Dell 9.7(0.0) Enabling FIPS Mode, Generating Host-Keys

Enabling FIPS Mode

To enable or disable FIPS mode, use the console port.

Secure the host attached to the console port against unauthorized access. Any attempts to enable or

disable FIPS mode from a virtual terminal session are denied.

When you enable FIPS mode, the following actions are taken:

• If enabled, the SSH server is disabled.

• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.

• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.

• FIPS mode is enabled.

– If you enable the SSH server when you enter the fips mode enable command, it is re-enabled

for version 2 only.

– If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also

manually create this key-pair using the crypto key generate command.

NOTE: Under certain unusual circumstances, it is possible for the fips enable command to

indicate a failure.

• This failure occurs if any of the self-tests fail when you enable FIPS mode.

• This failure occurs if there were existing SSH/Telnet sessions that could not be closed

successfully in a reasonable amount of time. In general, this failure can occur if a user at a

remote host is in the process of establishing an SSH session to the local system, and has been

prompted to accept a new host key or to enter a password, but is not responding to the request.

Assuming this failure is a transient condition, attempting to enable FIPS mode again should be

successful.

To enable FIPS mode, use the following command.

• Enable FIPS mode from a console port.

CONFIGURATION

fips mode enable

Generating Host-Keys

The following describes hot-key generation.

When you enable or disable FIPS mode, the system deletes the current public/private host-key pair,

terminatesany SSH sessions that are in progress (deleting all the per-session encryption key information),

actually enables/tests FIPS mode, generates new host-keys, and re-enables the SSH server (assuming it

was enabled before enabling FIPS).

For more information, refer to the SSH Server and SCP Commands section in the Security chapter of the

Dell Networking OS Command Line Reference Guide.

