Home » Dell Manuals » Servers » Dell Force10 S55T » Manual Viewer

Dell Force10 S55T S55 Configuration Guide FTOS 8.3.5.3 - Page 104

IP Fragment Handling, Using the Order Keyword in ACLs

Add to My Manuals
Save this manual to your list of manuals

Page 104 highlights

www.dell.com | support.dell.com ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4. In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 7-2. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254. Figure 7-2. Using the Order Keyword in ACLs Force10(conf)#ip access-list standard acl1 Force10(config-std-nacl)#permit 20.0.0.0/8 Force10(config-std-nacl)#exit Force10(conf)#ip access-list standard acl2 Force10(config-std-nacl)#permit 20.1.1.0/24 order 0 Force10(config-std-nacl)#exit Force10(conf)#class-map match-all cmap1 Force10(conf-class-map)#match ip access-group acl1 Force10(conf-class-map)#exit Force10(conf)#class-map match-all cmap2 Force10(conf-class-map)#match ip access-group acl2 Force10(conf-class-map)#exit Force10(conf)#policy-map-input pmap Force10(conf-policy-map-in)#service-queue 7 class-map cmap1 Force10(conf-policy-map-in)#service-queue 4 class-map cmap2 Force10(conf-policy-map-in)#exit Force10(conf)#interface gig 1/0 Force10(conf-if-gi-1/0)#service-policy input pmap IP Fragment Handling FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp). • Both standard and extended ACLs support IP fragments. • Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled. • Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry. • For IP ACL, FTOS always applies implicit deny. You do not have to configure it. • For IP ACL, FTOS applies implicit permit for second and subsequent fragment just prior to the implicit deny. • If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit rule for fragments. 104 | Access Control Lists (ACL), Prefix Lists, and Route-maps

