Address for BPDUs.............................................................................................763
Setting Rate-Limit BPDUs......................................................................................................................................763
Debugging Layer 2 Protocol Tunneling..................................................................................................................764
Provider Backbone Bridging.........................................................................................................................................764
48 sFlow....................................................................................................................................................... 765
Overview.........................................................................................................................................................................765
Implementation Information..........................................................................................................................................765
Important Points to Remember..............................................................................................................................766
Enabling and Disabling sFlow on an Interface............................................................................................................ 766
Enabling sFlow Max-Header Size Extended...............................................................................................................766
sFlow Show Commands................................................................................................................................................767
Displaying Show sFlow Global................................................................................................................................768
Displaying Show sFlow on an Interface.................................................................................................................768
Displaying Show sFlow on a Stack-unit................................................................................................................ 769
Conguring Specify Collectors.....................................................................................................................................769
Changing the Polling Intervals......................................................................................................................................769
Back-O Mechanism.....................................................................................................................................................770
sFlow on LAG ports....................................................................................................................................................... 770
Enabling Extended sFlow..............................................................................................................................................770
Important Points to Remember...............................................................................................................................771
49 Simple Network Management Protocol (SNMP)......................................................................................772
Protocol Overview......................................................................................................................................................... 773
Implementation Information..........................................................................................................................................773
SNMPv3 Compliance With FIPS..................................................................................................................................773
Conguration Task List for SNMP................................................................................................................................774
Related Conguration Tasks....................................................................................................................................774
Important Points to Remember....................................................................................................................................775
Set up SNMP................................................................................................................................................................. 775
Creating a Community.............................................................................................................................................775
Setting Up User-Based Security (SNMPv3)........................................................................................................775
Reading Managed Object Values................................................................................................................................. 777
Writing Managed Object Values................................................................................................................................... 777
Conguring Contact and Location Information using SNMP...................................................................................778
Subscribing to Managed Object Value Updates using SNMP..................................................................................778
Enabling a Subset of SNMP Traps...............................................................................................................................779
Enabling an SNMP Agent to Notify Syslog Server Failure........................................................................................ 781
Copy Conguration Files Using SNMP........................................................................................................................782
Copying a Conguration File...................................................................................................................................783
Copying Conguration Files via SNMP................................................................................................................. 784
Copying the Startup-Cong Files to the Running-Cong.................................................................................. 785
Copying the Startup-Cong Files to the Server via FTP....................................................................................785
Copying the Startup-Cong Files to the Server via TFTP................................................................................. 785
Copy a Binary File to the Startup-Conguration................................................................................................. 786
Additional MIB Objects to View Copy Statistics..................................................................................................786
Obtaining a Value for MIB Objects.........................................................................................................................787
MIB Support for Power Monitoring............................................................................................................................. 787
MIB Support to Display the Available Memory Size on Flash...................................................................................788
Viewing the Available Flash Memory Size.............................................................................................................788
MIB Support to Display the Software Core Files Generated by the System..........................................................789
Viewing the Software Core Files Generated by the System..............................................................................789
SNMP Support for WRED Green/Yellow/Red Drop Counters................................................................................790
MIB Support to Display the Available Partitions on Flash..........................................................................................791
Viewing the Available Partitions on Flash.............................................................................................................. 791
MIB Support to Display Egress Queue Statistics.......................................................................................................792
MIB Support to Display Egress Queue Statistics.......................................................................................................792
Viewing the ECMP Group Count Information...................................................................................................... 792
MIB Support for entAliasMappingTable ..................................................................................................................... 795
Viewing the entAliasMappingTable MIB................................................................................................................795
MIB Support for LAG.................................................................................................................................................... 796
Viewing the LAG MIB.............................................................................................................................................. 797
Manage VLANs using SNMP....................................................................................................................................... 797
Creating a VLAN...................................................................................................................................................... 797
Assigning a VLAN Alias............................................................................................................................................797
Displaying the Ports in a VLAN.............................................................................................................................. 798
Add Tagged and Untagged Ports to a VLAN....................................................................................................... 799
Managing Overload on Startup....................................................................................................................................800
Enabling and Disabling a Port using SNMP................................................................................................................800
Fetch Dynamic MAC Entries using SNMP..................................................................................................................801
Deriving Interface Indices............................................................................................................................................. 802
Monitor Port-Channels................................................................................................................................................. 803
Enabling an SNMP Agent to Notify Syslog Server Failure.......................................................................................804
Troubleshooting SNMP Operation...............................................................................................................................805
Transceiver Monitoring................................................................................................................................................. 805
50 Stacking.................................................................................................................................................. 807
Stacking Overview.........................................................................................................................................................807
Cross Platform Stacking......................................................................................................................................... 807
Stack Management Roles.......................................................................................................................................808
Stack Master Election.............................................................................................................................................808
Virtual IP.................................................................................................................................................................... 812
Failover Roles............................................................................................................................................................812
MAC Addressing on Stacks.....................................................................................................................................812
Stacking LAG............................................................................................................................................................ 815
Supported Stacking Topologies.............................................................................................................................. 815
High Availability on Stacks.......................................................................................................................................816
Management Access on Stacks............................................................................................................................. 817
Important Points to Remember.................................................................................................................................... 818
Stacking Installation Tasks............................................................................................................................................. 818
Create a Stack.......................................................................................................................................................... 818
Add Units to an Existing Stack............................................................................................................................... 821
Split a Stack..............................................................................................................................................................823
Stacking Conguration Tasks....................................................................................................................................... 824
Assigning Unit Numbers to Units in an Stack.......................................................................................................824
Creating a Virtual Stack Unit on a Stack...............................................................................................................824
Displaying Information about a Stack....................................................................................................................825
Inuencing Management Unit Selection on a Stack........................................................................................... 828
Managing Redundancy on a Stack........................................................................................................................829
Resetting a Unit on a Stack....................................................................................................................................829
Verify a Stack Conguration........................................................................................................................................ 830
Displaying the Status of Stacking Ports............................................................................................................... 830
Removing a Unit from a Stack......................................................................................................................................831
Troubleshoot a Stack.....................................................................................................................................................833
Recover from Stack Link Flaps.............................................................................................................................. 833
Recover from a Card Problem State on a Stack..................................................................................................833
51 Storm Control.......................................................................................................................................... 835
Congure Storm Control...............................................................................................................................................835
Conguring Storm Control from INTERFACE Mode...........................................................................................835
Conguring Storm Control from CONFIGURATION Mode................................................................................836
52 Spanning Tree Protocol (STP)................................................................................................................. 837
Protocol Overview......................................................................................................................................................... 837
Congure Spanning Tree...............................................................................................................................................838
Related Conguration Tasks...................................................................................................................................838
Important Points to Remember................................................................................................................................... 838
Conguring Interfaces for Layer 2 Mode....................................................................................................................839
Enabling Spanning Tree Protocol Globally...................................................................................................................840
Adding an Interface to the Spanning Tree Group...................................................................................................... 842
Modifying Global Parameters....................................................................................................................................... 842
Modifying Interface STP Parameters..........................................................................................................................843
Enabling PortFast.......................................................................................................................................................... 843
Prevent Network Disruptions with BPDU Guard.................................................................................................844
Selecting STP Root.......................................................................................................................................................845
STP Root Guard.............................................................................................................................................................846
Root Guard Scenario...............................................................................................................................................846
Conguring Root Guard..........................................................................................................................................847
Enabling SNMP Traps for Root Elections and Topology Changes...........................................................................848
Conguring Spanning Trees as Hitless........................................................................................................................848
STP Loop Guard.............................................................................................................................................................848
Conguring Loop Guard..........................................................................................................................................849
Displaying STP Guard Conguration...........................................................................................................................850
53 SupportAssist...........................................................................................................................................851
Conguring SupportAssist Using a Conguration Wizard........................................................................................ 852
Conguring SupportAssist Manually........................................................................................................................... 852
Conguring SupportAssist Activity............................................................................................................................. 854
Conguring SupportAssist Company..........................................................................................................................855
Conguring SupportAssist Person.............................................................................................................................. 856
Conguring SupportAssist Server...............................................................................................................................856
Viewing SupportAssist Conguration..........................................................................................................................857
54 System Time and Date.............................................................................................................................859
Network Time Protocol.................................................................................................................................................859
Protocol Overview...................................................................................................................................................860
Congure the Network Time Protocol..................................................................................................................860
Enabling NTP............................................................................................................................................................ 861
Conguring NTP Broadcasts..................................................................................................................................861
Disabling NTP on an Interface................................................................................................................................862
Conguring a Source IP Address for NTP Packets.............................................................................................862
Conguring NTP Authentication............................................................................................................................862
Dell Networking OS Time and Date.............................................................................................................................865
Conguration Task List .......................................................................................................................................... 865
Setting the Time and Date for the Switch Software Clock............................................................................... 865
Setting the Timezone..............................................................................................................................................865
Set Daylight Saving Time........................................................................................................................................866
Setting Daylight Saving Time Once.......................................................................................................................866
Setting Recurring Daylight Saving Time................................................................................................................867
Conguring a Custom-dened Period for NTP time Synchronization..............................................................868
55 Tunneling................................................................................................................................................. 869
Conguring a Tunnel......................................................................................................................................................869
Conguring Tunnel Keepalive Settings........................................................................................................................870
Conguring a Tunnel Interface..................................................................................................................................... 870
Conguring Tunnel Allow-Remote Decapsulation.......................................................................................................871
Conguring the Tunnel Source Anylocal...................................................................................................................... 871
56 Uplink Failure Detection (UFD)................................................................................................................ 873
Feature Description........................................................................................................................................................873
How Uplink Failure Detection Works............................................................................................................................874
UFD and NIC Teaming...................................................................................................................................................875
Important Points to Remember....................................................................................................................................875
Conguring Uplink Failure Detection........................................................................................................................... 876
Clearing a UFD-Disabled Interface...............................................................................................................................877
Displaying Uplink Failure Detection.............................................................................................................................. 878
Sample Conguration: Uplink Failure Detection.........................................................................................................880
57 Upgrade Procedures................................................................................................................................ 882
Get Help with Upgrades............................................................................................................................................... 882
58 Virtual LANs (VLANs)..............................................................................................................................883
Default VLAN................................................................................................................................................................. 884
Port-Based VLANs........................................................................................................................................................ 884
VLANs and Port Tagging.............................................................................................................................................. 885
Conguration Task List..................................................................................................................................................885
Creating a Port-Based VLAN.................................................................................................................................885
Assigning Interfaces to a VLAN............................................................................................................................. 886
Moving Untagged Interfaces.................................................................................................................................. 887
Assigning an IP Address to a VLAN.......................................................................................................................888
Conguring Native VLANs........................................................................................................................................... 888
Enabling Null VLAN as the Default VLAN...................................................................................................................889
59 Virtual Link Trunking (VLT)...................................................................................................................... 890
Overview........................................................................................................................................................................ 890
VLT Terminology.......................................................................................................................................................893
Layer-2 Trac in VLT Domains...............................................................................................................................894
Interspersed VLANs................................................................................................................................................ 895
VLT on Core Switches............................................................................................................................................ 895
Enhanced VLT.......................................................................................................................................................... 896
Congure Virtual Link Trunking.................................................................................................................................... 897
Important Points to Remember..............................................................................................................................897
Conguration Notes................................................................................................................................................ 898
Primary and Secondary VLT Peers.........................................................................................................................901
RSTP and VLT.......................................................................................................................................................... 901
VLT Bandwidth Monitoring.....................................................................................................................................902
VLT and Stacking.....................................................................................................................................................902
VLT and IGMP Snooping........................................................................................................................................ 902
VLT IPv6................................................................................................................................................................... 902
VLT Port Delayed Restoration................................................................................................................................903
PIM-Sparse Mode Support on VLT.......................................................................................................................903
VLT Routing .............................................................................................................................................................905
Non-VLT ARP Sync................................................................................................................................................. 908
RSTP Conguration...................................................................................................................................................... 909
Preventing Forwarding Loops in a VLT Domain................................................................................................... 909
Sample RSTP Conguration...................................................................................................................................909
Conguring VLT........................................................................................................................................................910
PVST+ Conguration.....................................................................................................................................................920
Sample PVST+ Conguration.................................................................................................................................920
Peer Routing Conguration Example...........................................................................................................................921
Dell-1 Switch Conguration.....................................................................................................................................922
Dell-2 Switch Conguration....................................................................................................................................926
R1 Conguration.......................................................................................................................................................929
Access Switch A1 Congurations and Verication.............................................................................................. 930
eVLT Conguration Example.........................................................................................................................................931
eVLT Conguration Step Examples........................................................................................................................931
PIM-Sparse Mode Conguration Example.................................................................................................................933
Verifying a VLT Conguration.......................................................................................................................................934
Additional VLT Sample Congurations........................................................................................................................ 937
Troubleshooting VLT......................................................................................................................................................939
Reconguring Stacked Switches as VLT....................................................................................................................940
Specifying VLT Nodes in a PVLAN..............................................................................................................................940
Association of VLTi as a Member of a PVLAN..................................................................................................... 941
MAC Synchronization for VLT Nodes in a PVLAN............................................................................................... 941
PVLAN Operations When One VLT Peer is Down...............................................................................................942
PVLAN Operations When a VLT Peer is Restarted.............................................................................................942
Interoperation of VLT Nodes in a PVLAN with ARP Requests..........................................................................942
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN............................ 942
Conguring a VLT VLAN or LAG in a PVLAN............................................................................................................ 944
Creating a VLT LAG or a VLT VLAN......................................................................................................................944
Associating the VLT LAG or VLT VLAN in a PVLAN...........................................................................................945
Proxy ARP Capability on VLT Peer Nodes..................................................................................................................946
Working of Proxy ARP for VLT Peer Nodes......................................................................................................... 946
VLT Nodes as Rendezvous Points for Multicast Resiliency......................................................................................947
Conguring VLAN-Stack over VLT..............................................................................................................................947
IPv6 Peer Routing in VLT Domains Overview.............................................................................................................951
IPv6 Peer Routing.................................................................................................................................................... 951
Synchronization of IPv6 ND Entries in a VLT Domain......................................................................................... 951
Synchronization of IPv6 ND Entries in a Non-VLT Domain................................................................................ 952
Tunneling IPv6 ND in a VLT Domain......................................................................................................................952
Sample Conguration of IPv6 Peer Routing in a VLT Domain........................................................................... 953
60 VLT Proxy Gateway..................................................................................................................................957
Proxy Gateway in VLT Domains................................................................................................................................... 957
Guidelines for Enabling the VLT Proxy Gateway..................................................................................................958
Enable VLT Proxy Gateway.................................................................................................................................... 959
LLDP Organizational TLV for Proxy Gateway...................................................................................................... 959
LLDP VLT Proxy Gateway in a Square VLT Topology.......................................................................................... 961
Conguring a Static VLT Proxy Gateway................................................................................................................... 962
Conguring an LLDP VLT Proxy Gateway.................................................................................................................. 962
VLT Proxy Gateway Sample Topology.........................................................................................................................962
VLT Domain Conguration......................................................................................................................................963
Dell-1 VLT Conguration..........................................................................................................................................963
Dell-2 VLT Conguration.........................................................................................................................................964
Dell-3 VLT Conguration.........................................................................................................................................965
Dell-4 VLT Conguration........................................................................................................................................ 966
61 Virtual Routing and Forwarding (VRF)......................................................................................................967
VRF Overview................................................................................................................................................................ 967
VRF Conguration Notes............................................................................................................................................. 968
DHCP.........................................................................................................................................................................970
VRF Conguration......................................................................................................................................................... 970
Loading VRF CAM................................................................................................................................................... 970
Creating a Non-Default VRF Instance...................................................................................................................970
Assigning an Interface to a VRF..............................................................................................................................971
Assigning a Front-end Port to a Management VRF............................................................................................. 971
View VRF Instance Information.............................................................................................................................. 971
Assigning an OSPF Process to a VRF Instance...................................................................................................972
Conguring VRRP on a VRF Instance...................................................................................................................972
Conguring Management VRF...............................................................................................................................973
Conguring a Static Route......................................................................................................................................973
Sample VRF Conguration............................................................................................................................................974
Route Leaking VRFs......................................................................................................................................................979
Dynamic Route Leaking................................................................................................................................................ 980
Conguring Route Leaking without Filtering Criteria..........................................................................................980
Conguring Route Leaking with Filtering..............................................................................................................983
62 Virtual Router Redundancy Protocol (VRRP)...........................................................................................986
VRRP Overview.............................................................................................................................................................986
VRRP Benets................................................................................................................................................................987
VRRP Implementation...................................................................................................................................................987
VRRP Conguration......................................................................................................................................................988
Conguration Task List............................................................................................................................................988
Setting VRRP Initialization Delay............................................................................................................................997
Sample Congurations..................................................................................................................................................998
VRRP for an IPv4 Conguration............................................................................................................................998
VRRP in a VRF Conguration................................................................................................................................1001
VRRP for IPv6 Conguration............................................................................................................................... 1006
63 Debugging and Diagnostics.....................................................................................................................1010
Oine Diagnostics........................................................................................................................................................1010
Important Points to Remember.............................................................................................................................1010
Running Oine Diagnostics...................................................................................................................................1010
Trace Logs...................................................................................................................................................................... 1011
Auto Save on Crash or Rollover................................................................................................................................... 1011
Last Restart Reason......................................................................................................................................................1011
Hardware Watchdog Timer..........................................................................................................................................1012
Using the Show Hardware Commands...................................................................................................................... 1012
Enabling Environmental Monitoring............................................................................................................................ 1013
Recognize an Overtemperature Condition.......................................................................................................... 1013
Troubleshoot an Over-temperature Condition.....................................................................................................1014
Recognize an Under-Voltage Condition............................................................................................................... 1014
Troubleshoot an Under-Voltage Condition...........................................................................................................1014
Troubleshooting Packet Loss.......................................................................................................................................1015
Displaying Drop Counters.......................................................................................................................................1016
Dataplane Statistics................................................................................................................................................1019
Display Stack Port Statistics.................................................................................................................................1020
Display Stack Member Counters..........................................................................................................................1020
Enabling Application Core Dumps.............................................................................................................................. 1022
Mini Core Dumps..........................................................................................................................................................1022
Enabling TCP Dumps................................................................................................................................................... 1023
64 Standards Compliance............................................................................................................................1024
IEEE Compliance.......................................................................................................................................................... 1024
RFC and I-D Compliance.............................................................................................................................................1025
General Internet Protocols.................................................................................................................................... 1025
General IPv4 Protocols.......................................................................................................................................... 1026
General IPv6 Protocols.......................................................................................................................................... 1027
Border Gateway Protocol (BGP)..........................................................................................................................1029
Open Shortest Path First (OSPF)........................................................................................................................1029
Intermediate System to Intermediate System (IS-IS)........................................................................................1030
Routing Information Protocol (RIP)
Multicast
MIB Location
65 X.509v3
Introduction to X.509v3 certification
X.509v3 certificates
Certificate authority (CA)
Certificate signing requests (CSR)
How certificates are requested
Advantages of X.509v3 certificates
X.509v3 support in Dell Networking OS
Information about installing CA certificates
Installing CA certificate
Information about Creating Certificate Signing Requests (CSR)
Creating Certificate Signing Requests (CSR)
Information about installing trusted certificates
Installing trusted certificates
Transport layer security (TLS)
Syslog over TLS
Online Certificate Status Protocol (OCSP)
Configuring OCSP setting on CA
Configuring OCSP behavior
Configuring Revocation Behavior
Configuring OCSP responder preference
Verifying certificates
Verifying Server certificates
Verifying Client Certificates
Event logging
1 About this Guide

This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell Command Line Reference Guide for your system.
The S3100 series consists of the S3124, S3124F, S3148, S3124P, and S3148P platforms. The S3124, S3124F, S3124P, S3148P platforms are available with Dell Networking OS version 9.8(2.0) and later. The S3148 platform is available with Dell Networking OS version 9.10(0.0) and later.
Though this guide contains information about protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems. For complete information about protocols, see the related documentation, including Internet Engineering Task Force (IETF) requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).
Topics:
Audience
Conventions
Related Documents

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 (L2) and Layer 3 (L3) networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
Keyword      Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
x|y          Keywords and parameters separated by a bar require you to choose one option.
x||y         Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell Networking switches, see the following documents:
Dell Networking OS Command Line Reference Guide
Dell Networking OS Installation Guide
Dell Networking OS Quick Start Guide
Dell Networking OS Release Notes

2 Configuration Fundamentals

The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.
The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
In the Dell Networking OS, after you enter a command, the command is added to the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. Differences are noted in each CLI description and related documentation.
Topics:
Accessing the Command Line
CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Conguration Mode

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session. When the system successfully boots, enter the command line in EXEC mode.
: You must have a password congured on a virtual terminal line before you can Telnet into the system. Therefore, you must
NOTE
use a console connection when connecting to the system for the rst time.
telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'. Login: username Password: Dell>

CLI Modes

Dierent sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (except for EXEC mode commands with a preceding do command
(refer to the do Command section).
34 Conguration Fundamentals
You can set user access rights to commands and command modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.
The Dell Networking OS CLI is divided into three major mode levels:
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1 Gigabit Ethernet, 10 Gigabit Ethernet, 25 Gigabit Ethernet, 40 Gigabit Ethernet, 50 Gigabit Ethernet, or 100 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
LINE submode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.
The CLI modes are:
EXEC
EXEC Privilege
CONFIGURATION
  AS-PATH ACL
  CONTROL-PLANE
  CLASS-MAP
  DHCP
  DHCP POOL
  ECMP-GROUP
  EXTENDED COMMUNITY
  FRRP
  INTERFACE
    GROUP
    GIGABIT ETHERNET
    10 GIGABIT ETHERNET
    INTERFACE RANGE
    LOOPBACK
    MANAGEMENT ETHERNET
    NULL
    PORT-CHANNEL
    TUNNEL
    VLAN
    VRRP
  IP
  IPv6
  IP COMMUNITY-LIST
  IP ACCESS-LIST
    STANDARD ACCESS-LIST
    EXTENDED ACCESS-LIST
  MAC ACCESS-LIST
  LINE
    AUXILIARY
    CONSOLE
    VIRTUAL TERMINAL
  LLDP
  LLDP MANAGEMENT INTERFACE
  MONITOR SESSION
  MULTIPLE SPANNING TREE
  OPENFLOW INSTANCE
  PVST
  PORT-CHANNEL FAILOVER-GROUP
  PREFIX-LIST
  PRIORITY-GROUP
  PROTOCOL GVRP
  QOS POLICY
  RSTP
  ROUTE-MAP
  ROUTER BGP
  BGP ADDRESS-FAMILY
  ROUTER ISIS
  ISIS ADDRESS-FAMILY
  ROUTER OSPF
  ROUTER OSPFV3
  ROUTER RIP
  SPANNING TREE
  TRACE-LIST
  VLT DOMAIN
  VRRP
  UPLINK STATE GROUP
uBoot

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode and slot/port information.
Table 1. Dell Networking OS Command Modes
CLI Command Mode               Prompt                                                      Access Command
EXEC                           Dell>                                                       Access the router through the console or terminal line.
EXEC Privilege                 Dell#                                                       From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION                  Dell(conf)#                                                 From EXEC privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.
NOTE: Access all of the following modes from CONFIGURATION mode.
AS-PATH ACL                    Dell(config-as-path)#                                       ip as-path access-list
Gigabit Ethernet Interface     Dell(conf-if-gi-1/1)#                                       interface (INTERFACE modes)
10 Gigabit Ethernet Interface  Dell(conf-if-te-1/49)#                                      interface (INTERFACE modes)
40 Gigabit Ethernet Interface                                                              interface (INTERFACE modes)
Interface Group                Dell(conf-if-group)#                                        interface (INTERFACE modes)
Interface Range                Dell(conf-if-range)#                                        interface (INTERFACE modes)
Loopback Interface             Dell(conf-if-lo-0)#                                         interface (INTERFACE modes)
Management Ethernet Interface  Dell(conf-if-ma-1/1)#                                       interface (INTERFACE modes)
Null Interface                 Dell(conf-if-nu-0)#                                         interface (INTERFACE modes)
Port-channel Interface         Dell(conf-if-po-1)#                                         interface (INTERFACE modes)
Tunnel Interface               Dell(conf-if-tu-1)#                                         interface (INTERFACE modes)
VLAN Interface                 Dell(conf-if-vl-1)#                                         interface (INTERFACE modes)
STANDARD ACCESS-LIST           Dell(config-std-nacl)#                                      ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST           Dell(config-ext-nacl)#                                      ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST              Dell(config-community-list)#                                ip community-list
AUXILIARY                      Dell(config-line-aux)#                                      line (LINE Modes)
CONSOLE                        Dell(config-line-console)#                                  line (LINE Modes)
VIRTUAL TERMINAL               Dell(config-line-vty)#                                      line (LINE Modes)
STANDARD ACCESS-LIST           Dell(config-std-macl)#                                      mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST           Dell(config-ext-macl)#                                      mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE         Dell(config-mstp)#                                          protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus    Dell(config-pvst)#                                          protocol spanning-tree pvst
PREFIX-LIST                    Dell(conf-nprefixl)#                                        ip prefix-list
RAPID SPANNING TREE            Dell(config-rstp)#                                          protocol spanning-tree rstp
REDIRECT                       Dell(conf-redirect-list)#                                   ip redirect-list
ROUTE-MAP                      Dell(config-route-map)#                                     route-map
ROUTER BGP                     Dell(conf-router_bgp)#                                      router bgp
BGP ADDRESS-FAMILY             Dell(conf-router_bgp_af)# (for IPv4)                        address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP Mode)
                               Dell(conf-routerZ_bgpv6_af)# (for IPv6)
ROUTER ISIS                    Dell(conf-router_isis)#                                     router isis
ISIS ADDRESS-FAMILY            Dell(conf-router_isis-af_ipv6)#                             address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF                    Dell(conf-router_ospf)#                                     router ospf
ROUTER OSPFV3                  Dell(conf-ipv6router_ospf)#                                 ipv6 router ospf
ROUTER RIP                     Dell(conf-router_rip)#                                      router rip
SPANNING TREE                  Dell(config-span)#                                          protocol spanning-tree 0
TRACE-LIST                     Dell(conf-trace-acl)#                                       ip trace-list
CLASS-MAP                      Dell(config-class-map)#                                     class-map
CONTROL-PLANE                  Dell(conf-control-cpuqos)#                                  control-plane-cpuqos
DHCP                           Dell(config-dhcp)#                                          ip dhcp server
DHCP POOL                      Dell(config-dhcp-pool-name)#                                pool (DHCP Mode)
ECMP                           Dell(conf-ecmp-group-ecmp-group-id)#                        ecmp-group
EIS                            Dell(conf-mgmt-eis)#                                        management egress-interface-selection
FRRP                           Dell(conf-frrp-ring-id)#                                    protocol frrp
LLDP                           Dell(conf-lldp)# or Dell(conf-if-interface-lldp)#           protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE      Dell(conf-lldp-mgmtIf)#                                     management-interface (LLDP Mode)
LINE                           Dell(config-line-console) or Dell(config-line-vty)          line console or line vty
MONITOR SESSION                Dell(conf-mon-sess-sessionID)#                              monitor session
OPENFLOW INSTANCE              Dell(conf-of-instance-of-id)#                               openflow of-instance
PORT-CHANNEL FAILOVER-GROUP    Dell(conf-po-failover-grp)#                                 port-channel failover-group
PRIORITY GROUP                 Dell(conf-pg)#                                              priority-group
PROTOCOL GVRP                  Dell(config-gvrp)#                                          protocol gvrp
QOS POLICY                     Dell(conf-qos-policy-out-ets)#                              qos-policy-output
SUPPORTASSIST                  Dell(support-assist)#                                       support-assist
VLT DOMAIN                     Dell(conf-vlt-domain)#                                      vlt domain
VRRP                           Dell(conf-if-interface-type-slot/port-vrid-vrrp-group-id)#  vrrp-group
UPLINK STATE GROUP             Dell(conf-uplink-state-group-groupID)#                      uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command.
The following example shows the output of the do command.
Dell#do show system brief

Stack MAC : f8:b1:56:7b:cd:69
Reload-Type : normal-reload [Next boot : normal-reload]

-- Stack Info --
Unit UnitType    Status       ReqTyp  CurTyp  Version    Ports
------------------------------------------------------------------------
 1   Member      not present  S3124
 2   Management  online       S3124   S3124   9-8(2-65)  30
 3   Member      not present
 4   Member      not present
 5   Member      not present
 6   Member      not present

-- Module Info --
Unit Module No Status       Module Type  Ports
------------------------------------------------------------------
 2   0         not present  No Module    0

-- Power Supplies --
Unit Bay Status  Type     FanStatus FanSpeed(rpm)
------------------------------------------------------------
 2   1   up      UNKNOWN  up        NA
 2   2   absent           absent    NA

-- Fan Status --
Unit Bay TrayStatus Fan0 Speed Fan1 Speed
---------------------------------------------------------
 2   1   up         up   6956  up   6956

Speed in RPM

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
Dell(conf)#interface gigabitethernet 4/17
Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-gi-4/17)#no ip address
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 no ip address
 no shutdown
Conguration
Fundamentals 39
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
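The following added example is not part of the Dell guide and is not Dell code. It uses the prompt conventions in Table 1 together with the do and no commands to audit a captured console session: each entered command is attributed to its CLI mode, and configuration changes are separated from read-only commands. The hostname Dell, the sample capture, and the function names are assumptions made for this example, and the capture is expected to use full keywords rather than abbreviations.

```python
import re

# Constructed console capture for this example (not from a real device).
SAMPLE = """\
Dell>enable
Dell#configure
Dell(conf)#interface gigabitethernet 4/17
Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-gi-4/17)#no ip address
Dell(conf-if-gi-4/17)#do show system brief | grep 0
0 not present
Dell(conf-if-gi-4/17)#exit
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#no disable
Dell(config-span)#end
Dell#
"""

# Command kinds that alter the running configuration.
CONFIG_KINDS = ("config-set", "config-negate")


def classify_prompt(tag, end):
    """Map a prompt's mode tag and terminator to a mode family from Table 1."""
    if tag is None:
        # "Dell>" is EXEC, "Dell#" is EXEC Privilege.
        return "EXEC" if end == ">" else "EXEC Privilege"
    if tag == "conf":
        return "CONFIGURATION"
    if tag.startswith("conf-if-"):
        # Interface prompts, including per-interface LLDP and VRRP submodes.
        return "INTERFACE"
    if tag.startswith("config-line-"):
        return "LINE"
    # Any other sub-CONFIGURATION prompt: keep the tag so it stays visible.
    return "SUBMODE:" + tag


def classify_command(mode, cmd):
    """Label a command by its effect, given the mode it was typed in."""
    if mode in ("EXEC", "EXEC Privilege"):
        return "exec"
    first = cmd.split()[0].lower()  # the CLI is not case-sensitive
    if first == "do":
        return "exec-via-do"        # EXEC command run from a config mode
    if first == "show":
        return "view"               # for example "show config"
    if first == "no":
        return "config-negate"      # removes a setting, or enables ("no disable")
    if first in ("exit", "end"):
        return "navigation"
    return "config-set"


def audit(transcript, hostname="Dell"):
    """Return (mode, kind, command) for every command line in the capture.

    Lines that do not start with a prompt (command output, echoed
    configuration such as " no shutdown") are ignored.
    """
    prompt = re.compile(
        r"^" + re.escape(hostname) + r"(?:\(([^)]+)\))?([>#])(.*)$"
    )
    events = []
    for line in transcript.splitlines():
        match = prompt.match(line.rstrip())
        if not match:
            continue
        tag, end, cmd = match.group(1), match.group(2), match.group(3).strip()
        if not cmd:
            continue  # bare prompt with nothing typed
        mode = classify_prompt(tag, end)
        events.append((mode, classify_command(mode, cmd), cmd))
    return events


def config_changes(events):
    """Keep only the commands that changed the running configuration."""
    return [event for event in events if event[1] in CONFIG_KINDS]


if __name__ == "__main__":
    for mode, kind, cmd in audit(SAMPLE):
        print(f"{mode:<22} {kind:<14} {cmd}")
```

The " no shutdown" line echoed by show config is not counted as a command because it does not follow a prompt, while no disable typed at the Dell(config-span)# prompt is reported as a configuration change.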

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
Dell#?
bmp      BMP commands
cd       Change current directory
clear    Reset functions
clock    Manage the system clock
Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map
clock
Dell(conf)#cl
Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
Dell(conf)#clock

Entering and Editing Commands

Notes for entering commands.
The CLI is not case-sensitive.
You can enter partial CLI keywords.
Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The UP and DOWN arrow keys display previously entered commands (refer to Command History).
The BACKSPACE and DELETE keys erase the previous letter.
Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key Combination  Action
CNTL-A                     Moves the cursor to the beginning of the command line.
CNTL-B                     Moves the cursor back one character.
CNTL-D                     Deletes character at cursor.
CNTL-E                     Moves the cursor to the end of the line.
CNTL-F                     Moves the cursor forward one character.
CNTL-I                     Completes a keyword.
CNTL-K                     Deletes all characters from the cursor to the end of the command line.
CNTL-L                     Re-enters the previous command.
CNTL-N                     Returns to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P                     Recalls commands, beginning with the last command.
CNTL-R                     Re-enters the previous command.
CNTL-U                     Deletes the line.
CNTL-W                     Deletes the previous word.
CNTL-X                     Deletes the line.
CNTL-Z                     Ends continuous scrolling of command outputs.
Esc B                      Moves the cursor back one word.
Esc F                      Moves the cursor forward one word.
Esc D                      Deletes all characters from the cursor to the end of the word.

Command History

The Dell Networking OS maintains a history of previously-entered commands for each mode. For example:
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.
Starting with Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For example, the commands:
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface GigabitEthernet 1/1
show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show system brief command.

Example of the grep Keyword

Dell(conf)#do show system brief | grep 0
0 not present
NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
Example of the except Keyword
Dell#show system brief | except 1
Stack MAC : 4c:76:25:e5:49:40
Reload-Type : normal-reload [Next boot : normal-reload]
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show system brief command.
Example of the find Keyword
Dell#show system brief | find 0
2 Management online S3124 S3124 9-8(2-65) 30
3 Member not present
4 Member not present
5 Member not present
6 Member not present
-- Module Info --
Unit Module No Status Module Type Ports
---------------------------------------------------------------------------
2 0 not present No Module 0
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed(rpm)
---------------------------------------------------------------------------
2 1 up UNKNOWN up NA
2 2 absent absent NA
-- Fan Status --
Unit Bay TrayStatus Fan0 Speed Fan1 Speed
--------------------------------------------------------------------------------
2 1 up up 7058 up 7164
Speed in RPM
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:
Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save.

Multiple Users in Configuration Mode

Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:
On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system: User "<username>" on line console0
On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
3

Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration Fundamentals chapter.
Topics:
Console Access
Accessing the CLI Interface and Running Scripts Using SSH
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Configuring the Enable Password
Configuration File Management
Managing the File System
Enabling Software Features on Devices Using a Command Option
View Command History
Upgrading Dell Networking OS
Verify Software Images Before Installation
Using HTTP for File Transfers

Console Access

The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.

Serial Console

The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis.
Figure 1. RJ-45 Console Port
1 RJ-45 console port.
Accessing the Console Port
To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1 Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the S4810 console port to a terminal server.
2 Connect the other end of the cable to the DTE terminal server.
3 Terminal settings on the console port cannot be changed in the software and are set as follows:
No parity
8 data bits
1 stop bit
No flow control
Pin Assignments
You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout                    RJ-45 Pinout                    DB-9 Pin                Signal
RTS            1                               8                               8                       CTS
NC             2                               7                               6                       DSR
TxD            3                               6                               2                       RxD
GND            4                               5                               5                       GND
GND            5                               4                               5                       GND
RxD            6                               3                               3                       TxD
NC             7                               2                               4                       DTR
CTS            8                               1                               7                       RTS

Accessing the CLI Interface and Running Scripts Using SSH

In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files. This method of connectivity is supported with S4810, S4048–ON, S3048–ON, S4820T, and Z9000 switches and provides a reliable, safe communication mechanism.

Entering CLI commands Using an SSH Connection

You can run CLI commands by entering either of the following syntaxes to connect to a switch over SSH using the preconfigured user credentials:
ssh username@hostname <CLI Command>
or
echo <CLI Command> | ssh admin@hostname
The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.

Executing Local CLI Scripts Using an SSH Connection

You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname <CLIscript.file>
or
cat <CLIscript.file> | ssh admin@hostname
The script is run and the actions contained in the script are performed.
Following are the points to remember when you are trying to establish an SSH session to the device to run commands or script files:
There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in executing SSH-related scripts.
To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed.
If you issue an interactive command in the SSH session, the behavior may not really be interactive.
In some cases, when you use an SSH session and certain show commands such as show tech-support produce large volumes of output, a few characters from the output are truncated and not displayed. This may cause one of the commands to fail with a syntax error. In such cases, if you add a few newline characters before the failed command, the output displays completely.
Execution of commands on the CLI over SSH does not report errors that occur while executing the command. As a result, you cannot identify whether a command has failed to be processed. The console output, though, is redirected back over SSH.
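The points above imply two habits for automation: send a whole script through one SSH session, and decide success from the returned text rather than from the exit status. The following is an added example, not Dell code; it assumes an OpenSSH client with key-based login, and that rejected commands produce lines beginning with "% Error" (an assumption, since this guide only shows "% Warning" lines). The transcript is constructed.

```python
import subprocess
import time
from collections import deque

# "% Warning" appears in this guide; "% Error" as the marker of a rejected
# command is an ASSUMPTION about the CLI's message format. Adjust as needed.
ERROR_PREFIXES = ("% Error",)
WARNING_PREFIXES = ("% Warning",)

# Constructed transcript for offline use (not captured from a device).
SAMPLE_TRANSCRIPT = """\
Dell#show system brief | grep 0
0 not present
Dell#show systm brief
% Error: Invalid input at "^" marker.
Dell#configure
% Warning: The following users are currently configuring the system: User "admin" on line console0
"""


def build_batch(commands, pad_newlines=1):
    """Join commands into one stdin payload so a script costs one SSH session.

    Each command is preceded by pad_newlines empty lines, the workaround the
    guide gives for truncated output. Control characters are rejected so a
    value interpolated into a command cannot carry a second command with it.
    """
    parts = []
    for cmd in commands:
        cmd = cmd.strip()
        if not cmd or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cmd):
            raise ValueError(f"refusing empty or multi-line command: {cmd!r}")
        parts.append("\n" * pad_newlines + cmd)
    return "\n".join(parts) + "\n"


def scan_output(text):
    """Return (errors, warnings) as lists of (line_number, line)."""
    errors, warnings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(ERROR_PREFIXES):
            errors.append((number, stripped))
        elif stripped.startswith(WARNING_PREFIXES):
            warnings.append((number, stripped))
    return errors, warnings


class SessionThrottle:
    """Client-side guard for the limit of 10 sessions per minute."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.starts = deque()

    def wait_time(self):
        """Seconds to wait before another session may be opened."""
        now = self.clock()
        while self.starts and now - self.starts[0] >= self.window:
            self.starts.popleft()
        if len(self.starts) < self.limit:
            return 0.0
        return self.window - (now - self.starts[0])

    def record(self):
        self.starts.append(self.clock())


def run_batch(host, user, commands, throttle, timeout=120):
    """Run all commands in ONE ssh session and judge success from the text."""
    delay = throttle.wait_time()
    if delay > 0:
        time.sleep(delay)
    throttle.record()
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"{user}@{host}"],  # key auth assumed
        input=build_batch(commands), capture_output=True, text=True,
        timeout=timeout,
    )
    errors, warnings = scan_output(proc.stdout)
    # The exit status only says the session ran; CLI failures are in the text.
    ok = proc.returncode == 0 and not errors
    return {"ok": ok, "errors": errors, "warnings": warnings,
            "output": proc.stdout}


if __name__ == "__main__":
    found_errors, found_warnings = scan_output(SAMPLE_TRANSCRIPT)
    for number, line in found_errors + found_warnings:
        print(f"line {number}: {line}")
```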

Default Configuration

Although a version of Dell Networking OS is pre-loaded onto the system, the system is not configured when you power up the system for the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the hostname name command in Configuration mode.
hostname command example
Dell(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or secure shell (SSH).
The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.

Accessing the System Remotely

Configuring the system for remote access is a three-step process, as described in the following topics:
1 Configure an IP address for the management port. Configure the Management Port IP Address
2 Configure a management route with a default gateway. Configure a Management Route
3 Configure a username and password. Configure a Username and Password
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1 Enter INTERFACE mode for the Management port.
CONFIGURATION mode
interface ManagementEthernet slot/port
2 Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
ip-address: an address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/xx).
3 Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.
Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode
management route ip-address/mask gateway
ip-address: the network address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/xx).
gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, configure a system username and password. To configure a system username and password, use the following command.
Configure a username and password to access the system remotely.
CONFIGURATION mode
username username password [encryption-type] password
encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
0 is for inputting the password in clear text.
7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure.
There are three types of enable passwords:
enable password is stored in the running/startup configuration using a DES encryption method.
enable secret is stored in the running/startup configuration using MD5 encryption method.
enable sha256-password is stored in the running/startup configuration using sha256-based encryption method (PBKDF2).
Dell Networking recommends using the enable sha256-password password.
To configure an enable password, use the following command.
Create a password to access EXEC Privilege mode.
CONFIGURATION mode
enable [password | secret | sha256-password] [level level] [encryption-type] password
level: is the privilege level, is 15 by default, and is not required.
encryption-type: specifies how you input the password, is 0 by default, and is not required.
0 is to input the password in clear text.
5 is to input a password that is already encrypted using MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
7 is to input a password that is already encrypted using DES encryption method. Obtain the encrypted password from the configuration file of another device.
8 is to input a password that is already encrypted using sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.
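The storage types and encryption-type values above can be checked mechanically in a saved configuration or CLI script. The following is an added example, not Dell tooling; it parses enable and username lines according to the syntax given in this guide, and the sample configuration, user names and hash strings in it are constructed.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity item detail")

# Syntax as given in this guide:
#   enable [password | secret | sha256-password] [level level] [encryption-type] password
#   username username password [encryption-type] password
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>password|secret|sha256-password)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<etype>[0578])(?=\s+\S))?"
    r"\s+(?P<value>\S+)\s*$"
)
USERNAME_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+password"
    r"(?:\s+(?P<etype>[07])(?=\s+\S))?"
    r"\s+(?P<value>\S+)"
)

# Storage method per enable type, as listed in this guide.
STORAGE = {
    "password": "DES",
    "secret": "MD5",
    "sha256-password": "sha256-based (PBKDF2)",
}
RECOMMENDED = "sha256-password"

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
! constructed sample, not from a real device
hostname R1
enable password 7 b125455cf679b208
enable secret level 5 5 0123456789abcdef0123456789abcdef
enable sha256-password 8 PLACEHOLDER-SHA256-HASH
username admin password 7 387a7f2df5969da4
username backup password Winter2017
"""


def audit_config(text):
    """Return a list of Finding tuples for password lines in a configuration."""
    findings = []
    enable_seen = False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        match = ENABLE_RE.match(line)
        if match:
            enable_seen = True
            kind = match["kind"]
            etype = match["etype"] or "0"  # 0 is the default input type
            if etype == "0":
                findings.append(Finding(
                    number, "high", f"enable {kind}",
                    "password is written in clear text in this file"))
            elif kind != RECOMMENDED:
                findings.append(Finding(
                    number, "medium", f"enable {kind}",
                    f"stored using {STORAGE[kind]}; the guide recommends "
                    f"enable {RECOMMENDED}"))
            continue
        match = USERNAME_RE.match(line)
        if match and (match["etype"] or "0") == "0":
            findings.append(Finding(
                number, "high", f"username {match['user']}",
                "password is written in clear text in this file"))
    if not enable_seen:
        findings.append(Finding(
            0, "high", "enable",
            "no enable password found; EXEC Privilege mode is "
            "unrestricted by default"))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"line {finding.line} [{finding.severity}] "
              f"{finding.item}: {finding.detail}")
```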
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command Reference.
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Location: For a remote file location: FTP server
source-file-url Syntax: copy ftp://username:password@{hostip | hostname}/filepath/filename
destination-file-url Syntax: ftp://username:password@{hostip | hostname}/filepath/filename
Location: For a remote file location: TFTP server
source-file-url Syntax: copy tftp://{hostip | hostname}/filepath/filename
destination-file-url Syntax: tftp://{hostip | hostname}/filepath/filename
Location: For a remote file location: SCP server
source-file-url Syntax: copy scp://{hostip | hostname}/filepath/filename
destination-file-url Syntax: scp://{hostip | hostname}/filepath/filename
Important Points to Remember
You may not copy a file from one remote system to another.
You may not copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
Example of Copying a File to an FTP Server
Dell#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0.bin flash://
Destination file name [Dell-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied

Mounting an NFS File System

This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points.
To mount an NFS file system, perform the following steps:
Table 4. Mounting an NFS File System
File Operation: To mount an NFS file system:
Syntax: mount nfs rhost:path mount-point username password
The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration. As a result, each time the device re-boots, the NFS file system is mounted during start up.
Table 5. Forming a copy Command
Location: For a remote file location: NFS File System
source-file-url Syntax: copy nfsmount://{<mount-point>}/filepath/filename} username:password
destination-file-url Syntax: tftp://{hostip | hostname}/filepath/filename
Important Points to Remember
You cannot copy a file from one remote system to another.
You cannot copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
Example of Copying a File to current File System
Dell#copy tftp://10.16.127.35/dv-maa-test nfsmount://
Destination file name [dv-maa-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.!
44250499 bytes successfully copied
Dell#
Dell#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.c
User name to login remote host: username
Example of Logging in to Copy from NFS Mount
Dell#copy nfsmount:///test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
Dell#
Dell#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!
Example of Copying to NFS Mount
Dell#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
!
24 bytes successfully copied
Dell#
Dell#copy tftp://10.16.127.35/username/dv-maa-test ?
flash: Copy to local file system ([flash://]filepath)
nfsmount: Copy to nfs mount file system (nfsmount:///filepath)
running-config remote host:
Destination file name [test.c]:
!
225 bytes successfully copied
Dell#
Save the Running-Configuration
The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration. The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that current directory is the internal flash, which is the system default.
Save the running-configuration to the startup-configuration on the internal flash of the primary RPM.
EXEC Privilege mode
copy running-config startup-config
Save the running-configuration to an FTP server.
EXEC Privilege mode
copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
Save the running-configuration to a TFTP server.
EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/filepath/filename
Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration. Commands in the configuration file have precedence over commands in the running configuration.
Configure the Overload Bit for a Startup Scenario
For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
View a list of files on the internal flash.
EXEC Privilege mode
dir flash:
View the running-configuration.
EXEC Privilege mode
show running-config
View the startup-configuration.
EXEC Privilege mode
show startup-config
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Dell#dir
Directory of flash:
1 drw- 32768 Jan 01 1980 00:00:00 .
2 drwx 512 Jul 23 2007 00:38:44 ..
3 drw- 8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR
4 drw- 8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR
5 drw- 8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR
6 drw- 8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR
7 d--- 8192 Mar 30 1919 10:31:04 ADMIN_DIR
8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin
9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin
10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE
11 drw- 8192 Jan 01 1980 00:18:28 diag
12 -rw- 7276 Jul 20 2007 01:52:40 startup-config.bak
13 -rw- 7341 Jul 20 2007 15:34:46 startup-config
14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image
15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--
View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change” and “Startup-config last updated,” you have made changes that have not been saved and are preserved after a system reboot.
Example of the show running-config Command
Dell#show running-config
Current Configuration ...
! Version 9.4(0.0)
! Last configuration change at Tue Mar 11 21:33:56 2014 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default
!
<output truncated for brevity>
Compressing Configuration Files
You can optimize and reduce the sizes of the configuration files.
You can compress the running configuration by grouping all the VLANs and the physical interfaces with the same property. Support to store the operating configuration to the startup config in the compressed mode and to perform an image downgrade without any configuration loss are provided.
You can create groups of VLANs using the interface group command. This command will create nonexistent VLANs specified in a range. On successful command execution, the CLI switches to the interface group context. The configuration commands inside the group context will be similar to those of the existing range command.
Two existing exec mode CLIs are enhanced to display and store the running configuration in the compressed mode.
show running-config compressed and write memory compressed
The compressed configuration will group all the similar looking configuration thereby reducing the size of the configuration. For this release, the compression will be done only for interface related configuration (VLAN & physical interfaces).
The following table describes how the standard and the compressed configuration differ:
Table 6. Standard and Compressed Configurations

int vlan 2
no ip address
no shut

int te 1/1
no ip address
switchport
shut

int vlan 3
tagged te 1/1
no ip address
shut

int te 1/2
no ip address
shut

int vlan 4
tagged te 1/1
no ip address
shut

int te 1/3
no ip address
shut

int vlan 5
tagged te 1/1
no ip address
shut

int te 1/4
no ip address
shut

int vlan 100
no ip address
no shut

int te 1/10
no ip address
shut

int vlan 1000
ip address 1.1.1.1/16
no shut

int te 1/34
ip address 2.1.1.1/16
shut

Dell# show running-config
<snip>
!
interface TenGigabitEthernet 1/1
no ip address
switchport
shutdown
!
interface TenGigabitEthernet 1/2
no ip address
shutdown
!
interface TenGigabitEthernet 1/3
no ip address
shutdown
!
interface TenGigabitEthernet 1/4
no ip address
shutdown
!
interface TenGigabitEthernet 1/10
no ip address
shutdown
!
interface TenGigabitEthernet 1/34
ip address 2.1.1.1/16
shutdown
!
interface Vlan 2
no ip address
no shutdown
!
interface Vlan 3
tagged te 1/1
no ip address
shutdown
!
interface Vlan 4
tagged te 1/1
no ip address
shutdown
!
interface Vlan 5
tagged te 1/1
no ip address
shutdown
!
interface Vlan 100
no ip address
no shutdown
!
interface Vlan 1000
ip address 1.1.1.1/16
no shutdown
Uncompressed config size – 52 lines

Dell# show running-config compressed
<snip>
!
interface TenGigabitEthernet 1/1
no ip address
switchport
shutdown
!
Interface group TenGigabitEthernet 1/2 – 4 , TenGigabitEthernet 1/10
no ip address
shutdown
!
interface TenGigabitEthernet 1/34
ip address 2.1.1.1/16
shutdown
!
interface group Vlan 2 , Vlan 100
no ip address
no shutdown
!
interface group Vlan 3 – 5
tagged te 1/1
no ip address
shutdown
!
interface Vlan 1000
ip address 1.1.1.1/16
no shutdown
!
<snip>
Compressed config size – 27 lines.
write memory compressed
The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode. In stacking scenario, it will also take care of syncing it to all the standby and member units.
The following is the sample output:
Dell#write memory compressed
!
Jul 30 08:50:26: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
copy compressed-config
Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).

Managing the File System

The Dell Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information, use the following command.
View information about each file system.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
Dell#show file-systems
Size(b) Free(b) Feature Type Flags Prefixes
520962048 213778432 dosFs2.0 USERFLASH rw flash:
127772672 21936128 dosFs2.0 USERFLASH rw slot0:
- - - network rw ftp:
- - - network rw tftp:
- - - network rw scp:
You can change the default file system so that file management commands apply to a particular device or memory.
To change the default directory, use the following command.
Change the default directory.
EXEC Privilege mode
cd directory

Enabling Software Features on Devices Using a Command Option

The capability to activate software applications or components on a device using a command is supported on this platform.
Starting with Release 9.4(0.0), you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface. This enables effective, streamlined management and administration of applications and utilities that run on a device. You can employ this capability to perform an on-demand activation, or turn-off a software component or protocol. A feature configuration file generated for each image contains feature names, and denotes if this enabling or disabling method is available. You can enable or disable the VRF application globally across the system by using this capability.
Activate the VRF application on a device by using the feature vrf command in CONFIGURATION mode.
NOTE: The no feature vrf command is not supported on any of the platforms.
To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must enable the VRF feature before you can configure its related attributes.
Dell(conf)# feature vrf
If the VRF feature is identified as supported in the Feature Configuration file, the configuration command feature vrf becomes available for use. This command is stored in the running-configuration and precedes all other VRF-related configurations.
To display the state of Dell Networking OS features:
Dell# show feature
Example of show feature output
For a particular target where VRF is enabled, the show output is similar to the following:
Feature State
------------------------
VRF Enabled

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Dell#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin

Upgrading Dell Networking OS

NOTE: To upgrade Dell Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.

Verify Software Images Before Installation

To validate the software image on the ash drive, you can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed. The validation calculates a hash value of the downloaded image le on system’s ash drive, and, optionally, compares it to a Dell Networking published hash for that le.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image le and comparing the result to the hash published for that le on iSupport provides a high level of condence that the local
Getting Started
57
copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, prevents the installation of corrupted or modied images.
The verify {md5 | sha256} command calculates and displays the hash of any le on the specied local ash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which displays whether it matches the calculated hash of the indicated le.
To validate a software image:
1 Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file displays next to the software image file on the iSupport page.
2 Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command.
3 Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4 Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image is transferred to the system, but before you install the image, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
md5: MD5 message-digest algorithm
sha256: SHA256 Secure Hash Algorithm
flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name.
hash-value: (Optional) Specify the relevant hash published on iSupport.
img-file: Enter the name of the Dell Networking software image file to validate.
Examples: Without Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
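An off-box counterpart to the validation procedure above, added here as an example (it is not Dell code): it hashes the image on the staging server before the copy, then checks the line the switch prints for verify against the published hash. The function names are assumptions; the sample lines are the ones shown in the examples above.

```python
import hashlib
import hmac
import re

# The two output shapes shown in this guide:
#   "<ALGO> hash for <file>: <hex>"   and   "<ALGO> hash VERIFIED for <file>"
HASH_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256) hash for (?P<file>\S+): (?P<hex>[0-9a-fA-F]+)$")
VERIFIED_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256) hash VERIFIED for (?P<file>\S+)$")
HEX_LEN = {"MD5": 32, "SHA256": 64}

# Values taken from the examples in this section.
PUBLISHED_SHA256 = "e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933"
SAMPLE_HASH_LINE = "SHA256 hash for FTOS-SE-9.5.0.0.bin: " + PUBLISHED_SHA256
SAMPLE_VERIFIED_LINE = "SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin"


def normalise(published, algo):
    """Trim and lowercase a published hash; reject anything of the wrong shape."""
    value = published.strip().lower()
    if len(value) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"not a {algo} hex digest: {published!r}")
    return value


def file_digest(path, algo="SHA256", chunk=1 << 20):
    """Hash a file in chunks so a large image is never held in memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def staged_image_ok(path, published, algo="SHA256"):
    """True if the image on the FTP/TFTP server matches the published hash."""
    return hmac.compare_digest(file_digest(path, algo), normalise(published, algo))


def check_switch_output(line, image_name, published, algo="SHA256"):
    """True only if the switch's verify output confirms `published` for the image.

    A "VERIFIED" line proves a match against whatever hash was typed on the
    CLI, so it is trusted here only on the assumption that the caller passed
    `published` to the verify command.
    """
    expected = normalise(published, algo)
    line = line.strip()
    m = HASH_LINE.match(line)
    if m:
        return (m["algo"] == algo and m["file"] == image_name
                and hmac.compare_digest(m["hex"].lower(), expected))
    m = VERIFIED_LINE.match(line)
    return bool(m) and m["algo"] == algo and m["file"] == image_name
```

Checking the staged copy first separates a bad download from corruption during the copy to flash.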

Using HTTP for File Transfers

Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command. Enter the following source-file-url keywords and information:
To copy a file from the internal FLASH, enter flash:// followed by the filename.
To copy the running configuration, enter the keyword running-config.
To copy the startup configuration, enter the keyword startup-config.
To copy a file on the USB device, enter usbflash:// followed by the filename.
In the Dell Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
NOTE: To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF.
You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting.
When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the ip http source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
NOTE: If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up.
To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
Configure an HTTP client with a VRF that is used to connect to the HTTP server. CONFIGURATION MODE
Dell(conf)#ip http vrf {management | <vrf-name>}
This chapter describes the different protocols or services used to manage the Dell Networking system.
Topics:
Configuring Privilege Levels
Configuring Logging
Track Login Activity
Limit Concurrent Login Sessions
Enabling Secured CLI Mode
Log Messages in the Internal Buffer
Disabling System Logging
Sending System Messages to a Syslog Server
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode

4 Management

Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level: Description
Level 0: Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Level 1: Access to the system begins at EXEC mode, and all commands are available.
Level 15: Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based Access Control.

Creating a Custom Privilege Level

Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
Allowing Access to Different Modes
This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want to allow access using the privilege {interface | line | route-map | router} level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Allow access to CONFIGURATION mode. CONFIGURATION mode
privilege exec level level configure
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command. CONFIGURATION mode
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command ||...|| command}
The configuration in the following example creates privilege level 3. This level:
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE tengigabitethernet and LINE modes with no commands
Example of EXEC Privilege Commands
Dell(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Dell#?
capture      Capture packet
configure    Configuring from terminal
disable      Turn off privileged commands
enable       Turn on privileged commands
exit         Exit from the EXEC
ip           Global IP subcommands
monitor      Monitoring feature
mtrace       Trace reverse multicast path from destination to source
ping         Send echo messages
quit         Exit from the EXEC
show         Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.
Dell(conf)#?
end          Exit from configuration mode
exit         Exit from configuration mode
interface    Select an interface to configure
line         Configure a terminal line
Dell(conf)#interface ?
fastethernet         Fast Ethernet interface
gigabitethernet      Gigabit Ethernet interface
loopback             Loopback interface
managementethernet   Management Ethernet interface
null                 Null interface
port-channel         Port-channel interface
range                Configure interface range
sonet                SONET interface
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN interface
Dell(conf)#interface tengigabitethernet 1/1
Dell(conf-if-gi-1/1)#?
end          Exit from configuration mode
exit         Exit from interface configuration mode
Dell(conf-if-gi-1/1)#exit
Dell(conf)#line ?
aux          Auxiliary line
console      Primary terminal line
vty          Virtual terminal
Dell(conf)#line vty 0
Dell(config-line-vty)#?
exit         Exit from line configuration mode
Dell(config-line-vty)#
Dell(conf)#interface group ?
gigabitethernet      GigabitEthernet interface IEEE 802.3z
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN keyword
Dell(conf)# interface group vlan 1 - 2 , gigabitethernet 1/1
Dell(conf-if-group-vl-1-2,gi-1/1)# no shutdown
Dell(conf-if-group-vl-1-2,gi-1/1)# end
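A review aid for the privilege statements above, added here as an example (it is not Dell code): it reads the privilege lines from show run priv and reports what a given level gains, including sub-modes the level can enter but has no commands in. The function names are assumptions, and only the custom privilege statements are modelled, not the default command set of each mode.

```python
import re

PRIV_RE = re.compile(
    r"^privilege (?P<mode>exec|configure|interface|line|route-map|router) "
    r"level (?P<level>\d+) (?P<command>\S.*)$")
SUBMODES = ("interface", "line", "route-map", "router")

# The "show run priv" output from the example in this section.
SAMPLE_CONFIG = """\
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
"""


def parse_privileges(config_text):
    """Yield (mode, required_level, command) for every privilege statement."""
    for raw in config_text.splitlines():
        m = PRIV_RE.match(raw.strip())
        if m:
            yield m["mode"], int(m["level"]), " ".join(m["command"].split())


def audit(config_text, level):
    """Summarise what the custom privilege statements open up to `level`."""
    granted = {}
    for mode, required, command in parse_privileges(config_text):
        # A user can access all commands at his privilege level and below.
        if required <= level:
            granted.setdefault(mode, []).append(command)
    exec_cmds = granted.get("exec", [])
    conf_cmds = granted.get("configure", [])
    enters_conf = "configure" in exec_cmds
    # A sub-mode is reachable only through CONFIGURATION mode plus the
    # command that enters it; an empty list means end and exit only.
    submodes = {}
    for mode in SUBMODES:
        if enters_conf and any(c.split()[0] == mode for c in conf_cmds):
            submodes[mode] = granted.get(mode, [])
    return {"exec": exec_cmds, "configure": conf_cmds,
            "enters_configuration": enters_conf, "submodes": submodes}


if __name__ == "__main__":
    for lvl in (2, 3, 4):
        print(lvl, audit(SAMPLE_CONFIG, lvl))
```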

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
Configuring Logging
The Dell Networking OS tracks changes in the system using event and error messages. By default, Dell Networking OS logs these messages on:
the internal buffer
console and terminal lines
any configured syslog servers
To disable logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs. The following is the configuration task list for audit and security logs:
Enabling Audit and Security Logs
Displaying Audit and Security Logs
Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode.
This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist of the following:
User logins to the switch.
System events for network issues or system issues.
Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.
Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:
Establishment of secure traffic flows, such as SSH.
Violations on secure flows or certificate issues.
Adding and deleting of users.
User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration)
Important Points to Remember
When you enable RBAC and extended logging:
Only the system administrator user role can execute this command.
The system administrator and system security administrator user roles can view security events and system events.
The system administrator user roles can view audit, security, and system events.
Only the system administrator and security administrator user roles can view security logs.
The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Enabling Audit and Security Logs
Dell(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
Dell# clear logging auditlog
Configuring Logging Format
To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log message formats:
0 – Displays syslog message format as described in RFC 3164, The BSD syslog Protocol
1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
Dell(conf)#logging version ?
<0-1> Select syslog version (default = 0)
Dell(conf)#logging version 1
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
Dell#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 389 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Oct 13 17:50:24: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:45:01: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:32:26: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:24:11: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 13 17:24:04: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:44:20: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 21:44:19: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 12 21:38:25: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 21:38:18: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:28:55: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 20:29:19: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 20:29:12: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
To view any changes made, use the show running-config logging command in EXEC privilege mode.
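One way to put the show logging buffer above to work, added here as an example (it is not Dell code): it groups login, enable, configuration and logout messages into sessions per terminal line and returns configuration changes that have no login in the buffer. The names and the year argument are assumptions (the buffer prints no year), and the first sample line is constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# "<Mon> <d> <hh:mm:ss>: %<unit> %<FACILITY>-<severity>-<MNEMONIC>: <text>"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}): "
    r"%\S+ %(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")
# Where each message of interest names the user and the terminal line.
WHO_RE = {
    "LOGIN_SUCCESS": re.compile(
        r"for user (?P<user>\S+) on line (?P<line>\S+)(?: \( (?P<src>\S+) \))?"),
    "LOGOUT": re.compile(r"for user (?P<user>\S+) on line (?P<line>\S+)"),
    "AUTHENTICATION_ENABLE_SUCCESS": re.compile(
        r"\bon (?P<line>\S+) for user (?P<user>\S+)"),
    "CONFIG_I": re.compile(r"Configured from (?P<line>\S+) by (?P<user>\S+)"),
}

@dataclass
class Event:
    when: datetime
    mnemonic: str
    user: str
    line: str
    src: Optional[str] = None

@dataclass
class Session:
    user: str
    line: str
    login: datetime
    src: Optional[str] = None
    enabled: bool = False
    logout: Optional[datetime] = None
    config_changes: List[datetime] = field(default_factory=list)

def parse_line(raw, year=2016):
    """Return an Event for login, enable, config and logout lines, else None."""
    m = LOG_RE.match(raw.strip())
    if not m or m["mnemonic"] not in WHO_RE or m["mon"] not in MONTHS:
        return None
    who = WHO_RE[m["mnemonic"]].search(m["text"])
    if not who:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    when = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
    return Event(when, m["mnemonic"], who["user"], who["line"],
                 who.groupdict().get("src"))

def correlate(lines, year=2016):
    """Group events into sessions per terminal line; return (sessions, orphans)."""
    # The switch prints newest first, so order by time before replaying.
    events = sorted(filter(None, (parse_line(l, year) for l in lines)),
                    key=lambda e: e.when)
    open_by_line, sessions, orphans = {}, [], []
    for e in events:
        current = open_by_line.get(e.line)
        owned = current is not None and current.user == e.user
        if e.mnemonic == "LOGIN_SUCCESS":
            current = Session(e.user, e.line, e.when, e.src)
            open_by_line[e.line] = current
            sessions.append(current)
        elif e.mnemonic == "AUTHENTICATION_ENABLE_SUCCESS" and owned:
            current.enabled = True
        elif e.mnemonic == "CONFIG_I":
            # A change with no matching login means the login aged out of
            # the buffer or was never logged; either way it needs a look.
            (current.config_changes if owned else orphans).append(
                e.when if owned else e)
        elif e.mnemonic == "LOGOUT" and owned:
            current.logout = e.when
            del open_by_line[e.line]
    return sessions, orphans

SAMPLE_BUFFER = [
    # Constructed line: a change on vty1 with no login in the buffer.
    "Oct 13 18:05:00: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty1 by operator",
    # Lines from the show logging example in this section.
    "Oct 13 17:50:24: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin",
    "Oct 13 17:45:01: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin",
    "Oct 13 17:32:26: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin",
    "Oct 13 17:24:11: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin",
    "Oct 13 17:24:04: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0",
    "Oct 12 21:44:20: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0",
    "Oct 12 21:44:19: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin",
    "Oct 12 21:38:25: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin",
    "Oct 12 21:38:18: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0",
]
```

Calling correlate(SAMPLE_BUFFER) returns the two admin sessions on vty0 and one orphaned change on vty1.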

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
In the following example, the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3 Configure logging to a local host. localhost is “127.0.0.1” or “::1”.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}

Track Login Activity

Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login. The system stores the number of unsuccessful login attempts that have occurred in the last 30 days by default. You can change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from the configuration mode.

Restrictions for Tracking Login Activity

These restrictions apply for tracking login activity:
Only the system and security administrators can configure login activity tracking and view the login activity details of other users.
Login statistics is not applicable for login sessions that do not use user names for authentication. For example, the system does not report login activity for a telnet session that prompts only a password.
Configuring Login Activity Tracking
To enable and configure login activity tracking, follow these steps:
1 Enable login activity tracking.
CONFIGURATION mode
login statistics enable
After enabling login statistics, the system stores the login activity details for the last 30 days.
2 (Optional) Configure the number of days for which the system stores the user login statistics. The range is from 1 to 30.
CONFIGURATION mode
login statistics time-period days
Example of Configuring Login Activity Tracking
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
Dell(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
Dell(config)#login statistics enable
Dell(config)#login statistics time-period 12

Display Login Statistics

To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
Dell#show login statistics
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.
Dell#show login statistics all
------------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------------
------------------------------------------------------------------
User: admin1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin2
Last login time: 12:49:27 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin3
Last login time: 13:18:42 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Dell# show login statistics user admin
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
The following is sample output of the show login statistics unsuccessful-attempts command.
Dell# show login statistics unsuccessful-attempts
There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s).
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.
Dell# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.
Dell# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
The following is sample output of the show login statistics successful-attempts command.
Dell#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).

Limit Concurrent Login Sessions

Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions.
By default, you can use all 10 VTY lines, one console line, and one auxiliary line. You can limit the number of available sessions using the login concurrent-session limit command and so restrict users to that specific number of sessions. You can optionally configure the system to provide an option to the users to clear any of their existing sessions.

Restrictions for Limiting the Number of Concurrent Sessions

These restrictions apply for limiting the number of concurrent sessions:
Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.
Configuring Concurrent Session Limit
To configure concurrent session limit, follow this procedure:
Limit the number of concurrent sessions for all users. CONFIGURATION mode
login concurrent-session limit number-of-sessions
Example of Configuring Concurrent Session Limit
The following example limits the permitted number of concurrent login sessions to 4.
Dell(config)#login concurrent-session limit 4

Enabling the System to Clear Existing Sessions

To enable the system to clear existing login sessions, follow this procedure:
Use the following command. CONFIGURATION mode
login concurrent-session clear-line enable
Example of Enabling the System to Clear Existing Sessions
The following example enables you to clear your existing login sessions.
Dell(config)#login concurrent-session clear-line enable
Example of Clearing Existing Sessions
When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:
$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
Clear existing session? [line number/Enter to cancel]:
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
4 vty 2 10.14.1.97
5 vty 3 10.14.1.97
Kill existing session? [line number/Enter to cancel]:

Enabling Secured CLI Mode

The secured CLI mode prevents users from enhancing their permissions or promoting their privilege levels.
Enter the following command to enable the secured CLI mode: CONFIGURATION Mode
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
Disable System Logging
Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
Configuring a UNIX System as a Syslog Server
To configure a UNIX System as a syslog server, use the following command.
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
Add line on a 4.1 BSD UNIX system.
local7.debugging /var/log/ftos.log
Add line on a 5.7 SunOS UNIX system.
local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands,
you control the number of system messages logged.
To specify the system logging settings, use the following commands.
Specify the minimum severity level for logging to the logging buer. CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console. CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode
logging history level
Specify the size of the logging buffer. CONFIGURATION mode
logging buffered size
NOTE: When you decrease the buffer size, Dell Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that Dell Networking OS saves to its logging history table. CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
Dell#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 389 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Oct 13 17:50:24: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:45:01: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:32:26: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:24:11: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 13 17:24:04: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:44:20: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 21:44:19: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 12 21:38:25: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 21:38:18: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:28:55: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 20:29:19: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 20:29:12: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
To view any changes made, use the show running-config logging command in EXEC privilege mode.
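The following script is an added example, not part of the Dell documentation. It parses the buffer lines of the show logging example above, applies a severity threshold the way the logging level commands do, and attributes each CONFIG_I change to the login session open on the same line. The function names and the field layout expressed in the regular expressions are assumptions derived from the sample lines only.

```python
import re

# Sample input: the twelve buffer lines of the show logging example on this
# page, newest first, as the logging buffer prints them.
SAMPLE = """\
Oct 13 17:50:24: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:45:01: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:32:26: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 13 17:24:11: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 13 17:24:04: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:44:20: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 21:44:19: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 by admin
Oct 12 21:38:25: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 21:38:18: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
Oct 12 21:28:55: %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0
Oct 12 20:29:19: %STKUNIT1-M:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 for user admin
Oct 12 20:29:12: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0
"""

# timestamp: %unit %FACILITY-severity-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):\s+"
    r"%(?P<unit>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)
LOGIN_RE = re.compile(r"Login successful for user (\S+) on line (\S+)")
LOGOUT_RE = re.compile(r"Exec session is terminated for user (\S+) on line (\S+)")
CONFIG_RE = re.compile(r"Configured from (\S+) by (\S+)")

# Syslog severity numbers for the two level names that appear on this page.
LEVELS = {"informational": 6, "debugging": 7}


def parse(text):
    """Return one dict per recognised buffer line, in the order given."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["severity"] = int(ev["severity"])
            events.append(ev)
    return events


def at_level(events, level):
    """Events a destination set to `level` receives (severity at or below it)."""
    return [ev for ev in events if ev["severity"] <= level]


def sessions(events_newest_first):
    """Attach CONFIG_I events to the login session open on the same line.

    Returns (sessions, orphans); an orphan is a configuration change with no
    matching login in the buffer, for example because older lines rolled out.
    """
    open_by_line, result, orphans = {}, [], []
    for ev in reversed(events_newest_first):      # walk oldest first
        login = LOGIN_RE.search(ev["text"])
        logout = LOGOUT_RE.search(ev["text"])
        change = CONFIG_RE.search(ev["text"])
        if ev["mnemonic"] == "LOGIN_SUCCESS" and login:
            s = {"user": login.group(1), "line": login.group(2),
                 "start": ev["ts"], "end": None, "changes": []}
            open_by_line[s["line"]] = s
            result.append(s)
        elif ev["mnemonic"] == "LOGOUT" and logout:
            s = open_by_line.pop(logout.group(2), None)
            if s:
                s["end"] = ev["ts"]
        elif ev["mnemonic"] == "CONFIG_I" and change:
            s = open_by_line.get(change.group(1))
            if s and s["user"] == change.group(2):
                s["changes"].append(ev["ts"])
            else:
                orphans.append(ev)
    return result, orphans
```

A destination set to a level below 5 would drop every login, logout and configuration-change line in this sample, which is worth checking before lowering logging trap on a device whose syslog server feeds an audit trail.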
Configuring a UNIX Logging Facility Level
You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command.
Specify one of the following parameters. CONFIGURATION mode
logging facility [facility-type]
auth (for authorization messages)
cron (for system scheduler messages)
daemon (for system daemons)
kern (for kernel messages)
local0 (for local use)
local1 (for local use)
local2 (for local use)
local3 (for local use)
local4 (for local use)
local5 (for local use)
local6 (for local use)
local7 (for local use)
lpr (for line printer system messages)
mail (for mail system messages)
news (for USENET news messages)
sys9 (system use)
sys10 (system use)
sys11 (system use)
sys12 (system use)
sys13 (system use)
sys14 (system use)
syslog (for syslog messages)
user (for user programs)
uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view nondefault settings, use the show running-config logging command in EXEC mode.
Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#

Synchronizing Log Messages

You can configure Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1 Enter LINE mode.
CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Configure the following parameters for the virtual terminal lines:
number: the range is from zero (0) to 8.
end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2 Configure a level and set the maximum number of messages to print.
LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command.
Add timestamp to syslog messages. CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
uptime: To view time since last boot.
If you do not specify a parameter, Dell Networking OS configures uptime.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.

File Transfer Services

With Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.
If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table. You can use the ip ftp vrf vrf-name or ip tftp vrf vrf-name command to inform the FTP or TFTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP server.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
Enable FTP Server (mandatory)
Configure FTP Server Parameters (optional)
Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Enable FTP on the system. CONFIGURATION mode
ftp-server enable
Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To configure the FTP server parameters, use the following commands.
Specify the directory for users using FTP to reach the system. CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
username: enter a text string.
encryption-type: enter 0 for plain text or 7 for encrypted text.
password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
Enter the following keywords and the interface information:
For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
For a port channel interface, enter the keywords port-channel then a number.
For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
CONFIGURATION mode
ip ftp source-interface interface
Configure a password. CONFIGURATION mode
ip ftp password password
Enter a username to use on the FTP client. CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs). The virtual terminal lines (VTYs) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices such as modems.

Denying and Permitting Access to a Terminal Line

Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
When you use the access-class access-list-name command without specifying the ipv4 or ipv6 attribute, both IPv4 as well as IPv6 rules that are defined in that ACL are applied to the terminal. This method is a generic way of configuring access restrictions.
To be able to filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access-class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different types of access classes with each class processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, use the following command.
Apply an ACL to a VTY line. LINE mode
access-class access-list-name [ipv4 | ipv6]
NOTE: If you already have configured generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
Example of an ACL that Permits Terminal Access
Example Configuration
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
 access-class myvtyacl
Dell(conf-ipv6-acl)#do show run acl
!
ip access-list extended testdeny
 seq 10 deny ip 30.1.1.0/24 any
 seq 15 permit ip any any
!
ip access-list extended testpermit
 seq 15 permit ip any any
!
ipv6 access-list testv6deny
 seq 10 deny ipv6 3001::/64 any
 seq 15 permit ipv6 any any
!
Dell(conf)#
Dell(conf)#line vty 0 0
Dell(config-line-vty)#access-class testv6deny ipv6
Dell(config-line-vty)#access-class testpermit ipv4
Dell(config-line-vty)#show c
line vty 0
 exec-timeout 0 0
 access-class testpermit ipv4
 access-class testv6deny ipv6
!
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable: Prompt for the enable password.
line: Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the password command from LINE mode.
local: Prompt for the system username and password.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1 Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2 Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3 If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
LINE mode
password
Example of Terminal Line Authentication
In the following example, VTY lines 0-2 use a single authentication method, line.
Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 password myvtypassword
 login authentication myvtymethodlist
Dell(config-line-vty)#

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set timeout, use the following commands.
Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the timeout period to 0.
LINE mode
exec-timeout minutes [seconds]
Return to the default timeout values. LINE mode
no exec-timeout
Example of Setting the Timeout Period for EXEC Privilege Mode
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode.
Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
 exec-timeout 0 0
Dell(config-line-console)#
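The following script is an added example, not part of the Dell documentation. It audits a running-config excerpt for the weak settings described in the File Transfer Services and Terminal Lines sections (a type 0 FTP password, the none authentication method, a disabled EXEC timeout, and a VTY line with no ACL or with an ACL that has no rules) and shows a weak excerpt beside a corrected one. Both excerpts are constructed from command forms on this page; the one-space child indentation, the finding labels, the ACL name emptyacl and the type 7 placeholder string are assumptions.

```python
import re

# Constructed excerpt with the weak settings (not taken from a real device).
WEAK_CONFIG = """\
ftp-server enable
ftp-server username nairobi password 0 zanzibar
!
aaa authentication login myvtymethodlist line none
!
ip access-list standard emptyacl
!
line console 0
 exec-timeout 0 0
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
line vty 1
 access-class emptyacl
"""

# Constructed corrected excerpt; the type 7 string is a placeholder.
HARDENED_CONFIG = """\
ftp-server enable
ftp-server username nairobi password 7 PLACEHOLDER-ENCRYPTED-STRING
!
aaa authentication login myvtymethodlist radius local
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
line console 0
 exec-timeout 10 0
line vty 0
 exec-timeout 30 0
 access-class myvtyacl
 login authentication myvtymethodlist
"""

ACL_RE = re.compile(r"(?:ip|ipv6) access-list (?:(?:standard|extended) )?(\S+)$")
AAA_RE = re.compile(r"aaa authentication login (\S+) (.+)$")
FTP_PLAIN_RE = re.compile(r"ftp-server username (\S+) password 0 ")


def blocks(config):
    """Split a config into (top-level command, [indented child commands])."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit(config):
    """Return a list of (finding, detail) tuples in config order."""
    parsed = blocks(config)
    acl_rules = {}
    for header, children in parsed:
        m = ACL_RE.match(header)
        if m:
            acl_rules[m.group(1)] = [c for c in children if c.startswith("seq ")]
    findings = []
    for header, children in parsed:
        m = FTP_PLAIN_RE.match(header)
        if m:                                   # encryption-type 0 is plain text
            findings.append(("ftp-plaintext-password", m.group(1)))
        m = AAA_RE.match(header)
        if m and "none" in m.group(2).split():  # none: do not authenticate
            findings.append(("auth-method-none", m.group(1)))
        if not header.startswith("line "):
            continue
        for child in children:
            if re.fullmatch(r"exec-timeout 0( 0)?", child):
                findings.append(("exec-timeout-disabled", header))
        if header.startswith("line vty"):
            acls = [c.split()[1] for c in children if c.startswith("access-class ")]
            if not acls:
                findings.append(("vty-no-access-class", header))
            for name in acls:
                if not acl_rules.get(name):     # ACL with no rules does not deny
                    findings.append(("vty-acl-without-rules", header + " -> " + name))
    return findings
```

An ACL that is referenced but not present in the excerpt is reported the same way as an empty one, so run the audit on the complete running-config.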

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute.
If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
Telnet to a device with an IPv4 or IPv6 address.
EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, Dell Networking OS enters a Telnet dialog that prompts you for one.
Enter an IPv4 address in dotted decimal format (A.B.C.D).
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Example of the telnet Command for Device Access
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#

Lock CONFIGURATION Mode

Dell Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of locks: auto and manual.
Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
Dell(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1):
% Error: User "" on line console0 is in exclusive configuration mode.
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 2):
% Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.
5

802.1X

802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example).
802.1X employs Extensible Authentication Protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
Port-Authentication Process
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring dot1x Profile
Configuring MAC addresses for a dot1x Profile
Configuring the Static MAB and MAB Profile
Configuring Critical VLAN
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs

Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2 The supplicant responds with its identity in an EAP Response Identity frame.
3 The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4 The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5 The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6 If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 5. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
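The following script is an added example, not part of the Dell documentation. It walks the TLV attributes of an Access-Request, reassembles an EAP packet carried in more than one type 79 attribute, and checks the Message-Authenticator attribute; the reassembly and the Message-Authenticator check go beyond this page and follow RFC 3579. The packet, shared secret, request authenticator and Calling-Station-Id text format are constructed for the example.

```python
import hashlib
import hmac
import struct

CALLING_STATION_ID = 31      # supplicant MAC address (listed on this page)
EAP_MESSAGE = 79             # Type value for EAP messages (given on this page)
MESSAGE_AUTHENTICATOR = 80   # RFC 3579 integrity attribute (not named on this page)


def build_access_request(secret, station, eap):
    """Build a constructed Access-Request; nothing here is captured traffic."""
    attrs = bytes([CALLING_STATION_ID, 2 + len(station)]) + station
    for i in range(0, len(eap), 253):            # one value holds at most 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    request_authenticator = bytes(range(16))     # fixed so the sample is repeatable
    packet = bytearray(struct.pack("!BBH", 1, 7, 20 + len(attrs))
                       + request_authenticator + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Return (code, [(type, value_offset, value), ...]) after bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # Length counts Type and Length too
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def message_authenticator_ok(packet, secret, attrs):
    """HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed."""
    found = [(off, val) for atype, off, val in attrs if atype == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def inspect(packet, secret):
    """Summarise one Access-Request: EAP reassembly plus integrity result."""
    code, attrs = parse_attributes(packet)
    fragments = [val for atype, _off, val in attrs if atype == EAP_MESSAGE]
    eap = b"".join(fragments)                    # concatenate in packet order
    if len(eap) < 4:
        raise ValueError("no complete EAP header")
    eap_code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length does not match the reassembled attributes")
    station = [val for atype, _off, val in attrs if atype == CALLING_STATION_ID]
    return {
        "radius_code": code,
        "calling_station": station[0].decode("ascii", "replace") if station else None,
        "eap_fragments": len(fragments),
        "eap_code": eap_code,
        "eap_type": eap[4] if eap_len > 4 else None,
        "eap_payload_len": max(eap_len - 5, 0),
        "authentic": message_authenticator_ok(packet, secret, attrs),
    }


# Constructed input: an EAP Response (code 2) of type 13 with 300 filler bytes,
# large enough to need two EAP-Message attributes.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 9, 305, 13) + bytes(300)
SAMPLE_PACKET = build_access_request(SECRET, b"00-50-56-AA-01-10", SAMPLE_EAP)
```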
Configuring 802.1X
Configuring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.
Related Configuration Tasks
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN

Important Points to Remember

Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X

Enable 802.1X globally.
Figure 7. 802.1X Enabled
1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Examples of Verifying that 802.1X is Enabled Globally and on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
In the following example, the bold lines show that 802.1X is enabled.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface GigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
Dell#
To view 802.1X configuration information for an interface, use the show dot1x interface command.
In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default.
Dell#show dot1x interface GigabitEthernet 2/1/
802.1x information on Gi 2/1/:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring dot1x Profile
You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters. The dot1x profile {profile-name} command sets the dot1x profile mode and you can enter profile-related commands, such as the mac command.
To configure a dot1x profile, use the following commands.
Configure a dot1x profile. CONFIGURATION mode
dot1x profile {profile-name}
profile-name — Enter the dot1x profile name. The profile name length is limited to 32 characters.
Example of Configuring and Displaying a dot1x Profile
Dell(conf)#dot1x profile test
Dell(conf-dot1x-profile)#
Dell#show dot1x profile
802.1x profile information
-----------------------------
Dot1x Profile test
Profile MACs
00:00:00:00:01:11
Configuring MAC addresses for a dot1x Profile
To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
Configure a list of MAC addresses for a dot1x profile. DOT1X PROFILE CONFIG (conf-dot1x-profile)
mac mac-address
mac-address — Enter the keyword mac and type up to the 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
Example of Configuring a List of MAC Addresses for a dot1x Profile
The following example configures 2 MAC addresses and then displays these addresses.
Dell(conf-dot1x-profile)#mac 00:50:56:AA:01:10 00:50:56:AA:01:11
Dell(conf-dot1x-profile)#show config
dot1x profile sample
 mac 00:50:56:aa:01:10
 mac 00:50:56:aa:01:11
Dell(conf-dot1x-profile)#
Dell(conf-dot1x-profile)#exit
Dell(conf)#
Configuring the Static MAB and MAB Profile
Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB.
To enable static MAB and configure a static MAB profile, use the following commands.
Configure static MAB and static MAB profile on dot1x interface. INTERFACE mode
dot1x static-mab profile profile-name
Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
Example of Static MAB and MAB Profile for an Interface
Dell(conf-if-Te-2/1)#dot1x static-mab profile sample
Dell(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
 switchport
 dot1x static-mab profile sample
 no shutdown
Dell(conf-if-Te 2/1))#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: Auto
Port Auth Status: AUTHORIZED(STATIC-MAB)
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Enable
Guest VLAN id: 100
Auth-Fail VLAN: Enable
Auth-Fail VLAN id: 200
Auth-Fail Max-Attempts:3
Critical VLAN: Enable
Critical VLAN id: 300
Mac-Auth-Bypass Only: Disable
Static-MAB: Enable
Static-MAB Profile: Sample
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Configuring Critical VLAN
By default, critical-VLAN is not configured. If authentication fails because the server is not reachable, the user session is authenticated under critical-VLAN. To configure a critical-VLAN for users or devices when the authenticating server is not reachable, use the following command.
Enable critical VLAN for users or devices. INTERFACE mode
dot1x critical-vlan [{vlan-id}]
Specify a VLAN interface identifier to be configured as a critical VLAN. The VLAN ID range is 1–4094.
Example of Configuring a Critical VLAN for an Interface
Dell(conf-if-Te-2/1)#dot1x critical-vlan 300
Dell(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x critical-vlan 300
 no shutdown
Dell#show dot1x interface tengigabitethernet 2/1
802.1x information on Te 2/1:
------------------------------------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZD(MAC-AUTH-BYPASS)
Critical VLAN Enable
Critical VLAN id: 300
Re-Authentication: Disable
Untagged VLAN id: 400
Guest VLAN: Enable
Guest VLAN id: 100
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Enable
Tx Period: 3 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Configuring Request Identity Re-Transmissions
When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. You can configure both the amount of time that the authenticator waits before re-transmitting and the maximum number of times that it re-transmits.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year)
The default is 30.
Configure the maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10.
The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period.
NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure a quiet period, use the following command.
Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.
INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535.
The default is 60 seconds.
Example of Configuring and Verifying Port Authentication
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Dell(conf-if-range-gi-2/1)#dot1x tx-period 90
Dell(conf-if-range-gi-2/1)#dot1x max-eap-req 10
Dell(conf-if-range-gi-2/1)#dot1x quiet-period 120
Dell#show dot1x interface GigabitEthernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

802.1X ports can be placed in any of three states:
ForceAuthorized — an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
Dell(conf-if-Gi-1/1)#dot1x port-control force-authorized
Dell(conf-if-Gi-1/1)#show dot1x interface GigabitEthernet 1/1
802.1x information on Gi 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Re-Authenticating a Port

After the supplicant has been authenticated and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can configure this interval. You can configure the maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands:
Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000.
The default is 3600.
Configure the maximum number of times the supplicant can be re-authenticated.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10.
The default is 2.
Example of Re-Authenticating a Port and Verifying the Configuration
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Dell(conf-if-gi-1/1)#dot1x reauthentication interval 7200
Dell(conf-if-gi-1/1)#dot1x reauth-max 10
Dell(conf-if-gi-1/1)#do show dot1x interface GigabitEthernet 1/1
802.1x information on Gi 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
To terminate the authentication process, use the following commands:
Terminate the authentication process due to an unresponsive supplicant.
INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300.
The default is 30.
Terminate the authentication process due to an unresponsive authentication server.
INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300.
The default is 30.
Example of Viewing Configured Server Timeouts
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
Dell(conf-if-Gi-1/1)#dot1x port-control force-authorized
Dell(conf-if-Gi-1/1)#do show dot1x interface GigabitEthernet 1/1
802.1x information on Gi 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Dynamic VLAN Assignment with Port Authentication
Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1 The host sends a dot1x packet to the Dell Networking system.
2 The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3 The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
The illustration shows the configuration on the Dell Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 8. Dynamic VLAN Assignment
1 Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2 Make the interface a switchport so that it can be assigned to a VLAN.
3 Create the VLAN to which the interface will be assigned.
4 Connect the supplicant to the port configured for 802.1X.
5 Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
Dell(conf-if-gi-2/1)#dot1x guest-vlan 200
Dell(conf-if-gi 2/1))#show config
!
interface GigabitEthernet 2/1
 switchport
 dot1x guest-vlan 200
 no shutdown
Dell(conf-if-gi 2/1))#
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Example of Configuring Maximum Authentication Attempts
Dell(conf-if-gi-2/1)#dot1x guest-vlan 200
Dell(conf-if-gi 2/1)#show config
!
interface GigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 no shutdown
Dell(conf-if-gi-2/1)#
Dell(conf-if-gi-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-gi-2/1)#show config
!
interface GigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-gi-2/1)#
Example of Viewing Configured Authentication
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command from EXEC Privilege mode.
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
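The following audit script is an added example, not part of the Dell guide: it parses saved show dot1x interface output, flags ports whose port-control state skips authentication, and computes the Guest VLAN fallback delay ([reauth-max + 1] * tx-period) described above. The sample text is constructed from the guide's field names, the function names are hypothetical, and treating disabled re-authentication as a finding is a policy assumption.

```python
import re

# Constructed sample, one field per line, using the field names that the
# guide's `show dot1x interface` examples print.
SAMPLE = """\
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:       Enable
Port Control:       FORCE_AUTHORIZED
Port Auth Status:   UNAUTHORIZED
Re-Authentication:  Disable
Guest VLAN:         Enable
Guest VLAN id:      200
Tx Period:          90 seconds
ReAuth Max:         10

802.1x information on Gi 2/2:
-----------------------------
Dot1x Status:       Enable
Port Control:       AUTO
Port Auth Status:   AUTHORIZED
Re-Authentication:  Enable
Guest VLAN:         Disable
Guest VLAN id:      NONE
Tx Period:          30 seconds
ReAuth Max:         2
"""

HEADER = re.compile(r"^802\.1x information on (.+?):\s*$")


def parse_dot1x(text):
    """Return {port: {field: value}} for every port block in the output."""
    ports, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return ports


def guest_vlan_delay(fields):
    """Seconds before a silent host is moved: (reauth-max + 1) * tx-period."""
    tx_period = int(fields["Tx Period"].split()[0])
    return (int(fields["ReAuth Max"]) + 1) * tx_period


def audit(text):
    """Return {port: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for port, f in parse_dot1x(text).items():
        findings = []
        if f.get("Dot1x Status") != "Enable":
            findings.append("802.1X is not enabled")
        control = f.get("Port Control", "")
        if control != "AUTO":
            findings.append("port control %s: devices are never authenticated"
                            % control)
        if f.get("Re-Authentication") == "Disable":
            findings.append("periodic re-authentication is disabled")
        if f.get("Guest VLAN") == "Enable":
            findings.append("silent host lands in Guest VLAN %s after %d s"
                            % (f.get("Guest VLAN id"), guest_vlan_delay(f)))
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        print(port, "->", findings or "ok")
```

Run it against output collected from every access port; a port reported as FORCE_AUTHORIZED behaves as if 802.1X were disabled on it.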
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
To avoid using too much CAM space, configure ACL VLAN groups into a single group. A class identifier (Class ID) is assigned for each of the ACLs attached to the VLAN and this Class ID is used as an identifier or locator in the CAM space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM area and saves memory space by using the Class ID for filtering in CAM instead of the VLAN ID.
When you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and you use more CAM space. To maximize CAM space, create an ACL VLAN group and attach the ACL with the VLAN members.
The ACL manager application on the router processor (RP1) contains all the state information about all the ACL VLAN groups that are present. The ACL handler on the control processor (CP) and the ACL agent on the line cards do not contain any information about the group. After you enter the acl-vlan-group command, the ACL manager application performs the validation. If the command is valid, it is processed and sent to the agent, if required. If a configuration error is found or if the maximum limit has been exceeded for the ACL VLAN groups present on the system, an error message displays. After you enter the acl-vlan-group command, the ACL manager application verifies the following parameters:
Whether the CAM profile is set in virtual flow processing (VFP).
Whether the maximum number of groups in the system is exceeded.
Whether the maximum number of VLAN numbers permitted per ACL group is exceeded.
Whether a VLAN member that is being added is already a part of another ACL group.
After these verification steps are performed, the ACL manager considers the command valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases:
A VLAN member is added or removed from a group and previously associated VLANs exist in the group.
The egress ACL is applied or removed from the group and the group contains VLAN members.
VLAN members are added or deleted from a VLAN, which itself is a group member.
A line card returns to the active state after going down and this line card contains a VLAN that is a member of an ACL group.
The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
The ACL VLAN group is created.


The ACL VLAN group is deleted and it does not contain VLAN members.
The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
The description of the ACL group is added or removed.
Guidelines for Configuring ACL VLAN Groups
Keep the following points in mind when you configure ACL VLAN groups:
The interfaces where you apply the ACL VLAN group function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering.
You can add only one ACL to an interface at a time.
When you attach an ACL VLAN group to the same interface, validation is performed to determine whether the ACL is applied directly to an interface. If you previously applied an ACL separately to the interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.
The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization, and so on) can be allocated virtual flow processing slices at a time.
Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
If you enable the ACL VLAN group capability, you cannot view the statistical details of ACL rules per VLAN and per interface. You can view the counters per ACL only, using the show ip accounting access list command.
Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.
If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby saving CAM space. Enable optimization using the optimized option in the ip access-group command. This option is not valid for VLAN and link aggregation group (LAG) interfaces.
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters
This section describes how to optimize CAM blocks by configuring ACL VLAN groups that you can attach to VLAN interfaces. It also describes how to configure FP blocks for different VLAN operations.
Configuring ACL VLAN Groups
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group.
1 Create an ACL VLAN group.
CONFIGURATION mode
acl-vlan-group {group name}
2 Add a description to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
description description
3 Apply an egress IP ACL to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
ip access-group {group name} out implicit-permit
4 Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group name | detail}
Dell#show acl-vlan-group detail
Group Name : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members : 100,200,300
Group Name : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members : 2-10,99
Group Name : HostGroup
Egress IP Acl : Group5
Vlan Members : 1,1000
Dell#
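The following pre-change check is an added example, not part of the Dell guide or the switch software: it applies the limits stated in this chapter (at most 31 groups, 256 VLAN members per allocated slice across all groups, no VLAN in two groups, VLAN IDs 1 to 4094) to a planned set of ACL VLAN groups before the commands are entered. The function names are hypothetical, and the group data is copied from the show acl-vlan-group detail output above.

```python
MAX_GROUPS = 31            # maximum ACL VLAN groups supported (from the guide)
MEMBERS_PER_SLICE = 256    # 1 slice -> 256 members, 2 slices -> 512 (from the guide)

# Groups and members as printed in the guide's `show acl-vlan-group detail`.
PAGE_GROUPS = {
    "TestGroupSeventeenTwenty": "100,200,300",
    "CustomerNumberIdentificationEleven": "2-10,99",
    "HostGroup": "1,1000",
}


def expand_vlans(spec):
    """Expand a member list such as '2-10,99' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 4094:
            raise ValueError("invalid VLAN range: %r" % part)
        vlans.update(range(low, high + 1))
    return vlans


def validate(groups, slices):
    """Check planned groups ({name: member list}) against the guide's limits.

    slices is the value planned for `cam-acl-vlan vlanaclopt` (0-2).
    Returns a list of error strings; an empty list means the plan passes.
    """
    errors = []
    if slices == 0:
        errors.append("vlanaclopt is 0: no FP block allocated for ACL VLAN optimization")
    if len(groups) > MAX_GROUPS:
        errors.append("%d groups exceed the limit of %d" % (len(groups), MAX_GROUPS))
    owner = {}  # VLAN ID -> first group that claimed it
    for name, spec in groups.items():
        for vlan in sorted(expand_vlans(spec)):
            if vlan in owner:
                errors.append("VLAN %d in %s already belongs to %s"
                              % (vlan, name, owner[vlan]))
            else:
                owner[vlan] = name
    limit = MEMBERS_PER_SLICE * slices
    if slices and len(owner) > limit:
        errors.append("%d VLAN members exceed the limit of %d for %d slice(s)"
                      % (len(owner), limit, slices))
    return errors


if __name__ == "__main__":
    print(validate(PAGE_GROUPS, 1))
    print(validate(dict(PAGE_GROUPS, Extra="99-101"), 1))
```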
Configuring FP Blocks for VLAN Parameters
To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in VLAN content-aware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default. You also must allocate the slices for CAM optimization.
1 Allocate the number of FP blocks for VLAN operations.
CONFIGURATION mode
cam-acl-vlan vlanopenflow <0-2>
2 Allocate the number of FP blocks for ACL VLAN optimization.
CONFIGURATION mode
cam-acl-vlan vlanaclopt <0-2>
3 View the number of FP blocks that is allocated for the different VLAN services.