Dell PowerSwitch S4048T-ON User Manual

Dell EMC Configuration Guide for the S4048T–ON System
9.14.2.4
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the
problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Other trademarks may be trademarks of their respective owners.
2019 - 11
Rev. A00
Contents
1 About this Guide......................................................................................................................... 33
Audience............................................................................................................................................................................... 33
Conventions......................................................................................................................................................................... 33
Related Documents.............................................................................................................................................................33
2 Configuration Fundamentals....................................................................................................... 34
Accessing the Command Line............................................................................................................................................34
CLI Modes............................................................................................................................................................................ 34
Navigating CLI Modes...................................................................................................................................................36
The do Command................................................................................................................................................................38
Undoing Commands............................................................................................................................................................39
Obtaining Help..................................................................................................................................................................... 39
Entering and Editing Commands....................................................................................................................................... 39
Command History................................................................................................................................................................40
Filtering show Command Outputs.................................................................................................................................... 40
Multiple Users in Configuration Mode............................................................................................................................... 41
3 Getting Started..........................................................................................................................42
Console Access....................................................................................................................................................................42
Serial Console.................................................................................................................................................................42
Accessing the CLI Interface and Running Scripts Using SSH....................................................................................... 43
Default Configuration..........................................................................................................................................................44
Configuring a Host Name................................................................................................................................................... 44
Accessing the System Remotely.......................................................................................................................................44
Configure the Management Port IP Address.............................................................................................................44
Configure a Management Route................................................................................................................................. 45
Configuring a Username and Password..................................................................................................................... 45
Configuring the Enable Password..................................................................................................................................... 46
Configuration File Management........................................................................................................................................ 46
Copy Files to and from the System.............................................................................................................................46
Mounting an NFS File System......................................................................................................................................47
Save the Running-Configuration................................................................................................................................. 48
Configure the Overload Bit for a Startup Scenario...................................................................................................49
Viewing Files...................................................................................................................................................................49
Compressing Configuration Files.................................................................................................................................50
Managing the File System..................................................................................................................................................52
Enabling Software Features on Devices Using a Command Option.............................................................................52
View Command History......................................................................................................................................................53
Upgrading Dell EMC Networking OS................................................................................................................................54
Verify Software Images Before Installation......................................................................................................................54
Using HTTP for File Transfers...........................................................................................................................................55
4 Management..............................................................................................................................57
Configuring Privilege Levels............................................................................................................................................... 57
Contents 3
Removing a Command from EXEC Mode..................................................................................................................58
Moving a Command from EXEC Privilege Mode to EXEC Mode........................................................................... 58
Allowing Access to CONFIGURATION Mode Commands....................................................................................... 58
Allowing Access to Different Modes...........................................................................................................................58
Applying a Privilege Level to a Username...................................................................................................................60
Applying a Privilege Level to a Terminal Line............................................................................................................. 60
Configuring Logging............................................................................................................................................................60
Audit and Security Logs................................................................................................................................................60
Configuring Logging Format ................................................................................................................................ 62
Display the Logging Buffer and the Logging Configuration.....................................................................................62
Setting Up a Secure Connection to a Syslog Server.......................................................................................63
Sending System Messages to a Syslog Server..........................................................................................................64
Track Login Activity............................................................................................................................................................ 64
Restrictions for Tracking Login Activity......................................................................................................................64
Configuring Login Activity Tracking............................................................................................................................ 64
Display Login Statistics................................................................................................................................................. 65
Limit Concurrent Login Sessions.......................................................................................................................................66
Restrictions for Limiting the Number of Concurrent Sessions................................................................................66
Configuring Concurrent Session Limit........................................................................................................................ 66
Enabling the System to Clear Existing Sessions........................................................................................................67
Enabling Secured CLI Mode...............................................................................................................................................67
Log Messages in the Internal Buffer.................................................................................................................................68
Disabling System Logging...................................................................................................................................................68
Sending System Messages to a Syslog Server............................................................................................................... 68
Configuring a UNIX System as a Syslog Server........................................................................................................ 68
Changing System Logging Settings..................................................................................................................................69
Display the Logging Buffer and the Logging Configuration...........................................................................................69
Configuring a UNIX Logging Facility Level....................................................................................................................... 70
Synchronizing Log Messages............................................................................................................................................. 71
Enabling Timestamp on Syslog Messages.........................................................................................................................71
File Transfer Services..........................................................................................................................................................74
Enabling the FTP Server...............................................................................................................................................74
Configuring FTP Server Parameters...........................................................................................................................74
Configuring FTP Client Parameters............................................................................................................................ 75
Terminal Lines...................................................................................................................................................................... 75
Denying and Permitting Access to a Terminal Line...................................................................................................75
Configuring Login Authentication for Terminal Lines................................................................................................76
Setting Timeout for EXEC Privilege Mode.......................................................................................................................77
Using Telnet to get to Another Network Device.............................................................................................................78
Lock CONFIGURATION Mode...........................................................................................................................................78
LPC Bus Quality Degradation.............................................................................................................................................79
Restoring the Factory Default Settings............................................................................................................................79
Restoring Factory Default Environment Variables.................................................................................................... 80
Viewing the Reason for Last System Reboot...................................................................................................................81
5 802.1X.......................................................................................................................................82
Port-Authentication Process............................................................................................................................................. 83
EAP over RADIUS..........................................................................................................................................................84
Configuring 802.1X..............................................................................................................................................................84
Important Points to Remember.........................................................................................................................................85
4
Contents
Enabling 802.1X................................................................................................................................................................... 85
Configuring Request Identity Re-Transmissions............................................................................................................. 86
Configuring a Quiet Period after a Failed Authentication.........................................................................................87
Forcibly Authorizing or Unauthorizing a Port...................................................................................................................88
Re-Authenticating a Port................................................................................................................................................... 88
Configuring Timeouts..........................................................................................................................................................89
Configuring Dynamic VLAN Assignment with Port Authentication..............................................................................90
Guest and Authentication-Fail VLANs...............................................................................................................................91
Configuring a Guest VLAN............................................................................................................................................91
Configuring an Authentication-Fail VLAN................................................................................................................... 91
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)..........................93
Optimizing CAM Utilization During the Attachment of ACLs to VLANs......................................................................93
Guidelines for Configuring ACL VLAN Groups................................................................................................................ 93
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters................................................... 94
Configuring ACL VLAN Groups................................................................................................................................... 94
Configuring FP Blocks for VLAN Parameters............................................................................................................95
Viewing CAM Usage........................................................................................................................................................... 95
Allocating FP Blocks for VLAN Processes....................................................................................................................... 97
Unified Forwarding Table (UFT) Modes...........................................................................................................................97
Configuring UFT Modes................................................................................................................................................97
7 Access Control Lists (ACLs)........................................................................................................98
IP Access Control Lists (ACLs)......................................................................................................................................... 99
CAM Usage.................................................................................................................................................................... 99
Implementing ACLs on Dell EMC Networking OS................................................................................................... 100
Important Points to Remember........................................................................................................................................ 101
Configuration Task List for Route Maps....................................................................................................................101
Configuring Match Routes..........................................................................................................................................103
Configuring Set Conditions.........................................................................................................................................104
Configure a Route Map for Route Redistribution....................................................................................................105
Configure a Route Map for Route Tagging.............................................................................................................. 106
Continue Clause........................................................................................................................................................... 106
IP Fragment Handling........................................................................................................................................................106
IP Fragments ACL Examples...................................................................................................................................... 106
Layer 4 ACL Rules Examples...................................................................................................................................... 107
Configure a Standard IP ACL........................................................................................................................................... 108
Configuring a Standard IP ACL Filter........................................................................................................................ 108
Configure an Extended IP ACL........................................................................................................................................ 109
Configuring Filters with a Sequence Number...........................................................................................................109
Configuring Filters Without a Sequence Number.....................................................................................................110
Configure Layer 2 and Layer 3 ACLs................................................................................................................................ 111
Assign an IP ACL to an Interface.......................................................................................................................................111
Applying an IP ACL............................................................................................................................................................. 112
Counting ACL Hits........................................................................................................................................................ 112
Configure Ingress ACLs..................................................................................................................................................... 112
Configure Egress ACLs...................................................................................................................................................... 113
Applying Egress Layer 3 ACLs (Control-Plane)........................................................................................................ 114
IP Prefix Lists.......................................................................................................................................................................114
Contents
5
Configuration Task List for Prefix Lists......................................................................................................................115
ACL Remarks.......................................................................................................................................................................118
Configuring a Remark...................................................................................................................................................118
Deleting a Remark.........................................................................................................................................................118
ACL Resequencing............................................................................................................................................................. 119
Resequencing an ACL or Prefix List...........................................................................................................................119
Route Maps........................................................................................................................................................................ 120
Logging of ACL Processes................................................................................................................................................ 121
Guidelines for Configuring ACL Logging.................................................................................................................... 121
Configuring ACL Logging............................................................................................................................................ 122
Flow-Based Monitoring..................................................................................................................................................... 122
Enabling Flow-Based Monitoring................................................................................................................................124
Configuring UDF ACL........................................................................................................................................................ 124
Configuring IP Mirror Access Group................................................................................................................................127
Sample Configuration...................................................................................................................................................127
Example of viewing IP mirror–access–group applied to an Interface...................................................................127
8 Bidirectional Forwarding Detection (BFD)................................................................................... 129
How BFD Works.................................................................................................................................................................129
BFD Packet Format..................................................................................................................................................... 130
BFD Sessions.................................................................................................................................................................131
BFD Three-Way Handshake....................................................................................................................................... 132
Session State Changes................................................................................................................................................133
Important Points to Remember........................................................................................................................................133
Configure BFD....................................................................................................................................................................133
Configure BFD for Physical Ports.............................................................................................................................. 134
Configure BFD for Static Routes...............................................................................................................................135
Configure BFD for IPv6 Static Routes...................................................................................................................... 138
Configure BFD for OSPF............................................................................................................................................ 140
Configure BFD for OSPFv3........................................................................................................................................ 145
Configure BFD for IS-IS...............................................................................................................................................147
Configure BFD for BGP...............................................................................................................................................149
Configure BFD for VRRP............................................................................................................................................ 156
Configuring Protocol Liveness....................................................................................................................................158
9 Border Gateway Protocol (BGP)................................................................................................ 159
BGP IP version 4 (BGPv4) Overview............................................................................................................................. 159
BGP Autonomous Systems........................................................................................................................................ 159
AS4 Number Representation.......................................................................................................................................161
Four-Byte AS Numbers...............................................................................................................................................163
BGP router ID............................................................................................................................................................... 163
Sessions and Peers...................................................................................................................................................... 163
Establish a Session.......................................................................................................................................................163
BGP Attributes for selecting Best Path.................................................................................................................... 164
Multiprotocol BGP....................................................................................................................................................... 169
BGP global and address family configuration........................................................................................................... 170
Implement BGP with Dell EMC Networking OS....................................................................................................... 171
Configuration Information........................................................................................................................................... 174
Basic BGP configuration tasks......................................................................................................................................... 174
6
Contents
Prerequisite for configuring a BGP network.............................................................................................................174
Restrictions................................................................................................................................................................... 174
Enabling BGP................................................................................................................................................................ 174
Enabling four-byte autonomous system numbers................................................................................................... 176
Changing a BGP router ID...........................................................................................................................................177
Configuring AS4 Number Representations............................................................................................................... 177
Configuring a BGP peer...............................................................................................................................................178
Example-Configuring BGP routing between peers..................................................................................................179
BGP peer group............................................................................................................................................................180
Advanced BGP configuration tasks................................................................................................................................. 187
Route-refresh and Soft-reconfiguration................................................................................................................... 187
Aggregating Routes..................................................................................................................................................... 189
Filtering BGP..................................................................................................................................................................191
Configuring BGP Fast Fall-Over.................................................................................................................................196
Configuring Passive Peering....................................................................................................................................... 197
Enabling Graceful Restart........................................................................................................................................... 198
Redistributing Routes.................................................................................................................................................. 199
Redistributing iBGP Routes into IGP......................................................................................................................... 199
Enabling Additional Paths........................................................................................................................................... 202
Configuring IP Community Lists................................................................................................................................202
Configuring an IP Extended Community List...........................................................................................................203
Configure BGP attributes...........................................................................................................................................204
Enabling Multipath.......................................................................................................................................................207
Route Reflectors......................................................................................................................................................... 208
Enabling Route Flap Dampening................................................................................................................................209
Changing BGP keepalive and hold timers.................................................................................................................. 211
Setting the extended timer.........................................................................................................................................212
Enabling or disabling BGP neighbors......................................................................................................................... 212
Route Map Continue....................................................................................................................................................213
Configuring BGP Confederations...............................................................................................................................214
Configuring a BGP VRF address family.....................................................................................................................214
Maintaining Existing AS Numbers During an AS Migration.....................................................................................215
Allowing an AS Number to Appear in its Own AS Path...........................................................................................216
Enabling MBGP Configurations.................................................................................................................................. 217
MBGP support for IPv6...............................................................................................................................................217
Configuring IPv6 MBGP between peers................................................................................................................... 217
Example-Configuring IPv4 and IPv6 neighbors........................................................................................................218
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor............................................ 220
BGP Regular Expression Optimization......................................................................................................................222
Debugging BGP........................................................................................................................................................... 222
10 Content Addressable Memory (CAM)........................................................................................224
CAM Allocation.................................................................................................................................................................. 224
Test CAM Usage...............................................................................................................................................................225
View CAM-ACL Settings..................................................................................................................................................226
View CAM Usage...............................................................................................................................................................227
Configuring CAM Threshold and Silence Period........................................................................................................... 228
CAM Optimization.............................................................................................................................................................229
Troubleshoot CAM Profiling.............................................................................................................................................229
QoS CAM Region Limitation...................................................................................................................................... 229
Contents
7
11 Control Plane Policing (CoPP).................................................................................................. 230
Configure Control Plane Policing..................................................................................................................................... 231
Configuring CoPP for Protocols................................................................................................................................232
Configuring CoPP for CPU Queues..........................................................................................................................233
CoPP for OSPFv3 Packets........................................................................................................................................ 234
Configuring CoPP for OSPFv3..................................................................................................................................236
Displaying CoPP Configuration .................................................................................................................................237
12 Data Center Bridging (DCB)..................................................................................................... 239
Ethernet Enhancements in Data Center Bridging.........................................................................................................239
Priority-Based Flow Control.......................................................................................................................................240
Enhanced Transmission Selection..............................................................................................................................241
Data Center Bridging Exchange Protocol (DCBx)..................................................................................................242
Data Center Bridging in a Traffic Flow..................................................................................................................... 242
Enabling Data Center Bridging.........................................................................................................................................242
DCB Maps and its Attributes..................................................................................................................................... 243
Data Center Bridging: Default Configuration.................................................................................................................243
Configuring Priority-Based Flow Control....................................................................................................................... 244
Configuring Lossless Queues..................................................................................................................................... 244
Configuring PFC in a DCB Map.......................................................................................................................................246
Applying a DCB Map on a Port........................................................................................................................................247
Configuring PFC without a DCB Map.............................................................................................................................247
Priority-Based Flow Control Using Dynamic Buffer Method.......................................................................................249
Behavior of Tagged Packets............................................................................................................................................249
Configuration Example for DSCP and PFC Priorities...................................................................................................250
Using PFC to Manage Converged Ethernet Traffic......................................................................................................251
Configure Enhanced Transmission Selection................................................................................................................. 251
ETS Prerequisites and Restrictions........................................................................................................................... 251
Creating an ETS Priority Group..................................................................................................................................251
ETS Operation with DCBx..........................................................................................................................................252
Configuring Bandwidth Allocation for DCBx CIN.................................................................................................... 253
Configuring ETS in a DCB Map................................................................................................................................. 253
Hierarchical Scheduling in ETS Output Policies............................................................................................................ 254
Using ETS to Manage Converged Ethernet Traffic..................................................................................................... 255
Applying DCB Policies in a Switch Stack....................................................................................................................... 255
Configure a DCBx Operation...........................................................................................................................................255
DCBx Operation...........................................................................................................................................................255
DCBx Port Roles..........................................................................................................................................................255
DCB Configuration Exchange.................................................................................................................................... 257
Configuration Source Election................................................................................................................................... 257
Propagation of DCB Information............................................................................................................................... 257
Auto-Detection and Manual Configuration of the DCBx Version......................................................................... 258
DCBx Example............................................................................................................................................................. 258
DCBx Prerequisites and Restrictions........................................................................................................................259
Configuring DCBx........................................................................................................................................................259
Verifying the DCB Configuration.....................................................................................................................................262
QoS dot1p Traffic Classification and Queue Assignment.............................................................................................270
Configuring the Dynamic Buffer Method........................................................................................................................271
8
Contents
Sample DCB Configuration.............................................................................................................................................. 272
13 Dynamic Host Configuration Protocol (DHCP)........................................................................... 275
DHCP Packet Format and Options.................................................................................................................................275
Assign an IP Address using DHCP...................................................................................................................................276
Implementation Information............................................................................................................................................. 277
Configure the System to be a DHCP Server.................................................................................................................278
Configuring the Server for Automatic Address Allocation..................................................................................... 278
Specifying a Default Gateway....................................................................................................................................279
Configure a Method of Hostname Resolution......................................................................................................... 279
Using DNS for Address Resolution............................................................................................................................279
Using NetBIOS WINS for Address Resolution.........................................................................................................280
Creating Manual Binding Entries............................................................................................................................... 280
Debugging the DHCP Server.....................................................................................................................................280
Using DHCP Clear Commands.................................................................................................................................. 280
Configure the System to be a Relay Agent.................................................................................................................... 281
Configure the System to be a DHCP Client.................................................................................................................. 282
Configuring the DHCP Client System.......................................................................................................................282
DHCP Client on a Management Interface................................................................................................................283
DHCP Client Operation with Other Features.......................................................................................................... 284
DHCP Relay When DHCP Server and Client are in Different VRFs...........................................................................285
Configuring Route Leaking between VRFs on DHCP Relay Agent...................................................................... 285
Non-default VRF configuration for DHCPv6 helper address...................................................................................... 286
Configuring DHCP relay source interface......................................................................................................................286
Global DHCP relay source IPv4 or IPv6 configuration .......................................................................................... 286
Interface level DHCP relay source IPv4 or IPv6 configuration .............................................................................287
Configure the System for User Port Stacking (Option 230)...................................................................................... 288
Configure Secure DHCP.................................................................................................................................................. 288
Option 82 (DHCPv4 relay options)...........................................................................................................................288
DHCPv6 relay agent options..................................................................................................................................... 289
DHCP Snooping...........................................................................................................................................................289
Drop DHCP Packets on Snooped VLANs Only....................................................................................................... 293
Dynamic ARP Inspection............................................................................................................................................ 294
Configuring Dynamic ARP Inspection.......................................................................................................................294
Source Address Validation............................................................................................................................................... 295
Enabling IP Source Address Validation..................................................................................................................... 295
DHCP MAC Source Address Validation................................................................................................................... 296
Enabling IP+MAC Source Address Validation..........................................................................................................296
Viewing the Number of SAV Dropped Packets.......................................................................................................297
Clearing the Number of SAV Dropped Packets...................................................................................................... 297
14 Equal Cost Multi-Path (ECMP).................................................................................................298
ECMP for Flow-Based Affinity........................................................................................................................................298
Configuring the Hash Algorithm................................................................................................................................ 298
Enabling Deterministic ECMP Next Hop..................................................................................................................298
Configuring the Hash Algorithm Seed...................................................................................................................... 298
Link Bundle Monitoring.....................................................................................................................................................299
Managing ECMP Group Paths.................................................................................................................................. 299
Creating an ECMP Group Bundle............................................................................................................................. 300
Contents
9
Modifying the ECMP Group Threshold....................................................................................................................300
RTAG7................................................................................................................................................................................. 301
Flow-based Hashing for ECMP.......................................................................................................................................302
15 FIP Snooping.......................................................................................................................... 305
Fibre Channel over Ethernet........................................................................................................................................... 305
Ensure Robustness in a Converged Ethernet Network............................................................................................... 305
FIP Snooping on Ethernet Bridges..................................................................................................................................306
FIP Snooping in a Switch Stack...................................................................................................................................... 308
Using FIP Snooping...........................................................................................................................................................308
FIP Snooping Prerequisites........................................................................................................................................ 308
Important Points to Remember.................................................................................................................................308
Enabling the FCoE Transit Feature...........................................................................................................................309