Section	Page
About this Guide	23
Objectives	23
Audience	23
Conventions	23
Information Symbols	24
Related Documents	24
Configuration Fundamentals	25
Accessing the Command Line	25
CLI Modes	26
Navigating CLI Modes	27
The do Command	30
Undoing Commands	30
Obtaining Help	31
Entering and Editing Commands	31
Command History	32
Filtering show Command Outputs	33
Multiple Users in Configuration mode	34
Getting Started	35
Console access	35
Serial console	35
Default Configuration	36
Configure a Host Name	37
Access the System Remotely	37
Access the C-Series and E-Series and the S4810 Remotely	37
Access the S-Series Remotely	39
Configure the Enable Password	40
Configuration File Management	40
Copy Files to and from the System	41
Save the Running-configuration	42
Configure the Overload bit for Startup Scenario	43
View Files	44
File System Management	45
View command history	46
Upgrading FTOS	46
Management	47
Configure Privilege Levels	47
Create a Custom Privilege Level	47
Apply a Privilege Level to a Username	51
Apply a Privilege Level to a Terminal Line	51
Configure Logging	51
Log Messages in the Internal Buffer	52
Configuration Task List for System Log Management	52
Disable System Logging	52
Send System Messages to a Syslog Server	53
Configure a Unix System as a Syslog Server	53
Change System Logging Settings	53
Display the Logging Buffer and the Logging Configuration	54
Configure a UNIX logging facility level	56
Synchronize log messages	57
Enable timestamp on syslog messages	57
File Transfer Services	58
Configuration Task List for File Transfer Services	58
Terminal Lines	60
Deny and Permit Access to a Terminal Line	60
Configure Login Authentication for Terminal Lines	61
Time out of EXEC Privilege Mode	62
Telnet to Another Network Device	63
Lock CONFIGURATION mode	64
Viewing the Configuration Lock Status	65
Recovering from a Forgotten Password on the S55	65
Recovering from a Forgotten Enable Password on the S55	66
Recovering from a Failed Start on the S55	67
802.1ag	69
Ethernet CFM	69
Maintenance Domains	70
Maintenance Points	70
Maintenance End Points	71
Implementation Information	72
Configure CFM	72
Related Configuration Tasks	72
Enable Ethernet CFM	73
Create a Maintenance Domain	73
Create a Maintenance Association	74
Create Maintenance Points	74
Create a Maintenance End Point	74
Create a Maintenance Intermediate Point	75
MP Databases	75
Continuity Check Messages	77
Enable CCM	78
Enable Cross-checking	78
Loopback Message and Response	78
Linktrace Message and Response	78
Link Trace Cache	79
Enable CFM SNMP Traps.	80
Display Ethernet CFM Statistics	81
802.1X	83
Protocol Overview	83
The Port-authentication Process	84
EAP over RADIUS	85
Configuring 802.1X	87
Related Configuration Tasks	87
Important Points to Remember	87
Enabling 802.1X	87
Configuring Request Identity Re-transmissions	90
Configuring a Quiet Period after a Failed Authentication	90
Forcibly Authorizing or Unauthorizing a Port	91
Re-authenticating a Port	93
Periodic Re-authentication	93
Configuring Timeouts	94
Dynamic VLAN Assignment with Port Authentication	95
Guest and Authentication-fail VLANs	96
Configuring a Guest VLAN	97
Configuring an Authentication-fail VLAN	97
Access Control Lists (ACL), Prefix Lists, and Route-maps	99
Overview	99
IP Access Control Lists (ACLs)	100
CAM Profiling, CAM Allocation, and CAM Optimization	100
Implementing ACLs on FTOS	103
IP Fragment Handling	104
Configure a standard IP ACL	106
Configure an extended IP ACL	109
Configuring Layer 2 and Layer 3 ACLs on an Interface	112
Assign an IP ACL to an Interface	112
Counting ACL Hits	114
Configuring Ingress ACLs	114
Configuring Egress ACLs	115
Egress Layer 3 ACL Lookup for Control-plane IP Traffic	116
Configuring ACLs to Loopback	116
Applying an ACL on Loopback Interfaces	117
IP Prefix Lists	118
Implementation Information	118
Configuration Task List for Prefix Lists	119
ACL Resequencing	123
Resequencing an ACL or Prefix List	124
Route Maps	125
Implementation Information	125
Important Points to Remember	125
Configuration Task List for Route Maps	126
Border Gateway Protocol IPv4 (BGPv4)	135
Protocol Overview	136
Autonomous Systems (AS)	136
Sessions and Peers	138
Route Reflectors	139
Confederations	140
BGP Attributes	141
Best Path Selection Criteria	141
Weight	144
Local Preference	144
Multi-Exit Discriminators (MEDs)	144
Origin	145
AS Path	146
Next Hop	147
Multiprotocol BGP	147
Implementing BGP with FTOS	147
4-Byte AS Numbers	148
AS4 Number Representation	149
AS Number Migration	151
BGP4 Management Information Base (MIB)	153
Important Points to Remember	153
Configuration Information	154
BGP Configuration	155
Configuration Task List for BGP	155
MBGP Configuration	196
BGP Regular Expression Optimization	197
Debugging BGP	197
Storing Last and Bad PDUs	198
Capturing PDUs	199
PDU Counters	201
Sample Configurations	201
Bare Metal Provisioning 2.0	211
Prerequisites	211
Restrictions	212
Overview	212
Jumpstart mode	213
DHCP Server	213
File Server	216
Domain Name Server	216
Switch boot and set-up behavior in Jumpstart Mode	216
Content Addressable Memory	219
Content Addressable Memory	219
CAM Profiles	220
Microcode	221
CAM Profiling for ACLs	222
Boot Behavior	223
When to Use CAM Profiling	225
Important Points to Remember	225
