Dell Force10 C150 Configuration Manual

Dell Force10 C150 Configuration Manual

Ftos configuration guide ftos e-series terascale, c-series, s-series (s50/s25)
Hide thumbs Also See for Force10 C150:
Table of Contents


FTOS Configuration Guide
E-Series TeraScale, C-Series,
S-Series (S50/S25)


Table of Contents

Summary of Contents for Dell Force10 C150

  • Page 1 FTOS Configuration Guide FTOS E-Series TeraScale, C-Series, S-Series (S50/S25)
  • Page 2 Information in this publication is subject to change without notice. © 2012 Dell Force10. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. © 2012 Dell Inc. Trademarks used in this text: Dell(TM), the Dell logo, Dell Boomi(TM), Dell Precision(TM) , OptiPlex(TM), Latitude(TM), PowerEdge(TM), PowerVault(TM), PowerConnect(TM), OpenManage(TM), EqualLogic(TM), Compellent(TM), KACE(TM), FlexAddress(TM), Force10(TM) and Vostro(TM) are trademarks of Dell Inc.
  • Page 3: Table Of Contents

    1 About this Guide ..........33 Objectives .
  • Page 4 Change System Logging Settings ......... .63 Display the Logging Buffer and the Logging Configuration .
  • Page 5 6 802.3ah ............93 Link Layer OAM Overview .
  • Page 6 MAC Authentication Bypass ..........127 MAB in Single-host and Multi-Host Mode .
  • Page 7 Configuring BFD for VLANs ......... .198 Configuring BFD for Port-Channels .
  • Page 8 Boot Behavior ............286 When to Use CAM Profiling .
  • Page 9 Configuration Tasks ........... .314 Configure the System to be a DHCP Server .
  • Page 10 Enable Force10 Service Agent ......... . .348 Specify an SMTP Server for FTSA .
  • Page 11 Failure and Event Logging ......... . .392 Hot-lock Behavior .
  • Page 12 Configure Management Interfaces on the S-Series ......424 Displaying Information on a Management Interface ......425 VLAN Interfaces .
  • Page 13 ARP Learning via ARP Request ......... .474 Configurable ARP Retries .
  • Page 14 Clear IPv6 Routes ..........504 23 Intermediate System to Intermediate System .
  • Page 15 MAC Learning Limit ........... .562 mac learning-limit dynamic .
  • Page 16 Configuring Transmit and Receive Mode ........596 Configuring a Time to Live .
  • Page 17 View the Source-active Cache ........623 Limit the Source-active Cache .
  • Page 18 Multicast Policies ............665 IPv4 Multicast Policies .
  • Page 19 Enable OSPFv2 ...........705 Enable Multi-Process OSPF .
  • Page 20 Refusing Multicast Traffic ..........756 Sending Multicast Traffic .
  • Page 21 Create VLANs for an Office VOIP Deployment ......795 Configure LLDP-MED for an Office VOIP Deployment ..... .796 Configure Quality of Service for an Office VOIP Deployment .
  • Page 22 Configure Per-VLAN Spanning Tree Plus ........836 Related Configuration Tasks .
  • Page 23 Implementation Information ..........878 Configuration Information .
  • Page 24 Protection from TCP Tiny and Overlapping Fragment Attacks ....935 SCP and SSH ............935 Using SCP with SSH to copy a software image .
  • Page 25 Show sFlow Globally ..........976 Show sFlow on an Interface .
  • Page 26 Events that Bring Down a SONET Interface ....... .1013 SONET Port Recovery Mechanism ........1014 SONET MIB .
  • Page 27 Configuring Spanning Tree ..........1049 Related Configuration Tasks .
  • Page 28 Clearing a UFD-Disabled Interface ........1090 Displaying Uplink Failure Detection .
  • Page 29 VRRP Implementation ..........1129 VRRP version 3 .
  • Page 30 Save a hardware log to a file on the flash .......1176 Manual reload messages .
  • Page 31 Trace logs ............1214 Buffer full condition .
  • Page 33: About This Guide

    About this Guide Objectives This guide describes the protocols and features supported by the Dell Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, and S-Series. The E-Series ExaScale platform is supported with FTOS version and later.
  • Page 34: Conventions

    This symbol is a note associated with some other text on the page that is marked with an asterisk. Related Documents For more information about the Dell Force10 E-Series, C-Series, and S-Series refer to the following documents: • FTOS Command Reference •...
  • Page 35: Configuration Fundamentals

    Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes.
  • Page 36: Cli Modes

    CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command The do Command on page 40). You can set user access rights to commands and command modes using privilege levels;...
  • Page 37: Navigating Cli Modes

  • Page 38 Table 2-1. FTOS Command Modes Access Command CLI Command Mode Prompt EXEC FTOS> Access the router through the console or Telnet. enable EXEC Privilege FTOS# • From EXEC mode, enter the command • From any other mode, use the command CONFIGURATION FTOS(conf)# •...
  • Page 39 Table 2-1. FTOS Command Modes Access Command CLI Command Mode Prompt mac access-list standard STANDARD ACCESS- FTOS(config-std-macl)# LIST mac access-list extended EXTENDED ACCESS- FTOS(config-ext-macl)# LIST MULTIPLE FTOS(config-mstp)# protocol spanning-tree mstp SPANNING TREE Per-VLAN SPANNING FTOS(config-pvst)# protocol spanning-tree pvst TREE Plus ip prefix-list PREFIX-LIST FTOS(conf-nprefixl)#...
  • Page 40: The Do Command

    The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command Figure 2-4 illustrates the command. Note: The following commands cannot be modified by the command: , and enable, disable, exit...
  • Page 41: Obtaining Help

    Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the help command: • Enter at the prompt or after a keyword to list the keywords available in the current mode. •...
  • Page 42: Command History

    • The UP and DOWN arrow keys display previously entered commands (see Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line, as described in Table 2-2.
  • Page 43: Filtering Show Command Outputs

    Filtering show Command Outputs show except find grep | Filter the output of a command to display specific information by adding no-more | save after the command. The variable is the text for which you are specified_text specified_text ignore-case filtering and it IS case sensitive unless the sub-option is implemented.
  • Page 44: Multiple Users In Configuration Mode

    % Warning: User "<username>" on line vty0 "" is in configuration mode If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
  • Page 45: Getting Started

    Getting Started This chapter contains the following major sections: • Default Configuration on page 46 • Configure a Host Name on page 47 • Access the System Remotely on page 47 • Configure the Enable Password on page 50 • Configuration File Management on page 50 •...
  • Page 46: Default Configuration

    Figure 3-1. Completed Boot Process .*************. #### #######. ######## ####### ######### ######## ######## .#. ###### ###########. #### .##. ## ### #### ###. ### ### ### ### ### ### ## ### #### ### ######## *# -## ### ###### ### ## ######### ######## *# ### ## ## ###...
  • Page 47: Configure A Host Name

    Configure a Host Name force10 The host name appears in the prompt. The default host name is • Host names must start with a letter and end with a letter or digit. • Characters within the string can be letters, digits, and hyphens. To configure a host name: Step Task...
  • Page 48: Configure The Management Port Ip Address

    Configure the Management Port IP Address Assign IP addresses to the management ports in order to access the system remotely. Note: Assign different IP addresses to each RPM’s management port. To configure the management port IP address: Step Task Command Syntax Command Mode interface ManagementEthernet Enter INTERFACE mode for the...
  • Page 49: Access The S-Series Remotely

    7 is for inputting a password that is already encrypted using a Type 7 hash. Obtaining the encrypted password from the configuration of another Dell Force10 system. Access the S-Series Remotely The S-Series does not have a dedicated management port nor a separate management routing table.
  • Page 50: Configure The Enable Password

    Compact Flash for the internal and external Flash memory. It has a space limitation but does not limit the number of files it can contain. Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause unexpected system behavior, including a reboot.
  • Page 51: Copy Files To And From The System

    Table 3-1. file-destination • To copy a remote file to Dell Force10 system, combine the syntax for a remote file location file-origin with the syntax for a local file location shown in Table 3-1.
  • Page 52: Save The Running-Configuration

    26292881 bytes successfully copied Save the Running-configuration The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the primary RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
  • Page 53: View Files

    Task Command Syntax Command Mode Save the running-configuration to: copy running-config startup-config the startup-configuration on the internal flash of the primary RPM copy running-config rpm flash://filename the internal flash on an RPM Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
  • Page 54: Command Syntax

    To view a list of files on the internal or external Flash: Step Task Command Syntax Command Mode View a list of files on: dir flash: the internal flash of an RPM EXEC Privilege dir slot: the external flash of an RPM The output of the command also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in...
  • Page 55: File System Management

    --More-- File System Management The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information:...
  • Page 56: View Command History

