Home » Dell Manuals » Servers » Dell S6000 » Manual Viewer

Dell S6000 FTOS 9.0(2.0) Configuration Guide for the System - Page 252

Drop DHCP packets on snooped VLANs only, Dynamic ARP Inspection, request and replies from any device

Add to My Manuals
Save this manual to your list of manuals

Page 252 highlights

www.dell.com | support.dell.com Packets received on snooping disabled L3 Ports : 0 Snooping packets processed on L2 vlans : 142 DHCP Binding File Details Invalid File Invalid Binding Entry Binding Entry lease expired List of Trust Ports List of DHCP Snooping Enabled Vlans List of DAI Trust ports : 0 : 0 : 0 :Te 0/49 :Vl 10 :Te 0/49 Drop DHCP packets on snooped VLANs only Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.1, line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped-VLANs, while such packets will be forwarded across non-snooped VLANs. Since DHCP packets are dropped, no new IP address assignments are made. However, DHCP Release and Decline packets are allowed so that the DHCP snooping table can decrease in size. Once the table usage falls below the max limit of 4000 entries, new IP address assignments are allowed. View the number of entries in the table with the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port. FTOS#show ip dhcp snooping binding Codes : S - Static D - Dynamic IP Address MAC Address Expires(Sec) Type VLAN Interface 10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Te 0/2 10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Te 0/1 10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Te 0/3 10.1.1.254 00:00:4d:69:e8:f2 172740 D Vl 10 Te 0/50 Total number of Entries in the table : 4 Dynamic ARP Inspection Dynamic ARP inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accepts ARP request and replies from any device, and ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information. The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP to MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS) attacks, among others. 230 | Dynamic Host Configuration Protocol (DHCP)

