Dell PowerSwitch S6010-ON User Manual

Dell Configuration Guide for the S6010–ON System
9.14.0.0
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
trademarks may be trademarks of their respective owners.
2018 - 07
Rev. A00
Contents
1 About this Guide
Audience
Conventions
Related Documents
2 Configuration Fundamentals
Accessing the Command Line
CLI Modes
Navigating CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Example of the grep Keyword
Multiple Users in Configuration Mode
3 Getting Started
Console Access
Serial Console
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Accessing the System Remotely
Configure the Management Port IP Address
Configure a Management Route
Configuring a Username and Password
Configuring the Enable Password
Configuration File Management
Copy Files to and from the System
Mounting an NFS File System
Save the Running-Configuration
Configure the Overload Bit for a Startup Scenario
Viewing Files
Managing the File System
View Command History
Upgrading Dell EMC Networking OS
Using HTTP for File Transfers
Verify Software Images Before Installation
4 Management
Configuring Privilege Levels
Creating a Custom Privilege Level
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to Different Modes
Applying a Privilege Level to a Username
Applying a Privilege Level to a Terminal Line
Configuring Logging
Audit and Security Logs
Configuring Logging Format
Setting Up a Secure Connection to a Syslog Server
Log Messages in the Internal Buffer
Configuration Task List for System Log Management
Disabling System Logging
Sending System Messages to a Syslog Server
Configuring a UNIX System as a Syslog Server
Track Login Activity
Restrictions for Tracking Login Activity
Configuring Login Activity Tracking
Display Login Statistics
Limit Concurrent Login Sessions
Restrictions for Limiting the Number of Concurrent Sessions
Configuring Concurrent Session Limit
Enabling the System to Clear Existing Sessions
Enabling Secured CLI Mode
Changing System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Configuration Task List for File Transfer Services
Enabling the FTP Server
Configuring FTP Server Parameters
Configuring FTP Client Parameters
Terminal Lines
Denying and Permitting Access to a Terminal Line
Configuring Login Authentication for Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
Viewing the Configuration Lock Status
Restoring the Factory Default Settings
Important Points to Remember
Restoring Factory Default Environment Variables
Viewing the Reason for Last System Reboot
5 802.1X
Port-Authentication Process
EAP over RADIUS
Configuring 802.1X
Related Configuration Tasks
Important Points to Remember
Enabling 802.1X
Configuring Request Identity Re-Transmissions
Configuring a Quiet Period after a Failed Authentication
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN
6 Access Control Lists (ACLs)
IP Access Control Lists (ACLs)
CAM Usage
Implementing ACLs on Dell EMC Networking OS
Important Points to Remember
Configuration Task List for Route Maps
Configuring Match Routes
Configuring Set Conditions
Configure a Route Map for Route Redistribution
Configure a Route Map for Route Tagging
Continue Clause
IP Fragment Handling
IP Fragments ACL Examples
Layer 4 ACL Rules Examples
Configure a Standard IP ACL
Configuring a Standard IP ACL Filter
Configure an Extended IP ACL
Configuring Filters with a Sequence Number
Configuring Filters Without a Sequence Number
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
Applying an IP ACL
Counting ACL Hits
Configure Ingress ACLs
Configure Egress ACLs
Applying Egress Layer 3 ACLs (Control-Plane)
IP Prefix Lists
Implementation Information
Configuration Task List for Prefix Lists
ACL Remarks
Configuring a Remark
Deleting a Remark
ACL Resequencing
Resequencing an ACL or Prefix List
Route Maps
Implementation Information
Flow-Based Monitoring
Behavior of Flow-Based Monitoring
Enabling Flow-Based Monitoring
Configuring IP Mirror Access Group
Sample Configuration
Example of viewing IP mirror–access–group applied to an Interface
7 Bidirectional Forwarding Detection (BFD)
How BFD Works
BFD Packet Format
BFD Sessions
BFD Three-Way Handshake
Session State Changes
Important Points to Remember
Configure BFD
Configure BFD for Physical Ports
Configure BFD for Static Routes
Configure BFD for IPv6 Static Routes
Configure BFD for OSPF
Configure BFD for OSPFv3
Configure BFD for IS-IS
Configure BFD for BGP
Configure BFD for VRRP
Configuring Protocol Liveness
8 Border Gateway Protocol (BGP)
Border Gateway Protocol version 4 (BGPv4)
Autonomous Systems (AS)
AS4 Number Representation
Four-Byte AS Numbers
Multiprotocol BGP
MBGP for IPv4 Multicast
BGP Address Family model
IPv4 and IPv6 address family
Sessions and Peers
Establish a Session
Implementing BGP global and address family
BGP global configuration default values
BGP Attributes for selecting Best Path.......................................................................................................................169
Best Path Selection Criteria....................................................................................................................................170
Weight.........................................................................................................................................................................171
Local Preference.......................................................................................................................................................172
Multi-Exit Discriminators (MEDs)...........................................................................................................................172
Origin..........................................................................................................................................................................173
AS Path...................................................................................................................................................................... 174
Next Hop....................................................................................................................................................................174
Implement BGP with Dell EMC Networking OS.........................................................................................................175
Additional Path (Add-Path) Support......................................................................................................................175
Advertise IGP Cost as MED for Redistributed Routes........................................................................................ 175
Ignore Router-ID in Best-Path Calculation............................................................................................................ 176
AS Number Migration...............................................................................................................................................176
BGP4 Management Information Base (MIB)........................................................................................................ 177
Important Points to Remember...............................................................................................................................177
Conguration Information..............................................................................................................................................178
Conguring a basic BGP network................................................................................................................................ 178
Enabling BGP............................................................................................................................................................ 178
Conguring a BGP peer............................................................................................................................................181
Conguring AS4 Number Representations........................................................................................................... 182
Conguring a BGP VRF address family.................................................................................................................183
Route-refresh and Soft-reconguration................................................................................................................185
Aggregating Routes..................................................................................................................................................188
Filtering BGP Routes................................................................................................................................................188
Filtering BGP Routes Using Route Maps.............................................................................................................. 190
Filtering BGP Routes Using AS-PATH Information.............................................................................................. 190
Conguring Peer Groups..........................................................................................................................................191
Conguring BGP Fast Fall-Over.............................................................................................................................199
Conguring Passive Peering...................................................................................................................................200
Maintaining Existing AS Numbers During an AS Migration.................................................................................201
Allowing an AS Number to Appear in its Own AS Path...................................................................................... 202
Enabling Graceful Restart.......................................................................................................................................203
Filtering on an AS-Path Attribute.......................................................................................................................... 204
Regular Expressions as Filters................................................................................................................................205
Redistributing Routes..............................................................................................................................................206
Enabling Additional Paths........................................................................................................................................207
Conguring IP Community Lists.............................................................................................................................207
Conguring an IP Extended Community List.......................................................................................................208
Filtering Routes with Community Lists................................................................................................................. 209
Manipulating the COMMUNITY Attribute.............................................................................................................210
Changing MED Attributes........................................................................................................................................211
Changing the LOCAL_PREFERENCE Attribute...................................................................................................212
Conguring the local System or a Dierent System to be the Next Hop for BGP-Learned Routes............. 212
Changing the WEIGHT Attribute............................................................................................................................213
Enabling Multipath....................................................................................................................................................213
Route Reectors.......................................................................................................................................................214
Conguring BGP Confederations...........................................................................................................................215
Enabling Route Flap Dampening.............................................................................................................................215
Changing BGP Timers..............................................................................................................................................218
Setting the extended timer.....................................................................................................................................218
Enabling or disabling BGP neighbors..................................................................................................................... 219
Route Map Continue...............................................................................................................................................220
Enabling MBGP Congurations.................................................................................................................................... 221
MBGP support for IPv6.................................................................................................................................................221
Conguring IPv6 MBGP between peers..................................................................................................................... 221
Example-Conguring IPv4 and IPv6 neighbors......................................................................................................... 222
Congure IPv6 NH Automatically for IPv6 Prex Advertised over IPv4 Neighbor............................................... 224
BGP Regular Expression Optimization........................................................................................................................226
Debugging BGP............................................................................................................................................................. 226
Storing Last and Bad PDUs....................................................................................................................................227
Capturing PDUs....................................................................................................................................................... 228
PDU Counters..........................................................................................................................................................229
9 Content Addressable Memory (CAM)........................................................................................................ 230
CAM Allocation.............................................................................................................................................................. 230
Test CAM Usage............................................................................................................................................................ 232
View CAM Proles.........................................................................................................................................................232
View CAM-ACL Settings.............................................................................................................................................. 233
View CAM Usage...........................................................................................................................................................234
Conguring CAM Threshold and Silence Period........................................................................................................235
Setting CAM Threshold and Silence Period......................................................................................................... 235
CAM Optimization......................................................................................................................................................... 236
Troubleshoot CAM Proling..........................................................................................................................................236
QoS CAM Region Limitation...................................................................................................................................237
Syslog Error When the Table is Full........................................................................................................................237
Syslog Warning Upon 90 Percent Utilization of CAM......................................................................................... 237
Syslog Warning for Discrepancies Between Configured Extended Prefixes.................................................... 237
Unified Forwarding Table (UFT) Modes...................................................................................................................... 237
Configuring UFT Modes..........................................................................................................................................238
10 Control Plane Policing (CoPP)................................................................................................................. 239
Congure Control Plane Policing................................................................................................................................. 240
Conguring CoPP for Protocols............................................................................................................................. 241
Conguring CoPP for CPU Queues...................................................................................................................... 243
Displaying CoPP Conguration ............................................................................................................................. 244
11 Data Center Bridging (DCB)......................................................................................................................246
Ethernet Enhancements in Data Center Bridging..................................................................................................... 246
Priority-Based Flow Control....................................................................................................................................247
Enhanced Transmission Selection..........................................................................................................................248
Data Center Bridging Exchange Protocol (DCBx)...............................................................................................249
Data Center Bridging in a Trac Flow.................................................................................................................. 250
Enabling Data Center Bridging.....................................................................................................................................250
DCB Maps and its Attributes.................................................................................................................................. 251
Data Center Bridging: Default Configuration..............................................................................................................252
Configuring Priority-Based Flow Control.................................................................................................................... 252
Configuring Lossless Queues................................................................................................................................. 253
Configuring PFC in a DCB Map................................................................................................................................... 254
PFC Configuration Notes........................................................................................................................................254
PFC Prerequisites and Restrictions.......................................................................................................................255
Applying a DCB Map on a Port....................................................................................................................................256
Conguring PFC without a DCB Map.........................................................................................................................256
Conguring Lossless QueuesExample:..................................................................................................................257
Priority-Based Flow Control Using Dynamic Buer Method....................................................................................258
Pause and Resume of Trac..................................................................................................................................258
Buer Sizes for Lossless or PFC Packets............................................................................................................ 258
Behavior of Tagged Packets.........................................................................................................................................259
Conguration Example for DSCP and PFC Priorities................................................................................................259
SNMP Support for PFC and Buer Statistics Tracking........................................................................................... 260
Performing PFC Using DSCP Bits Instead of 802.1p Bits.........................................................................................260
PFC and ETS Conguration Examples........................................................................................................................ 261
Using PFC to Manage Converged Ethernet Trac................................................................................................... 261
Operations on Untagged Packets.................................................................................................................................261
Generation of PFC for a Priority for Untagged Packets...........................................................................................262
Congure Enhanced Transmission Selection..............................................................................................................262
ETS Prerequisites and Restrictions....................................................................................................................... 262
Creating an ETS Priority Group..............................................................................................................................262
ETS Operation with DCBx......................................................................................................................................264
Conguring Bandwidth Allocation for DCBx CIN.................................................................................................264
Conguring ETS in a DCB Map..............................................................................................................................265
Hierarchical Scheduling in ETS Output Policies......................................................................................................... 266
Using ETS to Manage Converged Ethernet Traffic................................................................................................... 267
Applying DCB Policies in a Switch Stack.................................................................................................................... 267
Congure a DCBx Operation........................................................................................................................................ 267
DCBx Operation....................................................................................................................................................... 267
DCBx Port Roles......................................................................................................................................................268
DCB Conguration Exchange................................................................................................................................ 269
Conguration Source Election............................................................................................................................... 269
Propagation of DCB Information............................................................................................................................270
Auto-Detection and Manual Configuration of the DCBx Version.......................................................................270
DCBx Example.......................................................................................................................................................... 271
DCBx Prerequisites and Restrictions......................................................................................................................271
Conguring DCBx.....................................................................................................................................................271
Verifying the DCB Conguration..................................................................................................................................275
QoS dot1p Trac Classication and Queue Assignment..........................................................................................283
Conguring the Dynamic Buer Method....................................................................................................................284
Sample DCB Conguration...........................................................................................................................................285
PFC and ETS Conguration Command Examples...............................................................................................287
12 Dynamic Host Conguration Protocol (DHCP).........................................................................................288
DHCP Packet Format and Options............................................................................................................................. 288
Assign an IP Address using DHCP...............................................................................................................................290
Implementation Information.......................................................................................................................................... 291
Congure the System to be a DHCP Server.............................................................................................................. 291
Conguring the Server for Automatic Address Allocation..................................................................................292
Specifying a Default Gateway................................................................................................................................293
Congure a Method of Hostname Resolution..................................................................................................... 293
Using DNS for Address Resolution........................................................................................................................293
Using NetBIOS WINS for Address Resolution..................................................................................................... 294
Creating Manual Binding Entries............................................................................................................................294
Debugging the DHCP Server.................................................................................................................................294
Using DHCP Clear Commands.............................................................................................................................. 295
Congure the System to be a DHCP Client...............................................................................................................295
Conguring the DHCP Client System...................................................................................................................295
DHCP Client on a Management Interface............................................................................................................ 297
DHCP Client Operation with Other Features....................................................................................................... 297
DHCP Relay When DHCP Server and Client are in Different VRFs........................................................................ 298
Configuring Route Leaking between VRFs on DHCP Relay Agent................................................................... 298
Configure the System for User Port Stacking (Option 230)................................................................................... 300
Configure Secure DHCP...............................................................................................................................................300
Option 82..................................................................................................................................................................300
DHCP Snooping........................................................................................................................................................301
Drop DHCP Packets on Snooped VLANs Only....................................................................................................305
Dynamic ARP Inspection........................................................................................................................................ 306
Conguring Dynamic ARP Inspection................................................................................................................... 307
Source Address Validation............................................................................................................................................308
Enabling IP Source Address Validation..................................................................................................................308
DHCP MAC Source Address Validation................................................................................................................ 309
Enabling IP+MAC Source Address Validation.......................................................................................................309
Viewing the Number of SAV Dropped Packets.................................................................................................... 310
Clearing the Number of SAV Dropped Packets....................................................................................................310
13 Equal Cost Multi-Path (ECMP)................................................................................................................. 311
ECMP for Flow-Based Anity.......................................................................................................................................311
Conguring the Hash Algorithm..............................................................................................................................311
Enabling Deterministic ECMP Next Hop................................................................................................................311
Conguring the Hash Algorithm Seed................................................................................................................... 312
Link Bundle Monitoring.................................................................................................................................................. 312
Managing ECMP Group Paths................................................................................................................................313
Creating an ECMP Group Bundle...........................................................................................................................313
Modifying the ECMP Group Threshold................................................................................................................. 313
Support for /128 IPv6 and /32 IPv4 Prefixes in Layer 3 Host Table and LPM Table.......................................314
Support for ECMP in host table.............................................................................................................................315
Support for moving /128 IPv6 Prexes and /32 IPv4 Prexes .........................................................................315
14 FIP Snooping............................................................................................................................................ 316
Fibre Channel over Ethernet.........................................................................................................................................316
Ensure Robustness in a Converged Ethernet Network.............................................................................................316
FIP Snooping on Ethernet Bridges...............................................................................................................................318
FIP Snooping in a Switch Stack...................................................................................................................................320
Using FIP Snooping....................................................................................................................................................... 320
FIP Snooping Prerequisites.....................................................................................................................................320
Important Points to Remember............................................................................................................................. 320
Enabling the FCoE Transit Feature.........................................................................................................................321
Enable FIP Snooping on VLANs.............................................................................................................................322
Congure the FC-MAP Value................................................................................................................................ 322
Congure a Port for a Bridge-to-Bridge Link....................................................................................................... 322
Congure a Port for a Bridge-to-FCF Link...........................................................................................................322
Impact on Other Software Features..................................................................................................................... 322
FIP Snooping Restrictions...................................................................................................................................... 323
Conguring FIP Snooping.......................................................................................................................................323
Displaying FIP Snooping Information...........................................................................................................................324
FCoE Transit Conguration Example...........................................................................................................................329
15 Flex Hash and Optimized Boot-Up............................................................................................................ 331
Flex Hash Capability Overview..................................................................................................................................... 331
Conguring the Flex Hash Mechanism........................................................................................................................331
Conguring Fast Boot and LACP Fast Switchover...................................................................................................332
Optimizing the Boot Time.............................................................................................................................................332
Booting Process When Optimized Boot Time Mechanism is Enabled..............................................................332
Guidelines for Conguring Optimized Booting Mechanism................................................................................333
Interoperation of Applications with Fast Boot and System States..........................................................................334
LACP and IPv4 Routing.......................................................................................................................................... 334
LACP and IPv6 Routing.......................................................................................................................................... 334
BGP Graceful Restart............................................................................................................................................. 335
Cold Boot Caused by Power Cycling the System................................................................................................335
Unexpected Reload of the System........................................................................................................................335
Software Upgrade................................................................................................................................................... 335
LACP Fast Switchover............................................................................................................................................335
Changes to BGP Multipath.................................................................................................................................... 336
Delayed Installation of ECMP Routes Into BGP...................................................................................................336
RDMA Over Converged Ethernet (RoCE) Overview............................................................................................... 336
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces...................................................................................... 337
16 Force10 Resilient Ring Protocol (FRRP)................................................................................................... 338
Protocol Overview.........................................................................................................................................................338
Ring Status...............................................................................................................................................................339
Multiple FRRP Rings............................................................................................................................................... 339
Important FRRP Points...........................................................................................................................................340
Important FRRP Concepts......................................................................................................................................341
Implementing FRRP.......................................................................................................................................................342
FRRP Conguration.......................................................................................................................................................342
Creating the FRRP Group.......................................................................................................................................342
Conguring the Control VLAN...............................................................................................................................343
Conguring and Adding the Member VLANs.......................................................................................................344
Setting the FRRP Timers........................................................................................................................................345
Clearing the FRRP Counters..................................................................................................................................345
Viewing the FRRP Configuration...........................................................................................................................345
Viewing the FRRP Information.............................................................................................................................. 345
Troubleshooting FRRP.................................................................................................................................................. 346
Conguration Checks..............................................................................................................................................346
Sample Conguration and Topology............................................................................................................................ 346
FRRP Support on VLT...................................................................................................................................................347
Example Scenario.................................................................................................................................................... 348
Important Points to Remember............................................................................................................................. 349
17 GARP VLAN Registration Protocol (GVRP)..............................................................................................350
Important Points to Remember................................................................................................................................... 350
Congure GVRP............................................................................................................................................................. 351
Related Conguration Tasks....................................................................................................................................351
Enabling GVRP Globally................................................................................................................................................ 352
Enabling GVRP on a Layer 2 Interface........................................................................................................................352
Congure GVRP Registration...................................................................................................................................... 352
Congure a GARP Timer.............................................................................................................................................. 353
18 Internet Group Management Protocol (IGMP)......................................................................................... 354
IGMP Implementation Information.............................................................................................................................. 354
IGMP Protocol Overview..............................................................................................................................................354
IGMP Version 2........................................................................................................................................................354
IGMP Version 3........................................................................................................................................................356
Congure IGMP.............................................................................................................................................................359
Related Conguration Tasks...................................................................................................................................359
Viewing IGMP Enabled Interfaces...............................................................................................................................360
Selecting an IGMP Version...........................................................................................................................................360
Viewing IGMP Groups....................................................................................................................................................361
Adjusting Timers............................................................................................................................................................. 361
Adjusting Query and Response Timers..................................................................................................................361
Enabling IGMP Immediate-Leave.................................................................................................................................362
IGMP Snooping..............................................................................................................................................................363
IGMP Snooping Implementation Information....................................................................................................... 363
Configuring IGMP Snooping...................................................................................................................................363
Removing a Group-Port Association.....................................................................................................................364
Disabling Multicast Flooding...................................................................................................................................364
Specifying a Port as Connected to a Multicast Router...................................................................................... 364
Configuring the Switch as Querier........................................................................................................................365
Fast Convergence after MSTP Topology Changes................................................................................................... 365
Egress Interface Selection (EIS) for HTTP and IGMP Applications........................................................................365
Protocol Separation................................................................................................................................................. 366
Enabling and Disabling Management Egress Interface Selection...................................................................... 367
Handling of Management Route Configuration................................................................................................... 368
Handling of Switch-Initiated Traffic....................................................................................................................... 368
Handling of Switch-Destined Traffic......................................................................................................................369
Handling of Transit Traffic (Traffic Separation).....................................................................................................370
Mapping of Management Applications and Traffic Type.....................................................................................370
Behavior of Various Applications for Switch-Initiated Traffic ............................................................................. 371
Behavior of Various Applications for Switch-Destined Traffic ...........................................................................372
Interworking of EIS With Various Applications..................................................................................................... 372
Designating a Multicast Router Interface................................................................................................................... 373
19 Interfaces................................................................................................................................................. 374
Basic Interface Conguration....................................................................................................................................... 374
Advanced Interface Conguration............................................................................................................................... 374
Interface Types............................................................................................................................................................... 375
View Basic Interface Information.................................................................................................................................375
Resetting an Interface to its Factory Default State................................................................................................... 377
Enabling a Physical Interface........................................................................................................................................378
Physical Interfaces.........................................................................................................................................................378
Configuration Task List for Physical Interfaces.................................................................................................... 378
40G to 1G Breakout Cable Adaptor....................................................................................................................... 378
Overview of Layer Modes.......................................................................................................................................379
Configuring Layer 2 (Data Link) Mode..................................................................................................................380
Configuring Layer 2 (Interface) Mode.................................................................................................................. 380
Configuring Layer 3 (Network) Mode...................................................................................................................380
Configuring Layer 3 (Interface) Mode................................................................................................................... 381
Automatic recovery of an Err-disabled interface.......................................................................................................382
Configuring an automatic recovery for an Err-disabled interface......................................................................382
Egress Interface Selection (EIS).................................................................................................................................. 383
Important Points to Remember............................................................................................................................. 383
Configuring EIS........................................................................................................................................................ 383
Management Interfaces................................................................................................................................................384
Configuring Management Interfaces.....................................................................................................................384
Configuring a Management Interface on an Ethernet Port............................................................................... 385
VLAN Interfaces............................................................................................................................................................ 386
Loopback Interfaces...................................................................................................................................................... 387
Null Interfaces.................................................................................................................................................................387
Port Channel Interfaces................................................................................................................................................ 387
Port Channel Denition and Standards.................................................................................................................388
Port Channel Benets.............................................................................................................................................388
Port Channel Implementation.................................................................................................................................388
Interfaces in Port Channels.................................................................................................................................... 389
Configuration Tasks for Port Channel Interfaces.................................................................................................389
Creating a Port Channel......................................................................................................................................... 389
Adding a Physical Interface to a Port Channel.....................................................................................................390
Reassigning an Interface to a New Port Channel.................................................................................................391
Configuring the Minimum Oper Up Links in a Port Channel.............................................................................. 392
Adding or Removing a Port Channel from a VLAN............................................................................................. 392
Assigning an IP Address to a Port Channel.......................................................................................................... 394
Deleting or Disabling a Port Channel.....................................................................................................................394
Load Balancing Through Port Channels................................................................................................................394
Changing the Hash Algorithm................................................................................................................................394
Bulk Configuration.........................................................................................................................................................396
Interface Range....................................................................................................................................................... 396
Bulk Configuration Examples..................................................................................................................................396
Defining Interface Range Macros................................................................................................................................ 398
Define the Interface Range.................................................................................................................................... 398
Choosing an Interface-Range Macro.................................................................................................................... 398
Monitoring and Maintaining Interfaces....................................................................................................................... 398
Maintenance Using TDR.........................................................................................................................................399
Non Dell-Qualified Transceivers...................................................................................................................................400
Splitting 40G Ports without Reload............................................................................................................................ 400
Splitting QSFP Ports to SFP+ Ports........................................................................................................................... 402
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port..................................................................................403
Important Points to Remember............................................................................................................................. 403
Example Scenarios.................................................................................................................................................. 404
Link Dampening............................................................................................................................................................. 405
Important Points to Remember............................................................................................................................. 405
Configuration Example of Link Dampening.......................................................................................................... 406
Enabling Link Dampening........................................................................................................................................408
Link Bundle Monitoring................................................................................................................................................. 409
Using Ethernet Pause Frames for Flow Control.........................................................................................................410
Enabling Pause Frames............................................................................................................................................410
Configure the MTU Size on an Interface..................................................................................................................... 411
Port-Pipes........................................................................................................................................................................412
Auto-Negotiation on Ethernet Interfaces....................................................................................................................412
Setting the Speed of Ethernet Interfaces.............................................................................................................412
Set Auto-Negotiation Options................................................................................................................................ 414
View Advanced Interface Information..........................................................................................................................414
Configuring the Interface Sampling Size............................................................................................................... 415
Configuring the Traffic Sampling Size Globally........................................................................................................... 416
Dynamic Counters..........................................................................................................................................................418
Clearing Interface Counters.................................................................................................................................... 418
Compressing Configuration Files..................................................................................................................................419
Discard Counters............................................................................................................................................................ 421
Display discard counters......................................................................................................................................... 422
20 IPv4 Routing............................................................................................................................................424
IP Addresses...................................................................................................................................................................425
Implementation Information....................................................................................................................................425
Configuration Tasks for IP Addresses..........................................................................................................................425
Assigning IP Addresses to an Interface.......................................................................................................................425
Conguring Static Routes.............................................................................................................................................426
Congure Static Routes for the Management Interface.......................................................................................... 427
IPv4 Path MTU Discovery Overview.......................................................................................................................... 428
Packet handling during MTU mismatch................................................................................................................428
Using the Configured Source IP Address in ICMP Messages..................................................................................428
Configuring the ICMP Source Interface............................................................................................................... 428
Configuring the Duration to Establish a TCP Connection........................................................................................ 429
Enabling Directed Broadcast........................................................................................................................................ 429
Resolution of Host Names............................................................................................................................................429
Enabling Dynamic Resolution of Host Names............................................................................................................430
Specifying the Local System Domain and a List of Domains................................................................................... 430
Configuring DNS with Traceroute................................................................................................................................ 431
ARP.................................................................................................................................................................................. 431
Conguration Tasks for ARP........................................................................................................................................ 432
Conguring Static ARP Entries....................................................................................................................................432
Enabling Proxy ARP.......................................................................................................................................................432
Clearing ARP Cache...................................................................................................................................................... 433
ARP Learning via Gratuitous ARP................................................................................................................................433
Enabling ARP Learning via Gratuitous ARP................................................................................................................ 433
ARP Learning via ARP Request................................................................................................................................... 433
Configuring ARP Retries...............................................................................................................................................434
ICMP............................................................................................................................................................................... 435
Configuration Tasks for ICMP...................................................................................................................................... 435
Enabling ICMP Unreachable Messages...................................................................................................................... 435
UDP Helper.....................................................................................................................................................................435
Configure UDP Helper.............................................................................................................................................435
Important Points to Remember............................................................................................................................. 436
Enabling UDP Helper.....................................................................................................................................................436
Configurations Using UDP Helper............................................................................................................................... 436
UDP Helper with Broadcast-All Addresses.................................................................................................................436
UDP Helper with Subnet Broadcast Addresses......................................................................................................... 437
UDP Helper with Configured Broadcast Addresses.................................................................................................. 437
UDP Helper with No Configured Broadcast Addresses............................................................................................438
Troubleshooting UDP Helper........................................................................................................................................438
21 IPv6 Routing............................................................................................................................................ 439
Protocol Overview.........................................................................................................................................................439
Extended Address Space........................................................................................................................................440
Stateless Autoconfiguration................................................................................................................................... 440
IPv6 Headers............................................................................................................................................................440
Longest Prex Match (LPM) Table and IPv6 /65 – /128 support.................................................................... 441
IPv6 Header Fields...................................................................................................................................................442
Extension Header Fields..........................................................................................................................................444
Addressing................................................................................................................................................................445
Implementing IPv6 with Dell EMC Networking OS...................................................................................................446
ICMPv6........................................................................................................................................................................... 447
Path MTU discovery......................................................................................................................................................448
IPv6 Neighbor Discovery.............................................................................................................................................. 448
IPv6 Neighbor Discovery of MTU Packets...........................................................................................................449
Configuring the IPv6 Recursive DNS Server....................................................................................................... 449
Debugging IPv6 RDNSS Information Sent to the Host .....................................................................................450
Displaying IPv6 RDNSS Information......................................................................................................................450
Secure Shell (SSH) Over an IPv6 Transport............................................................................................................... 451
Conguration Tasks for IPv6......................................................................................................................................... 451
Adjusting Your CAM-Prole.....................................................................................................................................451
Assigning an IPv6 Address to an Interface...........................................................................................................452
Assigning a Static IPv6 Route................................................................................................................................453
Configuring Telnet with IPv6..................................................................................................................................453
SNMP over IPv6......................................................................................................................................................454
Displaying IPv6 Information....................................................................................................................................454
Displaying an IPv6 Interface Information.............................................................................................................. 454
Showing IPv6 Routes..............................................................................................................................................455
Showing the Running-Configuration for an Interface.........................................................................................456
Clearing IPv6 Routes...............................................................................................................................................457
Disabling ND Entry Timeout................................................................................................................................... 457
Conguring IPv6 RA Guard.......................................................................................................................................... 457
Conguring IPv6 RA Guard on an Interface.........................................................................................................459
Monitoring IPv6 RA Guard..................................................................................................................................... 460
22 iSCSI Optimization................................................................................................................................... 461
iSCSI Optimization Overview........................................................................................................................................461
Monitoring iSCSI Traffic Flows...............................................................................................................................463
Application of Quality of Service to iSCSI Traffic Flows..................................................................................... 463
Information Monitored in iSCSI Traffic Flows.......................................................................................................463
Detection and Auto-Configuration for Dell EqualLogic Arrays........................................................................... 464
Configuring Detection and Ports for Dell Compellent Arrays............................................................................. 464
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer.................................................................465
Enable and Disable iSCSI Optimization.................................................................................................................465
Default iSCSI Optimization Values...............................................................................................................................466
iSCSI Optimization Prerequisites................................................................................................................................. 466
Conguring iSCSI Optimization................................................................................................................................... 466
Displaying iSCSI Optimization Information................................................................................................................. 468
23 Intermediate System to Intermediate System...........................................................................................470
IS-IS Protocol Overview................................................................................................................................................470
IS-IS Addressing.............................................................................................................................................................470
Multi-Topology IS-IS....................................................................................................................................................... 471
Transition Mode........................................................................................................................................................ 471
Interface Support.....................................................................................................................................................472
Adjacencies...............................................................................................................................................................472
Graceful Restart.............................................................................................................................................................472
Timers........................................................................................................................................................................472
Implementation Information..........................................................................................................................................472
Conguration Information............................................................................................................................................. 473
Conguration Tasks for IS-IS.................................................................................................................................. 474
Conguring the Distance of a Route......................................................................................................................481
Changing the IS-Type.............................................................................................................................................. 482
Redistributing IPv4 Routes.....................................................................................................................................484
Redistributing IPv6 Routes.....................................................................................................................................485
Conguring Authentication Passwords.................................................................................................................486
Setting the Overload Bit.........................................................................................................................................486
Debugging IS-IS....................................................................................................................................................... 487
IS-IS Metric Styles.........................................................................................................................................................488
Congure Metric Values............................................................................................................................................... 488
Maximum Values in the Routing Table.................................................................................................................. 488
Change the IS-IS Metric Style in One Level Only................................................................................................488
Leaks from One Level to Another..........................................................................................................................490
Sample Congurations...................................................................................................................................................491
24 Link Aggregation Control Protocol (LACP).............................................................................................. 493
Introduction to Dynamic LAGs and LACP.................................................................................................................. 493
Important Points to Remember............................................................................................................................. 493
LACP Modes............................................................................................................................................................ 494
Conguring LACP Commands............................................................................................................................... 494
LACP Conguration Tasks............................................................................................................................................ 495
Creating a LAG.........................................................................................................................................................495
Conguring the LAG Interfaces as Dynamic........................................................................................................495
Setting the LACP Long Timeout........................................................................................................................... 496
Monitoring and Debugging LACP..........................................................................................................................496
Shared LAG State Tracking...........................................................................................................................................497
Conguring Shared LAG State Tracking............................................................................................................... 497
Important Points about Shared LAG State Tracking...........................................................................................499
LACP Basic Conguration Example............................................................................................................................ 499
Congure a LAG on ALPHA...................................................................................................................................499
25 Layer 2.................................................................................................................................................... 508
Manage the MAC Address Table................................................................................................................................. 508
Clearing the MAC Address Table........................................................................................................................... 508
Setting the Aging Time for Dynamic Entries........................................................................................................508
Conguring a Static MAC Address........................................................................................................................509
Displaying the MAC Address Table........................................................................................................................509
MAC Learning Limit.......................................................................................................................................................509
Setting the MAC Learning Limit............................................................................................................................. 510
mac learning-limit Dynamic..................................................................................................................................... 510
mac learning-limit mac-address-sticky..................................................................................................................510
mac learning-limit station-move..............................................................................................................................511
mac learning-limit no-station-move........................................................................................................................511
Learning Limit Violation Actions...............................................................................................................................511
Setting Station Move Violation Actions.................................................................................................................512
Recovering from Learning Limit and Station Move Violations............................................................................512
NIC Teaming....................................................................................................................................................................513
Congure Redundant Pairs........................................................................................................................................... 514
Important Points about Conguring Redundant Pairs.........................................................................................516
Far-End Failure Detection.............................................................................................................................................. 517
FEFD State Changes................................................................................................................................................518
Conguring FEFD.....................................................................................................................................................519
Enabling FEFD on an Interface............................................................................................................................... 519
Debugging FEFD......................................................................................................................................................520
26 Link Layer Discovery Protocol (LLDP)..................................................................................................... 522
802.1AB (LLDP) Overview............................................................................................................................................522
Protocol Data Units................................................................................................................................................. 522
Optional TLVs.................................................................................................................................................................523
Management TLVs...................................................................................................................................................523
TIA-1057 (LLDP-MED) Overview................................................................................................................................ 525
TIA Organizationally Specic TLVs........................................................................................................................ 525
Congure LLDP............................................................................................................................................................. 529
Related Conguration Tasks...................................................................................................................................529
Important Points to Remember............................................................................................................................. 529
LLDP Compatibility..................................................................................................................................................530
CONFIGURATION versus INTERFACE Configurations............................................................................................530
Enabling LLDP................................................................................................................................................................530
Disabling and Undoing LLDP...................................................................................................................................531
Enabling LLDP on Management Ports.........................................................................................................................531
Disabling and Undoing LLDP on Management Ports...........................................................................................531
Advertising TLVs.............................................................................................................................................................531
Storing and Viewing Unrecognized LLDP TLVs......................................................................................................... 533
Reserved Unrecognized LLDP TLVs..................................................................................................................... 533
Organizational Specic Unrecognized LLDP TLVs.............................................................................................. 533
Viewing Unrecognized LLDP TLVs........................................................................................................................533
Viewing the LLDP Conguration................................................................................................................................. 534
Viewing Information Advertised by Adjacent LLDP Neighbors................................................................................534
Examples of Viewing Information Advertised by Neighbors...............................................................................534
Conguring LLDPDU Intervals.....................................................................................................................................536
Conguring LLDP Notication Interval....................................................................................................................... 537
Conguring LLDP Notication Interval....................................................................................................................... 537
Conguring Transmit and Receive Mode....................................................................................................................537
Conguring the Time to Live Value............................................................................................................................. 538
Debugging LLDP............................................................................................................................................................539
Relevant Management Objects................................................................................................................................... 540
27 Microsoft Network Load Balancing.......................................................................................................... 545
NLB Unicast Mode Scenario........................................................................................................................................545
NLB Multicast Mode Scenario.....................................................................................................................................545
Limitations of the NLB Feature....................................................................................................................................546
Microsoft Clustering......................................................................................................................................................546
Enable and Disable VLAN Flooding ............................................................................................................................ 546
Conguring a Switch for NLB .....................................................................................................................................546
Enabling a Switch for Multicast NLB.................................................................................................................... 547
28 Multicast Source Discovery Protocol (MSDP)......................................................................................... 548
Protocol Overview.........................................................................................................................................................548
Anycast RP.....................................................................................................................................................................549
Implementation Information......................................................................................................................................... 550
Congure Multicast Source Discovery Protocol........................................................................................................550
Related Conguration Tasks...................................................................................................................................550
Enable MSDP.................................................................................................................................................................554
Manage the Source-Active Cache..............................................................................................................................555
Viewing the Source-Active Cache........................................................................................................................ 555
Limiting the Source-Active Cache........................................................................................................................ 555
Clearing the Source-Active Cache........................................................................................................................556
Enabling the Rejected Source-Active Cache.......................................................................................................556
Accept Source-Active Messages that Fail the RPF Check..................................................................................... 556
Specifying Source-Active Messages...........................................................................................................................559
Limiting the Source-Active Messages from a Peer...................................................................................................560
Preventing MSDP from Caching a Local Source.......................................................................................................560
Preventing MSDP from Caching a Remote Source...................................................................................................561
Preventing MSDP from Advertising a Local Source.................................................................................................. 561
Logging Changes in Peership States...........................................................................................................................562
Terminating a Peership..................................................................................................................................................562
Clearing Peer Statistics.................................................................................................................................................563
Debugging MSDP..........................................................................................................................................................563
MSDP with Anycast RP................................................................................................................................................564
Conguring Anycast RP............................................................................................................................................... 565
Reducing Source-Active Message Flooding........................................................................................................ 566
Specifying the RP Address Used in SA Messages..............................................................................................566
MSDP Sample Congurations..................................................................................................................................... 568
32 Multicast Listener Discovery Protocol...................................................................................................... 571
MLD Version 1.................................................................................................................................................................571
MLD Querier Router.......................................................................................................................................................571
Joining a Multicast Group.............................................................................................................................................572
Leaving a Multicast Group............................................................................................................................................ 572
MLD version 2................................................................................................................................................................ 572
MLD timers..................................................................................................................................................................... 574
Reducing Host Response Burstiness.................................................................................................................... 575
Clearing MLD groups.....................................................................................................................................................575
Debugging MLD............................................................................................................................................................. 575
Explicit Tracking............................................................................................................................................................. 575
Reducing Leave Latency...............................................................................................................................................575
Displaying MLD groups table........................................................................................................................................576
Displaying MLD Interfaces............................................................................................................................................ 576
30 Multiple Spanning Tree Protocol (MSTP)................................................................................................. 577
Protocol Overview......................................................................................................................................................... 577
Spanning Tree Variations...............................................................................................................................................578
Implementation Information....................................................................................................................................578
Congure Multiple Spanning Tree Protocol................................................................................................................ 578
Related Conguration Tasks................................................................................................................................... 579
Enable Multiple Spanning Tree Globally.......................................................................................................................579
Adding and Removing Interfaces................................................................................................................................. 579
Creating Multiple Spanning Tree Instances................................................................................................................580
Inuencing MSTP Root Selection................................................................................................................................ 581
Interoperate with Non-Dell Bridges............................................................................................................................. 582
Changing the Region Name or Revision.....................................................................................................................582
Modifying Global Parameters....................................................................................................................................... 582
Modifying the Interface Parameters........................................................................................................................... 584
Conguring an EdgePort..............................................................................................................................................585
Flush MAC Addresses after a Topology Change....................................................................................................... 585
MSTP Sample Congurations......................................................................................................................................586
Router 1 Running-CongurationRouter 2 Running-CongurationRouter 3 Running-
CongurationSFTOS Example Running-Conguration.......................................................................................586
Debugging and Verifying MSTP Congurations........................................................................................................590
31 Multicast Features....................................................................................................................................592
Enabling IP Multicast.....................................................................................................................................................592
Implementation Information..........................................................................................................................................592
Multicast Policies...........................................................................................................................................................593
IPv4 Multicast Policies............................................................................................................................................ 593
Understanding Multicast Traceroute (mtrace)..........................................................................................................600
Important Points to Remember.............................................................................................................................. 601
Printing Multicast Traceroute (mtrace) Paths............................................................................................................601
Supported Error Codes.................................................................................................................................................602
mtrace Scenarios...........................................................................................................................................................603
32 Multicast Listener Discovery Protocol..................................................................................................... 609
MLD Version 1................................................................................................................................................................609
MLD Querier Router......................................................................................................................................................609
Joining a Multicast Group..............................................................................................................................................610
Leaving a Multicast Group............................................................................................................................................ 610
MLD version 2.................................................................................................................................................................610
MLD timers......................................................................................................................................................................612
Reducing Host Response Burstiness.....................................................................................................................613
Clearing MLD groups..................................................................................................................................................... 613
Debugging MLD..............................................................................................................................................................613
Explicit Tracking.............................................................................................................................................................. 613
Reducing Leave Latency................................................................................................................................................613
Displaying MLD groups table.........................................................................................................................................614
Displaying MLD Interfaces.............................................................................................................................................614
MLD Snooping................................................................................................................................................................ 614
Enable MLD Snooping............................................................................................................................................. 614
Disable MLD Snooping.............................................................................................................................................615
Congure the switch as a querier.......................................................................................................................... 615
Specify port as connected to multicast router..................................................................................................... 615
Enable Snooping Explicit Tracking..........................................................................................................................616
Display the MLD Snooping Table............................................................................................................................616
33 Object Tracking........................................................................................................................................ 617
Object Tracking Overview............................................................................................................................................. 617
Track Layer 2 Interfaces.......................................................................................................................................... 618
Track Layer 3 Interfaces.......................................................................................................................................... 618
Track IPv4 and IPv6 Routes....................................................................................................................................619
Set Tracking Delays................................................................................................................................................. 620
VRRP Object Tracking............................................................................................................................................ 620
Object Tracking Conguration..................................................................................................................................... 620
Tracking a Layer 2 Interface................................................................................................................................... 620
Tracking a Layer 3 Interface....................................................................................................................................621
Track an IPv4/IPv6 Route...................................................................................................................................... 623
Displaying Tracked Objects...........................................................................................................................................626
34 Open Shortest Path First (OSPFv2 and OSPFv3)....................................................................................628
Protocol Overview.........................................................................................................................................................628
Autonomous System (AS) Areas........................................................................................................................... 628
Area Types................................................................................................................................................................ 629
Networks and Neighbors........................................................................................................................................630
Router Types............................................................................................................................................................ 630
Designated and Backup Designated Routers.......................................................................................................632
Link-State Advertisements (LSAs)........................................................................................................................632
Router Priority and Cost.........................................................................................................................................633
OSPF with Dell EMC Networking OS.........................................................................................................................634
Graceful Restart...................................................................................................................................................... 635
Fast Convergence (OSPFv2, IPv4 Only)..............................................................................................................636
Multi-Process OSPFv2 with VRF..........................................................................................................................636
RFC-2328 Compliant OSPF Flooding................................................................................................................... 636
OSPF ACK Packing..................................................................................................................................................637
Setting OSPF Adjacency with Cisco Routers.......................................................................................................637
Conguration Information.............................................................................................................................................638
Conguration Task List for OSPFv2 (OSPF for IPv4)........................................................................................ 638
OSPFv3 NSSA...............................................................................................................................................................652
NSSA Options.......................................................................................................................................................... 652
Conguration Task List for OSPFv3 (OSPF for IPv6).............................................................................................. 653
Enabling IPv6 Unicast Routing...............................................................................................................................653
Applying cost for OSPFv3......................................................................................................................................654
Assigning IPv6 Addresses on an Interface........................................................................................................... 654
Assigning Area ID on an Interface..........................................................................................................................654
Assigning OSPFv3 Process ID and Router ID Globally........................................................................................655
Assigning OSPFv3 Process ID and Router ID to a VRF......................................................................................655
Conguring Stub Areas...........................................................................................................................................656
Conguring Passive-Interface................................................................................................................................656
Redistributing Routes..............................................................................................................................................656
Conguring a Default Route................................................................................................................................... 657
Enabling OSPFv3 Graceful Restart....................................................................................................................... 657
OSPFv3 Authentication Using IPsec.....................................................................................................................659
Troubleshooting OSPFv3........................................................................................................................................665
35 Policy-based Routing (PBR).................................................................................................................... 667
Overview.........................................................................................................................................................................667
Implementing PBR.........................................................................................................................................................668
Conguration Task List for Policy-based Routing......................................................................................................668
PBR Exceptions (Permit)....................................................................................................................................... 669
Create a Redirect List............................................................................................................................................. 669
Create a Rule for a Redirect-list.............................................................................................................................669
Apply a Redirect-list to an Interface using a Redirect-group.............................................................................. 671
Sample Conguration....................................................................................................................................................673
Create the Redirect-List GOLDAssign Redirect-List GOLD to Interface 2/11View Redirect-List GOLD...... 674
36 PIM Sparse-Mode (PIM-SM).................................................................................................................. 678
Implementation Information..........................................................................................................................................678
Protocol Overview......................................................................................................................................................... 678
Requesting Multicast Trac...................................................................................................................................678
Refuse Multicast Trac.......................................................................................................................................... 679
Send Multicast Trac............................................................................................................................................. 679
Conguring PIM-SM..................................................................................................................................................... 679
Related Conguration Tasks...................................................................................................................................680
Enable PIM-SM..............................................................................................................................................................680
Conguring S,G Expiry Timers..................................................................................................................................... 682
Conguring a Static Rendezvous Point...................................................................................................................... 682
Overriding Bootstrap Router Updates.................................................................................................................. 683
Conguring a Designated Router.................................................................................................................................683
Creating Multicast Boundaries and Domains............................................................................................................. 685
37 PIM Source-Specic Mode (PIM-SSM).................................................................................................. 686
Implementation Information......................................................................................................................................... 686
Important Points to Remember............................................................................................................................. 686
Congure PIM-SSM......................................................................................................................................................687
Related Conguration Tasks................................................................................................................................... 687
Enabling PIM-SSM........................................................................................................................................................ 687
Use PIM-SSM with IGMP Version 2 Hosts................................................................................................................ 687
Conguring PIM-SSM with IGMPv2.....................................................................................................................688
Electing an RP using the BSR Mechanism.................................................................................................................689
Enabling RP to Server Specic Multicast Groups...............................................................................................689
38 Port Monitoring........................................................................................................................................691
Important Points to Remember.................................................................................................................................... 691
Port Monitoring..............................................................................................................................................................692
Conguring Port Monitoring........................................................................................................................................ 693
Conguring Monitor Multicast Queue........................................................................................................................ 694
Enabling Flow-Based Monitoring.................................................................................................................................695
Remote Port Mirroring.................................................................................................................................................. 696
Remote Port Mirroring Example............................................................................................................................ 696
Conguring Remote Port Mirroring.......................................................................................................................697
Displaying Remote-Port Mirroring Congurations...............................................................................................699
Conguring the Sample Remote Port Mirroring..................................................................................................699
Encapsulated Remote Port Monitoring.......................................................................................................................702
ERPM Behavior on a typical Dell EMC Networking OS ...........................................................................................704
Decapsulation of ERPM packets at the Destination IP/ Analyzer..................................................................... 704
Port Monitoring on VLT.................................................................................................................................................705
VLT Non-fail over Scenario.....................................................................................................................................705
VLT Fail-over Scenario............................................................................................................................................ 706
RPM over VLT Scenarios........................................................................................................................................706
39 Per-VLAN Spanning Tree Plus (PVST+)................................................................................................... 708
Protocol Overview......................................................................................................................................................... 708
Implementation Information..........................................................................................................................................709
Congure Per-VLAN Spanning Tree Plus....................................................................................................................709
Related Conguration Tasks................................................................................................................................... 709
Enabling PVST+............................................................................................................................................................. 709
Disabling PVST+............................................................................................................................................................. 710
Inuencing PVST+ Root Selection............................................................................................................................... 710
Modifying Global PVST+ Parameters...........................................................................................................................712
Modifying Interface PVST+ Parameters...................................................................................................................... 713
Conguring an EdgePort............................................................................................................................................... 714
PVST+ in Multi-Vendor Networks................................................................................................................................ 714
Enabling PVST+ Extend System ID.............................................................................................................................. 714
PVST+ Sample Congurations......................................................................................................................................715
40 Quality of Service (QoS).......................................................................................................................... 718
Implementation Information..........................................................................................................................................720
Port-Based QoS Congurations.................................................................................................................................. 720
Setting dot1p Priorities for Incoming Trac......................................................................................................... 720
Honoring dot1p Priorities on Ingress Traffic...........................................................................................................721
Configuring Port-Based Rate Policing...................................................................................................................722
Configuring Port-Based Rate Shaping.................................................................................................................. 722
Policy-Based QoS Configurations................................................................................................................................ 723
Classify Traffic.......................................................................................................................................................... 723
Dot1p to Queue Mapping Requirement................................................................................................................. 727
Create a QoS Policy................................................................................................................................................. 727
DSCP Color Maps....................................................................................................................................................730
Create Policy Maps.................................................................................................................................................. 732
Enabling QoS Rate Adjustment....................................................................................................................................735
Enabling Strict-Priority Queueing................................................................................................................................ 736
Queue Classication Requirements for PFC Functionality.......................................................................................736
Support for marking dot1p value in L3 Input Qos Policy...........................................................................................736
Weighted Random Early Detection.............................................................................................................................. 737
Creating WRED Proles.......................................................................................................................................... 738
Applying a WRED Prole to Trac........................................................................................................................ 738
Displaying Default and Congured WRED Proles.............................................................................................. 739
Displaying WRED Drop Statistics...........................................................................................................................739
Displaying egress–queue Statistics....................................................................................................................... 739
Pre-Calculating Available QoS CAM Space................................................................................................................ 740
Specifying Policy-Based Rate Shaping in Packets Per Second................................................................................ 741
Conguring Policy-Based Rate Shaping...................................................................................................................... 741
Conguring Weights and ECN for WRED ..................................................................................................................742
Global Service Pools With WRED and ECN Settings..........................................................................................742
Conguring WRED and ECN Attributes......................................................................................................................743
Guidelines for Conguring ECN for Classifying and Color-Marking Packets......................................................... 744
Sample conguration to mark non-ecn packets as “yellow” with Multiple trac class.................................. 745
Classifying Incoming Packets Using ECN and Color-Marking............................................................................745
Sample conguration to mark non-ecn packets as “yellow” with single trac class...................................... 747
Applying Layer 2 Match Criteria on a Layer 3 Interface............................................................................................748
Managing Hardware Buer Statistics....................................................................................................................748
Enabling Buer Statistics Tracking ............................................................................................................................. 749
41 Routing Information Protocol (RIP).......................................................................................................... 752
Protocol Overview......................................................................................................................................................... 752
RIPv1..........................................................................................................................................................................752
RIPv2.........................................................................................................................................................................752
Implementation Information..........................................................................................................................................753
Conguration Information.............................................................................................................................................753
Conguration Task List............................................................................................................................................753
RIP Conguration Example.....................................................................................................................................760
42 Remote Monitoring (RMON)................................................................................................................... 765
Implementation Information..........................................................................................................................................765
Fault Recovery...............................................................................................................................................................765
Setting the RMON Alarm........................................................................................................................................766
Conguring an RMON Event................................................................................................................................. 766
Conguring RMON Collection Statistics...............................................................................................................767
Conguring the RMON Collection History............................................................................................................767
43 Rapid Spanning Tree Protocol (RSTP)..................................................................................................... 769
Protocol Overview......................................................................................................................................................... 769
Conguring Rapid Spanning Tree.................................................................................................................................769
Related Conguration Tasks................................................................................................................................... 769
Important Points to Remember....................................................................................................................................769
RSTP and VLT.......................................................................................................................................................... 770
Conguring Interfaces for Layer 2 Mode.................................................................................................................... 770
Enabling Rapid Spanning Tree Protocol Globally.........................................................................................................771
Adding and Removing Interfaces................................................................................................................................. 773
Modifying Global Parameters........................................................................................................................................773
Enabling SNMP Traps for Root Elections and Topology Changes..................................................................... 775
Modifying Interface Parameters...................................................................................................................................775
Enabling SNMP Traps for Root Elections and Topology Changes........................................................................... 775
Inuencing RSTP Root Selection.................................................................................................................................775
Conguring an EdgePort...............................................................................................................................................776
Conguring Fast Hellos for Link State Detection.......................................................................................................777
44 Software-Dened Networking (SDN)...................................................................................................... 778
45 Security................................................................................................................................................... 779
AAA Accounting............................................................................................................................................................. 779
Conguration Task List for AAA Accounting........................................................................................................ 779
AAA Authentication........................................................................................................................................................ 781
Conguration Task List for AAA Authentication...................................................................................................782
Obscuring Passwords and Keys...................................................................................................................................785
AAA Authorization......................................................................................................................................................... 785
Privilege Levels Overview.......................................................................................................................................785
Conguration Task List for Privilege Levels..........................................................................................................786
RADIUS........................................................................................................................................................................... 790
RADIUS Authentication...........................................................................................................................................790
Conguration Task List for RADIUS....................................................................................................................... 791
Support for Change of Authorization and Disconnect Messages packets...................................................... 795
TACACS+........................................................................................................................................................................806
Conguration Task List for TACACS+................................................................................................................... 806
TACACS+ Remote Authentication........................................................................................................................ 808
Command Authorization.........................................................................................................................................809
Protection from TCP Tiny and Overlapping Fragment Attacks............................................................................... 809
Enabling SCP and SSH................................................................................................................................................. 809
Using SCP with SSH to Copy a Software Image................................................................................................. 810
Removing the RSA Host Keys and Zeroizing Storage .........................................................................................811
Conguring When to Re-generate an SSH Key ...................................................................................................811
Conguring the SSH Server Key Exchange Algorithm........................................................................................812
Conguring the HMAC Algorithm for the SSH Server........................................................................................812
Conguring the SSH Server Cipher List................................................................................................................813
Conguring DNS in the SSH Server...................................................................................................................... 813
Secure Shell Authentication....................................................................................................................................814
Troubleshooting SSH................................................................................................................................................816
Telnet................................................................................................................................................................................816
VTY Line and Access-Class Configuration.................................................................................................................. 817
VTY Line Local Authentication and Authorization................................................................................................ 817
VTY Line Remote Authentication and Authorization........................................................................................... 818
VTY MAC-SA Filter Support...................................................................................................................................818
Role-Based Access Control...........................................................................................................................................818
Overview of RBAC...................................................................................................................................................819
User Roles................................................................................................................................................................. 821
AAA Authentication and Authorization for Roles.................................................................................................824
Role Accounting....................................................................................................................................................... 827
Display Information About User Roles...................................................................................................................828
Two Factor Authentication (2FA)................................................................................................................................ 829
Handling Access-Challenge Message................................................................................................................... 829
Conguring Challenge Response Authentication for SSHv2............................................................................. 829
SMS-OTP Mechanism............................................................................................................................................830
Conguring the System to Drop Certain ICMP Reply Messages............................................................................830
Dell EMC Networking OS Security Hardening...........................................................................................................832
Dell EMC Networking OS Image Verification.......................................................................................................832
Startup Configuration Verification......................................................................................................................... 833
Configuring the root User Password.....................................................................................................................834
Locking Access to GRUB Interface.......................................................................................................................835
Enabling User Lockout for Failed Login Attempts............................................................................................... 836
46 Service Provider Bridging........................................................................................................................ 837
VLAN Stacking............................................................................................................................................................... 837
Important Points to Remember............................................................................................................................. 838
Congure VLAN Stacking.......................................................................................................................................838
Creating Access and Trunk Ports.......................................................................................................................... 839
Enable VLAN-Stacking for a VLAN.......................................................................................................................840
Conguring the Protocol Type Value for the Outer VLAN Tag.......................................................................... 840
Conguring Dell EMC Networking OS Options for Trunk Ports........................................................................ 840
Debugging VLAN Stacking......................................................................................................................................841
VLAN Stacking in Multi-Vendor Networks........................................................................................................... 842
VLAN Stacking Packet Drop Precedence.................................................................................................................. 845
Enabling Drop Eligibility........................................................................................................................................... 845
Honoring the Incoming DEI Value..........................................................................................................................846
Marking Egress Packets with a DEI Value............................................................................................................ 847
Dynamic Mode CoS for VLAN Stacking..................................................................................................................... 847
Mapping C-Tag to S-Tag dot1p Values...................................................................................................................848
Layer 2 Protocol Tunneling........................................................................................................................................... 849
Implementation Information.................................................................................................................................... 851
Enabling Layer 2 Protocol Tunneling...................................................................................................................... 851
Specifying a Destination MAC Address for BPDUs.............................................................................................852
Setting Rate-Limit BPDUs......................................................................................................................................852
Debugging Layer 2 Protocol Tunneling..................................................................................................................853
Provider Backbone Bridging.........................................................................................................................................853
47 sFlow....................................................................................................................................................... 854
Overview.........................................................................................................................................................................854
Implementation Information..........................................................................................................................................854
Important Points to Remember............................................................................................................................. 855
Enabling Extended sFlow..............................................................................................................................................855
Enabling and Disabling sFlow on an Interface............................................................................................................856
Enabling sFlow Max-Header Size Extended.............................................................................................................. 856
sFlow Show Commands............................................................................................................................................... 857
Displaying Show sFlow Global................................................................................................................................857
Displaying Show sFlow on an Interface................................................................................................................ 858
Displaying Show sFlow on a Stack-unit................................................................................................................ 858
Conguring Specify Collectors.................................................................................................................................... 859
Changing the Polling Intervals......................................................................................................................................859
Back-O Mechanism.................................................................................................................................................... 859
sFlow on LAG ports.......................................................................................................................................................860
Enabling Extended sFlow..............................................................................................................................................860
Important Points to Remember.............................................................................................................................. 861
48 Simple Network Management Protocol (SNMP)..................................................................................... 862
Protocol Overview.........................................................................................................................................................863
Implementation Information..........................................................................................................................................863
SNMPv3 Compliance With FIPS................................................................................................................................. 863
Conguration Task List for SNMP...............................................................................................................................864
Related Conguration Tasks...................................................................................................................................864
Important Points to Remember................................................................................................................................... 865
Set up SNMP.................................................................................................................................................................865
Creating a Community............................................................................................................................................865
Setting Up User-Based Security (SNMPv3)....................................................................................................... 865
Reading Managed Object Values................................................................................................................................. 867
Writing Managed Object Values...................................................................................................................................867
Conguring Contact and Location Information using SNMP...................................................................................868
Subscribing to Managed Object Value Updates using SNMP................................................................................. 868
Enabling a Subset of SNMP Traps.............................................................................................................................. 869
Enabling an SNMP Agent to Notify Syslog Server Failure........................................................................................873
Copy Conguration Files Using SNMP........................................................................................................................874
Copying a Conguration File...................................................................................................................................875
Copying Conguration Files via SNMP................................................................................................................. 876
Copying the Startup-Cong Files to the Running-Cong.................................................................................. 876
Copying the Startup-Cong Files to the Server via FTP.................................................................................... 877
Copying the Startup-Cong Files to the Server via TFTP..................................................................................877
Copy a Binary File to the Startup-Configuration..................................................................................................878
Additional MIB Objects to View Copy Statistics.................................................................................................. 878
Obtaining a Value for MIB Objects.........................................................................................................................879
MIB Support to Display Reason for Last System Reboot.........................................................................................879
Viewing the Reason for Last System Reboot Using SNMP...............................................................................880
MIB Support for Power Monitoring.............................................................................................................................880
MIB Support to Display the Available Memory Size on Flash................................................................................... 881
Viewing the Available Flash Memory Size............................................................................................................. 881
MIB Support to Display the Software Core Files Generated by the System.......................................................... 881
Viewing the Software Core Files Generated by the System..............................................................................882
SNMP Support for WRED Green/Yellow/Red Drop Counters................................................................................882
MIB Support to Display the Available Partitions on Flash.........................................................................................883
Viewing the Available Partitions on Flash............................................................................................................. 884
MIB Support to Display Egress Queue Statistics.......................................................................................................885
MIB Support to ECMP Group Count..........................................................................................................................885
Viewing the ECMP Group Count Information......................................................................................................885
MIB Support for entAliasMappingTable ..................................................................................................................... 888
Viewing the entAliasMappingTable MIB................................................................................................................888
MIB Support for LAG.................................................................................................................................................... 888
Viewing the LAG MIB..............................................................................................................................................890
MIB Support to Display Unrecognized LLDP TLVs................................................................................................... 890
MIB Support to Display Reserved Unrecognized LLDP TLVs............................................................................890
MIB Support to Display Organizational Specic Unrecognized LLDP TLVs......................................................891
MIB Support to Display Unrecognized LLDP TLVs....................................................................................................892
Viewing the Details of Reserved Unrecognized LLDP TLVs.............................................................................. 892
MIB Support for LLDP Notication Interval............................................................................................................... 893
Manage VLANs using SNMP....................................................................................................................................... 893
Creating a VLAN......................................................................................................................................................893
Assigning a VLAN Alias........................................................................................................................................... 893
Displaying the Ports in a VLAN..............................................................................................................................894
Add Tagged and Untagged Ports to a VLAN....................................................................................................... 894
Managing Overload on Startup....................................................................................................................................895
Enabling and Disabling a Port using SNMP................................................................................................................895
Fetch Dynamic MAC Entries using SNMP................................................................................................................. 896
Example of Deriving the Interface Index Number......................................................................................................897
MIB Objects for Viewing the System Image on Flash Partitions....................................................................... 897
Monitoring BGP sessions via SNMP........................................................................................................................... 897
Monitor Port-Channels.................................................................................................................................................899
Troubleshooting SNMP Operation.............................................................................................................................. 900
Transceiver Monitoring.................................................................................................................................................. 901
49 Stacking.................................................................................................................................................. 903
Stacking Overview........................................................................................................................................................ 903
Stack Management Roles.......................................................................................................................................903
Stack Master Election.............................................................................................................................................904
Virtual IP................................................................................................................................................................... 905
Failover Roles...........................................................................................................................................................905
MAC Addressing on Stacks....................................................................................................................................905
Stacking LAG........................................................................................................................................................... 906
Supported Stacking Topologies............................................................................................................................. 906
High Availability on Stacks......................................................................................................................................907
Management Access on Stacks.............................................................................................................................907
Important Points to Remember................................................................................................................................... 908
Stacking Installation Tasks............................................................................................................................................ 908
Create a Stack......................................................................................................................................................... 908
Add Units to an Existing Stack............................................................................................................................... 912
Split a Stack.............................................................................................................................................................. 914
Stacking Conguration Tasks........................................................................................................................................914
Assigning Unit Numbers to Units in an Stack.......................................................................................................915
Creating a Virtual Stack Unit on a Stack...............................................................................................................915
Displaying Information about a Stack.....................................................................................................................915
Inuencing Management Unit Selection on a Stack............................................................................................ 917
Managing Redundancy on a Stack.........................................................................................................................917
Resetting a Unit on a Stack.................................................................................................................................... 918
Verify a Stack Conguration......................................................................................................................................... 918
Displaying the Status of Stacking Ports................................................................................................................ 918
Remove Units or Front End Ports from a Stack.........................................................................................................919
Removing a Unit from a Stack................................................................................................................................919
Removing Front End Port Stacking....................................................................................................................... 919
Troubleshoot a Stack.....................................................................................................................................................920
Recover from Stack Link Flaps.............................................................................................................................. 920
Recover from a Card Problem State on a Stack..................................................................................................920
50 Storm Control.......................................................................................................................................... 921
Congure Storm Control............................................................................................................................................... 921
Conguring Storm Control from INTERFACE Mode............................................................................................921
Conguring Storm Control from CONFIGURATION Mode................................................................................922
Detect PFC Storm.........................................................................................................................................................922
Restore Queue Drop State........................................................................................................................................... 923
PFC Storm......................................................................................................................................................................923
View Details of Storm Control PFC.............................................................................................................................923
51 Spanning Tree Protocol (STP)..................................................................................................................925
Protocol Overview.........................................................................................................................................................925
Congure Spanning Tree...............................................................................................................................................926
Related Conguration Tasks...................................................................................................................................926
Important Points to Remember................................................................................................................................... 926
Conguring Interfaces for Layer 2 Mode....................................................................................................................927
Enabling Spanning Tree Protocol Globally...................................................................................................................928
Adding an Interface to the Spanning Tree Group...................................................................................................... 930
Modifying Global Parameters.......................................................................................................................................930
Modifying Interface STP Parameters...........................................................................................................................931
Enabling PortFast........................................................................................................................................................... 931
Prevent Network Disruptions with BPDU Guard.................................................................................................932
Selecting STP Root....................................................................................................................................................... 934
STP Root Guard.............................................................................................................................................................934
Root Guard Scenario...............................................................................................................................................934
Conguring Root Guard..........................................................................................................................................935
Enabling SNMP Traps for Root Elections and Topology Changes...........................................................................936
Conguring Spanning Trees as Hitless........................................................................................................................936
STP Loop Guard.............................................................................................................................................................936
Conguring Loop Guard..........................................................................................................................................938
Displaying STP Guard Conguration........................................................................................................................... 938
52 SupportAssist..........................................................................................................................................940
Conguring SupportAssist Using a Conguration Wizard.........................................................................................941
Conguring SupportAssist Manually............................................................................................................................941
Conguring SupportAssist Activity............................................................................................................................. 943
Conguring SupportAssist Company..........................................................................................................................944
Conguring SupportAssist Person.............................................................................................................................. 945
Conguring SupportAssist Server...............................................................................................................................945
Viewing SupportAssist Conguration......................................................................................................................... 946
53 System Time and Date.............................................................................................................................948
Network Time Protocol................................................................................................................................................. 948
Protocol Overview...................................................................................................................................................949
Congure the Network Time Protocol..................................................................................................................949
Enabling NTP........................................................................................................................................................... 950
Conguring NTP Broadcasts................................................................................................................................. 950
Disabling NTP on an Interface................................................................................................................................ 951
Conguring a Source IP Address for NTP Packets..............................................................................................951
Conguring NTP Authentication............................................................................................................................ 951
Conguring NTP control key password................................................................................................................954
Dell EMC Networking OS Time and Date...................................................................................................................954
Conguration Task List .......................................................................................................................................... 954
Setting the Time and Date for the Switch Software Clock............................................................................... 954
Setting the Timezone..............................................................................................................................................955
Set Daylight Saving Time........................................................................................................................................955
Setting Daylight Saving Time Once.......................................................................................................................955
Setting Recurring Daylight Saving Time............................................................................................................... 956
54 Tunneling................................................................................................................................................. 958
Conguring a Tunnel..................................................................................................................................................... 958
Conguring Tunnel Keepalive Settings........................................................................................................................959
Conguring a Tunnel Interface.....................................................................................................................................960
Conguring Tunnel Allow-Remote Decapsulation......................................................................................................960
Conguring Tunnel source anylocal Decapsulation.................................................................................................... 961
Guidelines for Conguring Multipoint Receive-Only Tunnels.................................................................................... 961
Multipoint Receive-Only Tunnels..................................................................................................................................961
55 Uplink Failure Detection (UFD)................................................................................................................962
Feature Description.......................................................................................................................................................962
How Uplink Failure Detection Works...........................................................................................................................963
UFD and NIC Teaming...................................................................................................................................................964
Important Points to Remember................................................................................................................................... 964
Conguring Uplink Failure Detection........................................................................................................................... 965
Clearing a UFD-Disabled Interface..............................................................................................................................966
Displaying Uplink Failure Detection..............................................................................................................................967
Sample Conguration: Uplink Failure Detection.........................................................................................................969
56 Upgrade Procedures................................................................................................................................. 971
Get Help with Upgrades................................................................................................................................................ 971
57 Virtual LANs (VLANs).............................................................................................................................. 972
Default VLAN..................................................................................................................................................................973
Port-Based VLANs........................................................................................................................................................ 973
VLANs and Port Tagging...............................................................................................................................................974
Conguration Task List.................................................................................................................................................. 974
Creating a Port-Based VLAN..................................................................................................................................974
Assigning Interfaces to a VLAN............................................................................................................................. 975
Moving Untagged Interfaces.................................................................................................................................. 976
Assigning an IP Address to a VLAN.......................................................................................................................977
Conguring Native VLANs............................................................................................................................................977
Enabling Null VLAN as the Default VLAN...................................................................................................................978
58 Virtual Link Trunking (VLT)...................................................................................................................... 979
Overview.........................................................................................................................................................................979
VLT Terminology.......................................................................................................................................................982
Layer-2 Trac in VLT Domains...............................................................................................................................983
Interspersed VLANs................................................................................................................................................ 984
VLT on Core Switches.............................................................................................................................................984
Enhanced VLT.......................................................................................................................................................... 985
Congure Virtual Link Trunking.................................................................................................................................... 986
Important Points to Remember............................................................................................................................. 986
Conguration Notes.................................................................................................................................................987
Primary and Secondary VLT Peers........................................................................................................................990
RSTP and VLT...........................................................................................................................................................991
VLT Bandwidth Monitoring..................................................................................................................................... 991
VLT and Stacking......................................................................................................................................................991
VLT and IGMP Snooping......................................................................................................................................... 991
VLT IPv6................................................................................................................................................................... 992
VLT Port Delayed Restoration................................................................................................................................992
PIM-Sparse Mode Support on VLT.......................................................................................................................992
VLT Routing .............................................................................................................................................................994
Non-VLT ARP Sync................................................................................................................................................. 997
RSTP Conguration...................................................................................................................................................... 998
Preventing Forwarding Loops in a VLT Domain................................................................................................... 998
Sample RSTP conguration................................................................................................................................... 998
Conguring VLT....................................................................................................................................................... 999
PVST+ Conguration...................................................................................................................................................1009
Sample PVST+ Conguration................................................................................................................................1010
Peer Routing Conguration Example......................................................................................................................... 1010
Dell-1 Switch Conguration.....................................................................................................................................1011
Dell-2 Switch Conguration...................................................................................................................................1015
R1 Conguration......................................................................................................................................................1018
Access Switch A1 Congurations and Verication..............................................................................................1019
eVLT Conguration Example...................................................................................................................................... 1020
eVLT Conguration Step Examples..................................................................................................................... 1020
PIM-Sparse Mode Conguration Example................................................................................................................1022
Verifying a VLT Conguration..................................................................................................................................... 1023
Additional VLT Sample Congurations.......................................................................................................................1026
Troubleshooting VLT.................................................................................................................................................... 1028
Reconguring Stacked Switches as VLT...................................................................................................................1029
Specifying VLT Nodes in a PVLAN............................................................................................................................ 1029
Association of VLTi as a Member of a PVLAN................................................................................................... 1030
MAC Synchronization for VLT Nodes in a PVLAN.............................................................................................1030
PVLAN Operations When One VLT Peer is Down..............................................................................................1031
PVLAN Operations When a VLT Peer is Restarted............................................................................................ 1031
Interoperation of VLT Nodes in a PVLAN with ARP Requests..........................................................................1031
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN............................1031
Conguring a VLT VLAN or LAG in a PVLAN...........................................................................................................1033
Creating a VLT LAG or a VLT VLAN.................................................................................................................... 1033
Associating the VLT LAG or VLT VLAN in a PVLAN......................................................................................... 1034
Proxy ARP Capability on VLT Peer Nodes................................................................................................................1035
Working of Proxy ARP for VLT Peer Nodes....................................................................................................... 1035
VLT Nodes as Rendezvous Points for Multicast Resiliency....................................................................................1036
Conguring VLAN-Stack over VLT............................................................................................................................1036
IPv6 Peer Routing in VLT Domains Overview.......................................................................................................... 1040
IPv6 Peer Routing..................................................................................................................................................1040
Synchronization of IPv6 ND Entries in a VLT Domain....................................................................................... 1040
Synchronization of IPv6 ND Entries in a Non-VLT Domain............................................................................... 1041
Tunneling IPv6 ND in a VLT Domain.....................................................................................................................1041
Sample Conguration of IPv6 Peer Routing in a VLT Domain..........................................................................1042
VXLAN on VLT............................................................................................................................................................. 1045
Static VXLAN Conguration in a VLT setup....................................................................................................... 1046
59 VLT Proxy Gateway................................................................................................................................ 1048
Proxy Gateway in VLT Domains..................................................................................................................................1048
Guidelines for Enabling the VLT Proxy Gateway................................................................................................1049
Enable VLT Proxy Gateway...................................................................................................................................1050
LLDP Organizational TLV for Proxy Gateway.....................................................................................................1050
LLDP VLT Proxy Gateway in a Square VLT Topology........................................................................................ 1052
Conguring a Static VLT Proxy Gateway..................................................................................................................1053
Conguring an LLDP VLT Proxy Gateway................................................................................................................ 1053
VLT Proxy Gateway Sample Topology....................................................................................................................... 1053
VLT Domain Conguration.................................................................................................................................... 1054
Dell-1 VLT Conguration........................................................................................................................................ 1054
Dell-2 VLT Conguration....................................................................................................................................... 1055
Dell-3 VLT Conguration.......................................................................................................................................1056
Dell-4 VLT Conguration....................................................................................................................................... 1057
60 Virtual Extensible LAN (VXLAN)............................................................................................................ 1058
Overview.......................................................................................................................................................................1058
Components of VXLAN network...............................................................................................................................1059
Components of VXLAN network.........................................................................................................................1059
Functional Overview of VXLAN Gateway.................................................................................................................1060
VXLAN Frame Format.................................................................................................................................................1060
Components of VXLAN Frame Format................................................................................................................1061
Limitations on VXLAN ................................................................................................................................................ 1062
Conguring and Controlling VXLAN from the NSX Controller GUI.......................................................................1062
Conguring and Controling VXLAN from Nuage Controller GUI........................................................................... 1065
Conguring VxLAN Gateway......................................................................................................................................1066
Connecting to an NVP Controller........................................................................................................................ 1066
Advertising VXLAN Access Ports to Controller..................................................................................................1067
Displaying VXLAN Congurations..............................................................................................................................1067
VXLAN Service nodes for BFD.................................................................................................................................. 1069
Examples of the show bfd neighbors command................................................................................................1069
Static Virtual Extensible LAN (VXLAN).................................................................................................................... 1069
Conguring Static VXLAN....................................................................................................................................1069
Displaying Static VXLAN Congurations.............................................................................................................1070
Preserving 802.1 p value across VXLAN tunnels.......................................................................................................1071
Routing in and out of VXLAN tunnels........................................................................................................................ 1071
Physical Loopback for VXLAN RIOTInternal Loopback for VXLAN RIOT........................................................1071
Restrictions............................................................................................................................................................. 1073
Conguring VXLAN RIOT......................................................................................................................................1074
VLT Scenario........................................................................................................................................................... 1074
NSX Controller-based VXLAN for VLT......................................................................................................................1075
Important Points to Remember............................................................................................................................ 1076
Congure NSX Controller-based VxLAN in VLT Setup..................................................................................... 1076
Conguring BFD and UFD for VXLAN.................................................................................................................1077
Conguring NSX-based VxLAN on VLT Peer Devices.......................................................................................1077
Conguring VLT for NSX-based VxLAN..............................................................................................................1078
Conguring and Controlling VXLAN from the NSX Controller GUI.................................................................1083
61 Virtual Routing and Forwarding (VRF).................................................................................................... 1086
VRF Overview.............................................................................................................................................................. 1086
VRF Conguration Notes............................................................................................................................................ 1087
DHCP.......................................................................................................................................................................1089
VRF Conguration....................................................................................................................................................... 1089
Loading VRF CAM................................................................................................................................................. 1089
Creating a Non-Default VRF Instance.................................................................................................................1089
Assigning an Interface to a VRF...........................................................................................................................1090
Assigning a Front-end Port to a Management VRF.......................................................................................... 1090
View VRF Instance Information............................................................................................................................1090
Assigning an OSPF Process to a VRF Instance..................................................................................................1091
Conguring VRRP on a VRF Instance..................................................................................................................1091
Conguring Management VRF.............................................................................................................................1092
Conguring a Static Route....................................................................................................................................1093
Sample VRF Conguration..........................................................................................................................................1093
Route Leaking VRFs.................................................................................................................................................... 1098
Dynamic Route Leaking...............................................................................................................................................1099
Conguring Route Leaking without Filtering Criteria.........................................................................................1099
Conguring Route Leaking with Filtering.............................................................................................................1102
62 Virtual Router Redundancy Protocol (VRRP)..........................................................................................1105
VRRP Overview............................................................................................................................................................ 1105
VRRP Benets.............................................................................................................................................................. 1106
VRRP Implementation..................................................................................................................................................1106
VRRP Conguration......................................................................................................................................................1107
Conguration Task List........................................................................................................................................... 1107
Setting VRRP Initialization Delay........................................................................................................................... 1116
Sample Congurations.................................................................................................................................................. 1117
VRRP for an IPv4 Conguration............................................................................................................................1117
VRRP in a VRF Conguration................................................................................................................................1120
VRRP for IPv6 Conguration................................................................................................................................ 1125
Proxy Gateway with VRRP..........................................................................................................................................1129
63 Debugging and Diagnostics..................................................................................................................... 1134
Oine Diagnostics........................................................................................................................................................ 1134
Important Points to Remember.............................................................................................................................1134
Running Oine Diagnostics...................................................................................................................................1134
Trace Logs......................................................................................................................................................................1138
Auto Save on Crash or Rollover.................................................................................................................................. 1138
Hardware Watchdog Timer.......................................................................................................................................... 1138
Enabling Environmental Monitoring............................................................................................................................ 1138
Recognize an Overtemperature Condition.......................................................................................................... 1139
Troubleshoot an Over-temperature Condition.....................................................................................................1140
Recognize an Under-Voltage Condition............................................................................................................... 1140
Troubleshoot an Under-Voltage Condition...........................................................................................................1140
Buer Tuning.................................................................................................................................................................. 1141
Troubleshooting Packet Loss.......................................................................................................................................1142
Displaying Drop Counters....................................................................................................................................... 1142
Dataplane Statistics................................................................................................................................................1145
Display Stack Port Statistics..................................................................................................................................1146
Display Stack Member Counters...........................................................................................................................1147
Enabling Application Core Dumps...............................................................................................................................1149
Mini Core Dumps.......................................................................................................................................................... 1150
Enabling TCP Dumps....................................................................................................................................................1150
64 Standards Compliance............................................................................................................................ 1152
IEEE Compliance...........................................................................................................................................................1152
RFC and I-D Compliance..............................................................................................................................................1153
General Internet Protocols.....................................................................................................................................1153
General IPv4 Protocols...........................................................................................................................................1155
General IPv6 Protocols...........................................................................................................................................1156
Border Gateway Protocol (BGP)...........................................................................................................................1157
Open Shortest Path First (OSPF)........................................................................................................................ 1158
Intermediate System to Intermediate System (IS-IS)........................................................................................ 1158
Routing Information Protocol (RIP)......................................................................................................................1159
Multicast.................................................................................................................................................................. 1160
Network Management...........................................................................................................................................1160
MIB Location................................................................................................................................................................. 1166
65 X.509v3.................................................................................................................................................. 1167
Introduction to X.509v3 certification..........................................................................................................................1167
X.509v3 certificates................................................................................................................................................1167
Certificate authority (CA).......................................................................................................................................1167
Certificate signing requests (CSR)....................................................................................................................... 1167
How certificates are requested............................................................................................................................. 1167
Advantages of X.509v3 certificates..................................................................................................................... 1168
X.509v3 support in ......................................................................................................................................................1168
Information about installing CA certificates...............................................................................................................1170
Installing CA certificate...........................................................................................................................................1170
Information about Creating Certificate Signing Requests (CSR)........................................................................... 1170
Creating Certificate Signing Requests (CSR)...................................................................................................... 1171
Information about installing trusted certificates........................................................................................................1172
Installing trusted certificates..................................................................................................................................1172
Transport layer security (TLS).....................................................................................................................................1172
Syslog over TLS.......................................................................................................................................................1173
Online Certificate Status Protocol (OCSP)................................................................................................................1173
Configuring OCSP setting on CA..........................................................................................................................1173
Configuring OCSP behavior...................................................................................................................................1174
Configuring Revocation Behavior..........................................................................................................................1174
Configuring OCSP responder preference.............................................................................................................1174
Verifying certificates..................................................................................................................................................... 1174
Verifying Server certificates.................................................................................................................................. 1175
Verifying Client Certificates................................................................................................................................... 1175
Event logging.................................................................................................................................................................1175
1

About this Guide

This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system.
The S6000–ON platform is available with Dell EMC Networking OS version 9.7(0.0) and beyond.
Though this guide contains information about protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell EMC Networking systems. For complete information about protocols, see the related documentation, including Internet Engineering Task Force (IETF) requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).
Topics:
Audience
Conventions
Related Documents

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 (L2) and Layer 3 (L3) networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
Keyword Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter Parameters are in italics and require a number or word to be entered in the CLI.
{X} Keywords and parameters within braces must be entered in the CLI.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one option.
x||y Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell EMC Networking switches, see the following documents:
Dell EMC Networking OS Command Line Reference Guide
Dell EMC Networking OS Installation Guide
Dell EMC Networking OS Quick Start Guide
Dell EMC Networking OS Release Notes
2
Configuration Fundamentals
The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.
The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
In the Dell EMC Networking OS, after you enter a command, the command is added to the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. Differences are noted in each CLI description and related documentation.
Topics:
Accessing the Command Line
CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Configuration Mode

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session. When the system successfully boots, enter the command line in EXEC mode.
NOTE: You must have a password configured on a virtual terminal line before you can Telnet into the system. Therefore, you must use a console connection when connecting to the system for the first time.
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
DellEMC>

CLI Modes

Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (except for EXEC mode commands with a preceding do command; refer to the do Command section).
You can set user access rights to commands and command modes using privilege levels.
The Dell EMC Networking OS CLI is divided into three major mode levels:
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1 Gigabit Ethernet, 10 Gigabit Ethernet, 25 Gigabit Ethernet, 40 Gigabit Ethernet, 50 Gigabit Ethernet, or 100 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
LINE submode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.
The CLI modes are:
EXEC
EXEC Privilege
CONFIGURATION
AS-PATH ACL
CONTROL-PLANE
CLASS-MAP
DCB POLICY
DHCP
DHCP POOL
ECMP-GROUP
EXTENDED COMMUNITY
FRRP
INTERFACE
GROUP
GIGABIT ETHERNET
10 GIGABIT ETHERNET
40 GIGABIT ETHERNET
INTERFACE RANGE
LOOPBACK
MANAGEMENT ETHERNET
NULL
PORT-CHANNEL
TUNNEL
VLAN
VRRP
IP
IPv6
IP COMMUNITY-LIST
IP ACCESS-LIST
STANDARD ACCESS-LIST
EXTENDED ACCESS-LIST
MAC ACCESS-LIST
LINE
AUXILIARY
CONSOLE
VIRTUAL TERMINAL
LLDP
LLDP MANAGEMENT INTERFACE
MONITOR SESSION
MULTIPLE SPANNING TREE
OPENFLOW INSTANCE
PVST
PORT-CHANNEL FAILOVER-GROUP
PREFIX-LIST
PRIORITY-GROUP
PROTOCOL GVRP
QOS POLICY
RSTP
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
SUPPORTASSIST
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
uBoot

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode and slot/port/subport information.
Table 1. Dell EMC Networking OS Command Modes
CLI Command Mode   Prompt   Access Command
EXEC   DellEMC>   Access the router through the console or terminal line.
EXEC Privilege   DellEMC#   From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION   DellEMC(conf)#   From EXEC privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.
NOTE: Access all of the following modes from CONFIGURATION mode.
AS-PATH ACL   DellEMC(config-as-path)#   ip as-path access-list
10 Gigabit Ethernet Interface   DellEMC(conf-if-te-1/1/1)#   interface (INTERFACE modes)
40 Gigabit Ethernet Interface   DellEMC(conf-if-fo-1/1/1)#   interface (INTERFACE modes)
Interface Group   DellEMC(conf-if-group)#   interface (INTERFACE modes)
Interface Range   DellEMC(conf-if-range)#   interface (INTERFACE modes)
Loopback Interface   DellEMC(conf-if-lo-0)#   interface (INTERFACE modes)
Management Ethernet Interface   DellEMC(conf-if-ma-1/1)#   interface (INTERFACE modes)
Null Interface   DellEMC(conf-if-nu-0)#   interface (INTERFACE modes)
Port-channel Interface   DellEMC(conf-if-po-1)#   interface (INTERFACE modes)
Tunnel Interface   DellEMC(conf-if-tu-1)#   interface (INTERFACE modes)
VLAN Interface   DellEMC(conf-if-vl-1)#   interface (INTERFACE modes)
STANDARD ACCESS-LIST   DellEMC(config-std-nacl)#   ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST   DellEMC(config-ext-nacl)#   ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST   DellEMC(config-community-list)#   ip community-list
AUXILIARY   DellEMC(config-line-aux)#   line (LINE Modes)
CONSOLE   DellEMC(config-line-console)#   line (LINE Modes)
VIRTUAL TERMINAL   DellEMC(config-line-vty)#   line (LINE Modes)
STANDARD ACCESS-LIST   DellEMC(config-std-macl)#   mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST   DellEMC(config-ext-macl)#   mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE   DellEMC(config-mstp)#   protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus   DellEMC(config-pvst)#   protocol spanning-tree pvst
PREFIX-LIST   DellEMC(conf-nprefixl)#   ip prefix-list
RAPID SPANNING TREE   DellEMC(config-rstp)#   protocol spanning-tree rstp
REDIRECT   DellEMC(conf-redirect-list)#   ip redirect-list
ROUTE-MAP   DellEMC(config-route-map)#   route-map
ROUTER BGP   DellEMC(conf-router_bgp)#   router bgp
BGP ADDRESS-FAMILY   DellEMC(conf-router_bgp_af)# (for IPv4) or DellEMC(conf-routerZ_bgpv6_af)# (for IPv6)   address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP Mode)
ROUTER ISIS   DellEMC(conf-router_isis)#   router isis
ISIS ADDRESS-FAMILY   DellEMC(conf-router_isis-af_ipv6)#   address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF   DellEMC(conf-router_ospf)#   router ospf
ROUTER OSPFV3   DellEMC(conf-ipv6router_ospf)#   ipv6 router ospf
ROUTER RIP   DellEMC(conf-router_rip)#   router rip
SPANNING TREE   DellEMC(config-span)#   protocol spanning-tree 0
TRACE-LIST   DellEMC(conf-trace-acl)#   ip trace-list
CLASS-MAP   DellEMC(config-class-map)#   class-map
CONTROL-PLANE   DellEMC(conf-control-cpuqos)#   control-plane-cpuqos
DHCP   DellEMC(config-dhcp)#   ip dhcp server
DHCP POOL   DellEMC(config-dhcp-pool-name)#   pool (DHCP Mode)
ECMP   DellEMC(conf-ecmp-group-ecmp-group-id)#   ecmp-group
EIS   DellEMC(conf-mgmt-eis)#   management egress-interface-selection
FRRP   DellEMC(conf-frrp-ring-id)#   protocol frrp
LLDP   DellEMC(conf-lldp)# or DellEMC(conf-if-interface-lldp)#   protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE   DellEMC(conf-lldp-mgmtIf)#   management-interface (LLDP Mode)
LINE   DellEMC(config-line-console) or DellEMC(config-line-vty)   line console or line vty
MONITOR SESSION   DellEMC(conf-mon-sess-sessionID)#   monitor session
OPENFLOW INSTANCE   DellEMC(conf-of-instance-of-id)#   openflow of-instance
PORT-CHANNEL FAILOVER-GROUP   DellEMC(conf-po-failover-grp)#   port-channel failover-group
PRIORITY GROUP   DellEMC(conf-pg)#   priority-group
PROTOCOL GVRP   DellEMC(config-gvrp)#   protocol gvrp
QOS POLICY   DellEMC(conf-qos-policy-out-ets)#   qos-policy-output
SUPPORTASSIST   DellEMC(support-assist)#   support-assist
VLT DOMAIN   DellEMC(conf-vlt-domain)#   vlt domain
VRRP   DellEMC(conf-if-interface-type-slot/port-vrid-vrrp-group-id)#   vrrp-group
UPLINK STATE GROUP   DellEMC(conf-uplink-state-group-groupID)#   uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
DellEMC(conf)#protocol spanning-tree 0
DellEMC(config-span)#

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command.
The following example shows the output of the do command.
DellEMC(conf)#do show system brief
Stack MAC : 34:17:eb:f2:c2:c4
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
------------------------------------------------------------------------
 1 Management online S6000-ON S6000-ON 1-0(0-3932) 128
 2 Member not present
 3 Member not present
 4 Member not present
 5 Member not present
 6 Member not present
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed(rpm)
------------------------------------------------------------
 1 1 up AC absent 0
 1 2 absent absent 0
-- Fan Status --
Unit Bay TrayStatus Fan0 Speed Fan1 Speed
-----------------------------------------------------------------
 1 1 up up 0 up 0
 1 2 up up 0 up 0
 1 3 up up 0 up 0
Speed in RPM

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
DellEMC(conf)#interface tengigabitethernet 1/17/1
DellEMC(conf-if-te-1/17/1)#ip address 192.168.10.1/24
DellEMC(conf-if-te-1/17/1)#show config
!
interface tenGigabitEthernet 1/17/1
 ip address 192.168.10.1/24
 no shutdown
DellEMC(conf-if-te-1/17/1)#no ip address
DellEMC(conf-if-te-1/17/1)#show config
!
interface TenGigabitEthernet 1/17/1
 no ip address
 no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
DellEMC#?
bmp BMP commands
cd Change current directory
clear Reset functions
clock Manage the system clock
Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
DellEMC(conf)#cl?
class-map
clock
DellEMC(conf)#cl
Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
DellEMC(conf)#clock ?
summer-time Configure summer (daylight savings) time
timezone Configure time zone
DellEMC(conf)#clock

Entering and Editing Commands

Notes for entering commands.
The CLI is not case-sensitive.
You can enter partial CLI keywords. Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The UP and DOWN arrow keys display previously entered commands (refer to Command History).
The BACKSPACE and DELETE keys erase the previous letter.
Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key Combination   Action
CNTL-A Moves the cursor to the beginning of the command line.
CNTL-B Moves the cursor back one character.
CNTL-D Deletes character at cursor.
CNTL-E Moves the cursor to the end of the line.
CNTL-F Moves the cursor forward one character.
CNTL-I Completes a keyword.
CNTL-K Deletes all characters from the cursor to the end of the command line.
CNTL-L Re-enters the previous command.
CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P Recalls commands, beginning with the last command.
CNTL-R Re-enters the previous command.
CNTL-U Deletes the line.
CNTL-W Deletes the previous word.
CNTL-X Deletes the line.
CNTL-Z Ends continuous scrolling of command outputs.
Esc B Moves the cursor back one word.
Esc F Moves the cursor forward one word.
Esc D Deletes all characters from the cursor to the end of the word.

Command History

The Dell EMC Networking OS maintains a history of previously-entered commands for each mode. For example:
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.
Starting with Dell EMC Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For example, the commands:
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TenGigabitEthernet 1/1/1
show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show system brief command.

Example of the grep Keyword

DellEMC(conf)#do show system brief | grep 0
0 not present
NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
Example of the except Keyword
DellEMC#show system brief | except 1
Stack MAC : 4c:76:25:e5:49:40
Reload-Type : normal-reload [Next boot : normal-reload]
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show system brief command.
Example of the find Keyword
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:
DellEMC# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save.

Multiple Users in Configuration Mode

Dell EMC Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:
On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system: User "<username>" on line console0
On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell EMC Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.

Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration Fundamentals chapter.
Topics:
Console Access
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Configuring the Enable Password
Configuration File Management
Managing the File System
View Command History
Upgrading Dell EMC Networking OS
Using HTTP for File Transfers
Verify Software Images Before Installation
3

Console Access

The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.

Serial Console

The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis.
Figure 1. RJ-45 Console Port
1 RS-232 console port. 2 USB port.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1 Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2 Connect the other end of the cable to the DTE terminal server.
3 Terminal settings on the console port cannot be changed in the software and are set as follows:
115200 baud rate
No parity
8 data bits
1 stop bit
No flow control
Pin Assignments
You can connect to the console using an RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout   RJ-45 Pinout     DB-9 Pin                Signal
RTS            1              8                8                       CTS
NC             2              7                6                       DSR
TxD            3              6                2                       RxD
GND            4              5                5                       GND
GND            5              4                5                       GND
RxD            6              3                3                       TxD
NC             7              2                4                       DTR
CTS            8              1                7                       RTS
Default Configuration
Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power up the system for the first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.
Configuring a Host Name
The host name appears in the prompt. The default host name is DellEMC.
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the hostname name command in Configuration mode.
hostname command example
DellEMC(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or secure shell (SSH).
The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
You can manage all Dell EMC Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.

Accessing the System Remotely

Configuring the system for remote access is a three-step process, as described in the following topics:
1 Configure an IP address for the management port. See Configure the Management Port IP Address.
2 Configure a management route with a default gateway. See Configure a Management Route.
3 Configure a username and password. See Configure a Username and Password.
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1 Enter INTERFACE mode for the Management port.
CONFIGURATION mode
interface ManagementEthernet slot/port
2 Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
ip-address: an address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/ xx).
3 Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.
Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode
management route ip-address/mask gateway
ip-address: the network address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/ xx).
gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, configure a system username and password. To configure a system username and password, use the following command.
Configure a username and password to access the system remotely.
CONFIGURATION mode
username name [access-class access-list-name] [nopassword | {password | secret | sha256-password} [encryption-type] password [dynamic-salt]] [privilege level] [role role-name]
name: Enter a text string up to 63 characters long.
access-class access-list-name: Enter the name of a configured IP ACL.
nopassword: Allows you to configure a user without a password.
password: Allows you to configure a user with a password.
secret: Specify a secret string for a user.
sha256-password: Uses the sha256-based encryption method for the password.
encryption-type: Enter the encryption type for securing a user password. There are four encryption types.
0 — input the password in clear text.
5 — input the password that is already encrypted using MD5 encryption method.
7 — input the password that is already encrypted using DES encryption method.
8 — input the password that is already encrypted using sha256–based encryption method.
password: Enter the password string for the user.
dynamic-salt: Generates an additional random input to the password encryption process whenever the password is configured.
privilege level: Assign a privilege level to the user. The range is from 0 to 15.
role role-name: Assign a role name for the user.
Dell EMC Networking OS encrypts type 5 secret and type 7 password based on dynamic-salt option such that the encrypted password is different when a user is configured with the same password.
NOTE: dynamic-salt option is shown only with secret and password options.
In dynamic-salt configuration, the length of type 5 secret and type 7 password is 32 and 16 characters more compared to the secret and password length without dynamic-salt configuration. An error message appears if the username command reaches the maximum length, which is 256 characters.
The dynamic-salt support for the user configuration is added in REST API. For more information on REST support, see Dell EMC Networking Open Automation guide.
Conguring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Congure a password as a basic security measure.
There are three types of enable passwords:
enable password is stored in the running/startup conguration using a DES encryption method.
enable secret is stored in the running/startup conguration using MD5 encryption method.
enable sha256-password is stored in the running/startup conguration using sha256-based encryption method (PBKDF2).
Dell EMC Networking recommends using the enable sha256-password password.
To congure an enable password, use the following command.
Create a password to access EXEC Privilege mode. CONFIGURATION mode
enable [password | secret | sha256-password] [level level] [encryption-type] password
level: is the privilege level, is 15 by default, and is not required.
encryption-type: specifies how you input the password, is 0 by default, and is not required.
0 is to input the password in clear text.
5 is to input a password that is already encrypted using MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
7 is to input a password that is already encrypted using DES encryption method. Obtain the encrypted password from the configuration file of another device.
8 is to input a password that is already encrypted using sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.
Conguration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy les on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
To copy a remote file to Dell EMC Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Location: For a remote file location: FTP server
source-file-url Syntax: copy ftp://username:password@{hostip | hostname}/filepath/filename
destination-file-url Syntax: ftp://username:password@{hostip | hostname}/filepath/filename
Location: For a remote file location: TFTP server
source-file-url Syntax: copy tftp://{hostip | hostname}/filepath/filename
destination-file-url Syntax: tftp://{hostip | hostname}/filepath/filename
Location: For a remote file location: SCP server
source-file-url Syntax: copy scp://{hostip | hostname}/filepath/filename
destination-file-url Syntax: scp://{hostip | hostname}/filepath/filename
Important Points to Remember
You may not copy a le from one remote system to another.
You may not copy a le from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is congured.
The usbflash command is supported on the device. Refer to your system’s Release Notes for a list of approved USB vendors.
Example of Copying a File to an FTP Server
DellEMC#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0.bin flash://
Destination file name [Dell-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied

Mounting an NFS File System

This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points.
To mount an NFS file system, perform the following steps:
Table 4. Mounting an NFS File System
File Operation: To mount an NFS file system
Syntax: mount nfs rhost:path mount-point username password
The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration. As a result, each time the device reboots, the NFS file system is mounted during start up.
Table 5. Forming a copy Command
Location: For a remote file location: NFS File System
source-file-url Syntax: copy nfsmount://{<mount-point>}/filepath/filename} username:password
destination-file-url Syntax: tftp://{hostip | hostname}/filepath/filename
Important Points to Remember
You cannot copy a le from one remote system to another.
You cannot copy a le from one location to the same location.
When copying to a server, you can only use a hostname if a domain name server (DNS) server is congured.
The usbflash command is supported on the device. Refer to your system’s Release Notes for a list of approved USB vendors.
Example of Copying a File to current File System
DellEMC#copy tftp://10.16.127.35/dv-maa-test nfsmount://
Destination file name [dv-maa-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.!
44250499 bytes successfully copied
DellEMC#
DellEMC#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.c
User name to login remote host: username
Example of Logging in to Copy from NFS Mount
DellEMC#copy nfsmount:///test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
DellEMC#
DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!
Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
!
24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ?
flash: Copy to local file system ([flash://]filepath)
nfsmount: Copy to nfs mount file system (nfsmount:///filepath)
running-config remote host:
Destination file name [test.c]:
!
225 bytes successfully copied
DellEMC#
Save the Running-Conguration
The running-conguration contains the current system conguration. Dell EMC Networking recommends coping your running-conguration to the startup-conguration. The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the lenames startup-conguration and running-conguration. These commands assume that current directory is the internal ash, which is the system default.
Save the running-conguration to the startup-conguration on the internal ash of the primary RPM. EXEC Privilege mode
copy running-config startup-config
Save the running-conguration to an FTP server. EXEC Privilege mode
copy running-config ftp:// username:password@{hostip | hostname}/filepath/ filename
Save the running-conguration to a TFTP server. EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/ filepath/filename
Save the running-conguration to an SCP server. EXEC Privilege mode
copy running-config scp://{hostip | hostname}/ filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration. Commands in the configuration file have precedence over commands in the running configuration.
Configure the Overload Bit for a Startup Scenario
For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system.

Viewing Files

You can only view le information and content on local le systems. To view a list of les or the contents of a le, use the following commands.
View a list of les on the internal ash. EXEC Privilege mode
dir flash:
View the running-conguration. EXEC Privilege mode
show running-config
View the startup-conguration. EXEC Privilege mode
show startup-config
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modication for each le.
DellEMC#dir Directory of flash:
1 drw- 32768 Jan 01 1980 00:00:00 . 2 drwx 512 Jul 23 2007 00:38:44 .. 3 drw- 8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR 4 drw- 8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR 5 drw- 8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR 6 drw- 8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR 7 d--- 8192 Mar 30 1919 10:31:04 ADMIN_DIR 8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin 9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin 10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE 11 drw- 8192 Jan 01 1980 00:18:28 diag 12 -rw- 7276 Jul 20 2007 01:52:40 startup-config.bak 13 -rw- 7341 Jul 20 2007 15:34:46 startup-config 14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image 15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--
View Conguration Files
Conguration les have three commented lines at the beginning of the le, as shown in the following example, to help you track the last time any user made a change to the le, which user made the changes, and when the le was last saved to the startup-conguration.
In the running-conguration le, if there is a dierence between the timestamp on the “Last conguration change” and “Startup-cong last updated,” you have made changes that have not been saved and are preserved after a system reboot.
Example of the show running-config Command
DellEMC#show running-config Current Configuration ... ! Version 9.4(0.0) ! Last configuration change at Tue Mar 11 21:33:56 2014 by admin ! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default ! <output truncated for brevity>

Managing the File System

The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information, use the following command.
View information about each file system.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
DellEMC#show file-systems
Size(b) Free(b) Feature Type Flags Prefixes
520962048 213778432 dosFs2.0 USERFLASH rw flash:
127772672 21936128 dosFs2.0 USERFLASH rw slot0:
- - - network rw ftp:
- - - network rw tftp:
- - - network rw scp:
You can change the default file system so that file management commands apply to a particular device or memory.
To change the default directory, use the following command.
Change the default directory.
EXEC Privilege mode
cd directory

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
DellEMC#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin

Upgrading Dell EMC Networking OS

To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.
You can download the release notes of your platform at http://www.force10networks.com. Use your login ID to log in to the website.

Using HTTP for File Transfers

Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command. Enter the following source-file-url keywords and information:
To copy a file from the internal FLASH, enter flash:// followed by the filename.
To copy the running configuration, enter the keyword running-config.
To copy the startup configuration, enter the keyword startup-config.
To copy a file on the USB device, enter usbflash:// followed by the filename.
In the Dell EMC Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
NOTE: To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF.
You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting.
When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the ip http source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
NOTE: If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up.
To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
Configure an HTTP client with a VRF that is used to connect to the HTTP server.
CONFIGURATION MODE
DellEMC(conf)#ip http vrf {management | <vrf-name>}

Verify Software Images Before Installation

To validate the software image on the ash drive, you can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed. The validation calculates a hash value of the downloaded image le on system’s ash drive, and, optionally, compares it to a Dell EMC Networking published hash for that le.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image le and comparing the result to the hash published for that le on iSupport provides a high level of condence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, prevents the installation of corrupted or modied images.
The verify {md5 | sha256} command calculates and displays the hash of any le on the specied local ash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which displays whether it matches the calculated hash of the indicated le.
To validate a software image:
1 Download Dell EMC Networking OS software image le from the iSupport page to the local (FTP or TFTP) server. The published hash
for that le displays next to the software image le on the iSupport page.
2 Go on to the Dell EMC Networking system and copy the software image to the ash drive, using the copy command.
3 Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256
flash://FTOS-SE-9.5.0.0.bin
4 Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the ash drive after the image is transferred to the system, but before you install the image, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
md5: MD5 message-digest algorithm
sha256: SHA256 Secure Hash Algorithm
flash: (Optional) Species the ash drive. The default uses the ash drive. You can enter the image le name.
hash-value: (Optional). Specify the relevant hash published on iSupport.
img-file: Enter the name of the Dell EMC Networking software image le to validate
Examples: Without Entering the Hash Value for Verication
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name
Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
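Step 1 of the procedure leaves the image on a local FTP or TFTP server, where the same comparison can be made before the file is copied to the switch. The following is an added example, not Dell EMC code: it checks a staged file against the published hash, picks md5 or sha256 from the length of that hash, and builds the verify command with the hash-value argument to run on the switch afterwards. The file name and contents are constructed stand-ins.

```python
# Added example: check a staged image against its published hash, then build
# the on-switch 'verify' command so the switch repeats the comparison.
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> keyword accepted by verify {md5 | sha256}.
# Prefer the SHA256 value when both are published: MD5 is not collision resistant.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so large images are not read into memory at once."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_image(path, published_hash):
    """Return (matches, algorithm, switch_command) for a staged image file."""
    published = published_hash.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(published))
    if algo is None or not all(c in "0123456789abcdef" for c in published):
        raise ValueError("published hash is not a 32- or 64-digit hex string")
    actual = file_digest(path, algo)
    matches = hmac.compare_digest(actual, published)
    # Passing the published hash lets the switch report match or mismatch itself.
    switch_command = f"verify {algo} flash://{os.path.basename(path)} {published}"
    return matches, algo, switch_command


def demo():
    """Run the check on a constructed file, then on a damaged copy of it."""
    data = b"constructed stand-in for a software image\n" * 1000
    published = hashlib.sha256(data).hexdigest()  # plays the role of the iSupport value
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example-image.bin")
        with open(path, "wb") as handle:
            handle.write(data)
        clean = check_image(path, published)
        with open(path, "r+b") as handle:  # flip one byte to simulate corruption
            handle.seek(10)
            handle.write(b"X")
        damaged = check_image(path, published)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean copy matches:  ", clean[0])
    print("damaged copy matches:", damaged[0])
    print("run on the switch:   ", clean[2])
```

A match on the server does not replace the check on the switch, because the copy to flash is a second transfer that can also corrupt the file.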

Management

This chapter describes the dierent protocols or services used to manage the Dell EMC Networking system.
Topics:
Conguring Privilege Levels
Conguring Logging
Log Messages in the Internal Buer
Disabling System Logging
Sending System Messages to a Syslog Server
Track Login Activity
Limit Concurrent Login Sessions
Enabling Secured CLI Mode
Changing System Logging Settings
Display the Logging Buer and the Logging Conguration
Conguring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Terminal Lines
Setting Timeout for EXEC Privilege Mode
Using Telnet to get to Another Network Device
Lock CONFIGURATION Mode
Restoring the Factory Default Settings
Viewing the Reason for Last System Reboot
Conguring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-dened. The default privilege level is 1.
Level
Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and
Level 1 Access to the system begins at EXEC mode, and all commands are available.
Level 15 Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based Access Control.
58 Management
Description
exit.

Creating a Custom Privilege Level

Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
Allowing Access to Dierent Modes
This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must rst allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want to allow access using the privilege {interface | line | route-map | router} level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
The conguration in the following example creates privilege level 3. This level:
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE tengigabitethernet and LINE modes with no commands
Remove a command from the list of available commands in EXEC mode.
CONFIGURATION mode
privilege exec level level {command ||...|| command}
Move a command from EXEC Privilege to EXEC mode.
CONFIGURATION mode
privilege exec level level {command ||...|| command}
Allow access to CONFIGURATION mode.
CONFIGURATION mode
privilege exec level level configure
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
CONFIGURATION mode
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...|| command}
Example of EXEC Privilege Commands
DellEMC#show running-config privilege
!
privilege exec level 3 configure
privilege exec level 4 resequence
privilege configure level 3 line
privilege configure level 3 interface tengigabitethernet
DellEMC#telnet 10.11.80.201
DellEMC#?
configure Configuring from terminal
disable Turn off privileged commands
enable Turn on privileged commands
ethernet Ethernet commands
exit Exit from the EXEC
ip Global IP subcommands
ipv6 Global IPv6 subcommands
monitor Monitoring feature
ping Send echo messages
quit Exit from the EXEC
show Show running system information
DellEMC#config
DellEMC(conf)#do show priv
Current privilege level is 3.
DellEMC(conf)#?
end Exit from configuration mode
exit Exit from configuration mode
interface Select an interface to configure
line Configure a terminal line
DellEMC(conf)#
DellEMC(conf)#interface ?
tengigabitethernet TenGigabit Ethernet interface
DellEMC(conf)#
DellEMC(conf)#interface tengigabitethernet 1/26/1
DellEMC(conf-if-te-1/26/1)#?
end Exit from configuration mode
exit Exit from interface configuration mode
DellEMC(conf-if-te-1/26/1)#exit
DellEMC(conf)#
DellEMC(conf)#line ?
console Primary terminal line
vty Virtual terminal
DellEMC(conf)#line vty 0
DellEMC(config-line-vty)#exit
DellEMC(conf)#

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
Congure a privilege level for a user. CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
Congure a privilege level for a user. CONFIGURATION mode
username username privilege level
: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is
NOTE
hostname#, rather than hostname>.
Conguring Logging
The Dell EMC Networking OS tracks changes in the system using event and error messages. By default, Dell EMC Networking OS logs these messages on:
the internal buer
console and terminal lines
any congured syslog servers
To disable logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging.
CONFIGURATION mode
no logging console

Audit and Security Logs

This section describes how to congure, display, and clear audit and security logs. The following is the conguration task list for audit and security logs:
Enabling Audit and Security Logs
Displaying Audit and Security Logs
Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor conguration changes or determine if these changes aect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode.
Audit Logs
The audit log contains conguration events and information. The types of information in this log consist of the following:
User logins to the switch.
System events for network issues or system issues.
Users making conguration changes. The switch logs who made the conguration changes and the date and time of the change. However, each specic change on the conguration is not logged. Only that the conguration was modied is logged with the user ID, date, and time of the change.
Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:
Establishment of secure trac ows, such as SSH.
Violations on secure ows or certicate issues.
Adding and deleting of users.
User access and conguration changes to the security and crypto parameters (not the key information but the crypto conguration)
Important Points to Remember
When you enabled RBAC and extended logging:
Only the system administrator user role can execute this command.
The system administrator and system security administrator user roles can view security events and system events.
The system administrator user roles can view audit, security, and system events.
Only the system administrator and security administrator user roles can view security logs.
The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Enabling Audit and Security Logs
DellEMC(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs
DellEMC#show logging auditlog
May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs
DellEMC#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
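The two log formats shown above carry the user, terminal line and source address of each action, which is enough to review sessions that reduce logging or come from outside the management network. The following is an added example, not Dell EMC code: the patterns are written against the two sample lines in this section only, the management subnet 10.14.1.0/24 is an assumption, and the input lines are constructed in the same format.

```python
# Added example: review 'show logging auditlog' / 'show logging' output.
import ipaddress
import re

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
SRC = r"\(\s*(?P<src>[0-9A-Fa-f.:]+)\s*\)\s*$"
# Audit line: "<ts>: <prompt>: %CLI-<sev>-<command> by <user> from <line> (<ip>)"
CLI_RE = re.compile(
    rf"^{TS}: (?P<host>\S+): %CLI-(?P<sev>\d)-(?P<cmd>.+) "
    rf"by (?P<user>\S+) from (?P<line>\S+) {SRC}")
# Security line: "... %SEC-5-LOGIN_SUCCESS: Login successful for user <user> on line <line> ( <ip> )"
LOGIN_RE = re.compile(
    rf"^{TS}: .*%SEC-\d-LOGIN_SUCCESS: Login successful for user "
    rf"(?P<user>\S+) on line (?P<line>\S+) {SRC}")

# Command prefixes worth a second look; the logging commands are from this guide.
RULES = [
    ("no logging", "LOGGING_REDUCED"),
    ("clear logging auditlog", "AUDIT_LOG_CLEARED"),
    ("username ", "ACCOUNT_CHANGE"),
    ("no username ", "ACCOUNT_CHANGE"),
]

# Constructed sample lines in the format of the examples above.
SAMPLE_LINES = [
    "May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)",
    "May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)",
    "May 12 12:31:07: DellEMC#: %CLI-6-no logging monitor by ops from vty1 (10.14.1.77)",
    "May 12 12:31:30: DellEMC#: %CLI-6-username temp nopassword privilege 15 by ops from vty1 (192.0.2.50)",
    "May 12 12:32:02: DellEMC#: %CLI-6-clear logging auditlog by ops from vty1 (192.0.2.50)",
    "Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )",
    "May 12 12:33:10: DellEMC#: %CLI-6-show running-config by ops",  # truncated line
]


def parse_line(line):
    """Return a record dict for a CLI audit or login line, else None."""
    match = CLI_RE.match(line)
    kind = "cli"
    if match is None:
        match = LOGIN_RE.match(line)
        kind = "login"
    if match is None:
        return None
    record = match.groupdict()
    record["kind"] = kind
    record.setdefault("cmd", None)
    try:
        record["addr"] = ipaddress.ip_address(record["src"])
    except ValueError:
        return None  # address field is not a valid IP; treat as unparsed
    return record


def review(lines, mgmt_net):
    """Return (alerts, unparsed); alerts are (user, source, code) tuples."""
    network = ipaddress.ip_network(mgmt_net)
    alerts, unparsed = [], []
    for line in lines:
        record = parse_line(line)
        if record is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if record["cmd"]:
            for prefix, code in RULES:
                if record["cmd"].startswith(prefix):
                    alerts.append((record["user"], record["src"], code))
                    break
        if record["addr"] not in network:
            alerts.append((record["user"], record["src"], "OUTSIDE_MGMT_NET"))
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = review(SAMPLE_LINES, "10.14.1.0/24")
    for user, src, code in found:
        print(f"{code:18} user={user} src={src}")
    print(f"{len(skipped)} line(s) not parsed")
```

Because clear logging auditlog removes the local record, this review is most useful on the copy held by the syslog server that logging extended sends events to.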
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
DellEMC# clear logging auditlog
Conguring Logging Format
To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log messages formats:
0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol
1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol
Example of Conguring the Logging Message Format
DellEMC(conf)#logging version ? <0-1> Select syslog version (default = 0) DellEMC(conf)#logging version 1

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To congure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server
DellEMC(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using following syntax:
ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is
10.16.131.141 and the listening port is 5140
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3 Congure logging to a local host. locahost is “127.0.0.1” or “::1”.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
DellEMC(conf)# logging localhost tcp port DellEMC(conf)#logging 127.0.0.1 tcp 5140
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
For example, %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
Disable System Logging
Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
You can export system logs to an external server that is connected through a different VRF.
Configuring a UNIX System as a Syslog Server
To configure a UNIX System as a syslog server, use the following command.
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
– Add line on a 4.1 BSD UNIX system.
local7.debugging /var/log/ftos.log
– Add line on a 5.7 SunOS UNIX system.
local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Track Login Activity

Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login. The system stores the number of unsuccessful login attempts that have occurred in the last 30 days by default. You can change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from the configuration mode.

Restrictions for Tracking Login Activity

These restrictions apply for tracking login activity:
Only the system and security administrators can congure login activity tracking and view the login activity details of other users.
Login statistics is not applicable for login sessions that do not use user names for authentication. For example, the system does not report login activity for a telnet session that prompts only a password.
Conguring Login Activity Tracking
To enable and congure login activity tracking, follow these steps:
1 Enable login activity tracking.
CONFIGURATION mode
login statistics enable
After enabling login statistics, the system stores the login activity details for the last 30 days.
2 (Optional) Congure the number of days for which the system stores the user login statistics. The range is from 1 to 30.
CONFIGURATION mode
login statistics time-period days
Example of Conguring Login Activity Tracking
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
DellEMC(config)#login statistics enable
The following example enables login activity tracking and congures the system to store the login activity details for 12 days.
DellEMC(config)#login statistics enable DellEMC(config)#login statistics time-period 12
66
Management

Display Login Statistics

To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
DellEMC#show login statistics
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.
DellEMC#show login statistics all
------------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------------
------------------------------------------------------------------
User: admin1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin2
Last login time: 12:49:27 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
------------------------------------------------------------------
User: admin3
Last login time: 13:18:42 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
DellEMC# show login statistics user admin
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
The following is sample output of the show login statistics unsuccessful-attempts command.
DellEMC# show login statistics unsuccessful-attempts
There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s).
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.
DellEMC# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.
DellEMC# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
The following is sample output of the show login statistics successful-attempts command.
DellEMC#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).
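The per-user blocks printed by show login statistics all can be collected and reviewed off the switch. The following is an added example, not part of the Dell documentation: it parses captured output in the layout shown above and reports users with many failed attempts or a last login from outside the management networks. The thresholds, the management network list, the user oper1, and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: two user blocks in the layout of the
# "show login statistics all" example (users, addresses, counts are made up).
SAMPLE = """\
------------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------------
------------------------------------------------------------------
User: oper1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 192.0.2.77 )
Unsuccessful login attempt(s) since the last successful login: 6
Unsuccessful login attempt(s) in last 30 day(s): 41
Successful login attempt(s) in last 30 day(s): 2
------------------------------------------------------------------
"""

# Fields are separated by any whitespace, so the pattern matches both the
# multi-line layout and a capture whose lines were joined into one.
BLOCK = re.compile(
    r"User:\s*(?P<user>\S+)\s+"
    r"Last login time:\s*(?P<last_login>.+?)\s+"
    r"Last login location:\s*Line\s+(?P<line>\S+)"
    r"(?:\s*\(\s*(?P<source>[^)\s]+)\s*\))?\s+"
    r"Unsuccessful login attempt\(s\) since the last successful login:\s*"
    r"(?P<failed_since>\d+)\s+"
    r"Unsuccessful login attempt\(s\) in last (?P<days>\d+) day\(s\):\s*"
    r"(?P<failed>\d+)\s+"
    r"Successful login attempt\(s\) in last \d+ day\(s\):\s*(?P<ok>\d+)"
)


def parse_login_statistics(text):
    """Return one dict per user block found in the captured output."""
    records = []
    for match in BLOCK.finditer(text):
        rec = match.groupdict()
        for key in ("failed_since", "days", "failed", "ok"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def review(records, mgmt_networks, max_failed_since=3, max_failed_window=10):
    """Return (user, reason) findings; thresholds are site policy (assumed here)."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for rec in records:
        if rec["failed_since"] > max_failed_since:
            findings.append((rec["user"],
                             "%d failures since last login" % rec["failed_since"]))
        if rec["failed"] > max_failed_window:
            findings.append((rec["user"],
                             "%d failures in %d days" % (rec["failed"], rec["days"])))
        if rec["source"] is not None:
            addr = ipaddress.ip_address(rec["source"])
            if not any(addr in net for net in nets):
                findings.append((rec["user"],
                                 "last login from %s, outside management networks" % addr))
    return findings


if __name__ == "__main__":
    for user, reason in review(parse_login_statistics(SAMPLE), ["10.16.0.0/16"]):
        print(user, "-", reason)
```
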

Limit Concurrent Login Sessions

Dell EMC Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions.
By default, you can use all 10 VTY lines, one console line, and one auxiliary line. You can limit the number of available sessions using the login concurrent-session limit command and so restrict users to that specific number of sessions. You can optionally configure the system to provide an option to the users to clear any of their existing sessions.

Restrictions for Limiting the Number of Concurrent Sessions

These restrictions apply for limiting the number of concurrent sessions:
Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.
Configuring Concurrent Session Limit
To configure concurrent session limit, follow this procedure:
Limit the number of concurrent sessions for all users. CONFIGURATION mode
login concurrent-session limit number-of-sessions
Example of Configuring Concurrent Session Limit
The following example limits the permitted number of concurrent login sessions to 4.
DellEMC(config)#login concurrent-session limit 4

Enabling the System to Clear Existing Sessions

To enable the system to clear existing login sessions, follow this procedure:
Use the following command. CONFIGURATION mode
login concurrent-session clear-line enable
Example of Enabling the System to Clear Existing Sessions
The following example enables you to clear your existing login sessions.
DellEMC(config)#login concurrent-session clear-line enable
Example of Clearing Existing Sessions
When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:
$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
Clear existing session? [line number/Enter to cancel]:
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
4 vty 2 10.14.1.97
5 vty 3 10.14.1.97
Kill existing session? [line number/Enter to cancel]:

Enabling Secured CLI Mode

The secured CLI mode prevents users from elevating their permissions or promoting their privilege levels.
Enter the following command to enable the secured CLI mode: CONFIGURATION Mode
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console. CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode
logging history level
Specify the size of the logging buffer. CONFIGURATION mode
logging buffered size
NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that Dell EMC Networking OS saves to its logging history table. CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
DellEMC#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.
Conguring a UNIX Logging Facility Level
You can save system log messages with a UNIX system logging facility. To congure a UNIX logging facility level, use the following command.
Specify one of the following parameters. CONFIGURATION mode
logging facility [facility-type]
Management
71
auth (for authorization messages)
cron (for system scheduler messages)
daemon (for system daemons)
kern (for kernel messages)
local0 (for local use)
local1 (for local use)
local2 (for local use)
local3 (for local use)
local4 (for local use)
local5 (for local use)
local6 (for local use)
local7 (for local use)
lpr (for line printer system messages)
mail (for mail system messages)
news (for USENET news messages)
sys9 (system use)
sys10 (system use)
sys11 (system use)
sys12 (system use)
sys13 (system use)
sys14 (system use)
syslog (for syslog messages)
user (for user programs)
uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
DellEMC#

Synchronizing Log Messages

You can congure Dell EMC Networking OS to lter and consolidate the system messages for a specic line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1 Enter LINE mode.
CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Congure the following parameters for the virtual terminal lines:
Management
72
number: the range is from zero (0) to 8.
end-number: the range is from 1 to 8.
You can congure multiple virtual terminals at one time by entering a number and an end-number.
2 Congure a level and set the maximum number of messages to print.
LINE mode
logging synchronous [level severity-level | all] [limit]
Congure the following optional parameters:
level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous conguration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created. To enable timestamp, use the following command.
Add timestamp to syslog messages. CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
localtime: You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
uptime: To view time since last boot.
datetime: To view the current date and time from the system BIOS.
If you do not specify a parameter, Dell EMC Networking OS configures datetime by default.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.

File Transfer Services

With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.
If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table. You can use the ip ftp vrf vrf-name or ip tftp vrf vrf-name command to inform the FTP or TFTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE: To transmit large files, Dell EMC Networking recommends configuring the switch as an FTP server.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
Enable FTP Server (mandatory)
Configure FTP Server Parameters (optional)
Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Enable FTP on the system. CONFIGURATION mode
ftp-server enable
Example of Viewing FTP Configuration
DellEMC#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
DellEMC#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To configure the FTP server parameters, use the following commands.
Specify the directory for users using FTP to reach the system. CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
username: enter a text string.
encryption-type: enter 0 for plain text or 7 for encrypted text.
password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Conguring FTP Client Parameters
To congure FTP client parameters, use the following commands.
Enter the following keywords and the interface information:
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
– For a port channel interface, enter the keywords port-channel then a number.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
CONFIGURATION mode
ip ftp source-interface interface
Congure a password. CONFIGURATION mode
ip ftp password password
Enter a username to use on the FTP client. CONFIGURATION mode
ip ftp username name
To view the FTP conguration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for
Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs). The virtual terminal lines (VTYs) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices such as modems.

Denying and Permitting Access to a Terminal Line

Dell EMC Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
When you use the access-class access-list-name command without specifying the ipv4 or ipv6 attribute, both IPv4 as well as IPv6 rules that are defined in that ACL are applied to the terminal. This method is a generic way of configuring access restrictions.
To be able to filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access-class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different types of access classes with each class processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, use the following command.
Apply an ACL to a VTY line. LINE mode
access-class access-list-name [ipv4 | ipv6]
NOTE: If you already have configured generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
Example of an ACL that Permits Terminal Access
Example Configuration
To view the configuration, use the show config command in LINE mode.
DellEMC(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
DellEMC(config-std-nacl)#line vty 0
DellEMC(config-line-vty)#show config
line vty 0
 access-class myvtyacl
DellEMC(conf-ipv6-acl)#do show run acl
!
ip access-list extended testdeny
 seq 10 deny ip 30.1.1.0/24 any
 seq 15 permit ip any any
!
ip access-list extended testpermit
 seq 15 permit ip any any
!
ipv6 access-list testv6deny
 seq 10 deny ipv6 3001::/64 any
 seq 15 permit ipv6 any any
!
DellEMC(conf)#
DellEMC(conf)#line vty 0 0
DellEMC(config-line-vty)#access-class testv6deny ipv6
DellEMC(config-line-vty)#access-class testpermit ipv4
DellEMC(config-line-vty)#show c
line vty 0
 exec-timeout 0 0
 access-class testpermit ipv4
 access-class testv6deny ipv6
!
Conguring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the rst authentication method, Dell EMC Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable
line
local
none
radius
76 Management
Prompt for the enable password.
Prompt for the password you assigned to the terminal line. Congure a password for the terminal line to which you assign a method list that contains the line authentication method. Congure a password using the password command from LINE mode.
Prompt for the system username and password.
Do not authenticate the user.
Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+
1 Congure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication
method for terminal lines is local and the default method list is empty. CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2 Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3 If you used the line authentication method in the method list you applied to the terminal line, congure a password for the terminal line.
LINE mode
password
Example of Terminal Line Authentication
In the following example, VTY lines 0-2 use a single authentication method, line.
DellEMC(conf)#aaa authentication login myvtymethodlist line DellEMC(conf)#line vty 0 2 DellEMC(config-line-vty)#login authentication myvtymethodlist DellEMC(config-line-vty)#password myvtypassword DellEMC(config-line-vty)#show config line vty 0 password myvtypassword login authentication myvtymethodlist line vty 1 password myvtypassword login authentication myvtymethodlist line vty 2 password myvtypassword login authentication myvtymethodlist DellEMC(config-line-vty)#
Prompt for a username and password and use a TACACS+ server to authenticate.

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set timeout, use the following commands.
Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the timeout period to 0.
LINE mode
exec-timeout minutes [seconds]
Return to the default timeout values. LINE mode
no exec-timeout
Example of Setting the Timeout Period for EXEC Privilege Mode
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode.
DellEMC(conf)#line con 0
DellEMC(config-line-console)#exec-timeout 0
DellEMC(config-line-console)#show config
line console 0
 exec-timeout 0 0
DellEMC(config-line-console)#
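Several settings described in this chapter weaken access control when left in a saved configuration: an FTP password stored with encryption type 0, a method list containing none, a VTY line without an access-class, and an EXEC timeout of 0. The following is an added example, not part of the Dell documentation: it checks a saved running-config for those settings and for the absence of logging extended, login statistics enable, and login concurrent-session limit. The sample configuration is constructed from command forms shown on this page; the one-space indentation of line sub-commands is an assumption.

```python
import re

# Constructed sample built from command forms shown in this chapter.
# Assumption: sub-commands of a "line" block are indented in the saved file.
SAMPLE_CONFIG = """\
!
logging extended
logging 127.0.0.1 tcp 5140
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
!
aaa authentication login myvtymethodlist line none
!
line console 0
 exec-timeout 0 0
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
 access-class myvtyacl
line vty 1
 login authentication myvtymethodlist
!
"""

# Global commands whose absence means a tracking or limiting feature is off.
REQUIRED_GLOBALS = {
    "logging extended": "audit and security logs are not enabled",
    "login statistics enable": "login activity tracking is disabled",
    "login concurrent-session limit": "no concurrent session limit is set",
}


def split_config(text):
    """Return (global_commands, {line_header: [sub-commands]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def audit(text):
    """Return a list of (where, finding) tuples for the settings listed above."""
    global_cmds, blocks = split_config(text)
    findings = []
    for prefix, why in REQUIRED_GLOBALS.items():
        if not any(cmd.startswith(prefix) for cmd in global_cmds):
            findings.append(("global", why))
    for cmd in global_cmds:
        m = re.match(r"ftp-server username (\S+) password 0 ", cmd)
        if m:
            findings.append(("ftp-server",
                             "plain-text (type 0) password for user %s" % m.group(1)))
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m and "none" in m.group(2).split():
            findings.append((m.group(1), "method list includes none (no authentication)"))
    for header, subs in blocks.items():
        if any(re.fullmatch(r"exec-timeout 0( 0)?", s) for s in subs):
            findings.append((header, "EXEC timeout disabled"))
        if header.startswith("line vty") and not any(
                s.startswith("access-class ") for s in subs):
            findings.append((header, "no access-class ACL applied"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print("%-16s %s" % (where, finding))
```
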

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute.
If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
Telnet to a device with an IPv4 or IPv6 address. EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, Dell EMC Networking OS enters a Telnet dialog that prompts you for one.
Enter an IPv4 address in dotted decimal format (A.B.C.D).
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Example of the telnet Command for Device Access
DellEMC# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
DellEMC>exit
DellEMC#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
DellEMC#

Lock CONFIGURATION Mode

Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of locks: auto and manual.
Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.
Viewing the Configuration Lock Status
If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
DellEMC(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
DellEMC#config
! Locks configuration mode exclusively.
DellEMC(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1):
% Error: User "" on line console0 is in exclusive configuration mode
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 2):
% Error: Can't lock configuration mode exclusively since the following users are currently configuring the system:
User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.

Restoring the Factory Default Settings

Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as stacking or fanout.
To restore the factory default settings, use the restore factory-defaults stack-unit {stack-unit-number | all} {clear-all | nvram | bootvar} command in EXEC Privilege mode.
CAUTION: There is no undo for this command.

Important Points to Remember

When you restore all the units in a stack, these units are placed in standalone mode.
When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected.
When you restore the units in standalone mode, the units remain in standalone mode after the restoration.
After the restore is complete, the units power cycle immediately.
The following example illustrates the restore factory-defaults command to restore the factory default settings.
DellEMC#restore factory-defaults stack-unit 1 nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing *
* persistent settings (stacking, fanout, etc.) *
* After restoration the unit(s) will be powercycled immediately. *
* Proceed with caution ! *
***********************************************************************
Proceed with factory settings? Confirm [yes/no]:yes
-- Restore status --
Unit Nvram Config
------------------------
1 Success
Power-cycling the unit(s).
....

Restoring Factory Default Environment Variables

The Boot line determines the location of the image that is used to boot up the chassis after restoring factory default settings. Ideally, these locations contain valid images from which the chassis boots up.
When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
When you use the flash boot procedure to boot the device, the boot loader checks if the primary or the secondary partition contains a valid image. If the primary partition contains a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null String. If the secondary partition contains a valid image, then the primary boot line is set to B: and the secondary and default boot lines are set to a Null String. If both the partitions contain invalid images, then primary, secondary, and default boot line values are set to a Null string.
When you use the Network boot procedure to boot the device, the boot loader checks if the primary partition contains a valid image. If a valid image exists on the primary partition and the secondary partition does not contain a valid image, then the primary boot line is set to A: and the secondary and default boot lines are set to a Null string. If the secondary partition also contains a valid image, then the primary boot line value is set to the partition that is configured to be used to boot the device in a network failure scenario. The secondary and default boot line values are set to a Null string.
Important Points to Remember
The chassis remains at the boot prompt if none of the partitions contain valid images.
To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
In case the system fails to reload the image from the partition, perform the following steps:
1 Power-cycle the chassis (pull the power cord and reinsert it).
2 Press the Esc key to abort the boot process (while the system prompts you to press any key).
You enter BLI immediately, as indicated by the BOOT_USER # prompt.
3 Assign the new location of the Dell EMC Networking OS image to be used when the system reloads.
To boot from flash partition A:
BOOT_USER # boot change primary
boot device : flash
file name : systema
BOOT_USER #
To boot from ash partition B:
BOOT_USER # boot change primary
boot device : flash
Management
80
file name : systemb
BOOT_USER #
To boot from network:
BOOT_USER # boot change primary
boot device : tftp
file name : FTOS-S6010-9.10.0.1.bin
Server IP address : 10.16.127.35
BOOT_USER #
4 Assign an IP address and netmask to the Management Ethernet interface.
BOOT_USER # interface management ethernet ip address ip_address_with_mask
For example, 10.16.150.106/16.
5 Assign an IP address as the default gateway for the system.
default-gateway gateway_ip_address
For example, 10.16.150.254.
6 The environment variables are auto saved.
7 Reload the system.
BOOT_USER # reload

Viewing the Reason for Last System Reboot

To view the reason for the last system reboot, use the following command.
EXEC or EXEC Privilege mode
show reset-reason [stack-unit {unit-number | all}]
Enter the stack-unit keyword and the stack unit number to view the reason for the last system reboot for that stack unit.
Enter the stack-unit keyword and the keyword all to view the reason for the last system reboot of all stack units in the stack.
DellEMC#show reset-reason
Cause : Reset by User through CLI command
Reset Time: 11/05/2017-08:36
DellEMC# show reset-reason stack-unit 1
Cause : Reset by User through CLI command
Reset Time: 11/05/2017-08:36
5

802.1X

802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example).
802.1X employs Extensible Authentication Protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell EMC Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell EMC Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell EMC Networking switch is the authenticator.
The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Dell EMC Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
Port-Authentication Process
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs

Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2 The supplicant responds with its identity in an EAP Response Identity frame.
3 The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4 The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5 The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6 If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 5. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
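The following added example (not part of the Dell guide) parses the TLV attributes of a RADIUS packet with bounds checks, reassembles an EAP packet that was split across several type 79 attributes, and reads the supplicant MAC (attribute 31) and the VLAN in Tunnel-Private-Group-ID (attribute 81). The sample packets, the MAC address, and all function names are constructed for illustration; the authenticator field is zeroed and no Message-Authenticator is included.

```python
import struct

EAP_MESSAGE = 79              # Type value the page gives for EAP messages
CALLING_STATION_ID = 31       # supplicant MAC address
TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN for dynamic assignment
MAX_ATTR_VALUE = 253          # one attribute holds at most 253 value bytes


def parse_attributes(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) with bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not fit the datagram")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[off + 2:off + a_len]))
        off += a_len
    return code, ident, attrs


def reassemble_eap(attrs):
    """Join every EAP-Message attribute, in packet order, into one EAP packet."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if not eap:
        return None
    if len(eap) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length disagrees with reassembled fragments")
    # Request (1) and Response (2) carry a method Type byte; Success (3)
    # and Failure (4) consist of the 4-byte header only.
    eap_type = eap[4] if code in (1, 2) and length > 4 else None
    return {"code": code, "id": ident, "type": eap_type, "data": eap[5:]}


def vlan_from_group_id(value):
    """Decode Tunnel-Private-Group-ID, dropping the optional Tag octet."""
    if not value:
        return None
    if value[0] <= 0x1F:      # RFC 2868: a first octet above 0x1F is data
        value = value[1:]
    return value.decode("ascii")


def summarize(packet: bytes):
    code, _ident, attrs = parse_attributes(packet)
    first = {}
    for a_type, value in attrs:
        first.setdefault(a_type, value)
    mac = first.get(CALLING_STATION_ID)
    return {
        "radius_code": code,
        "eap": reassemble_eap(attrs),
        "supplicant_mac": mac.decode("ascii") if mac else None,
        "vlan": vlan_from_group_id(first.get(TUNNEL_PRIVATE_GROUP_ID)),
    }


# --- constructed sample packets (not captured from a real switch) ---------
def build_packet(code, ident, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def eap_fragments(eap):
    return [(EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
            for i in range(0, len(eap), MAX_ATTR_VALUE)]


# EAP-Response (code 2), method type 13, 300 payload bytes: needs two attributes.
EAP_RESPONSE = struct.pack("!BBHB", 2, 7, 305, 13) + b"\xaa" * 300
SAMPLE_ACCESS_REQUEST = build_packet(
    1, 42, [(CALLING_STATION_ID, b"00-11-22-33-44-55")] + eap_fragments(EAP_RESPONSE))
# Access-Accept (code 2) with EAP-Success and a tagged VLAN string "200".
SAMPLE_ACCESS_ACCEPT = build_packet(
    2, 42, [(EAP_MESSAGE, struct.pack("!BBH", 3, 7, 4)),
            (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"200")])

if __name__ == "__main__":
    for name, pkt in (("Access-Request", SAMPLE_ACCESS_REQUEST),
                      ("Access-Accept", SAMPLE_ACCESS_ACCEPT)):
        info = summarize(pkt)
        print(name, info["supplicant_mac"], info["vlan"], info["eap"]["code"])
```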
Conguring 802.1X
Conguring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.
Related Conguration Tasks
Conguring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Conguring Timeouts
Conguring a Guest VLAN
Conguring an Authentication-Fail VLAN

Important Points to Remember

Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.
The NAS-Port-Type attribute indicates the type of the physical port of the NAS which is authenticating the user. It is used in Access-Request packets. The value of this attribute is set as Ethernet (15) for both EAP and MAB supplicants.

Enabling 802.1X

Enable 802.1X globally.
Figure 7. 802.1X Enabled
1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Examples of Verifying that 802.1X is Enabled Globally and on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
In the following example, the bold lines show that 802.1X is enabled.
DellEMC#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1/1
no ip address
dot1x authentication
no shutdown
!
DellEMC#
To view 802.1X configuration information for an interface, use the show dot1x interface command.
In the following example, the bold lines show that 802.1X is enabled and that ports are unauthorized by default.
DellEMC#show dot1x interface TenGigabitEthernet 2/1/1
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Request Identity Re-Transmissions
When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits can be configured.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year)
The default is 30.
Configure the maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10.
The default is 2.
The example in Conguring a Quiet Period after a Failed Authentication shows conguration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits for 10 times.
Conguring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can congure this period.
NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-
transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To congure a quiet period, use the following command.
Congure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication. INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535.
The default is 60 seconds.
Example of Conguring and Verifying Port Authentication
The following example shows conguration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
DellEMC(conf-if-range-Te-2/1/1)#dot1x tx-period 90
DellEMC(conf-if-range-Te-2/1/1)#dot1x max-eap-req 10
DellEMC(conf-if-range-Te-2/1/1)#dot1x quiet-period 120
DellEMC#show dot1x interface TenGigabitEthernet 2/1/1
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

The 802.1X ports can be placed into any of the three states:
ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
DellEMC(conf-if-tf-1/1)#dot1x port-control force-authorized
DellEMC(conf-if-tf-1/1)#show dot1x interface twentyFiveGigE 1/1
802.1x information on Tf 1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Re-Authenticating a Port

You can congure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can congure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can congure this interval. You can congure the maximum number of re-authentications as well.
To congure re-authentication time settings, use the following commands:
Congure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode
802.1X
89
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000.
The default is 3600.
Congure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10.
The default is 2.
Example of Re-Authenticating a Port and Verifying the Configuration
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
DellEMC(conf-if-Te-1/1/1)#dot1x reauthentication interval 7200
DellEMC(conf-if-Te-1/1/1)#dot1x reauth-max 10
DellEMC(conf-if-Te-1/1/1)#do show dot1x interface TenGigabitEthernet 1/1/1
802.1x information on Te 1/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
Conguring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can congure the amount of time the authenticator waits for a response.
To terminate the authentication process, use the following commands:
Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300.
The default is 30.
Terminate the authentication process due to an unresponsive authentication server.
INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300.
The default is 30.
Example of Viewing Congured Server Timeouts
The example shows conguration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
DellEMC(conf-if-Te-1/1/1)#dot1x port-control force-authorized DellEMC(conf-if-Te-1/1/1)#do show dot1x interface TenGigabitEthernet 1/1/1
802.1x information on Te 1/1/1:
-----------------------------
Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10
Supplicant Timeout: 15 seconds Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds Max-EAP-Req: 10
Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize
Conguring Dynamic VLAN Assignment with Port Authentication
Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1 The host sends a dot1x packet to the Dell EMC Networking system 2 The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3 The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-
Private-Group-ID
The illustration shows the conguration on the Dell EMC Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
802.1X
91
Figure 8. Dynamic VLAN Assignment
1 Congure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server congurations (refer to the illustration
inDynamic VLAN Assignment with Port Authentication). 2 Make the interface a switchport so that it can be assigned to a VLAN. 3 Create the VLAN to which the interface will be assigned. 4 Connect the supplicant to the port congured for 802.1X. 5 Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with
Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
DellEMC(conf-if-Te-2/1/1)#dot1x guest-vlan 200
DellEMC(conf-if-Te 2/1/1))#show config
!
interface TenGigabitEthernet 2/1/1
switchport
dot1x guest-vlan 200
no shutdown
DellEMC(conf-if-Te 2/1/1))#
Conguring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specied amount of time.
NOTE
: For more information about authenticator re-attempts, refer to Conguring a Quiet Period after a Failed Authentication.
You can congure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Congure a port to be placed in the VLAN after failing the authentication process as specied number of times using the dot1x auth-
fail-vlan the keyword max-attempts with this command.
Example of Conguring Maximum Authentication Attempts
DellEMC(conf-if-Te-1/1/1)#dot1x guest-vlan 200 DellEMC(conf-if-Te-1/1/1)#show config ! interface TenGigabitEthernet 1/1/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown DellEMC(conf-if-Te-1/1/1)#
DellEMC(conf-if-Te-1/1/1)#dot1x auth-fail-vlan 100 max-attempts 5 DellEMC(conf-if-Te-1/1/1)#show config ! interface TenGigabitEthernet 1/1/1 switchport dot1x authentication dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
command from INTERFACE mode. Congure the maximum number of authentication attempts by the authenticator using
802.1X
93
no shutdown DellEMC(conf-if-Te-1/1/1)#
Example of Viewing Congured Authentication
View your conguration using the show config command from INTERFACE mode, as shown in the example in Conguring a Guest
VLAN or using the show dot1x interface command from EXEC Privilege mode.
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
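As an added example (not from the Dell guide), the script below audits saved show dot1x interface output against points made in this chapter: a force-authorized port bypasses authentication, periodic re-authentication is off unless enabled, and a silent host reaches the Guest VLAN after ([reauth-max + 1] * tx-period) seconds. The sample output is constructed with one field per line, the interface Te 1/1/2 is hypothetical, and the finding codes are this example's own labels.

```python
import re

HEADER = re.compile(r"^802\.1x information on (.+?):\s*$")
FIELD = re.compile(r"^\s*([A-Za-z][\w\- ]*?):\s*(\S.*)$")

# Constructed sample: field names follow the examples in this chapter.
SAMPLE_OUTPUT = """\
DellEMC#show dot1x interface TenGigabitEthernet 1/1/1
802.1x information on Te 1/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Guest VLAN id: NONE
Tx Period: 90 seconds
ReAuth Max: 10
802.1x information on Te 1/1/2:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Guest VLAN id: 200
Tx Period: 90 seconds
ReAuth Max: 10
802.1x information on Te 2/1/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Guest VLAN id: NONE
Tx Period: 30 seconds
ReAuth Max: 2
"""


def parse_show_dot1x(text):
    """Return {interface: {field: value}} from one or more output blocks."""
    ports, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return ports


def leading_int(value):
    match = re.match(r"\d+", value or "")
    return int(match.group()) if match else None


def guest_vlan_window(fields):
    """Seconds before a silent host is moved: (reauth-max + 1) * tx-period."""
    reauth_max = leading_int(fields.get("ReAuth Max"))
    tx_period = leading_int(fields.get("Tx Period"))
    if reauth_max is None or tx_period is None:
        return None
    return (reauth_max + 1) * tx_period


def audit_port(fields):
    findings = []
    if fields.get("Dot1x Status") != "Enable":
        findings.append(("DOT1X_OFF", "802.1X is not enabled on this interface"))
    control = fields.get("Port Control")
    if control == "FORCE_AUTHORIZED":
        findings.append(("FORCE_AUTHORIZED",
                         "devices skip authentication; same as disabling 802.1X"))
    elif control == "FORCE_UNAUTHORIZED":
        findings.append(("FORCE_UNAUTHORIZED",
                         "port never authorizes; same as shutting it down"))
    if fields.get("Re-Authentication") == "Disable":
        findings.append(("NO_REAUTH",
                         "supplicant is not re-authenticated once authorized"))
    guest = fields.get("Guest VLAN id", "NONE")
    window = guest_vlan_window(fields)
    if control == "AUTO" and guest.upper() != "NONE" and window is not None:
        findings.append(("GUEST_VLAN",
                         f"silent host is placed in VLAN {guest} after {window} s"))
    return findings


def audit(text):
    return {port: audit_port(f) for port, f in parse_show_dot1x(text).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_OUTPUT).items():
        for code, detail in findings or [("OK", "no findings")]:
            print(f"{port}: {code}: {detail}")
```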
6

Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory (CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of the parameters. Using this new capability, you can also configure VRF based ACLs on interfaces.
NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to congure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to allocate a CAM region:
The order of priority for conguring user-dened ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
VRF based IMPLICIT DENY Rules
NOTE
: In order for the VRF ACLs to take eect, ACLs congured in the Layer 3 CAM region must have an implicit-permit option.
You can use the ip access-group command to congure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for conguring ACLs on interfaces. The VRF range is from 1 to
63. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
vrfv4acl.
NOTE
: You can congure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.
Access Control Lists (ACLs) 95
Topics:
IP Access Control Lists (ACLs)
Important Points to Remember
IP Fragment Handling
Configure a Standard IP ACL
Configure an Extended IP ACL
Configure Layer 2 and Layer 3 ACLs
Assign an IP ACL to an Interface
Applying an IP ACL
Configure Ingress ACLs
Configure Egress ACLs
IP Prefix Lists
ACL Remarks
ACL Resequencing
Route Maps
Flow-Based Monitoring
Configuring IP Mirror Access Group

IP Access Control Lists (ACLs)

In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria:
IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number
For more information about ACL options, refer to the Dell EMC Networking OS Command Reference Guide.
For extended ACL TCP and UDP filters, you can match criteria on specific TCP or UDP ports or on ranges of ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell EMC Networking Operating System (OS) assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
Ingress and egress Hot Lock ACLs allow you to append rules to or delete rules from an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs on all platforms.
NOTE: Hot lock ACLs are supported for Ingress ACLs only.

CAM Usage

The following section describes CAM allocation and CAM optimization.
User Configurable CAM Allocation
CAM Optimization
User Configurable CAM Allocation
Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.)
Enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
If you want to configure ACLs on VRF instances, you must allocate a CAM region using the vrfv4acl option in the cam-acl command.
Save the new CAM settings to the startup-config (use write-mem or copy run start) then reload the system for the new settings to take effect.
CAM Optimization
When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter.
Test CAM Usage
This command applies to both IPv4 and IPv6 CAM proles, but is best used when verifying QoS optimization for IPv6 ACLs.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command. The status column indicates whether you can enable the policy.
Example of the test cam-usage Command
DellEMC#test cam-usage service-policy input asd stack-unit 1 port-set 0
Stack-unit|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
--------------------------------------------------------------------------
         1|       1|     IPv4Flow|          232|                     0|Allowed
DellEMC#

Implementing ACLs on Dell EMC Networking OS

You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software. The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule that is inserted, prepended, or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the original counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected. This is applicable to the following features:
L2 Ingress Access list
L2 Egress Access list
In the Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is less than what is required for your set of ACL rules. Effective with the Dell EMC Networking OS version 9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule. This behavior is applicable for IPv4 and IPv6 ingress and egress ACLs.
NOTE: System access lists (system-flow entries) are pre-programmed in the system for lifting the control-plane packets destined for the local device which the CPU needs to process. The system access lists always override the user configured access lists. Even if you configure an ACL to block certain hosts, control plane protocols such as ARP, BGP, LACP, VLT, VRRP, and so on, associated with such hosts cannot be blocked.
Assigning ACLs to VLANs
When you apply an ACL to a VLAN using a single port-pipe, a copy of the ACL entries gets installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. When you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each port belonging to a port-pipe.
You can use the log keyword to log the details about the packets that match. The control processor becomes busy based on the number of packets that match the log entry and the rate at which the details are logged. However, the route processor (RP) is unaffected. You can use this option for debugging issues related to control traffic.
ACL Optimization
If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries to identify whether the access list is a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, Dell EMC Networking OS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
In cases where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. Dell EMC Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 255.
Example of the order Keyword to Determine ACL Sequence
DellEMC(conf)#ip access-list standard acl1
DellEMC(config-std-nacl)#permit 20.0.0.0/8
DellEMC(config-std-nacl)#exit
DellEMC(conf)#ip access-list standard acl2
DellEMC(config-std-nacl)#permit 20.1.1.0/24 order 0
DellEMC(config-std-nacl)#exit
DellEMC(conf)#class-map match-all cmap1
DellEMC(conf-class-map)#match ip access-group acl1
DellEMC(conf-class-map)#exit
DellEMC(conf)#class-map match-all cmap2
DellEMC(conf-class-map)#match ip access-group acl2
DellEMC(conf-class-map)#exit
DellEMC(conf)#policy-map-input pmap
DellEMC(conf-policy-map-in)#service-queue 7 class-map cmap1
DellEMC(conf-policy-map-in)#service-queue 4 class-map cmap2
DellEMC(conf-policy-map-in)#exit
DellEMC(conf)#interface te 10/1/1
DellEMC(conf-if-te-10/1/1)#service-policy input pmap
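The overlap described above can be caught before a policy is applied. The following audit is an added example, not part of Dell EMC Networking OS or of this guide: the function names are hypothetical, and it flags any more specific rule whose order is not lower than that of a broader rule serviced by a different queue.

```python
import ipaddress

DEFAULT_ORDER = 255  # default order of an ACL rule, as stated in the text

def parse_rule(line):
    """Parse 'permit|deny <prefix> [order N]' into (network, order)."""
    tokens = line.split()
    network = ipaddress.ip_network(tokens[1])
    order = DEFAULT_ORDER
    if "order" in tokens:
        order = int(tokens[tokens.index("order") + 1])
        if not 0 <= order <= 254:
            raise ValueError(f"order must be 0-254, got {order}")
    return network, order

def audit(acls, queue_of):
    """Flag a more specific rule that is not written to the CAM before a
    broader rule of an ACL serviced by a different queue."""
    rules = [(name, *parse_rule(line)) for name, lines in acls.items() for line in lines]
    findings = []
    for name_a, net_a, order_a in rules:
        for name_b, net_b, order_b in rules:
            if queue_of[name_a] == queue_of[name_b]:
                continue  # same queue: overlap cannot misdirect the packet
            if net_a != net_b and net_a.subnet_of(net_b) and order_a >= order_b:
                findings.append((name_a, str(net_a), name_b, str(net_b)))
    return findings

# Rules and queues from the example above; the ACL-to-queue map collapses
# the class-map and service-queue lines into one lookup (a simplification).
QUEUE_OF = {"acl1": 7, "acl2": 4}
WITHOUT_ORDER = {"acl1": ["permit 20.0.0.0/8"], "acl2": ["permit 20.1.1.0/24"]}
WITH_ORDER = {"acl1": ["permit 20.0.0.0/8"], "acl2": ["permit 20.1.1.0/24 order 0"]}

if __name__ == "__main__":
    print(audit(WITHOUT_ORDER, QUEUE_OF))  # acl2's /24 is shadowed by acl1's /8
    print(audit(WITH_ORDER, QUEUE_OF))     # no findings once order 0 is set
```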

Important Points to Remember

For route-maps with more than one match clause:
– If two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation.
– If two or more match clauses within the same route-map sequence have different match commands, matching a packet against these clauses is a logical AND operation.
If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found, or there are no more sequences.
When a match is found, the packet is forwarded and no more route-map sequences are processed.
– If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found.
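The matching rules above, modeled as a small evaluator. This is an added example, not Dell EMC Networking OS code: the data layout and names are hypothetical, a sequence with no match clauses is assumed to match everything, and a numeric continue target is assumed to jump forward only.

```python
from collections import defaultdict

def clauses_match(match_clauses, route):
    """Same match command: logical OR over its values. Different commands: AND."""
    by_command = defaultdict(set)
    for command, value in match_clauses:
        by_command[command].add(value)
    # Assumption: a sequence with no match clauses matches every route.
    return all(route.get(cmd) in values for cmd, values in by_command.items())

def evaluate(route_map, route):
    """Return the sequence numbers that matched, lowest sequence first.

    Processing stops at the first match unless that sequence carries a
    continue clause: "next", or a higher sequence number to jump to.
    """
    seqs = sorted(route_map, key=lambda s: s["seq"])
    matched, i = [], 0
    while i < len(seqs):
        entry = seqs[i]
        if not clauses_match(entry["match"], route):
            i += 1
            continue
        matched.append(entry["seq"])
        target = entry.get("continue")
        if target is None:
            break
        if target == "next":
            i += 1
        else:
            # Jump forward to the first sequence at or above the target number.
            i = next((j for j in range(i + 1, len(seqs))
                      if seqs[j]["seq"] >= target), len(seqs))
    return matched

# Constructed route map (names and values are illustrative, not from the guide).
ROUTE_MAP = [
    {"seq": 10, "match": [("interface", "TenGigabitEthernet 1/1/1"),
                          ("interface", "TenGigabitEthernet 1/1/2"),
                          ("tag", 35)]},
    {"seq": 20, "match": [("tag", 35)], "continue": "next"},
    {"seq": 30, "match": []},
]

if __name__ == "__main__":
    for route in ({"interface": "TenGigabitEthernet 1/1/2", "tag": 35},
                  {"interface": "Loopback 23", "tag": 35},
                  {"interface": "TenGigabitEthernet 1/1/1", "tag": 7}):
        print(route, "->", evaluate(ROUTE_MAP, route))
```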
Configuration Task List for Route Maps
Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps, as described in the following sections.
Create a route map (mandatory)
Configure route map filters (optional)
Configure a route map for route redistribution (optional)
Configure a route map for route tagging (optional)
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values.
To create a route map, use the following command.
Create a route map and assign it a unique name. The optional permit and deny keywords are the actions of the route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
The default is permit.
The optional seq keyword allows you to assign a sequence number to the route map instance.
Configured Route Map Examples
The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed.
To view the configuration, use the show config command in ROUTE-MAP mode.
DellEMC(config-route-map)#show config
!
route-map dilling permit 10
DellEMC(config-route-map)#
You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order. Dell EMC Networking OS processes the route maps with the lowest sequence number first. When a configured route map is applied to a command, such as redistribute, traffic passes through all instances of that route map until a match is found. The following is an example with two instances of a route map.
The following example shows matching instances of a route-map.
DellEMC#show route-map
route-map zakho, permit, sequence 10
 Match clauses:
 Set clauses:
route-map zakho, permit, sequence 20
 Match clauses:
  interface TenGigabitEthernet 1/1/1
 Set clauses:
  tag 35
  level stub-area
DellEMC#
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
DellEMC(conf)#no route-map zakho 10
DellEMC(conf)#end
DellEMC#show route-map
route-map zakho, permit, sequence 20
 Match clauses:
  interface TenGigabitEthernet 1/1/1
 Set clauses:
  tag 35
  level stub-area
DellEMC#
The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
DellEMC#show route-map dilling
route-map dilling, permit, sequence 10
 Match clauses:
 Set clauses:
route-map dilling, permit, sequence 15
 Match clauses:
  interface Loopback 23
 Set clauses:
  tag 3444
DellEMC#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.