    Figure 3-9, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. Figure 3-9. Alternative Storage Location FTOS#cd slot0: FTOS#copy running-config test No File System Specified FTOS#copy run test 7419 bytes successfully copied...
  • Page 57: System Management

    System Management c e s System Management is supported on platforms: This chapter explains the different protocols or services used to manage the Dell Force10 system including: • Configure Privilege Levels on page 57 • Configure Logging on page 61 •...
  • Page 58: Removing A Command From Exec Mode

    A user can access all commands at his privilege level and below. Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level privilege exec using the command from CONFIGURATION mode.
  • Page 59 Task Command Syntax Command Mode privilege configure level level Allow access to INTERFACE, LINE, ROUTE-MAP, CONFIGURATION interface line route-map and/or ROUTER mode. Specify all keywords in the router command. command-keyword ||...|| command-keyword privilege configure interface Allow access to a CONFIGURATION, INTERFACE, CONFIGURATION line route-map...
  • Page 60 Figure 4-1. Create a Custom Privilege Level FTOS(conf)#do show run priv privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet [telnet output omitted]...
  • Page 61: Apply A Privilege Level To A Username

    Apply a Privilege Level to a Username To set a privilege level for a user: Task Command Syntax Command Mode Configure a privilege level for a user. CONFIGURATION username username privilege level Apply a Privilege Level to a Terminal Line To set a privilege level for a terminal line: Task Command Syntax...
  • Page 62: Log Messages In The Logging Buffer

    Log Messages in the Logging Buffer All error messages, except those beginning with %BOOTUP (Message 1), are log in the internal buffer. Message 1 BootUp Events %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled Configuration Task List for System Log Management The following list includes the configuration tasks for system log management: •...
  • Page 63: Send System Messages To A Syslog Server

    Send System Messages to a Syslog Server Send system messages to a syslog server by specifying a server: Task Command Syntax Command Mode Specify the server to which you want to send system logging ip-address ipv6-address CONFIGURATION messages. You can configure up to eight syslog servers, hostname which may be IPv4 and/or IPv6 addressed.
  • Page 64: Display The Logging Buffer And The Logging Configuration

    Task Command Syntax Command Mode Specify the size of the logging buffer. logging buffered size CONFIGURATION Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. logging history size Specify the number of messages that FTOS saves to its size...
  • Page 65 Figure 4-2. show logging Command Example FTOS#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
  • Page 66: Configure A Unix Logging Facility Level

    Configure a UNIX Logging Facility Level Facility is a message tag used to describe the application or process that submitted the log message. You can save system log messages with a UNIX system logging facility: Command Syntax Command Mode Purpose logging facility [ facility-type CONFIGURATION...
  • Page 67: Synchronize Log Messages

    Synchronize Log Messages You can configure a terminal line to hold all logs until all command inputs and outputs are complete so that log printing does not interfere when you are performing management tasks. Log synchronization also filters system messages for a specific line based on severity level and limits number of messages that are printed at once.
  • Page 68: File Transfer Services

    File Transfer Services You can configure the system to transfer files over the network using File Transfer Protocol (FTP). Configuration Task List for File Transfer Services The following list includes the configuration tasks for file transfer services: • Enable FTP server on page 68 •...
  • Page 69: Terminal Lines

    Note: You cannot use the change directory ( cd ) command until ftp-server topdir is configured. show running-config ftp Display your FTP configuration using the command from EXEC Privilege mode, as shown in Figure 4-4. Configure FTP client parameters When the system will be an FTP client, configure FTP client parameters: Task Command Syntax Command Mode...
  • Page 70: Configure Login Authentication For Terminal Lines

    Figure 4-5. Applying an Access List to a VTY Line FTOS(config-std-nacl)#show config ip access-list standard myvtyacl seq 5 permit host FTOS(config-std-nacl)#line vty 0 FTOS(config-line-vty)#show config line vty 0 access-class myvtyacl FTOS Behavior: Prior to FTOS version, in order to deny access on a VTY line, you must apply an ACL and AAA authentication to the line.
  • Page 71: Time Out Of Exec Privilege Mode

    Step Task Command Syntax Command Mode If you used the line authentication password LINE method in the method list you applied to the terminal line, configure a password for the terminal line. line Figure 4-6 VTY lines 0-2 use a single authentication method, Figure 4-6.
  • Page 72: Telnet To Another Network Device