362 Enabling FIPS Cryptography

Contents

Main Notes, Cautions, and Warnings Contents Page Page 8 Bidirectional Forwarding Detection (BFD).................................................. 124 9 Border Gateway Protocol IPv4 (BGPv4).......................................................150 Page 10 Content Addressable Memory (CAM).........................................................216 Page Page 14 Dynamic Host Configuration Protocol (DHCP)........................................318 19 Force10 Resilient Ring Protocol (FRRP).....................................................368 20 GARP VLAN Registration Protocol (GVRP)................................................379 21 Internet Group Management Protocol (IGMP).........................................384 Page Page Page 27 Intermediate System to Intermediate System..........................................488 28 Link Aggregation Control Protocol (LACP)...............................................514 30 Link Layer Discovery Protocol (LLDP)........................................................544 31 Microsoft Network Load Balancing............................................................ 567 32 Multicast Source Discovery Protocol (MSDP)...........................................570 33 Multiple Spanning Tree Protocol (MSTP).................................................. 595 35 Open Shortest Path First (OSPFv2 and OSPFv3)...................................... 620 38 PIM Source-Specific Mode (PIM-SSM)....................................................... 671 42 Per-VLAN Spanning Tree Plus (PVST+)......................................................708 44 Routing Information Protocol (RIP)...........................................................749 46 Rapid Spanning Tree Protocol (RSTP)........................................................767 Page 50 Simple Network Management Protocol (SNMP)..................................... 844 Page Page 58 Virtual Routing and Forwarding (VRF)....................................................... 921 Page 61 Virtual Router Redundancy Protocol (VRRP).........................................1000 About this Guide Audience Conventions Related Documents Configuration Fundamentals Accessing the Command Line CLI Modes Navigating CLI Modes Page Page The do Command Undoing Commands Obtaining Help Entering and Editing Commands Command History Filtering show Command Outputs Page Multiple Users in Configuration Mode Getting Started Console Access Serial Console Accessing the Console Port Pin Assignments Default Configuration Configuring a Host Name Accessing the System Remotely Accessing the Z9500 Remotely Configure the Management Port IP Address Configure a Management Route Configuring a Username and Password Configuring the Enable Password Manage Configuration Files File Storage Copy Files to and from the System Page Save the Running-Configuration Configure the Overload Bit for a Startup Scenario Viewing Files Changes in Configuration Files Enabling Software Features on Devices Using a Command Option View Command History Upgrading the Dell Networking OS Using Hashes to Validate Software Images Page Switch Management Configuring Privilege Levels Creating a Custom Privilege Level Removing a Command from EXEC Mode Moving a Command from EXEC Privilege Mode to EXEC Mode Allowing Access to CONFIGURATION Mode Commands Allowing Access to the Following Modes Page Applying a Privilege Level to a Username Applying a Privilege Level to a Terminal Line Configuring Logging Audit and Security Logs Enabling Audit and Security Logs Displaying Audit and Security Logs Clearing Audit Logs Configuring Logging Format Setting Up a Secure Connection to a Syslog Server Log Messages in the Internal Buffer Configuration Task List for System Log Management Disabling System Logging Sending System Messages to a Syslog Server Configuring a UNIX System as a Syslog Server Display the Logging Buffer and the Logging Configuration Changing System Logging Settings Configuring a UNIX Logging Facility Level Synchronizing Log Messages Enabling Timestamp on Syslog Messages File Transfer Services Configuration Task List for File Transfer Services Enabling the FTP Server Configuring FTP Server Parameters Configuring FTP Client Parameters Terminal Lines Denying and Permitting Access to a Terminal Line Configuring Login Authentication for Terminal Lines Setting Time Out of EXEC Privilege Mode Using Telnet to Access Another Network Device Lock CONFIGURATION Mode Viewing the Configuration Lock Status Recovering from a Forgotten Password on the Z9500 Ignoring the Startup Configuration and Booting from the Factory-Default Configuration Recovering from a Failed Start on the Z9500 Restoring Factory-Default Settings Restoring Factory-Default Boot Environment Variables Page Page 802.1X The Port-Authentication Process Page EAP over RADIUS RADIUS Attributes for 802.1 Support Configuring 802.1X Page Page Configuring Request Identity Re-Transmissions Configuring a Quiet Period after a Failed Authentication Forcibly Authorizing or Unauthorizing a Port Re-Authenticating a Port Configuring Timeouts Configuring Dynamic VLAN Assignment with Port Authentication Guest and Authentication-Fail VLANs Configuring a Guest VLAN Configuring an Authentication-Fail VLAN Page Access Control Lists (ACLs) IP Access Control Lists (ACLs) CAM Usage User-Configurable CAM Allocation Test CAM Usage Example of the test cam-usage Command Implementing ACLs ACLs and VLANs ACL Optimization Determine the Order in which ACLs are Used to Classify Traffic Example of the order Keyword to Determine ACL Sequence IP Fragment Handling IP Fragments ACL Examples Layer 4 ACL Rules Examples Configure a Standard IP ACL Page Configuring a Standard IP ACL Filter Configure an Extended IP ACL Configuring Filters with a Sequence Number Configure Filters, TCP Packets Configuring Filters Without a Sequence Number Configure Layer 2 and Layer 3 ACLs Using ACL VLAN Groups Guidelines for Configuring ACL VLAN Groups Configuring an ACL VLAN Group Allocating ACL VLAN CAM Applying an IP ACL to an Interface Configure Ingress ACLs Configure Egress ACLs Applying Egress Layer 3 ACLs (Control-Plane) Counting ACL Hits IP Prefix Lists Configuration Task List for Prefix Lists Creating a Prefix List Creating a Prefix List Without a Sequence Number Viewing Prefix Lists Applying a Prefix List for Route Redistribution Applying a Filter to a Prefix List (OSPF) ACL Resequencing Resequencing an ACL or Prefix List Page Route Maps Configuration Task List for Route Maps Creating a Route Map Configure Route Map Filters