Enable FIP Snooping on VLANs................................................................................................................................ 309
Configure the FC-MAP Value.....................................................................................................................................310
Configure a Port for a Bridge-to-Bridge Link...........................................................................................................310
Configure a Port for a Bridge-to-FCF Link...............................................................................................................310
Impact on Other Software Features......................................................................................................................... 310
FIP Snooping Restrictions...........................................................................................................................................310
Configuring FIP Snooping............................................................................................................................................ 311
Displaying FIP Snooping Information................................................................................................................................311
FCoE Transit Configuration Example.............................................................................................................................. 316
16 FIPS Cryptography.................................................................................................................. 318
Configuration Tasks...........................................................................................................................................................318
Preparing the System........................................................................................................................................................318
Enabling FIPS Mode...........................................................................................................................................................318
Generating Host-Keys.......................................................................................................................................................319
Monitoring FIPS Mode Status..........................................................................................................................................319
Disabling FIPS Mode..........................................................................................................................................................319
17 Force10 Resilient Ring Protocol (FRRP).....................................................................................321
Protocol Overview............................................................................................................................................................. 321
Ring Status...................................................................................................................................................................322
Multiple FRRP Rings................................................................................................................................................... 322
Important FRRP Points...............................................................................................................................................323
Important FRRP Concepts.........................................................................................................................................324
Implementing FRRP.......................................................................................................................................................... 324
FRRP Configuration..........................................................................................................................................................325
Creating the FRRP Group.......................................................................................................................................... 325
Configuring the Control VLAN...................................................................................................................................325
Configuring and Adding the Member VLANs.......................................................................................................... 326
Setting the FRRP Timers............................................................................................................................................327
Clearing the FRRP Counters......................................................................................................................................327
Viewing the FRRP Configuration...............................................................................................................................327
Viewing the FRRP Information.................................................................................................................................. 327
Troubleshooting FRRP......................................................................................................................................................328
Sample Configuration and Topology...............................................................................................................................328
FRRP Support on VLT......................................................................................................................................................329
10
Contents
18 GARP VLAN Registration Protocol (GVRP)................................................................................332
Configure GVRP................................................................................................................................................................333
Enabling GVRP Globally....................................................................................................................................................333
Enabling GVRP on a Layer 2 Interface........................................................................................................................... 334
Configure GVRP Registration..........................................................................................................................................334
Configure a GARP Timer..................................................................................................................................................335
RPM Redundancy............................................................................................................................................................. 335
19 High Availability (HA).............................................................................................................. 336
Component Redundancy..................................................................................................................................................336
Automatic and Manual Stack Unit Failover..............................................................................................................336
Synchronization between Management and Standby Units..................................................................................337
Forcing a Stack Unit Failover..................................................................................................................................... 337
Specifying an Auto-Failover Limit..............................................................................................................................337
Disabling Auto-Reboot................................................................................................................................................ 337
Pre-Configuring a Stack Unit Slot...................................................................................................................................338
Removing a Provisioned Logical Stack Unit.................................................................................................................. 338
Hitless Behavior.................................................................................................................................................................338
Graceful Restart................................................................................................................................................................ 338
Software Resiliency...........................................................................................................................................................339
Software Component Health Monitoring.................................................................................................................339
System Health Monitoring......................................................................................................................................... 339
Failure and Event Logging..........................................................................................................................................339
Hot-Lock Behavior............................................................................................................................................................340
20 Internet Group Management Protocol (IGMP)........................................................................... 341
IGMP Protocol Overview..................................................................................................................................................341
IGMP Version 2............................................................................................................................................................ 341
IGMP Version 3............................................................................................................................................................342
Configure IGMP.................................................................................................................................................................345
Viewing IGMP Enabled Interfaces...................................................................................................................................345
Selecting an IGMP Version.............................................................................................................................................. 346
Viewing IGMP Groups.......................................................................................................................................................347
Adjusting Timers................................................................................................................................................................ 347
Adjusting Query and Response Timers..................................................................................................................... 347
Preventing a Host from Joining a Group........................................................................................................................348
Enabling IGMP Immediate-Leave....................................................................................................................................350
IGMP Snooping.................................................................................................................................................................. 351
Configuring IGMP Snooping....................................................................................................................................... 351
Removing a Group-Port Association......................................................................................................................... 351
Disabling Multicast Flooding.......................................................................................................................................352
Specifying a Port as Connected to a Multicast Router..........................................................................................352
Configuring the Switch as Querier............................................................................................................................352
Fast Convergence after MSTP Topology Changes......................................................................................................353
Egress Interface Selection (EIS) for HTTP and IGMP Applications...........................................................................353
Designating a Multicast Router Interface...................................................................................................................... 359
21 Interfaces...............................................................................................................................360
Contents
11
Interface Types.................................................................................................................................................................. 361
View Basic Interface Information.....................................................................................................................................361
Resetting an Interface to its Factory Default State..................................................................................................... 363
Enabling a Physical Interface........................................................................................................................................... 363
Physical Interfaces............................................................................................................................................................ 363
Configuration Task List for Physical Interfaces.......................................................................................................364
Overview of Layer Modes..........................................................................................................................................364
Configuring Layer 2 (Data Link) Mode..................................................................................................................... 364
Configuring Layer 2 (Interface) Mode......................................................................................................................365
Configuring Layer 3 (Network) Mode...................................................................................................................... 365
Configuring Layer 3 (Interface) Mode......................................................................................................................365
Automatic recovery of an Err-disabled interface..........................................................................................................366
Configuring an automatic recovery for an Err-disabled interface.........................................................................366
Egress Interface Selection (EIS)..................................................................................................................................... 367
Configuring EIS............................................................................................................................................................ 367
Management Interfaces................................................................................................................................................... 368
Configuring Management Interfaces........................................................................................................................368
Configuring a Management Interface on an Ethernet Port...................................................................................369
VLAN Interfaces................................................................................................................................................................ 370
Loopback Interfaces......................................................................................................................................................... 370
Null Interfaces.....................................................................................................................................................................371
Configuring Port Delay...................................................................................................................................................... 371
Port Channel Interfaces.................................................................................................................................................... 371
Port Channel Definition and Standards..................................................................................................................... 371
Port Channel Benefits.................................................................................................................................................372
Port Channel Implementation.................................................................................................................................... 372
Interfaces in Port Channels........................................................................................................................................372
Configuration Tasks for Port Channel Interfaces....................................................................................................372
Creating a Port Channel............................................................................................................................................. 373
Adding a Physical Interface to a Port Channel........................................................................................................ 373
Reassigning an Interface to a New Port Channel................................................................................................... 375
Configuring the Minimum Oper Up Links in a Port Channel.................................................................................. 375
Adding or Removing a Port Channel from a VLAN.................................................................................................375
Assigning an IP Address to a Port Channel..............................................................................................................376
Deleting or Disabling a Port Channel......................................................................................................................... 377
Load Balancing Through Port Channels....................................................................................................................377
Changing the Hash Algorithm.................................................................................................................................... 377
Bulk Configuration.............................................................................................................................................................378
Interface Range........................................................................................................................................................... 378
Bulk Configuration Examples......................................................................................................................................378
Defining Interface Range Macros....................................................................................................................................379
Define the Interface Range........................................................................................................................................380
Choosing an Interface-Range Macro........................................................................................................................380
Monitoring and Maintaining Interfaces...........................................................................................................................380
Maintenance Using TDR..............................................................................................................................................381
Non Dell-Qualified Transceivers.......................................................................................................................................381
Splitting 40G Ports without Reload................................................................................................................................ 382
Splitting QSFP Ports to SFP+ Ports.............................................................................................................................. 383
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port..................................................................................... 384
Link Dampening................................................................................................................................................................. 386
12
Contents
Enabling Link Dampening............................................................................................................................................388
Link Bundle Monitoring.....................................................................................................................................................389
Using Ethernet Pause Frames for Flow Control........................................................................................................... 389
Enabling Pause Frames...............................................................................................................................................390
Configure the MTU Size on an Interface.......................................................................................................................390
Port-Pipes...........................................................................................................................................................................391
Auto-Negotiation on Ethernet Interfaces.......................................................................................................................391
Setting the Speed of Ethernet Interfaces................................................................................................................392
Set Auto-Negotiation Options................................................................................................................................... 393
View Advanced Interface Information............................................................................................................................393
Configuring the Interface Sampling Size..................................................................................................................394
Configuring the Traffic Sampling Size Globally............................................................................................................. 395
Dynamic Counters.............................................................................................................................................................396
Clearing Interface Counters....................................................................................................................................... 397
Discard Counters...............................................................................................................................................................397
Display discard counters.............................................................................................................................................397
22 Internet Protocol Security (IPSec)...........................................................................................399
Configuring IPSec ............................................................................................................................................................ 399
23 IPv4 Routing...........................................................................................................................401
IP Addresses...................................................................................................................................................................... 402
Configuration Tasks for IP Addresses............................................................................................................................ 402
Assigning IP Addresses to an Interface..........................................................................................................................402
Configuring Static Routes................................................................................................................................................403
Adding description for IPv4 and IPv6 static routes................................................................................................ 404
Configure Static Routes for the Management Interface.............................................................................................404
IPv4 Path MTU Discovery Overview..............................................................................................................................405
Using the Configured Source IP Address in ICMP Messages.....................................................................................405
Configuring the Duration to Establish a TCP Connection........................................................................................... 406
Enabling Directed Broadcast........................................................................................................................................... 406
Resolution of Host Names............................................................................................................................................... 406
Enabling Dynamic Resolution of Host Names................................................................................................................407
Specifying the Local System Domain and a List of Domains.......................................................................................407
Configuring DNS with Traceroute...................................................................................................................................407
ARP..................................................................................................................................................................................... 408
Configuration Tasks for ARP........................................................................................................................................... 408
Configuring Static ARP Entries....................................................................................................................................... 408
Enabling Proxy ARP.......................................................................................................................................................... 409
Clearing ARP Cache..........................................................................................................................................................409
ARP Learning via Gratuitous ARP...................................................................................................................................409
Enabling ARP Learning via Gratuitous ARP....................................................................................................................410
ARP Learning via ARP Request....................................................................................................................................... 410
Configuring ARP Retries....................................................................................................................................................411
ICMP.....................................................................................................................................................................................411
Configuration Tasks for ICMP...........................................................................................................................................411
Enabling ICMP Unreachable Messages........................................................................................................................... 411
ICMP Redirects.................................................................................................................................................................. 412
UDP Helper......................................................................................................................................................................... 412
Contents
13
Enabling UDP Helper......................................................................................................................................................... 413
Configuring a Broadcast Address.................................................................................................................................... 413
Configurations Using UDP Helper....................................................................................................................................414
UDP Helper with Broadcast-All Addresses.....................................................................................................................414
UDP Helper with Subnet Broadcast Addresses.............................................................................................................415
UDP Helper with Configured Broadcast Addresses......................................................................................................415
UDP Helper with No Configured Broadcast Addresses................................................................................................416
Troubleshooting UDP Helper............................................................................................................................................416
24 IPv6 Routing........................................................................................................................... 417
Protocol Overview............................................................................................................................................................. 417
Extended Address Space............................................................................................................................................ 417
Stateless Autoconfiguration........................................................................................................................................417
IPv6 Headers................................................................................................................................................................ 418
IPv6 Header Fields....................................................................................................................................................... 418
Extension Header Fields............................................................................................................................................. 420
Addressing.....................................................................................................................................................................421
Implementing IPv6 with Dell EMC Networking OS....................................................................................................... 421
ICMPv6...............................................................................................................................................................................423
Path MTU discovery......................................................................................................................................................... 423
IPv6 Neighbor Discovery..................................................................................................................................................424
IPv6 Neighbor Discovery of MTU Packets.............................................................................................................. 425
Configuration Task List for IPv6 RDNSS....................................................................................................................... 425
Configuring the IPv6 Recursive DNS Server...........................................................................................................425
Debugging IPv6 RDNSS Information Sent to the Host .........................................................................................426
Displaying IPv6 RDNSS Information......................................................................................................................... 426
Secure Shell (SSH) Over an IPv6 Transport................................................................................................................. 427
Configuration Tasks for IPv6........................................................................................................................................... 427
Adjusting Your CAM-Profile....................................................................................................................................... 427
Assigning an IPv6 Address to an Interface.............................................................................................................. 428
Assigning a Static IPv6 Route....................................................................................................................................428
Configuring Telnet with IPv6..................................................................................................................................... 429
SNMP over IPv6..........................................................................................................................................................429
Displaying IPv6 Information........................................................................................................................................429
Displaying an IPv6 Interface Information..................................................................................................................430
Showing IPv6 Routes..................................................................................................................................................430
Showing the Running-Configuration for an Interface............................................................................................. 431
Clearing IPv6 Routes...................................................................................................................................................432
Disabling ND Entry Timeout....................................................................................................................................... 432
Configuring IPv6 RA Guard..............................................................................................................................................432
Configuring IPv6 RA Guard on an Interface............................................................................................................ 434
Monitoring IPv6 RA Guard......................................................................................................................................... 434
14
25 iSCSI Optimization................................................................................................................. 435
iSCSI Optimization Overview...........................................................................................................................................435
Monitoring iSCSI Traffic Flows..................................................................................................................................436
Application of Quality of Service to iSCSI Traffic Flows........................................................................................ 436
Information Monitored in iSCSI Traffic Flows..........................................................................................................437
Detection and Auto-Configuration for Dell EqualLogic Arrays.............................................................................. 437
Contents
Configuring Detection and Ports for Dell Compellent Arrays................................................................................ 438
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer.................................................................. 438
Enable and Disable iSCSI Optimization.....................................................................................................................439
Default iSCSI Optimization Values.................................................................................................................................. 439
iSCSI Optimization Prerequisites.....................................................................................................................................439
Configuring iSCSI Optimization.......................................................................................................................................440
Displaying iSCSI Optimization Information......................................................................................................................441
26 Intermediate System to Intermediate System........................................................................... 443
IS-IS Protocol Overview...................................................................................................................................................443
IS-IS Addressing................................................................................................................................................................ 443
Multi-Topology IS-IS......................................................................................................................................................... 444
Transition Mode...........................................................................................................................................................444
Interface Support........................................................................................................................................................ 444
Adjacencies...................................................................................................................................................................444
Graceful Restart................................................................................................................................................................445
Timers........................................................................................................................................................................... 445
Implementation Information.............................................................................................................................................445
Configuration Information................................................................................................................................................ 446
Configuration Tasks for IS-IS.....................................................................................................................................446
Configuring the Distance of a Route........................................................................................................................ 453
Changing the IS-Type.................................................................................................................................................453
Redistributing IPv4 Routes........................................................................................................................................ 455
Redistributing IPv6 Routes........................................................................................................................................ 455
Configuring Authentication Passwords.................................................................................................................... 456
Setting the Overload Bit.............................................................................................................................................456
Debugging IS-IS........................................................................................................................................................... 457
IS-IS Metric Styles............................................................................................................................................................ 458
Configure Metric Values...................................................................................................................................................458
Maximum Values in the Routing Table..................................................................................................................... 458
Change the IS-IS Metric Style in One Level Only................................................................................................... 458
Leaks from One Level to Another.............................................................................................................................460
Sample Configurations..................................................................................................................................................... 460
27 Link Aggregation Control Protocol (LACP)................................................................................463
Introduction to Dynamic LAGs and LACP......................................................................................................................463
Important Points to Remember.................................................................................................................................463
LACP Modes................................................................................................................................................................463
Configuring LACP Commands...................................................................................................................................464
LACP Configuration Tasks...............................................................................................................................................464
Creating a LAG............................................................................................................................................................ 464
Configuring the LAG Interfaces as Dynamic............................................................................................................465
Setting the LACP Long Timeout............................................................................................................................... 465
Monitoring and Debugging LACP..............................................................................................................................466
Shared LAG State Tracking............................................................................................................................................. 466
Configuring Shared LAG State Tracking.................................................................................................................. 467
Important Points about Shared LAG State Tracking..............................................................................................468
LACP Basic Configuration Example................................................................................................................................468
Configure a LAG on ALPHA.......................................................................................................................................468
Contents
15
28 Layer 2...................................................................................................................................476
Manage the MAC Address Table.................................................................................................................................... 476
Clearing the MAC Address Table.............................................................................................................................. 476
Setting the Aging Time for Dynamic Entries............................................................................................................476
Configuring a Static MAC Address........................................................................................................................... 476
Displaying the MAC Address Table............................................................................................................................477
MAC Learning Limit...........................................................................................................................................................477
Setting the MAC Learning Limit................................................................................................................................ 477
mac learning-limit Dynamic.........................................................................................................................................478
mac learning-limit mac-address-sticky..................................................................................................................... 478
mac learning-limit station-move................................................................................................................................ 478
mac learning-limit no-station-move.......................................................................................................................... 478
Learning Limit Violation Actions.................................................................................................................................479
Setting Station Move Violation Actions....................................................................................................................479
Recovering from Learning Limit and Station Move Violations...............................................................................479
Enabling port security................................................................................................................................................. 480
NIC Teaming...................................................................................................................................................................... 480
Configure Redundant Pairs...............................................................................................................................................481
Far-End Failure Detection................................................................................................................................................ 484
FEFD State Changes.................................................................................................................................................. 484
Configuring FEFD........................................................................................................................................................485
Enabling FEFD on an Interface.................................................................................................................................. 486
Debugging FEFD..........................................................................................................................................................486
29 Link Layer Discovery Protocol (LLDP).......................................................................................488
802.1AB (LLDP) Overview...............................................................................................................................................488
Protocol Data Units.....................................................................................................................................................488
Optional TLVs.................................................................................................................................................................... 489
Management TLVs......................................................................................................................................................489
TIA-1057 (LLDP-MED) Overview...................................................................................................................................490
TIA Organizationally Specific TLVs............................................................................................................................ 491
Configure LLDP................................................................................................................................................................. 494
CONFIGURATION versus INTERFACE Configurations............................................................................................... 494
Enabling LLDP................................................................................................................................................................... 495
Disabling and Undoing LLDP......................................................................................................................................495
Enabling LLDP on Management Ports........................................................................................................................... 495
Disabling and Undoing LLDP on Management Ports..............................................................................................496
Advertising TLVs............................................................................................................................................................... 496
Storing and Viewing Unrecognized LLDP TLVs............................................................................................................ 497
Viewing the LLDP Configuration.....................................................................................................................................498
Viewing Information Advertised by Adjacent LLDP Neighbors...................................................................................498
Examples of Viewing Information Advertised by Neighbors..................................................................................498
Configuring LLDPDU Intervals......................................................................................................................................... 501
Configuring LLDP Notification Interval........................................................................................................................... 501
Configuring LLDP Notification Interval.......................................................................................................................... 502
Configuring Transmit and Receive Mode.......................................................................................................................502
Configuring the Time to Live Value................................................................................................................................ 503
Debugging LLDP............................................................................................................................................................... 503
16
Contents
Relevant Management Objects.......................................................................................................................................504
30 Microsoft Network Load Balancing...........................................................................................509
Configuring a Switch for NLB .........................................................................................................................................510
Enabling a Switch for Multicast NLB.........................................................................................................................510
31 Multicast Source Discovery Protocol (MSDP)............................................................................ 512
Anycast RP......................................................................................................................................................................... 513
Implementation Information..............................................................................................................................................514
Configure Multicast Source Discovery Protocol............................................................................................................514
Related Configuration Tasks.......................................................................................................................................514
Enable MSDP......................................................................................................................................................................518
Manage the Source-Active Cache.................................................................................................................................. 519
Viewing the Source-Active Cache.............................................................................................................................519
Limiting the Source-Active Cache.............................................................................................................................519
Clearing the Source-Active Cache............................................................................................................................ 519
Enabling the Rejected Source-Active Cache.......................................................................................................... 520
Accept Source-Active Messages that Fail the RFP Check.........................................................................................520
Specifying Source-Active Messages.............................................................................................................................. 522
Limiting the Source-Active Messages from a Peer......................................................................................................523
Preventing MSDP from Caching a Local Source..........................................................................................................523
Preventing MSDP from Caching a Remote Source..................................................................................................... 523
