Dell Z9500 User Manual

Dell Networking Configuration Guide for the Z9500 Switch
9.7(0.0)
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
2015 - 01
Rev. A00
Contents
1 About this Guide
Audience
Conventions
Related Documents
2 Configuration Fundamentals
Accessing the Command Line
CLI Modes
Navigating CLI Modes
The do Command
Undoing Commands
Obtaining Help
Entering and Editing Commands
Command History
Filtering show Command Outputs
Multiple Users in Configuration Mode
3 Getting Started
Console Access
Serial Console
Default Configuration
Configuring a Host Name
Accessing the System Remotely
Accessing the Z9500 Remotely
Configure the Management Port IP Address
Configure a Management Route
Configuring a Username and Password
Configuring the Enable Password
Manage Configuration Files
File Storage
Copy Files to and from the System
Save the Running-Configuration
Configure the Overload Bit for a Startup Scenario
Viewing Files
Changes in Configuration Files
Enabling Software Features on Devices Using a Command Option
View Command History
Upgrading the Dell Networking OS
Using Hashes to Validate Software Images
4 Switch Management
Configuring Privilege Levels
Creating a Custom Privilege Level
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to the Following Modes
Applying a Privilege Level to a Username
Applying a Privilege Level to a Terminal Line
Configuring Logging
Audit and Security Logs
Configuring Logging Format
Setting Up a Secure Connection to a Syslog Server
Log Messages in the Internal Buffer
Configuration Task List for System Log Management
Disabling System Logging
Sending System Messages to a Syslog Server
Configuring a UNIX System as a Syslog Server
Display the Logging Buffer and the Logging Configuration
Changing System Logging Settings
Configuring a UNIX Logging Facility Level
Synchronizing Log Messages
Enabling Timestamp on Syslog Messages
File Transfer Services
Configuration Task List for File Transfer Services
Enabling the FTP Server
Configuring FTP Server Parameters
Configuring FTP Client Parameters
Terminal Lines
Denying and Permitting Access to a Terminal Line
Configuring Login Authentication for Terminal Lines
Setting Time Out of EXEC Privilege Mode
Using Telnet to Access Another Network Device
Lock CONFIGURATION Mode
Viewing the Configuration Lock Status
Recovering from a Forgotten Password on the Z9500
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
Recovering from a Failed Start on the Z9500
Restoring Factory-Default Settings
Important Points to Remember
Restoring Factory-Default Boot Environment Variables
5 802.1X
The Port-Authentication Process
EAP over RADIUS
Configuring 802.1X
Related Configuration Tasks
Important Points to Remember
Enabling 802.1X
Configuring Request Identity Re-Transmissions
Configuring a Quiet Period after a Failed Authentication
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN
6 Access Control Lists (ACLs)
IP Access Control Lists (ACLs)
CAM Usage
Implementing ACLs
IP Fragment Handling
IP Fragments ACL Examples
Layer 4 ACL Rules Examples
Configure a Standard IP ACL
Configuring a Standard IP ACL Filter
Configure an Extended IP ACL
Configuring Filters with a Sequence Number
Configuring Filters Without a Sequence Number
Configure Layer 2 and Layer 3 ACLs
Using ACL VLAN Groups
Guidelines for Configuring ACL VLAN Groups
Configuring an ACL VLAN Group
Allocating ACL VLAN CAM
Applying an IP ACL to an Interface
Configure Ingress ACLs
Configure Egress ACLs
Applying Egress Layer 3 ACLs (Control-Plane)
Counting ACL Hits
IP Prefix Lists
Implementation Information
Configuration Task List for Prefix Lists
ACL Resequencing
Resequencing an ACL or Prefix List
Route Maps
Implementation Information
Important Points to Remember
Configuration Task List for Route Maps
Configuring Match Routes
Configuring Set Conditions
Configure a Route Map for Route Redistribution
Configure a Route Map for Route Tagging
Continue Clause
7 Bare Metal Provisioning (BMP)
Enhanced Behavior of the stop bmp Command
Removal of User-Defined String Parameter in the reload-type Command
Service Tag Information in the Option 60 String
8 Bidirectional Forwarding Detection (BFD)
How BFD Works
BFD Packet Format
BFD Sessions
BFD Three-Way Handshake
Session State Changes
Important Points to Remember
Configure BFD
Configure BFD for Static Routes
Configure BFD for OSPF
Configure BFD for OSPFv3
Configure BFD for IS-IS
Configure BFD for BGP
Configure BFD for VRRP
Configuring Protocol Liveness
9 Border Gateway Protocol IPv4 (BGPv4)
Autonomous Systems (AS)
Sessions and Peers
Establish a Session
Route Reflectors
Communities
BGP Attributes
Best Path Selection Criteria
Weight
Local Preference
Multi-Exit Discriminators (MEDs)
Origin
AS Path
Next Hop
Multiprotocol BGP
Implement BGP
Additional Path (Add-Path) Support
Advertise IGP Cost as MED for Redistributed Routes
Ignore Router-ID for Some Best-Path Calculations
Four-Byte AS Numbers
AS4 Number Representation
AS Number Migration
BGP4 Management Information Base (MIB)
Important Points to Remember
Configuration Information
BGP Configuration
Enabling BGP
Configuring AS4 Number Representations
Configuring Peer Groups
Configuring BGP Fast Fail-Over
Configuring Passive Peering
Maintaining Existing AS Numbers During an AS Migration
Allowing an AS Number to Appear in its Own AS Path
Enabling Neighbor Graceful Restart
Filtering on an AS-Path Attribute
Regular Expressions as Filters
Redistributing Routes
Enabling Additional Paths
Configuring IP Community Lists
Configuring an IP Extended Community List
Filtering Routes with Community Lists
Manipulating the COMMUNITY Attribute
Changing MED Attributes
Changing the LOCAL_PREFERENCE Attribute
Changing the NEXT_HOP Attribute
Changing the WEIGHT Attribute
Enabling Multipath
Filtering BGP Routes
Filtering BGP Routes Using Route Maps
Filtering BGP Routes Using AS-PATH Information
Configuring BGP Route Reflectors
Aggregating Routes
Configuring BGP Confederations
Enabling Route Flap Dampening
Changing BGP Timers
Enabling BGP Neighbor Soft-Reconfiguration
Route Map Continue
Enabling MBGP Configurations
BGP Regular Expression Optimization
Debugging BGP
Storing Last and Bad PDUs
Capturing PDUs
PDU Counters
Sample Configurations
10 Content Addressable Memory (CAM)
CAM Allocation
Test CAM Usage
View CAM-ACL Settings
View CAM Usage
Return to the Default CAM Configuration
CAM Optimization
Applications for CAM Profiling
LAG Hashing
LAG Hashing Based on Bidirectional Flow
Unified Forwarding Table (UFT) Modes
Configuring UFT Modes
11 Control Plane Policing (CoPP)
Z9500 CoPP Implementation
Protocol-based Control Plane Policing
Queue-based Control Plane Policing
CoPP Example
Configure Control Plane Policing
Configuring CoPP for Protocols
Examples of Configuring CoPP for Protocols
Configuring CoPP for CPU Queues
Examples of Configuring CoPP for CPU Queues
Displaying CoPP Configuration
Troubleshooting CoPP Operation
Enabling CPU Traffic Statistics
Viewing CPU Traffic Statistics
Troubleshooting CPU Packet Loss
Viewing Per-Protocol CoPP Counters
Viewing Per-Queue CoPP Counters
12 Data Center Bridging (DCB)
Ethernet Enhancements in Data Center Bridging
Priority-Based Flow Control
Enhanced Transmission Selection
Data Center Bridging Exchange Protocol (DCBx)
Data Center Bridging in a Traffic Flow
Enabling Data Center Bridging
QoS dot1p Traffic Classification and Queue Assignment
SNMP Support for PFC and Buffer Statistics Tracking
DCB Maps and its Attributes
DCB Map: Configuration Procedure
Important Points to Remember................................................................................................. 248
Applying a DCB Map on a Port...................................................................................................248
Configuring PFC without a DCB Map........................................................................................ 249
Configuring Lossless Queues.....................................................................................................249
Data Center Bridging: Default Configuration..................................................................................250
Configuring PFC and ETS in a DCB Map.......................................................................................... 251
PFC Configuration Notes............................................................................................................ 251
PFC Prerequisites and Restrictions.............................................................................................252
ETS Configuration Notes............................................................................................................ 252
ETS Prerequisites and Restrictions............................................................................................. 253
Configuring Priority-Based Flow Control........................................................................................254
Configuring Lossless Queues..................................................................................................... 255
Configure Enhanced Transmission Selection..................................................................................256
ETS Prerequisites and Restrictions............................................................................................. 256
Creating an ETS Priority Group.................................................................................................. 256
ETS Operation with DCBx...........................................................................................................257
Configuring Bandwidth Allocation for DCBx CIN..................................................................... 258
Applying the DCB Policies on Linecard........................................................................................... 259
Applying DCB Policies on SFM Ports............................................................................................... 259
Configure a DCBx Operation........................................................................................................... 259
DCBx Operation..........................................................................................................................260
DCBx Port Roles......................................................................................................................... 260
DCB Configuration Exchange.................................................................................................... 262
Configuration Source Election...................................................................................................262
Propagation of DCB Information............................................................................................... 263
Auto-Detection and Manual Configuration of the DCBx Version............................................ 263
Behavior of Tagged Packets.......................................................................................................264
Configuration Example for DSCP and PFC Priorities................................................................ 264
DCBx Example.............................................................................................................................265
DCBx Prerequisites and Restrictions..........................................................................................265
Configuring DCBx.......................................................................................................................266
Verifying the DCB Configuration......................................................................................................270
Generation of PFC for a Priority for Untagged Packets...................................................................281
Operations on Untagged Packets.................................................................................................... 281
Performing PFC Using DSCP Bits Instead of 802.1p Bits.................................................................281
PFC and ETS Configuration Examples............................................................................................. 282
Using PFC and ETS to Manage Data Center Traffic........................................................................ 282
PFC and ETS Configuration Command Examples.................................................................... 284
Using PFC and ETS to Manage Converged Ethernet Traffic.....................................................284
Hierarchical Scheduling in ETS Output Policies........................................................................284
Priority-Based Flow Control Using Dynamic Buffer Method..........................................................285
Pause and Resume of Traffic......................................................................................................285
Buffer Sizes for Lossless or PFC Packets................................................................................... 286
Configuring the Dynamic Buffer Method........................................................................................286
Sample Configurations.....................................................................................................................289
13 Debugging and Diagnostics......................................................................... 293
Offline Diagnostics........................................................................................................................... 293
Important Points to Remember................................................................................................. 293
Running Offline Diagnostics.......................................................................................................293
Examples of Running Offline Diagnostics..................................................................................295
TRACE Logs.......................................................................................................................................302
Auto Save on Reload, Crash, or Rollover................................................................................... 303
Last Restart Reason...........................................................................................................................303
Line Card Restart Causes and Reasons......................................................................................303
show hardware Commands.............................................................................................................303
Environmental Monitoring................................................................................................................305
Display Power Supply Status...................................................................................................... 305
Display Fan Status....................................................................................................................... 306
Display Transceiver Type............................................................................................................306
Recognize an Over-Temperature Condition............................................................................ 308
Troubleshoot an Over-Temperature Condition........................................................................309
Troubleshooting Packet Loss............................................................................................................311
Displaying Drop Counters........................................................................................................... 311
Displaying Dataplane Statistics................................................................................................... 313
Displaying Line-Card Counters.................................................................................................. 314
Accessing Application Core Dumps................................................................................................. 315
Mini Core Dumps.............................................................................................................................. 316
Full Kernel Core Dumps....................................................................................................................316
Enabling TCP Dumps.........................................................................................................................317
14 Dynamic Host Configuration Protocol (DHCP)........................................318
DHCP Packet Format and Options...................................................................................................318
Assign an IP Address using DHCP....................................................................................................320
Implementation Information............................................................................................................ 321
Configure the System to be a DHCP Server.................................................................................... 322
Configuring the Server for Automatic Address Allocation........................................................ 322
Specifying a Default Gateway.....................................................................................................324
Configure a Method of Hostname Resolution.......................................................................... 324
Using DNS for Address Resolution.............................................................................................324
Using NetBIOS WINS for Address Resolution............................................................................324
Creating Manual Binding Entries................................................................................................ 325
Debugging the DHCP Server......................................................................................................325
Using DHCP Clear Commands...................................................................................................325
Configure the System to be a Relay Agent......................................................................................326
Configure the System to be a DHCP Client.................................................................................... 328
DHCP Client on a Management Interface................................................................................. 328
DHCP Client Operation with Other Features............................................................................ 329
Configure Secure DHCP...................................................................................................................329
Option 82.................................................................................................................................... 330
DHCP Snooping..........................................................................................................................330
Drop DHCP Packets on Snooped VLANs Only..........................................................................334
Dynamic ARP Inspection............................................................................................................ 334
Configuring Dynamic ARP Inspection........................................................................................335
Source Address Validation................................................................................................................336
Enabling IP Source Address Validation.......................................................................................337
DHCP MAC Source Address Validation...................................................................................... 337
Enabling IP+MAC Source Address Validation............................................................................ 337
Viewing the Number of SAV Dropped Packets..........................................................................338
Clearing the Number of SAV Dropped Packets.........................................................................338
15 Equal Cost Multi-Path (ECMP)..................................................................... 339
ECMP for Flow-Based Affinity.......................................................................................................... 339
Enabling Deterministic ECMP Next Hop....................................................................................339
Configuring the Hash Algorithm Seed....................................................................................... 339
Link Bundle Monitoring.................................................................................................................... 340
Managing ECMP Group Paths....................................................................................................340
Creating an ECMP Group Bundle............................................................................................... 341
Modifying the ECMP Group Threshold...................................................................................... 341
ECMP Support in L3 Host and LPM Tables......................................................................................342
16 FCoE Transit....................................................................................................344
Fibre Channel over Ethernet............................................................................................................ 344
Ensure Robustness in a Converged Ethernet Network...................................................................344
FIP Snooping on Ethernet Bridges...................................................................................................346
Using FIP Snooping...........................................................................................................................348
FIP Snooping Prerequisites.........................................................................................................348
Important Points to Remember................................................................................................. 349
Enabling the FCoE Transit Feature.............................................................................................350
Enable FIP Snooping on VLANs..................................................................................................350
Configure the FC-MAP Value.....................................................................................................350
Configure a Port for a Bridge-to-Bridge Link............................................................................350
Configure a Port for a Bridge-to-FCF Link.................................................................................351
Impact on Other Software Features........................................................................................... 351
FIP Snooping Restrictions........................................................................................................... 351
Configuring FIP Snooping...........................................................................................................351
FCoE Transit Configuration Example...............................................................................................353
Displaying FIP Snooping Information.............................................................................................. 354
17 Enabling FIPS Cryptography.........................................................................361
Configuration Tasks.......................................................................................................................... 361
Preparing the System........................................................................................................................ 361
Enabling FIPS Mode.......................................................................................................................... 362
Generating Host-Keys...................................................................................................................... 362
Monitoring FIPS Mode Status........................................................................................................... 363
Disabling FIPS Mode......................................................................................................................... 363
18 Flex Hash..........................................................................................................365
Flex Hash Capability Overview......................................................................................................... 365
Configuring the Flex Hash Mechanism............................................................................................365
RDMA Over Converged Ethernet (RoCE) Overview........................................................................366
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces............................................................. 367
19 Force10 Resilient Ring Protocol (FRRP).....................................................368
Protocol Overview............................................................................................................................368
Ring Status...................................................................................................................................369
Multiple FRRP Rings.................................................................................................................... 370
Important FRRP Points................................................................................................................370
Important FRRP Concepts..........................................................................................................370
Implementing FRRP.......................................................................................................................... 372
FRRP Configuration...........................................................................................................................372
Creating the FRRP Group............................................................................................................372
Configuring the Control VLAN................................................................................................... 373
Configuring and Adding the Member VLANs.............................................................................374
Setting the FRRP Timers..............................................................................................................375
Clearing the FRRP Counters....................................................................................................... 375
Viewing the FRRP Configuration................................................................................................ 376
Viewing the FRRP Information....................................................................................................376
Troubleshooting FRRP......................................................................................................................376
Configuration Checks.................................................................................................................376
Sample Configuration and Topology...............................................................................................376
20 GARP VLAN Registration Protocol (GVRP)................................................379
Important Points to Remember....................................................................................................... 379
Configure GVRP................................................................................................................................380
Related Configuration Tasks...................................................................................................... 380
Enabling GVRP Globally....................................................................................................................381
Enabling GVRP on a Layer 2 Interface..............................................................................................381
Configure GVRP Registration........................................................................................................... 381
Configure a GARP Timer.................................................................................................................. 382
21 Internet Group Management Protocol (IGMP).........................................384
IGMP Implementation Information..................................................................................................384
IGMP Protocol Overview..................................................................................................................384
IGMP Version 2........................................................................................................................... 384
IGMP Version 3............................................................................................................................386
Configure IGMP................................................................................................................................ 389
Related Configuration Tasks...................................................................................................... 389
Viewing IGMP Enabled Interfaces....................................................................................................390
Selecting an IGMP Version...............................................................................................................390
Viewing IGMP Groups.......................................................................................................................391
Adjusting Timers................................................................................................................................391
Adjusting Query and Response Timers...................................................................................... 391
Adjusting the IGMP Querier Timeout Value...............................................................................392
Configuring a Static IGMP Group.....................................................................................................392
Enabling IGMP Immediate-Leave.....................................................................................................393
IGMP Snooping.................................................................................................................................393
IGMP Snooping Implementation Information........................................................................... 393
Configuring IGMP Snooping...................................................................................................... 393
Removing a Group-Port Association......................................................................................... 394
Disabling Multicast Flooding...................................................................................................... 394
Specifying a Port as Connected to a Multicast Router..............................................................395
Configuring the Switch as Querier.............................................................................................395
Fast Convergence after MSTP Topology Changes......................................................................... 396
Designating a Multicast Router Interface........................................................................................ 396
22 Interfaces......................................................................................................... 397
Basic Interface Configuration...........................................................................................................397
Advanced Interface Configuration...................................................................................................397
Port Numbering Convention............................................................................................................397
Interface Types................................................................................................................................. 398
View Basic Interface Information.....................................................................................................398
Enabling a Physical Interface........................................................................................................... 400
Physical Interfaces............................................................................................................................ 401
Port Pipes.....................................................................................................................................401
Network Processing Units (NPUs).............................................................................................. 401
Configuration Task List for Physical Interfaces......................................................................... 402
Overview of Layer Modes...........................................................................................................402
Configuring Layer 2 (Data Link) Mode....................................................................................... 402
Configuring Layer 2 (Interface) Mode........................................................................................403
Configuring Layer 3 (Network) Mode........................................................................................ 403
Configuring Layer 3 (Interface) Mode........................................................................................404
Egress Interface Selection (EIS)........................................................................................................405
Important Points to Remember................................................................................................. 405
Configuring EIS........................................................................................................................... 405
Management Interfaces................................................................................................................... 406
Configuring a Dedicated Management Interface.....................................................................406
Configuring a Management Interface on an Ethernet Port...................................................... 407
VLAN Interfaces................................................................................................................................ 408
Loopback Interfaces.........................................................................................................................409
Null Interfaces...................................................................................................................................409
Port Channel Interfaces....................................................................................................................410
Port Channel Definition and Standards......................................................................................410
Port Channel Benefits................................................................................................................. 410
Port Channel Implementation....................................................................................................410
10/40 Gbps Interfaces in Port Channels.....................................................................................411
Configuration Tasks for Port Channel Interfaces.......................................................................411
Creating a Port Channel..............................................................................................................412
Adding a Physical Interface to a Port Channel...........................................................................412
Reassigning an Interface to a New Port Channel...................................................................... 414
Configuring the Minimum Oper Up Links in a Port Channel.................................................... 415
Adding or Removing a Port Channel from a VLAN....................................................................415
Assigning an IP Address to a Port Channel................................................................................ 416
Deleting or Disabling a Port Channel.........................................................................................416
Load Balancing Through Port Channels.................................................................................... 416
Load-Balancing Methods............................................................................................................417
Changing the Hash Algorithm.................................................................................................... 417
Bulk Configuration............................................................................................................................418
Interface Range........................................................................................................................... 418
Bulk Configuration Examples..................................................................................................... 418
Defining Interface Range Macros.................................................................................................... 420
Define the Interface Range......................................................................................................... 421
Choosing an Interface-Range Macro.........................................................................................421
Monitoring and Maintaining Interfaces............................................................................................ 421
Displaying Traffic Statistics on HiGig Ports......................................................................................422
Link Bundle Monitoring.................................................................................................................... 423
Monitoring HiGig Link Bundles........................................................................................................ 423
Guidelines for Monitoring HiGig Link-Bundles .........................................................................424
Enabling HiGig Link-Bundle Monitoring.................................................................................... 425
Fanning out 40G Ports Dynamically................................................................................................ 425
Splitting QSFP Ports to SFP+ Ports.................................................................................................. 426
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port...................................................... 426
Link Dampening................................................................................................................................ 431
Important Points to Remember................................................................................................. 432
Enabling Link Dampening...........................................................................................................432
Using Ethernet Pause Frames for Flow Control.............................................................................. 433
Enabling Pause Frames...............................................................................................................434
Configure the MTU Size on an Interface......................................................................................... 435
Auto-Negotiation on Ethernet Interfaces........................................................................................436
Set Auto-Negotiation Options................................................................................................... 436
View Advanced Interface Information............................................................................................. 437
Configuring the Interface Sampling Size................................................................................... 437
Dynamic Counters............................................................................................................................439
Clearing Interface Counters....................................................................................................... 439
23 Internet Protocol Security (IPSec).............................................................. 441
Configuring IPSec ............................................................................................................................442
24 IPv4 Routing................................................................................................... 443
IP Addresses......................................................................................................................................443
Implementation Information......................................................................................................443
Configuration Tasks for IP Addresses.............................................................................................. 443
Assigning IP Addresses to an Interface............................................................................................444
Configuring Static Routes................................................................................................................ 445
Configure Static Routes for the Management Interface.................................................................446
Enabling Directed Broadcast............................................................................................................446
Resolution of Host Names............................................................................................................... 447
Enabling Dynamic Resolution of Host Names................................................................................ 447
Specifying the Local System Domain and a List of Domains......................................................... 448
Configuring DNS with Traceroute................................................................................................... 448
ARP....................................................................................................................................................449
Configuration Tasks for ARP............................................................................................................ 449
Configuring Static ARP Entries.........................................................................................................450
Enabling Proxy ARP.......................................................................................................................... 450
Clearing ARP Cache......................................................................................................................... 450
ARP Learning via Gratuitous ARP......................................................................................................451
Enabling ARP Learning via Gratuitous ARP...................................................................................... 451
ARP Learning via ARP Request..........................................................................................................451
Configuring ARP Retries................................................................................................................... 452
ICMP.................................................................................................................................................. 453
Configuration Tasks for ICMP.......................................................................................................... 453
Enabling ICMP Unreachable Messages............................................................................................453
UDP Helper....................................................................................................................................... 454
Configure UDP Helper................................................................................................................454
Important Points to Remember................................................................................................. 454
Enabling UDP Helper........................................................................................................................454
Configuring a Broadcast Address.....................................................................................................455
Configurations Using UDP Helper................................................................................................... 455
UDP Helper with Broadcast-All Addresses...................................................................................... 455
UDP Helper with Subnet Broadcast Addresses............................................................................... 456
UDP Helper with Configured Broadcast Addresses........................................................................ 457
UDP Helper with No Configured Broadcast Addresses.................................................................. 457
Troubleshooting UDP Helper...........................................................................................................458
25 IPv6 Routing....................................................................................................459
Protocol Overview............................................................................................................................459
Extended Address Space............................................................................................................ 459
Stateless Autoconfiguration....................................................................................................... 459
IPv6 Headers...............................................................................................................................460
IPv6 Header Fields.......................................................................................................................461
Extension Header Fields............................................................................................................. 462
IPv6 Addressing...........................................................................................................................463
IPv6 Implementation on the Dell Networking OS...........................................................................465
Configuring the LPM Table for IPv6 Extended Prefixes.................................................................. 467
ICMPv6.............................................................................................................................................. 467
Path MTU Discovery......................................................................................................................... 467
IPv6 Neighbor Discovery..................................................................................................................468
IPv6 Neighbor Discovery of MTU Packets.................................................................................469
Configuring the IPv6 Recursive DNS Server..............................................................................469
Secure Shell (SSH) Over an IPv6 Transport...................................................................................... 471
Configuration Tasks for IPv6.............................................................................................................471
Adjusting Your CAM Profile.........................................................................................................472
Assigning an IPv6 Address to an Interface................................................................................. 472
Assigning a Static IPv6 Route......................................................................................................473
Configuring Telnet with IPv6......................................................................................................474
SNMP over IPv6...........................................................................................................................474
Displaying IPv6 Information....................................................................................................... 474
Displaying an IPv6 Configuration............................................................................................... 475
Displaying IPv6 Routes................................................................................................................475
Displaying the Running Configuration for an Interface.............................................................477
Clearing IPv6 Routes...................................................................................................................477
26 iSCSI Optimization.........................................................................................478
iSCSI Optimization Overview........................................................................................................... 478
Default iSCSI Optimization Values...................................................................................................480
iSCSI Optimization Prerequisites..................................................................................................... 480
Configuring iSCSI Optimization.......................................................................................................480
Displaying iSCSI Optimization Information..................................................................................... 483
Enable and Disable iSCSI Optimization........................................................................................... 484
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer..............................................485
Monitoring iSCSI Traffic Flows......................................................................................................... 485
Information Monitored in iSCSI Traffic Flows..................................................................................485
Detection and Auto-Configuration for Dell EqualLogic Arrays......................................................486
Configuring Detection and Ports for Dell Compellent Arrays........................................................486
Application of Quality of Service to iSCSI Traffic Flows..................................................................487
27 Intermediate System to Intermediate System..........................................488
IS-IS Protocol Overview...................................................................................................................488
IS-IS Addressing................................................................................................................................488
Multi-Topology IS-IS........................................................................................................................ 489
Transition Mode..........................................................................................................................489
Interface Support........................................................................................................................490
Adjacencies.................................................................................................................................490
Graceful Restart................................................................................................................................490
Timers..........................................................................................................................................490
Implementation Information............................................................................................................ 491
Configuration Information............................................................................................................... 492
Configuration Tasks for IS-IS......................................................................................................492
Configuring the Distance of a Route..........................................................................................501
Changing the IS-Type................................................................................................................. 501
Redistributing IPv4 Routes......................................................................................................... 504
Redistributing IPv6 Routes..........................................................................................................505
Configuring Authentication Passwords..................................................................................... 506
Setting the Overload Bit............................................................................................................. 506
Debugging IS-IS.......................................................................................................................... 507
IS-IS Metric Styles.............................................................................................................................508
Configure Metric Values...................................................................................................................508
Maximum Values in the Routing Table...................................................................................... 509
Change the IS-IS Metric Style in One Level Only......................................................................509
Leaks from One Level to Another............................................................................................... 511
Sample Configurations......................................................................................................................511
28 Link Aggregation Control Protocol (LACP)...............................................514
Introduction to Dynamic LAGs and LACP........................................................................................514
Important Points to Remember..................................................................................................514
LACP Modes.................................................................................................................................515
Configuring LACP Commands....................................................................................................515
LACP Configuration Tasks................................................................................................................ 516
Creating a LAG.............................................................................................................................516
Configuring the LAG Interfaces as Dynamic.............................................................................. 517
Setting the LACP Long Timeout..................................................................................................517
Monitoring and Debugging LACP...............................................................................................518
Shared LAG State Tracking............................................................................................................... 518
Configuring Shared LAG State Tracking.....................................................................................519
Important Points about Shared LAG State Tracking..................................................................520
LACP Basic Configuration Example..................................................................................................521
Configure a LAG on ALPHA.........................................................................................................521
29 Layer 2..............................................................................................................529
Manage the MAC Address Table...................................................................................................... 529
Clearing the MAC Address Table................................................................................................529
Setting the Aging Time for Dynamic Entries..............................................................................529
Configuring a Static MAC Address............................................................................................. 530
Displaying the MAC Address Table.............................................................................................530
MAC Learning Limit.......................................................................................................................... 530
Setting the MAC Learning Limit.................................................................................................. 531
mac learning-limit Dynamic....................................................................................................... 531
mac learning-limit mac-address-sticky..................................................................................... 531
mac learning-limit station-move............................................................................................... 532
mac learning-limit no-station-move......................................................................................... 532
Learning Limit Violation Actions.................................................................................................533
Setting Station Move Violation Actions...................................................................................... 533
Recovering from Learning Limit and Station Move Violations..................................................533
NIC Teaming..................................................................................................................................... 534
Configure Redundant Pairs...............................................................................................................535
Important Points about Configuring Redundant Pairs.............................................................. 537
Far-End Failure Detection................................................................................................................ 538
FEFD State Changes....................................................................................................................539
Configuring FEFD........................................................................................................................540
Enabling FEFD on an Interface....................................................................................................541
Debugging FEFD......................................................................................................................... 542
30 Link Layer Discovery Protocol (LLDP)........................................................544
802.1AB (LLDP) Overview.................................................................................................................544
Protocol Data Units.................................................................................................................... 544
Optional TLVs....................................................................................................................................545
Management TLVs...................................................................................................................... 545
TIA-1057 (LLDP-MED) Overview...................................................................................................... 547
TIA Organizationally Specific TLVs.............................................................................................548
Configure LLDP.................................................................................................................................552
Related Configuration Tasks.......................................................................................................552
Important Points to Remember..................................................................................................553
LLDP Compatibility......................................................................................................................553
CONFIGURATION versus INTERFACE Configurations....................................................................553
Enabling LLDP................................................................................................................................... 554
Disabling and Undoing LLDP......................................................................................................554
Enabling LLDP on Management Ports............................................................................................. 554
Disabling and Undoing LLDP on Management Ports................................................................554
Advertising TLVs................................................................................................................................555
Viewing the LLDP Configuration......................................................................................................556
Viewing Information Advertised by Adjacent LLDP Agents.............................................................557
Configuring LLDPDU Intervals......................................................................................................... 558
Configuring Transmit and Receive Mode........................................................................................ 558
Configuring a Time to Live............................................................................................................... 559
Debugging LLDP...............................................................................................................................560
Relevant Management Objects........................................................................................................ 561
31 Microsoft Network Load Balancing............................................................ 567
NLB Unicast and Multicast Modes....................................................................................................567
NLB Unicast Mode Example....................................................................................................... 567
NLB Multicast Mode Example.....................................................................................................568
NLB Benefits......................................................................................................................................568
NLB Restrictions................................................................................................................................568
NLB VLAN Flooding.......................................................................................................................... 569
Configuring NLB on a Switch...........................................................................................................569
32 Multicast Source Discovery Protocol (MSDP)...........................................570
Protocol Overview............................................................................................................................ 570
Anycast RP.........................................................................................................................................572
Implementation Information............................................................................................................ 572
Configure Multicast Source Discovery Protocol............................................................................. 572
Related Configuration Tasks.......................................................................................................572
Enable MSDP..................................................................................................................................... 576
Manage the Source-Active Cache....................................................................................................577
Viewing the Source-Active Cache..............................................................................................577
Limiting the Source-Active Cache............................................................................................. 578
Clearing the Source-Active Cache.............................................................................................578
Enabling the Rejected Source-Active Cache.............................................................................578
Accept Source-Active Messages that Fail the RPF Check...............................................................578
Specifying Source-Active Messages................................................................................................ 582
Limiting the Source-Active Messages from a Peer......................................................................... 583
Preventing MSDP from Caching a Local Source.............................................................................583
Preventing MSDP from Caching a Remote Source.........................................................................584
Preventing MSDP from Advertising a Local Source.........................................................................585
Logging Changes in Peership States................................................................................................586
Terminating a Peership.....................................................................................................................586
Clearing Peer Statistics..................................................................................................................... 586
Debugging MSDP..............................................................................................................................587
MSDP with Anycast RP......................................................................................................................587
Configuring Anycast RP....................................................................................................................589
Reducing Source-Active Message Flooding
Specifying the RP Address Used in SA Messages
MSDP Sample Configurations
33 Multiple Spanning Tree Protocol (MSTP)
Protocol Overview
Spanning Tree Variations
Implementation Information
Configure Multiple Spanning Tree Protocol
Related Configuration Tasks
Enable Multiple Spanning Tree Globally
Adding and Removing Interfaces
Creating Multiple Spanning Tree Instances
Influencing MSTP Root Selection
Interoperate with Non-Dell Bridges
Changing the Region Name or Revision
Modifying Global Parameters
Modifying the Interface Parameters
Configuring an EdgePort
Flush MAC Addresses after a Topology Change
MSTP Sample Configurations
Router 1 Running-Configuration
Router 2 Running-Configuration
Router 3 Running-Configuration
Example Running-Configuration
Debugging and Verifying MSTP Configurations
34 Multicast Features
Enabling IP Multicast
Multicast with ECMP
Implementation Information
First Packet Forwarding for Lossless Multicast
Multicast Policies
IPv4 Multicast Policies
35 Open Shortest Path First (OSPFv2 and OSPFv3)
Protocol Overview
Autonomous System (AS) Areas
Area Types
Networks and Neighbors
Router Types
Designated and Backup Designated Routers
Link-State Advertisements (LSAs)
Virtual Links
Router Priority and Cost
OSPF Implementation
Fast Convergence (OSPFv2, IPv4 Only)
Multi-Process OSPFv2 (IPv4 only)
RFC-2328 Compliant OSPF Flooding
OSPF ACK Packing
Setting OSPF Adjacency with Cisco Routers
Configuration Information
Configuration Task List for OSPFv2 (OSPF for IPv4)
Sample Configurations for OSPFv2
Basic OSPFv2 Router Topology
OSPF Area 0 — Te 1/1 and 1/2
OSPF Area 0 — Te 3/1 and 3/2
OSPF Area 0 — Te 2/1 and 2/2
Configuration Task List for OSPFv3 (OSPF for IPv6)
Enabling IPv6 Unicast Routing
Assigning IPv6 Addresses on an Interface
Assigning Area ID on an Interface
Assigning OSPFv3 Process ID and Router ID Globally
Configuring Stub Areas
Configuring Passive-Interface
Redistributing Routes
Configuring a Default Route
OSPFv3 Authentication Using IPsec
Troubleshooting OSPFv3
36 Pay As You Grow
Installing a License
Displaying License Information
37 PIM Sparse-Mode (PIM-SM)
Implementation Information
Protocol Overview
Requesting Multicast Traffic
Refuse Multicast Traffic
Send Multicast Traffic
Configuring PIM-SM
Related Configuration Tasks
Enable PIM-SM
Configuring S,G Expiry Timers
Configuring a Static Rendezvous Point
Overriding Bootstrap Router Updates
Configuring a Designated Router
Creating Multicast Boundaries and Domains
Enabling PIM-SM Graceful Restart
38 PIM Source-Specific Mode (PIM-SSM)
Implementation Information
Important Points to Remember
Configure PIM-SSM
Related Configuration Tasks
Enabling PIM-SSM
Use PIM-SSM with IGMP Version 2 Hosts
Configuring PIM-SSM with IGMPv2
39 Policy-based Routing (PBR)
Overview
Implementing Policy-based Routing with Dell Networking OS
Configuration Task List for Policy-based Routing
PBR Exceptions (Permit)
Sample Configuration
Create the Redirect-List GOLD
Assign Redirect-List GOLD to Interface 2/11
View Redirect-List GOLD
40 Port Monitoring
Local Port Monitoring
Important Points to Remember
Examples of Port Monitoring
Configuring Port Monitoring
Remote Port Mirroring
Remote Port Mirroring Example
Configuring Remote Port Mirroring
Displaying a Remote-Port Mirroring Configuration
Configuring Remote Port Monitoring
Encapsulated Remote-Port Monitoring
41 Private VLANs (PVLAN)
Private VLAN Concepts
Using the Private VLAN Commands
Configuration Task List
Creating PVLAN ports
Creating a Primary VLAN
Creating a Community VLAN
Creating an Isolated VLAN
Private VLAN Configuration Example
Inspecting the Private VLAN Configuration
42 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
Implementation Information
Configure Per-VLAN Spanning Tree Plus
Related Configuration Tasks
Enabling PVST+
Disabling PVST+
Influencing PVST+ Root Selection
Modifying Global PVST+ Parameters
Modifying Interface PVST+ Parameters
Configuring an EdgePort
PVST+ in Multi-Vendor Networks
Enabling PVST+ Extend System ID
PVST+ Sample Configurations
43 Quality of Service (QoS)
Implementation Information
Port-Based QoS Configurations
Setting dot1p Priorities for Incoming Traffic
Honoring dot1p Priorities on Ingress Traffic
Configuring Port-Based Rate Policing
Configuring Port-Based Rate Shaping
Policy-Based QoS Configurations
Classify Traffic
Create a QoS Policy
Create Policy Maps
DSCP Color Maps
Creating a DSCP Color Map
Displaying DSCP Color Maps
Displaying a DSCP Color Policy Configuration
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection
Creating WRED Profiles
Applying a WRED Profile to Traffic
Displaying Default and Configured WRED Profiles
Displaying WRED Drop Statistics
Explicit Congestion Notification
ECN Packet Classification
Example: Color-marking non-ECN Packets in One Traffic Class
Example: Color-marking non-ECN Packets in Different Traffic Classes
Using A Configurable Weight for WRED and ECN
Benefits of Using a Configurable Weight for WRED with ECN
Setting Average Queue Size using a Weight
Global Service-Pools for WRED with ECN
Configuring a Weight for WRED and ECN Operation
Pre-Calculating Available QoS CAM Space
SNMP Support for Buffer Statistics Tracking
44 Routing Information Protocol (RIP)
Protocol Overview
RIPv1
RIPv2
Implementation Information
Configuration Information
Configuration Task List
RIP Configuration Example
45 Remote Monitoring (RMON)
Implementation Information
Fault Recovery
Setting the RMON Alarm
Configuring an RMON Event
Configuring RMON Collection Statistics
Configuring the RMON Collection History
46 Rapid Spanning Tree Protocol (RSTP)
Protocol Overview
Configuring Rapid Spanning Tree
Related Configuration Tasks
Important Points to Remember
RSTP and VLT
Configuring Interfaces for Layer 2 Mode
Enabling Rapid Spanning Tree Protocol Globally
Adding and Removing Interfaces
Modifying Global Parameters
Enabling SNMP Traps for Root Elections and Topology Changes
Modifying Interface Parameters
Influencing RSTP Root Selection
Configuring an EdgePort
Configuring Fast Hellos for Link State Detection
47 Security
Role-Based Access Control
Overview of RBAC
User Roles
AAA Authentication and Authorization for Roles
Role Accounting
Display Information About User Roles
AAA Accounting
Configuration Task List for AAA Accounting
AAA Authentication
Configuration Task List for AAA Authentication
Obscuring Passwords and Keys
AAA Authorization
Privilege Levels Overview
Configuration Task List for Privilege Levels
RADIUS
RADIUS Authentication and Authorization
Configuration Task List for RADIUS
TACACS+
Configuration Task List for TACACS+
TACACS+ Remote Authentication and Authorization
Command Authorization
Protection from TCP Tiny and Overlapping Fragment Attacks
Enabling SCP and SSH
Using SCP with SSH to Copy a Software Image
Removing the RSA Host Keys and Zeroizing Storage
Configuring When to Re-generate an SSH Key
Configuring the SSH Server Cipher List
Configuring the HMAC Algorithm for the SSH Server
Configuring the SSH Server Cipher List
Secure Shell Authentication
Troubleshooting SSH
Telnet
VTY Line and Access-Class Configuration
VTY Line Local Authentication and Authorization
VTY Line Remote Authentication and Authorization
VTY MAC-SA Filter Support
48 Service Provider Bridging
VLAN Stacking
Important Points to Remember
Configure VLAN Stacking
Creating Access and Trunk Ports
Enable VLAN-Stacking for a VLAN
Configuring the Protocol Type Value for the Outer VLAN Tag
Configuring Options for Trunk Ports
Debugging VLAN Stacking
VLAN Stacking in Multi-Vendor Networks
VLAN Stacking Packet Drop Precedence
Enabling Drop Eligibility
Honoring the Incoming DEI Value
Marking Egress Packets with a DEI Value
Dynamic Mode CoS for VLAN Stacking
Mapping C-Tag to S-Tag dot1p Values
Layer 2 Protocol Tunneling
Implementation Information
Enabling Layer 2 Protocol Tunneling
Specifying a Destination MAC Address for BPDUs
Setting Rate-Limit BPDUs
Debugging Layer 2 Protocol Tunneling
Provider Backbone Bridging
49 sFlow
Overview
Implementation Information
Important Points to Remember
Enabling and Disabling sFlow
Enabling and Disabling sFlow on an Interface
Enabling sFlow Max-Header Size Extended
sFlow Show Commands
Displaying Show sFlow Global
Displaying Show sFlow on an Interface
Displaying Show sFlow on a Line Card
Configuring Specify Collectors
Changing the Polling Intervals
Back-Off Mechanism
sFlow on LAG ports
Enabling Extended sFlow
Important Points to Remember
50 Simple Network Management Protocol (SNMP)
Protocol Overview
Implementation Information
Configuration Task List for SNMP....................................................................................................844
Related Configuration Tasks...................................................................................................... 845
Important Points to Remember....................................................................................................... 845
Set up SNMP..................................................................................................................................... 845
Creating a Community............................................................................................................... 845
Setting Up User-Based Security (SNMPv3)................................................................................ 846
Reading Managed Object Values..................................................................................................... 847
Writing Managed Object Values...................................................................................................... 848
Configuring Contact and Location Information using SNMP........................................................ 848
Subscribing to Managed Object Value Updates using SNMP.........................................................849
Enabling a Subset of SNMP Traps....................................................................................................850
Copy Configuration Files Using SNMP.............................................................................................852
Copying a Configuration File..................................................................................................... 854
Copying Configuration Files via SNMP...................................................................................... 855
Copying the Startup-Config Files to the Running-Config........................................................855
Copying the Startup-Config Files to the Server via FTP............................................................856
Copying the Startup-Config Files to the Server via TFTP..........................................................856
Copy a Binary File to the Startup-Configuration....................................................................... 857
Additional MIB Objects to View Copy Statistics.........................................................................857
Obtaining a Value for MIB Objects.............................................................................................858
MIB Support to Display the Available Memory Size on Flash..........................................................859
Viewing the Available Flash Memory Size..................................................................................859
MIB Support to Display the Software Core Files Generated by the System...................................859
Viewing the Software Core Files Generated by the System..................................................... 860
Manage VLANs using SNMP.............................................................................................................860
Creating a VLAN..........................................................................................................................860
Assigning a VLAN Alias................................................................................................................ 861
Displaying the Ports in a VLAN................................................................................................... 861
Add Tagged and Untagged Ports to a VLAN..............................................................................861
Managing Overload on Startup........................................................................................................862
Enabling and Disabling a Port using SNMP..................................................................................... 863
Fetch Dynamic MAC Entries using SNMP........................................................................................863
Deriving Interface Indices.................................................................................................................865
Monitor Port-Channels.................................................................................................................... 866
Troubleshooting SNMP Operation...................................................................................................867
51 Storm Control.................................................................................................868
Configure Storm Control................................................................................................................. 868
Configuring Storm Control from INTERFACE Mode.................................................................868
Configuring Storm Control from CONFIGURATION Mode......................................................868
52 Spanning Tree Protocol (STP)......................................................................869
Protocol Overview............................................................................................................................869
Configure Spanning Tree................................................................................................................. 869
Related Configuration Tasks...................................................................................................... 869
Important Points to Remember.......................................................................................................869
Configuring Interfaces for Layer 2 Mode.........................................................................................870
Enabling Spanning Tree Protocol Globally...................................................................................... 871
Adding an Interface to the Spanning Tree Group........................................................................... 873
Modifying Global Parameters...........................................................................................................874
Modifying Interface STP Parameters................................................................................................875
Enabling PortFast.............................................................................................................................. 875
Preventing Network Disruptions with BPDU Guard........................................................................876
Selecting STP Root........................................................................................................................... 878
STP Root Guard................................................................................................................................ 879
Root Guard Scenario.................................................................................................................. 879
Configuring Root Guard.............................................................................................................880
Enabling SNMP Traps for Root Elections and Topology Changes................................................. 881
STP Loop Guard................................................................................................................................ 881
Configuring Loop Guard............................................................................................................ 882
Displaying STP Guard Configuration............................................................................................... 883
53 System Time and Date...................................................................................885
Network Time Protocol....................................................................................................................885
Protocol Overview......................................................................................................................886
Configure the Network Time Protocol...................................................................................... 887
Enabling NTP...............................................................................................................................887
Configuring NTP Broadcasts...................................................................................................... 887
Disabling NTP on an Interface................................................................................................... 888
Configuring a Source IP Address for NTP Packets....................................................................888
Configuring NTP Authentication................................................................................................888
Time and Date...................................................................................................................................892
Configuration Task List ..............................................................................................................892
Setting the Time and Date for the Switch Software Clock....................................................... 892
Setting the Timezone................................................................................................................. 892
Set Daylight Saving Time............................................................................................................ 893
Setting Daylight Saving Time Once............................................................................................893
Setting Recurring Daylight Saving Time.................................................................................... 894
54 Tunneling ....................................................................................................... 896
Configuring a Tunnel........................................................................................................................896
Configuring Tunnel Keepalive Settings............................................................................................897
Configuring a Tunnel Interface........................................................................................................898
Configuring Tunnel allow-remote Decapsulation..........................................................................898
Configuring Tunnel source anylocal Decapsulation.......................................................................899
Multipoint Receive-Only Tunnels.................................................................................................... 899
Guidelines for Configuring Multipoint Receive-Only Tunnels................................................. 899
55 Upgrade Procedures......................................................................................901
Upgrade Overview; Get Help with Upgrades.....................................................................................901
Z9500 Bootup and Upgrades...........................................................................................................901
56 Uplink Failure Detection (UFD)....................................................................903
Feature Description.......................................................................................................................... 903
How Uplink Failure Detection Works.............................................................................................. 904
UFD and NIC Teaming......................................................................................................................905
Important Points to Remember....................................................................................................... 905
Configuring Uplink Failure Detection..............................................................................................906
Clearing a UFD-Disabled Interface..................................................................................................908
Displaying Uplink Failure Detection.................................................................................................909
Sample Configuration: Uplink Failure Detection..............................................................................911
57 Virtual LANs (VLANs)...................................................................................... 913
Default VLAN..................................................................................................................................... 913
Port-Based VLANs.............................................................................................................................914
VLANs and Port Tagging...................................................................................................................914
Configuration Task List..................................................................................................................... 915
Creating a Port-Based VLAN.......................................................................................................915
Assigning Interfaces to a VLAN...................................................................................................916
Moving Untagged Interfaces.......................................................................................................917
Assigning an IP Address to a VLAN.............................................................................................918
Configuring Native VLANs................................................................................................................ 919
Enabling Null VLAN as the Default VLAN.........................................................................................920
58 Virtual Routing and Forwarding (VRF)....................................................... 921
VRF Overview.................................................................................................................................... 921
VRF Configuration Notes..................................................................................................................922
DHCP...........................................................................................................................................925
VRF Configuration.............................................................................................................................925
Load VRF CAM.............................................................................................................................925
Creating a Non-Default VRF Instance........................................................................................925
Assigning an Interface to a VRF..................................................................................................925
Assigning a Front-end Port to a Management VRF...................................................................926
View VRF Instance Information..................................................................................................926
Assigning an OSPF Process to a VRF Instance...........................................................................927
Configuring VRRP on a VRF Instance.........................................................................................927
Configuring Management VRF...................................................................................................928
Configuring a Static Route......................................................................................................... 928
Sample VRF Configuration............................................................................................................... 929
Route Leaking VRFs.......................................................................................................................... 936
Dynamic Route Leaking................................................................................................................... 936
Configuring Route Leaking without Filtering Criteria................................................................936
Configuring Route Leaking with Filtering.................................................................................. 939
59 Virtual Link Trunking (VLT).......................................................................... 942
Overview........................................................................................................................................... 942
VLT on Core Switches................................................................................................................ 943
Enhanced VLT............................................................................................................................. 943
VLT Terminology.............................................................................................................................. 944
Configure Virtual Link Trunking....................................................................................................... 945
Important Points to Remember................................................................................................. 945
Configuration Notes...................................................................................................................946
Primary and Secondary VLT Peers............................................................................................. 949
RSTP and VLT..............................................................................................................................950
VLT Bandwidth Monitoring.........................................................................................................950
VLT and IGMP Snooping.............................................................................................................950
VLT IPv6.......................................................................................................................................950
VLT Port Delayed Restoration.....................................................................................................951
PIM-Sparse Mode Support on VLT............................................................................................. 951
VLT Routing ................................................................................................................................953
Non-VLT ARP Sync..................................................................................................................... 955
RSTP Configuration.......................................................................................................................... 956
Preventing Forwarding Loops in a VLT Domain........................................................................956
Sample RSTP Configuration....................................................................................................... 956
Configuring VLT.......................................................................................................................... 957
PVST+ Configuration........................................................................................................................968
Sample PVST+ Configuration.....................................................................................................968
eVLT Configuration Example........................................................................................................... 969
eVLT Configuration Step Examples............................................................................................970
PIM-Sparse Mode Configuration Example...................................................................................... 972
Verifying a VLT Configuration.......................................................................................................... 973
Additional VLT Sample Configurations............................................................................................ 976
Configuring Virtual Link Trunking (VLT Peer 1); Configuring Virtual Link Trunking (VLT Peer 2); Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)......................................................................................... 977
Troubleshooting VLT........................................................................................................................ 979
Reconfiguring Stacked Switches as VLT..........................................................................................980
Specifying VLT Nodes in a PVLAN....................................................................................................981
Association of VLTi as a Member of a PVLAN............................................................................982
MAC Synchronization for VLT Nodes in a PVLAN..................................................................... 982
PVLAN Operations When One VLT Peer is Down..................................................................... 982
PVLAN Operations When a VLT Peer is Restarted.....................................................................983
Interoperation of VLT Nodes in a PVLAN with ARP Requests...................................................983
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........983
Configuring a VLT VLAN or LAG in a PVLAN................................................................................... 985
Creating a VLT LAG or a VLT VLAN............................................................................................985
Associating the VLT LAG or VLT VLAN in a PVLAN................................................................... 986
Proxy ARP Capability on VLT Peer Nodes........................................................................................987
Working of Proxy ARP for VLT Peer Nodes............................................................................... 988
VLT Nodes as Rendezvous Points for Multicast Resiliency.............................................................989
Configuring VLAN-Stack over VLT...................................................................................................989
60 VLT Proxy Gateway....................................................................................... 994
Proxy Gateway in VLT Domains.......................................................................................................994
LLDP organizational TLV for proxy gateway..............................................................................996
Sample Configuration Scenario for VLT Proxy Gateway...........................................................997
Configuring an LLDP VLT Proxy Gateway....................................................................................... 999
61 Virtual Router Redundancy Protocol (VRRP)......................................... 1000
VRRP Overview...............................................................................................................................1000
VRRP Benefits..................................................................................................................................1001
VRRP Implementation.....................................................................................................................1001
VRRP Configuration........................................................................................................................1002
Configuration Task List.............................................................................................................1002
Setting VRRP Initialization Delay...............................................................................................1012
Sample Configurations................................................................................................................... 1013
VRRP for an IPv4 Configuration................................................................................................1013
VRRP in a VRF Configuration.................................................................................................... 1018
62 Standards Compliance................................................................................1024
IEEE Compliance............................................................................................................................ 1024
RFC and I-D Compliance............................................................................................................... 1025
General Internet Protocols....................................................................................................... 1025
Border Gateway Protocol (BGP)...............................................................................................1026
General IPv4 Protocols............................................................................................................. 1027
General IPv6 Protocols.............................................................................................................1028
Intermediate System to Intermediate System (IS-IS)...............................................................1029
Network Management.............................................................................................................. 1031
Multicast.................................................................................................................................... 1037
Open Shortest Path First (OSPF)...............................................................................................1038
Routing Information Protocol (RIP)......................................................................................... 1039
MIB Location...................................................................................................................................1039
1

About this Guide

This guide describes the protocols and features that the Dell Networking Operating Software (OS) supports on the Z9500 system and provides configuration instructions and examples for implementing them.
Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems. For complete information about protocols, refer to related documentation, including IETF requests for comments (RFCs). The instructions in this guide cite relevant RFCs. The Standards Compliance chapter contains a complete list of the supported RFCs and management information base files (MIBs).

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks and assumes knowledge in Layer 2 and Layer 3 networking technologies.

Conventions

This guide uses the following conventions to describe command syntax.
keyword Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.
parameter Parameters are in italics and require a number or word to be entered in the CLI.
{X} Keywords and parameters within braces must be entered in the CLI.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one option.
x||y Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell Networking Z9500 system, refer to the following documents:
Dell Networking Z9500 Getting Started Guide
Dell Networking Z9500 Installation Guide
Dell Networking Z9500 Command Line Reference Guide
Dell Networking Z9500 Release Notes
2

Configuration Fundamentals

The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.
The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
After you enter a command, the command is added to the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration to another location.
NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. Differences are noted in each CLI description and related documentation.

Accessing the Command Line

Access the CLI through a serial console port or a Telnet session. When the system successfully boots, enter the command line in EXEC mode.
NOTE: You must have a password configured on a virtual terminal line before you can Telnet into the system. Therefore, you must use a console connection when connecting to the system for the first time.
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
Dell>

CLI Modes

Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (except for EXEC mode commands with a preceding do command; refer to the do Command section).
You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.
The CLI is divided into three major mode levels:
EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
CONFIGURATION mode allows you to configure security features, time settings, set logging and SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 10 Gigabit Ethernet, or 40 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
LINE submode is the mode in which you configure the console and virtual terminal lines.
NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.
The CLI modes are:

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.
The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers to identify the mode and slot/port information.
Table 1. Command Modes
CLI Command Mode               Prompt                                       Access Command
EXEC                           Dell>                                        Access the router through the console or Telnet.
EXEC Privilege                 Dell#                                        From EXEC mode, enter the enable command.
                                                                            From any other mode, use the end command.
CONFIGURATION                  Dell(conf)#                                  From EXEC privilege mode, enter the configure command.
                                                                            From every mode except EXEC and EXEC Privilege, enter the exit command.
NOTE: Access all of the following modes from CONFIGURATION mode.
AS-PATH ACL                    Dell(config-as-path)#                        ip as-path access-list
10 Gigabit Ethernet Interface  Dell(conf-if-te-0/0)#                        interface (INTERFACE modes)
40 Gigabit Ethernet Interface  Dell(conf-if-fo-0/0)#                        interface (INTERFACE modes)
Interface Range                Dell(conf-if-range)#                         interface (INTERFACE modes)
Loopback Interface             Dell(conf-if-lo-0)#                          interface (INTERFACE modes)
Management Ethernet Interface  Dell(conf-if-ma-0/0)#                        interface (INTERFACE modes)
Null Interface                 Dell(conf-if-nu-0)#                          interface (INTERFACE modes)
Port-channel Interface         Dell(conf-if-po-0)#                          interface (INTERFACE modes)
Tunnel Interface               Dell(conf-if-tu-0)#                          interface (INTERFACE modes)
VLAN Interface                 Dell(conf-if-vl-0)#                          interface (INTERFACE modes)
STANDARD ACCESS-LIST           Dell(config-std-nacl)#                       ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST           Dell(config-ext-nacl)#                       ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST              Dell(config-community-list)#                 ip community-list
AUXILIARY                      Dell(config-line-aux)#                       line (LINE Modes)
CONSOLE                        Dell(config-line-console)#                   line (LINE Modes)
VIRTUAL TERMINAL               Dell(config-line-vty)#                       line (LINE Modes)
STANDARD ACCESS-LIST           Dell(config-std-macl)#                       mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST           Dell(config-ext-macl)#                       mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE         Dell(config-mstp)#                           protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus    Dell(config-pvst)#                           protocol spanning-tree pvst
PREFIX-LIST                    Dell(conf-nprefixl)#                         ip prefix-list
RAPID SPANNING TREE            Dell(config-rstp)#                           protocol spanning-tree rstp
REDIRECT                       Dell(conf-redirect-list)#                    ip redirect-list
ROUTE-MAP                      Dell(config-route-map)#                      route-map
ROUTER BGP                     Dell(conf-router_bgp)#                       router bgp
BGP ADDRESS-FAMILY             Dell(conf-router_bgp_af)# (for IPv4)         address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP Mode)
                               Dell(conf-routerZ_bgpv6_af)# (for IPv6)
ROUTER ISIS                    Dell(conf-router_isis)#                      router isis
ISIS ADDRESS-FAMILY            Dell(conf-router_isis-af_ipv6)#              address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF                    Dell(conf-router_ospf)#                      router ospf
ROUTER OSPFV3                  Dell(conf-ipv6router_ospf)#                  ipv6 router ospf
ROUTER RIP                     Dell(conf-router_rip)#                       router rip
SPANNING TREE                  Dell(config-span)#                           protocol spanning-tree 0
TRACE-LIST                     Dell(conf-trace-acl)#                        ip trace-list
CLASS-MAP                      Dell(config-class-map)#                      class-map
CONTROL-PLANE                  Dell(conf-control-cpuqos)#                   control-plane-cpuqos
DCB POLICY                     Dell(conf-dcb-in)# (for input policy)        dcb-input for input policy
                               Dell(conf-dcb-out)# (for output policy)      dcb-output for output policy
DHCP                           Dell(config-dhcp)#                           ip dhcp server
DHCP POOL                      Dell(config-dhcp-pool-name)#                 pool (DHCP Mode)
ECMP                           Dell(conf-ecmp-group-ecmp-group-id)#         ecmp-group
EIS                            Dell(conf-mgmt-eis)#                         management egress-interface-selection
FRRP                           Dell(conf-frrp-ring-id)#                     protocol frrp
LLDP                           Dell(conf-lldp)# or                          protocol lldp (CONFIGURATION or INTERFACE Modes)
                               Dell(conf-if-interface-lldp)#
LLDP MANAGEMENT INTERFACE      Dell(conf-lldp-mgmtIf)#                      management-interface (LLDP Mode)
LINE                           Dell(config-line-console) or                 line console or line vty
                               Dell(config-line-vty)
MONITOR SESSION                Dell(conf-mon-sess-sessionID)#               monitor session
OPENFLOW INSTANCE              Dell(conf-of-instance-of-id)#                openflow of-instance
PORT-CHANNEL FAILOVER-GROUP    Dell(conf-po-failover-grp)#                  port-channel failover-group
PRIORITY GROUP                 Dell(conf-pg)#                               priority-group
PROTOCOL GVRP                  Dell(config-gvrp)#                           protocol gvrp
QOS POLICY                     Dell(conf-qos-policy-out-ets)#               qos-policy-output
VLT DOMAIN                     Dell(conf-vlt-domain)#                       vlt domain
VRRP                           Dell(conf-if-interface-type-slot/port-vrid-vrrp-group-id)#  vrrp-group
u-Boot                         Dell(=>)#                                    Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
UPLINK STATE GROUP             Dell(conf-uplink-state-group-groupID)#       uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#

The do Command

Use the do command to enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode.
The following examples show how to use the do command in CONFIGURATION mode.
Rainier(conf)# do show ip interface brief
Interface                IP-Address  OK   Method  Status  Protocol
TenGigabitEthernet 0/0   unassigned  NO   Manual  up      down
TenGigabitEthernet 0/1   unassigned  NO   Manual  up      down
TenGigabitEthernet 0/2   unassigned  NO   Manual  up      down
TenGigabitEthernet 0/3   unassigned  NO   Manual  up      down
TenGigabitEthernet 0/4   unassigned  YES  Manual  up      up
TenGigabitEthernet 0/5   unassigned  YES  Manual  up      up
TenGigabitEthernet 0/6   unassigned  YES  Manual  up      up
TenGigabitEthernet 0/7   unassigned  YES  Manual  up      up
TenGigabitEthernet 0/8   unassigned  YES  Manual  up      up
TenGigabitEthernet 0/9   unassigned  YES  Manual  up      up

Rainier(conf)# do show version
Dell Real Time Operating System Software
Dell Operating System Version: 2.0
Dell Application Software Version: 9-5
Copyright (c) 1999-2014 by Dell Inc. All Rights Reserved.
Build Time: Wed Jul 2 11:24:04 2014
Build Path: /sites/eqx/work/swbuild01_1/build16/MERCED-MR-9-5-0/SW/SRC
Dell Networking OS uptime is 2 hour(s), 20 minute(s)
System image file is "rith-rainier"
System Type: Z9500
Control Processor: Intel Centerton with 3 Gbytes (3203928064 bytes) of memory, cores(s) 2.
16G bytes of boot flash memory.
1 36-port TE/FG (ZC)
2 48-port TE/FG (ZC)
520 Ten GigabitEthernet/IEEE 802.3 interface(s)
2 Forty GigabitEthernet/IEEE 802.3 interface(s)

Rainier(conf)# do show running-config interface tengigabitethernet 0/0
!
interface TenGigabitEthernet 0/0
 no ip address
 no shutdown

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config).
To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
Example of Viewing Disabled Commands
Dell(conf)#interface tengigabitethernet 4/17
Dell(conf-if-te-4/17)#ip address 192.168.10.1/24
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-te-4/17)#no ip address
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
 no ip address
 no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
Dell#?
calendar     Manage the hardware calendar
cd           Change current directory
change       Change subcommands
clear        Reset functions
clock        Manage the system clock
configure    Configuring from terminal
copy         Copy from one file to another
debug        Debug functions
--More--
Enter ? after a partial keyword to list all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map
clock
Dell(conf)#cl
Enter [space]? after a keyword to list all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
Dell(conf)#clock

Entering and Editing Commands

Notes for entering commands.
The CLI is not case-sensitive.
You can enter partial CLI keywords.
– Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The UP and DOWN arrow keys display previously entered commands (refer to Command History).
The BACKSPACE and DELETE keys erase the previous letter.
Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Short-Cut Key Combination   Action
CNTL-A                      Moves the cursor to the beginning of the command line.
CNTL-B                      Moves the cursor back one character.
CNTL-D                      Deletes character at cursor.
CNTL-E                      Moves the cursor to the end of the line.
CNTL-F                      Moves the cursor forward one character.
CNTL-I                      Completes a keyword.
CNTL-K                      Deletes all characters from the cursor to the end of the command line.
CNTL-L                      Re-enters the previous command.
CNTL-N                      Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P                      Recalls commands, beginning with the last command.
CNTL-R                      Re-enters the previous command.
CNTL-U                      Deletes the line.
CNTL-W                      Deletes the previous word.
CNTL-X                      Deletes the line.
CNTL-Z                      Ends continuous scrolling of command outputs.
Esc B                       Moves the cursor back one word.
Esc F                       Moves the cursor forward one word.
Esc D                       Deletes all characters from the cursor to the end of the word.

Command History

The Dell Networking OS maintains a history of previously-entered commands for each mode. For example:
When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command.
The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option.
The grep command accepts an ignore-case sub-option that forces the search to be case-insensitive. For example, the commands:
show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TengigabitEthernet 0/0.
show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show processes command.
Dell#show processes cpu cp | grep system
0    72000        7200     10000  17.97%  17.81%  17.96%  0    system
NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show processes command.
Example of the except Keyword
Dell#show processes cpu cp | except system
CPU utilization for five seconds: 28%/1%; one minute: 28%; five minutes: 28%
PID  Runtime(ms)  Invoked  uSecs  5Sec    1Min    5Min    TTY  Process
538  43770        4377     10000  6.50%   7.59%   8.68%   0    sys
535  51140        5114     10000  3.54%   3.53%   3.83%   0    sysdlp
614  300          30       10000  0.59%   0.06%   0.07%   0    ssMgr
557  190          19       10000  0.20%   0.00%   0.03%   0    ipm
615  130          13       10000  0.00%   0.02%   0.03%   0    ipSecMgr
508  290          29       10000  0.00%   0.02%   0.04%   0    confdMgr
720  330          33       10000  0.00%   0.13%   0.10%   0    clish
19   410          41       10000  0.00%   0.00%   0.00%   0    mount_mfs
30   60           6        10000  0.00%   0.00%   0.00%   0    mount_mfs
25   1720         172      10000  0.00%   0.00%   0.00%   0    mount_mfs
22   0            0        0      0.00%   0.00%   0.00%   0    mount_mfs
533  0            0        0      0.00%   0.00%   0.00%   0    sysmon
12   0            0        0      0.00%   0.00%   0.00%   0    mount_mfs
2    10           1        10000  0.00%   0.00%   0.00%   0    sh
1    0            0        0      0.00%   0.00%   0.00%   0    init
529  0            0        0      0.00%   0.00%   0.00%   0    sysmon
523  10           1        10000  0.00%   0.00%   0.00%   0    mount_mfs
646  0            0        0      0.00%   0.00%   0.00%   0    cron
445  0            0        0      0.00%   0.00%   0.00%   0    flashmntr
579  5670         567      10000  0.00%   0.00%   0.00%   0    confd
329  0            0        0      0.00%   0.00%   0.00%   0    inetd
655  270          27       10000  0.00%   0.00%   0.00%   0    login
244  30           3        10000  0.00%   0.00%   0.00%   0    sh
74   30           3        10000  0.00%   0.00%   0.00%   0    sh
The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show processes command.
Example of the find Keyword
Dell#show processes cpu cp | find system
0    72900        7290     10000  17.79%  17.93%  17.96%  0    system
538  42710        4271     10000  6.52%   7.74%   8.68%   0    sysd
535  50600        5060     10000  3.56%   3.61%   3.83%   0    sysdlp
720  290          29       10000  0.20%   0.07%   0.17%   0    clish
614  250          25       10000  0.00%   0.03%   0.07%   0    ssMgr
615  130          13       10000  0.00%   0.02%   0.04%   0    ipSecMgr
508  290          29       10000  0.00%   0.02%   0.09%   0    confdMgr
655  270          27       10000  0.00%   0.00%   0.09%   0    login
557  180          18       10000  0.00%   0.00%   0.06%   0    ipm
579  5670         567      10000  0.00%   0.00%   1.85%   0    confd
19   410          41       10000  0.00%   0.00%   0.00%   0    mount_mfs
22   0            0        0      0.00%   0.00%   0.00%   0    mount_mfs
533  0            0        0      0.00%   0.00%   0.00%   0    sysmon
12   0            0        0      0.00%   0.00%   0.00%   0    mount_mfs
2    10           1        10000  0.00%   0.00%   0.00%   0    sh
1    0            0        0      0.00%   0.00%   0.00%   0    init
529  0            0        0      0.00%   0.00%   0.00%   0    sysmon
523  10           1        10000  0.00%   0.00%   0.00%   0    mount_mfs
646  0            0        0      0.00%   0.00%   0.00%   0    cron
445  0            0        0      0.00%   0.00%   0.00%   0    flashmntr
329  0            0        0      0.00%   0.00%   0.00%   0    inetd
244  30           3        10000  0.00%   0.00%   0.00%   0    sh
74   30           3        10000  0.00%   0.00%   0.00%   0    sh
30   60           6        10000  0.00%   0.00%   0.00%   0    mount_mfs
25   1720         172      10000  0.00%   0.00%   0.00%   0    mount_mfs
The display command displays additional configuration information.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
The save command copies the output to a file for future reference.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example:
Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save
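The filter rules in this section (case-sensitive grep unless ignore-case is given, except, find, chaining, save last) can be reproduced offline on saved show output, which shows how a case-sensitive grep hides a match during a configuration review. This Python code is an added example, not Dell Networking code; it assumes plain substring matching rather than regular expressions, the function names are hypothetical, and the sample output is constructed.

```python
import re

# Constructed sample: a few lines in the style of "show running-config".
SAMPLE_OUTPUT = """\
interface TenGigabitEthernet 0/0
 no ip address
 no shutdown
interface ManagementEthernet 0/0
 ip address 10.11.130.2/24
 no shutdown
line vty 0
"""

# A token is a "double quoted phrase", a pipe, or a run of other characters.
# Pipes need no surrounding spaces, matching the NOTE in this section.
_TOKEN = re.compile(r'"[^"]*"|\||[^\s|"]+')


def parse_pipeline(pipeline):
    """Split 'grep X | except Y' into [['grep', 'X'], ['except', 'Y']]."""
    stages, current = [], []
    for token in _TOKEN.findall(pipeline):
        if token == "|":
            if current:
                stages.append(current)
            current = []
        else:
            current.append(token[1:-1] if token.startswith('"') else token)
    if current:
        stages.append(current)
    return stages


def apply_filters(output, pipeline):
    """Return the lines of `output` that survive the filter chain."""
    lines = output.splitlines()
    stages = parse_pipeline(pipeline)
    for position, (keyword, *args) in enumerate(stages):
        if keyword == "save":
            # The guide requires save to be the last option entered.
            if position != len(stages) - 1:
                raise ValueError("save must be the last option entered")
            continue  # writing the file is outside this example
        if keyword == "no-more":
            continue  # affects paging only, not content
        if keyword not in ("grep", "except", "find") or not args:
            raise ValueError("unsupported or incomplete filter: " + keyword)
        text = args[0]
        # ignore-case is documented as a sub-option of grep only.
        fold = keyword == "grep" and "ignore-case" in args[1:]

        def matches(line, text=text, fold=fold):
            if fold:
                return text.lower() in line.lower()
            return text in line  # case-sensitive by default

        if keyword == "grep":
            lines = [line for line in lines if matches(line)]
        elif keyword == "except":
            lines = [line for line in lines if not matches(line)]
        else:  # find: everything from the first matching line onward
            first = next((i for i, l in enumerate(lines) if matches(l)), None)
            lines = [] if first is None else lines[first:]
    return lines
```
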

Multiple Users in Configuration Mode

The Z9500 operating system notifies all users when there are multiple users logged in to CONFIGURATION mode.
A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established. For example:
On the system that telnets into the switch, this message appears:
% Warning: The following users are currently configuring the system:
User "<username>" on line console0
On the system that is connected over the console, this message appears:
% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode
If either of these messages appears, Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.

Getting Started

This chapter describes how you start configuring your Z9500 operating software.
When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
For details about using the command line interface (CLI), refer to the Accessing the Command Line section in the Configuration Fundamentals chapter.

Console Access

The Z9500 has two management ports:
A serial RS-232 /RJ-45 console port for a local management connection
An out-of-band (OOB) Ethernet port to manage the switch using its IP address

Serial Console

The RJ-45/RS-232 console port is labeled on the I/O side (upper right-hand) of the Z9500 chassis.
Figure 1. RJ-45 Console Port
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9500 console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3. Terminal settings on the console port cannot be changed in the software and are set as follows:
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control
Pin Assignments
You can connect to the console using an RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC).
The pin assignments between the console and a DTE terminal server are as follows:
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout   RJ-45 Pinout     DB-9 Pin                Signal
RTS            1              8                8                       CTS
NC             2              7                6                       DSR
TxD            3              6                2                       RxD
GND            4              5                5                       GND
GND            5              4                5                       GND
RxD            6              3                3                       TxD
NC             7              2                4                       DTR
CTS            8              1                7                       RTS

Default Configuration

Although a version of the Dell Networking OS is pre-loaded on the switch, the system is not configured when you power up the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.
Host names must start with a letter and end with a letter or digit.
Characters within the string can be letters, digits, and hyphens.
To create a host name, use the following command.
Create a host name. CONFIGURATION mode
hostname name
Example of the hostname Command
Dell(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or SSH.
The Z9500 has a dedicated management port and a management routing table that is separate from the IP routing table.
You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.

Accessing the Z9500 Remotely

Configuring the system for Telnet is a three-step process:
1. Configure an IP address for the management port. Refer to Configure the Management Port IP Address.
2. Configure a management route with a default gateway. Refer to Configure a Management Route.
3. Configure a username and password. Refer to Configure a Username and Password.

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.
NOTE: Assign an IP address to the management port.
1. Enter INTERFACE mode for the Management port.
CONFIGURATION mode
interface ManagementEthernet 0/0
The slot number is 0.
The port number is 0.
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
ip-address: an address in dotted-decimal format (A.B.C.D).
mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown

Configure a Management Route

Define a path from the Z9500 to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the Z9500 through the management port.
Configure a management route to the network from which you are accessing the system. CONFIGURATION mode
management route ip-address/mask gateway
– ip-address: the network address in dotted-decimal format (A.B.C.D).
– mask: a subnet mask in /prefix-length format (/xx).
– gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, you must configure a system username and password.
Configure a username and password to access the system remotely. CONFIGURATION mode
username username password [encryption-type] password
encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.

Configuring the Enable Password

Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure.
There are two types of enable passwords:
enable password stores the password in the running/startup configuration using a DES encryption method.
enable secret is stored in the running/startup configuration using a stronger, MD5 encryption method.
Dell Networking recommends using the enable secret password.
To configure an enable password, use the following command.
Create a password to access EXEC Privilege mode. CONFIGURATION mode
enable [password | secret] [level level] [encryption-type] password
level: is the privilege level, is 15 by default, and is not required.
encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
* 0 is for inputting the password in clear text.
* 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system.

Manage Configuration Files

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

File Storage

The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default, but can be configured to store files elsewhere.
To view file system information, use the following command.
View information about each file system. EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
Dell#show file-systems
    Size(b)      Free(b)  Feature  Type       Flags  Prefixes
 6429872128   6397476864  FAT32    USERFLASH  rw     flash:
15775404032  15775399936  FAT32    USBFLASH   rw     usbflash:
          -            -  -        network    rw     ftp:
          -            -  -        network    rw     tftp:
          -            -  -        network    rw     scp:
You can change the default file system so that file management commands apply to a particular device or memory.
To change the default directory, use the following command.
Change the default directory. EXEC Privilege mode
cd directory

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command Reference.
To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
To copy a remote file to a Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 3. Forming a copy Command
Location                                 source-file-url Syntax                                               destination-file-url Syntax
Internal flash: System                   copy flash://filename                                                flash://filename
For a remote file location: FTP server   copy ftp://username:password@{hostip | hostname}/filepath/filename   ftp://username:password@{hostip | hostname}/filepath/filename
For a remote file location: HTTP server  copy http://username:password@{hostip | hostname}/filepath/filename  http://username:password@{hostip | hostname}/filepath/filename
For a remote file location: SCP server   copy scp://{hostip | hostname}/filepath/filename                     scp://{hostip | hostname}/filepath/filename
For a remote file location: TFTP server  copy tftp://{hostip | hostname}/filepath/filename                    tftp://{hostip | hostname}/filepath/filename
Important Points to Remember
You may not copy a file from one remote system to another.
You may not copy a file from one location to the same location.
When copying to a server, you can only use a host name if a domain name server (DNS) is configured.
The host IP address (hostip) supports IPv4 and IPv6 addresses in the source-file-url and destination-file-url variables.
When copying files to and from the system using FTP, HTTP, TFTP, or Telnet, you can specify a default IP source interface for the file transfer protocol (ip {ftp | http | telnet | tftp} source-interface commands). The IP source interface can be a loopback, port-channel, or physical interface.
HTTP copy operations support egress interface selection (EIS) to isolate management-plane and control-plane domains for HTTP traffic. For more information, see Egress Interface Selection (EIS).
Example of Copying a File to an FTP Server
Dell#copy flash://FTOS-ZC-9.2.1.0B2.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-ZC-9.2.1.0B2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
94926657 bytes successfully copied
Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-ZC-9.2.1.0B2 flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
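The URL forms in Table 3 and the rules under Important Points to Remember can be checked before a copy command is run or written to a change record. This Python code is an added example, not Dell Networking code; the function names are hypothetical, and the checks for unencrypted transports (FTP, HTTP, TFTP) and for a password embedded in the URL, together with the redact helper, go beyond the guide's own list. The host name backup.example.net is constructed.

```python
import ipaddress

LOCAL = {"flash", "usbflash", "system"}
REMOTE = {"ftp", "http", "scp", "tftp"}
CLEARTEXT = {"ftp", "http", "tftp"}      # no transport encryption
CONFIG_NAMES = {"running-config", "startup-config"}

# Source and destination taken from the guide's FTP example.
EXAMPLE_SRC = "flash://FTOS-ZC-9.2.1.0B2.bin"
EXAMPLE_DST = "ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-ZC-9.2.1.0B2"


def parse_location(url):
    """Break a source-file-url or destination-file-url into its parts."""
    url = url.strip()
    if url in CONFIG_NAMES:
        return {"scheme": "system", "user": None, "password": None,
                "host": None, "path": url}
    scheme, colon, rest = url.partition(":")
    if not colon or scheme not in (LOCAL | REMOTE):
        raise ValueError("unrecognised location: %r" % url)
    if rest.startswith("//"):
        rest = rest[2:]
    if scheme in LOCAL:
        return {"scheme": scheme, "user": None, "password": None,
                "host": None, "path": rest}
    authority, _, path = rest.partition("/")
    userinfo, at, host = authority.rpartition("@")
    user, _, password = userinfo.partition(":") if at else ("", "", "")
    return {"scheme": scheme, "user": user or None,
            "password": password or None, "host": host,
            "path": path.lstrip("/")}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)   # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def redact(url):
    """Return the URL with any embedded password masked, for logs."""
    password = parse_location(url)["password"]
    if not password:
        return url
    return url.replace(":" + password + "@", ":****@", 1)


def check_copy(source, destination, dns_configured=False):
    """List the problems with a planned 'copy source destination'."""
    src, dst = parse_location(source), parse_location(destination)
    findings = []
    if src["scheme"] in REMOTE and dst["scheme"] in REMOTE:
        findings.append("remote-to-remote copy is not allowed")
    if all(src[key] == dst[key] for key in ("scheme", "host", "path")):
        findings.append("source and destination are the same location")
    for location in (src, dst):
        if location["scheme"] not in REMOTE:
            continue
        if not _is_ip(location["host"]) and not dns_configured:
            findings.append("host name requires a configured DNS server")
        if location["scheme"] in CLEARTEXT:
            findings.append(location["scheme"] + " is unencrypted")
        if location["password"]:
            findings.append("password visible on the command line")
    return findings
```
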

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the system by default, but it can be saved on a USB flash device or a remote server. The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that the current directory is the internal flash, which is the system default.
Save the running-configuration to the startup-configuration on the system. EXEC Privilege mode
copy running-config startup-config
Save the running-configuration to an FTP server. EXEC Privilege mode
copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
Save the running-configuration to a TFTP server. EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/filepath/filename
Save the running-configuration to an SCP server. EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.

Configure the Overload Bit for a Startup Scenario

For information about setting the router overload bit for a specific period of time after a switch reload is implemented, refer to the Intermediate System to Intermediate System (IS-IS) section in the Dell Networking OS Command Line Reference Guide.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
View a list of files on the internal flash. EXEC Privilege mode
dir flash:
View the contents of a file in the internal flash. EXEC Privilege mode
show file flash://filename
View a list of files on an external flash. EXEC Privilege mode
dir usbflash:
View the running-configuration. EXEC Privilege mode
show running-config
View the startup-configuration. EXEC Privilege mode
show startup-config
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Dell#dir
Directory of flash:
  1 drw-    32768 Jan 01 1980 00:00:00 .
  2 drwx      512 Jul 23 2007 00:38:44 ..
  3 drw-     8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR
  4 drw-     8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR
  5 drw-     8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR
  6 drw-     8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR
  7 d---     8192 Mar 30 1919 10:31:04 ADMIN_DIR
  8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin
  9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin
 10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE
 11 drw-     8192 Jan 01 1980 00:18:28 diag
 12 -rw-     7276 Jul 20 2007 01:52:40 startup-config.bak
 13 -rw-     7341 Jul 20 2007 15:34:46 startup-config
 14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image
 15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--

Changes in Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change,” and “Startup-config last updated,” you have made changes that have not been saved and will not be preserved after a system reboot.
Example of the show running-config Command
Dell#show running-config
Current Configuration ...
! Version 9-2(1-552)
! Last configuration change at Tue Jan 21 09:32:57 2014 by admin
!
boot system primary tftp://10.11.8.13/rithvik-rainier
boot system secondary tftp://10.11.8.13/rithvik-rainier
boot system default system: A:
boot system gateway 172.27.1.1
!
redundancy auto-synchronize full
redundancy disable-auto-reboot
!
service timestamps log datetime
!
logging coredump
!
hostname pt-z9500-11
!
enable password 7 b125455cf679b208e79b910e85789edf
!
username admin password 7 1d28e9f33f99cf5c
!
linecard 0 provision Z9500LC36
--More--

Enabling Software Features on Devices Using a Command Option

This capability to activate software applications or components on a device using a command is supported on the S4810, S4820T, and S6000 platforms.
Starting with Release 9.4(0.0), you can enable or disable specific software functionalities or applications that need to run on a device by using a command attribute in the CLI interface. This capability enables effective, streamlined management and administration of applications and utilities that run on a device. You can employ this capability to perform an on-demand activation or turn-off of a software component or protocol. A feature configuration file that is generated for each image contains feature names and denotes whether this enabling or disabling method is available for such features. In 9.4(0.0), you can enable or disable the VRF application globally across the system by using this capability.
You can activate the VRF application on a device by using the feature vrf command in CONFIGURATION mode.
NOTE: The no feature vrf command is not supported on any of the platforms.
To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must enable the VRF feature before you can configure its related attributes.
Dell(conf)# feature vrf
The feature vrf configuration command becomes available depending on whether the VRF feature is identified as supported in the Feature Configuration file. This command is stored in the running-configuration and precedes all other VRF-related configurations.
NOTE: The MXL and Z9000 platforms currently do not support VRF. These platforms support only the management and default VRFs, which are available by default. As a result, the feature vrf command is not available for these platforms.
To display the state of Dell Networking OS features:
Dell#show feature
Example of show feature output
For a particular target where VRF is enabled, the show output is similar to the following:
Feature    State
------------------------------
VRF        enabled

View Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
The system generates a trace message for each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command.
Example of the show command-history Command
Dell#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9

Upgrading the Dell Networking OS

NOTE: To upgrade the Dell Networking operating software, refer to the Release Notes for the version you want to load on the switch.

Using Hashes to Validate Software Images

You can use the MD5 message-digest algorithm or SHA256 Secure Hash Algorithm to validate the software image on the flash drive, after the image has been transferred to the system, but before the image has been installed. The validation calculates a hash value of the downloaded image file on the system’s flash drive, and, optionally, compares it to a Dell Networking published hash for that file.
The MD5 or SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file, and comparing the result to the hash published for that file on iSupport, provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, can prevent the installation of corrupted or modified images.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on i-Support. Optionally, the published hash can be included in the verify {md5 | sha256} command, which will display whether it matches the calculated hash of the indicated file.
To validate a software image:
1. Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file is displayed next to the software image file on the iSupport page.
2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command.
3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
md5: MD5 message-digest algorithm
sha256: SHA256 Secure Hash Algorithm
flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name.
hash-value: (Optional). Specify the relevant hash published on i-Support.
img-file: Enter the name of the Dell Networking software image file to validate
Examples: Without Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
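The validation steps above can be cross-checked from the download server: the following is an added example, not part of the Dell manual, that hashes the image on the FTP/TFTP server, parses the verify output captured from the switch, and compares both against the published hash. The function names and the idea of pasting the captured CLI output into a script are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import string

# Hex-digit length of each digest the verify command can produce.
HEX_LEN = {"md5": 32, "sha256": 64}

# The two output shapes shown in this section:
#   "SHA256 hash for <file>: <hex>"     (no hash-value on the command line)
#   "SHA256 hash VERIFIED for <file>"   (hash-value given and matched)
VERIFY_RE = re.compile(
    r"^(?P<algo>MD5|SHA256) hash (?:(?P<ok>VERIFIED) )?for (?P<file>\S+?)"
    r"(?::\s*(?P<hex>[0-9a-fA-F]+))?\s*$"
)


def normalize_hash(algo, value):
    """Return the lowercase digest, or raise ValueError if it is malformed
    for this algorithm (catches a truncated or mixed-up copy/paste)."""
    algo = algo.lower()
    if algo not in HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algo}")
    value = value.strip().lower()
    if len(value) != HEX_LEN[algo] or any(c not in string.hexdigits for c in value):
        raise ValueError(f"not a valid {algo} digest: {value!r}")
    return value


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_verify_output(text):
    """Parse captured `verify` output; prompt lines and other text are skipped."""
    results = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            results.append({
                "algo": m.group("algo").lower(),
                "file": m.group("file"),
                "digest": m.group("hex").lower() if m.group("hex") else None,
                "verified": m.group("ok") is not None,
            })
    return results


def check_image(local_path, algo, published, switch_output):
    """Compare the published hash with the server copy and the switch's result.

    MD5 catches accidental corruption but is not collision resistant, so
    prefer sha256 when both hashes are published.
    """
    algo = algo.lower()
    published = normalize_hash(algo, published)
    local = file_digest(local_path, algo)
    report = {"local_matches_published": hmac.compare_digest(local, published),
              "switch_matches_published": None}
    for r in parse_verify_output(switch_output):
        # A bare "VERIFIED" line only proves a match against whatever hash-value
        # was typed on the switch, so only an explicit digest is used as evidence.
        if r["algo"] == algo and r["digest"] is not None:
            report["switch_matches_published"] = hmac.compare_digest(
                r["digest"], published)
    return report


if __name__ == "__main__":
    import os
    import tempfile
    data = b"constructed stand-in for an image file"  # constructed sample input
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    published = hashlib.sha256(data).hexdigest()
    captured = f"Dell# verify sha256 flash://demo.bin\nSHA256 hash for demo.bin: {published}"
    print(check_image(f.name, "sha256", published, captured))
    os.remove(f.name)
```

A result of None for switch_matches_published means the captured output contained no digest for that algorithm, so the switch-side check still has to be run.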
4

Switch Management

This chapter describes the switch management tasks supported on the Z9500.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line.
There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level     Description
Level 0   Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Level 1   Access to the system begins at EXEC mode, and all commands are available.
Level 15  Access to the system begins at EXEC Privilege mode, and all commands are available.
For information about how access and authorization is controlled based on a user’s role, see Role-Based Access Control.

Creating a Custom Privilege Level

Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
restricting access to an EXEC mode command
moving commands from EXEC Privilege to EXEC mode
restricting access
A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.

Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode.
In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.

Allowing Access to the Following Modes

This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Next, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which you want to allow access using the privilege {interface | line | route-map | router} level level command. In the command, specify the privilege level of the user or terminal line and specify all the keywords in the command to which you want to allow access.
To remove, move or allow access, use the following commands.
The configuration in the following example creates privilege level 3. This level:
removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
allows access to CONFIGURATION mode with the banner command
allows access to INTERFACE and LINE modes with no commands
Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode
privilege exec level level {command ||...|| command}
Allow access to CONFIGURATION mode. CONFIGURATION mode
privilege exec level level configure
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
CONFIGURATION mode
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...|| command}
Example of EXEC Privilege Commands
Dell(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Dell#?
capture    Capture packet
configure  Configuring from terminal
disable    Turn off privileged commands
enable     Turn on privileged commands
exit       Exit from the EXEC
ip         Global IP subcommands
monitor    Monitoring feature
mtrace     Trace reverse multicast path from destination to source
ping       Send echo messages
quit       Exit from the EXEC
show       Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.
Dell(conf)#?
end        Exit from configuration mode
exit       Exit from configuration mode
interface  Select an interface to configure
line       Configure a terminal line
linecard   Set line card type
Dell(conf)#interface ?
loopback            Loopback interface
managementethernet  Management Ethernet interface
null                Null interface
port-channel        Port-channel interface
range               Configure interface range
tengigabitethernet  TenGigabit Ethernet interface
vlan                VLAN interface
Dell(conf)#interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)#?
end   Exit from configuration mode
exit  Exit from interface configuration mode
Dell(conf-if-te-1/1)#exit
Dell(conf)#line ?
aux      Auxiliary line
console  Primary terminal line
vty      Virtual terminal
Dell(conf)#line vty 0
Dell(config-line-vty)#?
exit  Exit from line configuration mode
Dell(config-line-vty)#

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
Configure a privilege level for a user. CONFIGURATION mode
username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging

The Dell Networking operating system tracks changes in the system using event and error messages. By default, the operating system logs these messages on:
the internal buffer
console and terminal lines
any configured syslog servers
To disable logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Audit and Security Logs

This section describes how to configure, display, and clear audit and security logs. The following is the configuration task list for audit and security logs:
Enabling Audit and Security Logs
Displaying Audit and Security Logs
Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information. The types of information in this log consist of the following:
User logins to the switch.
System events for network issues or system issues.
Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change.
Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following:
Establishment of secure traffic flows, such as SSH.
Violations on secure flows or certificate issues.
Adding and deleting of users.
User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration)
Important Points to Remember
When you enable RBAC and extended logging:
Only the system administrator user role can execute this command.
The system administrator and system security administrator user roles can view security events and system events.
The system administrator user role can view audit, security, and system events.
Only the system administrator and security administrator user roles can view security logs.
The network administrator and network operator user roles can view system events.
NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Enabling Audit and Security Logs
Dell(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
Dell# clear logging auditlog
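Audit log lines in the format shown above can be triaged automatically once they are exported. The following is an added example, not part of the Dell manual, that parses show logging auditlog lines and flags commands documented in this chapter that reduce or erase logging, plus sessions from outside an expected management network. The management network 10.14.1.0/24, the function names, and all sample lines after the first two are assumptions constructed for illustration.

```python
import ipaddress
import re

# Line shape taken from the show logging auditlog example:
#   May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): (?P<host>\S+): "
    r"%CLI-(?P<sev>\d)-(?P<cmd>.+) by (?P<user>\S+) from (?P<line>\S+) "
    r"\((?P<src>[^)]*)\)\s*$"
)

# Commands from this chapter that turn logging off or clear the audit log.
LOG_REDUCING = (
    "no logging on",
    "no logging buffer",
    "no logging monitor",
    "no logging console",
    "clear logging auditlog",
)

# First two lines come from the manual's example; the rest are constructed.
SAMPLE = """\
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:31:07: Dell#: %CLI-6-no logging console by admin from vty0 (10.14.1.98)
May 12 12:44:10: Dell#: %CLI-6-configure terminal by oper1 from vty1 (192.0.2.77)
May 12 12:44:31: Dell#: %CLI-6-clear logging auditlog by oper1 from vty1 (192.0.2.77)
garbled line without the expected fields
"""


def parse_audit_line(line):
    """Return the fields of one audit log line, or None if it does not parse."""
    m = AUDIT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, mgmt_networks):
    """Return findings for lines that need a closer look.

    Each finding carries a list of reasons:
      logging-reduced    the command disables a log target or clears the audit log
      unexpected-source  the session did not come from a listed management network
      unparsed           the line did not match the expected format; it is reported
                         rather than dropped so gaps in coverage stay visible
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_audit_line(raw)
        if rec is None:
            findings.append({"raw": raw.strip(), "reasons": ["unparsed"]})
            continue
        reasons = []
        if rec["cmd"].strip().lower().startswith(LOG_REDUCING):
            reasons.append("logging-reduced")
        try:
            addr = ipaddress.ip_address(rec["src"].strip())
            inside = any(addr in n for n in nets)
        except ValueError:
            inside = False  # a source that is not an IP address is not trusted
        if not inside:
            reasons.append("unexpected-source")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines(), ["10.14.1.0/24"]):
        print(f.get("ts", "-"), f.get("user", "-"), f.get("src", "-"),
              ",".join(f["reasons"]), "|", f.get("cmd", f.get("raw")))
```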

Configuring Logging Format

To display syslog messages in an RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
The following describes the two log message formats:
0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol
1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol
Example of Configuring the Logging Message Format
Dell(conf)#logging version ?
<0-1>  Select syslog version (default = 0)
Dell(conf)#logging version 1

Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the FTOS switch, using the following syntax:
ssh -R <remote port>:<syslog server>:<syslog server listen port> user@remote_host -nNf
In the following example, the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3. Configure logging to a local host. localhost is “127.0.0.1” or “::1”.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.

Configuration Task List for System Log Management

There are two configuration tasks for system log management:
Disable System Logging
Send System Messages to a Syslog Server
Change System Logging Settings
Display the Logging Buffer and the Logging Configuration
Configure a UNIX Logging Facility Level
Enable Timestamp on Syslog Messages
Synchronize Log Messages
Audit and Security Logs
Configuring Logging Format
Secure Connection to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
Disable all logging except on the console. CONFIGURATION mode
no logging on
Disable logging to the logging buffer. CONFIGURATION mode
no logging buffer
Disable logging to terminal lines. CONFIGURATION mode
no logging monitor
Disable console logging. CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The SYSLOG Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164, and RFC 5426, Transmission of Syslog Messages over UDP.
Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}

Configuring a UNIX System as a Syslog Server

To configure a UNIX System as a syslog server, use the following command.
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
– Add line on a 4.1 BSD UNIX system.
local7.debugging /var/log/ftos.log
– Add line on a 5.7 SunOS UNIX system.
local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
Example of the show logging Command
Dell#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 416 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Logging to 10.1.2.4
Logging to 172.31.1.4
Logging to 133.33.33.4
Logging to 172.16.1.162
Logging to 10.10.10.4
Jan 21 09:52:21: %SYSTEM:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.68 )by admin
Jan 21 09:32:57: %SYSTEM:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.68 )by admin
Jan 21 09:32:57: %SYSTEM:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.8.68 )
Jan 21 09:32:57: %SYSTEM:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.11.8.68 )
Jan 21 04:11:02: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/1
Jan 21 04:11:02: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/0
Jan 21 03:12:54: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 60 % of the full speed
Jan 21 03:12:54: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 40 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 80 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 50 % of the full speed
Jan 21 02:56:54: %SYSTEM:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
Jan 21 02:56:54: %SYSTEM:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/3
--More--
To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location.
The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
To specify the system logging settings, use the following commands.
Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console. CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server. CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table. CONFIGURATION mode
logging history level
Specify the size of the logging buffer. CONFIGURATION mode
logging buffered size
NOTE: When you decrease the buffer size, the operating system deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that the operating system saves to its logging history table. CONFIGURATION mode
logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command.
Specify one of the following parameters. CONFIGURATION mode
logging facility [facility-type]
– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system use)
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view non-default settings, use the show running-config logging command in EXEC mode.
Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#

Synchronizing Log Messages

You can configure the Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output.
Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1. Enter LINE mode.
CONFIGURATION mode
line {console 0 | vty number [end-number] | aux 0}
Configure the following parameters for the virtual terminal lines:
number: the range is from zero (0) to 8.
end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print.
LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command.
Add timestamp to syslog messages. CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
– You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
uptime: To view time since last boot.
If you do not specify a parameter, the system configures uptime.
To view the configuration, use the show running-config logging command in EXEC privilege mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.

File Transfer Services

With Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces.
The FTP and TFTP services are enhanced to support the VRF-aware functionality. If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table. You can use the ip ftp vrf vrf-name or ip tftp vrf vrf-name command to inform the FTP or TFTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the source-interface command to communicate with a particular interface even if no VRF is configured on that interface.
For more information about FTP, refer to RFC 959, File Transfer Protocol.
NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP server.

Configuration Task List for File Transfer Services

The configuration tasks for file transfer services are:
Enable FTP Server (mandatory)
Configure FTP Server Parameters (optional)
Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Enable FTP on the system.
CONFIGURATION mode
ftp-server enable
Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands.
Specify the directory for users using FTP to reach the system. CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
username: enter a text string.
encryption-type: enter 0 for plain text or 7 for encrypted text.
password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
Enter the following keywords and slot/port or number information:
– For a loopback interface, enter the keyword loopback then a number between 0 and 16383.
– For a port channel interface, enter the keywords port-channel then a number from 1 to 255.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
CONFIGURATION mode
ip ftp source-interface interface
Configure a password. CONFIGURATION mode
ip ftp password password
Enter a username to use on the FTP client. CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port. The virtual terminal lines (VTYs) connect you through Telnet to the system.

Denying and Permitting Access to a Terminal Line

Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
Apply an ACL to a VTY line.
LINE mode
ip access-class access-list
Example of an ACL that Permits Terminal Access
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
 access-class myvtyacl

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable: Prompt for the enable password.
line: Prompt for the password you assigned to the terminal line. Configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the password command from LINE mode.
local: Prompt for the system username and password.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
CONFIGURATION mode
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2. Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
LINE mode
password
Example of Terminal Line Authentication
In the following example, VTY lines 0-2 use a single authentication method, line.
Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 password myvtypassword
 login authentication myvtymethodlist
Dell(config-line-vty)#

Setting Time Out of EXEC Privilege Mode

EXEC time-out is a basic security feature that returns the system to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands.
Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
LINE mode
exec-timeout minutes [seconds]
Return to the default time-out values.
LINE mode
no exec-timeout
Example of Setting the Time Out Period for EXEC Privilege Mode
The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.
Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
 exec-timeout 0 0
Dell(config-line-console)#
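The settings covered so far in this chapter (the FTP password encryption type, ACLs on VTY lines, and the EXEC time-out) can be checked together in a saved configuration. The following Python script is an added example, not part of the Dell documentation or software; the finding names and the sample configuration are constructed, and it assumes the indented stanza layout that show config prints.

```python
# Added example: audits configuration text for the access settings described
# in this chapter. Finding names and the sample below are constructed.

SAMPLE_CONFIG = """\
ftp-server enable
ftp-server username nairobi password 0 zanzibar
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
ip access-list standard emptyacl
!
line console 0
 exec-timeout 0 0
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
 access-class myvtyacl
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 exec-timeout 5 0
 access-class emptyacl
"""


def split_stanzas(text):
    """Group indented lines under the unindented line that opens the stanza."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[:1].isspace() and stanzas:
            stanzas[-1][1].append(line)
        else:
            stanzas.append((line, []))
    return stanzas


def timeout_disabled(body):
    """True when exec-timeout is 0 (minutes and any seconds are both 0)."""
    for line in body:
        parts = line.split()
        if parts[0] == "exec-timeout" and len(parts) >= 2:
            return all(v.isdigit() and int(v) == 0 for v in parts[1:3])
    return False


def applied_acl(body):
    """Name of the ACL applied to the line, or None when there is none."""
    for line in body:
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "access-class":
            return parts[-1]
    return None


def audit(text):
    stanzas = split_stanzas(text)
    # Rules per ACL name, so an applied ACL that has no rules can be reported:
    # on a VTY line such an ACL does not deny traffic.
    acl_rules = {head.split()[-1]: body for head, body in stanzas
                 if head.startswith("ip access-list ")}
    findings = []
    for head, body in stanzas:
        words = head.split()
        # ftp-server username <name> password 0 <text>: type 0 is plain text.
        if (words[:2] == ["ftp-server", "username"] and len(words) == 6
                and words[3] == "password" and words[4] == "0"):
            # Report the user name only, never the password itself.
            findings.append((" ".join(words[:3]), "ftp-password-plaintext"))
        if words[0] != "line":
            continue
        if timeout_disabled(body):
            findings.append((head, "exec-timeout-disabled"))
        if words[1:2] == ["vty"]:
            acl = applied_acl(body)
            if acl is None:
                findings.append((head, "vty-no-access-class"))
            elif not acl_rules.get(acl):
                findings.append((head, "vty-acl-has-no-rules"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```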

Using Telnet to Access Another Network Device

To telnet to another device, use the following commands.
NOTE: On the Z9500, the system allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
Telnet to a device with an IPv4 or IPv6 address.
EXEC Privilege
telnet [ip-address]
If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one.
Enter an IPv4 address in dotted decimal format (A.B.C.D).
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Example of the telnet Command for Device Access
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#

Lock CONFIGURATION Mode

The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
You can set two types of locks: auto and manual.
Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.

Viewing the Configuration Lock Status

If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
Dell(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1):
% Error: User "" on line console0 is in exclusive configuration mode
If any user is already in CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 2):
% Error: Can't lock configuration mode exclusively since the following users are currently configuring the system:
User "admin" on line vty1 ( 10.1.1.1 ).
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.

Recovering from a Forgotten Password on the Z9500

If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
4. At the BLI prompt, set the system parameter to ignore the enable password and reload the system:
BOOT_USER# ignore enable-password
BOOT_USER# reload
NOTE: You must manually enter each CLI command. The system rejects a command if you copy and paste it in the command line.
5. Configure a new password.
CONFIGURATION mode
enable {secret | password}
6. Save the change in the running configuration to the startup configuration.
EXEC Privilege mode
copy running-config startup-config

Ignoring the Startup Configuration and Booting from the Factory-Default Configuration

If you do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the Z9500 factory-default configuration. To boot up with the factory-default configuration:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
4. At the BLI prompt, set the system parameter to ignore the startup configuration and reload the system:
BOOT_USER# ignore startup-config
BOOT_USER# reload
NOTE: You must manually enter each CLI command. The system rejects a command if you copy and paste it in the command line.

Recovering from a Failed Start on the Z9500

A switch that does not start correctly might be trying to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location.
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. During bootup, press the ESC key when this message appears: Press Esc to stop autoboot...
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
3. At the BLI prompt, set the system parameter to ignore the enable password and reload the system:
BOOT_USER mode
BOOT_USER# boot change primary
You are prompted to enter a valid boot device (for example, ftp or tftp) and a path or filename for the Dell Networking OS image that you want to use.
4. (Optional) Set the secondary and default boot locations by entering the following commands:
BOOT_USER mode
BOOT_USER# boot change secondary
BOOT_USER# boot change default
5. Reboot the chassis.
BOOT_USER mode
reload

Restoring Factory-Default Settings

When you restore factory-default settings on a switch, the existing NVRAM settings, startup configuration, and all configured settings are deleted.
To restore the factory-default settings, enter the restore factory-defaults {clear-all | nvram} command in EXEC Privilege mode.
CAUTION: There is no undo for this command.

Important Points to Remember

When you restore the factory-default settings on all units in a stack, the units are placed in standalone mode.
After the restore is complete, a switch reloads immediately.
The following example shows how the restore factory-defaults command restores a switch to its factory default settings.
Dell# restore factory-defaults nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing       *
* persistent settings (stacking, fanout, etc.)                        *
* After restoration the unit(s) will be powercycled immediately.      *
* Proceed with caution !                                              *
***********************************************************************
Proceed with factory settings? Confirm [yes/no]:yes
-- Restore status --
Unit Nvram Config
------------------------
0 Success
Power-cycling the unit(s).
....

Restoring Factory-Default Boot Environment Variables

The Boot line determines the location of the image that is used to boot up the switch after restoring factory-default settings. Ideally, these locations contain valid images, which the switch uses to boot up.
When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
When you use a flash boot procedure to boot the switch, the reset boot variables are displayed below restore bootvar in the command output.
If the primary boot line is A: and the A: partition contains a valid image, the primary boot line is set to A:, the secondary boot line is set to B: (if B: also contains a valid image), and default boot line is set to a Null String.
If the primary boot line is B: and the B: partition contains a valid image, the primary boot line is set to B:, the secondary boot line is set to A: (if A: also contains a valid image), and default boot line is set to a Null string.
If either partition contains an invalid or corrupted image, the partition is not set in any of the boot lines. If both partitions contain invalid images, the primary, secondary, and default boot lines are set to a Null string.
When you use a network boot procedure to boot the switch, the reset boot variables are displayed below restore bootvar in the command output.
If the primary partition contains a valid image and the secondary partition does not contain a valid image, the primary boot line is set to A: and the secondary and default boot lines are set to a Null string.
If both partitions have valid images, the primary boot line value is set to the partition configured to boot the device in case of a network failure. The secondary and default boot lines are set to a Null string.
Important Points to Remember
The CLI remains at the boot prompt if no partition contains a valid image.
To enable a TFTP boot after restoring factory default settings, you must stop the boot process using the boot-line interface (BLI).
The tftpboot command does not work after you perform a reset bootvar because the management IP address, network mask, and gateway IP address are all reset to NULL.
In case the system fails to reload the image from a flash partition, follow these steps:
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. When prompted by the system, press the Esc key to abort the boot process.
You are placed in the boot-line interface (BLI) at the BOOT_USER # prompt.
Press any key
3. Assign the new location of the FTOS image to be used when the system reloads.
To boot from flash partition A:
BOOT_USER # boot change primary
boot device : flash
file name : systema
BOOT_USER #
To boot from flash partition B:
BOOT_USER # boot change primary
boot device : flash
file name : systemb
BOOT_USER #
To boot from the network:
BOOT_USER # boot change primary
boot device : tftp
file name : FTOS-SI-9-5-0-169.bin
Server IP address : 10.16.127.35
BOOT_USER #
4. Assign an IP address and network mask to the Management Ethernet interface.
BOOT_USER # interface management ethernet ip address ip_address_with_mask
For example, 10.16.150.106/16.
5. Assign an IP address as the default gateway for the system.
default-gateway gateway_ip_address
For example, 10.16.150.254.
6. The environment variables are auto saved.
7. Reload the system.
BOOT_USER # reload

802.1X

802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification.
802.1X employs extensible authentication protocol (EAP) to transfer a device’s credentials to an authentication server (typically RADIUS) using a mandatory intermediary network access device, in this case, a Dell Networking switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP-over-Ethernet (EAPOL) to communicate with the end-user device and EAP-over-RADIUS to communicate with the server.
NOTE: The Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The Z9500 places 802.1X-enabled ports in the unauthorized state by default.

The Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 4. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 5. EAP Over RADIUS
RADIUS Attributes for 802.1 Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Attribute 81 Tunnel-Private-Group-ID: associate a tunneled session with a particular group of users.
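The TLV encapsulation described above can be seen by building and parsing an Access-Request by hand. The following Python script is an added example, not Dell code: it splits an EAP Response Identity packet across type-79 attributes (a value holds at most 253 bytes) and reassembles it on the server side. It goes beyond this page in one respect: it also generates and verifies the Message-Authenticator attribute (type 80) that RFC 3579 requires alongside EAP-Message. The shared secret, MAC address and identity are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
CALLING_STATION_ID = 31      # supplicant MAC address (listed on this page)
EAP_MESSAGE = 79             # carries the EAP packet (Type value from this page)
MESSAGE_AUTHENTICATOR = 80   # RFC 3579 integrity attribute, not covered on this page
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
MAX_VALUE = 253              # Length is one byte and includes the 2-byte header

# Constructed sample values, not taken from a real deployment.
SECRET = b"constructed-shared-secret"
STATION = b"00-11-22-33-44-55"
IDENTITY = b"host/" + b"a" * 300 + b"@example.test"


def eap_identity_response(eap_id, identity):
    """EAP packet: Code, Identifier, Length (whole packet), Type, Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def tlv(attr_type, value):
    if len(value) > MAX_VALUE:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(radius_id, request_auth, station, eap, secret):
    """Authenticator side: split the EAP packet across type-79 attributes."""
    attrs = tlv(CALLING_STATION_ID, station)
    for off in range(0, len(eap), MAX_VALUE):
        attrs += tlv(EAP_MESSAGE, eap[off:off + MAX_VALUE])
    ma_value_at = 20 + len(attrs) + 2      # offset of the 16-byte HMAC value
    attrs += tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = header + request_auth + attrs
    # HMAC-MD5 over the whole packet with the attribute value still zeroed.
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_at] + digest + packet[ma_value_at + 16:]


def parse_attributes(packet):
    """Return (type, value_offset, value) per attribute, bounds-checked."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def extract_eap(packet, secret):
    """Server side: verify integrity, then reassemble the EAP packet."""
    attrs = parse_attributes(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    auth = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(auth) != 1 or len(auth[0][1]) != 16:
        raise ValueError("EAP-Message without a valid Message-Authenticator")
    off, received = auth[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    # Fragments are concatenated in the order they appear in the packet.
    eap = b"".join(val for t, _, val in attrs if t == EAP_MESSAGE)
    if len(eap) < 5 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length does not match reassembled data")
    station = next((v for t, _, v in attrs if t == CALLING_STATION_ID), None)
    return {"station": station, "eap_code": eap[0], "eap_type": eap[4],
            "identity": eap[5:],
            "fragments": sum(t == EAP_MESSAGE for t, _, _ in attrs)}


if __name__ == "__main__":
    request = build_access_request(7, bytes(range(16)), STATION,
                                   eap_identity_response(1, IDENTITY), SECRET)
    print(extract_eap(request, SECRET)["fragments"], "EAP-Message attributes")
```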

Configuring 802.1X

Configuring 802.1X on a port is a one-step process.
For more information, refer to Enabling 802.1X.

Related Configuration Tasks

Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring a Guest VLAN
Configuring an Authentication-Fail VLAN

Important Points to Remember

The system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X

Enable 802.1X globally.
Figure 6. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Examples of Verifying that 802.1X is Enabled Globally or on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
The bold lines show that 802.1X is enabled.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
Dell#
View 802.1X configuration information for an interface using the show dot1x interface command.
The bold lines show that 802.1X is enabled on all ports unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Configuring Request Identity Re-Transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year)
The default is 30.
Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10.
The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period.
NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure a quiet period, use the following command.
Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication.
INTERFACE mode
dot1x quiet-period seconds
The range is from 1 to 65535.
The default is 60 seconds.
Example of Configuring and Verifying Port Authentication
The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame:
after 90 seconds and a maximum of 10 times for an unresponsive supplicant
re-transmits an EAP Request Identity frame
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Dell(conf-if-range-Te-0/0)#dot1x tx-period 90
Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10
Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120
Dell#show dot1x interface TenGigabitEthernet 2/1
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.1X requires that a port can be manually placed into any of three states:
ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
ForceUnauthorized — an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.
Auto — an unauthorized state by default. A device connected to this port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the Auto state by default.
To set the port state, use the following command.
Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration
The example shows configuration information for a port that has been force-authorized.
The bold line shows the new port-control state.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
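Because a force-authorized port still reports Dot1x Status: Enable, it is easy to miss in a port review. The following Python script is an added example, not part of the Dell documentation: it parses show dot1x interface output for several ports and reports those that are force-authorized or that never re-authenticate. The sample output is constructed in the format shown in this chapter, with one field per line, and the finding names are hypothetical.

```python
import re

# Constructed sample in the format of the show dot1x interface output in this
# chapter (one "Key: Value" pair per line); not captured from a real switch.
SAMPLE_OUTPUT = """\
802.1x information on Te 0/0:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Quiet Period: 120 seconds
802.1x information on Te 0/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Re-Auth Interval: 3600 seconds
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Re-Auth Interval: 7200 seconds
"""

HEADER = re.compile(r"^802\.1x information on (.+):$")


def parse_dot1x(text):
    """Return {port: {field: value}} for every port block in the output."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = ports.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return ports


def audit_ports(text):
    """Report ports whose state bypasses or weakens port authentication."""
    findings = []
    for port, fields in parse_dot1x(text).items():
        control = fields.get("Port Control")
        if fields.get("Dot1x Status") != "Enable":
            findings.append((port, "dot1x-not-enabled"))
        elif control == "FORCE_AUTHORIZED":
            # Same effect as disabling 802.1X on the port: no authentication.
            findings.append((port, "force-authorized"))
        elif control == "AUTO" and fields.get("Re-Authentication") != "Enable":
            # Informational: the supplicant is authenticated once only.
            findings.append((port, "reauthentication-disabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(SAMPLE_OUTPUT):
        print(f"{port}: {finding}")
```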

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
To configure re-authentication time settings, use the following commands.
Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 65535.
The default is 3600.
Configure the maximum number of times that the supplicant can be re-authenticated.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10.
The default is 2.
Example of Re-Authenticating a Port and Verifying the Configuration
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200
Dell(conf-if-Te-0/0)#dot1x reauth-max 10
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
To terminate the authentication process, use the following commands.
Terminate the authentication process due to an unresponsive supplicant.
INTERFACE mode
dot1x supplicant-timeout seconds
The range is from 1 to 300.
The default is 30.
Terminate the authentication process due to an unresponsive authentication server.
INTERFACE mode
dot1x server-timeout seconds
The range is from 1 to 300.
The default is 30.
Example of Viewing Configured Server Timeouts
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
The bold lines show the new supplicant and server timeouts.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.1x information on Te 0/0:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Configuring Dynamic VLAN Assignment with Port Authentication

On the Z9500, 802.1X authentication supports dynamic VLAN assignment. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
The illustration shows the configuration before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 7. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To connect such devices, they must be allowed to access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode. View your configuration using the show config command from INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x guest-vlan 200
 no shutdown
Dell(conf-if-Te 2/1))#

Configuring an Authentication-Fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Example of Configuring Maximum Authentication Attempts
Dell(conf-if-Te-2/1)#dot1x guest-vlan 200
Dell(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 no shutdown
Dell(conf-if-Te-2/1)#
Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-Te-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Configured Authentication
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
6

Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory (CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of the parameters. Using this new capability, you can also configure VRF based ACLs on interfaces.
NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to configure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to allocate a CAM region: vrfv4acl.
The order of priority for configuring user-defined ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
VRF based IMPLICIT DENY Rules
NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an implicit-permit option.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for configuring ACLs on interfaces. The VRF range is from 1 to 63. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
NOTE: You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.

IP Access Control Lists (ACLs)

You can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria:
IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL TCP and UDP filters, you can match criteria on specific TCP or UDP ports or on ranges of ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the system assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
Ingress and egress Hot Lock ACLs allow you to append new rules to, or delete rules from, an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs on all platforms.
NOTE: Hot lock ACLs are supported for Ingress ACLs only.

CAM Usage

The following section describes CAM allocation and CAM optimization.
User Configurable CAM Allocation
CAM Optimization
User-Configurable CAM Allocation
User-configurable content-addressable memory (CAM) allows you to specify the amount of memory space that you want to allocate for ACLs.
To allocate ACL CAM, use the cam-acl command in CONFIGURATION mode. For information about how to allocate CAM for ACL VLANs, see Allocating ACL VLAN CAM.
The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.)
Enter the allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Save the new CAM settings to the startup-config (use write-mem or copy run start) then reload the system for the new settings to take effect.
Test CAM Usage
The test cam-usage command is supported on the Z9500.
This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command. The status column indicates whether you can enable the policy.
Example of the test cam-usage Command
Dell#test cam-usage service-policy input TestPolicy linecard all
Linecard|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
--------------------------------------------------------------------------
2| 1| IPv4Flow| 232| 0|Allowed
2| 1| IPv6Flow| 0| 0|Allowed
4| 0| IPv4Flow| 232| 0|Allowed
4| 0| IPv6Flow| 0| 0|Allowed
Dell#

Implementing ACLs

You can assign one IP ACL per physical or VLAN interface. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable to the following features:
L2 Ingress Access list
L2 Egress Access list
L3 Egress Access list
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. Whereas if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each port belonging to a port-pipe.
When you use the log keyword, the CP has to log the details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP might become busy as it has to log these packets’ details. However, the Route Processor (RP) is unaffected. This option is typically useful when debugging some problem related to control traffic. We have used this option numerous times in the field and have not encountered problems so far.
ACL Optimization
If an access list contains duplicate entries, the system deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries whether it is identified as a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. The system writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254.
Example of the order Keyword to Determine ACL Sequence
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface tengig 1/0
Dell(conf-if-te-1/0)#service-policy input pmap

IP Fragment Handling

The system supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets.
It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
Both standard and extended ACLs support IP fragments.
Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled.
Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
For an IP ACL, the system always applies implicit deny. You do not have to configure it.
For an IP ACL, the system applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a Loopback interface, the command is accepted, but the ACL entries for the offending rule are not actually installed in CAM.

IP Fragments ACL Examples

The following examples show how you can use ACL commands with the fragment keyword to filter fragmented packets.
Example of Permitting All Packets on an Interface
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#
Example of Denying Second and Subsequent Fragments
To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#

Layer 4 ACL Rules Examples

The following examples show the ACL commands for Layer 4 packet filtering.
Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked.
If a packet's FO > 0, the packet is permitted.
If a packet's FO = 0, the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked.
If a packet's FO > 0, the packet is denied.
If a packet's FO = 0, the next ACL line is processed.
Example of Permitting All Packets from a Specified Host
In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)#
Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)#
Example of Logging Denied Packets
To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)#
When configuring ACLs with the fragments keyword, be aware of the following. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
FO = 0 means it is either the first fragment or the packet is a non-fragment.
FO > 0 means it is dealing with the fragments of the original packet.
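The fragment rules in this section can be checked with a small first-match model. This is an added example, not Dell's implementation: it encodes only the behaviour stated here (the FO checks, Layer 4 rules not applying when FO > 0, and the implicit fragment permit ahead of the implicit deny) and runs the ABC ACLs from the examples against constructed packets; the class, function and packet names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None  # Layer 4 criterion ("eq 24")
    fragments: bool = False      # the fragments keyword


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    fo: int = 0                  # fragment offset
    dport: Optional[int] = None  # only present in a packet with FO = 0


def evaluate(acl, pkt):
    """Return (action, index of the rule hit); index None means an implicit rule."""
    for index, rule in enumerate(acl):
        if rule.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(rule.src):
            continue
        if ip_address(pkt.dst) not in ip_network(rule.dst):
            continue
        if rule.fragments:
            if pkt.fo > 0:
                return rule.action, index
            continue             # FO = 0: the next ACL entry is processed
        if rule.dport is not None and (pkt.fo > 0 or pkt.dport != rule.dport):
            continue             # a Layer 4 rule cannot be applied to FO > 0
        return rule.action, index
    # Implicit permit for second and subsequent fragments, then implicit deny.
    return ("permit", None) if pkt.fo > 0 else ("deny", None)


def unused_rules(acl, packets):
    """Indexes of rules that none of the given packets hit."""
    hit = {evaluate(acl, p)[1] for p in packets}
    return [i for i in range(len(acl)) if i not in hit]


# The ACL "ABC" from the examples, in its four variants.
PERMIT_ALL = [Rule("permit", "ip", ANY, "10.1.1.1/32"),
              Rule("deny", "ip", ANY, "10.1.1.1/32", fragments=True)]
DENY_LATER_FRAGMENTS = [PERMIT_ALL[1], PERMIT_ALL[0]]
PORT_24 = [Rule("permit", "tcp", "10.1.1.1/32", ANY, dport=24),
           Rule("deny", "ip", ANY, ANY, fragments=True)]
PORT_24_TCP_FRAGMENTS = [PORT_24[0],
                         Rule("permit", "tcp", "10.1.1.1/32", ANY, fragments=True),
                         PORT_24[1]]

# Constructed packets (addresses other than 10.1.1.1 are made up).
TO_HOST = [Packet("tcp", "192.0.2.7", "10.1.1.1", fo=0, dport=80),
           Packet("tcp", "192.0.2.7", "10.1.1.1", fo=185)]
FROM_HOST = [Packet("tcp", "10.1.1.1", "198.51.100.9", fo=0, dport=24),
             Packet("tcp", "10.1.1.1", "198.51.100.9", fo=185),
             Packet("udp", "10.1.1.1", "198.51.100.9", fo=185)]

if __name__ == "__main__":
    for name, acl, pkts in (("permit all", PERMIT_ALL, TO_HOST),
                            ("deny later fragments", DENY_LATER_FRAGMENTS, TO_HOST),
                            ("port 24", PORT_24, FROM_HOST),
                            ("port 24 + tcp fragments", PORT_24_TCP_FRAGMENTS, FROM_HOST)):
        print(name, [evaluate(acl, p) for p in pkts], "unused:", unused_rules(acl, pkts))
```

With only the port-24 permit rule and no explicit deny, a non-first fragment from any source falls through to the implicit permit, which is why the examples add deny ip any any fragment.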

Configure a Standard IP ACL

To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL. A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-list-name
2. Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five.
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode.
Examples of Using a Standard IP ACL
The following example shows viewing the rules of a specific ACL on an interface.
Dell#show ip accounting access-list ToOspf interface gig 1/6
Standard IP access list ToOspf
 seq 5 deny any
 seq 10 deny 10.2.0.0 /16
 seq 15 deny 10.3.0.0 /16
 seq 20 deny 10.4.0.0 /16
 seq 25 deny 10.5.0.0 /16
 seq 30 deny 10.6.0.0 /16
 seq 35 deny 10.7.0.0 /16
 seq 40 deny 10.8.0.0 /16
 seq 45 deny 10.9.0.0 /16
 seq 50 deny 10.10.0.0 /16
Dell#
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order.
Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any
Dell(config-std-nacl)#show config
!
ip access-list standard dilling
 seq 15 permit tcp 10.3.0.0/16 any
 seq 25 deny ip host 10.5.0.0 any log
Dell(config-std-nacl)#
To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode.

Configuring a Standard IP ACL Filter

If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five.
1. Configure a standard IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list standard access-list-name
2. Configure a drop or forward IP ACL filter.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
The following example shows a standard IP ACL in which the system assigns the sequence numbers. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Examples of Viewing Filter Sequence Standard ACLs
The following example shows viewing a filter sequence for a specified standard ACL.
Dell(config-route-map)#ip access standard kigali
Dell(config-std-nacl)#permit 10.1.0.0/16
Dell(config-std-nacl)#show config
!
ip access-list standard kigali
 seq 5 permit 10.1.0.0/16
 seq 10 deny tcp any any eq 111
Dell(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode.
Dell#show ip accounting access example interface gig 4/12
Extended IP access list example
 seq 10 deny tcp any any eq 111
 seq 15 deny udp any any eq 111
 seq 20 deny udp any any eq 2049
 seq 25 deny udp any any eq 31337
 seq 30 deny tcp any any range 12345 12346
 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
 seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
 seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
 seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.

Configure an Extended IP ACL

Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses.
Because traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the filter.

Configuring Filters with a Sequence Number

To configure filters with a sequence number, use the following commands.
1. Enter IP ACCESS LIST mode by creating an extended IP ACL.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure a drop or forward filter.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configure Filters, TCP Packets
To create a filter for TCP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for TCP packets.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} tcp {source mask | any | host ip-address}} [count [byte]] [order] [fragments]
Configure Filters, UDP Packets
To create a filter for UDP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for UDP packets.