Configuring Match Routes Configuring Set Conditions Configure a Route Map for Route Redistribution Configure a Route Map for Route Tagging Continue Clause Page Bare Metal Provisioning (BMP) Enhanced Behavior of the stop bmp Command Removal of User-Defined String Parameter in the reload- type Command Service Tag Information in the Option 60 String Bidirectional Forwarding Detection (BFD) How BFD Works BFD Packet Format Page BFD Sessions BFD Three-Way Handshake Session State Changes Configure BFD Configure BFD for Static Routes Establishing Sessions for Static Routes Changing Static Route Session Parameters Disabling BFD for Static Routes Configure BFD for OSPF Page Establishing Sessions with OSPF Neighbors Changing OSPFv3 Session Parameters Disabling BFD for OSPFv3 Configure BFD for OSPFv3 Changing OSPFv3 Session Parameters Disabling BFD for OSPFv3 Establishing Sessions with OSPFv3 Neighbors Configure BFD for IS-IS Establishing Sessions with IS-IS Neighbors Changing IS-IS Session Parameters Disabling BFD for IS-IS Configure BFD for BGP Prerequisites Establishing Sessions with BGP Neighbors Page Disabling BFD for BGP Use BFD in a BGP Peer Group Displaying BFD for BGP Information Page Page Page Configure BFD for VRRP Establishing Sessions with All VRRP Neighbors Establishing VRRP Sessions on VRRP Neighbors Changing VRRP Session Parameters Disabling BFD for VRRP Configuring Protocol Liveness Border Gateway Protocol IPv4 (BGPv4) Autonomous Systems (AS) Page Page Establish a Session Peer Groups Route Reflectors Communities BGP Attributes Best Path Selection Criteria Best Path Selection Details Weight Local Preference Multi-Exit Discriminators (MEDs) Origin AS Path Next Hop Multiprotocol BGP Implement BGP Additional Path (Add-Path) Support Advertise IGP Cost as MED for Redistributed Routes Ignore Router-ID for Some Best-Path Calculations Four-Byte AS Numbers AS4 Number Representation Dynamic AS Number Notation Application AS Number Migration Page BGP4 Management Information Base (MIB) BGP Configuration Enabling BGP Page Page Page Configuring AS4 Number Representations Configuring Peer Groups Page Page Configuring BGP Fast Fail-Over Page Configuring Passive Peering Maintaining Existing AS Numbers During an AS Migration Allowing an AS Number to Appear in its Own AS Path Enabling Neighbor Graceful Restart Filtering on an AS-Path Attribute Page Regular Expressions as Filters Redistributing Routes Enabling Additional Paths Configuring IP Community Lists Page Configuring an IP Extended Community List Filtering Routes with Community Lists Manipulating the COMMUNITY Attribute Page Changing MED Attributes Changing the LOCAL_PREFERENCE Attribute Changing the NEXT_HOP Attribute Changing the WEIGHT Attribute Enabling Multipath Filtering BGP Routes Page Filtering BGP Routes Using Route Maps Filtering BGP Routes Using AS-PATH Information Configuring BGP Route Reflectors Aggregating Routes Configuring BGP Confederations Enabling Route Flap Dampening Page Page Changing BGP Timers Enabling BGP Neighbor Soft-Reconfiguration Route Map Continue Match a Clause with a Continue Clause Set a Clause with a Continue Clause Enabling MBGP Configurations BGP Regular Expression Optimization Debugging BGP Storing Last and Bad PDUs Capturing PDUs PDU Counters Page Page Page Page Page Page Page Page Page Content Addressable Memory (CAM) CAM Allocation Page Test CAM Usage View CAM-ACL Settings View CAM Usage Return to the Default CAM Configuration CAM Optimization Applications for CAM Profiling LAG Hashing LAG Hashing Based on Bidirectional Flow Unified Forwarding Table (UFT) Modes Configuring UFT Modes Page Control Plane Policing (CoPP) Z9500 CoPP Implementation Protocol-based Control Plane Policing Queue-based Control Plane Policing CoPP Example Configure Control Plane Policing Configuring CoPP for Protocols Examples of Configuring CoPP for Protocols Page Configuring CoPP for CPU Queues Examples of Configuring CoPP for CPU Queues Displaying CoPP Configuration Viewing Queue Rates Viewing MAC Protocol-Queue Mapping Viewing IPv4 Protocol-Queue Mapping Viewing IPv6 Protocol-Queue Mapping Viewing Per-Queue Protocol-Queue Mapping Viewing Complete Protocol-Queue Mapping Page Troubleshooting CoPP Operation Enabling CPU Traffic Statistics Viewing CPU Traffic Statistics Troubleshooting CPU Packet Loss Page Page Viewing Per-Protocol CoPP Counters Page Viewing Per-Queue CoPP Counters Page Data Center Bridging (DCB) Ethernet Enhancements in Data Center Bridging Priority-Based Flow Control Enhanced Transmission Selection Data Center Bridging Exchange Protocol (DCBx) Data Center Bridging in a Traffic Flow Enabling Data Center Bridging QoS dot1p Traffic Classification and Queue Assignment SNMP Support for PFC and Buffer Statistics Tracking DCB Maps and its Attributes DCB Map: Configuration Procedure Applying a DCB Map on a Port Configuring PFC without a DCB Map Configuring Lossless Queues Data Center Bridging: Default Configuration Configuring PFC and ETS in a DCB Map PFC Configuration Notes PFC Prerequisites and Restrictions ETS Configuration Notes ETS Prerequisites and Restrictions Configuring Priority-Based Flow Control Configuring Lossless Queues Configure Enhanced Transmission Selection ETS Prerequisites and Restrictions Creating an ETS Priority Group ETS Operation with DCBx Configuring Bandwidth Allocation for DCBx CIN Applying the DCB Policies on Linecard Applying DCB Policies on SFM Ports Configure a DCBx Operation DCBx Operation DCBx Port Roles Page DCB Configuration Exchange Configuration Source Election Propagation of DCB Information Auto-Detection and Manual Configuration of the DCBx Version Behavior of Tagged Packets Configuration Example for DSCP and PFC Priorities DCBx Example DCBx Prerequisites and Restrictions Configuring DCBx Configuring DCBx Globally on the Switch Page DCBx Error Messages Debugging DCBx on an Interface Verifying the DCB Configuration Page Page Page Page Page Page Page Page Page Page Generation of PFC for a Priority for Untagged Packets Operations on Untagged Packets Performing PFC Using DSCP Bits Instead of 802.1p Bits PFC and ETS Configuration Examples Using PFC and ETS to Manage Data Center Traffic Page PFC and ETS Configuration Command Examples Using PFC and ETS to Manage Converged Ethernet Traffic Hierarchical Scheduling in ETS Output Policies Priority-Based Flow Control Using Dynamic Buffer Method Pause and Resume of Traffic Buffer Sizes for Lossless or PFC Packets Configuring the Dynamic Buffer Method Page Page Page Page Page Page Debugging and Diagnostics Offline Diagnostics Running Offline