Home » Dell Manuals » Hubs & Switches » Dell MX5108n » Manual Viewer

Dell MX5108n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 580

Control-plane policing, ACL based, with trust

Add to My Manuals
Save this manual to your list of manuals

Page 580 highlights

• Pre-defined IP access-list OS10(config-cmap-qos)# match ip access-group name ip-acl-1 • Pre-defined IPv6 access-list OS10(config-cmap-qos)#match ipv6 access-group name ACLv6 • Pre-defined MAC access-list OS10(config-cmap-qos)# match mac access-group name mac-acl-1 3 Create a qos type policy-map to refer the classes. OS10(config)# policy-map cos-policy 4 Refer the class-maps in the policy-map and define the required action for the flows. OS10(config-pmap-qos)# class cmap OS10(config-pmap-c-qos)# ? OS10(config-pmap-qos)# class cmap OS10(config-pmap-c-qos)# end Exit to the exec Mode exit Exit from current mode no Negate a command or set its defaults police Rate police input traffic set Mark input traffic show show configuration trust Specify dynamic classification to trust[dscp/dot1p] ACL based classification with trust If you have enabled trust based classification and the system has class-maps to install ACL entries in the same policy-map that might conflict with the trust based classification, then by default the trust based classification takes precedence. You can modify the order of precedence by enabling the fallback option of trust dot1p or diffserv (DSCP). 1 Create class-maps. • Create a class-map of type qos to match CoS 5 flow. OS10(config)# class-map cmap-cos5 • Define the fields to be matched on 802.1p CoS 5 values. OS10(config-cmap-qos)# match cos 5 2 Create a policy-map for enabling trust and matching the CoS 5 flow. • Create a qos type policy-map to refer the classes. OS10(config)# policy-map cos-trust • Refer the class-maps in the policy-map and define the required action for the flows. OS10(config-pmap-qos)# class class-trust OS10(config-pmap-c-qos)# trust dot1p fallback OS10(config-pmap-qos)# class cmap-cos5 OS10(config-pmap-c-qos)# set qos-group 7 • Attach the policy-map to interface. OS10(conf-if-eth1/1/1)# service-policy input type qos cos-trust Control-plane policing Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary traffic and giving priority to important control plane and management traffic. CoPP uses a dedicated control plane configuration through the QoS CLIs to set rate-limiting capabilities for control plane packets. If the rate of control packets towards the CPU is higher than the packet rate that the CPU can handle, CoPP provides a method to selectively drop some of the control traffic so that the CPU can process high-priority control traffic. You can use CoPP to rate-limit traffic through each CPU port queue of the network processor (NPU). 580 Quality of service