Preventing MSDP from Advertising a Local Source.....................................................................................................524
Logging Changes in Peership States..............................................................................................................................525
Terminating a Peership.....................................................................................................................................................525
Clearing Peer Statistics.................................................................................................................................................... 525
Debugging MSDP..............................................................................................................................................................526
MSDP with Anycast RP................................................................................................................................................... 526
Configuring Anycast RP................................................................................................................................................... 527
Reducing Source-Active Message Flooding............................................................................................................ 528
Specifying the RP Address Used in SA Messages..................................................................................................528
MSDP Sample Configurations.........................................................................................................................................530
32 Multicast Listener Discovery Protocol...................................................................................... 533
MLD timers........................................................................................................................................................................ 536
Reducing Host Response Burstiness........................................................................................................................536
Configuring MLD Version.................................................................................................................................................536
Clearing MLD groups........................................................................................................................................................ 537
Debugging MLD.................................................................................................................................................................537
Explicit Tracking.................................................................................................................................................................537
Reducing Leave Latency.................................................................................................................................................. 537
Displaying MLD groups table........................................................................................................................................... 537
Displaying MLD Interfaces............................................................................................................................................... 538
33 Multiple Spanning Tree Protocol (MSTP)................................................................................. 539
Spanning Tree Variations................................................................................................................................................. 540
Implementation Information.......................................................................................................................................540
Configure Multiple Spanning Tree Protocol...................................................................................................................540
Related Configuration Tasks......................................................................................................................................540
Contents
17
Enable Multiple Spanning Tree Globally.......................................................................................................................... 541
Adding and Removing Interfaces.....................................................................................................................................541
Creating Multiple Spanning Tree Instances....................................................................................................................541
Influencing MSTP Root Selection................................................................................................................................... 542
Interoperate with Non-Dell Bridges................................................................................................................................ 543
Changing the Region Name or Revision.........................................................................................................................543
Modifying Global Parameters.......................................................................................................................................... 543
Modifying the Interface Parameters...............................................................................................................................544
Setting STP path cost as constant................................................................................................................................ 545
Configuring an EdgePort..................................................................................................................................................545
Flush MAC Addresses after a Topology Change.......................................................................................................... 546
MSTP Sample Configurations......................................................................................................................................... 546
Debugging and Verifying MSTP Configurations........................................................................................................... 550
34 Multicast Features..................................................................................................................552
Enabling IP Multicast........................................................................................................................................................ 552
Implementation Information.............................................................................................................................................552
Multicast Policies...............................................................................................................................................................553
IPv4 Multicast Policies................................................................................................................................................553
Understanding Multicast Traceroute (mtrace).............................................................................................................559
Printing Multicast Traceroute (mtrace) Paths..............................................................................................................559
Supported Error Codes..................................................................................................................................................... 561
mtrace Scenarios............................................................................................................................................................... 561
35 Multicast Listener Discovery Protocol...................................................................................... 567
MLD timers........................................................................................................................................................................ 570
Reducing Host Response Burstiness........................................................................................................................570
Clearing MLD groups........................................................................................................................................................ 570
Debugging MLD..................................................................................................................................................................571
Explicit Tracking................................................................................................................................................................. 571
Reducing Leave Latency...................................................................................................................................................571
Displaying MLD groups table............................................................................................................................................ 571
Displaying MLD Interfaces................................................................................................................................................ 571
MLD Snooping................................................................................................................................................................... 572
Enable MLD Snooping.................................................................................................................................................572
Disable MLD Snooping................................................................................................................................................572
Configure the switch as a querier............................................................................................................................. 572
Specify port as connected to multicast router........................................................................................................573
Enable Snooping Explicit Tracking.............................................................................................................................573
Display the MLD Snooping Table...............................................................................................................................573
36 Object Tracking...................................................................................................................... 574
Object Tracking Overview................................................................................................................................................574
Track Layer 2 Interfaces.............................................................................................................................................575
Track Layer 3 Interfaces.............................................................................................................................................575
Track IPv4 and IPv6 Routes...................................................................................................................................... 575
Set Tracking Delays.....................................................................................................................................................576
VRRP Object Tracking................................................................................................................................................ 577
Object Tracking Configuration.........................................................................................................................................577
18
Contents
Tracking a Layer 2 Interface.......................................................................................................................................577
Tracking a Layer 3 Interface...................................................................................................................................... 578
Track an IPv4/IPv6 Route......................................................................................................................................... 579
Displaying Tracked Objects..............................................................................................................................................582
37 Open Shortest Path First (OSPFv2 and OSPFv3)...................................................................... 584
Protocol Overview............................................................................................................................................................ 584
Autonomous System (AS) Areas.............................................................................................................................. 584
Area Types................................................................................................................................................................... 585
Networks and Neighbors............................................................................................................................................586
Router Types............................................................................................................................................................... 586
Designated and Backup Designated Routers...........................................................................................................587
Link-State Advertisements (LSAs)........................................................................................................................... 587
Router Priority and Cost.............................................................................................................................................588
OSPF with Dell EMC Networking OS.............................................................................................................................589
Graceful Restart..........................................................................................................................................................589
Fast Convergence (OSPFv2, IPv4 Only).................................................................................................................590
Multi-Process OSPFv2 with VRF............................................................................................................................. 590
OSPF ACK Packing......................................................................................................................................................591
Setting OSPF Adjacency with Cisco Routers.......................................................................................................... 591
Configuration Information.................................................................................................................................................591
Configuration Task List for OSPFv2 (OSPF for IPv4)........................................................................................... 592
OSPFv3 NSSA.............................................................................................................................................................603
Configuration Task List for OSPFv3 (OSPF for IPv6)...........................................................................................604
MIB Support for OSPFv3................................................................................................................................................. 615
Viewing the OSPFv3 MIB........................................................................................................................................... 615
Configuration Task List for OSPFv3 (OSPF for IPv6)..................................................................................................616
Enabling IPv6 Unicast Routing................................................................................................................................... 616
Applying cost for OSPFv3.......................................................................................................................................... 616
Assigning IPv6 Addresses on an Interface................................................................................................................617
Assigning Area ID on an Interface.............................................................................................................................. 617
Assigning OSPFv3 Process ID and Router ID Globally............................................................................................ 617
Assigning OSPFv3 Process ID and Router ID to a VRF.......................................................................................... 618
Configuring Stub Areas............................................................................................................................................... 618
Configuring Passive-Interface....................................................................................................................................618
Redistributing Routes.................................................................................................................................................. 619
Configuring a Default Route....................................................................................................................................... 619
Enabling OSPFv3 Graceful Restart........................................................................................................................... 619
OSPFv3 Authentication Using IPsec......................................................................................................................... 621
Troubleshooting OSPFv3........................................................................................................................................... 627
38 Policy-based Routing (PBR).................................................................................................... 628
Overview............................................................................................................................................................................ 628
Implementing PBR.............................................................................................................................................................629
Configuration Task List for Policy-based Routing........................................................................................................ 629
Create a Redirect List.................................................................................................................................................630
Create a Rule for a Redirect-list................................................................................................................................630
Apply a Redirect-list to an Interface using a Redirect-group................................................................................. 631
Sample Configuration....................................................................................................................................................... 634
Contents
19
39 PIM Sparse-Mode (PIM-SM)................................................................................................... 638
Implementation Information.............................................................................................................................................638
Protocol Overview............................................................................................................................................................ 638
Requesting Multicast Traffic......................................................................................................................................638
Refuse Multicast Traffic.............................................................................................................................................638
Send Multicast Traffic................................................................................................................................................ 639
Configuring PIM-SM.........................................................................................................................................................639
Related Configuration Tasks......................................................................................................................................639
Enable PIM-SM................................................................................................................................................................. 639
Configuring S,G Expiry Timers......................................................................................................................................... 641
Configuring a Static Rendezvous Point......................................................................................................................... 642
Overriding Bootstrap Router Updates......................................................................................................................642
Configuring a Designated Router....................................................................................................................................643
Creating Multicast Boundaries and Domains.................................................................................................................644
Electing an RP using the BSR Mechanism.................................................................................................................... 644
40 PIM Source-Specific Mode (PIM-SSM).................................................................................... 646
Implementation Information.............................................................................................................................................646
Configure PIM-SSM......................................................................................................................................................... 646
Enabling PIM-SSM............................................................................................................................................................ 647
Use PIM-SSM with IGMP Version 2 Hosts................................................................................................................... 647
Electing an RP using the BSR Mechanism.................................................................................................................... 649
Enabling RP to Server Specific Multicast Groups.................................................................................................. 650
41 Port Monitoring.......................................................................................................................651
Important Points to Remember....................................................................................................................................... 651
Port Monitoring..................................................................................................................................................................651
Configuring Port Monitoring............................................................................................................................................654
Configuring Monitor Multicast Queue............................................................................................................................655
Enabling Flow-Based Monitoring.................................................................................................................................... 655
Remote Port Mirroring..................................................................................................................................................... 656
Remote Port Mirroring Example................................................................................................................................657
Configuring Remote Port Mirroring.......................................................................................................................... 657
Displaying Remote-Port Mirroring Configurations..................................................................................................659
Configuration procedure for Remote Port Mirroring..............................................................................................659
Encapsulated Remote Port Monitoring..........................................................................................................................663
ERPM Behavior on a typical Dell EMC Networking OS ..............................................................................................665
Port Monitoring on VLT................................................................................................................................................... 666
42 Private VLANs (PVLAN).......................................................................................................... 669
Private VLAN Concepts...................................................................................................................................................669
Using the Private VLAN Commands...............................................................................................................................670
Configuration Task List......................................................................................................................................................671
Creating PVLAN ports.................................................................................................................................................671
Creating a Primary VLAN............................................................................................................................................ 671
Creating a Community VLAN.....................................................................................................................................672
Creating an Isolated VLAN......................................................................................................................................... 673
Private VLAN Configuration Example.............................................................................................................................674
20
Contents
Inspecting the Private VLAN Configuration...................................................................................................................675
43 Per-VLAN Spanning Tree Plus (PVST+).................................................................................... 677
Protocol Overview.............................................................................................................................................................677
Implementation Information............................................................................................................................................. 678
Configure Per-VLAN Spanning Tree Plus...................................................................................................................... 678
Enabling PVST+.................................................................................................................................................................678
Disabling PVST+................................................................................................................................................................ 678
Influencing PVST+ Root Selection..................................................................................................................................679
Modifying Global PVST+ Parameters.............................................................................................................................680
Modifying Interface PVST+ Parameters.........................................................................................................................681
Configuring an EdgePort...................................................................................................................................................681
PVST+ in Multi-Vendor Networks.................................................................................................................................. 682
Enabling PVST+ Extend System ID................................................................................................................................ 682
PVST+ Sample Configurations........................................................................................................................................683
44 Quality of Service (QoS)......................................................................................................... 685
Implementation Information............................................................................................................................................. 687
Port-Based QoS Configurations......................................................................................................................................687
Setting dot1p Priorities for Incoming Traffic............................................................................................................687
Honoring dot1p Priorities on Ingress Traffic.............................................................................................................688
Configuring Port-Based Rate Policing......................................................................................................................688
Configuring Port-Based Rate Shaping..................................................................................................................... 688
Policy-Based QoS Configurations...................................................................................................................................689
Classify Traffic.............................................................................................................................................................689
Create a QoS Policy....................................................................................................................................................692
Create Policy Maps.....................................................................................................................................................694
DSCP Color Maps............................................................................................................................................................. 697
Creating a DSCP Color Map...................................................................................................................................... 697
Displaying DSCP Color Maps.....................................................................................................................................698
Displaying a DSCP Color Policy Configuration ....................................................................................................... 698
Enabling QoS Rate Adjustment.......................................................................................................................................699
Enabling Strict-Priority Queueing....................................................................................................................................699
Weighted Random Early Detection.................................................................................................................................699
Creating WRED Profiles............................................................................................................................................. 700
Applying a WRED Profile to Traffic...........................................................................................................................700
Displaying Default and Configured WRED Profiles.................................................................................................. 701
Displaying WRED Drop Statistics............................................................................................................................... 701
Displaying egress–queue Statistics............................................................................................................................701
Pre-Calculating Available QoS CAM Space....................................................................................................................701
Configuring Weights and ECN for WRED .....................................................................................................................702
Configuring WRED and ECN Attributes.........................................................................................................................704
Guidelines for Configuring ECN for Classifying and Color-Marking Packets............................................................ 704
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class.................................... 705
Classifying Incoming Packets Using ECN and Color-Marking...............................................................................705
Sample configuration to mark non-ecn packets as “yellow” with single traffic class.........................................707
Applying Layer 2 Match Criteria on a Layer 3 Interface...............................................................................................708
Applying DSCP and VLAN Match Criteria on a Service Queue.................................................................................. 708
Classifying Incoming Packets Using ECN and Color-Marking.....................................................................................709
Contents
21
Guidelines for Configuring ECN for Classifying and Color-Marking Packets............................................................. 710
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class............................................711
Sample configuration to mark non-ecn packets as “yellow” with single traffic class................................................711
Enabling Buffer Statistics Tracking .................................................................................................................................712
45 Routing Information Protocol (RIP).......................................................................................... 715
Protocol Overview............................................................................................................................................................. 715
RIPv1.............................................................................................................................................................................. 715
RIPv2............................................................................................................................................................................. 715
Implementation Information..............................................................................................................................................715
Configuration Information................................................................................................................................................. 716
Configuration Task List................................................................................................................................................716
RIP Configuration Example......................................................................................................................................... 721
46 Remote Monitoring (RMON)....................................................................................................726
Implementation Information............................................................................................................................................. 726
Fault Recovery...................................................................................................................................................................726
Setting the RMON Alarm........................................................................................................................................... 726
Configuring an RMON Event..................................................................................................................................... 727
Configuring RMON Collection Statistics.................................................................................................................. 728
Configuring the RMON Collection History...............................................................................................................728
47 Rapid Spanning Tree Protocol (RSTP)...................................................................................... 729
Protocol Overview............................................................................................................................................................ 729
Configuring Rapid Spanning Tree....................................................................................................................................729
Important Points to Remember.......................................................................................................................................729
RSTP and VLT............................................................................................................................................................. 730
Configuring Interfaces for Layer 2 Mode.......................................................................................................................730
Enabling Rapid Spanning Tree Protocol Globally...........................................................................................................730
Adding and Removing Interfaces.................................................................................................................................... 732
Modifying Global Parameters...........................................................................................................................................732
Enabling SNMP Traps for Root Elections and Topology Changes........................................................................733
Modifying Interface Parameters......................................................................................................................................734
Enabling SNMP Traps for Root Elections and Topology Changes............................................................................. 734
Influencing RSTP Root Selection.................................................................................................................................... 734
Configuring an EdgePort.................................................................................................................................................. 734
Configuring Fast Hellos for Link State Detection..........................................................................................................735
48 Software-Defined Networking (SDN)....................................................................................... 737
49 Security................................................................................................................................. 738
AAA Accounting.................................................................................................................................................................738
Configuration Task List for AAA Accounting........................................................................................................... 738
RADIUS Accounting.................................................................................................................................................... 740
AAA Authentication...........................................................................................................................................................745
Configuration Task List for AAA Authentication..................................................................................................... 745
Obscuring Passwords and Keys.......................................................................................................................................747
AAA Authorization............................................................................................................................................................. 748
Privilege Levels Overview...........................................................................................................................................748
22
Contents
Configuration Task List for Privilege Levels.............................................................................................................748
RADIUS...............................................................................................................................................................................752
RADIUS Authentication.............................................................................................................................................. 752
Configuration Task List for RADIUS..........................................................................................................................753
Support for Change of Authorization and Disconnect Messages packets..........................................................756
TACACS+...........................................................................................................................................................................765
Configuration Task List for TACACS+......................................................................................................................765
TACACS+ Remote Authentication............................................................................................................................766
Command Authorization............................................................................................................................................. 767
Protection from TCP Tiny and Overlapping Fragment Attacks..................................................................................768
Enabling SCP and SSH..................................................................................................................................................... 768
Using SCP with SSH to Copy a Software Image.................................................................................................... 768
Removing the RSA Host Keys and Zeroizing Storage ...........................................................................................769
Configuring When to Re-generate an SSH Key .....................................................................................................769
Configuring the SSH Server Key Exchange Algorithm...........................................................................................770
Configuring the HMAC Algorithm for the SSH Server...........................................................................................770
Configuring the SSH Server Cipher List....................................................................................................................771
Configuring DNS in the SSH Server.......................................................................................................................... 771
Secure Shell Authentication....................................................................................................................................... 772
Troubleshooting SSH.................................................................................................................................................. 774
Telnet.................................................................................................................................................................................. 774
VTY Line and Access-Class Configuration..................................................................................................................... 774
VTY Line Local Authentication and Authorization...................................................................................................775
VTY Line Remote Authentication and Authorization.............................................................................................. 775
VTY MAC-SA Filter Support...................................................................................................................................... 775
Role-Based Access Control..............................................................................................................................................776
Overview of RBAC...................................................................................................................................................... 776
User Roles.....................................................................................................................................................................778
AAA Authentication and Authorization for Roles..................................................................................................... 781
Role Accounting...........................................................................................................................................................783
Display Information About User Roles.......................................................................................................................784
Two Factor Authentication (2FA)...................................................................................................................................785
Handling Access-Challenge Message....................................................................................................................... 785
Configuring Challenge Response Authentication for SSHv2.................................................................................785
SMS-OTP Mechanism................................................................................................................................................786
Configuring the System to Drop Certain ICMP Reply Messages............................................................................... 786
Dell EMC Networking OS Security Hardening...............................................................................................................788
Dell EMC Networking OS Image Verification...........................................................................................................788
Startup Configuration Verification............................................................................................................................ 789
Configuring the root User Password........................................................................................................................ 790
Locking Access to GRUB Interface.......................................................................................................................... 790
Enabling User Lockout for Failed Login Attempts................................................................................................... 791
50 Service Provider Bridging........................................................................................................792
VLAN Stacking...................................................................................................................................................................792
Configure VLAN Stacking...........................................................................................................................................793
Creating Access and Trunk Ports..............................................................................................................................794
Enable VLAN-Stacking for a VLAN...........................................................................................................................794
Configuring the Protocol Type Value for the Outer VLAN Tag............................................................................ 795
Configuring Dell EMC Networking OS Options for Trunk Ports........................................................................... 795
Contents
23
Debugging VLAN Stacking.........................................................................................................................................796
VLAN Stacking in Multi-Vendor Networks.............................................................................................................. 796
VLAN Stacking Packet Drop Precedence..................................................................................................................... 800
Enabling Drop Eligibility...............................................................................................................................................800
Honoring the Incoming DEI Value............................................................................................................................. 800
Marking Egress Packets with a DEI Value................................................................................................................ 801
Dynamic Mode CoS for VLAN Stacking......................................................................................................................... 801
Mapping C-Tag to S-Tag dot1p Values.................................................................................................................... 803
Layer 2 Protocol Tunneling.............................................................................................................................................. 803
Enabling Layer 2 Protocol Tunneling........................................................................................................................ 805
Specifying a Destination MAC Address for BPDUs................................................................................................806
Setting Rate-Limit BPDUs......................................................................................................................................... 806
Debugging Layer 2 Protocol Tunneling.................................................................................................................... 806
Provider Backbone Bridging............................................................................................................................................ 806
51 sFlow..................................................................................................................................... 808
Overview............................................................................................................................................................................ 808
Implementation Information.............................................................................................................................................808
Enabling Extended sFlow................................................................................................................................................. 809
Enabling and Disabling sFlow on an Interface................................................................................................................ 810
Enabling sFlow Max-Header Size Extended...................................................................................................................810
sFlow Show Commands.................................................................................................................................................... 811
Displaying Show sFlow Global..................................................................................................................................... 811
Displaying Show sFlow on an Interface......................................................................................................................811
Displaying Show sFlow on a Stack-unit.....................................................................................................................812
Configuring Specify Collectors.........................................................................................................................................812
Changing the Polling Intervals..........................................................................................................................................812
Back-Off Mechanism........................................................................................................................................................ 813
sFlow on LAG ports........................................................................................................................................................... 813
Enabling Extended sFlow.................................................................................................................................................. 813
Important Points to Remember..................................................................................................................................814
24
52 Simple Network Management Protocol (SNMP)........................................................................ 815
Protocol Overview.............................................................................................................................................................816
Implementation Information..............................................................................................................................................816
SNMPv3 Compliance With FIPS......................................................................................................................................816
Configuration Task List for SNMP...................................................................................................................................817
Important Points to Remember........................................................................................................................................817
Set up SNMP......................................................................................................................................................................817
Creating a Community.................................................................................................................................................818