Section	Page
About this Guide	23
Objectives	23
Audience	23
Conventions	24
Information Symbols	24
Related Documents	24
Configuration Fundamentals	25
Accessing the Command Line	25
CLI Modes	26
Navigating CLI Modes	27
The do Command	30
Undoing Commands	30
Obtaining Help	31
Entering and Editing Commands	31
Command History	32
Filtering show Command Outputs	33
Multiple Users in Configuration mode	35
Getting Started	37
Console access	37
Serial console	37
Accessing the RJ-45 console port with a DB-9 adapter	38
Default Configuration	38
Configure a Host Name	39
Access the System Remotely	39
Access the Z-Series, and the S-Series Remotely	39
Configure the Management Port IP Address	39
Configure a Management Route	40
Configure a Username and Password	40
Configure the Enable Password	41
Configuration File Management	42
Copy Files to and from the System	42
Important Points to Remember	42
Save the Running-configuration	43
View Files	44
View Configuration Files	45
File System Management	46
View command history	47
Upgrading FTOS	48
Management	49
Configure Privilege Levels	49
Create a Custom Privilege Level	49
Removing a command from EXEC mode	50
Move a command from EXEC privilege mode to EXEC mode	50
Allow Access to CONFIGURATION mode commands	50
Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode	50
Apply a Privilege Level to a Username	53
Apply a Privilege Level to a Terminal Line	53
Configure Logging	53
Log Messages in the Internal Buffer	54
Configuration Task List for System Log Management	54
Disable System Logging	54
Send System Messages to a Syslog Server	54
Configure a Unix System as a Syslog Server	55
Change System Logging Settings	55
Display the Logging Buffer and the Logging Configuration	56
Configure a UNIX logging facility level	57
Synchronize log messages	58
Enable timestamp on syslog messages	58
File Transfer Services	59
Configuration Task List for File Transfer Services	59
Enable FTP server	59
Configure FTP server parameters	60
Configure FTP client parameters	61
Terminal Lines	61
Deny and Permit Access to a Terminal Line	61
Configure Login Authentication for Terminal Lines	62
Time out of EXEC Privilege Mode	63
Telnet to Another Network Device	64
Lock CONFIGURATION mode	65
Viewing the Configuration Lock Status	66
Recovering from a Forgotten Password on the S4810 and S6000	66
Recovering from a Forgotten Enable Password on the S4810 and S6000	68
Recovering from a Failed Start on the S4810 and S6000	69
802.1X	71
Protocol Overview	71
The Port-authentication Process	72
EAP over RADIUS	73
RADIUS Attributes for 802.1 Support	74
Configuring 802.1X	74
Related Configuration Tasks	74
Important Points to Remember	75
Enabling 802.1X	75
Configuring Request Identity Re-transmissions	76
Configuring a Quiet Period after a Failed Authentication	77
Forcibly Authorizing or Unauthorizing a Port	78
Re-authenticating a Port	79
Periodic Re-authentication	79
Configuring Timeouts	80
Dynamic VLAN Assignment with Port Authentication	81
Guest and Authentication-fail VLANs	82
Configuring a Guest VLAN	83
Configuring an Authentication-fail VLAN	83
Access Control Lists (ACLs)	85
Overview	85
IP Access Control Lists (ACLs)	86
CAM Profiling, CAM Allocation, and CAM Optimization	86
User Configurable CAM Allocation	87
CAM optimization	87
Test CAM Usage	87
Implementing ACLs on FTOS	88
ACLs and VLANs	88
Determine the order in which ACLs are used to classify traffic	88
IP Fragment Handling	89
IP fragments ACL examples	90
Layer 4 ACL rules examples	90
Configure a standard IP ACL	91
Configure an extended IP ACL	93
Configure filters with sequence number	94
Configure filters without sequence number	95
Configuring Layer 2 and Layer 3 ACLs on an Interface	96
Assign an IP ACL to an Interface	97
Counting ACL Hits	98
Configuring Ingress ACLs	99
Configuring Egress ACLs	99
Egress Layer 3 ACL Lookup for Control-plane IP Traffic	100
IP Prefix Lists	101
Implementation Information	101
Configuration Task List for Prefix Lists	102
Configure a prefix list	102
Use a prefix list for route redistribution	104
ACL Resequencing	106
Resequencing an ACL or Prefix List	107
Route Maps	108
Implementation Information	108
Important Points to Remember	108
Configuration Task List for Route Maps	109
Create a route map	109
Configure route map filters	111
Configure a route map for route redistribution	114
Configure a route map for route tagging	115
Continue clause	115
Bidirectional Forwarding Detection (BFD)	117
Protocol Overview	117
How BFD Works	118
BFD packet format	118
BFD sessions	120
BFD three-way handshake	121
Session state changes	122
Important Points to Remember	123
Configuring Bidirectional Forwarding Detection	123
Configuring BFD for OSPF	123
Related configuration tasks	124
Establishing sessions with OSPF neighbors	124
Changing OSPF session parameters	125
Disabling BFD for OSPF	126
Configuring BFD for IS-IS	126
Related configuration tasks	126
Establishing sessions with IS-IS neighbors	126
Changing IS-IS session parameters	128
Disabling BFD for IS-IS	128
Configuring BFD for BGP	129
Prerequisites	129
Establishing sessions with BGP neighbors	129
Disabling BFD for BGP	131
Using BFD in a BGP Peer Group	131
Displaying BFD for BGP Information	132
Configuring Protocol Liveness	136
Border Gateway Protocol	137
Protocol Overview	138
Autonomous Systems (AS)	138
Sessions and Peers	140
Establishing a session	140
Peer Groups	141