Section	Page
OS10 Enterprise Edition User Guide — PowerEdge MX I/O Modules Release 10.4.0E(R3S)	3
Getting Started	21
Supported Hardware	21
OS10 image for MX Ethernet I/O modules	21
Download OS10 image and license	22
Installation	23
Automatic installation	24
Manual installation	24
Log into OS10	25
Install OS10 license	26
Remote access	27
Configure Management IP address	27
Management Route Configuration	28
Configure user name and password	28
Upgrade OS10	29
CLI Basics	29
User accounts	29
Key CLI features	29
CLI command modes	30
CLI command hierarchy	30
CLI command categories	30
CONFIGURATION Mode	31
Command help	31
Check device status	33
Candidate configuration	35
Change to transaction-based configuration	38
Copy running configuration	38
Restore startup configuration	39
Reload system image	39
Filter show commands	40
Alias command	40
Batch mode commands	44
Linux shell commands	44
SSH commands	45
OS9 environment commands	46
Common commands	46
alias	46
alias (multi-line)	47
batch	48
boot	48
commit	49
configure	49
copy	49
default (alias)	51
delete	51
description (alias)	52
dir	52
discard	53
do	53
feature config-os9-style	53
exit	54
license	54
line (alias)	55
lock	55
management route	56
move	56
no	57
reload	57
show alias	57
show boot	59
show candidate-configuration	59
show environment	61
show inventory	62
show ip management-route	62
show ipv6 management-route	63
show license status	63
show running-configuration	64
show startup-configuration	66
show system	67
show version	69
start	69
system	70
system identifier	70
terminal	70
traceroute	71
unlock	72
write	72
PowerEdge MX Ethernet I/O modules	74
Operating modes	74
Changing operating modes	76
Restrictions	76
Port groups on I/O modules	76
Double-density QSFP28 interfaces	76
Virtual ports	79
Single-density QSFP28 interfaces	82
Server-facing interfaces	83
Interfaces	85
Ethernet interfaces	85
L2 mode configuration	85
L3 mode configuration	86
Fibre Channel interfaces	86
Management interface	88
VLAN interfaces	88
User-configured default VLAN	89
VLAN scale profile	89
Loopback interfaces	90
Port-channel interfaces	90
Create port-channel	91
Add port member	91
Minimum links	92
Assign Port Channel IP Address	92
Remove or disable port-channel	92
Load balance traffic	93
Change hash algorithm	93
Configure interface ranges	93
Switch-port profiles	94
S4148-ON Series port profiles	95
S4148U-ON port profiles	96
Unified port groups	97
Configure breakout mode	99
Breakout auto-configuration	99
Reset default configuration	100
Forward error correction	101
Energy-efficient Ethernet	102
Enable energy-efficient Ethernet	103
Clear interface counters	103
View EEE status/statistics	103
EEE commands	104
View interface configuration	107
Interface commands	110
channel-group	110
default interface	110
default vlan-id	113
description (Interface)	113
duplex	114
feature auto-breakout	114
fec	115
interface ethernet	115
interface loopback	115
interface mgmt	116
interface null	116
interface port-channel	116
interface range	117
interface vlan	117
link-bundle-utilization	118
mode	118
mode l3	119
mtu	120
port-group	120
scale-profile vlan	121
show discovered-expanders	121
show interface	122
show inventory media	123
show link-bundle-utilization	124
show port-channel summary	124
show port-group	125
show switch-operating-mode	126
show switch-port-profile	126
show unit-provision	126
show vlan	127
shutdown	127
speed (Fibre Channel)	128
speed (Management)	128
switch-port-profile	129
switchport access vlan	131
switchport mode	131
switchport trunk allowed vlan	132
unit-provision	132
Fibre channel	134
Fibre Channel over Ethernet	134
Configure FIP snooping	135
Terminology	136
Virtual fabric	136
Fibre Channel zoning	139
F_Port on Ethernet	141
F_Port, NPG, and FCoE commands	141
clear fcoe database	141
clear fcoe statistics	141
fc alias	142
fc zone	142
fc zoneset	143
fcoe	143
fcoe max-sessions-per-enodemac	144
feature fc	144
feature fc npg	144
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	145
fip-snooping port-mode fcf	146
member (alias)	146
member (zone)	147
member (zoneset)	147
name	147
show fc alias	148
show fc ns switch	148
show fc statistics	149
show fc switch	150
show fc zone	150
show fc zoneset	151
show fcoe enode	152
show fcoe fcf	152
show fcoe sessions	153
show fcoe statistics	153
show fcoe system	154
show fcoe vlan	154
show npg devices	154
show running-config vfabric	155
show vfabric	156
vfabric	157
vfabric (interface)	157
vlan	157
zone default-zone permit	158
zoneset activate	158
Layer 2	159
802.1X	159
Port authentication	160
EAP over RADIUS	161
Configure 802.1X	161
Enable 802.1X	162
Identity retransmissions	163
Failure quiet period	164
Port control mode	164
Reauthenticate port	165
Configure timeouts	166
802.1X commands	167
Link aggregation control protocol	172
Modes	172
Configuration	172
Interfaces	173
Rates	173
Sample configuration	174
LACP commands	177
Link layer discovery protocol	183
Protocol data units	183
Optional TLVs	184
Organizationally-specific TLVs	185
Media endpoint discovery	186
Network connectivity device	186
LLDP-MED capabilities TLV	186
Network policies TLVs	187
Define network policies	188
Packet timer values	188
Disable and re-enable LLDP	189
Disable and re-enable LLDP on management ports	190
Advertise TLVs	190
Network policy advertisement	191
Fast start repeat count	191
View LLDP configuration	192
Adjacent agent advertisements	193
Time to live	194
LLDP commands	194
Media Access Control	206
Static MAC Address	206
MAC Address Table	207
Clear MAC Address Table	207
MAC Commands	208
Multiple spanning-tree protocol	210
Configure MST protocol	211
Create instances	211
Root selection	213
Non-Dell hardware	213
Region name or revision	213
Modify parameters	214
Interface parameters	215
Forward traffic	215
Spanning-tree extensions	216
Debug configurations	218
MST commands	218
Rapid per-VLAN spanning-tree plus	228
Load balance and root selection	229
Enable RPVST+	229