    Figure 4-7. Configuring EXEC Timeout FTOS(conf)#line con 0 FTOS(config-line-console)#exec-timeout 0 FTOS(config-line-console)#show config line console 0 exec-timeout 0 0 FTOS(config-line-console)# Telnet to Another Network Device To telnet to another device: Task Command Syntax Command Mode telnet-peer-rpm Telnet to the peer RPM. You do not need to configure the management EXEC Privilege port on the peer RPM to be able to telnet to it.
  • Page 73: Viewing The Configuration Lock Status

    A two types of locks can be set: auto and manual. configuration mode exclusive auto • Set an auto-lock using the command from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access.
  • Page 74: Recovering From A Forgotten Password

    send command You can then send any user a message using the from EXEC Privilege mode. Alternatively clear you can clear any line using the command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode. Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 75: Recovering From A Forgotten Enable Password

    Step Task Command Syntax Command Mode Figure 4-12. Renaming the startup-config RPM0-CP BOOT_ADMIN # dir flash: Directory of flash: 1 -rwx 11407411 Jun 09 2004 09:38:40 FTOS-EE3- 2 -rwx 4977 Jun 09 2004 09:38:38 startup-config.bak Reload the system. reload BOOT_ADMIN Copy startup-config.bak to the copy flash://startup-config.bak EXEC Privilege...
  • Page 76: Recovering From A Forgotten Password On S-Series

    Step Task Command Syntax Command Mode Save the running-config to the copy running-config startup-config EXEC Privilege startup-config. The startup-config files on both RPMs will be synchronized. Recovering from a Forgotten Password on S-Series If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 77: Recovering From A Failed Start

    Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from a incorrect location. To resolve the problem, you can restart the system and interrupt the boot process to boot change point the system to another boot location by using the command, as described below.
  • Page 78 boot change boot system Very similar to the options of the command, the command is available in CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the startup configuration file, are stored in NVRAM and are then used routinely: Task Command Syntax Command Mode...
  • Page 79: Ethernet Cfm

    802.1ag 802.1ag is available only on platform: Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: 1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM) 2.
  • Page 80: Maintenance Domains

    There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
  • Page 81: Maintenance End Points

    MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to an bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
  • Page 82: Implementation Information

    Implementation Information • Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level). Configure CFM Configuring CFM is a five-step process: cam-acl 1. Configure the ecfmacl CAM region using the command.
  • Page 83: Enable Ethernet Cfm

    Enable Ethernet CFM Task Command Syntax Command Mode ethernet cfm Spawn the CFM process. No CFM configuration is CONFIGURATION allowed until the CFM process is spawned. disable Disable Ethernet CFM without stopping the CFM ETHERNET CFM process. Create a Maintenance Domain Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in Figure...
  • Page 84: Create A Maintenance Association

    MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to an bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
  • Page 85: Create A Maintenance Intermediate Point

    Task Command Syntax Command Mode FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level Type Port CCM-Status MA Name VLAN ------------------------------------------------------------------------------- cfm0 Gi 4/10 Enabled test0 DOWN 00:01:e8:59:23:45 cfm1 Gi 4/10 Enabled test1 DOWN 00:01:e8:59:23:45 cfm2 Gi 4/10 Enabled test2 DOWN...
  • Page 86 • MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM Task Command Syntax Command Mode show ethernet cfm maintenance-points remote detail active Display the MEP Database. EXEC Privilege domain expired...
  • Page 87: Continuity Check Messages

    Continuity Check Messages Continuity Check Messages (CCM) are periodic hellos used to: • discover MEPs and MIPs within a maintenance domain • detect loss of connectivity between MEPs • detect misconfiguration, such as VLAN ID mismatch between MEPs • to detect unauthorized MEPs in a maintenance domain Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
  • Page 88: Enable Ccm

    Enable CCM Step Task Command Syntax Command Mode no ccm disable Enable CCM. ECFM DOMAIN Default: Disabled ccm transmit-interval seconds Configure the transmit interval (mandatory). ECFM DOMAIN Default: 10 seconds The interval specified applies to all MEPs in the domain. Enable Cross-checking Task Command Syntax...
  • Page 89: Link Trace Cache

    Figure 5-4. Linktrace Message and Response MPLS Core Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]).
  • Page 90: Enable Cfm Snmp Traps

