Dell Force10 C150 Configuration Manual

FTOS Configuration Guide
FTOS 8.4.2.7
E-Series TeraScale, C-Series,
S-Series (S50/S25)

   Summary of Contents for Dell Force10 C150

  • Page 1 FTOS Configuration Guide FTOS 8.4.2.7 E-Series TeraScale, C-Series, S-Series (S50/S25)
  • Page 2 Information in this publication is subject to change without notice. © 2012 Dell Force10. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. © 2012 Dell Inc. Trademarks used in this text: Dell(TM), the Dell logo, Dell Boomi(TM), Dell Precision(TM) , OptiPlex(TM), Latitude(TM), PowerEdge(TM), PowerVault(TM), PowerConnect(TM), OpenManage(TM), EqualLogic(TM), Compellent(TM), KACE(TM), FlexAddress(TM), Force10(TM) and Vostro(TM) are trademarks of Dell Inc.
  • Page 3: Table Of Contents

    1 About this Guide ..........33 Objectives .
  • Page 4 Change System Logging Settings ......... .63 Display the Logging Buffer and the Logging Configuration .
  • Page 5 6 802.3ah ............93 Link Layer OAM Overview .
  • Page 6 MAC Authentication Bypass ..........127 MAB in Single-host and Multi-Host Mode .
  • Page 7 Configuring BFD for VLANs ......... .198 Configuring BFD for Port-Channels .
  • Page 8 Boot Behavior ............286 When to Use CAM Profiling .
  • Page 9 Configuration Tasks ........... .314 Configure the System to be a DHCP Server .
  • Page 10 Enable Force10 Service Agent ......... . .348 Specify an SMTP Server for FTSA .
  • Page 11 Failure and Event Logging ......... . .392 Hot-lock Behavior .
  • Page 12 Configure Management Interfaces on the S-Series ......424 Displaying Information on a Management Interface ......425 VLAN Interfaces .
  • Page 13 ARP Learning via ARP Request ......... .474 Configurable ARP Retries .
  • Page 14 Clear IPv6 Routes ..........504 23 Intermediate System to Intermediate System .
  • Page 15 MAC Learning Limit ........... .562 mac learning-limit dynamic .
  • Page 16 Configuring Transmit and Receive Mode ........596 Configuring a Time to Live .
  • Page 17 View the Source-active Cache ........623 Limit the Source-active Cache .
  • Page 18 Multicast Policies ............665 IPv4 Multicast Policies .
  • Page 19 Enable OSPFv2 ...........705 Enable Multi-Process OSPF .
  • Page 20 Refusing Multicast Traffic ..........756 Sending Multicast Traffic .
  • Page 21 Create VLANs for an Office VOIP Deployment ......795 Configure LLDP-MED for an Office VOIP Deployment ..... .796 Configure Quality of Service for an Office VOIP Deployment .
  • Page 22 Configure Per-VLAN Spanning Tree Plus ........836 Related Configuration Tasks .
  • Page 23 Implementation Information ..........878 Configuration Information .
  • Page 24 Protection from TCP Tiny and Overlapping Fragment Attacks ....935 SCP and SSH ............935 Using SCP with SSH to copy a software image .
  • Page 25 Show sFlow Globally ..........976 Show sFlow on an Interface .
  • Page 26 Events that Bring Down a SONET Interface ....... .1013 SONET Port Recovery Mechanism ........1014 SONET MIB .
  • Page 27 Configuring Spanning Tree ..........1049 Related Configuration Tasks .
  • Page 28 Clearing a UFD-Disabled Interface ........1090 Displaying Uplink Failure Detection .
  • Page 29 VRRP Implementation ..........1129 VRRP version 3 .
  • Page 30 Save a hardware log to a file on the flash .......1176 Manual reload messages .
  • Page 31 Trace logs ............1214 Buffer full condition .
  • Page 33: About This Guide

    About this Guide Objectives This guide describes the protocols and features supported by the Dell Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, and S-Series. The E-Series ExaScale platform is supported with FTOS version 8.1.1.0 and later.
  • Page 34: Conventions

    This symbol is a note associated with some other text on the page that is marked with an asterisk. Related Documents For more information about the Dell Force10 E-Series, C-Series, and S-Series refer to the following documents: • FTOS Command Reference •...
  • Page 35: Configuration Fundamentals

    Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes.
  • Page 36: Cli Modes

    CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the do command; see The do Command on page 40). You can set user access rights to commands and command modes using privilege levels;...
  • Page 37: Navigating Cli Modes

    Figure 2-2. CLI Modes in FTOS (diagram; mode names only, hierarchy as drawn): EXEC > EXEC Privilege > CONFIGURATION > ARCHIVE; AS-PATH ACL; INTERFACE (GIGABIT ETHERNET, 10 GIGABIT ETHERNET, INTERFACE RANGE, LOOPBACK, MANAGEMENT ETHERNET, NULL, PORT-CHANNEL, SONET, VLAN, VRRP); IPv6; IP COMMUNITY-LIST; IP ACCESS-LIST (STANDARD ACCESS-LIST, EXTENDED ACCESS-LIST); LINE (AUXILIARY, CONSOLE, VIRTUAL TERMINAL); MAC ACCESS-LIST...
  • Page 38 Table 2-1. FTOS Command Modes (CLI command mode / prompt / access command): EXEC / FTOS> / access the router through the console or Telnet; EXEC Privilege / FTOS# / from EXEC mode, enter the enable command, or from any other mode, use the command shown in the table (not captured here); CONFIGURATION / FTOS(conf)# / •...
  • Page 39 Table 2-1. FTOS Command Modes (continued; CLI command mode / prompt / access command): STANDARD ACCESS-LIST / FTOS(config-std-macl)# / mac access-list standard; EXTENDED ACCESS-LIST / FTOS(config-ext-macl)# / mac access-list extended; MULTIPLE SPANNING TREE / FTOS(config-mstp)# / protocol spanning-tree mstp; Per-VLAN SPANNING TREE Plus / FTOS(config-pvst)# / protocol spanning-tree pvst; PREFIX-LIST / FTOS(conf-nprefixl)# / ip prefix-list...
  • Page 40: The Do Command

    The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the do command. Figure 2-4 illustrates the do command. Note: The following commands cannot be modified by the do command: enable, disable, exit, and...
  • Page 41: Obtaining Help

    Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the help command: • Enter ? at the prompt or after a keyword to list the keywords available in the current mode. •...
  • Page 42: Command History

    • The UP and DOWN arrow keys display previously entered commands (see Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line, as described in Table 2-2.
  • Page 43: Filtering Show Command Outputs

    Filtering show Command Outputs Filter the output of a show command to display specific information by adding | {except | find | grep | no-more | save} specified_text after the command. The variable specified_text is the text for which you are filtering, and it IS case sensitive unless the ignore-case sub-option is implemented.
  • Page 44: Multiple Users In Configuration Mode

    % Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode If either of these messages appears, Dell Force10 recommends that you coordinate with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
  • Page 45: Getting Started

    Getting Started This chapter contains the following major sections: • Default Configuration on page 46 • Configure a Host Name on page 47 • Access the System Remotely on page 47 • Configure the Enable Password on page 50 • Configuration File Management on page 50 •...
  • Page 46: Default Configuration

    Figure 3-1. Completed Boot Process (ASCII-art boot banner not reproduced)...
  • Page 47: Configure A Host Name

    Configure a Host Name The host name appears in the prompt. The default host name is force10. • Host names must start with a letter and end with a letter or digit. • Characters within the string can be letters, digits, and hyphens. To configure a host name: Step Task...
  • Page 48: Configure The Management Port Ip Address

    Configure the Management Port IP Address Assign IP addresses to the management ports in order to access the system remotely. Note: Assign different IP addresses to each RPM's management port. To configure the management port IP address: Step / Task / Command Syntax / Command Mode: enter INTERFACE mode for the ... : interface ManagementEthernet...
  • Page 49: Access The S-series Remotely

    7 is for inputting a password that is already encrypted using a Type 7 hash, for example one obtained from the configuration of another Dell Force10 system. Note that the encrypted string is itself the credential: anyone who can read the configuration it was copied from (backups, TFTP servers, a show running-config over Telnet) holds the same password material for every system it is pasted into. Access the S-Series Remotely The S-Series does not have a dedicated management port nor a separate management routing table.
  • Page 50: Configure The Enable Password

    Compact Flash for the internal and external Flash memory. It has a space limitation but does not limit the number of files it can contain. Note: Using flash memory cards in the system that have not been approved by Dell Force10 can cause unexpected system behavior, including a reboot.
  • Page 51: Copy Files To And From The System

    Table 3-1. file-destination • To copy a remote file to a Dell Force10 system, combine the syntax for a remote file location (file-origin) with the syntax for a local file location (file-destination) shown in Table 3-1.
  • Page 52: Save The Running-configuration

    26292881 bytes successfully copied Save the Running-configuration The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startup-configuration is stored in the internal flash on the primary RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
  • Page 53: View Files

    Task / Command Syntax / Command Mode: save the running-configuration to the startup-configuration on the internal flash of the primary RPM: copy running-config startup-config; save it to the internal flash on an RPM: copy running-config rpm flash://filename. Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
  • Page 54: Command Syntax

    To view a list of files on the internal or external Flash: Step / Task / Command Syntax / Command Mode: view a list of files on the internal flash of an RPM: dir flash: (EXEC Privilege); on the external flash of an RPM: dir slot:. The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in...
  • Page 55: File System Management

    --More-- File System Management The Dell Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information:...
  • Page 56: View Command History

    Figure 3-9, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. Figure 3-9. Alternative Storage Location FTOS#cd slot0: FTOS#copy running-config test No File System Specified FTOS#copy run test 7419 bytes successfully copied...
  • Page 57: System Management

    System Management System Management is supported on platforms: C-Series, E-Series, S-Series. This chapter explains the different protocols or services used to manage the Dell Force10 system including: • Configure Privilege Levels on page 57 • Configure Logging on page 61 •...
  • Page 58: Removing A Command From Exec Mode

    A user can access all commands at his privilege level and below. Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level using the privilege exec command from CONFIGURATION mode.
  • Page 59 Task / Command Syntax / Command Mode: allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode (specify all keywords in the command): privilege configure level level {interface | line | route-map | router} command-keyword ||...|| command-keyword (CONFIGURATION); allow access to a CONFIGURATION, INTERFACE, ... : privilege configure {interface | line | route-map...
  • Page 60 Figure 4-1. Create a Custom Privilege Level FTOS(conf)#do show run priv privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet 10.11.80.201 [telnet output omitted]...
  • Page 61: Apply A Privilege Level To A Username

    Apply a Privilege Level to a Username To set a privilege level for a user: Task Command Syntax Command Mode Configure a privilege level for a user. CONFIGURATION username username privilege level Apply a Privilege Level to a Terminal Line To set a privilege level for a terminal line: Task Command Syntax...
  • Page 62: Log Messages In The Logging Buffer

    Log Messages in the Logging Buffer All error messages, except those beginning with %BOOTUP (Message 1), are logged in the internal buffer. Message 1 BootUp Events %BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled Configuration Task List for System Log Management The following list includes the configuration tasks for system log management: •...
  • Page 63: Send System Messages To A Syslog Server

    Send System Messages to a Syslog Server Send system messages to a syslog server by specifying a server: Task / Command Syntax / Command Mode: specify the server to which you want to send system logging messages: logging {ip-address | ipv6-address | hostname} (CONFIGURATION). You can configure up to eight syslog servers, which may be IPv4 and/or IPv6 addressed.
  • Page 64: Display The Logging Buffer And The Logging Configuration

    Task / Command Syntax / Command Mode: specify the size of the logging buffer: logging buffered size (CONFIGURATION). Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. Specify the number of messages that FTOS saves to its ... : logging history size...
  • Page 65 Figure 4-2. show logging Command Example FTOS#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
  • Page 66: Configure A Unix Logging Facility Level

    Configure a UNIX Logging Facility Level Facility is a message tag used to describe the application or process that submitted the log message. You can save system log messages with a UNIX system logging facility: Command Syntax / Command Mode / Purpose: logging facility [facility-type] (CONFIGURATION)...
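The messages FTOS forwards to a syslog server leave the switch as plain UDP datagrams with no authentication, so the receiving side has to do its own source filtering and severity triage. As an added example (not from the guide and not FTOS code), the Python below parses RFC 3164 lines that carry the %FACILITY-SEVERITY-MNEMONIC tag seen in the show logging output above, decodes facility and severity from the PRI value, and raises alerts for messages from hosts outside a trusted list or at error severity and worse. The host names, the EXAMPLE-2-CRIT_EVENT tag and all log lines are constructed.

```python
"""Receiver-side parser for RFC 3164 syslog lines, decoding the PRI field into
facility/severity and the FTOS-style %FACILITY-SEVERITY-MNEMONIC tag.
Added example; the sample lines are constructed, not captured from a switch."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 facility and severity tables: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI>MMM dd hh:mm:ss HOST MESSAGE: the shape a syslog server sees on UDP/514.
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# %FACILITY-SEVERITY-MNEMONIC: text, as in the guide's show logging output.
_TAG_RE = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Constructed sample input.  The first two mnemonics appear in the guide's
# show logging example; EXAMPLE-2-CRIT_EVENT is a hypothetical tag; the last
# line comes from a host that is not one of our switches.
SAMPLE_LINES = [
    "<190>Jun  9 09:38:40 core-sw1 %IRC-6-IRC_COMMUP: Link to peer RPM is up",
    "<190>Jun  9 09:38:41 core-sw1 %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.",
    "<186>Jun  9 09:40:02 core-sw1 %EXAMPLE-2-CRIT_EVENT: hypothetical critical condition",
    "<190>Jun  9 09:41:13 10.0.0.99 %IRC-6-IRC_COMMUP: Link to peer RPM is up",
]


@dataclass
class SyslogEvent:
    facility: str               # from PRI
    severity: int               # from PRI, 0 (emergencies) .. 7 (debugging)
    timestamp: str
    host: str
    tag_facility: Optional[str]  # FTOS %TAG facility, if the message carries one
    tag_severity: Optional[int]
    mnemonic: Optional[str]
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> Tuple[str, int]:
    """Split a PRI value into (facility name, severity number)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], pri & 7


def parse_line(line: str) -> SyslogEvent:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    facility, severity = decode_pri(int(m["pri"]))
    msg = m["msg"]
    t = _TAG_RE.match(msg)
    if t:
        return SyslogEvent(facility, severity, m["ts"], m["host"],
                           t["fac"], int(t["sev"]), t["mnemonic"], t["text"])
    return SyslogEvent(facility, severity, m["ts"], m["host"], None, None, None, msg)


def triage(lines: List[str], trusted_hosts: set, alert_at: int = 3):
    """Parse every line and return (events, alerts).  An alert is raised for a
    message whose host is not in trusted_hosts (plain UDP syslog is
    unauthenticated, so a source check is the only filter available) and for
    any message at severity alert_at (errors) or worse."""
    events, alerts = [], []
    for line in lines:
        ev = parse_line(line)
        events.append(ev)
        if ev.host not in trusted_hosts:
            alerts.append(("untrusted source", ev))
        if ev.severity <= alert_at:
            alerts.append(("severity " + ev.severity_name, ev))
    return events, alerts


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_LINES, {"core-sw1"})[1]:
        print("%-18s %s %s %s" % (reason, ev.host, ev.mnemonic, ev.text))
```

Running the block prints one line for the constructed critical event and one for the message from 10.0.0.99. The PRI severity is used for triage because it is what the collector actually received; the severity digit inside the %TAG is kept separately so a mismatch between the two can be reported if the collector rewrites PRI values.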
  • Page 67: Synchronize Log Messages

    Synchronize Log Messages You can configure a terminal line to hold all logs until all command inputs and outputs are complete so that log printing does not interfere when you are performing management tasks. Log synchronization also filters system messages for a specific line based on severity level and limits the number of messages that are printed at once.
  • Page 68: File Transfer Services

    File Transfer Services You can configure the system to transfer files over the network using File Transfer Protocol (FTP). FTP sends credentials and file contents in cleartext; where the image supports it, prefer SCP over SSH (see SCP and SSH, page 935) and restrict the FTP server to the hosts that need it. Configuration Task List for File Transfer Services The following list includes the configuration tasks for file transfer services: • Enable FTP server on page 68 •...
  • Page 69: Terminal Lines

    Note: You cannot use the change directory (cd) command until ftp-server topdir is configured. Display your FTP configuration using the show running-config ftp command from EXEC Privilege mode, as shown in Figure 4-4. Configure FTP client parameters When the system will be an FTP client, configure FTP client parameters: Task Command Syntax Command Mode...
  • Page 70: Configure Login Authentication For Terminal Lines

    Figure 4-5. Applying an Access List to a VTY Line FTOS(config-std-nacl)#show config ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 FTOS(config-std-nacl)#line vty 0 FTOS(config-line-vty)#show config line vty 0 access-class myvtyacl FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you must apply an ACL and AAA authentication to the line.
  • Page 71: Time Out Of Exec Privilege Mode

    Step / Task / Command Syntax / Command Mode: if you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line: password (LINE). In Figure 4-6, VTY lines 0-2 use a single authentication method, line. Figure 4-6.
  • Page 72: Telnet To Another Network Device

    Figure 4-7. Configuring EXEC Timeout FTOS(conf)#line con 0 FTOS(config-line-console)#exec-timeout 0 FTOS(config-line-console)#show config line console 0 exec-timeout 0 0 FTOS(config-line-console)# Note that exec-timeout 0 disables the idle timeout: an unattended console session stays authenticated until it is explicitly closed, so set a non-zero timeout on every line that anyone other than the operator can reach. Telnet to Another Network Device To telnet to another device: Task / Command Syntax / Command Mode: telnet to the peer RPM (you do not need to configure the management port on the peer RPM to be able to telnet to it): telnet-peer-rpm (EXEC Privilege).
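The VTY access-class, line authentication and exec-timeout settings on the preceding pages are the controls that decide who can reach the CLI and how long an idle session stays open, and they are easy to audit from a saved configuration. As an added example (not FTOS code and not from the guide), the Python below walks a running-config in the show config layout and reports VTY lines without an access-class, access-class ACLs that permit any source, exec-timeout 0, and an enabled FTP server. The ACL names, the line contents and the whole config fragment are constructed.

```python
"""Static audit of an FTOS-style running-config for the terminal-line hardening
points in this chapter: VTY lines without an access-class, access-class ACLs
that permit any source, exec-timeout 0 (idle timeout disabled) and an enabled
FTP server.  Added example; the configuration text below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed running-config fragment.  Only commands that appear in this
# chapter are used; the ACL names are made up.
SAMPLE_CONFIG = """\
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
ip access-list standard openacl
 seq 5 permit any
!
ftp-server enable
!
line console 0
 exec-timeout 0 0
line vty 0
 access-class myvtyacl
 exec-timeout 10 0
line vty 1
 access-class openacl
line vty 2
 exec-timeout 0 0
"""

Block = Tuple[str, List[str]]   # (top-level command, indented child commands)


def parse_blocks(text: str) -> List[Block]:
    """Group indented child lines under the preceding unindented command,
    the way show running-config / show config print them."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _acl_permits_any(entries: List[str]) -> bool:
    return any(re.search(r"\bpermit any\b", e) for e in entries)


def audit(text: str) -> List[str]:
    """Return one human-readable finding per weak setting, in config order."""
    blocks = parse_blocks(text)
    acls: Dict[str, List[str]] = {}
    for head, body in blocks:
        m = re.match(r"ip access-list standard (\S+)$", head)
        if m:
            acls[m.group(1)] = body
    findings: List[str] = []
    for head, body in blocks:
        if head == "ftp-server enable":
            findings.append("ftp-server enable: FTP carries credentials and files in cleartext; prefer SCP over SSH")
            continue
        m = re.match(r"line (console|vty|aux) (\d+)", head)
        if not m:
            continue
        kind = m.group(1)
        access = [b.split()[1] for b in body if b.startswith("access-class ")]
        if kind == "vty":
            if not access:
                findings.append("%s: no access-class, any reachable host may attempt a login" % head)
            for name in access:
                if name not in acls:
                    findings.append("%s: access-class %s refers to an undefined ACL" % (head, name))
                elif _acl_permits_any(acls[name]):
                    findings.append("%s: access-class %s contains 'permit any', so it restricts nothing" % (head, name))
        for b in body:
            t = re.match(r"exec-timeout (\d+)(?: (\d+))?$", b)
            if t and int(t.group(1)) == 0 and int(t.group(2) or 0) == 0:
                findings.append("%s: exec-timeout 0 disables the idle timeout" % head)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed fragment the audit reports the FTP server, the console line with no idle timeout, VTY 1 whose ACL permits any source, and VTY 2 for both a missing access-class and exec-timeout 0; VTY 0, which is restricted to one host and times out after ten minutes, produces nothing. The parser keys on the one-space indentation that show config uses for child commands, so it also accepts output pasted from a terminal.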
  • Page 73: Viewing The Configuration Lock Status

    Two types of locks can be set: auto and manual. • Set an auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access.
  • Page 74: Recovering From A Forgotten Password

    You can then send any user a message using the send command from EXEC Privilege mode. Alternatively you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode. Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 75: Recovering From A Forgotten Enable Password

    Step Task Command Syntax Command Mode Figure 4-12. Renaming the startup-config RPM0-CP BOOT_ADMIN # dir flash: Directory of flash: 1 -rwx 11407411 Jun 09 2004 09:38:40 FTOS-EE3-5.3.1.1.bin 2 -rwx 4977 Jun 09 2004 09:38:38 startup-config.bak Reload the system. reload BOOT_ADMIN Copy startup-config.bak to the copy flash://startup-config.bak EXEC Privilege...
  • Page 76: Recovering From A Forgotten Password On S-series

    Step Task Command Syntax Command Mode Save the running-config to the copy running-config startup-config EXEC Privilege startup-config. The startup-config files on both RPMs will be synchronized. Recovering from a Forgotten Password on S-Series If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter.
  • Page 77: Recovering From A Failed Start

    Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from an incorrect location. To resolve the problem, you can restart the system and interrupt the boot process to point the system to another boot location by using the boot change command, as described below.
  • Page 78 Very similar to the options of the boot change command, the boot system command is available in CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the startup configuration file, are stored in NVRAM and are then used routinely: Task Command Syntax Command Mode...
  • Page 79: Ethernet Cfm

    802.1ag 802.1ag is available only on platform: Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: 1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM) 2.
  • Page 80: Maintenance Domains

    There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
  • Page 81: Maintenance End Points

    MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on Dell Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine. •...
  • Page 82: Implementation Information

    Implementation Information • Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level). Configure CFM Configuring CFM is a five-step process: 1. Configure the ecfmacl CAM region using the cam-acl command.
  • Page 83: Enable Ethernet Cfm

    Enable Ethernet CFM Task / Command Syntax / Command Mode: spawn the CFM process (no CFM configuration is allowed until the CFM process is spawned): ethernet cfm (CONFIGURATION); disable Ethernet CFM without stopping the CFM process: disable (ETHERNET CFM). Create a Maintenance Domain Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in Figure...
  • Page 84: Create A Maintenance Association

  • Page 85: Create A Maintenance Intermediate Point

    Task Command Syntax Command Mode FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level Type Port CCM-Status MA Name VLAN ------------------------------------------------------------------------------- cfm0 Gi 4/10 Enabled test0 DOWN 00:01:e8:59:23:45 cfm1 Gi 4/10 Enabled test1 DOWN 00:01:e8:59:23:45 cfm2 Gi 4/10 Enabled test2 DOWN...
  • Page 86 • MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM. Task / Command Syntax / Command Mode: display the MEP Database: show ethernet cfm maintenance-points remote detail {active | domain ... | expired ...} (EXEC Privilege)...
  • Page 87: Continuity Check Messages

    Continuity Check Messages Continuity Check Messages (CCM) are periodic hellos used to: • discover MEPs and MIPs within a maintenance domain • detect loss of connectivity between MEPs • detect misconfiguration, such as VLAN ID mismatch between MEPs • detect unauthorized MEPs in a maintenance domain. Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
  • Page 88: Enable Ccm

    Enable CCM Step / Task / Command Syntax / Command Mode: enable CCM: no ccm disable (ECFM DOMAIN), default: disabled; configure the transmit interval (mandatory): ccm transmit-interval seconds (ECFM DOMAIN), default: 10 seconds. The interval specified applies to all MEPs in the domain. Enable Cross-checking Task Command Syntax...
  • Page 89: Link Trace Cache

    Figure 5-4. Linktrace Message and Response (diagram across an MPLS core; not reproduced) Link trace messages carry a unicast target address (the MAC address of a MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]).
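CCMs are what let a MEP notice a missing, misconfigured or unauthorized peer, and both the CCM and the linktrace group addresses are derived from the MD level. As an added example (not from the guide and not FTOS code), the Python below builds and parses 802.1ag CCM PDUs, derives the CCM and LTM group destination MACs for a given MD level, and applies the receive-side checks a MEP performs: MD level, MAID (MD name plus short MA name) and a cross-check list of expected MEPIDs. The Customer2 / Test2 names appear in this chapter's traceroute-cache output; the MEPIDs, sequence numbers and frame contents are constructed.

```python
"""Build and parse IEEE 802.1ag CFM PDUs (common header plus CCM body) and apply
the checks a MEP performs on received CCMs: MD level, MAID and MEPID against
the cross-check list.  Added example; all PDUs here are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

CFM_ETHERTYPE = 0x8902
OPCODES = {1: "CCM", 2: "LBR", 3: "LBM", 4: "LTR", 5: "LTM"}
CCM_INTERVALS = {1: "3.3ms", 2: "10ms", 3: "100ms", 4: "1s", 5: "10s", 6: "1min", 7: "10min"}
CCM_FIRST_TLV_OFFSET = 70          # fixed CCM body length per 802.1ag


def group_mac(md_level: int, opcode: str = "CCM") -> str:
    """CCM group address 01:80:c2:00:00:3<level>; LTM uses 01:80:c2:00:00:3<8+level>."""
    if not 0 <= md_level <= 7:
        raise ValueError("MD level must be 0..7")
    base = {"CCM": 0x30, "LTM": 0x38}[opcode]
    return "01:80:c2:00:00:%02x" % (base + md_level)


def build_maid(md_name: str, ma_name: str) -> bytes:
    """MAID: MD name (format 4, character string) followed by the short MA name
    (format 2, character string), zero-padded to 48 octets."""
    md, ma = md_name.encode("ascii"), ma_name.encode("ascii")
    body = bytes([4, len(md)]) + md + bytes([2, len(ma)]) + ma
    if len(body) > 48:
        raise ValueError("MAID longer than 48 octets")
    return body.ljust(48, b"\x00")


def parse_maid(buf: bytes) -> Tuple[Optional[str], str]:
    fmt, i, md_name = buf[0], 1, None
    if fmt != 1:                                   # format 1 = no MD name present
        n = buf[i]
        md_name = buf[i + 1:i + 1 + n].decode("ascii", "replace")
        i += 1 + n
    ma_fmt, n = buf[i], buf[i + 1]
    ma = buf[i + 2:i + 2 + n]
    return md_name, (ma.decode("ascii", "replace") if ma_fmt == 2 else ma.hex())


def build_ccm(md_level: int, mep_id: int, md_name: str, ma_name: str,
              seq: int, interval: int = 5, rdi: bool = False) -> bytes:
    """Common header (level/version, opcode, flags, first TLV offset) + CCM body
    (sequence, MEPID, MAID, TxFCf/RxFCb/TxFCb/reserved) + End TLV."""
    flags = (0x80 if rdi else 0) | interval       # bit 7 = RDI, bits 0-2 = interval code
    header = bytes([(md_level << 5) | 0, 1, flags, CCM_FIRST_TLV_OFFSET])
    body = struct.pack("!IH", seq, mep_id) + build_maid(md_name, ma_name) + b"\x00" * 16
    return header + body + b"\x00"                 # End TLV (type 0)


def parse_cfm(pdu: bytes) -> Dict:
    level, version, opcode, flags = pdu[0] >> 5, pdu[0] & 0x1F, pdu[1], pdu[2]
    out = {"md_level": level, "version": version,
           "opcode": OPCODES.get(opcode, opcode), "first_tlv_offset": pdu[3]}
    if opcode == 1:
        seq, mep_id = struct.unpack("!IH", pdu[4:10])
        md_name, ma_name = parse_maid(pdu[10:58])
        out.update(seq=seq, mep_id=mep_id, md_name=md_name, ma_name=ma_name,
                   rdi=bool(flags & 0x80), interval=CCM_INTERVALS.get(flags & 7))
    return out


def check_ccm(ccm: Dict, md_level: int, md_name: str, ma_name: str,
              expected_meps: set) -> List[str]:
    """Reasons a received CCM is a defect for a MEP configured with the given
    MD level, MAID and cross-check list.  An empty list means a healthy peer."""
    if ccm["opcode"] != "CCM":
        return ["not a CCM"]
    problems = []
    if ccm["md_level"] != md_level:
        problems.append("MD level %d != %d (level mismatch)" % (ccm["md_level"], md_level))
    if (ccm["md_name"], ccm["ma_name"]) != (md_name, ma_name):
        problems.append("MAID mismatch (cross-connect or leaked CCM)")
    if ccm["mep_id"] not in expected_meps:
        problems.append("MEPID %d not in cross-check list (unauthorized MEP)" % ccm["mep_id"])
    if ccm["rdi"]:
        problems.append("peer MEP %d signals RDI" % ccm["mep_id"])
    return problems


if __name__ == "__main__":
    pdu = build_ccm(7, 101, "Customer2", "Test2", seq=42)
    print(group_mac(7), group_mac(7, "LTM"), parse_cfm(pdu))
    print(check_ccm(parse_cfm(build_ccm(7, 999, "Customer2", "Test2", 1)),
                    7, "Customer2", "Test2", {101, 102}))
```

A CCM whose MEPID is absent from the cross-check list is exactly the "unauthorized MEP" case the text lists; a CCM with a different MAID is a cross-connect (two MAs leaking into each other), and a lower MD level than the receiving MEP's is a level mismatch. The interval code 5 matches the 10-second default in the Enable CCM table.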
  • Page 90: Enable Cfm Snmp Traps

    Task Command Syntax Command Mode FTOS#show ethernet cfm traceroute-cache Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2 ------------------------------------------------------------------------------ Hops Host IngressMAC Ingr Action Relay Action Next Host Egress MAC Egress Action FWD Status ------------------------------------------------------------------------------ 00:00:00:01:e8:53:4a:f8 00:01:e8:52:4a:f8 IngOK...
  • Page 91: Display Ethernet Cfm Statistics

    Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points local mep. FTOS#show ethernet cfm maintenance-points local mep ------------------------------------------------------------------------------- MPID Domain Name Level...
  • Page 92 Task Command Syntax Command Mode Display CFM statistics by port. show ethernet cfm port-statistics interface EXEC Privilege FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5 Port statistics for port: Gi 0/5 ================================== RX Statistics ============= Total CFM Pkts 75394 CCM Pkts 75394 LBM Pkts 0 LTM Pkts 0 LBR Pkts 0 LTR Pkts 0 Bad CFM Pkts 0 CFM Pkts Discarded 0...
  • Page 93: Link Layer Oam Overview

    802.3ah 802.3ah is available only on platform: A metropolitan area network (MAN) is a set of LANs, geographically separated but managed by a single entity. If the distance is large—across a city, for example—connectivity between LANs is managed by a service provider.
  • Page 94: Link Layer Oampdus

    • Remote Loopback: directs the remote system to reflect back frames that the local system transmits so that an administrator can isolate a fault. • Remote Failure Indication: notifies a peer of a critical link event. Link Layer OAMPDUs Link Layer OAM is conducted using OAMPDUs, shown in Figure 6-1.
  • Page 95: Link Layer Oam Operational Modes

    Link Layer OAM Operational Modes When participating in EFM OAM, a system may operate in active or passive mode. • Active mode: active mode systems initiate discovery. Once the Discovery process completes, they can send any OAMPDU while connected to a peer in Active mode, and a subset of OAMPDUs if the peer is in Passive mode (see Table 6-1).
  • Page 96: Link Layer Oam Events

    Link Layer OAM Events Link Layer OAM defines a set of events that may impact link operation, and monitors the link for those events. If an event occurs, the detecting system notifies its peer. There are two types of events: •...
  • Page 97: Configure Link Layer Oam

    Configure Link Layer OAM Configuring Link Layer OAM is a two-step process: 1. Enable Link Layer OAM. See page 97. 2. Enable any or all of the following: Link Performance Event Monitoring on page 99 Remote Failure Indication on page 102 Remote Loopback on page 103 Related Configuration Tasks •...
  • Page 98 Task Command Syntax Command Mode FTOS# show ethernet oam discovery interface <interface-name> Output format: <interface name> Local client __________ Administrative configurations: Mode:active Unidirection:not supported Link monitor:supported (on) Remote loopback:not supported MIB retrieval:not supported Mtu size:1500 Operational status: Port status:operational Loopback status:no loopback PDU permission:any PDU revision:1 Remote client...
  • Page 99: Adjust The Oampdu Transmission Parameters

    Adjust the OAMPDU Transmission Parameters. ethernet oam max-rate value | min-rate value (INTERFACE mode): Specify the maximum or minimum number of OAMPDUs to be sent per second. Range: 1-10. Default: 10. ethernet oam mode {active | passive} (INTERFACE mode): Set the transmission mode to active or passive.
  • Page 100: Set Threshold Values

    Set Threshold Values The available pre-defined errors fall under two categories: • Symbol Errors—a symbol is an (electrical or optical) pulse on the physical medium that represents one or more bits. A symbol error occurs when a symbol degrades in transit so that the receiver is not able to decode it.
  • Page 101 Frame Errors per Second. ethernet oam link-monitor frame threshold high {none | frames} (INTERFACE mode): Specify the high threshold value for frame errors, or disable the high threshold. Range: 1-65535. Default: None. ethernet oam link-monitor frame threshold low frames (INTERFACE mode): Specify the low threshold for frame errors.
  • Page 102: Execute An Action Upon Exceeding The High Threshold

    ethernet oam link-monitor frame-seconds window milliseconds (INTERFACE mode): Specify the time period for the error-second-per-time-period condition. Range: 100-900, in multiples of 100. Default: 1000 milliseconds. Execute an Action upon Exceeding the High Threshold. When an error exceeds the low threshold, an event notification is sent to the peer.
  • Page 103: Remote Loopback

    Remote Loopback An active-mode device can place a passive peer into loopback mode by sending a Loopback Control OAMPDU. When in loopback mode: • the remote peer returns unaltered all non-OAMPDU frames sent by the local peer, and • all outbound data frames are discarded. Note: Control traffic egresses from the loopback initiator and from the interface in loopback mode.
  • Page 104: Display Link Layer Oam Configuration And Statistics

    Display Link Layer OAM Configuration and Statistics. show ethernet oam status interface interface (EXEC Privilege mode): Display Link Layer OAM status per interface. FTOS# show ethernet oam status interface <interface-name> Output Format: <interface-name> General ______ Mode:active PDU max rate:10 packets per second PDU min rate:1 packet per second...
  • Page 105 FTOS# show ethernet oam statistics interface <interface-name> <interface-name> Counters: _________ Information OAMPDU Tx: 3439489 Information OAMPDU Rx: 9489 Unique Event Notification OAMPDU Tx: 0 Unique Event Notification OAMPDU Rx: 0 Duplicate Event Notification OAMPDU Tx: 0 Duplicate Event Notification OAMPDU Rx: 0 Loopback Control OAMPDU Tx: 0 Loopback Control OAMPDU Rx: 2...
  • Page 106: Manage Link Layer Oam

    Manage Link Layer OAM Enable MIB Retrieval Support/Function IEEE 802.3ah defines the Link OAM MIB in Sec 30A.20, “OAM entity managed object class”; all of the objects described there are supported. Note that 802.3ah does not include the ability to set/write remote MIB variables.
  • Page 107: Protocol Overview

    802.1X. 802.1X is supported on platforms: C-Series, E-Series, S-Series. This chapter has the following sections: • Protocol Overview on page 107 • Configuring 802.1X on page 111 • Important Points to Remember on page 112 • Enabling 802.1X on page 112 •...
  • Page 108 (typically RADIUS) via a mandatory intermediary network access device, in this case, a Dell Force10 switch. The network access device mediates all communication between the end-user device and the authentication server so that the network remains secure. The network access device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
  • Page 109: The Port-authentication Process

    The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default. The Port-authentication Process...
  • Page 110: Eap Over Radius

    Figure 7-2. 802.1X Authentication Process (Supplicant, Authenticator, Authentication Server; EAP over LAN (EAPOL) between supplicant and authenticator, EAP over RADIUS between authenticator and server): Request Identity, Response Identity, Access Request, Access Challenge, EAP Request, EAP Response, Access Request, Access {Accept | Reject}, EAP {Success | Failure}. EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
  • Page 111: Configuring 802.1x

    RADIUS Attributes for 802.1X Support Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Table 7-1. 802.1X Supported RADIUS Attributes (Attribute Name: Description). User-Name: the name of the supplicant to be authenticated. NAS-IP-Address. NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
  • Page 112: Important Points To Remember

    Important Points to Remember • FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
  • Page 113 To enable 802.1X: dot1x authentication (CONFIGURATION mode): Enable 802.1X globally. interface range: Enter INTERFACE mode on an interface or a range of interfaces. dot1x authentication (INTERFACE mode): Enable 802.1X on an interface or a range of interfaces. show running-config | find: Verify that 802.1X is enabled globally and at interface level using the command...
  • Page 114: Configuring Request Identity Re-transmissions

    Configuring Request Identity Re-transmissions If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable. Note: There are several reasons why the supplicant might fail to respond;...
  • Page 115: Forcibly Authorizing Or Unauthorizing A Port

    Figure 7-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds, and a maximum of 10 times, for an unresponsive supplicant. Figure 7-7. Configuring Request Identity Re-transmissions FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90 FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10 FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120...
  • Page 116: Re-authenticating A Port

    To place a port in one of these three states: dot1x port-control {force-authorized | force-unauthorized | auto} (INTERFACE mode): Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. Default: auto. Figure 7-8 shows configuration information for a port that has been force-authorized. Figure 7-8.
  • Page 117: Configuring Timeouts

    To configure a maximum number of re-authentications: dot1x reauth-max number (INTERFACE mode): Configure the maximum number of times that the supplicant can be reauthenticated. Range: 1-10. Default: 2. Figure 7-9. Configuring a Reauthentication Period FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200 FTOS(conf-if-gi-2/1)#dot1x reauth-max 10 FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1:...
  • Page 118 To terminate the authentication process due to an unresponsive authentication server: dot1x server-timeout seconds (INTERFACE mode): Terminate the authentication process due to an unresponsive authentication server. Range: 1-300. Default: 30. Note: When you configure the dot1x server-timeout value, you must take into account the communication medium used to communicate with an authentication server and the number of RADIUS servers configured.
  • Page 119: Dynamic Vlan Assignment With Port Authentication

    The dynamic VLAN assignment is based on RADIUS attribute 81, Tunnel-Private-Group-ID, and uses the following standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Force10 system. 2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
  • Page 120 Figure 7-11 shows the configuration on a Dell Force10 switch that uses dynamic VLAN assignment with 802.1X before you connect the end-user device (black and blue text), and after you connect the device (red text). The blue text corresponds to the numbered steps on page 119. Note that the GigabitEthernet 1/11 port, on which dynamic VLAN assignment with 802.1X is configured, is initially an untagged member of VLAN...
  • Page 121: Guest And Authentication-fail Vlans

    Guest and Authentication-Fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
  • Page 122: Configuring An Authentication-fail Vlan

    Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication on page 114). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
  • Page 123: Multi-host Authentication

    Multi-Host Authentication Multi-Host Authentication is available on platforms: 802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 7-15; this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to the same port, a many-to-one configuration, only the first end-user to respond to the identity request is authenticated.
  • Page 124 When the host mode is changed on a port that is already authenticated: • Single-host to Multi-host: all devices attached to the port that were previously blocked may access the network; the supplicant does not re-authenticate. • Multi-host to Single-host: the port restarts the authentication process, and the first end-user to respond is authenticated and allowed access.
  • Page 125: Multi-supplicant Authentication

    dot1x host-mode single-host (INTERFACE mode): Configure Single-host Authentication mode on a port. FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.1x information on Gi 2/1: ----------------------------- Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable...
  • Page 126 During the authentication process, the Dell Force10 system is able to learn the MAC address of the device through the EAPoL frames, and the VLAN assignment from the RADIUS server. With this information it creates an authorized-MAC to VLAN mapping table per port. Then, the system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.
  • Page 127: Mac Authentication Bypass

    MAC Authentication Bypass MAC Authentication Bypass is supported on platforms: MAC Authentication Bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X—like IP phones, printers, and IP fax machines—still need connectivity to the network.
  • Page 128: Mab In Single-host And Multi-host Mode

    MAB in Single-host and Multi-Host Mode In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for single-host mode, traffic from all other MACs is dropped;...
  • Page 129 dot1x auth-type mab-only (INTERFACE mode): (Optional) Use MAB authentication only; do not use 802.1X authentication first. If MAB fails or the MAC address is blocked, the port is placed in the guest VLAN (if configured). 802.1X authentication is not even attempted.
  • Page 130: Dynamic Cos With 802.1x

    VLAN and priority values are automatically applied to incoming packets. The RADIUS server finds the appropriate record based on the supplicant’s credentials and sends the priority re-mapping table to the Dell Force10 system by including Attribute 59 in the AUTH-ACCEPT packet. 802.1X...
  • Page 131 FTOS Behavior: The following conditions are applied to the use of dynamic CoS with 802.1X authentication on C-Series and S-Series platforms: • In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6.
  • Page 133: Ip Access Control Lists (acl), Prefix Lists, And Route-maps

    IP Access Control Lists (ACL), Prefix Lists, and Route-maps. IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: C-Series, E-Series, S-Series. Ingress IP ACLs are supported on platforms: C-Series, E-Series, S-Series. Egress IP ACLs are supported on platform: Overview At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses.
  • Page 134: Ip Access Control Lists (acls)

    IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference): •...
  • Page 135 CAM Optimization is supported on platforms: CAM Profiling. CAM profiling for ACLs is supported on E-Series TeraScale only. For complete information regarding E-Series TeraScale CAM profiles and configuration, refer to Chapter 11, Content Addressable Memory.
  • Page 136: Cam Optimization

    Allocate space for IPv6 ACLs on the C-Series by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM allocation settings on a C-Series are: •...
  • Page 137: Implementing Acls On Ftos

    Figure 8-1. Command Example: test cam-usage (C-Series) FTOS#test cam-usage service-policy input TestPolicy linecard all Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status ------------------------------------------------------------------------------------------ 1 | IPv4Flow 232 | Allowed 1 | IPv6Flow 0 | Allowed 0 | IPv4Flow 232 |...
  • Page 138: Ip Fragment Handling

    Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM entries whether it is identified as a Standard or Extended ACL. Determine the order in which ACLs are used to classify traffic. When you link class-maps to queues using the service-queue command, FTOS matches the class-maps...
  • Page 139: Ip Fragments Acl Examples

    • Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled. •...
  • Page 140: Configure A Standard Ip Acl

    In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied. FTOS(conf)#ip access-list extended ABC FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24 FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment...
  • Page 141 A standard IP ACL uses the source IP address as its match criterion. Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered with a TCP filter included.
  • Page 142 Figure 8-4. Command example: seq FTOS(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log FTOS(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any FTOS(config-std-nacl)#show config ip access-list standard dilling seq 15 permit tcp 10.3.0.0/16 any seq 25 deny ip host 10.5.0.0 any log FTOS(config-std-nacl)# To delete a filter, use the no seq...
  • Page 143: Configure An Extended Ip Acl

    Figure 8-6. Command Example: show ip accounting access-list FTOS#show ip accounting access example interface gig 4/12 Extended IP access list example seq 10 deny tcp any any eq 111 seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28...
  • Page 144 seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | host ip-address} {destination mask | host ip-address} operator count... (CONFIG-EXT-NACL mode): Configure a drop or forward filter. The log and monitor options are supported on E-Series only.
  • Page 145 When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
  • Page 146: Established Flag

    Figure 8-8 illustrates an extended IP ACL in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in the IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
  • Page 147: Assign An Ip Acl To An Interface

    If a rule is simply appended, existing counters are not affected. Table 8-2. L2 and L3 ACL Filtering on Switched Packets (L2 ACL Behavior / L3 ACL Behavior: Decision on Targeted Traffic). Deny / Deny: Denied by L3 ACL. Deny / Permit: Permitted by L3 ACL. Permit / Deny: Denied by L2 ACL...
  • Page 148: Counting Acl Hits

    To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in the following sequence in the INTERFACE mode: interface interface slot/port (CONFIGURATION mode): Enter the interface number. ip address ip-address (INTERFACE mode)...
  • Page 149: Configuring Ingress Acls

    View the number of packets matching the ACL using the show ip accounting access-list command from EXEC Privilege mode. Configuring Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation.
  • Page 150: Egress Layer 3 Acl Lookup For Control-plane Ip Traffic

    An egress ACL is used when users would like to restrict egress traffic. For example, when DoS attack traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow from exiting the box, thereby protecting downstream devices. To create an egress ACL, use the ip access-group command...
  • Page 151: Configuring Acls To Loopback

    FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of the VRRP virtual MAC address. Configuring ACLs to Loopback ACLs can be applied on Loopback interfaces; supported on platform...
  • Page 152 Step Command Syntax Command Mode Purpose seq number permit CONFIGURATION If you are applying an extended ACL, and it has loopback-logging any any a deny ip any any entry, this entry denies internally generated packets as well as packets received from external devices. To prevent internally generated packets from being dropped, make sure that the ACL you intend to apply has seq number...
  • Page 153: Ip Prefix Lists

    IP Prefix Lists. Prefix Lists are supported on platforms: C-Series, E-Series, S-Series. IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied.
  • Page 154: Configure A Prefix List

    The following list includes the configuration tasks for prefix lists: • Configure a prefix list on page 154 • Use a prefix list for route redistribution on page 156 For a complete listing of all commands related to prefix lists, refer to the FTOS Command Line Interface document.
  • Page 155 If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns filters in multiples of five. To configure a filter without a specified sequence number, use these commands in the following sequence starting in the CONFIGURATION mode: Step...
  • Page 156: Use A Prefix List For Route Redistribution

    Figure 8-15. Command example: show ip prefix-list detail FTOS>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10...
  • Page 157: Acl Resequencing

    Figure 8-17. Command Example: show config in the ROUTER RIP Mode FTOS(conf-router_rip)#show config router rip distribute-list prefix juba out network 10.0.0.0 FTOS(conf-router_rip)#router ospf 34 To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode: Command Syntax Command Mode Purpose...
  • Page 158: Resequencing An Acl Or Prefix List

    IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs. Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It merely renumbers them so that new rules can be placed within the list as desired.
  • Page 159 Figure 8-19. Resequencing ACLs FTOS(config-ext-nacl)# show config ip access-list extended test remark remark this remark corresponds to permit any host 1.1.1.1 permit ip any host 1.1.1.1 remark remark this remark corresponds to permit ip any host 1.1.1.2 permit ip any host 1.1.1.2 permit ip any host 1.1.1.3 permit ip any host 1.1.1.4 FTOS# end...
  • Page 160: Route Maps

    Figure 8-20. Resequencing Remarks FTOS(config-ext-nacl)# show config ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4...
  • Page 161: Configuration Task List For Route Maps

    Important Points to Remember • For route-maps with more than one match clause: • If two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation. •...
  • Page 162 To view the configuration, use the show config command in the ROUTE-MAP mode (Figure 8-21). Figure 8-21. Command Example: show config in the ROUTE-MAP Mode FTOS(config-route-map)#show config route-map dilling permit 10 FTOS(config-route-map)# You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order.
  • Page 163: Configure Route Map Filters

    Figure 8-24. Command Example: show route-map FTOS#show route-map dilling route-map dilling, permit, sequence 10 Match clauses: Set clauses: route-map dilling, permit, sequence 15 Match clauses: interface Loopback 23 Set clauses: 3444 FTOS# To delete a route map, use the no route-map command in the CONFIGURATION mode.
  • Page 164 Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map. As an example: FTOS(conf)#route-map force permit 10 FTOS(config-route-map)#match tag 1000 FTOS(conf)#route-map force deny 20 FTOS(config-route-map)#match tag 1000 FTOS(conf)#route-map force deny 30 FTOS(config-route-map)#match tag 1000 In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 &...
  • Page 165 match ip address prefix-list-name (CONFIG-ROUTE-MAP mode): Match destination routes specified in a prefix list (IPv4). match ipv6 address prefix-list-name (CONFIG-ROUTE-MAP mode): Match destination routes specified in a prefix list (IPv6). match ip next-hop ... | prefix-list (CONFIG-ROUTE-MAP mode): Match next-hop routes specified in a prefix list (IPv4).
  • Page 166: Configure A Route Map For Route Redistribution

    set ipv6 next-hop ip-address (CONFIG-ROUTE-MAP mode): Assign an IPv6 address as the route’s next hop. set origin { egp | igp | incomplete } (CONFIG-ROUTE-MAP mode): Assign an ORIGIN attribute. set tag tag-value (CONFIG-ROUTE-MAP mode): Specify a tag for the redistributed routes. set weight value (CONFIG-ROUTE-MAP mode)...
  • Page 167: Configure A Route Map For Route Tagging

    router ospf 34 default-information originate metric-type 1 redistribute static metric 20 metric-type 2 tag 0 route-map staticospf route-map staticospf permit 10 match interface GigabitEthernet 0/0 match metric set level backbone. Configure a route map for route tagging. One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol.
  • Page 168 Figure 8-27. Command Example: continue route-map test permit 10 match commu comm-list1 set community 1:1 1:2 1:3 set as-path prepend 1 2 3 4 5 continue 30!
  • Page 169: Bidirectional Forwarding Detection

    BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be encapsulated in any form that is convenient, and, on Dell Force10 routers, sessions are maintained by BFD Agents that reside on the line card, which frees resources on the RPM. Only session state changes are reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered with it.
  • Page 170: How Bfd Works

    How BFD Works Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
  • Page 171 Figure 9-1. BFD in IPv4 Packet Format
  • Page 172: Field Description

    Table 9-1. BFD Packet Fields Field Description Diagnostic Code The reason that the last session failed. State The current local session state. See BFD sessions. Flag A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval.
  • Page 173 BFD sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: • Active—The active system initiates the BFD session. Both systems can be active for the same session. •...
  • Page 174 handshake. At this point, the discriminator values have been exchanged, and the transmit intervals have been negotiated. 4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
  • Page 175: Configuring Bidirectional Forwarding Detection

    Figure 9-3. BFD State Machine (states: Admin Down, Down, Init, Up; transitions are driven by the current session state, the packet received, and timer expiry). Important Points to Remember • BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM. •...
  • Page 176: Configuring Bfd For Physical Ports

    Configuring BFD for Physical Ports BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
  • Page 177 Figure 9-5. Establishing a BFD Session for Physical Ports. R1 (ACTIVE role): Force10(config)# bfd enable Force10(config)# interface gigabitethernet 2/1 Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24 Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1. R2 (ACTIVE role, interface 4/24): Force10(config)# bfd enable Force10(config)# interface gigabitethernet 4/24 Force10(conf-if-gi-2/1)# ip address 2.2.2.1/24 Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.2 To establish a session:...
  • Page 178 Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if you change a parameter, the change affects all physical port sessions on that interface. Dell Force10 recommends maintaining the default values. To change session parameters on an interface:...
  • Page 179 Figure 9-8. Changing Session Parameters for Physical Ports R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.2 Remote MAC Addr: 00:01:e8:06:95:a2 Int: GigabitEthernet 4/24 State: Up Configured parameters:...
  • Page 180: Configuring Bfd For Static Routes

    To re-enable BFD on an interface: bfd enable (INTERFACE mode): Enable BFD on an interface. Configuring BFD for Static Routes BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than having to wait until packets fail to reach their next hop.
  • Page 181 To establish a BFD session: ip route bfd (CONFIGURATION mode): Establish BFD sessions for all neighbors that are the next hop of a static route. Verify that sessions have been created for static routes using the show bfd neighbors command (or show bfd neighbors detail), as shown in Figure...
  • Page 182: Configuring Bfd For Ospf

    To disable BFD for static routes: use the no ip route bfd command in CONFIGURATION mode. Configuring BFD for OSPF: When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in OSPF.
  • Page 183: Show Bfd Neighbors

    Figure 9-11. Establishing Sessions with OSPF Neighbors (two routers).
    First router: Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24; Force10(conf-if-gi-2/1)# no shutdown; Force10(conf-if-gi-2/1)# exit; Force10(config)# router ospf 1; Force10(config-router_ospf)# network 2.2.2.0/24 area 0; Force10(config-router_ospf)# bfd all-neighbors
    Second router: Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24; Force10(conf-if-gi-2/2)# no shutdown; Force10(conf-if-gi-2/2)# exit; Force10(config)# router ospf 1; Force10(config-router_ospf)# network 2.2.3.0/24 area 1; Force10(config-router_ospf)# bfd all-neighbors
    AREA 0...
  • Page 184 Changing OSPF session parameters BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all OSPF sessions or all OSPF sessions on a particular interface; if you change a parameter globally, the change affects all OSPF neighbors sessions.
  • Page 185: Configuring Bfd For Bgp

    Configuring BFD for BGP BFD for BGP is only supported on platforms: In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces.
  • Page 186 Note that the sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (bfd all-neighbors command) • By establishing a BFD session with a specified BGP neighbor (neighbor {ip-address | peer-group-name} bfd command). BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
  • Page 187 Step / Task / Command Syntax / Command Mode: bfd all-neighbors [interval millisecs min_rx millisecs multiplier value role {active | passive}] (CONFIG-ROUTER-BGP): Configure parameters for a BFD session established with all neighbors discovered by BGP. neighbor {ip-address | peer-group-name} bfd (CONFIG-ROUTER-BGP): Establish a BFD session with a specified BGP neighbor or peer group using the default BFD...
  • Page 188 • The neighbor inherits only the global timer values that are configured with the bfd all-neighbors command (interval, min_rx, and multiplier). If you explicitly enable (or disable) a peer group for BFD that has no BFD parameters configured (e.g. neighbor advertisement interval) using the neighbor peer-group-name bfd command, the peer group inherits any...
  • Page 189 show The following examples show the BFD for BGP output displayed for these commands. Figure 9-14. Verifying a BFD for BGP Configuration: show running-config bgp Command R2# show running-config bgp router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1...
  • Page 190 Figure 9-16. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.3 Local MAC Addr: 00:01:e8:66:da:33 Remote Addr: 1.1.1.2 Remote MAC Addr: 00:01:e8:8a:da:7b Int: TenGigabitEthernet 6/0 State: Up Configured parameters: BFD session parameters: TX (packet transmission), RX...
  • Page 191 Figure 9-17. Displaying BFD Packet Counters: show bfd counters bgp Command R2# show bfd counters bgp Interface TenGigabitEthernet 6/0 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/1 Protocol BGP Messages: Registration De-registration Init Down Admin Down Interface TenGigabitEthernet 6/2 Protocol BGP Messages:...
  • Page 192 Figure 9-19. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue...
  • Page 193: Configuring Bfd For Is-is

    Configuring BFD for IS-IS BFD for IS-IS is supported on platform: When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred.
  • Page 194 To establish BFD with all IS-IS neighbors out of a single interface: use the isis bfd all-neighbors command in INTERFACE mode. View the established sessions using the show bfd neighbors command, as shown in Figure 9-21.
  • Page 195: Configuring Bfd For Vrrp

    Disabling BFD for IS-IS If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3 on page 179).
  • Page 196 Figure 9-22. Establishing Sessions with VRRP Neighbors (Virtual IP Address: 2.2.5.4; R1: BACKUP on Gi 4/25; R2: MASTER on Gi 2/3; the figure also labels an IP Address 2.2.5.3).
    R1: Force10(config-if-range-gi-4/25)# ip address 2.2.5.1/24; Force10(config-if-range-gi-4/25)# no shutdown; Force10(config-if-range-gi-4/25)# vrrp-group 1; Force10(config-if-range-gi-4/25)# virtual-address 2.2.5.4; Force10(config-if-range-gi-4/25)# vrrp bfd all-neighbors
    R2: Force10(conf-if-gi-2/3)# ip address 2.2.5.2/24; Force10(conf-if-gi-2/3)# no shutdown; Force10(conf-if-gi-2/3)# vrrp-group 1; Force10(conf-if-gi-2/3)# virtual-address 2.2.5.4; Force10(conf-if-gi-2/3)# vrrp bfd all-neighbors...
  • Page 197 Figure 9-23. Viewing Established Sessions for VRRP Neighbors R1(conf-if-gi-4/25)#vrrp bfd all-neighbors R1(conf-if-gi-4/25)#do show bfd neighbors. Legend: * - Active session role; Ad Dn - Admin Down; client codes for CLI, ISIS, OSPF, Static Route (RTM) and VRRP (the figure highlights the VRRP BFD sessions as enabled). Columns: LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients...
  • Page 198: Configuring Bfd For Vlans

    Configuring BFD for VLANs BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
  • Page 199 There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other agents which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain is shared for VLANs and port-channels. Configuring BFD for VLANs is a two-step process: 1.
  • Page 200 These parameters are configured per interface; if a configuration change is made, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 201: Configuring Bfd For Port-channels

    Configuring BFD for Port-Channels BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
  • Page 202 These parameters are configured per interface; if you change a parameter, the change affects all sessions on that interface. Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Dell Force10 recommends a minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final detection time of (500ms *3) 1500 milliseconds.
  • Page 203: Configuring Protocol Liveness

    To disable BFD for a port-channel: use the no bfd enable command in INTERFACE PORT-CHANNEL mode. Configuring Protocol Liveness: Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down.
  • Page 204 Figure 9-30. debug bfd packet Command Output
    RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00
    00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
    TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00...
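The two hex dumps above are complete 24-byte BFD control packets, and reading them by hand is the quickest way to confirm what a session has actually negotiated. The following Python is an added example (not code from the FTOS guide or from Dell Force10): it decodes the mandatory control header as laid out in RFC 5880, applies the receive-side sanity checks a BFD implementation performs before accepting a packet, and computes the detection time that the per-interface parameters on page 179 and the 500 ms C-Series caution on pages 200 and 202 refer to. RX_DUMP and TX_DUMP are copied from the page's debug output; everything else is the example's own.

```python
"""Decode BFD control packets and derive the detection time.

Added example (Python, not FTOS code). RX_DUMP and TX_DUMP are the two hex dumps from
the page 204 `debug bfd packet` output; the timer values used in the checks are the
defaults and the values configured on pages 179 and 200/202 of the guide.
"""
import struct

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# Copied from the page's debug bfd packet output (session with neighbor 2.2.2.2 on Gi 4/24).
RX_DUMP = "20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00"
TX_DUMP = "20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00"


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", ""))


def parse_bfd_control(raw: bytes) -> dict:
    """Decode the mandatory 24-byte BFD control header (RFC 5880 section 4.1).

    Raises ValueError for packets a receiver must discard (section 6.8.6): wrong version,
    zero Detect Mult or My Discriminator, inconsistent Length, or the Multipoint bit set.
    """
    if len(raw) < 24:
        raise ValueError("BFD control packet shorter than 24 bytes")
    (b0, b1, mult, length, my_disc, your_disc,
     tx_us, rx_us, echo_us) = struct.unpack("!BBBBIIIII", raw[:24])
    pkt = {
        "version": b0 >> 5,                 # Vers(3) | Diag(5)
        "diag": b0 & 0x1F,
        "state": STATE_NAMES[b1 >> 6],      # Sta(2) | P F C A D M
        "poll": bool(b1 & 0x20),
        "final": bool(b1 & 0x10),
        "control_plane_independent": bool(b1 & 0x08),
        "auth_present": bool(b1 & 0x04),
        "demand": bool(b1 & 0x02),
        "multipoint": bool(b1 & 0x01),
        "detect_mult": mult,
        "length": length,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_us": tx_us,
        "required_min_rx_us": rx_us,
        "required_min_echo_rx_us": echo_us,
    }
    if pkt["version"] != 1:
        raise ValueError(f"unsupported BFD version {pkt['version']}")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    if length > len(raw) or length < (26 if pkt["auth_present"] else 24):
        raise ValueError("Length field inconsistent with packet")
    if pkt["multipoint"]:
        raise ValueError("Multipoint bit set")
    return pkt


def is_valid_bfd(raw: bytes) -> bool:
    try:
        parse_bfd_control(raw)
        return True
    except ValueError:
        return False


def detection_time_ms(local_required_min_rx_ms: int, remote_desired_tx_ms: int,
                      remote_detect_mult: int) -> int:
    """Asynchronous-mode detection time (RFC 5880 section 6.8.4): the remote system's
    Detect Mult times the slower of the two negotiated intervals. With the page's
    100 ms / 100 ms / 3 defaults that is 300 ms; 500 ms timers with multiplier 3 give
    the 1500 ms quoted in the C-Series caution."""
    return remote_detect_mult * max(local_required_min_rx_ms, remote_desired_tx_ms)


if __name__ == "__main__":
    rx = parse_bfd_control(hexdump_to_bytes(RX_DUMP))
    tx = parse_bfd_control(hexdump_to_bytes(TX_DUMP))
    # Once the session is Up each side echoes the other's discriminator.
    assert rx["my_discriminator"] == tx["your_discriminator"]
    print(rx["state"], rx["detect_mult"], rx["desired_min_tx_us"] // 1000, "ms")
    print(detection_time_ms(rx["required_min_rx_us"] // 1000,
                            tx["desired_min_tx_us"] // 1000, tx["detect_mult"]), "ms")
```

Both dumps decode to version 1, state Up, multiplier 3, 100 ms desired TX and required RX, no flags and no authentication (the A bit is clear), which is the default session the chapter describes; the only difference between them is the swapped My/Your Discriminator pair (5/4 versus 4/5). The detection time is driven by the slower of the two peers' intervals, so lowering the timers on one side of a session, as on page 179, does not shorten the detection time until the other side agrees.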
  • Page 205: Border Gateway Protocol Ipv4 (bgpv4)

    (Platform note: C-Series pre-7.7.1.0; E-Series TeraScale.) This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Dell Force10 Operating System (FTOS). This chapter includes the following topics: • Protocol Overview •...
  • Page 206: Autonomous Systems (as)

    • Implementing BGP with FTOS • Advertise IGP cost as MED for redistributed routes • Ignore Router-ID for some best-path calculations • 4-Byte AS Numbers • AS4 Number Representation • AS Number Migration • BGP4 Management Information Base (MIB) • Important Points to Remember •...
  • Page 207 A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks. For example as seen in Figure 10-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs, because they provide connections from one network to another.
  • Page 208: Sessions And Peers

    Figure 10-2. Full Mesh Examples: 4 Routers, 6 Routers, 8 Routers. In a full mesh every BGP speaker peers with every other speaker, so the number of sessions grows quadratically: n(n-1)/2 sessions for n routers (6, 15 and 28 for the three examples), with each speaker maintaining n-1 of them. Network management quickly becomes impossible. Sessions and Peers: When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers.
  • Page 209: Route Reflectors

    In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another.
  • Page 210: Confederations

    To illustrate how these rules affect routing, see Figure 10-3 and the following steps. Routers B, C, D, E, and G are members of the same AS - AS100. These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Routers E and H are client peers of Router D; Routers B and C are nonclient peers of Router D.
  • Page 211: Bgp Attributes

    BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
  • Page 212 Figure 10-4. BGP Best Path Selection (flowchart; each test is applied only when the previous one does not result in a single route): Highest Weight; Highest Local Pref; Locally Originated; Shortest AS Path; Lowest Origin Code; Lowest MED; Learned via EBGP; Lowest NEXT-HOP Cost; Tie Breakers: Lowest Cluster ID List; from Lowest...
  • Page 213 • AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE. 5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE). 6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply: •...
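The selection order in Figure 10-4 and the numbered steps above is easiest to reason about as a comparator that stops at the first attribute that separates two candidates. The following Python is an added example, not FTOS code: steps 1 to 6 follow the page (including the AS_SET, AS_CONFED_SEQUENCE and AS_CONFED_SET path-length rules from page 213 and the page 225 default of comparing MED only between paths from the same AS); the later steps (eBGP before iBGP, lowest IGP cost to the NEXT_HOP, lowest router ID as the final tie-break) and the treatment of an absent MED as 0 are assumptions taken from the standard algorithm. The SAMPLE candidates are constructed.

```python
"""Best-path selection in the order the chapter gives (Figure 10-4, page 212 ff.).

Added example (Python, not FTOS code). Steps 1-6 are the ones named on the page; the
later steps (eBGP before iBGP, lowest IGP cost to the NEXT_HOP, lowest router ID) and
the treatment of a missing MED as 0 are assumptions taken from the standard algorithm.
The candidate paths in SAMPLE are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # step 5: lower is preferred


@dataclass
class Path:
    next_hop: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    # AS_PATH segments as (type, asns); type is SEQUENCE, SET, CONFED_SEQUENCE or CONFED_SET
    as_path: List[Tuple[str, List[int]]] = field(default_factory=list)
    origin: str = "IGP"
    med: Optional[int] = None
    ebgp: bool = True
    igp_cost: int = 0
    router_id: str = "0.0.0.0"


def as_path_length(segments) -> int:
    """Page 213 rules: AS_SET and AS_CONFED_SEQUENCE each count 1 regardless of size,
    AS_CONFED_SET counts 0, an empty AS_PATH counts 0."""
    length = 0
    for seg_type, asns in segments:
        if seg_type == "SEQUENCE":
            length += len(asns)
        elif seg_type in ("SET", "CONFED_SEQUENCE"):
            length += 1
        elif seg_type != "CONFED_SET":
            raise ValueError(f"unknown AS_PATH segment type {seg_type!r}")
    return length


def neighbor_as(path: Path) -> Optional[int]:
    """Leftmost AS of the first AS_SEQUENCE, i.e. the AS the path was learned from."""
    for seg_type, asns in path.as_path:
        if seg_type == "SEQUENCE" and asns:
            return asns[0]
    return None


def _ip_key(dotted: str):
    return tuple(int(o) for o in dotted.split("."))


def prefer(a: Path, b: Path, always_compare_med: bool = False) -> Path:
    """Return whichever of a and b wins; stop at the first step that separates them."""
    if a.weight != b.weight:                                  # 1. highest WEIGHT
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                          # 2. highest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:          # 3. locally originated
        return a if a.locally_originated else b
    la, lb = as_path_length(a.as_path), as_path_length(b.as_path)
    if la != lb:                                              # 4. shortest AS_PATH
        return a if la < lb else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:        # 5. lowest ORIGIN
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 6. lowest MED, compared only between paths from the same neighbor AS unless
    #    bgp always-compare-med is configured (page 225 default).
    if always_compare_med or neighbor_as(a) == neighbor_as(b):
        ma, mb = a.med or 0, b.med or 0
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:                                      # 7. eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_cost != b.igp_cost:                              # 8. lowest cost to NEXT_HOP
        return a if a.igp_cost < b.igp_cost else b
    return a if _ip_key(a.router_id) <= _ip_key(b.router_id) else b   # tie: lowest router ID


def select_best(paths: List[Path], always_compare_med: bool = False) -> Path:
    if not paths:
        raise ValueError("no candidate paths")
    best = paths[0]
    for candidate in paths[1:]:
        best = prefer(best, candidate, always_compare_med)
    return best


# Constructed candidates for one prefix, learned from three different eBGP neighbors.
SAMPLE = [
    Path("192.0.2.1", as_path=[("SEQUENCE", [65001, 65100])], med=50, router_id="192.0.2.1"),
    Path("192.0.2.2", as_path=[("SEQUENCE", [65002]), ("SET", [65100, 65101])], med=10,
         router_id="192.0.2.2"),
    Path("192.0.2.3", local_pref=200, as_path=[("SEQUENCE", [65003, 65100, 65101])],
         origin="INCOMPLETE", router_id="192.0.2.3"),
]

if __name__ == "__main__":
    print(select_best(SAMPLE).next_hop)                               # 192.0.2.3 (LOCAL_PREF 200)
    print(select_best(SAMPLE[:2]).next_hop)                           # 192.0.2.1 (router-ID tie-break)
    print(select_best(SAMPLE[:2], always_compare_med=True).next_hop)  # 192.0.2.2 (lower MED)
```

The three calls at the end show why the order matters: the longest, INCOMPLETE-origin path wins outright because LOCAL_PREF is tested first; the two remaining paths tie on AS_PATH length because the AS_SET counts as one hop; and their MEDs (50 versus 10) only decide the outcome once bgp always-compare-med is on, since they come from different neighbor ASs.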
  • Page 214: Weight

    Weight The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight will be preferred. The route with the highest weight is installed in the IP routing table. Local Preference Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS.
  • Page 215: Origin

    One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In Figure 10-6, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50.
  • Page 216 Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally means that a route was learned from an external gateway protocol. An INCOMPLETE origin code generally results from aggregation, redistribution or other indirect ways of installing routes into BGP. In FTOS, these origin codes appear as shown in Figure 10-7.
  • Page 217: Next Hop

    Next Hop The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS.
  • Page 218: Byte As Numbers

    • If the redistribute command does not have any metric configured and the BGP peer out-bound route-map does have metric-type internal configured, BGP advertises the IGP cost as MED. • If the redistribute command has metric configured (redistribute route-type metric) and the BGP peer out-bound route-map has metric-type internal...
  • Page 219: As4 Number Representation

    4294967295 Where the 2-Byte format is 1-65535, the 4-Byte format is 1- . Enter AS Numbers using the show ip bgp traditional format. If the ASN is greater than 65535, the dot format is shown when using the commands. For example, an ASN entered as 3183856184 will appear in the show commands as 48581.51768;...
  • Page 220 ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than 65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear using the decimal method (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number 65546 appears as 1.10.
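The three notations on pages 219 and 220 are all renderings of the same 32-bit value, and the guide's own figures (3183856184 shown as 48581.51768, 65546 shown as 1.10) are the conversions worth being able to check. The following Python is an added example, not FTOS code: it parses an AS number written in any of the notations, validates it against the ranges the guide gives (1-4294967295, dotted 0.1-65535.65535), and renders it under the keyword used with bgp asnotation.

```python
"""AS number notation: ASPLAIN, ASDOT+ and ASDOT, as described on pages 219-220.

Added example (Python, not FTOS code). The rules are the page's: ASDOT+ always writes
high.low; ASDOT writes a plain integer below 65536 and high.low from 65536 up; the valid
range is 1-4294967295, dotted 0.1-65535.65535.
"""
import re

MAX_AS4 = 4294967295
_DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def parse_asn(text: str) -> int:
    """Accept ASPLAIN ('65546'), ASDOT+ ('1.10') or ASDOT input and return the 32-bit value."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted AS {text!r} outside 0.1-65535.65535")
        value = high * 65536 + low
    elif text.isdigit():
        value = int(text)
    else:
        raise ValueError(f"not an AS number: {text!r}")
    if not 1 <= value <= MAX_AS4:
        raise ValueError(f"AS number {value} outside 1-{MAX_AS4}")
    return value


def asplain(value: int) -> str:
    return str(value)


def asdot_plus(value: int) -> str:
    return f"{value // 65536}.{value % 65536}"


def asdot(value: int) -> str:
    return asplain(value) if value < 65536 else asdot_plus(value)


def render(value: int, notation: str) -> str:
    """notation is the keyword used with bgp asnotation: asplain, asdot or asdot+."""
    return {"asplain": asplain, "asdot": asdot, "asdot+": asdot_plus}[notation](value)


if __name__ == "__main__":
    for text in ("3183856184", "65526", "65546", "1.10"):
        v = parse_asn(text)
        print(text, "->", render(v, "asplain"), render(v, "asdot"), render(v, "asdot+"))
```

Because AS-path access-lists are regular expressions over the textual AS_PATH, verify after changing bgp asnotation that existing filter entries still match the rendering in effect; a pattern written for 65546 does not match 1.10 and vice versa.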
  • Page 221: As Number Migration

    Figure 10-10. Dynamic changes in show running config when the bgp asnotation command is disabled. AS NOTATION DISABLED: FTOS(conf-router_bgp)#no bgp asnotation; FTOS(conf-router_bgp)#sho conf; router bgp 100; bgp four-octet-as-support; neighbor 172.30.1.250 local-as 65057 <output truncated>; FTOS(conf-router_bgp)#do sho ip bgp; BGP table version is 28093, local router ID is 172.30.1.57. AS4 SUPPORT DISABLED: FTOS(conf-router_bgp)#no bgp four-octet-as-support...
  • Page 222: Before Migration

    Figure 10-11. Local-AS Scenario. Before Migration: Router A in AS 100, Router B in AS 200, Router C in AS 300. After Migration, with Local-AS enabled: Router A in AS 100, Router B moved into AS 100 but presenting its former AS number to Router C through Local AS, Router C in AS 300. When you complete your migration, and you have reconfigured your network with the new information, you must disable this feature.
  • Page 223: Bgp4 Management Information Base (mib)

    SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation. Important Points to Remember •...
  • Page 224: Configuration Information

    To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Force10 recommends setting the timeout and retry count values to a relatively higher number. e.g. t = 60 or r = 5.
  • Page 225: Bgp Configuration

    BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the always-compare-med command is not enabled).
  • Page 226 • Configure passive peering • Maintain existing AS numbers during an AS migration • Allow an AS number to appear in its own AS path • Enable graceful restart • Filter on an AS-Path attribute • Configure IP community lists •...
  • Page 227 Use these commands in the following sequence, starting in the CONFIGURATION mode, to establish BGP sessions on the router. Step 1: router bgp as-number (CONFIGURATION): Assign an AS number and enter the ROUTER BGP mode. AS Number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format). Only one AS is supported per system...
  • Page 228 Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration. Use the show ip bgp summary command in EXEC Privilege mode to view the BGP status. Figure 10-12 shows the summary with a 2-Byte AS Number displayed; Figure 10-13 shows the summary with a 4-Byte AS Number displayed.
  • Page 229 Figure 10-14 (show ip bgp neighbors) displays two neighbors; one is an external and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal. The third line of the output contains the BGP State.
  • Page 230 Figure 10-15. Command example: show running-config bgp R2#show running-config bgp router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown...
  • Page 231 Task / Command Syntax / Command Mode: bgp asnotation asdot (CONFIG-ROUTER-BGP): Enable ASDOT AS Number representation (Figure 10-17). bgp asnotation asdot+ (CONFIG-ROUTER-BGP): Enable ASDOT+ AS Number representation (Figure 10-18). Figure 10-16. Command example and output: bgp asnotation asplain FTOS(conf-router_bgp)#bgp asnotation asplain FTOS(conf-router_bgp)#sho conf router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508...
  • Page 232 Configure Peer Groups To configure multiple BGP neighbors at one time, create and populate a BGP peer group. Another advantage of peer groups is that members of a peer groups inherit the configuration properties of the group and share same update policy. A maximum of 256 Peer Groups are allowed on the system.
  • Page 233 When you add a peer to a peer group, it inherits all the peer group's configured parameters. A neighbor cannot become part of a peer group if it has any of the following commands configured: • neighbor advertisement-interval • neighbor distribute-list out •...
  • Page 234: Neighbor Shutdown

    Figure 10-20. Command example: show config (peer-group enabled). FTOS(conf-router_bgp)#neighbor zanzibar no shutdown FTOS(conf-router_bgp)#show config (Enabling neighbor zanzibar) router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar no shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown FTOS(conf-router_bgp)# To disable a peer group,...
  • Page 235 Figure 10-21. Command example: show ip bgp peer-group FTOS>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1...
  • Page 236 The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. Command Syntax / Command Mode / Purpose: neighbor {ip-address | peer-group-name} fall-over (CONFIG-ROUTER-BGP): Enable BGP Fast Fall-Over. To disable Fast Fall-Over, use the [no] neighbor [neighbor | peer-group] fall-over command in CONFIGURATION ROUTER BGP mode...
  • Page 237 Figure 10-22. Command example: show ip bgp neighbors FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.5 BGP state ESTABLISHED, in this state for 00:19:15 Last read 00:00:15, last write 00:00:06 Hold time is 180, keepalive interval is 60 seconds Received 52 messages, 0 notifications, 0 in queue...
  • Page 238 Figure 10-23. Command example: show ip bgp peer-group FTOS#sh ip bgp peer-group Peer-group test Fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS#...
  • Page 239 Step / Command Syntax / Command Mode / Purpose: neighbor peer-group-name no shutdown (CONFIG-ROUTER-BGP): Enable the peer group. neighbor peer-group-name remote-as as-number (CONFIG-ROUTER-BGP): Create and specify a remote peer as a BGP neighbor. Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
  • Page 240 Figure 10-24. Local-as information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 (figure callouts: Actual AS Number on the remote-as line, Local-AS Number 6500 on the local-as line)...
  • Page 241 Figure 10-25. Allowas-in information shown R2(conf-router_bgp)#show conf router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500...
  • Page 242 • Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic. • Bring the secondary RPM online as the primary and re-open sessions with all peers operating in “no shutdown”...
  • Page 243 Filter on an AS-Path attribute The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an Autonomous System, the AS number is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing.
  • Page 244 Step / Command Syntax / Command Mode / Purpose: {deny | permit} filter-parameter (CONFIG-AS-PATH): Enter the parameter to match BGP AS-PATH for filtering. This is the filter that will be used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions.
  • Page 245 Figure 10-27. Filtering with Regular Expression FTOS(config)#router bgp 99 FTOS(conf-router_bgp)#neigh AAA peer-group FTOS(conf-router_bgp)#neigh AAA no shut FTOS(conf-router_bgp)#show conf router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown FTOS(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in FTOS(conf-router_bgp)#ex Create the Access List and Filter FTOS(conf)#ip as-path access-list Eagle...
  • Page 246: Redistribute Routes

    Table 10-4. Regular Expressions. ( ) (parentheses): Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ?. [ ] (brackets): Matches any enclosed character; specifies a range of single characters. - (hyphen): Used within brackets to specify a range of AS or community numbers.
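An AS-path access-list such as the one built in Figure 10-27 is an ordered list of permit/deny regular expressions applied to the textual AS_PATH, and the metacharacters in Table 10-4 behave as they do in any regex engine. The following Python is an added example, not FTOS code: it evaluates such a list over AS_PATH strings written the way show ip bgp prints them, and shows the anchoring mistake that makes a filter match more ASs than intended. The semantics assumed are first match wins with an implicit deny at the end; the entries and path strings are constructed.

```python
"""Evaluate an AS-path access-list (ordered permit/deny regular expressions) against
AS_PATH strings, the filtering that Figure 10-27 and Table 10-4 describe.

Added example (Python, not FTOS code). Assumed semantics: entries are tried in order, the
first match decides, and a path matching no entry is denied. Patterns use Python's re,
in which the Table 10-4 metacharacters (parentheses, brackets, hyphen ranges, *, +, ?)
have the same meaning. The access-list entries and AS_PATH strings are constructed.
"""
import re
from typing import Dict, List, Tuple


def as_token(asn: int) -> str:
    """Regex for one whole AS on the path: bounded by start/end of string, a space, or the
    braces that surround an AS_SET, so 65100 does not also match 651001."""
    return rf"(^|[ {{]){asn}([ }}]|$)"


def compile_as_path_acl(entries: List[Tuple[str, str]]):
    """entries: [('permit', regex), ('deny', regex), ...] in list order."""
    compiled = []
    for action, pattern in entries:
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        compiled.append((action, re.compile(pattern)))
    return compiled


def evaluate(acl, as_path: str) -> str:
    """'permit' or 'deny' for one AS_PATH rendered as show ip bgp prints it ('65001 65100')."""
    for action, regex in acl:
        if regex.search(as_path):
            return action
    return "deny"          # implicit deny at the end of the list (assumption)


def filter_routes(acl, as_paths: List[str]) -> Dict[str, str]:
    return {p: evaluate(acl, p) for p in as_paths}


# Constructed list: drop anything that transited AS 65100, accept routes originated by
# AS 32, and accept paths made up only of ASs 65000-65009.
SAMPLE_ACL = compile_as_path_acl([
    ("deny", as_token(65100)),
    ("permit", r"(^| )32$"),
    ("permit", r"^6500[0-9]( 6500[0-9])*$"),
])

# The anchoring trap: '^65100' also matches AS 651001, so the loose list denies a
# route it should permit; the strict list bounds the AS number.
LOOSE_ACL = compile_as_path_acl([("deny", r"^65100"), ("permit", r".*")])
STRICT_ACL = compile_as_path_acl([("deny", as_token(65100)), ("permit", r".*")])

if __name__ == "__main__":
    for path, verdict in filter_routes(SAMPLE_ACL,
                                       ["65001 65100 32", "65003 32", "65005 65007",
                                        "65010", "65003 {65100 65101}"]).items():
        print(f"{path:24} {verdict}")
    print(evaluate(LOOSE_ACL, "651001 32"), evaluate(STRICT_ACL, "651001 32"))   # deny permit
```

Two points carry over to a real filter-list: an unbounded pattern silently widens the match to every AS number that shares the prefix digits, and an empty AS_PATH (a locally originated route) matches none of the positive entries and so falls through to the implicit deny, which is usually what you want on an inbound filter and rarely what you want on an outbound one.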
  • Page 247 Command Syntax / Command Mode / Purpose: redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] ... (ROUTER BGP or CONF-ROUTER_BGPv6_): Include specific OSPF routes in BGP. Configure the following parameters: •...
  • Page 248 Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an IP community list. Step 1: ip community-list community-list-name (CONFIGURATION): Create a Community list and enter the COMMUNITY-LIST mode. Step 2: {deny | permit} ... | local-AS ... (CONFIG-COMMUNITY-LIST): Configure a Community list by denying or permitting...
  • Page 249 Figure 10-28. Command example: show ip community-lists FTOS#show ip community-lists ip community-list standard 1 deny 701:20 deny 702:20 deny 703:20 deny 704:20 deny 705:20 deny 14551:20 deny 701:112 deny 702:112 deny 703:112 deny 704:112 deny 705:112 deny 14551:112 deny 701:667 deny 702:667 deny 703:667. Use these commands in the following sequence, starting in the CONFIGURATION mode, to use an IP...
  • Page 250 Manipulate the COMMUNITY attribute In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, FTOS does not send the COMMUNITY attribute. Use the following command in the CONFIGURATION ROUTER BGP mode to send the COMMUNITY attribute to BGP neighbors.
  • Page 251: Show Ip Bgp Community

    Step / Command Syntax / Command Mode / Purpose: exit (CONFIG-ROUTE-MAP): Return to the CONFIGURATION mode. router bgp as-number (CONFIGURATION): Enter the ROUTER BGP mode. neighbor {ip-address | peer-group-name} route-map {in |... (CONFIG-ROUTER-BGP): Apply the route map to the neighbor or peer group's incoming or outgoing routes.
  • Page 252 Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used. Command Syntax / Command Mode / Purpose: bgp always-compare-med (CONFIG-ROUTER-BGP): Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
  • Page 253 Step / Command Syntax / Command Mode / Purpose: router bgp as-number (CONFIGURATION): Enter the ROUTER BGP mode. neighbor {ip-address | peer-group-name} route-map map-name {in | out} (CONFIG-ROUTER-BGP): Apply the route map to the neighbor or peer group's incoming or outgoing routes. To view the BGP configuration, use the show config...
  • Page 254 You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address: Command Syntax / Command Mode / Purpose: set weight weight (CONFIG-ROUTE-MAP): Sets weight for the route.
  • Page 255 Refer to Chapter 8, "IP Access Control Lists (ACL), Prefix Lists, and Route-maps," on page 133 for configuration information on prefix lists, AS-PATH ACLs, and route maps. Note: When you configure a new set of BGP policies, always reset the neighbor or peer group by entering the clear ip bgp command in EXEC Privilege mode.
  • Page 256 Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes using a route map. Step 1: route-map map-name [permit | deny] [sequence-number] (CONFIGURATION): Create a route map and assign it a name. {match | set}...
  • Page 257 Step / Command Syntax / Command Mode / Purpose: neighbor {ip-address | peer-group-name} filter-list ... (CONFIG-ROUTER-BGP): Filter routes based on the criteria in the configured route map.