Select root bridge	230
Root assignment	231
Loop guard	232
Global parameters	232
RPVST+ commands	233
Rapid spanning-tree protocol	241
Enable globally	241
Global parameters	242
Interface parameters	243
Root bridge selection	244
EdgePort forward traffic	245
Spanning-tree extensions	245
RSTP commands	247
Virtual LANs	253
Default VLAN	253
Create or remove VLANs	254
Access mode	255
Trunk mode	256
Assign IP address	256
View VLAN configuration	257
VLAN commands	259
Port monitoring	260
Local port monitoring	260
Remote port monitoring	261
Encapsulated remote port monitoring	263
Flow-based monitoring	264
Remote port monitoring on VLT	265
Port monitoring commands	266
Layer 3	272
Border gateway protocol	272
Sessions and peers	273
Route reflectors	274
Multiprotocol BGP	274
Attributes	275
Selection criteria	275
Weight and local preference	276
Multiexit discriminators	277
Origin	277
AS path and next-hop	278
Best path selection	278
More path support	279
Advertise cost	279
4-Byte AS numbers	280
AS number migration	280
Configure border gateway protocol	281
Enable BGP	281
Configure Dual Stack	283
Peer templates	283
Neighbor fall-over	285
Fast external fallover	286
Passive peering	288
Local AS	288
AS number limit	289
Redistribute routes	290
Additional paths	290
MED attributes	291
Local preference attribute	291
Weight attribute	292
Enable multipath	293
Route-map filters	293
Route reflector clusters	293
Aggregate routes	294
Confederations	295
Route dampening	296
Timers	297
Neighbor soft-reconfiguration	297
BGP commands	298
Equal cost multi-path	323
Load balancing	323
ECMP commands	323
IPv4 routing	326
Assign interface IP address	326
Configure static routing	327
Address resolution protocol	328
IPv4 routing commands	328
IPv6 routing	332
Enable or disable IPv6	332
IPv6 addresses	333
Stateless autoconfiguration	334
Neighbor discovery	335
Duplicate address discovery	336
Static IPv6 routing	337
IPv6 destination unreachable	337
IPv6 hop-by-hop options	338
View IPv6 information	338
IPv6 commands	338
Internet group management protocol	349
IGMP snooping	349
IGMP snooping commands	352
Open shortest path first	357
Autonomous system areas	357
Areas, networks, and neighbors	358
Router types	359
Designated and backup designated routers	360
Link-state advertisements	360
Router priority	361
Shortest path first throttling	362
OSPFv2	363
OSPFv3	394
Object tracking manager	413
Interface tracking	414
Host tracking	415
Set tracking delays	416
Object tracking	416
View tracked objects	416
OTM commands	417
Policy-based routing	420
Policy-based route-maps	420
Access-list to match route-map	420
Set address to match route-map	420
Assign route-map to interface	421
View PBR information	421
PBR commands	422
Virtual routing and forwarding	424
Configure management VRF	424
VRF commands	426
Virtual router redundancy protocol	430
Configuration	431
Create virtual router	432
Group version	432
Virtual IP addresses	433
Configure virtual IP address	433
Set group priority	434
Authentication	435
Disable preempt	435
Advertisement interval	436
Interface/object tracking	437
Configure tracking	437
VRRP commands	438
UFT modes	444
Configure UFT modes	444
UFT commands	445
hardware forwarding-table mode	445
show hardware forwarding-table mode	445
show hardware forwarding-table mode all	446
System management	447
Dynamic host configuration protocol	447
Packet format and options	447
DHCP server	448
Automatic address allocation	449
Hostname resolution	450
Manual binding entries	451
DHCP relay agent	451
View DHCP Information	452
System domain name and list	452
DHCP commands	453
DNS commands	458
Network time protocol	460
Enable NTP	460
Broadcasts	461
Source IP address	461
Authentication	462
NTP commands	463
System clock	468
System Clock commands	468
User session management	470
User session management commands	470
Telnet server	471
Telnet commands	472
Security	472
User re-authentication	473
Password strength	473
Role-based access control	474
Assign user role	474
RADIUS authentication	475
TACACS+ authentication	475
SSH Server	476
Virtual terminal line	477
Enable login statistics	477
Security commands	478
Simple network management protocol	490
SNMP commands	490
Uplink Failure Detection	492
Configure uplink failure detection	493
UFD commands	494
OS10 image upgrade	498
Boot system partition	498
Upgrade commands	499
Access Control Lists	504
IP ACLs	504
MAC ACLs	505
IP fragment handling	505
IP fragments ACL	505
L3 ACL rules	506
Permit ACL with L3 information only	506
Deny ACL with L3 information only	506
Permit all packets from host	506
Permit only first fragments and non-fragmented packets from host	506
Assign sequence number to filter	506
User-provided sequence number	507
Auto-generated sequence number	507
L2 and L3 ACLs	507
Assign and apply ACL filters	508
Ingress ACL filters	509
Egress ACL filters	509
Clear access-list counters	510
IP prefix-lists	510
Route-maps	511
Match routes	512
Set conditions	512
continue Clause	513
ACL flow-based monitoring	513
Flow-based mirroring	513
Enable flow-based monitoring	514
ACL commands	515
clear ip access-list counters	515
clear ipv6 access-list counters	515
clear mac access-list counters	516
deny	516
deny (IPv6)	517
deny (MAC)	517
deny icmp	518
deny icmp (IPv6)	519
deny ip	519
deny ipv6	520
deny tcp	520
deny tcp (IPv6)	521
deny udp	522
deny udp (IPv6)	523
description	524
ip access-group	524
ip access-list	524
ip as-path access-list	525
ip community-list standard deny	526
ip community–list standard permit	526
ip extcommunity-list standard deny	527
ip extcommunity-list standard permit	527
ip prefix-list description	527
ip prefix-list deny	528
ip prefix-list permit	528
ip prefix-list seq deny	529
ip prefix-list seq permit	529
ipv6 access-group	530
ipv6 access-list	530
ipv6 prefix-list deny	530
ipv6 prefix-list description	531
ipv6 prefix-list permit	531
ipv6 prefix-list seq deny	532
ipv6 prefix-list seq permit	532

