Home » Dell Manuals » Hubs & Switches » Dell MX5108n » Manual Viewer

Dell MX5108n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 398

IPsec authentication on interfaces, Enter the encryption algorithm used with ESP 3DES, DES, AES-CBC

Add to My Manuals
Save this manual to your list of manuals

Page 398 highlights

• The configured authentication or encryption policy is applied to all OSPFv3 packets transmitted on the interface or in the area. The IPsec security associations are the same on inbound and outbound traffic on an OSPFv3 interface. • There is no maximum AH or ESP header length because the headers have fields with variable lengths. Configure IPsec authentication on interfaces Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, then enable OSPFv3 on the interface, and assign it to an area. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm. You cannot use an IPsec authentication type (MD5 or SHA-1) and the null setting at same time on an interface. These settings are mutually exclusive. • Enable IPsec authentication for OSPFv3 packets in Interface mode. ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key} - null - Prevent an authentication policy configured for the area to be inherited on the interface. This parameter is only used if you configure IPsec area authentication. - ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). - md5 - Enable message digest 5 (MD5) authentication. - sha1 - Enable secure hash algorithm 1 (SHA-1) authentication. - key - Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command. Configure IPsec authentication on interface OS10(conf-if-eth1/1/1)# ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 no switchport no shutdown ipv6 address 1::1/64 IPsec encryption on interfaces Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication (ipv6 ospf authentication ipsec). To configure encryption, you must first delete the authentication policy. • Enable IPsec encryption for OSPFv3 packets in Interface mode. ipv6 ospf encryption ipsec spi number esp encryption-type key authentication-type key - ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). - esp encryption-type key - Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AESCBC, only the AES-128 and AES-192 ciphers are supported. 398 Layer 3