Diagnostics Page Examples of Running Offline Diagnostics Page Page Page Page Page Page TRACE Logs Auto Save on Reload, Crash, or Rollover Last Restart Reason Line Card Restart Causes and Reasons show hardware Commands Page Environmental Monitoring Display Power Supply Status Display Fan Status Display Transceiver Type Page Recognize an Over-Temperature Condition Troubleshoot an Over-Temperature Condition Page Troubleshooting Packet Loss Displaying Drop Counters Page Displaying Dataplane Statistics Displaying Line-Card Counters Accessing Application Core Dumps Mini Core Dumps Full Kernel Core Dumps Enabling TCP Dumps Dynamic Host Configuration Protocol (DHCP) DHCP Packet Format and Options Page Assign an IP Address using DHCP Page Configure the System to be a DHCP Server Configuring the Server for Automatic Address Allocation Configuration Tasks Excluding Addresses from the Address Pool Specifying an Address Lease Time Specifying a Default Gateway Configure a Method of Hostname Resolution Using DNS for Address Resolution Using NetBIOS WINS for Address Resolution Creating Manual Binding Entries Debugging the DHCP Server Using DHCP Clear Commands Configure the System to be a Relay Agent Page Configure the System to be a DHCP Client DHCP Client on a Management Interface DHCP Client Operation with Other Features Virtual Link Trunking (VLT) VLAN and Port Channels Configure Secure DHCP Option 82 DHCP Snooping Enabling DHCP Snooping Enabling IPv6 DHCP Snooping Adding a Static Entry in the Binding Table Adding a Static IPV6 DHCP Snooping Binding Table Clearing the Binding Table Clearing the DHCP IPv6 Binding Table Displaying the Contents of the Binding Table Displaying the Contents of the DHCPv6 Binding Table Debugging the IPv6 DHCP IPv6 DHCP Snooping MAC-Address Verification Drop DHCP Packets on Snooped VLANs Only Dynamic ARP Inspection Configuring Dynamic ARP Inspection Bypassing the ARP Inspection Source Address Validation Enabling IP Source Address Validation DHCP MAC Source Address Validation Enabling IP+MAC Source Address Validation Viewing the Number of SAV Dropped Packets Clearing the Number of SAV Dropped Packets Equal Cost Multi-Path (ECMP) ECMP for Flow-Based Affinity Enabling Deterministic ECMP Next Hop Configuring the Hash Algorithm Seed Link Bundle Monitoring Managing ECMP Group Paths Creating an ECMP Group Bundle Modifying the ECMP Group Threshold ECMP Support in L3 Host and LPM Tables Page FCoE Transit Fibre Channel over Ethernet Ensure Robustness in a Converged Ethernet Network Page FIP Snooping on Ethernet Bridges Page Using FIP Snooping FIP Snooping Prerequisites Page Enabling the FCoE Transit Feature Enable FIP Snooping on VLANs Configure the FC-MAP Value Configure a Port for a Bridge-to-Bridge Link Configure a Port for a Bridge-to-FCF Link Impact on Other Software Features FIP Snooping Restrictions Configuring FIP Snooping Page FCoE Transit Configuration Example Displaying FIP Snooping Information Page Page Page Page Page Page Enabling FIPS Cryptography Configuration Tasks Preparing the System Enabling FIPS Mode Generating Host-Keys Monitoring FIPS Mode Status Disabling FIPS Mode Page Flex Hash Flex Hash Capability Overview Configuring the Flex Hash Mechanism RDMA Over Converged Ethernet (RoCE) Overview Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces Force10 Resilient Ring Protocol (FRRP) Ring Status Ring Checking Ring Failure Ring Restoration Multiple FRRP Rings Member VLAN Spanning Two Rings Connected by One Switch Important FRRP Points Important FRRP Concepts Page Implementing FRRP FRRP Configuration Creating the FRRP Group Configuring the Control VLAN Configuring and Adding the Member VLANs Setting the FRRP Timers Clearing the FRRP Counters Viewing the FRRP Configuration Viewing the FRRP Information Troubleshooting FRRP Configuration Checks Sample Configuration and Topology Page Page GARP VLAN Registration Protocol (GVRP) Configure GVRP Enabling GVRP Globally Enabling GVRP on a Layer 2 Interface Configure GVRP Registration Configure a GARP Timer Page Internet Group Management Protocol (IGMP) IGMP Implementation Information IGMP Protocol Overview IGMP Version 2 Join a Multicast Group Responding to an IGMP Query Sending an Unsolicited IGMP Report Leaving a Multicast Group IGMP Version 3 Joining and Filtering Groups and Sources Leaving and Staying in Groups Configure IGMP Viewing IGMP Enabled Interfaces Selecting an IGMP Version Viewing IGMP Groups Adjusting Timers Adjusting Query and Response Timers Adjusting the IGMP Querier Timeout Value Configuring a Static IGMP Group Enabling IGMP Immediate-Leave IGMP Snooping IGMP Snooping Implementation Information Configuring IGMP Snooping Removing a Group-Port Association Disabling Multicast Flooding Specifying a Port as Connected to a Multicast Router Configuring the Switch as Querier Adjusting the Last Member Query Interval Fast Convergence after MSTP Topology Changes Designating a Multicast Router Interface Interfaces Basic Interface Configuration Advanced Interface Configuration Port Numbering Convention Interface Types View Basic Interface Information Page Enabling a Physical Interface Physical Interfaces Port Pipes Network Processing Units (NPUs) Configuration Task List for Physical Interfaces Overview of Layer Modes Configuring Layer 2 (Data Link) Mode Configuring Layer 2 (Interface) Mode Configuring Layer 3 (Network) Mode Configuring Layer 3 (Interface) Mode Egress Interface Selection (EIS) Configuring EIS Management Interfaces Configuring a Dedicated Management Interface Configuring a Management Interface on an Ethernet Port VLAN Interfaces Loopback Interfaces Null Interfaces Port Channel Interfaces Port Channel Definition and Standards Port Channel Benefits Port Channel Implementation 10/40 Gbps Interfaces in Port Channels Configuration Tasks for Port Channel Interfaces Creating a Port Channel Adding a Physical Interface to a Port Channel Page Reassigning an Interface to a New Port Channel Configuring the Minimum Oper Up Links in a Port Channel Adding or Removing a Port Channel from a VLAN Assigning an IP Address to a Port Channel Deleting or Disabling a Port Channel Load Balancing Through Port Channels Load-Balancing Methods Changing the Hash Algorithm Bulk Configuration Interface Range Bulk Configuration Examples Create a Single-Range Create a Multiple-Range Exclude Duplicate Entries Exclude a Smaller Port Range Overlap Port Ranges Defining Interface Range Macros Define the Interface Range Choosing an Interface-Range Macro Monitoring and Maintaining Interfaces Displaying Traffic Statistics on HiGig Ports Link Bundle