Match case Limit results 1 per page

•

Pre-deﬁned

IP access-list

OS10(config-cmap-qos)# match ip access-group name ip-acl-1

•

Pre-deﬁned

IPv6 access-list

OS10(config-cmap-qos)#match ipv6 access-group name ACLv6

•

Pre-deﬁned

MAC access-list

OS10(config-cmap-qos)# match mac access-group name mac-acl-1

Create a qos type policy-map to refer the classes.

OS10(config)# policy-map cos-policy

Refer the class-maps in the policy-map and

deﬁne

the required action for the

ﬂows.

OS10(config-pmap-qos)# class cmap

OS10(config-pmap-c-qos)# ?

OS10(config-pmap-qos)# class cmap

OS10(config-pmap-c-qos)#

end

Exit to the exec Mode

exit

Exit from current mode

Negate a command or set its defaults

police

Rate police input traffic

set

Mark input traffic

show

show configuration

trust

Specify dynamic classification to trust[dscp/dot1p]

ACL based

classiﬁcation

with trust

If you have enabled trust based

classiﬁcation

and the system has class-maps to install ACL entries in the same policy-map that might

conﬂict

with the trust based

classiﬁcation,

then by default the trust based

classiﬁcation

takes precedence.

You can modify the order of precedence by enabling the fallback option of trust dot1p or

diﬀserv

(DSCP).

Create class-maps.

•

Create a class-map of type qos to match CoS 5

ﬂow.

OS10(config)# class-map cmap-cos5

•

Deﬁne

the

ﬁelds

to be matched on 802.1p CoS 5 values.

OS10(config-cmap-qos)# match cos 5

Create a policy-map for enabling trust and matching the CoS 5

ﬂow.

•

Create a qos type policy-map to refer the classes.

OS10(config)# policy-map cos-trust

•

Refer the class-maps in the policy-map and

deﬁne

the required action for the

ﬂows.

OS10(config-pmap-qos)# class class-trust

OS10(config-pmap-c-qos)# trust dot1p fallback

OS10(config-pmap-qos)# class cmap-cos5

OS10(config-pmap-c-qos)# set qos-group 7

•

Attach the policy-map to interface.

OS10(conf-if-eth1/1/1)# service-policy input type qos cos-trust

Control-plane policing

Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary

traﬃc

and giving

priority to important control plane and management

traﬃc.

CoPP uses a dedicated control plane

conﬁguration

through the QoS CLIs to set

rate-limiting capabilities for control plane packets.

If the rate of control packets towards the CPU is higher than the packet rate that the CPU can handle, CoPP provides a method to

selectively drop some of the control

traﬃc

so that the CPU can process high-priority control

traﬃc.

You can use CoPP to rate-limit

traﬃc

through each CPU port queue of the network processor (NPU).

580

Quality of service