Select CAM Profiles	225
CAM Allocation	226
Test CAM Usage	227
View CAM Profiles	228
View CAM-ACL settings	228
View CAM Usage	229
CAM Optimization	230
Applications for CAM Profiling	230
LAG Hashing	230
LAG Hashing based on Bidirectional Flow	231
CAM profile for the VLAN ACL group feature	231
Troubleshoot CAM Profiling	231
CAM Profile Mismatches	231
QoS CAM Region Limitation	232
Dynamic Host Configuration Protocol (DHCP)	233
Protocol Overview	233
DHCP Packet Format and Options	234
Assigning an IP Address using DHCP	235
Implementation Information	236
Configuration Tasks	236
Configure the System to be a DHCP Server	237
Configuration Tasks	237
Configure the Server for Automatic Address Allocation	238
Specify a Default Gateway	239
Enable DHCP Server	239
Configure a Method of Hostname Resolution	240
Create Manual Binding Entries	241
Debug DHCP server	241
DHCP Clear Commands	241
Configure the System to be a Relay Agent	242
Configure the System for User Port Stacking	243
Configure Secure DHCP	243
Option 82	243
DHCP Snooping	244
Drop DHCP packets on snooped VLANs only	246
Dynamic ARP Inspection	247
Source Address Validation	249
Dell Force10 Resilient Ring Protocol	253
Protocol Overview	253
Ring Status	254
Multiple FRRP Rings	255
Important FRRP Points	256
Important FRRP Concepts	257
Implementing FRRP	258
FRRP Configuration	258
Troubleshooting FRRP	263
Configuration Checks	263
Sample Configuration and Topology	263
GARP VLAN Registration Protocol	265
Protocol Overview	265
Important Points to Remember	265
Configuring GVRP	266
Related Configuration Tasks	267
Enabling GVRP Globally	267
Enabling GVRP on a Layer 2 Interface	268
Configuring GVRP Registration	268
Configuring a GARP Timer	269
Internet Group Management Protocol	271
IGMP Implementation Information	271
IGMP Protocol Overview	271
IGMP version 2	272
IGMP version 3	273
Configuring IGMP	276
Related Configuration Tasks	276
Viewing IGMP Enabled Interfaces	276
Selecting an IGMP Version	277
Viewing IGMP Groups	277
Adjusting Timers	278
Adjusting Query and Response Timers	278
Adjusting the IGMP Querier Timeout Value	278
Configuring a Static IGMP Group	279
Enabling IGMP Immediate-leave	279
IGMP Snooping	280
IGMP Snooping Implementation Information	280
Configuring IGMP Snooping	280
Enabling IGMP Immediate-leave	280
Disabling Multicast Flooding	281
Specifying a Port as Connected to a Multicast Router	281
Configuring the Switch as Querier	281
Fast Convergence after MSTP Topology Changes	282
Designating a Multicast Router Interface	282
Interfaces	283
Interface Types	284
View Basic Interface Information	284
Enable a Physical Interface	286
Physical Interfaces	287
Configuration Task List for Physical Interfaces	287
Overview of Layer Modes	288
Configure Layer 2 (Data Link) Mode	288
Configure Layer 3 (Network) Mode	289
Management Interfaces	290
Configure Management Interfaces on the E-Series and C-Series and on the S55	290
Configure Management Interfaces on the S-Series	291
VLAN Interfaces	292
Loopback Interfaces	293
Null Interfaces	294
Port Channel Interfaces	294
Bulk Configuration	306
Interface Range	306
Bulk Configuration Examples	307
Interface Range Macros	309
Define the Interface Range	309
Choose an Interface-range Macro	309
Monitor and Maintain Interfaces	310
Maintenance using TDR	311
Link Debounce Timer	312
Important Points to Remember about Link Debounce Timer	312
Assign a debounce time to an interface	313
Show debounce times in an interface	313
Disable ports when one only SFM is available (E300 only)	313
Disable port on one SFM	314
Link Dampening	314
Important Points to Remember	314
Enable Link Dampening	315
Ethernet Pause Frames	316
Threshold Settings	317
Enable Pause Frames	318
Configure MTU Size on an Interface	319
Port-pipes	320
Auto-Negotiation on Ethernet Interfaces	321
View Advanced Interface Information	323
Display Only Configured Interfaces	323
Configure Interface Sampling Size	324
Dynamic Counters	326
IPv4 Addressing	329
IP Addresses	329
Implementation Information	330
Configuration Task List for IP Addresses	330
Directed Broadcast	334
Resolution of Host Names	334
ARP	337
Configuration Task List for ARP	337
ARP Learning via Gratuitous ARP	339
ARP Learning via ARP Request	340
Configurable ARP Retries	341
ICMP	341
Configuration Task List for ICMP	341
IPv6 Addressing	343
Protocol Overview	343
Extended Address Space	344
Stateless Autoconfiguration	344
IPv6 Headers	345
Extension Header fields	347
Addressing	348
Implementing IPv6 with FTOS	350
ICMPv6	352
Path MTU Discovery	353
IPv6 Neighbor Discovery	354
IPv6 Neighbor Discovery of MTU packets	354
QoS for IPv6	354
IPv6 Multicast	355
SSH over an IPv6 Transport	355
Configuration Task List for IPv6	356
Change your CAM-Profile on an E-Series system	356
Adjust your CAM-Profile on an C-Series or S-Series	357
Assign an IPv6 Address to an Interface	358
Assign a Static IPv6 Route	359
Telnet with IPv6	359
SNMP over IPv6	360
Show IPv6 Information	360
Show an IPv6 Interface	361
Show IPv6 Routes	362
Show the Running-Configuration for an Interface	364
Clear IPv6 Routes	364
iSCSI Optimization	367
iSCSI Optimization Overview	367
Detection and Port Configuration for Dell Compellent Arrays	367
Link Aggregation Control Protoco	369