Monitoring Monitoring HiGig Link Bundles Guidelines for Monitoring HiGig Link-Bundles Enabling HiGig Link-Bundle Monitoring Fanning out 40G Ports Dynamically Splitting QSFP Ports to SFP+ Ports Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port Support for LM4 Optics Example Scenarios Page Page Page Link Dampening Enabling Link Dampening Clearing Dampening Counters Link Dampening Support for XML Configure MTU Size on an Interface Using Ethernet Pause Frames for Flow Control Enabling Pause Frames Configure the MTU Size on an Interface Auto-Negotiation on Ethernet Interfaces Set Auto-Negotiation Options View Advanced Interface Information Configuring the Interface Sampling Size Page Dynamic Counters Clearing Interface Counters Page Internet Protocol Security (IPSec) Configuring IPSec IPv4 Routing IP Addresses Configuration Tasks for IP Addresses Assigning IP Addresses to an Interface Configuring Static Routes Configure Static Routes for the Management Interface Enabling Directed Broadcast Resolution of Host Names Enabling Dynamic Resolution of Host Names Specifying the Local System Domain and a List of Domains Configuring DNS with Traceroute ARP Configuration Tasks for ARP Configuring Static ARP Entries Enabling Proxy ARP Clearing ARP Cache ARP Learning via Gratuitous ARP Enabling ARP Learning via Gratuitous ARP ARP Learning via ARP Request Configuring ARP Retries ICMP Configuration Tasks for ICMP Enabling ICMP Unreachable Messages UDP Helper Configure UDP Helper Enabling UDP Helper Configuring a Broadcast Address Configurations Using UDP Helper UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses Troubleshooting UDP Helper IPv6 Routing Extended Address Space Stateless Autoconfiguration IPv6 Headers IPv6 Header Fields Hop Limit (8 bits) Source Address (128 bits) Destination Address (128 bits) Extension Header Fields Hop-by-Hop Options Header IPv6 Addressing Link-local Addresses Static and Dynamic Addressing IPv6 Implementation on the Dell Networking OS Page Configuring the LPM Table for IPv6 Extended Prefixes ICMPv6 Path MTU Discovery IPv6 Neighbor Discovery IPv6 Neighbor Discovery of MTU Packets Configuring the IPv6 Recursive DNS Server Debugging IPv6 RDNSS Information Sent to the Host Displaying IPv6 RDNSS Information Secure Shell (SSH) Over an IPv6 Transport Configuration Tasks for IPv6 Adjusting Your CAM Profile Assigning an IPv6 Address to an Interface Assigning a Static IPv6 Route Configuring Telnet with IPv6 SNMP over IPv6 Displaying IPv6 Information Displaying an IPv6 Configuration Displaying IPv6 Routes Page Displaying the Running Configuration for an Interface Clearing IPv6 Routes iSCSI Optimization iSCSI Optimization Overview Page Default iSCSI Optimization Values iSCSI Optimization Prerequisites Configuring iSCSI Optimization Page Page Displaying iSCSI Optimization Information Enable and Disable iSCSI Optimization Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer Monitoring iSCSI Traffic Flows Information Monitored in iSCSI Traffic Flows Detection and Auto-Configuration for Dell EqualLogic Arrays Configuring Detection and Ports for Dell Compellent Arrays Application of Quality of Service to iSCSI Traffic Flows Intermediate System to Intermediate System IS-IS Protocol Overview IS-IS Addressing Multi-Topology IS-IS Transition Mode Interface Support Adjacencies Graceful Restart Timers Page Configuration Tasks for IS-IS Enabling IS-IS Page Page Configuring Multi-Topology IS-IS (MT IS-IS) Configuring IS-IS Graceful Restart Page Changing LSP Attributes Configuring the IS-IS Metric Style Configuring the IS-IS Cost Configuring the Distance of a Route Changing the IS-Type Controlling Routing Updates Distribute Routes Applying IPv4 Routes Applying IPv6 Routes Redistributing IPv4 Routes Redistributing IPv6 Routes Configuring Authentication Passwords Setting the Overload Bit Debugging IS-IS IS-IS Metric Styles Configure Metric Values Maximum Values in the Routing Table Change the IS-IS Metric Style in One Level Only Page Leaks from One Level to Another Page Page Link Aggregation Control Protocol (LACP) Introduction to Dynamic LAGs and LACP LACP Modes Configuring LACP Commands LACP Configuration Tasks Creating a LAG Configuring the LAG Interfaces as Dynamic Setting the LACP Long Timeout Monitoring and Debugging LACP Shared LAG State Tracking Configuring Shared LAG State Tracking Important Points about Shared LAG State Tracking LACP Basic Configuration Example Configure a LAG on ALPHA Page Page Page Page Page Page Page Layer 2 Manage the MAC Address Table Clearing the MAC Address Table Setting the Aging Time for Dynamic Entries Configuring a Static MAC Address MAC Learning Limit Setting the MAC Learning Limit mac learning-limit Dynamic mac learning-limit mac-address-sticky mac learning-limit station-move mac learning-limit no-station-move Learning Limit Violation Actions Setting Station Move Violation Actions Recovering from Learning Limit and Station Move Violations NIC Teaming Configure Redundant Pairs Page Important Points about Configuring Redundant Pairs Far-End Failure Detection FEFD State Changes Configuring FEFD Enabling FEFD on an Interface Debugging FEFD Page Link Layer Discovery Protocol (LLDP) 802.1AB (LLDP) Overview Protocol Data Units Optional TLVs Management TLVs Organizationally Specific TLVs IEEE Organizationally Specific TLVs TIA-1057 (LLDP-MED) Overview TIA Organizationally Specific TLVs LLDP-MED Capabilities TLV LLDP-MED Network Policies TLV Page Extended Power via MDI TLV Configure LLDP LLDP Compatibility CONFIGURATION versus INTERFACE Configurations Enabling LLDP Disabling and Undoing LLDP Enabling LLDP on Management Ports Disabling and Undoing LLDP on Management Ports Advertising TLVs Viewing the LLDP Configuration Viewing Information Advertised by Adjacent LLDP Agents Configuring LLDPDU Intervals Configuring Transmit and Receive Mode Configuring a Time to Live Debugging LLDP Relevant Management Objects Page Page Page Page Page Microsoft Network Load Balancing NLB Unicast and Multicast Modes NLB Unicast Mode Example NLB Multicast Mode Example NLB Benefits NLB Restrictions NLB VLAN Flooding Configuring NLB on a Switch Multicast Source Discovery Protocol (MSDP) Page Anycast RP Configure Multicast Source Discovery Protocol Page Page Page Enable MSDP Manage the Source-Active Cache Viewing the Source-Active Cache Limiting the Source-Active Cache Clearing the Source-Active Cache Enabling the Rejected Source-Active Cache Accept Source-Active Messages that Fail the RFP Check Page Page Page Specifying Source-Active Messages Limiting the Source-Active