Route Reflectors	141
Communities	142
BGP Attributes	143
Best Path Selection Criteria	143
Best Path selection details	144
Weight	146
Local Preference	146
Multi-Exit Discriminators (MEDs)	146
Origin	147
AS Path	148
Next Hop	149
Multiprotocol BGP	149
Implementing BGP with FTOS	149
Additional Path (Add-Path) support	149
Advertise IGP cost as MED for redistributed routes	149
Ignore Router-ID for some best-path calculations	150
4-Byte AS Numbers	150
AS4 Number Representation	151
Dynamic AS Number Notation application	152
AS Number Migration	154
BGP4 Management Information Base (MIB)	156
Important Points to Remember	156
Configuration Information	157
BGP Configuration	158
Defaults	158
Configuration Task List for BGP	158
Enable BGP	159
Configure AS4 Number Representations	164
Configure Peer Groups	166
BGP fast fall-over	169
Configure passive peering	172
Maintain existing AS numbers during an AS migration	173
Allow an AS number to appear in its own AS path	175
Enable graceful restart	176
Filter on an AS-Path attribute	177
Redistribute routes	180
Enable additional paths	181
Configure IP community lists	181
Manipulate the COMMUNITY attribute	184
Change MED attribute	186
Change LOCAL_PREFERENCE attribute	187
Change NEXT_HOP attribute	188
Change WEIGHT attribute	188
Enable multipath	189
Filter BGP routes	189
Configure BGP route reflectors	192
Aggregate routes	193
Configure BGP confederations	194
Enable route flap dampening	194
Change BGP timers	199
BGP neighbor soft-reconfiguration	199
Route map continue	201
MBGP Configuration	201
BGP Regular Expression Optimization	202
Debugging BGP	202
Storing Last and Bad PDUs	203
Capturing PDUs	204
PDU Counters	206
Sample Configurations	206
Bare Metal Provisioning 2.0 (BMP 2.0)	217
Prerequisites	217
Restrictions	218
Comparison of BMP 1.5 and 2.0	218
Overview	218
Jumpstart mode	220
DHCP Server	220
MAC-Based IP assignment	220
DHCP configuration	220
File Server	221
Domain Name Server	222
System boot and set-up behavior in Jumpstart Mode	222
Content Addressable Memory (CAM)	225
Content Addressable Memory	225
When to Use CAM Profiling	225
Important Points to Remember	226
CAM Allocation	226
Test CAM Usage	228
View CAM-ACL settings	228
Return to the Default CAM Configuration	229
CAM Optimization	229
Troubleshoot CAM Profiling	229
CAM Profile Mismatches	229
QoS CAM Region Limitation	229
Control Plane Policing (CoPP)	231
Overview	231
Configure Control Plane Policing	233
Configure CoPP for protocols	234
Sample Config for CoPP protocol configuration	235
Configure CoPP for CPU queues	236
Sample Config for CoPP CPU queue configuration	237
Show commands	237
Dynamic Host Configuration Protocol (DHCP)	239
Protocol Overview	239
DHCP Packet Format and Options	240
Assigning an IP Address using DHCP	241
Implementation Information	242
Configuration Tasks	242
Configure the System to be a DHCP Server	242
Configuration Tasks	243
Related Configuration Tasks	243
Configure the Server for Automatic Address Allocation	243
Create an IP Address Pool	243
Exclude Addresses from the Address Pool	244
Specify an Address Lease Time	244
Specify a Default Gateway	244
Enable DHCP Server	245
Configure a Method of Hostname Resolution	245
Address Resolution using DNS	245
Address Resolution using NetBIOS WINS	246
Create Manual Binding Entries	246
Debug DHCP server	247
DHCP Clear Commands	247
Configure the System to be a Relay Agent	247
Configure Secure DHCP	248
Option 82	249
DHCP Snooping	249
Enable DCHP snooping	251
Add a static entry in the binding table	251
Clear the binding table	251
Display the contents of the binding table	251
Drop DHCP packets on snooped VLANs only	252
Dynamic ARP Inspection	252
Bypass the ARP Inspection	254
Source Address Validation	254
IP Source Address Validation	254
DHCP MAC Source Address Validation	255
IP+MAC Source Address Validation	255
Debugging and Diagnostics	257
Offline Diagnostics	257
Important Points to Remember	257
Running Offline Diagnostics	258
TRACE logs	265
Auto Save on Crash or Rollover	265
Hardware watchdog timer	265
Environmental monitoring	265
Digital Optical Monitoring (DOM) Details via Command Line Interface and SNMP	266
Power via Command Line Interface:	266
Power via SNMP:	268
Temperature via Command Line Interface:	269
Temperature via SNMP:	271
Recognize an Overtemperature Condition	276
Troubleshoot an Overtemperature Condition	277
Recognize an Under-Voltage Condition	277
Troubleshoot an Under-Voltage Condition	277
show hardware commands (S6000)	277
Troubleshooting packet loss	280
Displaying Drop Counters	280
Dataplane Statistics	281
Displaying Stack Member Counters	283
Application Core Dumps	284
Mini Core Dumps	284
Kernel Core Dumps	285
TCP Dumps	285
Equal Cost Multi-Path (ECMP)	287
Configurable Hash Algorithm Seed	287
Link Bundle Monitoring	287
Managing ECMP Group Paths	288
Data Center Bridging (DCB)	291
Ethernet Enhancements in Data Center Bridging	291
Priority-Based Flow Control	292
Enhanced Transmission Selection	293
Data Center Bridging Exchange Protocol	295
Data Center Bridging in a Traffic Flow	295
Data Center Bridging: Default Configuration	296
Enabling Data Center Bridging	296
QoS dot1p Traffic Classification and Queue Assignment	297
Configuring Priority-Based Flow Control	298
Configuring Lossless Queues	301
Configuration Enhanced Transmission Selection	302
ETS Prerequisites and Restrictions	303