Section	Page
OS10 Enterprise Edition User Guide — PowerEdge MX I/O Modules Release 10.4.0E(R3S)	3
Getting Started	21
Supported Hardware	21
OS10 image for MX Ethernet I/O modules	21
Download OS10 image and license	22
Installation	23
Automatic installation	24
Manual installation	24
Log into OS10	25
Install OS10 license	26
Remote access	27
Configure Management IP address	27
Management Route Configuration	28
Configure user name and password	28
Upgrade OS10	29
CLI Basics	29
User accounts	29
Key CLI features	29
CLI command modes	30
CLI command hierarchy	30
CLI command categories	30
CONFIGURATION Mode	31
Command help	31
Check device status	33
Candidate configuration	35
Change to transaction-based configuration	38
Copy running configuration	38
Restore startup configuration	39
Reload system image	39
Filter show commands	40
Alias command	40
Batch mode commands	44
Linux shell commands	44
SSH commands	45
OS9 environment commands	46
Common commands	46
alias	46
alias (multi-line)	47
batch	48
boot	48
commit	49
configure	49
copy	49
default (alias)	51
delete	51
description (alias)	52
dir	52
discard	53
do	53
feature config-os9-style	53
exit	54
license	54
line (alias)	55
lock	55
management route	56
move	56
no	57
reload	57
show alias	57
show boot	59
show candidate-configuration	59
show environment	61
show inventory	62
show ip management-route	62
show ipv6 management-route	63
show license status	63
show running-configuration	64
show startup-configuration	66
show system	67
show version	69
start	69
system	70
system identifier	70
terminal	70
traceroute	71
unlock	72
write	72
PowerEdge MX Ethernet I/O modules	74
Operating modes	74
Changing operating modes	76
Restrictions	76
Port groups on I/O modules	76
Double-density QSFP28 interfaces	76
Virtual ports	79
Single-density QSFP28 interfaces	82
Server-facing interfaces	83
Interfaces	85
Ethernet interfaces	85
L2 mode configuration	85
L3 mode configuration	86
Fibre Channel interfaces	86
Management interface	88
VLAN interfaces	88
User-configured default VLAN	89
VLAN scale profile	89
Loopback interfaces	90
Port-channel interfaces	90
Create port-channel	91
Add port member	91
Minimum links	92
Assign Port Channel IP Address	92
Remove or disable port-channel	92
Load balance traffic	93
Change hash algorithm	93
Configure interface ranges	93
Switch-port profiles	94
S4148-ON Series port profiles	95
S4148U-ON port profiles	96
Unified port groups	97
Configure breakout mode	99
Breakout auto-configuration	99
Reset default configuration	100
Forward error correction	101
Energy-efficient Ethernet	102
Enable energy-efficient Ethernet	103
Clear interface counters	103
View EEE status/statistics	103
EEE commands	104
View interface configuration	107
Interface commands	110
channel-group	110
default interface	110
default vlan-id	113
description (Interface)	113
duplex	114
feature auto-breakout	114
fec	115
interface ethernet	115
interface loopback	115
interface mgmt	116
interface null	116
interface port-channel	116
interface range	117
interface vlan	117
link-bundle-utilization	118
mode	118
mode l3	119
mtu	120
port-group	120
scale-profile vlan	121
show discovered-expanders	121
show interface	122
show inventory media	123
show link-bundle-utilization	124
show port-channel summary	124
show port-group	125
show switch-operating-mode	126
show switch-port-profile	126
show unit-provision	126
show vlan	127
shutdown	127
speed (Fibre Channel)	128
speed (Management)	128
switch-port-profile	129
switchport access vlan	131
switchport mode	131
switchport trunk allowed vlan	132
unit-provision	132
Fibre channel	134
Fibre Channel over Ethernet	134
Configure FIP snooping	135
Terminology	136
Virtual fabric	136
Fibre Channel zoning	139
F_Port on Ethernet	141
F_Port, NPG, and FCoE commands	141
clear fcoe database	141
clear fcoe statistics	141
fc alias	142
fc zone	142
fc zoneset	143
fcoe	143
fcoe max-sessions-per-enodemac	144
feature fc	144
feature fc npg	144
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	145
fip-snooping port-mode fcf	146
member (alias)	146
member (zone)	147
member (zoneset)	147
name	147
show fc alias	148
show fc ns switch	148
show fc statistics	149
show fc switch	150
show fc zone	150
show fc zoneset	151
show fcoe enode	152
show fcoe fcf	152
show fcoe sessions	153
show fcoe statistics	153
show fcoe system	154
show fcoe vlan	154
show npg devices	154
show running-config vfabric	155
show vfabric	156
vfabric	157
vfabric (interface)	157
vlan	157
zone default-zone permit	158
zoneset activate	158
Layer 2	159
802.1X	159
Port authentication	160
EAP over RADIUS	161
Configure 802.1X	161
Enable 802.1X	162
Identity retransmissions	163
Failure quiet period	164
Port control mode	164
Reauthenticate port	165
Configure timeouts	166
802.1X commands	167
Link aggregation control protocol	172
Modes	172
Configuration	172
Interfaces	173
Rates	173
Sample configuration	174
LACP commands	177
Link layer discovery protocol	183
Protocol data units	183
Optional TLVs	184
Organizationally-specific TLVs	185
Media endpoint discovery	186
Network connectivity device	186
LLDP-MED capabilities TLV	186
Network policies TLVs	187
Define network policies	188
Packet timer values	188
Disable and re-enable LLDP	189
Disable and re-enable LLDP on management ports	190
Advertise TLVs	190
Network policy advertisement	191
Fast start repeat count	191
View LLDP configuration	192
Adjacent agent advertisements	193
Time to live	194
LLDP commands	194
Media Access Control	206
Static MAC Address	206
MAC Address Table	207
Clear MAC Address Table	207
MAC Commands	208
Multiple spanning-tree protocol	210
Configure MST protocol	211
Create instances	211
Root selection	213
Non-Dell hardware	213
Region name or revision	213
Modify parameters	214
Interface parameters	215
Forward traffic	215
Spanning-tree extensions	216
Debug configurations	218
MST commands	218
Rapid per-VLAN spanning-tree plus	228
Load balance and root selection	229
Enable RPVST+	229