Setting Up User-Based Security (SNMPv3)............................................................................................................818
Enable SNMPv3 traps................................................................................................................................................. 819
Reading Managed Object Values.....................................................................................................................................819
Writing Managed Object Values......................................................................................................................................820
Configuring Contact and Location Information using SNMP......................................................................................820
Subscribing to Managed Object Value Updates using SNMP..................................................................................... 821
Enabling a Subset of SNMP Traps.................................................................................................................................. 821
Enabling an SNMP Agent to Notify Syslog Server Failure...........................................................................................823
Copy Configuration Files Using SNMP...........................................................................................................................824
Contents
Copying a Configuration File......................................................................................................................................825
Copying Configuration Files via SNMP.....................................................................................................................826
Copying the Startup-Config Files to the Running-Config......................................................................................826
Copying the Startup-Config Files to the Server via FTP....................................................................................... 827
Copying the Startup-Config Files to the Server via TFTP.....................................................................................827
Copy a Binary File to the Startup-Configuration.....................................................................................................827
Additional MIB Objects to View Copy Statistics..................................................................................................... 828
Obtaining a Value for MIB Objects............................................................................................................................828
MIB Support to Display Reason for Last System Reboot............................................................................................829
Viewing the Reason for Last System Reboot Using SNMP.................................................................................. 829
MIB Support for Power Monitoring................................................................................................................................829
MIB Support to Display the Available Memory Size on Flash......................................................................................830
Viewing the Available Flash Memory Size................................................................................................................830
MIB Support to Display the Software Core Files Generated by the System............................................................ 830
Viewing the Software Core Files Generated by the System..................................................................................831
MIB Support to Display the Available Partitions on Flash.............................................................................................831
Viewing the Available Partitions on Flash.................................................................................................................832
MIB Support to Display Egress Queue Statistics..........................................................................................................833
MIB Support to ECMP Group Count..............................................................................................................................833
Viewing the ECMP Group Count Information......................................................................................................... 833
MIB Support for entAliasMappingTable ........................................................................................................................ 836
Viewing the entAliasMappingTable MIB...................................................................................................................836
MIB Support for LAG........................................................................................................................................................836
Viewing the LAG MIB..................................................................................................................................................837
MIB Support to Display Unrecognized LLDP TLVs...................................................................................................... 838
MIB Support to Display Reserved Unrecognized LLDP TLVs............................................................................... 838
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs........................................................839
MIB Support for LLDP Notification Interval.................................................................................................................. 839
MIB support for Port Security.........................................................................................................................................840
Global MIB objects for port security.........................................................................................................................840
MIB support for interface level port security...........................................................................................................840
MIB objects for configuring MAC addresses............................................................................................................841
MIB objects for configuring MAC addresses...........................................................................................................842
Manage VLANs using SNMP...........................................................................................................................................843
Creating a VLAN..........................................................................................................................................................843
Assigning a VLAN Alias............................................................................................................................................... 843
Displaying the Ports in a VLAN..................................................................................................................................843
Add Tagged and Untagged Ports to a VLAN.......................................................................................................... 844
Managing Overload on Startup....................................................................................................................................... 845
Enabling and Disabling a Port using SNMP....................................................................................................................845
Fetch Dynamic MAC Entries using SNMP.....................................................................................................................846
Example of Deriving the Interface Index Number......................................................................................................... 847
MIB Objects for Viewing the System Image on Flash Partitions...........................................................................847
Monitoring BGP sessions via SNMP...............................................................................................................................847
Monitor Port-Channels.....................................................................................................................................................849
Enabling an SNMP Agent to Notify Syslog Server Failure.......................................................................................... 850
Troubleshooting SNMP Operation.................................................................................................................................. 851
Transceiver Monitoring..................................................................................................................................................... 851
Configuring SNMP context name...................................................................................................................................852
Contents
25
53 Stacking................................................................................................................................ 854
Stacking Overview............................................................................................................................................................854
Stack Management Roles.......................................................................................................................................... 854
Stack Master Election................................................................................................................................................ 855
Virtual IP....................................................................................................................................................................... 856
Failover Roles...............................................................................................................................................................857
MAC Addressing on Stacks........................................................................................................................................857
Stacking LAG............................................................................................................................................................... 858
Supported Stacking Topologies.................................................................................................................................858
High Availability on Stacks......................................................................................................................................... 858
Management Access on Stacks................................................................................................................................859
Mixed-mode Stacking.................................................................................................................................................860
Important Points to Remember....................................................................................................................................... 861
Stacking Installation Tasks................................................................................................................................................861
Create a Stack..............................................................................................................................................................861
Add Units to an Existing Stack.................................................................................................................................. 865
Split a Stack................................................................................................................................................................. 867
Stacking Configuration Tasks.......................................................................................................................................... 867
Assigning Unit Numbers to Units in an Stack.......................................................................................................... 867
Creating a Virtual Stack Unit on a Stack..................................................................................................................868
Displaying Information about a Stack....................................................................................................................... 868
Influencing Management Unit Selection on a Stack............................................................................................... 870
Managing Redundancy on a Stack.............................................................................................................................871
Resetting a Unit on a Stack........................................................................................................................................ 871
Enabling Mixed-mode Stacking.................................................................................................................................. 871
Verify a Stack Configuration............................................................................................................................................872
Displaying the Status of Stacking Ports................................................................................................................... 872
Remove Units or Front End Ports from a Stack........................................................................................................... 873
Removing a Unit from a Stack...................................................................................................................................873
Removing Front End Port Stacking.......................................................................................................................... 874
Troubleshoot a Stack........................................................................................................................................................874
Recover from Stack Link Flaps..................................................................................................................................875
Recover from a Card Problem State on a Stack.....................................................................................................875
26
54 Storm Control.........................................................................................................................877
Configure Storm Control.................................................................................................................................................. 877
Configuring Storm Control from INTERFACE Mode.............................................................................................. 877
Configuring Storm Control from CONFIGURATION Mode................................................................................... 878
55 Spanning Tree Protocol (STP)................................................................................................. 879
Protocol Overview............................................................................................................................................................ 879
Configure Spanning Tree..................................................................................................................................................879
Important Points to Remember.......................................................................................................................................880
Configuring Interfaces for Layer 2 Mode.......................................................................................................................880
Enabling Spanning Tree Protocol Globally...................................................................................................................... 881
Adding an Interface to the Spanning Tree Group.........................................................................................................883
Modifying Global Parameters.......................................................................................................................................... 883
Modifying Interface STP Parameters.............................................................................................................................884
Contents
Enabling PortFast..............................................................................................................................................................884
Prevent Network Disruptions with BPDU Guard....................................................................................................885
Selecting STP Root...........................................................................................................................................................887
STP Root Guard................................................................................................................................................................ 887
Root Guard Scenario...................................................................................................................................................887
Configuring Root Guard..............................................................................................................................................888
Enabling SNMP Traps for Root Elections and Topology Changes.............................................................................889
Configuring Spanning Trees as Hitless...........................................................................................................................889
STP Loop Guard................................................................................................................................................................889
Configuring Loop Guard............................................................................................................................................. 890
Displaying STP Guard Configuration............................................................................................................................... 891
56 SupportAssist........................................................................................................................ 892
Configuring SupportAssist Using a Configuration Wizard........................................................................................... 892
Configuring SupportAssist Manually...............................................................................................................................893
Configuring SupportAssist Activity.................................................................................................................................894
Configuring SupportAssist Company............................................................................................................................. 896
Configuring SupportAssist Person..................................................................................................................................896
Configuring SupportAssist Server...................................................................................................................................897
Viewing SupportAssist Configuration.............................................................................................................................898
57 System Time and Date............................................................................................................ 900
Network Time Protocol....................................................................................................................................................900
Protocol Overview....................................................................................................................................................... 901
Configure the Network Time Protocol......................................................................................................................901
Enabling NTP................................................................................................................................................................901
Configuring NTP Broadcasts.....................................................................................................................................902
Disabling NTP on an Interface................................................................................................................................... 902
Configuring a Source IP Address for NTP Packets................................................................................................ 902
Configuring NTP Authentication............................................................................................................................... 903
Configuring NTP control key password................................................................................................................... 905
Configuring the NTP Step-Threshold...................................................................................................................... 905
Dell EMC Networking OS Time and Date...................................................................................................................... 905
Configuration Task List ............................................................................................................................................. 905
Setting the Time and Date for the Switch Software Clock...................................................................................905
Setting the Timezone................................................................................................................................................. 906
Set Daylight Saving Time........................................................................................................................................... 906
Setting Daylight Saving Time Once.......................................................................................................................... 906
Setting Recurring Daylight Saving Time...................................................................................................................907
58 Tunneling...............................................................................................................................909
Configuring a Tunnel.........................................................................................................................................................909
Configuring Tunnel Keepalive Settings........................................................................................................................... 910
Configuring a Tunnel Interface.........................................................................................................................................910
Configuring Tunnel Allow-Remote Decapsulation.......................................................................................................... 911
Configuring the Tunnel Source Anylocal..........................................................................................................................911
59 Uplink Failure Detection (UFD).................................................................................................912
Feature Description........................................................................................................................................................... 912
Contents
27
How Uplink Failure Detection Works...............................................................................................................................913
UFD and NIC Teaming.......................................................................................................................................................914
Important Points to Remember....................................................................................................................................... 914
Configuring Uplink Failure Detection...............................................................................................................................915
Clearing a UFD-Disabled Interface.................................................................................................................................. 916
Displaying Uplink Failure Detection.................................................................................................................................. 917
Sample Configuration: Uplink Failure Detection.............................................................................................................918
60 Upgrade Procedures............................................................................................................... 920
61 Virtual LANs (VLANs)...............................................................................................................921
Default VLAN......................................................................................................................................................................921
Port-Based VLANs............................................................................................................................................................922
VLANs and Port Tagging..................................................................................................................................................922
Configuration Task List.....................................................................................................................................................923
Creating a Port-Based VLAN.....................................................................................................................................923
Assigning Interfaces to a VLAN.................................................................................................................................923
Moving Untagged Interfaces..................................................................................................................................... 924
Assigning an IP Address to a VLAN.......................................................................................................................... 925
Configuring Native VLANs...............................................................................................................................................926
Enabling Null VLAN as the Default VLAN...................................................................................................................... 926
62 Virtual Link Trunking (VLT)......................................................................................................927
Overview............................................................................................................................................................................ 927
VLT Terminology......................................................................................................................................................... 929
Layer-2 Traffic in VLT Domains.................................................................................................................................929
Interspersed VLANs....................................................................................................................................................930
VLT on Core Switches.................................................................................................................................................931
Enhanced VLT.............................................................................................................................................................. 931
Configure Virtual Link Trunking....................................................................................................................................... 932
Important Points to Remember.................................................................................................................................932
Configuration Notes....................................................................................................................................................933
Primary and Secondary VLT Peers........................................................................................................................... 936
RSTP and VLT............................................................................................................................................................. 936
VLT Bandwidth Monitoring........................................................................................................................................ 937
VLT and Stacking........................................................................................................................................................ 937
VLT and IGMP Snooping............................................................................................................................................ 937
VLT IPv6....................................................................................................................................................................... 937
VLT Port Delayed Restoration................................................................................................................................... 937
PIM-Sparse Mode Support on VLT.......................................................................................................................... 938
VLT Routing ................................................................................................................................................................ 939
Non-VLT ARP Sync.................................................................................................................................................... 942
RSTP Configuration.......................................................................................................................................................... 942
Preventing Forwarding Loops in a VLT Domain......................................................................................................942
Sample RSTP configuration....................................................................................................................................... 943
Configuring VLT...........................................................................................................................................................943
PVST+ Configuration........................................................................................................................................................952
Peer Routing Configuration Example............................................................................................................................. 953
Dell-1 Switch Configuration........................................................................................................................................953
28
Contents
Dell-2 Switch Configuration....................................................................................................................................... 957
R1 Configuration..........................................................................................................................................................960
Access Switch A1 Configurations and Verification.................................................................................................. 961
eVLT Configuration Example...........................................................................................................................................962
PIM-Sparse Mode Configuration Example.................................................................................................................... 964
Verifying a VLT Configuration......................................................................................................................................... 964
Additional VLT Sample Configurations........................................................................................................................... 967
Troubleshooting VLT........................................................................................................................................................ 969
Reconfiguring Stacked Switches as VLT.......................................................................................................................970
Specifying VLT Nodes in a PVLAN................................................................................................................................. 970
Configuring a VLT VLAN or LAG in a PVLAN................................................................................................................973
Creating a VLT LAG or a VLT VLAN.........................................................................................................................973
Associating the VLT LAG or VLT VLAN in a PVLAN.............................................................................................. 974
Proxy ARP Capability on VLT Peer Nodes.....................................................................................................................975
VLT Nodes as Rendezvous Points for Multicast Resiliency........................................................................................ 976
Configuring VLAN-Stack over VLT.................................................................................................................................976
IPv6 Peer Routing in VLT Domains Overview............................................................................................................... 979
Configure BFD in VLT Domain.........................................................................................................................................983
Sample BFD configuration in VLT domain................................................................................................................983
VXLAN on VLT.................................................................................................................................................................. 987
63 VLT Proxy Gateway.................................................................................................................989
Proxy Gateway in VLT Domains......................................................................................................................................989
LLDP VLT Proxy Gateway in a Square VLT Topology........................................................................................... 992
Configuring a Static VLT Proxy Gateway...................................................................................................................... 993
Configuring an LLDP VLT Proxy Gateway.....................................................................................................................993
VLT Proxy Gateway Sample Topology...........................................................................................................................993
VLT Domain Configuration.........................................................................................................................................994
Dell-1 VLT Configuration.............................................................................................................................................994
Dell-2 VLT Configuration............................................................................................................................................995
Dell-3 VLT Configuration............................................................................................................................................996
Dell-4 VLT Configuration............................................................................................................................................997
64 Virtual Extensible LAN (VXLAN)...............................................................................................998
advertise-local-mac.......................................................................................................................................................... 999
Components of VXLAN network.................................................................................................................................... 999
Functional Overview of VXLAN Gateway....................................................................................................................1000
VXLAN Frame Format.................................................................................................................................................... 1000
Limitations on VXLAN .....................................................................................................................................................1001
Configuring and Controlling VXLAN from the NSX Controller GUI.......................................................................... 1002
Configuring and Controling VXLAN from Nuage Controller GUI.............................................................................. 1006
Configuring VxLAN Gateway......................................................................................................................................... 1007
Connecting to an NVP Controller............................................................................................................................1007
Advertising VXLAN Access Ports to Controller.....................................................................................................1008
Displaying VXLAN Configurations................................................................................................................................. 1008
VXLAN Service nodes for BFD......................................................................................................................................1009
Static Virtual Extensible LAN (VXLAN).........................................................................................................................1010
Configuring Static VXLAN.........................................................................................................................................1010
Displaying Static VXLAN Configurations..................................................................................................................1011
Contents
29
Disabling MAC Address Learning on Static VXLAN Tunnels.................................................................................1011
Preserving 802.1 p value across VXLAN tunnels..........................................................................................................1012
VXLAN Scenario............................................................................................................................................................... 1012
Routing in and out of VXLAN tunnels............................................................................................................................1013
Configuring VXLAN RIOT.......................................................................................................................................... 1014
VLT Scenario...............................................................................................................................................................1015
NSX Controller-based VXLAN for VLT......................................................................................................................... 1016
Important Points to Remember................................................................................................................................ 1016
Configure NSX Controller-based VxLAN in VLT Setup.........................................................................................1017
Configuring BFD and UFD for VXLAN..................................................................................................................... 1017
Configuring NSX-based VxLAN on VLT Peer Devices.......................................................................................... 1017
Configuring VLT for NSX-based VxLAN................................................................................................................. 1018
Configuring and Controlling VXLAN from the NSX Controller GUI.....................................................................1022
65 Virtual Routing and Forwarding (VRF).....................................................................................1027
VRF Overview.................................................................................................................................................................. 1027
VRF Configuration Notes............................................................................................................................................... 1028
DHCP...........................................................................................................................................................................1029
VRF Configuration...........................................................................................................................................................1029
Loading VRF CAM..................................................................................................................................................... 1029
Creating a Non-Default VRF Instance.................................................................................................................... 1029
Assigning an Interface to a VRF.............................................................................................................................. 1030
Assigning a Front-end Port to a Management VRF..............................................................................................1030
View VRF Instance Information............................................................................................................................... 1030
Assigning an OSPF Process to a VRF Instance.....................................................................................................1030
Configuring VRRP on a VRF Instance......................................................................................................................1031
Configuring Management VRF................................................................................................................................. 1031
Configuring a Static Route....................................................................................................................................... 1032
Sample VRF Configuration............................................................................................................................................. 1032
Route Leaking VRFs........................................................................................................................................................1038
Dynamic Route Leaking.................................................................................................................................................. 1038
Configuring Route Leaking without Filtering Criteria............................................................................................1039
Configuring Route Leaking with Filtering................................................................................................................ 1041
30
66 Virtual Router Redundancy Protocol (VRRP)........................................................................... 1044
VRRP Overview............................................................................................................................................................... 1044
VRRP Benefits................................................................................................................................................................. 1045
VRRP Implementation.....................................................................................................................................................1045
VRRP Configuration........................................................................................................................................................ 1046
Configuration Task List............................................................................................................................................. 1046
Setting VRRP Initialization Delay............................................................................................................................. 1054
Sample Configurations....................................................................................................................................................1054
VRRP in a VRF Configuration.................................................................................................................................. 1058
VRRP for IPv6 Configuration................................................................................................................................... 1063
Proxy Gateway with VRRP............................................................................................................................................ 1066
67 Debugging and Diagnostics..................................................................................................... 1071
Offline Diagnostics............................................................................................................................................................1071
Important Points to Remember................................................................................................................................ 1071
Contents
Running Offline Diagnostics...................................................................................................................................... 1071
Trace Logs........................................................................................................................................................................ 1074
Auto Save on Crash or Rollover.....................................................................................................................................1074
Last Restart Reason........................................................................................................................................................1074
Hardware Watchdog Timer............................................................................................................................................ 1074
Using the Show Hardware Commands.........................................................................................................................1074
Enabling Environmental Monitoring...............................................................................................................................1075
Recognize an Overtemperature Condition.............................................................................................................1076
Troubleshoot an Over-temperature Condition.......................................................................................................1077
Recognize an Under-Voltage Condition..................................................................................................................1077
Troubleshoot an Under-Voltage Condition............................................................................................................. 1077
Troubleshooting Packet Loss.........................................................................................................................................1078
Displaying Drop Counters..........................................................................................................................................1078
Dataplane Statistics....................................................................................................................................................1081
Display Stack Port Statistics.................................................................................................................................... 1082
Display Stack Member Counters............................................................................................................................. 1083
Enabling Application Core Dumps..................................................................................................................................1085
Mini Core Dumps............................................................................................................................................................. 1086
Enabling TCP Dumps.......................................................................................................................................................1086
68 Standards Compliance........................................................................................................... 1088
IEEE Compliance..............................................................................................................................................................1088
RFC and I-D Compliance................................................................................................................................................ 1089
General Internet Protocols....................................................................................................................................... 1089
General IPv4 Protocols............................................................................................................................................. 1090
General IPv6 Protocols.............................................................................................................................................. 1091
Border Gateway Protocol (BGP).............................................................................................................................1092
Open Shortest Path First (OSPF)...........................................................................................................................1093
Intermediate System to Intermediate System (IS-IS)...........................................................................................1093
Routing Information Protocol (RIP)........................................................................................................................ 1094
Multicast..................................................................................................................................................................... 1094
Network Management..............................................................................................................................................1095
MIB Location.................................................................................................................................................................... 1099
69 X.509v3.................................................................................................................................1101
Introduction to X.509v3 certificates.............................................................................................................................. 1101
X.509v3 support in ..........................................................................................................................................................1102
Information about installing CA certificates.................................................................................................................. 1103
Installing CA certificate.............................................................................................................................................. 1104
Information about Creating Certificate Signing Requests (CSR).............................................................................. 1104
Creating Certificate Signing Requests (CSR)........................................................................................................ 1104
Information about installing trusted certificates...........................................................................................................1105
Installing trusted certificates.....................................................................................................................................1105
Transport layer security (TLS)....................................................................................................................................... 1105
Syslog over TLS..........................................................................................................................................................1106
Online Certificate Status Protocol (OSCP).................................................................................................................. 1106
Configuring OCSP setting on CA............................................................................................................................. 1106
Configuring OCSP behavior...................................................................................................................................... 1106
Configuring Revocation Behavior............................................................................................................................. 1107
Contents
31
Configuring OSCP responder preference................................................................................................................1107
Verifying certificates........................................................................................................................................................ 1107
Verifying Server certificates......................................................................................................................................1107
Verifying Client Certificates.......................................................................................................................................1107
Event logging.....................................................................................................................................................................1107
32 Contents
1