Creating a QoS DCB Output Policy	303
Creating an ETS Priority Group	306
Applying an DCB Output Policy for a Priority Group to an Interface	307
ETS Operation with DCBX	308
Configuring Bandwidth Allocation for DCBX CIN	309
Configuring DCBx Operation	310
Supported DCBx Versions	310
DCBx Operation	310
DCBx Port Roles	311
DCB Configuration Exchange	312
Configuration Source Election	313
Propagation of DCB Information	313
Auto-Detection and Manual Configuration of the DCBx Version	314
DCBx Example	314
DCBx Prerequisites and Restrictions	315
DCBx Configuration Procedure	316
Configuring DCBx Globally on the Switch	318
Verifying DCB Configuration	319
Troubleshooting PFC, ETS, and DCBx Operation	331
DCBx Oper Status is Down	331
DCBx Error Messages	333
Debugging DCBx on an Interface	334
FIP Snooping	335
Fibre Channel over Ethernet	335
Ensuring Robustness in a Converged Ethernet Network	335
FIP Snooping on Ethernet Bridges	337
FIP Snooping in a Switch Stack	339
Configuring FIP Snooping	339
Enabling the FIP Snooping Feature	340
Enabling FIP Snooping on VLANs	340
Configuring the FC-MAP Value	340
Configuring a Port for a Bridge-to-FCF Link	340
Impact on other Software Features	341
FIP Snooping Prerequisites	341
FIP Snooping Restrictions	341
Configuration Procedure	342
Displaying FIP Snooping Information	343
FIP Snooping Configuration Example	349
Force10 Resilient Ring Protocol (FRRP)	353
Protocol Overview	353
Ring Status	354
Ring Checking	354
Ring Failure	355
Ring Restoration	355
Multiple FRRP Rings	355
Member VLAN Spanning Two Rings Connected by One Switch	355
Important FRRP Points	356
Important FRRP Concepts	357
Implementing FRRP	358
FRRP Configuration	359
Create the FRRP group	359
Configure the Control VLAN	359
Configure and add the Member VLANs	361
Set FRRP Timers	362
Clear FRRP counters	362
Show FRRP configuration	363
Show FRRP information	363
Troubleshooting FRRP	363
Configuration Checks	363
Sample Configuration and Topology	363
GARP VLAN Registration Protocol (GVRP)	367
Protocol Overview	367
Important Points to Remember	367
Configuring GVRP	368
Related Configuration Tasks	369
Enabling GVRP Globally	369
Enabling GVRP on a Layer 2 Interface	370
Configuring GVRP Registration	370
Configuring a GARP Timer	371
Internet Group Management Protocol (IGMP)	373
IGMP Implementation Information	373
IGMP Protocol Overview	373
IGMP version 2	374
Joining a Multicast Group	374
Leaving a Multicast Group	375
IGMP version 3	375
Joining and Filtering Groups and Sources	376
Leaving and Staying in Groups	377
Configuring IGMP	378
Related Configuration Tasks	378
Viewing IGMP Enabled Interfaces	379
Selecting an IGMP Version	379
Viewing IGMP Groups	379
Adjusting Timers	380
Adjusting Query and Response Timers	380
Adjusting the IGMP Querier Timeout Value	380
Configuring a Static IGMP Group	381
Enabling IGMP Immediate-leave	381
IGMP Snooping	381
IGMP Snooping Implementation Information	382
Configuring IGMP Snooping	382
Related Configuration Tasks	382
Enabling IGMP Immediate-leave	382
Disabling Multicast Flooding	383
Specifying a Port as Connected to a Multicast Router	383
Configuring the Switch as Querier	383
Adjusting the Last Member Query Interval	383
Fast Convergence after MSTP Topology Changes	384
Designating a Multicast Router Interface	384
Debugging IGMP	384
Interfaces	385
Basic Interface Configuration:	385
Advanced Interface Configuration:	385
Interface Types	386
View Basic Interface Information	386
Enable a Physical Interface	388
Physical Interfaces	389
Configuration Task List for Physical Interfaces	389
Overview of Layer Modes	390
Configure Layer 2 (Data Link) Mode	390
Configure Layer 3 (Network) Mode	391
Management Interfaces	392
Configure Management Interfaces	392
VLAN Interfaces	393
Loopback Interfaces	394
Null Interfaces	395
Port Channel Interfaces	395
Port channel definition and standards	395
Port channel benefits	396
Port channel implementation	396
Configuration task list for port channel interfaces	397
Create a port channel	397
Add a physical interface to a port channel	398
Reassign an interface to a new port channel	400
Configure the minimum oper up links in a port channel (LAG)	401
Add or remove a port channel from a VLAN	401
Assign an IP address to a port channel	402
Delete or disable a port channel	402
Load balancing through port channels	403
S-Series load-balancing	403
Hash algorithm	404
Hash Seed	404
Bulk Configuration	406
Interface Range	406
Bulk Configuration Examples	406
Create a single-range	407
Create a multiple-range	407
Exclude duplicate entries	407
Exclude a smaller port range	407
Overlap port ranges	407
Commas	408
Add ranges	408
Interface Range Macros	408
Define the Interface Range	409
Choose an Interface-range Macro	409
Monitor and Maintain Interfaces	409
Splitting QSFP ports to SFP+ ports	410
Important Points	411
Link Dampening	412
Important Points to Remember	412
Enable Link Dampening	412
Clear Dampening Counters	413
Configure MTU size on an Interface	413
Ethernet Pause Frames	414
Threshold Settings	414
Enable Pause Frames	415
Configure MTU Size on an Interface	415
Adjust the keepalive timer	416
View Advanced Interface Information	417
Display Only Configured Interfaces	417
Configure Interface Sampling Size	418
Dynamic Counters	419
Clear interface counters	421
IPv4 Routing	423
IP Addresses	423
Implementation Information	424
Configuration Task List for IP Addresses	424