Introduction to Dynamic LAGs and LACP	369
Important Points to Remember	370
LACP modes	370
LACP Configuration Commands	371
LACP Configuration Tasks	371
Monitor and Debugging LACP	373
Shared LAG State Tracking	374
Configure Shared LAG State Tracking	374
Important Points about Shared LAG State Tracking	376
Configure LACP as Hitless	376
LACP Basic Configuration Example	377
Layer 2	387
Managing the MAC Address Table	387
Clear the MAC Address Table	387
Set the Aging Time for Dynamic Entries	388
Configure a Static MAC Address	388
Display the MAC Address Table	389
MAC Learning Limit	389
mac learning-limit dynamic	390
mac learning-limit mac-address-sticky	391
mac learning-limit station-move	391
Learning Limit Violation Actions	391
Station Move Violation Actions	392
Recovering from Learning Limit and Station Move Violations	392
Per-VLAN MAC Learning Limit	393
NIC Teaming	394
MAC Move Optimization	395
Microsoft Clustering	395
Default Behavior	396
Configuring the Switch for Microsoft Server Clustering	396
Enable and Disable VLAN Flooding	397
Configuring Redundant Pairs	398
Important Points about Configuring Redundant Pairs	399
Restricting Layer 2 Flooding	401
Far-end Failure Detection	402
FEFD state changes	403
Important Points to Remember	404
Configuring FEFD	404
Debugging FEFD	405
Link Layer Discovery Protocol	407
802.1AB (LLDP) Overview	407
Protocol Data Units	407
Optional TLVs	408
Management TLVs	409
TIA-1057 (LLDP-MED) Overview	410
TIA Organizationally Specific TLVs	411
Configuring LLDP	414
Related Configuration Tasks	414
Important Points to Remember	415
LLDP Compatibility	415
CONFIGURATION versus INTERFACE Configurations	415
Enabling LLDP	416
Disabling and Undoing LLDP	416
Advertising TLVs	416
Viewing the LLDP Configuration	418
Viewing Information Advertised by Adjacent LLDP Agents	418
Configuring LLDPDU Intervals	419
Configuring Transmit and Receive Mode	420
Configuring a Time to Live	421
Debugging LLDP	422
Relevant Management Objects	423
Multiple Spanning Tree Protocol	427
Protocol Overview	427
Implementation Information	428
Configure Multiple Spanning Tree Protocol	428
Related Configuration Tasks	428
Enable Multiple Spanning Tree Globally	429
Add and Remove Interfaces	429
Create Multiple Spanning Tree Instances	429
Influence MSTP Root Selection	431
Interoperate with Non-FTOS Bridges	431
Modify Global Parameters	432
Modify Interface Parameters	433
Configure an EdgePort	434
Flush MAC Addresses after a Topology Change	435
MSTP Sample Configurations	436
Debugging and Verifying MSTP Configuration	440
Multicast Features	443
Implementation Information	443
Enable IP Multicast	443
Multicast with ECMP	444
Implementation Information	444
First Packet Forwarding for Lossless Multicast	445
Multicast Policies	446
IPv4 Multicast Policies	446
IPv6 Multicast Policies	451
Multicast Traceroute	453
Multicast Quality of Service	453
Optimize the E-Series for Multicast Traffic	454
Allocate More Buffer Memory for Multicast WRED	454
Allocate More Bandwidth to Multicast using Egress WFQ	454
Tune the Central Scheduler for Multicast	454
Open Shortest Path First (OSPFv2 and OSPFv3)	457
Protocol Overview	458
Autonomous System (AS) Areas	458
Networks and Neighbors	460
Router Types	460
Designated and Backup Designated Routers	462
Link-State Advertisements (LSAs)	463
Virtual Links	464
Router Priority and Cost	464
Implementing OSPF with FTOS	465
Fast Convergence ( OSPFv2, IPv4 only)	466
Multi-Process OSPF (OSPFv2, IPv4 only)	466
RFC-2328 Compliant OSPF Flooding	467
OSPF ACK Packing	468
OSPF Adjacency with Cisco Routers	468
Configuration Information	468
Configuration Task List for OSPFv2 (OSPF for IPv4)	469
Troubleshooting OSPFv2	486
Configuration Task List for OSPFv3 (OSPF for IPv6)	489
Troubleshooting OSPFv3	494
Sample Configurations for OSPFv2	495
Basic OSPFv2 Router Topology	495
PIM Sparse-Mode	497
Implementation Information	497
Protocol Overview	497
Requesting Multicast Traffic	498
Refusing Multicast Traffic	498
Sending Multicast Traffic	498
Important Points to Remember	499
Configure PIM-SM	499
Related Configuration Tasks	499
Enable PIM-SM	500
Configurable S,G Expiry Timers	501
Configure a Static Rendezvous Point	502
Override Bootstrap Router Updates	503
Configure a Designated Router	503
Create Multicast Boundaries and Domains	504
PIM Source-Specific Mode	505
Implementation Information	507
Important Points to Remember	507
Configure PIM-SM	507
Related Configuration Tasks	507
Enable PIM-SSM	507
Use PIM-SSM with IGMP version 2 Hosts	508
Power over Ethernet	511
Configuring Power over Ethernet	512
Related Configuration Tasks	513
Enabling PoE on a Port	513
Manage Ports using Power Priority and the Power Budget	515
Determine the Power Priority for a Port	515
Determine the Affect of a Port on the Power Budget	517
Monitor the Power Budget	518
Manage Power Priorities	519
Recover from a Failed Power Supply	520
Deploying VOIP	521
Create VLANs for an Office VOIP Deployment	521
Configure LLDP-MED for an Office VOIP Deployment	522
Configure Quality of Service for an Office VOIP Deployment	523
Port Monitoring	527
Important Points to Remember	527
Port Monitoring on E-Series	528
E-Series TeraScale	528
E-Series ExaScale	529
Port Monitoring on C-Series and S-Series	529