Messages from a Peer Preventing MSDP from Caching a Local Source Preventing MSDP from Caching a Remote Source Preventing MSDP from Advertising a Local Source Logging Changes in Peership States Terminating a Peership Clearing Peer Statistics Debugging MSDP MSDP with Anycast RP Page Configuring Anycast RP Reducing Source-Active Message Flooding Specifying the RP Address Used in SA Messages Page Page MSDP Sample Configurations Page Page Multiple Spanning Tree Protocol (MSTP) Spanning Tree Variations Configure Multiple Spanning Tree Protocol Enable Multiple Spanning Tree Globally Adding and Removing Interfaces Creating Multiple Spanning Tree Instances Page Influencing MSTP Root Selection Interoperate with Non-Dell Bridges Changing the Region Name or Revision Modifying the Interface Parameters Page Flush MAC Addresses after a Topology Change MSTP Sample Configurations Router 1 Running-Configuration Router 2 Running-Configuration Router 3 Running-Configuration Example Running-Configuration Debugging and Verifying MSTP Configurations Page Page Multicast Features Enabling IP Multicast Multicast with ECMP Page First Packet Forwarding for Lossless Multicast Multicast Policies IPv4 Multicast Policies Limiting the Number of Multicast Routes Preventing a Host from Joining a Group Page Page Rate Limiting IGMP Join Requests Preventing a PIM Router from Forming an Adjacency Preventing a Source from Registering with the RP Page Page Preventing a PIM Router from Processing a Join Open Shortest Path First (OSPFv2 and OSPFv3) Autonomous System (AS) Areas Area Types Networks and Neighbors Router Types Page Autonomous System Border Router (ASBR) Internal Router (IR) Designated and Backup Designated Routers Link-State Advertisements (LSAs) LSA Throttling Virtual Links Router Priority and Cost OSPF Implementation Fast Convergence (OSPFv2, IPv4 Only) Multi-Process OSPFv2 (IPv4 only) Processing SNMP and Sending SNMP Traps RFC-2328 Compliant OSPF Flooding Enabling RFC-2328 Compliant OSPF Flooding OSPF ACK Packing Setting OSPF Adjacency with Cisco Routers Configuration Task List for OSPFv2 (OSPF for IPv4) Enabling OSPFv2 Assigning a Router ID Enabling Multi-Process OSPF (OSPFv2, IPv4 Only) Assigning an OSPFv2 Area Enable OSPFv2 on Interfaces Page Configuring Stub Areas Configuring LSA Throttling Timers Enabling Passive Interfaces Enabling Fast-Convergence Changing OSPFv2 Parameters on Interfaces Page Enabling OSPFv2 Authentication Configuring Virtual Links Creating Filter Routes Applying Prefix Lists Redistributing Routes Troubleshooting OSPFv2 Page Sample Configurations for OSPFv2 Basic OSPFv2 Router Topology OSPF Area 0 Te 1/1 and 1/2 OSPF Area 0 Te 3/1 and 3/2 OSPF Area 0 Te 2/1 and 2/2 Configuration Task List for OSPFv3 (OSPF for IPv6) Enabling IPv6 Unicast Routing Assigning IPv6 Addresses on an Interface Assigning Area ID on an Interface Assigning OSPFv3 Process ID and Router ID Globally Configuring Stub Areas Configuring Passive-Interface Redistributing Routes Configuring a Default Route OSPFv3 Authentication Using IPsec OSPFv3 Authentication Using IPsec: Configuration Notes Configuring IPsec Authentication on an Interface Configuring IPsec Encryption on an Interface Configuring IPSec Authentication for an OSPFv3 Area Configuring IPsec Encryption for an OSPFv3 Area Displaying OSPFv3 IPsec Security Policies Page Troubleshooting OSPFv3 Viewing Summary Information Page Pay As You Grow Installing a License Page Page Displaying License Information Page PIM Sparse-Mode (PIM-SM) Requesting Multicast Traffic Refuse Multicast Traffic Send Multicast Traffic Important Point to Remember Configuring PIM-SM Enable PIM-SM Configuring S,G Expiry Timers Configuring a Static Rendezvous Point Overriding Bootstrap Router Updates Configuring a Designated Router Creating Multicast Boundaries and Domains Enabling PIM-SM Graceful Restart PIM Source-Specific Mode (PIM-SSM) Configure PIM-SMM Enabling PIM-SSM Use PIM-SSM with IGMP Version 2 Hosts Configuring PIM-SSM with IGMPv2 Page Policy-based Routing (PBR) Page Implementing Policy-based Routing with Dell Networking OS Configuration Task List for Policy-based Routing Page Page PBR Exceptions (Permit) Page Page Sample Configuration Create the Redirect-List GOLD Assign Redirect-List GOLD to Interface 2/11 View Redirect-List GOLD Port Monitoring Local Port Monitoring Examples of Port Monitoring Page Configuring Port Monitoring Remote Port Mirroring Remote Port Mirroring Example Configuring Remote Port Mirroring Configuration Notes Restrictions Displaying a Remote-Port Mirroring Configuration Configuring Remote Port Monitoring Page Page Page Encapsulated Remote-Port Monitoring Page Private VLANs (PVLAN) Private VLAN Concepts Using the Private VLAN Commands Configuration Task List Creating PVLAN ports Creating a Primary VLAN Creating a Community VLAN Creating an Isolated VLAN Private VLAN Configuration Example Inspecting the Private VLAN Configuration Page Page Per-VLAN Spanning Tree Plus (PVST+) Configure Per-VLAN Spanning Tree Plus Enabling PVST+ Disabling PVST+ Influencing PVST+ Root Selection Page Modifying Global PVST+ Parameters Modifying Interface PVST+ Parameters Page PVST+ in Multi-Vendor Networks Enabling PVST+ Extend System ID PVST+ Sample Configurations Page Quality of Service (QoS) Port-Based QoS Configurations Setting dot1p Priorities for Incoming Traffic Honoring dot1p Priorities on Ingress Traffic Priority-Tagged Frames on the Default VLAN Configuring Port-Based Rate Policing Configuring Port-Based Rate Shaping Policy-Based QoS Configurations Classify Traffic Creating a Layer 3 Class Map Creating a Layer 2 Class Map Applying Layer 2 Match Criteria on a Layer 3 Interface Applying DSCP and VLAN Match Criteria on a Service Queue Ordering ACL Rules Displaying Configured Class Maps and Match Criteria Page Create a QoS Policy Creating an Input QoS Policy Configuring Policy-Based Rate Policing Setting a DSCP Value for Egress Packets Setting a dot1p Value for Egress Packets Creating an Output QoS Policy Strict-Priority Queuing Configuring Policy-Based Rate Shaping Allocating Bandwidth to Queue Specifying WRED Drop Precedence Create Policy Maps Creating Input Policy Maps Applying a Class-Map or Input QoS Policy to a Queue Applying an Input QoS Policy to an Input Policy Map Honoring DSCP Values on Ingress Packets Honoring dot1p Values on Ingress Packets Mapping dot1p Values to Service Queues Guaranteeing Bandwidth to dot1p-Based Service Queues Applying an Input Policy Map to an Interface Creating Output Policy Maps Applying an Output QoS Policy to a Queue Specifying an Aggregate