Select root bridge	230
Root assignment	231
Loop guard	232
Global parameters	232
RPVST+ commands	233
Rapid spanning-tree protocol	241
Enable globally	241
Global parameters	242
Interface parameters	243
Root bridge selection	244
EdgePort forward traffic	245
Spanning-tree extensions	245
RSTP commands	247
Virtual LANs	253
Default VLAN	253
Create or remove VLANs	254
Access mode	255
Trunk mode	256
Assign IP address	256
View VLAN configuration	257
VLAN commands	259
Port monitoring	260
Local port monitoring	260
Remote port monitoring	261
Encapsulated remote port monitoring	263
Flow-based monitoring	264
Remote port monitoring on VLT	265
Port monitoring commands	266
Layer 3	272
Border gateway protocol	272
Sessions and peers	273
Route reflectors	274
Multiprotocol BGP	274
Attributes	275
Selection criteria	275
Weight and local preference	276
Multiexit discriminators	277
Origin	277
AS path and next-hop	278
Best path selection	278
More path support	279
Advertise cost	279
4-Byte AS numbers	280
AS number migration	280
Configure border gateway protocol	281
Enable BGP	281
Configure Dual Stack	283
Peer templates	283
Neighbor fall-over	285
Fast external fallover	286
Passive peering	288
Local AS	288
AS number limit	289
Redistribute routes	290
Additional paths	290
MED attributes	291
Local preference attribute	291
Weight attribute	292
Enable multipath	293
Route-map filters	293
Route reflector clusters	293
Aggregate routes	294
Confederations	295
Route dampening	296
Timers	297
Neighbor soft-reconfiguration	297
BGP commands	298
Equal cost multi-path	323
Load balancing	323
ECMP commands	323
IPv4 routing	326
Assign interface IP address	326
Configure static routing	327
Address resolution protocol	328
IPv4 routing commands	328
IPv6 routing	332
Enable or disable IPv6	332
IPv6 addresses	333
Stateless autoconfiguration	334
Neighbor discovery	335
Duplicate address discovery	336
Static IPv6 routing	337
IPv6 destination unreachable	337
IPv6 hop-by-hop options	338
View IPv6 information	338
IPv6 commands	338
Internet group management protocol	349
IGMP snooping	349
IGMP snooping commands	352
Open shortest path first	357
Autonomous system areas	357
Areas, networks, and neighbors	358
Router types	359
Designated and backup designated routers	360
Link-state advertisements	360
Router priority	361
Shortest path first throttling	362
OSPFv2	363
OSPFv3	394
Object tracking manager	413
Interface tracking	414
Host tracking	415
Set tracking delays	416
Object tracking	416
View tracked objects	416
OTM commands	417
Policy-based routing	420
Policy-based route-maps	420
Access-list to match route-map	420
Set address to match route-map	420
Assign route-map to interface	421
View PBR information	421
PBR commands	422
Virtual routing and forwarding	424
Configure management VRF	424
VRF commands	426
Virtual router redundancy protocol	430
Configuration	431
Create virtual router	432
Group version	432
Virtual IP addresses	433
Configure virtual IP address	433
Set group priority	434
Authentication	435
Disable preempt	435
Advertisement interval	436
Interface/object tracking	437
Configure tracking	437
VRRP commands	438
UFT modes	444
Configure UFT modes	444
UFT commands	445
hardware forwarding-table mode	445
show hardware forwarding-table mode	445
show hardware forwarding-table mode all	446
System management	447
Dynamic host configuration protocol	447
Packet format and options	447
DHCP server	448
Automatic address allocation	449
Hostname resolution	450
Manual binding entries	451
DHCP relay agent	451
View DHCP Information	452
System domain name and list	452
DHCP commands	453
DNS commands	458
Network time protocol	460
Enable NTP	460
Broadcasts	461
Source IP address	461
Authentication	462
NTP commands	463
System clock	468
System Clock commands	468
User session management	470
User session management commands	470
Telnet server	471
Telnet commands	472
Security	472
User re-authentication	473
Password strength	473
Role-based access control	474
Assign user role	474
RADIUS authentication	475
TACACS+ authentication	475
SSH Server	476
Virtual terminal line	477
Enable login statistics	477
Security commands	478
Simple network management protocol	490
SNMP commands	490
Uplink Failure Detection	492
Configure uplink failure detection	493
UFD commands	494
OS10 image upgrade	498
Boot system partition	498
Upgrade commands	499
Access Control Lists	504
IP ACLs	504
MAC ACLs	505
IP fragment handling	505
IP fragments ACL	505
L3 ACL rules	506
Permit ACL with L3 information only	506
Deny ACL with L3 information only	506
Permit all packets from host	506
Permit only first fragments and non-fragmented packets from host	506
Assign sequence number to filter	506
User-provided sequence number	507
Auto-generated sequence number	507
L2 and L3 ACLs	507
Assign and apply ACL filters	508
Ingress ACL filters	509
Egress ACL filters	509
Clear access-list counters	510
IP prefix-lists	510
Route-maps	511
Match routes	512
Set conditions	512
continue Clause	513
ACL flow-based monitoring	513
Flow-based mirroring	513
Enable flow-based monitoring	514
ACL commands	515
clear ip access-list counters	515
clear ipv6 access-list counters	515
clear mac access-list counters	516
deny	516
deny (IPv6)	517
deny (MAC)	517
deny icmp	518
deny icmp (IPv6)	519
deny ip	519
deny ipv6	520
deny tcp	520
deny tcp (IPv6)	521
deny udp	522
deny udp (IPv6)	523
description	524
ip access-group	524
ip access-list	524
ip as-path access-list	525
ip community-list standard deny	526
ip community–list standard permit	526
ip extcommunity-list standard deny	527
ip extcommunity-list standard permit	527
ip prefix-list description	527
ip prefix-list deny	528
ip prefix-list permit	528
ip prefix-list seq deny	529
ip prefix-list seq permit	529
ipv6 access-group	530
ipv6 access-list	530
ipv6 prefix-list deny	530
ipv6 prefix-list description	531
ipv6 prefix-list permit	531
ipv6 prefix-list seq deny	532
ipv6 prefix-list seq permit	532