    Task Command Syntax Command Mode FTOS#show ethernet cfm traceroute-cache Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2 ------------------------------------------------------------------------------ Hops Host IngressMAC Ingr Action Relay Action Next Host Egress MAC Egress Action FWD Status ------------------------------------------------------------------------------ 00:00:00:01:e8:53:4a:f8 00:01:e8:52:4a:f8 IngOK...
  • Page 91: Display Ethernet Cfm Statistics

    Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference show ethernet cfm domain show ethernet cfm maintenance-points these values against the output of local mep FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level...
  • Page 92 Task Command Syntax Command Mode Display CFM statistics by port. show ethernet cfm port-statistics interface EXEC Privilege FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5 Port statistics for port: Gi 0/5 ================================== RX Statistics ============= Total CFM Pkts 75394 CCM Pkts 75394 LBM Pkts 0 LTM Pkts 0 LBR Pkts 0 LTR Pkts 0 Bad CFM Pkts 0 CFM Pkts Discarded 0...
  • Page 93: Link Layer Oam Overview

    802.3ah 802.3ah is available only on platform: A metropolitan area network (MAN) is a set of LANs, geographically separated but managed by a single entity. If the distance is large—across a city, for example—connectivity between LANs is managed by a service provider.
  • Page 94: Link Layer Oampdus

    • Remote Loopback—directs the remote system to reflects back frames that the local system transmits so that an administrator can isolate a fault. • Remote Failure Indication—notifies a peer of a critical link event. Link Layer OAMPDUs Link Layer OAM is conducted using OAMPDUs, shown in Figure 6-1.
  • Page 95: Link Layer Oam Operational Modes

    Link Layer OAM Operational Modes When participating in EFM OAM, system may operate in active or passive mode. • Active mode—Active mode systems initiate discovery. Once the Discovery process completes, they can send any OAMPDU while connected to a peer in Active mode, and a subset of OAMPDUs if the peer is in Passive mode (see Table 6-1).
  • Page 96: Link Layer Oam Events

    Link Layer OAM Events Link Layer OAM defines a set of events that may impact link operation, and monitors the link for those events. If an event occurs, the detecting system notifies its peer. There are two types of events: •...
  • Page 97: Configure Link Layer Oam

    Configure Link Layer OAM Configuring Link Layer OAM is a two-step process: 1. Enable Link Layer OAM. See page 97. 2. Enable any or all of the following: Link Performance Event Monitoring on page 99 Remote Failure Indication on page 102 Remote Loopback on page 103 Related Configuration Tasks •...
  • Page 98 Task Command Syntax Command Mode FTOS# show ethernet oam discovery interface <interface-name> Output format: <interface name> Local client __________ Administrative configurations: Mode:active Unidirection:not supported Link monitor:supported (on) Remote loopback:not supported MIB retrieval:not supported Mtu size:1500 Operational status: Port status:operational Loopback status:no loopback PDU permission:any PDU revision:1 Remote client...
  • Page 99: Adjust The Oampdu Transmission Parameters

    Adjust the OAMPDU Transmission Parameters Task Command Syntax Command Mode ethernet oam max-rate value min-rate value Specify a the maximum or minimum INTERFACE number of OAMPDUs to be sent per Range: 1-10 second. Default: 10 ethernet oam mode active passive Set the transmission mode to active or INTERFACE passive.
  • Page 100: Set Threshold Values

    Set Threshold Values The available pre-defined errors fall under two categories: • Symbol Errors—a symbol is an (electrical or optical) pulse on the physical medium that represents one or more bits. A symbol error occurs when a symbol degrades in transit so that the receiver is not able to decode it.
  • Page 101 Frame Errors per Second Task Command Syntax Command Mode ethernet oam link-monitor frame threshold high Specify the high threshold value for INTERFACE none frame errors, or disable the high frames threshold. Range: 1-65535 Default: None ethernet oam link-monitor frame threshold low frames Specify the low threshold for frame INTERFACE errors.
  • Page 102: Execute An Action Upon Exceeding The High Threshold

    Task Command Syntax Command Mode ethernet oam link-monitor frame-seconds window Specify the time period for error INTERFACE milliseconds second per time period condition. Range: 100-900, in multiples of 100 Default: 1000 milliseconds Execute an Action upon Exceeding the High Threshold When an error exceeds the low threshold, an event notification is sent to the peer.
  • Page 103: Remote Loopback

    Remote Loopback An active-mode device can place a passive peer into loopback mode by sending a Loopback Control OAMPDU. When in loopback mode: • the remote peer returns unaltered all non-OAMPDU frames sent by the local peer, and • all outbound data frames are discarded. Note: Control traffic egresses from loopback initiator and from interface in loopback mode.
  • Page 104: Display Link Layer Oam Configuration And Statistics