Match case Limit results 1 per page

104

Access Control Lists (ACL), Prefix Lists, and Route-maps

www.dell.com | support.dell.com

ACLs

acl1

and

acl2

have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.

Therefore, (without the keyword

order

) packets within the range 20.1.1.0/24 match positive against

cmap1

and are buffered in queue 7, though you intended for these packets to match positive against

cmap2

and be

buffered in queue 4.

In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use

the

order

keyword to specify the order in which you want to apply ACL rules, as shown in

Figure 7-2

. The

order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order

numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended.

By default, all ACL rules have an order of 254.

Figure 7-2.

Using the Order Keyword in ACLs

IP Fragment Handling

FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and

subsequent packets. It extends the existing ACL command syntax with the

fragments

keyword for all

Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).

•

Both standard and extended ACLs support IP fragments.

•

Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these

fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the

packet as a whole cannot be reassembled.

•

Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry.

•

For IP ACL, FTOS always applies implicit deny. You do not have to configure it.

•

For IP ACL, FTOS applies implicit permit for second and subsequent fragment just prior to the

implicit deny.

•

If an

explicit

deny is configured, the second and subsequent fragments will not hit the implicit permit

rule for fragments.

Force10(conf)#ip access-list standard acl1

Force10(config-std-nacl)#permit 20.0.0.0/8

Force10(config-std-nacl)#exit

Force10(conf)#ip access-list standard acl2

Force10(config-std-nacl)#

permit 20.1.1.0/24 order 0

Force10(config-std-nacl)#exit

Force10(conf)#class-map match-all cmap1

Force10(conf-class-map)#match ip access-group acl1

Force10(conf-class-map)#exit

Force10(conf)#class-map match-all cmap2

Force10(conf-class-map)#match ip access-group acl2

Force10(conf-class-map)#exit

Force10(conf)#policy-map-input pmap

Force10(conf-policy-map-in)#service-queue 7 class-map cmap1

Force10(conf-policy-map-in)#service-queue 4 class-map cmap2

Force10(conf-policy-map-in)#exit

Force10(conf)#interface gig 1/0

Force10(conf-if-gi-1/0)#service-policy input pmap