Dell PowerSwitch S5048F-ON User Manual

Dell EMC Networking OS Configuration Guide for the S5048F-ON System
9.14.2.4
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Other trademarks may be trademarks of their respective owners.
2019 - 11
Rev. A00
Contents
1 About this Guide
Audience
Conventions
Related Documents
2 Configuration Fundamentals
Accessing the Command Line
CLI Modes
Navigating CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Configuration Mode
Configuring alias command
Viewing alias configuration
3 Getting Started
Console Access
Serial Console
Micro USB-B Access
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Configure the Management Port IP Address
Configure a Management Route
Configuring a Username and Password
Configuring the Enable Password
Configuration File Management
Copy Files to and from the System
Mounting an NFS File System
Save the Running-Configuration
Configure the Overload Bit for a Startup Scenario
Viewing Files
Managing the File System
View Command History
Upgrading Dell EMC Networking OS
Using HTTP for File Transfers
Verify Software Images Before Installation
4 Management
Configuring Privilege Levels
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to Different Modes
Applying a Privilege Level to a Username
Applying a Privilege Level to a Terminal Line
Configuring Logging
Audit and Security Logs
Configuring Logging Format
Setting Up a Secure Connection to a Syslog Server
Log Messages in the Internal Buffer
Disabling System Logging
Sending System Messages to a Syslog Server
Configuring a UNIX System as a Syslog Server
Track Login Activity
Restrictions for Tracking Login Activity
Configuring Login Activity Tracking
Display Login Statistics
Limit Concurrent Login Sessions
Restrictions for Limiting the Number of Concurrent Sessions
Configuring Concurrent Session Limit
Enabling the System to Clear Existing Sessions
Enabling Secured CLI Mode
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Enabling the FTP Server
Configuring FTP Server Parameters
Configuring FTP Client Parameters
Terminal Lines
Denying and Permitting Access to a Terminal Line
Configuring Login Authentication for Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
Reloading the system
Restoring the Factory Default Settings
Restoring Factory Default Environment Variables
5 802.1X
Port-Authentication Process
EAP over RADIUS
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring dot1x Profile
Configuring the Static MAB and MAB Profile
Configuring Critical VLAN
Configuring MAC addresses for a dot1x Profile
Configuring Request Identity Re-Transmissions
Configuring a Quiet Period after a Failed Authentication
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
Guidelines for Configuring ACL VLAN Groups
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters
Configuring ACL VLAN Groups
Configuring FP Blocks for VLAN Parameters
Viewing CAM Usage
Allocating FP Blocks for VLAN Processes
ACL Optimization to Increase Number of Supported IPv4 ACLs
Optimizing ACL for More Number of IPv4 ACL Rules
7 Access Control Lists (ACLs)
IP Access Control Lists (ACLs)
CAM Usage
Implementing ACLs on Dell EMC Networking OS
Configure ACL Range Profiles
Important Points to Remember
Configuration Task List for Route Maps
Configuring Match Routes
Configuring Set Conditions
Configure a Route Map for Route Redistribution
Configure a Route Map for Route Tagging
Continue Clause
IP Fragment Handling
IP Fragments ACL Examples
Layer 4 ACL Rules Examples
Configure a Standard IP ACL
Configuring a Standard IP ACL Filter
Configure an Extended IP ACL
Configuring Filters with a Sequence Number
Configuring Filters Without a Sequence Number
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
Applying an IP ACL
Counting ACL Hits
Configure Ingress ACLs
Configure Egress ACLs
Applying Egress Layer 3 ACLs (Control-Plane)
Configuring UDF ACL
IP Prefix Lists
Configuration Task List for Prefix Lists
ACL Resequencing
Resequencing an ACL or Prefix List
Route Maps
8 Bidirectional Forwarding Detection (BFD)
How BFD Works
BFD Packet Format
BFD Sessions
BFD Three-Way Handshake
Session State Changes
Important Points to Remember
Configure BFD
Configure BFD for Physical Ports
Configure BFD for Static Routes
Configure BFD for OSPF
Configure BFD for OSPFv3
Configure BFD for IS-IS
Configure BFD for BGP
Configure BFD for VRRP
Configuring Protocol Liveness
Troubleshooting BFD
9 Border Gateway Protocol (BGP)
BGP IP version 4 (BGPv4) Overview
BGP Autonomous Systems
AS4 Number Representation
Four-Byte AS Numbers
BGP router ID
Sessions and Peers
Establish a Session
BGP Attributes for selecting Best Path
Multiprotocol BGP
BGP global and address family configuration
Implement BGP with Dell EMC Networking OS
Configuration Information
Basic BGP configuration tasks
Prerequisite for configuring a BGP network
Restrictions
Enabling BGP
Enabling four-byte autonomous system numbers
Changing a BGP router ID
Configuring AS4 Number Representations
Configuring a BGP peer
Example-Configuring BGP routing between peers
BGP peer group
Advanced BGP configuration tasks
Route-refresh and Soft-reconfiguration
Aggregating Routes
Filtering BGP
Configuring BGP Fast Fall-Over
Configuring Passive Peering
Enabling Graceful Restart
Redistributing Routes
Enabling Additional Paths
Configuring IP Community Lists
Configuring an IP Extended Community List
Configure BGP attributes
Enabling Multipath
Route Reflectors
Enabling Route Flap Dampening
Changing BGP keepalive and hold timers
Setting the extended timer
Enabling or disabling BGP neighbors
Route Map Continue
Configuring BGP Confederations
Configuring a BGP VRF address family
Maintaining Existing AS Numbers During an AS Migration....................................................................................209
Allowing an AS Number to Appear in its Own AS Path...........................................................................................210
Enabling MBGP Configurations...................................................................................................................................211
MBGP support for IPv6............................................................................................................................................... 211
Configuring IPv6 MBGP between peers....................................................................................................................211
Example-Configuring IPv4 and IPv6 neighbors........................................................................................................212
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor............................................. 214
BGP Regular Expression Optimization...................................................................................................................... 215
Debugging BGP............................................................................................................................................................216
10 Content Addressable Memory (CAM)........................................................................................ 218
CAM Allocation...................................................................................................................................................................218
Test CAM Usage...............................................................................................................................................................220
View CAM-ACL Settings..................................................................................................................................................220
View CAM Usage............................................................................................................................................................... 221
CAM Optimization.............................................................................................................................................................222
Troubleshoot CAM Profiling.............................................................................................................................................222
QoS CAM Region Limitation...................................................................................................................................... 222
Syslog Error When the Table is Full.......................................................................................................................... 222
Syslog Warning Upon 90 Percent Utilization of CAM............................................................................................223
Syslog Warning for Discrepancies Between Configured Extended Prefixes.......................................................223
Unified Forwarding Table (UFT) Modes.........................................................................................................................223
Configuring UFT Modes............................................................................................................................................. 223
11 Control Plane Policing (CoPP).................................................................................................. 225
Configure Control Plane Policing.....................................................................................................................................226
Configuring CoPP for Protocols................................................................................................................................ 227
Configuring CoPP for CPU Queues..........................................................................................................................228
Protocol to CPU Queue Mapping............................................................................................................................. 229
Configuring Protocol to CPU Queue Mapping........................................................................................................ 230
Displaying CoPP Configuration .................................................................................................................................230
12 Data Center Bridging (DCB)..................................................................................................... 233
Ethernet Enhancements in Data Center Bridging.........................................................................................................233
Priority-Based Flow Control.......................................................................................................................................234
Enhanced Transmission Selection.............................................................................................................................235
Data Center Bridging Exchange Protocol (DCBx)..................................................................................................236
Data Center Bridging in a Traffic Flow..................................................................................................................... 237
Buffer Organization.....................................................................................................................................................237
Enabling Data Center Bridging........................................................................................................................................ 240
DCB Maps and its Attributes..................................................................................................................................... 240
Data Center Bridging: Default Configuration..................................................................................................................241
Configuring Priority-Based Flow Control........................................................................................................................ 241
Configuring Lossless Queues..................................................................................................................................... 242
Configuring PFC in a DCB Map.......................................................................................................................................243
Applying a DCB Map on a Port........................................................................................................................................244
Configuring PFC without a DCB Map............................................................................................................................ 245
Priority-Based Flow Control Using Dynamic Buffer Method.......................................................................................246
Shared headroom for lossless or PFC packets..............................................................................................................247
Configuring Shared Head Room Buffer....................................................................................................................249
Viewing Shared Head Room Usage.......................................................................................................................... 249
Monitoring Buffer Statistics for Tracking Purposes............................................................................................... 249
Behavior of Tagged Packets........................................................................................................................................... 250
Configuration Example for DSCP and PFC Priorities...................................................................................................250
SNMP Support for PFC and Buffer Statistics Tracking...............................................................................................251
Performing PFC Using DSCP Bits Instead of 802.1p Bits............................................................................................ 251
PFC and ETS Configuration Examples...........................................................................................................................253
Using PFC to Manage Converged Ethernet Traffic.....................................................................................................253
Operations on Untagged Packets...................................................................................................................................253
Generation of PFC for a Priority for Untagged Packets..............................................................................................253
Configure Enhanced Transmission Selection................................................................................................................ 253
Creating an ETS Priority Group.................................................................................................................................253
ETS Operation with DCBx..........................................................................................................................................254
Configuring ETS in a DCB Map................................................................................................................................. 255
Hierarchical Scheduling in ETS Output Policies............................................................................................................ 256
Using ETS to Manage Converged Ethernet Traffic..................................................................................................... 256
Applying DCB Policies in a Switch Stack....................................................................................................................... 256
Configure a DCBx Operation........................................................................................................................................... 257
DCBx Operation...........................................................................................................................................................257
DCBx Port Roles..........................................................................................................................................................257
DCB Configuration Exchange....................................................................................................................................258
Configuration Source Election...................................................................................................................................259
Propagation of DCB Information...............................................................................................................................259
Auto-Detection and Manual Configuration of the DCBx Version......................................................................... 259
DCBx Example............................................................................................................................................................. 260
DCBx Prerequisites and Restrictions........................................................................................................................260
Configuring DCBx........................................................................................................................................................260
Verifying the DCB Configuration.....................................................................................................................................263
QoS dot1p Traffic Classification and Queue Assignment..............................................................................................271
Configuring the Dynamic Buffer Method........................................................................................................................271
Sample DCB Configuration.............................................................................................................................................. 272
13 Dynamic Host Configuration Protocol (DHCP)........................................................................... 274
DHCP Packet Format and Options.................................................................................................................................274
Assign an IP Address using DHCP.................................................................................................................................. 275
Implementation Information............................................................................................................................................. 276
Configure the System to be a DHCP Server................................................................................................................. 277
Configuring the Server for Automatic Address Allocation..................................................................................... 277
Specifying a Default Gateway....................................................................................................................................278
Configure a Method of Hostname Resolution......................................................................................................... 278
Using DNS for Address Resolution............................................................................................................................278
Using NetBIOS WINS for Address Resolution......................................................................................................... 279
Creating Manual Binding Entries............................................................................................................................... 279
Debugging the DHCP Server.....................................................................................................................................279
Using DHCP Clear Commands.................................................................................................................................. 279
Configure the System to be a DHCP Client.................................................................................................................. 280
Configuring the DHCP Client System.......................................................................................................................280
DHCP Client on a Management Interface................................................................................................................ 281
DHCP Client Operation with Other Features.......................................................................................................... 282
Configuring DHCP relay source interface......................................................................................................................282
Global DHCP relay source IPv4 or IPv6 configuration ...........................................................................................282
Interface level DHCP relay source IPv4 or IPv6 configuration .............................................................................283
Configure Secure DHCP.................................................................................................................................................. 284
Option 82 (DHCPv4 relay options)...........................................................................................................................284
DHCPv6 relay agent options..................................................................................................................................... 285
DHCP Snooping...........................................................................................................................................................285
Drop DHCP Packets on Snooped VLANs Only....................................................................................................... 289
Dynamic ARP Inspection............................................................................................................................................ 289
Configuring Dynamic ARP Inspection.......................................................................................................................290
Source Address Validation................................................................................................................................................ 291
Enabling IP Source Address Validation......................................................................................................................291
DHCP MAC Source Address Validation................................................................................................................... 292
Enabling IP+MAC Source Address Validation..........................................................................................................292
Viewing the Number of SAV Dropped Packets.......................................................................................................292
Clearing the Number of SAV Dropped Packets...................................................................................................... 293
14 Equal Cost Multi-Path (ECMP).................................................................................................294
ECMP for Flow-Based Affinity........................................................................................................................................294
Configuring the Hash Algorithm................................................................................................................................ 294
Enabling Deterministic ECMP Next Hop..................................................................................................................294
Configuring the Hash Algorithm Seed...................................................................................................................... 294
Link Bundle Monitoring.....................................................................................................................................................295
Managing ECMP Group Paths.................................................................................................................................. 295
Creating an ECMP Group Bundle............................................................................................................................. 296
Modifying the ECMP Group Threshold.................................................................................................................... 296
Support for /128 IPv6 and /32 IPv4 Prefixes in Layer 3 Host Table and LPM Table........................................ 297
Support for ECMP in host table................................................................................................................................ 297
Support for moving /128 IPv6 Prefixes and /32 IPv4 Prefixes ............................................................................297
15 FIP Snooping.......................................................................................................................... 298
Fibre Channel over Ethernet............................................................................................................................................298
Ensure Robustness in a Converged Ethernet Network............................................................................................... 298
FIP Snooping on Ethernet Bridges..................................................................................................................................299
Using FIP Snooping............................................................................................................................................................301
FIP Snooping Prerequisites.........................................................................................................................................301
Important Points to Remember..................................................................................................................................301
Enabling the FCoE Transit Feature...........................................................................................................................303
Enable FIP Snooping on VLANs.................................................................................................................................303
Configure the FC-MAP Value....................................................................................................................................303
Configure a Port for a Bridge-to-Bridge Link.......................................................................................................... 303
Configure a Port for a Bridge-to-FCF Link.............................................................................................................. 303
Impact on Other Software Features.........................................................................................................................304
FIP Snooping Restrictions.......................................................................................................................................... 304
Configuring FIP Snooping...........................................................................................................................................304
Displaying FIP Snooping Information.............................................................................................................................. 305
FCoE Transit Configuration Example............................................................................................................................. 309
16 Flex Hash and Optimized Boot-Up..............................................................................................311
Flex Hash Capability Overview..........................................................................................................................................311
Configuring the Flex Hash Mechanism............................................................................................................................ 311
RDMA Over Converged Ethernet (RoCE) Overview....................................................................................................312
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces......................................................................................... 312
17 Force10 Resilient Ring Protocol (FRRP).....................................................................................314
Protocol Overview............................................................................................................................................................. 314
Ring Status....................................................................................................................................................................315
Multiple FRRP Rings....................................................................................................................................................315
Important FRRP Points............................................................................................................................................... 316
Important FRRP Concepts..........................................................................................................................................317
Implementing FRRP........................................................................................................................................................... 317
FRRP Configuration...........................................................................................................................................................318
Creating the FRRP Group...........................................................................................................................................318
Configuring the Control VLAN................................................................................................................................... 318
Configuring and Adding the Member VLANs........................................................................................................... 319
Setting the FRRP Timers........................................................................................................................................... 320
Clearing the FRRP Counters......................................................................................................................................320
Viewing the FRRP Configuration.............................................................................................................................. 320
Viewing the FRRP Information.................................................................................................................................. 320
Troubleshooting FRRP...................................................................................................................................................... 321
Sample Configuration and Topology................................................................................................................................321
FRRP Support on VLT......................................................................................................................................................322
18 GARP VLAN Registration Protocol (GVRP)................................................................................325
Configure GVRP................................................................................................................................................................325
Enabling GVRP Globally....................................................................................................................................................326
Enabling GVRP on a Layer 2 Interface........................................................................................................................... 327
Configure GVRP Registration..........................................................................................................................................327
Configure a GARP Timer.................................................................................................................................................. 327
19 Internet Group Management Protocol (IGMP)........................................................................... 329
IGMP Protocol Overview................................................................................................................................................. 329
IGMP Version 2............................................................................................................................................................329
IGMP Version 3............................................................................................................................................................330
Configure IGMP.................................................................................................................................................................333
Viewing IGMP Enabled Interfaces...................................................................................................................................333
Selecting an IGMP Version.............................................................................................................................................. 334
Viewing IGMP Groups...................................................................................................................................................... 334
Adjusting Timers................................................................................................................................................................335
Adjusting Query and Response Timers.....................................................................................................................335
Enabling IGMP Immediate-Leave....................................................................................................................................335
IGMP Snooping..................................................................................................................................................................336
Configuring IGMP Snooping...................................................................................................................................... 336
Removing a Group-Port Association.........................................................................................................................337
Disabling Multicast Flooding.......................................................................................................................................337
Specifying a Port as Connected to a Multicast Router..........................................................................................337
Configuring the Switch as Querier............................................................................................................................ 337
Fast Convergence after MSTP Topology Changes......................................................................................................338
Egress Interface Selection (EIS) for HTTP and IGMP Applications...........................................................................338
Designating a Multicast Router Interface...................................................................................................................... 344
20 Interfaces.............................................................................................................................. 345
Interface Types..................................................................................................................................................................346
View Basic Interface Information.................................................................................................................................... 346
Resetting an Interface to its Factory Default State..................................................................................................... 348
Enabling a Physical Interface........................................................................................................................................... 348
Physical Interfaces............................................................................................................................................................ 349
Configuration Task List for Physical Interfaces.......................................................................................................349
Overview of Layer Modes..........................................................................................................................................349
Configuring Layer 2 (Data Link) Mode..................................................................................................................... 349
Configuring Layer 2 (Interface) Mode......................................................................................................................350
Configuring Layer 3 (Network) Mode......................................................................................................................350
Configuring Layer 3 (Interface) Mode......................................................................................................................350
Egress Interface Selection (EIS)......................................................................................................................................351
Configuring EIS.............................................................................................................................................................351
Management Interfaces................................................................................................................................................... 352
Configuring Management Interfaces........................................................................................................................352
Configuring a Management Interface on an Ethernet Port...................................................................................352
VLAN Interfaces................................................................................................................................................................353
Loopback Interfaces......................................................................................................................................................... 353
Null Interfaces....................................................................................................................................................................354
Configuring Port Delay..................................................................................................................................................... 354
Port Channel Interfaces................................................................................................................................................... 354
Port Channel Definition and Standards.................................................................................................................... 355
Port Channel Benefits................................................................................................................................................ 355
Port Channel Implementation.................................................................................................................................... 355
Interfaces in Port Channels........................................................................................................................................355
Configuration Tasks for Port Channel Interfaces................................................................................................... 356
Creating a Port Channel.............................................................................................................................................356
Adding a Physical Interface to a Port Channel........................................................................................................356
Reassigning an Interface to a New Port Channel................................................................................................... 358
Configuring the Minimum Oper Up Links in a Port Channel..................................................................................358
Adding or Removing a Port Channel from a VLAN.................................................................................................359
Assigning an IP Address to a Port Channel..............................................................................................................359
Deleting or Disabling a Port Channel.........................................................................................................................360
Load Balancing Through Port Channels...................................................................................................................360
Load-Balancing Method............................................................................................................................................. 360
Changing the Hash Algorithm....................................................................................................................................360
Bulk Configuration..............................................................................................................................................................361
Interface Range............................................................................................................................................................361
Bulk Configuration Examples..................................................................................................................................... 362
Defining Interface Range Macros................................................................................................................................... 363
Define the Interface Range........................................................................................................................................363
Choosing an Interface-Range Macro........................................................................................................................364
Monitoring and Maintaining Interfaces...........................................................................................................................364
Maintenance Using TDR.............................................................................................................................................365
Non Dell-Qualified Transceivers...................................................................................................................................... 365
Splitting 100G Ports..........................................................................................................................................................366
Link Dampening................................................................................................................................................................. 366
Enabling Link Dampening............................................................................................................................................369
Link Bundle Monitoring.....................................................................................................................................................370
Using Ethernet Pause Frames for Flow Control............................................................................................................370
Enabling Pause Frames................................................................................................................................................371
Configure the MTU Size on an Interface........................................................................................................................ 371
Configuring wavelength for 10–Gigabit SFP+ optics................................................................................................... 372
Port-Pipes.......................................................................................................................................................................... 372
CR4 Auto-Negotiation...................................................................................................................................................... 372
Setting the Speed of Ethernet Interfaces......................................................................................................................373
Speed Setting on 25G Interfaces....................................................................................................................................374
Configuring 10G speed on 25G ports............................................................................................................................. 375
FEC Configuration.............................................................................................................................................................376
View Advanced Interface Information............................................................................................................................ 378
Configuring the Interface Sampling Size.................................................................................................................. 378
Configuring the Traffic Sampling Size Globally............................................................................................................. 379
Dynamic Counters..............................................................................................................................................................381
Clearing Interface Counters........................................................................................................................................381
Enhanced Validation of Interface Ranges...................................................................................................................... 382
Compressing Configuration Files.....................................................................................................................................382
OUI on 25G and 50G Interfaces......................................................................................................................................384
Configuring OUI on 25G and 50G Interfaces.......................................................................................................... 384
21 IPv4 Routing...........................................................................................................................385
IP Addresses...................................................................................................................................................................... 386
Configuration Tasks for IP Addresses............................................................................................................................ 386
Assigning IP Addresses to an Interface..........................................................................................................................386
Configuring Static Routes................................................................................................................................................ 387
Adding description for IPv4 and IPv6 static routes................................................................................................ 388
Configure Static Routes for the Management Interface.............................................................................................388
Using the Configured Source IP Address in ICMP Messages.....................................................................................389
Configuring the Duration to Establish a TCP Connection........................................................................................... 389
Enabling Directed Broadcast........................................................................................................................................... 390
Resolution of Host Names............................................................................................................................................... 390
Enabling Dynamic Resolution of Host Names............................................................................................................... 390
Specifying the Local System Domain and a List of Domains....................................................................................... 391
Configuring DNS with Traceroute................................................................................................................................... 391
ARP..................................................................................................................................................................................... 392
Configuration Tasks for ARP........................................................................................................................................... 392
Configuring Static ARP Entries....................................................................................................................................... 392
Enabling Proxy ARP.......................................................................................................................................................... 392
Clearing ARP Cache..........................................................................................................................................................393
ARP Learning via Gratuitous ARP...................................................................................................................................393
Enabling ARP Learning via Gratuitous ARP................................................................................................................... 393
ARP Learning via ARP Request.......................................................................................................................................393
Configuring ARP Retries.................................................................................................................................................. 394
ICMP...................................................................................................................................................................................395
Configuration Tasks for ICMP.........................................................................................................................................395
Enabling ICMP Unreachable Messages..........................................................................................................................395
ICMP Redirects................................................................................................................................................................. 395
UDP Helper........................................................................................................................................................................ 396
Enabling UDP Helper.........................................................................................................................................................397
Configuring a Broadcast Address....................................................................................................................................397
Configurations Using UDP Helper...................................................................................................................................398
UDP Helper with Broadcast-All Addresses....................................................................................................................398
UDP Helper with Subnet Broadcast Addresses............................................................................................................399
UDP Helper with Configured Broadcast Addresses..................................................................................................... 399
UDP Helper with No Configured Broadcast Addresses...............................................................................................400
Troubleshooting UDP Helper...........................................................................................................................................400
22 IPv6 Routing...........................................................................................................................401
Protocol Overview.............................................................................................................................................................401
Extended Address Space............................................................................................................................................ 401
Path MTU discovery....................................................................................................................................................401
Stateless Autoconfiguration.......................................................................................................................................402
IPv6 Headers................................................................................................................................................................403
Longest Prefix Match (LPM) Table and IPv6 /65 – /128 support...................................................................... 403
IPv6 Header Fields...................................................................................................................................................... 403
Extension Header Fields............................................................................................................................................. 404
Addressing....................................................................................................................................................................405
Implementing IPv6 with Dell EMC Networking OS...................................................................................................... 406
ICMPv6.............................................................................................................................................................................. 406
Path MTU discovery.........................................................................................................................................................406
IPv6 Neighbor Discovery..................................................................................................................................................407
IPv6 Neighbor Discovery of MTU Packets..............................................................................................................408
Configuring the IPv6 Recursive DNS Server...........................................................................................................408
Debugging IPv6 RDNSS Information Sent to the Host ........................................................................................ 409
Displaying IPv6 RDNSS Information......................................................................................................................... 409
Secure Shell (SSH) Over an IPv6 Transport..................................................................................................................410
Configuration Tasks for IPv6............................................................................................................................................410
Adjusting Your CAM-Profile........................................................................................................................................410
Assigning an IPv6 Address to an Interface................................................................................................................411
Assigning a Static IPv6 Route..................................................................................................................................... 411
Configuring Telnet with IPv6......................................................................................................................................412
SNMP over IPv6.......................................................................................................................................................... 412
Displaying IPv6 Information.........................................................................................................................................412
Displaying an IPv6 Interface Information.................................................................................................................. 412
Showing IPv6 Routes.................................................................................................................................................. 413
Showing the Running-Configuration for an Interface............................................................................................. 414
Clearing IPv6 Routes................................................................................................................................................... 415
Configuring IPv6 RA Guard.............................................................................................................................................. 415
23 iSCSI Optimization.................................................................................................................. 417
iSCSI Optimization Overview............................................................................................................................................417
Monitoring iSCSI Traffic Flows...................................................................................................................................418
Application of Quality of Service to iSCSI Traffic Flows.........................................................................................418
Information Monitored in iSCSI Traffic Flows.......................................................................................................... 419
Detection and Auto-Configuration for Dell EqualLogic Arrays...............................................................................419
Configuring Detection and Ports for Dell Compellent Arrays................................................................................ 420
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer.................................................................. 420
Enable and Disable iSCSI Optimization......................................................................................................................421
Default iSCSI Optimization Values...................................................................................................................................421
iSCSI Optimization Prerequisites..................................................................................................................................... 421
Configuring iSCSI Optimization....................................................................................................................................... 422
Displaying iSCSI Optimization Information.....................................................................................................................423
24 Intermediate System to Intermediate System........................................................................... 425
IS-IS Protocol Overview...................................................................................................................................................425
IS-IS Addressing................................................................................................................................................................ 425
Multi-Topology IS-IS......................................................................................................................................................... 426
Transition Mode...........................................................................................................................................................426
Interface Support........................................................................................................................................................ 426
Adjacencies...................................................................................................................................................................426
Graceful Restart................................................................................................................................................................ 427
Timers............................................................................................................................................................................427
Implementation Information............................................................................................................................................. 427
Configuration Information................................................................................................................................................ 428
Configuration Tasks for IS-IS.....................................................................................................................................428
Configuring the Distance of a Route........................................................................................................................ 435
Changing the IS-Type.................................................................................................................................................435
Redistributing IPv4 Routes.........................................................................................................................................437
Redistributing IPv6 Routes.........................................................................................................................................438
Configuring Authentication Passwords.................................................................................................................... 438
Setting the Overload Bit.............................................................................................................................................439
Debugging IS-IS...........................................................................................................................................................439
IS-IS Metric Styles............................................................................................................................................................ 440
Configure Metric Values...................................................................................................................................................440
Maximum Values in the Routing Table..................................................................................................................... 440
Change the IS-IS Metric Style in One Level Only................................................................................................... 440
Leaks from One Level to Another............................................................................................................................. 442
Sample Configurations......................................................................................................................................................442
25 Link Aggregation Control Protocol (LACP)................................................................................445
Introduction to Dynamic LAGs and LACP......................................................................................................................445
Important Points to Remember.................................................................................................................................445
LACP Modes................................................................................................................................................................445
Configuring LACP Commands...................................................................................................................................446
LACP Configuration Tasks...............................................................................................................................................446
Creating a LAG............................................................................................................................................................ 446
Configuring the LAG Interfaces as Dynamic............................................................................................................447
Setting the LACP Long Timeout............................................................................................................................... 447
Monitoring and Debugging LACP..............................................................................................................................448
Shared LAG State Tracking............................................................................................................................................. 448
Configuring Shared LAG State Tracking..................................................................................................................449
Important Points about Shared LAG State Tracking..............................................................................................450
LACP Basic Configuration Example................................................................................................................................450
Configure a LAG on ALPHA.......................................................................................................................................450
26 Layer 2.................................................................................................................................. 458
Manage the MAC Address Table.................................................................................................................................... 458
Clearing the MAC Address Table.............................................................................................................................. 458
Setting the Aging Time for Dynamic Entries........................................................................................................... 458
Configuring a Static MAC Address........................................................................................................................... 458
Displaying the MAC Address Table...........................................................................................................................459
MAC Learning Limit.......................................................................................................................................................... 459
Setting the MAC Learning Limit................................................................................................................................459
mac learning-limit Dynamic........................................................................................................................................ 460
mac learning-limit mac-address-sticky.....................................................................................................................460
mac learning-limit station-move................................................................................................................................460
mac learning-limit no-station-move.......................................................................................................................... 460
Learning Limit Violation Actions................................................................................................................................. 461
Setting Station Move Violation Actions.................................................................................................................... 461
Recovering from Learning Limit and Station Move Violations............................................................................... 461
Disabling MAC Address Learning on the System..........................................................................................................462
Enabling port security....................................................................................................................................................... 462
NIC Teaming...................................................................................................................................................................... 462
Configure Redundant Pairs..............................................................................................................................................463
Far-End Failure Detection................................................................................................................................................ 466
FEFD State Changes.................................................................................................................................................. 466
Configuring FEFD........................................................................................................................................................ 467
Enabling FEFD on an Interface.................................................................................................................................. 468
Debugging FEFD..........................................................................................................................................................468
27 Link Layer Discovery Protocol (LLDP).......................................................................................470
802.1AB (LLDP) Overview...............................................................................................................................................470
Protocol Data Units.....................................................................................................................................................470
Optional TLVs..................................................................................................................................................................... 471
Management TLVs.......................................................................................................................................................471
TIA-1057 (LLDP-MED) Overview................................................................................................................................... 472
TIA Organizationally Specific TLVs............................................................................................................................473
Configure LLDP................................................................................................................................................................. 475
CONFIGURATION versus INTERFACE Configurations............................................................................................... 476
Enabling LLDP....................................................................................................................................................................477
Disabling and Undoing LLDP...................................................................................................................................... 477
Enabling LLDP on Management Ports............................................................................................................................477
Disabling and Undoing LLDP on Management Ports.............................................................................................. 477
Advertising TLVs............................................................................................................................................................... 478
Viewing the LLDP Configuration..................................................................................................................................... 478
Viewing Information Advertised by Adjacent LLDP Neighbors................................................................................... 479
Examples of Viewing Information Advertised by Neighbors.................................................................................. 479
Configuring LLDPDU Intervals......................................................................................................................................... 481
Configuring Transmit and Receive Mode....................................................................................................................... 481
Configuring the Time to Live Value.................................................................................................................................482
Debugging LLDP................................................................................................................................................................483
Relevant Management Objects.......................................................................................................................................484
28 Microsoft Network Load Balancing...........................................................................................488
Configuring a Switch for NLB ........................................................................................................................................ 489
Enabling a Switch for Multicast NLB........................................................................................................................489
29 Multicast Source Discovery Protocol (MSDP)............................................................................491
Anycast RP.........................................................................................................................................................................492
Implementation Information.............................................................................................................................................493
Configure Multicast Source Discovery Protocol...........................................................................................................493
Related Configuration Tasks......................................................................................................................................493
Enable MSDP.....................................................................................................................................................................497
Manage the Source-Active Cache..................................................................................................................................498
Viewing the Source-Active Cache............................................................................................................................ 498
Limiting the Source-Active Cache............................................................................................................................ 498
Clearing the Source-Active Cache............................................................................................................................498
Enabling the Rejected Source-Active Cache...........................................................................................................499
Accept Source-Active Messages that Fail the RPF Check.........................................................................................499
Specifying Source-Active Messages...............................................................................................................................501
Limiting the Source-Active Messages from a Peer......................................................................................................502
Preventing MSDP from Caching a Local Source..........................................................................................................502
Preventing MSDP from Caching a Remote Source..................................................................................................... 502
Preventing MSDP from Advertising a Local Source.................................................................................................... 503
Logging Changes in Peership States..............................................................................................................................504
Terminating a Peership.....................................................................................................................................................504
Clearing Peer Statistics.................................................................................................................................................... 504
Debugging MSDP..............................................................................................................................................................505
MSDP with Anycast RP................................................................................................................................................... 505
Configuring Anycast RP...................................................................................................................................................506
Reducing Source-Active Message Flooding............................................................................................................ 507
Specifying the RP Address Used in SA Messages..................................................................................................507
MSDP Sample Configurations.........................................................................................................................................509
30 Multicast Listener Discovery Protocol.......................................................................................512
MLD timers......................................................................................................................................................................... 515
Reducing Host Response Burstiness.........................................................................................................................515
Configuring MLD Version..................................................................................................................................................516
Clearing MLD groups.........................................................................................................................................................516
Debugging MLD................................................................................................................................................................. 516
Explicit Tracking................................................................................................................................................................. 516
Reducing Leave Latency...................................................................................................................................................516
Displaying MLD groups table............................................................................................................................................516
Displaying MLD Interfaces................................................................................................................................................ 517
MLD Snooping....................................................................................................................................................................517
Enable MLD Snooping................................................................................................................................................. 517
Disable MLD Snooping.................................................................................................................................................517
Configure the switch as a querier..............................................................................................................................518
Specify port as connected to multicast router........................................................................................................ 518
Enable Snooping Explicit Tracking............................................................................................................................. 518
Display the MLD Snooping Table............................................................................................................................... 518
31 Multiple Spanning Tree Protocol (MSTP).................................................................................. 519
Spanning Tree Variations................................................................................................................................................. 520
Implementation Information.......................................................................................................................................520
Configure Multiple Spanning Tree Protocol...................................................................................................................520
Related Configuration Tasks......................................................................................................................................520
Enable Multiple Spanning Tree Globally.......................................................................................................................... 521
Adding and Removing Interfaces.....................................................................................................................................521
Creating Multiple Spanning Tree Instances....................................................................................................................521
Influencing MSTP Root Selection................................................................................................................................... 523
Interoperate with Non-Dell Bridges................................................................................................................................ 523
Changing the Region Name or Revision.........................................................................................................................523
Modifying Global Parameters.......................................................................................................................................... 524
Modifying the Interface Parameters...............................................................................................................................525
Setting STP path cost as constant................................................................................................................................ 525
Configuring an EdgePort..................................................................................................................................................526
Flush MAC Addresses after a Topology Change.......................................................................................................... 526
MSTP Sample Configurations..........................................................................................................................................527
Debugging and Verifying MSTP Configurations............................................................................................................ 531
32 Multicast Features..................................................................................................................533
Enabling IP Multicast........................................................................................................................................................ 533
Implementation Information.............................................................................................................................................533
Multicast Policies...............................................................................................................................................................534
IPv4 Multicast Policies................................................................................................................................................534
Understanding Multicast Traceroute (mtrace)..............................................................................................................541
Printing Multicast Traceroute (mtrace) Paths...............................................................................................................541
Supported Error Codes.................................................................................................................................................... 543
mtrace Scenarios.............................................................................................................................................................. 543
33 Object Tracking......................................................................................................................549
Object Tracking Overview............................................................................................................................................... 549
Track Layer 2 Interfaces............................................................................................................................................ 550
Track Layer 3 Interfaces............................................................................................................................................ 550
Track IPv4 and IPv6 Routes...................................................................................................................................... 550
Set Tracking Delays..................................................................................................................................................... 551
VRRP Object Tracking................................................................................................................................................552
Object Tracking Configuration........................................................................................................................................ 552
Tracking a Layer 2 Interface...................................................................................................................................... 552
Tracking a Layer 3 Interface...................................................................................................................................... 553
Track an IPv4/IPv6 Route......................................................................................................................................... 554
Displaying Tracked Objects..............................................................................................................................................557
34 Open Shortest Path First (OSPFv2 and OSPFv3)...................................................................... 559
Protocol Overview............................................................................................................................................................ 559
Autonomous System (AS) Areas.............................................................................................................................. 559
Area Types................................................................................................................................................................... 560
Networks and Neighbors............................................................................................................................................ 561
Router Types................................................................................................................................................................ 561
Designated and Backup Designated Routers.......................................................................................................... 562
Link-State Advertisements (LSAs)...........................................................................................................................562
Router Priority and Cost.............................................................................................................................................563
OSPF with Dell EMC Networking OS.............................................................................................................................564
Graceful Restart.......................................................................................................................................................... 564
Fast Convergence (OSPFv2, IPv4 Only).................................................................................................................565
Multi-Process OSPFv2 with VRF............................................................................................................................. 565
OSPF ACK Packing.....................................................................................................................................................566
Setting OSPF Adjacency with Cisco Routers..........................................................................................................566
Configuration Information................................................................................................................................................566
Configuration Task List for OSPFv2 (OSPF for IPv4)........................................................................................... 567
Configuration Task List for OSPFv3 (OSPF for IPv6)................................................................................................. 578
Enabling IPv6 Unicast Routing...................................................................................................................................579
Assigning IPv6 Addresses on an Interface............................................................................................................... 579
Assigning Area ID on an Interface............................................................................................................................. 579
Assigning OSPFv3 Process ID and Router ID Globally........................................................................................... 580
Assigning OSPFv3 Process ID and Router ID to a VRF......................................................................................... 580
Configuring Stub Areas.............................................................................................................................................. 580
Configuring Passive-Interface....................................................................................................................................581
Redistributing Routes.................................................................................................................................................. 581
Configuring a Default Route....................................................................................................................................... 581
Applying cost for OSPFv3..........................................................................................................................................582
Enabling OSPFv3 Graceful Restart...........................................................................................................................582
OSPFv3 Authentication Using IPsec........................................................................................................................ 584
Troubleshooting OSPFv3...........................................................................................................................................589
MIB Support for OSPFv3.................................................................................................................................................590
Viewing the OSPFv3 MIB........................................................................................................................................... 591
35 Policy-based Routing (PBR).................................................................................................... 592
Overview............................................................................................................................................................................ 592
Implementing PBR............................................................................................................................................................ 593
Configuration Task List for Policy-based Routing........................................................................................................ 593
Create a Redirect List.................................................................................................................................................594
Create a Rule for a Redirect-list................................................................................................................................594
Apply a Redirect-list to an Interface using a Redirect-group................................................................................ 595
Sample Configuration....................................................................................................................................................... 597
36 PIM Sparse-Mode (PIM-SM)................................................................................................... 602
Implementation Information.............................................................................................................................................602
Protocol Overview............................................................................................................................................................ 602
Requesting Multicast Traffic..................................................................................................................................... 602
Refuse Multicast Traffic.............................................................................................................................................602
Send Multicast Traffic................................................................................................................................................ 603
Configuring PIM-SM.........................................................................................................................................................603
Related Configuration Tasks......................................................................................................................................603
Enable PIM-SM................................................................................................................................................................. 603
Configuring S,G Expiry Timers........................................................................................................................................ 604
Configuring a Static Rendezvous Point......................................................................................................................... 605
Overriding Bootstrap Router Updates..................................................................................................................... 605
Configuring a Designated Router....................................................................................................................................605
Creating Multicast Boundaries and Domains.................................................................................................................606
Electing an RP using the BSR Mechanism.................................................................................................................... 606
37 PIM Source-Specific Mode (PIM-SSM).................................................................................... 608
Implementation Information.............................................................................................................................................608
Configure PIM-SSM......................................................................................................................................................... 608
Enabling PIM-SSM............................................................................................................................................................609
Use PIM-SSM with IGMP Version 2 Hosts................................................................................................................... 609
Electing an RP using the BSR Mechanism..................................................................................................................... 610
Enabling RP to Serve Specific Multicast Groups.................................................................................................... 611
38 Port Monitoring...................................................................................................................... 613
Important Points to Remember....................................................................................................................................... 613
Port Monitoring..................................................................................................................................................................613
Configuring Port Monitoring.............................................................................................................................................615
Configuring Monitor Multicast Queue.............................................................................................................................616
Flow-Based Monitoring..................................................................................................................................................... 617
Enabling Flow-Based Monitoring............................................................................................................................... 618
Remote Port Mirroring..................................................................................................................................................... 620
Remote Port Mirroring Example................................................................................................................................620
Configuring Remote Port Mirroring...........................................................................................................................621
Displaying Remote-Port Mirroring Configurations..................................................................................................622
Configuration procedure for Remote Port Mirroring..............................................................................................622
Encapsulated Remote Port Monitoring..........................................................................................................................626
ERPM Behavior on a typical Dell EMC Networking OS ..............................................................................................628
Port Monitoring on VLT................................................................................................................................................... 629
39 Private VLANs (PVLAN).......................................................................................................... 632
Private VLAN Concepts................................................................................................................................................... 632
Using the Private VLAN Commands...............................................................................................................................633
Configuration Task List.....................................................................................................................................................634
Creating PVLAN ports................................................................................................................................................634
Creating a Primary VLAN........................................................................................................................................... 634
Creating a Community VLAN.................................................................................................................................... 635
Creating an Isolated VLAN.........................................................................................................................................636
Private VLAN Configuration Example.............................................................................................................................637
Inspecting the Private VLAN Configuration.................................................................................................................. 638
40 Per-VLAN Spanning Tree Plus (PVST+)....................................................................................640
Protocol Overview............................................................................................................................................................ 640
Implementation Information..............................................................................................................................................641
Configure Per-VLAN Spanning Tree Plus.......................................................................................................................641
Enabling PVST+................................................................................................................................................................. 641
Disabling PVST+.................................................................................................................................................................641
Influencing PVST+ Root Selection..................................................................................................................................642
Modifying Global PVST+ Parameters.............................................................................................................................643
Modifying Interface PVST+ Parameters........................................................................................................................644
Configuring an EdgePort..................................................................................................................................................644
PVST+ in Multi-Vendor Networks..................................................................................................................................645
Enabling PVST+ Extend System ID................................................................................................................................ 645
PVST+ Sample Configurations........................................................................................................................................646
41 Quality of Service (QoS).......................................................................................................... 648
Implementation Information.............................................................................................................................................650
Port-Based QoS Configurations..................................................................................................................................... 650
Setting dot1p Priorities for Incoming Traffic............................................................................................................650
Honoring dot1p Priorities on Ingress Traffic............................................................................................................. 651
Configuring Port-Based Rate Policing.......................................................................................................................651
Configuring Port-Based Rate Shaping......................................................................................................................651
Policy-Based QoS Configurations...................................................................................................................................652
Classify Traffic.............................................................................................................................................................652
Dot1p to Queue Mapping Requirement....................................................................................................................655
Create a QoS Policy....................................................................................................................................................656
DSCP Color Maps....................................................................................................................................................... 658
Create Policy Maps.....................................................................................................................................................659
Enabling QoS Rate Adjustment....................................................................................................................................... 662
Enabling Strict-Priority Queueing....................................................................................................................................662
Queue Classification Requirements for PFC Functionality.......................................................................................... 663
Support for marking dot1p value in L3 Input Qos Policy.............................................................................................. 663
Weighted Random Early Detection.................................................................................................................................664
Enabling and Disabling WRED Globally..................................................................................................................... 664
Creating WRED Profiles............................................................................................................................................. 665
Applying a WRED Profile to Traffic...........................................................................................................................665
Displaying Default and Configured WRED Profiles................................................................................................. 665
Displaying WRED Drop Statistics..............................................................................................................................665
Displaying egress–queue Statistics...........................................................................................................................666
Pre-Calculating Available QoS CAM Space...................................................................................................................666
Specifying Policy-Based Rate Shaping in Packets Per Second.................................................................................. 667
Configuring Policy-Based Rate Shaping.........................................................................................................................667
Configuring Weights and ECN for WRED .....................................................................................................................668
Configuring WRED and ECN Attributes.........................................................................................................................669
Guidelines for Configuring ECN for Classifying and Color-Marking Packets............................................................ 670
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class.................................... 670
Classifying Incoming Packets Using ECN and Color-Marking................................................................................671
Sample configuration to mark non-ecn packets as “yellow” with single traffic class.........................................672
Applying Layer 2 Match Criteria on a Layer 3 Interface...............................................................................................673
Managing Hardware Buffer Statistics...................................................................................................................... 673
Enabling Buffer Statistics Tracking ................................................................................................................................674
42 Routing Information Protocol (RIP)..........................................................................................676
Protocol Overview............................................................................................................................................................ 676
RIPv1............................................................................................................................................................................. 676
RIPv2.............................................................................................................................................................................676
Implementation Information............................................................................................................................................. 676
Configuration Information.................................................................................................................................................677
Configuration Task List............................................................................................................................................... 677
RIP Configuration Example........................................................................................................................................ 682
43 Remote Monitoring (RMON)....................................................................................................687
Implementation Information............................................................................................................................................. 687
Fault Recovery...................................................................................................................................................................687
Setting the RMON Alarm........................................................................................................................................... 687
Configuring an RMON Event.....................................................................................................................................688
Configuring RMON Collection Statistics..................................................................................................................689
Configuring the RMON Collection History...............................................................................................................689
44 Rapid Spanning Tree Protocol (RSTP)......................................................................................690
Protocol Overview............................................................................................................................................................ 690
Configuring Rapid Spanning Tree................................................................................................................................... 690
Important Points to Remember.......................................................................................................................................690
RSTP and VLT..............................................................................................................................................................691
Configuring Interfaces for Layer 2 Mode....................................................................................................................... 691
Enabling Rapid Spanning Tree Protocol Globally........................................................................................................... 691
Adding and Removing Interfaces.................................................................................................................................... 693
Modifying Global Parameters.......................................................................................................................................... 693
Enabling SNMP Traps for Root Elections and Topology Changes....................................................................... 695
Modifying Interface Parameters..................................................................................................................................... 695
Enabling SNMP Traps for Root Elections and Topology Changes.............................................................................695
Influencing RSTP Root Selection....................................................................................................................................695
Configuring an EdgePort..................................................................................................................................................696
Configuring Fast Hellos for Link State Detection......................................................................................................... 696
45 Software-Defined Networking (SDN)....................................................................................... 698
46 Security.................................................................................................................................699
AAA Accounting................................................................................................................................................................ 699
Configuration Task List for AAA Accounting...........................................................................................................699
RADIUS Accounting.....................................................................................................................................................701
AAA Authentication...........................................................................................................................................................706
Configuration Task List for AAA Authentication..................................................................................................... 706
Obscuring Passwords and Keys...................................................................................................................................... 708
AAA Authorization.............................................................................................................................................................709
Privilege Levels Overview.......................................................................................................................................... 709
Configuration Task List for Privilege Levels.............................................................................................................709
RADIUS................................................................................................................................................................................712
RADIUS Authentication............................................................................................................................................... 713
Configuration Task List for RADIUS.......................................................................................................................... 714
TACACS+............................................................................................................................................................................716
Configuration Task List for TACACS+.......................................................................................................................716
TACACS+ Remote Authentication.............................................................................................................................718
Command Authorization..............................................................................................................................................719
Protection from TCP Tiny and Overlapping Fragment Attacks...................................................................................719
Enabling SCP and SSH......................................................................................................................................................719
Using SCP with SSH to Copy a Software Image.................................................................................................... 720
Removing the RSA Host Keys and Zeroizing Storage ............................................................................................721
Configuring When to Re-generate an SSH Key ......................................................................................................721
Configuring the SSH Server Key Exchange Algorithm............................................................................................721
Configuring the HMAC Algorithm for the SSH Server...........................................................................................722
Configuring the HMAC Algorithm for the SSH Client............................................................................................ 722
Configuring the SSH Server Cipher List...................................................................................................................723
Configuring the SSH Client Cipher List.................................................................................................................... 723
Secure Shell Authentication....................................................................................................................................... 723
Troubleshooting SSH.................................................................................................................................................. 725
Telnet.................................................................................................................................................................................. 726
VTY Line and Access-Class Configuration.....................................................................................................................726
VTY Line Local Authentication and Authorization...................................................................................................726
VTY Line Remote Authentication and Authorization...............................................................................................727
VTY MAC-SA Filter Support...................................................................................................................................... 727
Role-Based Access Control..............................................................................................................................................728
Overview of RBAC...................................................................................................................................................... 728
User Roles.................................................................................................................................................................... 730
AAA Authentication and Authorization for Roles.....................................................................................................733
Role Accounting...........................................................................................................................................................735
Display Information About User Roles.......................................................................................................................736
Two Factor Authentication (2FA)................................................................................................................................... 737
Handling Access-Challenge Message....................................................................................................................... 737
Configuring Challenge Response Authentication for SSHv2................................................................................. 737
SMS-OTP Mechanism................................................................................................................................................738
Configuring the System to Drop Certain ICMP Reply Messages............................................................................... 738
SSH Lockout Settings...................................................................................................................................................... 740
47 Service Provider Bridging.........................................................................................................741
VLAN Stacking................................................................................................................................................................... 741
Configure VLAN Stacking...........................................................................................................................................742
Creating Access and Trunk Ports..............................................................................................................................743
Enable VLAN-Stacking for a VLAN...........................................................................................................................743
Configuring the Protocol Type Value for the Outer VLAN Tag.............................................................................744
Configuring Dell EMC Networking OS Options for Trunk Ports........................................................................... 744
Debugging VLAN Stacking.........................................................................................................................................745
VLAN Stacking in Multi-Vendor Networks.............................................................................................................. 745
VLAN Stacking Packet Drop Precedence......................................................................................................................748
Enabling Drop Eligibility............................................................................................................................................... 748
Honoring the Incoming DEI Value..............................................................................................................................749
Marking Egress Packets with a DEI Value................................................................................................................749
Dynamic Mode CoS for VLAN Stacking.........................................................................................................................750
Mapping C-Tag to S-Tag dot1p Values.....................................................................................................................751
Layer 2 Protocol Tunneling............................................................................................................................................... 751
Enabling Layer 2 Protocol Tunneling.........................................................................................................................753
Specifying a Destination MAC Address for BPDUs................................................................................................ 754
Setting Rate-Limit BPDUs..........................................................................................................................................754
Debugging Layer 2 Protocol Tunneling.....................................................................................................................754
Provider Backbone Bridging.............................................................................................................................................754
48 sFlow.....................................................................................................................................756
Overview............................................................................................................................................................................ 756
Implementation Information.............................................................................................................................................756
Enabling Extended sFlow..................................................................................................................................................757
Important Points to Remember.................................................................................................................................758
Enabling and Disabling sFlow on an Interface................................................................................................................758
Enabling sFlow Max-Header Size Extended..................................................................................................................759
sFlow Show Commands...................................................................................................................................................759
Displaying Show sFlow Global....................................................................................................................................760
Displaying Show sFlow on an Interface.................................................................................................................... 760
Displaying Show sFlow on a .......................................................................................................................................761
Configuring Specify Collectors.........................................................................................................................................761
Changing the Polling Intervals.......................................................................................................................................... 761
Back-Off Mechanism.........................................................................................................................................................761
sFlow on LAG ports...........................................................................................................................................................762
49 Simple Network Management Protocol (SNMP)........................................................................ 763
Protocol Overview............................................................................................................................................................ 764
Implementation Information............................................................................................................................................. 764
SNMPv3 Compliance With FIPS..................................................................................................................................... 764
Configuration Task List for SNMP..................................................................................................................................765
Important Points to Remember.......................................................................................................................................765
Set up SNMP.....................................................................................................................................................................765
Creating a Community................................................................................................................................................ 766
Setting Up User-Based Security (SNMPv3)........................................................................................................... 766
Enable SNMPv3 traps.................................................................................................................................................767
Reading Managed Object Values.....................................................................................................................................767
Writing Managed Object Values......................................................................................................................................768
Configuring Contact and Location Information using SNMP...................................................................................... 768
Subscribing to Managed Object Value Updates using SNMP.....................................................................................769
Enabling a Subset of SNMP Traps..................................................................................................................................769
Enabling an SNMP Agent to Notify Syslog Server Failure...........................................................................................770
Copy Configuration Files Using SNMP............................................................................................................................771
Copying a Configuration File...................................................................................................................................... 772
Copying Configuration Files via SNMP..................................................................................................................... 773
Copying the Startup-Config Files to the Running-Config......................................................................................773
Copying the Startup-Config Files to the Server via FTP........................................................................................773
Copying the Startup-Config Files to the Server via TFTP..................................................................................... 774
Copy a Binary File to the Startup-Configuration..................................................................................................... 774
Additional MIB Objects to View Copy Statistics......................................................................................................774
Obtaining a Value for MIB Objects............................................................................................................................775
MIB Support for Power Monitoring................................................................................................................................ 775
MIB Support for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM user info.............................. 776
MIB Support to Display the Available Memory Size on Flash...................................................................................... 777
Viewing the Available Flash Memory Size.................................................................................................................777
MIB Support to Display the Software Core Files Generated by the System.............................................................778
Viewing the Software Core Files Generated by the System................................................................................. 778
MIB Support for PFC Storm Control.............................................................................................................................. 779
MIB Support for PFC no-drop-priority L2Dlf Drop....................................................................................................... 780
MIB Support for Monitoring the overall buffer usage for lossy and lossless traffic per XPE.................................. 781
SNMP Support for WRED Green/Yellow/Red Drop Counters...................................................................................782
MIB Support to Display the Available Partitions on Flash............................................................................................ 783
Viewing the Available Partitions on Flash................................................................................................................. 783
MIB Support to Display the ECN Marked Packets ...................................................................................................... 784
MIB Support to Display Egress Queue Statistics.......................................................................................................... 784
MIB Support to ECMP Group Count..............................................................................................................................784
Viewing the ECMP Group Count Information......................................................................................................... 785
............................................................................................................................................................................................. 787
Viewing the FEC BER Details.....................................................................................................................................788
MIB Support for entAliasMappingTable ........................................................................................................................ 790
Viewing the entAliasMappingTable MIB...................................................................................................................790
MIB Support for LAG.........................................................................................................................................................791
Viewing the LAG MIB..................................................................................................................................................792
MIB Support for CAM.......................................................................................................................................................792
Viewing the CAM MIB................................................................................................................................................ 793
MIB support for MAC notification traps.........................................................................................................................793
MIB support for Port Security......................................................................................................................................... 794
Global MIB objects for port security......................................................................................................................... 794
MIB support for interface level port security...........................................................................................................794
MIB objects for configuring MAC addresses...........................................................................................................795
MIB objects for configuring MAC addresses...........................................................................................................796
Configuring SNMP traps for new MAC learning or station–move.............................................................................796
Manage VLANs using SNMP........................................................................................................................................... 797
Creating a VLAN.......................................................................................................................................................... 797
Assigning a VLAN Alias................................................................................................................................................797
Displaying the Ports in a VLAN.................................................................................................................................. 797
Add Tagged and Untagged Ports to a VLAN...........................................................................................................797
Managing Overload on Startup....................................................................................................................................... 798
Enabling and Disabling a Port using SNMP....................................................................................................................799
Fetch Dynamic MAC Entries using SNMP.....................................................................................................................799
Example of Deriving the Interface Index Number.........................................................................................................800
MIB Objects for Viewing the System Image on Flash Partitions.......................................................................... 800
Monitor Port-Channels..................................................................................................................................................... 801
Troubleshooting SNMP Operation..................................................................................................................................802
Transceiver Monitoring.................................................................................................................................................... 802
Configuring SNMP context name...................................................................................................................................803
50 Storm Control........................................................................................................................ 804
Configure Storm Control..................................................................................................................................................804
Configuring Storm Control from INTERFACE Mode..............................................................................................804
Configuring Storm Control from CONFIGURATION Mode...................................................................................805
PFC Storm......................................................................................................................................................................... 805
Detect PFC Storm...................................................................................................................................................... 805
Restore Queue Drop State........................................................................................................................................ 806
View Details of Storm Control PFC.......................................................................................................................... 806
51 Spanning Tree Protocol (STP)................................................................................................. 808
Protocol Overview............................................................................................................................................................ 808
Configure Spanning Tree................................................................................................................................................. 808
Important Points to Remember.......................................................................................................................................809
Configuring Interfaces for Layer 2 Mode.......................................................................................................................809
Enabling Spanning Tree Protocol Globally...................................................................................................................... 810
Adding an Interface to the Spanning Tree Group..........................................................................................................812
Modifying Global Parameters........................................................................................................................................... 812
Modifying Interface STP Parameters..............................................................................................................................813
Enabling PortFast...............................................................................................................................................................813
Prevent Network Disruptions with BPDU Guard.....................................................................................................814
Selecting STP Root........................................................................................................................................................... 816
STP Root Guard.................................................................................................................................................................816
Root Guard Scenario................................................................................................................................................... 816
Configuring Root Guard...............................................................................................................................................817
Enabling SNMP Traps for Root Elections and Topology Changes..............................................................................818
Configuring Spanning Trees as Hitless............................................................................................................................818
STP Loop Guard.................................................................................................................................................................818
Configuring Loop Guard.............................................................................................................................................. 819
Displaying STP Guard Configuration.............................................................................................................................. 820
52 SupportAssist......................................................................................................................... 821
Configuring SupportAssist Using a Configuration Wizard............................................................................................ 821
Configuring SupportAssist Manually...............................................................................................................................822
Configuring SupportAssist Activity.................................................................................................................................823
Configuring SupportAssist Company..............................................................................................................................825
Configuring SupportAssist Person..................................................................................................................................825
Configuring SupportAssist Server...................................................................................................................................826
Viewing SupportAssist Configuration............................................................................................................................. 827
53 System Time and Date............................................................................................................ 829
Network Time Protocol.................................................................................................................................................... 829
Protocol Overview...................................................................................................................................................... 830
Configure the Network Time Protocol..................................................................................................................... 830
Enabling NTP............................................................................................................................................................... 830
Configuring NTP Broadcasts......................................................................................................................................831
Disabling NTP on an Interface....................................................................................................................................831
Configuring a Source IP Address for NTP Packets................................................................................................. 831
Configuring NTP Authentication............................................................................................................................... 832
Configuring NTP control key password....................................................................................................................834
Configuring the NTP Step-Threshold.......................................................................................................................834
Configuring a Custom-defined Period for NTP time Synchronization................................................................. 834
Dell EMC Networking OS Time and Date...................................................................................................................... 835
Configuration Task List ..............................................................................................................................................835
Setting the Time and Date for the Switch Software Clock...................................................................................835
Setting the Timezone................................................................................................................................................. 835
Set Daylight Saving Time........................................................................................................................................... 836
Setting Daylight Saving Time Once.......................................................................................................................... 836
Setting Recurring Daylight Saving Time...................................................................................................................836
54 Tunneling...............................................................................................................................838
Configuring a Tunnel.........................................................................................................................................................838
Configuring Tunnel Keepalive Settings...........................................................................................................................839
Configuring a Tunnel Interface........................................................................................................................................839
Configuring Tunnel Allow-Remote Decapsulation.........................................................................................................840
Configuring Tunnel source anylocal Decapsulation.......................................................................................................840
Guidelines for Configuring Multipoint Receive-Only Tunnels.......................................................................................841
Multipoint Receive-Only Tunnels..................................................................................................................................... 841
55 Uplink Failure Detection (UFD)................................................................................................ 842
Feature Description...........................................................................................................................................................842
How Uplink Failure Detection Works.............................................................................................................................. 843
UFD and NIC Teaming......................................................................................................................................................844
Important Points to Remember.......................................................................................................................................844
Configuring Uplink Failure Detection.............................................................................................................................. 845
Clearing a UFD-Disabled Interface..................................................................................................................................846
Displaying Uplink Failure Detection................................................................................................................................. 847
Sample Configuration: Uplink Failure Detection............................................................................................................848
56 Upgrade Procedures............................................................................................................... 850
57 Virtual LANs (VLANs).............................................................................................................. 851
Default VLAN......................................................................................................................................................................851
Port-Based VLANs............................................................................................................................................................852
VLANs and Port Tagging................................................................................................................................................. 852
Configuration Task List.....................................................................................................................................................853
Creating a Port-Based VLAN.....................................................................................................................................853
Assigning Interfaces to a VLAN.................................................................................................................................853
Moving Untagged Interfaces..................................................................................................................................... 854
Assigning an IP Address to a VLAN.......................................................................................................................... 855
Configuring Native VLANs...............................................................................................................................................856
Enabling Null VLAN as the Default VLAN...................................................................................................................... 856
58 Virtual Link Trunking (VLT)..................................................................................................... 857
Overview............................................................................................................................................................................ 857
VLT Terminology......................................................................................................................................................... 859
Layer-2 Traffic in VLT Domains.................................................................................................................................859
Interspersed VLANs....................................................................................................................................................860
VLT on Core Switches.................................................................................................................................................861
Enhanced VLT.............................................................................................................................................................. 861
Configure Virtual Link Trunking....................................................................................................................................... 862
Important Points to Remember.................................................................................................................................862
Configuration Notes....................................................................................................................................................863
Primary and Secondary VLT Peers........................................................................................................................... 866
RSTP and VLT............................................................................................................................................................. 866
VLT Bandwidth Monitoring........................................................................................................................................ 867
VLT and Stacking........................................................................................................................................................ 867
VLT and IGMP Snooping............................................................................................................................................ 867
VLT IPv6.......................................................................................................................................................................867
VLT Port Delayed Restoration................................................................................................................................... 867
PIM-Sparse Mode Support on VLT.......................................................................................................................... 868
VLT Routing ................................................................................................................................................................869
Non-VLT ARP Sync.....................................................................................................................................................872
RSTP Configuration.......................................................................................................................................................... 872
Preventing Forwarding Loops in a VLT Domain...................................................................................................... 872
Sample RSTP configuration....................................................................................................................................... 873
Configuring VLT...........................................................................................................................................................873
PVST+ Configuration........................................................................................................................................................ 881
Peer Routing Configuration Example..............................................................................................................................882
Dell-1 Switch Configuration........................................................................................................................................883
Dell-2 Switch Configuration....................................................................................................................................... 887
R1 Configuration.......................................................................................................................................................... 890
Access Switch A1 Configurations and Verification.................................................................................................. 891
eVLT Configuration Example............................................................................................................................................891
PIM-Sparse Mode Configuration Example.................................................................................................................... 894
Verifying a VLT Configuration......................................................................................................................................... 894
Additional VLT Sample Configurations........................................................................................................................... 897
Troubleshooting VLT........................................................................................................................................................ 899
Reconfiguring Stacked Switches as VLT.......................................................................................................................900
Specifying VLT Nodes in a PVLAN.................................................................................................................................900
Configuring a VLT VLAN or LAG in a PVLAN............................................................................................................... 903
Creating a VLT LAG or a VLT VLAN.........................................................................................................................903
Associating the VLT LAG or VLT VLAN in a PVLAN..............................................................................................904
Proxy ARP Capability on VLT Peer Nodes.................................................................................................................... 905
VLT Nodes as Rendezvous Points for Multicast Resiliency........................................................................................906
Configuring VLAN-Stack over VLT................................................................................................................................ 906
IPv6 Peer Routing in VLT Domains Overview...............................................................................................................909
Configure BFD in VLT Domain......................................................................................................................................... 913
Sample BFD configuration in VLT domain................................................................................................................ 913
59 VLT Proxy Gateway................................................................................................................. 918
Proxy Gateway in VLT Domains.......................................................................................................................................918
LLDP VLT Proxy Gateway in a Square VLT Topology............................................................................................ 921
Configuring a Static VLT Proxy Gateway...................................................................................................................... 922
Configuring an LLDP VLT Proxy Gateway.....................................................................................................................922
VLT Proxy Gateway Sample Topology...........................................................................................................................922
VLT Domain Configuration.........................................................................................................................................923
Dell-1 VLT Configuration.............................................................................................................................................923
Dell-2 VLT Configuration............................................................................................................................................924
Dell-3 VLT Configuration............................................................................................................................................925
Dell-4 VLT Configuration............................................................................................................................................926
60 Virtual Extensible LAN (VXLAN)...............................................................................................927
Components of VXLAN network.................................................................................................................................... 928
Functional Overview of VXLAN Gateway......................................................................................................................928
VXLAN Frame Format......................................................................................................................................................929
Configuring and Controlling VXLAN from the NSX Controller GUI............................................................................930
Configuring VxLAN Gateway...........................................................................................................................................934
Connecting to an NVP Controller............................................................................................................................. 934
Advertising VXLAN Access Ports to Controller...................................................................................................... 935
Displaying VXLAN Configurations...................................................................................................................................935
Static Virtual Extensible LAN (VXLAN)......................................................................................................................... 936
Configuring Static VXLAN......................................................................................................................................... 936
Limitations on VXLAN ................................................................................................................................................937
Displaying Static VXLAN Configurations..................................................................................................................937
Disabling MAC Address Learning on Static VXLAN Tunnels.................................................................................938
Preserving 802.1p value across VXLAN tunnels.......................................................................................................... 939
RIOT....................................................................................................................................................................................939
61 Virtual Routing and Forwarding (VRF)...................................................................................... 940
VRF Overview................................................................................................................................................................... 940
VRF Configuration Notes..................................................................................................................................................941
DHCP............................................................................................................................................................................ 942
VRF Configuration.............................................................................................................................................................942
Loading VRF CAM.......................................................................................................................................................942
Creating a Non-Default VRF Instance......................................................................................................................942
Assigning an Interface to a VRF................................................................................................................................ 943
Assigning a Front-end Port to a Management VRF............................................................................................... 943
View VRF Instance Information.................................................................................................................................943
Assigning an OSPF Process to a VRF Instance.......................................................................................................943
Configuring VRRP on a VRF Instance...................................................................................................................... 944
Configuring Management VRF..................................................................................................................................944
Configuring a Static Route.........................................................................................................................................945
Sample VRF Configuration...............................................................................................................................................945
Route Leaking VRFs......................................................................................................................................................... 950
Dynamic Route Leaking....................................................................................................................................................950
Configuring Route Leaking without Filtering Criteria.............................................................................................. 951
Configuring Route Leaking with Filtering................................................................................................................. 953
62 Virtual Router Redundancy Protocol (VRRP)............................................................................ 956
VRRP Overview................................................................................................................................................................ 956
VRRP Benefits...................................................................................................................................................................957
VRRP Implementation...................................................................................................................................................... 957
VRRP Configuration......................................................................................................................................................... 958
Configuration Task List...............................................................................................................................................958
Setting VRRP Initialization Delay...............................................................................................................................965
Sample Configurations..................................................................................................................................................... 966
VRRP in a VRF Configuration.................................................................................................................................... 970
VRRP for IPv6 Configuration.....................................................................................................................................975
63 Debugging and Diagnostics......................................................................................................979
Offline Diagnostics............................................................................................................................................................ 979
Important Points to Remember.................................................................................................................................979
Running Offline Diagnostics....................................................................................................................................... 979
Trace Logs......................................................................................................................................................................... 980
Auto Save on Crash or Rollover...................................................................................................................................... 980
Hardware Watchdog Timer............................................................................................................................................. 980
Enabling Environmental Monitoring................................................................................................................................980
Recognize an Overtemperature Condition.............................................................................................................. 982
Troubleshoot an Over-temperature Condition........................................................................................................982
Recognize an Under-Voltage Condition................................................................................................................... 982
Troubleshoot an Under-Voltage Condition.............................................................................................................. 983
Buffer Tuning.....................................................................................................................................................................983
Troubleshooting Packet Loss.......................................................................................................................................... 984
Displaying Drop Counters...........................................................................................................................................984
Dataplane Statistics.................................................................................................................................................... 985
Display Stack Member Counters...............................................................................................................................986
Enabling Application Core Dumps................................................................................................................................... 988
Mini Core Dumps...............................................................................................................................................................988
Enabling TCP Dumps........................................................................................................................................................989
64 Standards Compliance.............................................................................................................991
IEEE Compliance................................................................................................................................................................ 991
RFC and I-D Compliance..................................................................................................................................................992
General Internet Protocols.........................................................................................................................................992
General IPv4 Protocols...............................................................................................................................................993
General IPv6 Protocols...............................................................................................................................................994
Border Gateway Protocol (BGP)..............................................................................................................................995
Open Shortest Path First (OSPF)............................................................................................................................ 996
Intermediate System to Intermediate System (IS-IS)............................................................................................996
Routing Information Protocol (RIP).......................................................................................................................... 997
Multicast.......................................................................................................................................................................997
Network Management................................................................................................................................................998
MIB Location.................................................................................................................................................................... 1002
65 X.509v3................................................................................................................................1004
Introduction to X.509v3 certificates.............................................................................................................................1004
X.509v3 support in .........................................................................................................................................................1005
Information about installing CA certificates................................................................................................................. 1006
Installing CA certificate............................................................................................................................................. 1007
Information about Creating Certificate Signing Requests (CSR)............................................................................. 1007
Creating Certificate Signing Requests (CSR)........................................................................................................1007
Information about installing trusted certificates..........................................................................................................1008
Installing trusted certificates....................................................................................................................................1008
Transport layer security (TLS).......................................................................................................................................1008
Syslog over TLS.........................................................................................................................................................1009
Online Certificate Status Protocol (OCSP)................................................................................................................. 1009
Configuring OCSP setting on CA............................................................................................................................ 1009
Configuring OCSP behavior..................................................................................................................................... 1009
Configuring Revocation Behavior.............................................................................................................................1010
Configuring OCSP responder preference............................................................................................................... 1010
Verifying certificates........................................................................................................................................................1010
Verifying Server certificates......................................................................................................................................1010
Verifying Client Certificates...................................................................................................................................... 1010
Event logging.................................................................................................................................................................... 1010
1

About this Guide

This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system.
The S5048F-ON platform is available with Dell EMC Networking OS version 9.12(1.0) and beyond.
Though this guide contains information about protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell EMC Networking systems. For complete information about protocols, see the related documentation, including Internet Engineering Task Force (IETF) requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).
Topics:
Audience
Conventions
Related Documents

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 (L2) and Layer 3 (L3) networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
Keyword Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter Parameters are in italics and require a number or word to be entered in the CLI.
{X} Keywords and parameters within braces must be entered in the CLI.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one option.
x||y Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell EMC Networking switches, see the following documents:
Dell EMC Networking OS Command Line Reference Guide
Dell EMC Networking OS Installation Guide
Dell EMC Networking OS Quick Start Guide
Dell EMC Networking OS Release Notes
2

Configuration Fundamentals

The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.
The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
In the Dell EMC Networking OS, after you enter a command, the command is added to the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. Differences are noted in each CLI description and related documentation.
Topics:
Accessing the Command Line
CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Configuration Mode
Configuring alias command

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session.
When the system successfully boots, enter the command line in EXEC mode.
NOTE: You must have a password configured on a virtual terminal line before you can Telnet into the system. Therefore, you must use a console connection when connecting to the system for the first time.
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
DellEMC>

CLI Modes

Different sets of commands are available in each mode.
A command found in one mode cannot be executed from another mode (except for EXEC mode commands with a preceding do command; refer to the do Command section).
You can set user access rights to commands and command modes using privilege levels.
The Dell EMC Networking OS CLI is divided into three major mode levels:
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1 Gigabit Ethernet, 10 Gigabit Ethernet, 25 Gigabit Ethernet, 40 Gigabit Ethernet, 50 Gigabit Ethernet, or 100 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
LINE submode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.
The CLI modes are:
EXEC
EXEC Privilege
CONFIGURATION
  AS-PATH ACL
  CONTROL-PLANE
  CLASS-MAP
  DCB POLICY
  DHCP
    DHCP POOL
  ECMP-GROUP
  EXTENDED COMMUNITY
  FRRP
  INTERFACE
    GIGABIT ETHERNET
    10 GIGABIT ETHERNET
    40 GIGABIT ETHERNET
    25 Gigabit Ethernet
    50 Gigabit Ethernet
    100 Gigabit Ethernet
    INTERFACE RANGE
    LOOPBACK
    MANAGEMENT ETHERNET
    NULL
    PORT-CHANNEL
    TUNNEL
    VLAN
    VRRP
  IP
  IPv6
  IP COMMUNITY-LIST
  IP ACCESS-LIST
    STANDARD ACCESS-LIST
    EXTENDED ACCESS-LIST
  MAC ACCESS-LIST
  LINE
    AUXILIARY
    CONSOLE
    VIRTUAL TERMINAL
  LLDP
    LLDP MANAGEMENT INTERFACE
  MONITOR SESSION
  MULTIPLE SPANNING TREE
  OPENFLOW INSTANCE
  PVST
  PORT-CHANNEL FAILOVER-GROUP
  PREFIX-LIST
  PRIORITY-GROUP
  PROTOCOL GVRP
  QOS POLICY
  RSTP
  ROUTE-MAP
  ROUTER BGP
    BGP ADDRESS-FAMILY
  ROUTER ISIS
    ISIS ADDRESS-FAMILY
  ROUTER OSPF
  ROUTER OSPFV3
  ROUTER RIP
  SPANNING TREE
  TRACE-LIST
  VLT DOMAIN
  VRRP
  UPLINK STATE GROUP
GRUB

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode and slot/port/subport information.
Table 1. Dell EMC Networking OS Command Modes
CLI Command Mode | Prompt | Access Command
EXEC | DellEMC> | Access the router through the console or terminal line.
EXEC Privilege | DellEMC# | From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION | DellEMC(conf)# | From EXEC privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.
NOTE: Access all of the following modes from CONFIGURATION mode.
AS-PATH ACL | DellEMC(config-as-path)# | ip as-path access-list
10 Gigabit Ethernet Interface | DellEMC(conf-if-te-1/49/1)# | interface (INTERFACE modes)
25 Gigabit Ethernet Interface | DellEMC(conf-if-tf-1/1)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | DellEMC(conf-if-fo-1/49/1)# | interface (INTERFACE modes)
50 Gigabit Ethernet Interface | DellEMC(conf-if-fi-1/49/1)# | interface (INTERFACE modes)
100 Gigabit Ethernet Interface | DellEMC(conf-if-hu-1/49)# | interface (INTERFACE modes)
Interface Group | DellEMC(conf-if-group)# | interface (INTERFACE modes)
Interface Range | DellEMC(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | DellEMC(conf-if-lo-0)# | interface (INTERFACE modes)
Management Ethernet Interface | DellEMC(conf-if-ma-1/1)# | interface (INTERFACE modes)
Null Interface | DellEMC(conf-if-nu-0)# | interface (INTERFACE modes)
Port-channel Interface | DellEMC(conf-if-po-1)# | interface (INTERFACE modes)
Tunnel Interface | DellEMC(conf-if-tu-1)# | interface (INTERFACE modes)
VLAN Interface | DellEMC(conf-if-vl-1)# | interface (INTERFACE modes)
STANDARD ACCESS-LIST | DellEMC(config-std-nacl)# | ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | DellEMC(config-ext-nacl)# | ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST | DellEMC(config-community-list)# | ip community-list
AUXILIARY | DellEMC(config-line-aux)# | line (LINE Modes)
CONSOLE | DellEMC(config-line-console)# | line (LINE Modes)
VIRTUAL TERMINAL | DellEMC(config-line-vty)# | line (LINE Modes)
STANDARD ACCESS-LIST | DellEMC(config-std-macl)# | mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | DellEMC(config-ext-macl)# | mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE | DellEMC(config-mstp)# | protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus | DellEMC(config-pvst)# | protocol spanning-tree pvst
PREFIX-LIST | DellEMC(conf-nprefixl)# | ip prefix-list
RAPID SPANNING TREE | DellEMC(config-rstp)# | protocol spanning-tree rstp
REDIRECT | DellEMC(conf-redirect-list)# | ip redirect-list
ROUTE-MAP | DellEMC(config-route-map)# | route-map
ROUTER BGP | DellEMC(conf-router_bgp)# | router bgp
BGP ADDRESS-FAMILY | DellEMC(conf-router_bgp_af)# (for IPv4), DellEMC(conf-routerZ_bgpv6_af)# (for IPv6) | address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP Mode)
ROUTER ISIS | DellEMC(conf-router_isis)# | router isis
ISIS ADDRESS-FAMILY | DellEMC(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF | DellEMC(conf-router_ospf)# | router ospf
ROUTER OSPFV3 | DellEMC(conf-ipv6router_ospf)# | ipv6 router ospf
ROUTER RIP | DellEMC(conf-router_rip)# | router rip
SPANNING TREE | DellEMC(config-span)# | protocol spanning-tree 0
TRACE-LIST | DellEMC(conf-trace-acl)# | ip trace-list
CLASS-MAP | DellEMC(config-class-map)# | class-map
CONTROL-PLANE | DellEMC(conf-control-cpuqos)# | control-plane-cpuqos
DHCP | DellEMC(config-dhcp)# | ip dhcp server
DHCP POOL | DellEMC(config-dhcp-pool-name)# | pool (DHCP Mode)
ECMP | DellEMC(conf-ecmp-group-ecmp-group-id)# | ecmp-group
EIS | DellEMC(conf-mgmt-eis)# | management egress-interface-selection
FRRP | DellEMC(conf-frrp-ring-id)# | protocol frrp
LLDP | DellEMC(conf-lldp)# or DellEMC(conf-if-interface-lldp)# | protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE | DellEMC(conf-lldp-mgmtIf)# | management-interface (LLDP Mode)
LINE | DellEMC(config-line-console) or DellEMC(config-line-vty) | line console or line vty
MONITOR SESSION | DellEMC(conf-mon-sess-sessionID)# | monitor session
OPENFLOW INSTANCE | DellEMC(conf-of-instance-of-id)# | openflow of-instance
PORT-CHANNEL FAILOVER-GROUP | DellEMC(conf-po-failover-grp)# | port-channel failover-group
PRIORITY GROUP | DellEMC(conf-pg)# | priority-group
PROTOCOL GVRP | DellEMC(config-gvrp)# | protocol gvrp
QOS POLICY | DellEMC(conf-qos-policy-out-ets)# | qos-policy-output
SUPPORTASSIST | DellEMC(support-assist)# | support-assist
VLT DOMAIN | DellEMC(conf-vlt-domain)# | vlt domain
VRRP | DellEMC(conf-if-interface-type-slot/port-vrid-vrrp-group-id)# | vrrp-group
UPLINK STATE GROUP | DellEMC(conf-uplink-state-group-groupID)# | uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
DellEMC(conf)#protocol spanning-tree 0
DellEMC(config-span)#

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command.
The following example shows the output of the do command.
DellEMC(conf)#do show system brief

Stack MAC   : 34:17:eb:37:2d:00
Reload-Type : normal-reload [Next boot : normal-reload]

-- Stack Info --
Unit  UnitType    Status       ReqTyp     CurTyp     Version     Ports
------------------------------------------------------------------------------------
  1   Management  online       S5048F-ON  S5048F-ON  9-12(1-28)  72
  2   Member      not present
  3   Member      not present
  4   Member      not present
  5   Member      not present
  6   Member      not present

-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed  Power  AvgPower  AvgPowerStartTime
--------------------------------------------------------------------------------------------
  1    1   up      AC    up         26144     119    119       10/08/2017-16:11
  1    2   up      AC    up         26848     133    133       10/08/2017-16:11

-- Fan Status --
Unit  Bay  TrayStatus  Fan1  Speed  Fan2  Speed
------------------------------------------------------------------------------------
  1    1   up          up    21370  up    22341
  1    2   up          up    21254  up    21967
  1    3   up          up    21605  up    22090
  1    4   up          up    21487  up    22090

Speed in RPM

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
DellEMC(conf)#interface twentyFiveGigE 1/17
DellEMC(conf-if-tf-1/17)#ip address 192.168.10.1/24
DellEMC(conf-if-tf-1/17)#show config
!
interface twentyFiveGigE 1/17
 ip address 192.168.10.1/24
 no shutdown
DellEMC(conf-if-tf-1/17)#no ip address
DellEMC(conf-if-tf-1/17)#show config
!
interface twentyFiveGigE 1/17
 no ip address
 no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
DellEMC#?
bmp      BMP commands
cd       Change current directory
clear    Reset functions
clock    Manage the system clock
Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
DellEMC(conf)#cl?
class-map
clock
DellEMC(conf)#cl
Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
DellEMC(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
DellEMC(conf)#clock

Entering and Editing Commands

Notes for entering commands.
The CLI is not case-sensitive.
You can enter partial CLI keywords.
Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The UP and DOWN arrow keys display previously entered commands (refer to Command History).
The BACKSPACE and DELETE keys erase the previous letter.
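The partial-keyword rule above matters when you search captured session transcripts, because the text a user typed may be an abbreviation rather than the full command. The following Python sketch is an added example, not Dell EMC code: it expands abbreviated, case-insensitive input to full keywords and rejects ambiguous input such as cl. The keyword tree is a constructed subset of commands named in this guide, and letting an exact keyword win over longer keywords that start with it (ip versus ipv6) is an assumption.

```python
"""Expand abbreviated CLI input to full keywords (added example)."""

# Constructed keyword tree: a small subset of CONFIGURATION-mode commands
# taken from this guide. A real switch offers many more keywords, so an
# abbreviation that is unique here may still be ambiguous on a device.
CONF_KEYWORDS = {
    "class-map": {},
    "clock": {"summer-time": {}, "timezone": {}},
    "interface": {},
    "ip": {
        "access-list": {"standard": {}, "extended": {}},
        "as-path": {"access-list": {}},
        "community-list": {},
        "dhcp": {"server": {}},
        "prefix-list": {},
    },
    "ipv6": {"router": {"ospf": {}}},
    "line": {"console": {}, "vty": {}},
    "protocol": {"spanning-tree": {}, "lldp": {}, "gvrp": {}, "frrp": {}},
    "route-map": {},
    "router": {"bgp": {}, "isis": {}, "ospf": {}, "rip": {}},
}


class AmbiguousKeyword(ValueError):
    """The typed letters match more than one keyword."""


class UnknownKeyword(ValueError):
    """The typed letters match no keyword at this position."""


def resolve(token, candidates):
    """Return the single keyword in candidates that token identifies."""
    low = token.lower()                      # the CLI is not case-sensitive
    for keyword in candidates:
        if keyword.lower() == low:           # assumption: exact match wins
            return keyword
    hits = sorted(k for k in candidates if k.lower().startswith(low))
    if not hits:
        raise UnknownKeyword(f"unknown keyword {token!r}")
    if len(hits) > 1:
        raise AmbiguousKeyword(f"ambiguous keyword {token!r}: {', '.join(hits)}")
    return hits[0]


def shortest_unique(keyword, candidates):
    """Return the minimum leading letters that identify keyword."""
    for n in range(1, len(keyword) + 1):
        try:
            if resolve(keyword[:n], candidates) == keyword:
                return keyword[:n]
        except AmbiguousKeyword:
            continue
    raise UnknownKeyword(f"{keyword!r} is not a candidate keyword")


def expand(line, tree=CONF_KEYWORDS):
    """Expand every abbreviated keyword in one command line."""
    tokens = line.split()
    out = []
    if tokens and tokens[0].lower() == "no":  # 'no' precedes the original command
        out.append("no")
        tokens = tokens[1:]
    level = tree
    for i, token in enumerate(tokens):
        if not level:                         # no keywords known past this point:
            out.extend(tokens[i:])            # keep the rest as arguments
            break
        keyword = resolve(token, level)
        out.append(keyword)
        level = level[keyword]
    return " ".join(out)


def normalize_transcript(lines):
    """Map each typed line to its expanded form or a rejection reason."""
    results = []
    for typed in lines:
        try:
            results.append((typed, expand(typed)))
        except ValueError as err:
            results.append((typed, f"rejected: {err}"))
    return results


if __name__ == "__main__":
    # Constructed sample of typed CONFIGURATION-mode input.
    sample = ["pro span 0", "CLO TIME", "no ip acc ext", "cl", "ro bgp"]
    for typed, result in normalize_transcript(sample):
        print(f"{typed!r:18} -> {result}")
    print("clock needs:", shortest_unique("clock", CONF_KEYWORDS))
```

Searching the expanded form instead of the typed form lets one pattern such as "protocol spanning-tree" match every accepted spelling of that command.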
Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key Combination Action
CNTL-A Moves the cursor to the beginning of the command line.
CNTL-B Moves the cursor back one character.
CNTL-D Deletes character at cursor.
CNTL-E Moves the cursor to the end of the line.
CNTL-F Moves the cursor forward one character.
CNTL-I Completes a keyword.
CNTL-K Deletes all characters from the cursor to the end of the command line.
CNTL-L Re-enters the previous command.
CNTL-N Returns to more recent commands in the history buffer after recalling commands with CNTL-P or the UP arrow key.
CNTL-P Recalls commands, beginning with the last command.
CNTL-R Re-enters the previous command.
CNTL-U Deletes the line.
CNTL-W Deletes the previous word.
CNTL-X Deletes the line.
CNTL-Z Ends continuous scrolling of command outputs.
Esc B Moves the cursor back one word.
Esc F Moves the cursor forward one word.
Esc D Deletes all characters from the cursor to the end of the word.

Command History

The Dell EMC Networking OS maintains a history of previously-entered commands for each mode. For example:
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.
Starting with Dell EMC Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For example, the commands:
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TenGigabitEthernet 1/49/1.
show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show system brief command.
Example of the grep Keyword
DellEMC(conf)#do show system brief | grep 2
2 not present
DellEMC(conf)#do show system brief | grep 0
0 not present
DellEMC#show system brief | grep Management
1 Management online S5048F-ON S5048F-ON 9.12(1.0) 72
DellEMC#
NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
Example of the except Keyword
DellEMC#show system brief | except 1
Stack MAC : 4c:76:25:e5:49:40
Reload-Type : normal-reload [Next boot : normal-reload]
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show system brief command.
Example of the find Keyword
DellEMC#show system brief | find Management
1 Management online S5048F-ON S5048F-ON 9-12(1-28) 72
2 Member not present
3 Member not present
4 Member not present
5 Member not present
6 Member not present
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed Power AvgPower AvgPowerStartTime
--------------------------------------------------------------------------
1    1   up     AC   up        26144    119   119      10/08/2017-16:11
1    2   up     AC   up        26816    133   133      10/08/2017-16:11
-- Fan Status --
Unit Bay TrayStatus Fan1 Speed Fan2 Speed
--------------------------------------------------------------------------
1    1   up         up   21370 up   22215
1    2   up         up   21254 up   21967
1    3   up         up   21605 up   22090
1    4   up         up   21487 up   22215
Speed in RPM
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example: DellEMC# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save.

Multiple Users in Configuration Mode

Dell EMC Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:
On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system: User "<username>" on line console0
On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell EMC Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.

Configuring alias command

You can configure shorter alias names for single–line command input using the alias command.
To configure the alias name, perform the following steps:
1. Configure the terminal to enter the Global Configuration mode.
EXEC Privilege mode
DellEMC#configure terminal
2. Configure the system to enter the alias-definition mode.
CONFIGURATION mode
DellEMC(conf)#alias-definition
3. Create the alias name followed by the single–line CLI.
ALIAS DEFINITION CONFIGURATION mode
DellEMC(conf-alias-definition)#alias sr show running-config
4. Display the aliases and their definitions.
EXEC Privilege mode
show alias
Example of the show alias Command
DellEMC# configure terminal
DellEMC(config)# alias-definition
DellEMC(conf-alias-definition)# alias ns no shutdown
DellEMC(conf-alias-definition)# alias 10gint interface twentyFiveGigE $1

Viewing alias configuration

To view the Alias configurations, use the following commands:
1. Display the complete list of aliases and their definitions.
EXEC Privilege mode
DellEMC#show alias
DellEMC# show alias
-----------------------------------------------------------------
Alias Name    Definition
-----------------------------------------------------------------
showipbr10    show ip interface brief | ….
showipbr40    show ip interface brief | ….
shboot        show bootvar…
cr-vlan       interface vlan $1 ..
-----------------------------------------------------------------
Total Alias Configured : 4
-----------------------------------------------------------------
NOTE: The alias definition displays up to 40 characters and you can view the detailed list of definitions using the details option.
2. Display the details of all the aliases that are configured on the system.
EXEC Privilege mode
DellEMC#show alias details
DellEMC# show alias details
-----------------------------------------------------------------
Name: showipbr10
Definition: show ip interface brief | grep tengig ignore-case
-----------------------------------------------------------------
-----------------------------------------------------------------
Name: showipbr40
Definition: show ip interface brief | grep fortygig ignore-case
-----------------------------------------------------------------
DellEMC#
3. Display the details of a specific alias.
EXEC Privilege mode
DellEMC#show alias details showipbr10
DellEMC# show alias details showipbr10
-----------------------------------------------------------------
Name: showipbr10
Definition: show ip interface brief | grep tengig ignore-case
-----------------------------------------------------------------
DellEMC#

Getting Started

This chapter describes how you start configuring your system.
When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration Fundamentals chapter.
Topics:
Console Access
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Configuring the Enable Password
Configuration File Management
Managing the File System
View Command History
Upgrading Dell EMC Networking OS
Using HTTP for File Transfers
Verify Software Images Before Installation

Console Access

The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.

Serial Console

The management ports are on the middle of the system as you face the I/O side of the chassis, as shown in the following illustration. The upper port is the management Ethernet port and the lower port is the RS-232 console port.
Figure 1. RJ-45 Console Port
1. RJ-45 management port.
Accessing the Console Port
To access the console port, follow these steps:
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3. Terminal settings on the console port cannot be changed in the software and are set as follows:
115200 baud rate
No parity
8 data bits
1 stop bit
No flow control
Pin Assignments
You can connect to the console using an RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout   RJ-45 Pinout     DB-9 Pin                Signal
RTS            1              8                8                       CTS
NC             2              7                6                       DSR
TxD            3              6                2                       RxD
GND            4              5                5                       GND
GND            5              4                5                       GND
RxD            6              3                3                       TxD
NC             7              2                4                       DTR
CTS            8              1                7                       RTS

Micro USB-B Access

The Micro USB type B console port is on the I/O side.
The terminal settings are the same for the serial console port and the RS-232/RJ-45 console port:
115200 baud rate
No parity
8 data bits
1 stop bit
No flow control
When you connect the micro USB-B port, it becomes the primary connection and, while connected, all messages are sent to the micro USB-B port.
NOTE: You need to install the appropriate drivers to support the micro USB-B port. For assistance, contact https://www.dell.com/support to download the drivers.
To access the micro USB-B console port, follow these steps.
1. Power on the PC.
2. Connect the USB-A end of cable into an available USB port on the PC.
3. Connect the micro USB-B end of cable into the micro USB-B console port on the system.
4. Power on the system.
5. Install the necessary USB device drivers. (To download the drivers, go to https://www.dell.com/support.) For assistance, contact Dell EMC Networking Technical Support.
6. Open your terminal software emulation program to access the system.
Before starting this procedure, be sure that you have a terminal emulation program already installed on your PC.
7. Confirm that the terminal settings on your terminal software emulation program are as follows:
115200 baud rate
No parity
8 data bits
1 stop bit
No flow control

Default Configuration

Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power it up for the first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is DellEMC.
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the hostname name command in Configuration mode.
DellEMC(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or secure shell (SSH).
The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
You can manage all Dell EMC Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
Accessing the System Remotely
Configuring the system for remote access is a three-step process, as described in the following topics:
1. Configure an IP address for the management port. Refer to Configure the Management Port IP Address.
2. Configure a management route with a default gateway. Refer to Configure a Management Route.
3. Configure a username and password. Refer to Configure a Username and Password.

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.
1. Enter INTERFACE mode for the Management port.
CONFIGURATION mode
interface ManagementEthernet slot/port
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
ip-address: an address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port.
To configure a management route, use the following command.
Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode
management route ip-address/mask gateway
ip-address: the network address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/xx).
gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, configure a system username and password.
To configure a system username and password, use the following command.
Configure a username and password to access the system remotely.
CONFIGURATION mode
username name [access-class access-list-name] [nopassword | {password | secret | sha256-password} [encryption-type] password [dynamic-salt]] [privilege level] [role role-name]
name: Enter a text string up to 63 characters long.
access-class access-list-name: Enter the name of a configured IP ACL.
nopassword: Allows you to configure a user without a password.
password: Allows you to configure a user with a password.
secret: Specify a secret string for a user.
sha256-password: Uses the sha256-based encryption method for the password.
encryption-type: Enter the encryption type for securing a user password. There are four encryption types.
0 — input the password in clear text.
5 — input the password that is already encrypted using MD5 encryption method.
7 — input the password that is already encrypted using DES encryption method.
8 — input the password that is already encrypted using sha256-based encryption method.
password: Enter the password string for the user.
dynamic-salt: Generates an additional random input to the password encryption process whenever the password is configured.
privilege level: Assign a privilege level to the user. The range is from 0 to 15.
role role-name: Assign a role name for the user.
Dell EMC Networking OS encrypts type 5 secret and type 7 password based on the dynamic-salt option such that the encrypted password is different when a user is configured with the same password.
NOTE:
dynamic-salt option is shown only with secret and password options.
In dynamic-salt configuration, the length of type 5 secret and type 7 password is 32 and 16 characters more compared to the secret and password length without dynamic-salt configuration. An error message appears if the username command reaches the maximum length, which is 256 characters.
The dynamic-salt support for the user configuration is added in REST API. For more information on REST support, see Dell EMC Networking Open Automation guide.

Configuring the Enable Password

Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure.
There are three types of enable passwords:
enable password is stored in the running/startup configuration using a DES encryption method.
enable secret is stored in the running/startup configuration using MD5 encryption method.
enable sha256-password is stored in the running/startup configuration using sha256-based encryption method (PBKDF2).
Dell EMC Networking recommends using the enable sha256-password password.
To configure an enable password, use the following command.
Create a password to access EXEC Privilege mode.
CONFIGURATION mode
enable [password | secret | sha256-password] [level level] [encryption-type] password
level: is the privilege level, is 15 by default, and is not required.
encryption-type: specifies how you input the password, is 0 by default, and is not required.
0 is to input the password in clear text.
5 is to input a password that is already encrypted using MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
7 is to input a password that is already encrypted using DES encryption method. Obtain the encrypted password from the configuration file of another device.
8 is to input a password that is already encrypted using sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.
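The following added example, which is not part of the Dell EMC guide, audits a saved configuration file for the credential storage choices described under Configuring a Username and Password and Configuring the Enable Password. The sample configuration, its hash strings, user names and role names are constructed, and the line layout is assumed to follow the username and enable syntax shown above.

```python
from typing import List, NamedTuple, Tuple

# Storage method behind each keyword, as this guide describes them.
METHOD = {
    "password": "DES (type 7)",
    "secret": "MD5 (type 5)",
    "sha256-password": "sha256-based PBKDF2 (type 8)",
}
ENC_TYPES = {"0", "5", "7", "8"}
TRAILERS = {"dynamic-salt", "privilege", "role"}

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """\
hostname R1
!
enable password 7 0f1e2d3c4b5a6978
enable secret level 5 5 00112233445566778899aabbccddeeff
username admin sha256-password 8 placeholderSha256Hash privilege 15
username ops password 7 a1b2c3d4e5f60718 privilege 15
username backup secret 0 ExamplePlaintext1 role netoperator
username kiosk nopassword privilege 1
username audit access-class MGMT-ACL secret 5 ffeeddccbbaa99887766554433221100 role secadmin
"""


class Finding(NamedTuple):
    line_no: int
    subject: str   # "user <name>" or "enable level <n>"
    severity: str  # "high", "medium" or "ok"
    reason: str    # never contains the password or hash itself


def enc_type_at(tokens: List[str], i: int) -> str:
    """Read `[encryption-type] password` starting at tokens[i]."""
    # A digit is the encryption type only when a password string follows it;
    # otherwise the digit is itself the password, entered as type 0.
    if i + 1 < len(tokens) and tokens[i] in ENC_TYPES and tokens[i + 1] not in TRAILERS:
        return tokens[i]
    return "0"


def grade(keyword: str, enc_type: str) -> Tuple[str, str]:
    """Rank one credential; sha256-password is what the guide recommends."""
    if enc_type == "0":
        return "high", f"clear-text {keyword} is readable in the file"
    if keyword == "sha256-password":
        return "ok", f"stored as {METHOD[keyword]}"
    return "medium", f"stored as {METHOD[keyword]}; prefer sha256-password"


def audit(config_text: str) -> List[Finding]:
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3:
            continue
        if tokens[0] == "username":
            subject, i = f"user {tokens[1]}", 2
            if tokens[i] == "access-class":
                i += 2  # skip the keyword and the ACL name
            if i >= len(tokens):
                continue
            if tokens[i] == "nopassword":
                findings.append(Finding(line_no, subject, "high", "account has no password"))
            elif tokens[i] in METHOD:
                findings.append(
                    Finding(line_no, subject, *grade(tokens[i], enc_type_at(tokens, i + 1))))
        elif tokens[0] == "enable" and tokens[1] in METHOD:
            i, level = 2, "15"  # level 15 is the default per the guide
            if tokens[i] == "level" and i + 1 < len(tokens):
                level, i = tokens[i + 1], i + 2
            findings.append(
                Finding(line_no, f"enable level {level}", *grade(tokens[1], enc_type_at(tokens, i))))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Keep only the credentials that are not stored with sha256-password."""
    return [f for f in findings if f.severity != "ok"]


if __name__ == "__main__":
    for f in needs_attention(audit(SAMPLE)):
        print(f"line {f.line_no}: {f.subject}: {f.severity}: {f.reason}")
```

The findings report line numbers and reasons only, so the audit output can be shared without exposing the stored strings.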

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE:
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
To copy a remote file to Dell EMC Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Location                                  source-file-url Syntax                                               destination-file-url Syntax
For a remote file location: FTP server    copy ftp://username:password@{hostip | hostname}/filepath/filename   ftp://username:password@{hostip | hostname}/filepath/filename
For a remote file location: TFTP server   copy tftp://{hostip | hostname}/filepath/filename                    tftp://{hostip | hostname}/filepath/filename
For a remote file location: SCP server    copy scp://{hostip | hostname}/filepath/filename                     scp://{hostip | hostname}/filepath/filename
For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
Important Points to Remember
You may not copy a file from one remote system to another.
You may not copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name system (DNS) server is configured.
The usbflash command is supported on the device. Refer to your system’s Release Notes for a list of approved USB vendors.
Example of Copying a File to an FTP Server
DellEMC#copy flash://FTOS-S5048F-ON-9.12.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/FTOS-S5048F-ON-9.12.1.0.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
DellEMC#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
DellEMC#copy flash://FTOS-S5048F-ON-9.12.1.0.bin ftp://myusername:mypassword@192.168.1.1/file_path/FTOS-S5048F-ON-9.12.1.0.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
54238335 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/FTOS-S5048F-ON-9.12.1.0.bin flash://
Destination file name [FTOS-S5048F-ON-9.12.1.0.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0.bin flash://
Destination file name [Dell-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
DellEMC#copy ftp://myusername:mypassword@192.168.1.1/file_path/FTOS-Z9100-ON-9.8.1.0.bin flash://FTOS-S5048F-ON-9.12.1.0.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
54238335 bytes successfully copied

Mounting an NFS File System

This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system.
The /f10/mnt/nfs directory is the root of all mount-points.
To mount an NFS file system, perform the following steps:
Table 4. Mounting an NFS File System
File Operation                 Syntax
To mount an NFS file system:   mount nfs rhost:path mount-point username password
The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration. As a result, each time the device re-boots, the NFS file system is mounted during start up.
Table 5. Forming a copy Command
Location                                      source-file-url Syntax                                                   destination-file-url Syntax
For a remote file location: NFS File System   copy nfsmount://{<mount-point>}/filepath/filename} username:password   tftp://{hostip | hostname}/filepath/filename
Important Points to Remember
You cannot copy a file from one remote system to another.
You cannot copy a file from one location to the same location.
When copying to a server, you can only use a hostname if a domain name system (DNS) server is configured.
Example of Copying a File to current File System
DellEMC#copy tftp://10.16.127.35/dv-maa-test nfsmount://
Destination file name [dv-maa-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!
44250499 bytes successfully copied
DellEMC#
DellEMC#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.c
User name to login remote host: username
Example of Logging in to Copy from NFS Mount
DellEMC#copy nfsmount:///test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
DellEMC#
DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!
Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
!
24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ?
flash: Copy to local file system ([flash://]filepath)
nfsmount: Copy to nfs mount file system (nfsmount:///filepath)
running-config remote host:
Destination file name [test.c]:
!
225 bytes successfully copied
DellEMC#
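The copy syntax for FTP in Table 3 and the mount nfs syntax in Table 4 both place a password on the command line, so a captured terminal session will contain it. The following added example, which is not part of the Dell EMC guide, masks those passwords in a session transcript before it is archived or shared and notes which transfers use a protocol without transport encryption. The transcript lines, the scp and tftp destinations, and the mount nfs arguments are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# FTP, TFTP and HTTP carry data (and FTP its login) without encryption;
# SCP runs over SSH and HTTPS over TLS.
CLEARTEXT = ("ftp", "tftp", "http")
MASK = "<redacted>"

# scheme://user:password@host, the FTP form of the guide's copy syntax.
USERINFO = re.compile(r"(?P<scheme>[a-z]+)://(?P<user>[^:@/\s]+):(?P<pw>[^@\s]+)@")
# mount nfs rhost:path mount-point username password
MOUNT = re.compile(r"\b(mount nfs \S+ \S+ \S+) \S+")
SCHEME = re.compile(r"\b(ftp|tftp|scp|https?)://")

# Constructed transcript lines modelled on the examples in this section.
TRANSCRIPT = """\
DellEMC#copy flash://FTOS-S5048F-ON-9.12.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/FTOS-S5048F-ON-9.12.1.0.bin
DellEMC#copy running-config scp://10.10.10.10/backups/r1.cfg
DellEMC#copy running-config tftp://10.16.127.35/r1.cfg
DellEMC(conf)#mount nfs 10.16.127.35:/export backup nfsuser nfspass
"""


class Scrubbed(NamedTuple):
    text: str            # the line with passwords masked
    notes: Tuple[str, ...]  # why the line deserves a reviewer's attention


def scrub_line(line: str) -> Scrubbed:
    notes: List[str] = []
    # Keep the scheme, user and host so the transfer stays traceable.
    text, hits = USERINFO.subn(
        lambda m: f"{m['scheme']}://{m['user']}:{MASK}@", line)
    if hits:
        notes.append("password embedded in URL")
    text, hits = MOUNT.subn(rf"\1 {MASK}", text)
    if hits:
        notes.append("password on mount nfs command line")
    # dict.fromkeys de-duplicates while keeping first-seen order.
    for scheme in dict.fromkeys(SCHEME.findall(text)):
        if scheme in CLEARTEXT:
            notes.append(f"{scheme} transfer is not encrypted")
    return Scrubbed(text, tuple(notes))


def scrub_transcript(transcript: str) -> List[Scrubbed]:
    return [scrub_line(line) for line in transcript.splitlines()]


if __name__ == "__main__":
    for item in scrub_transcript(TRANSCRIPT):
        print(item.text)
        for note in item.notes:
            print("    note:", note)
```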

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell EMC Networking recommends copying your running-configuration to the startup-configuration.
The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that the current directory is the internal flash, which is the system default.
Save the running-configuration to the startup-configuration on the internal flash of the primary RPM.
EXEC Privilege mode
copy running-config startup-config
Save the running-configuration to an FTP server.
EXEC Privilege mode
copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
Save the running-configuration to a TFTP server.
EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/filepath/filename
Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration. Commands in the configuration file have precedence over commands in the running configuration.

Configure the Overload Bit for a Startup Scenario

For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system.

Viewing Files

You can only view file information and content on local file systems.
To view a list of files or the contents of a file, use the following commands.
View a list of files on the internal flash.
EXEC Privilege mode
dir flash:
View the running-configuration.
EXEC Privilege mode
show running-config
View the startup-configuration.
EXEC Privilege mode
show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
DellEMC#dir
Directory of flash:
 1 drw-     32768 Jan 01 1980 00:00:00 .
 2 drwx       512 Jul 23 2007 00:38:44 ..
 3 drw-      8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR
 4 drw-      8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR
 5 drw-      8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR
 6 drw-      8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR
 7 d---      8192 Mar 30 1919 10:31:04 ADMIN_DIR
 8 -rw-  33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin
 9 -rw-  27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin
10 -rw-  27674906 Jul 06 2007 19:54:52 boot-image-FILE
11 drw-      8192 Jan 01 1980 00:18:28 diag
12 -rw-      7276 Jul 20 2007 01:52:40 startup-config.bak
13 -rw-      7341 Jul 20 2007 15:34:46 startup-config
14 -rw-  27674906 Jul 06 2007 19:52:22 boot-image
15 -rw-  27674906 Jul 06 2007 02:23:22 boot-flash
--More--
DellEMC#dir flash:
Directory of flash:
 1 drwx      4096 Jan 01 1980 00:00:00 +00:00 .
 2 drwx      3072 Sep 06 2015 12:41:26 +00:00 ..
 3 d---      4096 Aug 09 2015 06:52:28 +00:00 ADMIN_DIR
 4 drwx      4096 Sep 04 2015 18:58:20 +00:00 CONFIG_TEMPLATE
 5 drwx      4096 Aug 09 2015 06:56:32 +00:00 TRACE_LOG_DIR
 6 drwx      4096 Aug 09 2015 06:56:32 +00:00 CONFD_LOG_DIR
 7 drwx      4096 Aug 09 2015 06:56:32 +00:00 CORE_DUMP_DIR
 8 drwx      4096 Aug 09 2015 06:56:32 +00:00 RUNTIME_PATCH_DIR
 9 -rwx     53285 Sep 01 2015 18:08:54 +00:00 TestReport-SU-1.txt
10 -rwx       630 Sep 02 2015 17:53:14 +00:00 TestReportIndividual-SU-1.txt
11 -rwx      2760 Sep 04 2015 18:51:26 +00:00 startup-config
12 -rwx    294418 Sep 04 2015 18:51:36 +00:00 confd_cdb.tar.gz
13 -rwx  54238335 Sep 06 2017 13:04:58 +00:00 FTOS-S5048F-ON-9.12.1.0.bin
flash: 4286574592 bytes total (4170424320 bytes free)
View Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change” and “Startup-config last updated,” you have made changes that have not been saved and are not preserved after a system reboot.
Example of the show running-config Command
DellEMC#show running-config
Current Configuration ...
! Version 9.12(1.0)
! Last configuration change at Tue Mar 11 21:33:56 2017 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2017 by default
!
<output truncated for brevity>
DellEMC#show running-config
Current Configuration ...
! Version 9.4(0.0)
! Last configuration change at Tue Mar 11 21:33:56 2014 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default
!
<output truncated for brevity>
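The timestamp comparison described above can be automated over collected show running-config output. The following added example, which is not part of the Dell EMC guide, parses the two header comments and reports whether the running configuration holds unsaved changes and who made them. The first sample is the header from the example above; the second is constructed, and the header layout is assumed to match the example exactly.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, NamedTuple, Tuple

CHANGED = "Last configuration change"
SAVED = "Startup-config last updated"

# "! <kind> at Tue Mar 11 21:33:56 2017 by admin". The weekday is matched
# but not parsed, so a mismatched weekday cannot affect the comparison.
HEADER = re.compile(
    r"^! (?P<kind>" + CHANGED + "|" + SAVED + r") at \w{3} "
    r"(?P<when>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) by (?P<user>\S+)$"
)

# Header copied from the show running-config example on this page.
PAGE_EXAMPLE = """\
Current Configuration ...
! Version 9.12(1.0)
! Last configuration change at Tue Mar 11 21:33:56 2017 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2017 by default
!
hostname R1
"""

# Constructed: the change and the save carry the same timestamp.
SAVED_EXAMPLE = """\
Current Configuration ...
! Version 9.12(1.0)
! Last configuration change at Tue Mar 11 21:33:56 2017 by admin
! Startup-config last updated at Tue Mar 11 21:33:56 2017 by admin
!
hostname R1
"""


class Status(NamedTuple):
    unsaved: bool        # True when the last change is newer than the last save
    changed_by: str
    saved_by: str
    gap: timedelta       # last change minus last save


def read_header(config_text: str) -> Dict[str, Tuple[datetime, str]]:
    found: Dict[str, Tuple[datetime, str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            # Collapse padded day numbers ("Mar  1") before parsing.
            stamp = " ".join(m["when"].split())
            found[m["kind"]] = (datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m["user"])
        elif found and not line.startswith("!"):
            break  # the comment header is over; stop before the config body
    return found


def unsaved_changes(config_text: str) -> Status:
    header = read_header(config_text)
    if CHANGED not in header or SAVED not in header:
        raise ValueError("configuration header comments not found")
    changed_at, changed_by = header[CHANGED]
    saved_at, saved_by = header[SAVED]
    return Status(changed_at > saved_at, changed_by, saved_by, changed_at - saved_at)


if __name__ == "__main__":
    status = unsaved_changes(PAGE_EXAMPLE)
    print(f"unsaved={status.unsaved} by={status.changed_by} gap={status.gap}")
```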

Managing the File System

The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files.
The system stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information, use the following command.
View information about each file system.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
DellEMC#show file-systems
    Size(b)     Free(b) Feature     Type      Flags Prefixes
 4286574592  4213125120 FAT32       USERFLASH rw    flash:
          -           - unformatted USERFLASH rw    fcmfs:
15345991680 15162228736 FAT32       USBFLASH  rw    usbflash:
  283115520    53760000 Unknown     NFSMOUNT  rw    nfsmount:
          -           - -           network   rw    ftp:
          -           - -           network   rw    tftp:
          -           - -           network   rw    scp:
          -           - -           network   rw    http:
          -           - -           network   rw    https:
DellEMC#show file-systems
    Size(b)     Free(b) Feature     Type      Flags Prefixes
  520962048   213778432 dosFs2.0    USERFLASH rw    flash:
  127772672    21936128 dosFs2.0    USERFLASH rw    slot0:
          -           - -           network   rw    ftp:
          -           - -           network   rw    tftp:
          -           - -           network   rw    scp:
You can change the default file system so that file management commands apply to a particular device or memory.
To change the default directory, use the following command.
Change the default directory.
EXEC Privilege mode
cd directory

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved to the file.
NOTE:
The timestamps display format of the show command history output changes based on the service timestamps log datetime configuration. The time format can be in uptime, local time zone time or UTC time.
If timestamp is disabled (no service timestamps log) then command history time format is shown with timestamp defaults (service timestamps log datetime localtime).
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Example 1: Default configuration service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
Example 3: service timestamps log uptime
DellEMC(conf)#service timestamps log uptime
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC# show command-history
- Repeated 1 time.
[1d0h26m]: CMD-(CLI):[configure]by default from console
- Repeated 1 time.
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
- Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console
- Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console
- Repeated 5 times.
[May 17 15:53:44]: CMD-(CLI):[show logging]by default from console
[May 17 15:53:53]: CMD-(CLI):[show command-history]by default from console
[May 17 15:54:54]: CMD-(CLI):[end]by default from console
[May 17 15:55:00]: CMD-(CLI):[show logging]by default from console
[May 17 15:55:12]: CMD-(CLI):[show clock]by default from console
[May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console
[May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console

Upgrading Dell EMC Networking OS

To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.
You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.

Using HTTP for File Transfers

Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command.
Enter the following source-file-url keywords and information:
To copy a file from the internal FLASH, enter flash:// followed by the filename.
To copy the running configuration, enter the keyword running-config.
To copy the startup configuration, enter the keyword startup-config.
To copy a file on the USB device, enter usbflash:// followed by the filename.
In Dell EMC Networking OS release 9.8(0.0), HTTP services support VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
NOTE:
You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting.
When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF.
However, these changes are backward-compatible and do not affect existing behavior; that is, you can still use the ip http source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
NOTE: If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up.
To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
Configure an HTTP client with a VRF that is used to connect to the HTTP server. CONFIGURATION MODE
DellEMC(conf)#ip http vrf {management | <vrf-name>}

Verify Software Images Before Installation

To validate the software image on the flash drive, you can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed. The validation calculates a hash value of the downloaded image file on the system’s flash drive and, optionally, compares it to a Dell EMC Networking published hash for that file.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file and comparing the result to the hash published for that file on iSupport provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, prevents the installation of corrupted or modified images.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which displays whether it matches the calculated hash of the indicated file.
To validate a software image:
1. Download Dell EMC Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file displays next to the software image file on the iSupport page.
2. Go on to the Dell EMC Networking system and copy the software image to the flash drive, using the copy command.
3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image is transferred to the system, but before you install the image, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
md5: MD5 message-digest algorithm
sha256: SHA256 Secure Hash Algorithm
flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name.
hash-value: (Optional). Specify the relevant hash published on iSupport.
img-file: Enter the name of the Dell EMC Networking software image file to validate
Examples: Without Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name
Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
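The same comparison can be made on the local FTP or TFTP server in step 1, before the image is ever copied to the switch. The following Python script is an added example, not Dell EMC code: it infers MD5 or SHA256 from the length of the published hash, hashes the file in chunks, and builds the verify command line to repeat on the switch. The file name example-image.bin and the 3-byte file contents are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex-digest length -> keyword used by the switch's verify {md5 | sha256} command.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def normalize_published_hash(text):
    """Clean a hash pasted from a web page and infer the algorithm from its length."""
    value = "".join(text.split()).lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in ALGO_BY_HEX_LEN:
        raise ValueError("not an MD5 or SHA256 hex digest: %r" % text)
    return ALGO_BY_HEX_LEN[len(value)], value


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large image never has to fit in memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_image(path, published_hash):
    """Compare the local file against the published hash (steps 1 and 4)."""
    algo, expected = normalize_published_hash(published_hash)
    actual = file_digest(path, algo)
    return {
        "algo": algo,
        "actual": actual,
        "match": hmac.compare_digest(actual, expected),
        # Step 3: the same check, to be repeated on the switch after the copy.
        "switch_command": "verify %s flash://%s %s"
                          % (algo, os.path.basename(path), expected),
    }


def demo():
    """Run the check on a constructed 3-byte stand-in for an image file."""
    # Constructed sample values: SHA256 and MD5 of the bytes b"abc".
    sha256_abc = "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"
    md5_abc = "900150983cd24fb0d6963f7d28e17f72"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example-image.bin")  # hypothetical file name
        with open(path, "wb") as handle:
            handle.write(b"abc")
        good = check_image(path, sha256_abc)
        good_md5 = check_image(path, md5_abc)
        with open(path, "ab") as handle:  # simulate a corrupted or modified copy
            handle.write(b"\x00")
        modified = check_image(path, sha256_abc)
    return {"good": good, "good_md5": good_md5, "modified": modified}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["algo"], "MATCH" if result["match"] else "MISMATCH")
        print("  on the switch:", result["switch_command"])
```

When both hashes are published, compare the SHA256 value: MD5 collisions are practical, so an MD5 match only rules out accidental corruption.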

Management

This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Topics:
Configuring Privilege Levels
Configuring Logging
Log Messages in the Internal Buffer
Disabling System Logging
Sending System Messages to a Syslog Server
Track Login Activity
Limit Concurrent Login Sessions
Enabling Secured CLI Mode
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
Reloading the system
Restoring the Factory Default Settings

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level      Description
Level 0    Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Level 1    Access to the system begins at EXEC mode, and all commands are available.
Level 15   Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based Access Control.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.

Allowing Access to Different Modes

This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes.
Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want to allow access using the privilege {interface | line | route-map | router} level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Allow access to CONFIGURATION mode. CONFIGURATION mode
privilege exec level level configure
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command. CONFIGURATION mode
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...|| command}
The configuration in the following example creates privilege level 3. This level:
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE tengigabitethernet and LINE modes, with no commands
DellEMC#show running-config privilege
!
privilege exec level 3 configure
privilege exec level 4 resequence
privilege configure level 3 line
privilege configure level 3 interface tengigabitethernet
DellEMC#telnet 10.11.80.201
DellEMC#?
configure    Configuring from terminal
disable      Turn off privileged commands
enable       Turn on privileged commands
ethernet     Ethernet commands
exit         Exit from the EXEC
ip           Global IP subcommands
ipv6         Global IPv6 subcommands
monitor      Monitoring feature
ping         Send echo messages
quit         Exit from the EXEC
show         Show running system information
DellEMC#config
DellEMC(conf)#do show priv
Current privilege level is 3.
DellEMC(conf)#?
end          Exit from configuration mode
exit         Exit from configuration mode
interface    Select an interface to configure
line         Configure a terminal line
DellEMC(conf)#
DellEMC(conf)#interface ?
tengigabitethernet    TenGigabit Ethernet interface
DellEMC(conf)#
DellEMC(conf)#interface twentyFiveGigE 1/26
DellEMC(conf-if-tf-1/26)#?
end          Exit from configuration mode
exit         Exit from interface configuration mode
DellEMC(conf-if-tf-1/26)#exit
DellEMC(conf)#
DellEMC(conf)#line ?
console      Primary terminal line
vty          Virtual terminal
DellEMC(conf)#line vty 0
DellEMC(config-line-vty)#exit
DellEMC(conf)#
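For a least-privilege review, the privilege lines from show running-config privilege can be evaluated offline. The following Python script is an added example, not part of Dell EMC Networking OS: it applies the rule that a user can access all commands at his privilege level and below, and it lists grants whose own level has not been given the command that enters the mode. The extra line privilege interface level 2 shutdown is a constructed input.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "mode level command")

# privilege {exec | configure | interface | line | route-map | router} level N keywords...
RULE_RE = re.compile(
    r"^privilege (exec|configure|interface|line|route-map|router) level (\d+) (.+)$")

# The four privilege lines shown in the example output above.
PAGE_CONFIG = """\
!
privilege exec level 3 configure
privilege exec level 4 resequence
privilege configure level 3 line
privilege configure level 3 interface tengigabitethernet
"""

# Constructed line, not from the page: an INTERFACE mode grant at level 2.
CONSTRUCTED_EXTRA = "privilege interface level 2 shutdown\n"


def parse_privilege_config(text):
    """Return the privilege rules found in running-config text."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line.strip())
        if match:
            mode, level, command = match.groups()
            rules.append(Rule(mode, int(level), " ".join(command.split())))
    return rules


def effective_access(rules, user_level):
    """Re-levelled commands per mode that a user at user_level can run.

    A user can access all commands at his privilege level and below, so
    every rule whose level is <= user_level applies.
    """
    access = {}
    for rule in rules:
        if rule.level <= user_level:
            access.setdefault(rule.mode, []).append(rule.command)
    return {mode: sorted(commands) for mode, commands in access.items()}


def _has_gate(rules, mode, keyword, level):
    """True if `keyword` is allowed in `mode` at `level` or below."""
    return any(r.mode == mode and r.level <= level and r.command.split()[0] == keyword
               for r in rules)


def grants_without_mode_entry(rules):
    """Rules whose own level cannot enter the mode the rule applies to.

    CONFIGURATION mode needs `privilege exec level N configure`; INTERFACE,
    LINE, ROUTE-MAP and ROUTER modes also need the mode-entering command
    allowed with `privilege configure level N ...`. Level 15 has everything.
    """
    flagged = []
    for rule in rules:
        if rule.mode == "exec" or rule.level >= 15:
            continue
        reachable = _has_gate(rules, "exec", "configure", rule.level)
        if rule.mode != "configure":
            reachable = reachable and _has_gate(rules, "configure", rule.mode, rule.level)
        if not reachable:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    page_rules = parse_privilege_config(PAGE_CONFIG)
    for level in (2, 3, 4):
        print("level", level, effective_access(page_rules, level))
    extra_rules = parse_privilege_config(PAGE_CONFIG + CONSTRUCTED_EXTRA)
    print("no mode entry:", grants_without_mode_entry(extra_rules))
```

For level 3 the result matches the session above: configure is available in EXEC mode, resequence is not, and CONFIGURATION mode offers only interface tengigabitethernet and line.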

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging

The Dell EMC Networking OS tracks changes in the system using event and error messages.
By default, Dell EMC Networking OS logs these messages on:
the internal buffer
console and terminal lines
any configured syslog servers
To disable logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs.
The following is the configuration task list for audit and security logs:
Enabling Audit and Security Logs
Displaying Audit and Security Logs
Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist of the following:
User logins to the switch.
System events for network issues or system issues.
Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.
Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:
Establishment of secure traffic flows, such as SSH.
Violations on secure flows or certificate issues.
Adding and deleting of users.
User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration)
Important Points to Remember
When you enable RBAC and extended logging:
Only the system administrator user role can execute this command.
The system administrator and system security administrator user roles can view security events and system events.
The system administrator user roles can view audit, security, and system events.
Only the system administrator and security administrator user roles can view security logs.
The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Enabling Audit and Security Logs
DellEMC(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
For information about the logging extended command, see Enabling Audit and Security Logs.
Example of the show logging auditlog Command
DellEMC#show logging auditlog
May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
DellEMC#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
DellEMC# clear logging auditlog
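The audit-log lines above and the show command-history lines in View Command History both record who ran which command and from where, so exported copies can be screened for commands that reduce or erase logging. The following Python script is an added example, not Dell EMC code: the watch list contains only commands documented in this guide, and the sample lines are constructed in the two formats shown on this page.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "source timestamp user origin command")

# show logging auditlog:
#   May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): \S+: "
    r"%CLI-\d-(?P<cmd>.+) by (?P<user>\S+) from (?P<origin>.+)$")

# show command-history (timestamp is a datetime or an uptime such as 1d0h26m):
#   [May 17 15:53:10]: CMD-(CLI):[write memory]by default from console
HISTORY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: CMD-\([^)]+\):\[(?P<cmd>.*)\]by (?P<user>\S+) from (?P<origin>.+)$")

# "- Repeated 1 time." markers carry no command of their own.
REPEAT_RE = re.compile(r"^-?\s*Repeated \d+ times?\.$")

# Commands documented in this guide that reduce or erase logging.
WATCHED = (
    "no logging on",
    "no logging buffer",
    "no logging monitor",
    "no logging console",
    "no service timestamps log",
    "clear logging auditlog",
)

# Constructed sample lines in the two formats shown on this page.
SAMPLE = """\
May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:21:03: DellEMC#: %CLI-6-no logging console by admin from vty0 (10.14.1.98)
May 12 12:21:30: DellEMC#: %CLI-6-clear logging auditlog by admin from vty0 (10.14.1.98)
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
 - Repeated 1 time.
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
[1d0h26m]: CMD-(CLI):[configure]by default from console
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
"""


def parse_line(line):
    """Return an Event for an audit-log or command-history line, else None."""
    line = line.strip()
    for source, pattern in (("auditlog", AUDIT_RE), ("command-history", HISTORY_RE)):
        match = pattern.match(line)
        if match:
            command = " ".join(match.group("cmd").split()).lower()
            return Event(source, match.group("ts"), match.group("user"),
                         match.group("origin"), command)
    return None


def scan(text):
    """Return (findings, unparsed): watched commands and lines in neither format."""
    findings, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or REPEAT_RE.match(line):
            continue
        event = parse_line(line)
        if event is None:
            unparsed.append(line)  # keep these visible: the format may have changed
        elif any(event.command == w or event.command.startswith(w + " ")
                 for w in WATCHED):
            findings.append(event)
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = scan(SAMPLE)
    for event in hits:
        print("%s [%s] %s from %s: %s" % (event.timestamp, event.source,
                                         event.user, event.origin, event.command))
    print("lines not in either format:", len(skipped))
```

Because clear logging auditlog removes the on-switch record, run this kind of check against the copy held on the syslog server.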

Configuring Logging Format

To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log message formats:
0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol
1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
DellEMC(conf)#logging version ?
<0-1> Select syslog version (default = 0)
DellEMC(conf)#logging version 1

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3. Configure logging to a local host. localhost is “127.0.0.1” or “::1”.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
DellEMC(conf)# logging localhost tcp port
DellEMC(conf)#logging 127.0.0.1 tcp 5140

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
Disable System Logging
Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers.
To disable system logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
You can export system logs to an external server that is connected through a different VRF.

Configuring a UNIX System as a Syslog Server

To configure a UNIX System as a syslog server, use the following command.
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
Add line on a 4.1 BSD UNIX system.
local7.debugging /var/log/ftos.log
Add line on a 5.7 SunOS UNIX system.
local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Track Login Activity

Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login. The system stores the number of unsuccessful login attempts that have occurred in the last 30 days by default. You can change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from the configuration mode.

Restrictions for Tracking Login Activity

These restrictions apply for tracking login activity:
Only the system and security administrators can configure login activity tracking and view the login activity details of other users.
Login statistics are not applicable for login sessions that do not use user names for authentication. For example, the system does not report login activity for a telnet session that prompts only for a password.

Configuring Login Activity Tracking

To enable and configure login activity tracking, follow these steps:
1. Enable login activity tracking. CONFIGURATION mode
login statistics enable
After enabling login statistics, the system stores the login activity details for the last 30 days.
2. (Optional) Configure the number of days for which the system stores the user login statistics. The range is from 1 to 30. CONFIGURATION mode
login statistics time-period days
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
DellEMC(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
DellEMC(config)#login statistics enable
DellEMC(config)#login statistics time-period 12

Display Login Statistics

To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
DellEMC#show login statistics
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.
DellEMC#show login statistics all
------------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------------
------------------------------------------------------------------
User: admin1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin2
Last login time: 12:49:27 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin3
Last login time: 13:18:42 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
DellEMC# show login statistics user admin
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
The following is sample output of the show login statistics unsuccessful-attempts command.
DellEMC# show login statistics unsuccessful-attempts
There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s).
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.
DellEMC# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.
DellEMC# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
The following is sample output of the show login statistics successful-attempts command.
DellEMC#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).

Limit Concurrent Login Sessions

Dell EMC Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions.
By default, you can use all 10 VTY lines, one console line, and one auxiliary line. You can limit the number of available sessions using the login concurrent-session limit command and so restrict each user to that specific number of sessions. You can optionally configure the system to provide an option to the users to clear any of their existing sessions. To restrict the total amount of VTY lines using ACL, see the Denying and Permitting Access to a Terminal Line section.

Restrictions for Limiting the Number of Concurrent Sessions

These restrictions apply for limiting the number of concurrent sessions:
Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.

Configuring Concurrent Session Limit

To configure concurrent session limit, follow this procedure:
Limit the number of concurrent sessions for each user. CONFIGURATION mode
login concurrent-session limit number-of-sessions
The following example limits the permitted number of concurrent login sessions to 4.
DellEMC(config)#login concurrent-session limit 4

Enabling the System to Clear Existing Sessions

To enable the system to clear existing login sessions, follow this procedure:
Use the following command. CONFIGURATION mode
login concurrent-session clear-line enable
NOTE: If both concurrent sessions and the maximum number of VTY lines used are the same, the next or the following attempt will be unsuccessful and the system displays an access denied message. It is not possible to attempt after clearing one of the existing sessions, as user authentication has to happen first and before clearing the existing login sessions. During the next authentication attempt, the system does not allow any attempt to login since the maximum number of VTY sessions has been reached, and hence there is no clear-line option.
NOTE: If the maximum number of VTY lines is more than the concurrent sessions and the same user is attempting to login a second time or more, the system displays the Maximum concurrent sessions for the user reached message. You are allowed to clear the existing session and login. If you do not want to clear any of the existing sessions, the system does not allow any attempt to login since the maximum number of concurrent sessions has been reached, even though more VTY lines are available. You are allowed to login as a different user as more VTY lines are available.
The following example enables you to clear your existing login sessions.
DellEMC(config)#login concurrent-session clear-line enable
Example of Clearing Existing Sessions
When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:
$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line       Location
2 vty 0    10.14.1.97
3 vty 1    10.14.1.97
Clear existing session? [line number/Enter to cancel]:
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to login.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
Line       Location
2 vty 0    10.14.1.97
3 vty 1    10.14.1.97
4 vty 2    10.14.1.97
5 vty 3    10.14.1.97
Kill existing session? [line number/Enter to cancel]:

Enabling Secured CLI Mode

The secured CLI mode prevents the users from enhancing the permissions or promoting the privilege levels.
Enter the following command to enable the secured CLI mode: CONFIGURATION Mode
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location.
The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console. CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode
logging history level
Specify the size of the logging buffer. CONFIGURATION mode
logging buffered size
NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that Dell EMC Networking OS saves to its logging history table. CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
DellEMC#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 75 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Oct 10 10:43:47 %S5048F-ON:1 %POLLMGR-2-USER_FLASH_STATE: USB flash disk removed from 'usbflash:'
Oct 10 10:43:46 %S5048F-ON:1 %KERN-2-INT: umass0: detached
Oct 10 10:43:46 %S5048F-ON:1 %KERN-2-INT: scsibus0: detached
Oct 10 10:43:46 %S5048F-ON:1 %KERN-2-INT: sd0: detached
Oct 10 10:43:46 %S5048F-ON:1 %KERN-2-INT: sd0(umass0:0:0:0): generic HBA error
Oct 10 10:43:45 %S5048F-ON:1 %KERN-2-INT: umass0: at uhub1 port 1 (addr 3) disconnected
Oct 10 10:16:22 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.16.127.143 )by admin
Oct 10 10:07:32 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 ( 10.16.127.143 ) for user admin
Oct 10 10:07:25 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 9 22:40:50 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated on console (Reason : Idle TimeOut)
Oct 9 22:30:46 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful on console
Oct 9 17:16:45 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 1
Oct 9 17:16:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 2
Oct 9 17:14:56 %S5048F-ON:1 %IFAGT-5-REMOVED_OPTICS_PLUS: Optics SFP+ removed in slot 1 port 2
Oct 9 17:14:39 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 2
Oct 9 17:10:47 %S5048F-ON:1 %IFAGT-5-REMOVED_OPTICS_PLUS: Optics SFP+ removed in slot 1 port 4
Oct 9 17:10:41 %S5048F-ON:1 %IFAGT-5-REMOVED_OPTICS_PLUS: Optics SFP+ removed in slot 1 port 2
Oct 9 17:09:33 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 ( 10.16.127.143 ) (Reason : Idle TimeOut)
Oct 9 16:44:33 %S5048F-ON:1 %IFAGT-5-REMOVED_OPTICS_SFP28: Optics SFP28 removed in slot 1 port 19
Oct 9 16:39:33 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated on console (Reason : Idle TimeOut)
Oct 9 16:29:32 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on console
Oct 9 16:29:28 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful on console
Oct 9 16:19:50 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 ( 10.16.127.143 ) for user admin
Oct 9 16:19:46 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 9 16:19:07 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 ( 10.16.127.143 ) (Reason : Idle TimeOut)
Oct 9 15:48:32 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 ( 10.16.127.143 ) for user admin
Oct 9 15:48:26 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 9 15:02:06 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 ( 10.16.127.143 ) (Reason : Idle TimeOut)
Oct 9 14:31:27 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 ( 10.16.127.143 ) for user admin
Oct 9 14:31:24 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 8 22:41:47 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated on console (Reason : Idle TimeOut)
Oct 8 22:31:44 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful on console
Oct 8 16:57:39 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 ( 10.16.127.143 ) (Reason : Idle TimeOut)
Oct 8 16:24:09 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated on console (Reason : Idle TimeOut)
Oct 8 16:17:48 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on vty0 ( 10.16.127.143 ) for user admin
Oct 8 16:17:33 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 8 16:12:14 %STKUNIT1-M:CP %SEC-5-AUTHENTICATION_ENABLE_SUCCESS: Enable authentication success on console
Oct 8 16:12:01 %S5048F-ON:1 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 90 % of the full speed
Oct 8 16:11:57 %S5048F-ON:1 %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 100 % of the full speed
Oct 8 16:11:56 %STKUNIT1-M:CP %CHMGR-5-PSU_FAN_STATUS: Fan 1 in PSU 2 of Unit 1 is up
Oct 8 16:11:56 %STKUNIT1-M:CP %CHMGR-5-PSU_FAN_STATUS: Fan 1 in PSU 1 of Unit 1 is up
Oct 8 16:11:56 %S5048F-ON:1 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 72 % of the full speed
Oct 8 16:11:53 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful on console
Oct 8 16:11:53 %STKUNIT1-M:CP %SUPPORT_ASSIST-3-SUPASSIST_PKG_INSTALLATION_ERROR: Required SMARTSCRIPTS Package(>= 9.7) not found, SupportAssist uninstalled.
Oct 8 16:11:52 %STKUNIT1-M:CP %CLI-6-SECURE_CLI_NOT_ENABLED: CLI security mode not enabled
Oct 8 16:11:52 %STKUNIT1-M:CP %SEC-5-USER_ACC_CREATION_SUCCESS: User account "admin" created or modified by default from console successfully
Oct 8 16:11:52 %STKUNIT1-M:CP %CHMGR-5-FANTRAY_INSERTED: Fan tray 4 of Unit 1 is inserted
Oct 8 16:11:52 %STKUNIT1-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file
Oct 8 16:11:52 %STKUNIT1-M:CP %CHMGR-5-FANTRAY_INSERTED: Fan tray 3 of Unit 1 is inserted
Oct 8 16:11:44 %STKUNIT1-M:CP %CHMGR-5-FANTRAY_INSERTED: Fan tray 2 of Unit 1 is inserted
Oct 8 16:11:42 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 1/1
Oct 8 16:11:42 %STKUNIT1-M:CP %CHMGR-5-FANTRAY_INSERTED: Fan tray 1 of Unit 1 is inserted
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 47
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 38
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 36
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 35
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 26
Oct 8 16:11:41 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_SFP28: Optics SFP28 inserted in slot 1 port 19
Oct 8 16:11:40 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 4
Oct 8 16:11:40 %S5048F-ON:1 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 1 port 2
Oct 8 16:11:40 %STKUNIT1-M:CP %CHMGR-2-SYSTEM_READY: System ready
Oct 8 16:11:40 %STKUNIT1-M:CP %CHMGR-0-PS_UP: Power supply 2 in unit 1 is up
Oct 8 16:11:40 %STKUNIT1-M:CP %CHMGR-5-PEM_INSERTED: Power entry module 2 of unit 1 is inserted
Oct 8 16:11:40 %STKUNIT1-M:CP %CHMGR-0-PS_UP: Power supply 1 in unit 1 is up
Oct 8 16:11:40 %STKUNIT1-M:CP %CHMGR-5-PEM_INSERTED: Power entry module 1 of unit 1 is inserted
Oct 8 16:11:38 %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Ma 1/1
Oct 8 16:11:38 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 1/1
Oct 8 16:11:38 %STKUNIT1-M:CP %CHMGR-5-STACKUNIT_UP: stack-unit 1 is up
Oct 8 16:11:37 %STKUNIT1-M:CP %RAM-5-STACKUNIT_STATE: Stack-unit 1 is in Active State.
Oct 8 16:11:32 %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from stack-unit 1 (type S5048F-ON, 72 ports)
Oct 8 16:11:32 %STKUNIT1-M:CP %CHMGR-5-LPM_CONFIG: Applying the default IPv6 LPM partition config
Oct 8 16:11:32 %STKUNIT1-M:CP %CHMGR-5-STACKUNIT_DETECTED: stack-unit 1 present
Oct 8 16:11:32 %STKUNIT1-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module self-test passed
Oct 8 16:11:31 %STKUNIT1-M:CP %RAM-6-ELECTION_ROLE: Stack-unit 1 is transitioning to Management Stack-unit.
Oct 8 16:11:31 %S5048F-ON:1 %POLLMGR-6-USER_FLASH_INFO: model: SanDisk Ultra firmware: 1.00 serial no: 218891921
DellEMC#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.
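The timestamped buffer lines in the first example above follow a fixed layout: timestamp, %origin, then %FACILITY-severity-MNEMONIC: text. The Python below is an added example, not part of the Dell EMC guide: it parses that layout, applies a numeric severity threshold the way the logging level commands do, and lists %SEC login events whose source address is outside an allowed management range. The 192.0.2.50 line and the allowed range are constructed for illustration; the other sample lines are taken from the example output.

```python
import ipaddress
import re

# Layout seen in the page's `show logging` output:
#   Oct 10 10:07:25 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<origin>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# Matches "for user admin on line vty0 ( 10.16.127.143 )" or just "on console".
SESSION_RE = re.compile(
    r"(?:for user (?P<user>\S+) )?\bon (?:line )?(?P<line>\w+)"
    r"(?: \( (?P<ip>[0-9A-Fa-f.:]+) \))?"
)

# Sample buffer. The vty1 / 192.0.2.50 line is constructed; the rest are from the page.
SAMPLE = """\
Oct 10 10:43:47 %S5048F-ON:1 %POLLMGR-2-USER_FLASH_STATE: USB flash disk removed from 'usbflash:'
Oct 10 10:16:22 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.16.127.143 )by admin
Oct 10 10:07:25 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.16.127.143 )
Oct 10 09:58:02 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty1 ( 192.0.2.50 )
Oct 9 22:40:50 %STKUNIT1-M:CP %SEC-5-LOGOUT: Exec session is terminated on console (Reason : Idle TimeOut)
Oct 9 22:30:46 %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful on console
Oct 8 16:11:52 %STKUNIT1-M:CP %CLI-6-SECURE_CLI_NOT_ENABLED: CLI security mode not enabled
Syslog logging: enabled
"""


def parse_line(line):
    """Return a dict for one buffer line, or None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    return event


def parse_buffer(text):
    """Parse every recognisable message line in a `show logging` capture."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def at_or_below(events, level):
    """Keep events whose numeric severity is at or below `level` (0 is most severe)."""
    return [e for e in events if e["severity"] <= level]


def logins(events):
    """Extract timestamp, user, line and source address from LOGIN_SUCCESS events."""
    found = []
    for e in events:
        if e["facility"] == "SEC" and e["mnemonic"] == "LOGIN_SUCCESS":
            m = SESSION_RE.search(e["text"])
            if m:
                found.append({"ts": e["ts"], **m.groupdict()})
    return found


def unexpected_sources(events, allowed_networks):
    """Return remote logins whose source address is outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for session in logins(events):
        if session["ip"] is None:
            continue  # console login: no network source to check
        addr = ipaddress.ip_address(session["ip"])
        if not any(addr in net for net in nets):
            flagged.append(session)
    return flagged


if __name__ == "__main__":
    parsed = parse_buffer(SAMPLE)
    # 10.16.127.0/24 is an assumed management range for this sample.
    for s in unexpected_sources(parsed, ["10.16.127.0/24"]):
        print("login from outside management range:", s)
```

The buffer lines carry no year and are listed newest first, so the example keeps the timestamp as text instead of converting it.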

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command.
Specify one of the following parameters. CONFIGURATION mode
logging facility [facility-type]
auth (for authorization messages)
cron (for system scheduler messages)
daemon (for system daemons)
kern (for kernel messages)
local0 (for local use)
local1 (for local use)
local2 (for local use)
local3 (for local use)
local4 (for local use)
local5 (for local use)
local6 (for local use)
local7 (for local use)
lpr (for line printer system messages)
mail (for mail system messages)
news (for USENET news messages)
sys9 (system use)
sys10 (system use)
sys11 (system use)
sys12 (system use)
sys13 (system use)
sys14 (system use)
syslog (for syslog messages)
user (for user programs)
uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
DellEMC#

Synchronizing Log Messages

You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1. Enter LINE mode. CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Configure the following parameters for the virtual terminal lines:
number: the range is from zero (0) to 8.
end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print. LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created.
To enable timestamp, use the following command.
Add timestamp to syslog messages. CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] [utc] | uptime]
Specify the following optional parameters:
datetime: To view the timestamp in system local time that includes the local time zone.
localtime: You can add the keyword localtime to view timestamp in system local time that includes the local time zone.
show-timezone: Enter the keyword to include the time zone information in the timestamp.
msec: Enter the keyword msec to include milliseconds in the timestamp.
uptime: To view time since last boot.
utc: Enter the keyword utc to view timestamp in UTC time that excludes the local time zone.
If you do not specify a parameter, Dell EMC Networking OS configures datetime as localtime by default.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
Example 1: Default configuration service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
DellEMC#show clock
15:42:42.804 IST Fri May 17 2019
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC#show clock
15:47:05.661 IST Fri May 17 2019
Example 3: service timestamps log uptime
DellEMC(conf)#service timestamps log uptime
DellEMC#show clock
15:51:47.534 IST Fri May 17 2019
DellEMC# show version |grep uptime
Dell EMC Networking OS uptime is 1 day(s), 0 hour(s), 25 minute(s)
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC#show clock
15:55:12.246 IST Fri May 17 2019
DellEMC# show command-history
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
 - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console
 - Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console
 - Repeated 5 times.
[May 17 15:53:44]: CMD-(CLI):[show logging]by default from console
[May 17 15:53:53]: CMD-(CLI):[show command-history]by default from console
[May 17 15:54:54]: CMD-(CLI):[end]by default from console
[May 17 15:55:00]: CMD-(CLI):[show logging]by default from console
[May 17 15:55:12]: CMD-(CLI):[show clock]by default from console
[May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console
[May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console
DellEMC# show logging
Syslog logging: enabled
Console logging: disabled
Monitor logging: level debugging
Buffer logging: level debugging, 3 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Last logging buffer cleared: May 17 15:52:54
%STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
 - repeated 3 times
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default

File Transfer Services

With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.
If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table. You can use the ip ftp vrf vrf-name or ip tftp vrf vrf-name command to inform the FTP or TFTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE:
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
Enable FTP Server (mandatory)
Configure FTP Server Parameters (optional)
Configure FTP Client Parameters (optional)

Enabling the FTP Server

To transmit large files, Dell EMC Networking recommends configuring the switch as an FTP server.
To enable the system as an FTP server, use the following command.
Enable FTP on the system. CONFIGURATION mode
ftp-server enable
To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
DellEMC#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
DellEMC#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters.
To configure the FTP server parameters, use the following commands.
Specify the directory for users using FTP to reach the system. CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
username: enter a text string.
encryption-type: enter 0 for plain text or 7 for encrypted text.
password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
Enter the following keywords and the interface information:
For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
For a port channel interface, enter the keywords port-channel then a number.
For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
CONFIGURATION mode
ip ftp source-interface interface
Configure a password. CONFIGURATION mode
ip ftp password password
Enter a username to use on the FTP client. CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles.
Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs). The virtual terminal lines (VTYs) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices such as modems.

Denying and Permitting Access to a Terminal Line

Dell EMC Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
When you use the access-class access-list-name command without specifying the ipv4 or ipv6 attribute, both IPv4 as well as IPv6 rules that are defined in that ACL are applied to the terminal. This method is a generic way of configuring access restrictions.
To filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access-class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different types of access classes with each class processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, use the following command.
Apply an ACL to a VTY line. LINE mode
access-class access-list-name [ipv4 | ipv6]
NOTE: If you already have configured generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
To view the configuration, use the show config command in LINE mode.
DellEMC(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
DellEMC(config-std-nacl)#line vty 0
DellEMC(config-line-vty)#show config
line vty 0
 access-class myvtyacl
DellEMC(conf-ipv6-acl)#do show run acl
!
ip access-list extended testdeny
 seq 10 deny ip 30.1.1.0/24 any
 seq 15 permit ip any any
!
ip access-list extended testpermit
 seq 15 permit ip any any
!
ipv6 access-list testv6deny
 seq 10 deny ipv6 3001::/64 any
 seq 15 permit ipv6 any any
!
DellEMC(conf)#
DellEMC(conf)#line vty 0 0
DellEMC(config-line-vty)#access-class testv6deny ipv6
DellEMC(config-line-vty)#access-class testpermit ipv4
DellEMC(config-line-vty)#show c
line vty 0
 exec-timeout 0 0
 access-class testpermit ipv4
 access-class testv6deny ipv6
!

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line.
A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell EMC Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable: Prompt for the enable password.
line: Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the password command from LINE mode.
local: Prompt for the system username and password.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line. CONFIGURATION mode
login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line. LINE mode
password
In the following example, VTY lines 0-2 use a single authentication method, line.
DellEMC(conf)#aaa authentication login myvtymethodlist line
DellEMC(conf)#line vty 0 2
DellEMC(config-line-vty)#login authentication myvtymethodlist
DellEMC(config-line-vty)#password myvtypassword
DellEMC(config-line-vty)#show config
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 password myvtypassword
 login authentication myvtymethodlist
DellEMC(config-line-vty)#

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines.
To set timeout, use the following commands.
Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the timeout period to 0.
LINE mode
exec-timeout minutes [seconds]
Return to the default timeout values. LINE mode
no exec-timeout
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode.
DellEMC(conf)#line con 0
DellEMC(config-line-console)#exec-timeout 0
DellEMC(config-line-console)#show config
line console 0
 exec-timeout 0 0
DellEMC(config-line-console)#
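The FTP server, terminal-line ACL, login authentication and EXEC timeout sections above each describe a setting that weakens access control when left in a permissive state: a type 0 (plain text) FTP password, a VTY line with no access-class, a method list containing none, and an exec-timeout of 0. The Python below is an added example, not Dell EMC code, that checks a saved show running-config capture for those four conditions. It assumes sub-commands under a line block are indented; the method-list name labmethods and the encrypted-password placeholder are hypothetical.

```python
import re

# Constructed capture in the style of `show running-config`, reusing the page's
# example values. "labmethods" is a hypothetical method-list name.
WEAK = """\
ftp-server enable
ftp-server username nairobi password 0 zanzibar
!
aaa authentication login myvtymethodlist line
aaa authentication login labmethods local none
!
line console 0
 exec-timeout 0 0
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
 access-class myvtyacl
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
!
"""

# The same capture with each finding corrected. The type 7 value is a placeholder.
HARDENED = """\
ftp-server enable
ftp-server username nairobi password 7 <encrypted-placeholder>
!
aaa authentication login myvtymethodlist line
aaa authentication login labmethods local
!
line console 0
 exec-timeout 10 0
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
 access-class myvtyacl
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
 access-class myvtyacl
!
"""


def parse_line_blocks(config):
    """Map 'console 0' / 'vty 1' to the indented sub-commands found under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw[:1].isspace() and raw.strip():
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any unindented command closes the block
    return blocks


def audit(config):
    """Return (rule, subject) findings for the four settings described above."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ftp-server username (\S+) password 0 ", line)
        if m:  # encryption-type 0 means the password is stored as plain text
            findings.append(("ftp-plaintext-password", m.group(1)))
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m and "none" in m.group(2).split():  # 'none' skips authentication
            findings.append(("authn-method-none", m.group(1)))
    for name, cmds in parse_line_blocks(config).items():
        for cmd in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(("exec-timeout-disabled", name))
        if name.startswith("vty") and not any(
            c.startswith("access-class ") for c in cmds
        ):
            findings.append(("vty-no-access-class", name))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(WEAK):
        print(f"{rule}: {subject}")
    print("hardened findings:", audit(HARDENED))
```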

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
Telnet to a device with an IPv4 or IPv6 address. EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, Dell EMC Networking OS enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
DellEMC# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
DellEMC>exit
DellEMC#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
DellEMC#

Lock CONFIGURATION Mode

Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of locks: auto and manual.
Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
DellEMC(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
DellEMC#config
! Locks configuration mode exclusively.
DellEMC(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode.
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.

Reloading the system

You can reload the system using the reload command. To reload the system, follow these steps:
Reload the system into Dell EMC Networking OS. EXEC Privilege mode
reload
Reload the system if a configuration change to the NVRAM requires a device reload. EXEC Privilege mode
reload conditional nvram-cfg-change
Reload the system into the Dell diagnostics mode. EXEC Privilege mode
reload dell-diag
Reload the system into the ONIE mode. EXEC Privilege mode
reload onie [install | uninstall | rescue]
Use the install parameter to reload the system and enter the Install mode to install a networking OS.
Use the uninstall parameter to reload the system and enter the Uninstall mode to uninstall a networking OS.
Use the rescue parameter to reload the system and enter the Rescue mode to access the file system.
The following example shows how to reload the system:
DellEMC# reload
Proceed with reload [confirm yes/no]: yes
The following example shows how to reload the system into Dell diagnostics mode:
DellEMC#reload dell-diag
Proceed with reload [confirm yes/no]: yes
The following example shows how to reload the system into ONIE mode:
DellEMC#reload onie
Proceed with reload [confirm yes/no]: yes
The following example shows how to reload the system into ONIE prompt and enter the install mode directly:
DellEMC#reload onie install
Proceed with reload [confirm yes/no]: yes

Restoring the Factory Default Settings

Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as stacking or fanout.
To restore the factory default settings, use the restore factory-defaults stack-unit {stack-unit-number | all} {clear-all | nvram | bootvar} command in EXEC Privilege mode.
CAUTION: There is no undo for this command.
Important Points to Remember
When you restore all the units in a stack, these units are placed in standalone mode.
When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected.
When you restore the units in standalone mode, the units remain in standalone mode after the restoration.
After the restore is complete, the units power cycle immediately.
The following example illustrates the restore factory-defaults command to restore the factory default settings.
DellEMC#restore factory-defaults stack-unit 1 nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing *
* persistent settings (stacking, fanout, etc.) *
* After restoration the unit(s) will be powercycled immediately. *
* Proceed with caution ! *
***********************************************************************
Proceed with factory settings? Confirm [yes/no]:yes
-- Restore status --
Unit Nvram Config
------------------------
1 Success
Power-cycling the unit(s).
....

Restoring Factory Default Environment Variables

The Boot line determines the location of the image that is used to boot up the chassis after restoring factory default settings. Ideally, these locations contain valid images from which the chassis boots up.
When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
When you use the flash boot procedure to boot the device, the boot loader checks if the primary or the secondary partition contains a valid image. If the primary partition contains a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null String. If the secondary partition contains a valid image, then the primary boot line is set to B: and the secondary and default boot lines are set to a Null String. If both the partitions contain invalid images, then primary, secondary, and default boot line values are set to a Null string.
When you use the Network boot procedure to boot the device, the boot loader checks if the primary partition contains a valid image. If a valid image exists on the primary partition and the secondary partition does not contain a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null string. If the secondary partition also contains a valid image, then the primary boot line value is set to the partition that is configured to be used to boot the device in a network failure scenario. The secondary and default boot line values are set to a Null string.
Important Points to Remember
The chassis remains in boot prompt if none of the partitions contain valid images.
To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
5

802.1X

802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example).
802.1X employs Extensible Authentication Protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell EMC Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell EMC Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell EMC Networking switch is the authenticator.
The authentication server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Dell EMC Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
Port-Authentication Process
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring dot1x Profile
Configuring the Static MAB and MAB Profile
Configuring Critical VLAN
Configuring MAC addresses for a dot1x Profile
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs

Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 5. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
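The following Python example is added here and is not part of the Dell guide or of Dell EMC Networking OS. It walks the attribute TLVs of an Access-Request, reassembles the EAP frame carried in EAP-Message (type 79) attributes, and checks the Message-Authenticator (type 80) that RFC 3579 defines for requests carrying EAP. The shared secret, identity, Calling-Station-Id value and the packet itself are constructed for the example.

```python
import hashlib
import hmac
import struct

CALLING_STATION_ID = 31     # supplicant MAC address, as listed above
EAP_MESSAGE = 79            # EAP-Message TLV type, as stated above
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2 (not covered on this page)


class RadiusError(ValueError):
    """Raised when a packet or its reassembled EAP payload is malformed."""


def split_attributes(packet: bytes):
    """Walk the TLVs after the 20-byte header: [(type, value_offset, value)]."""
    if len(packet) < 20:
        raise RadiusError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise RadiusError("length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise RadiusError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise RadiusError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def reassemble_eap(attrs):
    """Join every EAP-Message value in packet order and check the EAP length."""
    fragments = [value for a_type, _, value in attrs if a_type == EAP_MESSAGE]
    eap = b"".join(fragments)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise RadiusError("EAP length does not match the reassembled fragments")
    return eap, len(fragments)


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed."""
    found = [(off, val) for a_type, off, val in split_attributes(packet)
             if a_type == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # missing, duplicated or wrong size: not authenticated
    offset, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def inspect_access_request(packet: bytes, secret: bytes) -> dict:
    """Summarise what the authentication server sees in this request."""
    attrs = split_attributes(packet)
    eap, count = reassemble_eap(attrs)
    eap_type = eap[4] if len(eap) > 4 else None
    station = next((v for t, _, v in attrs if t == CALLING_STATION_ID), b"")
    return {
        "authentic": message_authenticator_ok(packet, secret),
        "eap_fragments": count,
        "eap_code": eap[0],      # 2 = Response
        "eap_type": eap_type,    # 1 = Identity
        "identity": eap[5:].decode("utf-8", "replace") if eap_type == 1 else None,
        "calling_station_id": station.decode("ascii", "replace"),
    }


def build_sample_request(secret: bytes, identity: bytes, fragment_size: int) -> bytes:
    """Constructed Access-Request carrying an EAP Response/Identity frame."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    station = b"00-50-56-AA-01-10"               # constructed value
    body = bytes([CALLING_STATION_ID, 2 + len(station)]) + station
    for i in range(0, len(eap), fragment_size):  # real fragments hold up to 253 bytes
        chunk = eap[i:i + fragment_size]
        body += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16))
    unsigned = header + body
    return unsigned[:-16] + hmac.new(secret, unsigned, hashlib.md5).digest()


SECRET = b"constructed-shared-secret"
# A small fragment size forces the 22-byte EAP frame into three EAP-Message TLVs.
SAMPLE = build_sample_request(SECRET, b"alice@example.com", fragment_size=10)

if __name__ == "__main__":
    print(inspect_access_request(SAMPLE, SECRET))
    tampered = bytearray(SAMPLE)
    tampered[22] ^= 0x01                         # alter one Calling-Station-Id byte
    print(inspect_access_request(bytes(tampered), SECRET)["authentic"])
```

A request whose Message-Authenticator is missing or does not verify is reported as not authentic, which is the case a RADIUS server has to discard.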

Configuring 802.1X

Configuring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.
Related Configuration Tasks
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN

Important Points to Remember

Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.
The NAS-Port-Type attribute indicates the type of the physical port of the NAS which is authenticating the user. It is used in Access-Request packets. The value of this attribute is set as Ethernet (15) for both EAP and MAB supplicants.

Enabling 802.1X

Enable 802.1X globally.
Figure 7. 802.1X Enabled
1. Enable 802.1X globally. CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only. INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
In the following example, the bold lines show that 802.1X is enabled.
DellEMC#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface twentyFiveGigE 1/1
 no ip address
 dot1x authentication
 no shutdown
!
DellEMC#
To view 802.1X configuration information for an interface, use the show dot1x interface command.
In the following example, the bold lines show that 802.1X is enabled and that ports are unauthorized by default.
DellEMC#show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Configuring dot1x Profile

You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters. The dot1x profile {profile-name} command sets the dot1x profile mode and you can enter profile-related commands, such as the mac command.
To configure a dot1x profile, use the following commands.
Configure a dot1x profile.
CONFIGURATION mode
dot1x profile {profile-name}
profile-name — Enter the dot1x profile name. The profile name length is limited to 32 characters.
DellEMC(conf)#dot1x profile test
DellEMC(conf-dot1x-profile)#
DellEMC#show dot1x profile
802.1x profile information
-----------------------------
Dot1x Profile test
Profile MACs
00:00:00:00:01:11

Configuring the Static MAB and MAB Profile

Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static mab.
To enable static MAB and configure a static MAB profile, use the following commands.
Configure static MAB and static MAB profile on dot1x interface. INTERFACE mode
dot1x static-mab profile profile-name
Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
DellEMC(conf-if-Tf-1/1)#dot1x static-mab profile sample
DellEMC(conf-if-Tf-1/1))#show config
!
interface twentyFiveGigE 21
 switchport
 dot1x static-mab profile sample
 no shutdown
DellEMC(conf-if-Tf-1/1))#show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: Auto
Port Auth Status: AUTHORIZED(STATIC-MAB)
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Enable
Guest VLAN id: 100
Auth-Fail VLAN: Enable
Auth-Fail VLAN id: 200
Auth-Fail Max-Attempts:3
Critical VLAN: Enable
Critical VLAN id: 300
Mac-Auth-Bypass Only: Disable
Static-MAB: Enable
Static-MAB Profile: Sample
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle

Configuring Critical VLAN

By default, critical-VLAN is not configured. If authentication fails because the server is not reachable, the user session is authenticated under critical-VLAN.
To configure a critical-VLAN for users or devices when the authentication server is not reachable, use the following command.
Enable critical VLAN for users or devices.
INTERFACE mode
dot1x critical-vlan [{vlan-id}]
Specify a VLAN interface identifier to be configured as a critical VLAN. The VLAN ID range is 1–4094.
DellEMC(conf-if-Tf-1/2)#dot1x critical-vlan 300
DellEMC(conf-if-Tf 1/2)#show config
!
interface twentyFiveGigE 1/2
 switchport
 dot1x critical-vlan 300
 no shutdown
DellEMC#show dot1x interface twentyFiveGigE 1/2
802.1x information on Tf 1/2:
------------------------------------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZD(MAC-AUTH-BYPASS)
Critical VLAN Enable
Critical VLAN id: 300
Re-Authentication: Disable
Untagged VLAN id: 400
Guest VLAN: Enable
Guest VLAN id: 100
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Enable
Tx Period: 3 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle

Configuring MAC addresses for a dot1x Profile

To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
Configure a list of MAC addresses for a dot1x profile. DOT1X PROFILE CONFIG (conf-dot1x-profile)
mac mac-address
mac-address — Enter the keyword mac and type up to the 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
The following example configures 2 MAC addresses and then displays these addresses.
DellEMC(conf-dot1x-profile)#mac 00:50:56:AA:01:10 00:50:56:AA:01:11
DellEMC(conf-dot1x-profile)#show config
dot1x profile sample
 mac 00:50:56:aa:01:10
 mac 00:50:56:aa:01:11
DellEMC(conf-dot1x-profile)#
DellEMC(conf-dot1x-profile)#exit
DellEMC(conf)#

Configuring Request Identity Re-Transmissions

When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame.
The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits can be configured.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year). The default is 30.
Configure the maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10. The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits it a maximum of 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period.
NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure a quiet period, use the following command.
Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication. INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535. The default is 60 seconds.
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
DellEMC(conf-if-range-tf-1/1)#dot1x tx-period 90
DellEMC(conf-if-range-tf-1/1)#dot1x max-eap-req 10
DellEMC(conf-if-range-tf-1/1)#dot1x quiet-period 120
DellEMC#show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

The 802.1X ports can be placed into any of the three states:
ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
DellEMC(conf-if-tf-1/1)#dot1x port-control force-authorized
DellEMC(conf-if-tf-1/1)#show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication.
After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can configure this interval. You can configure the maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands:
Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000. The default is 3600.
Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
DellEMC(conf-if-tf-1/1)#dot1x reauthentication interval 7200
DellEMC(conf-if-tf-1/1)#dot1x reauth-max 10
DellEMC(conf-if-tf-1/1)#do show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
To terminate the authentication process, use the following commands:
Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300. The default is 30.
Terminate the authentication process due to an unresponsive authentication server. INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300. The default is 30.
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
DellEMC(conf-if-tf-1/1)#dot1x port-control force-authorized
DellEMC(conf-if-tf-1/1)#do show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Configuring Dynamic VLAN Assignment with Port Authentication

Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X.
The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell EMC Networking system
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID
The illustration shows the configuration on the Dell EMC Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 8. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
DellEMC(conf-if-tf-1/1)#dot1x guest-vlan 200
DellEMC(conf-if-tf-1/1))#show config
!
interface twentyFiveGigE 1/1
 switchport
 dot1x guest-vlan 200
 no shutdown
DellEMC(conf-if-tf-1/1))#

Configuring an Authentication-Fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Example of Configuring Maximum Authentication Attempts
DellEMC(conf-if-Tf-1/1)#dot1x guest-vlan 200
DellEMC(conf-if-Tf-1/1)#show config
!
interface twentyFiveGigE 1/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 no shutdown
DellEMC(conf-if-Tf-1/1)#
DellEMC(conf-if-Tf-1/1)#dot1x auth-fail-vlan 100 max-attempts 5
DellEMC(conf-if-Tf-1/1)#show config
!
interface twentyFiveGigE 1/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
DellEMC(conf-if-Tf-1/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Configured Authentication
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
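The following Python example is added here and is not a Dell tool or part of the guide. It parses show dot1x interface output and reports the settings this chapter describes as bypassing or relaxing port authentication, and it computes the Guest VLAN fallback delay from the ([reauth-max + 1] * tx-period) formula. The input is the example output above laid out one field per line; the severity labels and function names are assumptions of this example.

```python
import re

# Constructed input: the "show dot1x interface" example above, one field per line.
SAMPLE_OUTPUT = """\
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
"""

HEADER = re.compile(r"^802\.1x information on (?P<port>.+?):\s*$", re.IGNORECASE)


def parse_dot1x(text):
    """Split the output into one {field: value} dict per interface block."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"interface": header.group("port")}
            ports.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return ports


def seconds(value):
    """'90 seconds' -> 90; None when the field is absent or not numeric."""
    match = re.match(r"(\d+)", value or "")
    return int(match.group(1)) if match else None


def guest_vlan_delay(port):
    """Seconds before an unresponsive host is moved: (reauth-max + 1) * tx-period."""
    reauth_max = seconds(port.get("reauth max"))
    tx_period = seconds(port.get("tx period"))
    if reauth_max is None or tx_period is None:
        return None
    return (reauth_max + 1) * tx_period


def enabled(port, field):
    """True for 'Enable' or 'Enabled'; the examples in this chapter use both forms."""
    return port.get(field, "").lower().startswith("enable")


def audit(port):
    """Return [(severity, message)] for settings that relax port authentication."""
    findings = []
    control = port.get("port control", "").upper()
    status = port.get("port auth status", "").upper()
    if not enabled(port, "dot1x status"):
        findings.append(("HIGH", "802.1X is not enabled on this port"))
    if control == "FORCE_AUTHORIZED":
        findings.append(("HIGH", "force-authorized: devices are never authenticated, "
                                 "the same as disabling 802.1X on the port"))
    elif control == "FORCE_UNAUTHORIZED":
        findings.append(("INFO", "force-unauthorized: the port behaves as if shut down"))
    if "MAB" in status or "MAC-AUTH-BYPASS" in status:
        findings.append(("REVIEW", "authorized by MAC address, no EAP credentials checked"))
    if not enabled(port, "re-authentication"):
        findings.append(("INFO", "periodic re-authentication is disabled"))
    if enabled(port, "critical vlan"):
        findings.append(("REVIEW", "an unreachable server places sessions in critical VLAN "
                         + port.get("critical vlan id", "?")))
    if enabled(port, "guest vlan"):
        findings.append(("REVIEW", "unresponsive hosts reach guest VLAN %s after %s s"
                         % (port.get("guest vlan id", "?"), guest_vlan_delay(port))))
    return findings


if __name__ == "__main__":
    for port in parse_dot1x(SAMPLE_OUTPUT):
        for severity, message in audit(port):
            print(port["interface"], severity, message)
```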
6
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
To avoid using too much CAM space, configure ACL VLAN groups into a single group. A class identifier (Class ID) is assigned for each of the ACLs attached to the VLAN and this Class ID is used as an identifier or locator in the CAM space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM area and saves memory space by using the Class ID for filtering in CAM instead of the VLAN ID.
When you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and you use more CAM space. To maximize CAM space, create an ACL VLAN group and attach the ACL with the VLAN members.
The ACL manager application on the router processor (RP1) contains all the state information about all the ACL VLAN groups that are present. The ACL handler on the control processor (CP) and the ACL agent on the line cards do not contain any information about the group. After you enter the acl-vlan-group command, the ACL manager application performs the validation. If the command is valid, it is processed and sent to the agent, if required. If a configuration error is found or if the maximum limit has been exceeded for the ACL VLAN groups present on the system, an error message displays. After you enter the acl-vlan-group command, the ACL manager application verifies the following parameters:
Whether the CAM profile is set in virtual flow processing (VFP).
Whether the maximum number of groups in the system is exceeded.
Whether the maximum number of VLAN numbers permitted per ACL group is exceeded.
Whether a VLAN member that is being added is already a part of another ACL group.
After these verification steps are performed, the ACL manager considers the command valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases:
A VLAN member is added or removed from a group and previously associated VLANs exist in the group.
The egress ACL is applied or removed from the group and the group contains VLAN members.
VLAN members are added or deleted from a VLAN, which itself is a group member.
A line card returns to the active state after going down and this line card contains a VLAN that is a member of an ACL group.
The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
The ACL VLAN group is created.
The ACL VLAN group is deleted and it does not contain VLAN members.
The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN Groups

Keep the following points in mind when you configure ACL VLAN groups:
The interfaces where you apply the ACL VLAN group function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering.
You can add only one ACL to an interface at a time.
When you attach an ACL VLAN group to the same interface, validation is performed to determine whether the ACL is applied directly to an interface. If you previously applied an ACL separately to the interface, an error occurs when you attempt to attach an ACL VLAN group to the same interface.


The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization, and so on) can be allocated virtual flow processing slices at a time.
Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
If you enable the ACL VLAN group capability, you cannot view the statistical details of ACL rules per VLAN and per interface. You can view the counters per ACL only, using the show ip accounting access-list command.
Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.
If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby saving CAM space. Enable optimization using the optimized option in the ip access-group command. This option is not valid for VLAN and link aggregation group (LAG) interfaces.

Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters

This section describes how to optimize CAM blocks by configuring ACL VLAN groups that you can attach to VLAN interfaces. It also describes how to configure FP blocks for different VLAN operations.

Configuring ACL VLAN Groups

You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group.
1. Create an ACL VLAN group. CONFIGURATION mode
acl-vlan-group {group name}
2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
4. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name. CONFIGURATION (conf-acl-vl-grp) mode
show acl-vlan-group {group name | detail}
DellEMC#show acl-vlan-group detail
Group Name : TestGroupSeventeenTwenty
Vlan Members : 100,200,300
Group Name : CustomerNumberIdentificationEleven
Vlan Members : 2-10,99
Group Name : HostGroup
Vlan Members : 1,1000
DellEMC#

Configuring FP Blocks for VLAN Parameters

To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in the VLAN content-aware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default. You also must allocate the slices for CAM optimization.
1. Allocate the number of FP blocks for VLAN operations. CONFIGURATION mode
cam-acl-vlan vlanopenflow <0-2>
2. Allocate the number of FP blocks for ACL VLAN optimization. CONFIGURATION mode
cam-acl-vlan vlanaclopt <0-2>
3. View the number of FP blocks that is allocated for the different VLAN services. EXEC Privilege mode
DellEMC#show cam-usage switch
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|============|============|=============
1       | 0      | IN-L2 ACL       | 1536       | 0          | 1536
        |        | OUT-L2 ACL      | 206        | 9          | 197
Codes: * - cam usage is above 90%.

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode.
Display Layer 2, Layer 3, ACL, or all CAM usage statistics. EXEC Privilege mode
show cam-usage [acl | router | switch]
The following output shows CAM blocks usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
In S5048F–ON, ACL filters support more than 200 egress ACL rules.
DellEMC#show cam-usage
Stackunit|Portpipe|Pipeline| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|========|=================|=============|=============|==============
1       | 0      | 0      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | IN-L3 ACL       | 256         | 1           | 255
        |        |        | IN-L3 ECMP GRP  | 2048        | 0           | 2048
        |        |        | IN-V6 ACL       | 0           | 0           | 0
        |        |        | IN-NLB ACL      | 0           | 0           | 0
        |        |        | IPMAC ACL       | 256         | 0           | 256
        |        |        | IN-L3-UDFMIRRACL| 0           | 0           | 0
        |        |        | IN-L3-MIRR ACL  | 0           | 0           | 0
        |        |        | OUT-L2 ACL      | 206         | 12          | 194
        |        |        | OUT-L3 ACL      | 172         | 8           | 164
        |        |        | OUT-V6 ACL      | 172         | 3           | 169
        |        |        | IN-L3 QOS       | 256         | 0           | 256
        |        |        | IN-L3 FIB       | 90112       | 3           | 90109
1       | 0      | 1      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | IN-L3 ACL       | 256         | 1           | 255
        |        |        | IN-L3 ECMP GRP  | 0           | 0           | 0
        |        |        | IN-V6 ACL       | 0           | 0           | 0
        |        |        | IN-NLB ACL      | 0           | 0           | 0
        |        |        | IPMAC ACL       | 256         | 0           | 256
        |        |        | IN-L3-UDFMIRRACL| 0           | 0           | 0
        |        |        | IN-L3-MIRR ACL  | 0           | 0           | 0
        |        |        | OUT-L2 ACL      | 206         | 12          | 194
        |        |        | OUT-L3 ACL      | 172         | 8           | 164
        |        |        | OUT-V6 ACL      | 172         | 3           | 169
        |        |        | IN-L3 QOS       | 256         | 0           | 256
1       | 0      | 2      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | IN-L3 ACL       | 256         | 1           | 255
        |        |        | IN-L3 ECMP GRP  | 0           | 0           | 0
        |        |        | IN-V6 ACL       | 0           | 0           | 0
        |        |        | IN-NLB ACL      | 0           | 0           | 0
        |        |        | IPMAC ACL       | 256         | 0           | 256
        |        |        | IN-L3-UDFMIRRACL| 0           | 0           | 0
        |        |        | IN-L3-MIRR ACL  | 0           | 0           | 0
        |        |        | OUT-L2 ACL      | 206         | 12          | 194
        |        |        | OUT-L3 ACL      | 172         | 8           | 164
        |        |        | OUT-V6 ACL      | 172         | 3           | 169
        |        |        | IN-L3 QOS       | 256         | 0           | 256
1       | 0      | 3      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | IN-L3 ACL       | 256         | 1           | 255
        |        |        | IN-L3 ECMP GRP  | 0           | 0           | 0
        |        |        | IN-V6 ACL       | 0           | 0           | 0
        |        |        | IN-NLB ACL      | 0           | 0           | 0
        |        |        | IPMAC ACL       | 256         | 0           | 256
        |        |        | IN-L3-UDFMIRRACL| 0           | 0           | 0
        |        |        | IN-L3-MIRR ACL  | 0           | 0           | 0
        |        |        | OUT-L2 ACL      | 206         | 12          | 194
        |        |        | OUT-L3 ACL      | 172         | 8           | 164
        |        |        | OUT-V6 ACL      | 172         | 3           | 169
        |        |        | IN-L3 QOS       | 256         | 0           | 256
Codes: * - cam usage is above 90%.
DellEMC#show cam-usage
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
1       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-L3 ECMP GRP  | 1024        | 0           | 1024
        |        | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | IN-NLB ACL      | 0           | 0           | 0
        |        | IPMAC ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
2       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | IN-NLB ACL      | 0           | 0           | 0
        |        | IPMAC ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
3       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | IN-NLB ACL      | 0           | 0           | 0
        |        | IPMAC ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
Codes: * - cam usage is above 90%.
DellEMC#show cam-usage
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
=========|========|=================|=============|=============|==============
0        | 0      | IN-L2 ACL       | 1536        | 0           | 1536
         |        | IN-L3 ACL       | 1024        | 1           | 1023
         |        | IN-L3 ECMP GRP  | 1024        | 0           | 1024
         |        | IN-V6 ACL       | 0           | 0           | 0
         |        | IN-NLB ACL      | 0           | 0           | 0
         |        | IPMAC ACL       | 0           | 0           | 0
         |        | IN-L3-MIRR ACL  | 0           | 0           | 0
         |        | OUT-L2 ACL      | 206         | 12          | 194
         |        | OUT-L3 ACL      | 236         | 8           | 228
         |        | OUT-V6 ACL      | 236         | 3           | 203
         |        | IN-L3 FIB       | 163840      | 3           | 163837
Codes: * - cam usage is above 90%.
DellEMC#
The following output displays CAM space usage when you configure Layer 2 and Layer 3 ACLs:
DellEMC#show cam-usage acl
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
1       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-L3 ECMP GRP  | 1024        | 0           | 1024
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
2       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
3       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
Codes: * - cam usage is above 90%.
The following output displays CAM space usage for Layer 2 ACLs:
DellEMC#show cam-usage switch
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
1       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | OUT-L2 ACL      | 206         | 9           | 197
2       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | OUT-L2 ACL      | 206         | 9           | 197
3       | 0      | IN-L2 ACL       | 1536        | 0           | 1536
        |        | OUT-L2 ACL      | 206         | 9           | 197
        |        | IN-L3 ECMP GRP  | 1024        | 0           | 1024
Codes: * - cam usage is above 90%.
The following output displays CAM space usage for Layer 3 ACLs:
DellEMC#show cam-usage router
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
1       | 0      | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-L3 ECMP GRP  | 1024        | 0           | 1024
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
2       | 0      | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
3       | 0      | IN-L3 FIB       | 49152       | 3           | 49149
        |        | IN-L3 ACL       | 1024        | 1           | 1023
        |        | IN-V6 ACL       | 0           | 0           | 0
        |        | OUT-L3 ACL      | 178         | 9           | 169
        |        | OUT-V6 ACL      | 178         | 4           | 174
Codes: * - cam usage is above 90%.
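The show cam-usage tables above can be checked by script during a capacity review before new ACL rules are added. The following is an added example, not Dell EMC code: the sample output is constructed in the layout shown on this page, the function names are hypothetical, and stripping a * marker from table cells is an assumption about where the "above 90%" code is printed.

```python
# Added example: parse `show cam-usage` text and flag partitions under pressure.
# SAMPLE is constructed in the layout shown on this page; it is not captured output.
SAMPLE = """\
DellEMC#show cam-usage
Stackunit|Portpipe|Pipeline| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|========|=================|=============|=============|==============
1       | 0      | 0      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | IN-L3 ACL       | 256         | 250         | 6
        |        |        | IN-V6 ACL       | 0           | 0           | 0
        |        |        | OUT-L2 ACL      | 206         | 12          | 194
1       | 0      | 1      | IN-L2 ACL       | 256         | 0           | 256
        |        |        | OUT-L3 ACL      | 172         | 160         | 12
Codes: * - cam usage is above 90%.
"""

LOCATION = ("Stackunit", "Portpipe", "Pipeline")


def parse_cam_usage(text):
    """Return one dict per partition row; blank location cells inherit from the row above."""
    rows, header, ctx = [], None, {}
    for line in text.splitlines():
        if "|" not in line or set(line.strip()) <= set("=|"):
            continue                          # prompt, separator and "Codes:" lines
        cells = [c.strip() for c in line.split("|")]
        if "CAM Partition" in cells:
            header, ctx = cells, {}           # 6 columns, or 7 when Pipeline is shown
            continue
        if header is None or len(cells) != len(header):
            continue
        n_loc = header.index("CAM Partition")
        for name, value in zip(header[:n_loc], cells[:n_loc]):
            if value:                         # a non-blank cell starts a new unit/pipeline
                ctx[name] = value
        try:
            # Assumption: a "*" usage marker, if present, is attached to a cell.
            total, used, avail = (int(c.strip("* ")) for c in cells[n_loc + 1:])
        except ValueError:
            continue
        rows.append({**ctx, "partition": cells[n_loc].strip("* "),
                     "total": total, "used": used, "available": avail})
    return rows


def review(rows, threshold=0.90):
    """Split rows into partitions above the threshold and partitions with no CAM at all."""
    high, unallocated = [], []
    for r in rows:
        where = tuple(r.get(k, "-") for k in LOCATION) + (r["partition"],)
        if r["total"] == 0:
            unallocated.append(where)         # nothing carved for this partition
        elif r["used"] / r["total"] > threshold:
            high.append(where)
    return high, unallocated


if __name__ == "__main__":
    high, unallocated = review(parse_cam_usage(SAMPLE))
    for where in high:
        print("above 90%:", *where)
    for where in unallocated:
        print("no CAM allocated:", *where)
```
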

Allocating FP Blocks for VLAN Processes

The VLAN content-aware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups. Of the two dynamic groups, you can allocate zero, one, or two FP blocks to iSCSI Counters, Open Flow, and ACL Optimization.
You can configure only two of these features at a time.
To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlanopenflow <0-2> command.
To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command.
To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default. You must also allocate the slices for CAM optimization.
To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage. During CAM initialization, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
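The limits stated in this chapter (FP block values of 0 to 2, only two VCAP features at a time, at most 31 ACL VLAN groups, 256 VLAN members per allocated slice, and a VLAN belonging to one group only) can be checked against a planned configuration before it is entered on the switch. The following is an added example, not the ACL manager's own validation code: the function names and plan structure are hypothetical, and the 1 to 4094 VLAN ID bound is an assumption.

```python
# Added example: pre-check a planned cam-acl-vlan / acl-vlan-group configuration
# against the limits this chapter states. Not Dell EMC code.
MAX_GROUPS = 31            # maximum number of ACL VLAN groups supported
MEMBERS_PER_SLICE = 256    # 256 VLAN members with one slice, 512 with two


def expand_vlans(spec):
    """Expand a member list such as '2-10,99' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:          # assumption: usual VLAN ID bounds
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def validate_plan(cam_acl_vlan, groups):
    """cam_acl_vlan: {'vlanopenflow': n, 'vlaniscsi': n, 'vlanaclopt': n}
    groups: {group name: member vlan spec}. Returns a list of problems found."""
    errors = []
    for feature, blocks in cam_acl_vlan.items():
        if not 0 <= blocks <= 2:
            errors.append(f"{feature} {blocks}: FP blocks must be in the range 0-2")
    if sum(1 for b in cam_acl_vlan.values() if b > 0) > 2:
        errors.append("only two of vlanopenflow, vlaniscsi and vlanaclopt "
                      "can be allocated FP blocks at a time")
    slices = cam_acl_vlan.get("vlanaclopt", 0)
    if slices == 0:
        errors.append("vlanaclopt is 0: no FP block is allocated for ACL VLAN optimization")
    if len(groups) > MAX_GROUPS:
        errors.append(f"{len(groups)} groups configured, maximum is {MAX_GROUPS}")

    owner = {}                                  # VLAN ID -> first group that claimed it
    for name, spec in groups.items():
        vlans = expand_vlans(spec)
        clash = sorted(v for v in vlans if v in owner)
        if clash:
            errors.append(f"{name}: {len(clash)} VLAN(s) already in another group, "
                          f"first is {clash[0]} (in {owner[clash[0]]})")
        for v in vlans:
            owner.setdefault(v, name)
    limit = MEMBERS_PER_SLICE * slices
    if slices and len(owner) > limit:
        errors.append(f"{len(owner)} VLAN members across all groups, "
                      f"limit with {slices} slice(s) is {limit}")
    return errors


if __name__ == "__main__":
    # Group names and members taken from the show acl-vlan-group detail output above.
    plan = {"TestGroupSeventeenTwenty": "100,200,300",
            "CustomerNumberIdentificationEleven": "2-10,99",
            "HostGroup": "1,1000"}
    cam = {"vlanopenflow": 0, "vlaniscsi": 0, "vlanaclopt": 2}
    print(validate_plan(cam, plan) or "plan is within the documented limits")
```
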

ACL Optimization to Increase Number of Supported IPv4 ACLs

You can configure the Dell EMC Networking OS to support a larger number of IPv4 ACLs.
Restrictions for ACL Optimization
After you enable ACL optimization, the system does not support the following features:
Mirroring dropped packets
Ability to specify filtering for routed traffic only
ACLs applied on physical ports with VRF ranges
ACLs with filter parameters such as DSCP and ECN
PIM VLT
Filtering noninitial fragments of a datagram
If your ACL rules contain the following keywords, the system accepts the configuration, shows a message stating that these features are not supported, and ignores the configuration:
ttl
fragments
no-drop
dscp
ecn

Optimizing ACL for More Number of IPv4 ACL Rules

To optimize ACLs for a larger number of IPv4 ACL rules, follow these steps:
1. Carve the vlanaclopt CAM region. CONFIGURATION mode
cam-acl-vlan vlanopenflow 0 vlaniscsi 0 vlanaclopt 2
2. Enable the ACL optimized feature. CONFIGURATION mode
feature acloptimized
3. Reload the system. EXEC Privilege mode
reload
After the system reloads, the Dell Networking OS enables the feature.
DellEMC(conf)#feature acloptimized
Configuration change will be in effect after save and reload. ACL config containing TTL, layer3 and VRF conflicts with ACL Cam optimzation feature and these keywords would be discarded while applying the ACL.
Dell#show feature
Feature State
------- -----
VRF disabled
UDF disabled
Aclrange disabled
Acloptimized enabled
7

Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory (CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of the parameters. Using this new capability, you can also configure VRF based ACLs on interfaces.
NOTE:
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to configure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to allocate a CAM region: vrfv4acl.
The order of priority for configuring user-defined ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
VRF based IMPLICIT DENY Rules
NOTE:
In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an implicit-permit option.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for configuring ACLs on interfaces. The VRF range is from 1 to 511. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
You can apply Layer 3 VRF-aware ACLs only at the ingress level.
NOTE:
You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.
Topics:
IP Access Control Lists (ACLs)
Configure ACL Range Profiles
Important Points to Remember
IP Fragment Handling
Configure a Standard IP ACL
Configure an Extended IP ACL
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
Applying an IP ACL
Configure Ingress ACLs
Configure Egress ACLs
Configuring UDF ACL
IP Prefix Lists
ACL Resequencing
Route Maps

IP Access Control Lists (ACLs)

In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended.
A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria:
IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number
For more information about ACL options, refer to the Dell EMC Networking OS Command Reference Guide.
For extended ACL TCP and UDP filters, you can match criteria on specific TCP or UDP ports or on ranges of ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell EMC Networking Operating System (OS) assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
Ingress and egress Hot Lock ACLs allow you to append new rules to, or delete rules from, an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs on all platforms.
NOTE:
Hot lock ACLs are supported for Ingress ACLs only.

CAM Usage

The following section describes CAM allocation and CAM optimization.
User Configurable CAM Allocation
CAM Optimization
User Configurable CAM Allocation
Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.)
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 9 FP blocks. (There are 12 FP blocks, but System Flow requires three blocks that cannot be reallocated.)
Enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Enter the ipv6acl allocation as a factor of 3 (3, 6, 9). All other profile allocations can use either even or odd numbered ranges.
If you want to configure ACLs on VRF instances, you must allocate a CAM region using the vrfv4acl option in the cam-acl command.
Save the new CAM settings to the startup-config (use write-mem or copy run start), then reload the system for the new settings to take effect.