Match case Limit results 1 per page

•

The

conﬁgured

authentication or encryption policy is applied to all OSPFv3 packets transmitted on the interface or in the area. The

IPsec security associations are the same on inbound and outbound

traﬃc

on an OSPFv3 interface.

•

There is no maximum AH or ESP header length because the headers have

ﬁelds

with variable lengths.

Conﬁgure

IPsec authentication on interfaces

Prerequisite

: Before you enable IPsec authentication on an OSPFv3 interface,

ﬁrst

enable IPv6 unicast routing globally, then enable

OSPFv3 on the interface, and assign it to an area.

The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You cannot

conﬁgure

the same SPI

value on another interface even if it uses the same authentication or encryption algorithm.

You cannot use an IPsec authentication type (MD5 or SHA-1) and the

null

setting at same time on an interface. These settings are

mutually exclusive.

•

Enable IPsec authentication for OSPFv3 packets in Interface mode.

ipv6 ospf authentication {null | ipsec spi

number

{MD5 | SHA1}

key

}

–

null

— Prevent an authentication policy

conﬁgured

for the area to be inherited on the interface. This parameter is only used if you

conﬁgure

IPsec area authentication.

–

ipsec spi

number

— Enter a unique security policy index (SPI) value (256 to 4294967295).

–

md5

— Enable message digest 5 (MD5) authentication.

–

sha1

— Enable secure hash algorithm 1 (SHA-1) authentication.

–

key

— Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange

information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits.

For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.

To delete an IPsec authentication policy, use the

no ipv6 ospf authentication ipsec spi

number

no ipv6 ospf

authentication null

command.

Conﬁgure

IPsec authentication on interface

OS10(conf-if-eth1/1/1)# ipv6 ospf authentication ipsec spi 400 md5

12345678123456781234567812345678

OS10(conf-if-eth1/1/1)# show configuration

interface ethernet1/1/1

ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678

no switchport

no shutdown

ipv6 address 1::1/64

IPsec encryption on interfaces

Prerequisite

: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally,

conﬁgure

an IPv6 address

and enable OSPFv3 on the interface, and assign it to an area.

When you

conﬁgure

encryption on an interface, both IPsec encryption and authentication are enabled. You cannot

conﬁgure

encryption if

you have already

conﬁgured

an interface for IPsec authentication (

ipv6 ospf authentication ipsec

). To

conﬁgure

encryption,

you must

ﬁrst

delete the authentication policy.

•

Enable IPsec encryption for OSPFv3 packets in Interface mode.

ipv6 ospf encryption ipsec spi

number

esp

encryption-type

key

authentication-type

key

–

ipsec spi

number

— Enter a unique security policy index (SPI) value (256 to 4294967295).

–

esp

encryption-type

key

— Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-

CBC, only the AES-128 and AES-192 ciphers are supported.

398

Layer 3