QoS Policy Applying an Output Policy Map to an Interface DSCP Color Maps Creating a DSCP Color Map Displaying DSCP Color Maps Displaying a DSCP Color Policy Configuration Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Creating WRED Profiles Applying a WRED Profile to Traffic Displaying Default and Configured WRED Profiles Displaying WRED Drop Statistics Explicit Congestion Notification ECN Packet Classification Example: Color-marking non-ECN Packets in One Traffic Class Example: Color-marking non-ECN Packets in Different Traffic Classes Using A Configurable Weight for WRED and ECN Benefits of Using a Configurable Weight for WRED with ECN Setting Average Queue Size using a Weight Global Service-Pools for WRED with ECN Configuring a Weight for WRED and ECN Operation Pre-Calculating Available QoS CAM Space SNMP Support for Buffer Statistics Tracking Routing Information Protocol (RIP) RIPv1 RIPv2 Page Enabling RIP Globally Configure RIP on Interfaces Controlling RIP Routing Updates Assigning a Prefix List to RIP Routes Adding RIP Routes from Other Instances Setting the Send and Receive Version Page Generating a Default Route Summarize Routes Controlling Route Metrics Debugging RIP RIP Configuration Example RIP Configuration on Core2 Core 2 RIP Output RIP Configuration on Core3 Core 3 RIP Output Page RIP Configuration Summary Page Remote Monitoring (RMON) Fault Recovery Setting the RMON Alarm Configuring an RMON Event Configuring RMON Collection Statistics Configuring the RMON Collection History Rapid Spanning Tree Protocol (RSTP) Configuring Rapid Spanning Tree RSTP and VLT Configuring Interfaces for Layer 2 Mode Enabling Rapid Spanning Tree Protocol Globally Page Adding and Removing Interfaces Page Enabling SNMP Traps for Root Elections and Topology Changes Modifying Interface Parameters Influencing RSTP Root Selection Configuring Fast Hellos for Link State Detection Page Security Role-Based Access Control Overview of RBAC Privilege-or-Role Mode versus Role-only Mode Configuring Role-based Only AAA Authorization System-Defined RBAC User Roles User Roles Creating a New User Role Modifying Command Permissions for Roles Page Adding and Deleting Users from a Role AAA Authentication and Authorization for Roles Configure AAA Authentication for Roles Configure AAA Authorization for Roles Page Configuring TACACS+ and RADIUS VSA Attributes for RBAC Role Accounting Configuring AAA Accounting for Roles Applying an Accounting Method to a Role Displaying Active Accounting Sessions for Roles Display Information About User Roles Displaying User Roles Displaying Role Permissions Assigned to a Command Displaying Information About Users Logged into the Switch AAA Accounting Configuration Task List for AAA Accounting Enabling AAA Accounting Suppressing AAA Accounting for Null Username Sessions Configuring Accounting of EXEC and Privilege-Level Command Usage Configuring AAA Accounting for Terminal Lines Monitoring AAA Accounting AAA Authentication Configuration Task List for AAA Authentication Configure Login Authentication for Terminal Lines Configuring AAA Authentication Login Methods Enabling AAA Authentication Enabling AAA Authentication RADIUS Server-Side Configuration Obscuring Passwords and Keys AAA Authorization Privilege Levels Overview Configuration Task List for Privilege Levels Configuring a Username and Password Configuring the Enable Password Command Configuring Custom Privilege Levels Page Specifying LINE Mode Password and Privilege Enabling and Disabling Privilege Levels Resetting a Password RADIUS RADIUS Authentication and Authorization Idle Time ACL Configuration Information Auto-Command Configuration Task List for RADIUS Defining a AAA Method List to be Used for RADIUS Applying the Method List to Terminal Lines Specifying a RADIUS Server Host Setting Global Communication Parameters for all RADIUS Server Hosts Monitoring RADIUS TACACS+ Configuration Task List for TACACS+ Choosing TACACS+ as the Authentication Method Page Monitoring TACACS+ TACACS+ Remote Authentication and Authorization Specifying a TACACS+ Server Host Command Authorization Protection from TCP Tiny and Overlapping Fragment Attacks Enabling SCP and SSH Using SCP with SSH to Copy a Software Image Removing the RSA Host Keys and Zeroizing Storage Configuring When to Re-generate an SSH Key Configuring the SSH Server Cipher List Configuring the HMAC Algorithm for the SSH Server Configuring the SSH Server Cipher List Secure Shell Authentication Enabling SSH Authentication by Password Using RSA Authentication of SSH Configuring Host-Based SSH Authentication Using Client-Based SSH Authentication Troubleshooting SSH Telnet VTY Line and Access-Class Configuration VTY Line Local Authentication and Authorization VTY Line Remote Authentication and Authorization VTY MAC-SA Filter Support Page Service Provider Bridging VLAN Stacking Page Configure VLAN Stacking Creating Access and Trunk Ports Enable VLAN-Stacking for a VLAN Configuring the Protocol Type Value for the Outer VLAN Tag Configuring Options for Trunk Ports Debugging VLAN Stacking VLAN Stacking in Multi-Vendor Networks VLAN Stacking Page Page VLAN Stacking Packet Drop Precedence Enabling Drop Eligibility Honoring the Incoming DEI Value Marking Egress Packets with a DEI Value Dynamic Mode CoS for VLAN Stacking Page Mapping C-Tag to S-Tag dot1p Values Layer 2 Protocol Tunneling Page Page Specifying a Destination MAC Address for BPDUs Setting Rate-Limit BPDUs Debugging Layer 2 Protocol Tunneling Provider Backbone Bridging sFlow Enabling and Disabling sFlow Enabling and Disabling sFlow on an Interface Enabling sFlow Max-Header Size Extended Page sFlow Show Commands Displaying Show sFlow Global Displaying Show sFlow on an Interface Displaying Show sFlow on a Line Card Configuring Specify Collectors Changing the Polling Intervals Back-Off Mechanism sFlow on LAG ports Enabling Extended sFlow Page Page Simple Network Management Protocol (SNMP) Configuration Task List for SNMP Set up SNMP Creating a Community Setting Up User-Based Security (SNMPv3) Reading Managed Object Values Writing Managed Object Values Configuring Contact and Location Information using SNMP Subscribing to Managed Object Value Updates using SNMP Enabling a Subset of SNMP Traps Page Copy Configuration Files Using SNMP Page Copying a Configuration File Copying Configuration Files via SNMP Copying the Startup-Config Files to the Running-Config Copying the Startup-Config Files to the Server via FTP Copying the Startup-Config Files to the Server via TFTP Copy a Binary File to the Startup-Configuration Additional MIB