Match case Limit results 1 per page

230

Dynamic Host Configuration Protocol (DHCP)

www.dell.com | support.dell.com

Packets received on snooping disabled L3 Ports

: 0

Snooping packets processed on L2 vlans

: 142

DHCP Binding File Details

Invalid File

: 0

Invalid Binding Entry

: 0

Binding Entry lease expired

: 0

List of Trust Ports

:Te 0/49

List of DHCP Snooping Enabled Vlans

:Vl 10

List of DAI Trust ports

:Te 0/49

Drop DHCP packets on snooped VLANs only

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE.

Starting with FTOS Release 8.2.1.1, line cards maintain a list of snooped VLANs. When the binding table

fills, DHCP packets are dropped only on snooped-VLANs, while such packets will be forwarded across

non-snooped VLANs. Since DHCP packets are dropped, no new IP address assignments are made.

However, DHCP Release and Decline packets are allowed so that the DHCP snooping table can decrease

in size. Once the table usage falls below the max limit of 4000 entries, new IP address assignments are

allowed.

View the number of entries in the table with the

show ip dhcp snooping binding

command. This output

displays the snooping binding table created using the ACK packets from the trusted port.

FTOS#

show ip dhcp snooping binding

Codes :

S - Static D - Dynamic

IP Address

MAC Address

Expires(Sec)

Type

VLAN

Interface

========================================================================

10.1.1.251

00:00:4d:57:f2:50

172800

Vl 10

Te 0/2

10.1.1.252

00:00:4d:57:e6:f6

172800

Vl 10

Te 0/1

10.1.1.253

00:00:4d:57:f8:e8

172740

Vl 10

Te 0/3

10.1.1.254

00:00:4d:69:e8:f2

172740

Vl 10

Te 0/50

Total number of Entries in the table : 4

Dynamic ARP Inspection

Dynamic ARP inspection prevents ARP spoofing by forwarding only ARP frames that have been validated

against the DHCP binding table.

ARP is a stateless protocol that provides no authentication mechanism. Network devices accepts ARP

request and replies from any device, and ARP replies are accepted even when no request was sent. If a

client receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the

existing entry with the new information.

The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers

use to inject false IP to MAC mappings into the ARP cache of a network device. It is used to launch

man-in-the-middle (MITM), and denial-of-service (DoS) attacks, among others.