    Display Link Layer OAM Configuration and Statistics Task Command Syntax Command Mode show ethernet oam status interface interface Display Link Layer OAM status per EXEC Privilege interface. FTOS# show ethernet oam status interface <interface-name> Output Format : <interface-name> General ______ Mode:active PDU max rate:10 packets per second PDU min rate:1 packet per second...
  • Page 105 Task Command Syntax Command Mode FTOS# show ethernet oam statistics interface <interface-name> <interface-name> Counters: _________ Information OAMPDU Tx: 3439489 Information OAMPDU Rx: 9489 Unique Event Notification OAMPDU Tx: 0 Unique Event Notification OAMPDU x: 0 Duplicate Event Notification OAMPDU Tx: 0 Duplicate Event Notification OAMPDU Rx: 0 Loopback Control OAMPDU Tx: 0 Loopback Control OAMPDU Rx: 2...
  • Page 106: Manage Link Layer Oam

    Manage Link Layer OAM Enable MIB Retrieval Support/Function IEEE 802.3ah defines the Link OAM MIB in Sec 30A.20, “OAM entity managed object class”; all of the objects described there are supported. Note that 802.3ah does not include the ability to set/write remote MIB variables.
  • Page 107: Protocol Overview

    802.1X c e s 802.1X is supported on platforms: This chapter has the following sections: • Protocol Overview on page 107 • Configuring 802.1X on page 111 • Important Points to Remember on page 112 • Enabling 802.1X on page 112 •...
  • Page 108 (typically RADIUS) via a mandatory intermediary network access device, in this case, a Dell Force10 switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
  • Page 109: The Port-Authentication Process

    The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default. The Port-authentication Process...
  • Page 110: Eap Over Radius

    Figure 7-2. 802.1X Authentication Process Authentication Supplicant Authenticator Server EAP over LAN (EAPOL) EAP over RADIUS Request Identity Response Identity Access Request Access Challenge EAP Request EAP Reponse Access Request Access {Accept | Reject} EAP {Sucess | Failure} EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
  • Page 111: Configuring 802.1X

    RADIUS Attributes for 802.1 Support Dell Force10 systems includes the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Table 7-1. 802.1X Supported RADIUS Attributes Attribute Name Description User-Name the name of the supplicant to be authenticated. NAS-IP-Address NAS-Port the physical port number by which the authenticator is connected to the supplicant.
  • Page 112: Important Points To Remember

    Important Points to Remember • FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
  • Page 113 To enable 802.1X: Step Task Command Syntax Command Mode dot1x authentication Enable 802.1X globally. CONFIGURATION interface range Enter INTERFACE mode on an interface or a range of INTERFACE interfaces. dot1x authentication Enable 802.1X on an interface or a range of interfaces. INTERFACE show running-config | find Verify that 802.1X is enabled globally and at interface level using the command...
  • Page 114: Configuring Request Identity Re-Transmissions

    Configuring Request Identity Re-transmissions If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable. Note: There are several reasons why the supplicant might fail to respond;...
  • Page 115: Forcibly Authorizing Or Unauthorizing A Port

    Figure 7-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame: • After 90 seconds and a maximum of 10 times for an unresponsive supplicant • Re-transmits an EAP Request Identity frame Figure 7-7. Configuring a Request Identity Re-transmissions FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90 FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10 FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120...
  • Page 116: Re-Authenticating A Port

    To place a port in one of these three states: Step Task Command Syntax Command Mode dot1x port-control force-authorized Place a port in the ForceAuthorized, INTERFACE force-unauthorized auto ForceUnauthorized, or Auto state. Default: auto Figure 7-8 shows configuration information for a port that has been force-authorized. Figure 7-8.
  • Page 117: Configuring Timeouts

    To configure a maximum number of re-authentications: Step Task Command Syntax Command Mode dot1x reauth-max number Configure the maximum number of INTERFACE times that the supplicant can be Range: 1-10 reauthenticated. Default: 2 Figure 7-9. Configuring a Reauthentiction Period FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200 FTOS(conf-if-gi-2/1)#dot1x reauth-max 10 FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1:...
  • Page 118 To terminate the authentication process due to an unresponsive authentication server: Step Task Command Syntax Command Mode dot1x server-timeout seconds Terminate the authentication process due to an INTERFACE unresponsive authentication server. Range: 1-300. Default: 30 dot1x server-timeout Note: When you configure the value, you must take into account the communication medium used to dot1x communicate with an authentication server and the number of RADIUS servers configured.
  • Page 119: Dynamic Vlan Assignment With Port Authentication