Objects to View Copy Statistics Obtaining a Value for MIB Objects MIB Support to Display the Available Memory Size on Flash Viewing the Available Flash Memory Size MIB Support to Display the Software Core Files Generated by the System Viewing the Software Core Files Generated by the System Manage VLANs using SNMP Creating a VLAN Assigning a VLAN Alias Displaying the Ports in a VLAN Add Tagged and Untagged Ports to a VLAN Managing Overload on Startup Enabling and Disabling a Port using SNMP Fetch Dynamic MAC Entries using SNMP Page Deriving Interface Indices Monitor Port-Channels Troubleshooting SNMP Operation Storm Control Configure Storm Control Configuring Storm Control from INTERFACE Mode Configuring Storm Control from CONFIGURATION Mode Spanning Tree Protocol (STP) Configure Spanning Tree Configuring Interfaces for Layer 2 Mode Enabling Spanning Tree Protocol Globally Page Adding an Interface to the Spanning Tree Group Page Modifying Interface STP Parameters Enabling PortFast Preventing Network Disruptions with BPDU Guard Page Selecting STP Root STP Root Guard Root Guard Scenario Configuring Root Guard Enabling SNMP Traps for Root Elections and Topology Changes STP Loop Guard Configuring Loop Guard Displaying STP Guard Configuration Page System Time and Date Network Time Protocol Protocol Overview Implementation Information Configure the Network Time Protocol Enabling NTP Configuring NTP Broadcasts Disabling NTP on an Interface Configuring a Source IP Address for NTP Packets Configuring NTP Authentication Page Page Page Time and Date Configuration Task List Setting the Time and Date for the Switch Software Clock Setting the Timezone Set Daylight Saving Time Setting Daylight Saving Time Once Setting Recurring Daylight Saving Time Page Tunneling Configuring a Tunnel Configuring Tunnel Keepalive Settings Configuring a Tunnel Interface Configuring Tunnel allow-remote Decapsulation Configuring Tunnel source anylocal Decapsulation Multipoint Receive-Only Tunnels Guidelines for Configuring Multipoint Receive-Only Tunnels Page Upgrade Procedures Upgrade Overview Get Help with Upgrades Z9500 Bootup and Upgrades Page Uplink Failure Detection (UFD) Feature Description How Uplink Failure Detection Works UFD and NIC Teaming Configuring Uplink Failure Detection Page Clearing a UFD-Disabled Interface Displaying Uplink Failure Detection Page Sample Configuration: Uplink Failure Detection Page Virtual LANs (VLANs) Default VLAN Port-Based VLANs VLANs and Port Tagging Configuration Task List Creating a Port-Based VLAN Assigning Interfaces to a VLAN Moving Untagged Interfaces Assigning an IP Address to a VLAN Configuring Native VLANs Enabling Null VLAN as the Default VLAN Virtual Routing and Forwarding (VRF) VRF Overview VRF Configuration Notes Page Page DHCP VRF Configuration Load VRF CAM Creating a Non-Default VRF Instance Assigning an Interface to a VRF Assigning a Front-end Port to a Management VRF View VRF Instance Information Assigning an OSPF Process to a VRF Instance Configuring VRRP on a VRF Instance Configuring Management VRF Configuring a Static Route Sample VRF Configuration Page Page Page Page Page Page Route Leaking VRFs Dynamic Route Leaking Configuring Route Leaking without Filtering Criteria Page Page Configuring Route Leaking with Filtering Page Page Virtual Link Trunking (VLT) VLT on Core Switches Enhanced VLT VLT Terminology Configure Virtual Link Trunking Configuration Notes Page Page Primary and Secondary VLT Peers RSTP and VLT VLT Bandwidth Monitoring VLT and IGMP Snooping VLT IPv6 VLT Port Delayed Restoration PIM-Sparse Mode Support on VLT Page VLT Routing Spanned VLANs VLT Unicast Routing Configuring VLT Unicast VLT Multicast Routing Configuring VLT Multicast Non-VLT ARP Sync RSTP Configuration Preventing Forwarding Loops in a VLT Domain Sample RSTP Configuration Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1) Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Configuring VLT Configuring a VLT Interconnect Enabling VLT and Creating a VLT Domain Configuring a VLT Backup Link Configuring a VLT Port Delay Period Reconfiguring the Default VLT Settings (Optional) Connecting a VLT Domain to an Attached Access Device (Switch or Server) Configuring a VLT VLAN Peer-Down (Optional) Configuring Enhanced VLT (eVLT) (Optional) Page VLT Sample Configuration Page Page Page PVST+ Configuration Sample PVST+ Configuration eVLT Configuration Example eVLT Configuration Step Examples Page PIM-Sparse Mode Configuration Example Verifying a VLT Configuration Page Page Additional VLT Sample Configurations Configuring Virtual Link Trunking (VLT Peer 1) Configuring Virtual Link Trunking (VLT Peer 2) Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) Troubleshooting VLT Reconfiguring Stacked Switches as VLT Specifying VLT Nodes in a PVLAN Association of VLTi as a Member of a PVLAN MAC Synchronization for VLT Nodes in a PVLAN PVLAN Operations When One VLT Peer is Down PVLAN Operations When a VLT Peer is Restarted Interoperation of VLT Nodes in a PVLAN with ARP Requests Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN Page Configuring a VLT VLAN or LAG in a PVLAN Creating a VLT LAG or a VLT VLAN Associating the VLT LAG or VLT VLAN in a PVLAN Proxy ARP Capability on VLT Peer Nodes Working of Proxy ARP for VLT Peer Nodes VLT Nodes as Rendezvous Points for Multicast Resiliency Configuring VLAN-Stack over VLT Page Page Page Page VLT Proxy Gateway Proxy Gateway in VLT Domains Page LLDP organizational TLV for proxy gateway Sample Configuration Scenario for VLT Proxy Gateway Page Configuring an LLDP VLT Proxy Gateway Virtual Router Redundancy Protocol (VRRP) VRRP Overview VRRP Benefits VRRP Implementation VRRP Configuration Creating a Virtual Router Configuring the VRRP Version for an IPv4 Group Assign Virtual IP addresses Configuring a Virtual IP Address Setting VRRP Group (Virtual Router) Priority Configuring VRRP Authentication Disabling Preempt Changing the Advertisement Interval Track an Interface or Object Tracking an Interface Page Setting VRRP Initialization Delay VRRP for an IPv4 Configuration Page Page Page Page VRRP in a VRF Configuration VRRP in a VRF: Non-VLAN Scenario Page VLAN Scenario Page Displaying VRRP in a VRF Configuration Page Standards Compliance IEEE Compliance RFC and I-D Compliance General Internet Protocols Border Gateway Protocol (BGP) General IPv4 Protocols General IPv6 Protocols Intermediate System to Intermediate System (IS-IS) Page Network Management Page Page Page Page Page Multicast Open Shortest Path First (OSPF) Routing Information Protocol (RIP) MIB Location