About this Guide

This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system.
The S4048–ON platform is available with Dell EMC Networking OS version 9.7.(0.1) and beyond.S4048–ON stacking is supported with Dell EMC Networking OS version 9.7(0.1) and beyond.
Though this guide contains information about protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell EMC Networking systems. For complete information about protocols, see the related documentation, including Internet Engineering Task Force (IETF) requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The
Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).
Topics:
Audience
Conventions
Related Documents

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 (L2) and Layer 3 (L3) networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
Keyword
parameter
{X} Keywords and parameters within braces must be entered in the CLI.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one option.
x||y Keywords and parameters separated by a double bar allows you to choose any or all of the options.
Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
Parameters are in italics and require a number or word to be entered in the CLI.

Related Documents

For more information about the Dell EMC Networking switches, see the following documents:
Dell EMC Networking OS Command Line Reference Guide
Dell EMC Networking OS Installation Guide
Dell EMC Networking OS Quick Start Guide
Dell EMC Networking OS Release Notes
About this Guide 33
2

Configuration Fundamentals

The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.
The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
In the Dell EMC Networking OS, after you enter a command, the command is added to the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ
between the platforms. Differences are noted in each CLI description and related documentation.
Topics:
Accessing the Command Line
CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Configuration Mode

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session.
When the system successfully boots, enter the command line in EXEC mode.
NOTE:
you must use a console connection when connecting to the system for the first time.
telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'. Login: username Password: DellEMC>
You must have a password configured on a virtual terminal line before you can Telnet into the system. Therefore,

CLI Modes

Different sets of commands are available in each mode.
A command found in one mode cannot be executed from another mode (except for EXEC mode commands with a preceding do command (refer to the do Command section).
You can set user access rights to commands and command modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.
The Dell EMC Networking OS CLI is divided into three major mode levels:
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
34 Configuration Fundamentals
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1 Gigabit Ethernet, 10 Gigabit Ethernet, 25 Gigabit Ethernet, 40 Gigabit Ethernet, 50 Gigabit Ethernet, or 100 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
LINE submode is the mode in which you to configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in
CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.
The CLI modes are:
EXEC EXEC Privilege CONFIGURATION AS-PATH ACL CONTROL-PLANE CLASS-MAP DCB POLICY DHCP DHCP POOL ECMP-GROUP EXTENDED COMMUNITY FRRP INTERFACE GROUP GIGABIT ETHERNET 10 GIGABIT ETHERNET 40 GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET NULL PORT-CHANNEL TUNNEL VLAN VRRP IP IPv6 IP COMMUNITY-LIST IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST MAC ACCESS-LIST LINE AUXILLIARY CONSOLE VIRTUAL TERMINAL LLDP LLDP MANAGEMENT INTERFACE MONITOR SESSION MULTIPLE SPANNING TREE OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY
Configuration Fundamentals
35
ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE SUPPORTASSIST TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP uBoot

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode
and slot/port[/subport] information.
Table 1. Dell EMC Networking OS Command Modes
CLI Command Mode Prompt Access Command
EXEC
EXEC Privilege
DellEMC>
DellEMC#
Access the router through the console or terminal line.
From EXEC mode, enter the enable command.
From any other mode, use the end command.
CONFIGURATION
NOTE: Access all of the following
modes from CONFIGURATION mode.
AS-PATH ACL
10 Gigabit Ethernet Interface
40 Gigabit Ethernet Interface
Interface Group
Interface Range
Loopback Interface
Management Ethernet Interface
Null Interface
Port-channel Interface
Tunnel Interface
VLAN Interface
STANDARD ACCESS-LIST
DellEMC(conf)#
DellEMC(config-as-path)# ip as-path access-list
DellEMC(conf-if-te-1/1)#
DellEMC(conf-if-fo-1/52)#
DellEMC(conf-if-group)# interface(INTERFACE modes)
DellEMC(conf-if-range)#
DellEMC(conf-if-lo-0)#
DellEMC(conf-if-ma-1/1)#
DellEMC(conf-if-nu-0)#
DellEMC(conf-if-po-1)#
DellEMC(conf-if-tu-1)#
DellEMC(conf-if-vl-1)#
DellEMC(config-std-nacl)#
From EXEC privilege mode, enter the configure command.
From every mode except EXEC and EXEC Privilege, enter the exit command.
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
interface (INTERFACE modes)
ip access-list standard (IP
ACCESS-LIST Modes)
36 Configuration Fundamentals
CLI Command Mode Prompt Access Command
EXTENDED ACCESS-LIST
IP COMMUNITY-LIST
AUXILIARY
CONSOLE
VIRTUAL TERMINAL
STANDARD ACCESS-LIST
EXTENDED ACCESS-LIST
MULTIPLE SPANNING TREE
Per-VLAN SPANNING TREE Plus
PREFIX-LIST
RAPID SPANNING TREE
REDIRECT
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
DellEMC(config-ext-nacl)#
DellEMC(config-community-list)# ip community-list
DellEMC(config-line-aux)#
DellEMC(config-line-console)#
DellEMC(config-line-vty)#
DellEMC(config-std-macl)#
DellEMC(config-ext-macl)#
DellEMC(config-mstp)# protocol spanning-tree mstp
DellEMC(config-pvst)# protocol spanning-tree pvst
DellEMC(conf-nprefixl)# ip prefix-list
DellEMC(config-rstp)# protocol spanning-tree rstp
DellEMC(conf-redirect-list)# ip redirect-list
DellEMC(config-route-map)# route-map
DellEMC(conf-router_bgp)# router bgp
DellEMC(conf-router_bgp_af)#
(for IPv4)
DellEMC(conf-routerZ_bgpv6_af)#
(for IPv6)
ip access-list extended (IP ACCESS-LIST Modes)
line (LINE Modes)
line (LINE Modes)
line (LINE Modes)
mac access-list standard (MAC
ACCESS-LIST Modes)
mac access-list extended (MAC ACCESS-LIST Modes)
address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP
Mode)
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
CLASS-MAP
CONTROL-PLANE
DHCP
DHCP POOL
ECMP
EIS
FRRP
LLDP DellEMC(conf-lldp)# or
LLDP MANAGEMENT INTERFACE
DellEMC(conf-router_isis)# router isis
DellEMC(conf-router_isis­af_ipv6)#
DellEMC(conf-router_ospf)# router ospf
DellEMC(conf-ipv6router_ospf)# ipv6 router ospf
DellEMC(conf-router_rip)# router rip
DellEMC(config-span)# protocol spanning-tree 0
DellEMC(conf-trace-acl)# ip trace-list
DellEMC(config-class-map)# class-map
DellEMC(conf-control-cpuqos)# control-plane-cpuqos
DellEMC(config-dhcp)# ip dhcp server
DellEMC(config-dhcp-pool-name)#
DellEMC(conf-ecmp-group-ecmp- group-id)#
DellEMC(conf-mgmt-eis)# management egress-interface-
DellEMC(conf-frrp-ring-id)# protocol frrp
DellEMC(conf-if—interface­lldp)#
DellEMC(conf-lldp-mgmtIf)#
address-family ipv6 unicast
(ROUTER ISIS Mode)
pool (DHCP Mode)
ecmp-group
selection
protocol lldp (CONFIGURATION or
INTERFACE Modes)
management-interface (LLDP Mode)
LINE DellEMC(config-line-console) or
DellEMC(config-line-vty)
line console orline vty
Configuration Fundamentals 37
CLI Command Mode Prompt Access Command
MONITOR SESSION
OPENFLOW INSTANCE
PORT-CHANNEL FAILOVER-GROUP
PRIORITY GROUP
PROTOCOL GVRP
QOS POLICY
SUPPORTASSIST
VLT DOMAIN
VRRP
u-Boot
UPLINK STATE GROUP
DellEMC(conf-mon-sess­sessionID)#
DellEMC(conf-of-instance-of- id)#
DellEMC(conf-po-failover-grp)# port-channel failover-group
DellEMC(conf-pg)# priority-group
DellEMC(config-gvrp)# protocol gvrp
DellEMC(conf-qos-policy-out­ets)#
DellEMC(support-assist)# support-assist
DellEMC(conf-vlt-domain)# vlt domain
DellEMC(conf-if-interface-type­slot/port-vrid-vrrp-group-id)#
Dell=>
DellEMC(conf-uplink-state­group-groupID)#
monitor session
openflow of-instance
qos-policy-output
vrrp-group
Press any key when the following line appears on the console during a system boot: Hit any key to stop
autoboot:
uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
DellEMC(conf)#protocol spanning-tree 0 DellEMC(config-span)#

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC mode command with the do command.
The following example shows the output of the do command.
DellEMC(conf)#do show system brief
Stack MAC : 34:17:eb:f2:c2:c4 Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info -­Unit UnitType Status ReqTyp CurTyp Version Ports
-----------------------------------------------------------------------­ 1 Management online S4048-ON S4048-ON 1-0(0-3932) 72 2 Member not present 3 Member not present 4 Member not present 5 Member not present 6 Member not present
-- Power Supplies -­Unit Bay Status Type FanStatus FanSpeed(rpm)
--------------------------------------------------------------­ 1 1 up AC absent 0 1 2 absent absent 0
-- Fan Status -­Unit Bay TrayStatus Fan0 Speed Fan1 Speed
------------------------------------------------------------------­ 1 1 up up 0 up 0
38
Configuration Fundamentals
1 2 up up 0 up 0 1 3 up up 0 up 0
Speed in RPM

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
DellEMC(conf)#interface tengigabitethernet 2/17 DellEMC(conf-if-te-2/17)#ip address 192.168.10.1/24 DellEMC(conf-if-te-2/17)#show config ! interface TenGigabitEthernet 2/17 ip address 192.168.10.1/24 no shutdown DellEMC(conf-if-te-2/17)#no ip address DellEMC(conf-if-te-2/17)#show config ! interface TenGigabitEthernet 2/17 no ip address no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter
no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
DellEMC#? bmp BMP commands cd Change current directory clear Reset functions clock Manage the system clock
Enter ? after a partial keyword lists all of the keywords that begin with the specified letters.
DellEMC(conf)#cl? class-map clock DellEMC(conf)#cl
Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword.
DellEMC(conf)#clock ? summer-time Configure summer (daylight savings) time timezone Configure time zone DellEMC(conf)#clock

Entering and Editing Commands

Notes for entering commands.
The CLI is not case-sensitive.
You can enter partial CLI keywords.
Configuration Fundamentals
39
Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The UP and DOWN arrow keys display previously entered commands (refer to Command History).
The BACKSPACE and DELETE keys erase the previous letter.
Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key
Action
Combination
CNTL-A Moves the cursor to the beginning of the command line.
CNTL-B Moves the cursor back one character.
CNTL-D Deletes character at cursor.
CNTL-E Moves the cursor to the end of the line.
CNTL-F Moves the cursor forward one character.
CNTL-I Completes a keyword.
CNTL-K Deletes all characters from the cursor to the end of the command line.
CNTL-L Re-enters the previous command.
CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow
key.
CNTL-P Recalls commands, beginning with the last command.
CNTL-R Re-enters the previous command.
CNTL-U Deletes the line.
CNTL-W Deletes the previous word.
CNTL-X Deletes the line.
CNTL-Z Ends continuous scrolling of command outputs.
Esc B Moves the cursor back one word.
Esc F Moves the cursor forward one word.
Esc D Deletes all characters from the cursor to the end of the word.

Command History

The Dell EMC Networking OS maintains a history of previously-entered commands for each mode. For example:
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub­option.
Starting with Dell EMC Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to case-insensitive. For example, the commands:
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TenGigabitEthernet.
40
Configuration Fundamentals
show run | grep ethernet does not return that search result because it only searches for instances containing a non­capitalized “ethernet.”
show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this command used in combination with
show system brief command.
the
Example of the grep Keyword
DellEMC(conf)#do show system brief | grep 0 0 not present
NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces,
underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
Example of the except Keyword
DellEMC#show system brief | except 1
Stack MAC : 4c:76:25:e5:49:40 Reload-Type : normal-reload [Next boot : normal-reload]
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the
Example of the find Keyword
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
The save command copies the output to a file for future reference.
show system brief command.
NOTE:
example: DellEMC# command | grep regular-expression | except regular-expression | grep other- regular-expression | find regular-expression | save.
You can filter a single command output multiple times. The save option must be the last option entered. For

Multiple Users in Configuration Mode

Dell EMC Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:
On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system: User "<username>" on line console0
On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell EMC Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
Configuration Fundamentals
41

Getting Started

This chapter describes how you start configuring your system.
When you power up the chassis, the system performs a power-on self test (POST) and system then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration
Fundamentals chapter.
Topics:
Console Access
Accessing the CLI Interface and Running Scripts Using SSH
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Configuring the Enable Password
Configuration File Management
Managing the File System
Enabling Software Features on Devices Using a Command Option
View Command History
Upgrading Dell EMC Networking OS
Verify Software Images Before Installation
Using HTTP for File Transfers
3

Console Access

The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.

Serial Console

The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the PSU side of the chassis.
Figure 1. RJ-45 Console Port
1. RJ-45 management Ethernet port.
2. RS-232 console port.
42 Getting Started
Accessing the Console Port
To access the console port, follow these steps:
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3. Terminal settings on the console port cannot be changed in the software and are set as follows:
115200 baud rate
No parity
8 data bits
1 stop bit
No flow control
Pin Assignments
You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port RJ-45 to RJ-45
Rollover Cable
Signal RJ-45 Pinout RJ-45 Pinout DB-9 Pin Signal
RTS 1 8 8 CTS
NC 2 7 6 DSR
TxD 3 6 2 RxD
GND 4 5 5 GND
GND 5 4 5 GND
RxD 6 3 3 TxD
NC 7 2 4 DTR
CTS 8 1 7 RTS
RJ-45 to RJ-45 Rollover Cable
RJ-45 to DB-9 Adapter Terminal Server Device

Accessing the CLI Interface and Running Scripts Using SSH

In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files. This method of connectivity is supported with S4810, S4048–ON, S3048–ON, S4820T, and Z9000 switches and provides a reliable, safe communication mechanism.
Entering CLI commands Using an SSH Connection
You can run CLI commands by entering any one of the following syntax to connect to a switch using the preconfigured user credentials using SSH:
ssh username@hostname <CLI Command>
or
echo <CLI Command> | ssh admin@hostname
The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.
Getting Started
43
Executing Local CLI Scripts Using an SSH Connection
You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname <CLIscript.file>
or
cat < CLIscript.file > | ssh admin@hostname
The script is run and the actions contained in the script are performed.
Following are the points to remember, when you are trying to establish an SSH session to the device to run commands or script files:
There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in executing SSH-related scripts.
To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed.
If you issue an interactive command in the SSH session, the behavior may not really be interactive.
In some cases, when you use an SSH session, when certain show commands such as show tech-support produce large volumes of output, sometimes few characters from the output display are truncated and not displayed. This may cause one of the commands to fail for syntax error. In such cases, if you add few newline characters before the failed command, the output displays completely.
Execution of commands on CLI over SSH does not notice the errors that have occurred while executing the command. As a result, you cannot identify, whether a command has failed to be processed. The console output though is redirected back over SSH.

Default Configuration

Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power up the system first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is DellEMC.
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the hostname name command in Configuration mode.
DellEMC(conf)#hostname R1 R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or secure shell (SSH).
The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
You can manage all Dell EMC Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
Accessing the System Remotely
Configuring the system for remote access is a three-step process, as described in the following topics:
1. Configure an IP address for the management port. Configure the Management Port IP Address
2. Configure a management route with a default gateway. Configure a Management Route
3. Configure a username and password. Configure a Username and Password

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.
1. Enter INTERFACE mode for the Management port.
44
Getting Started
CONFIGURATION mode
interface ManagementEthernet slot/port
2. Assign an IP address to the interface. INTERFACE mode
ip address ip-address/mask
ip-address: an address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/ xx).
3. Enable the interface. INTERFACE mode
no shutdown

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port.
To configure a management route, use the following command.
Configure a management route to the network from which you are accessing the system. CONFIGURATION mode
management route ip-address/mask gateway
ip-address: the network address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/ xx).
gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, configure a system username and password.
To configure a system username and password, use the following command.
Configure a username and password to access the system remotely. CONFIGURATION mode
username name [access-class access-list-name] [nopassword | {password | secret | sha256– password} [encryption-type] password [dynamic-salt]] [privilege level] [role role-name]
name: Enter a text string upto 63 characters long.
access-class access-list-name: Enter the name of a configured IP ACL.
nopassword: Allows you to configure an user without the password.
password: Allows you to configure an user with a password.
secret: Specify a secret string for an user.
sha256–password: Uses sha256–based encryption method for password.
encryption-type: Enter the encryption type for securing an user password. There are four encryption types.
0 — input the password in clear text.
5 — input the password that is already encrypted using MD5 encryption method.
7 — input the password that is already encrypted using DES encryption method.
8 — input the password that is already encrypted using sha256–based encryption method.
password: Enter the password string for the user.
dynamic-salt: Generates an additional random input to password encryption process whenever the password is configured.
privilege level: Assign a privilege levels to the user. The range is from 0 to 15.
role role-name: Assign a role name for the user.
Dell EMC Networking OS encrypts type 5 secret and type 7 password based on dynamic-salt option such that the encrypted password is different when an user is configured with the same password.
NOTE:
dynamic-salt option is shown only with secret and password options.
Getting Started 45
In dynamic-salt configuration, the length of type 5 secret and type 7 password is 32 and 16 characters more compared to the secret and password length without dynamic-salt configuration. An error message appears if the username command reaches the maximum length, which is 256 characters.
The dynamic-salt support for the user configuration is added in REST API. For more information on REST support, see Dell EMC Networking Open Automation guide.