    The dynamic VLAN assignment is based on RADIUS attribute 81, Tunnel-Private-Group-ID, and uses the following standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Force10 system. 2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
  • Page 120 Figure 7-11 shows the configuration on a Dell Force10 switch that uses dynamic VLAN assignment with 802.1X before you connect the end-user device (black and blue text), and after you connect the device (red text). The blue text corresponds to the numbered steps on page 119. Note that the GigabitEthernet 1/11 port, on which dynamic VLAN assignment with 802.1X is configured, is initially an untagged member of VLAN...
  • Page 121: Guest And Authentication-Fail Vlans

    Guest and Authentication-Fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
  • Page 122: Configuring An Authentication-Fail Vlan

    Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication on page 114). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
  • Page 123: Multi-Host Authentication

    Multi-Host Authentication Multi-Host Authentication is available on platforms: 802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 7-15; this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to the same port, a many-to-one configuration, only the first end-user to respond to the identity request is authenticated.
  • Page 124 When the host mode is changed on a port that is already authenticated: • Single-host to Multi-host: all devices attached to the port that were previously blocked may access the network; the supplicant does not re-authenticate. • Multi-host to Single-host: the port restarts the authentication process, and the first end-user to respond is authenticated and allowed access.
  • Page 125: Multi-Supplicant Authentication

    Task Command Syntax Command Mode dot1x host-mode single-host Configure Single-host Authentication mode on a port. INTERFACE FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable...
  • Page 126 During the authentication process, the Dell Force10 system is able to learn the MAC address of the device though the EAPoL frames, and the VLAN assignment from the RADIUS server. With this information it creates an authorized-MAC to VLAN mapping table per port. Then, the system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.
  • Page 127: Mac Authentication Bypass

    MAC Authentication Bypass MAC Authentication Bypass is supported on platforms: MAC Authentication Bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X—like IP phones, printers, and IP fax machines—still need connectivity to the network.
  • Page 128: Mab In Single-Host And Multi-Host Mode

    MAB in Single-host and Multi-Host Mode In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for single-host mode, traffic from all other MACs is dropped;...
  • Page 129 Step Task Command Syntax Command Mode (Optional) Use MAB authentication only— dot1x auth-type mab-only INTERFACE do not use 802.1X authentication first. If MAB fails the port or the MAC address is blocked, the port is placed in the guest VLAN (if configured). 802.1x authentication is not even attempted.
  • Page 130: Dynamic Cos With 802.1X

    VLAN and priority values are automatically applied to incoming packets. The RADIUS server finds the appropriate record based on the supplicant’s credentials and sends the priority re-mapping table to the Dell Force10 system by including Attribute 59 in the AUTH-ACCEPT packet. 802.1X...
  • Page 131 FTOS Behavior: The following conditions are applied to the use of dynamic CoS with 802.1X authentication on C-Series and S-Series platforms: • In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6.
  • Page 132 802.1X...
  • Page 133: Ip Access Control Lists (Acl), Prefix Lists, And Route-Maps

    IP Access Control Lists (ACL), Prefix Lists, and Route-maps c e s IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: c e s Ingress IP ACLs are supported on platforms: Egress IP ACLs are supported on platform: Overview At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses.
  • Page 134: Ip Access Control Lists (Acls)

    IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP packet. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference): •...
  • Page 135 CAM optimization is supported on platforms CAM Profiling CAM optimization is supported on platforms CAM profiling for ACLs is supported on E-Series TeraScale only. For complete information regarding E-Series TeraScale CAM profiles and configuration, refer to Chapter 11, Content Addressable Memory.
  • Page 136: Cam Optimization

    cam-acl Allocate space for IPV6 ACLs on the C-Series by using the command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM Allocation settings on a C-Series matching are: •...
  • Page 137: Implementing Acls On Ftos

    Figure 8-1. Command Example: test cam-usage (C-Series) FTOS#test cam-usage service-policy input TestPolicy linecard all Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status ------------------------------------------------------------------------------------------ 1 | IPv4Flow 232 | Allowed 1 | IPv6Flow 0 | Allowed 0 | IPv4Flow 232 |...
  • Page 138: Ip Fragment Handling

    Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM entries whether it is identified as a Standard or Extended ACL. Determine the order in which ACLs are used to classify traffic service-queue When you link class-maps to queues using the command , FTOS matches the class-maps...
  • Page 139: Ip Fragments Acl Examples

    • Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled. •...
  • Page 140: Configure A Standard Ip Acl

    In the following, TCP packets that are first fragments or non-fragmented from host with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host are permitted. All other IP packets that are non-first fragments are denied. FTOS(conf)#ip access-list extended ABC FTOS(conf-ext-nacl)#permit tcp host any eq 24 FTOS(conf-ext-nacl)#permit tcp host any fragment...
  • Page 141 A standard IP ACL uses the source IP address as its match criterion. Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered with a TCP filter included.
  • Page 142 Figure 8-4. Command example: seq FTOS(config-std-nacl)#seq 25 deny ip host any log FTOS(config-std-nacl)#seq 15 permit tcp /16 any FTOS(config-std-nacl)#show config ip access-list standard dilling seq 15 permit tcp any seq 25 deny ip host any log FTOS(config-std-nacl)# no seq To delete a filter, use the...
  • Page 143: Configure An Extended Ip Acl

    Figure 8-6. Command Example: show ip accounting access-list FTOS#show ip accounting access example interface gig 4/12 Extended IP access list example seq 10 deny tcp any any eq 111 seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host /28...
  • Page 144 Step Command Syntax Command Mode Purpose seq sequence-number deny CONFIG-EXT-NACL Configure a drop or forward filter. permit log and monitor options are supported on ip-protocol-number • E-Series only. icmp | ip | tcp | udp host source mask ip-address destination mask host ip-address operator count...
  • Page 145 When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
  • Page 146: Established Flag

    Figure 8-8 illustrates an extended IP ACL in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for show config example, the first filter was given the lowest sequence number). The command in the IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
  • Page 147: Assign An Ip Acl To An Interface

    If a rule is simply appended, existing counters are not affected. Table 8-2. L2 and L3 ACL Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny Denied by L3 ACL Deny Permit Permitted by L3 ACL Permit Deny Denied by L2 ACL...
  • Page 148: Counting Acl Hits

    To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in the following sequence in the INTERFACE mode: Step Command Syntax Command Mode Purpose interface interface slot/port CONFIGURATION Enter the interface number. ip address ip-address INTERFACE...
  • Page 149: Configuring Ingress Acls

    Step Task View the number of packets matching the ACL using the show ip accounting access-list from EXEC Privilege mode. Configuring Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system.These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
  • Page 150: Egress Layer 3 Acl Lookup For Control-Plane Ip Traffic

    An egress ACL is used when users would like to restrict egress traffic. For example, when a DOS attack traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow from exiting the box, thereby protecting downstream devices. ip access-group To create an egress ACLs, use the command...
  • Page 151: Configuring Acls To Loopback

    FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address. Configuring ACLs to Loopback ACLs can be supplied on Loopback interfaces supported on platform...
  • Page 152 Step Command Syntax Command Mode Purpose seq number permit CONFIGURATION If you are applying an extended ACL, and it has loopback-logging any any a deny ip any any entry, this entry denies internally generated packets as well as packets received from external devices. To prevent internally generated packets from being dropped, make sure that the ACL you intend to apply has seq number...
  • Page 153: Ip Prefix Lists

    IP Prefix Lists c e s Prefix Lists are supported on platforms: IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied.
  • Page 154: Configure A Prefix List

    The following list includes the configuration tasks for prefix lists: • Configure a prefix list on page 154 • Use a prefix list for route redistribution on page 156 For a complete listing of all commands related to prefix lists, refer to the FTOS Command Line Interface document.
  • Page 155 If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. The FTOS assigns filters in multiples of five. To configure a filter without a specified sequence number, use these commands in the following sequence starting in the CONFIGURATION mode: Step...
  • Page 156: Use A Prefix List For Route Redistribution

    Figure 8-15. Command example: show ip prefix-list detail FTOS>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny le 32 (hit count: 0) seq 6 deny ge 23 (hit count: 0) seq 10 permit le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10...
  • Page 157: Acl Resequencing

    Figure 8-17. Command Example: show config in the ROUTER RIP Mode FTOS(conf-router_rip)#show config router rip distribute-list prefix juba out network FTOS(conf-router_rip)#router ospf 34 To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode: Command Syntax