Configuring the Enable Password

Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure.
There are three types of enable passwords:
enable password is stored in the running/startup configuration using a DES encryption method.
enable secret is stored in the running/startup configuration using MD5 encryption method.
enable sha256-password is stored in the running/startup configuration using sha256-based encryption method (PBKDF2).
Dell EMC Networking recommends using the enable sha256-password password.
To configure an enable password, use the following command.
Create a password to access EXEC Privilege mode. CONFIGURATION mode
enable [password | secret | sha256-password] [level level] [encryption-type] password
level: is the privilege level, is 15 by default, and is not required.
encryption-type: specifies how you input the password, is 0 by default, and is not required.
0 is to input the password in clear text.
5 is to input a password that is already encrypted using MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
7 is to input a password that is already encrypted using DES encryption method. Obtain the encrypted password from the configuration file of another device.
8 is to input a password that is already encrypted using sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE:
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
To copy a remote file to Dell EMC Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a
Location
For a remote file location:
FTP server
For a remote file location:
TFTP server
For a detailed description of the copy command, refer to the
copy Command
source-file-url
copy ftp:// username:password@{hostip | hostname}/filepath/filename
copy tftp://{hostip | hostname}/filepath/ filename
Syntax
Dell EMC Networking OS Command Reference
destination-file-url
ftp://username:password@{hostip | hostname}/ filepath/filename
tftp://{hostip | hostname}/ filepath/filename
Syntax
.
46 Getting Started
Location
For a remote file location:
SCP server
source-file-url
copy scp://{hostip | hostname}/ filepath/ filename
Syntax
destination-file-url
scp://{hostip | hostname}/ filepath/filename
Important Points to Remember
You may not copy a file from one remote system to another.
You may not copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
Example of Copying a File to an FTP Server
DellEMC#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10/ /Dell/Dell-EF-8.2.1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 27952672 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/ Dell-EF-8.2.1.0.bin flash:// Destination file name [Dell-EF-8.2.1.0.bin.bin]: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 26292881 bytes successfully copied
Syntax

Mounting an NFS File System

This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points.
To mount an NFS file system, perform the following steps:
Table 4. Mounting an NFS File System
File Operation Syntax
To mount an NFS file system:
The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the the
mount command is saved to the startup configuration. As a result, each time the device re-boots, the NFS file system is mounted
during start up.
Table 5. Forming a
Location
For a remote file location:
NFS File System
copy Command
mount nfs rhost:path mount­point username password
source-file-url
copy nfsmount://{<mount­point>}/filepath/filename} username:password
Syntax
write command,
destination-file-url
tftp://{hostip | hostname}/ filepath/filename
Syntax
Important Points to Remember
You cannot copy a file from one remote system to another.
You cannot copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
Getting Started
47
Example of Copying a File to current File System
DellEMC#copy tftp://10.16.127.35/dv-maa-test nfsmount:// Destination file name [dv-maa-test]: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!.! 44250499 bytes successfully copied DellEMC# DellEMC#copy ftp://10.16.127.35 nfsmount: Source file name []: test.c User name to login remote host: username
Example of Logging in to Copy from NFS Mount
DellEMC#copy nfsmount:///test flash: Destination file name [test]: test2 ! 5592 bytes successfully copied DellEMC# DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35 Destination file name [test.txt]: User name to login remote host: username Password to login remote host: !
Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap ! 24 bytes successfully copied DellEMC# DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ? flash: Copy to local file system ([flash://]filepath) nfsmount: Copy to nfs mount file system (nfsmount:///filepath) running-config remote host: Destination file name [test.c]: ! 225 bytes successfully copied DellEMC#

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell EMC Networking recommends coping your running­configuration to the startup-configuration.
The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that current directory is the internal flash, which is the system default.
Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. EXEC Privilege mode
copy running-config startup-config
Save the running-configuration to an FTP server. EXEC Privilege mode
copy running-config ftp:// username:password@{hostip | hostname}/filepath/ filename
Save the running-configuration to a TFTP server. EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/ filepath/filename
48
Getting Started
Save the running-configuration to an SCP server. EXEC Privilege mode
copy running-config scp://{hostip | hostname}/ filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the
running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration. Commands in the configuration file has precedence over commands in the running configuration.

Configure the Overload Bit for a Startup Scenario

For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system.

Viewing Files

You can only view file information and content on local file systems.
To view a list of files or the contents of a file, use the following commands.
View a list of files on the internal flash. EXEC Privilege mode
dir flash:
View the running-configuration. EXEC Privilege mode
show running-config
View the startup-configuration. EXEC Privilege mode
show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
DellEMC#dir Directory of flash:
1 drw- 32768 Jan 01 1980 00:00:00 . 2 drwx 512 Jul 23 2007 00:38:44 .. 3 drw- 8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR 4 drw- 8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR 5 drw- 8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR 6 drw- 8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR 7 d--- 8192 Mar 30 1919 10:31:04 ADMIN_DIR 8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin 9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin 10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE 11 drw- 8192 Jan 01 1980 00:18:28 diag 12 -rw- 7276 Jul 20 2007 01:52:40 startup-config.bak 13 -rw- 7341 Jul 20 2007 15:34:46 startup-config 14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image 15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--
View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change” and “Startup-config last updated,” you have made changes that have not been saved and are preserved after a system reboot.
Getting Started
49
Example of the show running-config Command
DellEMC#show running-config Current Configuration ... ! Version 9.4(0.0) ! Last configuration change at Tue Mar 11 21:33:56 2014 by admin ! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default ! <output truncated for brevity>

Compressing Configuration Files

You can optimize and reduce the sizes of the configuration files.
You can compress the running configuration by grouping all the VLANs and the physical interfaces with the same property. Support to store the operating configuration to the startup config in the compressed mode and to perform an image downgrade without any configuration loss are provided.
You can create groups of VLANs using the interface group command. This command will create nonexistent VLANs specified in a range. On successful command execution, the CLI switches to the interface group context. The configuration commands inside the group context will be the similar to that of the existing range command.
Two existing exec mode CLIs are enhanced to display and store the running configuration in the compressed mode.
show running-config compressed and write memory compressed
The compressed configuration will group all the similar looking configuration thereby reducing the size of the configuration. For this release, the compression will be done only for interface related configuration (VLAN & physical interfaces)
The following table describes how the standard and the compressed configuration differ:
Table 6. Standard and Compressed Configurations
Uncompressed Compressed
DellEMC# show running-config
<snip>
!
interface TenGigabitEthernet 1/1
no ip address
switchport
shutdown
!
interface TenGigabitEthernet 1/2
no ip address
shutdown
!
interface TenGigabitEthernet 1/3
no ip address
shutdown
!
interface TenGigabitEthernet 1/4
no ip address
shutdown
!
interface TenGigabitEthernet 1/10
no ip address
DellEMC# show running-config compressed
<snip>
!
interface TenGigabitEthernet 1/1
no ip address
switchport
shutdown
!
Interface group TenGigabitEthernet 1/2 – 4 , TenGigabitEthernet 1/10
no ip address
shutdown
!
interface TenGigabitEthernet 1/34
ip address 2.1.1.1/16
shutdown
!
interface group Vlan 2 , Vlan 100
no ip address
no shutdown
!
interface group Vlan 3 – 5
50
Getting Started
Uncompressed Compressed
shutdown
!
interface TenGigabitEthernet 1/34
ip address 2.1.1.1/16
shutdown
!
interface Vlan 2
no ip address
no shutdown
!
interface Vlan 3
tagged te 1/1
no ip address
shutdown
!
interface Vlan 4
tagged te 1/1
no ip address
shutdown
!
interface Vlan 5
tagged te 1/1
no ip address
shutdown
!
interface Vlan 100
no ip address
no shutdown
!
interface Vlan 1000
ip address 1.1.1.1/16
no shutdown
Uncompressed config size – 52 lines
tagged te 1/1
no ip address
shutdown
!
interface Vlan 1000
ip address 1.1.1.1/16
no shutdown
!
<snip>
Compressed config size – 27 lines.
write memory compressed
The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode. In stacking scenario, it will also take care of syncing it to all the standby and member units.
The following is the sample output:
DellEMC#write memory compressed ! Jul 30 08:50:26: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
Getting Started
51
copy compressed-config
Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell EMC Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).

Managing the File System

The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files.
The system stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information, use the following command.
View information about each file system.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.
DellEMC#show file-systems Size(b) Free(b) Feature Type Flags Prefixes 520962048 213778432 dosFs2.0 USERFLASH rw flash: 127772672 21936128 dosFs2.0 USERFLASH rw slot0:
- - - network rw ftp:
- - - network rw tftp:
- - - network rw scp:
You can change the default file system so that file management commands apply to a particular device or memory.
To change the default directory, use the following command.
Change the default directory.
EXEC Privilege mode
cd directory

Enabling Software Features on Devices Using a Command Option

The capability to activate software applications or components on a device using a command is supported on this platform.
Starting with Release 9.4(0.0), you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface. This enables effective, streamlined management and administration of applications and utilities that run on a device. You can employ this capability to perform an on-demand activation, or turn-off a software component or protocol. A feature configuration file generated for each image contains feature names, and denotes if this enabling or disabling method is available. You can enable or disable the VRF application globally across the system by using this capability.
Activate the VRF application on a device by using the feature vrf command in CONFIGURATION mode.
NOTE: The no feature vrf command is not supported on any of the platforms.
To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must enable the VRF feature before you can configure its related attributes.
DellEMC(conf)# feature vrf
Based on if the VRF feature is identified as supported in the Feature Configuration file, configuration command feature vrf becomes available for usage. This command is stored in the running-configuration and precedes all other VRF-related configurations.
To display the state of Dell EMC Networking OS features:
DellEMC# show feature
Example of show feature output
52
Getting Started
For a particular target where VRF is enabled, the show output is similar to the following:
Feature State
-----------------------­VRF Enabled

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved to the file.
NOTE:
The timestamps display format of the show command history output changes based on the service timestamps log datetime configuration. The time format can be in uptime, local time zone time or UTC time.
If timestamp is disabled (no service timestamps log) then command history time format is shown with timestamp defaults (service timestamps log datetime localtime).
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Example 1: Default configuration service timestamps log datetime or service timestamps log datetime
localtime
DellEMC(conf)#service timestamps log datetime
DellEMC# show command-history
- Repeated 1 time. [May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console [May 17 15:41:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 15:41:45]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console [May 17 15:41:47]: CMD-(CLI):[shutdown]by default from console [May 17 15:41:50]: CMD-(CLI):[no shutdown]by default from console [May 17 15:42:42]: CMD-(CLI):[show clock]by default from console [May 17 15:42:52]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 15:43:08]: CMD-(CLI):[end]by default from console [May 17 15:43:16]: CMD-(CLI):[show logging]by default from console [May 17 15:43:22]: CMD-(CLI):[show command-history]by default from console DellEMC#
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC# show command-history
- Repeated 1 time. [May 17 15:46:44]: CMD-(CLI):[configure]by default from console
- Repeated 1 time. [May 17 10:16:53]: CMD-(CLI):[service timestamps log datetime utc]by default from console [May 17 10:17:05]: CMD-(CLI):[show clock]by default from console [May 17 10:17:20]: CMD-(CLI):[show running-config]by default from console [May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2]by default from console [May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console [May 17 10:17:34]: CMD-(CLI):[no shutdown]by default from console [May 17 10:17:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 10:17:46]: CMD-(CLI):[end]by default from console [May 17 10:17:50]: CMD-(CLI):[show logging]by default from console [May 17 10:17:56]: CMD-(CLI):[show command-history]by default from console
Example 3: service timestamps log uptime
Getting Started
53
DellEMC(conf)#service timestamps log uptime
DellEMC# show command-history
- Repeated 1 time. [May 17 10:20:37]: CMD-(CLI):[configure]by default from console
- Repeated 1 time. [1d0h24m]: CMD-(CLI):[service timestamps log uptime]by default from console [1d0h24m]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console [1d0h24m]: CMD-(CLI):[shutdown]by default from console [1d0h24m]: CMD-(CLI):[no shutdown]by default from console [1d0h25m]: CMD-(CLI):[end]by default from console [1d0h25m]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [1d0h25m]: CMD-(CLI):[show clock]by default from console [1d0h25m]: CMD-(CLI):[show version]by default from console [1d0h25m]: CMD-(CLI):[show logging]by default from console [1d0h25m]: CMD-(CLI):[show command-history]by default from console
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC# show command-history
- Repeated 1 time. [1d0h26m]: CMD-(CLI):[configure]by default from console
- Repeated 1 time. [May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console [May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
- Repeated 3 times. [May 17 15:53:22]: CMD-(CLI):[show logging]by default from console
- Repeated 1 time. [May 17 15:53:36]: CMD-(CLI):[write memory]by default from console
- Repeated 5 times. [May 17 15:53:44]: CMD-(CLI):[show logging]by default from console [May 17 15:53:53]: CMD-(CLI):[show command-history]by default from console [May 17 15:54:54]: CMD-(CLI):[end]by default from console [May 17 15:55:00]: CMD-(CLI):[show logging]by default from console [May 17 15:55:12]: CMD-(CLI):[show clock]by default from console [May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console [May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console

Upgrading Dell EMC Networking OS

To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.
You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.

Verify Software Images Before Installation

To validate the software image on the flash drive, you can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed. The validation calculates a hash value of the downloaded image file on system’s flash drive, and, optionally, compares it to a Dell EMC Networking published hash for that file.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file and comparing the result to the hash published for that file on iSupport provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, prevents the installation of corrupted or modified images.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which displays whether it matches the calculated hash of the indicated file.
To validate a software image:
1. Download Dell EMC Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file displays next to the software image file on the iSupport page.
2. Go on to the Dell EMC Networking system and copy the software image to the flash drive, using the copy command.
54
Getting Started
3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image is transferred to the system, but before you install the image, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
md5: MD5 message-digest algorithm
sha256: SHA256 Secure Hash Algorithm
flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name.
hash-value: (Optional). Specify the relevant hash published on iSupport.
img-file: Enter the name of the Dell EMC Networking software image file to validate
Examples: Without Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name
Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933

Using HTTP for File Transfers

Stating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command.
Enter the following source-file-url keywords and information:
To copy a file from the internal FLASH, enter flash:// followed by the filename.
To copy the running configuration, enter the keyword running-config.
To copy the startup configuration, enter the keyword startup-config.
To copy a file on the USB device, enter usbflash:// followed by the filename.
In the Dell EMC Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
NOTE:
You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting.
When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the ip http source- interface command to communicate with a particular interface even if no VRF is configured on that interface
To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF.
ip http vrf
NOTE:
To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up.
Getting Started
55
Configure an HTTP client with a VRF that is used to connect to the HTTP server. CONFIGURATION MODE
DellEMC(conf)#ip http vrf {management | <vrf-name>}
56 Getting Started

Management

This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Topics:
Configuring Privilege Levels
Configuring Logging
Track Login Activity
Limit Concurrent Login Sessions
Enabling Secured CLI Mode
Log Messages in the Internal Buffer
Disabling System Logging
Sending System Messages to a Syslog Server
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
LPC Bus Quality Degradation
Restoring the Factory Default Settings
Viewing the Reason for Last System Reboot
4

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level
Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and
Level 1 Access to the system begins at EXEC mode, and all commands are available.
Level 15 Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based Access Control.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.
Description
exit.
Management 57

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.

Allowing Access to Different Modes

This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes.
Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want to allow access using the privilege {interface | line | route-map | router} level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
The configuration in the following example creates privilege level 3. This level:
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE tengigabitethernet and LINE modes are allowed with no commands
Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Allow access to CONFIGURATION mode. CONFIGURATION mode
privilege exec level level configure
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command. CONFIGURATION mode
58
Management
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...|| command}
DellEMC(conf)#do show run priv ! privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface DellEMC(conf)#do telnet 10.11.80.201 [telnet output omitted] DellEMC#show priv Current privilege level is 3. DellEMC#? capture Capture packet configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC ip Global IP subcommands monitor Monitoring feature mtrace Trace reverse multicast path from destination to source ping Send echo messages quit Exit from the EXEC show Show running system information [output omitted] DellEMC#config [output omitted] DellEMC(conf)#do show priv Current privilege level is 3. DellEMC(conf)#? end Exit from configuration mode exit Exit from configuration mode interface Select an interface to configure line Configure a terminal line linecard Set line card type DellEMC(conf)#interface ? fastethernet Fast Ethernet interface gigabitethernet Gigabit Ethernet interface loopback Loopback interface managementethernet Management Ethernet interface null Null interface port-channel Port-channel interface range Configure interface range sonet SONET interface tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface DellEMC(conf)#interface tengigabitethernet 1/1 DellEMC(conf-if-te-1/1)#? end Exit from configuration mode exit Exit from interface configuration mode DellEMC(conf-if-te-1/1)#exit DellEMC(conf)#line ? aux Auxiliary line console Primary terminal line vty Virtual terminal DellEMC(conf)#line vty 0 DellEMC(config-line-vty)#? exit Exit from line configuration mode DellEMC(config-line-vty)# DellEMC(conf)#interface group ? gigabitethernet GigabitEthernet interface IEEE 802.3z tengigabitethernet TenGigabit Ethernet interface vlan VLAN keyword
Management
59
DellEMC(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1 DellEMC(conf-if-group-vl-1-2,te-1/1)# no shutdown DellEMC(conf-if-group-vl-1-2,te-1/1)# end

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt
is hostname#, rather than hostname>.

Configuring Logging

The Dell EMC Networking OS tracks changes in the system using event and error messages.
By default, Dell EMC Networking OS logs these messages on:
the internal buffer
console and terminal lines
any configured syslog servers
To disable logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs.
The following is the configuration task list for audit and security logs:
Enabling Audit and Security Logs
Displaying Audit and Security Logs
Clearing Audit Logs
60
Management
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode.
This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist of the following:
User logins to the switch.
System events for network issues or system issues.
Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.
Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:
Establishment of secure traffic flows, such as SSH.
Violations on secure flows or certificate issues.
Adding and deleting of users.
User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration)
Important Points to Remember
When you enabled RBAC and extended logging:
Only the system administrator user role can execute this command.
The system administrator and system security administrator user roles can view security events and system events.
The system administrator user roles can view audit, security, and system events.
Only the system administrator and security administrator user roles can view security logs.
The network administrator and network operator user roles can view system events.
NOTE:
Example of Enabling Audit and Security Logs
DellEMC(conf)#logging extended
If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
For information about the logging extended command, see Enabling Audit and Security Logs
Example of the show logging auditlog Command
DellEMC#show logging auditlog May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98) May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98) May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
For information about the logging extended command, see Enabling Audit and Security Logs
Example of the show logging Command for Security
DellEMC#show logging Jun 10 04:23:40: %STKUNIT0-M:CP
%SEC-5-LOGIN_SUCCESS: Login successful for user admin on
Management
61
line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
DellEMC# clear logging auditlog

Configuring Logging Format

To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log messages formats:
0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol
1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
DellEMC(conf)#logging version ? <0-1> Select syslog version (default = 0) DellEMC(conf)#logging version 1

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
DellEMC#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM. %RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:' %CHMGR-5-CARDDETECTED: Line card 0 present %CHMGR-5-CARDDETECTED: Line card 2 present %CHMGR-5-CARDDETECTED: Line card 4 present %CHMGR-5-CARDDETECTED: Line card 5 present %CHMGR-5-CARDDETECTED: Line card 8 present %CHMGR-5-CARDDETECTED: Line card 10 present %CHMGR-5-CARDDETECTED: Line card 12 present %TSM-6-SFM_DISCOVERY: Found SFM 0 %TSM-6-SFM_DISCOVERY: Found SFM 1 %TSM-6-SFM_DISCOVERY: Found SFM 2 %TSM-6-SFM_DISCOVERY: Found SFM 3 %TSM-6-SFM_DISCOVERY: Found SFM 4 %TSM-6-SFM_DISCOVERY: Found SFM 5 %TSM-6-SFM_DISCOVERY: Found SFM 6 %TSM-6-SFM_DISCOVERY: Found SFM 7 %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP %TSM-6-SFM_DISCOVERY: Found SFM 8 %TSM-6-SFM_DISCOVERY: Found 9 SFMs %CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports) %TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 5 is up %CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
62
Management
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 12 is up %IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8 %IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with the port forwarding to securely connect to a syslog server.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using following syntax:
ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is
10.16.131.141 and the listening port is 5140
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”.
Management
63
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
DellEMC(conf)# logging localhost tcp port DellEMC(conf)#logging 127.0.0.1 tcp 5140

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
You can export system logs to an external server that is connected through a different VRF.

Track Login Activity

Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login. The system stores the number of unsuccessful login attempts that have occurred in the last 30 days by default. You can change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from the configuration mode.

Restrictions for Tracking Login Activity

These restrictions apply for tracking login activity:
Only the system and security administrators can configure login activity tracking and view the login activity details of other users.
Login statistics is not applicable for login sessions that do not use user names for authentication. For example, the system does not report login activity for a telnet session that prompts only a password.

Configuring Login Activity Tracking

To enable and configure login activity tracking, follow these steps:
1. Enable login activity tracking. CONFIGURATION mode
login statistics enable
After enabling login statistics, the system stores the login activity details for the last 30 days.
2. (Optional) Configure the number of days for which the system stores the user login statistics. The range is from 1 to 30. CONFIGURATION mode
login statistics time-period days
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
DellEMC(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
DellEMC(config)#login statistics enable DellEMC(config)#login statistics time-period 12
64
Management

Display Login Statistics

To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
DellEMC#show login statistics
-----------------------------------------------------------------­User: admin Last login time: 12:52:01 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.143 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 0 Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.
DellEMC#show login statistics all
-----------------------------------------------------------------­User: admin Last login time: 08:54:28 UTC Wed Mar 23 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------------
-----------------------------------------------------------------­User: admin1 Last login time: 12:49:19 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
-----------------------------------------------------------------­User: admin2 Last login time: 12:49:27 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
-----------------------------------------------------------------­User: admin3 Last login time: 13:18:42 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2
Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
DellEMC# show login statistics user admin
-----------------------------------------------------------------­User: admin
Management
65
Last login time: 12:52:01 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.143 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 0 Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
The following is sample output of the show login statistics unsuccessful-attempts command.
DellEMC# show login statistics unsuccessful-attempts There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s).
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.
DellEMC# show login statistics unsuccessful-attempts time-period 15 There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.
DellEMC# show login statistics unsuccessful-attempts user admin There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
The following is sample output of the show login statistics successful-attempts command.
DellEMC#show login statistics successful-attempts There were 4 successful login attempt(s) for user admin in last 30 day(s).

Limit Concurrent Login Sessions

Dell EMC Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions.
By default, you can use all 10 VTY lines, one console line, and one auxiliary line. You can limit the number of available sessions using the login concurrent-session limit command and so restrict each user to that specific number of sessions. You can optionally configure the system to provide an option to the users to clear any of their existing sessions. To restrict the total amount of VTY lines using ACL, see the Denying and Permitting Access to a Terminal Line section.

Restrictions for Limiting the Number of Concurrent Sessions

These restrictions apply for limiting the number of concurrent sessions:
Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.

Configuring Concurrent Session Limit

To configure concurrent session limit, follow this procedure:
Limit the number of concurrent sessions for each user. CONFIGURATION mode
login concurrent-session limit number-of-sessions
The following example limits the permitted number of concurrent login sessions to 4.
DellEMC(config)#login concurrent-session limit 4
66
Management

Enabling the System to Clear Existing Sessions

To enable the system to clear existing login sessions, follow this procedure:
Use the following command. CONFIGURATION mode
login concurrent-session clear-line enable
NOTE: If both concurrent sessions and the maximum number of VTY lines used are the same, the next or the
following attempt will be unsuccessful and the system displays access denied message. It is not possible to attempt after clearing one of the existing sessions as user authentication has to happen first and before clearing the existing login sessions. During the next authentication attempt, the system does not allow any attempt to login since maximum VTY sessions have reached and hence no clear-line option.
NOTE: If the maximum number of VTY lines are more than the concurrent sessions and the same user is attempting
to login second time or more, the system displays the Maximum concurrent sessions for the user reached message. You are allowed to clear the existing session and login. If you do not want to clear any of the existing session, the system does not allow any attempt to login since maximum concurrent sessions have reached even though more VTY lines are available. You are allowed to login as a different user as more VTY lines are available.
The following example enables you to clear your existing login sessions.
DellEMC(config)#login concurrent-session clear-line enable
Example of Clearing Existing Sessions
When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:
$ telnet 10.11.178.14 Trying 10.11.178.14... Connected to 10.11.178.14. Escape character is '^]'. Login: admin Password: Current sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.97 Clear existing session? [line number/Enter to cancel]:
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to login.
$ telnet 10.11.178.17 Trying 10.11.178.17... Connected to 10.11.178.17. Escape character is '^]'. Login: admin Password:
Maximum concurrent sessions for the user reached. Current sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.97 4 vty 2 10.14.1.97 5 vty 3 10.14.1.97 Kill existing session? [line number/Enter to cancel]:

Enabling Secured CLI Mode

The secured CLI mode prevents the users from enhancing the permissions or promoting the privilege levels.
Enter the following command to enable the secured CLI mode: CONFIGURATION Mode
Management
67
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
Disable System Logging
Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers.
To disable system logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
You can export system logs to an external server that is connected through a different VRF.

Configuring a UNIX System as a Syslog Server

To configure a UNIX System as a syslog server, use the following command.
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log
Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log
68
Management
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location.
The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console. CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode
logging history level
Specify the size of the logging buffer. CONFIGURATION mode
logging buffered size
NOTE:
Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that Dell EMC Networking OS saves to its logging history table. CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for
Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for
Configure a UNIX Logging Facility Level.
When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
DellEMC#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM. %RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:' %CHMGR-5-CARDDETECTED: Line card 0 present
Management
69
%CHMGR-5-CARDDETECTED: Line card 2 present %CHMGR-5-CARDDETECTED: Line card 4 present %CHMGR-5-CARDDETECTED: Line card 5 present %CHMGR-5-CARDDETECTED: Line card 8 present %CHMGR-5-CARDDETECTED: Line card 10 present %CHMGR-5-CARDDETECTED: Line card 12 present %TSM-6-SFM_DISCOVERY: Found SFM 0 %TSM-6-SFM_DISCOVERY: Found SFM 1 %TSM-6-SFM_DISCOVERY: Found SFM 2 %TSM-6-SFM_DISCOVERY: Found SFM 3 %TSM-6-SFM_DISCOVERY: Found SFM 4 %TSM-6-SFM_DISCOVERY: Found SFM 5 %TSM-6-SFM_DISCOVERY: Found SFM 6 %TSM-6-SFM_DISCOVERY: Found SFM 7 %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP %TSM-6-SFM_DISCOVERY: Found SFM 8 %TSM-6-SFM_DISCOVERY: Found 9 SFMs %CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports) %TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 5 is up %CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports) %TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A %CHMGR-5-LINECARDUP: Line card 12 is up %IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8 %IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command.
Specify one of the following parameters. CONFIGURATION mode
logging facility [facility-type]
auth (for authorization messages)
cron (for system scheduler messages)
daemon (for system daemons)
kern (for kernel messages)
local0 (for local use)
local1 (for local use)
local2 (for local use)
local3 (for local use)
local4 (for local use)
local5 (for local use)
local6 (for local use)
local7 (for local use)
lpr (for line printer system messages)
mail (for mail system messages)
news (for USENET news messages)
sys9 (system use)
sys10 (system use)
sys11 (system use)
sys12 (system use)
sys13 (system use)
sys14 (system use)
syslog (for syslog messages)
user (for user programs)
uucp (UNIX to UNIX copy protocol)
70
Management
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging ! logging buffered 524288 debugging service timestamps log datetime msec service timestamps debug datetime msec ! logging trap debugging logging facility user logging source-interface Loopback 0 logging 10.10.10.4 DellEMC#

Synchronizing Log Messages

You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1. Enter LINE mode. CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Configure the following parameters for the virtual terminal lines:
number: the range is from zero (0) to 8.
end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print. LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created.
To enable timestamp, use the following command.
Add timestamp to syslog messages. CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] [utc] | uptime]
Specify the following optional parameters:
datetime: To view the timestamp in system local time that includes the local time zone.
localtime: You can add the keyword localtime to view timestamp in system local time that includes the local time zone.
show-timezone: Enter the keyword to include the time zone information in the timestamp.
msec: Enter the keyword msec to include milliseconds in the timestamp.
uptime: To view time since last boot.
utc: Enter the keyword utc to view timestamp in UTC time that excludes the local time zone.
If you do not specify a parameter, Dell EMC Networking OS configures datetime as localtime by default.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
Management
71
Example 1: Default configuration service timestamps log datetime or service timestamps log datetime
localtime
DellEMC(conf)#service timestamps log datetime
DellEMC#show clock 15:42:42.804 IST Fri May 17 2019
DellEMC# show command-history [May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console [May 17 15:41:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 15:41:45]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console [May 17 15:41:47]: CMD-(CLI):[shutdown]by default from console [May 17 15:41:50]: CMD-(CLI):[no shutdown]by default from console [May 17 15:42:42]: CMD-(CLI):[show clock]by default from console [May 17 15:42:52]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 15:43:08]: CMD-(CLI):[end]by default from console [May 17 15:43:16]: CMD-(CLI):[show logging]by default from console [May 17 15:43:22]: CMD-(CLI):[show command-history]by default from console DellEMC#
DellEMC#show logging Syslog logging: enabled Console logging: disabled Monitor logging: level debugging Buffer logging: level debugging, 7 Messages Logged, Size (40960 bytes) Trap logging: level informational Last logging buffer cleared: May 17 15:38:38 May 17 15:43:08 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console May 17 15:42:52 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default May 17 15:41:53 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1 May 17 15:41:50 %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 1/1 May 17 15:41:47 %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1 May 17 15:41:47 %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/1 May 17 15:41:40 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC#show clock 15:47:05.661 IST Fri May 17 2019
DellEMC# show command-history [May 17 10:16:53]: CMD-(CLI):[service timestamps log datetime utc]by default from console [May 17 10:17:05]: CMD-(CLI):[show clock]by default from console [May 17 10:17:20]: CMD-(CLI):[show running-config]by default from console [May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2]by default from console [May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console [May 17 10:17:34]: CMD-(CLI):[no shutdown]by default from console [May 17 10:17:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [May 17 10:17:46]: CMD-(CLI):[end]by default from console [May 17 10:17:50]: CMD-(CLI):[show logging]by default from console [May 17 10:17:56]: CMD-(CLI):[show command-history]by default from console
DellEMC# show logging Syslog logging: enabled Console logging: disabled Monitor logging: level debugging Buffer logging: level debugging, 6 Messages Logged, Size (40960 bytes) Trap logging: level informational Last logging buffer cleared: May 17 15:46:36 May 17 10:17:46 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
72
Management
May 17 10:17:40 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default May 17 10:17:37 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/2 May 17 10:17:34 %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 1/2 May 17 10:17:32 %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/2 May 17 10:17:32 %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/2
Example 3: service timestamps log uptime
DellEMC(conf)#service timestamps log uptime
DellEMC#show clock 15:51:47.534 IST Fri May 17 2019
DellEMC# show version |grep uptime Dell EMC Networking OS uptime is 1 day(s), 0 hour(s), 25 minute(s)
DellEMC# show command-history [1d0h24m]: CMD-(CLI):[service timestamps log uptime]by default from console [1d0h24m]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console [1d0h24m]: CMD-(CLI):[shutdown]by default from console [1d0h24m]: CMD-(CLI):[no shutdown]by default from console [1d0h25m]: CMD-(CLI):[end]by default from console [1d0h25m]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time. [1d0h25m]: CMD-(CLI):[show clock]by default from console [1d0h25m]: CMD-(CLI):[show version]by default from console [1d0h25m]: CMD-(CLI):[show logging]by default from console [1d0h25m]: CMD-(CLI):[show command-history]by default from console
DellEMC# show logging Syslog logging: enabled Console logging: disabled Monitor logging: level debugging Buffer logging: level debugging, 6 Messages Logged, Size (40960 bytes) Trap logging: level informational Last logging buffer cleared: May 17 15:50:31 1d0h25m %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default 1d0h25m %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console 1d0h24m %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1 1d0h24m %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 1/1 1d0h24m %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1 1d0h24m %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/1
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC#show clock 15:55:12.246 IST Fri May 17 2019
DellEMC# show command-history [May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console [May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
- Repeated 3 times. [May 17 15:53:22]: CMD-(CLI):[show logging]by default from console
- Repeated 1 time. [May 17 15:53:36]: CMD-(CLI):[write memory]by default from console
- Repeated 5 times. [May 17 15:53:44]: CMD-(CLI):[show logging]by default from console [May 17 15:53:53]: CMD-(CLI):[show command-history]by default from console [May 17 15:54:54]: CMD-(CLI):[end]by default from console [May 17 15:55:00]: CMD-(CLI):[show logging]by default from console [May 17 15:55:12]: CMD-(CLI):[show clock]by default from console
Management
73
[May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console [May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console
DellEMC# show logging Syslog logging: enabled Console logging: disabled Monitor logging: level debugging Buffer logging: level debugging, 3 Messages Logged, Size (40960 bytes) Trap logging: level informational Last logging buffer cleared: May 17 15:52:54 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default - repeated 3 times %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default

File Transfer Services

With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.
If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table. You can use the ip ftp vrf vrf-name or ip tftp vrf vrf-name command to inform the FTP or TFTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE:
To transmit large files, Dell EMC Networking recommends configuring the switch as an FTP server.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
Enable FTP Server (mandatory)
Configure FTP Server Parameters (optional)
Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command.
To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Enable FTP on the system. CONFIGURATION mode
ftp-server enable
DellEMC#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar DellEMC#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters.
To specify the system logging settings, use the following commands.
Specify the directory for users using FTP to reach the system.
74
Management
CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
username: enter a text string.
encryption-type: enter 0 for plain text or 7 for encrypted text.
password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
Enter the following keywords and the interface information:
For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport]
information.
For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
For a port channel interface, enter the keywords port-channel then a number.
For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
CONFIGURATION mode
ip ftp source-interface interface
Configure a password. CONFIGURATION mode
ip ftp password password
Enter a username to use on the FTP client. CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for
Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles.
Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs). The virtual terminal lines (VTYs) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices such as modems.

Denying and Permitting Access to a Terminal Line

Dell EMC Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
When you use the access-class access-list-name command without specifying the ipv4 or ipv6 attribute, both IPv4 as well as IPv6 rules that are defined in that ACL are applied to the terminal. This method is a generic way of configuring access restrictions.
Management
75
To be able to filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access­class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either
IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different types of access classes with each class processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, Use the following command.
Apply an ACL to a VTY line. LINE mode
access-class access-list-name [ipv4 | ipv6]
NOTE: If you already have configured generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6
specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
To view the configuration, use the show config command in LINE mode.
DellEMC(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 DellEMC(config-std-nacl)#line vty 0 DellEMC(config-line-vty)#show config line vty 0 access-class myvtyacl
DellEMC(conf-ipv6-acl)#do show run acl ! ip access-list extended testdeny seq 10 deny ip 30.1.1.0/24 any seq 15 permit ip any any ! ip access-list extended testpermit seq 15 permit ip any any ! ipv6 access-list testv6deny seq 10 deny ipv6 3001::/64 any seq 15 permit ipv6 any any ! DellEMC(conf)# DellEMC(conf)#line vty 0 0 DellEMC(config-line-vty)#access-class testv6deny ipv6 DellEMC(config-line-vty)#access-class testvpermit ipv4 DellEMC(config-line-vty)#show c line vty 0 exec-timeout 0 0 access-class testpermit ipv4 access-class testv6deny ipv6 !

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line.
A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell EMC Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable
line
local
76 Management
Prompt for the enable password.
Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the password command from LINE mode.
Prompt for the system username and password.
none
radius
tacacs+
1.
Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is
CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line. CONFIGURATION mode
login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line. LINE mode
password
In the following example, VTY lines 0-2 use a single authentication method, line.
DellEMC(conf)#aaa authentication login myvtymethodlist line DellEMC(conf)#line vty 0 2 DellEMC(config-line-vty)#login authentication myvtymethodlist DellEMC(config-line-vty)#password myvtypassword DellEMC(config-line-vty)#show config line vty 0 password myvtypassword login authentication myvtymethodlist line vty 1 password myvtypassword login authentication myvtymethodlist line vty 2 password myvtypassword login authentication myvtymethodlist DellEMC(config-line-vty)#
Do not authenticate the user.
Prompt for a username and password and use a RADIUS server to authenticate.
Prompt for a username and password and use a TACACS+ server to authenticate.
local and the default method list is empty.

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines.
To set timeout, use the following commands.
Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the timeout period to 0.
LINE mode
exec-timeout minutes [seconds]
Return to the default timeout values. LINE mode
no exec-timeout
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode.
DellEMC(conf)#line con 0 DellEMC(config-line-console)#exec-timeout 0 DellEMC(config-line-console)#show config line console 0 exec-timeout 0 0 DellEMC(config-line-console)#
Management
77

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in
a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
Telnet to a device with an IPv4 or IPv6 address.
• EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, Dell EMC Networking OS enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
DellEMC# telnet 10.11.80.203 Trying 10.11.80.203... Connected to 10.11.80.203. Exit character is '^]'. Login: Login: admin Password: DellEMC>exit DellEMC#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin DellEMC#

Lock CONFIGURATION Mode

Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of lockst: auto and manual.
Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto­lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
DellEMC(conf)#configuration mode exclusive auto BATMAN(conf)#exit 3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
DellEMC#config ! Locks configuration mode exclusively. DellEMC(conf)#
78
Management
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode.
If any user is already in CONFIGURATION mode when while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and
then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.

LPC Bus Quality Degradation

LPC Bus Quality Analyzer (LBQA) runs on the system that make use of the LPC bus. It constantly monitors the LPC bus and alerts or warns the user using following methods when it detects signal degradation:
1. The system displays a high priority syslog message. The text of this syslog is CPU Clock signal has degraded below
acceptable threshold on stack-unit <stack-unit-number> with service tag <service tag>. Please contact Technical Support. On chassis platforms, the text is CPU Clock signal has degraded below acceptable threshold on Line card <line card number> with service tag <service tag>. Please contact Technical Support. This syslog continues to show every 30 minutes. An SNMP trap with this information is also
generated every hour.
2. If SupportAssist is enabled - it sends the event message to the global SupportAssist server immediately and there after once in two days, so Dell can assist in pro-actively notifying and assisting customers.
3. System Status LED changes to an alarm state, blinking amber for S3048–ON, S6100–ON and Z9100–ON, and solid amber for C9000. It is not possible to suppress this LED pattern until the unit is switched off (for RMA).
4. The switch (control/management/data plane) continues to be active.
NOTE:
master or standby (as in case of S3048-ON).
This is true even if the unit is the master (in a HA chassis environment – as in the case of RPM) or a Stack
LBQA (LPC Bus Quality Analyzer) Failure Detection mode
The following functions are performed as a part of this mode:
1. The LBQA will be started as part of FTOS application init (typically as a poller in sysd).
2. The LBQA will run as a fast poller (typically 1 sec) in failure detection mode.
3. During every fast poll cycle, LBQA will be the first poller to run.
4. In failure detection mode, the LBQA will issue a single IOCTL for each poll interval, which may in-turn issue multiple LPC operations (write & read-back) to check the sanity of the LPC bus using the scratch register.
5. The LBQA will use an extended walking 1s/0s test along with a pattern based test (0x00, 0x55, 0xAA, 0xFF) that is staggered across several polls.
6. The LBQA will limit each sanity check to a maximum of 16 operations (read + write).
7. LBQA will use a variable number of sanity checks over time, it would perform at least 1 check during every poll interval but will perform 8 checks during a signal poll once in 5 seconds.
8. The LBQA can be disabled on a system wide basis (i.e all stack-units or line cards as applicable) through a CLI command.

Restoring the Factory Default Settings

Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as, stacking or fanout.
To restore the factory default settings, use the restore factory-defaults stack-unit {stack—unit—number | all} {clear-all | nvram | bootvar} command in EXEC Privilege mode.
CAUTION:
There is no undo for this command.
Management 79
Important Points to Remember
When you restore all the units in a stack, these units are placed in standalone mode.
When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected.
When you restore the units in standalone mode, the units remain in standalone mode after the restoration.
After the restore is complete, the units power cycle immediately.
The following example illustrates the restore factory-defaults command to restore the factory default settings.
DellEMC#restore factory-defaults stack-unit 1 nvram
*********************************************************************** * Warning - Restoring factory defaults will delete the existing * * persistent settings (stacking, fanout, etc.) * * After restoration the unit(s) will be powercycled immediately. * * Proceed with caution ! * ***********************************************************************
Proceed with factory settings? Confirm [yes/no]:yes
-- Restore status -­Unit Nvram Config
-----------------------­ 1 Success
Power-cycling the unit(s).
....

Restoring Factory Default Environment Variables

The Boot line determines the location of the image that is used to boot up the chassis after restoring factory default settings. Ideally, these locations contain valid images, using which the chassis boots up.
When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
When you use the flash boot procedure to boot the device, the boot loader checks if the primary or the secondary partition contains a valid image. If the primary partition contains a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null String. If the secondary partition contains a valid image, then the primary boot line is set to B: and the secondary and default boot lines are set to a Null String. If both the partitions contain invalid images, then primary, secondary, and default boot line values are set to a Null string.
When you use the Network boot procedure to boot the device, the boot loader checks if the primary partition contains a valid image. If a valid image exists on the primary partition and the secondary partition does not contain a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null string. If the secondary partition also contains a valid image, then the primary boot line value is set to the partition that is configured to be used to boot the device in a network failure scenario. The secondary and default boot line values are set to a Null string.
Important Points to Remember
The Chassis remains in boot prompt if none of the partitions contain valid images.
To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
In case the system fails to reload the image from the partition, perform the following steps:
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. Hit any key to abort the boot process. You enter uBoot immediately, the => prompt indicates success.
(during bootup)
press any key
3. Assign the new location to the Dell EMC Networking OS image it uses when the system reloads.
uBoot mode
=> setenv primary_boot f10boot
Boot variable (f10boot) can take the following values:
flash0 — to boot from flash partition A.
80
Management
flash1 — to boot from flash partition B.
tftp://server-ip/image-file-name — to boot from the network.
4. Assign an IP address to the Management Ethernet interface.
uBoot mode
=> setenv ipaddr ip_address
For example, 10.16.150.105.
=> setenv netmask mask
For example, 255.255.0.0.
5. Assign an IP address as the default gateway for the system.
uBoot mode
=> setenv gatewayip gateway_ip_address
For example, 10.16.150.254.
6. Save the modified environmental variables.
uBoot mode
=> saveenv
7. Reload the system.
uBoot mode
reset

Viewing the Reason for Last System Reboot

You can view the reason for the last system reboot. To view the reason for the last system reboot, follow this procedure:
Use the following command to view the reason for the last system reboot: EXEC or EXEC Privilege mode
show reset-reason [stack-unit {unit-number | all}]
Enter the stack-unit keyword and the stack unit number to view the reason for the last system reboot for that stack unit.
Enter the stack-unit keyword and the keyword all to view the reason for the last system reboot of all stack units in the stack.
DellEMC#show reset-reason Cause : Reset by User through CLI command Reset Time: 11/05/2017-08:36
DellEMC# show reset-reason stack-unit 1 Cause : Reset by User through CLI command Reset Time: 11/05/2017-08:36
Management
81
5

802.1X

802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN
or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example).
802.1X employs Extensible Authentication Protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS)
using a mandatory intermediary network access device, in this case, a Dell EMC Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell EMC Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-
TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS
Figure 4. EAP Frames Encapsulated in Ethernet and RADUIS
The authentication process involves three devices:
82 802.1X
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell EMC Networking switch is the authenticator.
The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Dell EMC Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
Port-Authentication Process
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs

Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
802.1X
83
Figure 5. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
Calling-station-id: relays the supplicant MAC address to the authentication server.

Configuring 802.1X

Configuring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.
84
802.1X
Related Configuration Tasks
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN

Important Points to Remember

Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.
The NAS-Port-Type attribute indicates the type of the physical port of the NAS which is authenticating the user. It is used in Access­Request packets. The value of this attribute is set as Ethernet (15) for both EAP and MAB supplicants.

Enabling 802.1X

Enable 802.1X globally.
Figure 7. 802.1X Enabled
802.1X
85
1. Enable 802.1X globally. CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only. INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
In the following example, the bold lines show that 802.1X is enabled.
DellEMC#show running-config | find dot1x
dot1x authentication
! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address
dot1x authentication
no shutdown ! DellEMC#
To view 802.1X configuration information for an interface, use the show dot1x interface command.
In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default.
DellEMC#show dot1x interface TenGigabitEthernet 2/1/
802.1x information on Te 2/1/:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable Untagged VLAN id: None Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE Mac-Auth-Bypass: Disable Mac-Auth-Bypass Only: Disable Tx Period: 30 seconds Quiet Period: 60 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 2 Host Mode: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize

Configuring Request Identity Re-Transmissions

When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame.
The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re­transmits can be configured.
86
802.1X
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been
booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year) The default is 30.
Configure the maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10. The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits for 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period.
NOTE:
Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure a quiet period, use the following command.
Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication. INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535. The default is 60 seconds.
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
DellEMC(conf-if-range-Te-2/1)#dot1x tx-period 90 DellEMC(conf-if-range-Te-2/1)#dot1x max-eap-req 10 DellEMC(conf-if-range-Te-2/1)#dot1x quiet-period 120 DellEMC#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
----------------------------­Dot1x Status: Enable Port Control: AUTO Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize
The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request
802.1X
87

Forcibly Authorizing or Unauthorizing a Port

The 802.1X ports can be placed into any of the three states:
ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is same as disabling 802.1X on the port.
ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
DellEMC(conf-if-Te-1/1)#dot1x port-control force-authorized DellEMC(conf-if-Te-1/1)#show dot1x interface TenGigabitEthernet 1/1
802.1x information on Te 1/1:
----------------------------­Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication.
After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can configure this interval. You can configure the maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands:
Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000. The default is 3600.
Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode
dot1x reauth-max number
88
802.1X
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
DellEMC(conf-if-Te-1/1)#dot1x reauthentication interval 7200 DellEMC(conf-if-Te-1/1)#dot1x reauth-max 10 DellEMC(conf-if-Te-1/1)#do show dot1x interface TenGigabitEthernet 1/1
802.1x information on Te 1/1:
----------------------------­Dot1x Status: Enable Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
To terminate the authentication process, use the following commands:
Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300. The default is 30.
Terminate the authentication process due to an unresponsive authentication server. INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300. The default is 30.
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
DellEMC(conf-if-Te-1/1)#dot1x port-control force-authorized DellEMC(conf-if-Te-1/1)#do show dot1x interface TenGigabitEthernet 1/1
802.1x information on Te 1/1:
----------------------------­Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE
802.1X
89
Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10
Supplicant Timeout: 15 seconds Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds Max-EAP-Req: 10
Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize
Enter the tasks the user should do after finishing this task (optional).

Configuring Dynamic VLAN Assignment with Port Authentication

Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X.
The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell EMC Networking system
2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel­Private-Group-ID
The illustration shows the configuration on the Dell EMC Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 8. Dynamic VLAN Assignment
90
802.1X
1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with
Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE:
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN
802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Ports cannot be dynamically assigned to the default VLAN.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE:
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
DellEMC(conf-if-Te-2/1)#dot1x guest-vlan 200 DellEMC(conf-if-Te 2/1))#show config ! interface TenGigabitEthernet 2/1 switchport dot1x guest-vlan 200 no shutdown DellEMC(conf-if-Te 2/1))#
For more information about configuring timeouts, refer to Configuring Timeouts.

Configuring an Authentication-Fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE:
Authentication.
For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process as specified number of times using the dot1x auth- fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword
max-attempts with this command.
802.1X
91
Example of Configuring Maximum Authentication Attempts
DellEMC(conf-if-Te-2/1)#dot1x guest-vlan 200 DellEMC(conf-if-Te 2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown DellEMC(conf-if-Te-2/1)#
DellEMC(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 DellEMC(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown DellEMC(conf-if-Te-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest
VLAN or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Configured Authentication
802.1x information on Te 2/1:
----------------------------­Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None
Guest VLAN: Disabled Guest VLAN id: 200 Auth-Fail VLAN: Disabled Auth-Fail VLAN id: 100 Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10 Supplicant Timeout: 15 seconds Server Timeout: 15 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST
Auth PAE State: Initialize Backend State: Initialize
92
802.1X
6
Access Control List (ACL) VLAN Groups and
Content Addressable Memory (CAM)

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
To avoid using too much CAM space, configure ACL VLAN groups into a single group. A class identifier (Class ID) is assigned for each of the ACLs attached to the VLAN and this Class ID is used as an identifier or locator in the CAM space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM area and saves memory space by using the Class ID for filtering in CAM instead of the VLAN ID.
When you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and you use more CAM space. To maximize CAM space, create an ACL VLAN group and attach the ACL with the VLAN members.
The ACL manager application on the router processor (RP1) contains all the state information about all the ACL VLAN groups that are present. The ACL handler on the control processor (CP) and the ACL agent on the line cards do not contain any information about the group. After you enter the acl-vlan-group command, the ACL manager application performs the validation. If the command is valid, it is processed and sent to the agent, if required. If a configuration error is found or if the maximum limit has exceeded for the ACL VLAN groups present on the system, an error message displays. After you enter the acl-vlan-group command, the ACL manager application verifies the following parameters:
Whether the CAM profile is set in virtual flow processing (VFP).
Whether the maximum number of groups in the system is exceeded.
Whether the maximum number of VLAN numbers permitted per ACL group is exceeded.
When a VLAN member that is being added is already a part of another ACL group.
After these verification steps are performed, the ACL manager considers the command valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases:
A VLAN member is added or removed from a group and previously associated VLANs exist in the group.
The egress ACL is applied or removed from the group and the group contains VLAN members.
VLAN members are added or deleted from a VLAN, which itself is a group member.
A line card returns to the active state after going down and this line card contains a VLAN that is a member of an ACL group.
The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
The ACL VLAN group is created.
The ACL VLAN group is deleted and it does not contain VLAN members.
The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN Groups

Keep the following points in mind when you configure ACL VLAN groups:
The interfaces where you apply the ACL VLAN group function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering.
You can add only one ACL to an interface at a time.
When you attach an ACL VLAN group to the same interface, validation performs to determine whether the ACL is applied directly to an interface. If you previously applied an ACL separately to the interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) 93

The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization, and so on) can be allocated virtual flow processing slices at a time.
Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
If you enable the ACL VLAN group capability, you cannot view the statistical details of ACL rules per VLAN and per interface. You can only view the counters per ACL only using the
Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.
If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby saving CAM space. Enable optimization using the optimized option in the
access-group command. This option is not valid for VLAN and link aggregation group (LAG) interfaces.
show ip accounting access list command.
ip

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters

This section describes how to optimize CAM blocks by configuring ACL VLAN groups that you can attach to VLAN interfaces. It also describes how to configure FP blocks for different VLAN operations.

Configuring ACL VLAN Groups

You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group.
1. Create an ACL VLAN group. CONFIGURATION mode
acl-vlan-group {group name}
2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
4. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name. CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group name | detail}
DellEMC#show acl-vlan-group detail
Group Name : TestGroupSeventeenTwenty
Vlan Members : 100,200,300
Group Name : CustomerNumberIdentificationEleven
Vlan Members : 2-10,99
Group Name : HostGroup
Vlan Members :
94
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
1,1000 DellEMC#

Configuring FP Blocks for VLAN Parameters

To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in VLAN contentaware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default. You also must allocate the slices for CAM optimization.
1. Allocate the number of FP blocks for VLAN operations. CONFIGURATION mode
cam-acl-vlan vlanopenflow <0-2>
2. Allocate the number of FP blocks for VLAN iSCSI counters. CONFIGURATION mode
cam-acl-vlan vlaniscsi <0-2>
3. Allocate the number of FP blocks for ACL VLAN optimization. CONFIGURATION mode
cam-acl-vlan vlanaclopt <0-2>
4. View the number of FP blocks that is allocated for the different VLAN services. EXEC Privilege mode
DellEMC#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|============|============|============= 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 Codes: * - cam usage is above 90%.

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub- partitions) using
show cam-usage command in EXEC Privilege mode.
the
Display Layer 2, Layer 3, ACL, or all CAM usage statistics. EXCE Privilege mode
show cam usage [acl | router | switch]
The following output shows CAM blocks usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
DellEMC#show cam-usage Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-L3 ECMP GRP | 1024 | 0 | 1024 | | IN-L3 FIB | 49152 | 3 | 49149 | | IN-V6 ACL | 0 | 0 | 0 | | IN-NLB ACL | 0 | 0 | 0 | | IPMAC ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 2 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-L3 FIB | 49152 | 3 | 49149 | | IN-V6 ACL | 0 | 0 | 0 | | IN-NLB ACL | 0 | 0 | 0 | | IPMAC ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 3 | 0 | IN-L2 ACL | 1536 | 0 | 1536
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
95
| | IN-L3 ACL | 1024 | 1 | 1023 | | IN-L3 FIB | 49152 | 3 | 49149 | | IN-V6 ACL | 0 | 0 | 0 | | IN-NLB ACL | 0 | 0 | 0 | | IPMAC ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 Codes: * - cam usage is above 90%.
The following output displays CAM space usage when you configure Layer 2 and Layer 3 ACLs:
DellEMC#show cam-usage acl Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-L3 ECMP GRP | 1024 | 0 | 1024 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 2 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 3 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L2 ACL | 206 | 9 | 197 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 Codes: * - cam usage is above 90%.
The following output displays CAM space usage for Layer 2 ACLs:
DellEMC#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 2 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 3 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 | | IN-L3 ECMP GRP | 1024 | 0 | 1024 Codes: * - cam usage is above 90%.
The following output displays CAM space usage for Layer 3 ACLs:
DellEMC#show cam-usage router Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 1 | 0 | IN-L3 FIB | 49152 | 3 | 49149 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-L3 ECMP GRP | 1024 | 0 | 1024 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 2 | 0 | IN-L3 FIB | 49152 | 3 | 49149 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L3 ACL | 178 | 9 | 169 | | OUT-V6 ACL | 178 | 4 | 174 3 | 0 | IN-L3 FIB | 49152 | 3 | 49149 | | IN-L3 ACL | 1024 | 1 | 1023 | | IN-V6 ACL | 0 | 0 | 0 | | OUT-L3 ACL | 178 | 9 | 169
96
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
| | OUT-V6 ACL | 178 | 4 | 174 Codes: * - cam usage is above 90%.

Allocating FP Blocks for VLAN Processes

The VLAN contentaware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups. Of the two dynamic groups, you can allocate zero, one, or two FP blocks to and ACL Optimization.
You can configure only two of these features at a time.
To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlanopenflow <0-2> command.
To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command.
To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default. You must also allocate the slices for CAM optimization.
To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage. During CAM initialization, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
iSCSI Counters, Open Flow,

Unified Forwarding Table (UFT) Modes

Unified Forwarding Table (UFT) consolidates the resources of several search tables (Layer 2, Layer 3 Hosts, and Layer 3 Route [Longest Prefix Match — LPM]) into a single flexible resource. Dell EMC Networking OS supports several UFT modes to extract the forwarding tables, as required. By default, Dell EMC Networking OS initializes the table sizes to UFT mode 2 profile, since it provides a reasonable shared memory for all the tables. The other supported UFT modes are scaled-l3–hosts (UFT mode 3) and scaled-l3–routes (UFT mode
4).

Configuring UFT Modes

To configure the Unified Forwarding Table (UFT) modes, follow these steps.
1. Select a mode to initialize the maximum scalability size for L2 MAC table or L3 Host table or L3 Route table. CONFIGURATION
hardware forwarding-table mode
DellEMC(conf)#hardware forwarding-table mode ? scaled-l3-hosts Forwarding table mode for scaling L3 host entries scaled-l3-routes Forwarding table mode for scaling L3 route entries DellEMC(conf)# DellEMC(conf)#hardware forwarding-table mode scaled-l3-hosts Hardware forwarding-table mode is changed. Save the configuration and reload to take effect. DellEMC(conf)#end DellEMC#write mem ! 01:13:36: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
DellEMC(conf)# DellEMC(conf)#end DellEMC#01:13:44: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console
DellEMC#
2. Display the hardware forwarding table mode in the current boot and in the next boot. EXEC Privilege
show hardware forwarding-table mode
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
97
7

Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to
User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory (CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of the parameters. Using this new capability, you can also configure VRF based ACLs on interfaces.
NOTE:
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to configure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to allocate a CAM region: vrfv4acl.
The order of priority for configuring user-defined ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
VRF based IMPLICIT DENY Rules
NOTE:
permit option.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for configuring ACLs on interfaces. The VRF range is from 1 to 511. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
You can apply Layer 3 VRF-aware ACLs only at the ingress level.
In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an implicit-
NOTE:
You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.
Topics:
IP Access Control Lists (ACLs)
Important Points to Remember
IP Fragment Handling
Configure a Standard IP ACL
Configure an Extended IP ACL
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
98 Access Control Lists (ACLs)
Applying an IP ACL
Configure Ingress ACLs
Configure Egress ACLs
IP Prefix Lists
ACL Remarks
ACL Resequencing
Route Maps
Logging of ACL Processes
Flow-Based Monitoring
Configuring UDF ACL
Configuring IP Mirror Access Group

IP Access Control Lists (ACLs)

In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the following criteria:
IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number
For more information about ACL options, refer to the Dell EMC Networking OS Command Reference Guide.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell EMC Networking Operating System (OS) assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the
Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs and on all platforms.
show config and show ip accounting access-list commands.
NOTE:
Hot lock ACLs are supported for Ingress ACLs only.

CAM Usage

The following section describes CAM allocation and CAM optimization.
User Configurable CAM Allocation
CAM Optimization
User Configurable CAM Allocation
Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.)
Enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
If you want to configure ACL's on VRF instances, you must allocate a CAM region using the vrfv4acl option in the cam-acl command.
Save the new CAM settings to the startup-config (use write-mem or copy run start) then reload the system for the new settings to take effect.
Access Control Lists (ACLs)
99
CAM Optimization
When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter.
Test CAM Usage
This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command. The status column indicates whether you can enable the policy.
Example of the test cam-usage Command
DellEMC#test cam-usage service-policy input asd stack-unit 1 port-set 0
Stack-unit|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
-------------------------------------------------------------------------­ 1| 1| IPv4Flow| 232| 0|Allowed DellEMC#

Implementing ACLs on Dell EMC Networking OS

You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software.
The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected. This is applicable to the following features:
L2 Ingress Access list
L2 Egress Access list
In the Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is lesser than what is required for your set of ACL rules. Effective with the Dell EMC Networking OS version 9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule. This behavior is applicable for IPv4 and IPv6 ingress and egress ACLs.
NOTE:
packets destined for the local device which the CPU needs to process. The system access lists always override the user configured access lists. Even if you configure ACL to block certain hosts, control plane protocols such as, ARP, BGP, LACP, VLT, VRRP and so on, associated with such hosts cannot be blocked.
System access lists (system-flow entries) are pre-programmed in the system for lifting the control-plane
Assigning ACLs to VLANs
When you apply an ACL to a VLAN using single port-pipe, a copy of the ACL entries gets installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. When you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each port belonging to a port-pipe.
You can use the log keyword to log the details about the packets that match. The control processor becomes busy based on the number of packets that match the log entry and the rate at which the details are logged in. However, the route processor (RP) is unaffected. You can use this option for debugging issues related to control traffic.
ACL Optimization
If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries to identify whether the access list is a standard or extended ACL.
100
Access Control Lists (ACLs)
Loading...